Brent J. Arnold
Partner
On-demand webinar
JP WILSON: Good morning, everyone. This is JP Wilson. I'm the organizer of what, I think, is going to be a very interesting, practical, and commercial-oriented, high-level discussion of trends in the Canadian cyber insurance market, looking down south to the US as to a pretty shot-across-the-bow, claims-related case from last year. I'm also the CEO of GCRA Corp.
If anybody has any questions, you will not be able to talk to yourselves or amongst yourselves. You will only be able to talk to the panel. If anybody has any questions after this event after you confer and discuss internally, you can reach me at jpwilson@gcracorp.com.
A few housekeeping. You will be on mute the entire time. You cannot unmute that because we have 30 minutes plus 15-minute Q&A. We may even run over. We apologize for the late start. We were having technical issues here in New York. I hope everybody can hear me. In addition to not being able to talk amongst yourselves, but only being able to talk--
BRENT ARNOLD: By placing questions in the Q&A.
JP WILSON: Yeah, by placing questions, thank you, into the Q&A. Thank you, Brent. I got distracted by a message that just popped up. Our video, also, is not working as part of the technical issues that we've been throwing our fist at our systems. So if you need to see what the very graceful Miss Hirschorn looks like, please look her up on LinkedIn. I'm just a mug. You can also look at my mug shot on LinkedIn.
But let's move forward. Before I introduce everyone on the panel, I want everybody to understand that this is not going to be-- although they have their place-- a talking heads event. We encourage you to send questions again either during or after this virtual fireside chat.
Because in the end, what we're going to try to achieve is to show, at least in the Canadian market, how good faith, goodwill, with everybody incented by their own interests, SMEs and enterprises on one side coming in for new coverage or to renew their existing coverage, and on the broker and carrier side, what they are doing to lower their future claims risk, we can meet in the middle literally during a session, a negotiation session at a virtual conference room.
If both sides come together, we believe one of the major takeaways from this event will be, it is not simply hoovering premiums and denying claims left, right, and center. It is working together to ensure that insured gets covered, gets the coverage that they anticipate and are paying for, and the insurers are properly protected as a business.
Let's go around the room, starting with our good moderator from Gowling, Brent. And then we'll move on to Roger Hakala from BFL, Canada, Pauline from BFL, Canada. I'm not going to try to pronounce up your name, Pauline, so you can say it. And then Avi Mali from Zurich, Canada.
BRENT ARNOLD: Thanks, JP. Thanks. My name is Brent Arnold. I'm a partner in the Toronto office of Gowling WLG, where I practice as a trial and appellate litigator and data breach coach in the world of cybersecurity.
ROGER HAKALA: I'm Roger Hakala, a national practice leader of financial and professional services at BFL, Canada, located in the Toronto office.
PAULINE GARDIKIOTIS: Good morning. I'm Pauline Gardikiotis. I'm the vice president of claims for the western region of Canada, located in Vancouver. I lead our claims team in Western Canada. And I'm also a practicing lawyer.
AVI MALI: Hi, everyone. I'm Avi Mali, underwriting specialist for Zurich, Canada, cyber and professional lines, based in Toronto.
DEBORAH HIRSCHORN: Good morning, everyone. Deborah Hirschorn. I'm the managing director for the US cyber and tech E&O claims. And we are partners with BFL, from Lockton of course. Sorry, forgot to mention that, the most important part.
JP WILSON: Brent, I think it's up to you now.
BRENT ARNOLD: All right. Let's kick it off. And I'll talk fast because we started late. Thank you, everyone, for joining. What occasions the discussion is an interesting case, as JP said, out of the United States, interesting, and perhaps, somewhat alarming for insurers and potential insurers looking to get coverage for cybersecurity issues. The case is Travelers and International Control Services, Inc.
And just by way of quick background, ICS is a tech company that experienced a ransomware attack in May, 2023. It had a cyber policy from Travelers. And Travelers was brought into the loop to respond to and investigate the circumstances of the breach, and in the course of this, discovered that while ICS had claimed to have multi-factor authentication and had indicated this on their application, they didn't have MFA installed for everything across all aspects of their platform.
And this is alleged to have allowed the attack to be facilitated. As a consequence, Travelers started an action which resulted in what in Canada we would call a consent judgment, alleging material misrepresentation on that application by ICS with respect to the multi-factor authentication. So the order was issued, again, on a consent basis on the basis of those allegations.
And the policy was thus declared void from inception. The legal effect of that, of course, is that it meant the coverage never existed. It's as though the policy had never been applied for, which, of course, when it happens to an insurer, it leaves the insured to respond to the situation and absorb the costs themselves.
So, a few different issues come out of this. What is a material misrepresentation, and what does it look like? And what are the potential outcomes or consequences when such a misstep is alleged or indeed found to have occurred? So, I want to start with our US panelist, Deborah. Tell us about the effect that this decision has had in the US.
DEBORAH HIRSCHORN: So, this decision has really emboldened some carriers, not all, to really look at the MFA issues a bit more closely. And what does that mean? It means that when a ransomware matter comes in as a claim, the carrier is really focusing on the MFA piece. So, questions will be asked of the client on initial calls. Did you have MFA in place?
So, it essentially seems like some of the carriers are underwriting the file again. And they will look back to the application to make sure that the answers that the client is giving them on the call matches that application, which just wasn't done prior to this particular case. So, this case has really brought the application and MFA to the front of the carriers' minds.
BRENT ARNOLD: Right. Let's talk about the Canadian market then. And I'm going to start with you, Avi. Well, first of all, are cyber Canadian insurers looking at this end? And if so, how are they looking at it?
AVI MALI: So, Canadian cyber insurance experienced pretty high claims volume in 2020, 2021, in mostly ransomware. So as a result, the underwriting and application process is a lot more detailed and extensive. Just as Deborah was saying, we want to ensure that we're providing coverage to clients who really understand their cyber risk and how to manage it.
Insurers now have minimum control requirements in order to provide coverage. Some insurers even have these as conditions built into the policy. And the representation of those controls materially impacts the terms, including the limits we're comfortable putting up, the retention, and the premium charged.
So for example, the MFA example, if say, a policyholder stated that they have MFA in place on 100% of endpoints. But then after an incident, we find out that it's closer to 30%, as insurers, we would need to prove that if we had known, the policy terms would have changed.
So, we have a few options here that once we determine if there is a misrepresentation, one would be terminating the policy. In this case, the policy would be canceled, going forward. But the claim could be still handled. Another could be denying the claim. But in this case, you'd have to prove that there was fraudulent activities involved, adjusting the premium, excusing the misrepresentation.
And the last resort being rescission, meaning that, as you mentioned, any prior claim would not be covered. And it's treated as if it's never existed. This is definitely the most difficult route. It can lead to litigation, many parties involved. It's not the preferred route for insurers either, which is why we say, full transparency in the application process is critical, whether on the application form or during a call, as we anticipate that all parties are acting in good faith here.
BRENT ARNOLD: Thank you for that. And it's worth noting that this will be of no surprise to Canadian viewers. Somewhat remarkable if you don't litigate it in the US is the fact that the case went from claim to judgment in a matter of months. That never happens in Canada. So, if you're looking at litigation here, my insurance colleagues are smiling because this has been their experience, too. If you're litigating in Canada, you can expect a protracted fight if only because of the way that our courts' scheduling works. So, it's not something that's going to be resolved for either side quickly.
If you don't mind, Avi, can you give us a little more insight into the kinds of controls that insurers are looking for? I mean, multifactor authentication identification is probably the one that most people will have heard about. But what else are insurers looking for?
AVI MALI: Sure. So, there's a few tools where we can manage, so on the endpoint detection tool, for example, multifactor authentication, but also responding and being able to recover from an incident. So, having a proper incident response plan in place with roles and responsibilities established and being able to know how to remediate an incident when it does occur is definitely really important as well.
BRENT ARNOLD: Right. Thank you. Let's look at this from the brokers' perspective. Roger, how are brokers advising clients in light of this? Has it made a difference yet? Or do you anticipate it will if it hasn't?
ROGER HAKALA: Brent, I think that the concerns were already there previously with a lot of the brokers. And what we advise our clients even before this was front-page news, the key thing is, always looking for accuracy and applications that are being completed. What this has allowed a lot of us to do, though, is really push harder for our clients to actually understand what the severity and the impact is if they don't actually complete the application appropriately.
Where we do find some of these items, where there's a difference, though, as far as the way that the market's approached them, some insurers have taken an approach where they said, if you don't have multifactor authentication, they've got a warranty that they put on all policies, regardless of how the application is actually completed.
What we do find, though, is that the smaller organizations, when you get into those SMEs or SMEs, depending on how you characterize them, it really is that discussion that's got to take place from our perspective with the client to guide them through that application process and make sure that they really do understand what they are putting on that application and making sure that the right people are actually involved in that process from their perspective.
Our job is to make sure there's a higher level of awareness with our clients to be able to go through that, also, understanding and being able to explain credibly what the differences are in the terms and conditions that we're being provided by the various insurers as well. So, we want to avoid the pitfalls in the event of an actual claim happening.
So, it's really just how you have to think about bundling the entire discussion up with the client to be able to have that. And just because it's a larger client doesn't mean that they necessarily are sophisticated enough to actually have all the adequate controls in place as well.
BRENT ARNOLD: Interesting. And is this a more involved process or a more involved discussion from the brokers' perspective with the customer than it is for other kinds of business coverage?
ROGER HAKALA: Absolutely. It's become a lot more technical. Having somebody on board that's able to be more of that risk advisor as far as giving guidance through the process of everything from the application to helping our clients become more cyber ready or cyber resilient in advance of having a claim, and just in order to purchase the coverage now with where the market is at, is something that has to be done. So, the prework has to be done just on the front end to be able to make sure that the coverage can actually be secured in the market more often than not now.
BRENT ARNOLD: Right. And if I can ask, who do you want to see, who do you like to see, at the table on the customer side on these discussions? I mean, my own experience has been, you have the person responsible for procuring insurance. There is sometimes a disconnect between them and other parts of the organization. And this strikes me as a kind of coverage where you need a much more integrated approach on the customer side to make sure they get it right.
ROGER HAKALA: Absolutely. In best-case scenario, there's a CISO that can actually be at the table that can be involved in the application process. We put them on a call with the insurer as well to be able to have that conversation. A lot of the times, what happens is, now within a lot of the insurer side, they've got the technical experts as well. So, it's not just the frontline underwriter who's involved in that conversation.
So, between the CISO and their technical team on the insurer side, that makes a big difference as far as where the conversation goes. If it's not a formal CISO that you've actually got, then part of it is, who else is in a role that actually has that kind of oversight over what's happening on the IT side. And if it's an outsourced party who's managing the majority of those services, get them as part of that conversation as well.
BRENT ARNOLD: Right.
DEBORAH HIRSCHORN: And also, [INAUDIBLE] I just like to add, it's not just the CISO. If you're a private equity firm, and let's say, you have 48 portcos, those folks need to be involved as well. That's one of the issues that we've been seeing is, you have one CISO for, maybe, the parent, the PE firm, who fills out that MFA questionnaire for all the portcos. And then you find, lo and behold, down the line that there is an MFA issue. Those folks need to be involved as well. It's almost as if you were writing them separately. They need to be part of that discussion.
JP WILSON: And I take it, Deborah, when you say a portco, you mean a portfolio company.
DEBORAH HIRSCHORN: That's correct.
JP WILSON: OK. Sorry. It's for those that are not deep in the lingo. I would also add that what Deborah just noted is something that is a gnarly issue for everyone, particularly being able to do it at scale. But third-party risk management is increasingly on a daily basis, becoming a thorn in everyone's side, not only of mission critical, but also secondary and tertiary. And then every one of them has their own third party.
It is my understanding, I think the last quote that I saw, in excess of 60% of hacks are done through weak third parties. And it can get incredibly serious. I know of an admin in 2020, a US admin, who had a third party that did real-time P&L that had information stolen from two of their largest clients that were simply looking two of the largest hedge funds. And so, TPRM is quickly becoming something that you have to get your hands around if you're a company, even if you are a SMB $15-million annual revenue, $50-million, whatever the story is.
And lastly, I would note-- sorry for interrupting, or injecting, but I think it's important-- for enterprise that have their own third parties, I think it's quickly going to become a fold-in. Even if they're not a portfolio company, it's going to be part of the consideration as to whether to extend coverage, and on what terms, what's the premium, what are the limits and other terms.
BRENT ARNOLD: Absolutely, absolutely. And yeah, I can tell you anecdotally the breaches that I've dealt with in the last year, half of them-- it's a lower number than the statistics, but it's still a high number as far as I'm concerned-- were incidents where the attack vector is some vendor providing backend platform support of one kind or another. So, it's a nightmare. It's a nightmare from a privacy compliance perspective, for that matter, too, because you're required to pass those obligations down the line to the third-party vendors. And I don't see enough discipline on that.
But focusing back on that communication within the company-- and you talked about the communication within the portfolio companies that's crucial-- but I've seen this fall down even in a much smaller setting where it's a single entity. I've seen incidents where part of the risk management or whoever procures the insurance, the IT group and group responsible internally for security doesn't know about it, security has put plans in place, incident response plans, for instance, that result in things like, they hire a different vendor to deal with the forensics.
They retain a different law firm, and then later on, find out they've put themselves offside the terms of the policy because the people that got the insurance didn't talk to the people who were devising the incident response plans. And so, when the response happened, they were not at the same table, were coordinated, and they didn't have the same information.
So, you can end up putting yourself off your coverage pretty quickly if you don't make sure that your response takes stock of what the coverage says. And really-- I suspect no one on this call will disagree with me-- the first step in your incident response plan might possibly be, should probably be, making sure that you're aware of what your insurance policy requires you to do.
So, we went down a bit of a rabbit hole there, but it's a productive rabbit hole. I want to make sure that we finish the overall discussion of how different parts of the insurance world are viewing this decision, this Travelers case. So, Pauline, I'd like to throw it over to you. From a claims perspective, is this something that's worked its way through yet? And if not, what do you anticipate seeing?
PAULINE GARDIKIOTIS: Thanks, Brent. So far, we have not seen it work its way through to the extent that it did down in the US. It's not uncommon in Canada to have a bit of lag in terms of trends that we're seeing in the US. And from speaking to Deborah previously, I understand they're seeing it more and more frequently. We haven't seen that. But that's not to say, it won't happen.
As Avi said, I would anticipate Canadian insurers would be much more reluctant to go the path of rescission because of the fact that there's a very high legal standard that has to be met. It's not a very popular move. And it's considered sort of an extraordinary draconian remedy in the contract world. I would say that from the claims experience in Canada, typically, a misrepresentation or an error in the application isn't discovered until a claim arises. And at that point, it's far too late.
So, what we normally see when a claim arises is, there's some sort of cyber event that results in a loss to the company. The insurer investigates to determine how the loss was caused. And then there's the opportunity, as Avi said, to go back and look at what information was presented to the insurer at the time that the policy was placed. What did the application say was in place in terms of controls or mitigation to prevent those kinds of losses? And that's where the discussion about a misrepresentation would come up and be identified.
So, at that point, you're already into a claim. So, you're reacting. And there's various paths that the insurer can take, which Avi laid out. But unfortunately, the company is now facing a double whammy. Now you have a situation where you've been the victim of a cyber event, and you're dealing with the financial cost of that attack. And then on the flip side, your claim is in jeopardy. So, it could be anything from a denial to avoiding or to a rescission.
But the reality for the company that's been hit is, now they're facing that double whammy. They're uninsured. And they've got all of these costs that they now face and have to pay for directly, so recovery costs, bringing in legal advisors, if there's a privacy breach, the forensics team to determine what happened and help repair it, technical assistance.
You're facing downtime if your systems are locked down. And then if it's a ransomware claim, you're facing the whole specter of paying a ransom or negotiating it. And then if sensitive information has been taken, you're looking at those notification costs. So, it's not a good place to be in. It's a reactive place to be in.
And although we haven't seen the trend hit Canada, as JP mentioned, the shot-across-the-bow approach, I don't think it's something that may never happen. I think we have to be prepared for it. And I think that insurers could still deny a claim because of a misrepresentation or an inaccuracy or an omission in that original application, and then you're left holding the bag.
BRENT ARNOLD: We've been talking about this, which I appreciate, from the insured's perspective. It crosses my mind that this also creates enormous problems for the insurer because for a product where we started off, and when it hit the market without the sort of actuarial data that you would have to allow you to anticipate risk, anticipate your payouts, we're now in an environment where if you're having to rely on the accuracy of the data provided, and we're discovering that there may be significant instances where it's not accurate, it's hard for the insurance companies to figure out what they're-- to anticipate their risks, again, I would think.
Because if they're forecasting on the basis that all of their insureds, I know it's not like this, but all of their insured have multi-factor authentication at exactly the level you'd want, and it turns out that's not the case, it must make it hard for you to do business.
PAULINE GARDIKIOTIS: Well, I live in the claims world, so that's probably a better question for Roger or Avi. But I would say that from what I've seen, the trends that Roger mentioned in terms of, you have to have that guidance, that informed, educated guidance when you're approaching this insurance, it's not an off-the-shelf insurance. It's very specific. And it's very hard for the companies to ignore it, I think, at this stage with all the events that we've seen in the last few years and the increasing reliance on technology and the increasing innovation in technology.
BRENT ARNOLD: Absolutely.
ROGER HAKALA: And if I can add to that, I think the one thing that you've got to realize is that it's industry-agnostic as far as who's a target. The hackers only have to get it right once. You've got to be right 100% of the time in protecting yourself. And that's not just-- cyber insurance should really be the fallback position. It's more a matter of what are you doing internally from your own controls to try to protect yourself from the front line exposure that you've actually got.
The big challenge is matching up who the right insurer is for the right client in the event that they don't have all of the adequate controls, or how quickly can you actually get them up to the right level that insurers are wanting to see. So, it's bridging that gap to make sure that they are going to be somewhat cyber-ready when they do have an incident.
And it's not necessarily mapping out the entire incident response plan and everything else. But these are simple things where, have you even turned on multi-factor authentication. It's a function that's there. Are you using it or not? And how difficult is it to actually do that? So, some of the basic things that actually happen through the process are what this can actually-- how the insured should be thinking about it. But they're not necessarily thinking that way until it's brought to their attention that they should be a lot more aware.
Surprisingly, though, in other companies, then you'll look at it, and the c-suite is the one driving the cyber purchase and the exposure around it and wanting to make sure that-- and this is whether it's a private company, public company, doesn't matter. But they are the one who is driving that discussion a lot of the time saying, let's make sure we don't want to be the one that's front-page news in the event of having an issue.
BRENT ARNOLD: Absolutely. So, we're going to save some time at the end here for questions from the audience. I have one that's come in. But I want to make sure that we end the formal part of this program with the discussion to allow people to leave feeling armed and assisted on this. For the road ahead, what should organizations looking at procuring or maintaining their cyber coverage be looking to doing? What are the best practices? What does the gold standard look like?
AVI MALI: I can go first on that, please. So, Roger mentioned this earlier as well that, spend time on the application, have a CISO involved in that process, so just asking the right people internally for assistance. The risk manager should not be filling out these applications. It may not even just be one person from IT Security. CISO might have to go through these questions with multiple people within the IT security team as well.
And then I'd also say, ongoing communication with the insurer and the brokerage as well. Insurers are always open to scheduling calls to discuss cyber risk in detail and keeping us informed of any significant change in cyber risk landscape, for example, major system upgrades, acquisitions, new business ventures. I mean, organizations are constantly updating their software, hardware, service providers, and practices. And there's a higher need for communicating all that with the insurance and the brokerages.
BRENT ARNOLD: Absolutely. Anyone else want to weigh in on that?
PAULINE GARDIKIOTIS: Sorry. Go ahead, Roger. And I'll go after you.
ROGER HAKALA: All right. I'll just add my two cents. I think the one thing that, as a client, they've got to be thinking about the time, spend the time, invest the time, start early in the process, review everything for accuracy, but also be a lot more proactive on what they're actually doing. Think of the fact that you have a checklist that is essentially being provided in the application. What are the minimum standards that insurers are looking for?
If you use that as a risk management tool, as a starting point, what a great thing to be able to navigate through, just to be able to see what you should actually be having. And so, there is time to remedy the situation before having a claim and in order to get the coverage. But some of the minimum standards that we talked about, just as far as MFA keeps coming up time and time again, but what's happening for penetration testing or what are you doing for employee training around cyber awareness.
Doing the whole thing of planned phishing attacks that your IT team is running as those virtual items, tabletop exercises. There's a whole host of things that can be done. It's more a matter of what's within the scope and the comfort level and within the budget of what a client can actually do. So, as an insured, they've got to be thinking about some of those next steps.
But part of it, too, it's also around looking at just their business resilience overall. It's enterprise risk management, not just looking at it from cyber standpoint. But it's also the longevity of their organization being able to function longer term. And that's what makes a difference. So, to Avi's point earlier, you want to make sure that everyone does have a seat at the table, and they are taking the time to have the conversation between the insurer, the brokers, the intermediary, and the insured as that one that's getting the advice from the parties involved as well.
PAULINE GARDIKIOTIS: And I was just going to add that for those people who might be on the call that already have cyber insurance in place, it might not be a bad idea to go back and revisit the application with your broker to make sure that it is accurate, that you're running it by the technical experts in your arsenal if you didn't do that in the first place because it's easier to fix before an event hits than it is after.
And then the second point I wanted to make is that many of the carriers are a resource. And so, if you do have a policy, or if you're exploring a policy, having the technical experts within your company speak to the technical experts at the insurance company is very, very helpful. They have a lot of resources, a lot of advice, and can provide some guidance to help you make sure that you're doing the best you can to insulate yourself against these attacks.
BRENT ARNOLD: If I can add one other resource you might think about bringing in on this is your external counsel, if you've got external counsel serving as breach coach advising you on cyber matters. Sounds self-interested for me to say that, but it's a tool that I've seen work effectively in the States. I mean, this is one of the most important forms your business is going to fill out. And there's potential legal risks to be thinking about as you do this.
So, getting some advice on that end as you do the application and as you look at what your coverage options are, I think, is probably helpful, and I think, also underused in the Canadian context. Deb, is there anything else you want to add on this? In a moment, I want to turn to the panel for final thoughts. But anything you'd like to add on this best practices discussion?
Well, we may be having some technical issues there. So, why don't we move on to that discussion? And then I have a couple of questions here that I want to bring to the panel. Any final thoughts on all of this? If you had one final message to give to the folks that are watching this about this issue, what would it be? I don't know who wants to go first.
ROGER HAKALA: I'll kick it off. So I wish to say that, just to reiterate and I can't emphasize it enough, take it seriously as the process, not just around buying insurance, but as far as risk management and the exposure that you've actually got. It doesn't mean that you've got to have a risk management team or a CISO necessarily, but just look at the people that are responsible for IT, legal, even HR, so they know what the exposure is from a records standpoint internally on that end. But think of it as a process and a learning experience to go through that.
The other thing is, to Pauline's point earlier, the insurers are a great resource to tap into as well in this process and actually looking at insurance. But the insurance really should be the backstop and the advisory services that come along with that to help you navigate through when something does happen. But at the front end, just have to be serious about this and actually roll up your sleeves and dig in.
BRENT ARNOLD: Yeah. Don't treat this like title insurance where it's a thing we do instead of proper due diligence. Anyone else have some thoughts on this, final thoughts?
AVI MALI: I agree with Roger. Just understand the materiality of these controls have a big effect on the actual terms that are presented. I just wanted to say, another main implication of misrepresentation is difficulty in obtaining future coverage as well. Insurers may view rescission as a red flag, making it harder for policyholders to obtain coverage or may even result in higher premium because it's a perceived increased risk. So, that's definitely one implication as well.
BRENT ARNOLD: Absolutely. I think Deb is still having trouble with audio. But she has provided me a comment to share along here, a couple, actually. One, multifactor authentication questions are not a one-size-fits-all issue. Clients and brokers should be reviewing these questions and make sure that they're really drilling down on what's being asked and what's being answered.
And Deb also says that, do you have MFA shouldn't be the question. There has to be multiple questions in the application process to avoid a situation like we saw in this case where it's, perhaps, a gray area as to whether or not the answer is yes, we have it, as opposed to, do you have it on all the things, which is, of course, what the insurer needed to know. That's an excellent point, Deb. Thank you.
I have a question and a comment, film festival style, a comment and a question. Let me start with the comment because this actually addresses something that I put to the panel earlier about some of those technical measures that ensure insurers are looking for. One of our attendees points out that some insurers are requiring air-gapped backups to protect from ransomware as a purely cybersecurity best practices matter.
That's absolutely what you want because if your backups are in the same place as everything else, you can lose the backups at the same time. And I see that 30% of the time. And that makes you very, very much more in the discussion about paying than not, than you would be otherwise.
Also, he points out the generally accepted definition of air-gapped backups. What is that? Well, it could be the copies located in the same cloud provider in the same region. It might be that the copy is in a different region, but still the same cloud provider, might be that it's with an entirely different cloud provider, all of this assuming you're in the cloud, which of course, a lot of businesses are. So, these are questions to be thinking about, and also making sure that you're understanding the question that's being asked in the application process.
And then we have a question from one of the panelists, one of the viewers. When will brokers and carriers prioritize MDR or XDR, in addition to EDR, the latter of which only accounts for 15% of the attack? And whoever wants to answer this, perhaps, I can ask you to unpack the acronyms for the non-insiders who haven't, maybe, been through this process before.
AVI MALI: So I can go first, I mean XDR, MDR, EDR. The base application will include an EDR tool as having, yes or no. But when we actually dig in a bit further, and if it's a larger company with more endpoints, that's when we would get on a call with the client and see what other increased tools that they use.
And that's when discussions with our risk engineer, who's our in-house cyber risk consultant, would ask these questions on what's the next step after an EDR. So that's when those discussions would happen as well. But on a base application, I agree that the carrier's applications are just limited to just having, do you have an endpoint detection tool.
BRENT ARNOLD: Right. Any other one? Anyone else want to weigh in on that? It's a technical question, but a useful one. And my cat says, hi, by the way. All right. Sorry. Go ahead.
ROGER HAKALA: I don't want to get into the weeds too much on that. But the one thing that I would say is that, again, this comes back to the varying degrees as far as where that source of endpoint detection is going to come from. Is it a third party that you're actually utilizing? Is it something that's actually right on your servers that's actually defending every step of the way?
So, it's always a matter of, people don't know what they don't know necessarily as far as what they can possibly do and what is available to them to be able to do that. We do find it depends on which industries. I find that the financial services or financial institutions industry, probably top notch as far as looking at the EDR, as far as what they actually are doing. They've been doing it for quite some time.
There's industry specialists that have really just catered to them as organizations to be able to do that because they've looked at it and said, there's an opportunity. We know that every day, they are getting attacks. And it's multiple attacks on a regular basis. How do you defend to be able to make sure that that's going to be the right thing to do?
So, there are certain situations where we've seen that specialty as far as where firms are providing it to certain organizations. So, it's really available. It's more a matter of, do you know even that it is there. And where does the discussion end about the begin or end, between the insurance side of it becoming the true risk consultant on that side and really advising what other services are available that our clients, maybe, should be thinking about as well to help better protect themselves holistically on that end.
BRENT ARNOLD: It's an excellent point. Thank you. Let me just take a moment to, first of all, thank the panelists. It's not easy to get this much talent and wisdom on the insurance side on a single call. So, thank you for taking the time out of your day. I have found our discussions useful. And I know that the folks watching at home have found this useful as well. To those who have tuned in and there's lots of you, thank you so much for making the time to listen in on this.
I understand the recording is going to be made available. If there's anything you want to go over again, and as JP said at the beginning, please do feel free to reach out if you have any questions. It's in all of our interest to make sure that everyone out there understands this stuff as much as possible. So, we're happy to have those discussions with you. So with that in mind, thanks, everybody, and have a terrific day.
Cyber attacks, including ransomware, continue to grow more sophisticated and more prevalent each passing year. Despite this, many Canadian companies have been slow to secure cyber insurance coverage – and those now wishing to do so may face a brittle insurance climate. Indeed, in the wake of a sharp increase in the volume of high-value claims, U.S. cyber insurers are revisiting coverage requirements and exclusions, and pursuing more aggressive strategies to protect themselves against the increasing future risk exposure posed by such claims. This includes situations where a binder is provided based on misrepresentations (for instance, false claims of having enterprise-wide multifactor authentication), which resulted last year in a U.S. claims case where a policy was rescinded, possibly triggering an alarming trend that might be followed in Canada.
Accordingly, the primary purpose of this presentation is to show why it behooves companies of all sizes in Canada seeking to obtain or renew a binder in this changing market to: 1) be all the more diligent in continuously strengthening their cyber readiness by meeting imposed products/practices requirements; and 2) be transparent to prospective insurers - both of these things giving companies the possibility of securing better terms in the future.
In this webinar, co-hosted with GCRA, our panel of experienced industry professionals explore this evolving space from a number of perspectives. The topics, which are tailored to Canadian companies of any size, include: