Cyber Insurance: When, How, and Why You Need It with Limit’s Shea McNamara

Jara Rowe: Gather around as we spill the tea on cybersecurity. We are talking about the topic in a way that everyone can understand. I'm your host, Jara Rowe, giving you just what you need. This is The Tea on Cybersecurity, a podcast from Trava. You're listening to Episode 10 of The Tea on Cybersecurity. We've covered so many topics on cybersecurity so far, including risk management, and how to create a plan to mitigate a company's potential risks. But what if something actually happens? How is that company even covered? That is exactly what we'll be talking about today. This is where cyber insurance steps in. Today, I have a special guest, Shea McNamara, co- founder and head of sales at Limit. Hi Shay.

Shea McNamara: Hi ya.

Jara Rowe: How are you today?

Shea McNamara: I'm great, thank you.

Jara Rowe: Can you go ahead and give the listeners a bit of background about yourself and Limit?

Shea McNamara: Absolutely. My background is insurance. I started my career at AIG, behemoth in the insurance world, and my focus was on public companies' management liability. And I did that for a few years, learning the underwriting of risk overall. Then moved to the brokerage side, and I was a broker at Aon for 11 years total. I was a broker, and then I was an actual producer, a salesperson within Aon as well. And then, I left that world to do a stint at JLT. Then I joined an InsurTech. I helped start an InsurTech called Coalition, which was my first foray into the InsurTech world. And Coalition is a cyber insurance company, they do some security too, and I was the first employee there and helped build that business from scratch. Did that for about four years, and then moved to build Limit, which is my current shop. And we're a digital specialty wholesale brokerage business. I'm co- founder and head of sales here at Limit.

Jara Rowe: So what is the actual brokerage system?

Shea McNamara: It's like a marketplace. When you need insurance for your business, or for your home, or whatever, it's like what you see; every other commercial in America today is an insurance commercial, right?

Jara Rowe: That's true.

Shea McNamara: It's same idea. Okay, it's not car insurance, or home insurance, or life insurance; it's commercial insurance and specifically cyber insurance. And what that means is, you've got to go and get insurance for your business in the event that there's a loss, or an incident, or a ransomware, or a DDoS attack, or whatever it may be, that then is affecting and damaging your company. And so that's when you need a broker usually to go and help you get that insurance. It's not like you can go online and get immediately five, six, seven quotes for your cyber insurance of the business like you would for your car insurance. It's more sophisticated, and it needs more underwriting by the insurance carriers, but also more brokerage and advice from your local retail agent. And they know what they're doing; you got to use a broker, because you got to make sure that that coverage works when you need it. The brokerage world is like a consultant and an advisor to the business owner. And it's a very important piece,'cause when the proverbial poo hits the fan, you got to be ready, it's got to work, and you need that broker to be there to help you and the insurance coverage kick in the way it's supposed to.

Jara Rowe: Awesome. I learned something new; I hadn't really heard that brokerage term before. So I want to take a step back out of insurance just a little bit, just to talk about cybersecurity as a whole. Why do you think so many people find the cybersecurity industry so confusing?

Shea McNamara: Technology, as we know it in human civilization today, is confusing, right? Look at what's happening out there between syncing your iPhone to your car; technology is taking over our lives. Some people have fridges that now have software and have connectivity to the internet. It is getting to be super tech oriented, and it's permeating every industry. Many, many things are connected to the web automatically. Everything's connecting to each other through Bluetooth, or through Apple Play, or wifi. So there's more and more connectivity of technology assets in every way, shape and form. And that's in business too. And the problem or the challenge... it's not a problem, because usually these things are really helpful for us as human beings, but it's confusing. How does it actually work? How is it that these things connect, and why do they connect that way, and what code is behind it? And it's literally different language. The way these things are programmed are different languages, and that's changing every decade or so, in terms of what computer language and what coding language is being used. So it's very confusing for the average person in the business world and in our personal lives to figure this stuff out. And that's why we've seen a massive focus on cybersecurity, because the world of criminals and people trying to get an edge, they find exactly situations like this, where people don't quite understand what's happening, they're not quite familiar with how these things work; that means they're vulnerable. They don't know how things function. And it's not anybody's fault. We're all human beings, we're all trying to learn as much as we can every day. But what's happened is the criminal community has realized there's a great opportunity to make money. And so you've seen over the past decade or two, the hacking community used to focus on really big trophies, like Apple, or the CIA, or Walmart or whatever, and they'd hack into those networks and be like, " Look at me. I'm such a great hacker, I'm cool." And it was kind of this bragging 20 years ago. That film, WarGames with Matthew Broderick in the'80s, that was a hacker meme and it still exists today. People love that film in the hacking community. And so it's shifted though now to making money, because now people actually realize, well, if I can hold Walmart, or Home Depot, or Apple, or whomever ransom and freeze up all their websites, or freeze up their data, or whatever it may be, I can get inaudible-

Jara Rowe: Yeah.

Shea McNamara: And that's why cybersecurity has really blossomed, and really become such an integral part of the business world today.

Jara Rowe: I was shopping with my mom recently, and was talking to her about Apple Pay and Google Pay, and she was asking me how does it actually work? And I was like, " It's magic inaudible." It just happens.

Shea McNamara: Yes, it inaudible. Exactly. I do the same. I'm still try to teach my pops the difference between a text message, and an email, and WhatsApp, and all these others, it's hilarious.

Jara Rowe: So I will say through hosting this podcast, I've learned more about cybersecurity, and I don't find it as intimidating as I did previously. I'm not as confused about some of the terminology and things that we use. But when it comes to cyber insurance, that is a little different story for me, like what is a brokerage? I had no idea. So you started answering this question earlier, but just to reiterate, what is cyber insurance?

Shea McNamara: It's a big question. It's a big segment of commercial lines insurance these days, and it kind of didn't even exist till about 15, 20 years ago. The whole concept here is basically merging your old world insurance. Remember insurance as an industry is 400 years old. It's a really old industry.

Jara Rowe: Wow, yeah.

Shea McNamara: 400 years old. It's a$ 5 trillion industry, so it's very much a chunk of the commercial world that is ever- evolving, because risk is ever- evolving. And so companies, over the years, we were talking about the hackers from WarGames, and they would break into these networks to be like, " Hey, look at me. I'm such a good hacker; I can break into the Walmart network," or the Home Depot network, whatever. And what started to happen was companies were losing money. They would have data, and PII it's called, Personal Identifiable Information, which is protected and, they would have it leaked. That was the Sony stuff, and the Home Depot stuff. And they were able to really affect these businesses on a day- to- day basis, and have them lose credibility, lose reputation, lose money, actual money, lose data. So the insurance companies were like, well, let's insure some of these, not just the losses and the actual money that is stolen from a bank account through a fraudulent funds transfer, or the data that's stolen from a bunch of people's information, their Social Security Numbers and credit card numbers and that sort of thing. And then, they created this cyber insurance, which was a combination of liability insurance and property insurance and all these other things. And liability insurance is when you get sued. So you have a liability within a cyber policy. So in case you get sued like Home Depot or any of these shops that had a breach, they're going to get probably sued by the people who were affected by that breach, saying, you lost my data, and I'm going to sue you because that data's private. And that sort of thing, it is covered under a cyber insurance policy, that liability piece. The property piece, when that cash disappears from your operating cash checking account, that is intended to be covered, that's a funds transfer fraud, they call it. Reputational harm, right? Let's just say that you lose clients and customers, because your business was hacked and you've got to build back that reputation, and make everybody trust you and appreciate your business as a partner; that also is going to be covered under a policy. In terms of any type of business interruption is another angle. Business interruption is when you can't get to your data, or your website's down, or whatever and you're losing money, because you can't conduct business the way you historically had. That is also going to be covered under a cyber insurance policy. And then there's bells and whistles that are covered too as part of all of that. But that's the intent, all right, is the intent of these policies. And by the way, this is very important; every policy is going to depend on the claim. None of this is automatic, it's all depends on the claim, it depends on the coverage you've got in the policy, which is why you need to work with a good broker, but that is all intended to be covered by a cyber insurance policy. Both the physical damage, the digital damage, their loss, the liability, the legal situation, the reputational situation and the downtime; all that is going to be intended to be covered by a cyber insurance policy. Let's just think about that in the grand scale of insurance. Every company in America is buying property insurance. They have to buy and protect the property that they own, their machines, their office space, their laptops, all that stuff. They also buy liability insurance, general liability insurance. So when somebody comes in and slips and falls, and hurts themselves, or whatever it may be on the premises of the insured, that stuff is covered, right? They're buying all these insurances every day. And what businesses need to learn, and this is where the cybersecurity plays a bit more, is that they're also exposed to a cyber attack, a cyber incident, because it's not just the Home Depots, and the Targets, and the CIAs, and the Googles that we talked about before; now hackers are focusing on small businesses. They have for the past five, six years, because they realize they're not sophisticated users of technology, and therefore, they may be easier to hack. So all of these business owners need to be very aware that they have an exposure here, a real exposure. And a lot of business owners think, " Oh well, man, I stamp rubber mats for trucks. I don't have any cyber exposure. I'm not a digital company." But often cases when you scrape under the surface and look at the actual business, those stamping machines might be controlled by wifi, right? And on the factory floor in Wisconsin, all those machines, and they're multimillion dollar machines running every day, stamp stamp, stamp, stamp stamp. What if through the wifi, a hacker gets in and turns those machines off? Or what if inaudible comes in and turns them on, so they overheat or whatever? All exposures that are real happening today, right now around the world. And that's a scenario that people don't often think about. They think because they just are doing rubber mats, they're not a tech company, they're not exposed. They are exposed though.

Jara Rowe: Definitely exposed. Even when you were mentioning that, how do you accept your payments? I'm sure you're accepting digital payments and things like that, which is just a different set of risks as well.

Shea McNamara: That's exactly right. In terms of credit cards, how does that credit card scan? It goes through digital connections to the clearinghouse, which then checks to see whether you have a balance or not, and then it accepts the payment or doesn't. So it's all digital. It's all technology.

Jara Rowe: So you're mentioning a little bit about cyber liability insurance. Is there a difference between cyber insurance and cyber liability insurance?

Shea McNamara: In general, it's combined into one policy. Sometimes businesses buy, and then a small bit of cyber coverage through their general liability or through their property policy, and it's like an endorsement or an add- on, if you will, to that policy. It's just like your homeowners, right? If you've got jewelry, or you've got collectors antiques or something, you need to list them specifically to your insurance policy for them to be covered. It's the same idea with cyber, where you can just add on that coverage to your property or general liability, but it's very basic. You need more and more these days. If you've got more than a few million bucks in revenue as a business, you need a standalone all- inclusive cyber policy for your business, because it's going to give you proper coverage with different types of incident response teams and security teams that could come help, and various types of lawyers that help you with the breach, called the breach coach. So there's a lot of resources you get in addition to that insurance policy. So, I recommend that companies are always buying a standalone cyber insurance policy these days.

Jara Rowe: So I've heard you talk about a little bit like who it's for, and I think the answer is everyone, but I'm going to ask the question again. Now that we have a better understanding of what cyber insurance is, who is it for, and why is it important for that company to get it?

Shea McNamara: It is for any company that has any type of technology, okay? And again, people think they don't have technology, but actually when you look at it and you scratch under the surface and you do a little questioning, they realize they're doing emails all the time, with transferring funds, or transferring customer accounts or whatever. And the hackers are very clever, they can figure out ways to get that information from your email system, and get your account number, or get an invoice and change the account number without you knowing about it. There's all sorts of exposures that are out there. So basically, every company should be buying a cyber insurance policy today. It's just so ubiquitous, this risk, and the hackers have learned to make money on it, and they want to make more money, they want to find more victims. So really, it's not a matter of if they need, it's a matter of when they need it. It's a risk transfer tool. If you can imagine... let's use the rubber mat stamping company. Let's just say that they have an event happen, and they can't use their machines, and it's like the busiest time of year for buying of these rubber mats. And at the onset, they're printing their rubber mats, custom- made for trucks across America, great. And then all of a sudden everything shuts down, just in their busiest month, let's say it's October or whatever, then everything shuts down, and the hackers have gotten into their systems and they shut the machines down and they say, " Okay, Mr. And Mrs. CEO of rubber stamping company, we're going to get paid in order to release these machines, you got to pay us a million bucks." Imagine how impactful that is on the balance sheet and the financials, the income statement. Now, that company has to go pull a million bucks from its operating cash, or its savings, or its... whatever, go get a loan, whatever it is, to pay these people to get back in business. And if you've got a cyber insurance policy in that situation, you've got a lot more resources to help you... to pay that ransom, to fight that ransom, to advise on how best to manage that ransom. And now you're not having to go and immediately pull all of this cash, which then, of course, potentially means you can't pay your employees, or can't pay certain credit lines that come up on time. The insurance is there to really be a massive, massive tool on your cash flow. And sadly, that's where we are today, is that when these hackers come in and they've got ransom, they often... you can't get around it. If you've got amazing backups, yes, you can get around it. It takes time, but you can get around it. If you've got any type of urgency around getting those machines back up and running, the best way to do it is to pay the ransom. And the insurance carriers help you actually reduce it in many cases. Good insurance companies can say, " Oh no, no, no, no, Mr. And Mrs. Hacker, we're not giving you a million bucks. We'll give you$250, 000," and then the hacker's saying, " All right, all right, all right, $500, 000." And then it's this negotiating. But then it pays and you're backup and running. And now for the month of October, you're stamping mats the way you meant to, and you're not massively out of pocket for your busiest time of year.

Jara Rowe: Awesome. I mean, not awesome, but-

Shea McNamara: Yeah, no scary, but-

Jara Rowe: It is terrifying-

Shea McNamara: Yes, it's-

Jara Rowe: ...terrifying, for sure. So like most things, there is always a shift, and I know you mentioned that cyber insurance has been around for about 15 or 20 years, so how has cyber insurance changed over the years?

Shea McNamara: It's evolved a lot. Early days when I was at Aon, God, that was 10 years ago now, there was this kind of frustration with the lack of fit that cyber insurance was providing. So you had the big technology companies out there, and they're exposed to hacking. They know what's going on. They have CISOs, they have security teams, all this stuff. And some of them were buying cyber insurance, but some weren't. And the reason was that the cyber insurance wasn't filling the need as efficiently as they had hoped. So one example is business interruption used to be in a cyber policy, this may not be perfectly accurate, but it was something like, okay, technology firm, you buy a cyber insurance policy. If you get hacked, you have to be down for 24 hours, or 48 hours, or a week before the insurance kicks in. In other words, you're sitting there not making any money, your business is stalled, and you have to wait a few days, even a week before the insurance money kicks in, to make you whole from that week being down. It's a long time.

Jara Rowe: It's a really long time.

Shea McNamara: And when you're companies like an Amazon, or an eBay, or any of these e- commerce companies, that's a huge loss. So their approach is, " Why would I buy this at all? It doesn't cover me realistically for my needs." And so the insurance community, again, a 400- year- old industry Is a little slower to change than we'd like in some cases, but they're getting there. And so what they did, they slowly evolved that waiting period, business interruption waiting period from a week to three days, to one day. And now in 2023, we're at 12 hours or eight hours as a waiting period for business interruption, for example. And that's significantly better. And so that insurance product, if you will, all the insurance carriers, they all started to be like, okay, we need to make our product better for our insureds, for our users. And then if it's a better product, people will pay for it. And so that's what's happened is it's gone from not a great fit as a product. That's just one example of the various kind of incongruencies with the community that needs insurance, and the company that builds insurance, the carriers and the insureds. And so they finally have gotten to a point where it's much better connected in terms of how the product works, and response to claim, and the needs of their insureds. So it's evolved quite drastically over the past 20 years. And now, it works quite well. We've got a lot of evidence around how cyber insurance saves companies, literally saving companies from default and bankruptcy.

Jara Rowe: That's a great evolution to help save those companies. So now what do you think the future of cyber insurance is? Is there any trends that you think may come up?

Shea McNamara: I think there's a much larger move amongst the business community toward addressing this risk. It used to be even just four or five years ago, it was kind of a, " Oh, that's never going to happen to me." That's what the CEOs would say, and the owners of the businesses, " Oh, that's not going to happen to me. I'm not a technology inaudible," and they'd just kind of blow it off. But actually, it's definitely grown. And the example I always used was companies buy property insurance for their warehouses, and that's going to cover stuff like a fire, or a hail storm, or a tornado, or whatever. And I'd asked these CEOs, " When was the last time you had a tornado that tore your entire warehouse down?" " Oh, well it's never happened Shea." " Okay. Well, interesting. You spent all that money all these years on a tornado. When is the last time it hit the area?" " Oh, not in the past 20 years." Okay, well let me tell you, the odds of you getting a tornado destroy your warehouse are inaudible small. And the odds of you getting attacked by a random cyber attack out there that's just walking around looking for victims based on very simplest of vulnerabilities, is much higher than that. So if you're spending all this money over years and years of insurance on your property, you shouldn't spend money on your cyber too. So there's a movement toward awareness and fixing problems, and avoiding that vulnerability, which is great to see. That's really a big step. More and more companies are buying cyber insurance as well. They're often in tandem, so want to go get insurance, but oh, they don't have this security in place. So they often are doing both at once. So the security industry gets more demand, more awareness, but so does the cyber insurance industry. One trend I think that's really interesting is the requirements for getting insurance are getting higher. So it used to be as long as you had a website, and you had revenue, and you weren't some crazy wild industry, you're just in a normal business, you could get cyber insurance pretty easily. And that's changed over the years to now they say, well, we give you cyber insurance, but you have to have MFA in place, that's important. Or you've got to have a endpoint detection system, or you've got to have encryption on all your systems, or you have to have a verified backup and triage situation for any type of ransomware. The requirements are getting a little bit higher and higher. And so that's because the insurance carriers are getting smarter, and they're realizing that, " Oh, well all these claims we had back in 2021 were because of MFA or lack of MFA." Again, they're slow, but they learn, and they're requiring you to build in more security into your system before you get insurance. For example, you build a skyscraper, or a bridge, or something, right? The property insurers come out and they make sure you're pouring that foundation and they check it. And they come in and make sure those sprinkler systems are all being designed properly across the entire skyscraper. And that is exactly the same for cyber insurance. It's starting to become more of a, let's make sure Mr and Mrs. Business Owner that you've got the right kind of infrastructure in place to make sure you're secure. So that's a trend, is that more and more security needs are in place before you get your insurance, or in order to get that insurance.

Jara Rowe: So listeners, I feel like this is just one more episode that we've talked about MFA and why it's important. So make sure you enable that in any program that you're using; it's just going to help save you in the long run. That's been a takeaway in almost all of the episodes so far, be that important. So Shea, I know that Trava is fortunate enough to partner with Limit. So can you tell me more about this partnership and how it'll be helpful to our customers on both sides?

Shea McNamara: Absolutely. We're very excited about the partnership with Trava. We kind of pan back and look at the industry as a whole. We've learned that business owners generally want to be able to protect their businesses in the fastest, most efficient way possible. And as they become aware of how to do that, then they're taking advantage of that. But some still don't know how to do that. And so, they'll come to us, or they'll come to you guys, vice versa, and be able to say, " Hey, I need help getting these things in place." And by doing that and partnering with Trava, for us, we're able to send you guys companies that need help, and need a little guidance on how to set these things up. And that's really valuable because ultimately, our goal in this industry, in the planet, in this country is let's prevent the claim from happening in the first place. So let's help them protect their business from the core. And that's what you guys do at Trava, and that's really valuable, helping them avoid the claim in the first place. But no security is ever perfect, right? It's never 100%. And so that security net that Limit can put in place is that insurance policy, and that ability to know and sleep tight that hey, in case the insurance or the cybersecurity pieces and those features don't avoid the claim, then if it does happen and we do get breached or hacked, we've got this insurance policy in place that'll help us too. So it's just another set, another initiative to protect your business in every way, shape and form that you can. And the partnership I think is really valuable, because generally, our community, our customer base is brokers, brokers that need help getting cyber insurance, and they have a very, very powerful relationship in the industry, and that's the relationship with the business owner, the insured. The trust factor between the business owner and the broker is very, very high. It's the most trusting relationship in all of them. If their broker says to them, " Hey, Mr. And Mrs. CEO, I can help you solve these things. I'm going to connect you to a very respected group, Trava. Trava will help you solve these items, and check that list," and then you can go get the insurance you need at better pricing and better coverage. And that's the beauty of the relationship and partnership that we've got with Trava, that we're very excited to build upon.

Jara Rowe: Yeah, that's awesome. I love that the partnership is definitely going to help people sleep better at night, because who wants to be up worrying about their company being hacked, and then how it'll all be covered? And before I let you go, is there anything else that you would like to discuss or drive home?

Shea McNamara: I think we all have to just remember that in our businesses, things are changing every day, right? Change is tricky, change is hard, but we've all... it's the only guarantee in the world is that things are going to change, right? That's the only guarantee. And so we've all got to keep our minds open, and our perspectives open about how to protect our businesses as these things shift and change, and getting really good security solutions and really good security advice from Trava, getting good products and solutions from us as a broker, that's where we need to begin. And so that's what I'd like to end with.

Jara Rowe: Cool. It was great talking to you to learn about cyber insurance. Listeners, thanks for listening to Episode 10 of The Tea on Cybersecurity. Stay tuned for Episode 11 as we discuss how to think about your security journey when building your MVP product. Now that we've spilled the tea on cyber Insurance, it's time to go over the receipts. I have quite a few takeaways that I got from this conversation with Shea. One, brokers, they just help to get insurance. It's something that you'll have to do more underwriting, especially when it comes to cyber insurance. So it's relatively easy for a lot of us to get auto insurance policies. You can just get online, and it's typically relatively standard. You cannot do that with cyber insurance. So a broker helps you think and match you with the best policy for you, because it could be different for many companies. Next, cyber insurance is just a safety net for cyber security. You should have those standards and requirements in place to be safe and secure, but there are some times where that just doesn't happen, and you need that extra safety net. And so that is where cyber insurance comes into place. And it can include things like liability insurance, helps with property, reputational harm, and business interruption as well. So cyber insurance is something for all businesses. Which leads me to my next takeaway; cyber insurance is for everyone. Whether you think that you deal with technology as often as you do, we all, in all businesses, deal with some form of technology. And so if you deal with that, it is a no- brainer for you to get cyber insurance. Another receipt that I have is about business interruption. Shea mentioned that cyber insurance, that segment of insurance, has only been around for about 15 or 20 years. And one of the way it has been changing over time is with business interruption. And it used to be a week or so, they would make you stop your business for about a week. And I honestly can't imagine that for any business not being able to operate that long. And so over time, business interruption has been able to decrease. So now, you may only have to stop business for maybe just eight to 12 hours instead of a week, which I'm sure is a lot better for everyone. I hope you learned a lot from this episode of The Tea on Cybersecurity. Thanks for tuning in to The Tea on Cybersecurity. If you liked what you listen to, I would be greatly appreciative if you could leave me a review. If you need anything else from me, head on over to Trava Security. Follow wherever you get your podcasts.