Cybersecurity Insurance with Ben Y.

This is an interview with Ben Yingling of Crawford Yingling Insurance, about the topics of cybersecurity insurance and insurance policies that cybersecurity business owners should consider. ***PLEASE NOTE: Insurance policies can contain many complex variables. Every insurance product and every person’s needs are unique. The information in this video and article is intended for educational purposes only and should not be understood to constitute any type of professional, business, or insurance advice.

Matt from StartaCyberCareer.com:

Hi, this is Matt from StartaCyberCareer.com.  I’m in the offices of Crawford Yingling Insurance with the owner of Crawford Yingling, Ben Yingling.  We’re going to talk about cybersecurity insurance today, and insurance that you need to look into if you’re thinking about going into cybersecurity, and especially if you’re starting your own business.  Ben, thanks for letting us come into your office and talk with you about insurance.

 Ben Yingling:

Thank you, Matt.  I’m thrilled to do it for you.

Matt from StartaCyberCareer.com:

I appreciate it.  So, let’s start off with that general question, as best you can in layman’s terms, because this is very complex.   How would you describe cybersecurity insurance? What is it?

Ben Yingling:

It’s a great question.  It’s a question that we get often from a lot of people, and it’s a loaded question.  It is a complex policy. So the way that I can describe it – I think I’ll do it in two different ways.  It protects a business from the costs associated with a breach. Let’s say you get hacked and your customer data was somehow compromised.  The costs associated with that business of hiring somebody like a security analyst to come in and figure out what happened, those types of costs, which can range…I mean if you think about the Target breach…in the hundreds of millions of dollars.  So you have that part of it that pays for those costs to that business. But then you have the other part, where it pays for damages done to somebody else. So for example, if Target was sued by millions of people, a class-action suit, there are costs associated with getting sued for some sort of security breach within your system.  That is probably the easiest way I could explain it, but know that there is much, much more to it.

Matt from StartaCyberCareer.com:

So, with cybersecurity insurance, I assume that you’re seeing a lot of companies and a lot of your clients interested in writing policies on that?

Ben Yingling:

Yes.

Matt from StartaCyberCareer.com:

I know that you work with large clients, small clients, individuals, businesses.  In general, what is your recommendation for who should have this type of insurance?

Ben Yingling:

Anybody that has client data.  So, let’s take my company, for example.  Making up a number, let’s say we have a thousand records.  If we don’t secure our system and somebody gets access to that data, they can send something off of our email list, who knows what could be with that email.  The people open it. We’re responsible for securing our network. So a small business like mine, and then the biggest companies in the world, have this stuff.

Matt from StartaCyberCareer.com:

So you’re saying that this in general, cybersecurity insurance would cover that type of situation to reimburse you for costs to correct it, but also any kind of litigation that might be against you for what has happened? 

Ben Yingling:

Usually, in layman’s terms, that’s how it works.  But checking individual policies (is important.) That’s why it’s so important to talk to an independent agent about it because the policies are all different.  As you know, Matt, and as probably a lot of the viewers know, cybersecurity is a moving target. Every single day. So with crafting policies, they’re all very different.

Matt from StartaCyberCareer.com:

And that’s a good point to throw out here, because Ben is doing his best to explain this in general terms, but every single client that you work with has different needs.

Ben Yingling:

Absolutely.

Matt from StartaCyberCareer.com:

And anybody watching, you would have different needs.  Ben can’t speak specifically to your situation. You should talk to an agent if this is something you’re interested in, to give them your details of what you need, and the agent can help you find the specific solution for your situation.

Ben Yingling:

Absolutely.

Matt from StartaCyberCareer.com:

One question I had about this, and I don’t know if anyone’s ever asked you this before.  With most issues in insurance, the incident and when you find out about the incident, are at the exact same time.  You’re in a car accident and you know about it immediately. Your house burns down and you know about it very quickly.  Cybersecurity is not that way. So if someone had a cybersecurity insurance policy here in 2019 and we find out about a breach today, but the breach actually occurred in 2015, how would the insurance companies seem to to handle that?

Ben Yingling:

That’s a great question as well, and I don’t want to get into the technical details, but what it has to do with is the type of policy that you have.  And again, going back to your point, it’s incredibly important to seek out somebody with the expertise of the policy. There are ways that you can cover yourself retroactively.  Why would you get the coverage if you couldn’t do that? But without diving deep into policy language, I’d have to do that (look at the policy language) in order to explain that.  You can get coverage for retroactive events, it’s just a matter of how you structure the policy.

Matt from StartaCyberCareer.com:

So, if you’ve been in cybersecurity since 2016, but you don’t decide to get cybersecurity insurance until now, there are options to potentially get that?

Ben Yingling:

Maybe.  That gets very complex.

Matt from StartaCyberCareer.com:

Your agency is an independent agency, is that correct?  Can you explain to everybody the difference between an independent agency like yours and then the non-independent agency?  

Ben Yingling:

Sure.  We represent multiple different carriers.  We have here ten different carriers, where some of the mass-marketed insurance carriers you see on the television, they only represent themselves, and just one line of business.  So, we give our clients ideas and choice . We’ve been guiding and protecting generations. That’s what we do.

Matt from StartaCyberCareer.com:

So of those ten or so insurance companies that you work with, how many of them offer some type of cybersecurity insurance?

Ben Yingling:

That’s a great question.  Our two main ones, which are the leaders in the industry, are Travelers and Hartford.  Those are those are the big two. They ensure some of the biggest companies in the world.

Matt from StartaCyberCareer.com:

When did you see cybersecurity insurance really start to take off?  Because you’ve been in this business for a while.

Ben Yingling:

Yeah, about ten years.

Matt from StartaCyberCareer.com:

I imagine ten years ago, it wasn’t something they heard about much? 

Ben Yingling:

I went to a professional organization class in Chicago four or five years ago and really learned a lot about it.  And let me say this also. It’s good to know that the actual insurance part is only a stopgap. Cybersecurity is an enterprise risk management function.  So having the insurance is important, but also it’s just as important as teaching your employees not to open emails from people they don’t recognize, or don’t ever transfer money without verifying it far and between, and that’s why you should invest, and we do as a company, in that kind of enterprise function .  Whether you’re the biggest company in the world, or whether you’re a one-man shop.

Matt from StartaCyberCareer.com:

So let’s shift gears a little bit into not just cybersecurity insurance, but insurance in general, that someone would need if they want to go into cybersecurity and be their own boss, maybe have their own company, or be a subcontractor.  They’re their own employer. If someone came to you. And again, Ben is not providing direct advice to anyone. This is very general. What would you suggest if someone came to you and said “I’m thinking of starting my own cybersecurity or IT company.”  What do they need to look into when they start talking to an agent?

Ben Yingling:

That’s a great question, because I get that a lot.  They’re coming to me and usually they’re saying. “Look, the government wants me to do this or XYZ company wants me to do that,”  The first thing I’d say is, what are your contractual requirements?  

So let’s say you’re going to work for IBM and you’re doing some sort of IT security as a subcontractor.  You want to make sure you have a good understanding of what they’re requiring from an insurance standpoint.  So what we ask our clients is make sure you give us your subcontractor agreement that’s saying you’re required to have XY and Z.  And then we review that. And frankly, especially if it’s a newer startup, we review the costs with them and say “look, you’re going to be investing ten thousand dollars a year, so if you’re contract’s worth fifteen thousand, maybe you don’t take that contract?” 

Matt from StartaCyberCareer.com:

Okay.  But obviously anybody who’s trying to start their own company, they’d be foolish to not look into insurance?

Ben Yingling:

It’s certainly a risk tolerance.  Sometimes you’re required to have it, but people have different risk tolerances.  Our mission statement is “guiding and protecting all generations,” so what does that guiding mean?  It means to me, I’m giving you the full spectrum of your exposure. It’s your choice, unless you’re contractually required, where it’s not your choice, to say I’m comfortable assuming this risk or I want to transfer this risk in the form of insurance.

Matt from StartaCyberCareer.com:

Is that a general business insurance policy, and then the cybersecurity insurance is an add-on?   

Ben Yingling:

You want to keep general business insurance, liability and cyber usually separate.  Although newer policies, especially for small businesses, have pretty good add-ons to those small business policies, but if you’re starting an IT consulting firm or you already have an IT consulting firm, you’re going to want to get a standalone policy that’s tailored specifically to what it is you’re doing.

Matt from StartaCyberCareer.com:

A lot of people shop online and I imagine people obviously shop online for insurance as well.  With what we’re talking about today, is it feasible for someone to shop for their business or cybersecurity insurance online, or do they really need to come in and talk to an agent to get the expertise to find that fit?

Ben Yingling:

Well I can only speak for myself, and my view is you’re buying a contract.  And for me, I don’t tend to shop for contracts online. However it’s growing, and it’s been very commoditized.  Whether you’re talking about your auto insurance, or home (insurance.) That’s really up to the consumer, what they feel they can do.  What I found a lot specifically with businesses that are scaling up is, they originally did shop online, and then they get into some more complex contractual requirements.  Higher limits or language requirements. The online shop just can’t provide that type of expertise. That’s my opinion. 

Matt from StartaCyberCareer.com:

And the risk of the person who is looking into it missing something that they’re not aware of.

Ben Yingling:

Sure.   When is the last time your website asked for the contractual requirements for your prime contractor, or reviewed the actual policy language, if it’s a defined event that triggers coverage?  I mean, that’s kind of getting into the weeds, but that’s the type of stuff that websites are incapable of doing.

Matt from StartaCyberCareer.com:

Independent agents are in every town, everywhere. So anyone watching has access to someone or probably a few near where they are.  What are some things that they should be looking for in an agent when they decide, “I need this type of insurance.”? What should they be looking for in an agent to start off with?

Ben Yingling:

I think you start with, naturally today, look at their reviews.  We have over, a little plug for us, fifty five-star Google reviews.  And that’s definitely a place that you start. If you’re in an industry, you want to ask what experience do you have in that industry.  Some people do IT. Some people do construction. You want to ask those types of questions, and interview them. What is their process? What is their mission statement?  What does that look like? Those are the things you want to be asking. Look at their carrier makeup. The insurance companies they represent. How long have you they represented them?  Those are the type of things you want to ask.

Matt from StartaCyberCareer.com:

Where do you see cybersecurity insurance going 10 years from now?

Ben Yingling:

When I was in Chicago at that professional development conference, one of the things in terms of premium dollars, they expect over 20 billion dollars to be spent on cybersecurity insurance in the next decade.  Which is a huge number. So, where do I see it going from an underwriting standpoint? It’s really the wild wild west. Because cyber risk is is changing every single day. And you as much as anybody knows that.  So that’s kind of where I see it going.

Matt from StartaCyberCareer.com:

Any last thoughts or comments that you would throw out there to anybody watching who’s interested in getting into cybersecurity, and they know at some point they have to look into insurance?

Ben Yingling:

Reach out to your independent agent.  We’re here in Westminster, serving Maryland, Pennsylvania, Virginia, and Delaware.  We have a national reach though. We have national carriers. And I’d be happy to talk to anybody about it.  But you should definitely talk about it. If you have somebody who you know, reach out to them and I’m sure they’ll do a great job for you.

Matt from StartaCyberCareer.com:

And tell about your business and how they get in contact with you.

Ben Yingling:

Great.  Crawford Yingling insurance is our business.  We are on all of the social media platforms. Our website is CrawfordYingling.com, and we’ve been in business for a hundred years.  As I said, our mission statement is “Guiding and protecting all generations.”

Matt from StartaCyberCareer.com:

Thanks a lot for your time.

Ben Yingling:

I appreciate it, Matt.

Matt Day

Matt Day

Matt Day is a cybersecurity professional with over twenty years of experience in the IT, cybersecurity and technology training fields. He holds CompTIA A+, Network+, Security+, CySA+, and Cisco CCNA certifications, and is the author of the book CCENT Troubleshooting Guide.