Leading IT - Podcast

Episode 22

The “Ins and Outs” of Cyber Security Insurance with Robyn Adcock, Cyber Technology Practice Leader at Gallagher Insurance

In this episode, Tom and Josh are joined by Robyn Adcock, Cyber Technology Practice Leader at Gallagher Insurance.

The chat highlights the challenges that both vendors and customers face navigating the Cyber Crime landscape affecting so many Australian businesses and the steps required to succeed.

Josh Rubens 

Welcome to Episode 22 of the Leading IT podcast hosted by me, Cloud Solutions Group CEO Josh Rubens and Tom Leyden, the Global Head of IT for international design firm Woods Bagot. The purpose of our show is for IT leaders to discover unique and valuable insights into current trends from both sides of the vendor client relationship paradigm. This show aims to tackle relevant and time sensitive topics like cloud security, COVID-19, strategy and leadership and how to deal with emerging IT threats and opportunities. In each episode, we also handpick an expert guest speaker, as well as a selection of trending stories, and share our thoughts about what they might mean for our industry. In this week’s episode, we’re excited to have with us Robyn Adcock, the cyber technology practice leader at Gallagher Insurance, to discuss the advantages and pitfalls of cybersecurity insurance. But first, let’s talk some headlines. G’day Tom!

Tom Leyden 

Hi Josh, thanks again for hosting the podcast. Looking forward to doing this in person one day!

Josh Rubens 

Yes, yeah, I think we’ve done 1 out of 22.

Tom Leyden 

One day, I hope we can do it in person again. I see a future where we get together and actually talk face to face. I hope that does happen soon. Yes.

Josh Rubens 

Yes. So in general, that’s probably a pertinent point, not just for the podcast…

Tom Leyden 

…not just for a podcast, I have got some news. I’ll go first, if that’s ok. This one sent a shiver down my spine. And I think it might do for many of your listeners. Microsoft on Thursday said it will raise prices as much as 20% for a bundle of software, called Microsoft 365, that includes Teams, Outlook, blah, blah, blah. I think we’re all sort of waiting to see what would happen from a pricing point of view with Microsoft, now that they’ve all convinced us that Teams and the cloud are the way to go, they’ve moved us under subscriptions. And now, now we’re seeing them sort of grinding up the price. It’s a bit scary. Just off the internet, it’s saying they’re going to raise prices up to 20%. It’s not as bad as that, I think; they’re talking about some of the entry level prices going up $1 per user per month. So again, that’s not a big deal. But the E5 and the E3 licencing is certainly seeing a jump. The real problem with this though, Josh, is our ability to negotiate when you’re all-in with these kinds of vendors.

Josh Rubens 

Yes, so won’t surprise you, that was one of my ones. It’s also my first, but I do have a backup. Second one, so I’ll be okay. But yeah, that was definitely I just saw that sort of 10 minutes ago. And I think so, for some balance here. And this is the first time they’ve increased the price in 10 years. So I don’t think we should all run, you know, screaming in the hills and having a crack at Microsoft. So. And they’ve mentioned they’ve added over two dozen apps to the site.

Tom Leyden 

The old added-value, we’ve added more value, therefore we’re going to charge you more. I hear that argument a lot from the vendors. And that’s only useful if you’re actually using those apps. But if you’re just using the basics, then it becomes it’s a moot point sometimes.

Josh Rubens 

True. But the fact is they have added 24 apps, and they have costs associated with that. So there is a balance there. And so yeah, as you said, the basic plan, it’s one US dollar from five to six, which is 20%. And the higher end versions are 12 and a half percent. And they said it’s not changing prices for the consumer education versions of the software. So but you’re right, there is no ability to negotiate with Microsoft unless you’re in the top two or three customers in the world, I would suggest even an organisation of the size and influence of Woods Bagot would have no ….

Tom Leyden 

Yes. So the right tactics, I think but probably not to disclose in this kind of call. But I think this is a bigger problem around you know, big global SaaS providers, in now, dominating the market space, absolutely dominating it. And because they’re doing a great job, no doubt about it. But what does that mean from a competitive point of view and for a pricing negotiation point of view. It’s certainly instilling some challenges ahead. It’s not just Microsoft doing that they’re all doing this one, but with the other vendors, just as you know, jumping up prices, knowing full well that the cost of moving is prohibitive for most people.

Josh Rubens 

It’s not new and Microsoft are not the only ones. As you said, they’ve just announced a fairly decent increase in the share price as well.

Here, they’re up 1.8%, a record high of USD295.96.

Tom Leyden 

Sheesh, I wish I’d bought those shares 20 years ago, mate. I really do.

Josh Rubens 

Yes. So my replacement piece is that Microsoft acquired Peer5 Networks quite recently. So Peer5 works as an eCDN platform that is specifically to enhance video traffic. So they’re going to bake it into the Teams platform. It’s around really, it’s a back end. It’s a back end thing. So it’s not something customers will have to instal on endpoints, but it’s really around improving that video experience, particularly for customers that have 1000s of users trying to do really big broadcasts. And it’s about competing with Zoom, add that to the market, trying to bring the user experience up to the level of Zoom. So yeah, that acquisition was made, I think, last week in the last couple of weeks by Microsoft.

Tom Leyden 

Well, that’s great. I mean, we’ve seen in the last few weeks, typically, with enhancements, from the demand from work from home, that Teams was growing a bit. And we do see some issues, the edge case type issues with Teams. So I’m glad that they continue to improve the product, but you know, 99% of it’s great. It is that 1% you know, there’s times when someone’s trying to do something a bit unusual, that tends not to cope as well as perhaps some of the competitors. Well, that was my main news, Josh. Do you have anything else?

Josh Rubens 

Yeah, I do. And it’s a real lead into our topic today, and talk about alarming. So it’s from the ABC, who, you know, I’ll admit I don’t politically normally follow but it was a really good article from last month, saying that Australian organisations are quietly paying hackers millions in a tsunami of cybercrime. The comment it’s making is that Australian organisations have been quietly paying millions in ransoms to hackers who’ve stolen and encrypted their data, there’s been a 60% increase in ransomware attacks against Australian companies in the past year. This is according to the government cybersecurity agency, the ACSC, in the last six months alone, so the size and frequency of ransoms, has increased significantly. And because it looks bad and harms reputation, most organisations do not declare it, in turn you know, there’s a bit of a vicious cycle there. So you’re essentially promoting that…

So before we get into you know, there’s a few more points here that are very relevant. What’s your comment on that, as an internal IT and about declaring we’ve been attacked and the pressure you may be under from a board not to declare?

Tom Leyden 

Yeah, look, there’s real pressure just to fix it quickly. And one of those options, I wouldn’t condone this, would be just to pay, the pressure’s gone quickly, they don’t make a big deal of that, “Let’s keep this out of the public”, our customers don’t need to know about it, let’s just pay these guys and get on with our lives. I certainly wouldn’t recommend doing that. But there is pressure from all sorts of levels in business just to do that. So no surprise that this is happening. And every time you know, you pay these guys you’re funding the industry, aren’t you, you’re just making them bigger and better and more sophisticated for their next level of attack. So it’s kind of disappointing as well. But we’re going talk about this in detail. Right, Josh?

Josh Rubens 

Yes, today. I’m also going to have a cyber expert on in our next podcast to talk about ransomware as a service and that market. But there’s a couple more points that I found also that I think are relevant, so there’s been three high profile attacks, there were two against Toll last year, in May of this year in March against Nine in July, in June sorry, against JBS Foods. And CrowdStrike, who you know, one of the largest cybersecurity organisations in the world surveyed 200 senior IT decision makers and security professionals across Australia. They found that two thirds of the organisations surveyed had suffered a ransomware attack in the 12 month period to November 2020. And of those 1/3 had paid the ransom. Even more concerning the average ransomware amount was $1.25 million dollars.

Tom Leyden 

Wow. It’s a huge industry, isn’t it?

Josh Rubens 

Yeah, so that’s just in the survey. So that’s 55 million bucks. And then Rachael Falk, from the Cyber Security CRC, said most Australian businesses are woefully underprepared. And they’re calling for a mandatory reporting regime for cyber attacks. And this was also in the Herald Sun and The Age and other papers about they’re trying to pass a law that organisations have to declare. It also said, as you said that most victims are under an amazing amount of pressure to resume operations as quickly as possible. And the Press is talking about the pressure they’re under is immense. And unfortunately, they have to make the decision is that you know, a pretty binary decision to have, this is going to cost me X and I can recover by paying Y. And then they just pay it. And obviously, the ACSC advises against paying ransom. But at times, you know, that’s not a commercially viable option. Right? If you’ve got, there are people in your industry, massive fines for, in construction for not building, as much as up to 500,000 a day or whatever it is, and, to them a million dollar fine, it would be, the cost of doing business.

Tom Leyden 

Yes. Unfortunately. And there’s a lot of talk now, about putting directors of businesses on the hook for doing this properly, for disclosing these issues properly. I think, you know, the other element of this is, what can the government, how does the government help us in this space as well? So no one wants to pay criminals, right? We don’t want to have to do that. No one wants to do that. But what if you call the Federal Police around these kind of issues, the responses are limited, and they don’t have the resources to help you in the space as well.

Josh Rubens 

Yeah. So I think very pertinent. So now let’s introduce our special guest, Robyn Adcock, the cyber technology practice leader at Gallagher Insurance to discuss the ins and outs of cybersecurity insurance. And whether organisations are using it as an excuse to under-invest in IT security. Robyn has more than 25 years’ experience in professional and cyber risk management in the Australian market. She understands the multifaceted cyber industry environment at both a local and international level, and more importantly, how this knowledge translates to her clients’ needs. Her focus is on educating the Australian business community and promoting the criticality of understanding, addressing and managing cyber risk. She works with a full spectrum of clients ranging from small businesses, to national and international organisations. And specialises in the placement of professional and cyber risk management and insurance solutions. Welcome to the show, Robyn.

Robyn Adcock 

Thanks, Josh. Thanks for having me.

Josh Rubens 

You’re welcome. Thanks for joining us. So I’m not sure if that piece of news was, was of interest to you?

Robyn Adcock 

That piece of news is very well known. So the interesting concept of all of those statistics is that insurance probably has paid a majority of those ransoms at an average cost of $1.2 million. So and this is why there’s such a pushback from insurers now to say, we can’t keep doing that. And I think my question to you actually, before, is, if these companies had had the right security controls in place, like, would they have had to pay these ransoms? So sorry, that’s over to you.

Tom Leyden 

That’s a really good question. Robyn. Yeah. So are you saying, are you implying that if these people didn’t have the basics or the essential components in place, and therefore they were, I guess, more subjected to these kind of attacks?

Robyn Adcock 

Yeah. I mean, if you look at the largest attacks, when you unpack them, there’s things like multi factor authentication wasn’t across the business. There wasn’t a proper password management. And these are basic controls. And these are potentially critical infrastructure. You know, organisations that have been breached.

Tom Leyden 

Yes. This is a really, this is really interesting, actually. So I think this can enter this piece, because I think, you know, as someone who is sort of forces out into users, we get a lot of pushback. And there’s a little bit of friction involved in rolling these things out. And we do see right at the top level, we see some challenges, they say “Hey, you’re making our job harder. IT people, what is this security stuff? Why do I have to…”, MFA for example, which is strange, but, “Why do I have to do this? What I just need to get on, I’ve got a big presentation cover up, blah, blah, blah, can you just make it easy for me?” So we’re seeing that right at the top level of board level people saying that, putting that pressure down and we’re saying, well hang on this is, you need to do this guys, this is the reality. Are you seeing that as well across the business, that pressure coming right from the top?

Robyn Adcock 

Yeah, like there’s a whole new conversation I have seen in the last 12 months. So I’m across the industry and work with, you know, the small sector, the mid sector and large corporate ASX listed companies right across the industry. And so the challenge, I think has been, it’s a difficult conversation, because it’s a technology conversation. And so there’s a lot of ignorance around that. And historically, there’s been permission to be ignorant around that, because you potentially did that. The kind of targeted criminal attacks were against one business but now this is a supply chain, you know, problem. And so now you’ve got a huge impact with one attack. And so boards have been forced to look at this differently. And also security budgeting is part of has to be seen as part of the agenda. So the technology leaders of business are definitely coming now to the table and forming part of the board conversation, and they have to be there because they are the only ones that can talk to the security and resilience of their business. And so the boards are now learning and all executive leadership are now learning that this is the conversation that has to be had that everyone across the organisation, there has to be a culture throughout an organisation of the understanding of what the roles and responsibility is in relation to cybersecurity, so yeah, it’s very different now.

Josh Rubens 

Yeah, I mean, the other thing, you know, is that you hear some organisations saying, and Tom might have heard this is, what’s so important about our data? Who cares if they can see our data? You know, there’s a bit of I’m not saying it’s right, I know it’s wrong, but I’m just saying there’s a bit of “So what?”, as well, and also what you’re saying, you know, for some companies, and some IT managers and leaders sounds hard. I mean, not all, and we’ve spoken about this previously on the podcast Tom, is that not all IT leaders or, or more importantly, business execs, you know, the CIT is someone that should be having a seat at the table in the board meetings, you know, and on the exec leadership team. I think those organisations, unfortunately, still not in the majority.

Robyn Adcock 

There’s also, there’s a misconception, though, that all cyber insurance in particular, and cyber risk is all about just the releasing of, you know, private data. But the challenge now is what’s driving this change throughout business, in recognition of the risk is the ransomware attacks, because the ransomware attacks are also about disrupting to a critical level businesses where they can’t function. And that’s what’s happening. And then you look at all of the revenue costs associated with something like a JBS livestock attack, which basically took meat production across the world down for three days. So an insurance policy covers all of the business interruption revenue attached to that business being down. So again, that’s why insurers are now looking far more critically at the security controls before underwriting any kind of business that can be impacted by days and days of, you know, not being able to function.

Tom Leyden 

Just on that point there, because this is a question….so you’re saying that your insurance is worth seeking, as a kind of, picking up the tab. So you’re starting to do more, I guess, in terms of pushback, or what sort of questions are you saying to ask these businesses? When you say push back, what does that actually mean?

Robyn Adcock 

Well, it means that, you know, you used to have a proposal form to complete, which was a, you know, a set of questions that might say, Do you patch? Tick box. Whereas now, with a broker, we have a specific additional ransomware questionnaire, which has 43 questions with subsets of five A, B, C, D, E, within those questions, specific to ransomware controls. And so you’ve moved from, do you patch to how often do you patch when do you critically patch and you go through that whole process. And so then looking for, basically, what drives the questioning is the unpacking of the major claims. And so when you’ve got software being compromised, because it’s end of life, then that becomes a problem for a business. If you’ve got end of life software, you now need to get rid of it, basically, or you’ll have a policy that will exclude a claim arising out of a known vulnerability. And then you now move, and you’ve moved, MFA is now compulsory across the business. And it’s even moved to, do you have MFA for your, you know, administrative privilege. So you’ve just gone from MFA from a remote working all the way through to we’re watching the lateral movement of the cyber criminals, meaning you now have to secure all of your people with administrative privilege in a different way. So the goalpost just keeps moving. But the baseline controls have shifted so significantly, that without those baseline controls at that level, you’ll find it challenging to get insurance at all, or you’re getting insurance where they’re going to ask you to be a co-insurer on any ransomware event.

Tom Leyden 

Yeah, right. Yeah. So that baseline thing is quite interesting. So as you say, it’s not like, do patch to or how do you patch? But the challenge I guess for the IT manager, the IT Director is, How do we stay, how do we, how would we keep ourselves aware of that, what the baseline is? And how do we keep ourselves on top of those changes as they come through? So when we say baseline, are you picking up particular standards? Or is it just a matter of you going back through previous attacks and say, right, well, we step away from that and away we go? How does the IT guys keep themselves on top of what that baseline should be?

Robyn Adcock 

So the other thing that insurers are looking for is what Risk Management Framework are you following? Is it NIST? Is it Essential Eight? And you should have definitely a concept of what the risk is within the business. And you know, that should all form part of the board conversation around, what are the vulnerabilities and what do we need to spend to bring ourselves up to a point of acceptability in an insurance market. So I mean, it’s, it’s not just about, this is about protecting your business. Insurance is a kind of part of it, but it’s not all of it, it’s about understanding that, you know, if you’ve got my data, please protect it.

Tom Leyden 

I think it’s fantastic from my side of the fence anyway, because it just, it strengthens our business case. So we go back and say, you know, what, we need to spend this money on this security infrastructure, processes and people. And the business has got, “That’s great. But that’s, that’s essentially, we see that as a bit of a tax, we want to spend money on marketing, we want to spend my money on business development, blah, blah, blah. And cyber security doesn’t actually add to the revenue, right?” But when we turn around and say, look, we’re not going to get Cyber insurance, unless we do these things. That really strengthens our business case, as well. Are you seeing more of that kind of conversation happening as well?

Robyn Adcock 

Yeah, because I mean, essentially, say, for example, I’m an insurance broker, but generally we work with, you know, risk and compliance managers, insurance managers with CFOs. But the only people that can answer these questions are the IT team, the technology leaders. So we basically say, to the CFO, or whoever we’re dealing with that, please bring your technology leader to this table? And through that question set, it’s almost like a risk management tool. And so we prepare clients before we actually take them to the market. So that when we’re going through all of this, you know, extensive questioning, if we see something that’s missing, we say, okay, what’s the alternative control you have for this vulnerability? Because otherwise, we’re not going to be able to get your insurance. And I’ve actually sat in meetings where I’ve seen a CFO turn around and say, to the, you know, the Chief Technology Officer, okay, that now is a priority, move it along, whereas it is on a timeline as a project that got signed off instantly. Because without it, without the MFA across the business, they could not have got insurance.

Josh Rubens 

I’ve got quite a few comments tonight, if I may. So firstly, my comment is, you know, for someone who, we deal with a lot of clients in our world, what’s common with a lot of them, I don’t know if you share this, are quite immature in their, in their current, you know, security practices. The amount of customers who don’t have MFA is mind boggling because there is pushback from users. And a lot of customers seem to think, well, if I get a ransomware attack, I’ll just restore from backup. But, you know, we’re seeing a lot of cyber criminals are now encrypting the backups as well. So it sort of keeps on moving. So now you got to encrypt your backups. So there just seems to be in general, quite a lack of maturity in the customers maybe in the mid market more than at the top end of town. But I’m interested to see what you’re seeing there, as far as the current level of maturity?

Robyn Adcock 

Yeah, same thing. Like it’s, it’s, it’s an education process for everybody. It really is. And so, you know, to bring the technology people to the table and have these conversations, there has to be a realistic commercial approach as well. So sometimes, you know, we’ll go into the insurance market and say, “This is the journey they’re going on”. However, having said that, I’ve often sat in board meetings like two years ago, and you know, presented risk management, profiling and journey timelines and things like that, and insurers have accepted, okay, they’re here, and they’re on their way to here, whereas now, it’s more like, it’s time to be at the destination. So, you know, there isn’t any more time for the journey there really needs to be the destination. But yes, there is a challenge, definitely for mid market business to spend that money to bring those controls to a level that is acceptable. But it has to be that way. Because, you know, the cyber criminals are so clever. And as soon as there’s a vulnerability, you know, there’s a massive claim, and they turned off the endpoint protection and didn’t turn it back on. So, and that’s how they got in. So things like that …..

Tom Leyden 

So this is why we want to be able to get more details, it’s for the questions I had, as well with that, what were those horror stories? So you’re saying they turned off the antivirus for some reason? And that that leaves the door wide open. But what was your reasoning behind that?

Robyn Adcock 

Well, that’s just something that was a mistake.

Tom Leyden 

So it was really as simple as that. It’s just someone for some reason forgot to turn it back on.

Robyn Adcock 

 Yeah, exactly.

Josh Rubens 

So when you pay out, would you pay out Robyn? Would the insurance company pay out? And all that would be “No, you didn’t have that in place at the time. So that’s not covered?”

Robyn Adcock 

No, they’d pay out! The cyber insurance policies are actually the broadest cover I’ve ever seen in an insurance policy, and hence why they paid out billions of dollars, because, and also, historically, people have come to the insurance after the event and said, “Oh, I had this problem. I paid this ransom. Can you pay it under the policy?” And they’d have to do that. Whereas now, you know, they want to go to the table.

Tom Leyden 

It’s fascinating. So we can’t rely on cyber insurance just to be able to recover or “She’ll be right, we’ve got insurance.” We can’t rely on that anymore.

Robyn Adcock 

Well, you probably could have because when it was single, targeted attacks, but now, you can’t rely on insurance. I mean you can rely on insurance, in fact, in that the policy will work if you’ve got a policy. But if you’re just relying on the insurance to not spend the appropriate budget on security controls, the insurer will see that through the insurance renewal process, and then they potentially won’t offer you insurance going forward.

Josh Rubens 

So, Robyn, you said there’s a 43 page questionnaire? How do you validate people just not ticking the boxes, just to get the cover? So is there a process of validation?

Robyn Adcock 

Yeah, you can’t just tick a button. So there’s 43 questions, not 43 pages. It’s 43 questions, but I mean, the beauty is you can hand it to a technology leader in the company, and they can eat it up or they can go, okay, we definitely have these problems. And now we have to have that discussion. And so we have that discussion. And we have that discussion with them. And with the, you know, the CFO or whoever the exec leaders are that need to be at the table to understand if you don’t do this, this could happen. And to be honest, the exec leaders are learning a lot about this as well. Ask them two years ago what multifactor authentication even was and they probably wouldn’t have even known. One of the biggest challenges I think across industry, even in our industry, is the understanding of technology. And so it’s been put over there on the side and that’s all going on over there, and the business is running. But now all of a sudden everything is colliding. And as you say the government is putting a massive spotlight on the potential personal liability of directors that are not aware of looking after the cybersecurity posture in their business. So, elevated conversation.

Josh Rubens 

So what I’m saying is, and I’m not saying I do this … so if you get your car insurance that has a bunch of questions; “Is it always kept in a locked garage? Do your kids ever drive it? No, no, of course, not. Always in a locked garage.” I mean that’s to get your premiums down. So how do you validate the honesty of the, I’m not saying people aren’t honest, but the honesty of the answers that you’re getting. Does someone actually go in and check things or what’s the process there?

Robyn Adcock 

That’s actually a really interesting question. I actually think what I’ve seen is that the IT teams are actually so appreciative that they’ve been asked, and so they never lie. They love sitting at the table and saying, we actually made this recommendation to spend this money a year ago, but it wasn’t seen to be important. And so guess what? Now it’s important. And so I think the IT teams love being part of the exec leadership and actually educating their business on what they need to do to protect their business.

Tom Leyden 

I think it’s spot on. It’s really good that someone else is asking those questions so that, you know, you bang on about resources required to do patch management, for example. And then that’s all their sort of priority right? Now. We need to blah, blah, blah. So finally, someone else coming in and different angle. Totally. So how’s your patch management guy, they are great. We’ll be talking about for ages, thank you for raising it. Here’s what our plan is, we just need some money please to execute. We need to prioritise this differently. So I do agree with you, Robyn, that it’s not in the IT interest to lie about any of these, it’s actually in our interest to inform the business on what they need to do to make them secure. And Josh, I recommend you should go back and visit your car insurance policy.

Josh Rubens 

Ha, I didn’t say I was doing that! I was just wondering what checks and balances are in place to validate what …..

Tom Leyden 

I think moving forward, though, I think now, it’s good. But then, you know, as we move through this, we’ll get weary whatever, then the business goes, Oh, hang on, you said you’d do this. It’s on the plan. But you haven’t done that. Why not? And then there is, I think the IT guys are going, so think that was more complicated than we thought, Oh, so that there will be I think, a need for some auditing, I think that that’s going to be part of it. So I imagine the insurance guys will go, so can you show us your last cyber security audit? What was the result of those audits? Robyn, do you see that process coming into it?

Robyn Adcock 

Definitely. And part of the, you know, how often do you do pen testing? So another example is phishing training, right? Because 85% of the problems across the world are because of employees and people that you know, into the problem. And so, it used to be, do you do phishing training, tick that box, but in the subset, it’s like, how often do you do it? What do you do with the reporting of it? And how is that you know, changed sort of thing. And so all of those things matter, then they might go back and say 14% of your staff actually failed? What are you doing about that?

Tom Leyden 

I was just going to say, are you seeing, in the past, the problem was the IT guys and then maybe they see this with cybersecurity people as well, that they often aren’t invited. They might be invited into the board a couple of times. But then through this lack of communication skills, they kind of get pushed aside a bit. You know, they’ll be talking with a bit of technical waffle, they baffle the people on the board, and then they walk away, and they’re not invited back. Right. So are you seeing the technical guys trying to improve their communication skills, Robyn?

Robyn Adcock 

Yeah, absolutely. And as you say, it helps to have someone like myself at a table saying, this is how this works. This collaboration needs to work like this in order to get the end result that you’re looking for. And I mean, one of you, Tom or Josh mentioned, you know, premiums come down, premiums are never coming down again, unless they stop the ransomware attacks across the world, but it’s a manageable premium as opposed to an impossible premium. And it’s manageable. It’s good coverage as opposed to exclusionary coverage. So I think the tech people definitely across the business world have more respect.

Josh Rubens 

So a question I had is around nation state attacks. I’ve noticed a lot of policies cover crime, but not war or nation state attacks. Is this correct?

Robyn Adcock 

No, they have cyber write-backs. So nation state attacks are definitely covered.

Josh Rubens 

Okay, so is that a more recent change? Or is that something that’s always been there?

Robyn Adcock 

No, no, it’s always been there. You could never offer cyber insurance without cover for state nation attacks.

Tom Leyden 

Yeah. Okay. Well, that’s good to know. Josh, you have any more questions? You’re running out of time, right?

Josh Rubens 

Yes, so my last question was, who are you seeing, as the customers that are typically taking up cyber insurance, and ones that are not, is there a particular profile that you’re seeing, and any comments you might have there?

Robyn Adcock 

I’m now seeing, if I speak to a client, if I had a 100% strike rate, you’ve got to have a conversation with someone that understands the risks, understands the concept of the technology and understands the insurance piece and the board governance and put it all together and have that conversation. And then it’s everyone’s taking up the insurance.

Tom Leyden 

Yeah, good. It’s a combination of as you said, it’s the risk people, technology people and the board coming together. I think it’s a really, really good, good point. I’ve got another question. Robyn, for the final question. You talked briefly about standards. Is it a particular standard, you’re seeing better than others? Would you recommend a particular standard if people look into the standard space?

Robyn Adcock 

Only that I mean, the government’s put a lot of focus on Essential Eight, they’ve tried to get it right. They’ve now restructured it so that they’ve got different levels of maturity, which is good. And rather than trying to bring everyone to a level three straightaway, so I guess we’re in Australia. So to that point, we should follow. I mean, I’m not a security person, but it’s up to you as to, you know, everyone knows their business and what the risks are, and what recommendations they should make to the board. But obviously, in Australia, Essential Eight is the one that the government is recommending, so…

Tom Leyden 

Do you get a level of assurance when someone says, “We’re Essential Eight, we’re fine.” Do you go, “Well, that’s going to be good.”

Robyn Adcock 

Yes, definitely. And insurers look for that, what risk management framework are you following? And, you know, that’s important now, too.

Tom Leyden 

Yeah, that’s good, too. It’s good to hear.

Josh Rubens 

Ok, my last question is, how do you determine price and cost of premiums?

Robyn Adcock 

All of those things, so those 43 subject questions, you know, there’s obviously entry level points now that are far more excessive, like more significant than what they were. The premiums have gone up, the premiums have gone up anywhere between 30% to, you know, 200%. And, and it’s obviously based on industry. And all these security controls the size of the business, the risk of the business, you know, like, if you’re a payment processor, challenging concepts, you know, those sort of things. So it’s based on industry and revenue and risk, really, that’s what it’s about.

Josh Rubens 

Okay, and finally, do you have anything you’d like to leave our listeners, with any takeaways, contacts to finish off with?

Robyn Adcock 

And yeah, that the security control is the most important conversation right now at a board table. And you know, you all need to take your place in that and that it’s, as a consumer, it’s really important to recognise the responsibility that all businesses have to protect our data, particularly when you know, there’s so many third party platforms, and our data is going everywhere, basically. So it’s a really important conversation to elevate right now.

Josh Rubens 

And how can people get in touch with you if they want to go any questions?

Robyn Adcock 

I’m on LinkedIn, you can contact me on LinkedIn, or else I have my details with Josh.

Josh Rubens 

Sorry, I wasn’t trying to put you in an awkward position!

Robyn Adcock 

No, no, do contact me. I love, love this space. I’m passionate about this space because I’ve seen the ignorance in a certain way, and then just the head in the sand, and I love lifting people’s heads up. And to me, I really want to break down the complexity of it and help the technology leaders get the money they need to spend on their security. So you know, it’s a kind of a, very much a collaborative situation.

Tom Leyden 

Yeah, that’s why it’s appreciated, too. There’s finally another voice who’s talking about cybersecurity besides IT. So I think it’s really good, Robyn.

Josh Rubens 

Thanks so much, Robyn for joining the podcast. We really appreciate your time.

And thank you Tom, as always. I think it was a very good discussion.

Tom Leyden 

Yes, it was very topical. Well, for me personally. Cyber Security reviews are always a fun time of year. So it’s good to know that there is a 43 question questionnaire coming my way.

I think we’re alright, I just need to check a few things, pretty much right after this podcast.

Robyn Adcock 

Thank you for the opportunity, it’s been really great.

Josh Rubens

Our pleasure

And thank you all for listening. This show is sponsored by Cloud Solutions Group. The podcast episodes are available on our website https://www.cloudsolutionsgroup.com.au. And as we mentioned, if you want to have a chat with Robyn, you can find her on LinkedIn, or you can contact me at jrubens@cloudsolutionsgroup.com.au. And a quick reminder to our listeners out there. If you’ve enjoyed the show, please subscribe. It’s available on all the major platforms. And please leave a review so we can reach new listeners out there and grow the show. And this will in turn help us produce more compelling episodes and content for you. And due to popular demand, we’ll now be making this show available by transcripts on our website, so stay tuned for that.

Once again, we appreciate your time. And look forward to seeing you again.

Tom Leyden 

Thanks Josh. Good on you.