Cyber Crime Junkies

How Business Can Transfer Cyber Risk

March 14, 2024 Cyber Crime Junkies-David Mauro Season 4 Episode 35

In this conversation, Jeff Severino and Nathan Borghardt discuss the importance of cyber insurance for small businesses. They share their background and approach to cyber insurance, emphasizing the need for risk transfer. They highlight 12 low-cost measures that small businesses can implement to reduce their cyber risk. 

The conversation also explores the costs and consequences of cyber attacks, the sophistication of cyber criminals, and the future of cyber insurance. The speakers stress the importance of engaging with insurance professionals and seeking education and resources to navigate the complex cyber insurance market. They emphasize the need to align with trusted professionals and continue to expand the market for cyber insurance.

Takeaways

  • Risk Transfer is a Great Way to Approach your Cyber Planning
  • Cyber insurance is a crucial risk transfer tool for small businesses.
  • Implementing low-cost measures can significantly reduce cyber risk.
  • The costs and consequences of cyber attacks can be devastating for small businesses.
  • Engaging with insurance professionals and seeking education and resources is essential for navigating the complex cyber insurance market.

Chapters

  • 00:00 Background and Approach
  • 05:18 Understanding Cyber Insurance as Risk Transfer
  • 06:12 12 Low-Cost Measures for Small Businesses
  • 15:23 Costs and Consequences of Cyber Attacks
  • 18:26 The Importance of Cyber Insurance
  • 20:46 The Sophistication of Cyber Criminals
  • 22:13 The Future of Cyber Insurance
  • 24:14 Engaging with Insurance Professionals
  • 30:30 Advice for Small Business Owners
  • 33:38 The Importance of Education and Resources
  • 35:47 Aligning with Trusted Professionals
  • 36:26 Continued Growth and Market Expansion

 



Today's episode is about how business can transfer cyber risk. Look, small business today is getting pummeled by cyber attacks, and Jeff Severino and Nathan Borghardt from Lockton Affinity join us in the studio to walk us through a practical and clear 12-step program for getting your organization on the mend and helping your cybersecurity defenses. There's a lot that most business owners and leaders in organizations simply are unaware of when it comes to what actually happens in a data breach from the victim's point of view.

That and more is in this episode.

This is the story of how business can transfer cyber risk.



 

Dino Mauro (00:23.31)

Today's episode is about how business can transfer cyber risk. Look, small business today is getting pummeled by cyber attacks. We're joined in the studio by Jeff Severino and Nathan Borghardt from Lockton Affinity. And they're going to walk us through a practical and clear 12 step program for getting your organization on the mend and helping your cybersecurity defenses.

 

There's a lot that most business owners and leaders in organizations simply are unaware of when it comes to what actually happens in a data breach from the victim perspective. That and more is in this episode. This is the story of how business can transfer cyber risk. Come join us as we dive deeper behind the scenes of security and cybercrime today, interviewing top technology leaders from around the world.

 

and sharing true cybercrime stories to raise awareness. From the creators of Vigilance, the newest global technology newsletter, translating cyber news into business language we all understand. So please help us keep this going by subscribing for free to our YouTube channel and downloading our podcast episodes on Apple and Spotify so we can continue to bring you more of what matters. This is Cybercrime Junkies.

 

And now, the show.


Dino Mauro (01:59.17)

Well, welcome everybody to Cybercrime Junkies. I am your host, David Mauro. And in the studio today, we have my cohost, my illustrious, always timely cohost from Kansas City, Logan Potberg, whose back is sore from shoveling a lot of snow today. And we have a really cool episode today. So we've got Nathan and Jeff from Lockton Affinity.

 

And I'm going to let them explain their roles and let them kind of walk everybody through what Lockton does. It's in the realm of cybersecurity insurance, which is very important for small to mid-sized businesses, especially as we talk more on the, on the mid part of that SMB space, but their approach to it is very consultative. We have a great relationship with them and there'll be links in the show notes.

 

to their organization there right in Kansas City. Lockton is a global phenomenon, but they are really leading the charge for the SMB space. So Nathan, Jeff, welcome. Yeah, we appreciate you having us. And Nathan and I head up approximately a $30 million unit of small business cyber insurance, serving what we call Main Street America.

 

I think it's a great place to start just to talk about our background and then we describe ourselves as the Forrest Gump of the cyber insurance market. And then what I mean by that is almost 10 years ago, we were both operating in segments that had nothing to do with cyber. And our teams kept coming to us saying, you know, hey, you need to check out this one product specific to small law firms, because we do a lot of malpractice for small law firms around the country. And we're not tech guys. We kind of threw it to the side.

 

And they said, and they kept saying, well, you know, this is affecting large law, but it's starting to bleed into small law. Let's take a look at it. We took a 12 page app, gave it to our head of IT at the time and they couldn't fill it out. And we said, oh, this isn't going to work. The price point's too high. The application's too complicated for the average everyday small business. Lo and behold, the designer that came back six months later, three question app. And that today is the largest standalone small law firm cyber program in the US. And from that.

 

Dino Mauro (04:15.062)

funded off into accounting program for small accountants, real estate and title, and the cyber market has just evolved over eight or 10 years. And we think our approach of not being IT professionals and really speaking to Main Street America and keeping things simple has created a very interesting practice to serve a need for small businesses right now that are just, they're facing this issue and it's just really hard for a lot of business to understand. So, they kind of, if you want to add anything to that, rambling.

 

A lot of what we do, like Jeff said, is very consultative and we act kind of as an internal wholesaler for Lockton. So we work with a lot of other brokers and roughly a thousand agencies across the country who transact with us, as well as the Lockton series on the small business. And like Jeff said, there's a lot of consultation in there because there's no consistency within the cyber market today. So it really takes somebody that's

 

well-versed in the applications and the coverages to really walk somebody through it. Because again, there's no consistency from what one carrier or one MGA is calling a certain coverage versus another. So it does take a pretty unique team to be able to go through and weed through all that and be able to explain how it connects with the actual coverage and the business needs. Absolutely, and I really like your approach. So share with us, let's step back a little bit. When...

 

business owners of a, you know, two, three, you know, anywhere from 50 to 500 employees, leaders in those organizations, business owners, and they wanna reduce their risk, they wanna reduce, they wanna offload that financial burden, right? And that's what insurance, that transfer of risk. What generally, just generally speaking, I know some of your products will offer different things, right?

 

But generally speaking, what are the things that cybersecurity insurance covers? Because there's, I just hear a lot of, I hear a lot of wrong things. People are like, well, that's never covered. Oh, that is covered. And I'm like, we need to talk to somebody that's doing this because we need to spread the actual, like not promulgate more myths, right? What can you guys share with us?

 

Dino Mauro (06:34.01)

I mean, I think there's two parts to that question or two answers. And I think the story I'll tell is I got brought on to a customer proposals, roughly a $30 million revenue business. It wasn't a small business by any means, medium sized business. And the owner had a, I'll describe him as a Southern California, he had long hair. And they introduced me as the head of cyber, which I thought was a very interesting introduction. And he says to me, Hey, that's me too. It's hilarious. Because I got my engineering degree from nowhere. So like, that's great.

 

And before I could even say anything that the owner says, he says, Hey, look, I just want you to know, I think cyber insurance is a load of, of horse crap. I mean, he literally starts off the call that way. And I said, well, it's, it's a very interesting start to the meeting. And I said, look, I think the way you need to think of this and any business owner needs to think of this is the cyber insurance is just the risk transfer part. That's all it is. It is just the risk transfer. You're taking the risk from the business and you're transferring it over to insurance policy.

 

And that's where you need to start. And then I said, well, let me back up and talk about what you're actually transferring. And if you're willing to absorb these risks, there's no reason to buy it. And in fact, I think if we're looking at a small business, we studied our claims data for 10 years. We had an outside company called Tetra, they've since been bought and the names changed. We had them look at our data and say, for small businesses, is there any commonalities in our claims data? Is there anything we can come up with at low cost or no cost the businesses should be doing?

 

And if you really look at it, we came up with 12 items and we said insurance is somewhere maybe in that five to 15 items on the list of things small businesses should be thinking about and doing. But let's back up to this risk transfer. And I told this gentleman, I said, look, whether you have insurance or not, these are the things you need to think about. Number one, if something were to happen to your system, so you come into work, you're shut down, what are you gonna do?

 

The very first thing you probably need to think about is, do I have an IT company, an outside company, a contact, a resource that I could pick up the phone in my time and need contact and that they're not going to take advantage of you in a tough situation? Do you have that mapped out? Do you know who you call should you have any issue that you could start having do some work or mitigate whatever problem you're having? I said, now if you truly have an extortion claim. And when we talk about what are the cyber insurance policies paying?

 

Dino Mauro (08:52.298)

I like to think about it in terms of the college football top 25. So today it's Michigan, they won the national title. Well, the number one claim area is extortion. Arnaud Wick, it's the Michigan of what the insurance policies are paying. It's the Taylor Swift of cybercrime. 100%. So if you're buying the policy, it's for number one, that extortion protection. Number two is the social engineering funds transfer. So that's your Alabama, that's your Georgia, that's number two. And then there's this huge gap.

 

that maybe drops you down into the 10 to 25 range and that someone gets into your system that's not related to extortion and your system, it breaches your system through email system. So those are, that's the claim side of it. But to jump back to the risk transfer. So we've got our IT professional that we're going to call, they're not going to take it back. So number one, yeah, let me, let me, let me back up. So you've got about these, these 12 things, because really, whether a small business,

 

California do, right? If, if, regardless of whether they engage in cybersecurity insurance purchase and transfer that risk or not, these 12 things are reality, right? So if the system shuts down, they will have to have somebody that they want to call, right? That's correct. And then number two is one. Number two is okay, if we truly have an issue, and they breached our system.

 

and we've got customer data, employee data, do we have an attorney we would call? Do we have an attorney we would call that's just gonna navigate us through the things that an insurance policy would take care of? Things like, do I have to offer credit monitoring? Do I have to notify my employees, my former employees, my customers that I've had an issue? So it's just these things to think about. Then number three. How do you communicate to them, right? Like how do you explain the breach legally?

 

without disclosing too much or right? Like that's a What are your duties? What are your duties? Do you have healthcare information where you've got HIPAA that you've got to deal with? Do you have, in the case of some law firms we've had that have been attacked, they've had to notify former partners. Imagine the damage there. You know, having to notify a former partner who's competing for you for local business or your clients and you've got to notify them that you've had a breach and some of their case files are now out.

 

Dino Mauro (11:15.278)

potentially in the public. Oh yeah, that's not going to be a suit at all. You're not going to get sued at all. Holy cow. And so these are just the things we're working through, whether you're going to file, what was taken. You've got your return cash on hand as a business, your balance sheet. If I'm shut down and I have my daily expenses, I have my payroll, my lights, my insurance, my cost to run my business, is my profit affected? These are just all things in the public. An amount for ransom. Do I have the cash in here? What about an amount for ransom? You might need to call the... And you're exactly right.

 

Yeah, you might need to cough up to 300 grand, 500 grand, a million bucks in Bitcoin. Like, do you know how to do that? Do you know how to do that? Or will that attorney you're hiring help you convert that to Bitcoin? So that's exactly the way we approach it and say, think about these things as a business. We'll get to those 12 things you could be doing at low cost, no cost that are going to keep you out or at least reduce the chance that you get into these situations.

 

But if you've got these other things squared away, you've got the cash on hand, you've got that attorney, you've got that IT, you know how to convert the Bitcoin, then I'd strongly, depending on, if you've got all that in place, I'd strongly recommend not looking at risk transferring and buying that insurance. It doesn't make sense. You've got it all squared away. If you don't and your business isn't in a position where you can absorb that risk, then it's...

 

then it's a situation where you look and say, what is my cost to risk transfer that to get, so I'm picking up the phone, it's a 1-800 number, and these things are in motion, because that's really what it is. And I think if we, if businesses or insurance people are taking it somewhere else, then, you know, then I agree with the guy saying, you know, I don't believe in this, but that's not what it is. Yeah, absolutely. So all of those elements add up to the 12. Am I understanding that correct? Because I, like under each one,

 

there's really like five or six subsets, right? So that makes sense. Those 12 are slightly different. And so the outside company that we had take a look at the claims data, they came back after putting an analysis of it. And they said, look, these 12 items, I would have every small business do. They're low cost, no cost things. And they're what is causing the root cause of these people getting into these systems.

 

Dino Mauro (13:28.862)

And so Nathan and I turned it into some marketing materials again with the idea that if you're not an IT professional, if you're just regular people like us, could I understand it? Now, we then went to 118 pages, about 10 to 15 pages for each of the items and got a little more technical, but it was stuff that you could just hand to your local IT guy or the kid that set up your server if you're not a big business and have them quickly implement. And a lot of things are just settings.

 

or just thinking through processes. Absolutely. The configuration. Yeah, it's the configuration. So many businesses are going to the cloud, and then you hear all these breaches in the cloud, and they're like, oh, the cloud's not secure. Yeah, it is. You have to configure it right, though. I mean, that's the whole point. We describe it as leaving your home, and you wouldn't leave your windows and doors wide open. And a lot of businesses are just leaving their windows and doors wide open.

 

And they're not even getting individually attacked or targeted. They're getting pulled in when they're searching for groups of businesses that have these vulnerabilities. Yeah. And, and, and we do the analogy of the home break in because it really, cyber crime, it really is crime. It's just crime online. And, and we do the analogy that when small businesses get sold a box, right? Like there's so many cybersecurity vendors that are like, literally we have this box. If you install this box, you will be secure.

 

And I'm like, that's not cybersecurity. Like, that's not the way it works. Right? It's a holistic approach. It's it's about layers, right? Because that is like, somebody coming in, they they're like, we have this outstanding, you know, military grade front door, and you will you can never penetrate this front door, go buy it. And that's great. But cybercrime criminals aren't dumb, right? And they have specific

 

modus operandi, just like criminals. And if you know, in your neighborhood, every Wednesday morning, between four and 6am, they're breaking into homes just like yours through the side laundry room window, what good is that steel door in the front going to be right? Cyber criminals are going to look at that and go, that's a great door. I'm walking around the side, right? Like, we're not going to go in through the front door, we're going to go into a side window.

 

Dino Mauro (15:48.562)

And so that's why understanding what's on the dark web, what the top tactics are, what they're doing today, because it changes all the time, will really help organizations defend. So I really like that. So you explain, look, maybe you don't need cybersecurity insurance, but you still have this risk regardless. And so you can transfer that risk. We have one bet phone basically, where you can pick up when every minute counts, because

 

when a ransomware attack happens, your icon, you can't use your computer, your icons turn white, right? Like everything is broken down, like you can't get on your phone, you can't check your email, nothing's working. You now have an 800 number where you guys will then engage legal, engage systems, and then there's also the technical audit aspect, right? That root cause audit, because...

 

they have to go in and find out exactly what happened from a technical perspective, don't they? Because if they don't, they're gonna come back, they're gonna come right back in. Average cost of forensics. And again, keep in mind, this is with contracts and relationships that do high volumes of business. So if you're out on your own with your IT professional, it's all more expensive. If you buy a dollar cart yourself, it's gonna be a lot more expensive than exactly our average cost of forensics is $10,000 just to find out what exactly happened.

 

And if ransom's involved, the average cost of forensics is in the six figures, a hundred thousand range. And so that's just the forensics part to diagnose what happened, what files were taken, what was out there, not the remediation steps. Well, Jeff's example of talking to somebody who says, you know, I don't need cyber insurance on the flip side of that, especially in the small business space. You talk to people and they say, I have cyber insurance and you say, Oh, you do. Okay. Well, let's, let's take a look at your policy. And they say, well, it's an endorsement.

 

You know, it's in their liability policy or it's on their professional liability, something like that. You see, you really start to talk to them about that. And you see they don't have coverage for anything that's happening today. No ransom, no social engineering, nothing like that. It's all third party liability coverage. It's a notification cost. It's data breach. That's it. But these people are lulling themselves to sleep saying, Oh, I checked the box. I, I paid $150 for my cyber policy endorsement.

 

Dino Mauro (18:06.138)

on my underlying coverage and it's not protecting them against anything that's occurring today in the marketplace. So it's an educational piece. That's a really good point, Nathan. So is that on top of like a D&O policy, like a directors and officers liability policy, or is that on top of a CGL policy, like a commercial general? Like where are those endorsements usually tagged on? It varies. You know, there's some in the professional liability space that has no cider.

 

a cyber policy that can be attached to it. BOPs, a lot of times, or package policies, have a cyber endorsement that can be added on. That's generally what we see in the marketplace. But that's all just third party. Correct. Oh, wow. You know, and the other thing that we see that's just been eye-opening to Nathan and I is when you sit with these businesses that have lived through this. And I think that would be the biggest thing I would communicate to. Oh, that's what changed my whole life. That's what changed my whole life. When I started to meet business owners,

 

that went through it and the emotional, like there've been guys that have passed out. One guy had a heart attack. Like it's, they see their whole lives flash before their I think when I first started this, I was a lot like that customer with the long hair that I referenced. I mean, I was sitting there, is this, is this real? Is this, is this really affecting these businesses? And I think Nathan and I have had a front row seat over the years of sitting now with business owners that have lived through this.

 

And we see so many businesses. There isn't a week that goes by that I don't have a small business owner telling me, like, I don't need that. I'm good. It isn't going to happen in Iowa. It isn't going to happen here. It isn't going to happen here. We see it all the time. Yeah, we see it all the time. Like it's not, we're rural. We're small. They're not going to get us. So long as you don't go online, you're fine. Just don't ever go online. And when you sit with these businesses that have had to live through this, we just had one the other day tell us if, you know,

 

it would have put us out of business to not have a million dollar risk transfer. The amount of time and energy and just that we've had to take away from our business to address this and keep the train on the tracks. It's unbelievable. And in the cases of ransom too, another resource that we have to bring in, in a lot of cases, is professional negotiator. And people don't even think about that. I mean, we'll have to bring in a professional negotiator.

 

Dino Mauro (20:32.446)

That's an art form because one of the things we do these public service initiatives where we're training people on best practices and how to be prepared. One of the things that we do is we just show a phone to like when we're presenting in front of a board. We're like if that phone rang right now, are you prepared to download Tails and Tor? Get on a Tox channel on the dark web and negotiate with a Russian cyber criminal. Because if you don't have.

 

insurance coverage in a plan in place. That's exactly what they're gonna ask you to do, right? That's the reality and they're just, they're like, that's not us, that doesn't, that's not gonna hit us. I'm like, that's exactly, you're exactly who they wanna hit. 100%. Yeah, and in the countries that they operate, in the areas that they operate, it's not illegal. For them to come in and ruin your business and to extort you and blackmail you,

 

It's not illegal. Like their programs are designed, right, to not hit CIS countries, meaning the Russians speaking all the different dialects, the Eastern Bloc, the Iranian blocs, the North Korean blocs, like their programs will not work on organizations using those languages. They're designed for us. And I say us, but it's also.

 

Canada, Australia, UK, right, EU, but it's but that's what they're designed for. And nobody's going to touch them so long as they don't affect anything where the Kremlin has ties or right. I mean, even though they're not run by the government there. But that's what's going on. I mean, you're spot on. But and I tell small businesses, you got to understand that.

 

you're up against. You know, I think they're in my mind when I first started this, I thought it was this kid in Northern California. Yeah, that's exactly right. That's exactly what we explained. We're like, you think it's a kid in a hooky hoodie, drinking Red Bull all night, cracking code, really, really smart. No, no, no. In his mom's basement. Yeah, I thought that's what you're up against. But that's not I mean, these are multi-level.

 

Dino Mauro (22:50.182)

office buildings set up in foreign countries. They're very well capitalized. They're highly intelligent. It's a profitable business model. And they continue to find, you know, innovative ways to extort victims. And I think people just don't conceptually understand that's what you're up against until you have to live through it. And then the other thing I think, it was just eye-opening for Nathan and I, we had lunch, we had dinner.

 

in New York City with a business partner of ours, and they do a billion dollars of US cyber premium, and this was the CEO of the insurance company. He was an interesting gentleman, and Nathan and I, again, we're not really IT background people or pretty naive in some of the regards of that, how it all works. We asked him the question, we said, where's this going? You know, 10 years from now, we've got this cyber practice, Lockton Affinity.

 

We're proud of it. We think we do a really good job of serving our clients. Where is it going in 10 years? Is it going to be here? And he looked at us and he said, without a doubt, 100%. And I said, well, how do you know? And he said, and his answer was fascinating. And I share it whenever I can with small business owners. He said, look, he said, do you remember the oil pipeline attack on the United States? He said, it was done by a group out of Iran called the Dark Side. And he said, the US government sent over Bitcoin.

 

And then Bitcoin was supposedly not able to be decoded. And if you really look back, the US government figured out a way to decode that Bitcoin after it was paid and pull it back. And then it was in the news and it was gone just as fast. And he said, that was a message to the world. He said, the message to the world was, we've got all kinds of technology and capability, but we keep our cards very close to our chest. And we do it because national, you know, world security, we like to not let everybody know what we're capable of and not capable of.

 

And he said, the message also was our critical infrastructure and our utilities are off limits, but US businesses are fair game. And he said, so they're not, they could stop it. The US government could stop attacks on US businesses very, very quickly, but they're not going to, and they're not coming to help. And he said, these businesses are on their own. And I think Nathan and I left there and said, okay, our value proposition or what we're trying to accomplish is important because we've got

 

Dino Mauro (25:10.03)

We've got to get to the small businesses and say, look, this is what your exposure is. You're on your own. The government isn't coming to save you. Do you even understand what your efforts? That is so shocking to hear that they have the capability, which they do. You've seen it too. They infiltrate some of these dark web markets. They take them down. A few weeks back, Black Hat. Was it Dark Side that was involved?

 

The dark side was involved and then they got kind of broken up and then they turned into dark matter. But all of these groups there, it's like a hundred and eighty five people and they're all they just rebrand periodically. It's it's some of the same. There's ties to oligarchs, all of that. And what's amazing is, you know, they take them down and then they get back up. They take them down, they get back up. But they can you see it when.

 

when somebody is attacking the wrong places, even in the US or in Western countries, they're gonna lock it down. They're gonna say, that's off limits. So it's so true. I mean, it's not unlike traditional crime either, right? I mean, like even because there's just, there's a limited number of resources and effort that can be applied. And so you have to say, well, this is still the Wild West. That's a part of risk. And

 

American businesses, that's what it's all about, right? I mean, you have the freedom to go and be captains of industry, but there's risk. There's inherent risk. And I think what you guys are doing is just fantastic. Let's segue a second and talk about the application process because I think that's so interesting because if that's not done right, correct, that can create other risks later on down the road, can't it?

 

Oh, absolutely. And, and, you know, Jeff made the comment early on, um, about the long application and our head of IT couldn't even complete it. You know, and you start talking about giving this to, you know, a husband and wife who own a business, right? They, you know, they hired Best Buy to set up their, their computers for them. You know, they have no idea what controls they have in place. And, and what we see often is they don't understand the questions, so they don't answer them. That's one. Two is,

 

Dino Mauro (27:35.414)

They say, well, yeah, we've got this all set up. We hired a professional to do this for us. So they check yes on everything. Yes, we've got all of these controls. We're secure. But what happens is at time of claim, going back to the forensics comments earlier when they're running forensics on that, figuring out where the claim came from, they don't have MFA on remote. If they don't have an EDR in place, then there's a possibility that the carrier is gonna deny that claim. So it's really just an understanding. And again, carriers, MGAs,

 

markets, whatever you want to call them, they all have different words, different coverage definitions. So some things, every word in those policies has been litigated, right? Like, absolutely. Right. So they all are terms of art. They mean different things. We have to understand what that is. Yeah. And some of, uh, some of the carriers they'll throw a coverage into, you know, an insuring agreement over here.

 

Another carrier will throw it in separately over here. So if you're looking at these different policies and you're not well versed in it and you don't know how to read the policy itself to see where that coverage lies, you could have a gap. And that's important for brokers to understand. There's a lot of brokers out there that we work with that tell us they're scared of cyber. They don't understand it. It's a new market. And because of the difference between all the different carriers and application questions and coverages, they don't even want to engage with cyber.

 

because it's too confusing right now. Right. Well, what do you guys recommend? No, I'm sorry, go ahead. No, that's exactly where I was going. The advice I would give to a business owner or a controller, and what Nathan and I see is just, they're so used to, there'll be one person, they'll be centered up on their insurance portfolio. So they'll be used to doing all the insurance transactions, and this is just a little bit different. And so I think the advice I would give them is just separate the cyber application from the normal insurance process.

 

They're used to just filling out all the applications and then they get to the cyber and they're either doing it themselves and going, oh yeah, I've got all this. Or they're taking it to their IT or their person that set up their server. And we're seeing that a lot of IT professionals are working very hard just to keep businesses moving. And there's sometimes a real apprehension when you bring them an insurance application and you don't properly explain that, you know, hey, look, I need you to be honest. I don't need you just to, out of fear, tell me I have all these things because you're going to think that

 

Dino Mauro (29:56.526)

you know, the controller or the business owner doesn't think they're doing their job. We see a lot of that. And so then at the time of claim, they go, well, I gave this to my head of IT and he said when we had all these things, but you never did. And so I think it's just this awareness of slow down. There's a lot of resources. There's a lot of things out there to help you should you not have these controls that are on these applications, but just get it to the right person, slow down, be honest, and then work through to get the controls in place. And I think there's just a lot of.

 

checking the box and then saying, well, it won't happen to me. Uh, or passing the buck until it does happen. And then there's a problem. Yeah. And, and wasn't it about a year and a half ago or so we saw that ICS and Travelers case in, uh, in central Illinois where manufacturer had said they had MFA and they had it on one, I think one firewall, but they got ransomware on a server. Well, that server didn't have.

 

And so they had said we have MFA, but they didn't clarify. And so generally what I've read is they should, when they're applying for the insurance, just put an addendum to say we have MFA, here's what we have it on, right? Just be right to like tell the whole truth and just be transparent because then Travelers could have, you know, adjusted their risk, maybe adjusted the premium or adjusted the risk, either not written them or

 

wrote them for a smaller amount or something like that, right? Like that's, it's still not going to blow up the deal necessarily. You're exactly right. Okay. So do you have like a standard recommendation that business owners should do? Like who should they run their application by? It's probably different, I imagine for every organization, but is it general? Do they run it by their lawyer, their IT provider? Is there a certain.

 

standard that you're seeing or a trend or no? It's all over the place, especially in small business. I mean, it really is all over the place. And we're getting on more and more calls with the business owners to walk through the application, really explain what these things are. If they're lucky enough to have an IT professional that works with them, a lot of times we're on the phone with the IT professional, walking through what these things are and how it relates to the insurance coverage itself.

 

Dino Mauro (32:17.994)

So really, you know, as with everything cyber, there's no consistency on who's filling it out. Right. Who are some of the bigger players? I know that there are a lot of insurers have gotten out of the market is like, who are some of the bigger insurers in cyber security? Is Travelers a big one? Is Travelers one like who? Travelers is the big ones, you know, Travelers and Chubb, you know.

 

Those are some that we see a lot in the marketplace. We interact with them quite a bit as well. They're those holistic carriers who have cyber as an offering. There's other cyber only carriers, Coalition's out there in the world. They've got a lot of premium as well. At-Bay is another one that we see quite a bit. Beazley's kind of in and out of the market. Just kind of depends on the risk. CFC has a big presence out there.

 

I mean, there's a laundry list of carriers and names that you would recognize, and there's a lot out there that you maybe wouldn't. There's smaller carriers coming into the space. Right. We've seen some new entrants. I mean, QBE, which is a big financially backed company, just entered the market, so that's good, gives consumers more options and helps with pricing. And then, London, and Lloyd's of London, have played a huge role in the cyber market in the United States, for dating back to the inception of cyber insurance, you know, 20, 25 years ago. And they...

 

they continue to have a huge presence and then play a big role in the US cyber market. So, you know, it ebbs and flows. And the other thing I would say about the US cyber market for people to understand is just the property market on fire and auto market on accidents. There's tons of actuarial data. People can predict the losses. They know how to remediate it. This is a completely different animal. There's no data and I describe it as the sharpest turns we've ever seen in the insurance industry. So market just.

 

pivots so quickly from a hard market, soft market, people running in, people running out, prices up, prices down. And I think that's going to continue at least for the foreseeable future until people can get a little better handle on what they're up against. Yeah, absolutely. So what is some, as we're wrapping up, and you guys, and we'll have links to Lockton, and you guys have a phenomenal blog, by the way, on your site, which is,

 

Dino Mauro (34:36.974)

gives some great, great insight. What parting thoughts or what kind of advice would you give to business owners that know, I mean, they generally have cybersecurity concerns, they know they either need or want cybersecurity insurance, they don't know if they can afford it, they don't know what it should do. What would you say to them? Nathan, you wanna go first? Sure. I would say engage with your agent or your broker.

 

You know, have that conversation, have them explain it to you. And if your agent or broker can't for some reason, if they're just not well-versed in cyber, you know, all these carriers have different resources out there. You don't necessarily have to be a policyholder with some of these folks. You can give them a call on their 800 number. They can walk you through an application. You can engage with people who are familiar with both the information technology, the information security and the insurance piece of it to help walk you through that. There's a lot of these markets out here today that

 

are really focusing on the small business. They're the ones that need the most help. And like we talked about earlier, it's 85% of the market in the United States. So they really need to invest some resources there. So ask questions. It's scary as a small business owner, but if you don't ask the questions, you're not gonna know the answers. So just engage with your broker, ask the questions. Yeah, and I would probably say, over the years we've met a lot of people, whether it's through IT, whether it's through IS, information security, whether it's the insurance side.

 

And my advice would just be align yourself with people that have the right intentions and their heart in the right place. Because there's just a lot of fraud going on out there. There's a lot of people getting taken advantage of. But at the same time, there is a group of people and we've been fortunate enough to meet a lot of them that their heart's in the right place and they're trying to help small business to try to educate them. They're trying to lay out options and say, look, I'm not just trying to

 

run a bill up or stick you with something you don't need. But here, let me explain this and let me help educate and let me help give you the tools and resources you need. There's a lot of that out there if you get to the right place. That's excellent. That's fantastic. So Lockton Affinity based in Kansas City, but you guys have a national presence. Fantastic. Thank you. Thank you so much. Any other parting words, any other thoughts that you'd like to...

 

Dino Mauro (36:54.686)

like to share, we really appreciate your insight on this. What's coming up next for you both? What's on the horizon? Are you guys doing any presentations coming up? Are you speaking at any business events? What's on the horizon? We do a lot of CLE presentations, continuing education for law firms, because we have pretty big law practice and they're a top five industry that gets hit. We also work with a lot of the healthcare risks because they have the HIPAA.

 

and HIPAA compliance concerns. So we do a lot of speaking around the country just to help educate lawyers and then give them their education credits. But, you know, and again, I think where we're at as a practice and it ebbs and flows with the years, we continue to build out and have more options than we did even a year or two ago, which is just good for the consumers and good for the market and make sure we've got options in a quickly pivoting industry. Nathan.

 

Yeah, I would agree. I mean, we're constantly scouring for markets. You know, we get solicited a lot from different companies. Like Jeff said, new entrants or maybe somebody that is established, but we don't work with. We do a pretty thorough job of looking through their policy form and making sure they kind of meets our standards. You know, Lockton has pretty high standards from a policy form standpoint. We won't write with just anybody. So we do a good job of vetting those coverages and those policies before we actually start transacting with them. So.

 

you know, we're going to continue to grow that practice. Um, as the markets continue to shift, we need lots of options because every, uh, every entity is different. Every business owner is different. We need to have options to satisfy all of them. Fantastic. Well, Hey, thank you both. Uh, Jeff and Nathan, thank you guys both. Uh, excellent insight. Um, I, I know our listeners will find a lot of value here. So

 

Dino Mauro (38:45.366)

Well that wraps this up. Thanks for joining everybody. Hope you got value out of digging deeper behind the scenes of security and cybercrime today. Please don't forget to help keep this going by subscribing free to our YouTube channel at Cybercrime Junkies Podcast and download and enjoy all of our past episodes on Apple and Spotify podcasts so we can continue to bring you more of what matters. This is Cybercrime Junkies and we thank you for joining us.