ALPS In Brief, The ALPS Risk Management Podcast, is hosted by ALPS Risk Manager, Mark Bassingthwaighte.
While in Missoula, Libby Benet, U.S. Lead for Beazley Product Solutions took the time to sit down with Mark to talk about the latest trends in cybercrime, including the rise of industrialized ransomware, and how prevention paired with protection can help law firms best avoid and manage a cyber breach. Beazley has handled 8 of the largest breaches to date. In 2012 Beazley Breach Response Services partnered with ALPS to create the ALPS Cyber Response policy, which is the only one of its kind designed specifically for law firms. A more feature-rich version of the ALPS Cyber Response policy will be coming out in January of 2018.
MARK: Welcome to the first episode of ALPS In Brief, the ALPS’ risk management podcast. We’re recording here at ALPS’ home office in the historic Florence Building in downtown Missoula, Montana. I’m Mark Bassingthwaighte, the ALPS risk manager, and I have the pleasure of sitting down today with Libby Benet, U.S. Lead for Beazley Product Solutions. Libby, welcome. It’s just a wonderful opportunity to have you join us today. We’ve been having some conversations earlier, doing some training here at the building, and I was fascinated and interested in your summary. You were really talking about, you know, why small firms, small law firms, should be looking at a cyber policy, and I would just ask you to share it with our listeners.
LIBBY: Yeah, sure. Thank you so much for having me here. I’m really glad that I have a chance to talk to you today. So we look at the cyber product really as a way for policyholders to deal with real-life risks that they’ve got in their businesses today that they may not be aware of and are addressing. And so small businesses — It’s not a question of whether they’ve been penetrated —
MARK: Right, right.
LIBBY: — or not; it’s when they will be penetrated.
MARK: Yeah, yeah.
LIBBY: And then what is the response going to be. At Beazley what we talk about is having a data breach is not a crisis, but mishandling that data breach is. And so having an insurer that’s got a policy and services associated with it to help that law firm when an event happens is critical to dealing with a crisis situation.
MARK: Okay. Can we go further with that?
MARK: If I would sit down and say, okay, I understand that it’s one of these “it’s not if, but when” kind of things —
MARK: — but I also — In my experience, a lot of small firms in particular tend to come with this attitude of I’m not big enough to be hit. I’m — I’m not on anybody’s radar. It’s not going to cost that much money, these kinds of things. Can you — Could you give me some business reasons, why — why would — You’re trying to convince me.
MARK: Why — why do I really need this product in terms —
LIBBY: So let’s —
MARK: What are the benefits —
MARK: — that come from this?
LIBBY: So this is a great question, Mark. I think one of the things we’re seeing at Beazley is that the area of ransomware has —
LIBBY: — absolutely exploded.
LIBBY: So this is a great example of how the exposures are changing and evolving in the marketplace. We are now seeing somewhere between 25 and 30 percent of the claims that we handle at the insurance company level are coming from ransomware attacks.
LIBBY: People are able to go out on the dark web, they’re able to buy the software that is malware, and they’re able to do an industrialized-sized explosion out into the marketplace through phishing emails.
LIBBY: And they’re capturing law firms. They’re capturing retail establishments. I mean, they’re capturing small businesses whose employees inadvertently click on a malicious link and launch the ransomware. If your system gets hit with a ransomware attack, you can no longer access your files until you’ve paid the ransom, and if the criminal gives you the key back, you can unencrypt your system. That’s something that we didn’t see before, really, you know, the last 24 months, I would say.
LIBBY: So that’s an example —
LIBBY: — of, you know, you can be a well-managed firm, but still have an exposure to a malicious event.
MARK: And that’s a great example. I mean, 2016 has been labeled as the year of ransomware and, yeah, I really see it as the year — or the rise of ransomware —
MARK: — that’s really come into the mainstream.
MARK: And this industrialization piece is absolutely spot-on. When I think about, okay, I know what my malpractice policy does, I have this general insurance policy and things, do I still have some gaps? What would this policy —
MARK: Just in general —
MARK: — what’s it going to do for me?
LIBBY: So two things, two sides of the coin: Do you have a gap in your other commercial insurance coverages, and the answer is yes.
LIBBY: So the industry realized that they were having these events and around 2014 started to add exclusions to the business owners’ policy and the CGL policy. Cyber is not — cyber events are not considered professional services —
LIBBY: — so they weren’t considered under the professional policy.
MARK: Makes sense.
LIBBY: So a gap occurred. So ALPS is offering an endorsement which offers information security and privacy, website media liability, PCI fines and penalties, business interruption, cyber extortion, data protection and some crime coverages, fraudulent instructions and computer crime.
LIBBY: So ALPS is trying to provide coverages for a series of events that happens when a breach occurs or a ransomware event occurs and the various losses that derive from that event.
MARK: Okay. Wow. You know, I mean, when you really sit down and just start to think about it, you don’t fully appreciate all the fallout of an attack, and that’s spot-on. I love it. In my own experience in terms of working with law firms that have had breaches over the years, one of the biggest concerns in terms of the financial loss seems to be just the funds. There’s wire fraud. We’ve seen a lot of that. And these dollar figures can go sky high in a heartbeat. It’s my understanding that that is a loss that is difficult to insure. Is that correct? I mean, in terms of a small business being able to go out.
LIBBY: Yes. So the industry typically excludes the loss of money or securities out of the typical general liability BOP world. And also in the — certainly in the malpractice side, loss of funds isn’t covered. It’s an area that the industry is actually beating each other around the head about, to be honest with you, to find out who’s going to cover the loss —
LIBBY: — if a loss occurs. And some — unfortunately, some law firms have found themselves without any coverage.
MARK: Right. Yes.
LIBBY: Firms with large exposure to crime ought to be seeking a crime policy out in the marketplace, and we just had a conversation with someone who was going through that process —
LIBBY: — and found that there were some markets that would do it up to $250,000 unlimited and one market that would do a million dollars. That’s an individually underwritten approach.
LIBBY: The ALPS’ endorsement that’s coming out offers a lower limit of crime protection that’s there, and for a small firm, that may be adequate. If in their evaluation, however, they think they have a much wider exposure, they should buy a crime policy in addition to this.
MARK: Okay. And I agree with you. I mean, I understand —
MARK: — I’d rather have some coverage than no coverage.
MARK: And when I’ve looked at a lot of cyber policies, you’re right, you know, these generally don’t cover any of the financial loss, and the fact that we have a little here is a great perk with the policy. But what I’m taking away is this – the ability to affordably insure for these kinds of risks for small businesses is a challenge —
LIBBY: That’s true.
MARK: — to say the least, which then takes me to the side, okay, so what do we do about that? And it seems to me that the reality is getting proactive. I know that Beazley has some resources available. Maybe you can share a quick – in terms of the website and what kinds of things I might find out there.
LIBBY: Sure. So as part of your — as a Beazley insured that has this coverage, we have an online website that provides the risk management — some of the risk management tools that you can put in place to manage the entirety of your cyber exposure including —
LIBBY: — loss of funds. I also know in our conversation you do a lot of risk management as well.
LIBBY: I know you have some thoughts about this. How do you think is best to manage?
MARK: Well, honestly, the business standard in terms of what I’m seeing from even Microsoft down to a Ma and Pa shop, if you’re really going to get in front of cyber crime, cyber prevention is really what it’s all about. You know, I have been trying to advocate for years that we need ongoing regular training and just sit down with everyone in the office, from the most senior partner to the —
MARK: — you know, the part-time high school kid doing a little scanning in the summer, you know, that kind of thing because any one of these people can be the one that is tricked into doing something —
MARK: — you know, and I want to get ahead of it. So, to me, I want to use products like the insurance policy that Beazley offers, but I also want to look at the risk management tools and educational things and just sit down and do everything that I can to make sure that we don’t become the victim. Because at the end of the day, I mean, let’s be honest, IT can’t protect us from ourselves.
MARK: It’s all about securing the human. So I think that’s it. I thank you for listening. If you have any questions about the issue discussed today, please don’t hesitate to contact me at firstname.lastname@example.org. We’d love your feedback on the podcast, including any other issues you’d like to hear us cover.