Podcasts

Tosh Siao: Hey, good morning, Michael. Thanks for having me.

Michael Lichtenstein: You're welcome. What did this take us, only about five months to get on the calendar...

Tosh Siao: Glad to be here.

Michael Lichtenstein: I'm really glad to have you. So let me just start with sort of a basic question, that's maybe a tad bit off topic, but I know it's been on our listeners minds. We keep hearing about a hard market that we're facing in 2021 and what that's doing to coverage availability and premiums. And can you talk a little bit about what your experience is? What are we now, we're about three quarters of the way through 2021. What are you seeing in the market in terms of capacity and also premiums?

Tosh Siao: Sure. I think that's a great place to start. The buyer's market for commercial insurance remains fairly difficult. We are seeing signs as certain lines of business are stabilizing. But I think most of your listeners, the corporate buyers are seeing their cyber liability insurance, that's probably the type of policy that they're seeing, just incredible changes in terms and conditions and also premiums. It's not unusual to see premiums doubling or tripling from year to year. And that is a direct reflection of what's been going on. We've seen it in the news with ransomware, ransom demands and cyber attacks and those other types of things that insurers in the past frankly, did not anticipate occurring as often.

Tosh Siao: So I think the way in which I would describe the current market is that it is tough, but it is not impossible to get a good deal. And I think once you find the right insurer with the right premium and the right resources, you can partner with them to continue to drive costs down. So that's going to be my objective today is to give you some ideas and quick ideas that you can use, that will pay dividends for years down the road.

Michael Lichtenstein: Excellent. And so I've also heard that the coverages that are being provided, we can stick with cyber, because I know that's right in your wheelhouse, that those are even narrowing. Either certain things are not covered or they're adding sub limits that are trying to reduce the carriers overall exposure. Are you seeing that in your practice?

Tosh Siao: Yes, absolutely. On cyber, specifically as you know, ransomware coverage is something that's not only controversial, but also has been hit fairly often on policies. And as I said earlier, I don't think underwriters really expect to have these types of claims happen so often every single year. They may perhaps expect it, maybe once every five years, once every 10 years. But it almost seems like over the last 24 to 36 months, we see these types of demands from cyber criminals come up on a weekly basis. We are seeing a lot of contraction as well as many underwriters just deciding, "Hey, we will be glad to offer you cyber liability coverage. Our Ransomware is off the table. And if you want to retain that coverage, there are certain risk management steps that you have to take, otherwise you'll have to go without that insurance."

Michael Lichtenstein: All right. So it's a good segway. Let's talk about some of the insurance company programs that might be available to a policy holder that can help them reduce their costs. And to now our focus, we can talk about maybe two or three areas that I can think of. You've got sort of operations, can they help you save some money there? Legal expense and perhaps compliance. This all seems to kind of feed right into what you were talking about with regard to cyber. What can you tell our listeners about areas where insurance carriers can help reduce costs in those areas?

Tosh Siao: Well, I think there are two areas that I think we focus on that I think are easy to access. And perhaps these are things that the listeners may not have a chance to read through the 100 page policy to find out where the services are, but they are available. So the two examples I like to give are on the cyber liability policy, and then also on your employment practices, a liability policy. So in a standard cyber policy, and I think also because of the current marketplace, underwriters are offering these services because they truly want the policy holder to use them.

An example would be to use the pre-appointed, preferred vendors if they suffer a cyber attack. So these are vendors that have already been vetted by the insurers and who are obligated by contract, to the insurance companies themselves, to respond to a policy holder in need, so that is something that is contained in every single cyber policy. The names of the firms vary, but I think if you want to be in the cyber market, all insurers have to offer that service because it helps both sides, both the policy holder, as well as the underwriter.

And then the second example I'd like to give is on employment practices, liability policies, which is coverage for things like sexual harassment or discrimination in the workplace. All insurers in the segment of the business, will offer some type of pre-packaged training on their website. Again, these are things that the underwriters want the policy holder to access. These are frankly things that many times, let's say the human resource department may be outsourcing to another vendor and paying for it separately. These are things and examples that we have, and there are many others, where I think if we just took a deeper dive into the policies themselves, that you'll find that these things are already provided for little or no charge at all to the policy holder.

Michael Lichtenstein: In the cyberspace, will carriers also offer a service where they'll sort of take a look at least, at 50,000 feet at the computer systems, the network systems, the security measures that are in place, or even, is that part of the underwriting process, as they try to evaluate the risk and determine how much capacity they're prepared, or what limits they're prepared to offer and at what price. Do they offer some help? Some companies are very sophisticated. They have large IT departments and they probably don't need it. But a lot of middle market companies who might have one internal IT person, it can be overwhelming to try and make sure that the systems are running the way they should, but are also adequately protected from cyber criminals and the like. Are any of those services available to policy holders from insurance companies?

Tosh Siao: Yes. Those services are available. And I think because of the sophistication of the cyber market, there are many things that are being done to help evaluate the risk from the underwriter's standpoint, that I always try to ask for the results and share those with a policy holder. I'll give you an example. When you apply for cyber liability coverage, you obviously need to fill out an extended application, there's no way to sugar coat it, it's very daunting. You have to really get the IT director to fill it out, it's 10 pages, and it asks a lot of very specific security questions, as well as software and compliance protocol types of inquiries.

And in addition to that, I think as part of the process when you're applying for the cyber coverage, and I think for the most part, other types of insurance, it's a good way for you to check on how the company is doing itself in managing the risk. So to give you an example, when you apply for automobile insurance, they check your motor vehicle report to see whether you are a good risk or not. When you apply for a credit card, they check your credit report. So now when you are applying for cyber liability insurance, they actually can do, they meaning the underwriters, can actually do an external scan on the vulnerability of this company.

So what they would do, and I don't know the exact technical process of doing so, but they can actually go to your website and look at things that they see are exposures for the company, and they can suggest improvements. And they actually kind of build that in as part of the insurance offering. And I think using that data really helps kind of build the moat around the company, to protect it from any of these types of cyber attacks. And if the attack does happen, then at least you have also a good insurance policy to back that up.

Michael Lichtenstein: What it sounds like is that they sort of do a bit of a vulnerability scan to see if they can identify easily correctable areas of vulnerabilities. So I put my cynical hat on for a second, right? Because I think most of our listeners, many of whom I think are policy holder side, would say, "Wait a second, all these services that these insurance companies are offering, somehow they're really supposed to benefit them, not me, right?" So, my view from what I'm hearing, it sounds like pretty much benefits both. But what's your take on that? Do you see any downside or any inside baseball here where the carrier is asking you to use their training or asking you to use their pre-approved vendors, because they think that somehow that gives them some advantage either in the claim process or what have you. What do you think about that?

Tosh Siao: I think, honestly, it benefits both. I think the only drawback, if there is one of using underwriters' services, is that if you, again, going back to the cyber example, if this is the first time that you've had a, let's say an outside audit of your security measures and your vulnerability, you may want to consider using another vendor because if you were to use the insurance company's own approved list, then there is a chance that the information, whether it's good or bad, will have to be revealed to the insurance company. So to me, that would be the only downside of it. But again, I think when we go through the process of applying for the insurance, you want to know about what the holes are and what the issues, because they can actually address them. And I think the industry itself is doing a good job, incentivizing the policy holders to use these types of services and not hold it against them.

So, to give you an example, if you have been in the market for cyber liability recently, you know the issue of a multifaceted authentication MFA process is the number one question that's being asked by underwriters, so that is a conversation stopper. If you don't have it, then you're not going to get cyber insurance. That would be an example of where you can just say, "Hey, this is the minimum level of security or risk management that I need to do, to not only run my business, but also to get insurance." And also to a certain extent, to make sure that you are an attractive business partner to your customers and other types of companies, that you do business with. So I think the benefits are to the insurer, but I think the advantages to the policy holder, thinking about even beyond the insurance application process, just enterprise wise, for the business itself, will really outweigh those types of concerns.

Michael Lichtenstein: And I'll add as our listeners know, since I represent only policy holders, the issue of what vendors you would use post attack, for what services, is the kind of thing you would want to discuss either with your in-house counsel or outside counsel, because there are issues beyond the coverage that you might well be facing. Depending on the type of attack and what information may or may not have been accessed, you may be looking at third party liability, and then you have issues of who you're hiring to do what and how well you can protect the information that they generate from discovery and future litigation, and the like, so I don't want to go deep down that rabbit hole. Again, my listeners have heard me talk about this ad nauseam, but I just want to put that sort of footnote in.

One last question, Tosh. So some folks again cynically might say, "All the services that they're offering are actually just being built into their premiums. So, you really get nothing for free." Is there any way to sort of quantify or when you're comparing coverage profiles or policies being offered by different carriers, to try and see whether or not the services that are being offered are actually sort of built into the premium or whether they're increasing the premium and then telling you that you're getting this stuff for free, but you've really paid in increased premium?

Tosh Siao: Michael, that's a great question, and I get asked that question all the time. I would say for the very large clients, such as the Fortune 500, Fortune 1000, the policy holder will have control over what is built into the premium, because everything is a la carte. If you're a very large company and you need 1,000 hours of training, you obviously need to pay for that, you can't just squeeze that in, into the premium. However, for the majority of the middle market or the smaller business policy holders, these types of services are either use it or lose it, it's built in. Again, it's something that is part of the fixed cost of the insurance company to be in the business, and frankly, as part of their competitive offering that they have to provide.

The best way to quantify it, is to just get an idea of what, the example I gave earlier, is see what your other business units and the company are spending on training or operational risk assessment, and see if those things are available through the insurance company. So for example, ask the HR team, what are their training needs? Are there any of those that we can get from the insurance company that's already built in? Then we can also ask the IT team, are there certain areas that they are struggling with, to let's say, contain the cost of security monitoring or any other types of resources that they are having trouble accessing.

I think if you take the approach that the insurance company accessed them, used them and not just think about them as being, they're the ones that will cut the check at the end of the day, which they obviously, that's a major part of the reason why you do business with them. Have them be embedded as part of how you run your business, and I guarantee you, that you'll find a lot of savings, not only in the insurance premiums, but also on the costs that would otherwise just be hidden in the budgets of your other business units.

Michael Lichtenstein: All right. Well, we're going to leave it there. You heard it here first, Tosh guarantees cost savings, if you know where to look for them. And of course this will be the softball for Tosh. What increases your chance of finding them? You have a qualified broker who specializes in the area of insurance that you're looking to buy. And as you can tell from Tosh's answers to my questions, he certainly is in that category. So Tosh, any last words for the listeners before we sign off?

Tosh Siao: No, I just look forward to, if anybody has any questions, please feel free to contact us. But again, it is a difficult buyer's market out there, but with some creativity and with the understanding of what's available, you can still have a really good and successful renewal program, if you stick to some of these ideas that we spoke about today.

Michael Lichtenstein: Wonderful. Well, thanks so much for joining us and for our listeners, that's it for today, and we look forward to seeing you, hearing you, on a future podcast episode. Take care.

Kevin Iredell: Thank you for listening to today's episode. Please subscribe to our podcast series at lowenstein.com/podcasts, or find us on iTunes, Spotify, Pandora, Google podcasts, and SoundCloud. Lowenstein Sandler podcast series is presented by Lowenstein Sandler and cannot be copied or rebroadcast without consent. The information provided is intended for a general audience. It is not legal advice or a substitute for the advice of counsel. Prior results do not guarantee a similar outcome. The content reflects the personal views and opinions of the participants. No attorney client relationship is being created by this podcast and all rights are reserved.