Rising Star Ed Cooney Reveals the Intricate World of Cyber in the Public Sector Space
Come see the Stars! As part of our ongoing coverage of the best brokers in the commercial insurance space, Risk & Insurance®, with the sponsorship of Philadelphia Insurance, is expanding its coverage of the Rising Stars, those brokers who represent the next wave of insurance brokering talent.
Look for these expanded profiles on the Risk & Insurance website and in your social media feeds throughout 2023.
Here’s our conversation with Edward Cooney, partner and senior account executive at Conner Strong & Buckelew, and a 2023 Public Sector Power Broker winner.
Risk & Insurance: Tell us about how your career trajectory led you to focus on the public sector and ultimately craft further expertise in cyber coverage for joint insurance funds (JIFs)?
Ed Cooney: I started my career in insurance working with life science, pharmaceutical and biotechnology companies, with quite unique risks.
That roadmap taught me how to learn about things quickly, so when I had the opportunity to shift over to the public entity space, it was a relatively quick transition to get onboard with the nuance of that industry. We do all coverages in our teams and in one industry, rather than one coverage in multiple industries.
I started with cyber 12 or 13 years ago, and that was before it was a hot topic in insurance. There weren’t many claims back then, and a lot of people didn’t know exactly what it was meant to cover. I took a big interest in it at that time and started talking to a few cybersecurity experts about concerns down the road. We’re insurance people, so we always raise alarms about what might happen.
I became the go-to person in our company for a long time, and sure enough, once claims started coming in, and really the risk of ransomware in 2016, that’s when everyone turned to me, because I had been talking about cyber for so long.
R&I: What special challenges are presented by the coverage needs of public entities?
EC: Public entities have a couple of challenges for cyber.
One big, glaring issue is that they don’t have the budgets for cybersecurity and technology as a whole that many organizations do. Not to say that everyone has carte blanche and tons of money, but they are among the organizations with the least amount of funding.
Further, there are two core issues that really plague public entities today.
First, their technology and network architecture, network infrastructure, are so outdated that it’s hard to put security solutions around that network. In addition, they don’t have access to strong cybersecurity support. There are some people with great cybersecurity chops, like classic IT people that can do that, but many do not. Some of their contracts with technology professionals are quite old, and they engaged these companies 15 years ago when all they needed was email and a basic website.
So even in cases where there’s a willingness to implement recommended security controls, they don’t know who to go to in order to actually get it done.
R&I: You successfully created a custom cybersecurity maturity model for JIF members. Tell us about the impetus behind this unique product, its development, and the services included with the members’ premiums.
EC: They needed a solution that truly worked for them and would truly help them.
The insurance programs that we work with in public entity are large pool programs, similar to a captive. In particular, the cyber program that we started in was in New Jersey for a joint insurance fund of about 600 local governmental entities — municipalities, housing, fire departments. We stuck to what the issues and challenges are and built the program around it.
One was access to insurance, period.
When the ransomware wave really started crushing insurance companies, the landscape for cyber insurance really changed, a full 180. Prior to that time, you could get as much cyber insurance as you wanted and as many limits, it was so cheap, and after that time, the insurance companies were restricting the limits they offered, prices went through the roof multiple times, deductibles went through the roof, and that was if you were lucky enough to get insurance. Among the industries that were hard hit was local government.
We decided to buy it as a pool program with shared limits among the members.
A key thing to convince the insurance companies to get onboard was having a large retention. We took a large retention as a pool program and then passed on deductibles to our members depending on which controls they have in place. The next thing that comes with that is the fact that we’re taking the majority of the risk rather than the insurance company, so how do we protect ourselves?
We decided to implement a large deductible to start with, large enough to deal with many of the claims that we see from membership, and also to give the members an incentive to improve their controls.
So let’s say we start with a $100,000 deductible for the member — that’s huge relative to any other insurance that they have — so we incentivize them by saying that if you get into compliance and implement this set of controls, we’ll cut your deductible in half. With another set of controls, we’ll drop it even lower, and if you do everything in the cybersecurity framework, we’ll bring the deductible down to zero.
That’s how much we believe in our program.
On top of that is the development of the cybersecurity program itself. We engaged an expert cybersecurity firm to do analysis on all of our members and then put out a best set of controls for local government, and especially our members.
These joint insurance funds have been around since the 1980s, and they were born out of a time of crisis in insurance. All of a sudden back then, public entities couldn’t get insurance, so these pool programs popped up to self-insure as a group. Luckily, our leadership knew that risk prevention is a key to this model.
We applied the same framework to this cybersecurity program and included services as part of the group purchase program because we get lots of economies of scale. With the members’ purchase of the cybersecurity insurance are also vulnerability scanning, penetration testing and employee training, which are three of the most critical things we can offer.
R&I: What is the biggest challenge facing the market right now, and how can we meet it as an industry?
EC: The biggest challenge right now for the cyber market is understanding the risk of the clients they’re insuring. They’re all taking different approaches right now.
The ultimate goal is to see the complete inner workings on a day-by-day basis of any organization’s cybersecurity program, but it’s unrealistic. I think with the public entity sector in particular, it’s a great roadmap for them. We took one industry and focused on the local government’s base and all of the claims and the challenges and put the program together.
We’re not putting together a program that will eliminate 99% of all possible claims, but the program will eliminate probably 99% of all the claims that are typical of the public entity sector. So don’t just create a program with the same blueprint for every space.
R&I: What is your brokerage philosophy writ large?
EC: Coming out of college, I was a finance major, but graduating in the financial crisis of 2008 and 2009 — not a good time for finance jobs.
Insurance found me, as it’s done for many people and for many decades. It hit something inside me, looking to help people and solve problems, which is the core of my approach.
With anything I’m doing, I want to make sure that I’m helping them, not just saying “You need cyber insurance.” I want to explain why they need the coverage, the risk involved, and then how we can prevent the risks from ever actually happening. &