How brokers help clients with supply chain vulnerabilities

The second part of our cyber power panel welcomes Anthony Dagostino, entrepreneur in residence at Forgepoint Capital, Matt Chmel, chief broking officer, cyber solutions, E&O/cyber broking, commercial risk solutions at Aon, Michelle Lopilato, senior vice president, director of cyber and tech insurance solutions at HUB International, and Nadia Hoyte, national practice advisor, executive and professional risk solutions at USI Insurance, to discuss supply chain vulnerabilities and top tips for brokers operating in the space.


Host: [00:00:17] Hello, everyone, and welcome to the second of our CyberPower panel specials here at Insurance Business TV. Yes, that elite group of some of the biggest names in the cyber sector are back together. You may remember in our first edition they examined the impact of the pandemic on cyber insurance. And today we're going to look at another hot topic. But first, let's remind ourselves who is on that panel. They are Michelle Lopilato, who is the SVP director of cyber and tech insurance solutions at HUB International Ltd.

Michelle: [00:00:52] Hello, thank you.

Host: [00:00:55] Anthony Dagostino, who is an entrepreneur in residence at Forgepoint Capital.

Anthony: [00:01:00] Hello, thanks for having me.

Host: [00:01:02] Nadia Hoyte, the national practice adviser, executive and professional risk solutions at USI Insurance Services.

Nadia: [00:01:11] Hello

Host: [00:01:13] And Matt Chmel, the chief broking officer and central region leader at Aon.

Matt: [00:01:20] Hi, how are you?

Host: [00:01:22] So everyone, I'm going to throw another huge question at you, if I may, because supply chain vulnerability has been a key issue with digital disruption, of course, driving the losses. So I'd love to get your perspective on how brokers can help their clients mitigate these risks. Anthony, I'm going to start with you.

Anthony: [00:01:43] Sure. Thanks, Paul. So supply chain risk could probably be an entire session in and of itself, and it's so pertinent. I can't imagine how many different directions we'll take this conversation. I'll start with an oversimplification. And then your question was around brokers. I've been working with clients and working with clients anywhere from a restaurant ownership group with three locations up to some of the biggest manufacturers in the world. I mean, it really depends if you fit in one of the camps again to oversimplify. Are you focused on it or are you not? And you take those that are not focused on it and you really need to start somewhere. And sometimes it's a little concerning to have a procurement process, you know, the vendors that you're using, but you really need to ascertain what hurts if something in that supply chain or vendor goes down, has an incident. Technological failure, employees strike, and it doesn't just have to be cyber, but you really need to figure out what hurts in your supply chain that's going to affect your bottom line. And that's one piece of it. And then how does that translate into the insurance coverage? Now, it's really interesting for the companies that have a handle on it, and they're doing the security assessments and they're doing the audits and they have contractual focus in there to look at the terms and conditions and IDs and rights and all of those things. Then it's kind of that next step further. They have it now there's a process. But what's really interesting is when you start to go back to the analytics, modeling out business interruption or contingent business interruption loss, if that critical supplier, vendor, independent contractor, what have you is out due to technological failure or an incident? How does that impact you from a pure dollars and cents? And how does that cycle back to contractual indemnification limitations, liability and your vendors and suppliers and getting insurance?
So really, modeling out the business interruption, I think is critical and the guidance for those who are already focused on it. What we found in the past and from experience is working with an organization is undergoing or has undergone a business impact assessment. And having that translate over to the insurance side has been eye opening and a lot of companies are doing a business impact assessment. But the risk manager, the insurance buyer or somebody else might not be involved in that and that might not be privy to it. So that gets really interesting when you bring a BIA into the insurance aspect. The other piece, I'll say from a and whether this is supply chain related could also not be supply chain related. But I think if a public service announcement on this because I've seen it gone horribly wrong way too often: have a client fill out a forensic accounting worksheet proactively, don't wait until after the claim to start going through the business interruption and contingent business interruption loss worksheet. You'll have forensic accountants. It gets messy, but at least going through the exercise proactively to figure out what that supply chain risk could be from a dollars and cents version. Just it pays dividends at the time of the client.

Matt: [00:04:52] I would say, Anthony, all those are good points, right? I mean, I think when we work with clients, we really start with figuring out who are their vendors in their universe. And it varies significantly from client to client. Some have a very good understanding of who their vendors are and what they have access to, and others have a little bit poorer posture. So that's kind of step one is taking inventory of who the vendors are and what they have access to. And then after you do that, it goes taking it to that next level, like you mentioned and doing that actual assessment. Underwriters, as we mentioned earlier, have a kind of heightened bar for cybersecurity standards that not only extends to your organization, but the vendors you're utilizing as well, too, if they're going to extend that coverage. So a lot of times it is hard to get a vendor assessment done for every vendor, but at least for your key critical vendors, making sure you understand if they have access to critical systems, critical data that you are doing a proper security assessment, working with your IT team through the procurement process.

Nadia: [00:05:49] You know, I can't emphasize more the business impact assessment that was just referenced. It's huge. If I were thinking from a broker perspective, I think that the clients don't really appreciate what that universe looks like, and I think that that has been something that has been troubling. And it's equally important because from a broker perspective, underwriters are now asking the question, so clients need to be aware of this particular information. You need to understand where they get that information from. I do think that, you know, companies that are more regulated have definitely a bigger presence when it comes to this. In some instances, they're able to identify their critical vendors and assess them on a fairly regular basis. It's those other companies that are quasi regulated or not as directly regulated as others that fall into the latter half of that kind of category. But I think that from a broker perspective, that brokers have to realize that underwriters are asking these questions. So, you know, they are mandating that companies understand that more often than not. And I think what the attacks in both 2020 and 2021 have definitely proven to the insurance marketplace is that that crazy notion of a cyber hurricane is real. So if it's real from a reinsurance perspective and certainly from a retail insurance perspective, they're going to start asking the questions about who your critical vendors are. There are a lot of insurance companies that are moving towards that from a language perspective, forcing the conversation around it. And I do think we're going to see more of that. So I think it's critical to understand who your supply chain is, who your critical players are and ensuring that risk, legal, compliance, privacy, everyone has a hand in understanding that.
And if I may say, I would also include the fact that I do believe that we should make sure our clients also understand that tabletops are important. But tabletops that also utilize this as part of the scenario is important as well. You need to continue to drive that conversation because I think we're going to see more of that. And that's certainly something that we're beginning to see from a property perspective. We're seeing property insurers for manufacturing firms place these weird property exclusions on the business interruption and certainly the contingent business interruption. Well, if there's no coverage there, the volley is going to be to a cyber insurance policy. Well, cyber insurers are going to start asking some of the more critical questions around your vendor exposure. So I think that's definitely something to be mindful of. I do think, too, that a lot of these brokers also have to appreciate back to the business impact perspective that for some companies, you know, the actual impact of a specific supply chain failure could be death. There is this notion of Killware that is also sort of closely embedded in this whole notion of supply chain. And I do think that we need to make sure that brokers are talking with their clients with an understanding that there's not just one definition of what the risks are from a cyber perspective that each individual industry and some industry vertical have their own inherent risk and they need to be evaluated. And you also need to make sure that the off the shelf policy is manuscript or created in such a way that it speaks to the inherent risk. I think we're going to see more often than that, and I think from a broker perspective, because of all of the challenges in the cyber marketplace, there's been a lot of movement in insurance policies, from one insurer to another trying to get insurance and, you know, for something like supply chain exposures.
And for some companies who have that more directly than others, that movement may create some angst may create down the road broker E&O's, because policies people are just moving from policy to policy because they're just trying to secure insurance. I think it's a lot to unpack. So to Anthony's point, we could probably talk about this for an hour because there are so many different tentacles when it comes to this particular exposure.

Michelle: [00:10:38] I mean, I think that these are all amazing points that you're all bringing up. I think it's important also to speak to not just those Fortune 1000s who are very sophisticated have large resources, legal teams who are really focused on this. The board is really directing their committees to do these as well. We have to really focus on that SME business, right? They are in the business of surviving. They are outsourcing so much to their vendors just because they cannot keep up with the pace of it internally. Obviously, we've been talking about the transformation of digitizing environments, and this is all part and parcel of it. So when I talk to my clients, they have not run these business impacts, they have not inventoried their vendors. They're just not there yet. And I can help them get there as much as I want. But if they're not there and they're not ready and they're not really, you know, they don't have a strategy for this, for me, I really want to make sure that they're really reviewing their contracts with these vendors. Many of my clients are under this false impression that once they've signed the contract, that that risk is owned by the vendor. And I think that that is the biggest misconception that my clients have at this point in time, because what they're not looking at is the shift of liability back to them for the service that they are outsourcing to these vendors. So not only are they, you know, hiring these vendors to perform all of these services for them thinking that they're getting better securities, it's going to be updated all the time. They're thinking, Hey, you know what, when they have a failure error or omission or a failure to do what they're supposed to be doing uncovered, and that's simply not the truth. I mean, these vendors obviously have their own sophisticated legal teams who are shifting all of the liability back to our clients who cannot withstand this type of law.
So for me, it's a very big part of the conversation to get them to look at those contracts, what are they signing? What are they giving away? What are they taking on? How can we structure that policy to make sure that if they have some kind of a downstream event that affects them, they can withstand it and they can keep moving on? So for me, that is a big part of the conversation.

Matt: [00:12:57] No, that's a great point. I would say as part of that contracting requirement to everybody, and we're obviously heavily focused on cyber here. But a lot of what these vendors are doing is a professional liability or a technology errors and omissions exposure. So that should also be somewhere in the contract requirement when you're doing kind of your contractual review and best practices continue to focus on cyber, but also add in that element of professional or technology liability, depending on the services that are being provided to your organization. And then when you are a service provider, because many of obviously the clients on this webinar are also service providers for others. So that's you're looking at it from the other side of the scope. What are you exposing your liability to when you actually are that service provider or vendor? So that's another way to think about it from that side of the coin when you are that vendor.

Michelle: [00:13:45] Most of us have a lot of managed service providers in our own books of business, right? And how are we advising them? And they certainly are if their infrastructure as a service, software as a service, cloud-based provider and they have clients in these high risk classes, we have health care. Maybe they're, you know, FI and they have information of all of these entities. What are they providing in terms of indemnification? Are they giving away the farm? And that's something that we have to temper with the fact that they still want to sell their software. So they've got their salespeople trying to change the contracts as much as possible to make that sale. And then you have the legal teams trying to make decisions on whether or not that sale is worth it based on the risk that they're taking on. So it's a very big discussion. It is on both sides of the house. And I think that as long as we were there for our client and making them aware of these issues, that's half the battle.

Anthony: [00:14:44] And I would add on to that security app development, just there's been an explosion in organizations creating apps for consumers and for business customers, which is great. It's great reach. The cost has come down tremendously to develop these apps, whether they're Android or Apple, any kind of platform, but know who is developing your app and make sure that they're doing the security assessments on those apps is critical because those platform providers are not scanning the applications looking for security. It's a terms and conditions that are being attested to which holds some weight, but it's not the end-all, be-all. So secure development apps is critical and making sure that there's a process around that because that does fit into the supply chain. It's really, really critical.

Nadia: [00:15:34] And if I could just piggyback off of Anthony's point, we've seen that loss in real life. We've seen events where the actual software solution was not in the client's direct environment, but it was a part of a provider provider's environment. So that is in real life right now. This is not something that we're talking about in a far-off land, if you will. This is something that we're dealing with right now. So I do think that it is critical like this conversation becomes even more so critical because there's more of that activity that is going to happen. And candidly, the way we're going, it's still going to happen, like there's going to be more developments. There are efficiencies that have been proven as a result of those technologies, so we can certainly see that that is definitely something we're going to see more often than not, that means that companies need to change their mindset around risk. And that's certainly something that, to Michelle's point, I agree, may evolve over time, but it's something that needs to evolve. It's not something that you know, we can sit idly by anymore because we've seen it in real life. We've seen these losses happen and they are very substantial.

Host: [00:16:50] All right. I feel bad for interrupting. Thank you, everybody. This is obviously a debate that could run potentially all day long, but we are a little bit short on time. So looking forward as we move into 2022. I just want to get from each of you your key message to brokers operating in this space. Perhaps a tip or a takeaway. Just something short or sweet that you want to leave our audience with. Anthony, I'm going to come to you first.

Anthony: [00:17:17] Thanks, Paul. I mean, the one tip I'll say, because it's helped me tremendously. I've been on the brokerage side. I've been on the underwriting side. I'm going to go back because we did talk about at length, but analytics. Analytics are there. The data is getting better. A lot of people punch holes and say, Well, it's not that great or I don't see anything. But you know what? It's a step in the right direction and working with the CyberCubes of the world and others of just modeling risk from a brokerage perspective, from an underwriting perspective, from a reinsurance perspective has been very, very helpful and especially in brokers to help them inform clients on risk, ascertain how much the purchase and even get them to understand why cyber insurance can help. I've just seen the benefits of it tremendously.

Host: [00:18:02] Yeah, thank you, Anthony. Great points, Nadia, I'm going to come to you now.

Nadia: [00:18:06] I guess I would add pre underwrite. So gone are the days that we just let the insurers questions drive the conversation about exposure or how insurers should view exposure. I believe that brokers need to be a little bit more aggressive in this particular area. They need to pre underwrite or understand what those levers are, what those trigger elements are, so that they're best able to bring that into the insurance markets. Insurers are overwhelmed right now. They're not going to search for those particular areas. So I think pre underwrite and going beyond the application questions to make sure that you're meeting the needs of the insurer.

Host: [00:18:51] Thank you, Nadia. These people know this stuff, don't they? Matt, can you keep the momentum going?

Matt: [00:18:57] Yeah, a fairly simple one. Start early. Time is on your side. If you're a client or you're a broker in this marketplace and you're going to get curveballs, you're going to get layers that may reduce capacity at the last minute. You may get some unexpected questions so early you can get out ahead of it. Getting that underwriting call schedule, getting that submission, kind of doing that pre underwriting that Nadia just talked about the earlier in the process. You can do that, the better. So you're not kind of scrambling at the last minute. I can tell you extensions are almost impossible or very hard to come by these days, so I wouldn't bank on that if you kind of are coming up against the wall of a renewal date.

Host: [00:19:33] So yeah, thank you, Matt. Michelle, there's some hard acts to follow here, but the final word is yours.

Michelle: [00:19:40] Thank you for giving me the last after all of these acts. Listen, be an advisor. In order to do that, you really have to be a student of the transforming threat environment. You absolutely have to know what is going on. You have to read everything you possibly can. And at the end of the day, get involved in the claims. There's nothing that's going to be more valuable to you, whether it's in the building of the program, understanding how the claim is going to play out in consideration to the four corners of that policy and the language that is in it, or even the anecdotal evidence that you can give to your other clients and prospects based on how that claim goes out will really help you advise that client moving forward.

Host: [00:20:26] Brilliant. Thank you very, very much. Everybody to Michelle, to Anthony, to Nadia and to Matt for your expertise. And like I said at the top, everybody, these experts will be meeting on a regular basis. So watch this space for more and we'll see you next time here on Insurance Business TV.