There’s no denying that cybersecurity risks in the workplace have increased exponentially in recent years. From the pandemic causing employees to work from home to Russia’s invasion of Ukraine, organizations are more vulnerable than ever.
That’s why it’s crucial to understand how to best protect yourself and your business.
On this episode, Eric Jesse, Partner at Lowenstein Sandler LLP, joins the show to give an attorney’s perspective on the importance of cyber liability insurance. Eric talks about protecting your company as a policyholder in today’s new landscape.
Join us as we discuss:
- Why companies should have their cyber liability insurance policies reviewed by knowledgeable attorneys
- Strategies for improving your security posture to reduce premiums
- How best to ensure your Cyber Liability insurance dovetails with other insurance policies to confirm you are covered across all types of cyber incidents
To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here.
If you don’t use Apple Podcasts, you can find all our episodes here.
Listening on a desktop & can’t see the links? Just search for The Virtual CISO Podcast in your favorite podcast player
Speaker 1 (00:06):
You’re listening to The Virtual CISO Podcast, a frank discussion providing the best information security advice, and insights for security, IT, and business leaders. If you’re looking for no BS answers to your biggest security questions, or simply want to stay informed and proactive. Welcome to the show.
John Verry (00:26):
Hey there and welcome to yet another episode of The Virtual CISO Podcast with you as always, John Verry, your host, and with me today, Eric Jesse. Hey, Eric.
Eric Jesse (00:36):
Hi. How are you doing, John?
John Verry (00:37):
I am doing well, sir. It’s a Friday afternoon looking forward to a good weekend. I’m sure you are as well. And you were kind enough to record this at 4:00 to 5:00 on a Friday night, so we’ll try to get you out of here on time. Okay?
Eric Jesse (00:47):
No, happy to do it.
John Verry (00:49):
So always like to start super easy. Tell us a little bit about who you are and what is it that you do every day?
Eric Jesse (00:55):
Great. No, thank you. So I’m a partner in Lowenstein Sandler’s Insurance Recovery Group, and I’ve been at the firm for 12, almost 13 years now. And we like to say that we’re on the side of good and righteousness, because we fight the good fight by representing only corporate policy holders in coverage disputes, against insurance companies. And so we handle all types of coverage disputes under all types of policies, whether it be directors and officers, professional liability, reps and warranties, and pertinent to our discussion today, cyber insurance.
And John, I do like to tell the story that when I was a 3L in law school, I signed up for an insurance law class and I had realized I had enough credits to graduate, so I said, “Insurance law, I’ll never need that.” And so I dropped the class, but here I am today as an insurance lawyer. And I was drawn into this area I think in part because the variety of the work, you get to touch so many different industries, practice areas, you see different issues. So this is the variety that is the spice of work life at least.
John Verry (02:06):
Yeah, it is nice working in any vertical that has lots of dynamic, doesn’t change. Otherwise it’s easy to get bored. Information security is an awesome field for that reason. I was explaining, my daughter’s coming into information security, she graduates this year. And I was trying to explain to her, even when you’ve been doing it as long as me, every day, 20% or 15% of what you do is brand new. So I’m sure it’s the same with you which keeps it fun. Before we get down to business, we usually ask, what is your drink of choice?
Eric Jesse (02:37):
All right. So this might be my favorite question of the day. So, it varies over time. I like to switch things up, but I do enjoy beer. And on the beer side, I’ll say I’ve recently gone back to my dad’s German roots and have been enjoying some German beers. And on the spirit side, I’m a fan of bourbon, so sometimes neat, sometimes an old fashioned and in the spirit of the Kentucky Derby being upon us, certainly a mint julep.
John Verry (03:08):
You know what, I don’t know that I’ve ever actually had a… I’m a bourbon guy, as you probably can see from the shelf. And I’m also a beer guy, we drink a lot of… The fun thing about beer is that it’s become a family thing where I’ll go to a different micro brewery or we’ll go to a bar that has 20 or 30 different types of really good fun microbrews on tap. And you sample them and it can really be something which is an awesome family event. You know what I mean? So I’m getting lucky enough that my kids of the age that they can imbibe. So it’s brought a whole new dimension to the family.
Eric Jesse (03:43):
Excellent. I have a few years before we’re there with my kids, but I’m sure we’ll get there.
John Verry (03:49):
You’re going to get there faster than you think. I can tell you that. All right. So you mentioned cyber liability insurance, which is why I asked you to come on the podcast today. So one of the more significant challenges from the pandemic is how work from home changed information security and security architectures. By creating more opportunities for more malicious people to do more malicious things. The numbers were staggering. Something like ransomware attacks hit 37% of all companies last year. You see numbers like 20 billion dollars. Now of course, many of these attacks ended up in claims against cyber liability insurance. So now we’re paying the price, because I’m chatting with clients and I’m hearing, “We might not renew our cyber, it doubled.” Or, “My cyber tripled.” What are you seeing?
Eric Jesse (04:40):
Yeah. So the answer is a lot and there’s a few things here that we’re seeing in different ways. So one thing is I always describe cyber insurance as the Wild West because the risks and their severity, they’re always changing when the insurers have to try and keep up with that. So they need to constantly be changing their policy forms, endorsements, their underwriting process. So cyber risks are obviously on the rise. The pandemic exacerbated those risks. Work from home certainly did as employees were using their personal and not work devices. And now we have the Russian invasion of Ukraine and insurers certainly have concerns about increased attacks as a result. And the president, a few weeks ago, confirmed those risks as he told American businesses to be on alert and to strengthen their cybersecurity. And so the insurers have been hit hard on the claim side year after year. And you’re right, that all translates into not only just the increased premiums, but increased policy retentions, which is the loss that the policy holder needs to incur before the insurance company is on the risks.
John Verry (05:56):
Is a retention the equivalent of a deductible?
Eric Jesse (05:59):
Yes. Think of it like that. They’re very similar. There’s also just the possibility of lower limits or sub limits being put onto these policies and just more restrictive terms and conditions. And so that’s one of the things we’re seeing when we’re reviewing just cyber quotes. I think another thing that’s worth mentioning here is just how the increased risks and claims activity is impacting the underwriting side of the insurers house where that’s the process where the insurers are evaluating the risk in actually negotiating and placing the policy. So there, a few years ago it was commonplace where a company could fill out a relatively short application, give it to their broker and get cyber insurance. And now the process is starting to become more intensive. So insurers are really wanting to probe and understand, “All right, what cyber security systems does a company have in place?”
They want to know what’s being done to train employees to address or thwart cyber attacks or prevent cyber attacks. And we’re also seeing something that I think existed many years ago and seemed to have died down, and now it’s coming back and that is underwriters wanting to interview chief information security officers and CTOs to really probe those security systems. And that’s a part of the process that companies can’t take lightly. They really need to practice and prepare for those interviews and have ready explanations for either real or perceived gaps. And the other point I wanted to make on this because this is the other thing we’re seeing is just how insurance companies are dealing with claims when they come up.
And this is where my policyholder advocacy and ensure cynicism will shine through, but insurers have been and I think they’ll continue to be just more aggressive and difficult on claims as they try and look for savings. So to be just even more cynical, we often say in our policy holder world, that when a company buys a policy and pays premiums, they’re really paying for the ability to try and negotiate coverage for a claim. And I’m happy to share just a war story to put that into perspective. And that is, we had a client several months ago who faced a ransom demand and the insurer only agreed to cover a small percentage of that demand. And so the client was going to have to make up this massive difference. And the insurer’s position was, “Well, the threat actor only stole data.”
They didn’t encrypt data at the company. And so the harm was, “The harm was done.” And that’s not how the policy works, the harm wasn’t over because the threat actor was threatening to release this data. And so we had to tell the carrier again, that how sensitive this data was, because it wasn’t just employee data. So employees are going to be harmed if this is released, it was financial information. The client operated in a very competitive environment, so there was trade secrets. And by the way, the insurers panel council recommended the payment here. So if we had to get involved and tell the insurance company, “Listen, you’re acting in bad faith. And under New Jersey law, the bad faith allows a policy holder to recover their consequential losses. So if we’re losing a customer because our competitive data is out there, you’re on the hook, insurance company.” So we did have the law and the facts and the policy on our side and marshal them to eventually get the carrier to pay in full, but we shouldn’t have had to do that in the first place.
John Verry (09:38):
So I was going to ask you a question. I was going to ask you how the insurance companies got themselves into this mess? But I think in a sense you started to answer that. Well, you talked about the fact that their underwriting processes early on were pretty immature. And I think from the folks that I know in the industry, I think a lot of that was, there was a giant pot of gold at the end of the rainbow. They did not have the actuarial data. They didn’t have the experience necessary to do that underwriting. And they said, “Yeah, we’ll write as many policies we can and we’ll catch it up on the backside.” Is that a fair assessment?
Eric Jesse (10:12):
Yeah, I think that’s right. So the way I’d answer that question is saying certainly the insurers were not underwriting as intensely as they wish they should have. So I think that’s the contributor here, but beyond that, I can’t really say that the insurers are to blame because the reality here is that this is just an area. Cybersecurity is an area that’s filled with major risks, changing risks, increasing risks. And the threat actors are persistent here in trying to find new ways to penetrate company systems.
And the other thing here is, the carriers were adapting to the risk. So I’ll give the example of ransomware where, several years ago, I think we would see ransom demands in the thousands or tens of thousands of dollars, and so insurance companies had sub limits of 50 or 100 thousand dollars in their policies, but the carriers, as those demands went up, the sub limits went up. So now we often see 1 million dollar sub limits for ransom or cyber extortion demands. And that’s good for policy holders, but now the carriers are being with the onslaught of ransomware demands, the carriers are going to have to pay at those higher supplements.
John Verry (11:30):
Yeah. I feel bad for everyone involved in the process in a way, the insurance companies, because the problem we were running into is we’d see firms getting cyber insurance policies for two, three, $4,000, relatively small amounts. Small companies. And when you think about it, the process of doing due diligence on a company is going to cost them that or more. So really what they ended up having is a situation where you couldn’t afford to do due diligence and sell the policy at that price point. Because the due diligence was costing more than the actual policy in and of itself. Now as these policies double in triple in price, and as we find ways of relying on, let’s say third party data, third party attestations, things of that nature, or maybe, “Hey, we’re willing to write a policy, but you have to be ISO certified.” Or “If you’re ISO certified, we’ll give you a discount.” I guess that’s really where the direction this is going to end up heading?
Eric Jesse (12:24):
Yeah. I agree with that. And I think you pointed out, that’s what I was seeing too, a few years ago, those relatively low premiums and there’s only so much time you can invest in underwriting that process. So I think the carriers will look for, lack of a better term, shortcuts through those certifications or you’re going to have just much more extensive insurance applications. Applications I saw a few years ago, were often just a few pages. Now they could be much more intensive as the cyber security systems and protocols have to be detailed in that application.
John Verry (12:59):
Yeah. So, we have the misfortune of having to review very often our clients, cyber policies. And to me, not only they’re complex, I would argue it’s legal lease and it’s actually a legal document. So what my question for you would be, what percentage of companies have their policies reviewed by a cyber liability insurance, cybersecurity knowledgeable attorney, and what percentage should have been reviewed?
Eric Jesse (13:31):
So, I think the answer here is not enough and all of them. I agree with you.
John Verry (13:38):
Well, you said in the opposite order though, all of them should and not enough do. Right?
Eric Jesse (13:47):
So you’re right. This is a legal document. If there is a coverage dispute, you’re going to have a court. You’re going to have a judge interpreting what that policy language means. So, you’re absolutely right. And so I can’t tell you the precise number of companies that are the percentage that have their policies reviewed by council. But the answer is that they all should. And I think there’s a few reasons why it makes sense to do that. So, as you mentioned, these are complex policies and frankly, as I mentioned at the top of the podcast here, we review a whole host of different policies. These are one of the most complex ones that are out there.
There’s a lot of exclusions, the devil’s in the details. You do have defined terms in these policies from A to double Z. And I’m not exaggerating when I say that. And so, we like to say you need a secret decoder ranked to understand what’s in these policies because in those definitions, in that minutia, is where the scope of coverage in those exclusions actually live. And then because these policies are complex, this isn’t something you should just purchase and renew and just put on the shelf and forget about it because you’re doing yourself a disservice, given the risks that all industries face on the cyber security front, these policies can be very valuable, can be very important and it’s worth the time and investment to get them right. And maybe some companies or a lot of companies don’t realize this, but oftentimes what you can do is you can negotiate. Try and negotiate for improved terms and conditions.
And council can help you put together that wishlist and you won’t get everything. And what you may get is going to depend on the premium because a carrier is going to approach a $10,000 policy different than a 100 thousand dollar policy, but you’ll get something and it’s helpful because once you get that improvement into the policy, it can carry forward as you renew. And then the other thing is you just need to understand what is required by these policies because you need to know about sub limit, so there aren’t surprises and other just requirements in the event of a breach or a claim.
John Verry (16:03):
So I think my answer to the do enough of them, I would say the vast majority of them don’t have anybody look at it, which is crazy, the more I think about it. And I know that not only do they not have legal review, I don’t think they have business review. We were working with a New Jersey county and we had reason to look at the cyber liability insurance policy as part of a project, and the main reason they had the cyber liability insurance project was a policy, was to protect a particular database that had a lot of sensitive information in it.
Personal identifiable information and health information of 60,000 residents of the county. And on review of the policy, they had a, I don’t know what the right word is, an exemption exclusion writer or whatever the right terms, but any database above 50,000 names was not protected. So you don’t need to be an attorney. You just need to actually be someone who… Someone’s got to sit and read the policies. And I know they’re painful. It’s like watching grass grow, paint dry for some of this stuff. But yeah, there’s a lot of stuff that can go wrong if you’re not looking at these policies.
Eric Jesse (17:06):
You’re right. And yeah. So I have on my web bio that my job is to read insurance policies cover to cover, and that’s what you have to do to really understand it. But I take your point there and you’ll be surprised how many times we see policies issued that exclude a major component of the business, or the thing you’re really hoping and expecting to be insured. Which is why even from a business perspective, you need at least need to do that page flip and also just make sure your broker understands what you’re doing and what the risks you need to have covered are too.
John Verry (17:44):
Yeah. So I am not a cyber liability insurance guru, nor am I a guru at all with regards to insurance as a whole. So in chatting with some of the folks that sometimes we’ll engage with, when we’re looking at cyber liability with a customer, what I’ve understood is that cyber liability is only a part of a broader, I call it umbrella of insurance coverage, and there’s things like crime and DNO and other policies that are important. And that one of the key things that somebody needs to be cognizant of is you have to understand how these pieces fit together, because you could end up with gaps in your coverage. It were over-insured and things of that nature.
I know we had a client, if I recall correctly, that they thought their cyber liability insurance policy would pay a claim because someone left a laptop at a car with 20,000 names on it, but that should have been covered by the crime policy, and it was either excluded in the crime policy or something of that nature. So can you talk a little bit about beyond, so I call you up and I say, “Hey, Eric got this cyber liability insurance policy. You want to review it?” Should they be asking you to look at one policy or should they be looking at the umbrella of policies to make sure that these things fit together in the way that they think they do?
Eric Jesse (19:01):
Yeah. I think what’s important from that perspective is I think the starting point is really to make sure that a company just has the right insurance program in place. Just at a starting point. So they have a cyber policy. Good. Do they have a DNO policy? Good. Do they have a crime policy? Good. Do they have a professional liability policy? Good. Those are things we want to just make sure companies have as a starting point. And then, at that point you want to drill down a little bit. And the reason you need to make sure that you have that panoply of coverage is a cyber incident can implicate multiple different types of coverage. So you could have a cyber incident. So you’re going to look to your cyber policy to respond to, for example, the third party claims brought by the employees or the consumers whose data has been lost or stolen.
But if there’s a public company, for example, that was attacked, there could be shareholder lawsuits brought against the board of directors because they’re going to allege that the board didn’t exercise proper oversight, didn’t make sure that there was the right cyber security systems in place. And as a result, the company was harmed, the value of the company, the stock price went down. And so there you’re going to need to look to your DNO insurance policy. So that’s part of the reason you just as a starting point, need to make sure that program or those programs exist.
And then, in the cyber context, you need to make sure that policy has the right coverages because for companies that provide professional or technology services, you can get coverage for that risk in a cyber policy. Companies that have media liability exposure. So you can get coverage for that in a cyber policy. Now crime, I think can be a little tricky because companies should have a crime policy for sure. But just in my experience, when a crime insurer has been faced with a cyber crime claim, like a fraudulent instruction or social engineering claim where you have this threat actor pretending to be the CEO of the company and pretending to email an employee to wire funds. That can be covered under a crime policy, but crime in my experience, crime insurers just resist covering those.
And so what I want clients to do is try and get cyber crime coverage added to their cyber policy, and I think just the claims handlers on the cyber insurance side are much more, just accepting of those claims. They have the right mindset to try and provide coverage. So it’s how we approach all the different policies that can be in play when we’re reviewing, are looking at cover or the cybersecurity risk.
John Verry (22:10):
A quick question, if something was deemed negligent and you weren’t appropriately covered under a DNO, could something end up piercing the corporate veil? If you’re the owner of an organization, could that happen? Let’s say that you’re an owner of an organization, you fail to put the proper information security controls in place. There’s a large, giant breach. Could the director, the owner of said company end up in a situation where that breaches the “corporate veil” and they’d have some personal liability?
Eric Jesse (22:42):
Yeah. I think that scenario is always out there. I know that piercing the corporate veil and these alter ego claims are often going to be very fact sensitive. So that’s just going to depend on how is that company being run. But, that can be one of the beauty of an DNO policy, for example, where that policy is designed to cover directors and officers. So if that corporate veil is pierced, to go after the directors or officers directly, you can look to your side, you can look to that DNO policy. The other thing that’s worth mentioning is a cyber policy too, does not just cover the company. It also will cover directors and officers and employees that are negligent. Obviously if there’s the rogue actor or the rogue employee, there’s not going to be coverage there, but for that negligent director or officer, that there can be coverage under a cyber policy if they’re being held responsible for that specific cybersecurity risk. Yeah.
John Verry (23:45):
Gotcha. Cool. Thank you. So, one of the other things that you need to be aware of, and a good attorney can help you figure this out I’m sure, is that cyber liability insurance policies often specify certain obligations. That you treat data in accordance to reasonable and appropriate security standards, or very often, your instant response requirements are usually specified and if violated can actually obviate coverage. So what should orgs put in place, pre or post purchase, to make sure that they understand those obligations?
Eric Jesse (24:22):
Yeah. So this goes back to my earlier point about you can’t just put this policy on the shelf and you need to really go through and understand what’s being required because I’ll use the example of the fraudulent instruction claim or the social engineering claim, where the policy may require that there be appropriate verifications put in place to make sure that the communication or the request to wire funds is authentic. So you need to make sure that you’re complying with that because if you don’t, and there’s still a resulting loss, that you could avoid the coverage that you’re expecting to have there. Another important component is understanding what the notice requirements are. That’s just the threshold obligation to getting access to the policy.
And it’s important to provide prompt notice of a claim or an incident because these are going to be claims’ made policies and an insurance company they can be very harsh. An insurance company can deny coverage for late notice. And so that’s why it’s so important to provide, number one, to provide prompt notice or the other thing that company should do is to try and at the negotiation stage of the policy, try and relax those notice requirements so that there’s language in the policy that says, “All right, if we’re late in giving notice, the insurance company can’t deny coverage because of that lateness.” And then unless the insurer could show they were prejudiced. Just another important component is consent. These policies are filled with insurer consent requirements. So for example, there needs to be consent for any costs that are incurred, for any settlement.
And this also ties into the computer forensic expert whose costs are going to be covered under the policy. So these policies will often require the policy holder in the event of an incident to use the insurers preferred or panel consultant, to work through the data breach and negotiate with the threat actors or pay the ransom demand. So, there’s a few things companies can do there. One is, if they have a preferred consultant that they want to work with, or a cyber security consultant, they should have that company endorsed onto the policy and have them pre approved, so that in the chaos of a breach, you don’t have to fight with the insurance company about that. You can just pick up the phone and call them. Or another option is just to do your own due diligence on who the insurance company wants to work with. Ask them who’s on their panel, so you can get comfortable with them.
John Verry (27:07):
Yeah. I think that is super important and was something that we always push for because like you said, you do not want to be in a situation where the faster we can contain an incident, the less impact it may have. And so minutes are critical, and not have it being in a situation to say, “Well, what company do we need?” And of course this is going to happen on a Thursday at 5:05, and now you’re picking up the phone and trying to call data forensics companies and no one’s answering the phone. And it’s not until the next day that you get this thing going. So you want to be in a situation, in fact, if you’ve got a high enough risk, you want someone who’s actually probably on a retainer. So that way they’ve got a defined response time that they’ve contracted with you based on that. So, yeah, I couldn’t agree with you more.
Eric Jesse (27:57):
I was going to say, and that’s the risk because we’ve seen it with clients before, where they call up their cybersecurity company right after a breach before they’re even telling the insurance company. And then the insurance company says, “Well, they’re not on our panel.” So that creates the risk that tens of thousands of dollars of work has been done that the insurance company might try and deny coverage for so better to get that preapproval up front.
John Verry (28:26):
Even worse, if they go too far down a path and let’s say that you don’t know a lot, one of the advantages of using an approved vendor from the insurance company is the fact that they are at least reasonably qualified to do the work. And if you’re not someone who knows how to research a digital forensics company, you might be better off using them. Because if you hire someone who doesn’t know what the hell they’re doing and they make a mistake and they destroy evidence, the insurance company could in theory say, “Hey, we’re not going to pay for anything at this point. Not only are we not paying for what those guys charged you, we’re not paying the claim because you didn’t follow a good process.”
Eric Jesse (29:05):
Yeah, exactly. They can say that. Yes, that claim, or this issue has now been exacerbated because the wrong people were involved. And I will say in terms of the panel service providers, the computer forensic firms, the insurance companies, I think they do have very well qualified service providers there. So I think that just as a general matter, policy holders can take comfort in knowing that the insurers have lined up the right companies. And that said, but still do that due diligence ahead of time and put in your contingency or your data or your disaster response plan, you need to have the name of that company, ready to go. Rather than trying to flip through the policy or having to go through, go to the website that’s in the policy where the panel is listed to try and find the right people. Get all that done upfront.
John Verry (29:59):
Right. So what most people may not realize is that if you have a breach and you are covered by cyber liability insurance, you end up following their formula. I’ve only been involved in it once, it was eye opening, but you’ll get what they often refer as a breach counselor. That breach counselor is usually an attorney that’s got some information in security knowledge. And in a sense, they’re defining the game plan for you guys to move forward. Now it would seem that their procedure might logically be slanted to shift some of the burden of cost to your team and or limit their coverage cost. So let’s say that somebody doesn’t have an attorney that reviewed their cyber liability insurance policy, but they do have a breach, should they get an attorney to represent their best interest as they’re going through the breach response?
Eric Jesse (30:57):
Yeah. So, just as we were talking about with the computer forensic expert and the panel there, the insurance companies will have their panel attorneys. And look, frankly, one of the benefits of these major benefits of these policies is that they do provide coverage for this breach response coach, which is an attorney. And they will provide defense costs if there’s a third party claim and you need to be represented by an attorney. But, where I expressed a lot of confidence in the insurers panel of computer security forensics, I’m a little more jaded on the panel council. And this is frankly just a tenth something we see under so many different types of policies. So it’s not just cyber because the insurers will point their council if that’s what’s permitted under the policy. And sometimes you can negotiate around that, but that panel council, their ethical and fiduciary obligations are to the policyholder and they must work in the interest of the policyholder.
And look, I’ve worked with plenty of panel counsel where they’ve done that, but there is certainly attention because panel counsel also knows where their next case is coming from, and it’s probably not the policyholders. It’s going to be the insurer. And so, the answer to your question might depend just on the magnitude of the claim, but I think it can be a good practice to have your own counsel, your own privacy or data security council, that you’ll have to pay for by the way, but just look over the shoulder of the insurer’s panel counsel to make sure that the claim is handled properly. And the other thing I’ve seen is panel counsel, I think rightfully so, because they’re appointed by the insurer, they are not going to opine on any coverage issues or engage in any coverage battle on your behalf. And so that’s where coverage council might need to be called in.
John Verry (32:49):
Yeah, and the other thing too is that I always find that when you’ve got a cybersecurity person talking to a cybersecurity person, that’s different than if you have a business person talking to a cybersecurity person. So if that council, the outside council, that’s the panel council, knows that you’ve got an attorney on your side and they’re involved in one or two of the conversations, I think it sets a level of expectation, “Okay, hey, somebody’s here.” I just think it raises the bar a little bit that they’re going to hold themselves to. And I think if there’s a, “I can lean this way, I can lean this way on this issue.” I think they’re going to lean the way that they’re not going to get beat up by your council on. Right?
Eric Jesse (33:33):
I think that makes perfect sense. And I agree with that. So, just having your own council or the council you want to be looking over the shoulder, just appear on the scenes, once or twice, and then can take a much more back seat. But yeah, I think that’s right. It does set the expectation at the very outset. So I agree.
John Verry (33:55):
I think we beat this up pretty good. Anything we miss?
Eric Jesse (33:58):
No, I think we covered everything. I’ll just emphasize that this is a policy that will be very important to many companies as the cyber risks just continue to grow, unfortunately. And so this is not a policy you put on the shelf.
John Verry (34:17):
So I’ll ask you our super special question. Give me a fictional character and you know what? The fact that you leaned into it tells me that you’re prepared. Give me a fictional character, a real world person you think would make an amazing or horrible CISO and why?
Eric Jesse (34:30):
So this will be my second favorite question after my favorite drink. So I’m thinking of a character that Jimmy Fallon used to play on Saturday Night Live, way back when probably in the early… He played that arrogant, know it all, computer guy who would just insult you in the process. So I think he’d be good maybe on the technical side, but would be horrible on the people side. And we talked about those calls that the cyber underwriters want to have with your IT people. I’m sure he would be horrible on that call. So, yeah.
John Verry (35:04):
So I asked you to give me one or the other, you gave me both with one. So that’s efficiency.
Eric Jesse (35:10):
Oh, really? I did?
John Verry (35:12):
Well you said he’d be very good on the technical side and he’d be terrible on the people side. So you gave me both. Do you bring that efficiency to your legal practice? Because I got to tell you people like efficient lawyers. So if folks wanted to get in touch with you with regards to your services, what’s the best way to do that?
Eric Jesse (35:33):
If you Google Eric Jesse and Lowenstein Sandler, I’ll pop right up. Or you go to Lowenstein’s Insurance page, I’ll be on there, but send me an email, pick up the phone and I’m always happy to chat and answer any questions.
John Verry (35:49):
Sounds good, man. Well, listen, here’s the good news, we got off in, I’m giving you 17 minutes back in your day on a Friday afternoon. So you are what? So I guess I am equally efficient. You’re welcome. All right, man, listen, you made a topic which is for some people not fun, fun. So I appreciate that. Thanks, man.
Eric Jesse (36:08):
All right. Good. I tried. Well, this was a pleasure. So thanks for having me out, John. I appreciate it.
John Verry (36:12):
Yeah. I appreciate you coming on, man.
Speaker 1 (36:16):
You’ve been listening to The Virtual CISO Podcast. As you probably figured out, we really enjoy information security, so if there’s a question we haven’t yet answered or you need some help, you can reach us at [email protected]. And to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there.