What's the Right Type of Cyber Insurance with Brett Balsley?

Show Notes

In this episode of Smart Tech Spending, I am joined by Brett Balsley, president of BCA Insurance Group who sheds light on the differences between a standalone cyber insurance policy and a business owner’s insurance policy with a rider of cyber coverage.  He explains the benefits of having the right coverage and where businesses can go wrong.

 What you’ll learn in this episode:
- What size businesses should have cyber liability and data security insurance?
- Common types of cybercrime affecting businesses
- The impact of ransomware on cyber insurance claims
- A “real-life” example of a claim that was excluded from coverage
- The financial impact of a breach on a small or medium size business
- When should updates to a cyber liability insurance policy be made?

Brett Balsley’s Bio
Brett started his insurance career in 1991 in Atlantic County, NJ, providing homeowners and automobile insurance coverage, then quickly transitioned into providing commercial lines of insurance for clients.  Within 10 years, he was providing commercial and personal lines of insurance for clients in the Tri-State Area, nationally and to international clients as well.  BCA Insurance works with both national and regional insurance carriers.

Resources
Connect with Nicole Lefsky: https://www.linkedin.com/in/nicolelefsky
Jersey IT Group’s Website: https://www.jerseyitgroup.com
Connect with Brett Balsley: bbalsley@bca-insurance.com   
Brett Balsley’s Phone:  609-645-1700
Brett Balsley’s LinkedIn:  https://www.linkedin.com/in/brett-balsley-91ba741
BCA Insurance Group’s Website:  https://bca-insurance.com/

Thanks so much for listening!

If you enjoyed this episode, please take a moment to rate and review it on your favorite podcast player.

Don’t forget to subscribe to be updated when new episodes are available!

Chapters

• 1:47: Who needs cyber coverage?
• 3:42: The right kind of coverage
• 4:39: Common types of cyber crimes
• 7:10: The wrong coverage and the financial impact
• 11:35: Types of cyber coverage explained
• 13:26: Coverage differences between a standalone cyber liability policy and a business owner's policy with a rider
• 16:19: It'll never happen to me mindset
• 17:12: Proactively detecting threats
• 17:58: Protecting the golden egg
• 19:44: The numbers game for smart spending
• 20:09: How much cyber liability insurance is enough
• 25:25: Cyber insurance response teams

Transcript

What's the Right Type of Cyber Insurance with Brett Balsley?

[00:00:00] Brett Balsley: I actually don't like that these business owner's policies have these riders because now people have a full sense of security saying, "Oh, I've got this $50,000 rider of cyber coverage on my business owner's policy." Well, that $50,000 number one is not enough. Number two, the policy form is not very robust. 

[00:00:23] So when you go out and you purchase a million-dollar standalone mono line cyber policy, you have much more robust coverage with much greater limits.  

[00:00:36] Jersey IT Group: You're listening to Smart Tech Spending - a podcast designed to help businesses gauge the success of their technology investments. If you're looking to overcome the challenge of measuring the ROI of technology, tools, and services, avoid unplanned expenses, and uncover hidden costs, you've come to the right place. Let's get into the episode.  

[00:01:06] Nicole Lefsky: Welcome to Smart Tech Spending. I'm your host, Nicole Lefsky, and I'm here today with Brett Balsley, president of BCA Insurance Group. 

[00:01:16] Brett has been in the industry since 1991, over 30 years, probably hard to believe. Owns a longstanding insurance agency in the community. He works with major national and regional carriers providing personal and commercial lines of insurance. First of all, thank you for joining me today for this conversation. 

[00:01:37] Brett Balsley: Thank you.  

[00:01:38] Thank you for asking me to be on.  

[00:01:40] Nicole Lefsky: Happy to have you. With the increase in cyber risk for businesses, we're going to talk today about some of the important elements that in our conversations you've pointed out regarding cyber coverage. Some businesses have cyber coverage. Some businesses think they have cyber coverage. 

[00:02:00] And I guess the first question I have for you is why is it important for companies of all sizes, not just the large healthcare systems or conglomerates to have cyber insurance?  

[00:02:11] Brett Balsley: Well, just about every business today has some sort of cyber data security exposure. I'd like to make a comment that when people think about cyber, they think only technology. 

[00:02:26] Well, cyber should be thought of as cyber, technology and also data. So you know, the traditional dumpster diving where people would dive into dumpsters and grab documents and paperwork. So everybody has some sort of cyber exposure, personal identifiable information that is collected such as date of birth, driver's license, credit cards, check, and, and most importantly, emails. 

[00:02:54] I mean, emails are a part of all businesses today, and that is where you see a lot of the cyber-crime and cyber fraud hit businesses today. So I personally believe that every business, just about every business out there today, large or small, needs cyber.  

[00:03:13] You see these very large corporations that have been breached or attacked. And they have I. T. departments, million-dollar I. T. departments that are, you know, thwarting off or attempting to thwart off these, these cyber-crimes and it still happens. So what about an average sized business that does a million dollars a year of revenue or five hundred thousand dollars a year of revenue? 

[00:03:36] You know, we, we can't afford those cyber, cyber teams or I. T. teams to, to work 24/7 to, to try to prevent it from happening. Right. So, I think everybody today needs cyber insurance.  

[00:03:49] Nicole Lefsky: What's the right kind of coverage to have when it comes to, you know, the common threats that are happening? Many see it in the news. You know, we all see it if we're, you know, scrolling on social media, there are cyber-attacks happening all the time. There have been very large ones that hit the media and there are some that aren't necessarily reported. And of course, there are different requirements for reporting, but, when it comes to general protection for a business, what type of coverage should a company be considering? 

[00:04:22] Brett Balsley: Well, no two risks are the same, so every risk needs to be evaluated, and it's very important to sit down with an experienced broker, has specialty in cyber. And specifically design a plan for your company. Medical field is different than financial, different from trucking, retail, construction, all of it. They're all different.  

[00:04:46] So the four most common types of cybercrimes today are ransomware, extortion, and extortion and ransomware tend to be, commonly, you know, they think this is the same, it's actually not, social engineering, and then a data breach, your traditional data breach. One out of four cyber claims today are from ransomware. 

[00:05:10] So, that's where somebody hijacks and encrypts your systems, threatens to steal your data, delete your data, or sell your data. And unless you pay them to get, they'll give you the passwords and keywords to get back your data. Extortion is something a little bit different. They actually do steal the data and they won't give it back until you pay. And if you do pay, you still don't know if that data is going to be released or sold somewhere else because that data has been stolen. 

[00:05:49] So, you know, you really need to sit with the broker. Talk about how your business operates. Talk about your own concerns. What keeps you up at night? What, what really are you concerned about? And then you craft a policy because all the policies are different. You craft a policy specifically to your company. 

[00:06:14] One of the other major ones we see today is social engineering where a business email may be compromised. I can't tell you how many times my controller walked into my office and said, "Did you just ask me to get $200 worth of gift certificates and send them to you?" That is just, it happens all the time. And many of my clients tell me the same thing. So there's, there's all sorts of different types of cybercrimes out there. 

[00:06:46] If you're an ecommerce business where you're doing all of your business online That's, you know, you have a greater need than somebody that's doing all their business face to face with clients. 

[00:06:57] So, you really need to sit down with a broker, design a plan, and, and, and implement it. to protect you. No two plans or no two risks are the same.  

[00:07:08] Nicole Lefsky: When it comes to coverage, and you mentioned some of the most common ways in which data is either stolen or breaches occur. What happens if a company doesn't have the right coverage? 

[00:07:21] Can you give me an example of when a company had a form of coverage and they thought that after some sort of cyber incident occurred that they would be covered and they were not?  

[00:07:33] Brett Balsley: Sure, well it could be catastrophic to a company. You and I were talking earlier about records. So an agency like mine, I have tens of thousands of records, personal identifiable information of clients. 

[00:07:47] Some of my clients have 500 drivers. So I have those drivers, date of births, driver's license number, addresses, et cetera. So if we had a breach of some sort and we are required by law to notify and monitor every single record, even if only one record was breached. That could be millions of dollars that could put us out of business. 

[00:08:15] So, you know, having the right coverage is going to protect you or help protect you from something, you know, financially catastrophic happening. You may have an event that's not, you know, financially catastrophic, but it could harm your reputation. So in that aspect, maybe there was a $20,000 loss of, of income for some sort of a cyber breach, but your reputation could be much more financially catastrophic from a loss of reputation. 

[00:08:49] So, you know, I do have an example of a client that did not have any cyber coverage or actually they had cyber coverage, but it was part of their original business owner's policy - was like a rider. And those aren't usually the right type of policies to have. But they were in a spear phishing event where the, my client sent out an invoice to a client and immediately after that invoice was sent, a hacker sent another invoice another email that looked exactly like my client's email and said, "I'm sorry I gave you the wrong wiring instructions please send that money to this bank" and my client's client sent the money to the bank and next you know everybody was out twenty thousand dollars. So that was not covered under the business owner's policy's rider of cyber insurance.  

[00:09:56] So again, I really honestly believe, and I'll probably say this a couple more times, that you really need to sit down with an experienced broker, talk about your issues, talk about your business, talk about your concerns, and craft a policy specifically for you. That will address most of your needs. 

[00:10:19] One other thing I'd like to say, as we all know, IT evolves at a pace, it's just, it's, it's incredible. You know all the different things that are coming out with IT on a daily basis. So you could put a policy in place January 1st, 2024. And a new type of cyber-crime comes along in June of 2024. Well, you may not be protected because that policy from January didn't take into consideration this new type of cyber-crime. So it's always, it's really important to stay on top of it and make sure that you're covering as much as you can, as best as you can, and your broker should help you do that.  

[00:11:04] Nicole Lefsky: We've definitely seen an increase in the number of clients we have who have cyber coverage. And of course we always encourage it. Are you seeing a trend toward more businesses over the last, say, five years engaging in getting a cyber policy as opposed to having that rider that you spoke about?  

[00:11:26] Brett Balsley: Absolutely. That's a great question. It reminds me of employment practice liability that came out 20 years ago. You know, now today, anybody who has employees has employment practice liability.  

[00:11:38] Cyber liability is relatively new in the insurance world, and I, I actually don't like that these business owner's policies have these riders because now people have a full sense of security saying, "Oh, I've got this $50,000 rider of cyber coverage on my business owner's policy." 

[00:11:57] Well, that $50,000 number one is not enough. Number two, the policy form is not very robust. So when you go out and you purchase a million dollar stand alone, monoline cyber policy, you have much more robust coverage with much greater limits.  

[00:12:19] So, to answer your question specifically, yes, there has been a significant increase in the number of businesses that are purchasing cyber insurance. 

[00:12:28] And as an agency ourselves, when we look at our clients who are coming up for renewals today, we always say, you know, you need cyber, you need cyber, especially if they don't have it. Now, if they do have cyber, every year a cyber renewal application goes out to the insured. And they update the information. 

[00:12:52] So maybe new coverages are coming along, or maybe there's a new type of exposure where they never took credit cards online. It was always checks. Well, now they're taking credit cards online. So now we have to address that. But yes, there's been significant increase in the number of cyber policies purchased, but we are very far from where we need to be. From a percentage standpoint, I'd say. 30 percent of clients are buying it.  

[00:13:22] Nicole Lefsky: Can you help distinguish, obviously you said the limits themselves when you have a special policy, cyber policy with varied limits, can you distinguish for someone the difference between what that rider would cover or maybe what it doesn't cover from a professional liability policy versus having a standalone policy for cyber? 

[00:13:49] Brett Balsley: Well, yeah, on the business owner's policy, they typically give you lower limits, you know, $25 000 of automatic cyber, $50,000 of automatic cyber. And in some cases on that business owner's policy for a relatively inexpensive premium. You can buy a hundred thousand or maybe $250,000, maybe even $500,000.  

[00:14:14] When you go out and purchase a standalone cyber liability policy only. They're going to start at a million. That's going to be their basis, a million, a million dollars of limits. I have sold cyber policies up to $20 million of limits. So you're going to get a lot more coverage from a limit perspective from the standalone cyber liability policy. 

[00:14:40] The rider on the business owner's policy, or maybe it's part of your E and O policy. 

[00:14:47] There are a gaggle of types of coverages and to name one invoice manipulation, that is one of those, that was the example I just previously gave you when somebody's invoice went out. There was that spear phishing incident and the client paid the money. That would not be covered under a rider on a business owner's policy. 

[00:15:16] So that's one of several different examples. There are a lot more exclusions and limitations when it's a rider. So again, I think the best course of action is a standalone policy that you fully understand with your broker. And that being said, no two standalone policies are the same. So, you do need to do a deep dive into the policy, the policy forms, the policy destinations, and the limits that are on the policy forms. 

[00:15:51] Nicole Lefsky: Yeah, I think that's really important. I mean, I've certainly done that - you know, reached out to you and said, you know, in full disclosure, Brett works with us here at Jersey IT Group on our policy. And every year I think I call you and I say, okay, let's, let's break this down because we see trends, we see risk increasing in different areas and we want to make sure that we have the right coverage. And it allows us to further educate our clients about how to match the risk that they're potentially in given their industry or their course of, you know, type of work. 

[00:16:26] Why do you think it is that such a small percentage of businesses at this stage are not engaging in a dedicated policy at this point? 

[00:16:37] Brett Balsley: It's a new coverage. It's a relatively new coverage. And, everybody has the same canned responses all the time. That'll never happen to me. I know my bank will take care of it. If you have a point-of-sale system, they will indemnify me. Or why would somebody come after me? I'm too small. The smaller business owner is the target because as I said earlier, you don't have a, you know, IT staff department working 24/7 to try to thwart these crimes. It's very important to have a good IT third party IT team, such as yourself, you know, setting up that software. 

[00:17:17] You know, one of the, the trigger things today is endpoint detection and response. It's the artificial intelligence that will detect and proactively respond to an incoming threat. So if you don't have a staffed IT team, you should have something similar to that. 

[00:17:36] But again, when coverage is new in our world, people tend not to buy it until it happens to them or happens to you know, somebody they know. We can, you know, just overwhelm them with statistics and claim examples and, you know, they just sit there and say, "Oh, this won't happen." And, and there's another, you know, I get it. Insurance is not something that everybody wants to go out and buy. It's a non-tangible product that, you know, is expensive. 

[00:18:13] You don't ever want to use it. And when you do use it, there, there are always, you know, deductibles and aggravation. So nobody's racing out there to - Oh, show me this new insurance coverage. But you know, my response to a lot of those clients are, you know, you have a business, it's the goose that's laying the golden egg. It's, you know, it's providing income for you and your employees and a livelihood for your family. You want to protect that goose. You want to make sure it's, it's fine. It's safe. And if something was to happen, you now have a policy in place to help you through it.  

[00:18:55] Nicole Lefsky: And hackers have gotten pretty creative. 

[00:18:57] We've learned of incidents where hackers or bad actors will access a system. They'll spend time in that system trying to figure out where the greatest value is depending on their agenda. And sometimes they'll find a copy of the cyber policy and they will of course phish the company and the employees. 

[00:19:22] And as a result, whoever they're able to engage and download some ransomware on, they will often pose a ransom that's in the amount pertaining to their policy. You know, they used to be low, you know, couple thousand dollars. Now they're five and six figures, which is tremendous. When you and I were talking earlier, you mentioned, you know,  

[00:19:45] Brett Balsley: Because there's an insurance policy in place. 

[00:19:48] That's quite right. 

[00:19:49] Nicole Lefsky: That's right. 

[00:19:49] Brett Balsley: To your point. 

[00:19:50] Nicole Lefsky: Well, it becomes a numbers game to a great degree. You know, for those that don't have the policy or think that they're covered and they're reevaluating it and they see that it, you know, a standalone policy is always going to be more expensive than a rider, but it's what they're getting for it, right? But the value and investing in it far outweighs, I should say the cost, even given deductibles plus premium are always going to outweigh if, in fact, they have an incident. 

[00:20:15] Can you tell us a little bit about some of the numbers and how you calculate to kind of make a smart spending decision in terms of making that investment from a financial benefit where, you know, say, one doesn't have a policy and has to pay out of pocket and some of those costs versus having coverage? 

[00:20:35] Brett Balsley: Again, when we are talking to people about cyber liability insurance, we usually talk from a baseline of $1 million of limits. There are many clients of ours that accept the rider and that's where they want to be and $50,000 is fine by them. But to your point, there's a cost benefit. You've got to take a risk versus reward reward. 

[00:20:59] Some of your companies like medical professional, there are stringent requirements on them to carry a base of a million dollars, financial institutions, stockbrokers, financial planners, there's a minimum of a million dollars of coverage that they are required to carry. It's difficult to throw out a number. 

[00:21:21] The more the better. And in certain circumstances when somebody has $5 million of cyber liability limits and the premium, I'm pulling a number out of the air is, is $10,000. Well, for an extra $2,000 you can get $10 million of cyber coverage. So again and again, sorry to keep repeating myself, you have to sit down, you have to analyze it with the broker. 

[00:21:49] You have to see, you know, a company like me that has 10,000 records, what would that do to me and my agency versus a company that has a hundred records? So that is something that you really need to analyze. 

[00:22:05] Look, there's training that needs to be done. I think prevention is the, is the best, you know, is the best defense. Having a good IT team, third party IT team. You know, when you do buy an insurance policy, those insurance carriers do give you resources. They give you training webinars, cyber-attack response templates that you can implement in your office. And cyber policies, not an insurance policy, but what the company policy is regarding, you know, cyber and emails and when you receive an email. So it's, it's difficult to say what somebody should carry, but I, I'll tell you in my professional opinion, a million dollars should be the base that that should be your starting point. And going up from there.  

[00:23:03] Nicole Lefsky: You know, it's interesting when you brought up prevention and that being so key and you mentioned EDR. You know, there's the artificial intelligence component or the technological component, and then there's the human component, right? Nothing beats that mix. And we know that when it comes to cyber incidents and what can lead to a cyber-attack and potentially a breach, we know that phishing is one of the main strategies that are used. And the reason that it's so effective is because of the human element. And it's the employee or executive who've received that email and is, you know, good as they are now with imitation of major providers or some social engineering has been done beforehand and the names are dropped in of who the recipient is and it's very customized now. There's no wonder that if that human receiving the email isn't properly trained or isn't prepared for how to handle it with a policy or with prior training, they could certainly fall victim to it and it can put the whole company at risk.  

[00:24:16] Brett Balsley: I'll tell you.  

[00:24:16] Nicole Lefsky: I'm sorry. Go ahead. 

[00:24:17] Brett Balsley: If I may. 

[00:24:18] Nicole Lefsky: Sure. 

[00:24:18] Brett Balsley: I see emails all the time and I look at them and I'm like that was pretty good - that was pretty good. Or I sit there and I get up from my chair and fortunately I can walk down to my controller and say, "Did you send that email to me?" So even though I've gone through multiple seminars and phishing seminars and spear phishing seminars, there's so many seminars... there are times I look at something and I, I question it and I'm not sure. And sometimes it's a legitimate email and sometimes it's not.  

[00:24:49] Nicole Lefsky: Well, from our perspective, you did the right thing. Certainly, you know, verifying is the most important thing. And we know that when it comes to cost, having a policy and having the right coverage can prevent greater loss. 

[00:25:06] And we also know that if you can report an incident as soon as possible and get the ball rolling with the proper players in place, good advice from an insurance perspective, from a legal perspective, from a technological perspective, the time to recover from an incident can lower overall costs when an incident does occur. 

[00:25:30] Brett Balsley: It's a great point. If I may, unlike many other types of insurance claims, when you have a cyber loss or a situation or a ransomware or extortion, whatever it may be, the insurance carriers have a response team. Unlike anything they've ever done before in the past. And it's 24/7/365. And once you connect with them, they take over, they take control. They will tell you what to do, how to do it. They will come in. They will maybe take control of your, your software or your computer system somehow. They will make the determination. Do we need to make this payment to these hackers? It's, you know, I saw a claim like that in a cyber claim. And it was incredible how they, how quickly they responded and how everybody got together and made a determination. How are we going to move forward?  

[00:26:24] Much different than, you know, having a fire at your house and okay, we'll call the adjuster. He'll be out next week. And then you start getting contractors lined up and, you know, contractors might be a day or two delayed. 

[00:26:36] This is, it was very impressive though, you don't want to see it. It was a very impressive response and the carriers that are providing cyber insurance all have these 24/7/365 response teams.  

[00:26:50] Nicole Lefsky: Yeah, they're all lined up, ready to go because they want to minimize the risk to their policy holders and they want to minimize the outlay and inconvenience for everyone. 

[00:26:59] So it's, it's really, it's, I think once you have a policy, it's comforting and knowing that that team is there for a business to support them in the event along with the other advisors that they utilize and have relationships with. Together they can feel confident that they're in good hands. 

[00:27:18] If a company's interested in reaching out to you, you know, touching base with you, connecting with you, what is the best way to reach you? 

[00:27:28] Brett Balsley: Well, personally, I like the traditional old-fashioned phone. That's me. I like talking to people, communicating with people. So they can always call us at our office at 609-645-1700. Obviously, we're on the web, bca-ins.com. Email is great, email's fine. LinkedIn, I'm on LinkedIn. So we're available multiple different ways. 

[00:27:54] I always liked the old-fashioned phone, I like talking to people, which is another interesting thing. The new crime out there is voice cloning, where they somehow, someway, I guess they call on your cell phone, they work with you, talk to you, and then next thing you know, they clone your voice. So if they reach out to somebody, it might be sounding like Brett Balsley's calling you and I need you to transfer $50,000 from one account to the other. 

[00:28:21] It's very interesting and how creative these hackers are and Nicole you know, IT's always changing, so they will always come up with a way, but. Long story short, give me a call on the show.  

[00:28:35] Nicole Lefsky: You've certainly given, I think all the listeners some really valuable perspective on cyber insurance coverage, standalone coverage, the benefits of it, some things to look for, considerations when investing in a new policy and evaluating their existing policy. 

[00:28:53] So I want to thank you so much for joining me today for this conversation. It was really helpful. And I'm sure will enlighten many business owners around their current policies and how they should move forward. So thanks so much for joining us today.  

[00:29:09] Brett Balsley: I appreciate your time and I hope it does help. 

[00:29:11] And thank you.  

[00:29:12] Jersey IT Group: You've been listening to Smart Tech Spending hosted by Nicole Lefsky. Make sure you never miss an episode by subscribing in your favorite podcast player. And if you enjoyed this episode, we'd appreciate it if you'd rate and review the show. Thanks for listening.