
Get A Grip on Cybersecurity & Cyber Insurance

This is a podcast episode titled "Get A Grip on Cybersecurity & Cyber Insurance". The episode covers the following segments:

What is one thing a business owner should do today? (01:35 min)
How to find a trusted advisor? (01:34 min)
Diagnosing your cyber posture (00:35 min)
Intersection of Cybersecurity and Cyber Insurance (01:04 min)
Cybersecurity Solutions (00:53 min)
Everyone's got a guy (01:13 min)
Motivation is compliance (00:55 min)
Apathy in cybersecurity (01:42 min)

Today's Guests

Ryan Dunn, Director of Insurance, Trava

Jim Goldman, CEO & Co-Founder, Trava

Joe Johnson, President, Ostra Cybersecurity

Jim Goldman: Well, good afternoon, everyone. This is Jim Goldman, CEO of Trava. I will be your host and moderator today. We can see that we have people joining, we're up to 25 participants already. We're going to give folks just another minute or two to log in and then we'll get started. So please stand by. And as Megan is pointing out, please feel free to use either the chat feature or the Q&A feature, that you should see at the bottom of your screen, at any point in time. I'll be compiling those and we have a schedule where hopefully we have plenty of time to allow for question and answers. We'll take just another minute to wait and then we'll get started. (Silence) Okay. Let's get started. Welcome everyone. Once again, my name is Jim Goldman, I'm CEO and co-founder of Trava Security. Welcome to today's webinar. I think you'll find it both informative and enjoyable. We have two great speakers with us today. And I'd like to introduce them at this time. Joe Johnson is CEO of Ostra. He's going to tell you a little bit more about Ostra, as well as his view of the current state of cybersecurity in just a moment. And our other panelist is Ryan Dunn, who's director of insurance here at Trava. What I'd like to do is just open up with an opening question and give each of us panelists a few minutes to just talk about their view of their respective area. Joe, would you take a few minutes and just do your best to describe the current state of cybersecurity as you see it? And then we'll ask the same question to Ryan.

Joe Johnson: Yeah, absolutely. Thanks, Jim. First of all, just a brief background on me. Like most of you out there, I'm a business owner as well. And cybersecurity is new to me as of 2019. And so I was, and still am in most of your shoes. A little context for Ostra, we do three primary things in the cybersecurity space. We do multiple layers of defensive tools. We feed all those logs into our SOC and our SIEM, think of it like an XDR. And then we've got a team of security experts to set up, maintain, and configure, as well as threat hunt and remediate. So that's my perspective of cyber over the last three years and the exposure that I've had. And so as Jim asked me to think about the state of it and then approach that and then feed it into Ryan from two perspectives. First of all, from my point of view, cyber's a new issue to most of us. As business leaders, we did not grow up learning how to deal with it, right? There were no classes on it in school. We didn't grow up building budgets and leading cybersecurity teams as part of our overall executive leadership team. In fact, many of us still have uneasy conversations with our IT leaders, just because we feel that they're so much more knowledgeable about IT than we are. But cyber's even more complex and definitely more serious. So we're still finding our way. And that's one of the biggest things that I'm seeing out in that space. But of course, cyber threats are increasing exponentially by the day and the market's trying to figure out how to support us. And I think it's confusing a lot of us out there because there's a lot of noise. And so as we see and hear and feel all of these different threats and we aren't comfortable with how to do it, because we've never grown up doing that before, we're asking ourselves a lot of questions of what do I really need and who can I trust and how do I know what is better for me?
And that's going to be a theme that you'll hear in our conversation today is helping to identify how do you handle that situation and who do you go to so that you can feel comfortable about it? And then as I try to segue this over for Ryan, I'd say that the cyber insurance space is definitely in a similar spot in that they're still trying to catch up. If you think about insurance, and it's a very old industry, it's successful when they have a lot of data, right? If cybersecurity's new, that data doesn't currently exist, their underwriters and actuarial scientists just don't have a lot of things to work off of. And it's constantly changing. What was a risk threat and profile five years ago looks totally different today. And the clients or the businesses that they're protecting are still trying to get caught up. No knock on anyone who's out there, they're doing the best that they can, but the things that we see are they're asking the wrong questions, right? If you filled out that insurance application and the questions that they're asking, doesn't really tell you if these are the right things to do to make sure that you have a better risk profile or not. They're just throwing everything they can against the wall. And then unfortunately the people that are answering it, and I don't know if you've ever had to sit and answer those insurance applications, you read through that thing and you're like, I don't know. I think so. Maybe. I'm not even sure what that means. And so you have a lot of people that, no knock on them, might not be qualified to answer it because the questions are just too technical or might not even apply to the business. So oftentimes they're submitting applications with inaccurate information. And then once they're submitted, I don't think anybody's validating that information to say if it's true or not, like, do you have 2FA? Well, one is anyone validating if that's true or not? And 2FA on what? What do you mean by that? 
2FA means a lot more than just a simple, do you have it, yes or no? And so, as a result, we're trying to assess a risk profile, but we don't know how to do it. And the information we get back is not good. So what do you think is going to happen? The result is massive increasing claims and who's left to put the bill and nobody's happy. Ryan, I don't know, turn it over to you.

Ryan Dunn: Yeah. Joe, you stole my thunder on the last point. No, I'm playing with you. But absolutely. I'll give you a little background on myself and just build off of what Joe said, because what he said is absolutely correct. And I'm sure it's something that everybody on this call has some knowledge of or is experiencing those problems. In my prior life, I was a property and casualty insurance agent. So I serviced businesses, mostly specialized in the tech E&O and cyber insurance lines. And the writing was on the wall when I was an agent. And the problems are even worse than they were, it was just a year ago that I was an agent. They're even worse now. But to build off of what Joe said, nobody is happy in this landscape that we're in, right? The business owner is dealing with insane premium increases, after having, most of them, no losses. And the insurance agent is not happy with requirements being pushed down by carriers and them having to try to relay that information to their client. That value proposition and that trust is being broken now. A lot of the times, the agents are uncomfortable relaying that information. Because they're not specializing in it, they're not a cybersecurity expert, right? You have clients and agents not happy. And then you have the carriers that aren't happy, because, like Joe alluded to, they're throwing darts against a wall blindfolded right now. Some of them have been trying to use actuarial tables. And we all know that that's an impossible way to predict a loss on the cyber insurance side. And so they're really just asking, "Hey, do you have these controls? Hey, do you have MFA? Do you have EDR?" Just basically saying, okay, if they have these, there's a good chance that they're not a bad risk. That's basically the conclusion that they're getting to. And then I'll go back again to the client side of things and that application that Joe talked about.
Those 14 page applications, it's getting down to the point where clients are starting not to purchase cyber insurance because it's such a pain to at least get a quote. And if they get a quote, it's astronomical in price compared to what they're used to. And so that's really the landscape. And as we keep on going through this panel discussion, we'll dig down deeper into what are the causes of that and what's the path forward from here? How can we create a better environment for business owners and all?

Jim Goldman: Well, thank you, Joe and Ryan, that's an excellent opening, albeit somewhat depressing and perhaps overwhelming. A couple of the points that I wrote down, one, as Joe said, cyber threats are increasing exponentially by the day. Two, the past is not a predictor of the future. And therefore, the conclusion is, in fact, there are no actuarial tables for zero day threats. And so it's this whole new of having to look at both cybersecurity and cyber insurance and the intersection of the two. The next question for the panel is, okay, so given the current state, which I thought you both did an outstanding job of describing, this might seem overwhelming with no clear path forward for the average business owner. What do you see as the most practical, single thing, or maybe a couple of things, that a business owner could or should do today? Let's be very specific about what some of the people attending the webinar today should do today in regards to cybersecurity, in the case of Joe, and then cyber insurance, in the case of Ryan.

Joe Johnson: Yeah. Thanks Jim. I think it does sound doom and gloom if you're looking at it from a reactionary standpoint, right? Because then it's already too late. I think the great business owners out there know that if you start with the strategic plan and you execute your plan, you're usually going to be in pretty good shape. The way I would describe it is good hygiene, right? Most of us don't have the experience or the knowledge or the expertise to figure this out. So the first thing I recommend is find a trusted advisor. Find somebody who you can go to, that's an expert in this space, that's interested in protecting your organization, not just driving sales for their organization. And the first two things that you want to do with that trusted advisor, because they're the experts, are, do a complete assessment and really understand what you're working with. What's in good shape and what's not. And use that and turn that to a strategic plan from a security posture standpoint. And just ask them some basic questions. What's our current state? What's our future state? And how do we get there? And as business leaders, we've grown up learning how to assess what good answers look like and what crappy answers look like. And listen for unbiased objective answers that are specific. And then incorporate reasonable solutions.

Ryan Dunn: Yeah. And speaking on that trusted advisor thing, we do talk about insurance agents as most of them don't specialize in cybersecurity. But there are some out there that do. There are some out there that have put in the work to specialize in this field. If you are a business owner and you are looking to risk transfer over to a cyber insurance policy, I would definitely be looking for an advisor, specifically that focuses on the cyber insurance space. And there's ways that you can find them, right? It's a simple question that you would be using to vet anybody, right? How many cyber insurance policies have they written this year? Right? Questions like that, get an understanding of who they're working with. And also, the insurance advisor should be painting a landscape for you for the future. "Hey, this is where you are. These are the things that are coming down the pipeline. And this is where the premium is going." You really want that advisor to be setting expectations appropriately. And that alone will tell you that they have a pulse on the market and that they're paying attention and that they're going to find the best markets, or the best price at the best coverage for you. If there's any insurance agents on here, I would highly, highly suggest looping in the client's internal IT staff or MSP, and even the MSSP and having a collaborative discussion rather than trying to be the expert in everything. I think that would make for a very helpful and healthy path forward for that renewal and for any renewals coming up.

Jim Goldman: That's great. Well, thank you, Joe and Ryan. The theme that I heard across both of your answers was the notion of the need for a trusted advisor. And the example I sometimes use in regards to cybersecurity to illustrate it, because for whatever reason, it seems like assessment is skipped and business owners, due to marketing or whatever else, buy this security tool or that security tool, et cetera. And so the analogy I often use is if your car had a problem, would you pull into the nearest auto parts store, grab a shopping cart and just start buying some random parts from the auto parts store, without knowing what's wrong with your car? Well, it's no different with your cybersecurity program. Don't go start buying, in this case, parts, right? Don't go buying a random selection of security tools and expect that's going to give you a comprehensive cybersecurity program, if you don't have an assessment done beforehand. Thank you guys for that very much. The trusted advisor, that's obviously a good next step. Let's move forward a little bit. We've talked about the current state. We've talked about, in practical terms, what's one thing that the folks on the call could do to get started. Let's just almost wax philosophic a little bit here and think about what does the future hold? For each of you, and maybe take a little bit longer, because I know this is a more complicated answer, what's your vision for how cybersecurity individually, cyber insurance individually, and then how cybersecurity and cyber insurance from a combined standpoint, what do you see things looking like? How can cybersecurity and cyber insurance actually start to come together in the future? Maybe we'll reverse it, maybe Ryan, you can go first this time and then we'll get Joe's perspective.

Ryan Dunn: Yeah. Like I was stating in the last point, I might keep this one brief because I think Joe and I have some pretty strong opinions as to where it's going. But what I had talked about previously was having an agent talk with an MSP, right? Or your internal IT staff. Where I truly see cybersecurity and cyber insurance moving is a completely more collaborative experience rather than having it completely segmented. And the result of that could be outstanding. I personally see, within two years, three years, we'll say three years, that insurance applications for cyber will be obsolete. Because you will have the ability to assess a company's vulnerability structure or any security vulnerabilities, through scans. The MSP or the internal IT staff will already have the security controls documented. And so from there, if you just make it a more transparent environment to the insurance carrier or through your broker, where is the need for the application, if all that information is verifiable? That's a hell of a lot better than where we are right now. Joe, I don't know if you concur with that or if you disagree, if you think that's too aggressive, but anyways, I'd love your-

Joe Johnson: I agree with you. Technology will allow us to get that critical information to the people that do the underwriting, right? Take that homework off of the CFO's desk or the IT director's desk to answer those questions and actually go validate it. There's still going to be some things in place that you are going to need to manually verify, such as policies and procedures and are they in place and are they in practice? But I also believe that the more organizations that are going to be held to certain different certifications, that's going to be a third party certification that will also help validate, someone just has to verify that those things are in place. I think we're going to see great progress when mid-market and below businesses feel more comfortable understanding their risk profile and start to put more consistent things in place. Once we start to see more consistent behavior on the front end of preventative work, and that starts to drive a decrease in frequency and severity of claims, we are now going to be able to give that information to the underwriters, to truly assess and create those actuarial tables as to what it's going to be. It's just going to take time because the market and the industry hasn't evolved that we have a critical mass of people doing consistent things to infer any type of analysis or output from it. I mean, it's really interesting, a lot of times people are taking action because someone's pushing them into that direction. "I need a cyber liability cert so I can do business with this client." Well, that's why they're getting it. But would you go on vacation and leave your front door open because you got insurance on your home? No, you still got to do the preventative measures. We just haven't figured that part out yet, as a mid-market and below because it's a new topic for us. We're learning. Right? Which is fine, we just have to accelerate that learning curve.
And I just don't want more businesses to get hurt along the way. It's a painful lesson to learn.

Ryan Dunn: ...It's a hell of a learning curve. What Jim said earlier in the segment, right now, it's like going to an auto parts store and just buying a bunch of stuff. Right? You're just grabbing stuff. And I feel like a lot of business owners that are on this right now probably have that sentiment regarding cybersecurity and cyber insurance. It's like, "I keep on buying all this stuff. My guy keeps telling me, I need this. I need that. Every year it's a new product that I need." I would feel, I mean, Joe better than me, you're a business owner. I'd feel like empty handed, I'd be like, "What do you mean I need another thing? I just invested $50,000 into all this work, all these tools and I'm still left with a bill."

Joe Johnson: Yeah. It's frustrating and it's overwhelming, especially because you're putting a lot of trust into somebody else's hands. And that's why I think finding somebody that has that holistic view of your entire cybersecurity posture, that doesn't just benefit from a point based solution, but looks at you all the way from, "Hey, I'm going to help you do your assessment," to, "We're going to have an incident response plan in place." And everything in between and consult you on it. But it's incredibly frustrating to go invest money in this point based solution or that point based solution, and then be told, "Oh, that's not good enough. You need another one. Or that one's not good anymore because the market's passed them and now you need to put something else in place." So flexibility is key. And where the budgeting ends? I have no idea because it feels as if you can spend endless money on cybersecurity solutions. But eventually there's going to be consistent approaches that say, "Regardless of what your position is and your point based solution, a good solution encompasses these things." And that's what a really strong advisor will tell you, a vCISO, because most people don't need a full on chief information security officer. But they don't know what the specific point based solution might be, but they do know what the components of a healthy meal are or what a well running vehicle looks like, right? And then they'll help guide you and say, "Go to the shelf and look at these two or three. And here's the pros and cons of them." But that's the type of person that people are going to want to find to help them navigate that space so that they don't wake up six months from now and be like, "What do you mean I have to go now do this?" There's a long plan that they've put in place, that fits your budget, that helps take care of the more serious stuff first. And then you tackle the rest later and you're consistently staying on track.

Ryan Dunn: Yeah. I hate to plug Ostra right now-

Joe Johnson: Oh, go ahead.

Ryan Dunn: ...but I know that you guys do a phenomenal job on that flexibility standpoint and making companies able to be more malleable to that situation of, if a certain product is out of date, that they've been overrun by the market, Ostra gives them that ability to improve upon that, right, without having to reinvest into stuff. Another point about the future of where cyber insurance and cybersecurity is going, I always say, and I know your team over at Ostra repeats the same sentiment, that everybody has a guy named John or somebody they've been working with for 20 years, that's been their IT guy, right? Who's always controlled their IT stuff, like, "Oh no, we got a guy. We have somebody, we're good." Right? But in reality, nobody's been checking on that, right? Nobody's been auditing what they've been doing really. I mean, especially for the small businesses, what CEO or CFO really has the time, other than to make sure that the balance sheet checks out for the investment, really has the time to validate what they're doing is the right path, right? And so I know that your team always talks about keeping the IT and the security in two different departments. Right? And then I have one extra layer to add to that, and that is the role of the insurance advisor should also have a tool or something that could help validate what the MSP is doing as well. And so that extra layer could help prevent that business owner from feeling like they keep on investing in stuff and they just don't see any type of return. I really think that could help with that.

Jim Goldman: I feel like I'm hearing a theme here. I wrote down a few words as you folks were talking about that. I wrote down compliance, documentation, third party certification, auditing, validation. Maybe starting with Joe again, because I think probably there's several folks on the call that don't quite understand the difference between security and compliance. Or security and this certification or that certification. Maybe give just your own opinion of how does compliance fit into all of this versus security?

Joe Johnson: It's interesting, compliance is probably a reason that a lot of businesses are actually doing some healthy security practices right now. Most of the early adopters in this space were in financial services in healthcare because the government required them to meet certain regulations. Right?

Jim Goldman: Right.

Joe Johnson: And some of those regulations are around how you're structured. Some are around process and policies and you name it. And so cyber insurance is part of that, the assessment's part of it, having an incident response plan is part of it. So much of what a healthy cybersecurity posture looks like helps you satisfy your regulations and meet compliance or gain certain third party certifications. And so those actually are really helpful. So there's some of them that are more robust than others. But we're even starting to see more large Fortune 500 ecosystems doing vendor risk assessments. And they're holding their vendors and suppliers to certain compliance standards. All of these things where, to compete in a certain space and to be successful there, you have to meet certain certifications and have certain compliance things in place, all are pointing towards a strong cybersecurity posture on the front end. Right? So as much as we'd prefer people just did it because it's what's good for them, it's almost as if, I don't know about you guys, but I'm not always the best at flossing my teeth, but definitely four to six weeks out before I go to the dentist, I start flossing. Right? Because somebody's holding me accountable to doing that. And that's what these certifications and regulations are doing in other industries. And I only see that continuing to grow. And while it might start to become cumbersome and burdensome for others, it is going to do a good thing of creating more of an adoption of the right practices.

Ryan Dunn: Yeah. And we're definitely-

Jim Goldman: Ryan, go ahead. How do you see compliance or third party certification having an effect on cyber insurance, if at all?

Ryan Dunn: ...Yeah. I mean from the cyber insurance standpoint, I'm sure everybody on this call right now is experiencing it, but we're starting to see compliance push down from an insurance standpoint. Right? If you don't have MFA, you're an automatic decline, you can't get coverage anywhere. Now they're implementing EDR. Right? And I completely agree with Joe's... what he was saying about how compliance drives people to... I mean, it holds them accountable. It drives them to have better security measures. And truthfully, I don't think we as just an ecosystem of small business, medium size businesses have done a great job of trying to get a hold of it. It's been in the rear view mirror, even so in the past five years. And so although I see sometimes compliance being problematic, sometimes, from the insurance side, I still, in the end, it's still better for the overall ecosystem, as long as we want to keep on doing business online and I don't see that going anywhere.

Jim Goldman: Yeah, I think it's a matter of perspective. I mean, as Joe properly pointed out, a lot of the motivation for some business owners for compliance is they're being told by their customers or their potential customers, "We love your product. We'd love to do business with you, but you have to be..." fill in the blank, SOC 2 compliant, ISO compliant, CMMC compliant, et cetera. And so that becomes a sole focus. Just give me the paper, I need that certification paper, whatever it takes. It's not that I'm trying to develop a comprehensive cybersecurity program. So that's backwards and somewhat unfortunate. Does it make them more secure than they would've been otherwise? Probably. But it's missing the point. Right? And so I think we all agree that ideally we'd like the risk assessment and the cybersecurity program development based on that risk assessment to come first and compliance to come afterwards. Another theme that I heard both of you hinting at there in terms of the future is just the notion of continuous. In other words, continuous monitoring for security's sake, continuous compliance monitoring for cyber insurance's sake. Right? Sometimes we refer to this somewhat tongue in cheek as telematics for cyber. On the insurance side, it's not unlike what's being done in the automotive insurance industry where, if you're willing to plug this little gizmo into your computer point in your car, we'll watch your driving habits and consider reducing your rates over time. Maybe just talk about that notion of continuous monitoring. I know this is a subject that's near and dear to your heart, Joe, from the security side. And then maybe, Ryan, talk about, if you look in your crystal ball, what do you think the role of continuous monitoring in cyber insurance might be in the future?

Joe Johnson: Yeah, I discussed this a decent amount, that front end application and questionnaire and approval, and even that assessment is a point in time. Right? And it only means that at that point in time, were you satisfying a certain risk profile? But there are certain things that you can do to make sure that those blinky lights are on and that things are doing what they're supposed to be doing, day in and day out. And as a business leader, I want to make sure that I didn't just pass my test on April 1st, but I want to make sure that my company is 24/7, actually protected and not at risk. And if I were an underwriter, I'd want to make sure that's the case too, because, man, as soon as your guard's down, those bad guys, they're just waiting to leap and pounce at you and you have to have that constant and continuous approach. And I think more and more people are starting to do that. I mean, we're definitely seeing a trend where the growth of MDR services is skyrocketing, right? And that might be directly tied to what the cyber insurance is looking for. Can we detect something so that we can quickly respond and reduce the severity of the impact of it? Well, I think that there's a more important thing than being able to detect it, but maybe trying to keep those people out. And so that might be the evolution of where things are going. But we are seeing more and more people doing the constant detection out there so that they can respond more quickly, which is better than nothing.

Ryan Dunn: Yeah.

Joe Johnson: It's progress.

Ryan Dunn: Yeah. It definitely is progress. And it's going to be the new and true thing in cyber insurance. Every single year, carriers are rolling out something new, right? Two years ago was MFA. Then they made it mandatory last year. And then some of them started to implement the EDR aspect as well. And this year coming out is the continuous monitoring thing. So everybody on this call that has a cyber insurance policy, make sure that you are reviewing with your agent. There's going to be a few carriers releasing new endorsements on your policies, enforcing a continuous monitoring or cancellation clause, which will say, "Hey, we found these three vulnerabilities. If you don't fix these three vulnerabilities in 45 days, your policy is canceled." And so definitely keep an eye out for that. That is 100% coming down the pipeline from a continuous monitoring standpoint. And what they're trying to do is they're trying to, like Joe is saying, is if there is a problem, they're trying to catch it in time to decrease severity. Because right now, they're not doing that. The response to cyber claims is what's driving costs and it's too slow. They're trying to get a better grip on that severity portion, right, with that continuous monitoring. But I promise you, next year, there's still going to be claims and we're still going to see this 100% increase in premiums next year. Nobody's going to be happy and there's going to be a whole new toy out there that insurance carriers are going to be releasing. And it's just, they're going to keep on throwing darts until something sticks. Right? It's the only thing that they can do.

Joe Johnson: The reason that they're slow is because they say things like, "Hey, we found these three vulnerabilities and I need you to fix them in 45 days." That made me CR because you want to know what? The bad guys have already found those vulnerabilities and they're not waiting 45 days. You have to respond way faster than that.

Ryan Dunn: Absolutely. Yeah, man. I feel for them though, because they want to be competitive in the market. Right? If you're to choose as a business owner, you're like, "Okay, my policy's going to cancel if I react in 45 days. Or my policy's going to cancel if I don't react in one day." Right?

Joe Johnson: Yeah. I understand.

Ryan Dunn: And they're going to be like, "Well, I [crosstalk] 45 days." Right? I completely feel for them, why they selected 45 days. But I'm with you, from our perspective, that is just not okay. And that doesn't do anything, it doesn't move the needle. It's a virtue signaling of insurance carriers.

Joe Johnson: Progress.

Jim Goldman: Ryan, you mentioned the word endorsements. And for the benefit of at least some of the people on the call that maybe don't understand the intricacies of cyber insurance, without turning this into a whole tutorial on it, maybe just explain how cyber insurance is maybe different from other, more comprehensive, standardized types of insurance that they may be more familiar with. And that all cyber insurance policies are not created equal. And that they really ought to understand what's covered and what's not covered. And that in fact there are these options that are called endorsements.

Ryan Dunn: Yeah, absolutely. I mean the ones that you'd be most familiar with, if we look at it compared to personal lines, you can look at your auto, your home insurance. On the commercial side, if you were to compare it to property policies. Your auto insurance is completely commoditized, right? What you get is what you pay for and there's really, there's no differences in policy forms and how they'll react. And so if you're looking at cyber insurance, the way I always put it is the first two pages give you the coverage and the rest of the 135 pages take away coverage. Right? Just keep that in mind, whenever you're reviewing the coverages and you're thinking about price and you're like, "Well, I have all the same coverages for if you're..." There's no apples to apples, "I have all the same coverages and this one's lower in price, so I'm going to go with that one." Well, that may not be the case, right? There could be a carve-back endorsement. And a carve-back endorsement is, say on the dec page, it gives you the coverage. Well, on page 78, it's taken it right back from a, let's just say bodily injury. Right? If you have bodily injury coverage, and then page 78, it says bodily injury coverage is excluded. So be very mindful of that and make sure you're walking through that with your agent. It's the same, compare it to property insurance. In Florida, they pay attention a lot to hurricanes, right? So you pay attention to your wind deductible and that's pretty much it. Right? In cyber insurance [crosstalk]-

Jim Goldman: Ryan, talk a little bit about just a few examples of the endorsements that wouldn't necessarily be included by default. For instance, folks on the call may take for granted that they've got coverage for social engineering fraud or ACH fraud, but that may not be the case, right?

Ryan Dunn: ...Yeah. It's definitely industry based. But those endorsements can come in the form of contingent business income, right, is a good example. You have business interruption, which is if your product doesn't... it fails to perform, right, and you're not making any money. Right? But what if you're causing your clients to not make money, right? That's contingent business income. That's just a good example of something to pay attention to.

Jim Goldman: Okay, great. Well, we're coming up on time for questions and answers. So if there's folks out there that have questions, please put them in the chat or the Q&A box. Maybe let's turn it a little bit more towards the solution side. And Joe, take a few minutes and talk about Ostra and the market you're trying to go after, which is the business owners we're talking to today, and really how your product fits perfectly into trying to solve this problem that we've been describing here.

Joe Johnson: Yeah. We were built specifically for mid-market and below. Because we knew what the Fortune 500 companies did. We knew the resources that they had to build the best cybersecurity solutions out there. And we knew that just wasn't available to mid-market and below, right? You have to be able to have great tools that do a good job. I'm not talking consumer grade tools off the shelf at Best Buy. These need to be enterprise tools. And there's a fundamental difference in the caliber of what they have. And then you have to be able to pull all of these different tools, point-based solutions, and get them to work together and talk together. And that's a pretty big undertaking, not only financially getting these organizations to even want to engage with you because of your size, but then also the expertise to actually figure out a way to make that work. And then of course, right, we choose that first because those are the preventative layers. We put multiple layers of defense up, makes it harder for the bad guy to get through. Nothing's 100%, but if you've got multiple layers, you're in a pretty good spot. Then of course, we got to constantly monitor it. We run all of those logs through our SOC and our SIEM, we correlate the data, we slice it and dice it. And then we feed it with the world's best threat intelligence. We have people constantly threat hunting. The cool thing that I think we can do with the way we set it up is we can actually go in and remediate. So if we see something that's a concern, we don't just send an alert over to our clients and tell them, "Hey, go figure it out, go check out Jim's computer. We saw something fishy." We actually go in and look at it and take care of it. And Jim doesn't even know, he's just doing his work. And then obviously, most of these organizations don't have cybersecurity resources and expertise and people to set up and maintain and configure it and threat hunt and remediate.
So we figured, "Hey, why don't we just build a complete off the shelf, out of the box solution that looks like an outsourced cybersecurity solution, that's accessible and affordable for mid-market and below. So they don't have to go out and figure out all these different things. They can just plug us in, set it, forget it and move on." And that was it. The small, medium business owner has so many other things to worry about, we wanted to make it easy and simplify it for them.

Jim Goldman: That's such a great point, Joe. It's so easy to get sucked into the mistaken notion that, "Well, I can afford to buy that tool. And I'm smart enough to install that tool." The tool is not the problem. It's the tool results and deciding what do I do now? That's the problem. That's where the value add comes in. We've had a question come in that says, "You indicated that you need to do a risk assessment. How do we determine what something like that'll cost?" It goes back to, and I'd like each of our panelists to give their perspective, but in my opinion, it goes back to what Joe said initially, find a trusted advisor. That trusted advisor, two things. One is, they should be doing that risk assessment against an industry standard framework. What we mean by that is there are industry standard frameworks, couple of the better known ones are the NIST, National Institute of Standards and Technology's Cybersecurity Framework, usually referred to as the NIST CSF, 23 or so different control families. I think it's 108 different controls. Or another very popular one that we use here at Trava, in addition to the NIST one, there's something called the CIS version eight, the Center for Internet Security version eight. It shouldn't be Joe's frame... no offense, Joe. It shouldn't be John's framework. It should be an industry standard framework. And they should be able to tell you, if they've done it enough, if they get the proper automation and the tools and the platforms and so forth, they ought to be able to give you pretty much a flat price for doing that. It's not a big customized time and materials thing. At Trava, we do that on a very repeatable, automated basis. It's not a big deal.

Joe Johnson: Yeah. There are different sizes and flavors as to what type of assessment you want to get. And all of them should be able to tell you how much it's going to cost and what depth and breadth you're going to get with it.

Jim Goldman: Right.

Joe Johnson: A good analogy would be, you can do your annual physical and maybe you don't even get lab work done. Right?

Jim Goldman: Right.

Joe Johnson: Well, how much confidence do you have that the doctor feels good, that they know what's really going on? And all the way up the other end of the extreme is you can go to Mayo Clinic and do a two day overview physical, and they're going to inside, outside, top to bottom, and you're going to feel really good walking out of there that they gave you that full assessment. And there's everything in between.

Jim Goldman: But back to the point you were making earlier about the tool. You do the assessment, but what's the actionable data? What's the nature of the output that says, "Okay, what do I do about it?" It's one thing to say, "Here's everything that's wrong with you." It's another thing to give you something that says... And I always go back to, what do I do today? Give me one step that I start on. And again, here at Trava, we not only put together the baseline cyber risk assessment, but also give you something called a risk register and a risk mitigation roadmap. So it's like, here's your top risks and here's what we think the basic steps are to mitigate each of those risks. Those are the kinds of questions you should ask, that's what you want to be looking for.

Joe Johnson: Absolutely. You're not going to score perfectly on those assessments.

Jim Goldman: Correct.

Joe Johnson: And then it's finding that really good third party, ideally a vCISO, that can help you take your assessment, analyze it and turn that into an action plan, based on priority and impact.

Jim Goldman: Okay, great. Great.

Ryan Dunn: Yeah. I'd actually like to add to that, Jim, because-

Jim Goldman: Please.

Ryan Dunn: ...when you talk about risk assessment, insurance is a piece of that, right? How your insurance policy will respond if an incident happens is part of your risk. And so, I mean, that part of your risk assessment wouldn't cost anything, right? Any agent that wants your business, or is your current agent, should already be doing that for you, explaining to you every coverage that you have, every coverage that you don't have.

Jim Goldman: That's a very good point. Yeah. A free analysis of your cyber insurance coverage is really table stakes.

Ryan Dunn: Absolutely.

Jim Goldman: That's very good. We're coming to the end here. I would just like to open it up, Joe or Ryan, any closing comments? And we'll just see if we get any more questions coming in and then we'll wrap it up.

Ryan Dunn: I don't have anything in particular from a closing standpoint, other than I really hope people learned something from this and found the time valuable. I understand that this space can be a little bit cumbersome, but like we said, and we've talked about many times, if you have the right people on your team, they'll help you navigate this appropriately. Just be very mindful about who's advising you through this whole landscape.

Jim Goldman: Great. And Joe, how about you?

Joe Johnson: Yeah. I'll leave with two things. We talked a little bit about, a lot of times we'll talk to business owners and the biggest challenge is apathy. They don't think that they're at risk. Or they take action because somebody's requiring them to take action. Or they'll tell me that, "Nobody wants my data. I don't have anything to worry about here." The one thing that is getting people's attention is ransomware, right? And so I think if they understand what ransomware is and the impact that ransomware has on their business and their business operations, because as business owners, that's tangible, I can't operate my business, I can't collect money, I can't pay money, I can't communicate with my clients. And then all the downstream impacts of that, most importantly to many is reputational risk. I think understanding ransomware is going to cause cyber to be more of a relevant concern for these businesses. And as much as I don't like ransomware, if it catches the attention and causes people to take action, that's great. And then it's overwhelming. A lot of the business owners I talk to, they're up at night because they don't know where to go and what to do. And so think about this journey in cybersecurity as really four main stages. The first one, I would say is learning your environment. And that's where you do your assessment. Your second stage is developing that plan, right? Work with that vCISO. Put together training for your employees. Draft your policies and procedures. And then execute on that plan, put your defenses up, put the solutions in place and the services and all these different things and make sure that they're working continuously. But then hope for the best, prepare for the worst, prepare for an event. Right?

Jim Goldman: Right.

Joe Johnson: Just because you're doing all these things, doesn't mean it won't happen. Hopefully it does. But put an incident response plan in place, make sure that you're doing your penetration testing. Make sure you've got a strong cyber insurance policy and you actually know what it means and what happens and what doesn't. Understand what are the approved vendors from your carriers, if you do have an incident. And make sure that all that is on paper and in writing. And don't save it on your computer. Because if you have a ransomware event, guess what you can't go access? Your digital files.

Jim Goldman: Excellent. And one other point to just elaborate on ransomware. Ransomware is nondiscriminatory. Ransomware cyber criminals do not just go after enterprises or governments. They go after anybody and everybody. They go after health systems and hospitals and small doctors' practices and small manufacturers.

Joe Johnson: Yeah. It's not cool to shut down a hospital so they can't process patients.

Jim Goldman: But they do it. Yeah.

Joe Johnson: I know. These people are sick.

Ryan Dunn: Yeah. That is sick.

Jim Goldman: Okay everybody, we greatly thank you for your time. We hope you found this both somewhat enjoyable and informative. We have dropped a summary PDF in the chat, but we'll also be emailing it out, along with a replay recording link after the webinar. And please visit Ostra.net or TravaSecurity.com to learn more about the services and speak with a team member. We greatly appreciate your time. Have a great day.