Bedlam Makes Strange Bedfellows

Q&A With Cyber Insurance Expert Joseph Brunsman

PA: I can’t think of a topic more connected to the current business angst right now than cybersecurity. You play an interesting role in this discussion, Joe – tell us what you do.

Brunsman: Ostensibly, I’m just an insurance broker. In a former life I was in IT, then received my bachelor’s degree in systems engineering (robotics) from the Naval Academy. I also have a master’s in cybersecurity law from the Carey School of Law, and I founded my own insurance brokerage. I’m currently working on my fifth book on insurance while keeping up to date on my YouTube channel.  

PA: What types of companies tend to come to you? 

Brunsman: My traditional customer base is financial services. Over the last couple of years I’ve been working with an increasing number of MSPs due to my background and interests.

PA: How did you end up tripping into the MSP world?

Brunsman: Years of hard work, failures, sleepless nights, and dumb luck, actually. I’d written my second book on cyber insurance and cybersecurity law and I was sitting there thinking that people really need to know this stuff but businesses don’t know the fundamentals. They don’t need to know about the cross-border transfer mechanisms — that’s PhD-level insurance regulatory detail. What they do need to know is what laws apply to them. What should be in a cyber policy? What should they look for? What are the basics of cybersecurity? What questions should they ask? And so, I was putting all this information online for free … I went to Reddit, and I put it on the Information Security subreddit, and then my info made it over to the MSP subreddit and it gained a lot of traction from there.

Funny enough, I had never heard of an “MSP.” I quickly realized it’s the one kind of community where I can take all the stuff I know — law, technical and engineering skills, and insurance — and really add value to keep them out of trouble. It’s also a community where they get a bunch of terrible advice. If you go back maybe two and a half, three years, there weren’t really many court cases against MSPs, then all of a sudden, bam, I have to relay and explain 30 years of risk transference and management mechanisms for the industry as quickly as possible.  

PA: So how did you start the YouTube channel? 

Brunsman: I kept answering the same questions for my clients. And there are multiple angles to many of the questions — there’s the policy angle, the insurance angle, the business owner angle, and the potential legal angle. To streamline the effort and avoid missing crucial details, I decided to make videos about the most common questions. When I saw some of those same questions on the MSP subreddit, I made the videos available to that community too. The material is mostly evergreen, it can probably be used for the next 10 years. The other angle I took was more of a public service – there are things not on the radar yet for a lot of MSPs, but they should be worried about it now because finding out after the fact could be awfully expensive and stressful. So I put out that type of info on my YouTube channel to help the industry. 

PA: Give me a “state of the industry” overview. What does the landscape look like from your perspective right now? Both from a cybersecurity insurance perspective but also the breaches – we know there have been some massive ones the last few years.

Brunsman: I would encapsulate it with one word — bedlam. There are just so many pressures from so many different angles. Cyber premiums are increasing rapidly,  and there are many factors involved within that. From a cybersecurity prevention standpoint, it’s not clear what works with any statistical viability. It is somewhat frightening. The experts cannot determine to what degree a particular control or cybersecurity tool is effective. It’s very difficult to say how much safer using any one tool or control makes you because each insurance company is only working within their own data sets. A lot of those data sets are really quite small. Even antivirus software is now being called “increasingly useless” by some security professionals but insurance companies would scoff at that idea. To compound the issue, what works now can change based upon the threats we see and the avenues of attack. It’s the epitome of a cat and mouse game.

Take car insurance as a counter-example. I can go look at the statistics, and I can see exactly —  down to the zip code and probably down to the street — what the probability is that I, as a 37 year old man who’s married with two kids, driving this type of vehicle at 70 miles per hour, am going to get into an accident. With cyber insurance, how do you account for just one person getting tricked and then a million dollars disappears? What are the odds of that? We don’t really know. We don’t even know basic things, such as what’s the average ransomware amount? People can get their personal computers ransomed for a couple hundred dollars, they can get their entire business enterprise ransomed for millions. There’s no centralized database per se to account for all that data. 

Insurance companies are giant, behemoth bureaucracies. By the time they can pivot to requiring you to use a particular cyber tool or implement a particular control to protect your businesses, the bad guys have found a different avenue to generate revenue. They only have to get it right once, but we have to be right all the time.

Additionally, the lawyers on the plaintiff’s bar are getting more active going after companies for class action claims. They are going after the companies that got hit. Let’s say you are an accounting firm, for example, and you have a lot of social security numbers in your files and a bad guy gets in and all this info gets stolen. Not only do you have to worry about breach notification letters, credit monitoring, forensics and attorneys, now there’s this looming threat of class action lawsuits coming against your business. 

PA: So what’s changing?

Brunsman: The insurance companies are getting much more active in declining coverage and limiting coverage amounts. In addition, they’re demanding certain cybersecurity controls be implemented before they’ll offer terms. We’re also seeing insurance companies cut off entire industries if their losses become too high. It’s exciting, but also exhausting in that the fine details matter more and more every day. 

What I most commonly see when people come to me is that they’ve had a cyber event, or posed a coverage question, and they realize they didn’t exactly have the policy protection they thought they did. We’re seeing insurance companies decreasing their limits, putting more exclusions on policies, caps on widespread events, etc. They’re trying to limit their losses from multiple angles. The product is evolving rapidly. Compared to other lines of insurance, they’ve crammed probably 50 years of policy form evolution into the last 18 months.

PA: Do you have some advice for the copier dealers, realizing their companies can be structured very differently than the average MSP? Let’s say that they’re starting to sell managed IT services or managed services, but they don’t have cybersecurity insurance yet. What kind of advice would you give them?

Brunsman: When I look at a multifunction printer, I see a computer with a very specific purpose. So, I would say that ties in with the type and amount of insurance they should be considering when you look at the amount of risk exposure. Especially moving forward with the way the policies are evolving and some of the very specific exclusions being put into some policies, I would argue that copier dealers actually need what’s called a tech E&O (errors and omissions) policy. It’s analogous to a cyber insurance policy, but a tech E&O policy is two things put together: an E&O policy – also known as professional liability – and a cyber insurance policy. They’re combined together under one policy. The difference between a tech E&O policy and a cyber policy is in the types of third-party claims that they will cover.

Let’s say a copier dealer has a cyber policy. What if a client claims they have been damaged as a result of the services the dealer either rendered or failed to render? For instance, if the dealer installed multifunction printers on the client’s network, and there is a breach and the client claims the dealer did not properly secure the MFPs on their system — maybe they didn’t have the latest firmware or the installer left the port open. Because of that, the client got hit with ransomware, or a data breach, and is now going to sue the dealer. The tech E&O policy could cover that if properly structured, whereas a cyber policy would likely not cover that scenario. If you look at the cyber coverages under a tech E&O policy, it’s very close to what you’d see under a cyber policy. In addition, the tech E&O policy could have coverage in there for technology products that were sold, distributed, created, manufactured, etc. for their clients. The caveat is that each policy is different, so building the policy that is right for your needs is crucial. Arguably, copier dealers and MSPs both have the need for roughly the same type of policy but there are nuances, limits, coverage needs and exclusions that need to be considered. 

PA: Are you seeing more copier dealers that also provide MSP services coming to you?

Brunsman:  Absolutely, but it’s a challenge. Trying to adequately insure an MSP is really hard. If I need to provide a tech E&O policy to a $200 million copier dealer, I can do that. That’s easy. If I needed to provide a tech E&O policy to a $5 million MSP, it’s more difficult, but I can do that. But if I need to provide a tech E&O policy to a large copier dealer that is also an MSP — that is becoming excruciatingly difficult.

I understand why dealers are eyeing MSP businesses. Copier dealers already have a large client base, managing and monitoring equipment on their clients’ networks, and MSPs are a growth industry that also deal within networks, so they want to bring it in. The problem that I want the dealers to start thinking about is that 95% of MSPs are under $5 million in revenue. So a lot of the underwriting guidelines for a company that would offer insurance to an MSP do not exceed $15 million in revenue. In practice that’s like $8 million in revenue. A copier dealer’s revenue can be a lot higher than that. So moving forward for insurance purposes, dealers are going to have to start thinking about at what point they split that MSP off. The dealers have 40 or 50 years of relative business continuity and have been easily insurable. 

But now many of them have these comparatively small MSPs attached to them. The potential insurance risk and legal liability coming from a small part of their organization could in theory wipe out the entire insurance policy for the copier dealer organization because it’s all under one policy. They don’t want some monster claim to come in and then suddenly, their entire organization has no insurance left.

PA: What are you excited about right now? 

Brunsman: Granularly, I view insurance like an IT guy. From a higher-level perspective, I view insurance as an insurance guy. From a 30,000-foot view, I view insurance as an engineer. It’s like solving a puzzle. I love puzzles and riddles, so every policy is seen as a unique challenge.

Working with each client is my riddle to solve. What are they worried about? What should they be worried about? What are they not worried about? What do I think the best policy options are for them? What are the surprises coming down the line? Every insurance company is different. Every underwriter at every insurance company is different. So, every single policy is a unique opportunity to solve a puzzle. 

There’s always something new in the cyber world. Within the insurance world, traditional policy forms have been pretty well ironed out over 20 years. The case law around that type of insurance is at least 25 years old. When my traditional client base calls me with a problem, I know with about a 95% probability what’s going to happen on the timeline, and I can advise my client accordingly. That is not the situation with cyber insurance/tech E&O, because it’s changing so fast. It keeps me really excited and interested because there’s always something new to explore and offer. I do feel a unique responsibility with my interest and skill set. I’m in this fun and interesting position where I can impact a lot of people and help a lot of people in my own small way.