#14 – Cyber Insurance
Feat Will Brooks from FifthWall Solutions
Transcript
This is the Business Tech Playbook, your source for IT help for your business. I am so glad we're finally having someone that doesn't like Starbucks in the podcast besides myself. Will, thank you for coming. We have Will Brooks here from what was the company? I think I want to say Five Guys, but I know I'm way off.
Speaker B:It's definitely not Five Guys.
Speaker C:We're all hungry now. Fifth Wall.
Speaker A:Fifth Wall.
Speaker C:Okay. There you go. Five Guys on a Fifth Wall.
Speaker A:I'm not going to lie, I saw the invite and I haven't met you before and I'm like, is this a restaurant that we're going to be talking to?
Speaker B:I mean, basically, except way more insurance.
Speaker A:Tell us a little about yourself.
Speaker B:Exactly what was that?
Speaker A:Rob, tell us about yourself and what Fifth Wall is.
Speaker C:Yeah, so Fifth Wall as a whole is a cyber insurance only wholesaler. So effectively, what that means, the way I like to explain it is you have these insurance companies that say, wow, there are a lot of agents in the country, and it's really annoying when they all email me for quotes. So I'm going to use one person instead or one organization. That's Fifth Wall. So we become the person all the agents go to and then we go to the carriers to get the quotes rather than them having to deal with a billion personalities. Right. So we shifted our model in 2019 when the pandemic started up 2020 because security got really complicated around cyber insurance. So we started partnering with security providers to say, hey, this actually makes a lot of sense. So we kind of built out a whole security channel from there.
Speaker A:Very nice.
Speaker C:Me. I guess I have to talk about myself, right?
Speaker B:Please.
Speaker C:I like to wear fun shirts and I don't have a fun shirt on right now, but that's because, well, it's dirty. Or they are dirty. But yeah, I don't know. I'm a guy who is a self ascribed tech junkie. I love technology. I like taking things apart to see how it works and putting it back together. And typically when the Internet or a computer in my home growing up went down, it was usually my fault and somehow I found myself falling into the cybersecurity space. And it is awesome because it's right up my alley.
Speaker A:Wonderful. Well, before we go too far, I'm your host, Rob Zolson.
Speaker B:And I'm your host, William Boat, owner of Etop Technology and the Business Tech Playbook Podcast.
Speaker A:Well, clearly here we got a guest on to speak about cyber insurance. We've had a bunch of different questions. Even in our first topic, we mentioned that the five easy steps for security you should consider cyber insurance. That spiked a lot of questions. So I'm glad you're here, Will, so much.
Speaker C:Yeah, happy to be here.
Speaker A:Now, you said you just fell into the career. What exactly got you here again, at least in this technology space?
Speaker C:Yeah. So I've kind of, like, had this secret desire to break into the tech space for a long time. But for anyone who's not in the tech space, or it took them a while to get in, it's tough to break in. Once you're in, you're in. But it's you know, I was working as a pastor of a church down in St. Thomas in the Virgin Islands, and I moved back here because it was like a one and a half year kind of deal. Moved back to Long Island where I grew up, and I was doing some part time music stuff, and I was like, okay, I can't live on Long Island without that or just doing that, so I need to get a real job. So I walked down the street two blocks from where I was living at the time to an insurance agency and got a job working in normal insurance. So no cyber at the time because this was pretty new. I mean, there wasn't a whole lot going on in the cyber space. It was around I just we weren't doing it. And then I hated that job. So after two years, I was like, I never want to do insurance ever again. So I left, lo and behold.
Speaker A:Foreshadowing.
Speaker C:Yeah, lo and behold. Five years later, four years later, a friend of mine said, hey, I work for a company that does cyber insurance. You interested in looking for a job? And I was like, yes, because I need a job, but also insurance. And I started working at Fifth Wall on our agency channel. So when we got started as a company, we were working with agents and then we had this whole MSP channel going on. I was like, what the heck is that? I want to be a part of that channel. So as I continued to kind of work my job, I talked to our president and I was like, look, I want to get in on that tech side. And now the rest is history. Now I'm just a nerd who does podcasts and videos and LinkedIn stuff and also talks about insurance all the time.
Speaker B:That sounds like the perfect person to have on a podcast about, I guess let me explain a little bit about goal is here at the Business Tech Playbook, and it's really to de jargonify and remove acronyms from business. Tech executives are very busy, but they need to know enough about technology to make a good decision. And so our goal is to kind of hit a target profile of probably a CFO named Brian. They have a lot of things going on, have to make a lot of technology decisions, but at the end of the day, they don't need to know technology, but they still have to make good decisions. So as we walk through this process, remember, less acronyms is way better. And our goal is to educate and inform that busy executive.
Speaker A:And we'll pause you along the way in case there's some alphabet soup we need to clarify on.
Speaker B:Exactly.
Speaker C:We're going to talk a lot about EDR, MFA, nga.
Speaker A:How dare you?
Speaker B:Exactly. Okay, so early detection, honestly, a lot of that gets covered in our podcast number one, which is the five core controls that you need for cyber insurance. But at the same time, we will definitely demystify the conversation that we have here in the insurance space.
Speaker C:Yeah, fortunately, insurance doesn't have a whole lot of acronyms in its coverages. They're all pretty I mean, they definitely need definition because most people who look at them are like, what the heck do any of these do? But at the same time, I don't think there's any acronyms, which is nice. There are a couple PCI, PciI, all that stuff.
Speaker A:But we'll hit them as they come.
Speaker B:Yeah, exactly. We'll do the air horn. Exactly. We'll stop and we'll go back and we'll try to explain it as clearly as possible.
Speaker C:Perfect.
Speaker A:Well, BJ, you want to start the questioning?
Speaker B:Yeah, good question. Yeah, he totally just threw me under the bus there. I was like, I could start.
Speaker A:Don't you worry. I always have questions.
Speaker C:I actually have a question. So you actually legitimately got questions about cyber insurance that you need answered?
Speaker A:Yes, absolutely.
Speaker C:Go figure.
Speaker A:No, they're real BJ. I know what that look is. Those are real questions. Absolutely.
Speaker C:Yeah.
Speaker B:All three people that listen to this podcast emailed into podcasting top technology.
Speaker A:I'm going to start on the worst question that we could possibly throw at you. If we're talking about Brian, the CFO business manager, business owner, that's not technology savvy. I get when we have a customer, especially when we're onboarding or auditing a customer, we ask, do you have cyber insurance? And they look at me like I just made up a term like blinker fluid. So to start off, let's go with the basics. Here Brian's listening in, and he probably clicked the podcast wondering what the hell we're talking about. Cyber insurance. What on a high level, what is it, and why would a business need it in the first place? I know it sounds stupid.
Speaker C:Well, my brain immediately went to why are you asking them? Why are you asking them if they have cyber insurance in the first place? As a cybersecurity person, it's weird, right? I mean, typically you get the insurance conversation from your insurance agent down the street.
Speaker A:I can answer that because I like to sleep at night, that's why.
Speaker C:Bingo. So there's a couple of pieces to this, but the way that I like to explain it the best is that unlike all those other lines of insurance that people get business owners policies and auto policies, everything people are familiar with. There's this thing called cyber insurance which protects your network like it protects your business from if someone who is trying to hack you. I mean, I'm trying to say this in really basic layman's terms, right?
Speaker A:We appreciates it.
Speaker C:There's a person who is a hacker or a threat actor, as we like to call them. I just did air quotes, which I realize now no one's going to see, but a threat actor that is trying to get onto your system because they want to basically destroy your livelihood and then ask for money to make it not happen, right? So cyber insurance says, hey, we're going to kick in if that happens. So it is kind of like a form of crime insurance on one hand, because there's this criminal activity where a breach or a credentials compromise or something happens, but at the same time it also has all these liability coverages built in. And to define that simply, people are going to be really upset because now you have customer data that's leaked, you have information that is out there and you need to notify people. You may have to monitor credit depending on what state you live in, there's all these laws and procedures you have to follow and that's kind of like the incident end. But why I bring this up and I ask that question, why you as a cybersecurity person would ask that question, is because what's happening is that cyber insurance is quickly becoming part of an overall cybersecurity strategy. It's not an isolated thing. It's not sitting out on its own. It's part of the security that you need to be aware of as a business around the cyberspace. So if you have an incident, no one's impenetrable. There's no such thing as 100% protection from a cyberattack. So if something were to happen, or as I like to say, when something happens, you want to have the assurance and to your point, Rob, that I want to be able to sleep at night. Right? You want the assurance of knowing if you have the cyber insurance that you're protected from the cyber attack. And then as someone who provides security, you want the assurance of knowing your clients are protected from those cyber attacks. There's kind of two sides there and incident response is not just, hey BJ, get me back up online, right? 
Know my computer's not working. There's a screen on it that says, pay me a million dollars or you can't access your computer, fix it, right? This is not IT work. There's a lot that goes into it. Forensics gets involved, lawyers get involved, it gets crazy and the funds start to go through the roof and it costs a lot of money. And cyber insurance covers a lot of that incident response cost.
Speaker B:Well, as a person who does a lot of the asking of our clients, when does your cyber renew? I send a lot of our customers over to Fifth Wall just for them to review, even if they stay with who they are with, because it helps me sleep better at night, knowing that it's part of our customer's overall resilience plan. And so it's like AV's part, or antivirus is something, backups are part of it, like having a disaster site is part of it. Having a disaster recovery plan. It's one of the layers in your company's protection. And it's like, ten years ago, it was $800 for a ransomware, and now it's not uncommon to see several hundred thousand to a million plus. And didn't Caesars just pay $15 million? Yeah, they paid solidly into the seven figures for restoration, and MGM is still down.
Speaker C:Casinos are going to be targeted for a while now.
Speaker A:Yes.
Speaker B:Makes sense. They're very cash heavy. Typically.
Speaker C:Typically.
Speaker A:So, follow up questions. Brian's again, this is the persona of Brian, the CFO. Brian, the business manager. He hears that, okay, cybersecurity great. It covers hacks. What else does it cover? If I have a homeowner's insurance policy, it covers people having an accident on my property. It covers a storm. But they always have the question of what other things does it cover? Well, guess what? My homeowners insurance covers my kids treehouse. My homeowners insurance covers someone slipping in my front yard. It covers all these other things. What does cyber insurance cover besides just third party malicious entities? Does it cover my data going corrupt or a server dying?
Speaker C:Yeah, actually. Well, it depends on what type of policy you have. Right. And one of the things we always try to encourage clients on in our conversations is to know what is covered and to look for a comprehensive (comprehensive just means kind of all-inclusive) cyber insurance policy, because there are a lot of things going around that are posing as cyber insurance that don't actually provide the coverage it should. So the things you want to see on a good cyber insurance policy, yes, there is stuff. So, like to BJ's points, there's coverage towards ransomware. So negotiating down the ransom, depending on the state you're in, actually paying part of the ransom out from the insurance policy. But I guess I could walk you through this way. When an incident happens, like I said, you have forensics and legal getting involved. So the first step is you're getting legal and forensics involved. And that right there is part of the coverage. And then from there, forensics needs to determine who needs to be notified, what credit needs to be monitored. Is there any PR that needs to be done, is there any fraud response that needs to be done? All of that plays into the coverage. So you have to determine what's needed, and then you actually have to pay out and fund what is needed. On top of that, there's a lot of things that are going to actually help your business out. So not just the liability side, but let's say you're I guess statistically I made a video about this recently. Statistically, it takes about 14 to 16 days to fully recover from a ransomware attack for on average. And that's not something like MGM like we said, but on average, I'd believe that.
Speaker B:I'd love to send us the link to the video and we'll put that in our show notes.
Speaker C:Okay.
Speaker B:Because realistically, I can't imagine. I mean, 14 to 16 days is probably a pretty short timeline. Yeah, it seems like a full recovery.
Speaker C:Except when your business is absolutely not running, then it's stressful as all get-out. So a cyber insurance policy also will cover business interruption, loss of income during that time. So part of the coverage will say, hey, you know what? You're not making any money right now, but we're going to fill in that gap. Right. And then you brought up data replacement, you brought up hardware replacement. That's all on there. There's cybercrime coverages. So there's like specific instances like business email compromise, electronic theft, they call it, where someone calls HR and they pretend to be an employee and they swap out bank credentials or things like that. Right. And there's no real system in place. So there's all that kind of stuff, pretending to be someone you're not, gift card scams, all those things are covered. My favorite line of coverage, which I don't know how prevalent it is today, but it's called cryptojacking, where effectively a threat actor, a bad guy gets on your network and they just leech your resources over time, and you don't even know. And they're just mining for Bitcoin, using your resources. And then your electric bill goes through the roof and they'll cover that.
Speaker B:Really? I've definitely heard of it. But, I mean, we stay as on top of our client security as we possibly can because that's a bad deal. I mean, if you ever wonder why your computer is running like crazy slow, it could be Sophos or it could be cryptojacking. That's interesting. I didn't realize it would actually cover your electric bill due to that cryptojacking.
Speaker C:Yeah. So one other one that I love to bring up because a lot of our partners are completely unaware it's on there. But if you're a small business... so MGM, people are going to talk about it for a while. Caesars, people are going to talk about. Clorox, people are going to talk about for a while. They all had incidents. But at the end of the day, I'm not going if I need Clorox, I'm going to go buy Clorox. If I really want to go to Vegas, I might still look at an MGM casino. That's not going to destroy. But if you're a small business that has 100 employees and you undergo an incident and not 100 employees, 100 clients. And all 100 of those clients are now being told, hey, you know what, your credentials might have been leaked. Your personal, private information that we had on file might be out there on the dark web. Now, that hurts your reputation. So a cyber insurance policy will actually pay to hire people to come in and do reputational damage control. Yeah.
Speaker B:That's crazy.
Speaker C:That's a big one.
Speaker A:Now, again, just going back to the original question, is there anything outside of third party malicious actors? Like, just say they weren't hacked, no third party threat involved, the company going down, and it was just day to day issue of something corrupting on their server. For instance, would this be covered under a cyber insurance or a cyber insurance? More or less. Again, each policy has its own coverage, more or less. Covering just malicious actors, I would say.
Speaker C:And this gets a little weird, right? And this is why we always say, get your policies looked at, because you need to read the policy definitions to really understand. Typically, a policy will kick in due to a, and this is all it says, talk about real simplified, cyber event, right? So if a cyber event happens, the policy, then you have to read another definition that explains cyber event. Then you have to read another definition that explains the pieces of cyber event, right? So it works down. There are a little weird ones. So one of the coverages you find on a policy is multimedia and IP liability, which is really like internet privacy. And we've actually initially and the policy language is starting to change. There was a story that came out last year about a hospital that had it was a hospital or medical facility or something that had a login portal where patients could log in and they could find out what their prescriptions were when they renewed all that access to all their medical records, things like that. And then all of a sudden, they realized that they were on Facebook and they were getting advertisements for their medicine, and they were like, this is weird. And it turns out that this medical portal that was supposed to be private had Meta Pixel tracking in their portal. So this became a privacy breach, and there were some cyber insurance policies that didn't have clear language around that. So even though it wasn't a bad guy trying to get in, it was considered an incident that would have been covered under this multimedia and IP liability. So carriers were starting to change their language. For the most part, these are going to cover cyber incidents that are malicious or someone trying to get in on the network.
Speaker A:So you're saying that when Joe intentionally spills coffee in his laptop, we can't call that a cyber incident?
Speaker B:Shucks. Yeah, but that's why if you go to our hardware episode, we talk about getting ProSupport Plus warranty that covers your accidental damage or air quotes accidental damage. It goes back to it's part of the you know, this is why servers need to be under warranty from Dell, and you need to have backups, because that's what you restore from and keeps your business. Not if a client calls me and says, my building burned down. The way I handle the incident is dramatically different than, hey, I have a ransomware on my screen because it's like how we approach it is just dramatically different. Like if the building burned down, go straight to restoration. But again, this should be spelled out in your disaster recovery plan and also something you've pre discussed with your insurance, hopefully ahead of time. You never want to find out if your insurance is the right thing after an incident has happened, whether it's cyber maliciousness or you had a bad corrupted drive or your building burned down.
Speaker C:No, that's all really good. And it makes me think too of what we were talking about, about the cyber insurance being part of the overall cybersecurity strategy. You have issues where people need to recover from these cyber, and you as the cybersecurity provider, it's really important to you to be able to come in and make the I don't know what I'm verbally processing at this point.
Speaker B:So part of the way I look at it is I want my clients to be around both before and after a cyber event. And so if we've made all of the pre, we've done all of the pre planning back to what you said, there is no perfect plan. We stress over our solution and how we do things extensively because we want our clients to never have a problem. But when there is a problem, I want my clients to be in business on the other side of that. So just from a purely selfish point of view, having my clients properly insured gives them a much higher resilience to be a client two weeks after that event. Can they even afford to pay for a recovery?
Speaker C:Yeah, no, definitely. And I guess that's a big talking point of what we say to a lot of our partners is like, yeah, you know what? For a client, it's really important that you have cyber insurance coverage because you want to be able to survive an attack. For someone like you, BJ you have these clients who, if they can't survive an attack, because usually the minimum limits that we provide on a policy is like a million dollars, right? So we're saying in most cases, a million dollars, depending on the size of your business. So let's say it's a particular business. We'll say, hey, look, a million dollars is good for your business. In most cases, if you have an incident, it probably won't go higher than that. A lot of times it's based on revenue. So don't take what I just said. As I make 200 million a year in revenue, a million is enough for me. That's not how that works. But what we want to be able to do is help you survive the blast radius of an incident so that when it happens, you don't lose a client. BJ and your client is able to stay in business because that's their livelihood. Now, all business is done online today.
Speaker A:You're the expert here when it comes to what people should have for amount of security. But you said it's measured on revenue, but it's also the type of business correct. For instance, if you have a million dollar business versus a million dollar business, that's HIPAA, I would consider that HIPAA business more at risk and would be assuming they would need more coverage. Is that correct?
Speaker C:Yeah. There are three deciding factors on eligibility for cyber insurance and pricing. And that boils down to your industry, your revenue and your security posture. And usually that security posture piece isn't so much of a pricing thing as much as it's, we're going to look at your revenue and we're going to look at your industry. And based on those two factors, certain levels of security are going to be required. Right. So you could have a small tax prep service that's making 200,000 a year. Their security needs to be decent, but it doesn't need to be off the charts. But you have a manufacturer that's making over 100 million a year. Don't even get me started. You're going to have to have way more than the bare minimums, like you probably talked about on podcast.
Speaker B:And that's the thing is we try to treat all of our clients relatively the same. We enforce similar controls to every single client regardless of revenue, because I want them to be insurable and I want them to be resilient. I want to be able to know going in that they're going to survive in a potential attack. And that's part of why we have these conversations. But with the security aspect, I mean, you said revenue and industry, industry really drive the cost. Is security driving the whether you get.
Speaker C:It or not, typically every now and then there are a few security controls that a carrier might look at and say, hey, if you get this, you'll save some money. Most of the time carriers have a I almost picture they have like a little chart where they say, what's your revenue, what's your industry? Okay, this is all the security you need in order to get a policy with us, right? And that's for the most part how it works. So when I'm having conversations with clients, I'm like, look, this is not going to be a conversation about how you save money. Cyber insurance is an investment just like your cybersecurity, and on some level we want to be able to save you money. Fifth Wall has near global access to the cyber market. So typically we can, but for the most part it's usually a conversation first about saying this is about maturity in the cybersecurity space. What do you need to do in order to consistently keep your business a good risk to the cyber insurance carriers. And just because you got insurance last year doesn't mean this year your security is good enough to be eligible. It's shifting like crazy. Rapid shifting sands. Well, but the five main controls.
Speaker B:For insurance that the carriers look at are what EDR. So early detection and response. So it's a tool that goes on your machine that looks for behaviors and such multifactor. So whether that's Duo, Microsoft Authenticator, there's a lot of different tools to do that. Security Awareness training where that's you train the end user, right. Backups and patching. Correct?
Speaker C:Yep.
Speaker B:I've heard rumors that there might be. Right. So critical there's a CVE rating system. So critical. Vulnerability something, I forget what the acronym is.
Speaker C:Let's say experience.
Speaker B:Yeah, exactly. But those five controls are basically what most insurance carriers are generally looking for now. Right.
Speaker C:Those are going to be your top five. Yeah. I mean we like to say you must be this tall to ride this ride. If you don't have those then you're probably not getting a policy at all. And if you have one, chances are it's not a good policy or you fudge some answers on your application which puts you in a dangerous spot. Something I like to point out about cybersecurity Awareness training that can be sometimes bit of an annoying one for employees. Like, okay, I know how to watch a video for five minutes and answer questions that I probably knew the answer to before watching the video. But I have friends who work in the space who have no idea what this stuff means and are not the most tech-savvy people. So to go watch these videos can be annoying for them. But when you can drop statistics, like 82% of incidents are due to human error. Right. Like 99% of incidents in the Microsoft space would have been avoided if MFA were enabled. These controls make sense as to why carriers are looking for them. And on top of those you're starting to see a couple of other ones and some of them work in the background until you absolutely need them. Right. So email filtering is becoming a popular one. Like we want to try and limit the number of spam emails you even ever see. And then another one which causes a lot of chaos is the local admin rights being removed. It's not chaos in the chaotic way, but in the frustrated employee way. Because I want to install Spotify on my computer, you're telling me I have to ask BJ to do that and.
Speaker A:It's like, yes, I'm going to stop you there.
Speaker B:Every single time I'm going to stop you there.
Speaker A:So those are listening. Administrative rights on a computer. If you're not familiar with what this is, let's go. Just a hair of a deep dive. If you buy a computer from Walmart, you already have admin rights. That's why you can do anything. And when it says are you sure? You just go okay and you move on. That way you have all the power and control to make all the mistakes in your personal computer you want. You saying okay and giving the installer software whatever you're trying to do, permission to do what it needs to on the computer is a risk. But when it's your personal computer, if that blows up, so be it. When you're doing it on a work computer, that's when you can get malware, viruses, threat actors, anything let in the computer. So if you take away that permission and all you let them do is run the application that's already on the program, you have locked down your computer in one of the best methods. So if you'll see in a lot of these businesses, lawyer offices, healthcare industries, they've taken that away and you have to call someone to get permission to install that or have an IT representative install that for you, that's one of the greatest methods of security that we can offer, is taking that accidental "I didn't know what I hit okay to" permission away from the end user.
Speaker C:Perfect. Exactly our way to describe that.
Speaker A:All right, just going a little detail about you said the five most common requirements and then you went in detail out of those. I want to know which ones would you reject a customer on? Which would the average insurance company say, if you don't least have this, we're not going to do business with you.
Speaker C:Those were those first five BJ was talking about.
Speaker A:All of those. They have to do them all typically to get cyber insurance.
Speaker C:I mean, I say as soon as you hit like 5 million in revenue, you need to have all of those. Sometimes if you have less than that, maybe the endpoint detection response might not be entirely necessary. I would say the absolute necessities are going to be MFA, which is that multi factor authentication. You get the code, you plug it in after you put in your password. I always like to say the most important controls are the ones that cause just a little bit of minor inconvenience, but go a really long way. So MFA is a big one. The security awareness training is a big one. And the backup solutions, which granted, that's one of those ones that typically get done in the background, but having a robust backup solution where those backups can't be altered or changed by anyone, it's literally an image that cannot be altered and it can restore. Right. And that's the whole idea behind that. And then patching is really important. So I would say EDR is maybe the one that you can get away with not having still, but for the most part, even that one, they're starting to crack down on more BJ.
Speaker A:Can you clarify EDR before we continue?
Speaker B:Oh, goodness. So there's probably a hundred EDR products out. Oh, please, please do.
Speaker C:All right.
Speaker B:I like to see what an insurance guy does.
Speaker C:Yeah, I like to explain it this way. So your house, you have an alarm system, right. You have a way that you have the front door that's bugged. You have the windows that are bugged. You have the basement hatch that's bugged, and as soon as one of those gets open, it triggers an alarm. Right. So I like to say EDR is like that for your network. So all the places that someone can get into your network has a little alarm on it. And Basic EDR says, hey, as soon as that entry point is tripped, an alarm goes off. But then they have something called managed EDR where that alarm is not just going off and you're waiting for the police to arrive. You actually have someone at the center who wants to make sure and shut it down and make sure everything's good to go. Is that a fair analogy?
Speaker B:That's pretty accurate.
Speaker C:Yeah.
Speaker B:I like that. I'm totally going to steal that, too.
Speaker C:Perfect. Great.
Speaker B:I don't really explain it that often because we just include it for our clients. Like you said, it's right to play, must be this tall to ride. So for us, it's one of those things where I need to rest well at night, and it's not something I'm willing to let clients make a choice on. They just need to be protected. And so it's one of the smallest pieces that I can pay to have a safe network.
Speaker A:And we promise that there will be a future episode on EDR on this podcast coming very soon. One of my personal favorites. Just to highlight one solution you can go look up that I've enjoyed even before I went to Etop, is Huntress. We use it at Etop. I was tickled pink to see that they were using it when I got hired. It's a great platform to look into. If you're listening now, I want to make one little point from my neck of the woods. I am in north central Minnesota, and in the upper half of Minnesota, we like to call this the least tech savvy place of the nation. We still got people that still have party telephone lines from the 60s just to give you an idea of how some of the technology is up here. So what they were doing in my area, and this might be in your rural community as well, is they were offering cyber insurance as an addition to your normal business insurance. And the person that sold it to you didn't know what they were selling to you. They said, for this much, we can tack it on. Sign here. And you didn't do anything. They didn't do an audit, they didn't check anything. Now fast forward to right now. They sold you that policy six years ago. Now they're doing renewals, trying to see exactly what's going on. So they'll be sending you a form in the mail. They'll be asking you these five most common requirements and more information to audit where your business is for something that they sold to you a while ago that no one knew exactly what they were selling for. So I'm seeing now in my local area businesses that have had cyber insurance for the last six plus years and are now being dropped because they never did the form, and they're looking into it, and you don't have these what they consider minimum requirements. So if you think that you have cyber insurance now, that may very well go away in your next renewal period.
Speaker B:Yeah, go for it. Will, I think I'm probably going to lead you into what you were wanting to talk about, but tell us the difference between a rider that gets added onto your general liability insurance, which is probably what Robbie's talking about, versus a separate policy, and kind of the difference.
Speaker C:Yeah. So I would say what was first happening is you have a general liability policy, which covers all these different liabilities for your business, and some of them have the ability to endorse. And endorse is a fancy word for change to your policy. So make a change to your policy that adds a cyber component to it. And when you think general liability, you generally have liability. So when you add cyber to that, now you generally have cyber. It's kind of like, do you know the stores Dollar General and Dollar Tree?
Speaker A:Yes.
Speaker C:Right. So I always like to say and they've changed since then, during the pandemic and inflation, all this kind of stuff. But Dollar Tree was the place that everything always cost a dollar, but Dollar General was where everything was generally a dollar. Right. So it was actually more than that. Usually it's like you pay $3 for plates, not a dollar. Right. And so cyber insurance tacked on to a general liability policy. You generally have cyber, you kind of have it, but usually your coverages are very low. You're missing a lot of those coverages we talked about earlier. And if you have an incident, I mean, I've seen some general liability tack ons that are only $10,000 total in cyber coverage, and that's like nothing. Or you have one that says a million dollars in cyber coverage, and then you read the fine print and it says, well, it's really just a million towards legal fees. You beat me, so not your business.
Speaker A:You beat me to my next punch. Those add on services, I had three businesses that had an event I love that, by the way, that's positive connectivity for a negative thing. They had a cyber event that they needed to actually do claiming, and like, oh, I never knew my coverage limit. I never knew that it only did lawyer fees and they lost their business, or they had to merge with someone else, or they had to get creative because they didn't have the capex to cover, I don't know, losing their entire business for
Speaker B:I would like to be clear that this was not at Etop Technology.
Speaker A:That this no, this wasn't even anybody I've worked with in the past. These are friends that I've never worked with. They're just my social friends. That has happened to okay. Yes.
Speaker B:I just wanted to be really clear about the expectations of what we do versus good clarity there good clarity there.
Speaker C:Yeah. And I guess the other side of that, right, and what it sounds like you were bringing up was now the agents were shifting them over to a more comprehensive policy. So when those endorsements, those change policies, those riders, they require very minimal underwriting, if any at all. So there's not anything needed to get one. It's just like, sure, we'll tack on some cyber liability, whatever, versus now you're looking at a comprehensive policy where now we're not going to pay out $100,000. We're going to pay out a million dollars if you have an incident. So now all of a sudden, this means a lot more to us, where we have a lot more to lose here if this risk is bad. So what happens is you have these questionnaires that have gotten longer every year, have required more and more every year. They get ridiculous, and clients will often look at them and they'll say, I don't know what any of this means. And if they don't have a security provider like Etop, what they run into is, well, I'll just answer this myself. And if they answer it incorrectly and they're actually misrepresenting their security posture to the insurance company, if an incident does happen, the insurance company has all the right to say, we're not paying this claim.
Speaker B:Well, I had a client of ours actually, I sent it over to you, Will. It's a franchise, and they had an option to get cyber coverage through their franchise, and he sent me over the form, and it's a pretty typical length insurance form at this point. It's probably eight, seven, eight pages. He's like, I think I can probably fill it out. I'm like, no, you don't have the first clue. I'm not trying to be mean. I'm not trying to be rude, but you don't know what we are doing for you. You know what we do, but what you see is we take care of your day to day. What you don't see is how we're making sure everything stays working if there's an incident. And so it's like you fill in the gross revenue, you fill in the company information, because those aren't necessarily things I need to see. But you don't know if you have EDR. You don't even know what the acronym means. And again, not to be condescending, it's part of why we're doing these types of podcasts. But your IT person should be helping with probably seven or eight out of the eight to ten pages, because you really need to think about the answers to the questions. And a lot of what I end up doing is I put a lot of extra typewriter, I put a lot of extra notes in the application explaining exactly how we do it, what our implementation is. Because if they accept it at that point and buy into the insurance, I've fully explained upfront what your posture is, and they can accept that risk. And so I don't just do yes or no answers in almost every situation. I try to have an actual answer for every single question because it helps the insurance company have a better understanding of what your risk is.
Speaker C:Yes. No, that's perfect.
Speaker A:When I go get auto insurance, I like to treat things with common sense. When I go to auto insurance, of course, my auto insurance is going to make me pay more or drop me entirely if I've got too many speeding tickets. But on the other side of the coin, what can we do? Because if I go to State Farm, they'll say, I'm going to put this little device in your car. It'll monitor how you drive. And guess what that'll do if you're driving well, we're going to save you like 30%. What is a cool thing that you can tell Brian that probably has cyber insurance, looking into it on how he can save money on his business, cyber insurance. And this is a big one. I found this on many forums that people were reaching out for like, a personal pack.
Speaker C:I'm trying to answer this without pitching my company pitch.
Speaker A:Your company, brother.
Speaker C:Well, I mean, the reason I say that is because a standard approach to getting an insurance policy right now, you have safe driver discounts and you have hey, you're this age and you have had zero accidents. Oh, that makes you a good risk. We'll give you a discount for that. Oh, you're in school, we'll give you a discount for that. Oh, you took defensive driving, we'll give you a discount for that. All of those things lead to discounts. Really? The only eligibility requirements for car insurance is you need a license and you need a car. That's pretty much it. And don't have a ton of accident record, right. So that's pretty much it. Now, when it comes to cyber... You got something to add, BJ, before I go into...
Speaker B:I was just going to say, so part of, like you said, the reason you could get discounts on drivers. My guess is that they have had enough years of data points that they can safely say if you're in school, you're less of a risk. So we are willing to give you a discount. My guess is that with cyber, they don't have enough data to be able to give you a discount. If you happen to have backups.
Speaker C:It goes back to... Correct. They don't have enough data. Cyber. In the insurance landscape, cyber is still a baby. So there is that the actuary tables are still being built, underwriters are still determining good versus bad risks. The data rolls in. It takes usually two to three years to compile all of that. So the interesting thing is cars, even though they get smarter, usually as cars get smarter, they get safer. Cyber, as the internet progresses, as technology progresses, it actually gets more dangerous. So the challenge here is that they're trying to keep up with a rapidly evolving threatscape. And so it actually makes it harder to say, hey, if you have these controls, you're going to save money. And I usually have to push. You have two things, get good security because that's going to make you eligible, and then get as much like shop out your policy to as many possible carriers as you can. So if your agent just presents you with an option, oftentimes one of my responses is to say, hey, you know what, have you shopped it out everywhere you have access to? Or did you just go to the four companies that you have direct access to? Because like I said at the very beginning of this podcast, we're a wholesaler and a wholesaler has access to all these companies that an agent can't access directly. And usually the lack of direct access makes the agents not really want to approach that if they can avoid it because it's more work. Right. So I think in terms of saving money, it really comes down to are you marketing yourself out to as many carriers as possible?
Speaker B:I think it might come with time based on how as they build their data points. But like you said, I do think they're dealing with a landscape that's changing on a daily basis.
Speaker C:Yeah. And on top of that, most of those insurance companies, I don't want to speak mean they don't know a whole lot about cybersecurity. Underwriters typically see a long list of check yes or no. And I have a friend who's an underwriter, a really good friend of mine, and he is encouraged by the insurance company, hey, you would need to learn what all these things mean. So join webinars, try to explore, try to understand. So they are trying to learn. It's not like they're just sitting there in a bubble. Right, but at the same time, if you're adding more and more security to this list, they have this ever growing laundry list of things to learn. So a lot of these insurance companies aren't they're kind of behind on what good security is in the first place. A couple of years behind. Right. So even if insurance is saying you need to jump this high, is that really to be considered safe from the current cyber threatscape? And that's where I think that you're going to see carriers start to emerge who are completely cyber focused, but they're cyber focused primarily from the cybersecurity perspective and they're saying what really makes someone a good risk and how are we going to offer tangible discounts based off of that that's going to emerge somewhere? And then you're going to also, this goes back to what I was going to talk about before, where I said it's not important, but it is. You say, oh, I have MFA and it's turned on and I got the policy. But now three months into your policy term, you say, hey, BJ, MFA is being really annoying. Can you turn it off? And that's where you say, if I turn this off, you will no longer have cyber insurance coverage. Right. It's that kind of thing. So I think we're also going to get into a world of active or continuous underwriting where now it's no longer just you attested to having something, but there are actual monitoring. How do I put this really simply? There is a way to monitor that. You don't turn those things off. 
And if you do, they warn you, hey, we're going to cancel your policy in 48 hours. Or something like that. Right.
Speaker B:I really think it's just a matter of time and it goes back to I think everyone's going to start requiring that level. I think my life insurance is through John Hancock. And so I log an exercise activity, I get points. It keeps my premium down. If I go to the doctor, I get points. It keeps my premium down. If I do none of these things, my premium goes up every year. So I think you're going to see the same kind of thing happen for cyber very soon because like you said, they're having to so that way they can stay abreast of what's a current risk profile look like. How do we gauge that?
Speaker A:Yeah, well, I have one last big rabbit hole and this is a good one. And I don't think people understand. So when you I'm going to use the car analogy again. When you're in a car accident, you hit a deer, your first phone call is not to an insurance agent saying, hey, I hit a deer. Help me. Your first call is to calling a paramedic to address your wounds, to call a tow truck to get your vehicle taken care of. And maybe tomorrow morning or the next day you might reach out to your insurance agent saying, hey, this happened. Here's the police report. I need help and reimbursement. In cyber insurance, what are the steps when something happens? What should the end user do? What should the IT department do? And what's your part in the insurance agency? Paint it like a bouncing ball. Issue happens, what's the next step?
Speaker C:You got to call your carrier right away because unlike a car accident where it's like, all right, let's exchange information and then as long as no one's hurt, let's be on our way. And then you can call the insurance company and you can do all that stuff, right. No, this is very different because the pressure the IT guy is going to get is my computer is not working. I need to get back up online. This is going back to what we're saying at the very beginning. Fix my computer. Right. But as soon as it is determined that something isn't right, that's where the insurance company needs to be called because the insurance company wants to get forensics in there before anything is changed, right? So we always like to say, hey, IT guy or cybersecurity guy, your job is isolate the incident. So if you can shut down the endpoint, that entry point, if you can shut that down so that the bad guy can no longer access the systems, great. But don't restore the system from backups because you might wipe out all the evidence that was there of what happened in the first place, and then forensics can't do their job, and then your claim might not get paid out at all, or at least fully, because they can't determine the extent of all the issues. So the first thing you want to do is get the insurance carrier on the line. And a point I always like to make is a lot of times it does get just like you did, it gets related to car insurance accidents, right? I don't want to notify my car insurance carrier because then my rates are going to go up. And that's the fear, right? Oh, it's just a little fender bender. My rates are going to go up. The problem with a cyber attack is we always say you put your carrier on notice even if you're not sure if something actually happened. And that's very different from the other insurance space because we're always thinking, premium increase, premium increase. 
But in the cyber insurance space, most states have laws around how you're supposed to respond to a cyber incident. So if one has happened, the carrier needs to be prepared to start getting everybody on board that needs to be on board, getting the funds allocated, all that kind of stuff, so that if it turns out something happened, everything's ready to go. And that's why they bring in lawyers. They bring in lawyers to represent you, but they also bring in lawyers to make sure you're doing everything you have to do to stay compliant by state requirements based on that incident, all that kind of stuff. So by putting the carrier on notice, if nothing ended up happening, awesome. Now no one has to pay anything and we're in a good spot if something did happen, now everything runs faster and smoother, and that's the ideal.
Speaker B:As an IT guy, it pains me to know when to call the insurance person first or the carrier before you start fixing problems, because as an IT person, my very core wants to be a fixer. But then I've also realized as a business owner that you have to play the game and you have to play it properly in order to win. And so part of that game is, what does your incident response say? You reach out to your insurance carrier, you put them on notice, you tell them, hey, we might have an issue. Like you said, it's following the right steps. And so it's painful as an IT person or a security person to just not start fixing the problem. But again, the difference between your building burned down and a security incident are so different and how you respond to them need to be different.
Speaker A:Yeah, I started my IT career like 2007, 2008, and let me tell you now, in 2023, I've done a lot of steps. First it was break fix. Then I went working on business machines. And then of course, IT departments blending into a managed service where I take care of multiple different businesses. And throughout that, if something happened and something was malicious, lock it down, clear it out, restart it and get him up. Because downtime is the enemy. Now, the change is so drastic that I'm sorry this has happened. Lock the system down. Call insurance. It's such a weird thing for me from doing this for so long and how the biggest fundamental of keeping the customer up completely stopped to call insurance as the first step after you shut down the endpoint. Trust me, it's just as shocking for us as it is for you listening to this. But that's what the insurance is for. It's going to cover the downtime. And I've had friends that you said metal manufacturing. I've had friends in that space where they have four different locations in different states and they get hit and it's taking down 50, 60, 70 employees. And what he's yelling at me, screaming at me in the face is, I need these people up. I'm bleeding money because each one of those wages are going to be paid if they're working or not. And I'm like, Whoa, whoa. That's what the cyber insurance we signed up for you is for. We're going to lean on that. And it did save time and time again through these different situations I've seen with other people, other scenarios. It's not your natural instinct, but trust us, call the insurance company first.
Speaker C:Absolutely.
Speaker B:In a future podcast, we will go into like disaster recovery and incident response further. But please talk to your IT provider, talk to your IT person, talk to your insurance, cyber focused insurance agent about incident response and disaster recovery. Because having these things pre thought out ahead of time makes such a big difference, like just night and day. But are we all insuranced out, everyone?
Speaker A:I mean, we've done this now for almost an hour. Will, you got any last notes, anything that we missed that's crucial?
Speaker C:I think probably just because who we're targeting in this podcast, my biggest advice to anyone around cyber insurance is it is very complex. It's very like if BJ brings it up to you, he says, hey, you should get your cyber insurance reviewed. A lot of times we go push that off and say, I got an agent, my agent can handle it. And that might be true. Some agencies have a cyber focused person who really knows cyber insurance. And those people kill it when it comes to cyber insurance. Most agencies, in my experience, do not have that person. So don't immediately brush off the opportunity to have your policy reviewed because it's really important based on everything we just said, to make sure that you can withstand an incident. So when your cybersecurity person broaches the subject of insurance, which I assure you is very awkward for them because they're not licensed in insurance, it's not their world. But at the same time, when they broach the subject, I'd say be receptive to it, just to the point of, hey, I need to be able to understand what I have coverage for because my business is my livelihood and my business is also online. I mean, that's just the reality.
Speaker B:I haven't met a not online business in a very long time at some level.
Speaker A:Well, Will, thank you so much for coming on.
Speaker B:Seriously, thank you.
Speaker A:If you want to find a good insurance, cyber insurance policy, you can reach out to Fifthwallsolutions.com. I don't know if Will's going to be your representative, but one of his team members, I'm assuming, is that correct? Would be someone to talk to.
Speaker C:One of my team members, yeah. But reach out, go on to Fifthwallsolutions.com or I mean, honestly, one of the beauties of working with Etop is you get access to us directly. I mean, you can go to Fifthwallsolutions.com, but the first question we're going to ask you is, who's your cybersecurity provider? Because we need that person. We need to understand as much as I'd love to say, here, fill this out and tell us all about your cybersecurity. A lot of times, business owners don't. I mean, I wouldn't be able to answer my cybersecurity package, and I know a lot about cybersecurity, right. That's not what I do at my business. So you need someone who can answer those questions for you. So, yeah, that's where I would leave that. But also on LinkedIn. Follow me. LinkedIn.com. Wilbo but the L is a one that's a lot of fun videos on there.
Speaker A:Wonderful. We'll have those links in the description. And again, if you're looking for an IT department or managed service team, Etoptechnology.com, we're pretty good.
Speaker C:Which just going to throw this out there for about eight months. I did not realize that Etop was just BJ's last name spelled backwards.
Speaker A:So when I figured that out no one knows.
Speaker B:No one knows. It's a secret.
Speaker C:Well, the good news is you can edit that, right?
Speaker B:No, we'll probably leave that in because why not? Goodness.
Speaker C:All right, then.
Speaker B:That's right. Well, we appreciate you and thanks for listening. Yeah, like, and subscribe and all that fun stuff.
Speaker A:Until next time.
Episode Notes
Find out more about your cyber insurance options at https://fifthwallsolutions.com/
For more episodes go to http://businesstechplaybook.com
Find more on LinkedIn: https://www.linkedin.com/in/william-pote-75a87233
This podcast is provided by the team at Etop Technology: https://etoptechnology.com/
Special thanks to Giga for the intro/outro sounds: https://soundcloud.com/gigamusicofficial