Paul Lucas 00:00:15
Hello everyone and welcome to Insurance Business TV for a Cyber special brought to you in association with Tokio Marine HCC Cyber and Professional Lines Group. And if you’re thinking when it comes to cyber, I know it all well think again, because today we’re not zooming in on the commercial space. Instead, we’re going to focus on personal cyber coverage. To some of you that may be a completely foreign concept for others, you may already know about the difficulties in convincing your insurance that they do indeed need the coverage. Even though the statistics are compelling. Nearly half around 47% of American adults have had the personal information exposed by cyber criminals, while one in three homes with computers are infected with malicious software. That’s according to the cybersecurity and infrastructure security agency. The growing cyber threat is making personal coverage a must have but what can you as a broker do to get clients the coverage they need? And what scams and risk mitigation techniques do you need to be aware of? To help us answer those questions and more, I’m delighted to welcome an expert panel. We have Kareen Boyadjian, VP, underwriting healthcare cyber, personal cyber and regulatory billing at Tokio Marine HCC Cyber and Professional Lines Group. Kristy Mouser, sales executive for employee and member protection solutions at IDX, ZeroFox. And James Saunders, personal risk Practice Leader at USI. So welcome, everybody. And to get us started. I mentioned some stats at the top there. But why does somebody need personal cyber coverage? James, let’s start with you.
James Saunders 00:01:56
Well, first of all, thanks. Thanks for having me, Paul, and enjoy being on this panel. So, you know, I think the thing to think about is with with cyber risk for the individual is it’s it’s grown, right, and it’s grown in the personal space, because there the technology and I guess, barrier for for the criminals themselves has become so much lower. So attacking individuals has become much more easy. But more importantly, the individuals just don’t have the safeguards in place. For the most part, most businesses and organizations have built up at least some level of infrastructure, larger corporations are out hiring people like a CISO to be in charge and protect the organization. But certainly they’ll go through internal education, on protocols about identifying bad emails, all those sorts of things that many of us even wear at work once a year with a educational session that we’re forced to go through, right, none of that exists in the individual space. So you have a low barrier of entry to commit the crime, a vast marketplace that you can go after, that really has very little protection in place. So it’s kind of created this this mass scale of attack where the individuals become a target. And many of the clients we work with, have, at times have more liquid assets than many businesses do. So it makes them a prime target for sure.
Paul Lucas 00:03:19
So individuals really are a target Kareen, but I guess that is still a common misconception that commercial is the only problem.
Kareen Boyadjin 00:03:29
The huge misconception. In fact, when most people think cyber, they think it’s a commercial problem or a business problem, it’s not a personal problem that they actually need to sort of, you know, look into a little bit further. And the truth of the matter is, I mean, for anyone who really read anything in the media pertaining to the ransomware surge, in 2020, hundreds of 1000s of businesses already fell victim to various ransomware attacks, which led to extortion demands, and all sorts of various exposures and problems that really fell on the shoulders of the people, because the people, it was information to the people that was being used as leverage throughout this 24 month period where everybody was just getting hit on a daily basis. So we were talking earlier, about 47% of people have already had their information compromised, that’s one out of two, it’s already a problem. It’s not something we’re preparing for, it’s already here. So it’s something that we all need to really start thinking about protecting ourselves for, because it’s not a matter of if it’s going to happen as a matter of when it’s going to happen.
Paul Lucas 00:04:33
And those are some stock words there, and Kristy, I mean, I guess the the idea here is that individuals are actually so easy to target.
Kristy Mouser 00:04:42
Yes, absolutely all. And I would say that actually individuals are the low hanging fruit. You have these large criminal rings, and they can buy information that as Kareen just mentioned, that’s already been exposed. And most of its six post on the dark web, they can buy huge amounts of information and just target large numbers of people and see what they get. And a lot of times they get a lot of hits and can, in one fell swoop make millions and millions of dollars or steal millions of dollars from from folks.
Paul Lucas 00:05:22
Thank you. It seems like having personal slides cyber product would would make a lot of sense. But Kareen, how does it compare to say Experian, for example?
Kareen Boyadjin 00:05:34
That’s a great question, Paul. And I think identity theft is certainly on the forefront of everybody’s mind when they start thinking about personal cyber because of various advertising campaigns, marketing assist, normally what we start thinking about, and the truth of the matter is, is those are not the primary exposures that we’re seeing today. The most common cyber personalized exposure that we see is cybercrime, and financial fraud. So experienced a number of other identity theft groups. I mean, they really focus on the ID theft part. They’re not reimbursing you for any sort of financial fraud, or cybercrime matter that could come through that it also includes cyber extortion, and cyber bullying. It’s not just about identity theft anymore. And to really expand your offering to include financial fraud, cybercrime, especially those that extend to AI, which I’m sure we’ll talk about a little bit later. But that’s the most crucial part that people really need to start focusing on and thinking twice about before, before proceeding with whatever they need to buy or protect themselves.
Paul Lucas 00:06:38
So it’s a Kristy, just to bring you back in as well is, is it fair to say that identity theft is a portion of cyber coverage?
Kristy Mouser 00:06:45
Yes, absolutely. It’s, it’s a very important component of cyber coverage. And however, as Kareen mentioned, it’s it’s not all inclusive, and as extensive as if you were to have a personal cyber policy. So it is an important piece. And our organization actually chose to partner to expand that coverage for individuals. And to do the part we do identity theft. And one of the things that makes us unique is that we have a big focus on privacy. And so we have a lot of privacy features, and things that help remove information, off the internet, some proactive features and those types of things. And we felt that it was important to partner with a a, a true cybersecurity insurer to create the whole package for consumers.
Paul Lucas 00:07:44
And us maybe the key point, James, would you agree this is the idea of presenting consumers with the total package?
James Saunders 00:07:51
I absolutely agree. So the ID theft is just a small portion of any event at this point, right. So I think almost every event incorporate some piece of it as ID theft. But what happens is well beyond the confines by the theft, which is really just a reimbursement of the soft costs and individual experiences, because an event has occurred. But it doesn’t, as Kareen mentioned, take that take into account any of the art costs of money stolen, or lost, or other expenses, like in a cyber bullying event. And in fact, I would even expand it to say that, you know, as this is this exposure grows, and the industry looks to address it. There’s a lot of things out there that even call themselves cyber, that are not fully capable of addressing the breadth of the issue, where some of the most common causes of loss such as phishing attack, and that sort of stuff may not be included. So if someone’s really looking to get up to speed on this, it’s really important to do your research. You know, in the personal line space, in particular, we’re used to seeing kind of standardized forms. And if you’ve seen one, you’ve seen them all, you kind of know what’s in there. And that’s just not the case when it comes to this particular exposure. And it’s important to have something really kind of encompassing and comprehensive and such as what Tokio Marine has put together.
Paul Lucas 00:09:04
And I mentioned that when we’re talking about sort of the deceptions that are out there, one of the the ideas that sort of looms large over the sector is that you know, the brokers might see it as well. My clients aren’t celebrities, they’re not professional athletes, so they don’t really carry a serious cyber exposure. Is that true? or what have you seen Kristy, I’ll start with you.
Kristy Mouser 00:09:28
Well, that’s actually not true. And in the same vein, as most of us lock our doors for our house. Know thieves are not just looking to break into houses that are multimillion dollar mansions, they break into all sorts of houses. And the same thing happens in cybercrime. They’re not just looking to target celebrities or multi millionaires or billionaires. They’re targeting all people and As we mentioned before, it’s really a numbers game they can gather information about the ordinary person and target them target mass numbers at one time. So it is absolutely not not just an issue for folks who are celebrities or high net worth individuals.
Paul Lucas 00:10:25
Yeah, so keep your houses locked and keep your cyber locked out as your your computer use locked down as well. James, let’s bring you back into your so agree that that’s a very much a misperception.
James Saunders 00:10:37
It’s a mixed conception for sure. Looking at and we’ve talked about all of us brought up the idea that this is really this this particular spaces industrialized. It’s about getting to the most people possible. So just a couple of things I’ll throw at you. In 2022. The report FBI reported over 800,000 complaints around cybercrime. So I last checked, I don’t think there was 800,000 celebrities, I’m sure there’s plenty of people on social media, I think they are but there aren’t actually right. So it is a volume game, right. And the second thing I throw out there is there was a billion dollars of losses related specifically to tech support crime that was targeting older, older individuals over 60. And again, it’s not celebrity based, it’s about easy attack, easy targets, small sum of money, move on, and do it in volume. So it’s really not true that this is the purview of the rich and famous, in fact, there is this this is so industrialized that this is really about attacking the masses, and small small transactions essentially accumulating too large sums, as opposed to going too hard, but high value targets for that one hit.
Paul Lucas 00:11:49
Yeah, what’s to say 100,000 Celebrities out there that I think we definitely qualify, Kareen, just to bring you back in as well. I mean, this is really something that Brooke is going to struggle to break down with the clients that sort of what happened to me concept, right? Exactly.
Kareen Boyadjin 00:12:03
It’s a little old me concept, like no one is ever going to spend actual time trying to hack, you know, my personal information, because who am I at the end of the day. And that’s precisely what the hackers want you to think it because it’s, if you don’t think that you’re worthy of hacking, or if you don’t think that your information is going to be valuable on the dark web, then you’re going to be a little bit more lax about guarding it, and exercising, you know, standard personal cyber hygiene to make sure that you’re protected. So, and for that reason, exactly. There is a much more successful hit rate on hacking or fishing, your standard high net worth individual or even mid mid net worth individual over a celebrity professional athlete or politician, they’re supposed to have their guard up as part of their job. Whereas, you know, the layman, let’s say is good and potentially think twice or three times about it because it involves effort. And it’s easier to think that it’s not going to happen to you. Which again, it’s already happened to one out of two people, at least on this call, let alone the entire country. So matter of time.
Paul Lucas 00:13:08
Yeah, well, let’s talk about another reason why people might think that cyber insurance isn’t necessarily for me, because they might think, well, there’s that big scary word called artificial intelligence looming over everything right now. Is it even possible for personal cyber to respond to those scams that are conducted by AI? James, what do you think?
James Saunders 00:13:32
So yeah, I think well, there’s a couple of things I’m gonna I’m gonna let Kareen get onto the the technical piece of it, because you know that that’s her specialty. But what I would point to is one to think about with the AI is actually makes it more important, because it is only going to allow the nefarious actors of criminal organizations to scale up further. Ai doesn’t need to break for lunch, it doesn’t need to go take a nap, it doesn’t need to go to the bathroom, right? So once they queue up the data at a breathtaking speed, the AI will be able to go through it, pull out the points they need to eat, get the email and push that out at a scale that will be hitting everybody, right? So even more. So I would say with the AI that’s going to drive the exposure larger, not make it smaller so that people don’t have to worry about
Paul Lucas 00:14:21
saying, well, Kareen, James has sort of beat you up that you are the expert on AI is that fair to say?
Kareen Boyadjin 00:14:28
Oh god I’m so far from but it definitely is something that we’ve researched a lot more in depth in the last few months, especially with how quickly it’s developing. But I do want to say that the key word or key phrase pertaining to AI in the insurance world is telephonic instruction. And that is what we’re starting to see most frequently being AI being useful, or at least in the personal cyberspace. So to expand on that, when you’re talking about financial fraud or phishing scams, it’s typically going to be limited to an email or something along those lines where not hearing a lot of telephonic yet or at least none. That’s convincing. Whereas AI can take my voice or Paul, your voice James, Kristy anyone’s voice on this call, or anyone who’s done a presentation, who’s whose voice is out there in the public, and can manipulate it to say whatever they want. So if they can make my voice, say whatever they want, and then they call my bank or another financial institution, my credit card company, what have you, and say, Wells Fargo, Please wire but $50,000 to an overseas account, or 100, grand to this account, etc, etc. Well, my bank tellers know my voice. And I’m not even considered a high net worth affluent person, let alone a celebrity or a politician or somebody who has, whose voice is a little bit more public a little bit more recognizable. If you’re taking that voice and you’re making it say whatever it wants, and that bank doesn’t want to give you a hard time because of your status or your financial position, etc. They’ll do it. And they’ll ask questions later, because they don’t want to add friction to that relationship. And at that point, once the money’s gone, it’s gone. I mean, whatever the FBI can do is a little bit minimal in that space, have the bank can bring it back. And it’s going to be challenging to do that. So you’re really going to be relying on reimbursement, and having a policy that’s going to respond to that type of circumstance and incident. Voluntary wiring is also another big one where a number of competitors won’t, won’t reimburse in the event that it was a voluntary act. So if you say, Yeah, it sounds, you know, this scam sounds convincing enough, I’ll pay the money. Will you agree to it? Therefore, we’re, we’re hold harmless, and that’s the majority of scamming. It’s the whole point of convincing you that it’s a real thing. So we’re going to be learning a lot of new things with artificial intelligence, especially as it develops its speed that it’s starting to. And having a policy that can adapt to the exposures of today, not just the exposure as a five, six years ago, is absolutely crucial.
Paul Lucas 00:17:01
And very, very scary concept. But I’ve been planning ahead for a while by having no money in my bank account. Kristy, I’ll bring you in as well, I guess it’s just really important to monitor what’s out there.
Kristy Mouser 00:17:14
Yes, absolutely. And I would say that is one of the keys to this is to monitor what’s out there and to make sure that you get as much information taken down as possible, and particularly taken down off the internet, which makes it easily accessible worldwide.
Paul Lucas 00:17:33
And I will let’s throw one final question at you all, if you don’t mind, I just like to get your perspective on what can be done from a prevention point of view to protect someone’s personal data, or information. I imagine this is probably Kristy’s area of expertise. But uh, Kareen, I’m just gonna throw it at you first. What do you think?
Kareen Boyadjin 00:17:53
I miss gonna echo whatever Kristy just said as far as making sure that you’re getting as much information of yours off the internet as possible. Constantly practicing proper personal cyber hygiene, adding various controls onto your bank accounts, your credit card, your credit card, accounts, everything that you can, just to make sure that there is as much as much outreach to you like MFA, and what have you, in the event that something actually does happen, because it’s just, again, it’s happening at such a fast pace that you just want to make sure you put up as many guardrails as possible.
Paul Lucas 00:18:32
Well, Kristy, let’s let’s not make anybody wait any longer for you give us some tips, please.
Kristy Mouser 00:18:37
Sure happy to do that. So a number of things that you can do, one of which is you can purchase a service that will go out and scan the Internet for data brokers who might be selling your personal information. And there are over 200 of those data brokers who sell information. And that was originally designed the data brokers originally came in business to sell your information so folks could market to you. But a lot of times that gets that information gets purchased by folks who are going to use it in nefarious ways. And so getting that information removed is very important. And having a service that will continuously monitor and make sure that it is stays removed, because a lot of times they’ll put it back up. So that’s one thing you can do. Another thing you can do is to make sure that you have a VPN, a virtual private network, app on your or software on your personal devices so that when you are in public, if you’re at a coffee shop or at the airport, using their free Wi-Fi that you are safe when you’re using that because that’s a very easy thing for hackers to do is to hack into your personal devices while you’re using public Wi-Fi. Another thing would be to me Omniture make sure that you have a service that monitors the dark web, and is looking for and your personal information and notifying you if your personal information or your login credentials to an account have been hacked, and that way you can change your password or take any other necessary steps that you might need to take. And then the last thing that I would say is, this is just a little tidbit from those of us who work in the industry that that we have learned. And that is that on the dark web, the one of the things that is very popular these days is your medical ID. So if you, your whatever your health plan, number is, if you have one of the major payers, whatnot, they will sell they they steal those numbers, and they sell those on the dark web, someone purchases those for they go for about $1,000. And they purchase those and then go get health care services. And then you that information is you’re going to get an explanation of benefits. So you need to open those, by the way when you get those in the mail. But the other thing is, is that’s a particularly heinous crime, because it that information now goes in the medical record, electronic medical record under your name, and that these information is now protected by HIPAA. So you need to have, you need to be watching for that and mindful of that, and then have a service that can help you in the event that something like that happened. And so our organization, as I mentioned, you know, partnered with Tokio Marine to provide that full coverage to have all the other things and the coverages that we talked about. And then, too, we provide that type of service that I just mentioned.
Paul Lucas 00:21:56
Yeah, it’s amazing. There are some devious people out there, James, I think Kristy has been very, very thorough, but anything that you would add to this?
James Saunders 00:22:04
Yeah, she she has in I’m gonna steal your just have your bank account, and D as a as a hot tip to give out to clients in the future. But it really is, the way I look at it is this is an exposure that can be mostly addressed with just some proactive risk management, right. And the way I think about it is in layers, there’s the behavioral layer, there’s the hardware and software layer. And then there’s the insurances, that backstop behind it, right. So that behavior layer, that’s the stuff like having good passwords, don’t use the word password as your password, right, all that, those sorts of things, right. Like, I think Kareen mentioned using multifactor authentication. So when you log into your bank, you also then have to get it code sent to you by text or email or call, so that you have to put that in before there’s just an extra step right to go in that there’s no cost, it’s easy to do, it’s actually more of a hassle for us. So that’s why people end up not doing right. And then there’s the hardware and software piece. So software, it’s this simple update your software. Many of us buy equipment and devices. And we don’t update the software or we turn off the automatic updates on our mobile devices, because we don’t like it updating when we don’t want it to. And all of a sudden, we’ve opened ourselves to the latest attack because this stuff is being updated. So regularly. On the hardware front, if you’re not already doing this, if you’re using a router in your house that was provided by whoever’s providing your internet, go out and get a new separate router of your own. There’s lots of good ones out there with at least a WPA two kind of security protocol in place, and utilize the guest and home network. The guest network is everything but one computer, right. So the guest network is all your mobile devices, anybody that comes to your house, anything that leaves the house and comes back. And then the home network is the one device your computer most likely that stays in the home. And that should be the only thing that does financial transactions if you can help it, because then that’s firewalled and protected in its own separate network, cut even away from your own mobile devices that have gone out and gone on WIFI’s and all these places carrying around all kinds of things. So be proactive, use good risk management, and that will address it. And then finally you can implement the you know, a backstop leg was Tokio Marine, which also includes some of those proactive tools of IDX as well, which is a great, great solution for many individuals.
Paul Lucas 00:24:30
And a lot of great tips there in a fantastic way to wrap things up. My huge thanks to all of the panel today, first of all to Kareen.
Kareen Boyadjin 00:24:39
Thanks, Paul, thank you so much for having me. James, Kristy. Thanks again for joining us today.
Paul Lucas 00:24:45
And to James.
James Saunders 00:24:46
Yeah, thank you for having me, Paul. Happy happy to do again. So thanks everybody.
Paul Lucas 00:24:51
And to Kristy.
Kristy Mouser 00:24:53
It’s my pleasure. I appreciate the opportunity.
Paul Lucas 00:24:56
And for all of you watching goes through your hopefully protected computer to screen and if you’re not protected yet, well you know who to call that would be Tokio Marine HCC Cyber and Professional Lines Group. And if it’s more information you want then check out the cyber channel or the Insurance Business America website. And we will see you all next time right here on Insurance Business TV.