Cyber Savvy Broker: Jessica Klipphahn

As technology transforms the economy, businesses of all sizes must navigate a new kind of risk: digital risk.

The most successful brokers must prepare to help their clients navigate these complex risks. Our "Cyber Savvy Broker" series highlights forward-thinking brokers with the knowledge and skills to help clients navigate this digital transformation.

This month, Jessica Klipphahn, CPCU, AINS, CLCS, Cyber COPE Ins Cert, North America Middle Market Cyber Leader at WTW, joined us to discuss the industry. Jessica has more than a decade of experience in insurance and began dedicating all of her time to cyber two years ago. In our conversation, Jessica shared what she prioritizes when placing coverage, how she helps clients when they experience a claim, and why manufacturers face additional challenges in managing cyber risk.

How did you transition from selling P&C to selling cyber?

I learned organically about Cyber in a prior life when handling all lines of coverage for my clients. I immediately recognized the importance, especially given the ramp-up of companies becoming more digital across operations. To get up to speed on cyber insurance, I soaked up as much as I could from our carrier partners. At the time, cyber was in a soft market, so conversing with clients and placing business was somewhat easier. The process was much smoother; you could get a quick quote with a few questions online, but it was more difficult for specific industries. For example, if I tried to sell cyber to a manufacturer five years ago, they immediately resisted and said, “We don't take credit card payments,” or “We don't sell anything online. We don't have cyber exposure.” 

Now, every company is digital. Ransomware has made people rethink the impacts of cyber attacks. The increase in supply chain attacks and third-party vendor breaches means that anyone can feel the impacts of a cyber event. These third-party events can create a ripple effect that has yet to be determined. That's why the industry is so reactive from an insurance perspective. We saw this with SolarWinds, Kaseya, Kronos, and we’re still seeing it with MOVEit.

What is the number one thing you look for in a cyber insurance policy when placing coverage?

“Coverage first” is our approach. We won’t cut coverage for costs. When looking to enhance coverage, we emphasize to our clients that it's not just a matter of getting them what they can buy. 

Beyond that, we look for policyholder resources. We have been pushing that hard with our clients. With chaos in the marketplace over the past two years, I've found that policyholder resources are well-received because there is more of a sense of IT governance in organizations. There's more buy-in from the C-suite and throughout the organization. Leaders now understand it's not just an IT problem. When you have a cyber incident, it’s a problem for the entire organization. Therefore, the prep and pre-breach resources we can provide to our policyholders ahead of an incident are easily prioritized.

How do you help your clients proactively prepare and respond to cyber incidents?

Realistically, it's not a matter of if you'll have an incident, but when.  Many organizations have been hit by social engineering scams lately. AI has allowed bad actors to be more sophisticated in those attacks, and it's easy money. They don't have to spend time preparing for a ransomware attack, which takes longer to carry out and may or may not result in ROI for them. 

I try to prepare my clients by being realistic and asking them what they plan to do to protect themselves. Insurance is just a backstop. It is not intended to be a catch-all. I use analogies from the P&C world for the clients to understand this better from a risk management standpoint. Does your building have sprinklers in the event of a fire to mitigate loss? If not, there aren’t many carriers that will want to take on that risk, or they will charge you substantially more for not having proper protections in place. It's the same way we look at cyber now. 

Today, proper risk mitigation tools like endpoint detection and response (EDR) or multi-factor authentication (MFA) can (and should) be put in place ahead of time for underwriters to price accordingly for that risk.

We’ve seen a lot of success from our clients taking advantage of tabletop exercises or IR planning via their policy. When an incident does happen, it is truly mitigated because they have contained and isolated the incident. It's still scary, but preparing beforehand benefits them and the carrier because they’re better prepared to handle a claim and reduce the severity. 

When your clients experience a claim, how does your role change?

Instead of being a risk advisor, I pivot to coordinator. I don't have to get too involved with claims because we have Cyber claims advocates at WTW, which is the best for our clients. I facilitate connecting the proper individuals, ensuring they have what they need. That includes preparing clients to know whom to call and when. Most carriers use approved panel vendors, so I let clients know that carriers will contact the appropriate parties, and they can move forward from there. 

What industries do you work most frequently with? And then what are the most significant risks facing those industries?

I work with many industries at WTW, given our vertical focus, but I think manufacturers face some of the biggest challenges. Historically, they haven’t invested in cybersecurity or cyber risk transfer, such as insurance. 

Two or three years ago, we looked at the most targeted industries. Manufacturing and healthcare always made the top of the list and saw the most claims. But I wonder if they’re truly targeted because of class. I think it’s more likely that bad actors are opportunistic. They have access to exploiting more vulnerabilities in those industries because, historically, the budget or investment has not been made to protect those organizations. 

Manufacturers have a considerable business interruption risk. If a threat actor shuts down their operational technology (OT) environment, production halts, and they leak revenues beginning minute one. 

In manufacturing, they often have two different operating systems: IT and OT. It’s shocking the number of organizations that don't even have true insight into their OT environment, whether it's accessible from the outside, and what it could do if a bad actor moved from the OT into their IT environment. These are the conversations we have with manufacturing clients to raise awareness because they can't protect what they don’t know about. Many of these systems tend to be legacy systems. Unfortunately, they often can't apply controls like EDR to a legacy manufacturing OT system. The challenges remain more prevalent in this industry.

How do you help your clients implement cybersecurity improvements that will allow them to secure or keep coverage?

We stay very close to our carrier partners to ensure we understand their needs. If there are hot-button underwriting controls that we need our clients to understand in advance, we address them long before renewal. 

In the hard market, we went from not asking about MFA to requiring it to be implemented. If MFA was not enabled, clients weren’t insurable or couldn’t get ransomware coverage. We now have clients proactively asking what they need to do and what controls they need to implement to get coverage, which is a good thing.

These conversations are continuously happening for us. Coalition and many other carriers run versions of an external vulnerability scan, which is an outside view of risk. If we ran a scan four months ago and then we run it today, things could look very different. We offer our clients access to resources like that throughout the policy term so we can get ahead of any remediations necessary before renewal. 

Improve your cyber knowledge with Coalition

Cyber insurance is one of the fastest-growing insurance products and a massive opportunity for brokers to grow their book of business. Coalition's Cyber Savvy program equips you with the tools and knowledge to deepen your cyber risk expertise and advise (and protect!) your clients. You can access more free Cyber Savvy Broker resources to continue learning.
