What if you had no cyber insurance… and still walked away with the money? Most companies wouldn’t be so lucky. But one small manufacturer found themselves in the middle of a cybercrime event—and somehow, a loophole in the system worked in their favor.
In this episode, Max Clark sits down with Joseph Cook of Arizona Group to unpack a real-world breach that started with a spoofed invoice and ended in a surprising insurance payout. They break down how cyber insurance policies really work, the hidden clauses that could make or break a claim, and what most business owners overlook when it comes to risk, protection, and coverage. From business email compromise to ransomware to evolving policy underwriting, this is a no-fluff crash course on what’s actually at stake—and what your policy probably doesn’t say.
Think you're safe because you're small or “not a tech company”? Watch this episode before it costs you.
TDD EP 52 Audio
Max Clark: [00:00:00] Joe, I've wanted to have this conversation for a while. Really appreciate you joining and talking about this. I end up talking with, um, you know, companies a lot about cybersecurity. Right?
It's a big topic for a lot of people, and what's always been missing from that conversation for me is the other side of it, which is: we have this impact, and what cybersecurity insurance is, and a lot of times maybe the tooling is to help reduce premiums on your, on your policies. But there's also this insurance angle of it. So, I'm really happy to be able to talk about that and to get into, you know, what else happens here for, for companies.
Joseph Cook: Sure.
Max Clark: and if you could, we're gonna, we're gonna talk about one specific example, and if you could set the stage for me and, and, and gimme a little bit of background and talk about, you know, industry, you know, like pre-event, like what, what are the, you know, what was
Joseph Cook: Sure. Yeah. Yeah. So, uh, just, just disclaimer, you know, no company [00:01:00] names will be shared, whether it's the insurance carriers or the actual private entities, but we will give industry, we'll give
Max Clark: Yep.
Joseph Cook: size, scope, things of those nature that can make the story relevant. Right. And, and hit home to those that may be similar.
Uh, so in this instance, uh, this was not too long ago. Within the last 30 days actually, uh, we had a, a manufacturing client who has two entities, a parent entity and a subsidiary entity. The parent entity has been around for many years, 20 plus years. They're a, uh. Component parts widget manufacturer, primarily rubber and metal goods, small gaskets, bolts, nuts, nothing
Max Clark: Mm-hmm.
Joseph Cook: know, compelling or, or, no.
Nothing hazardous or, or no dangerous finished goods or anything like that. Very much a, a small, uh, widget manufacturer. Um, they take up a decent amount of square footage. You know, they, they have a, a, a good sized local operation, 15, [00:02:00] 20 million in, in annual revenue or sales. So, so it's a good sized local, private employer.
Right. Um, not too long ago, uh, they spun up a subsidiary company and it shares manufacturing floor space with them. Mm-hmm. Uh, it does have its own tax ID, it does have its own set of employees, and the reason it was spun up as a subsidiary was because of the fact that while it's also in manufacturing, it does something different.
So if you've ever received a package, that package might have an item that's breakable in it. There's those foam inserts that protect that package. They cut those foam inserts to spec, so they get big sheets of foam. They take, you know, essentially a razor blade, and they make the incisions and cuts to fit the spec of, of the manufacturer that has the finished good that needs the foam to pack the product.
Right. So they've spun this subsidiary. So here's these two [00:03:00] companies, uh, they're owned by the same husband and wife. They're both local Phoenix private companies in the manufacturing space. So there's, there's the scene of, of who they are, what they do.
Max Clark: and manufacturing. Even when you get into, um, like high tech CNC process automation, a profile for that company is you, you know, maybe a few people in an office on computers,
Joseph Cook: Mm-hmm.
Max Clark: of people on a line, whether that's, you know, running the line, producing the product, doing quality control, shipping and receiving
Joseph Cook: Yep.
Max Clark: functions. you know, like I've, I've seen a lot of cases where I. know, you might have, uh, a manufacturer that's got 500 employees, but maybe there's only 50 in a front office or in these like, front office roles. So
Joseph Cook: Yep.
Max Clark: yeah. I would, as you know, say similar probably profile here. Is this where I go?
Joseph Cook: Yeah, very standard, uh, overview there of, of how the, you know, [00:04:00] employee layout is gonna be within a manufacturing firm. Very much, it's, it's gonna be on the production side is where the payroll is gonna skew, right. Uh, you, you talked about higher tech manufacturing, CNC machines, and I think that's a little bit prescient to this story as well.
So the, the widget side, the, the rubber and metal gasket bolt side, that is CNC based. So those are IoT devices. Whereas you can imagine the cutting of the foam is not CNC based. That is manual labor. Right. Uh, so, so not as high tech manufacturing, if you will. And, and that's prescient in this way. So, uh, the subsidiary entity was the entity that ended up having the cyber breach event now.
Max Clark: wait, before we get into that,
Joseph Cook: Yeah, yeah.
Max Clark: the pro, I don't wanna say the problem, but, um, and I'm, I'm curious for your feedback on this and what you experience, right? 'cause you're, you're helping companies ac acquire insurance,
Joseph Cook: [00:05:00] Right,
Max Clark: We, we help people acquire technology. You help people acquire insurance, so you have a similar conversation with a similar company.
Joseph Cook: right.
Max Clark: a lot of times, especially in the non-tech spaces, people will say, oh, we're not doing anything that we need cyber insurance for. We're not at risk. We're not a
Joseph Cook: Yeah.
Max Clark: You know, like, you hear these, you hear these statements all the time. And for me it's like, well, if you're connected to the internet and you have email, you're a target.
Like, like you, sorry. You're just there. And, and, um, I. You know, without throwing anybody under the bus too much. Like, how much of that applies here in terms of, you know, what sort of base infrastructure do they have, or protections do they have in place around this? You know, were they on the, like, got some, maybe we've seen this happen to our friends, we've got more, or like, you know, how, how do they, how do they approach this before?
Joseph Cook: Yeah. Yeah. So they have a, a relatively [00:06:00] limited, uh, IT budget, uh, it, it is outsourced, but it is probably not, uh, as robust as a spend could be for a company of that size, let's put it right. Um, interestingly enough, you, you know, and I, I think maybe I'll, I'll. Back up a little bit and, and share the high level structure of what a cyber liability policy is based on you, you know, where you were going with it.
Um, you, you see people have a sensitivity if, if they feel that they're more connected to the internet, if they feel like they use the internet more to generate revenue, right? So, so a cyber liability policy at its core is three components. There's a first party component, so you're the named insured.
We'll use our firm as the example so we don't have to name anybody else, right? So if Arizona Group is the named insured on the on cyber policy, first party coverage agreements are those that would provide dollars to the Arizona group for costs that they would incur [00:07:00] as a result of a cyber breach event.
So things like lack of ability to generate income because we can't access our network, reputational harm.
Max Clark: Mm-hmm.
Joseph Cook: The story went out on channel three that we were breached, so on and so forth, right? So first party is, is protecting, or, or, or, you know, indemnifying, the named insured policyholder for costs that they would incur as a result of that breach.
Then third party is, is the protection or indemnification for those organizations that you interact with. It could be a material supplier, it could be a, a vendor of a SaaS product, it could be a financial institution, uh, so on and so forth. It could be all three of these things, right? So in the event that the breach originates in your house, but somehow affects them or impacts them negatively, um, and you are held liable for that, that's where that third party component kicks in.
So, so you see more sensitivity around those two issues. And while those have [00:08:00] a, a severity component, right? If, if you're seeing a loss that impacts those coverage agreements, it's more likely to be a large loss. Here's where I feel like a lot of people lack the sensitivity and take the miss. So the third component is cyber crime.
So this is the digital movement of money, right? Whether you are a, a very sophisticated tech business or not, or whether you're cutting sheets of foam with a razor blade in 2025, somebody in, in your organization uses a computer to pay bills, right?
Max Clark: Yep. Yep.
Joseph Cook: So you can be the least technical company on earth, but somebody, at least one person in your organization uses the computer to pay bills.
And if that's the case, that's where I feel like there's a lot of miss here and a lot of lack of sensitivity where there should be sensitivity. So, so, you know, invoice manipulation, phishing. Fraudulent inducement, any of your [00:09:00] social engineering type attacks are what you're looking to, to, uh, cyber crime for coverage on.
Right. So, so that was the case here. Um, just like any other manufacturer, technical or non-technical, the subsidiary entity that cuts the foam, they order large batches of foam, and then their main supplier had an invoice spoofed by a bad actor, and they paid the bad actor the spoofed invoice.
Max Clark: Oh, okay. Not great. Okay. So, um, let's, let's, okay, let's back up a second. Let's talk
Joseph Cook: sure.
Max Clark: that, what that attack looks like in practice, right.
Joseph Cook: Yeah.
Max Clark: right. You know,
Joseph Cook: Yep,
Max Clark: It, it, I mean, it is an attack, right? So
Joseph Cook: yep,
Max Clark: how do these start? You know, you, you, you, you rattle off a, you know, a few different, like social engineering attacks, right?
But we can, we can talk about those
Joseph Cook: yep.
Max Clark: but it all comes back to the same thing, which I, I think is pretty basic. Right.
Joseph Cook: [00:10:00] Yeah, so you, you know, many times you're, you're looking at business email compromise, right? So, so you, you've got, uh, an
Max Clark: the
Joseph Cook: accurate
Max Clark: can we just talk about how I love the acronyms in tech and cybersecurity specifically, and now it's business email compromise is BEC, which sounds like something your cat does when it's coughing up a hairball. It's kind of going,
Joseph Cook: It does, I'll let you know, I resisted the urge to say LOLBAS. Um, so, so I was trying to not, uh, go into living-off-the-land binaries and scripts, right?
Max Clark: I'm, I'm in a spicy mood this morning apparently. 'cause I wanted to do my cat, my cat impression. Right. But I can't help it, you know? Anyway. Sorry. Sorry.
Joseph Cook: No, no, you're fine. Right. So, so LOLBAS being a very elegant attack. Right? But I think in these cases it's more of a BEC, a business email compromise type approach. So, so somebody's sitting in the network, they're sitting in the email, and, and they're waiting for an opportunity to strike. This could be, uh, [00:11:00] you know, a known time of the month when invoices are, are coming in or being exchanged for recurring orders, like your main, you know, material from your main supplier.
It could be when, uh, an executive who normally handles something is on vacation and maybe there's an opportunity to, to fool someone, Hey, I'm, I'm in the Caymans and I need a gift card. Send it over here, kind of thing, right? Like business.
Max Clark: All. And you said, you said a couple things that are also really important, and I want to come back to a little bit down the road, which was, you know, they could be on the network, they could be in your email. You know, this is something where maybe a compromise has, has happened in and they've done some profiling and they know, it's like, okay, you know, here's suppliers and here's timeline and they're gonna develop a little intelligence.
And by the way, this isn't from the standpoint of like, I need to be in your email for 60, 90 days. This could just be like, I'm getting into your email and I can just [00:12:00] read back 60, 90 days and just look for patterns and things. Right.
Joseph Cook: Of course. Yeah. And, and you know, I think it's, it's important to, I, I know this has been mentioned in, in many, you know, uh, conversations, but it, it should continue to be mentioned. They are criminals. They're not stupid.
Max Clark: They're, they're really good at their job.
Joseph Cook: Right, right. Like, yes, it is illegal. Yes, it is unethical. Yes, it is immoral. Uh, but they are good at it and it is a business model, right? So,
Max Clark: Okay.
Joseph Cook: yeah,
Max Clark: I, I feel like we're gonna jump forward and backwards a little bit, which is fine. Right. So, um, I want to, I want to, I wanna re come, remind me, I wanna come back to how email was compromised, but let's talk about the attack and the attack unfolding, right? Which is,
Joseph Cook: sure.
Max Clark: this is a, they're in the email and they see this vulnerability and what happens.
Joseph Cook: So, [00:13:00] so essentially they, you know, decided that they thought the, the office manager who usually pushes the button on bills was someone that they could target.
Max Clark: Mm-hmm.
Joseph Cook: They had, you know, discovered enough intelligence to say, okay, this is clearly the main supplier of the foam. They, they make a regular order every month.
The order is somewhere in this bandwidth, depending on, you know, needs for the month, but it's pretty tight within a 10 to 15% range.
Max Clark: Mm-hmm.
Joseph Cook: This is what their invoice looks like. This is where they normally send payment, so on and so forth. So they spoofed up a pretty good looking invoice. And as you can imagine, one of the only things that changed was where to send the money, right?
Um, it was a, it was a regular type amount. It was, it was the right logo, it was the right format, all of the above. And the office manager pushed play on that payment and sent $64,000 to the wrong person.
Max Clark: [00:14:00] How I feel so bad for this person. Um, and by the way, this, uh, this is not unusual. Like, like this, this is not like, I think for anybody, if you're listening to this or you're watching this, right? Like this is not, this isn't a, this is every day. It happens every day. Right?
Joseph Cook: Yeah.
Max Clark: so frustrating about, it's like every day this is happening to somebody, I feel really bad for this person.
Okay, $64,000 out to the wrong place.
Joseph Cook: Yep.
Max Clark: What happens next?
Joseph Cook: So you're, you're gonna look to, you know, an order of operations, if you will, as, as how you're gonna try to,
Max Clark: Well, how long did it take them before they even realize that $64,000 went to the wrong place?
Joseph Cook: they, they figured it out pretty quick. Uh, they figured it out within 48 hours, right?
Max Clark: fast. Yeah.
Joseph Cook: Which is fairly fast, but in, in the notion of trying to claw those funds back, it [00:15:00] may be a little slow, right? So you, you go through an order of operations in these, these events and unfortunately there's, there's been a shift because of the amount of activity in one of those order of operations.
So I'll, I'll share that when I get there. Obviously, if you can claw that money back and just make yourself whole by clawing the money back, that's your, your first practice. Yep. Yep. So if that's, that's available to you, you can catch it in time, you can claw the money back, stop payment, whatever it may be.
Obviously that's the most ideal outcome. Well, if that's not the case, the money is, is now gone. The, the next step is you're, you're gonna want to talk to your financial institution right now. This is where the shift has started to happen. And this is because you, you, you know, you know, as well as I do, a lot of, of, of cyber breach events are self-reported right now.
So it's, it's hard to, to gain, you know, real insight as to how many people are affected or to what scale. But estimations in 2023 were that 80% of small [00:16:00] businesses had some sort of social engineering attack during
Max Clark: wait.
Joseph Cook: 2020.
Max Clark: stat.
Joseph Cook: Yep. Yep.
Max Clark: and just repeat it one more time for me. So in
Joseph Cook: That, that
Max Clark: what percentage of small businesses had
Joseph Cook: 80% had a social engineering event in 2023. So this is very common, and again, that's why I say, you know, the, the cyber crime piece is where I feel like there's not as much sensitivity as there should be and where people are taking a miss because they think, oh, I'm not a, a techie company. Right. Uh, you still pay this.
So, so you've got this financial institution perspective because of the frequency that where they used to say, okay, we will give you the funds back and we'll probably make you sign up for some sort of fraud training and we'll probably make you approve all your payments daily for the next six months kind of thing.
But we will give you $64,000 back. That's mostly going away. So now they're saying, alright, we will try to help you claw the money back, but if we can't [00:17:00] claw the money back within 30 days, you're on your own. Or if we can't claw back within 60 days, you're on your own and the money's gone. So in this instance, they waited the timeline to see if the FI could claw the money back.
The FI was unsuccessful in clawing the money back. And so now you're on your own. The 64,000 is not coming back. So the next order of operations is, do we have any sort of insurance policy, like the cyber liability policy that that could help us here? That could, you know, subject to a deductible, reimburse us the rest of the funds.
So our loss is really the deductible at this point, rather than the full 64,000. Right. Well, that's where this story is, is a little bit interesting and has a little bit of a twist. So because the parent company, the larger company is, you know, IoT devices, CNC machines, it's a larger operation. The parent company did have a cyber liability policy.
Max Clark: Hmm.
Joseph Cook: The subsidiary entity, because it was a smaller entity, a startup entity, [00:18:00] non-technical manufacturing, non-IoT, did not have a policy. But if, if you've been doing this for a while, like I have, one of the things you know is that within every insurance policy, not just cyber liability insurance policies, there are clauses as to whether or not subsidiaries can qualify for coverage and under what context or circumstances.
Max Clark: Mm-hmm.
Joseph Cook: So in this case, we were able to use that subsidiary clause to find coverage. For the subsidiary entity, even though it did not have a primary policy. So is that good news in this, this anecdote? That's good news in this anecdote. Should the subsidiary entity have its own policy? Yes, it absolutely should.
Because as I read you some of these verbiages, if you'd like, right? You'll see quickly that clause is not gonna save most people, most of the time. We got a little lucky here, right?
Max Clark: Y you know, not to like disparage insurance, but insurance companies [00:19:00] make money by not paying out money. Right? Like the more money you pay out, like a hurricane comes through Florida.
Joseph Cook: Yeah.
Max Clark: business with an insurance carrier that has any exposure to, to hurricane in Florida, gonna get an email that says basically like, oh, like X, Y, and Z is now happening as a result of this nationwide. Um,
Joseph Cook: So. I, I wanna, I wanna address that real quick 'cause that, that's just not how insurance companies make money, right? Insurance companies are very, very low margin companies, and I'll explain that. They make money by, by investments and, and by volume into investments. They do not make money collecting policy premium.
Many times they lose money collecting policy premium. So, so when you look at any insurance carrier, the, the way they, you know, iterate how successful they are is what they would call a combined ratio. So a combined ratio is fixed expenses plus claims [00:20:00] dollars paid out, divided by premiums collected, right?
So, so your fixed expenses, you know what those are, those are your payroll, your bi, your billing overhead, all that stuff. The thing you don't know each and every year is what claims dollars you'll pay out.
Max Clark: Mm-hmm.
Joseph Cook: You know, you're essentially running a, a business without knowing what your COGS are, which is a challenge, right?
Um. So, so a successful insurance company, if an insurance company had an awesome year, right, where they were considered to be a very profitable company, they would run a 93, 94, 95% combined ratio, which means their margin was five to seven cents on every dollar. It's not a high margin industry. They do not make money simply by collecting premiums.
The way they make money is all those five and six and seven cents that they collect from hundreds of thousands of clients. That total out to a good sum of money, gets invested,
Max Clark: Mm-hmm.
Joseph Cook: and the interest on that large investment is, is where the profit comes from. They don't make money [00:21:00] by solely collecting premiums.
Max Clark: Well, not solely collecting premiums, right, but
Joseph Cook: Yeah.
Max Clark: understand what your loss ratio is, or what your payout ratio then affects that number pretty significantly, right? And
Joseph Cook: It does. And so, you know, if you look at like, say auto for example, everybody's feeling stress on their auto, whether it's personal auto or commercial auto. The reason people are feeling stressed is because a lot of carriers, if you isolate the auto line, have been running 125% combined ratios. So they're losing 25 cents on every dollar.
And when something like that happens, insurance companies have three, three tools they can really use. Right. And I think this is where, where you're driving at, and I wanna tie it with a bow at the end here. So when insurance companies are experiencing a lack of profitability, and like it or not, they are for-profit entities.
So if you have an issue with them being for-profit entities, that, that's a moral and, like, systemic issue. But currently, right, they are for-profit entities, so they're gonna operate that way. So, so they have three tools they can [00:22:00] use. They can either, A, raise prices, and we see this all the time right now. They can't just raise prices ad hoc, you know, they, there are regulations nationally and by state.
So Arizona is a use and file state, meaning you have to file something with the Department of Insurance, it has to be approved, and then once it's approved by the Department of Insurance, you can use it. So, quick sidebar, if, if you look at the struggling California insurance market, right? The, the reason for that primarily is there has not been a rate refile approved in that state since 2018, which means you're, you're asking insurance carriers to sell policies for 2025 exposures at 2018 rates.
If you run a business right now, imagine if someone was legally compelling you to charge your customers your 2018 price in '25, how incentivized would you be to operate in that arena? Pretty low incentivization, right? So they, they can raise prices, but it, but it's not ad hoc, they can't just do whatever they want.
If, if they get [00:23:00] the, the filed rate. Increase, they will raise the prices per their actuary algorithms. The next thing that they can do is they can say, okay, our terms and conditions, what's in the policy? The legalese. Maybe we're overexposed by giving too much away in the legalese, so we need to change the legalese that we're not overexposed.
So they can do that. They can change T&C. Conversely, if they wanted to be more competitive in a marketplace, they could make the legalese better, more, more, you know, advantageous to the customer to try to gain market share. So they do it both ways, right? And then finally they can say, okay, certain industries are causing us a lot of exposure.
So on, on cyber crime, right? Maybe we're not gonna write accountants anymore. Because accountants pay bills for other people, right? So, so there's certainly things where they say, okay, we're really getting killed in an industry vertical or two. That doesn't mean we don't wanna write cyber anymore and we don't wanna raise our price.
'cause we feel like our price is good for 80 [00:24:00] or 90% of our customer base. But the 10% of our customer base that is killing us on losses, we can't afford to let them access this product at this price anymore. It's just not gonna sustain it.
Max Clark: So I've seen a lot of insurance renewals for cyber
Joseph Cook: Yep.
Max Clark: and require tooling and attestation around tooling and attestation around, you know, program.
Joseph Cook: Yep.
Max Clark: factor to, into all this?
Joseph Cook: Yeah. Yeah. So, cyber liability, relatively young product, uh, in, in the market. You know, depending on who you ask, it was '98 or '99 when the first product came out. The real, real product that we see today. There was a, an electronic data compromise, an EDC, product that came out in the, er, early nineties, late eighties, but that is a different product.
So anyway, um, being such a young product for a long time, it functioned in a very artificial marketplace. There was no underwriting, not because they didn't want to, because they didn't have any data to even set up any meaningful underwriting.
Max Clark: [00:25:00] Mm-hmm.
Joseph Cook: you, you have this process of essentially, are you a company?
Do you draw breath, or have a pulse? Here, here's a cyber liability policy for $1,500. And,
Max Clark: Right?
Joseph Cook: and some of that was them trying to gain enough market share to get real data, to create real underwriting. That takes time, right? It's not something that can happen overnight. So, so between the, the time lapse component, and then of course we had a, a massive event in 2020 that that caused a massive shift towards work from home that many companies were not ready for, from a cybersecurity or IT perspective, which caused a massive influx of breach events and ransomware events and, and anything you can think of, right.
That also what was kind of a catalyst for enhanced underwriting. When we, when we first came outta Covid, you, you know, a couple years later that [00:26:00] enhanced underwriting, the questions were written as if they were sophisticated, but the, the people that were reviewing the questions didn't really know what they were asking.
So there was a lot of frustration for a good 12, 18 month period where you would have people fill out applications and then get really ridiculous questions. So I'll give you a great example. One of my clients is FedRAMP certified.
Max Clark: Okay. Big deal.
Joseph Cook: Yes. So FedRAMP is, you know, like a hundred more controls than SOC 2, right?
That as a compliance framework is pretty intense, right? So we send, in this application, it says we're FedRAMP certified. We get a question back from an underwriter, do they use MFA? We're like,
Max Clark: Yes. Yes. They used MFA. Yeah.
Joseph Cook: and many other things, right? Uh, they are safer than most companies out there, right?
Max Clark: know what [00:27:00] you're talking about without telling me you don't know what you're talking
Joseph Cook: Exactly. So this was like the, this was very much a friction point for a period of time because you had these applications that were getting lengthier, and it's not as if the questions were unfair. They, they were fair questions in many contexts, but the people that were underwriting them were not as educated as they should have been.
Right. So you had frustrated customers, you had frustrated folks like yourself in the IT brokerage space or the MSP or MSSP space. I feel like we're finally getting to a point where there's enough expertise on the insurance underwriting side that they actually understand a little bit what they're asking now.
Max Clark: Yep.
Joseph Cook: now, now to your point, you, you know, they're wanting controls potentially depending on the carrier. They're wanting attestations, and those attestations are usually specific to tools. They're not, you know, holistic or enterprise or anything like that. Yes. There are controls that they're, they're looking for people to have, uh, you know, that is something where.
I [00:28:00] think if you looked at those controls and you looked at attack vectors today, they're usually a pretty good heat map that overlaps, right? They're, they're sensitive to the issues that are causing a lot of the problems, and they're hoping that you have some basic controls to, to stave off those problems.
Now, they'll, they'll be flexible based on what is, is realistic for an entity of your size, right? So example, if you're an organization under 10 employees, in many cases, having Defender would be considered a firewall for an organization under 10 employees because they, they get, you're not gonna go out and get a next gen firewall with four people, right?
Like, that's just not a cost you're gonna include. So there is some realistic flexibility at this point based on size of organization. As far as attestations, that's relatively limited right now. There are carriers that use those, those, you know, they, they become a point of contention in the sense that.
There they can be used punitively. And there's, there's one landmark case where they were [00:29:00] used punitively, and that's the only one that exists still. And that was years ago, uh, three years ago, I think at this point. That was a 150 or so, uh, manufacturing company in, in the Midwest. Uh, they had attested to Travelers that they had MFA deployed.
They did not, uh, the breach was a result of lack of MFA and the claim was, was ultimately denied. And that was upheld by a court in, in that, their local jurisdiction. But that's the,
Max Clark: I mean,
Joseph Cook: yeah,
Max Clark: but that, that creates, right, that becomes another risk vector for a company, which is, oh, we think we've got a security mail gateway in place. But it turned out we didn't turn it on.
Joseph Cook: yeah.
Max Clark: or
Joseph Cook: Yep, yep. Yeah.
Max Clark: removed configuration, or we, there was misconfiguration or, you know, we're doing security awareness training, but we weren't, or we were doing this, but we weren't, you know, like
Joseph Cook: Yeah. So.
Max Clark: for everything but these 10 accounts and one of those 10 accounts got exploited, right?
Like.
Joseph Cook: Let me tie it back to how the policy functions, right? So within any policy, and this is [00:30:00] not specific to cyber liability, this is any liability policy that that exists. There's a statement in there. It'll be called a representation clause or a warranties clause. Different companies call different things, but it's one of those two things, right?
Essentially that's a statement in the policy legalese that says, we as the insurance carrier received information from you and and your representatives to your broker, and we took that information to generate your policy, terms, conditions, the limits that we offered you, the deductibles we offered you, the price that we offered you, all these things in the event that we find out, whether it be at time of loss or not at time of loss, that some of those things may have been untrue.
Here's how we're going to react. So, so to me, when we're talking about cyber liability specifically, I. Having awareness of your representations or warranty clause and, and how advantageous they are to the customer versus how non advantageous they are to the customer
Max Clark: Mm-hmm.
Joseph Cook: important when you're buying that insurance right now.
And then know [00:31:00] that when you are signing an attestation, the way that works, so there's a low form you sign, right? That attestation gets built into the policy right next to the representation of warranties clause. That's where that goes. So in the event that you're not signing any of them, you're just dealing with that clause as is.
But in the event that you sign an attestation, that's where it morphs into the policy. It gets it seated right next to that reps and warranties clause. So I'll give you a couple of examples and, and you can see quickly the, the spectrum of these, these reps and warranties clauses. So to me, there, there's a provider out there that I would consider on a, on a podium type temp arrangement.
The gold provider and their rep and warranties clause is actually called innocent non-disclosure. And it's, it's one sentence and it says, unless we can prove that the non-disclosure or misinformation was reckless or deliberate on your part
Max Clark: Mm-hmm.
Joseph Cook: and you know that it, you knew that it would harm us. We [00:32:00] cannot seek to deny your claim.
Max Clark: Right. So you're proving fraud basically as the standard for, for, okay.
Joseph Cook: That is very advantageous to the customer because the sys, you know, the, the, the examples you just described of, we thought we had, you know, an email monitoring tool turned on and we didn't, that may not have been reckless or deliberate. You may have genuinely thought that you may have an email from your outside it.
Yep. It's turned on. And who are you as the COO of a manufacturing company to disagree with your IT guy as to whether or not the email filtering is turned off. Right.
Max Clark: right.
Joseph Cook: So that to me is very advantageous. A, be because it leans customer, but b, it leans customer in such a broad and vague way. That it, it remains advantageous in the dynamic environment of cyber risk where you're going to be changing tools where VA vectors are gonna change of attack.
It doesn't pin you down to certain things. It basically just says, unless it was you being really reckless and deliberate and lying to us on [00:33:00] purpose to try to compel us to pay a claim that we otherwise shouldn't have paid, we cannot even seek to deny your claim. We just pay your claim. That is, that is fantastic.
Conversely, there are reps and warranties clauses that exist that will say something to the effect of, in the event that, you know, it was you or your broker or any other party we talk to at any time that was representing you or had agency for you, uh, and, and you know, it was not reckless or deliberate, but it still remains untrue, we can void your policy abio.
So at its inception, we'll return the premium to you, but we owe you none of the duties under this policy.
So. I tell you that, to, to tie this all up in a bow, like I told you I would, there's a lot of fearmongering around insurance companies and whether or not they're gonna pay claims and legalese and all these different things, and insurance policy is a contract. It is not [00:34:00] weird for insurance carriers have contracts.
Every business industry uses contracts. That, that is such a, a weird thing to, to try to scapegoat insurance for, right? Like, oh, they had a contract and they used the verbiage of the contract, right? Like everyone does that. The, the, the bow I'm, I'm putting on this here is when you're looking at a quote or a set of quotes and one quote is $1,700 and another quote is $3,500.
The reason for that may be that the $1,700 quote has the reps and warranties clause that allows 'em to void your policy at an issue at the drop of a hat. After
Max Clark: Mm-hmm.
Joseph Cook: 34, 30 $500 quote may have the innocent non-disclosure clause premium. While not a perfect system is, is the tangible representation of the risk that the carrier thinks that they're sharing with you.
So if, if the premium is very low, [00:35:00] that's them communicating that the contract is gonna say they share very little risk with you,
Max Clark: Right.
Joseph Cook: right? And if the premium is high, that's them communicating. We feel like we're sharing a pretty good amount of risk with you.
Max Clark: Mm-hmm.
Joseph Cook: And then again, I, I think it's a little bit interesting, you know, all, all for-profit business models, if we said, okay, we're gonna loan you a million dollars, or potentially loan you a million dollars, and we'd like $5,000 as interest on that potential loan that we may have to give you per a set of terms and conditions.
Any small private business owner would consider that $5,000 of interest, to be fair on a million dollar potential loan.
Max Clark: Right,
Joseph Cook: That's what insurance is,
Max Clark: right.
Joseph Cook: right?
Max Clark: So in this case, subsidiary, not technical, didn't have it
Joseph Cook: Yep.
Max Clark: technical or, or perceived technical [00:36:00] enough, right. Where they had it.
Joseph Cook: Warrant.
Max Clark: they had,
Joseph Cook: Yep.
Max Clark: they had C and C machines with OT and there's a bunch of other stuff. And the understanding, like the damage that would actually do, you know, put them in a position where they ended up with this policy. And, and, and to your example. Fortunately, the sub ends up being covered by the parent because of the relationship, um, from, I, I guess, I guess from like breach discovery to Okay, we actually have coverage, how much time has lapsed for this business?
Joseph Cook: Uh, we're inside of 90 days,
Max Clark: Mm-hmm.
Joseph Cook: uh, through the whole process between the, the time it happened, the fi doing their investigation, and potentially, you know, trying to claw back money. Of course, unsuccessful in this case, all the way to talking to us, going through our order of operations, filing claims, all that good stuff.
Were inside in 90 days.
Max Clark: Okay. And then on that, [00:37:00] so we'll just, we'll be very like, specific here. So on that $64,000 loss,
Joseph Cook: Mm-hmm.
Max Clark: much was covered? Mm-hmm.
Joseph Cook: So, so they had a limit on the parent policy of $250,000, subject to a deductible of $10,000. So they pay the 10,000 and the remainder is covered. So yes, you know, they still technically are out $10,000, but they're not out.
Max Clark: less than 64. Yeah.
Joseph Cook: Yeah, yeah,
Max Clark: Um, what kind of, now this one is relatively straightforward. You we, we compromised your email. We tricked somebody into sending money to a PlayStation, have sent money, money went out the door. What kind of post event investigation, remediation was pushed onto this company? I mean, did insurance come and say, Hey, we want, you know, incident response, we want forensics, we want an evaluation. they not? what, what actually happened here?
Joseph Cook: sure. So, so the, the IT provider that they [00:38:00] used performed forensic it to the best of their ability, uh, at the early stages. And at that time, insurance, you know, no client claim had been filed. So insurance had not miss anything out. Uh, but yes, if you're asking how the insurance is gonna function, the answer is when an insurance company is made aware that there's a cyber breach and there's a cyber liability policy.
They will absolutely want forensic it to be part of that. And that is part of your contract. Just like many other liability policy types, they have kind of copied you, you know, a a, an idea that is not novel in insurance, but now placed it onto cyber liability policies. So, uh, I'll give an example. The EEOC right?
The Equal Employment Opportunities Commission, that's existed for a long time. There's been a policy that you can buy to protect your entity called Employment Practices Liability for a long time. When you buy an EPLI policy, because that's an old coverage and established coverage you get generally through most of the reputable [00:39:00] providers access to a national or regional EPLI specialist law firm
Max Clark: Mm-hmm.
Joseph Cook: that will either give you a, a, an amount of time for free or unlimited amount of time be.
And, and the reason for that is it's cheaper for the insurance company to pay a national law firm on a retainer. And not pay claims when they shouldn't have to pay claims than it is to just pay nuisance claims. Right? So it's value added service and the vested interest to protect the client, but also to not pay claims if there's not fault or liability on behalf of the client.
So same thing here with, with breach events being so common now and, and with figuring out what happened when it happened, how it happened, who did it, all these things being very prescient to whether or not the insurance company should or should not pay that claim
Max Clark: Mm-hmm.
Joseph Cook: whether or not there is or is not liability on behalf of the client.
Right? Um, they have retained forensic IT firms regionally or nationally based on the carrier and [00:40:00] that's who they use as a master service provider to come out and do that. Forensic it as part of claim response.
Max Clark: Now money going out the door, different investigation, different remediation, right? Like this is email was compromised. How
Joseph Cook: Yep.
Max Clark: How do we resolve the compromise? You know, are there changes that we need to put in place to prevent this type of compromise in the future? Which is, you know, I mean, look, look right, you know, people will say it's technology, but I'm sure there's a decent amount of process and, and training and people, things that changed as well as a result of this.
I don't know how much of that you can talk about, but, um, when we, if we shifted gears and dip our toes into ransomware, right? The
Joseph Cook: Sure,
Max Clark: incident response in forensics changes a little bit, right? Because now you're talking about like. A completely different can of worms. Right.
Joseph Cook: yeah. Yeah. So I, I have a, a different client that I can, you know, give you a high level overview of a story [00:41:00] on with the ransomware. And it was a amazing story in how successful they were in not paying the ransomware and how fast they were back up and operating. Um, this is also a local Phoenix company, gross revenues 30, 35 million annually.
They're a thin client, zero client manufacturer.
Max Clark: them. Good for them.
Joseph Cook: Yeah. So,
Max Clark: made a big difference in, in their recovery. Yeah.
Joseph Cook: yeah. Yeah. So they, they manufacture thin clients, you know, zero clients, they do custom operating systems, whether it's macOS, Lennox, windows, whatever it may be. So it was President's Day, uh, I believe three years ago now. They had a skeleton crew in the office
Max Clark: Always.
Joseph Cook: because it's a holiday.
Right. And, and, you know, holidays are pretty infamous back days.
Max Clark: again, professionals,
Joseph Cook: Yep,
Max Clark: what they're doing
Joseph Cook: they do.
Max Clark: it's tested, right? There's this,
Joseph Cook: Yep.
Max Clark: process to ex exert maximum pain and leverage on you.
Joseph Cook: Exactly. Yep. They, they know that, you know, that the director of it is probably [00:42:00] on a, a boat somewhere and Cabo. Right. He's not there for s day, all this good stuff. So, uh, the, the dreaded power cycling starts
Max Clark: Oh
Joseph Cook: right on all, all the units and, uh, pops a message, you know, pay us. Such and such amount. The initial ask was 800,000 and you know, there there's,
Max Clark: and by the way, just as a little aside, by the time this Ransom is, is launched, they usually understand how much revenue you have and are sizing the demand based on what's the maximum likely payment they can get outta you based on paying. They can exert like going to a $30 million company and say, we want 800 grand.
I mean, they're not
Joseph Cook: yeah.
Max Clark: for $30 million. You have the ability to write a check for 800 grand probably. Right? Like
Joseph Cook: Lemme put a point on it for you.
Max Clark: Yeah.
Joseph Cook: Yeah. Yeah. So they're, they're very much to the point of if they can, you know, breach wherever they breach and then move vertically or horizontally over to like a CFO's computer and [00:43:00] they can pull up a p and l or a balance sheet or something that shows cash on hand suspiciously.
The ask looks very similar on hand. Right. If you put those two numbers together, they're very similar numbers. Sometimes the same number.
Max Clark: so
Joseph Cook: Yeah, yeah. Weird, right? Um, so, you know, this, this company thankfully, has excellent cybersecurity practices. Internally.
Max Clark: Mm-hmm.
Joseph Cook: They have a, a strong relationship with the local MSP that does a good job and they have a strong relationship with us, and, and they have a very good cyber liability insurance policy.
So between all of the, the minds, right, between all the efforts they've made, pre ransomware
Max Clark: Mm-hmm.
Joseph Cook: all the efforts made by all the parties to, to help them with forensic it, to evict, to utilize their backup, so on and so forth. They had fully evicted and not paid the ransomware and were back up and [00:44:00] running inside of 72.
Max Clark: It's, it's such a example of why a little, like an ounce of prevention is just worth so much here. Right? Because. Having, having basic things in place, like proper backups, immutable backups, you know, the ability to source, you know, like, you know, I was having this conversation the other day and it's like, a breach is gonna happen statistically.
It's just gonna happen. The difference is whether or not you can identify it, how long it takes to identify and can you clearly identify when and why and how,
Joseph Cook: Mm-hmm.
Max Clark: far back you have to go to be safe. Right? And, able to say, Hey, look, you know, know the breach took place at, you know, 7:42 PM on last Thursday, and let's just go back to the backup on Wednesday.
You know, and, and we're not recovering, you know, like it, it's such a huge difference for an organization.
Joseph Cook: So I, I was on a podcast just, just earlier this month with some folks from [00:45:00] Iron Mountain and we were talking about the same, you know, claim example with the same client. And while, while they had triple redundancy on backups, including I renewable, that, that's fantastic. But one of the things that we felt set this particular client apart in this instance was they didn't just have the backups.
They regularly tested the accessibility and viability of the backups,
Max Clark: Such a big deal.
Joseph Cook: right?
Max Clark: deal.
Joseph Cook: Like.
Max Clark: a basic thing. It's not, the backup actually work?
Joseph Cook: Yes. Yes. So, you know, you, you hear a lot of people get really fluffy and really excited because they have, you know, double redundancy or triple redundancy and they've got this in the cloud or whatever, but they haven't tested the viability or accessibility of that backup in three years.
Max Clark: Ugh. And, and by the way, it's not even, does the backup work or does the data work, it's like how long does it take you to pull the data back down from wherever you put it to recover it? Right? You're like,
Joseph Cook: Yes,
Max Clark: oh, you've got this small pipe and you gotta pull down, you know, X amount of terabytes of [00:46:00] data. You know?
Okay, great. That recovery's gonna take you, you know, four days and download, you know, like,
Joseph Cook: yes, yes.
Max Clark: what? You know, like.
Joseph Cook: Yep. And you know, in, in our conversation, you know, the next next point we made was, this is a great use case for 5G because if you had access to 5G and you had three terabytes of data, the speed at which you can recover is very different then 4G.
Max Clark: yeah, in my, in my case, in my world, I tell everybody, if you don't have 10 gig to your office, like what are you doing at this point? You know, like
Joseph Cook: Sure.
Max Clark: it's now, you know, like, I get it. You know, not everybody wants to write that check, but, you know, it's not that expensive. It's so, you know, like, it's a very, you know, I mean the, the price to put 10 gig in somebody's office at this point is what a T one cost when I was starting, you know, in it like, let's be real here.
You know, your people were paying, you know, for one and a half Meg, what? You could get 10 gig at this point for now. So like, it's, it's, anyways, I don't want, I
Joseph Cook: And the point you just made though is, [00:47:00] is so important to both of our industries and, and many industries that work in trying to help businesses prevent, prepare, all, all these things, right? Take risk off the balance sheet, so on and so forth, is that many private businesses can afford the cost of 10 gig to the office.
It's extra per month, but you can't afford, many private businesses can't afford a cyber liability policy. Is it a little extra per month? Yes, it is. Do you know what most private or small enterprises can't afford? $800,000 in ransomware,
Max Clark: Yeah.
Joseph Cook: right? Many private, small enterprises have a little extra money per month to to speak to prevention, to speak to protection, all these different things. They don't have boatloads of cash to survive a a disaster
Max Clark: so many people are still like in this mindset of like, I'm not a target. It's not gonna happen to me. I, I'm not at risk, I'm not. Interesting. I'm not a bank, I'm not a defense [00:48:00] contractor. Hmm. Yeah. I
Joseph Cook: security.
Max Clark: but like, um, y you know, and it's, it's hard, it's hard to, it's hard to convince some, you know, like talk somebody out of like, like a, a, a belief that just isn't grounded in any sort of truth or reality.
Right? Like, you're, like, the world is flat. You're like, no, it's not, it's round. You know? And like, well, no, it's flat. You know, and like, I'm not a target, you know? Like, how do you, how do you, how do you help somebody like get over that line of like, no, you've got a computer. Like, sorry, like this is just it.
Mm-hmm.
Joseph Cook: Yeah, I mean, there's, there's a certain amount of people that you're just not gonna help right there. There's, there's no amount of talking or, or creative thinking that you could apply that's gonna bring them over that fence. But I think, you know, the best thing that you can do for those people that potentially could be helped is, is help them, you know, understand and consider [00:49:00] risks that they may not have otherwise considered.
So, I'll give you an example. One of my largest clients is a landscaping company. And they technically call themselves vegetation management because they do right, right of way clearance for the largest power company here in Arizona. So essentially they, they go out to all the land in the state of Arizona that is owned by that very large power company
Max Clark: Mm-hmm.
Joseph Cook: and they make sure that all of their equipment is not exposed to overgrown vegetation.
Max Clark: Right. So immediately like number one concern for insurance is workers' comp and, and injury. Right.
Joseph Cook: You're, you're thinking, you know, the classic big three, right? General liability auto work comp. Right. But, but here's where, where I'm going with this. They have a fleet that's approaching a hundred vehicles and in that fleet, inside of every truck, they have a tablet for each employee.
Max Clark: Dispatch job notes,
Joseph Cook: All good
Max Clark: CRM
Joseph Cook: stuff.
Max Clark: like all this stuff. Yep.
Joseph Cook: Checking [00:50:00] off that you put your PPE on that, your DID vehicle inspection, all the goodies right? If they're going to remote and rural places in Arizona to do right of way clearance on vegetation on behalf of a power company, whose network are they on using net tablet.
Max Clark: I, I mean, it depends. That's, that's, I mean, that's interesting, right? I guess it depends. Cellular is not available everywhere, so it's probably not exclusively cellular access. Right.
Joseph Cook: So all of a sudden,
Max Clark: company is the power companies network, you know, and, and probably in a lot of places people don't realize this, but power companies run fiber along their utility poles and run their own networks to their stations in the middle of nowhere, so they have access to it, you know?
Joseph Cook: yep. So here you are on a company issue tablet.
Max Clark: I see where you're going with this. Yeah. Yeah. Yeah.
Joseph Cook: Yeah. I put my, my glo, my goggles on and Yep. I, I made sure I held the chainsaw the right way. And you're filling out your report or whatever, and it's at that point that a bad actor uses your tablet as, as the vector to get to [00:51:00] a major utility company.
Max Clark: Whoops.
Joseph Cook: and in that case, right, with this particular client, when we, when we phrased it that way, when we said, Hey, you could very well be an access point to a major utility company by way of those company issued tablets, they bought a large cyber liability policy. They got it
Max Clark: they
Joseph Cook: right.
Max Clark: invested in, in a reasonable amount of cyber, you know, tooling, process, people protection, everything else as well with it. I mean, this is not, this is not theoretical though, right? Like,
Joseph Cook: It's not at all
Max Clark: target biggest example, like one of the first ones Target had ran, you know, had, had, had key loggers and stuff running on their point of sales terminals, and that was their HVAC contractor, right?
Like
Joseph Cook: a hundred percent
Max Clark: you know,
Joseph Cook: running a Bluetooth diagnostic device on a rooftop AC unit. And it was an unsecured, unprotected Bluetooth diagnostic device. And that's how they got in, right? So the, the other thing too is, you know, in the scope of what we [00:52:00] do. You, they, the, the revenues for this company, while they work for other entities, 80% of their company revenues are tied to that contract.
Without that contract, they don't exist
Max Clark: Right.
Joseph Cook: or they don't exist in the way that they exist today. Right. Even if, even if they do persevere, it's incumbent upon us as people that are trying to counsel them and, and offer them protection to help them realize, Hey, you have that exposure to that power company. If you don't protect that exposure, you, you are not protecting 80% of your revenues
Max Clark: Well, and that's not even like exposure in terms of like, oh, you're responsible for whatever happens, you know, like financially, but realistically, you're co contract is null and void at that point with them, and
Joseph Cook: If you can't make them right,
Max Clark: you're, you're
Joseph Cook: them.
Max Clark: everybody off, right?
Joseph Cook: Yeah. They, they are not going to entertain a negotiation. Uh, whether or [00:53:00] not they continue your services, if you don't have the opportunity to make them whole, the only way you have an opportunity, even to attempt to preserve that contract at time of loss is to say, don't worry.
We have a policy, it's gonna make you whole.
Max Clark: Right.
Joseph Cook: And then maybe you persevere. But if you leave them holding a $3 million bag or a 5 million bag, they're calling somebody else.
Max Clark: So we were, we, we were talking about incident response briefly. Um, every, well, every, every is too much, almost every major MDR vendor, MSSP in the mark is offering some version of incident response, right? And it's usually a, a relatively small retainer, you know, they tax onto it. So, know, fi less than 5% of the overall MDR costs would be an IR retainer.
And, you know, of course, if you have a lot of, you know, a lot of endpoints and a big MDR, you know, the incident response retainer might be a blip on the radar for you. And one of the things that's [00:54:00] nice about having that in play, right, is the company is then a little bit more predetermined on what they're, who, who they're gonna be at the table with, right?
Like we've had an issue, like we're using our vendor that we've selected that with our runbooks we've already developed and we have this sort of thing, opposed to calling the insurance company, the insurance company and saying like, we're gonna bring in X, Y, and Z that you've never met or talked to before.
They're gonna be there tomorrow, like with
Joseph Cook: Yeah.
Max Clark: laptops. Like, open your doors up and like, know, this might feel uncomfortable for you. Right. What's, um, um, how is that evolving now with insurance companies in terms of, you know, third party ir, what you need to do in place? Advantages, disadvantages, whatnot.
Joseph Cook: Yeah. So, so the, the overarching perspective of any vendors that, you know, insurance companies are, are going to choose. And provide to you and or [00:55:00] within this, the, the policy language, say you can choose your own and, and we will pay, you know, their costs as a result of accepting the claim. The overarching perspective has just been, please make sure they're a specialist.
Right? So, so if you have an, uh, a breach event, don't hire your nephew who took one computer class at Mason Community College. Right? Right. Please, please hire an expert, a, a specialist. Um, so, so,
Max Clark: frustration I have because there's, you know, all basically every MSP in Telco and whatever company is trying to get in the space and say, Hey, you know, we're security experts now. And I'm like, well, let's go talk about what your MSP actually is. And you're like, oh, you know. got 12 engineers and they do it desktop support for us and install our printers.
And like, and you're like, I'm sure they're really good at that. I mean, no, no, but how, how do they have ex, you know, experience and education and skillset to actually do your security here? You know, it's, it's different.
Joseph Cook: Yeah. Yeah. That sounds more like break fix, right? [00:56:00] Um, YY you know, the, the evolution in terms of, you know, maybe you do have an outside relationship that has more familiarity with you, that you've maybe done, you know, disaster recovery training exercises with or built a disaster recovery plan with all, all of these things that would be presumably helpful at, at time of loss.
Right? Again, as long as they're an expert, insurance companies are pretty open-minded, um, but within the providers that they're, they're giving to you, so they'll say, Hey, we have x, y, Z provider that we use in the southwest region that we use nationally, or whatever it may be. They're trying to allow you to start developing a relationship with them by including some of those other services as part of the policy.
Right. So they'll say, Hey, you know, this is the, the forensic IT or breach response firm that we use, but they also do security awareness training.
Max Clark: Mm-hmm.
Joseph Cook: They also can help you build out a disaster recovery plan.
Max Clark: Mm-hmm.
Joseph Cook: these are [00:57:00] all things that will be given to you either fully subsidized, so at no additional cost to you outside of the policy premium or significantly subsidized.
So if it's a thousand dollars on the open market, it'll be $200 for you as a policy holder. So it's 80% off. Right? And, and hopefully if you're using that, if you don't have your own relationship already, now you're starting to build that relationship and you're gaining value, right? You're gaining value of putting your people through security awareness training.
You're gaining value of having a disaster recovery plan where you may not have otherwise had one, but you've also started to build a relationship with that firm in case you ever actually have to interact with them.
Max Clark: I wanna talk about this term, um, fiduciary responsibility, right?
Joseph Cook: yeah.
Max Clark: I spent most of my life in Southern California, which means that every year every organization I've ever been involved with, there was this conversation around DR. And it was related to the potential 10 point or earthquake and California turning into like an island and all these different things, right?
Joseph Cook: Yep.
Max Clark: And, [00:58:00] and at the beginning of my career was really frustrating for me because you'd spend a lot of time, a lot of energy, produce a plan, come up with budgets, identify vendors, go through this whole thing and, and deliver this report, you know, to the, executive team. And that would go and get wrapped up and then go to the board and the board would read it and say, oh, this looks great.
Thank you very much. We've decided not to do it. And it was very frustrating, very frustrating. Until at some point I realized that the whole point of the exercise was to. You know, provide board with, um, uh, with enough information that they could then make a judgment and do their fiduciary responsibility at the company, which was, okay, we've evaluated this
Joseph Cook: Sure.
Max Clark: and we've determined that it doesn't make sense because the cost of, or the expense of it versus the likelihood of the risk of the event is not warranted.
So thank you very much for doing the report, but we're not gonna move forward with it. Right. And, and that was a big unlock for me, like mentally, because then I understood what I was actually working towards. Not that I was like actually getting this DR site, you know, turned up. [00:59:00] Right.
Joseph Cook: Right.
Max Clark: Um, how is that evolving with cybersecurity and insurance and, and fiduciary responsibilities now?
Because, you know, you, you, you read, I'm reading a lot of things. It's like, are we gonna see personal transference of liability right. Onto an executive team or onto a board for some of this stuff?
Joseph Cook: So we haven't yet, and it's funny that you asked me that question 'cause I actually wrote an article about this on LinkedIn. Um, this is in my article, was specific to the duty of care, right? So as, as a board member, you have certain duties.
Max Clark: Mm-hmm.
Joseph Cook: you owe, uh, to that entity that you serve on the board for, and, and specifically the duty of care is the one that's being attacked right now.
So there's no, uh, successful case where, where that veil to transfer the risk on the board has, has occurred yet. Right. It has not been pierced yet, but there is certainly attempts in, in many jurisdictions to do just that. So essentially [01:00:00] the, the vector is this by, by those you know, um, legal professionals, it is.
You are a member of a board. You have enough information and oversight of an entity to reasonably establish that there is a cyber risk and that you should have a cyber liability policy and that you should have outside it.
Max Clark: Mm-hmm.
Joseph Cook: you get X amount of budget to that outside it and have such and such tools based on your size and scope and based on your size and scope, you should have X amount of limit and, you know, terms and conditions and so on and so forth.
So, so in the event that, you know, you didn't do either of those things at all, so you didn't engage it or you didn't buy a cyber liability policy at all and or you engaged it and you bought a policy, but you should have bought a $5 million policy and you bought a $1 million policy and you should have had $150,000 IT budget and you had a $35,000
Max Clark: Mm-hmm. Mm-hmm.
Joseph Cook: tho.
Those are the cases we're seeing right now, and at some point [01:01:00] that that domino will fall, right.
Max Clark: of this is just like, uh, I don't wanna say like an ignorance defense, but being able to say, like, I, I, there was, I, I had no reasonable expectation that I knew this information because of X, Y, Z. So therefore, the duty of care is limited versus saying, you know, at this point. You know, 2025, we've had so many breaches and there's so much events that you can't, you can't pretend like you didn't know that MFA was important, or you can't pretend that you didn't know you needed a cyber insurance, right?
Joseph Cook: Yeah, that's where it's, it's it's starting to get unreasonable and that's why you're seeing so much heat in this area of tort right now, be because of the fact that, you know, many people now accept or acknowledge that cyber is, is enterprise risk. And if it's enterprise risk, you can't say I, I shouldn't have reasonably been aware.
Right. Um, so now you're talking about duty of care. Now you're talking to about having to be engaged on these items. And I, I, I am confident that that domino is gonna tip in, in inside of the next three years.
Max Clark: [01:02:00] Don't be that use case.
Joseph Cook: Yeah,
Max Clark: I mean, you do not wanna set this case law. Do not be the precedent here, you know, like,
Joseph Cook: that's gonna be an unfortunate company, whoever that is, they're not gonna be feeling good about it.
Max Clark: um. Okay, let's, I, I, I might come back to this in a second, but going back to, um, going back to the original example here, insurance, you know, forensics happens, identify breach, remediation and hopefully has occurred insurance, you know, minus deductible pays out. Um, what's the follow on for them for this? You know, I don't wanna say like from like a lessons learned, but like what changed as a result of that?
I mean, I have assumptions. I'm really curious to hear the answer though.
Joseph Cook: Yeah. So, you know, in, in the, the notion of cyber crime specifically, right? In this case, the, the manipulated invoice. Typically, uh, with, with good cyber insurance carriers, and that was the case [01:03:00] here. There was a security awareness training that was offered to the whole staff,
Max Clark: Mm-hmm.
Joseph Cook: was not a cost, that was within the, the cost of the premium.
Uh, but beyond that, the risk control measures that they undertook were additional verification prior to sending payment,
Max Clark: Mm-hmm.
Joseph Cook: right? So, so, yes.
Max Clark: people. Mm-hmm.
Joseph Cook: Yep. Processing people. So typically, you know, when, when things are going good and people are feeling comfortable, you, you see an invoice that seems reasonable, seems like a, a regular source and you don't go, another step to verify you, you just hit pay,
Max Clark: Mm-hmm.
Joseph Cook: You hit the green button, that's lit up. So now what they've done is, you know, they've engaged a secondary verification, and that secondary verification is at first a phone call to an individual at the material supplier. That has ability to, you know, send an invoice of that amount [01:04:00] and then after the phone call, they have that person who they just spoke to on the phone sign and return a document with that invoice amount on it, that date, so on and so forth.
So it's processing people,
Max Clark: Did they end up changing tools?
Joseph Cook: to my knowledge, they haven't yet changed tools. Uh, not, not that they necessarily don't believe that they shouldn't consider that, but they haven't pressed go on changing tools yet, to my knowledge.
Max Clark: Right. Impersonation prevention, relatively standard feature for most of the major email gateways. I. Um, big complication, especially for the smaller businesses, is it requires you to be on an enterprise license of your collaboration suite. Right? So I feel like, especially in the smaller seat count businesses, they don't want to go there just yet 'cause of the cost.
So I get that if you're, uh, you know, it again, if you're manufacturing, you got a lot of people on the floor, not a lot of people on email do you really want to go [01:05:00] there, but,
Joseph Cook: Sure.
Max Clark: uh, I would, I would imagine that they probably, um, have changed their insurance policies somewhat as a result of this.
Joseph Cook: So you, you know, in this case we, we, we always take a look at, okay, you had an event for $64,000. You currently have a limit that would apply to that event of $250,000. We always wanna make sure, is the two 50 enough? Right? So, so 64, well, inside of two 50 we're okay on this particular anecdote. Right?
Max Clark: Yeah.
Joseph Cook: But do you send money in excess of two 50?
If so, how often?
Max Clark: Right?
Joseph Cook: Um, and in some cases they never do. Right? The, Hey, the biggest payment we've sent in the last 24 months is $102,000. Cool. Two fifty's gonna be just fine. But in some cases they say, Hey, you know, once a quarter we send a payment for a million bucks. Well, oh shit, you know, two 50 million, [01:06:00] right?
Max Clark: well, that, but that's also a very specific, you know, risk profile and, and, and mitigation for cyber crime of invoice fraud, you know, of, of, of payment fraud. But, you know, there's also ransomware, right?
Joseph Cook: Yep. Yep.
Max Clark: know, do you, do you now evaluate, do you have proper backups? You know, do you now evaluate, do you have a proper system to detect breaches, you know, and find source of breach?
Do you have a, you know, runbooks to deal with that? Like, you know, ransomware is a different profile for you than like, oh, did we send a payment to the wrong place?
Joseph Cook: It, it is, you know, I, I think when, whenever no event occurs, there's, there's certainly a, a period of time and it, it'll be shorter or longer depending on the client and the severity of the incident, but there's certainly a period of time where there's a heightened sensitivity. For most people, at least the next 30 days, there's a heightened sensitivity.
Depending on the severity event, it could be longer than that. During that period of heightened sensitivity, you definitely see more engagement
Max Clark: [01:07:00] Mm-hmm.
Joseph Cook: all the people that hopefully they would've been engaged with more often prior to the event, right? So we start to get a lot more engagement. All of a sudden, there's a lot of questions about their policy that they never had before, right?
All of a sudden there's a lot of questions about limits for things like ransomware that are another profile, uh, or, or lost business income, so on so forth. You also see a lot more questions towards folks like yourselves or towards their MSP or MSSP if they have one. Or if, you know, they've, they've got some limited break fix man hours, but their, their, their IT provider can be an MSP.
All of a sudden they're reconsidering that, that, you know, uh, contract or they're reconsidering a, a, a new software stack or whatever it may be. So yes, you see a heightened sensitivity and a lot more engagement for a period of time, and you're, you're just hopeful that that's meaningful, that they take something away from it.
Max Clark: Joe, what's, what's something that you wish, um, business owners, executives, board members, um, [01:08:00] what's something that you think, what's something you wish people in these positions understood or, or thought about more as it relates? I mean, we could say cybersecurity, but let's just really call it cyber crime, like how they protect themselves from cyber crime.
Joseph Cook: Yeah, I, I, I wish that, um, you know, there was, there was more of an awareness towards the frequency and the reality that it is, I, I wish that there was more of a, a desire to, be educated, um, not only on your own, but to, to trust those sources that can, that can help you with their expertise. Uh, I, I feel like, you know, for both of our industries, cybersecurity and for insurance, there's, there's definitely a tendency by a, a good chunk of buyers to [01:09:00] view us as vendors, to view us as order takers
Max Clark: Hmm.
Joseph Cook: And not to view us as consultants with a level of expertise in a, in a important industry. so if, if anything, you know, I, I would encourage people to. Um, reframe how they position their relationship with their cybersecurity professional and their insurance professional.
Max Clark: Yeah, I mean, 'cause quite seriously. We're trying to keep you in business. I, I mean, I mean, I, I, I have this really weird view of, I, when I say weird, I, I think when we got to it, you know, I, I, I view my job for, for a long time now is making people's lives better. Now we happen to use technology in order to effectuate that outcome.
And, um, I also will express it as you know, I am here to help companies grow. Scale, you [01:10:00] know, and, and why is that? Right? You know, when companies grow and scale, they hire more people, people have better outcomes lives, you know, families are impacted. I've been on the other side of it. I've been, I've been inside of organiz.
I, I'm a, I went through the dot-com days, right? Like, you don't wanna be on the, on the receiving end of a layoff. You don't wanna, you don't have anything to do with it. You don't have to be on the side that's, like, doing the layoffs, you don't wanna be on the side that is receiving the layoff. It's terrible. Right.
So, but um, and I look at it the same way with, with, with cybercrime and cybersecurity. It's like you do not wanna walk into your office one day and have your screen reset and see ransomware, like it's just not a good place to be.
Joseph Cook: Uh, you know, I have a similar perspective. I started my career at a very large firm, a top five, publicly traded global firm, employees, multi-billion dollar enterprise. while I very much realized I like this industry quite a bit, mission, you know, in, in serving. [01:11:00] Top 100, top 150 companies just didn't suffice what I wanted to do.
So I, I'm at a local firm now because for me, I view my job as community impact. Sure. If, if I can give good consultation and good advisement and good insurance products to my local, small and medium business owners that help protect them when they need it most and help indemnify them when they need it most and keep their business solvent and operating at, at their lowest possible time.
I'm impacting my community,
Max Clark: Mm-hmm.
Joseph Cook: Like to me it's community impact. That that is a hundred percent how I view my job.
Max Clark: I find a lot of, um, cybersecurity. Is externally driven for companies, right? They end up going through a compliance framework, which is usually a supply chain requirement. They wanna do business with some other, you know, organization or they fit with whatever industry, so therefore [01:12:00] they have to adhere to a cyber sec, you know, a, a compliance framework, which then requires certain cybersecurity activity.
Um. I've seen it driven from insurance. Oh, we want to, we, we need insurance because of the, you know, usually also, again, because of some requirement, so we have to have certain things in order to get insurance. And so I'm finding that's pushing the needle forward. But what I haven't really seen yet, and I don't know really the, the like inflection point happens.
I'm curious, you know, what, what your, your thoughts are on this of like, people actually just understanding that we have to have this like. You, you lock the front door on your house. Not because necessarily you've been burglarized in the past, but just because you know you have to lock the front door on the house.
And at what point do we get to a, a position where, you know, people just understand, like you just have to have this stuff.
Joseph Cook: Yeah, so, so very interesting. You, you know, thread there. Um. When you look at insurance as a concept, right, it's, it's a risk pooling concept. [01:13:00] So you may not need access to this insurance product and this insurance limit at this time, but you may in the future. So we all pay in premiums together. This creates a pool of money and hopefully at the time you need to pull from that pool of money. Your policy terms and conditions supports you being able to pull at that time. Right. So, so when we look at, you know, what compels people to buy insurance products, there's kind of a, a three tiers
the, the most common tier, the, the bottom part of the pyramid that's very large right now is legal compliance.
So the state of Arizona says you must have a policy. The registrar contractor says you must have a policy by.
By statute, you, you buy that policy, that that's the biggest, you know, tranche of buyers go up the pyramid. The next tranche of buyers is contractual solvency. So B2B, private enterprise to private enterprise, you have to meet a compliance framework.
You need to have such and such insurance. So you buy a tool, you buy a policy, not because [01:14:00] you're particularly interested in it or care what it does. Other than the fact that it unlocks that contract and allows you to generate that revenue,
Max Clark: Yep. Yep. I, I see that every day. Sure.
Joseph Cook: yep. Yep. And then finally you get to that smaller portion of the pyramid, and that is the people that say, okay, we've done steps one and two and, and we're not gonna pat ourselves on the back yet, because honestly, those are the things that every company should do. Be be contractually solvent and be legally compliant. Um, now we're gonna say, okay, based on the operations that we undertake. Right. We do incur risk naturally. Not that we're out there looking for it. We certainly try to manage that risk. We certainly try to, you know, avoid risk where we can avoid risk, but in the event that we can't manage it or managing it doesn't allay it all together and we can't avoid it, we're naturally incurring some risk.
And that risk could be to the company's balance sheet. That risk could be to the company's employees. That risk could be to those [01:15:00] vendors or services or consultants that you work with. That risk could be to your community, to your neighbors in your strip center or whatever it may be. What can we do reasonably within the, the, the company's, you know, uh, affordability to say, let's consider other products and services besides legal compliance and contractual compliance to protect ourselves, to protect our employees, to protect our vendors, to protect our neighbors, all these different things.
So. When you think about what insurance concept is conceptually as a risk pool, fact that that that top part of the period is, is the smaller portion also part of the reason that insurance premiums continue to rise. Because there's not enough people paying in, but lots of people that want to take out, right?
So, so if we could flip that pyramid
Max Clark: Mm-hmm.
Joseph Cook: the larger part of the pyramid was the people that did all three of those things, and the smallest part of the pyramid was the people who just wanted to be legally compliant. We probably have [01:16:00] pretty.
Max Clark: This also, I mean, opens up like another vein. I mean, I mean Commer, you know, insurance is a for-profit business, right? So at what point do we start seeing insurance companies that are really looking and doing deeper risk assessments, you know, for insurance and saying, Hey, you know. We've, we've done a relatively thorough evaluation of you.
As a result, you know, you're relatively low risk and so therefore we're gonna give you a really good insurance product at a very low premium because we don't perceive a lot of risk here. I mean, I would imagine the same thing in like general liability or whatever theft. It's like, you know, we've got a fire system, a fire alarm, a security guard at this or that, or the next thing you know, you cross over a certain number of boxes and your premium goes way down.
Like if you're in a brick building with fire suppression and 24 7, you know, people on site versus if you've got. You know, a, uh, a, a a, you know, two by four construction building in the middle of the wilderness with no, with nothing, [01:17:00] right? Like different risk profile, right?
Joseph Cook: Yep. And, and much of that is already encapsulated within underwriting, within actuarial algorithms, whether that's, you know, conspicuous or not conspicuous to the general consumer. So to give you an easy example, if you've ever had a, a policy on, on a building, a property policy,
Max Clark: Mm-hmm.
Joseph Cook: there's something called PC class or protection class.
So that's a one through 10 scale, and that is literally a scale that iterates your distance to emergency services, which, notably, as it relates to protecting a building, is a fire department,
Max Clark: Mm-hmm.
Joseph Cook: right? So if you are a brick building and you have a sprinkler system and you're also PC class one, so there's a fire department across the street, very unlikely that you have a fire total loss.
Max Clark: Right.
Joseph Cook: But if you were a, a frame two-by-four building that is 45 minutes from a, a fire department that is private service only that you have to enroll to. Right. If you have a fire, [01:18:00] you're probably going to burn all the way down, even if they leave as soon as they could possibly leave. And even if you subscribe to that private, to that private provider.
Max Clark: How sophisticated is insurance underwriting with cybersecurity at this point? Because there's a tool question and then there's a process, you know, and people question, right? So going and saying. You've got this tool versus that tool versus this other tool. Like when we do, you know, tool evaluation fu fundamentally, right?
It's like I, I can tell you that like, you might think that this is a good tool, but it's actually complete junk garbage, you know, and you really should get this other thing instead. And like, how, how deep is the insurance policies getting into like aid, you have the tool B, which tool are you using? C do you have the process in place?
D do you have like a third party, you know, that can, that can help you with scale, you know?
Joseph Cook: Sure, sure. So you, you know, the, the, the sophistication and the elegance of the underwriting is, is going to increase based on two [01:19:00] things primarily. Um. A, the, you know, size of the client.
Max Clark: Mm-hmm.
Joseph Cook: really. The size, the scope, and then the limit that's being asked for, right? So, I, I, I actually have an ongoing one right now with, with a SaaS AI company, uh, that works in the telecommunications space. And they now need to take their limit from 5 million, 5 million occurrence aggregate to 10 million, 10 million to stay compliant with their contracts. The underwriting on this one has been pretty sophisticated. They're a decent sized local company. They work in telecommunications. They have, they have SaaS and AI, and they're looking for $10 million of limit from that insurance company. So again, you, let's call back to earlier. If, if someone was asking you for a potential loan of $10 million, we might wanna charge them some interest and have an idea of what's going on or.
Max Clark: And make sure they can pay you back right.
Joseph Cook: Here's the 10 bill. You know, that's best of luck to you. Uh, that's a significant amount of money. So the, the underwriting [01:20:00] on this one has been, uh, pretty sophisticated. but, but it, it will evolve based on the size, scope, and, and limit being asked for. So if you're asking for a million dollar limit on a digital marketing firm that has $600,000 of gross receipts. You're not gonna get a lot of heavy underwriting questions. Right? And, and you know, there's tools that they use too, right?
So if you're familiar with like a, a BitSight or SecurityScorecard type outbound packet, domain scan type tool, a lot of the carriers are using those as pre-underwriting tools. Now, not the be all end all, but it's something for them to potentially look at and say, are they at least trying? To have a, to have a, a, a, you know, a reasonably protected entity or is this thing really a mess?
Right? Based on that outbound packet perspective,
Max Clark: [01:21:00] Mm-hmm.
Joseph Cook: 360 view. Right. You've got the outbound packet, you've got the inside the firewall. That's, that's not a bad perspective to have, but it depends on the size, the scope, being applied here.
Max Clark: Right. Makes complete sense. Joe, thank you so much. This is fantastic. I, uh, enjoy, I enjoy getting, you know, the other view of this always
Joseph Cook: Well, thanks for having me on, max. I appreciate it. Certainly a, a good time to, to chat with you and, uh, yeah, I, I know that, uh, insurance gets a little bit of a perspective sometimes, but, uh, I,
Max Clark: I.
Joseph Cook: can absolutely tell you there are good people within this industry that are really trying to use that, this product to help.
Max Clark: Absolutely.