
Cyber Savvy Broker: Alexandra Bretschneider

As technology transforms the economy, businesses of all sizes have to navigate a new kind of risk: digital risk.

The most successful brokers will need to be prepared to help their clients navigate these complex risks. Our "Cyber Savvy Broker" series highlights forward-thinking brokers with the knowledge and skills to help their clients navigate this digital transformation.

Alexandra Bretschneider, VP and Cyber Practice Leader for Johnson, Kendall & Johnson, joined us recently for a conversation on how she stays ahead of the cyber curve. She shared how she works with her clients to think proactively about cyber risk management and how brokers can partner with their IT teams to become more cyber savvy.

How did you become an insurance/cyber specialist, and what has changed the most from the time you started?

I'm a little unique in the insurance world because my background was in IT consulting. I started my career in Big Four IT advisory consulting and then made my way into boutique telecom consulting. So, I saw technology and cyber-related risks from a different angle.

A couple of years ago, a leading insurance provider reached out and notified me that they had partnered with Carnegie Mellon to create a cyber insurance designation. They took their CISO program and modified it for brokers and insurance underwriters. I think that solidified the skill sets I was already developing and merged with the skills I had from my consulting days. It was a really important program in terms of improving the ability for brokers to understand what cyber risk is beyond brokering an insurance policy. 

In terms of what has changed — cyber risk has always been there. What cyber insurance looks like has evolved. We've seen that from the claims and types of incidents that are happening to the underwriting and the coverages.

The dynamic landscape is what keeps it interesting!

What is the biggest difference between selling cyber and traditional policies, like D&O and P&C?

I think cyber tends to drive fear for insurance underwriters, brokers, and buyers. The concepts behind other coverages, such as Employment Practices Liability for example, are coverages based on events that are more easily understood to the everyday business person. Technology isn't necessarily innately understood. The business world is comprised of "technology natives" and "technology immigrants" — distinguished by those people who grew up with technology ingrained in business operations, versus those that have had to learn it along the way. Those in decision-making positions are generally still technology immigrants. They didn't grow up with technology as part of how they live life and do business. So I think they have a greater discomfort with things they may not understand as well. Although cyber insurance has existed for two decades, it is a much younger risk and coverage than other lines of insurance, so there is a significant learning curve. Brokers must spend more time and attention educating their clients on the risk and coverages, which are also changing on an almost daily basis.

What cyber skills do you believe are essential in today’s landscape?

I think this relates to underwriters as well as brokers. A lot of underwriters came from underwriting Management Liability lines. They adopted cyber, and they've had to learn it. Not everyone was an IT consultant by trade or a cybersecurity expert. Therefore, I think the most important thing is the willingness to learn. I encourage brokers to sit down with their own IT teams and ask questions. It’s the best time to ask "dumb" questions without feeling embarrassed and get a solid feel for these things.

From there, sit down with your clients and understand what they have in their IT infrastructure and cybersecurity programs. Why do they have it? What are the gaps that they have? Where are they lacking? What resources can you bring to the table to bridge those gaps? And ultimately, what are their biggest cybersecurity fears? Brokers do not need to become cybersecurity experts, but they do need to understand the types of controls and navigate conversations between IT and Finance because cyber risk must be managed more holistically. 

Ultimately, communication is key — as it is with any line of insurance and any aspect of business. When I think of it specifically for cyber, insurance brokers need to start getting more comfortable speaking and translating what I refer to as three languages: IT Nerd, Insurance Nerd, and Business Owner. We have to navigate those three pieces of the puzzle and ensure all parties are aligned on how best to manage the risk.

What feedback have you heard from your clients after they’ve purchased a cyber policy?

Outside of a claim or a potential claim, I hear from my clients when they want to take extra steps to prepare for an incident. They want help developing an Incident Response policy and to do a tabletop exercise to test it, and they start to ask questions about the role of the insurance in that process and what it's intended to do. I spent three hours yesterday afternoon conducting a tabletop exercise - I'm a big fan of them. By participating in the tabletop exercise, you (as the broker) can make sure your client considers you - the insurance - as part of the incident response equation. During the exercise yesterday, the CFO was asking, “Would this be covered? If the devices were down and we needed to replace them with new laptops, are they going to cover that?” It began to be a bit of a test of the coverage, and it improved their understanding and preparedness for what a cyber incident may entail and how the insurance will respond.

What does success mean to you in your role? 

It’s actually twofold. First and foremost, the ultimate measure of my success is that my clients go to bed at night feeling as though they are more prepared and more secure in their ability to respond to, and recover from, a cyber incident. I had a client tell me just in the last week that after working with us, they felt not only more secure, but more prepared. That’s the end goal. I want to help my clients feel better and take the angst and confusion out of managing cyber risk. 

The second part of success to me is that I'm striving for the recognition of JKJ having a superior client base in the eyes of the insurance world. What I mean is that I’d love for a carrier like Coalition to say, "Hey, because it's a JKJ submission/client, I know they are going above and beyond to improve the cybersecurity of this client. I feel safer and better about this risk because I know that the JKJ cyber practice is promoting tabletop exercises, reviewing their incident response plans, taking things a step further than just the controls and answering the yes/no questions on the application." So to me, success would also be the recognition in the form of improved terms, conditions, and pricing, and ultimately consideration from the insurance world in recognition of the efforts we're putting in with our clients.

What do you look for when recommending insurance partnerships to your clients? 

There are three components: quality, service, and price. 

One thing I’ve noticed a lot lately is that underwriters are so strapped for time that they're not underwriting with strategy and intention. It's become such a quick acceptance or denial of an application based upon a few vague, yes/no questions. 

As an example: there are organizations that have suffered cyber incidents and subsequently made significant strides to become better risks and improve their cybersecurity posture. Yet, there are still cyber insurance carriers who will automatically decline anyone with an open claim or who's had a claim in the last year. There needs to be a willingness to understand that story and appreciate the things that these organizations have done to improve SINCE the incident - why they are a better risk going forward. Going beyond the application and appreciating a client as more than a piece of paper is important to me. I’m glad that Coalition is one of the most willing to listen to these stories.

What do you see as the greatest challenges preventing the digitization of the insurance industry?

Insurance is traditionally a slow-moving beast, but you have to give it credit. I think cyber is a perfect example of how quickly it has adapted in the last two years. And unfortunately, it was a whiplash effect to the insurance buyers. Prices became exponentially higher, coverage was restricted, and there was significant underwriting scrutiny. But all things considered, the insurance world adapted very quickly to what became a dynamic and impactful risk. 

I think the biggest barriers are human nature and their resistance to change. We're also dealing with a world of such dynamic, complex, and widely impactful risks — from climate change to cybersecurity. We've been playing catch up by being reactionary, and we're trying to find that proactive state of managing risk. Insurance itself is a reactionary product. We're trying to understand those things better. That poses a challenge; just as we thought we've caught up, there's something new. 

Improve your cyber knowledge with Coalition

Cyber insurance is one of the fastest-growing insurance products and a huge opportunity for brokers to grow their book of business. Coalition's Cyber Savvy program equips you with the tools and knowledge you need to deepen your cyber risk expertise and advise (and protect!) your clients. 

You can access more free Cyber Savvy Broker resources to continue your learning journey.