An Interview with Christine Wiktor, Cyber Insurance Artwork

Legally Bond

A legal podcast on all things law and those who practice. Hosted by Kim Wolf Price. Presented by Bond, Schoeneck & King. For more information on Bond visit bsk.com. If you have any questions, want to speak with someone from the firm or have a suggestion for a future topic please email legallybond@bsk.com.

All Episodes

Legally Bond

An Interview with Christine Wiktor, Cyber Insurance

January 27, 2025 • Bond, Schoeneck & King PLLC

This special episode of Legally Bond is a part of Bond's 2025 Countdown to Data Privacy Day. Bond's cybersecurity and data privacy practice group co-chair, Jessica Copeland, speaks with Christine Wiktor, Area Vice President for Gallagher. Christine discusses how cyber insurance is crucial for organizations in today’s digital landscape and provides best practices for responding to cyber incidents and engaging with insurance carriers.

Speaker 1: 0:07

Hello and welcome to Legally Bond, a podcast presented by the law firm Bond Chenick King. I'm your host, kim Wolfe-Price. Today is a special episode as part of Bond's 2025 Countdown to Data Privacy Day.

Speaker 1: 0:19

First recognized in 2007, world Data Privacy Day is actually an international effort to raise awareness about data privacy and to encourage the protection of personal information online. So every year, bond, led by our cybersecurity and data privacy group, counts down Data Privacy Day with a targeted series of privacy-related articles that span a variety of practice areas and disciplines. This year, bond is going to explore topics such as employee cell phones, ai tools, challenges faced in financial, health care and educational settings, and much more. Jessica Copeland, co-chair of Bond's Cybersecurity and Data Privacy Practice Group, is guest hosting today's episode and is interviewing Christine Wichter, area Vice President of Gallagher and International Insurance Broker. So they're going to talk to you today about the importance of having cyber insurance policies in place for organizations of all sizes and the process of engaging with your agent and policy during a cyber incident. So many thanks to Jessica for once again stepping in as a special guest host and we hope you'll enjoy this episode.

Speaker 2: 1:31

Hello and welcome to a special episode of Legally Bond. I'm Jessica Copeland, chair of the cybersecurity and data privacy practice group at Bond, and we are here today, as part of our rollout of Countdown to Data Privacy Day, with a special episode on Legally Bond talking about cyber insurance. And who better to have that conversation with than Christine Wichtor, area Vice President at Gallagher. Christine, thank you for spending the time with us today and welcome to our podcast.

Speaker 3: 2:02

Thank you, Jessica. I'm delighted to be here talking to you.

Speaker 2: 2:05

Well, I'm sure that you and I are familiar with each other's backgrounds, but for the audience's sake, can you just give a little bit of background of who Christine Wichtor is and what Gallagher is?

Speaker 3: 2:15

Sure. Thank you, jessica. Again, I've really enjoyed getting to know you over the past couple years. We met when we were working together on a cyber panel several years ago. At that time, I was with M&T Insurance Agency. It was a subsidiary of M&T Bank, but on November 1st of 2022, m&t Insurance Agency was acquired by Gallagher. Gallagher is the third largest insurance broker in the world. This was a huge change for me, because I'd worked for M&T for 21 years. Two years plus later, I'm really proud of the work that my team did at M&T, but I could not be happier to be part of Gallagher's family.

Speaker 2: 2:50

Well, and it's great to be on a larger platform because it gives you access to a broader customer base and really a focus on insurance. Sorry to interrupt you, but you're listening to me by now.

Speaker 3: 3:02

Well, you actually cut into exactly what I was going to say. The resources available to me through the Gallagher network are night and day. It's unbelievable what resources I have and for being such a large company, I also have had direct access to Gallagher's market leader within the cyber practice, which is great for me to be able to go right to the top. He's brilliant and he's always willing to help me and my customers. Additionally, as part of being Gallagher, we are now partnering with our New York City office as far as placing our cyber insurance, which just helps with a benchmark of our market strength within the industry.

Speaker 2: 3:37

That's wonderful. So let's get into the real details of our conversation and we'll start on sort of like the more general sense. What trends are you seeing as we enter 2025, but really emerge from an excellent year of learning in 2024 in terms of obtaining cyber insurance coverage for your organization?

Speaker 3: 4:00

I can start with some really good news. So the market in cyber insurance really stabilized in 2024. And in looking forward, it looks like it's going to go that way moving forward, which is wonderful. There's additional capacity. Believe it or not, insurance cares continue to enter the cyber insurance marketplace, which means more competition and better pricing for my customers. We still are seeing ransomware and business email. Compromise claims are pretty prolific within the industry but, like I said, it's not to the point where insurance carriers are raising their rates or cutting capacity, which is wonderful.

Speaker 2: 4:35

Yeah, and I would echo that. I've seen and I'll say there's something consistent about data breaches, which is there will always be the next data breach. But the ransomware attacks towards the end of the year really started to uptick in my view and my experience, as well as business email compromises. But fortunately, a majority of our clients did have cyber insurance coverage, which helps to at least mitigate some of the costs associated with a data breach. And while I don't throw the word breach around easily, they were confirmed data breaches as I'm referring to them right now, so otherwise I would have called them incidents. So let's talk a little bit about the application process, especially for clients that may not be as familiar with what it takes to obtain cyber insurance, or for those that are maybe even just a startup organization that recognize the priority that should be placed on obtaining cyber insurance and what that process that looks like. So maybe a step-by-step of applying for coverage, if you could.

Speaker 3: 5:38

So initially I suggest you assess your needs first. Often I see companies purchase needs based on their contractual demands and I appreciate this is an important part of doing business. But I urge my clients to review their needs to make sure they're purchasing how much coverage they think they need. There's several ways to assess this. You can work with an agent or there's other tools to determine really what limits you should be purchasing, based on your exposure and your risk tolerance levels. I have some customers that prefer to take on higher limits knowing that they sleep at night, and same with retention structures too. Some do prefer to purchase coverage knowing that they're going to pay a higher retention, knowing that there's a reward in the form of a lower premium.

Speaker 2: 6:21

Maybe we could dig into the assessing what your organization needs. I find that there are clients that may be on the small side from an FTE standpoint but a large size organizations that are small in scale but maybe large for the type of data that they process. And how do you help navigate that?

Speaker 3: 6:54

I do. So that's why it's important to really rely on a benchmarking tool that really can help assess your needs and again it goes back to what you're required to carry contractually, and sometimes I do tell my clients to push back if I think the needs are in excess of what their true exposure is and your risk tolerance levels, and also what controls you have in place too. So that's working with people like you, that's working with technologists to see what controls you have in place to prevent a claim from happening in the first place.

Speaker 2: 7:21

And when we talk about finding the right policy for your organization, you know often I've heard well, we can't really afford to add any more coverage, we can't afford cyber insurance. It's way too expensive. At this point, can you just talk about really what the cost of a $1 million policy versus a $5 million policy, versus a $10 million policy is for the audience?

Speaker 3: 7:43

Sure, I mean. There's a lot of variables involved in how your policy is going to be priced, based on your exposures, your controls. Mfa is still number one as far as obtaining coverage at reasonable premiums. If you don't have MFA, we can find you coverage, but you're going to pay for it. But I've been successful in placing million dollars, which is an entry level limit policy, at $1,500, which is really inexpensive and a lot lower than we saw a few years ago. So if in the past you were reluctant to purchase coverage because it was cost prohibitive, please go back to the market and see if you can find something, because you might be pleasantly surprised by the premiums.

Speaker 2: 8:23

And we kind of are fast tracking this conversation because we have a limited time today, but you did mention MFA and you know it's one of my favorite acronyms when we talk about the importance of MFA. Is it considered a baseline point of security for an organization to have in order to obtain coverage?

Speaker 3: 8:43

Absolutely. As I mentioned, there's only a few insurance carriers that will even entertain providing quotes for a company if they do not have MFA, because it is such a baseline. They feel like if a company is not willing to invest in MFA, they're not sure they want to protect them because they might be pretty risky.

Speaker 2: 8:59

And the carriers will know whether or not an applicant has multi-factor authentication in place or other security measures in place at the application process right.

Speaker 3: 9:10

Correct? That's going to be a question on every single application. In fact, some carriers have you sign an attestation form, so you're promising that you do in fact have MFA. If it's found that you do not and there is a claim, there's a strong possibility that claim will be denied. So it's important that you're truthful on your applications is a strong possibility that claim will be denied.

Speaker 2: 9:29

So it's important that you're truthful on your applications. And what other kind of fundamental security measures could be in place at the application process? Or maybe a better question is what other topics does the questionnaire in the application cover in terms of the practices in place at the organization trying to get cyber insurance?

Speaker 3: 9:53

There's a lot of standard questions, but the one that stands out to me right now is the strength of your backup systems. A recent claim that I had, a client had a really strong backup system. So they did end up paying a ransom, but it was significantly less than what the original demand was and primarily it was because they could almost turn off their system and turn on their backup system and they lost little data. So that is something that's almost as important now from the insurance standpoint as MFA.

Speaker 2: 10:17

And that makes sense, especially in some industries like manufacturing, where their entire process would be halted if their systems are down and they didn't have a backup to start processing their widgets, if you will. So that makes perfect sense. What about employee training or password recycling or patch management? Any of those areas touched on in the questionnaire?

Speaker 3: 10:42

Absolutely, so I would suggest that you engage your IT team, either in-house or outsourced, to help you complete the questionnaire, just to make sure that you're answering everything, and it also could raise questions with your IT team. Hey, we don't have a patch system. Should we implement one? Great point? So?

Speaker 2: 11:00

let's pivot a little bit, to be more industry specific, and I'll give you an example how would you advise a small not-for-profit to be prepared for the application process and what to expect in terms of the affordability of cyber insurance?

Speaker 3: 11:19

As I mentioned before, if it was cost prohibitive in the past, I strongly recommend you reconsider searching for cyber insurance the marketplace I'm going to say this again, which is good news. It is stabilized significantly and the premiums are affordable. A not-for-profits in particular potentially could look for grants for funding options, and I would recommend that you talk to your finance team about allocating a part of your budget specifically for cyber insurance, because it really is. It's a great investment. It's transferring your risk for in many cases is a low premium.

Speaker 2: 11:52

Excellent. Well, christine, you and I have been on many panels and we talk about what our clients and customers think of late at night, when they can't sleep, and one of those is what do I do in the event of a data incident? What's the first step and how, if I have insurance, do I actually trigger or notify the carrier of the data incident?

Speaker 3: 12:19

One of the best things about having a cyber insurance policy is you have someone to turn to immediately. Most all of the cyber insurance carriers these days have 24-7 lines that you can call. A bad actor likely is going to strike when they think you're most vulnerable so, say, friday at 11 o'clock at night, sunday during a Bills game, perhaps because they want every opportunity to get you while you're down. So you can call this number 24-7. It's manned by specialists. This is all that they do and they can help you determine what the next step is. I've had customers who have called the line and it turned out that it was nothing, but they still found value in knowing how to remediate what they thought had happened. And if they do need to move forward with more specialists, the adjuster on the other line can help them get that set up.

Speaker 2: 13:03

And just to be clear, just calling that 24-7 number does not have the impact of filing an official claim on your insurance. Is that fair?

Speaker 3: 13:13

That is fair to say and they prefer that you call because if there is something they want to work to stop whatever is happening as soon as possible.

Speaker 2: 13:21

Well, and there are also many coverages that if you say don't call the 1-800 number, the 24-7 number, and have the approved forensic panel onboarded at the time that the incident is happening, that you might not be able to obtain coverage for any forensic costs related to the incident because you didn't first use the computer company that your cyber insurance has pre-approved. So that's really critical in terms of why you need to call that number first and foremost if you're in the midst of an incident.

Speaker 3: 13:57

Precisely. I have had clients early on in my career that the cyber was still new to them, so they tried to engage with their current IT professionals and unfortunately that was not covered. The cyber insurance industry wants to make sure that they're working with people who are qualified to handle the situation as promptly as possible. So you're spot on. You really need to make sure that you are set up with the appropriate representation right away by the insurance carrier.

Speaker 2: 14:23

Excellent, all right. Well, as I mentioned, we have a rather short special episode today, so before we go, can you maybe just give a few best practices or takeaways for procuring the right coverage for your organization?

Speaker 3: 14:37

Sure, my pleasure. I suggest that you truly understand your organization's cyber risks and vulnerabilities. If, like again, I can't stress this enough it's very reasonable these days. So if you are not purchasing it, I strongly consider to look for coverage. Not all policies are the same, so it's really important that you're working with an agent that truly understands how each insuring agreement will respond in the event of a loss.

Speaker 3: 15:02

A lot of other insurance coverages have forms that are standardized in the industry. With cyber, they're all proprietary still, so some of the instances that you want to be careful of are the ransomware limits, the business income limits, the contingent business income limits and the business email compromise. Those, in particular, you want to make sure are adequate for what your two exposures are, and then continue to monitor. What do you need moving forward? Sometimes a policy might outgrow, sometimes there's new coverages that might be on that are available in the marketplace and lastly this might come as a bit of a plug for you Cyber risk is more than just purchasing insurance, so you want to make sure that you continue to strengthen your cybersecurity posture with legal and technical experts. Your insurance carrier doesn't want to pay a claim, any more than you don't want to have a claim, so you want to do everything you can to prevent something from happening in the first place.

Speaker 2: 15:54

Excellent points, christine. Thank you so much. Thank you for your time. I do hope and expect that our audience will find value in it for sure, and I also want to thank our lead host here at Legally Bond. Kim Wolf Price is typically the one asking the questions. I had big shoes to fill. She's excellent at it, so I'm honored to be the temporary host today for this special episode. So thank you, christine.

Speaker 3: 16:18

Thank you.

Speaker 1: 16:24

Thank you for tuning into this episode of Legally Bond. If you're listening and have any questions for me, want to hear from someone at the firm, have a suggestion for a future topic, please email us at legallybond at bskcom. Also, don't forget to rate, review and subscribe to Legally Bond wherever podcasts are downloaded. Until our next talk, be well. Until our next talk be well.

Speaker 4: 16:45

Bond, schenick and King has prepared this communication to present only general information. This is not intended as legal advice, nor should you consider it as such. You should not act or decline to act based upon the contents. While we try to make sure that the information is complete and accurate, laws can change quickly. While we try to make sure that the information is complete and accurate, laws can change quickly. You should always formally engage a lawyer of your choosing before taking actions which have legal consequences. For information about our communication, firm practice areas and attorneys, visit our website, bskcom. This is attorney advertising.