Demystifying Cybersecurity & Cyber Insurance for SMBs
Megan: Let's see. All right. Hi everybody. Thank you. We're just going to wait a couple of minutes for a few more people to get signed in and join. And then we're going to get started. So, just give us a couple of minutes and we'll get going here.
Jim Goldman: Hi, everybody.
Ryan Dunn: Hey, Jim.
Jim Goldman: Are we going to be on camera? Is my camera angle good?
Ryan Dunn: Yep.
Megan: You look great, Jim.
Jim Goldman: Thank you.
Ryan Dunn: We're rock and rolling right now.
Megan: All right, everybody. We can go ahead and get started with demystifying cybersecurity and cyber insurance for SMBs. We have our panelist, Jim Goldman, here, or our moderator, Jim Goldman. And then from Trava, he's our co-founder and CEO. And we have Dan Wilford, who's the Chief Information Security Officer from Blue Team Alpha. And then Ryan Dunn, the Director of Insurance from Trava as well, who will be joining us and talking through all of these exciting topics today during our panel discussion. I am going to go off camera, but know that I'm here and checking out the chat. So, if you have any questions, feel free to drop them below in the chat or in the Q&A section as well. And we'll work through those questions throughout the time here. But I will kick it over to you, Jim, and we can get started.
Jim Goldman: Thanks so much, Megan. Well, welcome everybody. On behalf of Blue Team Alpha and Trava, we are thrilled to be here today to talk about demystifying cybersecurity and cyber insurance for SMBs. Those two topics may sound like they're kind of unrelated, or opposite ends of the spectrum, or from two totally different industries. And what we hope today that you'll get is that they're actually quite integrated. And in fact, you can't do one without the other. We're going to try to make it understandable. And before we get into the objectives for the seminar, I want to just tell a little bit about myself, and then have our two panelists introduce themselves as well. As Megan said, I'm Jim Goldman. I'm CEO, co-founder of Trava. Real briefly, in terms of my career, 20 years as a Purdue professor, started the network engineering degree program, started the cyber forensics program, went to the FBI and was a lead cyber investigator in the FBI Cyber Crime Task Force, both criminal and national security cyber squads. And then went back to industry, Exact Target, which became the Salesforce marketing cloud. Finished up my career by starting the security governance risk management and compliance organization at Salesforce for all Salesforce globally. And then we founded Trava. Dan?
Dan Wilford: Hello everyone. This is Dan Wilford, CISO of Blue Team Alpha. I retired Air Force Cyber Command. And then I was looking for ways to work from home for the first time in my career. And I found this great little company called Blue Team Alpha. And basically, we provide cybersecurity services to all 16 critical sectors in the United States. And our goal is to be America's Blue Team.
Jim Goldman: Great. Thank you, Dan. And welcome. And Ryan?
Ryan Dunn: Hey, guys. Ryan Dunn, Director of Insurance here at Trava. I have not been in the FBI or the Air Force. But prior to Trava, I was an insurance agent that primarily focused on cyber risks, cyber and tech risk. And as an agent, servicing businesses and business owners. A big problem I continued to see was people were struggling to obtain cyber insurance and obtain proper cyber insurance. There was applications were getting longer, premiums were increasing, and coverage was starting to be taken away. So, that's why I joined Trava's mission in trying to tackle this problem. So, we're excited to share with you information about demystifying this whole sector when it comes to cybersecurity and cyber insurance. Because as we all know, it's not the most exciting topic as a business owner. However, it is extremely important in your ability to operate and continue to make money for your business. So, [inaudible]
Jim Goldman: Continued to stay in the business.
Ryan Dunn: Yeah, exactly. So, extremely excited to share with you some knowledge. And hopefully, that you leave this and you feel more comfortable around this topic.
Jim Goldman: Well, thanks Ryan. And I can't think of two better qualified individuals to talk about these two topics. So real briefly, let me go over the objectives for the webinar, so those that are listening can anticipate what we expect them to get out of it, and then can evaluate the effectiveness of the webinar based on these objectives. So, first of all, we'll hope that you'll understand the difference between cybersecurity and compliance, and their relationship to cyber insurance. So, there's three key terms, cybersecurity, compliance, cyber insurance. Secondly, we hope that you'll understand the best approach to starting a cybersecurity program. So, it's not just conceptual, but we're trying to leave you with some actual action items, next steps, processes, that type of thing. And then finally, we hope that you'll understand the basics of cyber insurance and how to know what's the right cyber insurance for your business. So, those are our three objectives. And so with that, I'd like to start with an opening question to each of you. And the question is this, could you please for your particular area, in your case, Dan, the current state of cybersecurity, and then in your case, Ryan, the current state of cyber insurance? So, let's take about five minutes each. I'll watch the clock. And Dan, you're up.
Dan Wilford: Yeah. So, something that I've been working on a lot lately is understanding the entire environment from beginning to end. What are organizations? What are American companies dealing with? And what are their concerns? What are the regulations? What are the different frameworks? And what I've noticed is that from our customers and our partners, we're always trying to figure out what is the best framework? And what are the relevant controls? So, I spend a lot of time reading, probably at least four hours a day reading about new threats. I'm reading threat intelligence. I'm reading all the open source reporting that's coming out so I can understand the landscape from the attacker's point of view, and what are the new vulnerabilities, what are the new exploits, what are the new threats? But then I have to switch hats. I have to spend another part of my day reading about regulations, reading about frameworks, reading about compliance. So at some point, those two things, those two worlds collide. And when I have a customer that comes to me and they say, "What framework should we use? What security controls are relevant?" I can't give the same answer to everyone. We're looking at all 16 critical sectors. And you're talking about hundreds of thousands of entities within those 16 sectors. And they're all unique. All environments are different. So, you have to take a customized approach, very hands on, very manual approach, to every situation. You look at the environment.
Jim Goldman: Look different, yep. Yep.
Dan Wilford: Yeah. Something that I have to do, even before I get into a call with someone, I have to research that sector, that company. What are their threats? Understand the risks that they're facing. Who are the most likely attackers, what are the most likely initial attack vectors? And then try to merge those two sides of my brain from the attacker's perspective and then from us, the Blue Team, what can we do to prevent all of those bad things from happening?
Jim Goldman: Okay. Hey, let me ask you a quick question, Dan, for the benefit of our audience. This notion of sectors, some people in the audience may not be familiar with InfraGard and the US government, and how they've identified these things. I don't necessarily need you to list all 18. But just give some examples. And what's this whole sector thing about?
Dan Wilford: Yes. So, there are 16 critical infrastructure sectors within the United States that were determined through various groups that were asked this question, what should be considered critical? And then how do we group them together? So, other countries, I've worked with other United Nation countries and other NATO member nations. And they all go through a similar exercise at some point in their development where they say, "We need to define what is a critical sector." So, the US over the last decade came up with 16 critical sectors. And it's stuff like the finance industry, financial services. Stuff like energy sector, food, food sector. You have healthcare. You have communications. You even have dams. In the US, our dam electro infrastructure is its own critical sector.
Jim Goldman: Right.
Dan Wilford: And then each one of those sectors has an agency or a department that is responsible for coming up with a protection plan. For example, if you're in the food business, the Department of Agriculture along with Department of Health and Human Services are going to help you come up with a security plan.
Jim Goldman: Correct. Correct. Okay, great. That was great. Thank you for that, Dan. Ryan, may be a challenge, but I know you can do it. How do you summarize the current state of cyber insurance?
Ryan Dunn: Yeah. So I mean, you hit it right on the nail with what you're alluding to. It's somewhat of the wild, wild west out there, right. And frankly, the way I like to put it is nobody's happy in this situation right now.
Jim Goldman: Right.
Ryan Dunn: And that's what we're working towards, right. We want to create an industry or a silo of an industry that is going to be working in the benefit of the business owner, and the insurance carrier, and the agent altogether. So, what do I mean by nobody's happy? Well, if you look at the insurance carriers right now, they're getting slammed by claims volume. There's a lot of claims going on right now in the cyber insurance world. When you look at the agencies from an agent's perspective, it's very tough for agents to be communicating cybersecurity to their clients. There is cybersecurity requirements being pushed down by insurance carriers that as insurance professionals, we are not cybersecurity professionals. And so, trying to communicate that effectively and in a way that your client trusts what you're saying is very difficult. And so, there's a big value proposition right there that's being lost. And there's very few touchpoints as an agent has, it's roughly four times a year. And then most importantly, the business owner is either not obtaining coverage because they don't meet the cybersecurity requirements, or they're jumping through hoops to get it, right. They are installing multifactor authentication throughout their company at the last minute, installing EDR. And sometimes these solutions can be extremely costly depending on how large your organization is. And so, receiving these requirements a month before you have to renew your insurance is not a great place to be in. And it's not working out for anybody. So, that's the problem that we're trying to solve, and as well as Blue Team Alpha. And so, we're looking forward to the future path here.
Jim Goldman: Great. So Ryan, you said nobody's happy, and gave some examples of that. Could you just dive in a little? You mentioned it just now. Could you just dive in a little bit more on that point in time, that renewal activity, and the different roles that are going on, different concerns? So, you got all three parties involved at renewal time, the carrier, the agent, and the business owner. So, just talk about the current state of affairs at renewal time.
Ryan Dunn: You mean the current process of how that's going?
Jim Goldman: Right, right.
Ryan Dunn: Yeah. So currently, the current flow of how that's going is a carrier, an insurance carrier, which is your Chubbs, your Travelers of the world, they are producing an application that they're sending to the agent. That agent is sending this PDF application over to the client. Once that client fills it out, whether it's them or their external MSP, a scan is being run by the carrier. Now, these scans are outside of the agent's control and outside of the client's control. And so, what happens there is there's a lot of the times there's false positive information that alarms the client, who then gets frustrated with their MSP or MSSP. And so, it's a really broken line of communication, right. You're having PDF applications being filled out and being sent through email, which is not necessarily a very secure way to be exposing how you're protecting your business and what your data backup recovery time is. And so, it's very segmented across the board. And so, it's very important for us to work towards a way of making that a more seamless environment, a seamless and secure environment. So, that's the current flow of how information is being processed. And it needs to be fixed.
Jim Goldman: And the desired outcome and making it more seamless and secure is that all three parties that are pretty unhappy right now will someday be happy.
Ryan Dunn: Yeah, exactly. It'll be a lot more easier flow. Information will be verifiable instead of unverifiable.
Jim Goldman: Right. Right.
Ryan Dunn: And that's an important state that we need to get to.
Jim Goldman: That's our desired state. That's exactly right. Okay. I think that was a really good description from each of you as to the current state. So, let's now move towards the desired state, if you will. But let's keep it practical at the same time. Instead of coming up with a huge long range plan, what I'd like to ask each of you to do is just talk about a single, the one most practical thing that a business owner could or should do today in regards to, in Dan's case, cybersecurity, and then in Ryan's case, cyber insurance? So Dan, back to you. Where's the poor business owner start? Because this whole thing is so overwhelming.
Dan Wilford: Yeah. And I'm probably going to give an interesting answer to this that you might have never have heard. I'm going to suggest that organizations start with compliance. Now, you might be saying, "Wait, that doesn't make sense. Compliance is the end goal. We're trying to be compliant, right." I don't agree with this concept. What I'm trying to encourage organizations to think about is compliance being the very first step. Get compliant first. Understand your environment, and your regulation, your regulations and rules, and what is the best framework for your organization. Get compliant with that framework immediately first, and then you go deeper. Then you read between the lines. Because these frameworks, they're not specific enough to cover every possible scenario. So, what you can do, for example, let's say you take Center of Internet Security, the CIS version 8. The one that just came out. They have three levels of framework that you can follow, which they call the implementation groups. The very first implementation group is what we consider cyber hygiene. If you do those controls that are identified as cyber hygiene, that's something you could do immediately. You can start on it today and finish it next week. And now that takes care of your implementation group one, say CIS compliance. Boom. First step. And then you can go deeper. You can go to the implementation group level two or even level three. Level three is when you're compliant with every single control they have, which are they call them safeguards now, formerly known as sub controls. But there's 153 of them. So, if you get to that level, now security is a high priority. Now you've gone deeper, and you've customized the framework to fit your environment.
Ryan Dunn: Dan, I actually really like that. It's somewhat similar to the insurance world when you say that because when you think about these cyber applications, it's really baseline stuff that they're asking for. Data backup recovery, multifactor authentication, endpoint detection response systems. That's basic, right. And so, I think that's an interesting take.
Jim Goldman: Yep, I agree. So Ryan, with that said, enlighten us on the cyber insurance side from a business owner's perspective.
Ryan Dunn: Yeah.
Jim Goldman: What's one thing that a business owner could do independently to more or less assure that they'll have a smoother time in obtaining or renewing cyber insurance?
Ryan Dunn: Yeah. First step, get cyber insurance.
Jim Goldman: Try to.
Ryan Dunn: Yeah. Try to get cyber insurance. I'll dig into what I think is the most important first step in a second. But if there's anybody on this call that is iffy about whether or not their business needs cyber insurance, you need to think about how insurance was created and the reason why it was created for businesses. Businesses used to rely on physical structures to operate and make money. Now, we rely on digital infrastructure. Your business' ability is primarily built off of a digital framework. And so, if that's the case, then you need to be obtaining insurance to be making sure that your business can operate in the event that it is your payment processing system is down, for example. But the single most important step that you could take right now is you need to be making sure that you're working with the proper insurance agent. A lot of people like to go to their friend down the street, who may be doing their auto insurance. However, you need to be working with an agent that is going to be proactively helping you through this process. It's not easy to obtain cyber insurance anymore. And so, you need to be making sure that you're working with an agent that will be providing you information about what you need to do to obtain cyber insurance five months before renewal, not two months, right. And being proactive about that conversation. You also need to be working with an agent that's going to be offering some type of risk management assistance for you throughout the year. And that can be as easy as information as to what your vulnerabilities are going on throughout the year. Or, "Hey, we ran a phishing simulation on your business, and a few people clicked, right. And so, now you need to pay attention to your." And that's somebody that you should be working with.
Jim Goldman: Hey, Ryan, without going into a whole tutorial on cyber insurance, I know when a business owner starts to consider it, there's this thing called first party liability and third party liability. And depending on the nature of the business they're in, one or both of those may be critically important. Could you just in really plain terms talk about the difference between those two?
Ryan Dunn: Yeah, absolutely. So, one is going to be in relation to a cyber event affecting your business, and the other is going to be a cyber event that's affecting partners, one of your partners business. Somebody that uses your system to operate their business, right. I hope that's simple.
Jim Goldman: Well, yeah. So, let's just play that scenario because I think the first party is very understandable. So, the third party liability is a little bit more interesting. So, just take it one more step and say, "Okay. So, I'm a SaaS company. I have a software platform, right. That's my business. I'm running it. I've got customers on it." That customer that uses my SaaS platform and some supporting function to run their business, right, is the third party.
Ryan Dunn: Yeah.
Jim Goldman: If my application has a problem, gets breached, or whatever. So, you just want to play that scenario out for us.
Ryan Dunn: Yeah. There's actually an example of this. It's starting to get a little bit longer ago. It was a little bit over a year ago. But if anybody recalls, there was a pipeline that was shut down that caused a massive gas shortage on the West Coast of Florida. And a lot of people thought that that was a pipeline failure, as if the pipeline had broken. But actually, what had happened was the company's third party software they were relying on had failed. And so, they weren't able to run payments. And therefore, could not sell the gas. And so, that's a good real life example of how if you're a software company and there's other businesses that rely on you to deliver their products and services, that you have some type of liability there.
Jim Goldman: Yep, absolutely. Absolutely.
Dan Wilford: I have something to add to that, Ryan. So, that attack, I believe you're talking about the Colonial Pipeline.
Ryan Dunn: I am.
Dan Wilford: So, that was a ransomware attack. And this was a very big case for us in the cybersecurity industry because this was the first time that the President of the United States declared a State of Emergency based on a cyber attack, a ransomware attack. They got a whole government response to that, which led to a lot of movement in the cybersecurity industry. Where now, the government is getting more involved. Where before, they weren't that involved.
Jim Goldman: Right.
Ryan Dunn: No.
Jim Goldman: Right.
Ryan Dunn: Absolutely.
Jim Goldman: Hey, while we're on that topic, we have a question from one of our listeners. The question is, and this may be difficult to answer, but I'm going to pass it along anyway. How do you know if the provider for cyber insurance is reliable? Is there a checklist similar to the auto insurance?
Ryan Dunn: I'm assuming provider as in carrier such as [inaudible]
Jim Goldman: Yeah, I'm assuming that as well. Yeah.
Ryan Dunn: Yeah, that's actually a great question. Your agent should be providing you some type of comparison. And there are agencies out there that provide some type of checklist of, "Hey, these are your 10 things that you should be paying attention to." And it's also industry specific, right. There are general things that you should be obtaining as a business owner. Definitely social engineering, definitely business interruption, definitely dependent business interruption. But when it comes to your industry specific things, there are a lot of, the classic term is your first page provides you all the insurance, and then the rest of the 140 take it away. And so, every single industry is going to be different. And those, they're called exclusions. They're going to be implemented depending on what industry you're in, right. And so, I would definitely be working with your agent to be reviewing and paying attention to those exclusions rather than what is on that first or second page of what is covered.
Jim Goldman: Very good. Very good. Okay. So, I feel like those next steps seem pretty practical for your respective areas of cybersecurity and cyber insurance in today's circumstances. But now, let's just fast-forward a little bit, and talk about what does the future hold? And I guess start by is the future bright or not so bright? And then describe it a little bit more. So, what's your vision of how cybersecurity and cyber insurance can evolve and eventually come together? Because that was the premise of the whole webinar at the very beginning. That in fact, these are not two topics, but one closely related topic. So, yeah. Let's go back to Dan on what's the future hold? How do we get there? How does this all tie together?
Dan Wilford: Yes. I do have a specific answer for this, and it's not great. The future, to me, it looks like it's getting worse. And I do trend analysis. I do predictions as a part of my daily routine trying to understand where we're going in the threat landscape. And what I've seen is organized crime. They're not focused on drugs as much anymore in the physical world. They're in the cyberspace domain. And what they're doing is extortion. Now, the most popular form of cyber extortion right now, of course, is ransomware, right. And that's been around for going on a decade. A couple years ago, they added a second level of extortion, which is data loss. So, they're going to steal the data, threaten to leak it, and then get you in trouble with regulators because you have a data breach. Now, the new thing that I'm just now starting to see emerge is a third level extortion, which is the distributed denial of service attack. So, the ransomware groups, the gangs, the criminal organizations that are doing these attacks, they're going to do all three attacks to an organization. They'll do the ransomware. They'll steal the data and threaten to leak it. And they'll attack your digital presence with this distributed denial of service. And so, there are things you can do at each level. Insurance is really going to help you, provide you the coverage to pay for those things because things in security have cost. And then what I'm able to do, what security companies like Blue Team Alpha are able to do is help shape the security budget so it matches the threat. Every organization has a different threat profile. And what you want to do is customize the budget based on the organization. So, you don't want to pay too much for security, but also, you don't want to pay not enough. So, there is definitely a balance act. And what we do is we do quantitative analysis. Quantitative is different than qualitative. Qualitative is what everyone is familiar with. Low, medium, high threats. Quantitative is better because you're mapping the cost of these security solutions over to the cost of the threat itself. How to recover, how much will it cost to recover if an attack is successful? And when you map those two together, that can help shape the security budget and get the right balance.
Jim Goldman: Yep. Dan, I actually applaud you for taking that stance and describing it. I've done a couple of webinars now. And if people are interested, I'm sure Megan can hook you up with the podcast recording. And basically the premise of my podcast was it's not cyber crime, it's cyber warfare.
Dan Wilford: Yeah.
Jim Goldman: This is way more serious than I think most people take into account. And it really goes back to where you started, Dan, with the notion of the critical infrastructure sectors of the United States. And literally, the entire company, the entire country, excuse me, the entire economy is at risk. We're only seeing almost like sporadic attacks right now. But the day could and may well come when this gets more coordinated. And it's a nonstop cyber assault rather than these isolated cyber attacks. So, on that positive note, Ryan, let's turn it over to you.
Ryan Dunn: I kind of need to take a breath after that. Jesus. I mean, you guys are spot on unfortunately. I think we just saw the other day, Canada had to stop its stock exchange due to some cyber incident.
Jim Goldman: Yep.
Ryan Dunn: And so, yeah. It's definitely getting into the main part of our economy. But even though cybersecurity seems to always be a catch up game, we're always trying to play catch up with a new threat. On the cyber insurance side, we're starting to see somewhat of a positive uptick. Right now, and I see the trend becoming more positive as we go. But the future, what we need to be getting to, is we need to be able to predict and value risk a lot more sufficiently.
Jim Goldman: Yep.
Ryan Dunn: We also need to provide our customers the ability to give accurate feedback on their current cybersecurity infrastructure. And then additionally, we need to be providing more education, and more tools, and providing more information to the business owner as well.
Jim Goldman: Yes.
Ryan Dunn: So, there's a lot of really positive opportunities out there that are being tackled right now. If we just dive into a few of those, we need to, when it comes to providing our customers accurate feedback, right, we need to be, that's ongoing scan feedback, right, from an insurance perspective. What are we seeing? How can you improve yourself? And it's related to that compliance point that Dan made. Insurance needs to be in the driver's seat on this and getting people cyber secure. We need to be the ones that are educating these people. And so, I see the future of cybersecurity, a lot of it in a big part, being driven by the insurance world.
Jim Goldman: Yeah. I think you're actually absolutely right, Ryan. If the awareness to the average business owner comes from the need for cyber insurance, right, and they find out that they're not measuring up, right. They don't qualify for cyber insurance. And therefore, they go about becoming compliant, as Dan said, to a framework. And they implement the necessary security controls. That's a good thing.
Ryan Dunn: Yeah.
Jim Goldman: That's exactly what we need to happen on a much broader scale. And so, it sort of doesn't matter what motivates the business owner to move, whether it's because they realized they wanted cyber insurance and couldn't get it, or they had a customer that said, "You need to be SOC 2 compliant, or we won't give you this contract." So, it really is this kind of cycle that cyber insurance can play almost like a motivational role in improving the cybersecurity. Then it becomes a cycle because these businesses are now more cyber secure. They can qualify for the cyber insurance. And cyber insurance then really plays the role it should play, which is that safety net that might be needed in extenuating circumstance. Low probability, right, circumstance. That's what insurance is supposed to be.
Ryan Dunn: Yeah.
Jim Goldman: It's not supposed to be the 50, 50 coin flip that you're going to get attacked by ransomware.
Ryan Dunn: Yeah. And if we look at right now, we need to make it easier for business owners to get to that point, right?
Jim Goldman: Yeah. Yeah.
Ryan Dunn: And so, a large part of what we're seeing right now is business owners, whenever they're filling out their applications for insurance, they don't even know that there's sometimes inaccurate information being portrayed to the carrier, right?
Jim Goldman: Right.
Ryan Dunn: And so, we in the insurance world need to be doing a better job at making it easier for the business owner to portray what their cybersecurity infrastructure is so that the carrier can give accurate feedback to the client.
Jim Goldman: Yes. Yes. Yes.
Ryan Dunn: And additionally, they need to focus on making money and operating. And so, we need to be aware of that, right?
Jim Goldman: Yep. In the cybersecurity world, I often use the analogy of a medical diagnosis. And so, think about this, right. If you were really ill and you went to your physician's office, and they handed you a 14 page PDF questionnaire to fill out about your symptoms and then use that to decide how they were going to treat you, that probably wouldn't work so well, right?
Ryan Dunn: Yes.
Jim Goldman: So, what do they do? They use instrumentation, right. And they take measurements directly.
Ryan Dunn: Yeah.
Jim Goldman: They take your blood pressure. They take your temperature, et cetera. They do blood work, et cetera, et cetera. And they get direct objective data on the state of, in this case, your physical system. Where we need to get to in cybersecurity and cyber insurance is that same direct instrumentation on an ongoing basis and get rid of the 14 page PDFs.
Ryan Dunn: Yeah. Get rid of the PDFs, implement some more verifiable direct line of communication between the client and the carrier.
Jim Goldman: Yep. Absolutely right. Okay. How are we doing on time? I guess we're doing pretty good. Dan, any comments to that before we go to Q&A?
Dan Wilford: Yeah. I was just going to say, I'm a big fan of data. I do still interview customers when we're doing compliance work. I still want to talk to them and see their feeling about their own security program. And I ask them to try to judge on a scale of where they're at, are they aware of this particular problem? Have they discussed it? Have they budgeted it? And then after talking to them, then you look at the evidence itself. And this is the same way auditors are thinking. They want to see evidence of a security control being implemented. They want to actually see the control working. It's one thing to talk about it, it's another thing to actually get the data and observe it.
Jim Goldman: Yeah. No, you're absolutely right. And we live in a changing world. And everyone involved in this triad of carrier, business owner, agent, has to almost be willing to change the way things have always, we can't use, "Well, that's the way it's always been done," as an excuse any longer. We have to be open to doing things in new and different ways. And you're absolutely right. I've got a couple of questions related to this. Dan, I think this first one should go to you. Why can't customers get accurate cybersecurity feedback?
Dan Wilford: Yeah. I saw the question, but I'm not sure I understand the question. What do we mean feedback?
Ryan Dunn: I think, Jim, the question's alluding to carriers providing inaccurate feedback to the client.
Jim Goldman: Got it. Got it. Yeah.
Ryan Dunn: So right now, sometimes the carriers are providing a monthly vulnerability report to their clients. And I was just in one of our agency partners' offices the other week. And they showed me an example of one of these reports. And it was a Microsoft Excel spreadsheet with a bunch of jumbled up numbers and letters. And so, it's there's a lot of false positive inaccuracies that are being delivered without any validation of it. And so, what does that do? First of all, the CFO or controller, whoever's in charge of obtaining insurance is getting this feedback. They get all up in arms because they're being told that their cybersecurity is not good. And so, they go to their MSP, or MSSP, or internal IT staff, and they're getting mad at them. And they're going back to them saying, "Hey, there's nothing wrong here." And they have to get on a phone call. So, there's a lot of feathers being ruffled for out of a false positive. And so, we need to have a more seamless environment where that communication is being delivered.
Jim Goldman: Yeah. I think that's exactly right. So, on the one hand, you've got a party sharing highly technical information with an audience that isn't equipped to understand that highly technical information. If we go back to the medical metaphor, if your physician does a bunch of tests on you, and comes in, and then uses highly technical medical and anatomical terms, physiological terms with you, right, as if you were a physician, right?
Ryan Dunn: Yeah.
Jim Goldman: You're not going to understand it because you're not a physician. Well, if cybersecurity engineers talk cybersecurity lingo with people who aren't cybersecurity engineers, you're going to get the same result.
Ryan Dunn: Yeah. They're going to be looking back at you with 10 heads.
Jim Goldman: Saying, "I don't understand a word you're saying. I'm sorry. I'd like to fix this." Ryan, there's a question for you. How would you help a client with providing better information to the underwriters?
Ryan Dunn: Yeah, absolutely. I love this question. So, a big piece of this is, as if I were to speak from an agency's perspective, right, I would want to create what we call a marketing presentation. And marketing in the form of you're marketing the client to the carrier. And so, the way that I would help a client is through that agency. We would help run the scans to help that client out. So, you run the scan. You have a survey filled out, baseline survey, that provides some type of readiness report. And then once those actions are taken, then help create a marketing report of the cybersecurity maturity of that client and provide that to an underwriter.
Jim Goldman: Absolutely.
Ryan Dunn: If an underwriter is seeing at first look how mature somebody's cybersecurity infrastructure is, as well as the fact that you're running external and internal scanning on them, they're going to look very favorably on that client, especially if it's a hard to place client. So, for you, Michael, as an agent, that could help increase business for yourself as well as increase your conversations with your current clients.
Jim Goldman: So, maybe as a final wrap up, I see this coming together. I just want to throw one question, one scenario out to each of you, how you see this from your perspective. And that is the value of, or the likelihood that the once a year check-in at renewal time is the right way to go in the future in terms of this tighter integration of cybersecurity and cyber insurance? Ryan, what do you see happening in the future there?
Ryan Dunn: So, you're talking about the once a year check-in from the agency?
Jim Goldman: Yeah, once a year they're going to scan your environment.
Ryan Dunn: Yeah.
Jim Goldman: They're going to decide then for the next 12 months, yes, no, here's your coverage. We'll see in 12 months.
Ryan Dunn: Yeah. That's just, it hasn't been a winning formula, Jim. I mean, you and Dan are aware of safe today isn't safe tomorrow.
Jim Goldman: Right.
Ryan Dunn: And so, Jim, you have a lot of sayings about this. But, yeah. That'll never work. Continuous underwriting for cyber is the future. If we were to look at the telematics model of auto insurance, although it's very different, it's very similar as to where the cyber insurance world needs to go. There needs to be continuous monitoring of the client's cybersecurity infrastructure. And then if there is big, let's just say a Log4j type of vulnerability out there, the carriers and agents, if I were an agent, I would want to be able to articulate to my client like, "Hey, we've scanned your environment. And we've found that you have a Log4j. You should fix this." But having that ability to scan your clients or your insureds. If they have that vulnerability there, is extremely important.
Jim Goldman: Yeah. Yeah.
Ryan Dunn: Absolutely [inaudible]-
Jim Goldman: And that may sound like a radical departure. I can see agents recoiling and saying, "Well, I don't want to be in that business." But at the same time, if you think about it, the good agents and brokers have been in the risk management business for years.
Ryan Dunn: Yeah.
Jim Goldman: They just haven't necessarily been in the cyber risk management business.
Ryan Dunn: Absolutely. Absolutely.
Jim Goldman: Dan, what do you think of that?
Dan Wilford: I agree. So, continuous cybersecurity is something that we are definitely moving towards in the industry with continuous asset discovery, continuous vulnerability management, email security. Once a year is certainly not enough. And quarterly is not enough. Monthly is not enough. You start looking at 24/7 continuous security. Now, you're getting to the point where you can defend the organization at all times from all angles.
Jim Goldman: Absolutely right.
Dan Wilford: Another thing that I would caution organizations to be aware of is the fact that right now, today's security is not a commodity. So, a lot of organizations, they look at all of us security companies and say, "Well, you're all offering the same thing." But it is not truly fungible. Every organization has their own bias, and their own perspective, their own way of doing security. And there are some that are better than others. There are some that are more comprehensive. There are some that are faster. Some that are more thorough. So, it is very good to know who your cybersecurity, the preferred cybersecurity, providers are for your insurance. What do those partnerships look like? So, you want to find a good combination of good insurance along with good cybersecurity providers.
Jim Goldman: Yep. Yeah. Absolutely right. And another thing that came to mind as you were talking was there's this notion out there that, so if we spend N number of dollars this year on security, granted we haven't in the past. We're going to invest. We're going to do the right thing. Then we're done, right? That's it.
Dan Wilford: Never done. I would just say. We're-
Jim Goldman: Never done. Never done. Yeah.
Dan Wilford: What we can do though is we can be a shield. We can be a shield to the organization to keep you in business. Another part of cybersecurity is business continuity. Like you said, this is about risk. At the end of the day, this is all risk. Whether or not we're talking about a cyber attack or some kind of physical disaster, it's the same concept of keeping the business running.
Jim Goldman: Absolutely right. Absolutely right. One more question, a little tricky, maybe politically charged. But we've never shied away from that. Who do you listen to find better cybersecurity firms?
Dan Wilford: So, I have a lot of sources. But really, I've been looking at CISA lately, this Critical Infrastructure Security Agency. Fairly new agency that's focused on critical infrastructure security. So, they provide a lot of guidance. I read everything that comes out. And so far, it's all been valuable information.
Jim Goldman: Yeah. And in terms if they're talking by security firms, they're talking about vendors. I mean, my advice is referrals from trusted colleagues, other businesses in the industry. I always think customer referrals are the strongest and most valid recommendation.
Dan Wilford: Definitely. Yeah.
Jim Goldman: Okay. It looks like we don't have any more questions coming in. I think we're about good. Any closing comments? Maybe just one closing comment from each of you. And then we'll say goodbye.
Ryan Dunn: And Dan, you want to go first?
Dan Wilford: I'll just say thank you for inviting me to this. I don't get out much, but I do like sharing knowledge. I wish more companies would try to share their knowledge and information, because I strongly believe all of us security and insurance together, we have a shared mission. Okay. We're trying to protect American business from all of these threats. The top four, these threat actors, these nation state actors that are trying to attack American companies, we have a duty to do the best we can to protect American businesses. So, if we work together, our chances of success would be much higher.
Ryan Dunn: Yeah.
Jim Goldman: Ryan?
Ryan Dunn: I love that. Yeah, I love that, Dan. Absolutely. It needs to be a team effort. And I would just say as a closing comment, I just really appreciate everybody taking the time to come out and listen. I really hope that you gained some knowledge here. And if you did, if you have any other questions, feel free to reach out to any three of us. I'm sure we'd be happy to help. I thought the Q&A section was great. So, I appreciate everybody for chiming in there.
Jim Goldman: It's always good to make it a little bit more interactive. It makes it more fun for everybody.
Ryan Dunn: Yeah.
Jim Goldman: I also want to thank Megan for being our moderator today. And everybody, please take a look in the webinar chat section. Megan has posted several resources there with links. So, and I think they disappear quickly when we end the webinar. So, if there's something that's of interest there, be sure to click on those links quickly. And thanks very much for joining. Thank you, Ryan. Thank you, Dan. Great job. Greatly appreciate your time. Let's do it again soon.
Ryan Dunn: Yeah.
Jim Goldman: Thanks very much everybody.
Ryan Dunn: Thank you.
DESCRIPTION
Join our educational panel of cyber industry experts for a discussion that is designed to demystify the relationship between cybersecurity maturity and cyber insurance for small- and medium-sized businesses. Walk away with real action items to take back to your team in order to establish your own comprehensive cybersecurity program, including cyber insurance.
Our panel of experts will cover:
- How to sort through the noise of cybersecurity and cyber insurance (and prioritize strategies)
- Key questions to ask your tech team and your vendors when assessing cyber solutions
- Ransomware and the business of cybercrime - How cybersecurity companies, insurance companies, and businesses can work together to combat this threat.
- Cybersecurity vs. cyber liability insurance (What's the difference? And do you really need both?)