July 13, 2023

Strategies for Reducing the Cost of Your Cyber Liability Insurance Policy


Like many other businesses, law firms are at significant risk of cyber-attack and increasingly are turning to cyber liability insurance (CLI) to transfer some of their cyber risk. But many are being denied coverage or face high premiums due to shortfalls in their cybersecurity controls.

In this episode, your host John Verry, CBIZ Pivot Point Security Managing Director, sits down with Jack Liljeberg, Assistant Broker at Thompson Flanagan. Jack helps give business and security leaders in the legal vertical, as well as anyone seeking CLI coverage, a comprehensive update on the state of the CLI marketplace and critical issues to be aware of.

In this episode, join us as we discuss:

  •       Whether CLI premiums still increasingly rapidly or have stabilized
  • Most critical information security controls that businesses need to obtain CLI coverage or avoid onerous premiums
  • The importance of honesty, accuracy, and plenty of detail in CLI applications
  • Exemptions and other issues to watch out for in CLI policies
  • Other insurance coverage types that can bridge gaps in a firm’s CLI coverage

To hear this episode and many more like it, we encourage you to subscribe to the Virtual CISO Podcast.

Just search for The Virtual CISO Podcast in your favorite podcast player or watch the Podcast on YouTube here.

To stay updated with the newest podcast releases, follow us on LinkedIn here.

See below for the complete transcription of this episode!


Intro Speaker (00:05):

Listening to the virtual CISO podcast, providing the best insight on information security and security it advice to business leaders everywhere.

John Verry (00:18):

Uh, hey there, and welcome to yet another episode of the virtual CISO podcast with you as always, John Ver, your host. And with you, me today is Jack Berg. Hey, Jack.

Jack Liljeberg (00:30):

How’s it going everyone?

John Verry (00:32):

Uh, thanks for coming on. Uh, can you tell us a little bit about who you are and what is it that you do every day?

Jack Liljeberg (00:38):

Yeah, absolutely. So I work for Thompson Flanagan, uh, at our Lawyers Professional group. Um, and I work with a team of, uh, brokers that work on primarily professional liability insurance for law firms. And me specifically, I work on cyber insurance for law firms, uh, as well as a couple other lines of insurance. Uh, but cyber is definitely the, the main point. Uh, I’ve been working for Thompson Flanagan the last two years. Um, kind of been through the ups and flows of, uh, the cyber market. So I definitely feel like I’ve learned a ton in those, those two years. And, um, yeah, that’s, that’s pretty much my, my background in insurance.

John Verry (01:20):

Sounds good. And, and cyber insurance is definitely why you’re here to chat. So looking forward to it. Um, always ask, uh, what’s your drink of choice?

Jack Liljeberg (01:29):

My drink of choice? Mm-hmm. Um, if I had to get, I mean, I would say maybe a margarita. Love a nice margarita.

John Verry (01:38):

Uh, do you go, uh, mezcal in there at all? Get, get a little smokey, get a little interesting.

Jack Liljeberg (01:41):

I do like, yeah, I do like the smokey love, a nice little spicy margarita. Yeah, it’s, it’s always nice and refreshing, especially when the weather’s getting a little nicer.

John Verry (01:50):

All right. And, uh, I drink everything, uh, but, you know, but, and is there a, a specific, um, a specific tequila that is your, uh, go-to

Jack Liljeberg (02:00):

Casamigos or,

John Verry (02:00):

Or whatever? Casa Amiga.

Jack Liljeberg (02:01):

Yeah, Casamigos is the best. That’s,

John Verry (02:04):

That’s, uh, that’s, that’s uh, what’s his name, isn’t it George? Um, George Clooney. George clo, yeah, that’s Clooney, right? Yeah, it’s really good. We, we bought it as a, as a gift for someone. It was, we were trying to figure it out between that and Patron, and we ended up with the Casamigos and I said, well, I should buy a bottle for myself so I can see what it’s like if I’m gonna give it as a gift. And it was, it was quite good. I think I got the, uh, Anejo, uh, which was really quite nice. Yeah.

Jack Liljeberg (02:28):

Yeah, it’s good stuff.

John Verry (02:30):

Yeah, good stuff. So in talking with customers, I’m, I’m definitely hearing a lot of complaints about their CLI premiums, um, getting quite expensive, you know, hundreds of percent, 200%, 300% increases, or even, you know, having trouble finding good coverage. I’m also talking to some friends in the insurance side and here that some insurers are dropping CLI coverage altogether. Um, what are you, what are you seeing right now?

Jack Liljeberg (02:52):

Yeah, I mean, I think definitely when I, when I first started premiums, um, were skyrocketing. I think it was, we were seeing any, anywhere from 60 to 200%, sometimes maybe like 400% increases in premium. Um, and it was definitely a lot more tough last year than this year. I think this year you can definitely tell the market stabilized, um, pricing is a little bit easier to find. Um, and especially in the law firm space, I think, um, a lot of the firms did not have the proper controls that they needed last year, and where we kind of had to push them to put in mfa, um, find an E D R solution, et cetera. Um, and I think a lot of our firms have the proper controls this year, or at least meet the minimum requirements. Um, so I think pricing has, has been a little bit better and, and through kind of the influx of, of, uh, carriers in the, in the market we’re, we’re able to negotiate price. So, um, I’ve, I’ve been a little more confident in, in our, our selling abilities this year.

John Verry (03:57):

So you’re, you’re, so you’re seeing it’s, it’s getting better, not getting worse, because I’m still hear I’m still hearing some pretty ugly stories.

Jack Liljeberg (04:04):

Yeah, no, I think it, it really depends. I, I know, I mean, if a firm has had a a, a large ran our claim or data breach in the last, uh, two years or so, I, it’s, it’s definitely tough to find a carrier that’s willing to provide all the, the necessary limits for the price that we want. Um, but I, if we have a firm that has all the, the proper security controls and hasn’t had any incidents, um, I, I, we’re comfortable in our ability to, to sell on behalf of the firm.

John Verry (04:36):

Gotcha. And then in terms of like, so when we go back to this point where we see, saw this, um, ramp in premiums, um, did, did the insurance companies get them itself into trouble by, you know, I’ve heard people say it was, well they, you know, they were, it was a buy market share grab or certainly, I know that there was not a lot of underwriting being done. Uh, are those the reasons why we saw premiums at, at one point that were so cheap, you were like, you’d be foolish not to take them, and then all of a sudden saw that, that big jump and escalation of premiums?

Jack Liljeberg (05:07):

Yeah, I think, I think my understanding, so when I, when I first started broking, I, I was kind of in the hard market, but I didn’t really get to experience the, the soft market or the one that was so easy to find coverage. But my understanding is, I guess underwriting wasn’t really happening then. It was kind of more just a, a side policy that was easy to add on top of a lawyer’s professional policy or, or something, something of that nature. Um, and now with the influx of ransomware claims, I think people had to start taking it more seriously and these carriers were getting hit pretty hard. Um, so I think the only way they could, uh, step afloat is to increase premiums, increase retention, limit coverage. So,

John Verry (05:52):

Yeah, so, you know, I I, I, I’ve noticed right, that I, I think there is more diligence being done. We can argue that it’s still not quite enough maybe, uh, but they’re definitely doing more diligence and they’re asking a lot more questions. And the questions they’re asking are a lot sharper and a lot more, uh, specific. Do you find that there are certain controls existence or lack thereof that would impact premiums more than other controls? You know, for example, you mentioned MFA or, uh, maybe they’re not encrypting data or maybe they’re not encrypting backups or maybe they don’t have backups or, you know, or So are more, are certain controls more impactful to somebody’s cyber liability insurance premium? And if so, what are they, you know, cuz then are clients that are listening to this would know, you know, which ones they should probably prioritize if they’re seeking a better cli.

Jack Liljeberg (06:40):

Yeah, I, yeah, I, I would say MFA is, is the biggest one by far. Um, if you don’t have any multifactor authentication to access your computer in and out of office, um, it’s gonna be really hard to find coverage at all. Um, that’s become a minimum requirement for many of our markets. Um, if we’re working with a, a very small law firm, we’re usually able to maybe to get, get by without it. Um, but I would say that’s probably the minimum requirement that we’re seeing. Um, I, I know like a, an E D R solution, endpoint detection response can be expensive. Um, but when our carriers see our law firms carrying that, it really, it really does help, um, with our ability to negotiate price. Um, and I’ve definitely seen that, that trend so far in the last couple months.

John Verry (07:30):

What about, I I would assume good offsite backups have to be something important as well, right? Because the biggest thing that, one of the biggest things they’re concerned about is ransomware. And that is absolutely the best, uh, approach to mitigating the overall risk associated with, uh, ransomware,

Jack Liljeberg (07:47):

Right? Yeah. Offsite backups, encrypted, um, MFA backing it up as well. I think all, all those are really important as well. Um, that, yeah, I mean I get that would definitely be somewhat of a minimal requirement in itself. I, I feel like most, most companies are, are, are good about having that in place.

John Verry (08:07):

Gotcha. And if, and if I were gonna look at, you know, uh, the applications for the Beasleys and the AX and the Zurich and everybody of that nature, uh, consistently we’re gonna see those specific questions on their, on their questionnaires.

Jack Liljeberg (08:20):

Absolutely. Yeah. Yeah, yeah. And I, I’ve definitely seen, um, the, the Beasley’s access, um, uh, maybe the bigger carriers, uh, really revamping their applications. Um, and there’s just so many more specific questions that are asked now. Um, it’s been a little bit harder of a, uh, conversation with our, our law firm clients that maybe aren’t super excited to fill out these large applications. But, uh, <laugh>, you know, it it’s just kind of the, the world we live in now.

John Verry (08:50):

Yeah. It’s, it’s sort of table stakes, right?

Jack Liljeberg (08:53):

Right. Exactly.

John Verry (08:55):

Uh, so in terms of, uh, going back to these applications, um, have you seen insurers, um, beginning to request compliance with standards, um, for, for example, uh, in the defense industrial base, are they asking about in the state DON 1 71 cmmc or in healthcare, do they ask about hipaa?

Jack Liljeberg (09:14):

Yeah, definitely. Uh, if you’re hipaa, um, is certified, I believe that’s, that’s what it is. Um, they definitely ask about that. Um, uh, yeah, I wouldn’t say that’s necessarily the make or make or break of the application process, but, um, in my experience, I guess I haven’t really, um, ran run into that as as much.

John Verry (09:38):

Um, what about pri you know, what about privacy standards now? Right? So as an example with gdpr, um, you know, an organization can be fine, you know, what is it 4% of their annual revenue in a worst case. And I think as of, I think this morning or yesterday morning, right, didn’t Google just get fined, I dunno, 1.3 billion or something nuts of that nature. Um, so I guess two questions there. Do most cyber liability insurance policies cover privacy issues of that nature? Uh, and if so, uh, I would assume that they’re gonna start to ask for evidence of some level of compliance, you know, with the, with the privacy state standards like GDPR and ccpa.

Jack Liljeberg (10:15):

Yeah, usually there’s an endorsement that would be added to the policy that would provide coverage for that. Um, as well as, I mean, there’s gonna be some sort of compliance issues when it comes to that. Um, yeah, and I, I think that’s something to look, look for in the next couple months as well, especially with the stuff you’re talking about, um, people getting fined and Yeah, no, I’d imagine that’s, that’s definitely gonna be a topic.

John Verry (10:40):

Gotcha. And when you say an endorsement is an endorsement and an additional coverage, so in other words, if I buy cyber liability insurance to, you know, to cover what I would consider to be a normal breach, um, do I need to pay additional, you know, uh, you know, do, do I need to pay additional for that endorsement to cover me from a privacy perspective or is that part and parcel of the c i policy?

Jack Liljeberg (11:03):

Uh, that’s gonna be just part of the policy. Okay. Yeah, and it’s gonna be a standard policy, standard endorsement that we’re gonna see on a lot of our, a lot of our main, uh, carriers will have it on there for no, uh, additional. Yeah.

John Verry (11:14):

Then I, yeah, then I find it hard to believe that they’re not gonna really, like, that’s not gonna be the next big thing that they’re asking for is because, you know, when they start seeing, uh, numbers of that nature, you know, that’s, that’s a staggering number. Right, exactly. No insurance, no insurance entity that I know of wants to be on the hook for that.

Jack Liljeberg (11:31):

Right, exactly. <laugh>,

John Verry (11:34):

What about, um, so, so you know, I asked you about specific standards there, um, but what about more, what I’m gonna call comprehensive third party attestation standards. Uh, are you seeing them ask for things like ISO 27,001 or SOC two, uh, or if they have an ISO 27,000 on our SOC two, uh, do you find that it’s going to be easier for them to get insurance and that the likelihood that their premiums are gonna be a little bit lower based on that?

Jack Liljeberg (12:03):

Yeah, no, I think it definitely helps to have, I don’t think it’s gonna be something that is make or break coming back to that. Um, I think a lot of my, my clients will be like small to mid-size law firms. Um, so I think it’s not necessarily a, a question they’re really gonna dive deep into, but it definitely helps with premium reduction as well. I mean, if they’re certified in that sense, then they’re really, I’ve seen care about their cybersecurity, um, that’s always gonna help and then pushing for, for a lower premium.

John Verry (12:39):

Um, so, you know, one of the questions I’ve been asked by, by people of course is that the fill, you know, Hey, can you help me fill out this application? Or can, can we talk about this application? What should I answer here? Um, so what happens or what are the implications, if you will, if a client is, you know, intentionally inaccurate or unintentionally accurate in their application and there’s some type of an incident?

Jack Liljeberg (13:01):

Yeah, I always, I’ve, I’ve been pushing my, my firms to just send their application to their it cuz they’re gonna know exactly how to fill it out, um, make sure we’re we’re there, there isn’t any errors, you know, in their application. Um, especially if they’re, a lot of, a lot of these policies will have certain language in ’em and if you say, if you don’t have MFA and you say you do, they’re not gonna cover a claim. Um, so we’re always gonna wanna make sure that we’re providing with the most up-to-date information about our law firm clients, um, what controls they have and making sure we’re being honest when we’re, uh, submitting the application.

John Verry (13:43):

Um, honest, uh, that makes complete sense. What about explicit, right? So you know, like within MFA or within endpoint protection, some of the things you talked about, right? There are different levels of things that you one might do, uh, in the ways things might be configured. Um, how, how explicit do you think people should be in their applications?

Jack Liljeberg (14:06):

I think the more explicit you can be, I, I think the more helpful it is. Um, the more you can provide detail on your, on your controls, I mean that just makes you the client, the candidate look, look better to the carrier. Um, yeah, I think the more detail you can add to the better,

John Verry (14:24):

Um, and I guess I guess that would also protect you in, in the event of an incident, um right. You know, because if, if something was configured a certain way where it could have been configured better, uh, you know, where they might have it, an ability to turn around and say, hey, you know, you’re not really covered because you didn’t have that configured right. But if you had specified that configuration, that would probably protect you.

Jack Liljeberg (14:46):

Yeah, definitely. No, I totally agree with what you’re saying. I think we always try to push on, uh, detail. You coming back to what I was saying before, the applications being so much more specific, um, just the more detail you can provide is the better.

John Verry (14:59):

Gotcha. Um, you know, I usually, you know, cause we get asked a lot about cyber liability insurance, you know, I usually tell clients to be careful of potential gotchas, uh, for example, exemptions and coverage. Um, I, I would guess that some of the same gotchas can also be a strategy for reducing costs. So, you know, in terms of tho those types of issues, um, any, any thoughts, any ideas, any advice?

Jack Liljeberg (15:27):

Um, I guess I’m a little confused what you’re, what you’re asking you mind.

John Verry (15:30):

Well, so, so as an example, we had a, a client years ago that was had coverage for a database that had, uh, they specifically were covering it for a particular database that was in a senior housing, uh, facility. And there was an exemption for any database with above 50,000 records and that database had 56,000 records in it. So the specific reason they bought the cyber liability insurance coverage in the event of a breach would not have been covered. Right. Because it was an exemption and they had done a bad job of reading it. So there’s a gotcha on that side. And then I was just wondering if, you know, a are there other gotchas that people should look forward, right? Some of these, these exemptions. Well let’s start with that. Are there other things that you would counsel someone to make sure that they’re looking at or what, what section of the, the cyber liability insurance policy they should be looking at to make sure that they understand what is and what isn’t covered?

Jack Liljeberg (16:22):

For sure. I, I think one, one aspect of the policy I’d always look at is, um, the cyber crime limits. Um, that’s been a huge talking point the last couple years. Um, b back in the day it would be pretty easy to find coverage for social engineering funds, transfer fraud. Uh, I think now these days every cyber carrier, uh, is somewhat it, um, you wanna make sure you’re looking in the forms endorsements, um, make sure that it’s actually covering a social engineering incident as well. Cuz most funds transfer incidents, you know, result from a social engineering attack. Um, so I think it’s always important to look at that language, make sure it’s it’s actually covering the, that incident. Um, I, I’ve seen a couple couple claims go bad where maybe they, they weren’t covering social engineering but we thought, not me specifically, but we thought that we, it was being covered and, um, claim and, and I’m not being, uh, and I’m not paying for the claim. So I think that’s something to really look forward to or look at. Um, cuz that can get a little tricky.

John Verry (17:31):

Uh, is there any other language to look for? Like I, you know, like I’ve, in, in certain contracts we’ll see maybe not necessarily cyber liability insurance, but we’ll see things like, um, uh, industry best, you know, systems should be protected reasonably and inappropriately or in accordance with industry best practice. Um, terms of that nature that you see in contracts that people should be aware of?

Jack Liljeberg (17:52):

Um, I don’t know. I’m not, I’m not actually really sure about that. Uh, I would’ve to look into that more. Um, but yeah, I’m not, I’m not really sure. Sorry. No,

John Verry (18:02):

No worries. Um, so, you know, I I’ve had the misfortune of reviewing cyber policies on behalf of clients and they’re certainly complex and increasingly legalese. Um, so what percentage of companies that you guys work with have their policies reviewed by a cyber liability insurance knowledgeable attorney and, uh, what percent should have those contracts reviewed?

Jack Liljeberg (18:27):

Yeah, I, I would say, um, when it, when it comes to our smaller, maybe smaller law firms, small to midsize, uh, I don’t think most of the time they’re getting reviewed, um, by, by their own attorneys. Um, I know our, our, our big law firm clients that we work with always do that. Um, I think that’s best practice. I think it’s always good to get a second eyes on on the policy, make sure nothing’s missed. Um, we always try to do our best on make sure there’s no gaps in coverage. Um, but yeah, no, I think it’s always a good idea to, to get a second eye on on your, uh, your policy.

John Verry (19:02):

Yeah, gotcha. So, so, so in general your recommendation would be is if you, if you are buying cyber liability insurance and it’s, and you, you’re probably better off having a, some form of legal review just to make sure that you know, you have or, or minimally maybe not legal review or legal review by somebody who’s familiar with those types of policies or understands insurance coverage I guess.

Jack Liljeberg (19:25):

Absolutely. Yeah, I totally agree. Um, absolutely we work with lawyers so that they are used to reading, um, policies, contracts, but uh, someone that actually maybe works in that space, you know, it’d be good to get someone to look at that.

John Verry (19:39):

So you’ve kind of touched on this a a second ago. So cyber liability is part of a broader umbrella of insurance coverages and you mentioned crime and d and o, et cetera. Um, how can somebody determine whether they have gaps in their coverage or they’re over-insured? Like who should, who should be reviewing that? Is that the broker? Because like I’ve seen situations where, as an example, somebody thought they could process a claim on the cyber liability insurance policy, but it was a laptop that had been stolen and it should have been covered by the crime policy and they were under insured on the crime policy. So, and that was what ended up paying as I recall.

Jack Liljeberg (20:19):

Yeah, no, I think I definitely should be a broker. Um, I think a sign of a good broker is knowing where there, where there is gaps in your coverage or where you’re over, over-insured. Um, kind of coming back to the, what you said, the crime, like I, I’ve been pushing all of my, my clients this year to buy a a crime policy just cuz it’s somewhat uh, easier to get, um, less, less costly and it does provide that, that full limit for, um, cyber crime, which is, uh, sublimited usually on a cyber policy. Um, so I think that’s when thinking about cyber coverage, I it’s always good to, to have that crime too, especially if um, cuz that’s, that’s where the actual financial loss, you know, is gonna be gonna be covered.

John Verry (21:06):

Uh, any other uh, types of, um, insurance coverages that you should be looking at in combination with your cyber liability insurance policy?

Jack Liljeberg (21:16):

Um, I think if, if you’re a technology based company you should look at some cyber and tech, you know, um, me personally, I don’t work on that a ton just cuz a lot of our law firm companies aren’t really tech based. Um, but I I know that that is something that a lot of carriers will offer tech, you know, with the cyber.

John Verry (21:37):

Um, and e o just for, for for people is errors and omissions, correct?

Jack Liljeberg (21:42):

Correct, yes.

John Verry (21:43):

Okay. So you’re saying like if you’re a SAS as an example so far as a service provider that that that tech e o would be something that would be important to look at?

Jack Liljeberg (21:52):

Yes, totally agree. Um, me personally, I don’t have a ton of experience with that so I wouldn’t be good at speaking to it, but um, I definitely have seen a lot of, a lot of policies where that has been added.

John Verry (22:04):

Sounds good. Um, we beat this up pretty good. Anything we missed?

Jack Liljeberg (22:10):

Uh, I don’t think so. I, I know, uh, maybe one other point I would say about different policies, like a professional liability policy, you always wanna be looking if make sure um, that it’s not, or check if it is excluding a cyber incident. Um, and you know, a lot of d o policies the same way they will exclude cyber incidents. So if you think you have coverage on your professional liability policy, she always would look into make sure you have a, a separate cyber cuz usually it will be excluded.

John Verry (22:41):

Cool. Um, I didn’t, uh, I didn’t know that, so that’s helpful. Uh, so, uh, Jack, thanks for coming on. I appreciate it. If folks wanna get in contact with you, what’s the easiest way to do that?

Jack Liljeberg (22:52):

Yeah, so you can send, uh, always send a question to my email, which is j uh, Lil Berg. It’s l i l j e b e r [email protected]. Um, and my cell phone number is (630) 240-0776. So always feel free to just shoot me a call if you have a question.

John Verry (23:11):

Awesome. Well thank you sir. I appreciate it.

Jack Liljeberg (23:14):

Yeah, thank you John. Appreciate it.