1
00:00:00,000 --> 00:00:07,920
Well, today on our Tech for Business podcast, Todd, our COO and CISO and Ann, our Quality

2
00:00:07,920 --> 00:00:15,920
Assurance Analyst and GRC Specialist are joining us to talk about cybersecurity insurance and

3
00:00:15,920 --> 00:00:21,560
compliance, where they overlap and maybe where they fall short.

4
00:00:21,560 --> 00:00:23,960
So I'm going to start with Todd.

5
00:00:23,960 --> 00:00:28,960
We have a cybersecurity insurance podcast and we talked all about what it is and who

6
00:00:28,960 --> 00:00:30,360
needs it.

7
00:00:30,360 --> 00:00:38,240
So I'm hoping you can give us a quick overview and maybe anything that has changed for cybersecurity

8
00:00:38,240 --> 00:00:42,560
insurance since that podcast, which was two years ago.

9
00:00:42,560 --> 00:00:43,560
Wow.

10
00:00:43,560 --> 00:00:44,560
I know.

11
00:00:44,560 --> 00:00:45,560
How long ago are you?

12
00:00:45,560 --> 00:00:47,560
Is it not wild?

13
00:00:47,560 --> 00:00:53,720
Yeah, I mean, I think the extremely brief overview is that we still believe in it.

14
00:00:53,720 --> 00:00:58,280
We still think it's probably something most organizations should have.

15
00:00:58,280 --> 00:01:03,280
There are reasons why you wouldn't get it and those typically are cost related.

16
00:01:03,280 --> 00:01:07,240
What's changed over the last couple of years? Cost would probably be the majority of the

17
00:01:07,240 --> 00:01:08,240
change.

18
00:01:08,240 --> 00:01:11,000
Before, it was kind of the wild, wild west.

19
00:01:11,000 --> 00:01:13,520
Every insurance company thought it was a pot of gold.

20
00:01:13,520 --> 00:01:16,200
They were going to get into it and they were offering insurance.

21
00:01:16,200 --> 00:01:20,880
And unfortunately, if you've been paying attention to cybersecurity and the world of attacks,

22
00:01:20,880 --> 00:01:22,360
it's gone absolutely bananas.

23
00:01:22,360 --> 00:01:25,520
And so there was a lot of payouts that insurance companies have done.

24
00:01:25,520 --> 00:01:28,840
As such, the insurance costs have gone up.

25
00:01:28,840 --> 00:01:32,480
The requirements to get it have become more complicated.

26
00:01:32,480 --> 00:01:34,640
And it's probably not terribly surprising.

27
00:01:34,640 --> 00:01:39,920
It's kind of the same old song for insurance in general, but it definitely matches what

28
00:01:39,920 --> 00:01:43,240
we see going on within the industry as well.

29
00:01:43,240 --> 00:01:50,160
So Ann, because I really want to talk about where this overlap is in the compliance.

30
00:01:50,160 --> 00:01:52,680
Do you see overlap at all?

31
00:01:52,680 --> 00:02:00,960
Do you see businesses who have robust compliance requirements typically buy into cybersecurity

32
00:02:00,960 --> 00:02:05,760
insurance or are they just two separate entities?

33
00:02:05,760 --> 00:02:09,840
It's actually an interesting question.

34
00:02:09,840 --> 00:02:15,840
There are elements of, say, the financial industry that are already insured through

35
00:02:15,840 --> 00:02:21,080
FDIC, but even those rules are coming and evolving to make it harder.

36
00:02:21,080 --> 00:02:23,080
There is absolutely a correlation.

37
00:02:23,080 --> 00:02:33,160
Those that have higher regulations and compliance frameworks, I think, definitely

38
00:02:33,160 --> 00:02:35,160
have that correlation.

39
00:02:35,160 --> 00:02:41,480
They seem to be more knowledgeable and much more risk averse in managing that risk with

40
00:02:41,480 --> 00:02:45,360
insurance and how it's covered.

41
00:02:45,360 --> 00:02:53,360
A lot of the financial industry, just as an example, not just through something like FDIC,

42
00:02:53,360 --> 00:02:57,560
is requiring a ransomware rider on their insurance.

43
00:02:57,560 --> 00:03:02,120
Now, it's not a suggestion.

44
00:03:02,120 --> 00:03:03,120
Interesting.

45
00:03:03,120 --> 00:03:05,440
I'm going to expand on that real briefly.

46
00:03:05,440 --> 00:03:09,760
I think Ann nailed it, but I just wanted to kind of really emphasize this.

47
00:03:09,760 --> 00:03:12,360
So the question was whether or not there's an overlap.

48
00:03:12,360 --> 00:03:17,360
And there 100% is. If you look at the banking industry in specific, the FDIC is

49
00:03:17,360 --> 00:03:18,520
the insurer.

50
00:03:18,520 --> 00:03:21,440
So they're the ones that are driving it forward.

51
00:03:21,440 --> 00:03:26,120
And they have had a play in what the compliance looks like in the banking industry.

52
00:03:26,120 --> 00:03:30,400
So if you're in banking, you'll know this, but they have something called the FFIEC, and

53
00:03:30,400 --> 00:03:32,600
I won't get into what the abbreviation means.

54
00:03:32,600 --> 00:03:37,040
But it is basically the playbook that says, the questionnaire, do you do this?

55
00:03:37,040 --> 00:03:38,040
Do you do that?

56
00:03:38,040 --> 00:03:39,040
Have you considered this?

57
00:03:39,040 --> 00:03:40,640
And it's all based on maturity.

58
00:03:40,640 --> 00:03:41,840
They had a hand in planning it.

59
00:03:41,840 --> 00:03:43,320
That wasn't solely them.

60
00:03:43,320 --> 00:03:47,280
The government played a role in it and sort of the variety of other things.

61
00:03:47,280 --> 00:03:52,240
But just to really emphasize it, to them, it's so incredibly important that they're

62
00:03:52,240 --> 00:03:56,920
deeply ingrained in what compliance looks like in the banking industry specifically.

63
00:03:56,920 --> 00:04:01,000
And you don't see quite that same involvement in healthcare and a few other areas, but it's

64
00:04:01,000 --> 00:04:02,000
still there, right?

65
00:04:02,000 --> 00:04:04,680
And I think that ultimately gets to where we're going to today.

66
00:04:04,680 --> 00:04:11,960
Yeah, so I was going to ask what those biggest overlap things are.

67
00:04:11,960 --> 00:04:14,320
Is it the simple stuff that we already know?

68
00:04:14,320 --> 00:04:21,880
Like you need MFA, you need EDR, or are the cybersecurity insurance companies really paying

69
00:04:21,880 --> 00:04:24,120
attention to those compliance requirements?

70
00:04:24,120 --> 00:04:28,160
Are they really making sure that they're including those things, or are they just getting the

71
00:04:28,160 --> 00:04:30,840
basics?

72
00:04:30,840 --> 00:04:33,000
It's all over the place to be honest.

73
00:04:33,000 --> 00:04:35,120
It depends, right?

74
00:04:35,120 --> 00:04:36,120
It depends.

75
00:04:36,120 --> 00:04:38,600
There it is.

76
00:04:38,600 --> 00:04:46,120
You'll still see insurance applications, cyber insurance, be two pages, and half of it is

77
00:04:46,120 --> 00:04:48,920
just location information.

78
00:04:48,920 --> 00:04:55,400
But you'll now see 15-page ones that want to know where you're storing your data.

79
00:04:55,400 --> 00:05:05,400
It's almost like an audit questionnaire, more so than it is an insurance application.

80
00:05:05,400 --> 00:05:10,360
And it's really going through and saying, okay, we do get it.

81
00:05:10,360 --> 00:05:17,360
But in order for us to insure what you want us to protect, this has got to be in place.

82
00:05:17,360 --> 00:05:24,360
And for the big-ticket items, like the MFAs, the EDRs, that kind of thing, it's

83
00:05:24,360 --> 00:05:25,360
exclusionary.

84
00:05:25,360 --> 00:05:32,240
They may not cover you, but they may also say, well, tell us more on different elements

85
00:05:32,240 --> 00:05:37,160
of how do you secure your cloud environment?

86
00:05:37,160 --> 00:05:43,240
And I do laugh sometimes at the questions that are asked, because I would very much guess

87
00:05:43,240 --> 00:05:47,920
that a provider isn't necessarily going to know and understand how you secure your

88
00:05:47,920 --> 00:05:49,480
cloud environment.

89
00:05:49,480 --> 00:05:55,920
However, we still have to provide or help our customers provide that information to

90
00:05:55,920 --> 00:06:04,040
say something that feels at least good in the whole scheme of data protection.

91
00:06:04,040 --> 00:06:09,400
It can't just be kind of fluffy answers about nothing anymore either.

92
00:06:09,400 --> 00:06:15,280
Yeah, so just from what I'm seeing over there, there have been one or two of our customers

93
00:06:15,280 --> 00:06:21,240
that have not had an in-depth review, but it literally is one or two.

94
00:06:21,240 --> 00:06:26,920
It's not like you're seeing a percentage of our customers who don't need to go through this.

95
00:06:26,920 --> 00:06:29,720
It's almost shocking to me when somebody comes in and goes, oh, we didn't really even have

96
00:06:29,720 --> 00:06:30,720
a questionnaire.

97
00:06:30,720 --> 00:06:31,720
We just signed it and we moved on.

98
00:06:31,720 --> 00:06:36,680
I'm like, well, lucky you, because quite frankly, that is not the industry.

99
00:06:36,680 --> 00:06:42,400
And it is, to your question, if you're a fan of the podcast, you probably know this.

100
00:06:42,400 --> 00:06:44,560
There are certain things that we classify as non-negotiable.

101
00:06:44,560 --> 00:06:47,160
So there's the things you have to be doing.

102
00:06:47,160 --> 00:06:49,880
And they are in every single form that I see.

103
00:06:49,880 --> 00:06:50,880
That's MFA.

104
00:06:50,880 --> 00:06:51,880
That's EDR.

105
00:06:51,880 --> 00:06:53,760
Do you do cybersecurity training?

106
00:06:53,760 --> 00:06:55,840
What does admin permissions look like?

107
00:06:55,840 --> 00:07:02,720
De facto, blocking and tackling cybersecurity, those are in every single questionnaire.

108
00:07:02,720 --> 00:07:06,760
They are getting a lot more complex, though, to Anne's point, where you're seeing these

109
00:07:06,760 --> 00:07:10,080
15-page monsters.

110
00:07:10,080 --> 00:07:11,080
It's a monster.

111
00:07:11,080 --> 00:07:16,440
Some of them are just absolutely ridiculous, but it's not terribly surprising.

112
00:07:16,440 --> 00:07:20,520
If you look at the insurance industry, they are basically the kings of risk.

113
00:07:20,520 --> 00:07:21,920
They understand it inside and out.

114
00:07:21,920 --> 00:07:23,760
Now, they really do.

115
00:07:23,760 --> 00:07:27,920
They go through the whole, I mean, no, there is no other industry that is better prepared

116
00:07:27,920 --> 00:07:30,640
to define what risk looks like.

117
00:07:30,640 --> 00:07:32,640
They do it from an underwriting standpoint.

118
00:07:32,640 --> 00:07:35,480
Ultimately, they're saying, hey, we'll back you with X amount of dollars.

119
00:07:35,480 --> 00:07:37,920
And in order to do that, they're like Vegas.

120
00:07:37,920 --> 00:07:39,360
They know the odds.

121
00:07:39,360 --> 00:07:41,520
They know what the payout is.

122
00:07:41,520 --> 00:07:42,960
I hope I don't get in trouble.

123
00:07:42,960 --> 00:07:45,800
I'm looking over here.

124
00:07:45,800 --> 00:07:46,800
But they are, right?

125
00:07:46,800 --> 00:07:47,800
They know all of that.

126
00:07:47,800 --> 00:07:51,040
They are very statistically driven, so they know what it is.

127
00:07:51,040 --> 00:07:54,880
And they have looked to the compliance industry and said, well, how do you protect yourself?

128
00:07:54,880 --> 00:07:56,560
And then they've adopted those rules.

129
00:07:56,560 --> 00:07:57,560
But you can see it across the board.

130
00:07:57,560 --> 00:08:01,720
I mean, it happened in the auto industry when they did the airbag deployment.

131
00:08:01,720 --> 00:08:03,440
I think it was the, I read this somewhere.

132
00:08:03,440 --> 00:08:07,760
I was just going to use that example.

133
00:08:07,760 --> 00:08:12,120
They took the US government to court because the auto manufacturers are like, no, we don't

134
00:08:12,120 --> 00:08:13,120
believe in this.

135
00:08:13,120 --> 00:08:17,160
And they're like, you need to do this because this dramatically reduces the risk of injury

136
00:08:17,160 --> 00:08:18,680
and death in cars.

137
00:08:18,680 --> 00:08:22,000
So I mean, that's the kind of role insurance plays.

138
00:08:22,000 --> 00:08:24,120
And they know this stuff inside and out.

139
00:08:24,120 --> 00:08:25,480
And so I'm rambling.

140
00:08:25,480 --> 00:08:26,480
So I'll be quiet.

141
00:08:26,480 --> 00:08:27,480
Go ahead, Ann.

142
00:08:27,480 --> 00:08:29,120
No, that was awesome.

143
00:08:29,120 --> 00:08:38,160
I always like to correlate something that feels gooey like this to something

144
00:08:38,160 --> 00:08:44,640
that's known like the auto industry or your own auto insurance.

145
00:08:44,640 --> 00:08:49,800
It didn't used to be a requirement to have seat belts.

146
00:08:49,800 --> 00:08:57,440
You have to get a waiver to insure a classic car that doesn't have shoulder belts.

147
00:08:57,440 --> 00:09:04,400
You have all those different elements that used to be just so, like, we can,

148
00:09:04,400 --> 00:09:06,040
we'll think about that.

149
00:09:06,040 --> 00:09:08,080
And then Todd's example, perfect.

150
00:09:08,080 --> 00:09:11,160
Like, no, these need to be here.

151
00:09:11,160 --> 00:09:16,400
And that's really where those MFAs and the EDRs have correlated into even different

152
00:09:16,400 --> 00:09:17,400
requirements.

153
00:09:17,400 --> 00:09:21,320
So to kind of come full circle to what you asked there.

154
00:09:21,320 --> 00:09:27,840
Now, not only are they standards in the requirements for operations in certain industries and

155
00:09:27,840 --> 00:09:31,200
regulatory frameworks, but they're required by insurance.

156
00:09:31,200 --> 00:09:39,160
So the one feeds the other. I guess it's going both ways, I think, and

157
00:09:39,160 --> 00:09:42,920
it seems some industries are a little more behind than others.

158
00:09:42,920 --> 00:09:48,200
Financial seems to be kind of at the forefront in a lot of these.

159
00:09:48,200 --> 00:09:53,160
And that's good, that's good for all of us for our own protection of our own

160
00:09:53,160 --> 00:09:56,400
financial data and money for that matter.

161
00:09:56,400 --> 00:10:03,800
But we want our organizations to be risk averse with our funds for

162
00:10:03,800 --> 00:10:04,800
sure.

163
00:10:04,800 --> 00:10:11,680
But as it goes to just kind of extrapolating on that, where we get to what might

164
00:10:11,680 --> 00:10:17,560
be behind a little bit is the different elements of their cyber policies.

165
00:10:17,560 --> 00:10:25,120
And one thing I'm looking at as we're looking at these for our customers is, it's

166
00:10:25,120 --> 00:10:33,560
not even necessarily the monetary loss that you're compensating for or the risk that

167
00:10:33,560 --> 00:10:35,360
you're compensating for.

168
00:10:35,360 --> 00:10:42,920
But a lot of them, most, to be honest, have reputational riders within them.

169
00:10:42,920 --> 00:10:52,200
So your insurance now is covering what might happen if you need to fix something for

170
00:10:52,200 --> 00:11:00,160
you reputationally, should something happen. There are even marketing firms that

171
00:11:00,160 --> 00:11:05,520
specialize in this incident management, or cyber incident management.

172
00:11:05,520 --> 00:11:11,320
So it's really evolving in such a light speed way.

173
00:11:11,320 --> 00:11:18,080
And I think of the reputational, especially in, say, healthcare, in that it's

174
00:11:18,080 --> 00:11:23,560
very difficult for, say, let's say a clinic lost a lot of data or was ransomed and they

175
00:11:23,560 --> 00:11:25,040
can't guarantee it.

176
00:11:25,040 --> 00:11:33,200
Not only are there requirements for healthcare data loss, PHI and that, but reputationally,

177
00:11:33,200 --> 00:11:39,280
I wouldn't want to go to the clinic anymore and what they can do to try to gain and retain

178
00:11:39,280 --> 00:11:40,800
the business.

179
00:11:40,800 --> 00:11:45,040
So those are weird things that are now included in our cyber insurance that never would have

180
00:11:45,040 --> 00:11:46,040
been before.

181
00:11:46,040 --> 00:11:48,920
Even a year, a couple of years ago, you didn't see that.

182
00:11:48,920 --> 00:11:49,920
Yeah.

183
00:11:49,920 --> 00:11:51,120
I mean, it's interesting.

184
00:11:51,120 --> 00:11:54,440
There's a lot of stuff that Ann covered that I kind of wanted to expand on.

185
00:11:54,440 --> 00:11:57,480
I, she kind of mentioned, no, no, no, no, you're great.

186
00:11:57,480 --> 00:11:59,320
I thought that was fantastic.

187
00:11:59,320 --> 00:12:04,840
But the comment that you had about the banking industry being slightly ahead and

188
00:12:04,840 --> 00:12:08,920
my comment that the insurance company is deeply ingrained in that, right?

189
00:12:08,920 --> 00:12:13,200
They know that they need to do this and that might be a reason why they're a bit ahead.

190
00:12:13,200 --> 00:12:17,200
One of the benefits that I think you can see is coming from the insurance and maybe people

191
00:12:17,200 --> 00:12:22,160
don't love the concept of using insurance as a benefit, but most people have it for

192
00:12:22,160 --> 00:12:23,160
a reason.

193
00:12:23,160 --> 00:12:26,360
The benefit of it is they don't care about the industry, right?

194
00:12:26,360 --> 00:12:28,960
Their statistics are the same for industry across industry.

195
00:12:28,960 --> 00:12:29,960
They don't care, right?

196
00:12:29,960 --> 00:12:33,960
A couple of years ago, it used to be like the banks were the ones that got attacked because

197
00:12:33,960 --> 00:12:37,360
that's quote unquote, that's where the money is, but it doesn't matter anymore.

198
00:12:37,360 --> 00:12:38,360
Everybody's got money.

199
00:12:38,360 --> 00:12:39,760
Everybody's got money; everybody is in business to make money.

200
00:12:39,760 --> 00:12:43,200
And so the attacker really could care less what your industry is.

201
00:12:43,200 --> 00:12:45,160
And the insurance company doesn't care about your industry.

202
00:12:45,160 --> 00:12:48,660
They're just trying to make sure that they're giving you what you need and

203
00:12:48,660 --> 00:12:49,660
helping you out.

204
00:12:49,660 --> 00:12:53,980
So they are the ones driving that regulation across industry.

205
00:12:53,980 --> 00:12:56,200
So you will see it start to standardize.

206
00:12:56,200 --> 00:12:57,960
Right now it's a bit fractured.

207
00:12:57,960 --> 00:13:00,960
You've got the FFIEC from the FDIC.

208
00:13:00,960 --> 00:13:03,120
You've got HIPAA in healthcare.

209
00:13:03,120 --> 00:13:06,000
You got CMMC coming from a government perspective.

210
00:13:06,000 --> 00:13:10,400
At some point, they all mirror each other to a large degree, but it is going

211
00:13:10,400 --> 00:13:15,760
to come together and that is what we're seeing in the questionnaires that are coming

212
00:13:15,760 --> 00:13:16,760
to us.

213
00:13:16,760 --> 00:13:17,760
It's very standardized.

214
00:13:17,760 --> 00:13:19,360
It's the same things over and over again.

215
00:13:19,360 --> 00:13:22,080
I did like the reputation thing too.

216
00:13:22,080 --> 00:13:25,240
I thought that was really good stuff because there is a lot that goes into it.

217
00:13:25,240 --> 00:13:27,280
You're trying to rebuild trust after that.

218
00:13:27,280 --> 00:13:28,560
And what does it look like?

219
00:13:28,560 --> 00:13:32,320
We do tabletop exercises with our customers very often.

220
00:13:32,320 --> 00:13:35,280
And when we do, we do a ransomware one, right?

221
00:13:35,280 --> 00:13:36,800
You've got to pay it.

222
00:13:36,800 --> 00:13:40,040
And then, you know, we kind of go down the supply chain too and say, well, what happens

223
00:13:40,040 --> 00:13:45,280
if this happened to one of your suppliers and almost every one of those businesses says,

224
00:13:45,280 --> 00:13:46,960
we'd stop working with them.

225
00:13:46,960 --> 00:13:50,640
And so we get to ask the question, really, is that what you need?

226
00:13:50,640 --> 00:13:52,000
Is that what the answer is?

227
00:13:52,000 --> 00:13:53,520
Do you need to dig into it further?

228
00:13:53,520 --> 00:13:54,800
Do you need to understand what happened?

229
00:13:54,800 --> 00:13:57,520
Do you need to understand how they're remediating it?

230
00:13:57,520 --> 00:14:00,600
Because what if that was you instead?

231
00:14:00,600 --> 00:14:01,600
How would you recover?

232
00:14:01,600 --> 00:14:03,400
Turnabout is fair play now.

233
00:14:03,400 --> 00:14:04,400
Right.

234
00:14:04,400 --> 00:14:08,040
So if it wasn't just them, the supplier, now what?

235
00:14:08,040 --> 00:14:10,160
So it's a really interesting thing.

236
00:14:10,160 --> 00:14:12,000
And again, I'm tangenting a little bit.

237
00:14:12,000 --> 00:14:16,240
And again, because that's what happens in every podcast.

238
00:14:16,240 --> 00:14:18,600
It's really interesting to kind of look at how that works.

239
00:14:18,600 --> 00:14:22,480
And I thought that reputational stuff that Ann covered was fantastic.

240
00:14:22,480 --> 00:14:24,200
It's interesting.

241
00:14:24,200 --> 00:14:32,240
I also thought, as I was just kind of looking at the correlations, a lot of it is the now show me part of an

242
00:14:32,240 --> 00:14:41,960
audit. The yes/no questions of insurance applications have gone by the way

243
00:14:41,960 --> 00:14:42,960
side.

244
00:14:42,960 --> 00:14:46,800
It's the yes, but now show me what evidence.

245
00:14:46,800 --> 00:14:47,800
Yeah.

246
00:14:47,800 --> 00:14:48,800
Yes, you have EDR.

247
00:14:48,800 --> 00:14:49,800
Okay.

248
00:14:49,800 --> 00:14:50,800
What kind?

249
00:14:50,800 --> 00:14:51,800
Who manages that?

250
00:14:51,800 --> 00:14:54,480
And as my kids would say, what's their last name?

251
00:14:54,480 --> 00:14:55,480
What's their parents name?

252
00:14:55,480 --> 00:14:57,880
Like that's what my kids say.

253
00:14:57,880 --> 00:14:59,200
What's their, what do they do?

254
00:14:59,200 --> 00:15:00,760
Where do they go to school?

255
00:15:00,760 --> 00:15:03,560
Like we want more information, please.

256
00:15:03,560 --> 00:15:08,960
We want to make sure that we're validating that it's not just a, does someone, do we

257
00:15:08,960 --> 00:15:09,960
have endpoint?

258
00:15:09,960 --> 00:15:10,960
Yeah.

259
00:15:10,960 --> 00:15:11,960
I think so.

260
00:15:11,960 --> 00:15:15,360
Asking someone down the hall and sure, check.

261
00:15:15,360 --> 00:15:22,160
Well, you can't really do that anymore because you have to be able to prove where those go.

262
00:15:22,160 --> 00:15:27,640
And that's where it's the correlation back to car insurance.

263
00:15:27,640 --> 00:15:35,240
You're saying that all your cars have all the safety mechanisms as would that model

264
00:15:35,240 --> 00:15:38,520
year and whatnot.

265
00:15:38,520 --> 00:15:45,720
And if that were to change or not be true, you're eliminating yourself out of the game.

266
00:15:45,720 --> 00:15:53,120
Your insurance can say, sorry, you've eliminated yourself from coverage by doing X, Y, Z or

267
00:15:53,120 --> 00:16:03,000
not being completely forthright or having the right information on your policies or applications.

268
00:16:03,000 --> 00:16:07,840
I highlighted what I thought one of the benefits was of insurance.

269
00:16:07,840 --> 00:16:09,480
The downside, because it's only fair, right?

270
00:16:09,480 --> 00:16:10,920
We got to talk about the downside.

271
00:16:10,920 --> 00:16:12,720
The downside is exactly what I just covered there.

272
00:16:12,720 --> 00:16:18,120
The downside is that it's getting extremely complicated and it's very hard for organizations

273
00:16:18,120 --> 00:16:20,040
to fill them out by themselves.

274
00:16:20,040 --> 00:16:23,680
So the comment she made is, do we have endpoint protection or do we have EDR or is it

275
00:16:23,680 --> 00:16:24,680
the same thing?

276
00:16:24,680 --> 00:16:29,440
Those are complicated questions and most organizations are not well equipped to answer them.

277
00:16:29,440 --> 00:16:33,800
Inevitably they come to organizations like CIT or other professionals in the industry

278
00:16:33,800 --> 00:16:36,400
that say, here, let me help you through that.

279
00:16:36,400 --> 00:16:41,200
Again, the downside is it's unfortunate it's in a situation where you can't answer it on

280
00:16:41,200 --> 00:16:42,320
your own.

281
00:16:42,320 --> 00:16:45,120
The plus side to that is there are people that can help you.

282
00:16:45,120 --> 00:16:47,600
It's not usually an incredibly onerous process either.

283
00:16:47,600 --> 00:16:52,440
It's as long as somebody's working with you and they can tell you your control is a logical

284
00:16:52,440 --> 00:16:54,480
control like X.

285
00:16:54,480 --> 00:16:58,540
Your control is an administrative one like Y.

286
00:16:58,540 --> 00:17:01,320
Those kinds of things will help you answer those questions and you can get through them

287
00:17:01,320 --> 00:17:05,120
in a relatively painless method.

288
00:17:05,120 --> 00:17:08,760
If you're curious, if you haven't gone through one and you're curious what it feels like,

289
00:17:08,760 --> 00:17:10,920
it's like when you try to get life insurance.

290
00:17:10,920 --> 00:17:12,280
It feels like that.

291
00:17:12,280 --> 00:17:13,280
It's brutal.

292
00:17:13,280 --> 00:17:14,280
That was my net?

293
00:17:14,280 --> 00:17:16,280
We're on to Nate, Todd.

294
00:17:16,280 --> 00:17:17,440
It is.

295
00:17:17,440 --> 00:17:25,760
It's gone from just a couple questions about your random location.

296
00:17:25,760 --> 00:17:28,440
What do you do for a living?

297
00:17:28,440 --> 00:17:33,320
We'll be at your house, give you a health test, a blood test, and go ahead and answer this

298
00:17:33,320 --> 00:17:40,360
hour and a half of questions about your family lifestyle, history, health history, blah,

299
00:17:40,360 --> 00:17:41,360
blah, blah.

300
00:17:41,360 --> 00:17:47,160
For clarity, we're not currently asking for blood, to the best of my knowledge, but.

301
00:17:47,160 --> 00:17:48,160
Right.

302
00:17:48,160 --> 00:17:50,160
Oh, man.

303
00:17:50,160 --> 00:17:57,040
So, is there any, we talked a lot about how these two entities really work together.

304
00:17:57,040 --> 00:17:59,600
Are there any places where they fall short?

305
00:17:59,600 --> 00:18:07,080
Maybe places where insurance is saying, we're not interested in knowing about that specific

306
00:18:07,080 --> 00:18:11,840
compliance requirement or helping you with that or covering that, where do they sort

307
00:18:11,840 --> 00:18:14,240
of diverge, if at all?

308
00:18:14,240 --> 00:18:17,000
I would answer this from a different angle.

309
00:18:17,000 --> 00:18:22,920
And that's, Matthew and I joke all the time, another one of the CIT staff that does these

310
00:18:22,920 --> 00:18:30,640
podcasts, that the devil's in the details. They fall short where you may not have read

311
00:18:30,640 --> 00:18:37,520
what would be included or what the riders, what the exclusions, inclusions are within

312
00:18:37,520 --> 00:18:39,360
the policy.

313
00:18:39,360 --> 00:18:45,760
And I even try to counsel my teenage boys, please read the fine print.

314
00:18:45,760 --> 00:18:47,240
It's real dull.

315
00:18:47,240 --> 00:18:48,240
It's real dull.

316
00:18:48,240 --> 00:18:54,160
It's not, but when you find the little gems in there that could really hold up, that's

317
00:18:54,160 --> 00:18:58,600
where you can go back and say, no, we need this to cover ransomware.

318
00:18:58,600 --> 00:19:01,640
I don't see that anywhere in my policy.

319
00:19:01,640 --> 00:19:08,400
If we're going to go this far, we need this to have the ability to cover our network,

320
00:19:08,400 --> 00:19:09,400
replacing our network.

321
00:19:09,400 --> 00:19:10,920
What does that mean?

322
00:19:10,920 --> 00:19:13,160
And go the extra mile.

323
00:19:13,160 --> 00:19:20,680
And again, back to the car analogy, it's really going through and ensuring personally that

324
00:19:20,680 --> 00:19:22,720
your policy doesn't fall short.

325
00:19:22,720 --> 00:19:24,560
Do you need full replacement?

326
00:19:24,560 --> 00:19:27,240
Do you need reputational?

327
00:19:27,240 --> 00:19:35,400
Do you need, I hope I wouldn't, but I mean, just as trying to stay along those lines.

328
00:19:35,400 --> 00:19:41,880
But if it doesn't cover glass, the different riders don't cover glass, and that's really

329
00:19:41,880 --> 00:19:44,240
important.

330
00:19:44,240 --> 00:19:46,280
Does it cover your hardware?

331
00:19:46,280 --> 00:19:47,400
What does that look like?

332
00:19:47,400 --> 00:19:49,560
Does it cover your hardware in six months?

333
00:19:49,560 --> 00:19:51,320
That's not acceptable.

334
00:19:51,320 --> 00:19:57,200
And that's where reading the fine print is kind of the, I don't see that.

335
00:19:57,200 --> 00:20:02,320
I don't see that any one rider or, sorry, policy or application falls short.

336
00:20:02,320 --> 00:20:08,240
It's really looking at what it covers, what you're signing up to and what your needs are.

337
00:20:08,240 --> 00:20:15,800
So it's hard when the responsibility falls on either customers or organizations that

338
00:20:15,800 --> 00:20:22,040
aren't really in tune with what it means to replace their environment or adjust their

339
00:20:22,040 --> 00:20:26,480
reputation, ransomware response, that kind of thing.

340
00:20:26,480 --> 00:20:30,880
Yeah, I think, again, Ann covered it extensively in detail.

341
00:20:30,880 --> 00:20:36,160
The question to me of are there areas where there's problems, it's ironic that I mentioned

342
00:20:36,160 --> 00:20:40,200
there are some insurance organizations that may not have the maturity where they ask the

343
00:20:40,200 --> 00:20:42,360
in-depth questions yet.

344
00:20:42,360 --> 00:20:47,480
That may be a great example where Ann's highlighting, does this actually give you the coverage you're

345
00:20:47,480 --> 00:20:48,480
looking for?

346
00:20:48,480 --> 00:20:51,520
So you should look, you should pay attention to that and dig into the details of what

347
00:20:51,520 --> 00:20:52,520
that means.

348
00:20:52,520 --> 00:20:56,320
There's all kinds of things that are the devil's in the details, as she said.

349
00:20:56,320 --> 00:20:59,920
There are things like when do you contact the insurance and I'll be honest with you,

350
00:20:59,920 --> 00:21:01,920
almost every one of them says immediately.

351
00:21:01,920 --> 00:21:05,760
So the very first thing you do is you don't break glass and grab the fire extinguisher,

352
00:21:05,760 --> 00:21:09,840
you call the insurance company and if you work with a CIT, that's the very first question

353
00:21:09,840 --> 00:21:13,880
we ask you, you call us and we say, have you contacted insurance yet?

354
00:21:13,880 --> 00:21:18,560
So those things are in the contracts, you do need to look at them to make sure that you're

355
00:21:18,560 --> 00:21:22,080
getting what you're hoping to get, whether it's the amount of coverage, what the coverage

356
00:21:22,080 --> 00:21:25,640
costs, covers, et cetera, that's all incredibly important stuff.

357
00:21:25,640 --> 00:21:31,080
So businesses that have cybersecurity insurance, this seems like a silly question, but are

358
00:21:31,080 --> 00:21:37,600
they better positioned to meet those compliance standards than others or is that kind of the

359
00:21:37,600 --> 00:21:38,600
same?

360
00:21:38,600 --> 00:21:39,600
It depends.

361
00:21:39,600 --> 00:21:40,600
Yeah.

362
00:21:40,600 --> 00:21:41,600
Totally.

363
00:21:41,600 --> 00:21:44,280
I think the answer is yes.

364
00:21:44,280 --> 00:21:45,440
It goes both directions.

365
00:21:45,440 --> 00:21:49,520
If you're making progress on cybersecurity, you're most likely making progress on your

366
00:21:49,520 --> 00:21:51,600
compliance and vice versa.

367
00:21:51,600 --> 00:21:55,160
The ones that make it the most easy for us to walk through with them is if you're in

368
00:21:55,160 --> 00:21:59,960
a banking industry or something along those lines and you have been working on your maturity,

369
00:21:59,960 --> 00:22:02,880
we just zip through the questionnaire because we already know that you've got a lot of these

370
00:22:02,880 --> 00:22:04,200
pieces in place.

371
00:22:04,200 --> 00:22:08,240
There are occasions where there are things within them that are much more complicated

372
00:22:08,240 --> 00:22:09,400
to achieve.

373
00:22:09,400 --> 00:22:14,760
So for example, we see regularly as they say, do you have multi-factor authentication on

374
00:22:14,760 --> 00:22:18,800
every switch and so on and so forth, which is something that's ridiculously complicated

375
00:22:18,800 --> 00:22:20,880
to do, at least it is today.

376
00:22:20,880 --> 00:22:24,000
And so the answer typically for a lot of that, for most organizations, is no.

377
00:22:24,000 --> 00:22:25,720
That doesn't mean you can't get insurance.

378
00:22:25,720 --> 00:22:27,920
It just may impact the premium.

379
00:22:27,920 --> 00:22:32,000
And again, they may not know exactly what they're asking or how that is.

380
00:22:32,000 --> 00:22:34,440
But again, if you've got the right people, they can say, well, no, we don't, but our

381
00:22:34,440 --> 00:22:38,920
compensating control is X, Y, and Z. And you may be able to work your way through it.

382
00:22:38,920 --> 00:22:42,120
But again, partners can help you with that.

383
00:22:42,120 --> 00:22:46,920
That compensating control concept, completely part of compliance.

384
00:22:46,920 --> 00:22:49,920
That is something that your examiners would typically look for.

385
00:22:49,920 --> 00:22:53,000
So to end out today, I have one more question and then I'll open it up.

386
00:22:53,000 --> 00:22:58,120
If there's anything else that you wanted to share or we didn't get a chance to cover.

387
00:22:58,120 --> 00:23:06,640
So in very simple terms, compliance feels like this thing that you have to meet or you

388
00:23:06,640 --> 00:23:10,480
are going to get fined, you can't function.

389
00:23:10,480 --> 00:23:15,800
Cybersecurity insurance is this optional thing that is a huge safety net.

390
00:23:15,800 --> 00:23:20,120
And if you don't have it, you may also not be able to function as a business.

391
00:23:20,120 --> 00:23:27,760
Which one do you think is more effective in motivating businesses to prioritize cybersecurity?

392
00:23:27,760 --> 00:23:35,560
It's an opinion, you know, I don't know.

393
00:23:35,560 --> 00:23:40,680
I think it depends on industry, but it depends.

394
00:23:40,680 --> 00:23:43,320
It depends.

395
00:23:43,320 --> 00:23:49,680
I really think that there will always be organizations and even individuals that will

396
00:23:49,680 --> 00:23:55,240
wait till something breaks to think about getting a certain type of insurance no matter

397
00:23:55,240 --> 00:23:57,560
what it is.

398
00:23:57,560 --> 00:24:04,080
I think that that compliance element though drives more people from certain industries

399
00:24:04,080 --> 00:24:15,360
to be more aware of their risks and seek that risk mitigation tool insurance to support

400
00:24:15,360 --> 00:24:18,360
them in operations.

401
00:24:18,360 --> 00:24:22,360
Yeah, I think Ann nailed it again.

402
00:24:22,360 --> 00:24:26,520
The answer to me is it's probably a neck and neck race.

403
00:24:26,520 --> 00:24:32,280
I would probably give the slight nod to compliance depending on industry.

404
00:24:32,280 --> 00:24:36,360
You just don't see the same kind of adoption in, say, manufacturing as you do in some of

405
00:24:36,360 --> 00:24:37,360
the others.

406
00:24:37,360 --> 00:24:39,240
And that's not to say that they aren't making progress.

407
00:24:39,240 --> 00:24:40,360
I'm not picking on anybody.

408
00:24:40,360 --> 00:24:46,240
I'm just saying the industry specific, you don't see quite as much adoption on it.

409
00:24:46,240 --> 00:24:51,200
The reason that I would say compliance is slightly ahead is because more often than not, if you

410
00:24:51,200 --> 00:24:54,520
have a compliance industry, you most likely have a board that cares.

411
00:24:54,520 --> 00:24:58,560
And the last thing anybody in compliance wants is to get something from an examiner

412
00:24:58,560 --> 00:25:02,840
that comes back that says they have an item that needs board attention.

413
00:25:02,840 --> 00:25:06,320
That is something that scares the crap out of almost every organization that I've ever

414
00:25:06,320 --> 00:25:07,320
worked with.

415
00:25:07,320 --> 00:25:08,320
Right.

416
00:25:08,320 --> 00:25:09,320
You don't want to do it.

417
00:25:09,320 --> 00:25:10,320
Yeah, you don't want to take it to the board.

418
00:25:10,320 --> 00:25:13,480
It's rare that you give attention to certain things like that because it looks like there's

419
00:25:13,480 --> 00:25:15,680
something not going quite right.

420
00:25:15,680 --> 00:25:21,520
But ultimately, I think the answer really ultimately depends on the risk appetite of

421
00:25:21,520 --> 00:25:22,520
the organization.

422
00:25:22,520 --> 00:25:27,360
If that organization feels like they like to mitigate risks and get them out of the way,

423
00:25:27,360 --> 00:25:31,080
then you're going to see that they're going to adopt it much more readily and it won't

424
00:25:31,080 --> 00:25:36,720
matter whether it's insurance or a compliance in those type of situations.

425
00:25:36,720 --> 00:25:40,880
What you're typically going to see is insurance isn't this thing that's hanging out there

426
00:25:40,880 --> 00:25:44,800
as a hammer that you have to have that's going to force me to do it, which quite frankly

427
00:25:44,800 --> 00:25:47,680
is the reason why a lot of people do insurance do it.

428
00:25:47,680 --> 00:25:48,960
I'm sorry, not insurance.

429
00:25:48,960 --> 00:25:51,960
Do a lot of security things is because they've got this hammer out there that, well, they

430
00:25:51,960 --> 00:25:53,800
made me.

431
00:25:53,800 --> 00:25:58,120
If an organization is really low on the risk level, they're going to use insurance as a

432
00:25:58,120 --> 00:25:59,200
level of defense.

433
00:25:59,200 --> 00:26:01,080
It's not going to be it forced me to do it.

434
00:26:01,080 --> 00:26:03,560
It's just another tool in the toolbox.

435
00:26:03,560 --> 00:26:05,720
This was incredibly interesting.

436
00:26:05,720 --> 00:26:09,840
They aligned a lot more than I thought they were going to, which is great.

437
00:26:09,840 --> 00:26:13,400
So thank you so much, Todd and Ann, for joining us today.

438
00:26:13,400 --> 00:26:17,080
If you enjoyed this podcast, please like and subscribe.

439
00:26:17,080 --> 00:26:25,000
If you have a question or a topic you'd like us to discuss, please reach out to us at info@cit-net.com

440
00:26:25,000 --> 00:26:31,320
or head out to our website, cit-net.com/podcast, and we'll be back next week with an

441
00:26:31,320 --> 00:26:43,520
all new episode.

