What’s on Dec? | Episode 29 | Cyber Insurance: From coverage pitfalls to market cycles

Sophia Kudlyk, senior vice president of Hub International Ontario’s cyber practice, discusses the state of the cyber insurance market. She gets into how the Canadian cyber market cycles lag behind the US, coverage pitfalls, and how insurers are advising clients on whether or not to pay out ransomware demands.

May 26, 2026

Stream this episode and others in our series on Spotify, Apple Podcasts and YouTube.

Featuring: Sophia Kudlyk, Senior Vice President, Cyber Practice, HUB International

Canada’s cyber insurance market has changed a lot since the days of the COVID-19 pandemic. Ranging over the years from hard to soft market conditions, the current state of the market is best described as “cautiously stabilizing,” explains Sophia Kudlyk, senior vice president of Hub International Ontario’s cyber practice. In this episode, Sophia discusses some common coverage pitfalls and why the devil is often in the details. She advises clients on how to ensure adequate coverage, what’s important from an incident response perspective, and the pros and cons of back-up systems.

Text Transcript:

Intro | Jason Contant: Hi, I’m Jason Contant, associate editor at Canadian Underwriter and co-host of our podcast series “What’s on Dec?”. For this episode, I sat down with Sophia Kudlyk from HUB to discuss the state of the cyber insurance market in Canada. We explored some common coverage pitfalls, how to ensure clients are properly covered, and how cybercriminals are adjusting their methods. First thing I wanted to ask you is, you know, what’s the current state of the cyber insurance market? Like, I’ve heard before that the U.S. market is hardening and just wondering if the same could be said of Canada as well.
Sophia Kudlyk: Yeah, so the way that I would describe the market today is cautiously stabilizing. We’re coming out of, you know, a few years of really difficult and turbulent years. I’d say no surprise, but the pandemic really thrust the cyber insurance industry into a really difficult and challenging time. Ransomware specifically was the front runner at that time that really just tanked a lot of, you know, claim severity and a lot of organizations and how they viewed cyber risk, they became targets overnight. So, we’re coming out of a few years of really difficult market conditions where now we’re seeing a really steadier pace, and I would even say to the end of 2025, there was a softening. So there was a lot of growing competition, a lot of increased capacity as well. So despite the claims environment not really changing or getting any better, social engineering fraud, ransomware are still front runners in all the cyber claims landscape. We still see a lot of increased appetite from insurers and reinsurers as well too, so that led to a lot of, you know, rates being flat or even decreasing. Despite organizations increasing their revenues or exposures, we saw a lot more broadening of terms towards the end of last year and then the start of this year. Contrast that with the U.S., we’re slowly starting to see signs of hardening again. So this is driven by both a rise in claim severity as well as reinsurance pressure, and traditionally Canada has always lagged by a few months from the U.S. as well too. So, although we are still benefitting from those softer market conditions, my prognosis is that window may be narrowing quickly in the coming year.

Jason Contant: Yeah, like you said, I’ve heard the same sort of broadening terms, right. Like you have more terms, but the pricing I’ve heard is actually decreased fairly substantially from what it used to be, so that’s what you’re seeing as well.

Sophia Kudlyk: Absolutely. So it’s an interesting time to be in the broker seat because we’re advocating for our clients to really take advantage of these softening market conditions, really invest in their risk management strategies, their spend. Let’s try to see what we can leverage out of your policy to help bolster your overall cyber hygiene. Now is the time to take advantage of the softer market conditions, the premiums that you are perhaps ‘saving on,’ and reinvesting that into your cyber risk hygiene, or even higher limits as well too. So we’re seeing this as a unique moment in time, but, just like anything in the cyber realm, it doesn’t last forever. It switches a lot quicker, the market conditions oscillate a lot quicker than any other line of insurance, in my experience.

Jason Contant: Are you seeing sort of uptake with that with clients like picking up, you know, like you said they’re sort of ‘saving,’ do people pick up like more limits for example or anything like that? Are you seeing your clients do that?

Sophia Kudlyk: We always try, and that is always sort of the anchor of the conversation around, “Here’s what cyber claims cost today, here’s why we believe higher limits are necessary based on the complexity and sophistication of cyber claims we’re seeing today.” Now contrast that with the economic conditions that most businesses, you know, are up against, it’s a very difficult time for a lot of industries as well too. So of course we are met with, you know, perhaps some of those organizations reinvesting that or transferring the savings that they may see on the cyber into other lines of insurance that aren’t seeing a softer…of those conditions. So, however, that’s one element of it, so the majority of cases that we’ve seen is that clients consider but are making that conscious decision to reinvest elsewhere. Where we are seeing that reinvestment happening is on incident response planning, tabletop exercises as well too.
So there’s a big push on more collaborative effort from an organization top down. That’s been a really positive change that we’ve seen lately as well too. So reinvestment comes in many forms, it’s not always buying higher limits, it could be reinvesting into your organization’s overall strategy and what cyber risk is and how do you prioritize what those pillars should be on that roadmap to resilience.

Jason Contant: I know you mentioned incident response and I know we’re gonna talk about that later, but one of the things I wanted to ask you about as well was sort of the common coverage pitfalls or sort of blind spots that you’re seeing with cyber.

Sophia Kudlyk: Absolutely, and this is the front-running conversation for any broker. Where we’re seeing some of the most common blind spots are in the third party or supply chain incident space. A lot of clients assume that their policy may respond when that vendor gets hit. So because they’re transferring out that function, you know they’re safe or it’s up to the vendor, when in reality those ‘business interruption’ triggers or ‘contingent business interruption’ triggers can be quite narrow and nuanced. So it really goes into the details and how important it is to really understand those service interruptions caused by that supplier. Maybe they need to be endorsed, maybe that supplier needs to be listed. There are different nuances depending on the carrier that you’re dealing with that limit that type of language. So, you know, speaking more broadly, third party risk is covered, there’s a lot of layers to that conversation that need to be addressed and it’s all about asking the right questions and making sure that you’re really getting to that point of comfort and mutual understanding with your client. Another element that has always been one of the top front runners in cyber claims is social engineering fraud. So this is when, you know, someone is tricked into either parting with information or with funds as well too. So we are seeing sublimits in that range are very common in the cyber industry at 250,000. Sometimes, you know, there’s a notification and verification that needs to be provided in addition to the fraudulent instruction. So it really again depends on the coverage and the wording and how it’s listed. Also, if there are other lines of insurance that also cover the social engineering fraud, perhaps it’s listed on a crime policy, perhaps it’s on a financial institution bond policy. So coordinating those coverages, which applies when, has to be a coordinated effort as well too from the insurance perspective. Last but not least, business interruption. That’s a really, really common one that we’re seeing, especially in a ransomware scenario where operations are shut down and there’s revenue bleed. There’s traditionally a lot of waiting periods associated with business interruption, most commonly 12 hours, and it only responds when a security failure is confirmed. So, again, going back to that origin, perhaps it’s not your outage, perhaps it’s a vendor or a software bug or a misconfiguration. That can often fall outside of what that trigger for business interruption really is. So the devil is in the details and it’s really, really important that these topics are not just glazed over but the details are negotiated based on the operations that the business has to protect against.

Jason Contant: Yeah, so given I guess there’s three main ones, right, like third party sort of incidents, like social engineering and that, and BI, right.

Sophia Kudlyk: Yes.

Jason Contant: So given all these pitfalls, like how can clients, I guess, make sure that they’re properly insured against these pitfalls?

Sophia Kudlyk: Absolutely. Well, I’m a little bit biased, but working with a broker who specializes in cyber I think is really, really critical. This bridge between the technical and operational, depending on which audience member you’re dealing with on the client side, you really wanna make sure that you’re bridging that conversation between legal, between IT, between the executives and operations. So that often requires the level of depth and understanding and having seen those cases proliferate, right. So what does the claim really look like and how can we apply that to our conversation? So, I think also in terms of while reviewing these changes with businesses and clients, you wanna make sure that you’re rooting yourself in the trigger of the policy. So that trigger could look different for a different industry, right. Most cyber now affects every industry, every size of business, we can all agree on that. But really what we wanna do and dissect is really ensure that the triggers and the exclusions are really looked at in a lot of detail. And upon every renewal, there needs to be a gap analysis that’s being conducted. It’s not just a premium comparison, there needs to be a little bit more of an evolution of the conversation around what changes has the organization seen in the past and where do they wanna go and where do they wanna grow in order to future-proof that cyber solution for them. So, I think a lot of the time, I’m not gonna overcomplicate the answer, but it’s back to basics on coverage. So carefully reviewing those details, not assuming, really reviewing what those waiting periods, triggers, and definitions are. I think that that can be the best form of preparation from the broker side.
Otherwise, if I were to recommend for clients, ’cause a lot of this falls outside of their control, conducting those tabletop exercises and testing those incident response plans and policies within the organization, the more there’s comfort built with that, the easier it is to respond and know what to do, rather than being in a state of panic and reacting you can be a little bit more proactive in understanding what comes next.

Jason Contant: So, do you target it specifically like, okay, here’s a ransomware attack, how would you respond, like phishing reviews, that sort of thing?

Sophia Kudlyk: Yeah, and I think the better tabletops and incident response planning exercises we’ve seen are conducted with legal professionals that are able to tailor the situation based on the industry, the size, and the organization, right. It’s not very useful if you’re speaking to a manufacturer about PII data, right, we’re focused on different types of exposures. So how do we test what the reality could look like in a comfortable simulation?

Jason Contant: Yeah, so also in terms of planning, like what do you think is important for clients from like an incident response perspective?

Sophia Kudlyk: Yeah, so incident response is near and dear to my heart. As I mentioned, I spent a little bit of time there during the pandemic, so I really saw an influx of claims and perhaps even how under-prepared organizations were to deal with the level of sophistication and ruthlessness of cybercriminals. I think right now, speaking to the market conditions and, you know, what we’re up against from an adversary perspective, there’s so many resources available within the insurance policy that…insurers are waiting for clients to take advantage of them. So the uptick on those has been historically low and what we try to encourage as clients is now is the time to really reinvest into what those elements are. There’s a lot of panels and rosters and great information and resources that are available, but it’s only as good as, you know, the organization who’s taking them up on that. So you don’t often have to go out and pay for these expensive exercises, try to see what’s included within your insurance policy as well too. That’s the best form of incident response readiness. Speaking of developing that plan and taking advantage of that offering, really wanna make sure that your incident response plan is not just sitting on a shelf gathering dust, it’s actually being tested and improved upon and documented. Contacts change, people move on, both on the company side but also on the vendor side. So really just making sure that those changes are really aligned. And historically, when we’re putting the spotlight on incident response, the first 24 to 72 hours are often the most critical, and the sequence of steps, what it takes to trigger a policy and effective collaboration. So notifying, you know, that breach response team, who is that for you? And getting and understanding what actually has to happen next and where we’re coming from and where we want to go. So, a lot of the time there’s this 1-800 number, we don’t really know where it goes, who we’re gonna get in contact with. So we often try to be proactive with a lot of those introductions so that you’re not meeting the people who are going to help you when the hour, if the hour comes, right. So a lot of the times there’s nuances on insurance policies as well too when it comes to breach response, incident response vendors, breach coaches. There needs to be perhaps an approval necessary, especially if you wanna go off panel. So a lot of organizations, they may have their ideal partner there, but if it’s not vetted with the insurance company there could be an uncomfortable situation where those sunk costs are not covered. So the reason that is, is because there’s these relationships that are developed with insurance companies over years and years and years, there’s thousands of incidents, there are pre-approved rates as well too. So we really wanna make sure that we’re protecting that client experience as much as we can from the broker and the insurance angle, and the only way we can do that is by validating the partners that we work with and hold them to that standard. So going ‘off panel’ is often one way to get yourself into hot water. And then last but not least, I think regulatory notification timelines, they’re constantly changing by industry, globally, depending on where the organization conducts their business as well too. So having your finger on the pulse as to what they are, what’s required within what timeframes, having that documented in a baseline understanding can, again, help move that process forward a little bit more efficiently.

Jason Contant: Yeah, no that’s really interesting, Sophia, that you mentioned sort of the steps, right, that you have to take because I’ve heard that quite a few times. Like one example somebody gave me was the worst thing you could do is say you have the contact or, like you said, the 1-800 number or the contact of your insurer that you need. Worst thing you could do is have that on your backup system or so, or not even your backup, like on your computer, and then it goes down and then you’re like, “Now who do I contact?” You don’t have it on paper or anything, right.

Sophia Kudlyk: That’s so true.

Jason Contant: So people have said- Yeah, like, that would be a perfect example of, “Okay, now where do you go?” Or like you said, if you meet them for the first time, it’s a whole new relationship you have to sort of start when you’re at your most panicked level ’cause you just had a breach, for example, right.
Sophia Kudlyk: I completely resonate with that, Jason, and I think that one thing we always recommend our clients is sometimes going back to paper is the easiest way as well too. So one thing that I wanted to make sure I mention is that encrypting your insurance policy and not labelling it on your desktop as ‘cyber insurance policy.’ Again, that’s a sure-fire way to get targeted by threat actors as well too. So really making sure that you’re keeping and storing things in the right place, including your insurance policy, including your incident response plan, making sure that everyone knows at what point they are being tapped in and where to go next. Even simple things like chat, right, chat being disabled or having personal phone numbers documented as well too, if your work computer or work phone is also affected. So it’s these things that you don’t think about until you’re in that situation that a lot of professionals in the incident response field can recommend, common touch points based on the lessons that they’ve learned as well too.

Jason Contant: Yeah, and so you mentioned threat actors, so one of the things I was gonna ask you is, you know, from what I understand, like cybercriminals are kind of adjusting their methods obviously, right, to sort of get around backup systems and stuff like that. So, you know, how do you prepare clients now when criminals are kind of stealing data directly?

Sophia Kudlyk: Yeah, you know, it’s unfortunate, cybercriminals are always evolving a little bit quicker than we are as well too. And I’m glad that you brought up the topic of backups because I think it’s one of the most important sources of protection, especially in a ransomware scenario. However, when these backups are not tested or they’re unviable, you’re really putting your fate back into the hands of the cybercriminal as well too. So it’s not just having those backups, it’s when was the last time that they were tested? So often, you know, within the cybersecurity community we refer to the 3-2-1 backup rule, which means keeping three copies of your data stored on two different media types with one copy offsite. So that layering of protection really just makes sure that your backups, if they’re in the cloud and you’re unable to access them, you’re not in that really difficult situation again. However, cybercriminals have evolved because backups have been such a great resource and crutch for a lot of organizations who find themselves in that situation. Cybercriminals have evolved in this double extortion tactic now too, so we’re seeing that more prevalent where they’re not just extorting the business to get the data back. Let’s say the organization has that data and they’re like, “We’re good, we don’t need to pay.” Now there’s that additional extortion that’s being levied, which is like, “Okay, you have your data, that’s great, but now we are going to extort you to not publish that data.” So even if you can recover yourself, you’re not out of the blue just yet. There are legal and regulatory implications, of course, if that data has left the door, and what is your obligation as a business if that data were to be published as well too. So, preparing for the legal, reputational, regulatory implications of the ‘threat’ of not to publish as well is really, really important and can’t be overlooked. And clients need to really understand that legally and reputationally, and even from a policy standpoint, what is covered and what are the gray areas of, “All right, we don’t negotiate with threat actors, but we are in a situation too where we are still incurring legal costs in order to deal with the ramifications of that data leaving the door.”

Jason Contant: In terms of ransomware, from what I always hear, like the sort of I guess public policy is don’t pay the ransomware unless you don’t have backups, is what I’ve heard is sort of like that could be an example. Would you agree with that or…

Sophia Kudlyk: Yeah, so it’s a hot topic for sure, and the way that we anchor the conversation around the pay or not to pay decision is it’s always a business-driven decision, and a lot of insurers are placing that responsibility and the onus of what is best for your business back on them. Of course, you have the support of the legal, professional and forensics team that is able to help you get to a decision and quantify what the cost of making that payment or not making that payment really, really is. If we are turning away from that, what is the cost of restoration and rebuilding and how much time will that take? Does that outweigh what the actual ransom demand is, right? So, overall it depends on the policy. However, I would say that more often than not you will see that decision being placed back on the business with the understanding from the insurance company that we understand that you need to do what you need to do in order to save your business at a certain point.

Outro | Jason Contant: That wraps up today’s episode. We hope you enjoyed the discussion. Thanks for tuning in, and we’ll see you next time on “What’s on Dec?”.
What’s on Dec? | Episode 29 | Cyber Insurance: From coverage pitfalls to market cycles Sophia Kudlyk, senior vice president of Hub International Ontario’s cyber practice, discusses the state of the cyber insurance market. She gets into how the Canadian cyber market cycles lag behind the US, coverage pitfalls, and how insurers are advising clients on whether or not to pay out ransomware demands. May 26, 2026 Stream this episode and others in our series on Spotify, Apple Podcasts and YouTube. Featuring: Sophia Kudlyk,Senior Vice President, Cyber Practice,HUB International Canada’s cyber insurance market has changed a lot since the days of the COVID-19 pandemic. Ranging over the years from hard to soft market conditions, the current state of the market is best described as “cautiously stabilizing,” explains Sophia Kudlyk, senior vice president of Hub International Ontario’s cyber practice. In this episode, Sophia discusses some common coverage pitfalls and why the devil is often in the details. She advises clients on how to ensure adequate coverage, what’s important from an incident response perspective, and the pros and cons of back-up systems. Text Transcript: Intro | Jason Contant: Hi, I’m Jason Contant, associate editor at Canadian Underwriter and co-host of our podcast series “What’s on Dec?”. For this episode, I sat down with Sophia Kudlyk from HUB to discuss the state of the cyber insurance market in Canada. We explored some common coverage pitfalls, how to ensure clients are properly covered, and how cybercriminals are adjusting their methods. First thing I wanted to ask you is, you know, what’s the current state of the cyber insurance market? Like, I’ve heard before that the U.S. market is hardening and just wondering if the same could be said of Canada as well. Sophia Kudlyk: Yeah, so the way that I would describe the market today is cautiously stabilizing. We’re coming out of, you know, a few years of really difficult and turbulent years. 
I’d say no surprise, but the pandemic really thrusted the cyber insurance industry into a really difficult and challenging time. Ransomware specifically was the front runner at that time that really just tanked a lot of, you know, claim severity and a lot of organizations and how they viewed cyber risk, they became targets overnight. So, we’re coming out of a few years of really difficult market conditions where now we’re seeing a really steadier pace, and I would even say to the end of 2025, there was a softening. So there was a lot of growing competition, a lot of increased capacity as well. So despite the claims environment not really changing or getting any better, social engineering fraud, ransomware are still front runners in all the cyber claims landscape. We still see a lot of increased appetite from insurers and reinsurers as well too, so that led to a lot of, you know, rates being flat or even decreasing. Despite organizations increasing their revenues or exposures, we saw a lot more broadening of terms towards the end of last year and then the start of this year. Contrast that with the U.S., we’re slowly starting to see signs of hardening again. So this is driven by both rise in claim severity as well as reinsurance pressure, and traditionally Canada has always lagged by a few months from the U.S. as well too. So, although we are still benefitting from those softer market conditions, my prognosis is that window may be narrowing quickly in the coming year. Jason Contant: Yeah, like you said, I’ve heard the same sort of broadening terms, right. Like you have more terms, but the pricing I’ve heard is actually decreased fairly substantially from what it used to be, so that’s what you’re seeing as well. Sophia Kudlyk: Absolutely. So it’s an interesting time to be in the broker seat because we’re advocating for our clients to really take advantage of these softening market conditions, really invest in their risk management strategies, their spend. 
Let’s try to see what we can leverage out of your policy to help bolster your overall cyber hygiene. Now is the time to take advantage of the softer market conditions, the premiums that you are perhaps ‘saving on,’ and reinvesting that into your cyber risk hygiene, or even higher limits as well too. So we’re seeing this as a unique moment in time, but, just like anything in the cyber realm, it doesn’t last forever. It switches a lot quicker, the market conditions oscillate a lot quicker than any other line of insurance, in my experience. Jason Contant: Are you seeing sort of uptake with that with clients like picking up, you know, like you said they’re sort of ‘saving,’ do people pick up like more limits for example or anything like that? Are you seeing your clients do that? Sophia Kudlyk: We always try, and that is always sort of the anchor of the conversation around, “Here’s what cyber claims cost today, here’s why we believe higher limits are necessary based on the complexity and sophistication of cyber claims we’re seeing today.” Now contrast that with the economic conditions that most businesses, you know, are up against, it’s a very difficult time for a lot of industries as well too. So of course we are met with, you know, perhaps some of those organizations reinvesting that or transferring the savings that they may see on the cyber into other lines of insurance that aren’t seeing a softer…of those conditions. So, however, that’s one element of it, so the majority of cases that we’ve seen is that clients consider but are making that conscious decision to reinvest elsewhere. Where we are seeing that reinvestment happening is on incident response planning, tabletop exercises as well too. So there’s a big push on more collaborative effort from an organization top down. That’s been a really positive change that we’ve seen lately as well too. 
So reinvestment comes in many forms it’s not always buying higher limits, it could be reinvesting into your organization’s overall strategy and what cyber risk is and how do you prioritize what those pillars should be on that roadmap to resilience. Jason Contant: I know you mentioned incident response and I know we’re gonna talk about that later, but one of the things I wanted to ask you about as well was sort of the common coverage pitfalls or sort of blind spots that you’re seeing with cyber. Sophia Kudlyk: Absolutely, and this is the front-running conversation for any broker. Where we’re seeing some of the most common blind spots are in the third party or supply chain incident space. A lot of clients assume that their policy may respond when that vendor gets hit. So because they’re transferring out that function, you know they’re safe or it’s up to the vendor, when in reality those ‘business interruption’ triggers or ‘contingent business interruption’ triggers can be quite narrow and nuanced. So it really goes into the details and how important it is to really understand that service interruptions caused by that supplier. Maybe they need to be endorsed, maybe that supplier needs to be listed. There are different nuances depending on the carrier that you’re dealing with that limit that type of language. So, you know, speaking more broadly, third party risk is covered, there’s a lot of layers to that conversation that need to be addressed and it’s all about asking the right questions and making sure that you’re really getting to that point of comfort and mutual understanding with your client. Another element that has always been one of the top front runners in cyber claims is social engineering fraud. So this is when you know someone is tricked into either parting with information or with funds as well too. So we are seeing sublimits in that range are very common in the cyber industry at 250,000. 
Sometimes, you know, there’s a notification and verification that needs to be provided in addition to the fraudulent instruction. So it really again depends on the coverage and the wording and how it’s listed. Also, if there are other lines of insurance that also cover the social engineering fraud, perhaps it’s listed on a crime policy, perhaps it’s on a financial institution bond policy. So coordinating those coverages, which applies when, has to be a coordinated effort as well too from the insurance perspective. Last but not least, business interruption. That’s a really, really common one that we’re seeing if, especially in a ransomware scenario where operations are shut down and there’s revenue bleed. There’s traditionally a lot of waiting periods associated with business interruption, most commonly 12 hours, and it only responds when a security failure is confirmed. So, again, going back to that origin, perhaps it’s not your outage, perhaps it’s a vendor or a software bug or a misconfiguration. That can often fall outside of what that trigger for business interruption really is. So the devil is in the details and it’s really, really important that these topics are not just glazed over but the details are negotiated based on the operations that the business has to protect against. Jason Contant: Yeah, so given I guess there’s three main ones, right, like third party sort of incidents like social engineering and that, and BI, right. Sophia Kudlyk: Yes. Jason Contant: So given all these pitfalls, like how can clients, I guess, make sure that they’re properly insured against these pitfalls? Sophia Kudlyk: Absolutely. Well, I’m a little bit biased, but working with a broker who specializes in cyber I think is really, really critical. 
This bridge between the technical and operational, depending on which audience member you’re dealing with on the client side, you really wanna make sure that you’re bridging that conversation between legal, between IT, between the executives and operations. So that often requires the level of depth and understanding and having seen those cases proliferate, right. So what does the claim really look like and how can we apply that to our conversation? So, I think also in terms of while reviewing these changes with businesses and clients, you wanna make sure that you’re rooting yourself in the trigger of the policy. So that trigger could look different for a different industry, right. Most cyber now affects every industry, every size of business, we can all agree on that. But really what we wanna do and dissect is really ensure that the triggers and the exclusions are really looked at in a lot of detail. And upon every renewal, there needs to be a gap analysis that’s being conducted. It’s not just a premium comparison, there needs to be a little bit more of an evolution of the conversation around what changes the organization has seen in the past and where do they wanna go and where do they wanna grow in order to future-proof that cyber solution for them. So, I think a lot of the time, I’m not gonna overcomplicate the answer, but it’s back to basics on coverage. So carefully reviewing those details, not assuming, really reviewing what those waiting periods, triggers, and definitions are. I think that that can be the best form of preparation from the broker side.
Otherwise, if I were to recommend clients, for clients, ’cause a lot of this falls outside of their control, conducting those tabletop exercises and testing those incident response plans and policies within the organization, the more there’s comfort built with that, the easier it is to respond and know what to do, rather than being in a state of panic and reacting you can be a little bit more proactive in understanding what comes next.

Jason Contant: So, do you target it specifically like, okay, here’s a ransomware attack, how would you respond, like phishing reviews, that sort of thing?

Sophia Kudlyk: Yeah, and I think the better tabletops and incident response planning exercises we’ve seen are conducted with legal professionals that are able to tailor the situation based on the industry, the size, and the organization, right. It’s not very useful if you’re speaking to a manufacturer about PII data, right, we’re focused on different types of exposures. So how do we test what the reality could look like in a comfortable simulation?

Jason Contant: Yeah, so also in terms of planning, like what do you think is important for clients from like an incident response perspective?

Sophia Kudlyk: Yeah, so incident response is near and dear to my heart. As I mentioned, I spent a little bit of time there during the pandemic, so I really saw an influx of claims and perhaps even how under-prepared organizations were to deal with the level of sophistication and ruthlessness of cybercriminals. I think right now, speaking to the market conditions and, you know, what we’re up against from an adversary perspective, there’s so many resources available within the insurance policy that…insurers are waiting for clients to take advantage of them. So the uptick on those has been historically low and what we try to encourage as clients is now is the time to really reinvest into what those elements are.
There’s a lot of panels and rosters and great information and resources that are available, but it’s only as good as, you know, as the organization who’s taking them up on that. So you don’t often have to go out and pay for these expensive exercises, try to see what’s included within your insurance policy as well too. That’s the best form of incident response readiness. Speaking of developing that plan and taking advantage of that offering, really wanna make sure that your incident response plan is not just sitting on a shelf gathering dust, it’s actually being tested and improved upon and documented. Contacts change, people move on, both on the company side but also on the vendor side. So really just making sure that those changes are really aligned. And historically, when we’re putting the spotlight on incident response, the first 24 to 72 hours are often the most critical, and the sequence of steps, what it takes to trigger a policy and effective collaboration. So notifying, you know, that breach response team, who is that for you? And getting and understanding what actually has to happen next and where we’re coming from and where we want to go. So, a lot of the time there’s this 1-800 number, we don’t really know where it goes, who we’re gonna get in contact with. So we often try to be proactive with a lot of those introductions so that you’re not meeting the people who are going to help you when the hour, if the hour comes, right. So a lot of the times there’s nuances on insurance policies as well too when it comes to breach response, incident response vendors, breach coaches. There needs to be perhaps an approval necessary, especially if you wanna go off panel. So a lot of organizations, they may have their ideal partner there, but if it’s not vetted with the insurance company there could be an uncomfortable situation where those sunk costs are not covered.
So the reason that is, is because there’s these relationships that are developed with insurance companies over years and years and years, there’s thousands of incidents, there are pre-approved rates as well too. So we really wanna make sure that we’re protecting that client experience as much as we can from the broker and the insurance angle, and the only way we can do that is by validating the partners that we work with and hold them to that standard. So going ‘off panel’ is often one way to get yourself into hot water. And then last but not least, I think regulatory notification timelines, they’re constantly changing by industry, globally, depending on where the organization conducts their business as well too. So having your finger on the pulse as to what they are, what’s required within what timeframes, having that documented in a baseline understanding can, again, help move that process forward a little bit more efficiently.

Jason Contant: Yeah, no that’s really interesting, Sophia, that you mentioned sort of the steps, right, that you have to take because I’ve heard that quite a few times. Like one example somebody gave me was the worst thing you could do is say you have the contact or, like you said, the 1-800 number or the contact of your insurer that you need. Worst thing you could do is have that on your backup system or so, or not even your backup like on your computer and then it goes down and then you’re like, “Now who do I contact?” You don’t have it on paper or anything, right.

Sophia Kudlyk: That’s so true.

Jason Contant: So people have said- Yeah, like, that would be a perfect example of, “Okay, now where do you go?” Or like you said, if you meet them for the first time, it’s a whole new relationship you have to sort of start when you’re at your most panicked level ’cause you just had a breach, for example, right.
Sophia Kudlyk: I completely resonate with that, Jason, and I think that one thing we always recommend our clients is sometimes going back to paper is the easiest way as well too. So one thing that I wanted to make sure I mention is that encrypting your insurance policy and not labelling it on your desktop as ‘cyber insurance policy.’ Again, that’s a sure-fire way to get targeted by threat actors as well too. So really making sure that you’re keeping and storing things in a right place, including your insurance policy, including your incident response plan, making sure that everyone knows at what point they are being tapped in and where to go next. Even simple things like chat, right, chat being disabled or having personal phone numbers documented as well too, if your work computer or work phone is also affected. So it’s these things that you don’t think about until you’re in that situation that a lot of professionals in the incident response field can recommend, common touch points based on the lessons that they’ve learned as well too.

Jason Contant: Yeah, and so you mentioned threat actors, so one of the things I was gonna ask you is, you know, from what I understand, like cybercriminals are kind of adjusting their methods obviously, right, to sort of get around backup systems and stuff like that. So, you know, how do you prepare clients now when criminals are kind of stealing data directly?

Sophia Kudlyk: Yeah, you know, it’s unfortunate, cybercriminals are always evolving a little bit quicker than we are as well too. And I’m glad that you brought up the topic of backups because I think it’s one of the most important sources of protection, especially in a ransomware scenario. However, when these backups are not tested or they’re unviable, you’re really putting your fate back into the hands of the cybercriminal as well too. So it’s not just having those backups, it’s when was the last time that they were tested?
So often, you know, within the cybersecurity community we refer to the 3-2-1 backup rule, which means keeping three copies of your data stored on two different media types with one copy offsite. So that layering of protection really just makes sure that your backups, if they’re in the cloud and you’re unable to access them, you’re not in that really difficult situation again. However, cybercriminals have evolved because backups have been such a great resource and crutch for a lot of organizations who find themselves in that situation. Cybercriminals have evolved in this double extortion tactic now too, so we’re seeing that more prevalent where they’re not just extorting the business to get the data back. Let’s say the organization has that data and they’re like, “We’re good, we don’t need to pay.” Now there’s that additional extortion that’s being levied, which is like, “Okay, you have your data, that’s great, but now we are going to extort you to not publish that data.” So even if you can recover yourself, you’re not out of the blue just yet. There are legal and regulatory implications, of course, if that data has left the door, and what is your obligation as a business if that data were to be published as well too. So, preparing for the legal, reputational, regulatory implications of the ‘threat’ of not to publish as well is really, really important and can’t be overlooked. And clients need to really understand that legally and reputationally, and even from a policy standpoint, what is covered and what are the gray areas of, “All right, we don’t negotiate with threat actors, but we are in a situation too where we are still incurring legal costs in order to deal with the ramifications of that data leaving the door.”

Jason Contant: In terms of ransomware, from what I always hear, like the sort of I guess public policy is don’t pay the ransomware unless you don’t have backups, is what I’ve heard is sort of like that could be an example.
Would you agree with that or…

Sophia Kudlyk: Yeah, so it’s a hot topic for sure, and the way that we anchor the conversation around the pay or not to pay decision is it’s always a business-driven decision, and a lot of insurers are placing that responsibility and the onus of what is best for your business back on them. Of course, you have the support of the legal, professional and forensics team that is able to help you get to a decision and quantify what the cost of making that payment or not making that payment really, really is. If we are turning away from that, what is the cost of restoration and rebuilding and how much time will that take? Does that outweigh what the actual ransom demand is, right? So, overall it depends on the policy. However, I would say that more often than not you will see that decision being placed back on the business with the understanding from the insurance company that we understand that you need to do what you need to do in order to save your business at a certain point.

Outro | Jason Contant: That wraps up today’s episode. We hope you enjoyed the discussion. Thanks for tuning in, and we’ll see you next time on “What’s on Dec?”.