What if the company you just bought came with a hidden cyber landmine?
M&A is risky enough. But when cybersecurity gaps go unchecked during a merger, the consequences aren't just technical — they’re financial, operational, and reputational. And most leaders don’t see the breach coming until it’s too late.
In this episode, Max Clark sits down with Kevin Thomsen, CRO of Maxxsure to unpack what really happens when cybersecurity is treated like a checkbox during mergers and acquisitions. They dive into risk quantification, breach modeling, insurance failures, and the dangerous disconnect between CISOs, the board, and private equity firms.
If you’ve ever asked, “Are we covered?” — this is the episode you need to watch. Because it’s not just a breach. It’s a $29M mistake.
TDD EP48 Kevin Thomsen
[00:00:00] Max Clark: Will kind of lean in, know, do all this good fun stuff. You wanna do any pushups, you know, get the, get the, get the blood flowing burpees. I, I've joked about it, but I, I think I'm actually gonna do it. Or like, make people do like five burpees before we record going forward. You know, like, get the endorphins rolling.
[00:00:18] Kevin Thomsen: Just fucking rep it.
Yeah.
[00:00:20] Max Clark: Just, five Navy SEALs go, you know, like, can, can you
[00:00:26] Kevin Thomsen: Um, where are you gonna go in Europe?
[00:00:34] Max Clark: man, um, gonna be in, uh, in London um, she's filming in London, so she's gonna be finishing a, a project there. And so her kids are going out in June her boys are the same age as my boys, basically. So this started with a like, oh, come and hang out with us in London, kind of thing.
Um, so we're going to, uh, New York. [00:01:00] Edin brah. I've, I've learned the correct pronunciation. Is edin brah. Like,
[00:01:04] Kevin Thomsen: Okay.
[00:01:05] Max Clark: like, like, like come at me bra. You know, like edin brah. So, so Edin, brah. London, Paris, Sardinia, Sardinia, Croatia. Then we're gonna do the, basically the entire tour of Italy. So Rome, uh, Positano, Tuscany, um, Portofino, um, Pisa, Milan, and then
[00:01:32] Kevin Thomsen: That is a, that's a good one.
[00:01:34] Max Clark: oh, and then back to New York for a few days.
Yeah. It's, uh, or it's, it's gonna be, uh, I think the whole, the, the total deal is like 65 days in the road.
I can imagine that,
[00:01:47] Kevin Thomsen: Yeah, just the logistics of clothing and like bags.
[00:01:51] Max Clark: you know, it's actually almost better when you do it this long because you, like, normally you pack for, let's say a week and you kind of like. gonna [00:02:00] have a different outfit. I have like a week's worth of clothes and then it's like, I'm done. Right. When you get to this level, you kind of give up on that idea and you're just like, I'm dry cleaning and I'm doing the laundry regardless of what's
[00:02:10] Kevin Thomsen: Yeah, Like
and we just now need the fundamentals and we'll, we'll pick up along the way.
[00:02:15] Max Clark: Yeah, it's like, it, it almo. I mean, it literally almost makes it easier because you just cannot even mentally even think that you're gonna accomplish, like, packing for 65 days.
[00:02:23] Kevin Thomsen: Not even clothes.
[00:02:25] Max Clark: yeah. You know?
[00:02:26] Kevin Thomsen: Good for you. That's
So much fun.
[00:02:28] Max Clark: yeah, kids are, uh, finishing first and second grade so timing just kind of worked up. It was like, you know, let's just have a blowout like summer, 'cause otherwise we'd go to LA for two months and I'd be like, transient in LA Anyways,
[00:02:41] Kevin Thomsen: Yeah,
[00:02:43] Max Clark: time
[00:02:43] Kevin Thomsen: gonna be very present with your family and like, you know, a lot of the, um, there's a new book out, the Five Stages of Wealth.
[00:02:51] Max Clark: Oh, Sahil Bloom. Yeah.
[00:02:52] Kevin Thomsen: Yes. I think we talked about this
and uh, just how precious time is and like [00:03:00] the, uh, you know what, what hit me was when they were talking about, you know, there's a good shot, you might only see your parents 20 more times.
[00:03:08] Max Clark: Do you know where he got that from? Who's been harping on this for a long time? Jesse Itzler.
[00:03:12] Kevin Thomsen: Yeah.
I think he talked about it at one of the, when we
saw him live down in Austin.
But I follow him. I love his content.
[00:03:19] Max Clark: So Jesse Itzler has been on this thing for a while now. This has been like his core talk, you know, like his core spiel for a while. And it's like, you've got 15 summers left. What are you gonna do with it?
You know? you're like,
[00:03:30] Kevin Thomsen: And that guy's killing it. Like
he is. He's present with his family, very meticulous on time and look at his output.
[00:03:36] Max Clark: yeah. But it's, it's, it's the, the idea of intentionality at that level of like, know, and so he's 50 something, but he talks about it. He is like, you know, like, how many summers of health do you have left? You know, do I have 20 summers?
[00:03:49] Kevin Thomsen: My, uh,
my father's, my father's starting, you know, he is selling his practice and they're getting older. I think he's what, 70? 74. And [00:04:00] they're looking at it like, listen, our knees or hips are good for another few, like till we're 80 and then what?
We're not gonna go, I wanna go to Europe now. Like, the time is now, like,
let's get going.
And that's hard for them.
[00:04:13] Max Clark: So I am, I, I'm always in this kind of thing where it's like, um, you know, like balancing responsibility of like future and investment and all these different things. Like this trip is so insane. Like, the fact that we're actually doing this and I've committed to this, or I've booked it and landed, told my wife, like, okay, we're doing it, like, is absolutely completely bad shit.
But, um, but, but then, you know, you take it apart and you're like, boys are gonna be, you know, are gonna be like, uh, seven and almost nine. You know, like, I've got five, six years of being able to do this kind of. Trip with them before. It's like sports girls college, like whatever else has kicked in, you know?
[00:04:56] Kevin Thomsen: Bless your heart, dude.
[00:04:57] Max Clark: and so now I'm like, I'm
[00:04:58] Kevin Thomsen: You won't regret it. You already know [00:05:00] that it's gonna, it's an undertaking, getting it done, logistics and like,
but once you're there and you're swimming and snia or having pizza on the streets of mal, like you're gonna be like.
[00:05:13] Max Clark: yeah.
[00:05:13] Kevin Thomsen: Thank you.
[00:05:14] Max Clark: So I've got, I've got this. I think I'm gonna try to pull off Asia next year. You know, 'cause like Sharon has, I mean, Sharon has family in South Korea. Like it's, you know, that we can, we can make a trip out of it pretty easily. Right.
[00:05:29] Kevin Thomsen: Yeah,
[00:05:29] Max Clark: so I, I wanna do an Asian run and then, um, and so that would be, so he'd be then eight.
And then I'm like, of wanna do an like a, a big, um, like Africa deal, you know, and go,
[00:05:42] Kevin Thomsen: Dubai, Africa.
[00:05:44] Max Clark: go do, yeah, go do a big Africa deal and, um. I mean, I have a, I have, I have a cache of Amex points, right? So if you look at like, what I've now just spent on this trip, like, I have 10 of these, like just in, in the hopper in terms of like [00:06:00] points balance.
So I'm like, okay, well maybe, you know, this is what the next 10 years of my life looks like. Just like, just like to just blow it out and these kind of things. And uh, you know, and if I get to zero, if I get my kids through college and launch into the world and like they don't have debt, but like, I have, you know, but I have no money.
It's like, ah, you know, I've done okay. You know, like it's,
[00:06:20] Kevin Thomsen: See, that's an unbelievable mindset.
Um,
[00:06:24] Max Clark: you know, like I, I mean, I, you know, I don't know. It changes, right? You start, this is original thought for me. Like a lot of this, you know, like watching Itzler, like reading all this different stuff, like
[00:06:34] Kevin Thomsen: but that's the, but that's the point of books. You're sharing someone else's knowledge,
you know, like you're, you're taking its and bits and you're making it your own. Like, that's the beauty of, you know, being able to lean in and be motivated to actually better yourself and your family. I mean, that's, that's so good.
[00:06:56] Max Clark: Um, Amy, should have asked you this beforehand. Any questions before we get in [00:07:00] going? We're not gonna name names. I'm not gonna ask you names. This is not Gotcha. So like anything comes up, like,
[00:07:06] Kevin Thomsen: Yeah.
[00:07:06] Max Clark: we'll, we'll, you know, we'll cut. Right. so, um, otherwise it's the basically like, we're just gonna go riff for, for spiel, you know, and see where we end up.
Right.
[00:07:18] Kevin Thomsen: Perfect.
[00:07:19] Max Clark: Um, uh, I've already, I've already given you the, let's see, turn everything off stuff. So, um, anything else you wanna hit on before like we of like officially kick off? Okay.
[00:07:32] Kevin Thomsen: No, we're, um, I'm excited and, uh, I think we're going to, we're gonna have a good little rev.
[00:07:39] Max Clark: Cool. So have been wanting to have this conversation for a while now, so like, I'm, I'm, I'm jazzed, right. Um, I'll keep, I'll keep you pg. The, um, can you start off with just the intersection of cybersecurity risk and insurance?
I think this is probably like the, the fundamental piece here [00:08:00] that link together.
So
[00:08:02] Kevin Thomsen: Yeah. Alright,
[00:08:02] Max Clark: up. Who are you, what do you do? What's your company
name? Like, gimme, gimme the whole thing. We'll, we'll do the whole, let's do the whole dog and pony here. You know,
why not?
[00:08:09] Kevin Thomsen: so, uh, my name's Kevin Thomsen
and the company is Maxxsure. Uh, we have, we were founded seven years ago. I joined two years ago. Prior to that I ran indirect sales at Zoom. I was there pre-COVID, had a really good run, brought the channel along with me, you know, a lot of success there. And, um, when you're looking at the entire risk conversation from the top, the whole goal of the board or any fiduciary leadership is to de-risk the asset.
And so when you're looking at risk transference. Which is insurance. Then you're looking at cybersecurity, [00:09:00] which is remediation. You can either do two items, you can transfer all your risks to insurance. Most people don't. Just 'cause it doesn't economically make sense. And you can, as you very well know, you can endlessly spend on tools, technologies, people, processes, but there's no such thing as perfect cybersecurity.
So the third element is accepted risk. And so when you triage what your exposure is to the, to the, the bad actors of the world, a healthy blend of, do I have the right amount of risk transfers, which is the insurance based on your appetite and your capacity. And you know, quite
frankly the financials. So that if you were to hit, if get hit, how much could you stomach? Then there's that, Hey, we're gonna hire the top talent trusted advisor, bring in best of breed [00:10:00] technologies to, you know, it's kind of like your tactical defense, right? It's your Iron Dome, and then there is that amount of risk that you just have to accept. Now most companies do that over a risk registry, whether that be software or, you know, on your Excel.
That is the, um, you really, your, your negligence defense that, Hey, we know that there's risks out there. We just don't have the money or the capacity to handle it now.
And then you forecast it out. Yeah. So like that's the intersection and it's really, really hard for companies to get it right because it's all different languages.
[00:10:40] Max Clark: You, you, you said two things that really trigger off for this, and the first one is, um, fiduciary, right? Like the fiduciary responsibility. when I was young and just starting out, know, back when I was, okay anyways, won't, we won't date myself. But what I didn't really understand at that time as a practitioner was this idea [00:11:00] of, of fiduciary responsibility.
Like, you know, and, and it was, and I realized after doing a lot of DR planning, I mean, again, growing up in earthquake country, right, it was always like the 10 oh had to hit, we would have to create plans of what to do and what our DR policy was around the earthquake. And then it would go to the board and the board would be like, oh, this
looks great.
Okay, we're not gonna do anything. You know, it was always very, it was always really deflating, right?
and it took, it took a little while as I was maturing to like really understand that. They had Ed, they'd, they had asked for a process to educate themselves to then make informed decisions around risk, and then decided that the spend to, to alleviate that risk wasn't responsible for the business or, or wasn't available to the business.
And then done their fiduciary responsibility. So that's like, that's the first thing that you kind of trigger off on here. When I think, when, when you say that is educating people of what the actual risk is and how to quantify that is really hard in cyber, right? Like, I don't feel like a lot of cyber practitioners are really, [00:12:00] we're, we're not talking the language of the business
in cyber risk really well.
[00:12:06] Kevin Thomsen: You nailed it. And that problem is from the top of major enterprise, down through your whatever local shop. It's just different. You know, I ask this question all the time, you know, do you know how to read music? And most folks say they don't know how to read music. And so if they were handed a sheet of music, they'd be like, I don't understand this.
Well, that is the same exact thing that happens when technology is talking in their language to the board. And then the same thing with how many people at, at a company understand the insur, the risk transference, the insurance policy, the exclusions, maybe two. So that's another language. And then you have the board, they have their own language and. You know, we have, uh, you know, there's good resource, but you talk to any top tier [00:13:00] CISO outside of securing the asset, which is the number one priority, the majority of their job is justifying resources. But where do they fall short?
[00:13:10] Max Clark: Mm-hmm.
[00:13:10] Kevin Thomsen: They might be talking in the acronym soup versus looking at risk through a financial lens. And that is, is a major crux.
[00:13:24] Max Clark: Let's come back to the acronyms here in a moment, right? It's, I get into this conversation with, with a, with a business leader or with an IT, you know, leader. And, and when you start talking about the cyber people get into and there's all these different things you can do, like the Cyber Defense Matrix, the cyber maturity model, the this and that, and the next thing.
depending on what kind of enterprise you're dealing with, say, we wanna be somewhere in between. You know, they like, their scale in their head is like, we have zero security and here's NSA security and then maybe a couple notches down as like a bank. And we're not a bank, so we need to be somewhere between zero and the bank on the appropriate scale.
But then how do you [00:14:00] make decisions? technology and processes to say, okay, you know, you know, if you've, if you put NSA at 10 and you're, and this zero in the bank at like eight, right? Like, oh, we want to be at like a six and a half or a seven because that's where we kind of like Intuit that we want to get to.
And you're like, and, and, but, which makes a really kind of natural process. 'cause we're like, you know, people, we're comparative animals, like our brains work in this kind of thing. We have to find an association that, that, that works. and the other thing that you said that, that really kind of kicked off on this was, um, I, the mentality around cybersecurity.
I, I think for a lot of people still displaced as cybersecurity is an insurance policy. Like, people think that they're buying cybersecurity as like a way, you know, as an insurance for the business. And what I've, I'm, I'm curious what I want to, I want your feedback on this one because I've started kind of equating it to like, no, know, um,
you know, cybersecurity is the
[00:14:56] Kevin Thomsen: Mm-hmm.
[00:14:57] Max Clark: and the fire suppression in
the building. [00:15:00] So like if there's, you know, if there's smoke, you know, you can catch it before it turns into a fire. Or if there is a fire, you can, you know, hopefully put it down before the whole building burns down. And then insurance like comes in and pays to, you know, for repairs.
Right. And I'm, I'd love to know what you're like, how you like,
put this into,
[00:15:17] Kevin Thomsen: Yeah. So how I look at.
Cybersecurity is your, your tactical defense. You are stopping the attackers for trying to find that, that one gap in the, you know, your armor, right? If you have a incident and you have security, again, personnel, processes, people, et cetera, the company still has to wear that loss, whether it be, you know, a ransom or a service disruption. Insurance is the vehicle to recoup from a financial [00:16:00] standpoint. And that is, you know, for the folks that had, and that were really, you know, had a lot of rigor around their risk transference. The episode that happened this summer with, um, with CrowdStrike, there were a lot of claims
[00:16:14] Max Clark: Mm-hmm.
[00:16:15] Kevin Thomsen: were denied because you weren't down for a certain amount of time. The, the, I would say the stewards of really having a true risk strategy understood that exclusion and negotiated down that, hey, our business, whether it be a casino, whether it be a bank, whether it be, you know, a, a very sales driven, you know, a recruiter, you, you name it, um, if you have an, a true understanding of your company's DNA and what your risk exposure is based on, all right, if we're down, what is this impactful?
You know, if the sensitive data were to be compromised, what is my dollar [00:17:00] amount out? And when you have that level of insight, which is measurable, like any good decision making, you run simulation, they made sure that their contingent business. Was anything after an hour or two hours they could financially recoup. So the, the insurance element to that, again, going back to that kind of, that de-risking pie where it's transfer, remediate, accept, um, it is when done right. Arguably the, one of the most important decisions a business leader can make is having the right structured risk transference to deal with bad actors. 'cause you're financially gonna be able to recoup. It's not a sunk cost.
[00:17:47] Max Clark: How do you help people manage this process? Right? Like, when I say process, I'm like, how? How are you educating? I mean, there's really two pieces of this, right? It's like you have to evaluate what [00:18:00] policy and tools are in place. that that evolves and that changes over time, right? Like what's the posture of the business is the language we would use, right?
So there's like cybersecurity, there's, um, backup and disaster recovery, and you know, all, you know what, what are the, what's,
[00:18:16] Kevin Thomsen: All right, lemme walk you through. This would be
actually really, this is really good and insightful for you. So let's talk the, like the mid-2000s, right. Um, when risk really in cyber started to really move up the org chart and you have, you know, where it was actually at the officer level of the company, typically the technology officer. You had the emergence of the big accounting firms, your Deloitte, your Accenture, your EY, your Charles River that would come in and do a risk assessment on a sampling of your data once a year. And that was considered blue ribbon, like the best practice. And they would try to quantify your risk based on sampling of your data [00:19:00] for governance, your, your CMDB, you know,
looking at, um, external scans, known vulnerabilities, et cetera. And that's a practice that is still happening today when you're up for your, uh, your, your cyber insurance renewal. They're taking bits and pieces and trying to give some sort of picture. Well, the, where the, the whole market has evolved to is like going to the doctor. Um, you could go to the doctor and you get a physical and they look at you and hey, you look good.
And, you know, I, maybe you could lose a few more pounds versus taking diagnostic inflammation, testing your blood, work, running, uh, all of the analytics and the test, getting inside and outside in a full body composition of your [00:20:00] data. The same practice is now being applied to, to risk
[00:20:06] Max Clark: Mm-hmm.
[00:20:07] Kevin Thomsen: people. Third and fourth party risk.
Your governance, certainly your asset inventory and vulnerability. Really that CMDB data, geopolitical. Do you have a factory, uh, in, in another country or do you have operations in another country? Do you have contractors in another country?
And all of that data is there today. The difference is, how are you correlating all these findings from all these tools that you already have and creating usable data to make a really, really smart business decision? And that's the practice of what risk quant is today. It's not sampling, it's not static. You're actually able to API into whatever has what can be, and then [00:21:00] you take whatever is in what I call Excel hell, which is your governance, which is your financials, which is some of the people data. And if you can actually, uh, create telemetry around that data, you're gonna be able to see, Hey, here's where we're truly at from a posture and where our data is saying how well we're doing against the controls, whether it be NIST or HIPAA, or PCI or
whatever framework you have, you, it's, it's a full audit. But once you have that, that. Risk quantified and you correlate it back to your financials. You have now just bridged the gap between technology and fiduciary leadership to then look at, Hey, do we like the picture we're seeing? And if we don't, what do we do next? Well, that's going to lead to insightful remediation.
Hey, maybe we should transfer more of the risk. Now that we actually understand that we, we, [00:22:00] we, you know, this is outside of our defined capacity or appetite from, from the risk committee. So it helps shepherd a very intelligent conversation. But it's all around your data. Just visualized different, and right now, and, and then we'll take a break here, is the CISO's responsible for that? Think about that outside of securing the asset and making sure that the bad actors don't go in. They have to take all the findings from all the tools they have right now, which, whether it be Tenable, Qualys, your, your, your
XDR, your EDR, uh, whatever surface, um, uh, surface attack information governance, and you have to take all the findings from those tools, correlate the data, and then put it into a language that isn't native to you.
You understand tech, but how are you, how are you talking to your GC? How are you talking to your CFO? That's really, really hard. And the folks that are doing it well, [00:23:00] well, you, they're famous. But for the majority of folks that typically are introverts in the security space, having to articulate the need for resources and actually justifying it through a, you know, a financial lens is close to impossible.
[00:23:17] Max Clark: So this is fascinating to me because I've, I've wondered for a long time and talked to people about this in terms of security as a byproduct of scar tissue, you know, and, and like, until, um, until your nab hopefully it's your neighbor and not you, right? Like it's the, it's the business down the street and not your business until, until something happens that.
that event that you're like, I don't ever want to go through that. Right. Um, what's another example? I've, I have, um, I have a client and, uh, they're, um, PE owned and there's, you know, one of the other portcos in their division had an incident, a massive financial penalty. Now of course, all the other portcos are like, wait, that happened to them?
We have to protect ourselves. How [00:24:00] do we prepare for that? But it really took that kind of reaction of, now I really know somebody. And it went from like, this will ha this could happen. Or the statistics are really bad to, like, I, I can, I can personify this a little bit more. Right. But so I've noticed that with a lot of people and a lot of enterprises where they, it, it takes that kind of triggering event to cross that, to cross the Rubicon and say, okay, now we have to do something about it.
[00:24:25] Kevin Thomsen: Yeah.
[00:24:26] Max Clark: And it's, it's really fascinating to think about this from the other side of being able to say, know, I guess I should ask you this question, which is. You have when you have your, your plot and your data points, right? And you, and you understand your data. And then you say, and you can overlay that financials, you know, what is the revenue of the business, right?
What's the, what's the what, what's the actual, what's the money here? What's the brand equity of the business? Right? Whatever the, you know, we should, I, I'm making an assumption. You should correct me here. And you're then talking about it from a, I I think I, I'd ask two following questions, [00:25:00] which is, are you providing people with scoring that says if you do X or Y, you can change this number up or down.
And then also, um, what the percentage likelihood of this actually happening based on what's occurring in the world. You're smiling at me, so I'm hoping I gave you a really good leading question there.
[00:25:17] Kevin Thomsen: Yes. And you know, I was on stage yesterday at a, at a big conference and, um, a point that really hit home was you have to treat cybersecurity and risk like an investor, not a gambler. What do investors do before any decision? You wanna open up a new office, you wanna open up, uh, you know, a a, uh, hire new folks.
You want to expand the business at scale. What do you do? You model it out. You run simulation, you get market analysis. Why isn't that happening in cybersecurity? Well, we know one thing we talked about at the top of the hour, it's intimidating. The
word [00:26:00] cybersecurity is extremely intimidating to financial leadership fact, right?
It's a different language. But if you can run simulation and tie it back to the universal language, which is dollars and cents. You now are leveling the field and then with the use of just, again, data and, you know, AI, you can, if I do this, what will it do to the probability of a possible breach, a possible scenario, if I buy this, what does that do to my overall, um, whether it be financial liability or how does this increase my actual tactical defense? And that is something that, you know, the market's starving for because it, it truly is a problem.
[00:26:56] Max Clark: Well, the other, I mean, the other problem here of course is like the dragon I wanna go slay is [00:27:00] tech marketing. you know, you come out with a technology that's like antivirus and they call it Next Gen Antivirus and it's called EDR, right? And then, and then an analyst comes out and defines a category and then everybody rushes into the category and says like, our fill in the blank widget also does that thing.
So that way they can check the box and like tack onto this, this like marketing wave that happens and then somebody starts redefining it and saying, we're no longer gonna call it EDR, now we wanna call it XDR because it's special and we're a special snowflake, right? And then everybody becomes XDR vendors and then you've got like this and that you, and, and you said acronym soup.
And I was laughing about it because, you know, we have an internal glossary just of like cybersecurity terms and it's, you know, we do this with a lot of different tech, but you know, it's like every day it's like there's another thing that you have to put on and define because, you know, and, and, and it also creates a lot of problems because, if I go and invest in this tool and then build a team and process around it, right?
Like, am I actually getting benefit out of it and what is the benefit I get out of it, right?
[00:27:59] Kevin Thomsen: Gambling.[00:28:00]
[00:28:00] Max Clark: Well,
[00:28:01] Kevin Thomsen: Most folks are gambling that they've hired the right security leader. That that secure leader has adopted the best possible insights knowledge from the market and has acted like it's their own money. How often is that really the case?
I.
[00:28:21] Max Clark: well, and the other thing that's really depressing, I'll never forget this. I had a conversation with a CISO, multi-billion dollar global brand, retail, you know, manufacturing, retail, and, um, his entire budget was $11 million tooling and staff, multi-billion dollar organization. Right. He had $11 million. The way that he was approaching that was his only responsibility was trying to do detection.
And, you know, it's like, could you, could you identify. Something on the environment and then isolate it. Right. And [00:29:00] there was no other goal in that. It was just like all he, he was just like, all we can do here is just to try to detect and isolate
[00:29:06] Kevin Thomsen: and
you know, the crazy thing is if you asked the owner or the chairman or the CFO of that board, hey, would you bet your career on that CISO? Irrespective of how good that CISO is, they would say. No, but
like that's the decision people are making by holding back the the necessary resources. The problem is to your earlier point, folks don't know what a bad day will look like.
[00:29:35] Max Clark: well, it's also they don't know how to sell it. Right. Translate it. This is, you know, I had another cybersecurity, you know, leader unicorn business. Right. You know, same thing cra you know, like I, I won't get more into that. Was asked, you know, what's the program need to look like? And this is, you know, prepping for IPO and it's like, oh, I need a million dollars a year.
And the business came back to him and said, we'll give you $50,000. Figure it [00:30:00] out. You know,
[00:30:00] Kevin Thomsen: Yeah.
[00:30:01] Max Clark: and, and the way he related to it, it was like, I am a very well paid fall guy. Where it was like he knew he was getting a high salary to ultimately be the name, that when something happened that was like, oh, you're out the door and you're the sacrifice that we have to make to the board when something bad happens.
And, it was like a really strange thing to like, like, to talk about of, you know, he just, you know, it's like you, you get in this position where it's like he wants to help the business, but he didn't have the tools or the ability to actually help the business because the, you know, you're like, you're stuck and you get in this position, it's just like, what do you do?
[00:30:37] Kevin Thomsen: Yeah, and like, so that's it all comes back to, and it's only gonna get worse. So at least back in the day, there was a human that they were trying to break through, but now you have AI. Who doesn't need a water break? Who [00:31:00] doesn't need a bathroom break?
[00:31:01] Max Clark: Mm-hmm.
[00:31:01] Kevin Thomsen: Relentlessly attacking the business. And now you, you hire, um, you hire, uh, the right tech and then you have AI also trying to protect it.
And it's this battle. It's this battle. And this is at the highest level of, of, uh, of security. But when it does happen, are you prepared to have your doors open the next day? And that is the job of the board. And when you are looking at risk and security, it's at one of the top boardroom items across the board. But the biggest challenge, and I keep on going back, is the communication, the language. One of the biggest challenges in the world is cybersecurity, but yet a board typically doesn't have a [00:32:00] cyber person.
[00:32:01] Max Clark: Mm-hmm.
[00:32:02] Kevin Thomsen: anointed on the board,
[00:32:03] Max Clark: Right?
[00:32:04] Kevin Thomsen: most boards have, you have someone who's, who's had an unbelievable career in finance.
You have someone a, a legal savant, and then you have some operations in, in revenue. You know, revenue founders. It's typically a board makeup. How many of them have actual past technologists, especially around security,
[00:32:25] Max Clark: Mm-hmm.
[00:32:26] Kevin Thomsen: where we know that it's crippling and the, the whole job of the bad actor is to find the pain point that's going to inflict the most pain to you, to make you squirm.
[00:32:38] Max Clark: So connect, connect other dots for me,
[00:32:40] Kevin Thomsen: Yeah.
[00:32:41] Max Clark: um, you're gonna go out and you're gonna build, um, you're gonna model out, effectively risk
[00:32:47] Kevin Thomsen: Mm-hmm.
[00:32:48] Max Clark: the company, right? And you're gonna get additional data from the company, and you end up with a, with an output that says, you know, here's, here's where you're at, right?
Here's, you know, here's your [00:33:00] score. And now attack that by doing one of two things. As you've said, you can either invest in, in tools and process in people, or you can, you can either lower it, right? So it's how do we lower this risk? Or you can displace it onto insurance.
[00:33:18] Kevin Thomsen: Yes,
[00:33:18] Max Clark: insurance is also really expensive and insurance doesn't want to, insurance makes money by not paying claims,
[00:33:23] Kevin Thomsen: that's right?
[00:33:24] Max Clark: company? They, they want you to be not risky. So this becomes now another element of this, which is: communicating with insurance that you are less risky, so that way you can afford to de-risk more of your financials and then, and be able to afford that de-risking. Right. So
[00:33:42] Kevin Thomsen: So
[00:33:43] Max Clark: those three dots or
[00:33:44] Kevin Thomsen: Yeah, so the, the insurance point's really, really strong. So, uh, it is by design that the applications are as basic and simple. Few questions, and [00:34:00] the reason is, well, yeah, we checked, yeah, we're doing MFA. Well, what happens, you know, after, after an incident, post forensics, you didn't have MFA on, you know, a print server. Alright, great. 30 cents on the dollar right out of the gate. Right. You're thinking. Um, and so they, yes, there's a lot of underwriting tools out
there, uh, for the insurers.
[00:34:27] Max Clark: Yeah.
[00:34:28] Kevin Thomsen: There is not a lot for the insured. And so what we have seen as an unbelievable practice and, you know, thankfully we got a lot of really great stats, um, at, at Maxxsure, is we're able to help articulate the risk better than the underwriters because we just have more data. The practice of the one-time assessment or the audit or assessment for renewal [00:35:00] is based on a sampling of data. Are you, do you have a tech stack? Are you running certain, do you have a CISO? Are you doing KnowBe4 or some sort of training, and, you know, are there, are there controls and frameworks? Okay, great.
Check, check, check. Alright. You're in this industry, whether it be banking or finance or other, okay? Their algorithm spits out, all right, based on past claim
data, here's about where we're going to give you, and here's the exclusions that that come alongside
it. The broker's already got a lot of love of your other lines of business.
You might get taken to a few trips or games throughout the year as a leader. And so you alright? Yeah, we double down, you know, we have to eat that sandwich. Whatever they're serving, you gotta eat it. Just, how are you, how else do you provide any, how do you have leverage at the table?
[00:35:46] Max Clark: Mm-hmm.
[00:35:48] Kevin Thomsen: How. All right, so new tech, a new way to actually go about this problem is, if I have insights into 100% of my [00:36:00] operational data across people, process, technology, governance, and you're actually running a risk program, not just a tech stack, you're able to come with a binder of, you guys have been treating me like a single-A rated bond on triple-A, and here's why. And so you're now spinning the table of, hey, treat me different. So I want my price the same, I want these exclusions taken out, and I want you to double my limit. Or what other of the carriers out there are gonna want to take that business, because you're proving that you actually have your shit together. They want it. What bookie doesn't want to take a winner? What insurance company doesn't wanna take good risk?
[00:36:47] Max Clark: Right.
[00:36:48] Kevin Thomsen: so the whole idea around this, this new evolution around cyber insurance, can you actually depict that you're a [00:37:00] good risk? 'cause if you are, you have leverage and that's a major output to the game of de-risking your asset.
[00:37:20] Max Clark: We were talking before and got into an example, which I wanna talk about more. And this is where the rubber meets the road,
[00:37:30] Kevin Thomsen: Yeah.
[00:37:31] Max Clark: Right? Like we can talk about tech and we can talk about it. I mean, I'm a nerd. I get excited about this stuff. Like, I can't help myself, right? You're like, oh, oh, there's a new router on the market.
Like, what? Tell me all about it. You know? Like, even though I, I own no routers now, but, um, it, it's, it's a sickness. I can't get away from it. But, um, set the stage for me, you know, um, uh, industry vertical background, market segment size, you know, like [00:38:00] what's, what's the broad strokes? I
[00:38:02] Kevin Thomsen: Um,
[00:38:03] Max Clark: mean, this applies to everything, but I, I think probably the, the most interesting we, you know, we, we started talking about private equity earlier, so, and you need talk about like, investments.
So I
[00:38:12] Kevin Thomsen: what?
[00:38:13] Max Clark: let's, let's just go down that, let's go
[00:38:14] Kevin Thomsen: Yeah. Alright. That's great. Um, pretty regulated industry. Uh, private equity typically is investing in, you know, healthcare, finance, software, you know, some manufacturing. But, uh, for one of our, our great, uh, one of our, you know, one of our largest clients, um, you know, there's, you know, $60-plus billion AUM, and, uh, you said it earlier, they had an incident. Uh, and the incident is actually during a buy-side deal, um, during integration,
which is
[00:38:53] Max Clark: Mm-hmm.
[00:38:54] Kevin Thomsen: you know, your guard's down a little bit, contracts have been signed. You might be, you know, the, [00:39:00] the, the seller might be, um, you know, be able to breathe a little bit. You, you know, the seller was also very cost conscious
to try to make the financials.
Uh, and quality of earnings look really, really
good.
[00:39:14] Max Clark: of course. Because
[00:39:15] Kevin Thomsen: You know,
[00:39:15] Max Clark: it hits their hits. Hits their
[00:39:17] Kevin Thomsen: it's before you enter into a mature setting. So there's this, there's this middle period where there's guard down, and that's actually a major, uh, um, inflection point for, uh, companies. And, you know, there's been a lot of, like, breach data around that, that very sensitive 45 days, you know, post-acquisition. Um, another big, one of the problems was that, you know, there are a hundred-plus portfolio companies, um, with no standardization across. How do we benchmark and actually see who's doing well, who needs some help, [00:40:00] and then what's middle ground, and how well are we doing against our peers? Right? Um, so when you're looking at, you know, the, like, M&A due diligence, right?
There's quality of earnings, but you also wanna know if that company's holding a stick of dynamite. Conversely, if it's a sell side, hey, there's quality of earnings, which is always, you know, third-party audited. This is good risk. So in another world you're not gonna have to pay as much for security. So that could be a point swing on either way of maybe a less of an earn-out, or it just helps, you know, the structure of the deal.
[00:40:37] Max Clark: Of course. Yeah.
[00:40:37] Kevin Thomsen: But when you're, when you go to any private equity CISO that actually works for the HoldCo, not the PortCo, they are in Excel hell. They are managing the business through, all right, this company, right? We got a pen test over here. We have this data over here. The, you know, we're inheriting these tool sets. A lot of these [00:41:00] private equity firms don't wanna demand what you should do, because the idea of private equity is within five years, you're gonna exit the business.
So you
can't, you're not gonna sign for all these big contracts. You can give guidance, you can have certain pricing, you know, that pre-negotiated pricing, or best practices. So the idea of this individual trying to protect now someone that just joined your family, but you can't dictate what they're doing, and there's no real line, like delineation line of, like, here's what par is.
Are you over par or under par?
[00:41:35] Max Clark: And a lot of times these transactions, um, the PortCo is still gonna have their own leadership. And they, and it's, it's just like fun, like dance, where it's like, you know, okay, you're gonna do your own thing because you're kicking, you know, you're, you're, we want you to accelerate and we're gonna pour some gas on this and give you more resources to accelerate.
'cause we want to exit this thing in five years. But now you, now you, you bring up really, actually very interesting risk points, which is, [00:42:00] is it, you know, I like your phrase, is it a stick of dynamite, right? And, um. You know or not. Right. And And how do you know? Right. And it's not even just, how do you know?
It's like how do you manage that and then take that and apply that to then modeling for your entry and exit on an asset. And of course, money that has to be spent along the way changes that modeling for that entry and exit for that asset. And you know, people don't like investing in cybersecurity because it's not an ROI positive thing.
Like, it's not like, oh, sales. You know, once you have a sales motion in play, you know, if you go out and you two x
[00:42:37] Kevin Thomsen: It
[00:42:37] Max Clark: you
[00:42:37] Kevin Thomsen: operated. Yeah,
[00:42:38] Max Clark: Right. You know, like the goal of every business is to get to that point where you have really defined input output. Right. And
[00:42:43] Kevin Thomsen: correct.
[00:42:44] Max Clark: isn't defined input output for most people.
[00:42:46] Kevin Thomsen: No, and it's like, all right, well, yeah, like there's a methodology behind it. Well, what, you know, if one outta 10 get hit.
[00:42:53] Max Clark: Yeah.
[00:42:54] Kevin Thomsen: That's still good,
[00:42:55] Max Clark: Yeah.
[00:42:56] Kevin Thomsen: but when, and I'm, I'm happy that you, like, you double-[00:43:00]clicked on exactly that. We didn't even talk about the insurance or the governance. So when that CISO is managing 100 companies, a hundred-plus companies, how do you do it? Well, it's, it's whack-a-mole. But what is private equity really like? KPIs.
[00:43:21] Max Clark: Mm-hmm.
[00:43:22] Kevin Thomsen: aren't they known for
it? Militant, looking at everything, like an unbelievable, like the sharp money,
[00:43:30] Max Clark: Yeah.
[00:43:31] Kevin Thomsen: but yet the gap operationally around cybersecurity and risk is massive and it's a massive opportunity for people to level up. How do you consolidate all the insurance carriers? Do you even have insurance? Is there a set of governance questions that you want to create some sort of constant across the board to actually level set? Who's doing well? Who needs help? Who, who's really lagging behind? Do they need further investment? Does the private equity firm [00:44:00] actually hire an analyst to, you know, ride shotgun for six months at that asset to, to help get the maturity up? These are all live problems
And
you can't do that with static one-time assessments or a pen test readout.
[00:44:17] Max Clark: And more interestingly, right, because as you said, if you're exiting the asset, now you have another challenge, which is everybody wants to go out and sell to PE, to the HoldCo, to go force their solution down to a PortCo. And the PE, it's in their benefit because then they get leverage and scale and, but then the flip of it becomes you have to exit and then separate, right?
You have to like acquire and. Bring everybody into the family. I like that. But then you have to like, at some point go marry them off and send them out into the world on their own or send them off to college, right? And then everything that you do has to go and be able to sever at the same time. Uh, it it, it creates some unique challenges.
[00:44:55] Kevin Thomsen: It does. Um, but it also creates an unbelievable opportunity [00:45:00] to actually look at this risk, really cyber risk that we're talking about, but it's really business risk. I mean, I almost wanna take the word cyber completely out of, uh, you know, out of our marketing. We
might need to have you
to do that Max.
[00:45:19] Max Clark: I'm, scribbling notes here, but I, I feel like I've missed some stuff. So I wanna, I wanna review this, right? So we talk about how do you, um, quantify the asset that you're buying or selling, right? To either, and again, you're negotiating a, a, a value in a price. So what future risk do you have?
Or what reduction of risk do you actually have? Impacts that dollar amount, right? Because again, it's just risk transference. It's just, you know, who's gonna take that? Um, how do you, how do you scale that diligence? How do you then use that to then inform governance, right? And tracking, um, how do you take and then use that to improve [00:46:00] cost.
Cost, really? I mean, let's get back to it. Like, in just terms of dollars, right? You want to, you wanna displace risk onto cyber insurance, onto insurance, right? How do you reduce the cost of that displacement? And then make sure that if you actually do have an event that you're covered, that insurance is going to pay you.
[00:46:18] Kevin Thomsen: We call that the, uh, the, the probability of a successful claim.
[00:46:23] Max Clark: Okay.
[00:46:23] Kevin Thomsen: Uh, which there's a metric there, but bringing it back to the, the, the, the top of the question, um, not a shameless plug, but that's exactly what we do, which is, it all starts from your BIA. Most companies haven't run a true business impact analysis. Do you even know where the crown jewels are from a technology standpoint? Some have, you know, what's revenue dependent? Where's your sensitive data? Where's your R&D? Where are your employees spending time, et cetera. Most of the BIA you would hire an IBM or one of those big accounting firms, [00:47:00] or Charles River, you know, uh, very well-heeled organizations.
And they would come in and, you know, they would run a, a, true business impact analysis, you know, send you a PDF, collect a check. The problem is that once that PDF's saved on your hard drive, it's not usable. So it all starts around the workloads of understanding where all of your sensitive data is. What we do is that data can be living in breathing. It just traditionally hasn't been based on the way that people have addressed.
[00:47:33] Max Clark: Mm-hmm.
[00:47:34] Kevin Thomsen: Risk. So once that data comes in via API, or you have it in your Excel and, you know, we bring it in through ETL, now it's, now it's living. Now it's living in a software that you can see. Well, you have your governance, so whether it be your NIST or other, because we're actually hooked into your asset inventory and your vulnerability [00:48:00] tools, you're able to see, alright, legal says we're good, we're a NIST shop.
But in reality, the operating environment is doing very poor against the controls that you've blessed. So now you call out, well, legal and the board thinks we're a NIST shop, so we're good. We check the box, but the operating environment isn't doing that well against the controls. So there's your call-out for remediation, and then you go to the trusted advisor, or you go to your team and you actually start to triage those items. So that's like from a tactical, but your financials are updated quarterly, so that's living and breathing. But the whole idea is for an owner or a CISO to be able to log in and see the top 10 risks of the day. And if you're managing those 10 over time, the power of com-, you know, compounding interest, right?
[00:48:57] Max Clark: Yeah,
[00:48:57] Kevin Thomsen: gonna look at, that's how you actually [00:49:00] manage risk at, you
know, the best levels of cybersecurity.
[00:49:05] Max Clark: I'm, I'm laughing at the controls, right, because every industry you get NIST, SOC 2, CMMC, HIPAA, PCI, FedRAMP, you know, ITAR, like, like, you know, TPN, like there's all these acronyms. I mean,
[00:49:18] Kevin Thomsen: Yeah,
[00:49:18] Max Clark: is acronym
[00:49:19] Kevin Thomsen: there's all sorts of AI governance ones. This just came out with an AI one. Yes.
[00:49:23] Max Clark: Well, but the joke with a lot of these things are like, if you've been through a SOC 2 process and then you're going through your annual, you know, audit and attestation around it, it's like, what are the controls that you've decided to define as part of your SOC 2, you know, process? And like, is that control actually even relevant to actually improving the status of the business and the part, you know, and, and your governance?
Anyway, I don't wanna, I don't wanna sidetrack too much on that one. I mean, that'll be for another night. Um, you talk about, like, the top 10 risks. I mean, are you giving people, like, you know, risk scoring, composite scoring, or like, hey, you've got a hundred million dollar business and you've got $25 million on the line that you need to go [00:50:00] tackle?
[00:50:00] Kevin Thomsen: Yeah.
[00:50:01] Max Clark: I.
[00:50:02] Kevin Thomsen: Yes, exactly. And we break it down. So there's one already that I, I, I was just off of. They were a $300 million company. Uh, their estimated single event, their probable maximum loss was, uh, 29 million, which was about a year and change of their EBITDA. The probability of it was 21%, and they had a $5 million insurance policy. So, and then how we got to that 29 million was we break it down into the, the, the five breach types: PII or PHI, R&D, IP, source code, service disruption, uh, fines, fees and judgments, and then reputational recovery. And so, you know, based on past claims data, some other, uh, intrinsic data, and using your data, we actually are able to come up with that, that, that, uh, that figure.
And then when you want, then you can double click into it [00:51:00] and then actually see really where, what systems is your cloud
[00:51:05] Max Clark: Hmm.
[00:51:05] Kevin Thomsen: your, your automotive fleet or your business critical systems, or, you know, said system that you have. Uh, based on your business, where is the biggest liability? Via workload. And then how well are you protecting that specific? So rather than this shotgun approach of of cybersecurity, you have a sniper lock approach to where should the next dollar be spent? And that all back to being able to justify back to leadership that, hey, we assign a dollar amount if this specific workload were to be breached, and here's the actual, if it were to be breached, here's where the pain could be inflicted.
How do you guys wanna deal with it? And we're just helping we bridge that communication gap,
[00:51:54] Max Clark: I, I love this.
[00:51:54] Kevin Thomsen: which is so
[00:51:55] Max Clark: I, mean,
[00:51:55] Kevin Thomsen: good.
Yeah.
[00:51:56] Max Clark: me, you tell me $30 million, single event [00:52:00] liability, 25% chance of that. It's like, part of it's, you're like, okay, so I have a seven and a half million dollars overhang. You know, right. Like, which isn't really true. You have a one in four chance of having a $30 million overhang, right.
With $5 million of, of protection against that. And, um, that's an uncomfortable number to think, you know, like statistically to, to, to rationalize. 'cause
[00:52:25] Kevin Thomsen: But Max, I mean, I
ask everyone every call, Hey, if God forbid you were, you had an incident tomorrow morning, could you pinpoint down to the dollar what your financial exposure is? And the answer is always no. Well, why, why don't you, why don't you have that? You've, you know, you, you've had to model out every decision you've ever made for the business
You've.
[00:52:50] Max Clark: long, how long does this take to deploy? Right. You know, because that's the other thing, like there's all these, there's all these great tools. You know, the problem with Tool Mess is like, oh, let's go buy a tool. But now we have to get somebody to run the tool. And then you have to decide [00:53:00] are you hiring and training and dealing with employee churn?
Are you, are you outsourcing the tool? Right. You know, like what I mean? So 30, you know, a company with a $30 million overhang, like how long does this take to actually figure that number out?
[00:53:13] Kevin Thomsen: Whether it be a nonprofit in Boston or a major global casino, uh, you're really looking at around three hours of implementation time.
[00:53:25] Max Clark: Okay, so you're a private equity company, you've got $60 billion AUM, you've got 140 PortCos underneath of you, you know, and you're gonna go and deploy this and say within a span. I mean, you've gotta go legal
[00:53:37] Kevin Thomsen: We'll,
[00:53:37] Max Clark: everything
[00:53:37] Kevin Thomsen: I'll always say, we'll snap the line in 30 days
[00:53:42] Max Clark: Yeah.
[00:53:42] Kevin Thomsen: regardless, because if you don't have access to the data, you just ran a tabletop and you guys failed. If you do have your data together, you could get up and running in hours, but. From the point of the contract, we snap the line in 30 days and we, we want a readout.
And [00:54:00] for folks that can't get all their data in there, well that's a major problem because you just don't know where your shit is.
[00:54:06] Max Clark: Okay,
[00:54:06] Kevin Thomsen: Others, it's alright, we're good, we're clean and we're running. You know, certainly the external scans, like a, via, you know, I think would be similar to, like, a SecurityScorecard or BitSight, you
know, where you're looking at the dark web, but it's then the internal data, and a lot of folks, based on, you know, the, the rigor at said company, um, it really is garbage in, garbage out. We can, I, I'm only telling you what your data is saying, but we just meet you where you're at. There's no forced tool sets or anything. It's, we take the data from all of the, you know, the data points that we need to give you insights into, here's where you're at, and then it shepherds the conversation, here's where we should go.
And that's what people want.
[00:54:47] Max Clark: So I'm gonna, I'm gonna put this, I'm gonna say, let's say you have a, uh, 60-day sales cycle. You've got another, you know, legal, right? You've got two to three weeks in legal review. So you're within two [00:55:00] quarters for the 140 PortCos. You've got visibility into your entire financial estate from a risk score, you know, scoring standpoint, to be able to make decisions
[00:55:11] Kevin Thomsen: Yeah.
[00:55:12] Max Clark: and say, you know, this is how much of, okay.
I love that. Now,
once that happens, I wanna talk about what happens next,
[00:55:25] Kevin Thomsen: Okay,
great.
[00:55:27] Max Clark: so you've, you know, you've deployed this, you, you know, like it's, this has been a, a mandate from, you know, you know, mommy and daddy has come in, right? And said, okay, everybody has to do this, your vegetables, right? Um, and, and this, and this happens.
And then now you know, have an analyst, you have, you know, leadership, whatever that takes a look at this and says, okay, now we see for each one of these entities, what's going on
[00:55:54] Kevin Thomsen: Mm-hmm.
[00:55:55] Max Clark: what happened? What happens next?
[00:55:57] Kevin Thomsen: Well, once [00:56:00] once you look at yourself in the mirror and you actually truly see, like, raw candor, here's where we're at. Um, right now, Maxxsure has a bench of, you know, ex-Accenture, McKinsey folks that will be your analysts. It's inclusive of the, of the, of the solution. Just 'cause I can't give you your data.
Hey, here's where you're at. Good luck. Right? That's a pretty poor, pretty poor business on the roadmap. Do I want. AI to be able to be, you know, kind of your, your, your
cyber caddy. Hey, which club, which club should I hit? You know?
[00:56:38] Max Clark: Yeah.
[00:56:39] Kevin Thomsen: but right now we, we, it's a very consultative approach to, all right, if I were you, this is how I interpret the data, this is what we should be prioritizing because this is where your, you know, the crown jewels are here, are suggestions for technology processes, [00:57:00] et cetera.
And then certainly we have insurance subject matter experts that, I mean, we, we ingest your application and your policy on every deal. So we'll do a full exclusions review and see, you know, it's called the, uh, continuous cyber insurance analytics. So you're actually able to see for the first time, oh, alright, we're, we're well covered here.
But man, I didn't, I wasn't aware of these blind spots. So either you stack another policy on that to, you know, um.
[00:57:29] Max Clark: Mm-hmm.
[00:57:31] Kevin Thomsen: Cover until your next renewal or when you want to, you know, show that you've improved security and that, you know, risk your risk really well and you're able to, you know, turn the tables of the, the insurance conversation.
So it really is a journey. There's no overnight fix to that. I wish it was much faster for people to go like, it's like a Z-Pak, six days and you're good. There's no such thing in, in, in, in cyber, and not with the [00:58:00] emerging tech and all the geopolitical, you know, nation states that are using this as
the utility. it's,
terrifying.
[00:58:08] Max Clark: it's a continuous thing, right? Like
[00:58:09] Kevin Thomsen: it's,
[00:58:10] Max Clark: It is a continuous thing. But what I'm, what I'm fascinated with is, you know, going back to, like, okay, we've got an M&A target, right? You know, and, and if you're doing rollups, part of the thing with rollup is how quickly can you integrate and then create efficiencies and drive value, right?
And if know, and, and you know, part of, you know, and you're talking about due diligence and modeling, you know, part of that exercise and of course is like risk. And, you know, is there some, you know, thing that we need to know about that doesn't come up in diligence? And how do
[00:58:35] Kevin Thomsen: Right.
[00:58:36] Max Clark: this stuff faster, right?
Because, you know, are you offering three x, four x, five x? Like, how good is this business that you're buying and, you know, what does that look like? Right? On the smaller side, what's the real SDE, right? Like, all these things that, you know, come, come into play. But you know, okay, so, you know, companies bought, you know, so they integrate, they deploy and, and they take a step back and they say, okay, we thought we had everything covered.
We [00:59:00] don't have everything covered. We thought this company was doing SAT, they don't, or they were supposed to have this, or they don't. Or they, you know, like whatever it actually is, you know, usually these things are gonna give you, you know, um, we're, we're trying to align, you know, um, you know, process with gaps and risk and then what, you know, what your actual event, you know, you say, like, single event, you know, exposure is and, and, and, and find these lines.
But, but there's beyond like protecting and helping companies protect from a loss event, as you get better at all these things, you have the other side of it, which is you are spending money on, probably there is some tooling costs. It's relatively non, you know, nominal for most businesses at this point when it really comes down to tooling costs.
But you have a real cost in insurance.
[00:59:46] Kevin Thomsen: Mm-hmm.
[00:59:47] Max Clark: As you're talking about, like my, my, my brain is going like, oh wait, there's like, there's the, and, and therefore, and therefore in this case is like, what's happening to your, your cyber policies across this? I mean, if you've, if you've got $60 billion AUM, like your [01:00:00] insurance policy across this thing is usually like a percentage point, two percentage points
[01:00:06] Kevin Thomsen: Yeah,
[01:00:06] Max Clark: I mean, for everything, not just for cyber, but I, I gotta imagine that's a pretty significant number for somebody.
[01:00:11] Kevin Thomsen: It's, it's significant. And you know, the insurance. Excuse me. The insurance companies are really smart in that they, they're LPs in a lot of these funds. So they'll go to private equity, private equity, at least the top 20. They're, they, they, they play that game. And so, but when you're looking at, in aggregate, uh, insurance costs have, um, they've gone up year over year, over year, and now they've plateaued. Well, now the policies are being hollowed out. The language that you have in, there's no more broad language. You [01:01:00] know, the, the CrowdStrike incident really affected, uh, insurance. I mean, this was the kind of the summer of cyber, whether it be from United, the car dealerships, MGM, CrowdStrike, um, you see a lot of, um, carriers actually either trying to get out of cyber. We're really right at that. You know, we're only paying out 30% of the time. Like, that's the math. 70% is ours, 30% we'll pay out. We'll make it painful to pay out. But, um, when you're looking at total costs, so there's duplicate tools, great. That's, that's natural. That's the digital transformation. Looking at insurance, I think being able to have leverage to go, hey, I'm not eating that sandwich anymore,
[01:01:50] Max Clark: Mm-hmm.
[01:01:51] Kevin Thomsen: empowerment. And then when you really look at, you know, the, the, the other phase of it, which is the, the audit function. So we [01:02:00] have, uh, employees from Fidelity and Bank of America and other that, you know, and these were, you know, officer caliber folks and they said a lot of their PTSD came from audits and the amount of money that it takes, not only for readiness or the actual audit
[01:02:19] Max Clark: Mm-hmm.
[01:02:19] Kevin Thomsen: you are in Excel hell. It was a, alright, get the tiger team ready, we got two weeks, we gotta cram, we gotta get ready for the auditors. Well, if all of that is already living and breathing in a software and you're able to tag evidence to it, not sampling in the audit, it's 100%. You can give the auditors just access to said portion or said workload. They can look, they can take first round and then come back with a shortened amount of questions.
You just, I mean, we're seeing reductions in like audit costs of up to 75%, which is just [01:03:00] bonkers.
[01:03:04] Max Clark: I mean, that's a, that's a, I, you, you,
it's my background is network engineering. I joke that now really what I'm doing for most of our clients is financial engineering. Right. You know, like it's really.
[01:03:19] Kevin Thomsen: It's
an instrument.
[01:03:21] Max Clark: it's, it's the thing and, and what's, what's really very apparent when you get into that world is like the real cost of a dollar, right?
And you say, okay, you spend a dollar to invest in a tool, it lowers the earnings of the business, right? So like what's the actual value of investing that tool versus having earnings? And then what does that tool giving to you in terms of increasing leverage to, to create additional earnings? Right? And we, we talk with companies and a lot of the big risks they look at is employee productivity, right?
If you have a development team and you lose development velocity because you have some incident that like cuts that off, how does that impact the value of the business? Because you lose, you know, velocity and, pe [01:04:00] the value of a dollar is different, right? When you're talking about professional investors, you know, taking and looking at your portfolio and increasing.
EBITDA by a dollar. I'm just using a dollar. But it's really more than that, right? But it like increasing EBITDA of a dollar isn't like a one for one number. It's like if you can reduce, if you can reduce your expense by a dollar, or if you increase in revenue net, net, when you increase that number by $1, that's really worth like $10 to you.
[01:04:26] Kevin Thomsen: Yes.
[01:04:27] Max Clark: and I, and I, and so this comes into like actual financial loss, like the PE, if you have a portco with an out, you know, with a loss that's insurance doesn't cover, you know, where does that money come from? Right? Okay, well now, now you have dollars going out that you never recoup. But if you're able to position an asset to increase the value of that dollar in some way, right?
Like, it's like who cares? You, you spent a dollar, but you got seven on the back end of it, right? Like that. Like that's really fascinating to you, you know, like, think about with this because you know, decreasing your [01:05:00] total, you know, again. You know, uh, I'll just say 60 billion AUM, you know, they're not spending $600 million in insurance probably.
But like if you're, if you're saying, you know, if you can reduce your total overall insurance costs and actually increase coverage of a loss by a hundred million dollars, that's worth a billion dollars to you. Right. Like probably maybe, you know, like that's get into funny money.
[01:05:24] Kevin Thomsen: And Max. It's not like this is like brand new. It's just been piecemeal together. How can a one-time assessment do that? It can't, but yet everyone's has their annual assessment that they pay one of the big guys to do
[01:05:43] Max Clark: Mm-hmm.
[01:05:44] Kevin Thomsen: we're saying from the disruptive, just like natural, there's evolution. How do you marry together the assessment? The actual usable data from the CMDB, your governance,
[01:05:59] Max Clark: Mm-hmm.
[01:05:59] Kevin Thomsen: [01:06:00] supply chain, where in the world you're working and the financials. And as a result of that, you're just able to have better output. Insurance is one audit fatigues another. True audit cost is another, right? And you're able to
actually see, never mind challenging your MSP.
Hey, they said they're patching. Great, well, you're able to do a version spr like, well, no you're not. We have several tools that are not fully installed or why do we have 10 different versions of Chrome or WebEx or Zoom?
So it's just insight. It's getting tighter. 'cause data's better and better. It's dynamic.
And unfortunately, in cybersecurity, it's a decades old tradition to do a static readout on here's where the business is at, but that's not usable. And so if that's the one thing that is truly like the big takeaway even from this message is [01:07:00] that people are gambling, that their IT and technology is gonna get it right from a static readout versus treating this like an investor. But you're able to get up to the minute live data to make more accurate decisions
on cybersecurity budgeting,
on risk, transference on deployment of the next headcount.
[01:07:26] Max Clark: I mean, it's great. I mean, it's also not adversarial with insurance, right? Because you know, like the whole thing. You know, done. I can see how if this is done properly, right? You go to an insurance carrier and you say, Hey, we represent no risk. You're just gonna take our money for free, right? Because, I mean, you know, the insurance carrier is just trying to actually figure out how to model your risk and how much, you know, it's the same thing.
It's like, what percentage, what do I have to charge you as a financing rate in order to accept this risk?
[01:07:52] Kevin Thomsen: You nailed it.
[01:07:53] Max Clark: You know? And if you go back and you say, Hey, I can demonstrate that I've reduced this risk to you by [01:08:00] like X factor of whatever,
[01:08:02] Kevin Thomsen: Yeah.
[01:08:02] Max Clark: You know, somebody on the other side of the table's gonna be like, Hey, this is free money, right?
Like, to some point, it just, it, it changes that math a lot for
[01:08:09] Kevin Thomsen: And it's clarity on the communication, right? You're breaking down the silos of, you know, the board has a different language, it has a different language. Security has a different language, operations has a different language. Your GC has a different language. There's risks all evolve there and you have stakeholders and leaders there, but why are they, are they talking to each other as effectively and is there tools and technologies talking to each other?
[01:08:39] Max Clark: Who owns this inside of the enterprise going forward? I mean, is this, is this an IT function, a CISO function, a finance function, a legal function, a GRC function?
[01:08:47] Kevin Thomsen: Alright, so this is fun. So this gets into a little bit of my brand, but where the, the company was born through our ideal persona was the CFO [01:09:00] because we wanted to look at cyber through the eyes of financial leadership. And that was the whole thing because it was, it, this was built from a CFO that had to address, uh, insurance and cyber and they were intimidated by the topic.
So like, why can't it speak to me in my language? And that's what it was born from. I come from the partner community of trusted technologists, right? Technology consultants, big MSPs, MSPs
of the world. So a lot of their entry point is your CISO, CTO, CIO. So we, I have this overwhelming amount of deal flow, which is great.
We're blessed, we love our partners, but it's with that persona. But the product was built for this persona. So of course we've, you know, and we're doing well, but when you're looking at who really owns this, we want both folks to, [01:10:00] and that's not as easy as, um, it sounds,
[01:10:07] Max Clark: Well,
[01:10:07] Kevin Thomsen: often does the CSO really talk to the CFO? They're not best friends. Most companies. I say two out of 10 when I even ask, you know, do you talk to your CFO at least once a week? Say yes, two outta 10, which means eight folks don't have a relationship with the CFO. So when you do have to preach to the CFO, that's how you get the, Hey, I'm asking for a million and I get 50, 50 K back.
[01:10:34] Max Clark: Mm-hmm.
[01:10:35] Kevin Thomsen: 'cause, and this, we're hoping to bridge the gap between, um, this, the CFO fiduciary leadership and security because the loss numbers are material. And if you can go shoulder to shoulder on addressing risk, think how much better the actual company performs and the next dollar out of the gate is spent with accuracy, not gambling that the [01:11:00] technology guy or gal is gonna get it.
Right. That's a lot to wear on that technology shoulders. And it's not natural to them.
[01:11:07] Max Clark: So in the Maxxsure world. When, when a, when a company comes to you and is going through this process, I started out by saying like, okay, you know, intuitively we wanna be a six out of 10 in terms of protection, right?
[01:11:21] Kevin Thomsen: Right,
[01:11:21] Max Clark: get to that? Six out of 10? How so now they're getting an output that says your maximum single event cost could be this.
The percentage of that happening is, is this right? And then this is how you can address, you know, basically how you can address these numbers,
[01:11:40] Kevin Thomsen: right.
[01:11:42] Max Clark: you know, pick your program that you have deficiency in, or, you know, insurance. Um, how does that change the conversation or the viewpoint then of saying, you know, we have a perception that we have a $10 million overhang, right?
[01:12:00] It's like, let's go attack this $10 million overhang in risk. I mean, is it, is it really that simplistic at that point of saying, you know, or, or am I missing a piece of this? Mm-hmm.
[01:12:09] Kevin Thomsen: No, it's that simple. It's, it's your data speaking back to you to where you can actually tackle problems of, Hey, I don't like that. If we were to be breached, that this portion of the business is either underinsured or we don't have the right protections in it, and so we have some leakage. Now you're, you're, helping blueprint out. Where should time, energy, and effort be spent next to suture that up or transfer it or just really make the educated decision of, hey, we can't do anything about it. This is risk that we have to accept. Let's put it in the legal ledger. And you know, knock on wood that, you know, if we were to get breached or [01:13:00] an incident, this is documented and any class action or negligence will be completely expunged.
[01:13:09] Max Clark: I love this idea. I love and, and the, and here's, here's the reason why. It's, you talk about trying to connect an IT organization with a business. And anybody who's ever been through this process will go to finance and finance's like, ROI, TCO, right?
[01:13:27] Kevin Thomsen: Right,
[01:13:27] Max Clark: real metrics they can say to try to equate what it is trying to do back into the business.
They can't really provide a lot of business value outcome conversation. They're having a like, oh, it's gonna cost us as much, this is what we're currently spending, so it's better for us. Right. You
[01:13:41] Kevin Thomsen: right.
[01:13:41] Max Clark: a lot of the time the conversation and, and trying to connect those worlds together is always a fun, I mean, that's the challenge.
Like, can you demonstrate that we're producing value for the business in a way that the business actually understands it? You know, can, if you put a dollar in here, this is what you get out of it. And a [01:14:00] lot of times it's very, you know, I hate, I hate getting into ROI and TCO conversations because it just means that people don't understand what's actually going on underneath of it.
And, um, such a, it's such a great to say. Here's what this actually means to you and what you actually care about,
[01:14:20] Kevin Thomsen: Yeah,
[01:14:20] Max Clark: dollar you know, at the end of it, and this is how you change, you know, or maybe you don't change. I mean, I, you know, I, I, I, like I said, I've matured, right? Like, maybe the answer is you don't change, you're accept you, you're comfortable with what that says, but have you educated yourself to the point where you actually can make that decision
[01:14:38] Kevin Thomsen: you nailed it.
[01:14:38] Max Clark: standpoint?
[01:14:39] Kevin Thomsen: You nailed it. Yeah. It's, um, you know, again, very blessed. It's a really fun conversation to have, uh, very engaging
when you ask questions like, you know, have you ever done an exclusions review on your insurance policy? Um,
do you know.
[01:14:55] Max Clark: people answer that? Yes. Like what's the,[01:15:00]
[01:15:00] Kevin Thomsen: Summer? No, my broker will. Oh, your, so your broker has your absolute best interest at heart.
Interesting.
[01:15:05] Max Clark: Okay.
[01:15:06] Kevin Thomsen: There's no, there's no liability there, you know, so, um, it's thoughtful and we're going after a huge market segment that is right for, uh, you know, optimization. And, uh, we got a great, we got a great team.
We're, we're hiring, we're growing. It's, it's good. Life's good.
[01:15:28] Max Clark: Kevin, it's, I, I love it. Thank you very much. It's fascinating. Appreciate the time.
[01:15:33] Kevin Thomsen: Yeah.
Thank you, Max. You're a dear friend.
[01:15:35] Max Clark: it's, uh, I mean this is, this is, it's been fun to watch. I.
[01:15:39] Kevin Thomsen: Yeah. Just thank you. Thank you very much.