PODCAST
What Every Business Needs to Know About Cyber Insurance

About the Guest

Rory Young
Cyber Practice Leader, Marsh Hong Kong

Rory Young is the Cyber Leader for Marsh Hong Kong and Macau. He has over a decade of experience in cyber, technology and multimedia insurance solutions spanning across multiple jurisdictions, including time as a Lloyd’s of London broker. He moved to Hong Kong in 2018.
Stay Connected
- Rory Young LinkedIn: https://www.linkedin.com/in/roryjsyoung/
- Marsh Website: https://www.marsh.com/en/home.html
- Swiss Re: Reality Check on the Future of the Cyber Insurance Market
- S&P on APAC’s Cyber Insurance Growth:
- THEOS Website: https://theos-cyber.com/
- THEOS Cyber LinkedIn: https://www.linkedin.com/company/theos-cyber/
- THEOS Cybernova LinkedIn: https://www.linkedin.com/showcase/theos-cybernova/
- Alex Hudelot LinkedIn: https://www.linkedin.com/in/alexhudelot/
- Paul Jackson LinkedIn: https://www.linkedin.com/in/jacksonhk/
Episode Transcript
Paul Jackson: Wherever you are in the world. Hello and welcome to THEOS Cybernova podcasts. Before we begin, I’ve got a quick favor to ask from you. There’s one simple way that you could support our show, and that is by hitting the follow or subscribe buttons on the app that you’re listening to the show on right now. It makes a huge difference in helping to get the show out there to as many people as possible.
So please, please give us a hand and click that button now. Thank you very much for.
The THEOS Cybernova podcast hosted by Paul Jackson.
So here we go with yet another fantastic episode of THEOS Cybernova podcast. I’m Paul Jackson, and each week I’m digging into the latest trends, challenges and innovations shaping the cyber security landscape. As well as talking to a fantastic mix of leading industry experts, thought leaders, legal eagles and technologists all with a particular focus on the Asia-Pacific region.
So whether you’re a professional in the field or simply curious about staying safe in the digital age, we hope THEOS Cybernova will offer up valuable knowledge and actionable insights for everyone. Today, I’m delighted to welcome Rory Young to the show. Rory is based in Hong Kong and is a prominent figure in the cyber insurance ecosystem. Rory, thanks for joining us today. And rather than me reading your bio, why don’t you tell us a little bit about yourself, your professional journey and how you ended up in Hong Kong?
Rory Young: Yeah, thanks for that. And I just wanted to start by saying I’m very excited to be on the podcast. Today is my first podcast I’m participating in. I’m a long-time listener, as it were, in many different podcasts, namely rugby and sport, etc., but I’m really pleased to be here.
So yeah, look, I am Rory Young. I head up Marsh’s cyber practice in Hong Kong. I started off my career around ten years ago now, so I graduated from university. I didn’t study anything to do with cyber whatsoever. I actually studied politics and international relations, and it’s a bit of a bit of a weird journey, really. I knew that I wanted to enter into kind of the London chuck a suit on every day in the morning, go into work.
I was applying for a number of different, different jobs, and it just so happened that I basically found an insurance job that I got to further down the line with an interview process. I happened to play rugby with an individual that works or his brother actually worked for the company ended up randomly basically joining this cyber team at a company called Lockton, and since then I haven’t really looked back.
It’s been, you know, two weeks. It took me to fall in love with the industry. It’s very sociable. The actual work itself, from respect to the risk management side and the sales side and the client piece, I think it’s quite an exciting industry if you’re not familiar with it at all. And from a cyber perspective, it’s I found that the cyber insurance market is a lot younger than, say, the marine industry you’ll find.
So it didn’t take long to when you’re in Lloyd’s of London and you’re sort of walking around from box to box and you’re seeing that ecosystem of all the insurances that companies are buying got, you know, riveting away. And, you know, all the marine brokers were doing for 50 or 60 years potentially. And that, you know, they’re in their sort of twilight of their careers to some extent.
And the cyber insurance market was a lot different. I feel like if you, a 20 something year old and you had 3 or 4 years experience under your belt, actually you were becoming a bit more of a senior body in that world and quite quickly realized, well, I realized it was quite lucky to accidentally fall into it and really, really enjoy not just the actual solution that I’m involved with being cyber, but actually the insurance industry as well. It is quite special and from Lockton, I you know, I worked as a Lloyd’s of London broker. I was doing most of US domiciled business. You know, it’s a very, very popular kind of product to buy in the US for a number of reasons. And we’ll get into that later on. And I put my hand up to do something a bit more retail focused, you know, directly in front of clients and Lockton, basically sort of said, look, go to Hong Kong. We don’t really know much about that part of the world. We have all this business coming in from the US, but we don’t have anything from Asia. We want to grow Australia as well. And that’s really that’s why I came out to Asia in the first place. It was an exploration from Lockton’s perspective. The local office didn’t necessarily have an expertise in this area as well.
So I was going in and being that subject matter expert, which is really well received, and since then I haven’t left.
Paul Jackson: Familiar story, right?
Rory Young: But yeah, exactly. Exactly. Is, it is a familiar story, you know, that 1 or 2 years becoming a bit more and I’m actually getting my PR in Hong Kong in a few months time, which is exciting.
But, yeah, I joined Marsh just over three years ago. But yeah, very, very similar role is leading a team in respect to cyber and technology and multimedia, insurance businesses. But that really is kind of the crux of how I started off and why I’m in insurance, why I enjoy it and why I’m here today, really.
Paul Jackson: Fantastic. And look, you know, I know what you’re saying about the insurance. Well, the ecosystem being very social whenever I go to insurance related events, I think NetDiligence is probably the pinnacle of this. It turns into one very big social event, and there’s a great sense of community amongst those who are involved. Right?
Rory Young: Yeah, definitely. I, I think especially in London, if you think that there’s only, you know, a handful of live trading floors that exist in, in, across any industry and you have the stock exchange, you have the metal exchange and then you have Lloyd’s of London. It’s and it does captivate a certain individual is very sociable. You’re expected to be in front of people is about relationships. And I don’t think many people or maybe it’s changed a little bit, are actively seeking to enter into this industry. I think it is changing a bit, but the characters you get tend to be quite similar. They are very sociable and yeah, you do tend to find them probably staying a little bit later in the night than other sort of industry professionals you’d expect.
Paul Jackson: Yeah, and it’s great to have another rugby player on the on the show as well. We had Dicky Wong on an earlier show who’s a, great rugby player and, and yourself who’s a he’s obviously given a lot to that rugby community which is so strong in Hong Kong. And, it’s great to see.
Rory Young: Yeah, yeah. And I’m still playing. I’m not I’m not sure how many years I have left in me, but it’s, Yeah. No, I’ve, I’ve played for 25 years consecutively or something like this now. So something that’s always going to be part of my life.
Paul Jackson: I think I’ve played many more years than that. So you’ve got a few more to go. All right. So let’s go. Let’s, start at the very beginning, you know, because, the insurance industry is often a little bit misunderstood. So let’s start with some of the basics, right? The difference between a broker and a carrier. I mean, it may seem obvious to you obviously yourself, but to many, what are the key differences?
Rory Young: Yeah, absolutely. I think the best way to look at this is, is, analogy that maybe people are more familiar with. So I tend to basically relate my role as to a real estate agent as a broker. So if you think that you’re a first time buyer of a house or you’re looking to move house, you’re not going to do that on your own, right?
You’re going to hire basically a real estate agent. They’re acting as intermediary. They’re listening to what you want, where you want to live, what size a house needs to be, and the house you can probably look at as the policy, the coverage that you’re looking to get access to. You’re giving a very broad understanding as to what specifications you want, what risks that you have, exposures you may be concerned with, and basically my role as that real estate agent, that real estate broker, is to give you advice as to which builder and what house that use actually suits your organization.
What’s the best price? What are you looking for? What are the specifications. And that’s really kind of the key, the key roles in the insurance industry that house in that builder that they insure, they’re the product. They’re the ones that actually materially the thing that you’re buying and me as the role of the broker, we’re here to give you that expert advice.
It’s how you what makes sense, what’s right for you. Is there a better deal on the table? Can I move next year all these types of questions. And so that’s probably the best way to understand it.
Paul Jackson: I would say that’s a great analogy. Thank you. But obviously the market has evolved. There’s a lot of competition out there. So much you know as a company you offer value adds don’t you really to your to your clients, that goes above and beyond finding the right insurance product or solution for, for them.
Rory Young: I think it’s difficult as a broker now to operate in a way in which you’re just solely relying on price and a product and seeking out a solution from insurers. I think, you know, the insurers pride themselves on basically giving the same quotations and pricing to any broker. So, Marsh, yeah, we are the largest, you know, insurance broker in the world. But if you had, you know, a local broker or smaller broker that you dealt with, actually you get the same quotes from the big insurers that you would get the same from us.
And so, how we differentiate ourselves, is very much, I would say, the process in, in how you go about buying cyber insurance. We have, you know, a number of tools that help you actually understand how good you are at cyber risk. It starts with a self-assessment tool that we have. We put a lot of work and effort in understanding basically what the insurers focus on for their underwriting, and giving you an insight as to what the outcome will be before you even go to the market.
And this is a tool that, you know, over a number of years it’s been developed and, you know, tens of thousands of clients that use this. And that’s really gives us a head start on a bit of a differentiator amongst our competitors by giving clients that kind of insight. And we couple that self-assessment with some of the analytics surrounding loss quantification as well.
So if you think most clients that we deal with, especially in Asia where cyber insurance, although is a growing solution, is still, you know, purchased by not that many organizations or businesses compared to other lines of insurance. The questions that they ask is, okay, well, how am I at risk? What is my risk? And we can kind of sit there and say, okay, well, we have this self-assessment tool. You go through this process, we’re going to give you a really good insight as to how strong you are. This framework give you a score. We’re going to give you a traffic light as to these 12 key controls that we know the insurers focus on, we know that you can have a good outcome, a bad outcome.
We know areas that we can advise you to improve, and that’s going to have a positive impact on your perception from the insurers before we even actually having these conversations. And like I said, we then can use that data to kind of give you a rough idea from a loss perspective, how big the issue you have when it comes to cyber risk.
So is it a $5 million problem or is it a $50 million problem? And everything in between from an average loss amount to a really catastrophic, you know, 1 in 500 year event? And so that kind of process that we have and how we kind of deal with clients, I think is our differentiator. It’s, yes, you want to get the best quote, but really where they’re giving you advice as to how to improve the quote, how to get the best from the market and how much limit you should be buying, and really kind of embedding ourselves, I would say with your enterprise risk management strategy.
Paul Jackson: Right? So I mean, this is really well explained. And when you talk about, cyber insurance, you mentioned that it’s, it’s not, as much uptake in cyber insurance compared to other more traditional lines of insurance. Are you seeing that change in our region? Are you seeing an uptick. Is it static? Is it dropping? I mean, what’s the what’s the current situation regarding the Asia-Pacific region for cyber insurance?
Rory Young: Yeah, that’s there’s definitely an uptick. And I you know, to give you maybe an anecdote and then I can give you some stats. But I remember even when I first moved here in 2018, lots of the conversations I was having with clients around it. Okay. Well, what literally is the policy? What does it do? How does the coverage actually work?
And I think since then you fast forward, you know, now seven years. And actually the questions that clients are now asking is, okay, well how can I improve my coverage and is the limit appropriate for me. And it’s a lot more technical. And so my observation just over that period is has definitely changed. And that that means that in general the actual buying communities is, is grown a lot.
From a statistics perspective, I know that Swiss Re did a study a couple of years ago, and I think they cited that the actual premiums that were being placed in Asia were growing around 30 to 32% year on year. From, you know, the mid 2000, 2010’s to 2022. And so that’s massive growth compared to some of the other areas of insurance that you might think about.
And I know the S&P, I think last year they were speaking about APAC as a region, being kind of the fastest growing market for cyber insurance globally. It still makes up, you know, only around 10%, maybe even less than that. But it is kind of the fastest growing. And we can see, you know, 30% from a growth rate perspective in general compared to other lines of insurance is kind of unheard of.
Paul Jackson: Are there more carriers now entering our market as a result of that growth, or is it the same, same sort of players?
Rory Young: Yeah, there is, there is I think there’s kind of there’s twofold explanation as to an increase in the insurer interest. I think in this part of the world, I think it’s carriers that have been present here or certainly have been operating in Asia. They’re certainly looking to enter into the market a bit more seriously. So they’re the ones upgrading their policy wordings and investing in the underwriting and investing in the claims handlers.
And they’re actually looking to make a bit more of a serious play for market share. And then you are getting brand new insurers. MGAs, smaller insurers that are kind of entering in as well. And so that definitely has led to a position where if you’re an insurance buyer today, you’ve got a pretty good situation where the competition between all these insurers is quite rife.
And as we know, when the capacity and the supply is, you’re going to get a pretty good deal. And that’s what’s happening with most of our clients today.
Paul Jackson: Interesting, interesting. So let’s talk a little a few specifics around cyber insurance and how it works in terms of, we’ll say, you know, they have an incident, right? So, firstly, let’s talk about the, you know, the whole process of what happens. Right? Suddenly they’ve got a data breach. They’re an insured company. What should they be doing? Because when we talk to clients often, they say, oh, well, we don’t really know, but the insurance company will handle it. And, you know, if we get a breach, we’ll just call the insurance company and it’ll be sorted. I mean, that’s kind of a fallacy, isn’t it? Really? And, what do you how are you guiding your clients around this to be better prepared for an incident rather than just saying, hey, I’ve got cyber insurance.
Rory Young: Yeah. No, I, I’ve always sort of sat there and with it and you get a whole range of clients maturity. Right. You get some businesses, you know, have designated cyber security teams and they’re very used to putting together, incident response plans and putting together, you know, their senior management.
And, you know, you sit there and go, actually, the policy won’t be super active in terms of them responding to an incident. It’s going to be designed to kind of pay for all their costs and expenses once they’ve actually, you know, arrange to sort the issue out. And they’ve hired all the expert vendors and the forensic investigators, etc., and then the other end of the spectrum is clients that don’t even have a codified incident response plan.
I would say, you know, cyber policy in some ways can act as a breach response service. It can be built in quite heavily in terms of the response that these clients can have. And now each policy will have a designated breach coach. You will have a number, typically this will be, you know, a law firm or an IT data incident response recovery firm such as THEOS.
And once there’s an incident we really encourage the clients or businesses to get in contact with that individual. And that breach coach will then coordinate, depending on what experience that client is having from an incident perspective, what vendors need to be engaged. So if you’re experiencing a ransomware attack, you’re going to want to understand how that incident occurred.
You’re going to want to, you know, introduce an IT forensic investigation that’s really important. You know, if you were to use the analogy of your house being broken into, the first thing you do is checking if that person is still there and how they’re operating and what they’re stealing, etc. And you’re going to want to understand whether or not, you know, you need to engage a law firm if data has been stolen or do you have notification requirements? Do you need to engage a specialist ransomware negotiator, even if it’s a delay tactic, are you thinking about paying a ransom and the policy will look or look to pay for all of those costs? Like to reimburse the business for those costs. But I think most importantly, it’s about connecting them with those individuals is the policy will have the means for the business to go, okay, I’ll call this number or email this individual, this business and then them that that business there will then help coordinate that response of all these different vendors that maybe, possibly needed for an incident.
And then at the end of all, as the broker is basically getting as much of that reimbursed by the insurance company as possible. So we go from representing an organization with buying an incident occurs, and then really is outsourced service providers that are going to be, you know, assisting you with all these types of loss and costs and potential liabilities you’re experiencing. And then thereafter, we’re getting involved again by saying, okay, let’s take all these invoices, all these costs or these damages that you may have experience, and then we’re going to help you go to the insurer and get that all reimbursed again. And that’s kind of the rough, the rough workings on how a policy will react.
Paul Jackson: So I think one of the biggest gaps that most companies don’t realize is that actually, you still need those legal protections in place, you know, when you have an incident. So a lot of time is wasted, you know, during an incident with signing, you know, those legal contracts with the various vendors such as ourselves, who are obviously incident response providers. And it’s quite frustrating when I see companies that we’ve talked to and said, look, get that out of the way beforehand, that that as part of your incident response planning, get the find the vendors you want to use, get incident response retainers and sign the contracts so that you don’t have to waste time when you when you house is being able to use your analogy or your house is on fire.
And that still message is hard to get through sometimes because they just go, oh, we got cyber insurance and they’ll take care of it.
Rory Young: Yeah, it’s honestly a quite a big concern of mine is, you know, we’re getting through the stage. We’re talking about this growth of the cyber insurance market and more clients are buying. And we’re seeing this trend. And it’s not going to go it’s not going to change. I don’t believe. And a concern is, you know, a client buys cyber insurance expecting them, as you mentioned, to perform this role automatically. But they’re not doing their homework and they’re not doing the crisis preparedness. They’re not doing any simulations. They’re not engaging their senior management. How ultimately we are making these decisions. And then the policy doesn’t work as to how they think it would. And so, you know, we emphasize that with any policy that we’re helping a client purchase, we’re at least doing some sort of onboarding with the insurance claims team. Typically, you know, the breach coach will be involved in that process.
And then also, you know, we do also have, you know, cyber risk advisory consulting capabilities that run these crisis simulation. I know that, yes, lots of companies will be doing this. And once that actually occur then, you know, we’re comfortable with that. We know the policy will react because the client’s going to be using it well. So yeah.
Paul Jackson: So the other issue is around deductibles because you know, those are becoming increasingly larger. And to my understanding anyway. And you know, when we managed incidents, yes, there’s always been major incidents which are going to cost huge amounts of money, which then the cyber insurance is important. But a lot of incidents we find if we react quickly, we can actually put the fire out. To use the analogy again within the cost of the deductible so it wouldn’t even touch the insurance. How are you guiding your companies in terms of having a plan B, if you like, for incidents that fall below the, I’m using the right terminology on the right
Rory Young: Spot on. Absolutely. Deductible self-insurance. And it turns out yeah, it’s actually it’s a good point Paul, because what we’re actually seeing now a bit more of a trend for insurers to be offering those types of costs for free within certain time frames.
So, you know, there’s quite a few insurers now that as part of a standard quotation or policy, they’ll say, okay, well, the first 72 hours, 108 hours of an incident, that any of the costs that you may spend through, you know, an IT forensic firm or law firm, the insurer is just going to wear themselves so you don’t have to worry about kind of breaching that retention level.
And you know, and it’s they’ve got vested interests. They know that if you’re a business and you’ve got $1 million worth of retention, you might be concerned about picking up the phone and engaging someone. And then actually it doesn’t breach retention and then you’re on the hook for those costs. So the insurers sit there and they go, actually, we’re incentivized to make sure that clients are using the policy or engaging these vendors because the more help they get in that mitigation in those early stages, and the more the less likely is going to be a big claim or a liability at the end of it.
So you are seeing that trend to be a lot more common these days, and it’s a massive benefit to clients, right? You know, you’re not having to worry about a retention or a deductible. And you know, you can get access to at least free advice for a certain time frame if that law firm is an incident response. Forensic firm, whatever it may be, which is which is positive.
Paul Jackson: Okay, again, that’s good to know. So what are the what are the things? So say you’re a new purchaser now for cyber insurance and you’re listening to this, episode and you’re going, well, I’m hearing all these sort of stories, anecdotal online about, well, I had cyber insurance, but it was identified as a nation state or something, and therefore there’s a gotcha and they’re not covering me anymore. Or, you know what? What are the kind of things I mean, is that true, for starters? And what other kind of things should, should new purchasers of cyber insurance be looking out for there’s gotchas?
Rory Young: Of course, I’d love to sit here and say that there’s no gotchas. And, but, you know, a good broker always helps, Paul, in this situation. Right? But, yeah, this is an interesting one. You know, the state backed, you know, war type exclusion. That was an interesting one when it, when it sort of first came out because there’s a lot of attention, a lot of press that was sort of saying, well, if it relates to a nation state, causing a cyber incident and cyber policies won’t react.
And it’s not it’s not true to begin with. And I think a lot of that related to the market was trying to find its feet to define what actually a war like acts under a policy could be like. So, you know, this is off the back of, you know, the war in Ukraine and from, Ukraine and Russia.
And all the insurers were concerned that that situation, commercial businesses in Ukraine, we’re going to get caught up in the crossfire of a military action. And so it was quickly determined that that type of loss just simply was not sustainable to be insured by the capital markets of the cyber insurance world. And what there was determined is that, you know, certain thresholds have to be kind of met in order for that definition of war to be breached. It has to be a physical war being use. It has to be breaching a certain threshold of severity. So we’re talking about the whole nation state being shut down in terms of its infrastructure, hospitals, financial institutions, for it to kind of be falling into the category of a war like acts. But in reality, all of this state espionage, all of those kind of, you know, state backed attacks that we are seeing clients face from, you know, a commercial perspective. They’ve always been covered. And I’ve never seen any issue from an insurer’s point of view or from a client point of view with those, you know, suspicious links to a certain country having an issue being claimed. As long as it doesn’t basically relate to a genuine tanks running across the ground or infantry fighting a military battle, the actual espionage side, it can be covert.
But to your to your point, I think, yeah, there’s a few things like ransomware we spoke about a little bit. It is a prevalent claim that we see today still makes up, I would say, the lion’s share of the claims that we witness. And it used to be coverage that was hard to get. You know, the market 2 or 3 years ago went through quite a big change in the way in which insurers expected minimum controls to be in place for clients, even qualify for insurance.
And if you didn’t get to that minimum requirement or that minimum standard, then restrictions in relation to ransomware would be in place. So co-insurance or supplements. If you ever read those words or hear about a broker talking about those, that’s basically bad; it’s limiting you getting access to what could be full policy limit or you gain full access to your coverage.
And that may still exist in some policies. If insurers are looking to get away with keeping their kind of exposure in relation to that loss managed, from a global perspective, and actually in reality today it should be pretty standard coverage. The other things as well, I guess to, to kind of keep an eye out, relate to, common vulnerability, timelines and patching. So some insurers will say, you know, a as severe critical, you know, CVE that is 9.0 and above, it has to be fixed within 15 days. And if it’s not then that will impact you gain coverage. And that’s something to just be aware of as a new time buyer. And the same goes for end of life software. Some insurers may say, you know, unsupported software is not included. Or they might say, you know, if end of life software, you’re not doing anything about it. After 90 days when the vendor stopped supporting it, then that could cause an issue. That’s certainly something to keep, to keep an eye on. And the other one would be just potentially an infrastructure failure. So there’s some insurers now that are defining a kind of major cloud service interruption or outage as a definition that they would look to potentially add restrictions into their policies as well. So if they were saying, you know, if Amazon Web Services (AWS) was to go down for longer than 72 hours, then we would only pay 50% of the business interruption you would experience thereafter. So those are kind of I would say the major points.
Paul Jackson: Okay, all very interesting points there. What about ransomware? So you touched on it just briefly. There are insurers still covering the cost of the ransomware. I mean, and are there any again, exclusions as to that, that kind of coverage?
Rory Young: Yes, it’s definitely, definitely got friendlier. So I spoke about this friendlier market condition that we that we’re currently in. It’s insurers are definitely covering ransom. And as you’ll be aware, Paul, there’s kind of two major sections to a ransomware claim, right.
There’s cost to fix. It mitigates it remediated so it can navigate to restore backups. All those types of costs. There’s never going to be any argument from insurers point of view as to that being covered under the policy. And then the second part of the insurance relates to the actual payment of the ransom itself. And, you know, in Asia or certainly in Hong Kong, there is, coverage for this. So we don’t witness or we don’t see that necessarily as a super common coverage that is paid. Because actually, most of the claims we see all fixed or circumnavigated or mitigated through the cost that you spend through a data forensic investigation or other cyber specialists, extortion specialist, etc. That being said, if a business turned around and had no choice and they had no backups and their business was failing and they were suffering, you know, business interruption costs on a day and day basis, and it was decided, agreed by all parties, including the insurer.
Absolutely. The ransom could be paid as well. And we have had clients pay quite significant ransoms in relation to that. It’s just not that rare. Sorry, it’s not that common. It’s quite rare.
Paul Jackson: Okay, so what’s the off the top of your head? What’s the biggest ransom that you’ve seen paid?
Rory Young: I think in Asia we’ve seen the, you know, 5 to 6 million USD paid.
I know elsewhere in the world is, you know, certainly double digits high ten. There’s 20 mils in ransom being paid.
Paul Jackson: Pretty punchy.
Rory Young: Certainly is.
Paul Jackson: Yeah, but I think, again, you made the point briefly earlier and certainly coming at it from an incident response provider perspective, negotiating with the, with the, you know, with the, the threat actors is actually quite an important component of the investigation because, it delays things. It gives you breathing time. It allows us time to investigate. It allows us time to fix things without needing the payment. But it has to be done in a professional way. And again, that comes back to the incident response planning, right, that you need to have the kind of connections with those professional negotiators who are able to convincingly communicate with the threat actors and, you know, facilitate that delay, which again, you know, is beneficial to the, to the victim.
Rory Young: Yeah, I totally agree. And I think it’s funny, we, you know, most businesses that we speak with, they’ll have some sort of policy or agreement in reaction to dealing with ransomware. And they will say to us, you know, we have an absolute certain not paying a ransom policy. And that’s what we say. But when push comes to shove, we’ve seen the same businesses turn around and be the quickest to actually try and get the ransom paid directly. And then it takes us as the broker, and certainly, you know, a company like yourselves, to actually go, okay, well, let’s actually approach this logically, enter into this sort of negotiation stage, even if it’s purely to delay. Let’s get the proof of concept for the data that they say they hold on you. Let’s see actually if they are, you know, legitimate companies in an accident and go through that process.
So I don’t think many organizations as you might think something and you might, you know, have a certain policy in place. But really until, you know, you are faced with it, your business is being interrupted and your back’s against the wall, do you really kind of understand how much help do you need? And you are going to need that help, really?
Paul Jackson: Definitely. So, one last question for you around the insurance side of things, and switching things around really, because obviously as a, as a buyer of insurance, you want to make sure that you trust your carrier and that they are properly, you know, walking the walk, so to speak. And I know the, the Insurance Authority in Hong Kong, which is obviously where we’re both based, has brought out another update to their GL20 recently, which applies to the insurance industry and their cyber security standards. Do you want to just briefly elaborate on what that means for the insurance carriers?
Rory Young: Yeah, absolutely. I think the long and short of it is that the insurers that are authorized in Hong Kong are being made to align themselves much more closely with the other financial institutions in how they operate under the HKMA, which kind of makes sense, right?
If you think about the way in which they operate and the premiums and money etc. is involved, but the insurers, at the end of last year, they’ve basically been asked to commit to inherent maturity assessments and risk assessments, and they’re submitting it now to the IA. And basically this agreed risk, inherent risk that they face, there’ll be certain obligations that these insurers will need to kind of jump through in terms of satisfying their cyber security maturity. And that could be anything from only having to do yearly assessments internally to external audits to, you know, actual threat-based simulation attacks. But it’s, you know, it’s a positive step. I think lots of the insurers from our, you know, my perspective, they’re looking to grow their market share in cyber insurance. Yet they haven’t necessarily had to abide by, like you said, any of the regulations or abide by these standards, as it were, themselves.
And so it’s always a positive step that the insurance industry, the Insurance Authority is taking and, you know, it’s funny, we’re now getting quite a few inquiries from local insurers and reinsurers in Hong Kong to talk about cyber insurance for the first time. So I think the biggest shift has been, you know, these insurers are now having to put their own frameworks together and their own governance.
They’re concerned about the incident response and recovery. They know that cyber insurance can help with those costs. All the compliance and reporting that didn’t exist before, they’re now facing that type of risk. And so they’re coming to us and we’re kind of helping them actually buy a product essentially for the first time.
Paul Jackson: Well, I think that’s probably going to give a lot of comfort to the chief information security officers, who have to go through all the pain of providing all the information to get cyber insurance, to now know that they are feeling the same sort of pain, the other side of the table. So that’s all good, right? Oh, good. And all right. So look, and if anyone listening wants to know more about cyber insurance market, there’s no better person to talk to than Rory. And I’m sure you’d be very open to having chats with anybody who’s listening. And, you know, you’d welcome any outreach to, to explain more in more depth about any concerns that anybody may have about obtaining or getting better deals on cyber insurance.
Rory Young: Absolutely.
Paul Jackson: I always close these, these podcasts with a question. And it’s around music because I always love to know what the, the experts I get on this show are actually listening to, because it’s my way of unwinding. I’m a big vinyl. I’m an old guy. Right. So I love vinyl records, and it’s my way of, sort of relaxing from what is a very stressful sort of job that we have. And I always like to know what my guests are listening to currently. What are you listening to, Rory?
Rory Young: I’m listening to lots of London Grammar at the moment, so I don’t know, they’re just they’re really ticking the box in terms of certainly on the commute on the way to work is a bit deeper, a bit more. So, they’ve got a few songs, you know, punchier, but certainly I just, I love that kind of female vocal over a bit of chord. And that’s really kind of like, yeah, satisfy my I’m using these at the moment.
Paul Jackson: Really? And I’ve been listening to London Grammar as well. So that took me by surprise. I was expecting you to be a kind of Jay-Z man or something like that. There you go. Look, it’s been a real pleasure having you on the show. And thank you so much for taking the time to explain about the insurance ecosystem, which I know is a huge challenge for many of our listeners out there. Thank you very much.
Rory Young: Thank you, Paul, thank you.
Paul Jackson: So, THEOS Cybernova was presented by myself, Paul Jackson. The studio engineer and editor was Roy D’Monte. The executive producer was myself and Ian Carless. And this podcast is a co-production between THEOS Cyber and W4 Podcast Studio.
The THEOS Cybernova podcast.

Episode Summary
When a cyber incident occurs, can your cyber insurance policy come to the rescue? In this episode of THEOS Cybernova, host Paul Jackson chats with Rory Young, Marsh Hong Kong Cyber Practice Leader, to uncover the realities of cyber insurance.
They discuss the differences between brokers and insurance carriers, highlight common oversights in the fine print, and explain why having a policy doesn’t guarantee full coverage.
In addition, Rory shares insights on the role of cyber insurance in incident response, financial protection, and business resilience. From navigating policy exclusions to strengthening cyber resilience before an attack, he also unveils expert advice on the key considerations in securing cyber insurance.
Tune in to learn how cyber insurance really works and how to maximize your coverage!