Broker Buddha CEO, Jason Keck, is joined by Mike Volk, Sr. Manager of Cyber Insurance at Optiv. Mike began his insurance career on the broker side. He took interest in cyber insurance, an aspect of insurance that has grown within the last few years. As Mike's interest expanded, so did his knowledge and his ability to coach others. Jason and Mike also discuss some well-known cyber security breaches and what risks breaches pose to businesses of all sizes.
Jason Keck: I just wrapped up a fantastic show with Mike Volk, Senior Manager at Optiv. Mike specializes in cybersecurity. He was formerly with PSA Financial, one of our insurance agency clients, and is now with the new cybersecurity company. As a tech engineering geek myself, I really enjoyed the conversation with Mike and talking about the evolving cyber insurance ecosystem. Enjoy the show!
Hi, and welcome to another episode of The Enlightened Agent. The podcast that brings you conversations with top insurance professionals and industry leaders. My name is Jason Keck, and I'm joined today by Mike Volk, Senior Manager of cyber insurance at Optiv. Mike, welcome to the show!
Mike Volk: Hey, thanks for having me!
JK: I know you recently left your previous company, an insurance agency, no surprise there, to join a new company called Optiv. We chatted a little bit about that, about the old company and the new one, but I don't think our audience knows as much about that as we do. Do you mind telling everybody a little bit about who you are and about the journey that you've been through to get here?
MV: So I would imagine that I got here in a similar way to many other folks that are in the insurance industry. I wasn't planning on making a career in insurance, but I found my way here through my experience in cybersecurity. I have a background in cyber education, workforce development training. One of the things that I started to become aware of in that role was the emergence of cyber insurance. We were working a lot with businesses that were trying to manage risk, and over time we started to hear more about this cyber insurance “thing”. We started getting questions about it, and then I got an opportunity to join my previous employer. An agency that was particularly focused on property and casualty insurance. They recognized that there was a new risk that seemed to apply to all of their clients. I think when I started, and again I didn't have an insurance background, when I joined PSA, my former employer. They made the connection to EPL employment practices, liability where like, there's this immersion, this threat or risk that really impacts all businesses. It's really hard to wrap your arms around it. They knew it was pretty forward thinking at the time, they knew that they had really good insurance people, but they didn't have somebody on staff for the cybersecurity landscape.
So I was really just brought on as a resource for the team to work alongside producers or account managers. As cyber insurance started to come up or cybersecurity questions started to come up or questions our clients had, questions about risk management, I was there to be that resource. I quickly fell in love with the insurance side of it. I started doing policy analysis and digging into the language and having conversations with other folks at PSA about coverage. I found pretty quickly that I guess I became an insurance nerd, which is another thing that I hear a lot about, it’s a personality type. I don't know how you become that.
JK: There's so much nuance in insurance and for a lot of people, it's very new. People who like to learn and people who like to grow, it's like you get into this and you're like, whoa, like I thought insurance was just something you pay for and it covers you, but like the nuance is extraordinary.
MV: I think you hit it on the head, I think that's it, so it was the aspect of like this is a policy and contract that applies to so many aspects of a business. Not only do you understand, you get to really dig into the coverage and how carriers are trying to solve this problem. Also, you get to really understand a business through this and apply cyber risk management, which is something that was brand new so quickly. I took the role, ended up building out what started as a cyber insurance practice to help work alongside the entire team to not only help our clients better understand the policies, which I came up with a way to do policy analysis and comparisons.
Most brokers here would understand the comparison of one policy to the next. It's hard, so that was the first hurdle. The next was coordinating application questions. We came up with a way to coordinate that, but I spent a lot of my time drawing from my background in education and training. Starting out, I mean it wasn't even that long ago, 2016 or so.
JK: Probably the beginning of cyber, it feels like about the time cyber insurance started.
MV: So people were asking about it, but it was like, am I really exposed, is this a risk, is this $3,000 policy worth the additional expense? Nobody wants to buy more insurance. So it was a lot of time to help them understand that this is really important. In my mind, I'm looking at the coverage and I'm like, man this covers everything. I'm looking at the potential threat landscape thinking what's the disconnect here? I just spent a ton of time trying to connect those dots, also working alongside the rest of the team that was really good insurance people trying to help them better understand the coverage and why it's important.
I then ended up getting into tech E&O and technology insurance. I built out a specific technology practice. There were a few things that I knew were challenges. So number one, right away I’m asking just a handful of questions to underwrite this super complex, challenging risk with this just looming threat hanging over us. This is not sustainable. I think the insurance industry, and I don't subscribe to this, gets a lot of heat for writing policies without having as solid underwriting as they do potentially today.
Businesses didn't want to buy it, and if you didn't make it easy, they never would've made the move. Think about how many claims have been covered for businesses that may have potentially been knocked out of business if they didn't have the policy. Now it's maturing, now we're at a point where we need to change the way that underwriting is done. We see that we need to increase premiums. Now the burden is shifting to insureds. This is the other issue that I run into, the appetite for doing proactive things for a business is low and they don't need to buy more things that they don't have. There's lots of things that a business needs to buy to be in business to do what they do. Cybersecurity is not always on the top of that list. It was a big part of my role, how do we change that to make it important. Here's how you have to do it, and here's how you can do it in an incremental way. You're going to have to do it eventually. The other piece of it was just the broker in the middle of this storm. How does that role evolve?
JK: I remember early on, the question was “do you store your information digitally”? Yes, then you have an exposure. Well then you dig into the details of what are you storing and how sensitive it is? Is it really at risk or not? Most people didn't realize that it was an exposure. It was like, what's the real risk? I think you discovered all that stuff firsthand in a very detailed way in your role.
MV: That's what led me to coming up. In the broker role, there was not only the insurance side, but I developed partnerships to come up with solutions that our clients could actually use. Cyber security is hard, right? There's no way to make it easier, but what you can do is build things that make it easier to meet people where they are. That's what I tried to do in my role at PSA, where I would draw partnerships to bring in third parties that could help with the legal side of things or the forensic side of things. To help explain it, bring in technology to make it easier to implement things like the basic level of firewall protection or quantifying risks. There's lots of ways to quantify risk these days so they can better understand what it means. That's what led me to Optiv. That's what led me to make this move because all of the things that I saw through my journey this far, everything started to come together. The biggest need is still how do you connect the dots between the cyber insurance process and the security side of it.
That's what I'm working on now. It's a lot of the things that I really enjoyed in the broker role, but helping to find solutions from a technology and cybersecurity standpoint at each level, at the carrier, at the broker, at the insured. Again, the goal is to meet people where they are at each of those levels, which is way better than it was.
JK: We see it happening in some of the larger agencies. The companies that work with larger clients are very conscientious about this. Smaller agencies who are dealing with a lot of small businesses, the exposure is not as big. They don't feel like they're as exposed, I'm not sure that's a hundred percent true, but at least that's their perspective. We're not seeing that level of knowledge capital in the agencies that we are in the larger ones. One of my favorite topics on the show is talking about change. Insurance things don't change fast, but in the last five years, I think cyber insurance has blown up in a bunch of different ways. You really saw that firsthand at PSA. I’m curious how you've seen or how you think about the role of the broker and how it has changed or needs to change now that cyber security and cyber insurance is such a big part of the conversation.
MV: I think the thing that's changing the most in this equation is probably the broker role and the way that people buy cyber insurance. A lot of the things that we're talking about here and the things that I think a lot of brokers out there are starting to see is that cyber insurance is starting to look more like a cyber security solution than it is a traditional insurance belt.
The traditional liability coverage is there to protect against lawsuits and legal liability. You have your reimbursement coverage for the things that could go wrong. It’s similar to other policies, but the biggest benefit that you really see firsthand of cyber insurance is when there is a claim or an issue. It's not necessarily the claim or the money that's being reimbursed, it's the resources that a business gets to do everything from incident response, to legal advice, to recovery, to communications. What that has done is pushed these pieces together. The broker needs to not only understand the insurance language, for any other policy, you need to know what you need to do, the language and how it protects the business in order to explain it. You also need to know the mechanics of cyber risk management, especially when it comes to things like claims. Now as we've seen more businesses than ever buying cyber, which is also happening at the same time as we've seen higher claims than ever before.
Now what's happening is that the carriers have, and again, the cyber insurance industry is maturing, carriers are changing the way that they do underwriting. They're adding new technology to look at risks, and they're also asking for more details on the applications. They're asking for more requirements that are non-negotiable. Now brokers need to understand these very technical things that are being asked of them from a carrier and translate that to a client. It may not be extremely technical or used to cybersecurity themselves, but they need to figure out how to make sure that those questions are answered correctly so that if there is a claim that it's covered, they need to be able to explain why it was answered in a certain way when there's really no validation for this.
There's external scanning which is very good, and is better than it was to look at a network from the outside. The other piece to collecting underwriting information is an application that's completed by a business person and the broker assists with. There's no validation inside the network, there's really no way to do that yet. You have to rely on those responses, and if a broker is not able to give the advice to help a client answer those questions correctly, they're in a very Ansley, a very stressful position with all the pressure that's being put on them with the potential for claims. It's scary to think that a broker who may not be very technical themselves, is actually advising a client who's not very tactical than themselves on how to provide information, technical information. Trying to explain very technical nuances to a policy like that can be very difficult.
JK: It sounds like a dangerous landscape.
MV: Yes, it is. It's also difficult because there's no overarching guidance of what a business actually needs to do to protect themselves. When you look at other types of coverage, you look at things like workers' comp for safety. You have OSHA, there's guidelines and there's enforcement across the board. If you're a business, you have to do this. It's not all on a business to figure it out the best that they can, there's at least some type of guidance. The insurance industry over time has developed a lot of really great resources. Think of the loss control that most brokers have, or carriers have to do safety audits. The resources that they have, that doesn't necessarily exist across the board.
I mean like you said, some of the larger agencies are absolutely bringing these resources in, or even acquiring firms that do this kind of work. Across the board, the majority of businesses and the majority of agencies just don't have the capabilities to do this right now. From 2016 to today is not a very long time. That’s an overnight change.
JK: I was going to ask you, I think one of the reasons this has happened is because of high profile breaches over the last few years. I’m curious what you've seen as the impact of some of those breaches on either clients, insurance, or both.
MV: Yes, there have been major incidents recently that have sent shock waves through the insurance industry. A lot of those deal with ransomware, as well as the aggregated risk with either managed services or cloud services. I'll give you a couple of examples. I'm sure most folks that are listening probably heard of the SolarWinds breach. SolarWinds is a cyber security network security technology that many businesses use. It's typically managed by a third party. What this particular breach did is that someone was able to get access to the backend system, put in a vulnerability, that actually got pushed out to all clients through an update. So it's the technology that underwriters and carriers want to see businesses using that was pushed out through an update, which is required to be compliant. You have to update your systems, that's how this was pulled in. It's used by a lot of businesses, and a lot in government agencies. This is always something that the cybersecurity, cyber insurance was aware of that could happen. This was just a demonstration of how it happened in real life.
JK: That one was particularly gnarly because it's literally attacking the software that's supposed to protect the companies. They did it in a way that was super clever. I have no idea how they got to where they did, but they basically managed to get into the code of SolarWinds somehow and got this vulnerability placed. Anybody who used the technology was exposed. Were they able to find out what the breach was? I mean, I'm sure that it's not public knowledge but were there any known breaches using that vulnerability that people were aware of that came out?
MV: There were a lot of breaches caused by that. I don't have all the statistics, but it did result in compromise. This is how the ripple effects changed the industry. Now carriers see they are insured, so they're insuring a business and they're underwriting against this business. The business uses the technology to protect themselves. A carrier doesn't have the ability to underwrite SolarWinds. Even if they did, this wouldn't have been identified because it was unknown zero day, the type of attack that was perpetrated by somebody with inside access to do this. Now the carriers look at this and they say, okay now we have this is a known vulnerability and we're going to have to exclude this. Some carriers have looked for ways to exclude these known vulnerabilities and known issues. The other piece of this is when you fill out a cyber insurance application, you also have to attest that you're not aware of any known vulnerabilities that could lead to a breach or a claim.
If you are a business and you knowingly have SolarWinds and it's an old version, and you sign that and you have a breach because of it, you could potentially be uncovered. What this shows is a case that proves that there's this consolidated third-party exposure out there that you can't underwrite for. SolarWinds is just one example, but think about all the cloud services that businesses are using. If you're a business, why would you host your own email, why would you have a server room? It doesn’t make sense, but as this is happening, the risk is being consolidated. The organizations that are running these services, it's an existential threat if that's breached. There are teams of people protecting this stuff that no business is going to be able to dedicate the resources to. However, looking at the SolarWinds issue, they were doing everything right and it still happened. Now you have this potential to create this type of attack that affects many businesses on the same day.
The other side of this is ransomware, the drastic increase in ransomware. When I started in cyber insurance, ransomware coverage was built in and it was kind of like marketing coverage. People have heard ransomware, we'll put it in. At that time, the ransom demands were in the thousands of dollars.
You're talking under your deductible, it was nice to have. The last time I looked, I think the average demand is $200,000 or more.
JK: This is somebody who hacks into your system and basically says, “you have to pay me to get out”?
MV: So this person hacks into your system. The way it started was they would randomly encrypt things. The way that ransomware has evolved is, the attackers are using vulnerabilities to get into systems to get access, and then look for things to steal. Exfiltrate the data, get out of the system, and launch ransomware. That's when the business knows about it. Not only does the attacker potentially own the entire network, they have all their data. The demand is pay us, or we're not going to unencrypt your systems, which you need to operate. Pay us, or we're going to release all of the data on the dark web. So either way, like you're saying, I can restore from a backup, they sell off your data. So then a business needs to think about what to do with this?
It's a business decision to pay or not to pay, and every situation is different. These demands are being paid and the insurance industry now is trying to say, okay, we were giving this away for nothing before because it wasn't as big of an issue. Now it's the biggest threat and these payouts are happening. They're trying to limit the exposure with things like co-insurance where a business has to pay part of the ransom claim themselves. In addition to a deductible to try to recoup some of those costs, sublimiting coverages and then adding a lot of new controls to protect against ransomware. So a business has to have certain things in place in order to get coverage in the first place like multifactor authentication, backups, encryption, all that kind of endpoint protection is more important than ever too.
JK: It feels like there are so many ways you can get exposed. Right? We just talked about a few year difference. You're a cybersecurity specialist, I'm a reasonably technical person. I can understand when I hear something, I can process it. How do businesses and insurance agencies learn about these things and understand them? What are the resources for them? Are they seeking them out? How do people find out about this?
MV: From the broker standpoint, the best way that brokers are getting a lot of the education and training is through their carrier partners. Carriers have a vested interest in making sure that their broker partners understand what they're being asked about. Understand the coverage, understand the policies and the requirements and the application process. However, you also have to remember that a lot of the folks, in typically the average agency, are dealing with all lines of coverage. So property, workers' compensation, general liability, cyber insurance, how can they be an expert on that? Even if they try their best, that's just way too much to ask of any one person. That's where my role developed. This is probably the way that many agencies are going to either work to find a specialist to assume that role where they can assist the entire team that comes with the education and potentially some of the background. We're working with the wholesale partners that have the specialization to be able to do it. There's not a really good way to get across the board, the deep insurance knowledge, because you have to be an expert on the insurance coverage as well as the cybersecurity.
JK: Even just knowing the exposures, if I were a carrier, I'd be out now marketing these. I'd be telling everybody, here are a bunch of things that could happen to you. The reality is, the larger the company, the more buttoned up they are. Certainly the small to mids out there, they're probably trying to be scrappy and efficient and find ways to cut corners. They don't realize that they’re exposed. Those guys are probably the most exposed because they may have real exposures and then they have real damages if they are exposed. I think it's clever that the PSA had you do what you were doing, and that's probably why they recommended you come on the show because they thought you were a pretty clever guy in that space.
If I were a carrier, I would be screaming, quite loudly, about the things that people need to be thinking of here. We were talking about this earlier, we did some table top exercises recently. When you start to think about, oh my God, what if that happened? It's pretty scary. As you know, the show is called The Enlightened Agent because we like to share stories about amazing agents, who do amazing things. And enlightenment is defined as “the state of having knowledge or understanding”. I was mentioning, one of your former colleagues recommended you be on the show because he thought you were fairly enlightened when it comes to cyber and cybersecurity. I’m curious if you have any stories that you can share with us from your time in the insurance space about how you're able to help a company get protected or help them avoid something catastrophic.
MV: There's quite a few examples and I'm going to do my best to give you some examples without providing too much of the specifics. Going through them, you're very aware of all the details. They're all different, every breach or claim is different. There's one example, a professional services type of company met with somebody, went through a process to help get some protections in place. One of the things that I did at PSA was work on protections, in addition to insurance, to try to be more of a holistic solution. I worked with companies like that, to put some of these things in place. Companies that never had cyber insurance before, and didn't know a lot about cyber risk management. I can think of a few examples where we worked with companies that meet that profile. Smaller businesses don't have their own internal cybersecurity IT team, and have some outsourced resources. We were able to work with businesses in that kind of bucket to get them protected. The ones in that space that really come to mind are the ones that valued not only the insurance coverage, but the knowledge about protecting the business. So you asked about how businesses get this education and training, that’s one of the things that we provided. I mean, they came to us as a resource for education, training and cyber risk management planning, the tabletop type things. That was incredibly rewarding and it had nothing to do with an insurance policy or the insurance side. It was so exciting to see businesses make meaningful steps voluntarily to improve their cyber security, because they were interested in making a change and they understood that these things are important.
I also have a few examples of those exact types of companies where we did those things, put things in place and within six months actually had a claim to use the policy. If they hadn't put the policies and the protections in place, who knows what it would do to a smaller business. Even if it's like a $200,000 or $300,000 claim, how many small businesses are going to have that in reserve ready to pay out of pocket? What we did when I did in that broker role was coordinate the incident response type work. In the best circumstance you probably want to bring in your lawyer first, but a lot of businesses don't have their plan built out. They don't know who to contact, they would contact me. I would be the one coordinating those resources to help them. It would always be the worst times like Friday nights, Saturday nights where I would be helping businesses through that and being just a sounding board as they're going through this horrible experience. Seeing them coming out on the other side was the most rewarding.
JK: It's funny, I always envisioned on the show we’d have stories about agents who help people get coverage. A lot of the enlightenment stories I hear about are not about agents helping their clients get coverage, but helping them deal with claims, so the service component of the role. The responsibility, even though it's not necessarily what you get paid for. It’s actually a super critical part of the role, guiding your client through the journey and dealing with the issue in the claim.
MV: The most rewarding, and also the most time consuming are the claims. When you're dealing with a claim it's frustrating and it's nerve wracking. When a client thanks you for doing that, you're like this is why I do this in the first place. This is the whole reason. It's sometimes overlooked because that's what you want to avoid, but that's why you're there. It's really good to validate all that hard work and all the things you put into it as an agent, it pays off and it makes a big difference to business.
JK: No question, right? I mean, we had a $200,000 claim that we had to pay for ourselves or, we weren't in a position to kind of figure out how to get it covered, we'd be in trouble.
MV: With cyber breaches, if you're stumbling around on your own thinking of all the laws and regulations you're going to run across. I mean, you can't do this on your own.
JK: Oh no, you can't, you need help. I think it's awesome that you were there to help people. It sounds like you're there to help people now. I appreciate the work you do, because I think you're helping businesses stay safe. There's enough good that these businesses are trying to do out there. They don't need to spend a lot of time, frankly, dealing with the bad and dealing with the problem space. So kudos to you for the things you did with PSA and now at Optiv. You’re hopefully protecting a lot of great businesses out there. Well, Mike, it's been great having you on the show. I really appreciate you taking the time and I’m excited for you and your new role.
Speaking of which, is anything that you'd like to share with the audience, or how can people get in touch with you if they need to?
MV: The best way is email. If you have any questions, any follow up questions, anything to pick my brain about what I saw in the broker role or what I'm doing now. My email is Mike.firstname.lastname@example.org.
JK: Mike.email@example.com. Well, hey thanks again for being on the show. I’m looking forward to hearing about how the journey continues in the cybersecurity space. Hopefully you're protected from lots of businesses and when we're not hearing about breaches and claims in the future. This is a very young space and I'm sure it's going to evolve. So thank you for that and I look forward to seeing you sometime soon.
MV: Thanks for having me, this was great!
Friday, December 17, 2021