Cyber Insurance Decoded: A Focus on SaaS Companies with Trava’s Director of Insurance, Ryan Dunn
Jara Rowe: Gather around as we spill The Tea on Cybersecurity. We're talking about the topic in a way that everyone can understand. I'm your host, Jara Rowe, giving you just what you need. This is The Tea on Cybersecurity, a podcast from Trava. The more I learn about cybersecurity, the more I understand that no system is completely secure, but cyber insurance is a way that companies can add an extra cushion if something were to happen. In season one of The Tea on Cybersecurity, we had an entire episode dedicated to cyber insurance. We covered what it is, who it's for, when to get it, and everything in between. On this episode, we are specifically talking about cyber insurance as it relates to SaaS companies, and we know, I'm not a cybersecurity expert and I have even less knowledge of cyber insurance, but that is why I have the guest with me today. I would like to welcome Trava's director of insurance, Ryan Dunn. Hey, Ryan.
Ryan Dunn: Hello, Jara. How are we?
Jara Rowe: All right, how are you?
Ryan Dunn: I'm doing great. Ready to talk about cyber insurance, cybersecurity, specifically relating to how SaaS companies can procure cyber insurance correctly, and all the other topics above.
Jara Rowe: Yeah. Fantastic. So you are a new voice to our listeners, so please go ahead and introduce yourself.
Ryan Dunn: Yeah, absolutely. Ryan, as Jara introduced me, director of insurance here at Trava. I've always been in the insurance world for just about eight years now. I've been surrounded by cyber insurance for about eight years as well. I also was a retail agent that focused primarily on SaaS companies, and so I have a lot of experience in procuring cyber insurance for a SaaS-like entity, but also other types of industries like manufacturing, healthcare, public entities. Really, at the end of the day, any business should be procuring cyber insurance. We rely heavily on our digital infrastructure to conduct business, and therefore, no matter whether or not you are in one of these categories that cyber tends to be more prevalent in, you should definitely be looking at transferring some risk over to a cyber insurance policy.
Jara Rowe: Yeah, it's important, and you introducing yourself just shows that you're the perfect person to talk to about this stuff. All right, so as I was reviewing my questions, there were a few terms that kept popping up that I am not completely sure what the meaning is, and I would feel like I'm doing an injustice to me and some of the other listeners that may not be familiar. So my first question is, "What is an insurance premium?"
Ryan Dunn: Basically, it's the cost of the policy for the insured throughout the year. So it's typically reflected in an annual amount. Right now, agents can offer monthly payment terms or premium finance terms, or quarterly payments. It's really up to you how you want to pay it, but whenever you get that premium number in that quote, it's an annual number, not a monthly number.
Jara Rowe: Okay, cool. All right, so let's dive right in. So how do insurance companies assess the cyber risk of a SaaS company?
Ryan Dunn: Yeah, that's a really good question. So there's going to be a few different things, especially related to SaaS. Number one, and most importantly, they're going to be looking at their master service agreement because you're not only writing a cyber policy there, but it's also accompanied by a tech policy, which technically is going to be your professional liability. So if you think about it this way, when you're a lawyer, you're giving advice, so that's consulting, and therefore you need to have what's called an errors and omissions policy, your professional liability policy. When you have a piece of software, it has an obligation to perform a duty. And so if that software fails, let's say it's a software that runs a train track, and that train goes off the track, crashes, that's a failure of the software's duty to perform there, and therefore that falls into an E and O bucket, right? The reason why the two are tied together is because if that software failed, did it fail because it was a failure in the code? Did it fail because there was some type of cyber breach? And so it falls into this gray area, so you're going to need both those policies tied together so you don't have two different ones. Even if it's the same carrier, sometimes they have it on two different, what we call paper. So you really want to have that on the same paper. So they're going to be looking at that MSA, first and foremost, to see your limits of liability. From there, what we are seeing is, obviously, the MFA button is hot, it has been hot, and it's going to remain hot. I'm foreseeing it's going to become even more strict on what type of MFA you have. I don't see it happening right now, but as we enter into a hard market or just a more difficult market, we're going to see new underwriting guidelines come up. So my thought is, naturally, we should be looking at, "Okay, great, you have MFA, but to what extent and how are you doing it? Is it through SMS? Is it a third-party app? What is the form of MFA?" They're also going to be paying super close attention to EDR, so they're going to be asking for proof of EDR, which is endpoint detection and response, and that's going to be looking for 80% or above of your endpoints covered for them to even provide you a quote. And most of the time, they ask you for proof, so you will provide like a printout, a spot in time. Those are the most important things. If we look into some other areas, you've got CVE vulnerabilities, which are your external vulnerabilities, that's going to be a big one as well. They're going to be seeing like, "Hey, are you using a vulnerability management platform similar to how Trava is a vulnerability management platform?" So they're going to be like, "Hey, are you using that? How often are you guys checking the vulnerabilities and fixing them? What's your MTTR?" Which is going to be the time it takes for you to fix a vulnerability, right? The average time. So those are the things that they're going to dig into. Lastly, this is something that is another little bit in the future, but these software companies have code, and they frequently push out updates. We had Trava put out updates pretty frequently. The problem with putting out frequent updates is, there can be new vulnerabilities in each update if it's not [inaudible]. And so they aren't doing this now, but it is something that they're looking at, and that's web app data scans, and that's going to be like, "Hey, we just want to see if you guys have any vulnerabilities in your code currently." Maybe there'll be some type of compliance where they check it quarterly, but if you look at the Target hack the whole way, the reason that came through was it wasn't software, it was an Internet of Things thing, but they updated the device on the HVAC system, and that's where the hacker got in. So it just goes to show, whenever there's a new update out there, you have to be super cautious about it. But yeah, those are a good amount of things that carriers are going to be looking at.
Jara Rowe: Yeah. Wow, that's a lot. But thanks for going over all of that.
Ryan Dunn: They're still with us.
Jara Rowe: They're still here. I know they are. And thanks for clarifying some of those acronyms. I was definitely going to ask what EDR meant.
Ryan Dunn: I saw you writing. I saw you writing from that sheet. I'm not going to let her ask. I'm going to...
Jara Rowe: Yeah, I appreciate that. And then you mentioned MFA, which almost every episode of the podcast, someone has talked about how important MFA is.
Ryan Dunn: Yeah. Which is awesome.
Jara Rowe: Yeah. Listeners, make sure you are using MFA. It's a necessity. All right, Ryan, so when it comes to a strong cybersecurity posture, how does that impact an insurance premium?
Ryan Dunn: Yeah, this is the biggest frustration in the cyber insurance world. Right now, there's no set path, it's like, "Okay, this is your path to getting a better insurance premium." It's not set in stone. However, there are some half-steps being taken by some companies to do that. I know one carrier, Berkeley, is looking at doing that. Like, "Hey, if you provide us this type of information, we'll look at some type of premium credit there." It is the holy grail that everybody is working towards. How can we reward our customers, our insureds, to have a better insurance premium or coverage if they are investing in their cybersecurity stack? Because what's happening is people are investing in their cybersecurity stack, they're going out for the renewal, and their premium increased, and they're like, "What? I'm more secure. Why am I?" Obviously, some of it's out of their control. Everybody needs to understand that rates get set every year. And so even if you have an improved posture, let's just say it was related to property, you could bolster up your property with concrete everywhere and whatever, bunker it down. But if a category five hurricane hit and knocked out a bunch of buildings, your premium is still probably going to go up even though you invested in your infrastructure. So in cyber insurance, it's the same thing. You're not always going to be rewarded if you retroactively look at your last year's premium. However, you can be rewarded if you look at it towards, "Okay, what is everybody else renewing at? What is their premium increase?" It's like, "Okay, is everybody getting a 120% increase and I'm only getting a 30?" All right, that's a win. So people need to first have a good mindset as to what does winning look like in this. And then, second of all, Trava and other companies, we're working towards rewarding people for investing in their cybersecurity. That's a big part of what Trava is doing. So we're working heavily towards that, trying to leverage the agent to procure more information for their client in order to get better premiums and coverage. So empowering the agent to do so is a big belief of Trava.
Jara Rowe: For sure. All right. So again, throughout these episodes, we've definitely learned that you need to have your cyber risk management in place pretty much from day one from a SaaS company. So the next step, I would assume, is making sure we have enough coverage, which we were just talking about a bit. So how can SaaS companies ensure they have adequate coverage for their needs?
Ryan Dunn: Yeah, I can go in a couple of ways here. One way, we can talk about how there's not really good information out there, and we can talk about why. Another way, yes, there is a way SaaS companies can try to get an idea, but I'm telling you right now, there's not a great way. So right now, if we look at the purchasing behavior across the board, even in SaaS, it's either driven by a contract request. So you're in a SaaS company and your vendor is saying, "Hey, I need 10 million in limits." So you're like, "Oh, okay, I got to give you 10. I only have 1 million." So that's a big driver of purchasing behavior. Another piece of purchasing behavior is agents selling a cyber policy with inadequate information. And so even if it's a $50 million SaaS company, they're still throwing a million-dollar limit on there, and just off of ballparking it, that's not accurate. And so the problem is, a lot of that is going on, especially the latter, where a lot of people that shouldn't be buying 1 million in limits are buying it. And so whenever you look historically, "Okay, what is a company my size buying?" It's filled with false data because it's not an educated purchase. So that is a huge issue in the industry. And to make it even worse, financially quantifying your risk is a very difficult task to perform. And so there's people out there trying to do it, but if it's accurate, I don't know. If I were a SaaS company and I were procuring insurance, I would buy as many limits as possible.
Jara Rowe: All right.
Ryan Dunn: I would...
Jara Rowe: Better safe than sorry.
Ryan Dunn: Give me 5 million in limits.
Jara Rowe: Cool. All right. So what happens if a SaaS company's cybersecurity measures, their strategy, is deemed inadequate?
Ryan Dunn: What happens?
Jara Rowe: Hmm. I guess, when they're in the insurance sense, does the agent typically make them go back and fix things before they're insured?
Ryan Dunn: Yeah, yeah, yeah. So this is a big problem within the insurance industry as well. It's a reactive situation where a lot of these companies are just filling out the application, sending it in, and they give it to the agent. The agent just pushes it off, whether it's direct to a carrier or to a wholesaler, and then that wholesaler is just pushing that paper as well. So people aren't, they're not consulting, they're just paper pushers at the end of the day. A lot of the time because, frankly, they're insurance experts, not cybersecurity experts. And so it's tough for somebody who doesn't know what data backups and all that stuff look like and what's good and what's bad. So what's happening is they send it to the carrier, and the carrier's like, "What the hell?" And some carriers and MGAs are also using vulnerability scanning. And so if the agent doesn't use a vulnerability scan prior to going out to submission, they're kind of hoping and praying their client doesn't have any open ports, and they can just quote it and bind it. And that's happening a lot where they have open ports or they have compromised credentials, they have CVE exposures, and the agent doesn't know this going out to market, and you only have one shot at going to market. Once that underwriter has to get through hundreds of submissions, I mean, they're bogged down. And so also, this is just a shout-out to agents. If you want to get better at placing insurance, talk to underwriters, get to know their lifestyle, because you'll understand more as to why you need to put in a clean submission. Back to my reactive rant, you're hoping and praying in your submission, you aren't confident in what's going out there. And so, what does that do? You run the risk of getting no quotes for your client. You run the risk of the submission only hitting one or two carriers, and so you're going to get ineffective pricing and possibly ineffective coverage. And so what you're doing there is you're not putting your client in the best light possible to get a good quote, and that's what happens in a reactive stance. You're leaving it up to chance. And so I highly suggest, and we highly suggest, that they do these things ahead of time prior to going out to renewal. Getting your client in good shape, getting a good underwriting presentation put together, and actually getting your client good pricing and good coverage.
Jara Rowe: Definitely. You talk about reactive versus proactive a lot, which is why we have a future episode about reactive versus proactive cyber risk management.
Ryan Dunn: Stay tuned.
Jara Rowe: Yes, stay tuned. All right, Ryan, so another term that I hear you talk about a lot when it comes to insurance is continuous cybersecurity. So how does that impact insurance coverage? I guess, start by, "What is continuous cybersecurity, and then how does that impact cyber insurance coverage and renewals for SaaS companies?"
Ryan Dunn: Yeah, I think it's something, a thought that's shared throughout the industry. I see Coalition putting out stuff around continuous cybersecurity. There's some good players out there that are all over believing in this. Trava is a big believer in it. From an agent's perspective, what does continuous cybersecurity mean? Okay, every single one of your clients has an IT company or an external MSP, and they've had them for probably 20 years, 15 years, and they haven't moved off. And whenever the cyber conversation comes up, there's a good chance that MSP or the internal IT staff gets super defensive, but your job as an agent and a risk manager is to check and make sure that cybersecurity is up to par. Now, obviously, you're a cyber insurance expert, you're not a cybersecurity expert, so how do you do that? This is going to be somewhat of a shameless plug, but it's the only solution I know out there. You need to deploy a platform like a Trava, and you also should have a partnership with either a vCISO or another external MSP team. And you should be doing quarterly checks on their cybersecurity posture and making sure that everything is good. Additionally, I highly suggest running scans on their external infrastructure and internal infrastructure on a monthly basis, at the minimum. This is so, number one, you're doing your job as a risk manager. Number two, you're differentiating yourself. So this would create a very sticky client that won't leave you, and you'll also most likely gain new clients from word of mouth from that, just doing that. So you're going to obviously get a stickier client, but you're going to also be performing your duty and making sure that their cybersecurity posture is up to par. And then, lastly, this makes the cyber insurance renewal seamless. You don't have to fix anything. You're good to go. You just redownload the information into the application, and you're all set. So continuous cybersecurity not only helps your client from, "Hey, they're going to stay secure," most likely stay more secure, and most likely not have a claim, but you're also going to be preparing them for that renewal coming up.
Jara Rowe: So helpful. Yeah, again, take cybersecurity seriously from the beginning, do all the things you need to do throughout, and it makes your life easier when it comes to everything.
Ryan Dunn: Yeah.
Jara Rowe: Yeah. All right. So are there any legal obligations for a SaaS company to have cyber insurance in place?
Ryan Dunn: That is a really good question, Jara. I would say there could be negligence around that, but I've never seen an example of that.
Jara Rowe: Okay.
Ryan Dunn: What could happen is, if you are a leader in the company or have more than 5% ownership in the company. There's something called a D&O policy, directors and officers. So what I could see happening there is, if they don't have cyber insurance, then the investors of that SaaS company could sue the directors of that company, which would fall under their D&O policy, and that's just because they had a fiduciary responsibility to protect the company and they did it. So I would be very surprised if their SaaS company didn't have cyber insurance, but if you don't, definitely get it.
Jara Rowe: Yeah. All right. So are there any industry-specific considerations for SaaS companies when it comes to cyber insurance? For example, how might the insurance needs differ between a SaaS company focused on healthcare versus e-commerce?
Ryan Dunn: Got it. Yes. No, I mean, there's good cyber insurance policies and there's bad. If you're a SaaS company, I would definitely push for any type of contingent business interruption or business interruption type of coverage. Definitely, every company across the board should have any type of funds transfer fraud, social engineering, invoice manipulation, obviously ransomware, and you want ransomware to be full limits. So those are our prime coverages that you need, especially if you're a SaaS company and you're running lean, meaning that you have a thin balance sheet. I would definitely look for language in a policy that has pay on your behalf. This is so that you aren't waiting for the claim to settle to get paid; the claim gets paid, and then it gets settled from there. So definitely look for something like that, especially if you're a lean operating SaaS company.
Jara Rowe: Yeah, that's awesome. That's a good tip. So speaking of lean companies, so for startups or smaller SaaS companies with limited resources, like you were just talking about, what are some cost-effective options for obtaining cyber insurance without compromising coverage?
Ryan Dunn: Like I said, if you're getting coverage, if you don't have social engineering coverage on there or invoice manipulation or funds transfer fraud and you're a young company or you don't have a ton of revenue, those are the prime coverages you need.
Jara Rowe: Perfect.
Ryan Dunn: Any type of business email compromise type of coverage is rule number one for a small company. Just that alone could knock you out. Obviously, get ransomware on there, but those are the main coverages that I would look for if I was like, "Okay, what are the core coverages that I need in my policy?" And that's what I would look towards. Business interruption is huge, but if we're talking about frequency, anything related to email and people, I would invest in that.
Jara Rowe: Yeah. We've also learned in season one that people are unpredictable and cause the majority of the issues when it comes to incidents and breaches, and stuff, so it makes sense.
Ryan Dunn: We all have personal emails that we type in similar passwords to our work emails, and that's why, we'll also be shameless here, get a password manager. So get a password manager and have it create randomized passwords for you for each thing.
Jara Rowe: Yeah, super helpful.
Ryan Dunn: That'll help you. And then, obviously, don't click on crazy emails.
Jara Rowe: Don't click on crazy links if you don't recognize who it came from, especially. All right, Ryan, so as we giggle away, I actually have some fun questions for you before I let you go.
Ryan Dunn: Okay.
Jara Rowe: So number one, what's the most bizarre cybersecurity myth you've ever heard?
Ryan Dunn: The most bizarre, oh my god, "My data's in the cloud. I don't need cyber insurance." That is classic. Classic. Like, "Oh, I got it with Google. We're good." And so that one's up still. That's been one I've heard, Jara, for the past five years. People have been saying that to me.
Jara Rowe: Yeah. Oh, my gosh. All right, so next, what's the best password you've ever seen? Maybe don't tell me what it is exactly if you're using it right now, but like...
Ryan Dunn: I saw it was at my old agency, the managing partner there. He created one long tail, 20 words, but it was literally a sentence from around his office, and I hope a hacker's not listening to this. I'm like, "Kid knows office, figure it out."
Jara Rowe: Hopefully, they don't know.
Ryan Dunn: He was like, I don't know if it was a real one or an example, but he showed me. I was like, "What? That's crazy."
Jara Rowe: That's perfect. All right.
Ryan Dunn: Really good one.
Jara Rowe: Yeah, good. The longer the better.
Ryan Dunn: Yep.
Jara Rowe: Okay. If you could create a cybersecurity superhero, what would their powers be?
Ryan Dunn: Easily, some type of MFA block, like if somebody was trying to get into your email, an identifier and destroyer of that. Or now if we get into the superpower itself, I would say it creates a sandbox environment, and so the hacker just goes into a sandbox environment and just gets stuck and wastes their time for days or months.
Jara Rowe: Perfect.
Ryan Dunn: That would bring satisfaction to me.
Jara Rowe: Good. All right, Ryan. Well, I definitely appreciate your knowledge when it comes to cyber insurance, but before I let you go, is there anything else you would like to run home about cybersecurity or cyber insurance in general?
Ryan Dunn: No, I mean, we covered some good stuff in here.
Jara Rowe: I have two sheets of notes right now.
Ryan Dunn: Let's go, Jara. I'm pumped. No, I love this podcast. I love the tea. And we spilled some tea today.
Jara Rowe: We did spill some tea today. All right, listeners, well, that wraps another episode of The Tea on Cybersecurity. Stay tuned as we talk about reactive versus proactive in cybersecurity and cyber insurance during the next episode. Thanks. Now that we've spilled the tea on cyber insurance for SaaS companies, it's time to go over the receipts. I thought all the information provided by Ryan was absolutely fantastic and made me understand this complicated industry so much more clearly. One of the first things I took away was for agents assessing a SaaS company's requirements and needs. So I took away four key things that Ryan went over when it comes to that. Number one being, they will look at a SaaS company's master service agreement, or MSA, which also includes a tech E and O, just to make sure that everyone's on the same page about everything. Another requirement is MFA. We talk about that in a lot of The Tea on Cybersecurity episodes. So more than likely, you will need to deploy MFA. The third thing would be EDR protection, so endpoint detection and response, they'll need to see what the company has in place for that. And then also CVE, which looks at your outside vulnerabilities. The next receipt that I have is about continuous cybersecurity, and Ryan pretty much said that it's a necessity for a company to be as secure as possible. It'll just help you make sure that everything is in order over time. Ryan recommends that you run scans at least monthly to just see where your holes or gaps are in your cybersecurity for your company. And Ryan also mentioned that as you do this, this continuous cybersecurity, it makes your renewal for insurance super easy down the line, you'll just have to upload the documents, and then you're done because everything is already in place. Another thing that I asked Ryan was, "How can a SaaS company ensure that they are covered properly by cyber insurance?" And Ryan said that it's kind of complicated, but he suggested that to make sure you have the most coverage is just to get as many limits as possible. And the final thing that I took away, actually, Ryan and I had this conversation prior to this podcast recording, but I think it's fantastic to mention here, is, when you are shopping around for cyber insurance, especially if you're a SaaS leader, it's important to have an agent that works in your niche because all agents are educated and equipped in different areas. And the best way that you're going to make sure you're taken care of completely is to have someone behind you that understands what you are working on. I hope you gained just as much knowledge as I did about cyber insurance and SaaS companies. Stick around for a future episode of The Tea on Cybersecurity. And that's The Tea on Cybersecurity. If you like what you listen to, please leave a review. If you need anything else from me, head on over to Trava Security. Follow wherever you get your podcasts.
DESCRIPTION
"Whenever you have a piece of software that has an obligation to perform a duty, like a SaaS company, the intersection of cyber insurance and professional liability is crucial. It's important to transfer the risk with a comprehensive cyber insurance policy to protect against both code failures and potential cyber breaches."
In the latest episode of The Tea on Cybersecurity, @Jara Rowe chats with @Ryan Dunn, Director of Insurance at Trava, to discuss the importance of cyber insurance as it relates to SaaS companies.
Businesses heavily rely on their digital infrastructure to conduct operations, making them vulnerable to cyber attacks and breaches. This is where cyber insurance comes into play…
Cyber insurance helps cover the costs associated with incident response, data recovery, legal fees, notification and credit monitoring services for affected individuals, and potential lawsuits. In today's digital age, where cyber threats are becoming increasingly common and sophisticated, having cyber insurance can help businesses mitigate the financial impact of a cyber incident and recover more quickly. Ryan breaks this all down in this episode of The Tea on Cybersecurity by explaining exactly why cyber insurance is a necessity, why the relationship between a strong cybersecurity posture and insurance premiums is currently a challenge in the cyber insurance industry, and the key factors insurance companies pay close attention to when assessing a company's cyber risk.
This is an episode filled with information you don’t want to miss out on. Listen to hear the tea on cyber insurance.
What you’ll learn in this episode:
- The importance of cyber insurance for SaaS companies and why all businesses should consider procuring it.
- How insurance companies assess the cyber risk of a SaaS company, including factors like master service agreements, MFA (multi-factor authentication), EDR (endpoint detection and response), CVE vulnerabilities, and web app data scans.
- The impact of a strong cybersecurity posture on insurance premiums and the ongoing challenge of finding ways to reward companies for investing in their cybersecurity stack.
Things to listen for:
- [03:41] SaaS policy and cyber breach liability, MFA and EDR requirements for insurance, and CVE vulnerabilities and vulnerability management.
- [08:55] Cyber insurance frustrations: uncertain path to savings.
- [11:50] Limited information hampers SaaS purchasing behavior.
- [17:27] Continuous cybersecurity is a shared industry belief. Trava is a big supporter. Agents should check cybersecurity and deploy a platform like Trava. Quarterly checks and monthly scans recommended.
- [21:34] Key cyber insurance policies for SaaS companies.
- [23:15] Essential coverage for small companies: email, ransomware, business interruption.
Connect with Trava:
Website www.travasecurity.com
Blog www.travasecurity.com/blog
LinkedIn @travasecurity
YouTube @travasecurity