Getting the Cyber House in Order

Tell us about what Havoc Shield does.

I’ve always been the guy in the hot seat in these small companies, responsible for defending them from attacks—without a security team and without the budget or time to build a professional program that we felt would defend us or help us get an insurance policy with the new requirements or help us win a big customer.

What we realized was that my peers—these folks in operational roles, your IT director, people who are in that hot seat—really need something similar to what TurboTax did for tax prep: taking a complex, paper-driven, confusing process and getting an expert involved and turning it into a step-by-step plan that brings most of us through to filing before the deadline. So we took that model and applied it to what you need to have for a professional cyber-security program—things like endpoint detection, response, backups, staff training, all that stuff—and we brought it under one roof.

Your primary focus is on the small business space, those sorts of companies that have just one person who is trying to figure all this out, correct?

I would say we focus between the 10- and 200-employee size. But the types of problems they have are similar in effect nowadays to the types of problems that businesses in the 1,000- to 2,000-person range have when it comes to security. When we think about the insurance requirements on them, when we think about the types of things that their enterprise customers or partners are asking them to do, it’s the same stuff.

Let’s talk about what’s going on in the cyber world for your main clients. We continue to see claims with increasing severity and frequency. How are small businesses handling this?

Unfortunately, we’re still in the trenches. I think at a carrier level and an MGA level we’re all trying to figure out what are the right requirements to put in place when it comes to cyber liability. These SMBs, I think, really care about risk transfer more than they ever have before. They’re incentivized by their partners, their board, and their own fear of the impacts of an attack. But they look at a new application that used be two requirements and affordable premium and really good coverage, and it has turned into—because of ransomware and all the other events of the last couple years—20 requirements and more expensive premiums and maybe some decisions to make.

They are looking at the exchange of how much policy can I afford and how much pain is it going to take to get through that. A lot of them absolutely still want and need that, but they’re also looking more practically at folks like us who are putting a program together on the other side of it. So, maybe I’ve got some risk transfer in here with a policy, but I need to be proactive and make sure that, if I get hit by ransomware, if some of this funds-transfer fraud comes my way, do I have the assets and the capability of responding to that? I think that these small businesses are asking these questions sooner than they ever have before and they’re becoming more proactive, which is really nice to see.

Are you seeing an increase in awareness of the need for coverage and for risk management?

Absolutely. It’s hard to not see it. As a Main Street business, as a technology startup, anywhere these small companies reside in the environment, they’re looking to their left and their right, and they’re seeing a competitor or a partner or someone in their business sphere dealing with the impacts of an attack or being convinced to wire money to the wrong party by a malicious actor, things like that.

Do you see more brokers coming to you from this space and saying that a client needs this—whether or not the client has requested it?

In Q4 of last year, that really started to happen a lot. I think it’s a couple of things that are happening. Obviously, brokers want to be trusted advisors to their clients. So priority number one is how can I advise my clients? They don’t want to just sell them a policy; they want to be there. The vast majority of small businesses want to work with their broker, who they know and who they trust. So a lot of the broker partners that we have are trying to educate themselves and trying to bring solutions.

We also witnessed that this is becoming a problem for small businesses when it comes to their revenue and to their operations. Because of the stubborn loss ratios out there and in cyber the requirements that are in place to get a policy, which have grown by probably 10 times, …you have these applications that small business owners don’t understand or [don’t know] where they stand on them. You also have a producer or someone who should really be selling policies more and advising on the coverage trying to coach them through what MFA means. And then they go, “OK, well, I know that I don’t have that in place, I know I don’t have backups and whatever number of these other requirements,” so they have to go back to their business, leaving that application outstanding, to try to do the homework.

They’ve got to find someone to help them do it, they’ve got to put together the pieces, and then they’ve got to prove that they’ve done it. That leaves your applications outstanding in that pipeline for weeks, if not months. So we focus on helping both sides of that equation: helping those brokers advise their clients on the right things and help them do the homework but also build tools to speed up their pipeline, remove the necessity of coaching all on their own with tools that they can self-serve.

Do you think because of the challenge of the cost of loss and all of the requirements that policyholders now need to put in place in order to get coverage, in addition to increasing premiums, that there’s a risk of policyholders going either underinsured or without coverage at all?

It’s already happening. We see a lot of the what I’ll call “exhaust” from insureds getting denied because they can’t meet the threshold for coverage. It’s turning into more of a Boolean, “Yes, we’re going to give you coverage, or no, you’re not going to get coverage.” These small policyholders—while they can be profitable, good policies—they can’t meet that threshold more often than their larger counterparts. So we get a lot of brokers contacting us saying, “Hey, can you help this new applicant who has already been denied two, three, four times get covered at all?” And usually our answer is yes, because we do the homework behind those requirements to try to get a 10 out of 10, and we can prove it.

But to your question, yes, unfortunately, a lot of these small policyholders are not getting the types of coverage that they need. [Cyber liability] is still very new, and it’s hard to understand what is a pretty volatile market right now. The requirements are changing, and the threat environment is still crazy. I think to a large extent carriers and capacity are still really trying to figure this out. I think it’ll settle in the next year or two, a lot more than it has, because there is a lot of growth here. SMBs represent a hugely accelerating segment of desire in policyholders. There’s a good amount of cash and a good amount of business.

Do you think the market will become more specialized as a result?

I think that what we’re seeing right now is more of that wholesale and MGA tier filling the knowledge gap and filling the capacity gap with more purpose-built cyber liability products that strike a balance between the risk and the desire for better coverage and a reasonable price. So I think we’ll see more specialty for sure there.

But my other thought is that most small-business owners overwhelmingly want to work with the person down the street. They want to work with their independent broker that they’ve known throughout the course of their business. They don’t want to go to some large insurtech that’s faceless, and they want to know what types of coverage they need. So while I think that there is that specialty tier that’s going to be core to making this efficient and figuring out how to price this and help the carriers with that telemetry, as an independent broker, you’re still going to need to be knowledgeable about it.

We still hear that things like ransomware and phishing and various sorts of employee-focused cyber attacks are driving a lot of the loss. In your role, how do you reach the employees, the ones who really need to hear the messaging and hear the training? And are these attacks changing in nature? How do you keep up with that?

You can put all of the technology in place to build a good defense and try to catch the attackers, but if someone on your operations team or anyone on your team isn’t educated enough on what a malicious email looks like or how these types of fraud transfer, social engineering attacks occur, then you’re done. You’re baked. So it’s super important, and I feel that anyone insuring an SMB or larger counterpart needs to be asking more about the human element.

We have a core tool in our tool set that does award-winning cyber awareness training through a partner of ours; we recommend that it occur in small increments monthly. You get a lot of companies that just do the one annual checkbox training, and it’s just this boring slide deck that happens over 25 minutes just so they can be in compliance. That’s not the way that we want to do it. You want to make it enjoyable and a learning experience and engage people. So we try to do that in small, bite-size sessions. Then we test it, and we do phishing simulations, and we try to make those as real-world as possible. Both on the phishing side of things but also on the types of scams and wire fraud types of techniques that are out there. When, inevitably, some of those employees fall victim to those tests, we don’t scold them; we just help them understand and educate them. That’s where we want our SMB customers to be better educated at the administrator level about how to roll those things out. We take pretty good care about how to onboard companies into performing that process.

Staying in front of it, we have an advisory board with folks in very high level, security industry roles, people who have built very, very large companies and lead them and really understand at a high level where things are going and have experience in that. But we also have folks on our advisory board who are tactically in security jobs for large, medium and small companies with companies like MailChimp, duo, Webflow—companies you know. We regularly interface with them to understand across the environment what techniques and tactics they’re seeing, because these threats are ever-changing. We also update what I’ll call our catalog of modules—the types of priorities we put people through in our program and in our product—to meet the needs.

Any thoughts on whether or not we should be paying ransomware?

It’s a very, very hard decision. Outside of, will an insurer cover it or should we cover it, you have to think about being in the seat of a business owner. They have a decision to make between “I can pay the $50,000 ransomware and be back in business tomorrow, or I’ve got to go through all of the processes.” Even if they have coverage to do the response and remediation to get back up, they can’t often see the light at the end of the tunnel. That’s where, as partners, folks in my company’s position, brokers and insurers as a general risk transfer benefit, we need to do a better job of educating folks how to respond to the inevitability of an attack. If they can see the light at the end of the tunnel and they’ve exercised how to respond to an incident, then I think we actually will see fewer people opting to pay ransomware.

But we’ve got to do it, and it has got to be more of a question of when an attack will happen, not if it will happen in a lot of cases. If we take that attitude toward it, people are going to build better defenses so it’s less likely to happen. And when it does happen, then you’re going to mitigate the impacts so sincerely that all of our claims risk goes down, the business gets back in business quicker, ransomware becomes less of an attractive target or technique for attackers. So it solves a lot of problems. But we have to get to that education, that exercise and that preparation for an incident first.

Security is a scary topic, and technology is not going to solve everything. Find someone in your sphere who you trust, who’s knowledgeable about it, and ask them questions. To a certain extent, security is very business specific; what you should be doing because of the data you hold, the industry you’re in, and the size you are. If you’re not going to do anything else, one thing to do is enable multifactor authentication on everything you possibly can. It just stops a whole category of attacks, and it’s really quite easy to do on whatever you use. Whether it’s Google Workspace for your email, Office 365, most business SaaS applications now support it. If they don’t? Move and find one that does, especially if it’s critical to your business.