Raising Tech

Mitigating Cybersecurity Risks & Protecting Your Senior Living Community with Cyber Insurance

November 04, 2023
Amber Bardon, Rafael Haciski

In this episode of Raising Tech, our host, Amber Bardon, has an intriguing conversation with Rafael Haciski, Vice President of Commercial Insurance at Johnson Kendall Johnson (JKJ), about how JKJ's personalized services allow clients to focus on their businesses while JKJ provides direction in managing cybersecurity risks.

JKJ's cyber practice is focused on creating risk management programs and educating clients on the importance of cyber incident response and changes in insurance terms. Discover how JKJ is keeping Senior Living communities properly covered by listening to the full episode! 

Raising Tech is powered by Parasol Alliance, The Strategic Planning & Full-Service IT Partner exclusively serving Senior Living Communities.

Amber Bardon: (00:00)
Welcome to Raising Tech podcast. I'm your host Amber Bardon and today our guest is Rafael Haciski, who is the Vice President of Commercial Insurance at Johnson Kendall Johnson, also known as JKJ, which is a full-service insurance brokerage with a large senior living group. Welcome to the show.

Rafael Haciski: (00:17)
Thank you Amber. Thank you for having me.

Amber Bardon: (00:19)
To start off with, just dive a little bit deeper and give us a little bit more background about yourself and about your company.

Rafael Haciski: (00:24)
I am a former attorney turned insurance broker. I was a white shoe lawyer defending Fortune 500 companies for about a decade and just sort of general business litigation and then that kind of delved into insurance coverage disputes where we were adverse to the insurance carriers on large denied claims. And I segued from that and was pulled into the insurance brokerage side where I currently work with a little over 300 plus Senior Living communities on their insurance and risk management. JKJ is a little bit unique from a makeup standpoint where most brokerages focus on geography focused on where they are for their business. We serve the nation, but we chose to kind of delve into industry segments instead. So we have a senior living group, we have sports and entertainment group, we have a real estate group and international group. All of those require sort of above and beyond insurance and risk management services and we provide that from a hands-on approach.

Rafael Haciski: (01:19)
I would say a lot of brokers place coverage and then are out of sight, out of mind, onto the next account. We're very unique in that when we place the insurance coverage for our clients, that's the beginning of our story for that year. We're action planning the policy here, identifying loss trends, figuring out where we're gonna deploy our risk management and safety services from our office to our clients so that when we come back to the renewal following year we have a good story to tell the market that then allows them to get a little bit more flexible when it comes to pricing and coverage considerations. We're a little bit unique when compared to our competition out there. Another thing I'll add is we're an independent brokerage. The insurance world right now is seeing a lot of acquisitions and mergers and affiliations.

Rafael Haciski: (02:02)
There's shareholders. We at JKJ are our own shareholders and we're going to be that way for years to come and we're proud of that fact and we know that that really lends a lot of value to our clients because they know that the people they're seeing on the screen or the people they're seeing in their office who are providing those services are the people they're going to be working with throughout the relationship. It is a very family atmosphere at JKJ. We all are in it to win it and if we win an account, we all win an account and we're excited to provide our services to more and more organizations out there who have such a heightened need. Cyber obviously being one of those.

Amber Bardon: (02:32)
We're definitely gonna dive a little bit more into the topic of cybersecurity insurance on this episode today. But before we get to that, I'm just curious, what can you share that you're seeing as some of the top trends in the insurance area that senior living providers should be aware of?

Rafael Haciski: (02:48)
Funny, when people ask questions like that, I always like to kind of go to the end. What I mean by that is go to the bad thing that is going to happen or has happened because that's what insurance carriers have to do when they underwrite an opportunity. When they look at a new account for renewal purposes, they have actuarial analysis and folks out there who are looking out and seeing what could happen from a claim standpoint, from a frequency standpoint, from a severity standpoint, what's going to happen. Then also what is the organization doing from a protection standpoint that addresses those concerns and those claims that could pop up. COVID really turned things upside down because it forced underwriters at the insurance carriers to underwrite to a future that people did not know what was going to happen. I think that in turn really created a lot of market volatility from a pricing standpoint, from coverage terms were going to be offered by these carriers.

Rafael Haciski: (03:36)
So right now I think what we're seeing is, I wouldn't say a plateauing, but the dust is finally settling post COVID in a time where we really didn't know what was happening or what was going to happen. Then as a result, COVID tweaked things a little bit. For example, from property standpoint I can say that very large organizations all the way down to personal homeowners alike have experienced extreme rate hikes when it comes to property coverage. It's because of the fact that COVID has increased labor costs, increased material costs, the cost to replace things has gone up. There's a lot of fluctuation volatility, I guess you could say right now we are all kind of doing our best at JKJ to keep our clients ahead of that game and kind of doing things that really do benefit the organization from an enterprise risk management standpoint, but also in a best-in-class standpoint.

Rafael Haciski: (04:19)
All the great risk management tools that are utilized by our clients allow me and my team as the broker for the organization to pitch that community or that organization, that company in the best light possible for the insurance carriers. That really is a need right now. The carriers need to hear a story, they want to figure out what's the plan from a strategic standpoint, what are they doing that's different from all the other similar organizations down the road that, you know, makes them better than the other or makes them less likely to have something bad happen that then would have to be covered. So there's just been a lot of like volatility I think over the last couple years post COVID and fortunately now I think we're starting to, you know, flatline a little bit when it comes to renewals and how things are looking out there.

Amber Bardon: (04:58)
Can you elaborate a little bit more on what providers can do to help protect themselves and prepare and some best practice tips to deal with these risks and changes that you just mentioned?

Rafael Haciski: (05:08)
A lot of times we find, unfortunately, is that people are busy and think that the busyness factor really negatively affects risk management. When we come into an account and we perform a mock audit, mock mystery shopper walkthrough of the organization from our safety guys who all come in and point fingers at things that should be tweaked or changed or fixed, a lot of times when we present our findings, it's the first time that the executives are hearing about those things. That tells me that we are all way too busy and do not have enough time to focus on what's important or prioritize on what's important because what you don't know is going to kill you. That's what we've been finding a lot is that when we're coming out and pointing our hand on a new account, the things that we identify are things that really were not known prior to our involvement. We know that those are the items that insurance carrier will look for the minute they step foot on a community. It's really about staying ahead of the game, giving yourself enough time, enough runway, pre-renewal to sort of figure out how you the organization look from an insurance standpoint and what are you are doing to better that look. Not a lot of that is happening right now. So we really try respectfully, politely to push on that a lot because we know that will benefit the organization from a risk management standpoint.

Amber Bardon: (06:17)
Just to walk me through, how do you guys go about that? Do you have like an assessment or a checklist that you're measuring the community against some standards?

Rafael Haciski: (06:24)
I like to say it's sort of a test drive of what JKJ does from a service standpoint, but really it also helps us identify where the problems are. We'll come out in the onset of meeting CEO, CFO who typically handles the insurance program. We'll say, "Hey look, let one of our guys just come out to your community for a day and you won't even know that he or she is there. They will do a walkthrough and come back with an extensive report on what they found, that they inspected the parking lot, the parking garage, the boilers, the basement, the roof, whatever it is." That report becomes square one towards what do we together need to do to make this organization a little bit more buttoned up from a risk management standpoint. Similarly, we'll ask for loss data. I mentioned before about going to the end of what bad thing will happen and then reverse engineering the claim to make sure it's covered, how it's handled, et cetera.

Rafael Haciski: (07:13)
We like to take loss data because that's what the insurance carriers will do when they're looking at a renewal, is evaluate the loss experience for that specific organization. That loss data will tell us where claims are coming from. Is it the CNAs who are getting hurt on Mondays because maybe they're getting hurt actually on the weekends and bringing their injury into the organization? That loss data really helps us identify specific to that organization where the problems are coming from. Finally we like to take a look at the current program, the current insurance package. Insurance is basically a contract. Page 1, it says you're covered for everything and there's 150 pages after that that says maybe, you have to do this if you want that. By the end, people don't know what they're covered for or what they're not covered for. So us collecting those policies at the beginning of the relationship allows us to identify what's covered, what's not covered, if those coverage terms or those coverage aspects match up with the operations that that organization is doing, because a lot of times we find that folks don't realize that they're not properly covered and that's where we really shine.

Amber Bardon: (08:14)
Let's talk a little bit about cybersecurity, whether people like it or not or whether it's good or bad, the insurance industry has really pushed all of the communities to take cybersecurity really seriously and that's a big shift over the last couple years. It's to the point now where I feel like a lot of other entities are getting involved in the security aspect. So financial auditors, with all of this information, with all these changes, it can be really hard for a community to understand what exactly do they really need to do because at the end of the day, most of the changes that they're making and they're implementing and they're going ahead with it can be very disruptive to operations and they're doing it primarily to be able to get cybersecurity insurance. That's what's really driving it.

Amber Bardon: (08:52)
What we've seen is, we've had financial auditors come in and say things like, "Oh, now you need a 14 character password" and you need all these things that are not actually being required by insurance companies. So can you talk through that a little bit? What are you seeing as the trends? What would be your advice to a community to help prepare for this?

Rafael Haciski: (09:08)
I'm going to take a step back further and just go a little insurance geek for a moment because I think it helps. Back in the day before all of this cyber stuff was a thing, most organizations have general liability policy that covers slips, trips, falls, property damage, that basically if your organization gets sued, your general liability policy hopefully would step up. Way back when, there was a little bucket of money within that GL policy, that general liability policy, that was saved for cyber related events.

Rafael Haciski: (09:36)
Fast forward a couple years after that and carriers realized that cyber was beginning to become an emerging risk from just an exposure standpoint. As a result, what they did is, instead of providing that little bucket of money in the GL policy, they said we're now just gonna bake in an exclusion that says we the carrier will not pay for any cyber related events in the GL policy.

Rafael Haciski: (09:57)
Out of that was created the cyber liability world. It's a little bit unique because it's what's called a first-party and a third-party coverage party in that it's protecting your stuff, your organization's servers, files, et cetera. Also it's a third-party coverage for when you're going to get sued for potentially data breach or a ransomware event that the HIPAA information has been released inadvertently from the organization. So really the cyber policy is a unique hybrid form that was created out of the GL policy, having that exclusionary terms in there for cyber events. And then the other problem you have is that other policies, GL, auto, property, they're on what's called an ISO form, Insurance Society Office form, ISO. What it means is that when you take those forms off the cabinet and look at the terms, there's going to be boilerplate language where everything starts from a coverage standpoint. Cyber does not have an ISO form, which means that every carrier has their own language when it comes to what coverage they'll provide and what coverage they will not provide.

Rafael Haciski: (10:58)
That makes it incumbent on the broker and the organization to identify, like I mentioned before, the coverage terms of the policy that you're buying. What are you really getting out of the policy and is it going to be protecting what you need? Further along those lines, you now have conditions that get attached to the policy that says you can only get this coverage if you do XYZ. If you put MFA in place, fill all your firewalls, all of that stuff.

Rafael Haciski: (11:24)
The carriers now are getting a lot more intelligent when it comes to the underwriting aspects and the requirement aspects of what they require from the organization from a protection standpoint. Similar to almost like a property program. I'm gonna look at a building and say, "I'm the carrier, I'm not gonna cover that building because you have not put sprinklers in the attic."

Rafael Haciski: (11:40)
"Well I'm the cyber carrier, I'm not going to cover that organization because you have not put MFA in place." So those terms and conditions have started to really kind of pick up steam and have become a little bit more onerous. We're going to provide you coverage but you have to do all these things first and all those things first cost money, it's flipped organizations upside down because they're scrambling to make sure that they're brought up to speed as best possible and are protected but also presentable to the carriers so that they get the coverage. In the end I think the key here is to pressure test your cyber policy. First of all, buy cyber coverage, you have to do that. Two years ago, three years ago, I had people in the nonprofit world come up to me and say, "Hey, I don't buy cyber liability and I don't need it because I'm a small nursing home."

Rafael Haciski: (12:20)
I said, "Well, you're a small nursing home and that's why you're going to get hacked so you better be buying cyber." Right now, we're seeing a lot of that happen where you folks hopefully are buying the program but then now they're getting pushed by the carriers to get things in place so that they're properly protected as best possible per the carrier conditions. What are you doing pre-loss, pre-loss mitigation services? Are you doing those fire drills similar to doing a fire drill for property again, you know, ringing that bell and making sure everybody gets out of the building, let's make sure that they do that right. Well let's do a cyber fire drill and how many times are you doing that throughout the policy year to educate your staff, educate people at the organization about cyber risk and how clicking on that link is maybe not a good idea or it's okay to call the person who allegedly emailed you with that PDF that you don't know what it is.

Rafael Haciski: (13:04)
It's all of those things that really we have to kind of focus on and it's moving at such a fast pace that keeping up with the changes and fluctuations in what carriers are in the business versus what carriers are not in the business and what has to be done to be best in class. All that stuff really requires a partner, a consultant JKJ. We're very proud of the fact that years and years ago we started our cyber practice knowing that this newfound exposure was gonna be a big one and something that a lot of organizations are gonna have to consider.

Amber Bardon: (13:32)
It can be really confusing for a community to have all this different information coming from so many different aspects and to really know what they should move forward with because like you said, all of this stuff costs money and or has an impact on operations. So the big one is obviously MFA, we're running into challenges with staff having to carry phones when they're not supposed to have phones on the floor.

Amber Bardon: (13:51)
Can you talk a little bit more about MFA, because I know that's a big one. What are you seeing? Are you seeing it for everybody? For just email users, VPN remote access?

Rafael Haciski: (14:01)
That's a common request from the carriers and really starting to see it be a requirement across the board. I'd be remiss if I didn't bring up the fact that the application, the document that is used to begin the renewal process that is filled out by the organization and presented to the carrier then takes that information and begins to underwrite the opportunity. The information that's in that application is so vitally important because what'll happen is the carriers at the time of the loss months and months after say a renewal has taken place, will go back to the application. We just had this unfortunately, where it was represented in the application that they had MFA across the board, sure enough, there was a ransomware event and the sort of forensic IT that took place identified that the hacker got through a hole that was supposed to have MFA in place and did not.

Rafael Haciski: (14:47)
The carrier found out about that and they came back and said, "We're not going to cover this claim because you said that you had MFA in place and you did not." Very simple argument, but it's something that should have been identified well before. Again, that identifies that cruise control mentality. I think that I've mentioned that a lot of these organizations do when they're going through the applications, going through the things that they've done so far from an IT standpoint. As a result we're seeing a lot of our renewals, actually almost all of our cyber renewals, involve the heads of IT at the organization who can speak those acronyms and talk about what they're doing from a security standpoint competently and also identifying, "No, we don't have MFA in that area. We need to put that in place." Definitely is a hot topic right now with carriers. They're going to come in and perform network scans before they even speak to us or the organization, similar to what a hacker would do. We're aware of that and we need to make sure that our clients are prepared for it as well.

Amber Bardon: (15:37)
It's definitely been a challenge because not all of the insurance carriers out there can accurately define what they want. With MFA, we had one situation where we could not get them to tell us what they wanted, if they wanted it just for email or all domain users. They just really couldn't define what their own requirements were. So that's definitely a challenge that's going on as well as just figuring out what does this all mean and what exactly needs to be applied and how should it be applied when there's multiple methods.

Rafael Haciski: (16:02)
One of the most common cyber incidents that happen out there right now is ransomware events, social engineering theft, email compromise, data breach. All of those require some door to be open or some hole to be available for the hacker to pound into. The scary part is that, unlike a criminal who walks into like a jewelry store and steals all the diamonds, hackers can go into the organization and just sit there and just observe for months, if not years on end. Look at the calendars of the executives. See when so-and-so is out and when can I send that email from the CEO that says "I'm at the dentist office, but I need to see that W2 right now. So email it to me right now, right now, right now." We're also hung up on getting things off our list and making our inbox shorter.

Rafael Haciski: (16:43)
It feeds into that where the claim is going to happen because of the folks on the other end just aren't being complacent. They're focusing on something else. That hole has been there and open. Carriers don't really know how to underwrite to that. And so that's what we're seeing. From a pricing standpoint, from a cover standpoint, it's trending upwards because I think carriers are still figuring out what they're covering and what they're not covering from a cyber standpoint. And again, as you know, things are changing by the month when it comes to how and when these hackers can get into the organizations.

Amber Bardon: (17:10)
It's a whole new world. And like I said earlier, really the credit does go to the insurance companies for pushing the issue of security because without that I don't think it ever would've happened. I think a lot of providers weren't willing to invest the cost or the time or the resources to implement a lot of these measures.

Rafael Haciski: (17:25)
Another area I would just bring up is prevention, the during, which is the insurance, but then the aftermath. I might have made this analogy in previous conversation I've had with you, but you have a burning building, you know to get the heck out of the building and not get burned. You have a cyber event, organizations don't know what to do. Their Wi-Fi goes down, their IT goes down altogether, email is out, the phones don't work. All of that stuff happens. And so what are you doing from an incident response standpoint? Who are you engaging from legal, forensic? Who's on the panel? Who's been pre-approved by the insurance carrier? Who are we calling to handhold us through this very bad thing happening? Because I don't know if you've been in the office when something like that happens, but we're all running around like chickens with our heads cut off trying to figure out "How do I get my email back up? Why am I not hearing from anybody?" Having that proper incident response plan in place as well really helps organizations navigate through that. It's not if, it's when you're going to get hacked and brought down.

Amber Bardon: (18:17)
For every community out there that's listening, if security is not one of your top priorities, hopefully this podcast will help convince you to put it on your priority list. Rafael, this conversation's been really interesting. Thank you so much for coming on the show. Is there anything else you want our listeners to know?

Rafael Haciski: (18:33)
Give yourself whatever time you think you're giving to get into your next renewal and double that because the time is your friend and the longer runway you can give yourself to adequately prepare for the next renewal or bringing up your organization to your best-in-class light that I mentioned. Really do that. Find a broker out there that actually does know what they're doing. We are proudly a Two-Time Cyber Broker of the Year, beating out all the big guys when it comes to the service model that we have at our office, what we provide for our clients. I mentioned that review of the cyber policy or loss analysis. We do that as sort of our spade work to show folks who potentially would like to work with us what we can do. It allows us to really red light, yellow light, green light the policy and say here's where we've identified problems in your program. We know we can help and fix those problems. And then at that point it's the action point of where do we go from here? Pressure test your program. Don't let just the real bad claim be the thing that's going to attest what you've put together from an IT standpoint.

Amber Bardon: (19:29)
And where can our listeners find you if they wanna learn more about JKJ?

Rafael Haciski: (19:33)
All over LinkedIn, Johnson Kendall Johnson. We're also out and about at many of the senior living and other related conferences, LeadingAge. Most, if not all of the denominational conferences, within that LeadingAge bucket. LinkedIn is typically the best way to find me. We're there and happy to serve.

Amber Bardon: (19:49)
Thank you so much for joining me today.

Rafael Haciski: (19:50)
Thank you. Appreciate your time.

Amber Bardon: (19:52)
And listeners, you can find more of our episodes on RaisingTechPodcast.com. You can send us feedback on this episode or if you have an idea to submit for a future episode, you can also find us at that link. And as always, thank you for listening.