<p><strong>Speaker 0</strong>: <span>The US. Cyber market is definitely growing exponentially um worldwide. We're seeing that the numbers are at about a $14 billion market today and the expectation is that it's going to go up to 26 billion by 2026. And I think what's fueling it is just the necessity of the product in that. Um It's not just an insurance product that provides you with, with funds if there's any loss, but it's also a service that you're providing. And I think</span></p> <p><strong>Speaker 0</strong>: <span>the difference is if you think of yourself, um, you're the owner of a business or a large corporation and you come into work on Monday and there's a skull and crossbones on your computer and you're completely encrypted and down and they want you to pay a ransom to get back up and running. What do you do? It's a situation that companies have not faced before.</span></p> <p><strong>Speaker 0</strong>: <span>Um In the US, companies are used to property damage, companies are used to getting sued, but this is a very unique experience. And so what we provide in terms of cyber insurance is the service to get you from stock to go from my, my system is down to how we're going to get back up and running and then all the costs associated with it</span></p> <p><strong>Speaker 0</strong>: <span>and the policy covers a lot. So essentially it, it emanated out of data breach notification laws. So laws were passed. Um We don't have a US national law. Um but we do have state by state and each state has its own laws in terms of what needs to be done when you provide information to a company and that information is stolen.</span></p> <p><strong>Speaker 0</strong>: <span>And so the, the product really emanated of that out of that, what was taken and who do we need to tell about it? And then how do we fix the problem? And so what we provide essentially is, um, an attorney to, to let you know what obligations you have, whether it's with the federal government, depending on what industry you're in, um, whether it's your customers, whether it's your employees. Um, and then also fixing the problem, you know, do you have to recover the data? Who do you have to notify,</span></p> <p><strong>Speaker 0</strong>: <span>um, hiring a, a computer forensics firm to come and fix it? Um And so we at Axel, we are there for you to, to work with you. Um And our claims team is fantastic in terms of getting you there. Um And so that's essentially fueling the growth. It went from a situation back. Let's just use 2005, 2006, 2007 when it kind of started to grow and it was in its infancy and it was, do I even need this product? Is this a problem?</span></p> <p><strong>Speaker 0</strong>: <span>And then we read about all the high profile breaches, you know, in the newspaper, day after day after day and then,</span></p> <p><strong>Speaker 0</strong>: <span>you know, it started to get out there. Maybe I need this. Um, and then there was this belief. Well, it's large corporations, I'm a smaller entity. I don't necessarily need to get this, but now everybody is a victim. Um, and, and, and, and anybody can be hacked at any time. And there's an adage in cyber insurance. There's two types of companies, those who have been hacked and those who don't realize they've been hacked. Um And so it, it's an absolute necessity I think to, to have this product because of what we provide.</span></p> <p><strong>Speaker 0</strong>: <span>Obviously, we hear a lot about ransomware. But what is it, what, what are we talking about here? Why is it so expensive? Why is it such a big deal?</span></p> <p><strong>Speaker 0</strong>: <span>And we've seen really a change over the years in what ransomware has become and it's become a lot more complex. So at its core, ransomware is, um, the criminals have encrypted your system. So you would come into work, the entire system is down and there's some sort of ransom demand saying if you don't provide us with X amount of money, you will never get back on your system again.</span></p> <p><strong>Speaker 0</strong>: <span>Um Or there's the double whammy of um, not only are you down, you can't get back up, but we've also stolen all of your information and if you don't pay us money, we're going to release it to the world. And now it's gotten even more nefarious. It's an extra step and it's really more specific to health care, but they have pictures of, um,</span></p> <p><strong>Speaker 0</strong>: <span>someone in surgery or, you know, someone, um, you know, in the nude or, um, you know, being examined or um, someone has cancer and, you know, showing how awful this person is doing physically. Um And so those are all angles they use to try to extract the ransom from you. And so if you take just the garden variety ransom ware if you will the encryption.</span></p> <p><strong>Speaker 0</strong>: <span>So in that sense, it would be, your system is down, you cannot conduct business whatsoever. Now, let me just note it could be, your entire company is down, it could be one part of your company is down, it depends on the size of the company, a very large corporation. It would be every single system is down. It would, but it could be, your shipping is down, your payroll is down, hr is down something like that.</span></p> <p><strong>Speaker 0</strong>: <span>Um And then they would say, you know, to get the decryption key, uh We want you to pay this money to us. So what we're looking for is, do you have viable backups that are uncorrupted? Um And so in an ideal world you would say to the criminal. No, thanks. We're ok. We have our backups. We're gonna be back up and running hopefully pretty quickly. And that'll be that.</span></p> <p><strong>Speaker 0</strong>: <span>But then there's now the added, um, issue of, well, what have they taken and, and might they put that on the dark web for everybody to see. So it could be personally identifiable information of your customers. It could be confidential, business information, personal health information.</span></p> <p><strong>Speaker 0</strong>: <span>and the company has to decide, um, do we want to pay the ransom and trust the criminal that if we pay $10 million they will destroy this information and not put it on the dark web. Um And so it's really an economic decision and what you're also looking at is um the time it's going to take. And so, you know, essentially if I pay the ransom, I should be up and running in three days, that's three days worth of productivity.</span></p> <p><strong>Speaker 0</strong>: <span>If I don't pay the ransom, we might be down for three weeks and we can't lose the three weeks of productivity. So now we need to go ahead and pay the ransom. Um</span></p> <p><strong>Speaker 0</strong>: <span>or it's some sort of hybrid. It might be um you know, if we pay a certain portion of the ransom, we'll get this back. But we have backups for, for this and it, you there's actual ransom negotiators who do this for a living and that's one of the services that we provide. So</span></p> <p><strong>Speaker 0</strong>: <span>if a company doesn't have cyber insurance. There's no way they would know who to contact necessarily, um, to, to work with these ransomware negotiators and it is an actual negotiation. So it might be, um, we demand $10 million. Well, what do you have? And they actually show what we'll call a proof</span></p> <p><strong>Speaker 0</strong>: <span>of life. Here's an example of what we've stolen, we're going to release it. Um, and we would say, you know, we're gonna pay you 2 million and they say 5 million and it actually goes back and forth all the while behind the scenes trying to get the backups up and running and hopefully the backups would not be corrupted. So the cost in terms of insurance or without insurance is you need an attorney to figure out what your rights are. You need um,</span></p> <p><strong>Speaker 0</strong>: <span>a forensics firm to determine what information was stolen. You need the negotiator to, to do that. Um And also you need um, a company to recover the data. So it's not like if you have backups in five minutes, you turn a switch and you're up and running. You have to, it's a huge onerous process to get all of the data back from your backups up and running. So there's the data recovery expense and then there's the</span></p> <p><strong>Speaker 0</strong>: <span>business interruption expense. So if you're down for three weeks, how much profit are you losing in those three weeks. So we would cover that, we would cover the attorney we would cover the forensics, um, the negotiation, et cetera. And then after that, after you've notified folks and said</span></p> <p><strong>Speaker 0</strong>: <span>you're our customer, we've had an issue, your information has been stolen. There might be a lawsuit emanating out of that. And so then there's the third party lawsuit, class action lawsuit and we would cover, um, the cost of defending the lawsuit. We provide you with one of the top attorneys in the industry at a highly favorable rate and then work on settling that lawsuit. And then the final part is the regulatory aspect. So the government is involved as well</span></p> <p><strong>Speaker 0</strong>: <span>and what they're essentially doing is making sure that you're doing everything right and they can uh levy fines and penalties against the company and we would cover that as well. So when you think about ransomware, um I think people tend to just think about the, the number of the, the</span></p> <p><strong>Speaker 0</strong>: <span>dollar value of the ransom. So $5 million ransom demand, it's a $5 million claim. No, it's a lot more than that. So you might pay the $5 million ransom, still be down a week, have a week of business interruption and then all the ancillary costs that I discussed before.</span></p> <p><strong>Speaker 0</strong>: <span>So in terms of the underwriting process, um as the technology, in terms of what the hackers are using and just the technology in general has gone from more rudimentary to more complex. The underwriting process has become much more in depth um</span></p> <p><strong>Speaker 0</strong>: <span>in terms of the amount of questions asked. So II I joke and say, you know, when the first policy was sold, the question was, do you have a computer? Yes, here's a policy. And now we're looking into a lot, a lot more. So, um we have our base application where we ask certain questions and then we have a um a ransomware, a specific application and you would need to fill in both. Um</span></p> <p><strong>Speaker 0</strong>: <span>and really what we're doing is trying to just have an understanding of what is your security posture as a company. And there's certain things companies would need to have in order to get a policy. And also just how is the company viewing it in general just to get into the technology, for example,</span></p> <p><strong>Speaker 0</strong>: <span>every company that we would insure would need to have multi factor authentication for remote access. Um Also they would need viable backups. So in a situation where um there's a ransomware attack and the system is literally encrypted and there's nothing you can do. Um You need to, we need to make sure that that company has backups that are not attached to the network that ideally they could say to the criminals, we don't have to pay the ransom because we have backups and we can be up and running fairly quickly.</span></p> <p><strong>Speaker 0</strong>: <span>Um And then also patching, you know, anyone knows there's constant, you know, patches that you have to, you have to take care of and so are you, are you doing that? So those are</span></p> <p><strong>Speaker 0</strong>: <span>definite must haves, but then overall, we're looking at the company holistically um is, is the company um you know, invested in, in terms of cyber security and you know, not we have an it person and that person takes care of it. The CEO needs to be involved, the CFO needs to be involved, the risk manager needs to be involved. Um The Chief information Security Officer needs to be involved.</span></p> <p><strong>Speaker 0</strong>: <span>Even the marketing folks need to be involved because the marketing folks might say, hey, if we put cookies on our website that'll drive revenue or if we put pixels on our website to, to view what, what folks are doing that'll drive revenue, but maybe you're not allowed to do that. And so you need the legal team to make a determination. So we want to make sure that the company is taking it very seriously. Are they monitoring their systems 24 7? Um</span></p> <p><strong>Speaker 0</strong>: <span>You know, are they doing penetration testing? Are they looking at the dark web to look at, you know, traffic? Um Do you have endpoint detection and response in place? Um Do you have email filtering? There's a lot of things that you need to look at to make sure they have that. And then in terms of the ransomware, um as I had mentioned earlier, the backups, if, if you had a situation where um your system was encrypted and you, your, your, you know, your whole business is down, could you get back up and running fairly quickly?</span></p> <p><strong>Speaker 0</strong>: <span>So it went from years ago, it was really more of an it issue and you know, let, let that person worry about it to now the entire company needs to be involved. So what we're looking at, do you have these certain um security tools? Um Are you doing training? But also is it something that we feel the company is investing in and taking very seriously?</span></p> <p><strong>Speaker 0</strong>: <span>We work very closely uh with our broker partners. And so, um our, all of the business that we get is fed through us from a broker and the brokers are also um highly sophisticated in terms of their know-how. And we have incredible relationships with the top brokers and we work with them to determine what questions um you know, should we be asking um what do their clients need to have in order to get a policy?</span></p> <p><strong>Speaker 0</strong>: <span>Um should there, you know, should there be a claim we work very closely with them? And it's really a symbiotic relationship. It's not a case of, you know, they provide us with some business and then they're off to the side, they're with us the entire time and most of our clients, um we've worked with them for years and years and years through a broker. The last thing the broker wants to do is have to year after year, switch insurance. Companies, they want to, they want to have a long term relationship.</span></p> <p><strong>Speaker 0</strong>: <span>And at A XL, it's very important to have that long term relationship that we have a trust in them. That their cybersecurity posture is very strong and that they have, you know, top folks working on that from their end and they want to know that we're asking the right questions that we're providing the right service</span></p> <p><strong>Speaker 0</strong>: <span>is pre breach, post breach. And in the event of a claim, we are going to be there for you side by side, whether it's paying the loss or whether it's working with you to, to get through it and, and give and providing you with the top vendors. So, um it's a wonderful relationship we have with our brokers and we're very thankful for them. And</span></p> <p><strong>Speaker 0</strong>: <span>um I think that's what makes us one of the top markets because the brokers love working with us. Um I would note that because of the growth, there's been a huge influx of new insurance companies coming into the mix, whether it's literally a new insurance company or insurance companies that hadn't written Cyber before.</span></p> <p><strong>Speaker 0</strong>: <span>Um And that's where we really have an advantage in that we have over a 10 year track record of having, you know, the top folks on both the underwriting and claim side to work with them. And so there's really this trust factor that we have with our brokers.</span></p> <p><strong>Speaker 0</strong>: <span>So at XXL, we have a 24 7 incident response team. Um and that is part of the claims team. And it's one of the things that we're most proud of and we think it's extremely important for our clients, obviously hackers or data breaches or ransomware attacks do not occur necessarily between the hours of nine and five. So what would happen if there was a situation on a Friday evening? Obviously, you can't wait till Monday morning at 9 a.m.</span></p> <p><strong>Speaker 0</strong>: <span>So we have a 24 7 hotline which is um handled by members of the claims team.</span></p> <p><strong>Speaker 0</strong>: <span>Everyone on the team is an attorney with years and years of experience. They're working around the clock to make sure that they're on the phone for you. Should you be in your time of need? And so what differentiates us, I think from some of our competitors is that our claims team handles the issue themselves. Whereas some of our competitors would say just call this law firm, just call this um third party administrator and</span></p> <p><strong>Speaker 0</strong>: <span>they don't necessarily view or have the best interest in the customer. So for us, when we're handling it, our customer, our client, we are there for you. If you hire a law firm or you hire um a third party administrator, their customer is the insurance company, not the person. And so it gives our customers um a really nice sense of comfort knowing</span></p> <p><strong>Speaker 0</strong>: <span>this is the person who I'm gonna be speaking with, um who works for the company who understands the coverage. So there's two things that essentially you want your 24 7 team to do to go through the coverage. This is what we cover, provide to them. The understanding that I've handled hundreds or thousands of these situations and there's no problem. And where their value really comes in is in terms of what vendors do you need to hire. So for example, the system is down,</span></p> <p><strong>Speaker 0</strong>: <span>there's nothing a company can do. We would say, ok, for this type of situation, we're gonna, we, we want to hire this particular forensics firm. They have worked with this ransomware gang for years and years. They know exactly how to handle that or, you know, might be industry dependent. The these guys are great with manufacturers or municipalities. It depends. Um So we know what forensics firms to hire.</span></p> <p><strong>Speaker 0</strong>: <span>Uh we know what notification firms to hire. If we have to notify customers or employees, we know what attorneys to hire. And then also where the rubber really hits the road if you have a ransomware situation and there's a demand for, let's just say $20 million clearly, a company would not know how to handle that. And so we work specifically with companies who do the negotiations and would actually facilitate the payments. Um And so,</span></p> <p><strong>Speaker 0</strong>: <span>you know, should there ever be an incident with one of our insureds? You don't have to worry immediately. You're going to be on the phone with someone from our team who handles hundreds, hundreds of these, who are going to say, don't worry about it. You're going to be absolutely fine. We have the best in class vendors that we work with at the best price. That's another thing that I think is important</span></p> <p><strong>Speaker 0</strong>: <span>because of our market position in cyber. We're able to, um, work with the, the best at highly discounted rates. So if you don't have Cyber insurance and you want to hire a company, a or law firm, a, I'm going to make up the number, maybe they're charging $1000 an hour, we have them for $500 an hour.</span></p> <p><strong>Speaker 0</strong>: <span>Um And so it's a huge differentiating factor and it provides a lot of comfort. Additionally, in terms of that, if, if a company is hiring a law firm, the law firm then has to check back with the insurance company, it's an extra step. We don't have that. You're working straight with us. So if you have something on Christmas Eve, New Year's Eve, and believe me, we've actually had those plenty of times. You wouldn't believe it. But that is a good time for hackers to, to strike New Year's Eve or Christmas Eve thinking that they'll be closed. We're available to go. Um</span></p> <p><strong>Speaker 0</strong>: <span>And um, you know, it's a system that we've had in place for years. It works great. And I think it's something that really differentiates us additionally. Um We provide pre breach services before anything happens. So we again have best in class um experts who can work with you to make it to decide what do you need to fix. So there won't be a problem. So this would be a situation where um we felt that your security posture was good enough to issue you a policy.</span></p> <p><strong>Speaker 0</strong>: <span>But throughout the year, you're working with one of our recommended vendors again at a highly discounted rate to make sure that everything you're doing is proper. Um One of the things we provide is something called a tabletop exercise, which is a term of art for the industry. Essentially, it's just a dry run of what's going to happen.</span></p> <p><strong>Speaker 0</strong>: <span>So you don't ever want to have a situation where you haven't thought about what you would do beforehand. So if it's, you know, two o'clock on a Tuesday and there's a ransomware attack, you don't want everyone at the company running around all nervous, what do we do? What do we do?</span></p> <p><strong>Speaker 0</strong>: <span>So, a tabletop exercise is something that is very beneficial for our insurers to do. So, they've done it already in case there is a situation. So we would set our insured up with, um, a, you know, a best in class attorney, forensics firm and we would do kind of a dry run. Um, and that would be at a discounted rate.</span></p> <p><strong>Speaker 0</strong>: <span>So a lot of talk about ransomware. Um, if you were to just Google Cyber, it's always gonna be ransomware that gets all the attention. Um But there's a lot more, um, and a lot more that we cover and it's, it's the new weave that we really see is what I would call um, unlawful collection or wrongful collection privacy type claims. So every time you go on a website,</span></p> <p><strong>Speaker 0</strong>: <span>they're tracking what you're doing. And the question then becomes is, did they tell you, are you aware of it? Um And in many instances, the customer or the employee is not aware of it. And so we're seeing a lot of these class action lawsuits come out. Um And it's a real money maker for the plaintiff's attorneys and it's, it's something that, um you know, that, that companies really need to think about. So just some, some examples, um</span></p> <p><strong>Speaker 0</strong>: <span>one is um biometrics and so many employees when they come into work, it might be a retinal scan. Um And so does the employee know that, um you know what in terms, what is happening in terms of that information? Um You know, that's a lot more in depth information information you might not want to provide versus credit card information.</span></p> <p><strong>Speaker 0</strong>: <span>Um And so there's statutory damages associated with a violation of, in this case, it's called the Biometric Information Privacy Act. There's penalties of, it could be $500 per person, $1000 per person, $1500 per person, depending on how egregious it is and specific to this law. It's called a, uh it's every time. So if you have an employee who came to work for a year and they took a retinal scan</span></p> <p><strong>Speaker 0</strong>: <span>and either you weren't aware of it or you were aware of it, but they weren't securing it properly. Um You know, you didn't consent to it. Um, the damages could be astronomical. And so there's, there's biometrics, there's also um, the video Privacy Protection Act, which is essentially you're on a website and you're viewing a video and the company knows you're viewing that video and is that um a violation of the video Privacy Protection Act? Um</span></p> <p><strong>Speaker 0</strong>: <span>Additionally, we have what's called session, replay claims, which is what it sounds like. It's um the company has a replay of your session on the website. So you pick company A and you clicked ABC and D, they know that you clicked ABC and D and is that a violation of the law? Um</span></p> <p><strong>Speaker 0</strong>: <span>And, you know, it's not necessarily nefarious. Um It, it really is because they want to drive their marketing. So they want to know if you go on a website, what are you looking for? So, you know, if, if you're looking for shoes or, you know, um sporting equipment or, or this or that, um now they can target ads for you and that's really what it, what it comes down to. But the main thing we're seeing now is what we would call meta pixels. And so that is where essentially</span></p> <p><strong>Speaker 0</strong>: <span>the third party website is hooked up with Facebook or which is owned by meta. And so you're on a third party website and you're looking at ABC D and E that gets filtered to Facebook. And then when you're on Facebook, Facebook is now targeting ads to you because they know you looked at that. So it all comes down to, did they tell you they were going to do this? How long do they keep this information? And is it a violation of the law?</span></p> <p><strong>Speaker 0</strong>: <span>So that's something we really have to look at and ask questions about. So it's not just, um, are you going to get hacked? This has nothing to do with hackers, but this is, you know, are you aware of that? This is even an issue that's going on?</span></p> <p><strong>Speaker 0</strong>: <span>And plaintiff class action attorneys are chomping at the bit to bring lawsuits nationwide regarding these issues. So if you take large corporation X and they, they are actually taking your information and filtering it to Facebook or just using it for their own purposes and you're not aware of what they're doing or they're not safeguarding it properly. Um You know, that that's something that there could be lawsuits for</span></p> <p><strong>Speaker 0</strong>: <span>in terms of what's ahead for the cyber insurance market. What makes cyber a blessing and a curse if you will is it's always changing. So, if you think about other lines of insurance, whether it be directors and officers or property, um, or casualty, there aren't gonna be that many changes year over year. It'd be, you know, fairly, fairly static auto.</span></p> <p><strong>Speaker 0</strong>: <span>Um, but with cyber, it's completely different what we were thinking about in 2006 versus 2012 versus 2018, completely different. So, if you think of even just ransomware, um, you know, in 2016, no one ever heard of ransomware. And then in 2018, 1920 it's burgeoning and the original ransoms were $300 500 dollars. And now ransoms could be anywhere from, you know, 1 million to 5 million to 10 million. So it's always changing.</span></p> <p><strong>Speaker 0</strong>: <span>And then also the threat vector, how are they getting into the system is always changing? So we might say, you know, multi factor authentication for remote access is the most important thing. That's what you need. And then two years later,</span></p> <p><strong>Speaker 0</strong>: <span>now that's, that really has nothing to do with anything. Or your passwords need to be 18 characters long. And then we find out, well, really that doesn't make a difference or there's something called um a Pam tool, privileged access management. So who at a company has privileged accounts to do certain things and who doesn't. Um So maybe that's what we're focusing on, but that may change. And so it's just the cat and mouse game and the tactics are always changing. Um</span></p> <p><strong>Speaker 0</strong>: <span>in terms of what the threat actors are gonna do and, and then, you know, it's, it's responding and trying to get ahead of it. So in terms of what's to come,</span></p> <p><strong>Speaker 0</strong>: <span>we don't know in many senses. Um however, we do know, as I mentioned before that it's growing, it's, it's a product that is an absolute necessity</span></p> <p><strong>Speaker 0</strong>: <span>and the market penetration of how many companies have. Cyber insurance is still lower than you'd think. So, most large, large corporations of course have Cyber insurance, but a lot of middle market, smaller firms do not have Cyber insurance. And then we're looking at this worldwide. So Cyber insurance is much more prevalent in the United States than it is around the world. But there's certainly a need for it in, you know, the UK and France and Italy and Hong Kong and Singapore and wherever.</span></p> <p><strong>Speaker 0</strong>: <span>And so that that's kind of where we're going to see, see the growth now because of the growth. Um we've seen a lot of added competition into the market. So if I think back to 10 years ago, um this isn't an exact number off the top of my head, but, you know, maybe there, we would have had 8 to 10 competitors. Now we might have 30 competitors. And so we really have to differentiate ourselves from our competitors. And so what we discuss is we have the, the top on</span></p> <p><strong>Speaker 0</strong>: <span>the writers in the industry who are, you know, know what to ask. We have our 24 7 breach hotline to be there for you, um connections with the top vendors in the industry, whether it be law firms, forensic firms, um ransomware negotiators and we have a track record of paying claims and that, that's also an important thing there. The worst thing that could happen to an insured is they have a situation</span></p> <p><strong>Speaker 0</strong>: <span>and then the insurance company is trying to get out of paying a claim. That's not the case. Here, we are, we are looking to find you coverage in order to pay the claim. We're not looking to deny the claim. And when you work with our claims team, you know, you're gonna get</span></p> <p><strong>Speaker 0</strong>: <span>highly professional folks with years and years of experience, um, who are attorneys who have just a real understanding of this. And so in terms of what's to come, I think, you know, we, I think we're going to see the growth. Um, we're going to see different ways that, that the Attackers are, are coming</span></p> <p><strong>Speaker 0</strong>: <span>different types of lawsuits, different types of laws, um, that we're seeing whether it's, you know, in the US, specifically, whether it's state specific federal, um or it's international. Um, but it's a very dynamic, very interesting space to be in that that's always changing.</span></p>