Managing the Financial Impact of Cyber Risk

David Finz, Esq., RPLU, is a cyber-insurance specialist at Alliant Insurance Services. He helps organizations mitigate financial risk by educating clients, negotiating best-in-class coverage, and providing expert claims advocacy, ensuring businesses navigate the insurance marketplace with confidence and protection.

In an exclusive interview with CIOReview, David Finz, Esq., RPLU, shared his views on how claims expertise drives leadership and innovation in cyber insurance.

Key Experiences That Defined My Path

I am an attorney by training, and when I transitioned from the practice of law to the insurance industry 20 years ago, claims was a natural point of entry for me, from the standpoint of understanding contracts and liability. Around 11 years ago, I established a focus on cyber insurance, given the growing necessity for businesses to secure coverage. I joined Alliant in 2020 to be part of an industry-leading team that helps clients manage cyber risk, offering the full spectrum of risk consulting, analytics, brokerage and effective claims advocacy services.

Coaching Teams Under Cyber Pressure

A claims background offers greater insight into the importance of the right policy wording in helping a client realize a recovery on a loss. While brokers are focused on pricing, limits and retentions, the specific phrasing can often determine whether a claim is covered or denied. When I collaborate with our broking team on a placement, I bring the experience of having handled seven and eight-figure losses so we can ensure that the coverage is “fit for purpose.”

It's also important that we educate our clients around how to secure the most mileage from their policy and to integrate the insurance factors into their incident response planning. We accomplish this through drafting customized playbooks and conducting tabletop exercises that engage the C-Suite in real-time decision-making around plausible loss scenarios.

Levers That Shape Best-in-Class Terms

There is a range of security controls that underwriters look for that relate to specific threats and exposures. These are too numerous to set forth in their entirety here; however, Alliant conducts an exhaustive risk assessment to help clients identify areas for improvement and to enhance their insurability.

 

​You don’t need to become a cybersecurity professional, but you need to be able to converse with CIOs and CTOs and understand the challenges they face

One example of this relates to fraudulent payment or wire instructions, which often emanate from social engineering attacks. Having an established callback procedure, whereby the insured authenticates the change in instructions with the requesting party via a predetermined number on file (often referred to as “out-of-band” authentication), can often be a prerequisite for coverage or can result in increased sub-limits for this type of event.

Rituals That Drive Skill Growth

The members of our specialty claims team are truly lifelong learners. This includes publishing a monthly newsletter to share expertise with clients and colleagues around legal and regulatory developments, and the sheer exercise of researching and drafting this content perpetuates an educational process. Attorney members of our team are frequent lecturers at Continuing Legal Education seminars, guests on podcasts and authors of articles in industry publications. The non-attorney advocates hold weekly meetings to share information around market behavior and fine-tune best practices around claims management and incident response.

From Trend to Prototype: Real-World Impact

The rise of AI offers both promise and peril to cyber insurers and brokers. On the one hand, AI can be used to gather threat intelligence, assess risk and mine loss data to better correlate specific security controls to the likelihood and severity of attacks. Conversely, threat actors are using this technology to craft increasingly sophisticated phishing attacks, requiring a heightened state of vigilance from businesses.

One Key Lesson for Aspiring Professionals

There are two pieces of advice: the first is to learn the fundamentals of the cyber threat landscape and how the coverage responds. You don’t need to become a cybersecurity professional, but you need to be able to converse with CIOs and CTOs and understand the challenges they face.

The second is to take advantage of the mentoring opportunities available through their employers, alumni network and professional organizations such as the Risk and Insurance Management Society (RIMS) and Professional Liability Underwriting Society (PLUS). This is a relationship business, and while remote work has its advantages, there is no substitute for meeting in person.