Confident Cyber Insurance Renewals: A Masterclass in Continuous Security

This is a podcast episode titled, Confident Cyber Insurance Renewals: A Masterclass in Continuous Security. The summary for this episode is:
Intro to Ryan Dunn
00:40 MIN
What are the biggest challenges with cyber insurance renewals?
01:34 MIN
Moving ourselves from a reactive state to a proactive state
01:53 MIN
What a proactive state looks like
02:03 MIN
Challenge 1: Preparing clients appropriately for cyber insurance renewals, and how to resolve it
04:26 MIN
Challenge 2: Filling out the PDF application accurately and how to find resolution
03:51 MIN
Challenge 3: Describing to the insurance markets your client's cyber security infrastructure and how to find resolution
03:25 MIN
Why Cyber Risk Management is important
01:31 MIN
What continuous cybersecurity looks like
01:56 MIN
How continuous cybersecurity helps cyber insurance renewals
01:29 MIN
A walkthrough of Trava's platform
05:34 MIN
Proactive steps to have mitigating controls having effect on premiums
01:53 MIN

Speaker 1: Thanks for coming and we'll get this started. What are we going to go over in this masterclass, right? We're going to go over the challenges that we're seeing for cyber insurance renewals, right? And then, from there, most importantly, we're going to go over what are the benefits of continuous cybersecurity? Why is it worth your time to deploy a strategy like this to enhance your client's cyber insurance renewals and hopefully affect their cyber insurance premiums and coverage? Right? From there, we're going to go through some examples of how this can be effective, and then we're going to go over some cyber risk management principles. Where does cyber risk management intersect with cyber insurance? After that, we'll quickly jump into the platform and just show a quick demo of the Trava platform, and then we'll reserve some time at the end for some questions and answers. Thank you again for joining, and looking forward to digging into this with you guys. A quick introduction of myself. I am the director of insurance over here at Trava. I've been in the insurance world for a little bit over eight years now. I've specialized in cyber for a little bit over four years. Prior to this, I worked a lot in wholesale workers' comp, as well as just wholesale insurance in general, so I've been around the gamut when it comes to wholesale insurance, retail insurance, and understanding what are the problems associated with quoting and binding and issuing a cyber policy from the wholesale side and from the retail side. We'll dig into that in a second here. What are our objectives that we're going to learn today? When you walk out of this presentation, you'll be able to define continuous cybersecurity. You'll be able to identify any challenges associated with cyber policy renewals. You'll be able to explain continuous cybersecurity and be able to explain to either your staff or your client how this could help them with next year's renewal or this year's renewal. Right? 
You'll also be able to get a good understanding of how can I assess my insurance tech stack and how does this apply to enhancing their cyber insurance renewals? And then, you'll be able to apply this theory using these tactics that we're going to teach you today. You may be able to enter this into your questions and answers section, but on average, what is everybody's biggest challenge with cyber insurance renewals? These are three that we've received from a lot of our partner agencies, but if you could possibly enter this into the questions and answers section, that would help us at the end of this presentation. Right? These are three challenges that we've gathered. Carrier requirements. We all understand that carriers have deployed a lot of new requirements every single year. Now, the most recent one is pixel compliance. Right? This is becoming a huge problem now that it's being added onto the applications, so how do we as agents react to that? Another big problem is the PDF applications. These being sent back and forth, huge issue. Not only is it not a secure way to transfer security data, but it's a strenuous process to get your clients to do this, right? In trying to describe the pricing increases, now recently, we've run into a soft market, but that's not going to hold forever. So, how do you describe, "Hey, we went out to market, but only five carriers quoted you and the other ones declined coverage or went to underwriting referral and it was going to take too long for a quote"? So, how do you describe that to your client? These are three challenges that we've gathered. Yeah. We have two answers in here right now. One was filling out PDF applications, and two, a client investing a lot of resources in their cybersecurity and not being able to see an effect on their insurance. Right?
I mean, that is a very frustrating thing, so in this presentation, I'd love to address both of those, which we will, both on the PDF application side, and how do I translate that my client is investing in cybersecurity, and how can I have them be rewarded for that in some manner, whether that be efficient quoting or better premiums or enhanced coverage? Just some quick statistics for everybody before we get going: quoting cyber insurance, a hundred million and below has become somewhat streamlined, except for the hard-to-write industries. You see a lot of quote-bind-issue platforms out there now. We have entered into somewhat of a soft market, so those have taken up a lot of steam recently, but we all have to be aware of the fact that when we do dip back into a hard market, which is inevitable, these long quoting processes will start to trickle into that hundred million dollars and below section. But on average, if you're a hundred million dollars and up in revenue or if you're in a hard-to-write industry... What are those hard-to-write industries? Healthcare, SaaS, manufacturing, public entities, right? These are going to be the industries where it's going to take on average four weeks to quote, and frankly that is very fast. I have seen this be eight weeks to quote in these types of industries or a hundred million and up. So, how can we streamline that? How can we make that a more effective experience for our clients, so that we know and we can show that we know what we're talking about with our client in providing value in those very few touchpoints that we have with them throughout the year? We only average about four touchpoints a year with our clients, so how can we show that we know what we're doing? This is going to be part of the presentation. Underwriting referrals are over 50% for hard-to-write industries.
If you're in a hard-to-write industry, you are gathering an application, but then when you submit it out to market, the underwriter's going to be taking a look at it and they're also going to come back with more questions. So, how can we avoid that? How can we make it so that we're only gathering information at one point throughout the renewal process? All right. Let's dig into one first very important rule that we should be very, very aware of, and that is we need to move ourselves from a reactive state, which is our current state, to a proactive state. Reactive, what does that mean? Well, reactive is how we're currently addressing the market, right? We're gathering an application from a carrier. We are then distributing that to the client. The client sends it out to their external MSP or internal IT staff. That external or internal MSP takes about two weeks, maybe even more, to fill out that application, and distributes it back to the client. The client emails it back to you as the agent. You as the agent then submit it out to market. So, that in and of itself is a very long process that can be streamlined. And then, once we get to the underwriting submission, what does the reactive state do there? Well, like we said, if they're in a hard-to-write industry or a hundred million dollars and up, there's a very high chance they're going to get an underwriter referral. So, what happens here? If all the information isn't correct, if all the information isn't filled out that's needed to quote, the underwriter's going to ask for more information. So, we need to avoid that, and going back to our client on this right-hand side over here is not the experience that we want to deliver to them, right? We only want to collect information at one point in that quoting process and be able to get a quote back because we know that we're experts in cyber insurance, and if we're experts in cyber insurance, we shouldn't be running back to our client and trying to gather more info.
We should already have that info collected. So, we need to avoid that going-back-to-the-client-for-more-information step to really increase efficiency when it comes to quoting. So, what does that proactive state look like, right? Well, it's going to require some type of software enablement. Right? We're going to have to have a piece of software that gathers this info of the client, stores it, but also is able to address the vulnerability scan situation that we have going on with underwriters. Right now, the vulnerability scans are a very top-down approach, meaning vulnerability scans only exist at that carrier level, so it has really put us agents in a very awkward position because we don't have the leverage that we need in order to quote our client's cyber insurance. We need to have the tools to be able to go to the carrier and say, "Hey, we have collected all the information from our client. Here it is," including maybe some internal scans, which the carriers really want right now, or including those external scans. So, what does that aligning with that agency do, or empowering the agency do, when it comes to using those vulnerability scans? Right? Well, we're going to be able to run those scans ahead of time and be able to prepare our clients for any unforeseen vulnerabilities that may exist. The worst thing ever is when you fill out an application, you send it into the carrier, and they come back and they say, "Hey, we're declining coverage because they have two unnecessary open ports." Now, you have to run back to your client and try to explain what an open port is. Let's be honest, I mean, we're insurance experts. We're not cybersecurity experts. So, it's a very rudimentary reasoning when it comes to explaining to the client what this open port means. So, it's not the position we want to be in. We want to be in a position where we're able to give the carrier everything right ahead of time.
We're able to fix things ahead of time, and we're able to download the report and deliver it to the carrier in a very seamless manner. So, we're going to go into how we can do that in a little bit here. Let's dig into the challenges a little bit. One challenge... We are just going over it. Preparing clients appropriately for cyber insurance renewals. This is that open port situation that I'm talking about where, in our current state, us agents don't have the ability to address this ahead of time. This is a situation that we found with one of our agency clients where they sent the client out for renewal, and this is what they received back. Now, navigating this as an insurance expert is extremely difficult, but the way that we need to be able to address this is by having the power of the scans in our hands beforehand and being able to run this proactively. Right? We can't be going to our client with this zero-day vulnerability and expecting them to believe that we know what we're talking about when we're hardly able to explain what this means. So, we need to address this challenge, right? We need to be able to run these scans ahead of time, and we need to address any type of zero-day vulnerabilities that may exist in our client's infrastructure before we go out to market. Another super important point here: think about how many submissions underwriters get every single day that they're supposed to address and navigate through. Your client only gets one look when you submit them out to market, and if it's a bad look, you are playing catch-up for the rest of that renewal period, and good luck trying to get good coverage for your client or a great premium. You'll get roasted on that next year's renewal if you're not addressing this stuff ahead of time. So, it's super, super important when it comes to the renewals. All right. How do we resolve this, right? How do we get ahead of that?
Well, there's something called an insurance readiness report, and this is going to really help you change that reactive approach to a proactive approach. With this insurance readiness report, what you're going to be able to do is address carrier concerns prior to going out to market. This is like a pressure test before you go out to market. Imagine this if you're the agency speaking to a prospect: "Hey, what we do at agency X is we pressure test you before going out to market because what we want to do is avoid any unnecessary vulnerabilities that may exist in your infrastructure or any security controls that are lacking. We want to make sure that if agency X signs off on this and it's ready to go out to market, you're going to get the most favorable renewal that you've ever seen." So, we're really taking back control of that situation and basically, we're giving the client the confidence that if you can pass agency X's test, you can pass any carrier's test. We want to give them the answers to the test ahead of time. So, this is a super big empowering tool for you to take back control of that conversation, stop negotiating with carriers on your heels, and negotiate from a powerful stance. So, this insurance readiness report will help you become more of a proactive agent than a reactive agent. One point about this that I'd like to make is about this "review and close unnecessary ports in the external surface," as well as the "monitor and reset passwords for email accounts." These are two super important things, right? The unnecessary ports, this is going to be an automatic declination if your client has this. Right?
And the monitor and reset passwords, if they have several compromised credentials very close to the renewal period, there is a very high likelihood that the carrier will not provide them any social engineering or invoice manipulation coverage, which arguably, especially for small business, is one of the most important covers that a small business can have. Right? So, this is super important for that small business if you are going to be going out to quote for them. All right. Like we addressed earlier in the presentation, somebody asked a question, or not asked a question, they said that filling out PDF applications is a tedious task. Right? Now, currently, the way that we're addressing this as agents is we're gathering a bunch of PDF applications, or we're just gathering one PDF application going out to market, so how can we avoid this situation? This isn't a very secure way of transferring security data, number one. Number two, it's very segmented. It's not a seamless experience for the client, so how can we make this better? How can we improve on this as an agent to really go above and beyond for our clients? By utilizing continuous cybersecurity, we're really, really able to avoid this PDF application. Right? What you'll see, if you're using any type of platform to gather data, is that data needs to be stored for year two. So, when you're using continuous cybersecurity, a platform like Trava would be able to provide you maturity examples for the client so that, "Hey, this is where your current state is and this is how you get from point A to point B if you improve these security controls." Also, once you have this data loaded into the platform, there is no need for sending out renewal applications or PDFs at all. You have the data stored and the platform has already been staying on top of it throughout the year.
So, when it gets to the renewal period, it's really just confirming that the data is still accurate or whether there are any improvements that have been made. The best part about that is if it's stored in the platform, we're able to translate to the underwriter, "Hey, this is where they were a year ago and this is how much they've improved in year two. They've clearly invested a lot of resources into their cybersecurity. Let's work together on how they can get some premium credits or some coverage enhancements here." So, it's all about having that documentation of their cybersecurity controls, and being able to tell that story is extremely important, so continuous cybersecurity is the only way that we're able to do that. We're not able to do that if we're only taking a look into our client's infrastructure once a year. We need to be taking a look into it at least every quarter, if not every month. So, deploying this strategy will really help you when it comes to that year two, year three, year four, and also making sure that you're securing your client and nobody is going to come approach them if you have this unlocked. So, this is definitely a great example of how continuous cybersecurity can not only streamline your renewals but also enhance that coverage down the line. Right? I like to compare this to a workers' comp mod. When a client has a bad modification factor rating, what happens? Their premium increases. Well, it's very similar to cyber insurance. If they get a bad cyber insurance score, their premium is going to reflect poorly, so how can we as agents provide data that shows that client, "Hey, you're at a very high risk score. We need to bring you down in order to see some type of premium reflection"? So, I really like to compare this to that workers' comp world a lot. Challenge number three, the insurance application in general is just limited.
I don't mean limited as in it's not long enough, because we all know that applications are 15 pages long and it's brutal to drop that on your client's desk, but it's limited in the fact that it's a yes or no question. Right? Do you have MFA, yes or no? Do you have EDR, yes or no? It's somewhat nonsense to ask a question in that manner, and we need to be providing these carriers, and we need to be taking the proactive action on it to provide them, more in-depth information. So, what does that more information look like, right? We'll go into that in a second. Lost time. Trying to explain to a carrier a client's cyber infrastructure and gathering all that data is extremely time-consuming. Putting together that underwriting presentation, extremely time-consuming. So, how can we automate this so that we can just rip the necessary information that we know the carrier wants to look into in their cloud environment or look into in their Microsoft 365 environment? How can we just pull that data and present that immediately to the carrier? So, that's a super, super important way for us to start battling for these middle-market accounts, but also for those hard-to-write industries, and make sure that we're putting our client in the best possible light. Right? What's the resolution to this challenge? Well, we need to have more enriched data. I just mentioned Microsoft 365 or cloud environments, but how can you get this information easily? Well, there are several platforms out there, but you need to use an agency-geared platform that can pull this necessary information from your client and put it into a report for you. What is this enriched data going to do? Well, it's definitely going to increase quoting efficiency. That's proven. From there, you work with the carrier on reducing premiums, enhancing coverage.
Sometimes that takes a little while because, remember, these can be admitted products, so working that into the admitted product can take some time, but the number three point, increase in quoting efficiency, is a proven point where if we're able to have the client just load their information into the platform, we're able to pull it out with the platform and put it into a nice presentation for the carrier to look at. That's going to take a week. If that, it could take days to now put together a full underwriting presentation for a hundred million revenue and up account. Yeah. Like I said, it's taking some of the best agencies in the world weeks to gather this type of data. So, really empowering you as the agent to increase that quoting efficiency is absolutely massive, and it will make you look super impressive and give you the ability to compete at the highest level. All right. Cyber risk management. This section is going to be more about continuous cyber risk management. How does continuous cybersecurity intersect with cyber insurance? Why is it important? Well, us as agents, we already offer auto fleet management. We already offer HR best practices. Like I said before, workers' comp programs. So, why not cyber risk management? If cyber is becoming one of the biggest lines of insurance, why are we not deploying cyber risk management services? This is an automatic opportunity to get a leg up on the competition, right? We're walking. If you do a lot of workers' comp or you're just quoting insurance and you're trying to gain new clients, offering risk management programs is a great way to differentiate yourself from the competition. So, how can we deploy this easily? How can we make it a set-it-and-forget-it type of environment, and why is this important for our client? Well, if we're able to deploy a cyber risk management program... Vulnerabilities happen all the time.
There are new vulnerabilities being uploaded all the time, so being able to identify those vulnerabilities as they happen, and being able to automatically tell your client, "Hey, there are new vulnerabilities found in Microsoft environments. You should take a look at your scan," being able to address these promptly is super important. And at the end of the day, like we said, as long as you're able to tell a story to the carrier and the underwriter, "Hey, this is how they've invested in their cybersecurity over time," it's going to be an added plus for their cyber insurance renewal, right? So, what does continuous cybersecurity look like? Well, it's more of an automated process of examining your client's infrastructure. Like I said, you're not trying to be the cybersecurity expert. You are able to just speak to the platform and empower their already hired IT staff or their external MSP or even their MSSP. Right? You're able to add them into the platform and they're able to address these vulnerabilities as they happen. So, it's important to note that you are not becoming a cybersecurity expert. You're becoming a cyber insurance expert with the ability to speak to a cybersecurity platform that's able to run on its own and identify these vulnerabilities as they go. How does this work? What are we looking at here? When you're an agent and you've empowered your client to have one of these platforms, we're measuring three different types of areas, right? We're measuring vulnerabilities. We're measuring their security controls, and we're also measuring their people risk. Huge piece there, people risk. We need to stay on top of our clients' people risk. So, what does that look like and how do I get my client involved? Well, once they become a client of your agency, you're now able to offer them a client environment where they are able to add their internal IT staff or external MSP onto the platform.
From there, you're able to offer these daily, weekly, monthly reports, so now you're going from four touchpoints a year to maybe even 12 touchpoints a year if you want to do it that frequently. All right. Like we said before, how does this help your client when it comes to cyber insurance renewals? Well, you're going to be preventing breaches throughout the year, right? That's super important. You're eliminating that need for 15-page applications. I'd like to make a little point about what's going on in the market and how we can address this. There are situations where, if a client is with a certain carrier, the carrier will try to eliminate the ability for the client to move to other carriers by reducing the number of questions on the renewal. Sometimes you're looking to move the client from that carrier. It's always good to keep them with a carrier for a long period of time, but sometimes you're placed in a dire situation and you need to find another market. So, how can we make our shopping experience carrier agnostic? That's going to be eliminating that PDF application across the board. If you're able to just download the information, now you can go back out to market and provide them better coverage or better premiums and start to lobby for that client. Like I said, if you're able to load them into the platform, security infrastructure is already actively uploaded and constantly updated automatically. At the end of the day, what is this going to do? It's going to increase insurability. It's going to enhance their coverage and possibly decrease pricing. Like we said, prevent breaches. This is an example of an email where there is a new vulnerability found. This isn't a vulnerability found in the client's environment, but this was a vulnerability that was identified across the board.
So, the Trava platform automatically sends out an email where it's able to inform your team or your client, whichever way you would prefer, and inform them that, "Hey, there is this new vulnerability going around right now. You should run a scan on your client and make sure that everything is up to date." Like I said, this can go out to clients and/or yourself, and you can manage it from there. Example two, eliminating the PDF. Like we said, their security controls are already loaded in here, so this is going to have all of their information about business continuity, infrastructure security, identity and access management. These are all the security control areas that we really need to pay attention to when it comes to shopping insurance renewals. Lastly, an example of increasing coverage and reducing pricing. If a client has compromised credentials on the scans, they're not going to get any type of social engineering coverage. If they have false-positive results, how are we able to push back on that with the carrier? For example, an agency had a client that they went out to market with. It was a very prominent client of theirs, and the carrier came back saying that they had three open ports that were unnecessary, so they automatically declined renewal. So, now they have to... Remember, they're not getting a renewal. They have to go back out to market. Well, using the Trava scans, they were able to identify that these ports were actually open, but there was documentation as to why they were open and why they actually technically were not open ports. So, they were able to provide pushback to the carrier and receive a quote on the backend. So, providing pushback to carriers is super important, and we've seen a lot of great success there. All right. From here, I'm going to walk through the Trava platform real quick. If anybody has any questions, please put them in that Q&A and I'll try to address them now. Can everybody see the platform? Anybody?
Give me a thumbs up. Great. Now that we've walked into the platform, what you'll see here is we're already in the agency platform and we have multi-tenant, multi-user. Right? Now we'll dig into the client's environment. Like we said, we measure risk from a vulnerability standpoint, a security control standpoint, and a people risk standpoint. When it comes to the vulnerabilities, we're talking about continuous cyber risk management. So, whenever we onboard a client, they're able to upload their credentials for a cloud scan, for a web app scan, for a Microsoft 365 scan. Now, what are these able to do? How is this helping our client? Well, when it comes to these full vulnerability assessments, this is the information that is able to get pulled from the platform and delivered to the carrier for improved pricing and increased coverage. So, once we upload the client into the platform and we've onboarded their internal IT staff or external IT staff, we are able to now direct them to that vulnerability section for them to upload their cloud credentials or Microsoft 365 credentials. Super important note: these are viewing credentials, so we're only able to view into this. Another super important point: their full information is never shared with the carrier, and that is absolutely paramount about applying these types of scans at the agency level. We can't have this scan directly tied to the carrier. We really need this to be at the agency level because the agent has always been the one that has gathered the information and then distributed it to the carrier. So, we really need to, as agents, just gather the information. Trava has already identified what information carriers need, and then distributes that to the carrier.
So, like I said, once that client is onboarded or prospect is onboarded, all you do is add their internal MSP or external MSP onto the platform, and the cyber insurance renewal should be seamless from there because this vulnerability scan is automatically run, and all they have to do is fill out a control survey, which is that insurance readiness survey. Right? I have already gone through and filled one out for the sake of time, but what you'll see here are the questions and answers, as well as the threat and the solution. So, how does this help us as agents on continuous cybersecurity? Well, first of all, these questions and answers are able to be downloaded along with the vulnerability scans and distributed to your carrier network or your wholesaler network for insurance renewals, but on top of that, you're able to educate your client, "Hey, we need to fix these five things either before we go out to renewal or throughout the year," and I'll dig into that in a second, but this is where that security control framework lives. Lastly, we have the people risk, right? We can easily run social engineering campaigns in here and provide cyber risk management to our clients. So, whenever you do this, you're able to provide a report to your client and say, "Hey, we ran a noninvasive social engineering test on your company. We had five people click. I think we need to deploy a little bit more security engineering education here, social engineering education." So, super important when it comes to that continuous cybersecurity and ongoing risk management. When it comes to running that insurance preparation, how do we do that? Where do we go for that? How can it easily be run? You just click here and you click create insurance readiness report. I've downloaded it for the sake of time. Here's an example of what this is going to empower you to do. You're now able to go to your client ahead of time and tell them, "Hey, we have a lot of compromised credentials.
We need to monitor and reset the passwords on these accounts. Hey, we don't have backup recovery going on right now. We need to really implement this." You're able to give them, "Hey, we need to fix these five things, these three things before going out to renewal. Hey, we need to deploy MFA." But it's not just, "Hey, just deploy MFA on your email." We need to do it on any type of remote access, especially if it's SaaS-based or cloud-based type of environments. This is all about educating your clients on how they can not only improve their cyber insurance renewals, but also how we can give them cyber risk management practices from here on out. We have some more recommendations here that you can provide to the client and their IT staff on how to move forward. That's the Trava platform, and I wanted to give a quick, really brief intro into it instead of digging all the way in, but we have a question here. What proactive steps can be taken to have mitigating controls having an effect on premiums? This is a great question. When it comes to affecting premiums, what have we seen? Well, we've seen if you can deploy more robust MFA, not just, "Hey, they have MFA on their email," but, "Hey, they have MFA throughout their whole company. Every single employee has MFA on their email," or to what extent the MFA is enabled, that's a very important proactive step. Same thing with EDR. To what extent do they have endpoint detection and response, right? Additionally, when it comes to affecting premiums, what we're seeing here is providing cloud data. What does their cloud security look like? With that Trava platform, that client is easily able to upload their cloud viewing credentials in here, and from here, Trava is able to identify the various information that the carrier would like to see and inform you proactively, "Hey, these things aren't up to speed. Before we share it with the carrier, why don't we fix these three items within the cloud?"
This brings up another really important point. Right? How many times have we heard our clients say, "Our data is in the cloud. We don't need cyber insurance"? Great. Let's run a noninvasive cloud scan on your environment and see what's going on. You would be surprised how many clients have their cloud environments publicly available. It is extremely surprising and alarming, so definitely keep that in mind whenever you're deploying a solution like this. Looks like we have another question. Can you explain why a carrier would emphasize EDR over Next-gen and AI-infused A/B capabilities? I do not know the answer to this question. That seems like a better question for somebody that's specifically on the underwriting side, but we can definitely take this to our carrier network and get an answer for you. So, Jara, why don't we take this question down so that we can get an answer from a carrier on this? Because this is a great question. But I will explain the mindset if that helps. The mindset of carriers, remember, it's a very set-in-box question and answer type of thing, right? They're plugging answers to questions into their modeling, so it's a very set-in-stone type of process, and sometimes what happens there is being able to translate the importance of one cybersecurity solution over the other gets lost in translation because most of the time, the underwriter isn't a cybersecurity expert. They could possibly even be a greenie who's just following the basic rule set that's set out in front of them. So, definitely keep that in mind whenever you're approaching the market.

DESCRIPTION

Learn how continuous cybersecurity measures can help reduce risks and lower insurance premiums for your clients. We will go over how cybersecurity and insurance renewals are connected.