In the compelling finale of this three-part insurance series, host Kirsten Howe and insurance expert Dean Myers tackle the coverage that keeps business owners up at night—cyber insurance. Dean shares fascinating real-world stories, from ransomware attackers offering customer service hotlines to disgruntled employees planting digital “time bombs” in company systems. You’ll discover why this isn’t just another insurance policy but essential business survival protection that covers everything from system failures to deepfake fraud. Dean reveals the surprising realities about whether companies should pay ransoms, how insurers use “white hat” attacks during applications, and why Silicon Valley startups are outpacing traditional insurance giants. If you think your business is too small to be targeted or that basic IT protection is enough, this episode will be a wake-up call you can’t afford to ignore.
Time-stamped Show Notes:
0:00 Introduction
1:12 What is cyber insurance, and why is it the broadest coverage for such esoteric risks?
1:48 The comprehensive scope: system failure, ransomware, business email compromise, business interruption, contingent business interruption, and forensics coverage.
2:15 Why cyber claims require hiring attorneys, CPAs, forensics experts, claims adjusters, and legal counsel, unlike traditional workers’ comp claims.
2:45 The two key reasons carriers provide such broad coverage: rapid system restoration at the lowest cost and mandatory industry claim reporting.
3:48 How cyber insurance provides both first-party and third-party coverage, protecting you when you accidentally send infected emails to clients.
4:37 Real-world business email compromise: When hackers send fake invoices to your clients from compromised email accounts.
5:10 Why cyber attacks almost always originate overseas in countries with lax cybersecurity laws and accountability.
5:37 Will cyber insurance pay ransoms, and when is it appropriate?
6:42 Real claim story: How a tired CPA two days before tax season fell for a phishing email with a partner’s name containing just one extra letter.
8:25 Why paying ransoms creates a “bull’s eye on your back” and marks you as a repeat target for extortionists.
11:06 Cyber insurance qualification requirements: Why multi-factor authentication is now absolutely mandatory across all carriers.
12:15 “White hat” mock attacks: How insurers test your system vulnerabilities during the application process using the “open parking spot” analogy.
14:41 Insider sabotage case study: Bay Area law firm manager discovers her job posted on LinkedIn, teams up with IT brother-in-law for revenge.
15:53 The emerging deepfake threat: How voice cloning technology is creating new fraud risks for fund transfers.
16:25 Protection strategies: Using “trip questions” with personal knowledge to verify client identity during suspicious calls.
17:12 The AI counterbalance: How artificial intelligence may help prevent cyber claims in the future.
Get in touch with Dean!
Dean Myers
Core Insurance Agency
dmyers@thecoreagency.com
925-876-1303
https://www.thecoreagency.com/
Transcript:
Hello and welcome to Absolute Trust Talk. This is our video podcast here at Absolute Trust Counsel. I’m Kirsten Howe, and today is our third episode on insurance with the same guest, Dean Myers, the owner of Core Insurance Agency. Dean’s agency is an independently owned commercial insurance brokerage firm. If you listened to our last two episodes, you know that he has a particular specialty in errors and omissions policies for professionals, certain categories of professionals. What we’re going to talk about today, though, honestly, is the thing that I’ve been most looking forward to talking with Dean about, and that’s cyber insurance, because I think there’s got to be some really great stories in there. So, I saved the best for last. Hopefully, you all agree. Dean, welcome back. Thank you so much for being here again.
Absolutely. It’s my pleasure. Thanks so much for having me, Kirsten.
It’s my pleasure, actually. I’ve learned so much along the way. So this is our third episode. We’re going to talk about cyber insurance. Let’s just start with the basics. What is cyber insurance?
Well, cyber insurance covers all the coverages. I think cyber insurance is the broadest for such esoteric coverage. It covers system failure. It covers ransomware. It covers what we call business email compromise. It covers business interruption. It covers contingent business interruption. It covers forensics. We hire breach coaches. When we get a claim, like most claims—like workers’ comp claims go to the carrier, and then they assign an adjuster—when it’s cyber, well, they’ve got to hire an attorney, they’ve got to hire a CPA forensics, they’ve got to hire a claims adjuster, they’ve got to hire legal counsel. I mean, it’s very broad, but really for two reasons. One is that the carriers want to protect and restore your system, the computer system, as quickly as possible at the lowest cost possible. Secondly, more and more of these carriers are reporting these claims. I think there might be an industry or legal reason they need to report these to a database. Unlike general liability, for instance, they don’t report these claims to an industry database. However, a cyber claim that affects you affects everybody, and we need to be aware of these things. I have so many stories, there’s no way—I mean, we’d have to do multiple podcasts. And some of these claims are crazy, and most of them, I think, to a large extent, are preventable. Unlike many other claims, where it’s just happenstance—an injured worker trips and falls, or gets hit over the head by a falling beam if they’re a contractor—cyber claims come out of the blue, and they send off shock waves because it affects the entire business, and then potentially beyond.
Okay, so that is very interesting. I mean, I guess it covers just such a vast—it provides a very broad set of remedies or fixes, just because the one thing that happened had to do with a breach of some sort of your network, your internet connection. It’s anybody who’s using the internet.
Exactly. And some coverages are first party, as we mentioned in previous podcasts. Some are third-party. General liability—this is both first and third party. You could be sued because you sent an email to one of your clients, and that email contained a virus, an attachment, or a link. We’re seeing more and more of that, and your client clicked on that link, and boom, there’s damage. Or sometimes your email got compromised, but you didn’t know it, and somebody who hacked into your system sends an email to one of your clients saying, “Listen, here’s the latest invoice. This one we forgot about, you know, so-and-so in my office just was on vacation,” and so, “just pay this invoice.”
And my client pays the invoice to some guy in Russia?
Oh yeah, exactly. And it’s almost always overseas, because most countries don’t have the same level of security and accountability, particularly in Russia, that we do in the United States. If you get nailed in the United States for cyber warfare or cyber attacks, you’re going to jail for a long time. In Russia, well, they may reward you for it—share those techniques with us.
Pretty much. Yeah, I mean, not to be picking on Russia, but it could be anywhere, any one of a number of countries where the countries have lax cybersecurity laws.
Yeah. Okay, so you mentioned ransom. Would cyber insurance pay a ransom?
They would pay a ransom. They’ll advise the carrier if it’s the right thing to do.
What’s that? Is it the appropriate thing to do?
Well, you know, sometimes in a knee-jerk way, I had a claim recently with an accounting firm that just paid the ransom—$55,000—and then they went back to the carrier and said, “We just paid this ransom. $1,000 deductible, so deductibles are really low. Can you reimburse us $54,000?” The carrier said, “No, we didn’t authorize that. We wanted to do our own forensics,” but for two reasons. One is we’ve got to make sure the claim’s legit, because there’s $40 billion annually in fraud in the insurance industry. Not that carriers are committing fraud—it’s false claims or claims that are being inflated, so they need to do their investigative work. Is it a legitimate claim? And that goes beyond cyber. The second thing is, well, we want to protect your system. We want to know the source. Now, ransomware, more and more is being—this accounting firm, two days before tax returns, April 13th, one of their CPAs was so tired and busy that they clicked on a link they shouldn’t have clicked on and shared their login information and password. Now, most of us are thinking, “That’s crazy. Who would do that?” You’d be surprised. It happens. If you’re tired, you’re busy in the middle of things. It came from a legitimate source. It came from one of the partners, but the partner’s name had an extra E in it where it shouldn’t have, like Myers is M-Y-E-R-S. It could have been M-E-Y-E-R-S. Something so subtle as to escape the attention of a highly trained CPA, and they’re sharp people. I insure them for their E&O. They’re really good, but it happens—they’re human, as you said previously. Well, the gig’s up, but if you start paying that ransomware, 50/50, you’re going to get your system back. So, how do you trust the person who committed this crime against you, then all of a sudden, “Oh yeah, we’ll give it back. Yeah, we’ll be nice people.” Well, some of these ransomware affiliations have their own 800 customer service numbers. “Hey, we’ll set you up on Coinbase. We’ve got your back. We’re going to help you through this process.” It’s like, wow. And from what I’ve heard, it’s pretty solid customer service.
But the insurance company needs to investigate all of that and make sure it’s legitimate. Make sure you’re actually going to get your system back if you pay the ransom?
Yeah, they’re not going to keep after you.
Well, that’s a brilliant point, because that’s what happens. You got a bull’s eye on your back now.
Yep. So that, I mean, that’s what extortionists do. They get you to pay once, and now they know “I got a sucker coming back, they’ll click on my links and they’ll pay immediately.”
It might make sense not to pay the ransom and figure out another way to get your system back.
Well, in most cases, yes, because when you think about $55,000—I know most people think, “Oh, they’re going to ask for millions.” They’re not going to do that because they want to get paid. They want to get paid. And most cyber policies only have a million-dollar limit. You can get more. But I think the thinking, what we’re seeing, the trend, is they’re going after smaller and smaller businesses that don’t have the robust protection, the endpoint detection response. Do you have software? I’ve seen claims where we have these time bombs, where if an employee’s name is removed from the database, it’ll trigger a virus within that system, so if an employee gets fired, you know, they’ve got a backup plan. They’re going to hold their former employer hostage if their name is removed from the database, so it’s just sitting there. Well, most small businesses wouldn’t have the software to know if there’s a stranger roaming around or a virus, in this case, roaming around in your system until it’s too late. It’s already released.
Exactly. That’s fascinating. You just create your own severance package.
That’s a great way to put it. Oh my goodness, but it happens. I have a son-in-law who’s in IT. He could do all these things. I won’t say where he works, but it’s not difficult. The thing is, if you have access to the system, especially if you’re a coder or that’s what you do for a living, it’s not hard. And there are millions and millions of those employees.
You mentioned that it’s really not that expensive to buy cyber insurance. But is it hard to qualify? Do you have to prove things to the insurance company, like, “We have all these securities in place”? How does that work?
Yeah, you do, but there are things you should have in the first place, like multi-factor authentication. You should have more than one password or method, such as a key, or get an extra layer of protection. Multi-factor—MFA—multi-factor authentication. That is an absolute requirement. There’s probably at this point no carrier that would insure any business that didn’t have that. And then from there, you’re going to need the appropriate firewalls, you’re going to need antivirus protection. Most of these carriers are doing—and incidentally, most carriers writing cyber are not your traditional AIGs and Chubb. These are startup InsurTech companies out of Silicon Valley with names like Cowbell, Coalition, and Corvus, and they all start with C for whatever reason. I mean, these kinds of techie-type names, but they’re very good at what they do. When you apply for insurance, they may put on what’s called a white hat. Some of your viewers probably know what this is, and they’ll do a very simple, non-intrusive, but mock attack on your system, just to see if there are any open ports or any ways of entry into your system. It’s kind of like having an open parking spot in your building’s garage. You can’t get out of your car unless there’s an open parking spot. Once there’s an open parking spot, you park your car and roam into the building. So that’s what they’re looking for. Now they’re not going to attack you with a virus or anything like that. They’ll run a test. It’s free of charge as part of the application process. They show those results with the client, with the law firm in your case, but it’s also part of the underwriting profile as well. And they may come back and say, “Listen, we can insure you, but it’s going to cost you eight grand. But if you fix these things, it’ll cost you three grand.” It’s not just an eligibility, it’s also a cost mechanism.
Got it, okay. Once you get your multi-factor authentication in place, which you said is absolutely going to be required no matter what, you could just start the process, and they’re going to help you figure out what else you should have.
Exactly. And it serves them as well. Now I think the requirement is going to be at some point that you’re going to have to have an IT person. The accounting firm that I alluded to earlier, and I’ve seen this with law firms as well, has somebody on staff. It could be a legal secretary, or it could be a bookkeeper if it’s an accounting firm. I have a degree in computer science, but you don’t want me as your IT person just because I have a degree in computer science. We’re trying to get industries that are vulnerable to cyber attacks away from trying to split hairs, so to speak, and hire either in-house IT or have somebody, a vendor specific to that type of industry IT, because now in the application there’s going to be a section the IT person has to complete. It’s only four or five questions, but that’s going to be another requirement if it isn’t already.
Okay, got it. So rather than saying, “Okay, my paralegal is also our IT person,” no, don’t do that. An actual IT person.
Well, yeah, because the IT person’s going to be current, and they’ve got to be like, “This is seriously my job. I have to do it.”
Exactly, and some of the claims I’ve seen are self-inflicted. I had a claim recently where a woman was a firm manager of a large law firm in the Bay Area, and she was on LinkedIn one night, and she saw her job was being advertised—“We have an opening at this law firm for a firm manager”—her job. She got mad, so she hacked in with her brother-in-law, who was an IT person, and destroyed files because she was mad at the law firm. So she comes in Monday morning, and there’s havoc in the law firm. The managing partner says, “We think you were behind this.” And she said, “Yeah, you’re going to fire me anyway.” “We’re going to fire you. We’re going to promote you!” But now you’re fired.
Oh my gosh. So at least it wasn’t a virus. You were able to unwind it, but it was disruptive. No IT person could have prevented that. I mean, they probably could have tuned it to some extent, but I guess, I mean, if your own employees are going to sabotage you, that’s got to be hard to protect against.
Right. There are some things that are just—well, and we’re going to get into deepfakes. There’s going to be a whole new slew of claims where you call and verify. Like, one of the claims we see is funds fraud transfers, where your client says, “Oh, transfer, we got a new bank.” Well, then you call and verify, and a lot of law firms don’t do that, and you hear the person’s voice, and it sounds like your client’s voice, and you think it should be. And then you ask a question, “Hey Dean, how was your vacation in Hawaii?” And I say, “Oh, it was great, Kirsten. It was wonderful.” Well, I didn’t vacation in Hawaii, you know, I vacationed in San Diego. You have to have these trip questions that only you would know the answer to, that aren’t public information. There are ways you can deal with the call verification. I’m sure some people are thinking that’s easy to get around as well, not if you have personal knowledge of your clients.
Yeah. Now deepfakes, oh gosh.
It’s coming. Artificial intelligence could work in our favor as well to prevent at least the claims process. So there are counterbalances to everything in insurance, and we think this one’s going to work in our favor.
Okay, excellent. Thank you so much for sharing what you know about cyber insurance, about all of it—the E&O, the general liability. Thank you so much. This has been such an informative series, and I think really important for people to know and understand, and at least have a jumping-off point.
Yeah, I hope so. It’s been my pleasure. Thank you so much, Kirsten.
You are welcome, and thank you all for watching and listening. I hope that you learned even a tenth as much as I did and enjoyed yourself along the way. We look forward to connecting with you next time.
Resources Related to This Episode:
- Absolute Trust Talk Ep. 187 Are You Risking Everything? The Insurance Your Business Can’t Operate Without https://absolutetrustcounsel.com/187-are-you-risking-everything-the-insurance-your-business-cant-operate-without-part-2/
- Absolute Trust Talk Ep. 185 Are You Risking Everything? The Insurance Your Business Can’t Operate Without https://absolutetrustcounsel.com/185-are-you-risking-everything-the-insurance-your-business-cant-operate-without/
- Absolute Trust Talk Ep. 89 Why Your Family Might Need Lifestyle Insurance and the Latest Opportunity Benefits https://absolutetrustcounsel.com/089-why-your-family-might-need-lifestyle-insurance-and-the-latest-opportunity-benefits/
- Absolute Trust Talk Ep. 52 Estate and Financial Planning with Life Insurance https://absolutetrustcounsel.com/052-estate-and-financial-planning-with-life-insurance/
- A Will is Not Enough – Securing Your Legacy with Estate Planning Life can change in an instant. A will is not enough to be prepared. Get free access to our actionable E-book Guidebook #1 and start protecting your legacy today. https://absolutetrustcounsel.com/guidebooks/
- Learn how to comfortably define gray areas and assess your unique needs to build a secure future now effortlessly. Check out Guidebook #2, Estate Planning Beyond the Basics, here > https://absolutetrustcounsel.com/guidebooks/
- Get our free introductory guide to the most used estate planning tool, family trusts, and understand how we plan to help protect your family. Guidebook #3: https://absolutetrustcounsel.com/guidebooks/
- Absolute Trust Counsel would love to offer access to our Incapacity Planning resource page: https://AbsoluteTrustCounsel.com/Incapacity-Planning/. We’ve collected our top planning information all in one place so listeners can find videos, guidebooks, blog posts, and a host of information with tips and strategies on implementing, planning, and protecting themselves and their loved ones.
- We’re pleased to provide a library of e-books to address common estate planning questions and concerns in practical, easy-to-understand language. https://AbsoluteTrustCounsel.com/Resources/.
- ASK KIRSTEN: If you’d like Kirsten to answer your question on the air, please email her at Info@AbsoluteTrustCounsel.com.
