Cyber Savvy
A successful cyber-attack has taken your company off-line. The FBI and CISA have been contacted. What now? As you know, if this hasn’t already impacted your business (either directly or indirectly), it will.
How can you make yourself a harder target, mitigating against cyber-attacks? What does all the terminology mean and why does it matter? What happens if an attack is successful?
Join DTC, Inc. as we outline, in a straight-forward manner, many of the issues surrounding cyber security which directly impact business owners. Our Cyber Savvy podcast episodes feature Mike Shelah as he brings in a new guest each month.
New episodes will be posted twice a month on the first and last Thursday, make sure to follow and subscribe wherever you listen to your podcasts, so you don't miss new content!
We would love to hear from you! Please send us your comments and questions to: AskUs@DTCtoday.com
Cyber Savvy
The Role of Cyber Insurance in Your Business with Steve Heller | Part 1
In this insightful episode of the Cyber Savvy Podcast, host Mike Shelah welcomes his longtime friend and insurance expert Steven Heller to discuss the critical role of cybersecurity insurance in today's business landscape. As a self-proclaimed "compliance nerd," Mike explores how proper insurance coverage represents the fourth pillar of his cybersecurity framework for businesses.
Steven shares his journey in the insurance industry and provides valuable perspectives on approaching risk management as an investment rather than merely an expense. The conversation touches on how insurance needs evolve alongside business growth, the importance of accurate information in insurance applications, and why proper attestation matters when securing coverage.
Tune in to discover practical insights that could save your business from unexpected financial impacts in an increasingly digital world.
Want to hear more? Past episodes are all posted, including on YouTube! Follow and subscribe on your favorite podcast app to ensure you don’t miss out on the conversation!
Mike Shelah (00:00)
Hello everybody. And welcome to the cyber savvy podcast. I am your host, Mike Shelah And the cyber savvy podcast is powered by DTC to learn more about us. Go to www.dtctoday.com and remember at DTC, we make IT work. All right. So I am really excited for today's guest for a number of reasons. If you've been listening to the show,
you know that I am a compliance nerd and that that's the next level of cybersecurity where you're following a specific framework around how you protect your business. And when I talk to potential clients,
I have four questions that I always ask them and I say to them, if you can answer yes to all four of these questions, then you don't need my help. You're doing a great job. And we're going to focus in on question number four today, which is,
does your company have a separate and distinct cybersecurity insurance policy? And I couldn't think of a better person to have on the show to talk about that than my dear friend, Steven Heller. Steven, thank you for being on the CyberSavvy Podcast. It's great to have you today.
Steven Heller (01:19)
know, great to have you, great to be here and looking forward to the conversation.
Mike Shelah (01:25)
Yes, yes, yes. All right. So Steven, as I told you in the green room, the very first piece of the show is called Business Person. You run a business, a successful cyber insurance policy business, as well as other lines of insurance. We'll get a little into that as well. But first and foremost, you are a person. So tell us something fun or interesting or maybe not on the back of the cereal box that we wouldn't necessarily know about Steven Heller if we saw him walking down the street.
Steven Heller (01:53)
Well, appreciate the question, and it's interesting, I do get this often. And, cause, you know, when you look at the journey of life, you know, I go back to what we're gonna take with us, and those are just experiences. So, in our personal lives, in our working journey, it's an experience. And...
As I've gotten older, one of the things that I've really, really embraced is nature. A passion of mine, other than insurance and helping people, is really connecting with nature. And over the last 12 years, for those who know me, I am an avid hiker. I enjoy whether it's just a local park that I've just become very attached to.
here in Baltimore County, or I had a great experience a few summers ago where I hiked through the Swiss Alps. And that was a guided tour, but all of that really, again, you talk about quality of life. And when you're out there and you're able to...
reflect and look at things more holistically. And that's what nature does. Nature allows us that pause where we can just take in the clean air and through your lungs, but be able to really think clearly. And really when you look at our challenges today, just as humans, is how much information can we filter? And so what nature
provides is really just that relief. It provides that filter to really help and so I really enjoy it and you know just it's becoming a big part of my life.
Mike Shelah (03:47)
That is fantastic. I must say, I don't know if you've ever talked about that with Andrew Rose, but a friend of the show and the former host of the Cyber Savvy podcast, but Andrew gets out there and gets after it. He's big into discovering and identifying different mushrooms and fungus. And he was telling me that a couple of times a year he...
Steven Heller (04:01)
Mm-hmm.
Mike Shelah (04:09)
completely goes off grid, like no cell phone, nothing, has a backpack of supplies and just lives that way for a couple of weeks, just so he can re center himself. So it sounds like the two of you have some interesting symmetries.
Steven Heller (04:23)
We do, we do. So thank you for that.
Mike Shelah (04:25)
So to get into today's conversation for
our audience, this was catalyzed by Steve and I reconnecting a couple of weeks ago. And Steven and I met hard to believe about 10 years ago at a university of Baltimore event, where they had asked different entrepreneurs to come in and mentor the students and just give advice and insight.
And I remember one of the times that I did it, Steven was there as an alumni and he had been asked to participate. Fantastic event because you get to talk with the future of our business world and hopefully they can learn from our mistakes, but hopefully we can give them some good insights as well. So Steven and I have been good friends for a decade now. And when we reconnected a few weeks ago, we were
on that business referral element, what are you working on? Here's what I'm working on, reconnecting. And we got on the topic of cybersecurity insurance and how it has really evolved over particularly the last five years. There's been an acceleration to how the product
works. So Steve, why don't you give us a baseline for your firm, how you serve the community overall, and then we'll go a little more specifically into the cyber insurance side of the world.
Steven Heller (06:00)
Yeah, so our firm, we started in 2009, and it was just myself at the time.
One of the reasons why I went into private practice, wanting to open up an insurance brokerage, is prior to that, my experience has been on the corporate underwriting side. And you hear the term underwriting, and so what does it really all mean? And really, that was the impetus of why...
I wanted to go into private practice because in our business it's very technical in nature and cost seems to be the common denominator of what we all understand. My whole goal in all of this in helping people really bring meaning behind what you're paying for.
And so when we went into practice, I was just myself, a vision, a passion, and a dream. But one of the things that really stood clear to me was the approach in our business is when we look at looking at and understanding exposure. Do you understand exposure? Do you understand what risk is? And more importantly, if an event were to occur,
is the policy that you currently have going to protect you. And so that opens up a lot of dialogue and really the impetus of why I started the practice because I would spend a lot of time with individuals, businesses, whether it be startups, whether these would be established businesses. And...
What I've come to find out is there's a lot of unanswered questions. And my role has really evolved into kind of being that tour guide, if you will.
To really help people, businesses, really make the right decisions, and ultimately it's your decision, my goal really is to make sure that you have the proper education. So taking that a few steps forward, that was at the beginning of 2009, and fast forward, today we have four practice areas within risk management and insurance. So we have a residential, a personal insurance
Division. We have a Commercial Insurance Division. We also are able to help our clients with life, disability, and long-term care needs.
as well as employee benefits. And so those verticals have really evolved based on what our clients' needs are. And being more of a boutique risk management independent insurance brokerage has really allowed us to become more holistic with our clients. And so for that, we've built a really nice platform. And to your point, Mike, being in the community, a resource to be able to help individuals and businesses become better protected.
And one thing I think the common theme that I've come to understand, it's not about being overinsured, it's not being about underinsured, it's really about having the appropriate levels of coverage. Because let's face it, at the time of claim, you're thinking, I paid for a policy and I expect my claim to be paid. And that's where a lot of conversations can.
start, but as I always say, at the time of loss, that's not the time to review your coverages. So really, that's kind of a starting point for us and really able to help folks out here.
Mike Shelah (09:40)
Yeah, I love that breakdown. So thank you because I tell people all the time that I'm in the risk mitigation business as well. And I'll look at this through the lens of a business owner for just a moment. There's a lot on the plate of a business owner. You look at, you're selling a product or service. Every business is doing that.
You may be selling products, you may be selling services, but the core of a functioning business is selling a product and or a service. And with that comes a lot of decisions. Am I going to be a brick and mortar business? Am I going to be a virtual business? Will my clients be local? Will they be regional? Will they be national? Will they be international?
Because every time you change the answer to just that question, your risk changes dramatically. And every time you add another element, am I going to have employees? That changes your risk profile. Am I going to have company owned vehicles? That changes your risk profile. Am I going to pay for my employees to travel via plane, via train?
that changes your risk profile. there are, if I keep going, I can probably list another hundred things that every time you add that question or answer that question, it changes the risk profile. So if somebody bought one of your insurance policies five years ago, it's probably, the needs are probably radically different than they are today, right?
Steven Heller (11:29)
I couldn't agree more. I connote it to tires on a car. Over time, if it's not capped up or it's not maintained, it comes out of alignment. And so this is a great point, Mike, because this is what we see oftentimes. Even policies that we write in our office for clients,
If there's not a proactive approach to making sure that we're keeping up with exposure, but more importantly, that we have mutual agreement from the clients that we serve that we are going to communicate around those changes, only then can we properly advise. And to your point, insurance is one of those things where, again, we can note it to expense.
I would just start to change that thinking a little bit, and it's not meant in a self-serving way. When you've worked hard for what you have and you have assets to protect and liability to protect, it's really important to view your insurance expenditure more as an investment in your business.
And when you look at it like that, when you are looking at budgets, you're working with your financial partners. I would emphasize the fact that let's start looking at insurance as an investment. And we hope it's the worst investment you'll ever make, because we don't want it to pay off. But all that being said, let's not view this as a drain on the balance sheet. Let's use this as a prerequisite.
to ensure our success, to make sure because at the time of claim, that could cause more financial impact if the right plan isn't in place.
Mike Shelah (13:27)
Yeah, I wholeheartedly agree. One of the things that we do at DTC, which I'm guessing is very much in alignment with your customers is what we call the quarterly business review. Now, most of our customers don't want to do it. Like, I don't have time, but understand that your business changes.
on almost a monthly basis. So every time you hire a new employee, that changes the trajectory of your company. And from our end, that's as simple as, okay, you just hired Bill. Is Bill getting a laptop or does Bill need a PC? Okay. Bill's going to have credentials for his Microsoft email account.
He's probably going to have credentials for software in the company. That could be accounts payable. That could be accounts receivable. That could be a CRM. That could be software that is used to service our clients. So every time you hire someone that shifts a lot of things and just on your end, you have one of your customers hires a new employee. Well, are they going to take
the medical benefits that your company offers. Are they taking it for themselves? Are you taking it for them and their spouse? Are they taking for them and their family? Are they taking the life insurance plan? Are they taking just the baseline that's offered by the company? Are they taking on, are they asking for additional? Do they want long-term disability? Do they want short-term disability? What's the value to that? Because somebody that's 25 years old is going to look at that very differently from someone that is 55 years old.
Steven Heller (15:08)
And that is absolutely correct. Because again, looking at from the lens of where we are in the life cycle, going back to exposure, what needs to be covered today versus what we should be looking at the future.
In my opinion, that just takes more proactive planning. Again, this isn't difficult, but I go back to communication being the lead on helping us on the risk management side when there are changes that may occur. You bring up some good points and while going back to the business owner being one, it's, this is just another piece of paper and you're just getting.
Mike Shelah (15:52)
Thank
Steven Heller (15:57)
get caught up in this sort of like, just going through motions because you wanna get through your day. Well, you know, I have to throw caution to the wind on that because when it comes to insurance protection and things that you are signing and attesting to, which is critical, which we'll get into, is that, you know, is what you're attesting to the reality? Or are you just signing an e-doc just to get it through your day?
very impactful if we don't truly understand the ramifications if those documents aren't represented accordingly and in acceptance with the carrier's policies.
Mike Shelah (16:42)
You just said the magic word and I want to spend some time talking about it. Attestation, because in the cybersecurity world, attestation has become a big topic. And we'll get a little more into that, into the second segment. But you know, I just, I would like you to unpack that a little. And from your perspective, attestation for your customers, you know,
To me, that means you're, you're taking personal liability for the things that are in the document. And is it as simple as that? You know, give, give us your thoughts on word attestation as it applies to insurance today.
Steven Heller (17:22)
Yeah, you know, it's interesting. When you procure an insurance policy, and I'll broaden this conversation and we'll drill down more in the cyber realm, it does start with an application or a questionnaire.
Mike Shelah (17:39)
Yeah, they don't just give it to you. They ask you a bunch of questions to know where you are. What's your risk profile?
Steven Heller (17:42)
Correct, correct. It's not like, you need
cyber coverage or you need home coverage or whatever it is. We're not just giving you a proposal, right? We are procuring information from you, the client. And that information is a testament. And it goes on record and can be reviewed at the time of.
as your word, and by the way, with every insurance application, there's all these legal disclosures on there. And so you are now having to sign that. And in the world of eSign, which I, you know, again, I put myself into the same equation. You know, have I been guilty of just clicking and signing? Well, I would just caution that take time to read what you are signing.
specifically in the risk management and the insurance field, because everything starts with the application. And by the way, it ends with the application at the time of claim. Because at the time of loss, what are the adjusters going to be looking at? Well, I can tell you specifically in cyber, they're going to be looking specifically on how those questions were answered.
Mike Shelah (18:50)
You
Steven Heller (19:06)
and if those questions were not answered correctly, this is where we see, and I'll again broaden this conversation out, I'll argue that 99%, and I'll go that high, of claims that are actually denied or diminished, and yes, you get into some valuation, and that I believe is somewhat of a negotiation if,
the claim isn't valued correctly. But I'm just talking on the premise of is this a covered loss or not? If the application, is your testament to what you do and how you protect the carrier, and by the way, that's how they're pricing your policy based on how you're representing those answers.
And at the time of claim, if that's very different, well, you may be surprised that that could be a denial of coverage if those questions aren't answered accurately. And being able to represent, because again, most carriers, if they feel that that testament is not correct or it doesn't correlate, will what they call reserve rights.
and they'll provide a reservation or rights letter. And when you receive a reservation or rights, it doesn't mean they're denying, it means that, we need to look into this a little more. And so that's why I go back to where it starts and stops with the information that's being exchanged between the insurance broker, which is us, and the
Mike Shelah (20:53)
Yeah, I'll give a great example of that. There's a, there's a big box life insurance company out there that will let you sign up for their life insurance by basically asking, answering five or so basic questions, but beyond a certain dollar amount of insurability, they will also ask for
a medical review. So they'll ask, you know, when was your last physical? We'd like to see the documentation of that. Do you have any pre-existing conditions? Are you a drinker? Are you a smoker? Are you 25 or are you 55? Are you married? Do you have children? Do you work in a coal mine or do you work in an office? Because all of these things impact the dollar amount that they're willing to insure you for and equally what they will charge you.
to for that insurance. And I say that because I think when it comes to insurance, that's probably the most relatable that anybody on the street can understand. yeah. When I applied for insurance, I could get a quarter of a million dollars without a physical, but beyond that, anything above that, they wanted me to have a physical or, and everybody's got all the companies have different rules.
which is why, you know, getting insurance, life insurance through your employer is helpful because you get sort of that baseline where you don't have to jump through all those extra hoops. get a, because, and the reason most people aren't aware of is because you're now in a pool. It's now not just you, you're in a predetermined pool that's been vetted and the risk has been distributed out. So the 25 year old that I work with is offsetting me as the 52 year old to a certain extent and they're transferring their risk out.
across the pool. I'm getting kind of nerdy about insurance, but when people talk about that, you, that's a big part of the challenge and you, as an insurance expert dealing with a lot of smaller businesses, you know, that risk pool, it's harder to distribute the risk and give everybody a balanced
quote, it really does almost come down to an individual case basis. When you're talking five, 10, even 15 employees, there's less of an ability to distribute the risk across the group.
Steven Heller (23:16)
I would agree with that. going back to more of the entry point, working with small business, it's really interesting because in the insurance underwriting process, and underwriting is really just, hey, let me procure information that the carrier is requesting.
and supporting documentation that we can adequately price your risk for the exposure. And going back to, are you really ready? I understand, hey, we don't wanna pay a lot for this. That's, recurring theme, understand. So I think it's really important to understand what can be purchased.
We talk a lot in my business about what we can't do and exclusions, conditions, and all the things that are really substantive at the time of claim. But I go back to approach being the key differentiator here. If we talk to a client that may not be, they may not check all the boxes, right? Because that happens where we'll meet with a client and they'll say, well, you we don't have a firewall or we don't.
have an MSP or we don't have a particular protocol that could be based on eligibility or based on procuring a particular coverage if they don't meet a certain requirement, then I think it's also important to revert back to what we can do today. Because I do believe
that hey, we may not be able to, based on what that company or individual is doing today, we may not be able to procure all of the vital coverages. So what do we need to do to get there? And I feel that it's really important as insurance advisors, advisors, business consultants, whatever capacity that we are, that we help
direct and lead businesses that if they really are interested in going back to what I was saying earlier, investing in protection, then we put the path and we create a path for them that, hey, maybe we won't be able to do anything today. Maybe we can. Maybe these are the things we can do. However, if you're willing to do X, Y, and Z,
then we can move forward. So I believe a lot of this is just educating on the process. Our biggest value that we serve the clients is, and this is the question that we're posed with, how do we attract more carriers to compete for your business? And this was a conversation we had a few weeks ago. It was an internal conversation.
This is the nice part about life in general because there's all these revelations. It's like, wow, I never really thought about it like that. I never thought about, you well, what is your, you you hear, well, how do you differentiate yourself or what's your value proposition? But then you come to find out is, hey, we are in a great space right now because we work with a lot of carriers. But I have to tell you that not all carriers are gonna want your business. So how do we get there?
And so really paving that road of saying, okay, maybe we check nine out of 10 boxes, great. Maybe we only check two out of 10 boxes. Okay, not a problem. But in order to obtain the result that you're looking for, these are the protocols. I feel long-winded there, but just to help guide the process to a better end result.
Mike Shelah (27:17)
Steve and I love it. So let's wrap up this segment here today. And in our next segment, really, because everything you just said is applicable to the cyber insurance. And we're going to talk about that in our, in our next conversation. But for our audience, it's been listening today. What's the best way to get in touch with you and your team to engage with you? How, how should they go about doing that?
Steven Heller (27:42)
Yes, so easy to get a hold of us. We have an easy web address, insurance at hellercoats.com. That's just our email. It's monitored all the time. My direct email is steven at hellercoats.com. And feel free to call me, my direct office line, 443-471-8614. I'm always available.
Mike Shelah (28:08)
we'll make sure all of that's included in the show notes as well. Steven Heller, thank you so much for being on this episode. And we look forward to continuing the conversation with you next episode. And for our listening audience, thank you for listening to cyber savvy to learn more about us. You can go to www.dtctoday.com. Cyber savvy podcast is powered by DTC. And remember at DTC, we make IT work. Talk to you soon.
Steven Heller (28:10)
Thank you. Thanks.
Wonderful, thanks.