IB Talk

A winning cyber strategy approach

In the latest IB Talk podcast, Arch Insurance’s Jamie Schibuk, brokerage executive vice president, professional liability and cyber, and Rich Gatz, vice president, cyber claims, will discuss common misconceptions about cyber claims and how the market can dispel these. Find out how the cyber insurance marketplace is evolving, and how Arch's position in it also evolves and grows.

Liked this episode of IB Talk? Don’t miss upcoming episodes, as well as a weekly news roundup from across the globe – just be sure to follow on Apple Podcasts, Spotify or Stitcher below. You can also find IB Talk on Podbean. https://insurancebusiness.podbean.com/


To view full transcript, please click here

Narrator 1: [00:00:05] Welcome to IB Talk, the leading podcast for the insurance industry across the United States, brought to you by Insurance Business. 

Narrator 2: [00:00:14] This episode is presented in partnership with Arch Insurance. In the latest episode of IB Talk, we are joined by two leading cyber experts, Jamie Schibuk and Rich Gatz of Arch Insurance to discuss what you should be aware of when it comes to cyber claims and some of the most common misconceptions. 

Bethan: [00:00:42] Hi, everyone, and welcome back to IBA Talk the Insurance Business America podcast. I'm Bethan Moorcraft, senior editor at Insurance Business. And in this episode, I'm joined by two experts from Arch Insurance to discuss the state of the cyber insurance market and what it takes to deliver exceptional levels of service. A wide range of challenges. It's my pleasure to welcome Jamie Schibuk, Executive Vice President of Professional Liability and Cyber at Arch Insurance and. I'm Rich Gatz, vice president of Cyber claims at Arch Insurance. We're going to share some insights on Arch's successful cyber strategy with that. Jamie, Rich, welcome to the show. 

Jamie: [00:01:20] Thank you. Excited to be here today talking about cyber. 

Bethan: [00:01:25] It's great to have you on board. So this conversation requires a little bit of scene setting. So Jamie, I'm going to come to you first. How would you describe the current state of the cyber insurance marketplace? 

Jamie: [00:01:38] Yeah, So thank you again. And it's been a very interesting two years. And the cyber insurance market, it's been there's been a lot of changes. There's a lot written in the news about the changes in the cyber insurance market over the last two years. You know, the hard market conditions have drastically changed the overall marketplace. We've seen rates rapidly rise over the last two years, a contraction in capacity and a lot of different changes across the marketplace. I think one of the things that's been very interesting as an insurance underwriter in this current marketplace is that one of the bigger changes has actually been the increase in and transparency and information that we get from our insured clients. And that's really first and foremost is one of the things that we've been excited about as as underwriters in the marketplace as this market continues to evolve. So from the perspective of an underwriter, I think certainly hardening market conditions are favorable for growth. It's nice to get the increased pricing to be able to manage our capacity in the marketplace. But I think one of the things that that Arch as a company has been more excited about in the marketplace is, is this increase in information that we're getting from from our insureds and the increase in the transparency. So we're getting much more and better information on cyber insurance controls from our clients than we had in the past. And this really allows us to to really focus our underwriting and to get our insurance into ultimately a better state of controls. Because as we collect this data and information, we're able to better inform our underwriting processes and and ultimately arrive at a better product with better prices for our insurers as we incorporate this information into into our underwriting process. And while certainly there's been a lot of pains in the market overall with regard to cyber insurance purchasing, and I think a lot of the insurers have felt a lot of that pain, I do think that the market has done overall a very good job in terms of collecting more information, asking the right questions of their insureds, and really ultimately differentiating risk, much more so than what was being done in the past. So that's ultimately, I think, what created a great opportunity for for Arch to enter the marketplace in a much bigger way than we had historically. 

Bethan: [00:04:21] Mm hmm. That's really interesting. And, you know, Jamie, like you said, I think that increase in information and data transparency, it really speaks to kind of more maturity in the marketplace, which is certainly very positive. And it opens up opportunities, as you said. So can you tell us a little bit more about Arch's cyber portfolio and your position in this marketplace? 

Jamie: [00:04:44] Yeah, sure. So I think if you look holistically at Arch as a company and what our reputation is across a number of segments, it's that we are a true specialty company. We focus on specialty lines of business where we feel like our underwriting can really differentiate ourselves. We also run sort of in the in the opposite direction of of a lot of the market cycles. So we really like to position ourselves as being a solution provider in those hard market conditions. And I think cyber is really a great example of the execution of that strategy. So if you go back two years ago, our cyber portfolio was was fairly small. It was under $20 million in gross written premium. And then I think as the market changed, the market changed as we've been talking about. Arch truly saw an opportunity to be a much bigger solution provider in the marketplace, a really an opportunity for us to grow into the hard market and be, you know, at the forefront of our clients minds and be thought of as a solution provider. And so we really stepped on the gas the last two years in the cyber market to, as I mentioned, being under $20 million really only a little over two years ago to last year finishing well over $100 Million in gross written premium and going into this year expecting to finish well over $300 million on gross certain premium out of the US. And I think where we've really tried to position ourselves as is, is that true solution provider? So I think one of the real challenges in the hard market was that there was there was definitely a lot of checkbox underwriting that was going on in the marketplace if you didn't have, you know, certain key items or controls, really, there was no opportunity for you to get coverage. And I think what we really tried to do was to dig deeper into the controls, better, understands our clients environments and not necessarily focus so much on that checkbox underwriting, but really differentiate ourselves in the underwriting process, you know, getting on on calls with insurance, trying to better understand why a certain control wasn't in place, what mitigating factors they may have, and really understanding all those details so that we could put terms on the table. The other thing I would say as well is that, you know, we really saw an opportunity to expand capacity, I think while others were contracting capacity, we saw it as an opportunity to get favorable terms and conditions, be a solution provider and expand our capacity in many places. So that really drove a lot of rapid growth into the portfolio. And so we've really tried to position ourselves for that growth and really continuing to be a top market player. I think, you know, if you look back two years ago, we may have been a 30 or 48th largest player and today we're well within the top ten market players. And that's a position that we want to continue to grow and continue to maintain where we are in the marketplace. And we're really excited about being that solution for our clients. 

Bethan: [00:08:15] Yeah, well, that excitement's understandable. From $20 Million in GROSS written premium two years ago to hopefully 300 million this year. That's really quite explosive growth. And Jamie, you mentioned kind of just now some differentiation in your underwriting strategy and can you shed some light on some other ways that Arch is kind of setting itself out in this marketplace and differentiating? 

Jamie: [00:08:40] Yeah, sure. Sure. So I think, you know, a couple of things I would like to mention, too. I think, you know, a lot of that growth in the marketplace. We had to we had to build up the staff quite a bit. Right. So, you know, I think it's certainly you can in a hard market, it's easy to get positions on towers by just putting terms out into the marketplace. But we wanted to be more than that. We wanted to be seen as somebody that provides a really high level of service to our customers and clients and really differentiate ourselves in that way. So in order to do that, we had to add massively to underwriting staff. So we more than doubled the staff over the last year or so, adding underwriters across the country so that we could provide those quick turnaround times, that high level of service because, you know, it's great when you can provide that capacity, but if you can't provide the service to back it up, then ultimately that's going to fall apart and you're going to have a poor client experience. And ultimately we wanted to make sure that we're having a great client experience. I think the other thing that we've done as well is we've continued to add to our vendors across the risk management cycle. And I think, you know, one I'll mention security scorecard. You know, what's interesting about that is it's a tool that allows us to do an outside scan of our clients and identify key vulnerabilities. What I think was interesting in utilizing these tools is there's a number of carriers that do use them. I think where we've tried to differentiate is really incorporating some of the risk engineering component into these tools. So in addition to adding to the underwriting staff, we also now have two cybersecurity risk engineers on staff, one of which we actually pulled internally from Arch's own SOC. So almost from the customer's standpoint, as well as another individual that joined us from a security company. And so what that's allowed us to do is to be in more of a consultative role with our clients. So when we run a scan and we identify key issues, the risk engineers are brought in to validate those findings, make sure that they're true, positive findings, and then to engage in dialogue with the clients about what was found, what mitigating controls in place may be in place, or how can clients improve that risk posture. The other thing that they've helped us to do is to identify some of the best tools in the marketplace, and that's information that we can. Pass along to clients. And we've even been able to get quotes from some of these security firms on more favorable terms for clients so that they can continue to improve their risk posture. So I think ultimately we want to be really well aligned with our clients from a risk management standpoint, and that's really been helpful in differentiating ourselves in the marketplace. And then the other piece is claims. You know, I think we brought on Rich Gatz more recently as our VP and head of Cyber Claims. So we're really excited to have Rich brought into our product offering and and really help us to continue to differentiate on the claims side as well. 

Bethan: [00:12:08] Yeah, thanks, Jamie and Rich, that's a great place to bring you into this conversation. As Jamie said, you recently joined Arch as vice president and head of Cyber Claims. Can you tell us a bit about your background and why you decided to join Arch? 

Rich: [00:12:22] Yeah, thank you, Jamie, for those kind words. I am very happy to be at Arch. A little bit about my background. I'm an attorney by trade. I started off in private practice litigation before moving to just kind of serendipitously handling directors and officers and employment practices liability claims for the US insurer and then just kind of moved around a little bit until around 2013 where I was handling large law lawyers, accountants claims, and this is right after the Great Recession. And so it was a little bit of a wild, wild time because a lot of businesses had went out of business or had become defunct. And so I had a very large amount of very expensive claims. So those was in front of senior claims staff almost weekly. And at the end of one of these calls, one of our technical directors said, Does anyone know what Bitcoin is? And again, 2013 and I actually happened to know what Bitcoin was because cryptocurrency is a little bit of a hobby of mine. And so I tried to explain what Bitcoin was and distributed ledger technology to a roomful of insurance executives and no one understood a word I was saying. So I ended up drafting a white paper that went to, I don't know, apparently the upper echelons of the company. And a couple of weeks later they reached out and said, Hey, Rich, we want you to be the technology subject matter expert on our normal cyber policy. And I had no idea what a cyber policy even was at that point. I'd never heard of it, never come across it. I was just primarily handling claims, the professional liability and financial lines context. So I spent the next six weeks, eight, 10 hours a day drafting a policy from scratch and just completely fell in love with this area of insurance. And so since then, I've been trying to focus more and more on my practice and my professional career on privacy, data security, cybersecurity related claims. So got a couple of designations from the International Association of Privacy Professional and worked at Coalition, which is a startup that solely focuses on cyber insurance before moving to Arch. And the decision was was difficult. But I've worked with Arch for several years. I've had a lot of colleagues that that work here and frankly, the reputation of Arch in the workplace, not just with consumers but with insurance. People that actually work in insurance is top notch. So when I was lucky enough to win this opportunity, it was something that I was very excited to do. 

Bethan: [00:15:04] That's great to hear. Now, I'm sure that your day to day job is so interesting. You know, cyber claims are intriguing to me because the risk is ever evolving. There's always something new every single day. So Rich. I mean, are there any common misconceptions about cyber claims that you're aware of? And and how can the industry dispel these myths? 

Rich: [00:15:26] Yeah, I think there is, especially because cyber insurance has come to the forefront of kind of the societal zeitgeist just over post COVID because of in part the ransomware epidemic. So one of the things I try to do on social media and conferences I speak at is to really try to let people know what cyber insurance is and dispel those myths or rumors. And there's a couple that really stick out in the front of my mind. One is that cyber insurance is just for companies that work in technology. Unfortunately, these bad actors, a lot of times they do specifically try to focus on a specific entity or individual. But a lot of times too, it's just sarin. It's just winning the bad luck lottery and having some issues with your network framework or your network footprint or not having something. Correctly diagnosed or leaving yourself open to the to the Internet, to the world that results in a cyber claim. Right. And so any company that is working with computers or any company that maintains or aggregates personally identifiable information or private health information needs cyber insurance, because I've been on way too many calls with people that luckily they did have cyber insurance, but their entire business was just absolutely destroyed as a result of a cyber incident or not knowing what to do or how to respond to to a ransomware event or even a business email compromise or even gift card fraud. Right. And so there is a need, I think, for cyber insurance. And it's a very, very helpful risk mitigation tool for companies. Another one that I think kind of goes hand in hand with that is that cyber insurance doesn't pay claims. I've been seeing this more and more and a lot of it is arising out of kind of some of the requirements that cyber insurance companies have in order to get that cyber insurance. And that's just it's just blatantly untrue. Cyber insurance pays a lot of claims, which is part of the reason we're dealing with a hard market in cyber insurance right now because of all the claims that have been paid over the past couple of years. And, you know, it's one of those things where I try to tell and not not evangelize, but, you know, the benefits of cyber insurance is that we help both you, the unnamed insured and your customers by helping secure your network, helping identify when notification is necessary, arising out of a breach of personal identifiable information. And so the goal of the cyber insurance policy is to be that risk mitigation tool. And so the chances of a claim not being paid are fairly, fairly small. And usually there is specific exclusionary language or there would have to be a very material misrepresentation in the application process, which we really don't see very often at all. And then the third and last piece is just, you know, a lot of people seem to think that cyber insurance is similar to kind of an auto or homeowner's policy or another business policy where you just kind of do everything, try to resolve everything on your own and then provide a bill to your cyber insurance carrier. And that's that's really not the way that Arch is and other market leading cyber insurance companies are because we want to help you from minute zero. Right. And we really want to be that asset and to allow you to recover from a cyber incident quicker and more efficiently. And so I tell all my policyholders all the time, and I do this on every place I speak, even if it's not in front of policyholders to report early report often make sure that you're notifying your carrier of anything that kind of makes that spidey sense tingle a little bit in your stomach, like, huh, That was weird, right? Just out of an abundance of caution. Just because there's a good chance that by getting the proper consults in there or even just talking to a knowledgeable claims rep, you're going to diagnose something or see if there's going to have to be additional investigation, either forensically or legally, to ensure that you, your company and your customers are safe. 

Bethan: [00:19:51] I like that. That cyber spidey sense, that third point, Rich, that ties nicely into something else that I wanted to ask. So, you know, cyber is often grouped together with professional lines. Now, are cyber claims different from other types of professional lines claims? And a second point to that, does Arch's value proposition or approach ever change between these types of things? 

Rich: [00:20:14] Yeah, I think that there is a big difference between cyber claims and your typical med malware's malpractice or just miscellaneous professional liability. You know, just because primarily the cyber insurance policy has both first party coverage and third party coverage. So not only are you getting the benefit if you are sued by an entity or individual arising out of allegedly harmful acts that you have made may have committed or things you may not have done that damage someone, but the actual named insured is covered for damages. And so because of that, we're able to help and assist in a much with alacrity. Right. Like if your business is down, your computers are encrypted, we can get legal forensics remediation in place that same day to assist you and hopefully defray any type of business interruption loss. Right. And because of that, too, and this kind of segues into another differentiation between professional lines claims or other professionalist claims, I should say, is that there is a lot of activity in the forefront of a cyber. And not only that, but there are shorter tail claims. You typically don't have a cyber claim that's open for six months to a year. Right. It's really, really quick turnaround because you're trying to get the insured back up and running as quickly as possible. So because of that, you need an immediate and exigent response, right? You need a claims team that's going to really be available from minute zero and have the tools and vendor panels to assist in the recovery and mitigation of the cyber incident. And so that is kind of Arch's value preposition is intense and efficient customer service for our policyholders. And so I don't I don't think our value proposition has has changed. But I do think that when you're handling cyber claims, you do have to be more agile, you do have to have a better understanding of the different consultants that are involved and how to facilitate those relationships between them to effectuate that customer service and those positive results as part of the claims transaction. So yeah, I mean, I think we're going to continue to do what Arch does and what they do very well. And again, that's service. Our policyholders assist our broker business partners in the sale of market leading policy language and then also make sure that we're adapting to the cyber insurance, cybersecurity, marketplace and landscape, because that's a differentiation with professional liability and financial lines claims too, right? We're not really seeing a huge change in SCC law on a monthly basis. Right. Or, you know, the medical malpractice jurisdictional laws or issues don't really get updated to a point where things are massively different. Right? Whereas in the cyber insurance marketplace, you have those types of things, right? Like you've seen I'm sure we've read all about the war exclusions and the ransomware epidemic, and now we're dealing with a lot of funds transfer fraud. Right. And so, again, that value proposition doesn't change. But how we effectuate that value proposition is going to have to be dynamic to make sure that we're on top of everything for our insureds. 

Bethan: [00:23:42] Mm hmm. That's really interesting, Rich. Thank you. Now, everything you've both shared so far really highlights how complex and interesting challenging the cyber insurance marketplace is. Jamie, to close, I want to come to you with one final question. How do you see this cyber insurance marketplace evolving and how might Archer's position in it also evolve and grow? 

Jamie: [00:24:07] Yeah, sure. So I think one of the things I mentioned earlier was around engineering risk. I think that that is the direction that the market is going. So clients are providing us with a multitude of information about their controls. We're leveraging outside scans of their networks. And then I mentioned bringing in these risk engineers to really try to improve a client's environment, their security, which ultimately reduces the likelihood of a claim of an interruption in their business, and obviously also benefits the carrier by potentially reducing loss ratios. And I think one of the things that we talk a lot about is this continuous improvement cycle where we're getting underwriting data, we're getting claims data and then feeding one into the other as well as the risk engineering component so that we're constantly continuing to improve the data and information that we're getting, utilizing that information to improve our insureds environments and and business resiliency as well as our underwriting and loss ratio. So it's really both on the client side and on the carrier side of leveraging this continuous improvement cycle to continue to get better. And I think ultimately the carriers that execute on that, the best are going to be the ones that will be the market leaders and that at Arch we think we've put in place the pieces of that continuous improvement cycle to be the ones that are top notch at executing on that cycle and ultimately winning with clients and brokers. 

Bethan: [00:25:51] Excellent. Thank you, Jamie. Someone once told me that the only constant in cyber insurance is change, and I think that's a very true statement. Jamie, Rich It's been really interesting to hear how Arch is tackling cyber and managing to provide innovative solutions and achieve excellent growth. So thank you both very much for joining us on the show today. 

Jamie: [00:26:13] Thank you for having us. 

Rich: [00:26:16] Thanks a lot. 

Bethan: [00:26:17] Thanks also to our listeners for tuning in. I'm Bethan Moorcraft, senior editor at Insurance Business. And this was IBA talk. Thanks, everybody. 

Narrator 2: [00:26:27] Thank you for listening to this episode of IBA talk. For more from the team at Arch Insurance, visit them at archinsurance.com. Thank you for listening to IB talk for the latest episodes, be sure to follow us on PodBean. You can also tune in on your favorite listening channel. Find us on Spotify, Stitcher and Apple Podcasts.