Looking for a temperature/gut check and maybe life advice

cwm5

I'm a DevSecOps Engineer by profession and have been vacillating between transitioning to cybersecurity or starting my own consulting business over the next few years. I've identified "companies needing cyber insurance" as a demographic that has problems I can solve (cybersecurity monitoring and remediations).

As I understand it (which is admittedly not much), cyber insurance was issued by various companies years ago as a no-brainer to increase their revenue. As investors and boards of directors took notice, it's become an increasingly common requirement for certain companies. Simultaneously, after paying out ransomware claim after data breach claim, the insurance companies have doubled the premiums over the past 12-24 months, and the timeline to get a policy is now measured in months as the tech infrastructure of each potential insured is carefully audited and scrutinized. I envision a monthly/annual contract that would bring their infrastructure and operations up to snuff and minimize their hassle in satisfying their investors'/BoD's insurance requirement, as well as being part of any eventual incident response.

To understand the problem better, I thought I might take an online insurance class and get licensed as an agent or consultant, if only to not sound like an *** in meetings or get in trouble for saying "insurance" without a license. I don't think I want to sell insurance full-time, and it's probably easiest to just get a cybersec job, but I feel like understanding "both sides" of this area could be beneficial and a decent niche. I understand cyber insurance is typically an add-on to a P&C policy, so I've purchased the P&C course for now.

My main question is "what do experienced agents think upon first reading this?", and if it's something other than "You're a brilliant genius and the first person to ever consider doing something like this", any advice on alternate angles to look at or other places I might add value or seek contracting/consulting arrangements.

Finally, I have not identified anything obviously illegal or inherently unethical, but I also don't want to set any precedents, and again am kind of looking for a gut check/point in the right direction as I continue learning about all of this stuff.

Thanks!
 
You're not a brilliant genius and you're not the first person to ever consider doing this.

But I think you are on the right track.

Have something you are good at and run with it.

To discuss insurance as a consultant, making recommendations for coverage, you would likely have to be licensed. Check your state insurance department.

As an employee who becomes knowledgeable about insurance you don't need to be licensed but if you are going through the learning curve anyway, it wouldn't hurt.
 
Thanks. My initial Google searches suggest the average cyber policy is in the $1-2k range ($100-$150/close), so I'm looking at it as more of a value-add to my IT consulting than the other way around at this point.

Since most cyber policies don't seem to cover post-incident upgrades, I'd want to sell upgrades beforehand/as part of the process, but what about paying myself for things that ARE covered by insurance later (e.g., billing them monthly for data backup, then billing their insurance as a service provider for the recovery, if needed)?

Like being an auto body shop and signing on with Geico on the side. I feel like people have gotten into trouble for similar things, but I also feel like they were being dishonest, and not inherently violating any laws or contracts by doing both, but I don't recall.

Do I really just want to sign up to be some insurance company's "approved service provider", like how doctors sign contracts with various providers? Is that even a thing with P&C?

Also, I guess the obvious question: any good/bad cyber insurance carriers? A quick Google search turned up a diaspora of different domains which seemed to let me sell their insurance as soon as I emailed a copy of my license, which feels like a red flag. I also feel like companies are more likely to go through a well-known provider/their existing agent, so I'd want to get on with Travelers or something ideally (which seems unlikely on day 1 from what I've read here)?
 
I know nothing about cyber insurance so I'll speak generally.

As a licensed agent you could conceivably be appointed by an insurance company to sell its products. However, insurance companies that sell through independent agents have volume and profitability requirements. In other words, you would have to have an established agency that could offer a large enough volume of profitable business. That requirement may vary from company to company. Meantime you would probably have to obtain insurance for your clients through the excess and surplus lines brokerage system.

Again, to discuss insurance as a consultant, making recommendations for coverage, you would likely have to be licensed.

However, licensed or not, your knowledge of cyber insurance could certainly help you sell your services to your clients.

With regards to being a preferred provider and direct billing, you're comparing yourself to the collision repair industry, which is involved in billions of dollars in claims. Insurance companies that have preferred repair shops are few and far between because, number 1, misunderstandings (lawsuits) may occur when a policyholder believes that the insurance company guarantees the work, and, number 2, it is against the law in every state for an insurance company to require an insured to use a preferred shop; it can only offer it without demanding it. A preferred shop is permitted to bill the insurance company direct.

At your level I think it unlikely that you could become a preferred provider to any insurance company much less be allowed direct bill, though I could be wrong. All you can do is ask an insurance company marketing rep.

Meantime, when you bill your client for something that is covered by his insurance it would be up to him to relay the bill to his insurance company as part of his claim.

As for good or bad cyber insurance companies I did a search and found:

*Hartford
AmTrust Financial
The Doctors Company
HSB
CyberPolicy
*Travelers
*Chubb
*AIG
Beazley
Hiscox

The asterisked companies are well known quality insurance companies that have been around for a long, long time. The others I've never heard of, which doesn't mean that they are good or bad.

What follows is data from the National Association of Insurance Commissioners.

Top 20 Cyber Insurers in U.S. Including Loss Ratios: NAIC (insurancejournal.com)

I'm familiar with about half of those companies which have also been around for a long, long time.

Cyber insurance appears profitable for many of them.

That you were invited to sell for companies that you emailed suggests to me that they are brokers in the excess and surplus lines market, or maybe small companies trying to break into a specific line of business.

Name them and I can check them out for you.
 
To what extent do you believe an insurance agent possesses knowledge in the domains of DevSecOps Engineering or IT at large? With this notion in your thoughts, ponder upon your own level of familiarity with insurance. It appears that, by your own admission, your grasp of insurance remains limited.

Many people tend to underestimate the intricacies of insurance. Popular Insurance television advertisements, striving to replicate iconic marketing campaigns like "Got milk?" and Apple's "Think different," have greatly oversimplified the concept of insurance, reducing it in people's minds to a mere commodity.

While obtaining your P&C license is indeed a step in the right direction, it may not necessarily impress potential clients or industry professionals within the insurance sector. Furthermore, it's crucial to recognize that this move exposes you to potential legal consequences in the event of errors or mishaps, particularly given your current level of expertise combined with your intent to sell cyber insurance.

Consider this scenario: If an insurance agent claimed to be a full-time insurance professional but had only completed a one-week course on cybersecurity, would you regard them as proficient in your field?

Not long ago, I was at an event hosted by Chubb, who I believe is the largest cyber insurance carrier in the US by volume. I spoke to their head cyber underwriter, who has a degree in risk management and countless insurance designations. By his admission, his technical knowledge of IT and cybersecurity was very narrow because his daily life is an insurance underwriter, not a cybersecurity expert.

I come from a tech background, having been a network technician, helpdesk, and marketing rep for a large technology company; I am on the cusp of completing my Bachelor's degree in Cybersecurity and wrapping up my Certified Insurance Counselor (CIC) designation. I have also been in insurance for a few years now. Even with this background, I don't consider myself a cyber insurance expert. I know the policies far better than many of my peers, but they are intricate and can vary greatly by carrier.

My advice: Unless you are genuinely inclined to delve deeply into the insurance realm, I would recommend sticking to your current area of expertise. You're already established in a high-paying career, and delving into the complexities of insurance may divert your focus and time away from your current strengths.
 
You are also going to need to check the cost of your E&O insurance (if you can get it) based on your comment about selling upgrades, which I assume means equipment and software. Last time I looked, a policy for an individual selling software and recommendations was in the stratosphere.
 
Thanks for the replies. I admittedly am the kind of person whose understanding of insurance is limited to online Geico/Progressive quotes, and checking the same sets of boxes on my employer benefits each year.

> Last time I looked, a policy for an individual selling software and recommendations was in the stratosphere

Is this what I'm thinking of in terms of "insurance for tech companies is a hassle"? Can this be alleviated with things like unit tests in software, UL certs for hardware, vendor certification for service contracts, etc? (like how I got a discount on my car insurance by checking "Yes" to "Drivers' Ed" and "None" to "How many DUIs?").

Google auto-completed 'tech e&o vs professional e&o' so I guess I'll start with that.

I've been reporting to the CTO for the past few jobs and/or had ownership interest, which has exposed me to a ton of <business stuff> that being a web developer didn't, especially during M&A, and I'm hitting that Manager-or-Staff Engineer decision age/seniority. So I'm gonna give the "start your own business" thing a try (in progress).

Cyber insurance came across a month or two ago as a low-priority item for my main job, so this is part "how to cyber insurance" and part "wait, is this worth really digging into for the consulting thing?".

What piqued my interest the most were a handful of (tech) articles suggesting it's a 6-month, 5-or-6-figure process akin to PCI or ISO certification as of the past year or so. Our business manager has expressed a vague concern about the process in a "hey, we might have a project on our hands - but next quarter" kind of way. Then, when I Google it, it seems like we might just need to fill out a brief survey, fax it over to our existing agent, and pay $1-2k to check the "Add cyber insurance?" box.

I guess I'm trying to evaluate how involved with insurance I want to/have to get, because I don't have any illusions of being even minimally competent after finishing this course (or of making any immediate profit, after reading these forums), but the $99 WebCE course seemed like a good start.

> While obtaining your P&C license is indeed a step in the right direction, it may not necessarily impress potential clients or industry professionals within the insurance sector.
> Furthermore, it's crucial to recognize that this move exposes you to potential legal consequences in the event of errors or mishaps, particularly given your current level of expertise combined with your intent to sell cyber insurance.
> Consider this scenario: If an insurance agent claimed to be a full-time insurance professional but had only completed a one-week course on cybersecurity, would you regard them as proficient in your field?

I usually work through a couple of relatively-inexpensive "weekend" certs a year (Lately: AWS, Series 7, LEED AP, WELL AP, P&C) even if I don't pursue the actual license or job (unnecessary legal exposure - and cost - as you point out). Some are fun/interesting and others help me understand the business side of things.

I wouldn't regard him as a proficient cybersecurity professional, but I'd rather work with him on a complex system or interpreting a bunch of grey areas. It feels less likely that I'll sell policies, but I feel the need to understand it as much as a business owner and infrastructure engineer, if not a competent agent or underwriter.

What does one do with a CIC and a Cybersecurity degree?

> Again, to discuss insurance as a consultant, making recommendations for coverage, you would likely have to be licensed.
> However, licensed or not, your knowledge of cyber insurance could certainly help you sell your services to your clients.

I feel like the advice I'm usually asked for is interpreting broad, technically-vague requirements like "Do we have XYZ in place?", while the coverage requirements are more or less handed down by investors/BoD's/RFPs, like "you need $1M in coverage and it has to include ransomware and data breaches" or whatever, but I've only had a handful of casual conversations (and basic google searches) about it so far.

Does the licensure requirement only kick in when "recommending coverage"? Is helping a client fill out the questionnaire/application packet a regulated activity? ("Yes, all accounts have MFA", "Yeah, the annual contract you signed with us includes an Employee Training Program that covers phishing, etc", "No, it looks like your BCP needs a few more items")

> At your level I think it unlikely that you could become a preferred provider to any insurance company much less be allowed direct bill, though I could be wrong. All you can do is ask an insurance company marketing rep.

I guess, at a minimum, I'd like to at least align some of my services to industry language, if only for SEO purposes. Secondly, I'd hate for a client's insurance to not cover my otherwise-covered service just because I'm not Microsoft-certified, a Trusted AWS Partner, or whatever. I guess I'm not too worried about direct billing per se, but it'd obviously be ideal to get on some kind of recommended/authorized list (or some kind of badge to put next to the BBB logo on my website!)
 
Since you like learning on the weekends, read this book. It covers the basics of cyber insurance.

Amazon product ASIN 057866416X

Additionally, if you're going to sell the policies, I am curious how you plan to insulate yourself from the incumbent agent just hijacking your policy. You seem to like Google, so I suggest you search for an agent of record letter. Your competitors would love nothing more than you educating their clients about cyber, setting up the policy, issuing it, and then taking that client off your hands.
 
Perfect, thanks! It'll be here Thurs.

Personally, that's not far from my original idea, especially if he tells them they'll need things like a formal annual employee training program, ongoing vulnerability scanning, audit logging, 24/7/365 monitoring and alerting, an IDS/SIEM solution, a written Incident Response Plan, a Patch Management program, etc, etc, etc. :)

I think the "Insurance Consultant" license (whatever that means) sounds closest to my original intention, which was to walk the business owner through that process without getting in trouble for giving unlicensed (and/or terrible) insurance advice.

It seems that I mostly want to be an MSP/MSSP and probably not sell insurance on the side. I've been working for startups just as they start to scale, spend a year or two there, then they sell or merge with someone else. I've been through I think seven M&A deals since 2017 (another niche I'm pursuing), and it'd be cool to do all of the architecture analysis stuff without the layoffs part.

Who on the insurance side does <technical stuff>, like deciding what's acceptable and what's not? Is it basically a predefined list of major vendors, or does there exist a long process of reviewing network topologies, software versions, firewall rules, password policies, logging configurations, etc., like with other regulatory environments? (Becoming GDPR compliant, for example, was easily a 5-figure process and large companies spent millions.)

At the risk of making another bad analogy, perhaps I'm thinking along a boat surveyor or home inspection kind of line.
 