Decoding Cyber Insurance In The SaaS World with Trava’s Director of Insurance, Ryan Dunn
Jara Rowe: Gather around as we spill the tea on cybersecurity. We're talking about the topic in a way that everyone can understand. I'm your host, Jara Rowe, giving you just what you need. This is The Tea on Cybersecurity, a podcast from Trava. The more I learn about cybersecurity, the more I understand that no system is completely secure, but cyber insurance is a way that companies can add an extra cushion if something were to happen. In season one of The Tea on Cybersecurity, we had an entire episode dedicated to cyber insurance. We covered what it is, who it's for, when to get it, and everything in between. On this episode, we are specifically talking about cyber insurance as it relates to SaaS companies. We know I'm not a cybersecurity expert and I have even less knowledge of cyber insurance, but that is why I have the guest with me today. I would like to welcome Trava's director of insurance, Ryan Dunn. Hey, Ryan.
Ryan Dunn: Hello, Jara. How are we?
Jara Rowe: All right. How are you?
Ryan Dunn: I'm doing great. Ready to talk about cyber insurance, cybersecurity, specifically relating to how SaaS companies can procure cyber insurance correctly and all the other topics above.
Jara Rowe: Yeah. Fantastic. You are a new voice to our listeners, so please go ahead and introduce yourself.
Ryan Dunn: Yeah, absolutely. Ryan, as Jara introduced me, director of insurance here at Trava. I've always been in the insurance world for just about eight years now. I've been surrounded by cyber insurance for about eight years as well. I also was a retail agent that focused primarily on SaaS companies, and so I have a lot of experience in procuring cyber insurance for a SaaS-like entity, but also other types of industries like manufacturing, healthcare, public entities. Really at the end of the day, any business should be procuring cyber insurance. We rely heavily on our digital infrastructure to conduct business and, therefore, no matter if you are in one of these categories that cyber tends to be more prevalent in or whether or not, you should definitely be looking at transferring some risk over to a cyber insurance policy.
Jara Rowe: Yeah, it's important, and you introducing yourself just shows that you're the perfect person to talk to about this stuff. All right, so as I was reviewing my questions there were a few terms that kept popping up that I'm not completely sure what the meaning is and I would feel like I'm doing injustice to me and some of the other listeners that may not be familiar. So my first question is what is an insurance premium?
Ryan Dunn: Yeah. Basically, it's the cost of the policy for the insured throughout the year. It's typically reflected in an annual amount. Now, agents can offer monthly payment terms or premium finance terms or quarterly payments. It's really up to you how you want to pay it, but whenever you get that premium number in that quote, it's an annual number, not a monthly number.
Jara Rowe: Okay, cool. All right, so let's dive right in. How do insurance companies assess the cyber risk of a SaaS company?
Ryan Dunn: Yeah, that's a really good question. There's going to be a few different things, especially related to SaaS. Number one and most importantly, they're going to be looking at their master service agreement because you're not only writing a cyber policy there, but it's also accompanied by a tech policy, which technically is going to be your professional liability. If you think about it this way, when you're a lawyer, you're giving advice, so that's consulting and therefore you need to have what's called an errors and omissions policy, your professional liability policy. When you have a piece of software, it has an obligation to perform a duty. If that software fails, let's say it's a software that runs a train track, right?
Jara Rowe: Mm-hmm.
Ryan Dunn: That train goes off the track, crashes, that's a failure of the software's duty to perform there, and therefore that falls into an E&O bucket. The reason why cyber is tied together is because if that software failed, did it fail because it was a failure in the code? Did it fail because there was some type of cyber breach? It falls into this gray area, right?
Jara Rowe: Mm-hmm.
Ryan Dunn: So you're going to need both those policies tied together so you don't have two different... Even if it's the same carrier, sometimes they have it on two different what we call paper. You really want to have that on the same paper. They're going to be looking at that MSA first and foremost to see your limits of liability. From there, what we are seeing is obviously the MFA button is hot, it has been hot, and it's going to remain hot. I'm foreseeing it's going to become even more strict on what type of MFA you have. I don't see it happening right now, but as we enter into a hard market or just a more difficult market, we're going to see new underwriting guidelines come up. My thought is naturally we should be looking at, "Okay, great. You have MFA, but to what extent and how are you doing it? Is it through SMS? Is it a third-party app? What is the form of MFA?" They're also going to be paying super close attention to EDR, so they're going to be asking for proof of EDR, which is endpoint detection response, and that's going to be looking for 80% or above on your endpoints covered for them to even provide you a quote. Most of the time they ask you for proof, so you provide a printout of a spot in time. Those are the most important things. If we look into some other areas, you've got CVE vulnerabilities, which are your external vulnerabilities. That's going to [inaudible] big one as well. They're going to be seeing like, "Hey, are you using a vulnerability management platform similar to how Trava is a vulnerability management platform?" They're going to be like, "Hey, are you using that? How often are you guys checking the vulnerabilities and fixing them? What's your MTTR, which is going to be the time it takes for you to fix a vulnerability, right? The average time."
Jara Rowe: Okay.
Ryan Dunn: Those are things they're going to dig into. Lastly, this is something that is another thing a little bit in the future, but these software companies have code and they frequently push out updates. We at Trava put out updates pretty frequently. The problem with putting out frequent updates is there can be new vulnerabilities in each update if it's [inaudible].
Jara Rowe: Mm-hmm.
Ryan Dunn: They aren't doing this now, but it is something that they're looking at, and that's web app data scans. That's going to be like, "Hey, we just want to see if you guys have any vulnerabilities in your code currently." Maybe there'll be some type of compliance where they check it quarterly, but if you look at the Target hack the whole way, the reason that came through wasn't software, it was an internet thing, but they updated the device on the HVAC system and that's where the hacker got in. Just goes to show whenever there's a new update out there, you have to be super cautious about it. But yeah, those are a good amount of things that carriers are going to be looking at.
Jara Rowe: Yeah. Wow, that's a lot, but thanks for going over all of that.
Ryan Dunn: [inaudible] still with us.
Jara Rowe: Yeah. They're still here, I know they are. Thanks for clarifying some of those acronyms because I was definitely going to ask what EDR meant.
Ryan Dunn: I saw you writing. I saw you writing like, "I'm not going to let her ask. I'm going to [inaudible]."
Jara Rowe: Yeah, I appreciate that. Then you mentioned MFA, which almost every episode of the podcast someone has talked about how important MFA is.
Ryan Dunn: Yeah, which is awesome.
Jara Rowe: Yeah. Listeners, make sure you are using MFA. It's a necessity. All right, Ryan, so when it comes to a strong cybersecurity posture, how does that impact an insurance premium?
Ryan Dunn: Yeah. This is the biggest frustration in the cyber insurance world. Right now there's no set path. It's like, "Okay, this is your path to getting a better insurance premium." It's not set in stone.
Jara Rowe: Mm-hmm.
Ryan Dunn: However, there are some half steps being taken by some companies to do that. I know one carrier, Berkeley, is looking at doing that like, "Hey, if you provide us this type of information, we'll look at some type of premium credit there." Right?
Jara Rowe: Mm-hmm.
Ryan Dunn: It is the holy grail that everybody is working towards, "How can we reward our customers, our insureds, to have a better insurance premium or coverage if they are investing in their cybersecurity stack?" Because what's happening is people are investing in their cybersecurity stack, they're going out for the renewal and their premium increased, and they're like, "What? I'm more secure. Why am I..." Obviously some of it's out of their control. Everybody needs to understand that rates get set every year, and so even if you have an improved posture, let's just say it was related to property, you could bolster up your property with concrete everywhere and whatever, bunker it down, but if a category five hurricane hit and knocked out a bunch of buildings, your premium is still probably going to go up even though you invested in your infrastructure, right?
Jara Rowe: Mm-hmm. Mm-hmm.
Ryan Dunn: In cyber insurance, it's the same thing. You're not always going to be rewarded if you retroactively look at your last year's premium. However, you can be rewarded if you look at it towards, "Okay, what is everybody else renewing at? What is their premium increase?" It's like, "Okay, is everybody getting a 120% increase and I'm only getting a 30? All right, that's a win."
Jara Rowe: Mm-hmm.
Ryan Dunn: People need to first have a good mindset as to what does winning look like in this. Then second of all, Trava and other companies, we're working towards rewarding people for investing in their cybersecurity. That's a big part of what Trava's doing.
Jara Rowe: Yeah.
Ryan Dunn: We're working heavily towards that, trying to leverage the agent to procure more information for their client in order to get better premiums and coverage, so empowering the agent to do so is a big belief of Trava.
Jara Rowe: Mm-hmm. For sure. All right. Again, throughout these episodes we've definitely learned that you need to have your cyber risk management in place pretty much from day one as a SaaS company. The next step I would assume is making sure we have enough coverage, which we were just talking about a bit. How can SaaS companies ensure they have adequate coverage for their needs?
Ryan Dunn: Yeah. I can go in a couple different ways here. One way, we can talk about how there's not really good information out there, and we can talk about why.
Jara Rowe: Mm-hmm. Mm-hmm.
Ryan Dunn: Another way, yes, there is a way SaaS companies can try to get an idea, but I'm telling you right now there's not a great way. Right now if we look at the purchasing behavior across the board, even in SaaS, it's either driven by a contract request, so you're a SaaS company and your vendor is saying, "Hey, I need 10 million in limits." You're like, "Yeah, okay, I got to give you 10... I only have one million." That's a big driver of purchasing behavior. Another piece of purchasing behavior is agents selling a cyber policy with inadequate information, and so even if it's a $50 million SaaS company they're still throwing a million dollar limit on there, and just off of ballparking it, that's not accurate. The problem is a lot of that is going on, especially the latter, where a lot of people that shouldn't be buying one million in limits are buying it. Whenever you look historically, "Okay, what is a company my size buying?" It's filled with false data because it's not an educated purchase. That is a huge issue in the industry, and to make it even worse, financially quantifying your risk is a very difficult task to perform. There's people out there trying to do it, but if it's accurate, I don't know. If I were a SaaS company and I were procuring insurance, I would buy as many limits as possible.
Jara Rowe: All right.
Ryan Dunn: I would... You know?
Jara Rowe: Better safe than sorry.
Ryan Dunn: [inaudible] five million in limits.
Jara Rowe: Cool. All right. What happens if a SaaS company's cybersecurity measures, their strategy, is deemed inadequate?
Ryan Dunn: Mm-hmm. What happens?
Jara Rowe: Mm-hmm. I guess in the insurance sense, does the agent typically make them go back and fix things before they're insured?
Ryan Dunn: Yeah. Yeah. Yeah, yeah. This is a big problem within the insurance industry as well. It's a reactive situation where a lot of these companies are just filling out the application [inaudible] they give it to the agent, the agent just pushes it off whether it's direct to a carrier or to a wholesaler, and then that wholesaler is just pushing that paper as well, so people aren't... They're not consulting, they're just paper pushers [inaudible].
Jara Rowe: Mm-hmm.
Ryan Dunn: A lot of the times because, frankly, they're insurance experts, not cybersecurity experts. It's tough for somebody who doesn't know what data backups and all that stuff looks like and what's good and what's bad. What's happening is they send it to the carrier and the carrier's like, "What the hell?"
Jara Rowe: Yeah.
Ryan Dunn: Some carriers and MGAs are also using vulnerability scanning, right?
Jara Rowe: Mm-hmm.
Ryan Dunn: If the agent doesn't use a vulnerability scan prior to going out to submission, they're kind of hoping and praying their client doesn't have any open ports and they can just quote it and bind it. That's happening a lot where they have open ports or they have compromised credentials, they have CVE exposures, and the agent doesn't know this going out to market. You only have one shot at going to market. That underwriter has to get through hundreds of submissions. I mean, they're bogged down. Also, this is just like a shout-out to agents, if you want to get better at placing insurance, talk to underwriters, get to know their lifestyle because you'll understand more as to why you need to put in a clean submission.
Jara Rowe: Mm-hmm.
Ryan Dunn: But back to my reactive rant, you're hoping and praying in your submission, you aren't confident in what's going out there, and so what does that do? You run the risk of getting no quotes for your client. You run the risk of the submission only hitting one or two carriers, and so you're going to get ineffective pricing and possibly ineffective coverage. What you're doing there is you're not putting your client in the best light possible to get a good quote, and that's what happens in a reactive stance. You're leaving it up to chance. I highly suggest, and we highly suggest, that they do these things ahead of time prior to going out to renewal, getting your client in good shape, getting a good underwriting presentation put together, and actually getting your client good pricing and good coverage.
Jara Rowe: Definitely. You talk about reactive versus proactive a lot, which is why we have a future episode about reactive versus proactive cyber risk management.
Ryan Dunn: Stay tuned. Stay tuned.
Jara Rowe: Yes, stay tuned. All right, Ryan, so another term that I hear you talk about a lot when it comes to insurance is continuous cybersecurity. How does that impact insurance coverage? I guess start by what is continuous cybersecurity and then how does that impact cyber insurance coverage and renewals for SaaS companies.
Ryan Dunn: Yeah. I think it's a thought that's shared throughout the industry. I see Coalition putting out stuff around continuous cybersecurity. There's some good players out there that are all over believing in this. Trava is a big believer in it. From an agent's perspective, what does continuous cybersecurity mean? Okay, every single one of your clients has an IT company or an external MSP, and they've had them for probably 20 years, 15 years, and they haven't moved off. Whenever the cyber conversation comes up, there's a good chance that MSP or that internal IT staff gets super defensive, but your job as an agent and a risk manager is to check and make sure that cybersecurity is up to par. Now, obviously you're a cyber insurance expert, you're not a cybersecurity expert, so how do you do that? This is going to be somewhat of a shameless plug, but it's the only solution I know out there. You need to deploy a platform like a Trava, and you also should have a partnership with either a vCISO or another external MSP team, and you should be doing quarterly checks on their cybersecurity posture and making sure that everything is good. Additionally, I highly suggest running scans on their external infrastructure and internal infrastructure on a monthly basis at the minimum. This is so, number one, you're doing your job as a risk manager. Number two, you're differentiating yourself. This would create a very sticky client that won't leave you, and you'll also most likely gain new clients from word of mouth from just doing that.
Jara Rowe: Yeah.
Ryan Dunn: You're going to obviously get a stickier client, but you're going to also be performing your duty and making sure that their cybersecurity posture is up to par. Then lastly, this makes the cyber insurance renewal seamless. You don't have to fix anything. You're good to go. You just redownload the information into the application and you're all set. Continuous cybersecurity not only helps your client from, hey, they're going to stay secure, most likely stay more secure, and most likely not have a claim, but you're also going to be preparing them for that renewal coming up.
Jara Rowe: Mm-hmm. So helpful. Yeah, again, take cybersecurity seriously from the beginning, do all the things you need to do throughout, and it makes your life easier when it comes to everything.
Ryan Dunn: Yeah.
Jara Rowe: Yeah. All right, so are there any legal obligations for a SaaS company to have cyber insurance in place?
Ryan Dunn: That is a really good question, Jara. I would say there could be negligence around that, but I've never seen an example of that.
Jara Rowe: Okay.
Ryan Dunn: What could happen is if you are a leader in the company or have more than 5% ownership in the company, there's something called a D&O policy, directors and officers. What I could see happening there is if they don't have cyber insurance, then the investors of that SaaS company could sue the directors of that company, which would fall under their D&O policy. That's just because they had a fiduciary responsibility to protect the company and they didn't. I would be very surprised if a SaaS company didn't have cyber insurance, but if you don't, definitely get it.
Jara Rowe: Yeah. All right. Are there any industry-specific considerations for SaaS companies when it comes to cyber insurance? For example, how might the insurance needs differ between a SaaS company focused on healthcare versus e-commerce?
Ryan Dunn: Got it. Yes. No. I mean, there's good cyber insurance policies and there's bad.
Jara Rowe: Mm-hmm.
Ryan Dunn: If you're a SaaS company, I would definitely push for any type of contingent business interruption or business interruption type of coverage. Definitely every company across the board should have any type of funds transfer fraud, social engineering, invoice manipulation, obviously ransomware, and you want ransomware to be full limits. Those are prime coverages that you need. Especially if you're a SaaS company and you're running lean, meaning that you have a thin balance sheet, I would definitely look for language in a policy that has pay on your behalf. This is so that you aren't waiting for the claim to settle to get paid. The claim gets paid and then it gets settled from there. Definitely look for something like that, especially if you're a lean operating SaaS company.
Jara Rowe: Yeah. That's awesome. That's a good tip. Speaking of lean companies, so for startups or smaller SaaS companies with limited resources like you were just talking about, what are some cost-effective options for obtaining cyber insurance without compromising coverage?
Ryan Dunn: Yeah. Like I said, if you're getting coverage, if you don't have social engineering coverage on there or invoice manipulation or funds transfer fraud and you're a young company or you don't have a ton of revenue, those are the prime coverages you need.
Jara Rowe: Perfect.
Ryan Dunn: Any type of business email compromise type of coverage is rule number one for a small company. Just that alone could knock you out. Obviously get ransomware on there, but those are the main coverages that I would look for if I was like, "Okay, what are the core coverages that I need in my policy?" That's what I would look towards. Business interruption is huge, but if we're talking about frequency, anything related to email and people, I would invest in that.
Jara Rowe: Mm-hmm. Yeah. We've also learned in season one that people are unpredictable and cause the majority of the issues when it comes to incidents and breaches and stuff, so makes sense.
Ryan Dunn: We all have personal emails that we type in similar passwords to our work emails.
Jara Rowe: Yeah.
Ryan Dunn: Yeah. That's why we got to... Well, also shameless... Get a password manager.
Jara Rowe: Mm-hmm.
Ryan Dunn: Get a password manager and have it create randomized passwords for you for each thing.
Jara Rowe: Yeah, super helpful.
Ryan Dunn: That'll help you, and then obviously don't click on crazy emails.
Jara Rowe: Don't click on crazy links if you don't recognize who it came from especially. All right, Ryan, so as we giggle away I actually have some fun questions for you before I let you go.
Ryan Dunn: Okay.
Jara Rowe: Number one, what's the most bizarre cybersecurity myth you've ever heard?
Ryan Dunn: The most bizarre... Oh my god, "My data's in the cloud. I don't need cyber insurance." That is classic, classic. Like, "Oh, I got it with Google. We're good." That one [inaudible] still. That's been one I've heard... For the past five years, people have been saying that to me.
Jara Rowe: Yeah. Oh my gosh. All right, so next, what's the best password you've ever seen? Maybe don't tell me what it is exactly if you're using it right now, but-
Ryan Dunn: [inaudible]. I saw... It was at my old agency, the managing partner there, he created one long tail, 20 words, but it was literally like a sentence from around his office. I hope a hacker's not listening to this [inaudible] figure it out.
Jara Rowe: Hopefully they don't know.
Ryan Dunn: I don't know if it was a real one or an example, but he showed me. I was like, "What? That's crazy."
Jara Rowe: That's perfect. All right.
Ryan Dunn: [inaudible] really good one.
Jara Rowe: Yeah, good. The longer, the better.
Ryan Dunn: Yeah.
Jara Rowe: Okay. If you could create a cybersecurity superhero, what would their powers be?
Ryan Dunn: Easily some type of MFA... If somebody was trying to get into your email, an identifier and destroyer of that or... Now, if we get into the superpower itself, I would say it creates a sandbox environment and so the hacker just goes into a sandbox environment and just gets stuck and wastes their time for days or months.
Jara Rowe: Perfect.
Ryan Dunn: That would bring satisfaction to me.
Jara Rowe: Good. All right, Ryan. Well, I definitely appreciate your knowledge when it comes to cyber insurance, but before I let you go is there anything else you would like to run home about cybersecurity or cyber insurance in general?
Ryan Dunn: No. I mean, we covered some good stuff in here.
Jara Rowe: I have two sheets of notes right now.
Ryan Dunn: Let's go, Jara. I'm pumped. No, I love this podcast. I love the tea. We spilled some tea today.
Jara Rowe: We did spill some tea today. All right, listeners, well, that wraps another episode of The Tea on Cybersecurity. Stay tuned as we talk about reactive versus proactive in cybersecurity and cyber insurance during the next episode. Thanks. Now that we've spilled the tea on cyber insurance for SaaS companies, it's time to go over the receipts. I thought all the information provided by Ryan was absolutely fantastic and made me understand this complicated industry so much more clearly. One of the first things I took away was for agents assessing a SaaS company's requirements and needs. I took away four key things that Ryan went over when it comes to that, number one being they will look at a SaaS company's master service agreement or MSA, which also includes a tech E&O just to make sure that everyone's on the same page about everything. Another requirement is MFA. We talk about that in a lot of The Tea on Cybersecurity episodes, so more than likely you will need to deploy MFA. The third thing would be EDR protection, so endpoint detection response. They'll need to see what the company has in place for that, and then also CVE, which looks at your outside vulnerabilities. The next receipt that I have is about continuous cybersecurity. Ryan pretty much said that it's a necessity for a company to be as secure as possible. It'll just help you make sure that everything is in order over time. Ryan recommends that you run scans at least monthly to just see where your holes or gaps are in your cybersecurity for your company. Ryan also mentioned that as you do this continuous cybersecurity, it makes your renewal for insurance super easy down the line. You'll just have to upload the documents and then you're done because everything is already in place. Another thing that I asked Ryan was, "How can a SaaS company ensure that they are covered properly by cyber insurance?"
Ryan said that it's kind of complicated, but he suggested that the way to make sure you have the most coverage is just to get as many limits as possible. The final thing that I took away-- actually, Ryan and I had this conversation prior to this podcast recording, but I think it's fantastic to mention here-- is when you are shopping around for cyber insurance, especially if you're a SaaS leader, it's important to have an agent that works in your niche because all agents are educated and equipped in different areas. The best way that you're going to make sure you're taken care of completely is to have someone behind you that understands what you are working on. I hope you gained just as much knowledge as I did about cyber insurance and SaaS companies. Stick around for a future episode of The Tea on Cybersecurity. That's The Tea on Cybersecurity. If you like what you listen to, please leave a review. If you need anything else from me, head on over to Trava Security. Follow wherever you get your podcasts.
DESCRIPTION
"Whenever you have a piece of software that has an obligation to perform a duty, like a SaaS company, the intersection of cyber insurance and professional liability is crucial. It's important to transfer the risk with a comprehensive cyber insurance policy to protect against both code failures and potential cyber breaches."
In the latest episode of The Tea on Cybersecurity, @Jara Rowe chats with @Ryan Dunn, Director of Insurance at Trava, to discuss the importance of cyber insurance as it relates to SaaS companies. Businesses heavily rely on their digital infrastructure to conduct operations, making them vulnerable to cyber attacks and breaches. This is where cyber insurance comes into play… Cyber insurance helps cover the costs associated with incident response, data recovery, legal fees, notification and credit monitoring services for affected individuals, and potential lawsuits. In today's digital age, where cyber threats are becoming increasingly common and sophisticated, having cyber insurance can help businesses mitigate the financial impact of a cyber incident and recover more quickly.
Ryan breaks this all down in this episode of the Tea on Cyber Security by explaining exactly why cyber insurance is a necessity, the reasoning for why the relationship between a strong cybersecurity posture and insurance premiums is currently a challenge in the cyber insurance industry, and the key factors insurance companies should pay close attention to when it comes to assessing cyber risk of their company. This is an episode filled with information you don't want to miss out on. Listen to hear the tea on cyber insurance.
What you'll learn in this episode:
The importance of cyber insurance for SaaS companies and why all businesses should consider procuring it.
How insurance companies assess the cyber risk of a SaaS company, including factors like master service agreements, MFA (multi-factor authentication), EDR (endpoint detection response), CVE vulnerabilities, and web app data scans.
The impact of a strong cybersecurity posture on insurance premiums and the ongoing challenge of finding ways to reward companies for investing in their cybersecurity stack.
Things to listen for:
[03:44 - 08:09] SaaS policy and cyber breach liability, MFA and EDR requirements for insurance, and CVE vulnerabilities and vulnerability management.
[08:56 - 11:22] Cyber insurance frustrations: uncertain path to savings.
[11:50 - 13:48] Limited information hampers SaaS purchasing behavior.
[17:29 - 19:56] Continuous cybersecurity is a shared industry belief. Trava is a big supporter. Agents should check cybersecurity and deploy a Trava platform. Quarterly checks and monthly scans recommended.
[21:42 - 22:37] Key cyber insurance policies for SaaS companies.
[22:58 - 24:17] Essential coverage for small companies: email, ransomware, business interruption.
Connect with the Guest: Ryan Dunn's LinkedIn
Connect with the host: Jara Rowe's LinkedIn
Connect with Trava:
Website www.travasecurity.com
Blog www.travasecurity.com/blog
LinkedIn @travasecurity
YouTube @travasecurity