Episode #124

Cyber Insurance Evolution

With Scott Jacobson
Founder & President at Jacobson Professional Insurance
February 14, 2022

Scott Jacobson, Founder & President of Jacobson Professional Insurance, talks with Anthony about the evolving cyber insurance world.

Check out the transcript below and listen along with the embed, Spotify, Apple Podcasts, or your favorite podcast app.

Transcript

Intro

Anthony DeGraw: For the folks that are going to listen to this I have the pleasure of talking to Scott Jacobson. Scott created his own legal malpractice insurance firm a while ago as he was just kind of mentioning, called Jacobson Professional.

And he just has unique insights dealing with strategic problems, strategic firms, like just different things. And he comes up with unique ways of handling that. He also has a really cool, keen sense on marketing and just going against the grain on that, which when I was in the industry and Scott and I competed against each other, I just always respected.

He had the freedom and flexibility to do what he needed to do. And he always caught people’s attention. So Scott and I have had multiple conversations, usually over breakfast, I think. What’s that place in Montclair? That’s also in Asbury Park? Um,

Scott Jacobson: Toast.

Anthony DeGraw: Toast, yeah, usually at Toast we have our conversations about where’s the legal malpractice insurance market today, and what’s he up to. I obviously switched sides and went to the tech side on the managed IT services and cybersecurity.

And recently Scott had a great post on LinkedIn and him and I were going back and forth. And I think I’ve asked you to come on the podcast like 15 times, and this is the first time we’re doing it. So Scott, why don’t you jump into what that post was about and like what you wanted to just talk about today with me on the tech versus insurance side.

Brief history of cyber liability insurance

Scott Jacobson: Oh, right on. So probably about like five years ago, lawyer’s malpractice insurance policies started including endorsements for cyber liability coverage, which, you can go back a little bit further when general liability policies started allowing you to endorse legal malpractice insurance limits onto it.

And it just all becomes a bad idea when you start looking at new exposures as an endorsement. So what happens? The insurance companies then get beat up with claims and premiums start going up, and then they start restricting coverage. And all of a sudden you find cyber liability as its new entity.

Instead of it being a combo policy with lawyer’s malpractice insurance, which it should have been all along, there’s no possible way to quantify what a new exposure is going to be until you get beat over the head with how much you’re going to be paying out of pocket for it. It inadvertently thrust me into the cyber liability world probably about five years ago.

And over the past five years, cyber liability policies have become more and more expensive while the coverage has become more and more restrictive. So it’s not really a great time in our world where you’re going to find a super broad policy for peanuts. It’s just going, you’re going to get what you pay for.

The “dying breed” of policies

Scott Jacobson: And one of the policies that I deal with is probably one of the last, the dying breed, where they do not place any restrictions on some of the coverages within the cyber liability policy and can offer up to $5 million limits in the policy, which doesn’t seem all that exciting, except for the fact that, that is the fossil in the room.

Like it just doesn’t exist. That’s what you’re probably alluding to in the post that, I’ve done my digging and I have found something that really doesn’t exist because where you might get a $2 or $3 million limit cyber liability policy, you have all $3 million available for social engineering, for any sort of exposure that’s going to come out of that policy.

And as opposed to having a supplement on it, they might say, well, you might only get $100,000 limits. And then you’re thinking, why am I buying a $3 million policy if all I have is a $100,000 limit? You’ve gotta be able to read between the lines and get your money’s worth. And that’s really what I want.

Anthony DeGraw: Absolutely. I remember when I was still in this space. Every cyber insurance policy was different. All the wording is different. The language is different, what they call one thing from one carrier to another is different. The verbiage they use in the policy wording is different.

And the number one thing that you picked up on in that post that I was seeing as well, was that, I’m buying a $3 million, $5 million, even $1 million cyber insurance policy. And I have a $25,000 sub limit or a $100,000 sub limit. And to me, as soon as you saw sub limits, you knew that’s where they were expecting the claims from.

So they’re limiting their exposure on that specific line item. And then when you’re deep in that world, as you are with your legal malpractice clients or just in the cyber world in general, you start to see the claims, right? You start to get the examples from the insurance carriers.

When they come out to visit you or give you a call or the wholesale brokers or whoever it is, you start to understand the claims that are actually coming in on these policies and where they’re hitting and boom, you’re like, “Hey. That’s the sub limit. And if I’m going to protect my client, I don’t want a sub limit there. I want that available for them.” So, yeah, it was just a great post on how you explained all that.

You cannot account for human error

Scott Jacobson: True. Well, you have now shifted to the cybersecurity and the cyber prevention side, I’m on the cyber reaction side. And the one thing that your preventative measures cannot account for is general human error. Correct?

Anthony DeGraw: Yup.

Scott Jacobson: You just can’t account for one person who receives a suspect email who forwards it to another person and just says, “I’m too busy. Can you handle this for me?” Not realizing what is in that email and all of a sudden, they are exposing their entire network to something that they shouldn’t do because the owner, managing partner, just told them to.

And so they did, and I have seen firms get hit with that time and time again, seen firms get locked out, have seen money float overseas, having to get the FBI involved in order to stop the money and hope they can recoup it in time. And in many cases it works, but in some cases they can’t because some of the money has already transferred. It’s tough.

Insurance carriers are getting smarter

Anthony DeGraw: You’re also seeing now, at least what I’m hearing in the cyber marketplace, I’m looking to go a little bit deeper on this, is that insurance carriers, obviously, as you mentioned, they’re paying out claims and they’re paying out a lot of claims and now they’re getting smart and starting to require risk standards or things to put in place to prevent these things and really confirming that you do like a multi-factor authentication, and anti-virus system backup, and disaster recovery programs. And they’re diving deeper into those things because that’s where they’re getting burned.

And some of these small things that could be put in place up front are just completely at the time where it just being forgotten. Hey, I got a million dollar cyber policy. If something happens I’m okay. And now you’re seeing denials. I’m sure you are too, denials of coverage. You can’t get coverage or coverage being decreased for the same amount of money or maybe even more money.

Yeah, there’s a lot. And in terms of law firms, we started the business started in ’97, all around law firms. That’s how the company got started. And we still have a significant amount of them here in New York City as well, and in New Jersey. And I have one right now that we’re working on and they’ve gone through five or six IT Managers in the last five or six years. They’re not willing to invest in technology. They have this different mindset about it is “that’s not how we practice law 30 years ago.” And it’s just completely changed, they’re working off of systems from 2003 and 2007 and just some of the most basic things just don’t exist.

And it’s unsettling. It really is like they should be, hopefully they do have a cyber insurance policy right now, but I, if I was a carrier and I really knew what I was looking for, there’s no chance in hell I’d write them a cyber policy.

Scott Jacobson: You mean you’re still not using your @AOL email or your Prodigy email? Of course times change, we’ve even seen insurance companies change.

They’ve gone from the cyber carriers have gone from just offering terms to now providing a comprehensive review of the network, because they recognize that if they can identify ports that may be open that shouldn’t be, they can help the client eliminate exposure just and limit the opportunity for that client to have to file a claim against the insurance company and therefore everyone’s profitable, just because the insurance company took that extra step.

Not so much as a cybersecurity type of company, but as a prevention tool. And I think that some of my clients have benefited from those services and they’re very appreciative that every year at renewal, they get a nice little report card that tells them what they’re doing. Where’s their deficiencies. And they address them because the report card says that, “Hey, you’re failing here.”

Anthony DeGraw: Yeah, it’s great to see them getting the cyber insurance companies getting more proactive on the front side of it. When I was there or in the business, it was, “Hey, we have this e-risk hub, and we provide all these additional services, once you purchase.”

And I think I was talking to somebody the other day, like an e-risk hub gets utilized like 3% of the time or something like that. And the aspects of those additional services that I always loved. It was like the data breach coach or the forensic company to bail them out. Cause normally when these incidents happen, they have no idea where to go.

So I love that part of it, but getting more proactive is going to help both the insurance companies and the firms at the end of the day, you’re trying to protect your firm, and something that we always get into is like reputation, right? If the firm’s reputation means something to them, a lot of their relationships, this one, I’m talking about deals with hospital systems and they’ve built a great reputation in the hospital system space.

And I can’t imagine if, they were the reason, they were the third party vendor of the hospital systems that caused the hospital systems to have breaches. I don’t know how much longer they’d be in business or how much of a hit their business would take being just connected to that type of an incident.

Scott Jacobson: Well, what happens if a breach is then responsible for putting the business out of business. And then all of a sudden, someone who has been an employee of a company for years now loses their job because of a decision made by the Chief Information Officer, the Chief Technology Officer, and now you have a director’s and officer’s claim on top of it.

So decisions about cybersecurity and decisions about insurance that are all made by management expose law firm management in so many different ways and connect so many different policies that it’s really tough to comprehend that all of these policies need to be working in sync together. Otherwise any one of these exposures could be a multimillion dollar hit, and that could be something that takes the company.

Anthony DeGraw: Unbelievable. We are up on, we are up on time, but ladies and gentlemen, that Scott Jacobson Professional. If you are a law firm, you should definitely be considering Mr. Jacobson for all of your coverages, not just legal malpractice.

Scott dude, I appreciate you coming on. I do have to jump, but if you want to do this again let’s get after it.

Scott Jacobson: Absolutely. That’s fine. Another time. And another topic to talk about, it’s been great talking to you about that. Thank you for having me.

Anthony DeGraw: Awesome, I’ll see you, man.

Scott Jacobson: See you. Be good.
