Crum & Forster’s Nick Economidis on Cyber Risk and Coverage Trends

As part of our expanded coverage of our Power Broker® Cyber winners and finalists, Risk & Insurance spoke to Nick Economidis, senior vice president of eRisk Underwriter for Crum & Forster. What follows is a transcript of that discussion, edited for length and clarity.
Risk & Insurance: Thanks for speaking with us, Nick. What is the current state of cyber insurance pricing and availability?
Nick Economidis: The good news is that cyber insurance is generally widely available these days, with many markets offering coverage. Pricing has stabilized and has been slowly drifting downward since the hard market. We are likely nearing the end of that cycle.
Rates have been decreasing while losses have been trending upward. At some point, these lines will intersect, and we may see pricing level off or even increase in the future. However, at present, there is ample coverage available, and the rates are quite attractive.
R&I: What are the key ways a commercial insurance broker can add value for their clients seeking cyber insurance protection?
NE: While it’s relatively easy to secure attractive insurance terms in today’s market, brokers can add value in three key ways beyond simply obtaining lower prices.
First, they should help customers understand their policies. With no standard policy form in the market and each one being unique, it’s crucial for customers to grasp how their specific policy works.
Second, brokers need to emphasize the importance of reporting a claim or incident as early as possible. Cyber incidents, such as ransomware attacks, can be crisis situations. Making quick, informed decisions and involving the right people from the carrier, attorneys, and forensics consultants is essential for a good outcome.
Third, and perhaps most importantly, brokers should help customers understand the types of losses that are actually occurring and being paid. For example, “data breach” is a term you may hear a lot. But data breaches are not necessarily the cyber incidents that occur most frequently or that drive the biggest losses. Clients need to know what is actually happening today so they can strengthen their defenses and direct protection efforts and resources appropriately.
R&I: How does the timing of incident reporting impact coverage or claims resolution, particularly in cases where a system infiltration may have occurred weeks before it was discovered?
NE: Generally, the timing of incident discovery and reporting does not significantly impact coverage or claims resolution. Most policies today are written on a “losses discovered” basis, meaning that coverage is triggered when the insured first discovers the loss, not when the incident actually occurred.
This language has been adopted by the industry to address the very issues you mentioned, where an infiltration may have happened weeks before it was detected. The “losses discovered” wording is designed to be fair to all parties involved in such situations. But again, the faster an insured can notify their carrier, the more the carrier can help them contain the damage and respond efficiently and effectively to the incident.
R&I: What is the key role that great brokers play in the insurance process?
NE: Great brokers ensure that critical information flows smoothly through the pipeline back to the customer. They act as a vital conduit, making sure that the customer receives all the necessary details and insights.
This role is particularly important in facilitating effective communication between the various parties involved in the insurance process. By taking on this responsibility, great brokers contribute significantly to the overall success of the insurance transaction.
R&I: What’s an example of a broker going above and beyond to help a customer?
NE: One example that comes to mind is when a broker took advantage of our CybeReady calls to educate their customer, which in this case was a pool of relatively small school districts. The superintendents making decisions didn’t fully grasp the basic controls they needed, such as confusing the functions of a VPN with multi-factor authentication.
The broker’s efforts, combined with the CybeReady call, helped the superintendents understand the essential controls they needed to implement. The purpose of these calls, which involve our cyber solutions team of IT experts, is to educate the customer and help them make informed decisions before applying for insurance.
In this particular case, the broker played a crucial role in helping the customers identify the necessary controls, enabling them to secure a comprehensive insurance solution tailored to their needs.
R&I: What is the range of sophistication that brokers need to navigate when communicating with clients about insurance topics?
NE: It’s quite broad. On one end, we have conversations with larger multinational accounts that delve into technical terms and complex topics. These discussions can be challenging for non-technical people to follow.
On the other hand, we also need to be able to explain insurance concepts in more basic terms. This is necessary when communicating with clients who may not have a deep understanding of the industry.
Striking the right balance and adapting to the client’s level of knowledge is crucial. It’s not uncommon for people to be confused by acronyms and technical jargon, such as MFA (Multi-Factor Authentication) and VPN (Virtual Private Network). Brokers must be able to translate these concepts into language that their clients can understand.
R&I: What are some emerging risks in cyber insurance, such as different types of attacks you’re seeing or experiencing with your clients?
NE: There are two trends in cyber insurance that people should be aware of, beyond the typical discussions about direct attacks, data breaches, or ransomware events. The first trend is what I call “privacy litigation,” which includes alleged violations of the Video Privacy Protection Act or web litigation around web pixel tracking.
The second area is “vendor risk,” which cuts two ways. Companies rely on vendors to provide part of their infrastructure, and sometimes these vendors hold a lot of personal information that the company is responsible for. Two public examples illustrate this: the CrowdStrike outage, which was apparently caused by a vendor mistake and led to system outages for customers using CrowdStrike, and the recent PowerSchool situation, where an apparent data breach in the cloud-based software used by schools to manage student data impacted all the schools using that platform. These vendor risk issues go beyond attacks against your own network.
R&I: What are some basic, yet effective, IT security measures that companies can implement without significant resource investment?
NE: From an IT security standpoint, there are several measures we always encourage people to start with. The basics include implementing multi-factor authentication (MFA) and properly protecting your backups. It’s important to note that backups were designed for hardware failures, not ransomware recovery. If backups are not properly protected, bad actors can delete them, as well, rendering them useless for ransomware recovery.
We also highly recommend endpoint detection and response (EDR) systems. These are more advanced than traditional antivirus software, as they use a form of artificial intelligence to analyze behaviors, not just software code. If unusual behaviors are detected, EDR systems can automatically stop the activity and even roll back the computer system to undo any potential damage caused by a bad actor.
For a simple, yet effective measure that almost anyone can implement, I strongly advocate for removing administrative privileges on workstations. This is a straightforward configuration that only takes a few minutes to set up. By requiring a computer administrator to input their password for software installation, it helps prevent accidental downloads or installations of malicious code on the system. While it doesn’t stop everything, it adds a significant degree of protection.
R&I: What challenges do small businesses face when it comes to cybersecurity, and how can they improve their defenses?
NE: Small business owners often face challenges in cybersecurity due to a lack of understanding rather than willful ignorance. They are busy managing various aspects of their business, from customer concerns to operational issues, and may not have a deep understanding of cyber security techniques or best practices.
To significantly improve their cybersecurity posture, small businesses should focus on two simple but effective measures. First, they should implement MFA for all remote access points, including email systems and other critical applications. Second, they must ensure that their data backups are properly protected.
By prioritizing these two fundamental security controls, small businesses can greatly enhance their defenses against cyber threats. While there are certainly more advanced measures that can be taken, starting with these basics will put them in a much stronger position compared to many of the vulnerable businesses we encounter in our work.
Today’s environment is incredibly challenging, whether running a business or a school district. It’s important to recognize the immense pressure and responsibility they face on a daily basis. From managing finances and personnel to navigating complex regulations and societal expectations, their roles are far from easy.
This is why we must approach their situations with empathy and understanding. These leaders are doing their best to navigate a tough landscape, often with limited resources and support.
R&I: From your perspective, are organizational training programs having an impact on cybersecurity events or claims?
NE: Largely, the answer is no. That’s not to say that training is a bad thing, as it does reduce the number of potential incidents. I do support training, but most organizations are already doing the basic training. While training is important, we believe in emphasizing that the three basics – multi-factor authentication (MFA), endpoint detection and response (EDR), and protected backups – are the most critical measures to implement. These basic elements can do a lot to prevent cyber losses and drive better cyber outcomes if there is an incident.