Cyber Crime Junkies
Socializing Cybersecurity. Translating Cyber into business terms. Newest AI, Social Engineering and Ransomware Attack Insight to Protect Businesses and Reduce Risk. Latest Cyber News from the Dark web, research and insider info. Interviews of Global Technology Leaders, sharing True Cyber Crime stories and advice on how to manages cyber risk.
Find all content at www.CyberCrimeJunkies.com and videos on YouTube @CyberCrimeJunkiesPodcast
Cyber Crime Junkies
Biggest Cyber Insurance Mistakes To Avoid
Joined by Joseph Brunsman discussing how to avoid cyber insurance mistakes, biggest cyber insurance mistakes to avoid, and how to transfer risk for SMBs.
Have a Guest idea or Story for us to Cover? You can now text our Podcast Studio direct. Text direct (904) 867-446
Get peace of mind. Get Competitive-Get NetGain. Contact NetGain today at 844-777-6278 or reach out online at www.NETGAINIT.com
Imagine setting yourself apart from the competition because your organization is always secure, always available, and always ahead of the curve. That’s NetGain Technologies – your total one source for cybersecurity, IT support, and technology planning.
🎧 Subscribe now http://www.youtube.com/@cybercrimejunkiespodcast and never miss an episode!
Follow Us:
🔗 Website: https://cybercrimejunkies.com
📱 X/Twitter: https://x.com/CybercrimeJunky
📸 Instagram: https://www.instagram.com/cybercrimejunkies/
Want to help us out? Leave us a 5-Star review on Apple Podcast Reviews.
Listen to Our Podcast:
🎙️ Apple Podcasts: https://podcasts.apple.com/us/podcast/cyber-crime-junkies/id1633932941
🎙️ Spotify: https://open.spotify.com/show/5y4U2v51gztlenr8TJ2LJs?si=537680ec262545b3
🎙️ Google Podcasts: http://www.youtube.com/@cybercrimejunkiespodcast
Join the Conversation: 💬 Leave your comments and questions. TEXT THE LINK ABOVE . We'd love to hear your thoughts and suggestions for future episodes!
Biggest Cyber Insurance Mistakes To Avoid
Joined by Joseph Brunsman discussing how to avoid cyber insurance mistakes, biggest cyber insurance mistakes to avoid, and how to transfer risk for SMBs.
the importance of cyber insurance and the challenges businesses face in navigating the complex landscape of cyber insurance policies. They highlight the four main buckets of cyber insurance coverage: third-party liability, first-party breach/cyber coverage, loss of business income, and miscellaneous coverage. They also emphasize the need for businesses to carefully read and understand their cyber insurance policies, as each policy may have different coverage terms and exclusions. The conversation also touches on the rise in cybercrime, the increase in cyber insurance policies, and the importance of proactive cybersecurity measures.
Topics:
how to avoid cyber insurance mistakes, biggest cyber insurance mistakes to avoid, rising demand for cyber insurance, Joseph Brunsman, biggest cyber insurance mistakes, biggest cyber insurance risks, understanding cyber insurance risks, how to transfer risk for smbs, how small business can transfer cyber risk, cyber insurance, cybercrime, coverage, affordable cybersecurity practices for small business, best cyber security tips for small business, best new ways small business can reduce cyber risk, cyber security risk for small business, cyber security small business, how small business can reduce cyber risk, how smaller businesses can manage cyber risk, how to handle a data breach for small business, latest advice on cybersecurity for small businesses, low cost cyber security for small business, low cost cyber security practices for small business, low cost cybersecurity practices for small business, managing cyber risk for small business, new cyber security tips for small business, new ways small business can reduce cyber risk, new ways smaller businesses can reduce cyber risk, outcomes of a data breach for small business, small business harm from data breaches, liability, breach, loss of business income, policy
Chapters
· 00:00 Introduction and Overview
· 01:08 Understanding Cyber Insurance: Coverage and Technicalities
· 04:51 The Complexity of Cyber Insurance Policies
· 08:28 The Importance of Trust and Brand Protection
· 13:32 Navigating the Challenges of Cyber Insurance
· 17:58 The Rising Demand for Cyber Insurance
· 23:25 Prioritizing Cybersecurity: Cyber Insurance as a Reserve Parachute
· 26:39 The Importance of Cyber Insurance
· 28:00 The Role of Cyber Insurance in Risk Mitigation
· 28:52 Understanding Loss Ratio and Trends in Cyber Events
· 30:42 Exclusions and Classification in Cyber Insurance Policies
· 32:35 The Challenges of the Cyber Insurance Application Process
· 34:01 The Need for Collaboration and Feedback in Application Process
· 35:52 The Importance of Comprehensive Application and Decision-Maker Involvement
· 37:13 The Uber Data Breach Case and Lessons Learned
· 39:01 The Role of Addendums in the Application Process
· 40:26 Navigating Breach Notification Laws
· 52:14 Prioritizing Cybersecurity and Collaboration
Takeaways
Cyber insurance is essential for businesses to protect against the financial and reputational risks of cyber incidents.
Cyber insurance policies typically cover third-party liability, first-party breach/cyber coverage, loss of business income, and miscellaneous coverage.
Businesses need to carefully read and understand their cyber insurance policies, as coverage terms and exclusions can vary.
The rise in cybercrime and the increase in cyber insurance policies highlight the need for proactive cybersecurity measures.
Compliance with breach notification laws and regulations is crucial for businesses in the event of a cyber incident.
Dino Mauro (00:10.904)
Put some whiskey in my coffee and we're off to the races here. Just like a Monday morning. Just like in the same recipe, Exactly.
Good stuff.
diesel that drives the truck, it did. And diesel can get expensive. Right, and diesel can be expensive. That is true. Joseph Brunsman in the studio today, we're going to talk about avoiding multimillion dollar mistakes and navigating new cyber insurance rules and changes. So Joseph, welcome, sir. I appreciate you being here.
I mean, Joseph, for people that don't know, you're a cybersecurity expert. You're a bestselling author of two incredible books, both of which I've read. Damage Control and Open Before Crisis. Excellent, excellent. Treatises, books, of research. It was great. Your background includes graduating from the United States Naval Academy, serving in electronic warfare and as a combat information center officer.
You hold a master's degree in cyber security law and you are currently president of Brunsman Advisory Group. So welcome, Joseph. I appreciate you being here. Welcome, Joseph. Hey, thanks for having me, guys. Appreciate it. So let's get right to it. The first thing I want to talk about is this.
Dino Mauro (01:40.152)
Let's first just go about addressing cybersecurity insurance from a high level start from the beginning. What is it? What is it covering and what is the technical thing? it not? Got it. So super high level here. What is cyber insurance? Two sides, four buckets exclusions. And that's pretty much it. Right. So it's like if I, you know, say you're with a car guy.
and you go to a car show and you're like, what's that? And he's like, that's like a 32 drop top coupe. And like, what's that? Well, that's Porsche 918 Spyder. They all kind of have something in common, which is generally they're going to have four wheels, a steering wheel, accelerator, brake, et cetera. So cyber insurance is a lot the same way. So you'll have different terms for the same idea of what's supposed to be covered. But relatively speaking, what are we looking at here? We're looking at two sides, four buckets, exclusion.
So the two sides, you're going to have third party claims and you're going to have first party claims. Now what does that mean? Third party claims that somebody wants money from your business. All right? liability. Like liability. Right? Yeah, exactly. it's probably the easiest scenario there is after some type of cyber event, let's say a data breach, right? A bunch of social security numbers got stolen. Your clients could band together and bring a class action claim against you. Very common.
Yeah, or let's say a regulator comes after you, right, for failing to have appropriate cybersecurity standards. That's what that's going to be part of, right? How about a HIPAA compliance fine? good question. yes. So there is kind of one little fun fact that think every business owner needs to be aware of. So if they all look at their policy, right, if they ask an insurance guy, hey, are regulatory fines and penalties covered?
So in this instance, we're talking about say HIPAA. So HHS OCR comes after you. We could be talking about the Federal Trade Commission. We could be talking about all types of other organizations, state attorney generals. Those penalties are insurable, were allowed by law. Now, where exactly is that insurable? I don't know. I mean, I have an idea in about two thirds of states to kind of what I can point to.
Dino Mauro (04:06.241)
But frankly, we just don't general. Yeah, just general. Generally, what do you see? Are things like that covered or? I know it depends on the state. It's so hard to say because we don't even have the case law to point to. Right. So unless somebody decides they're going to fight it right. You know, you were an attorney in a former life, right? So unless somebody is going to fight it and I can look at the case law or let's say an insurance company denies it and then somebody.
brings a lawsuit, and now we can say definitively how that was ruled one way or another. We just don't know, right? And the insurance companies are obviously very tight -lipped about that because every case is going to be unique, so they're not going to opine on their own policy language. And frankly, a lot of these statutes where they can bring these regulatory fines and penalties after some type of cyber event, they're just so vague with what types of laws they can utilize that
You know, a lot of it's really going to be, I think, to the judge, frankly, if it even gets that far. But the problem we have there is who wants to put their business name in court, right? Saying, hey, after a cyber event, they alleged all these terrible things we did. And then because of that, we are going to fight that because our insurance company says we can or we think it's insurable. People just don't want the bad publicity. So we just don't know. It's a really tough one.
Right, so that's viability. What about first party? what's the other? Yeah, what's the other bucket? So first party, there's four buckets inside of a first party. And we're going to call that data breach slash cyber event. loosely speaking, because it depends, but loosely speaking, a data breach is access and acquisition. So they have to get to it and steal it. PII, PHI, PCI. Right, so we can think.
healthcare records, credit card numbers, security numbers, et cetera. Secret information, like confidential information that's not supposed to be exposed to the public. Precisely, right. Or it could be a cyber event. So that'd be like a business email compromise, right? Where even if there's no social security numbers on your system, you got a bad guy poking around your network, things need to happen from there, right? So that's bucket number one. So what about wire fraud? So let me ask you this.
Dino Mauro (06:28.905)
In that scenario, when you have business email compromise, and I've got a couple clients right now who have like financial businesses, Mortgage, mortgage banking, ones of wealth management, and they've had wire fraud, right? Where it's social engineering, it's a data breach, but it actually involves the transfer of funds to the wrong account. They switch the accounts in either the payoffs or the invoicing or whatever.
Is that something that's generally covered? OK. So we'll get there in a sec. I'm jumping in. The way to think about these buckets is it's just an easy way to have a very distinct category. But often the buckets are going to overlap. Right. So the second category there was ransomware. The third category is what I call loss of funds. Right.
The first two categories, data breach, ransomware, the coverage elements necessary there are pretty well ironed out. We've been dealing with it for a long time. We know what has to happen. We know that if you have a ransomware event, could be damage and data restoration that's necessary. could potentially, you're going to need a negotiator, ransom payment, et cetera. And we should talk about that ransom payment here in a second, because that's part of the exclusion. So remind me.
So the third bucket is what I call loss of funds, right? So like, yeah, you could have a business team, a compromise, right? So could be bucket one and bucket three, coverages come together. But this is where business owners really need to start paying attention. Because if I say terms like social engineering, or I say terms like wire fraud, invoice manipulation, what does that mean? It doesn't mean anything. It only means what the
policy says it means. So you may... Each policy defines an event and what would be covered or what's not covered. Yeah, so it's very situational. Wow. Right? like, that's important because the CEO may go to the, we'll say the CFO to be like, get cyber insurance, right? And the CFO goes, hey, IT guy, fill this thing out. Make sure we get the right thing.
Dino Mauro (08:55.229)
And the CEO is really worried about social engineering. So the IT guy goes, OK. And then IT guy goes, hey, I need a quote with social engineering. And what's the insurance guy do? Hey, here's social engineering. Now, that could be precisely what the business needs, or it could be exactly what the business doesn't need. it's all about the scenario. So people have to stop thinking, because these are not
terms defined by statute. Like even the term cyber insurance, that's just an idea. That's not an insurance industry term. It's not a legal term. It's just this idea that people have. yeah. Wow. Yeah. which makes it really hard to look up court cases involving. Yeah. Makes it way harder. So for this third bucket, businesses really need to just
honestly read the definitions. And then on top of that, certain policies are going to have like maximum caps, right? Something called a sub limit. It's probably 99 .9 % of policies. There's going to be a sub limit. That's going to have a direct ramification on the internal controls because maybe you're a business wiring millions of dollars a week. Right. And the limit you would have if a bad guy tricks your CFO
into wiring your own business money somewhere it's not supposed to go, you may only have a hundred thousand. So in that case, that's going have a direct impact on the cybersecurity controls, right? Administrative controls, policies, procedures that you put in place. In addition to that, many of these policies now have rules before reimbursement. And this is one of those things that you have to understand that most jurisdictions
There's I'll say, legal duty for the insurance guy that's selling you this stuff to even read the policy, understand the policy, advise you if say there's a rule in their So brokers that are writing for premium don't necessarily have to be clear in giving the proper advice, unlike one size fits all insurance like auto liability. Right, exactly.
Dino Mauro (11:19.639)
coverage, which is like the same almost in every state, right? With a couple of variations, but generally, you know what you're getting. And the brokers have to have to if they say something would be covered, they could be bound by that. So you're saying there's different rules in cybersecurity insurance. Yeah, it just depends on the policy, right? the policies are they define is that because there's a lack of case law? Is it because it's so new and there's a lack of a
a long line of story decisions? Yeah, why is that? Yeah, it's, all these insurance companies just they're kind of doing their own thing. There's no. I'll just put it this way. Like, what is a what is an automobile accident? Right. The National Highway Traffic Safety Board says like, this is what an accident is. Right. This whole data set, you can go back 100 years and you can say, OK, if you're
a 16 year old male in this zip code with this type of car and you drive this many miles. yeah, it's codified, it's litigated, there's case laws, hundreds of years of case law. There's tons of stuff, so you can define it pretty clearly. Yeah, and with cyber can't do that with a cyber security breach or a wire fraud or whatever, because it's so different depending on the business and depending on the event itself. Yeah, I mean,
anybody watching this, could probably just hop onto their favorite web browser, right? Just type in two different strings of a phrase there, right? One is ransomware events are going down. One is ransomware events are going up. And you'll see both articles pop up. Like it's been that way for years. Why? Because we don't have a centralized database. And there are, without getting too nerdy, there are a bunch of legal reasons why. And so we don't have a
Centralized database and insurance companies can pull from we don't have really just standardized nomenclature that the court system use each insurance company I Would like to think they're acting in good faith, but I'm an insurance guy so I battle with insurance companies all the time We're writing for premium right they're gonna nod and sure it should be covered in
Dino Mauro (13:47.117)
and then write the premium, right? mean, that's of the reason why they got that. That's part of the reason why after the last few years, because they wrote for premium in the beginning. Now look at what that's going on in the market now. Yeah, it's just a blip. know, like, you know, in 2008, when I was coming into the insurance industry, there weren't that many data breaches. Now there's a few, but that's going away because before there wasn't that many. Unaware of how cybercrime works and how well funded it is.
and how it's only getting worse exponentially week after week, year after year. It's two years from now will be much worse than it is now. Interesting. Yeah. And it's... If you just look at the statistics from the insurance carriers themselves, what's going on in that market space right now, you can see exactly where it's going and what's going to happen. So let's talk about that. What are some of the new industry changes and the latest exclusions? Walk us through some of that stuff, Joseph.
So let me take one step back real quick. The fourth bucket, just for everybody watching here, is what I call miscellaneous, but situationally important. Hey, you know, this is a live stream, so I want to bring up what somebody on LinkedIn just brought up, Scott Chetten. Scott Chetten. A great example of confirmation bias. You'll always find what you're searching for. Great point, Scott. It's true. Absolutely. Absolutely. What I'm trying to write about this stuff and educate the public,
Man, that's a hell of a problem I deal with all the time, right? So I'm always searching. I have to go to both sides of every argument and try and figure out what is most likely to be true given the data sets that XYZ For this client, yeah. For this client, what is the most likely thing? precisely. Yep. So that fourth bug, miscellaneous but situationally important, it could be things that are...
super useful and necessary to the organization, it could be things that are entirely useless. So that could be like reputational harm, bricking coverage, crypto jacking coverage, all those sorts of things. And if people go on my YouTube channel, just search for my name on YouTube, you'll see a video called how to We'll have a link down below and for people on the podcast, we'll have your books and everything else linked too. So great stuff. thank you. Yeah, very cool. Absolutely.
Dino Mauro (16:11.949)
As far as the changes that are coming up, I'll preface it by saying this. The cyber insurance industry for the last, arguably 10, 15 years has functionally said, you can take a Rolls Royce, you can park it in the ghetto, you can leave the windows down with a full tank of gas, no tracking whatsoever, and leave the keys in the ignition and just walk away.
And if that car gets stolen, we'll pay you for it. Obviously that's not a good model as far as business goes. That's not a great business model, right? Because it's not a Ford Pinto that is parked, you know what I mean? Where the actual damage would be very limited. And if they actually get away with it, it's going to explode on them anyway. why is that?
Why is it because they've been writing for premium because of the increased demand or what? I think that every insurance company was it's really kind of two things. One, you had the traditional insurance companies going, if we don't do this, somebody else will. And maybe our insurance company, have four five different insurance policies with the average business.
If we're say travelers insurance and we don't do this, well then the Hartford is going to do it. Their agent is going to come in and take over all these other policies. So it's just a matter of survival. have to do this. And frankly, they were like, you know, candidly, when you talk to these guys, they're like, we have no idea what we were doing. We have no idea how to price these premiums. We have no data sets to pull from. So we were just shooting in the dark.
Right? They were like, hey, actuary do there were no actuary tables. There was nothing built out for this. Yeah. It just, wasn't there. Right. So they lost phenomenal amounts of Concurrently you had all this venture capital money pouring into the market saying, Hey, you know what? Cyber insurance is the next big thing. We got to get in now. We can burn through all this capital we've raised.
Dino Mauro (18:34.003)
in the interim of burning through this capital, we'll figure out, we'll get the data sets we need. Which kind of turned out to not really be true. That didn't really come to fruition, did it? Yeah. No. I came across the, me, I want to get your feedback. I came across the findings from the National Association of Insurance Commissioners, group I'm sure you all know. NAIC. NAIC, right there. Yeah, we don't deal with them all the time. But they were saying like,
some of the major trends is the massive amount of increased demand. So the number of policies, just check out this, check out this stat that they published. Like the number of policies issued and enforced, these are in the millions, right? 2015, there was like 2 .1, right? And by 2020, it doubled. So this is an explosive industry, right? Like it's really, they're,
the massive amount of demand that businesses have because of the rise in cyber crime is really driving a lot of this. Yeah, and it's the sad part about that statistic is I'm going to just all throughout a number here, conservatively, 99 % of those cyber policies have never been read by anyone, not the guy that bought it, not the guy that sold it.
I love it. Lack of due diligence in something that is your brand. Now people will spend millions of dollars, don't get me started, people spend millions of dollars in decades, right, buying a great CRM. will have higher app developers to develop the CRM. A sales team, they'll train the sales team, they'll build the brand and they'll go, we don't need to train our people on
Security awareness, that's not right. You don't invest in like the fact that we have remote workers now like, you know, what's the if there's a data breach, what's gonna cost me 10 grand? Fine, right and six months later like they find out that they were breached like it's not even something that they know about right away. These guys are in there for more than six months.
Dino Mauro (20:52.845)
stealing data, spying, gathering up stuff for other breaches, that stuff. And then they're destroying these brands. mean, we've seen, Mark and I have seen, there's a law firm in town that's been around since 1964. Like, and we've six months after a breach. Not because they were bad attorneys. Not because they were bad attorneys. attorneys. Because their clients don't want to work with them anymore. Why? wants to give them their information.
Yeah, everybody, everything anybody does is commoditized. Let's be honest with ourselves, right? You can find it somewhere else. And so the reason they're with us, the reason they're with you is because they trust you. Well, data breach is a torpedo right to the heart of that, right? It destroys crust. And so that's why I'm so shocked that they're not taking this more seriously. So I'm not surprised getting back to the
increased demand, I'm not surprised by that because they should all have covered Everybody should have They should have it. But now walk us through why they don't read it. Why don't they know about it? Do they assume that it's like auto policy? I've never read my auto policy. Like I did back when I was an attorney in the 80s and 90s. I read auto policy. I know I'm covered, right? And so that's it. Is it that type of mentality? I think it's a couple things.
One, it's like cybersecurity in general, right? To have a different analogy here. It's so overwhelming. Yeah, people think it's really complex. Yeah, a lot of people. They're like, this is so complicated. And it's so, I'm like, it's crime. It's not that complicated. But you boil it down, it's not that complicated. How some of the biggest breaches occur, it's a few steps by.
by ill -intentioned people. It's not that complicated, right? No, it's really not. I think it's, people see this 100 -page policy, which is a legal contract. think people need to understand. We say insurance policy is a legal contract. Business owners don't just sign legal contracts without reading them, without having their attorney involved. But somehow, cyber insurance policies, people just don't care.
Dino Mauro (23:19.181)
right? They're just sitting there going, well, I... Isn't it more important than their CGL policy or their... 100%. ...where policy? if somebody slips and falls on the production floor or they get a workers' compensation claim, okay, that's covered and it's not going to the heart of your brand. You're not going to lose customers because... Right, because somebody had a slip ...slip and fell in the production floor. You're not losing customers because of that.
You'll have to make a claim. He might be out of work, things like that. But you're not losing customers. It's a cyber breach. And everything can stop. know what? I don't care if someone's selling me a fish or a car or a piece of software. All of that's built on trust. Fundamentally, that's every business deals with, is trust.
Because we specialize in one thing that the other business doesn't. So there has to be some element of trust there. And whether you lost a bunch of social security numbers or you get into a bunch of like trade secrets, intellectual property that just gets stolen, published somewhere it's not supposed to go, you're losing trust, right? And that is the one, that's the one thing that businesses cannot afford.
to lose. And so even though I'm like the cyber insurance guy, my first recommendation to every business out there is, know, cyber insurance should be seen as more of like a reserve parachute. Right? Like you wouldn't just explain that. What do mean by that? Yeah. So I'm a huge proponent of defense in depth. And I say that from both a selfish and a practical perspective. Right.
The idea here is if you have to talk to me more than once a year when I'm taking your money, you're probably having a really bad day. And business owners who have never gone through these type of events drastically underestimate the amount of stress, time, and money that actually pours into it. So yeah, maybe you're deductible or your retention's only 5, 10 grams.
Dino Mauro (25:46.157)
What about all the man hours you're gonna have to put into this? I mean, we're talking serious amounts of time. What happens when every single piece of proprietary information your business has built for the last 30, 40 years is gone? You have no competitive advantage in the marketplace left. There's always something you don't want other people to see. And we've seen online where client lists get published.
with exactly what those people are buying, they're I mean, think about the law firm. They have all that attorney client privilege, the stuff that their own family members don't know that they're going to tell an attorney, right? It's almost like a priest or a psychologist or something like that. They're telling things that just the world does not know and is never meant to know. Same thing with medical professionals, right?
They are know things about your body, your history that nobody knows. then in business, yes, psychologists in business, there's intellectual problems. There's new products that they're going to launch a year from now that'll give them a competitive advantage against their competitors. The world can't know about it yet because they're not ready. Right. When that happens, that's a separate issue. All of that is even a separate issue.
than the loss of trust between customers. Like the loss of trust between customers is an overriding one, but that in and of itself is a lot of harm. And you know, people have this idea that it's just bad guys going after you. Your competition is absolutely, if you're a business of any size, your competition is in every available open source intelligence mechanism possible to find out what you're doing.
And if it just so happens that all of your entire database of information is now published online, they're going to find that and they're going to use that. they're going to find it. Of course they're going to find it. They're going to find it one of two ways. They're either going to simply download the Tor browser and go and get it, right? Or they're going to be approached. They're going to be approached by the hacker. Right? Because that's part of the double ransom.
Dino Mauro (28:09.537)
When you think of R Evil, or Russia, like one of the first guys that created the double ransom, right? Yeah, we're going to make you pay to get your data back, but we're also going to make you pay for us not telling your competitors about what we just saw and what we have in a copy of. Right? So, A, you think you're not going to Yeah, If A, you think you're not going to pay us, think again. Because A, you're going to pay us just to get the back.
They're also going to pay us a second amount for us not to tell and share the copy that we made of what we'll give you back, that extra copy that we have to the media, put it on social media, put it on the surface web. You don't even have to go to the dark web to get this. We'll be giving it to your competitors. and they'll have that or evil does that. They all do that. Yeah. And they put the screws to people. there are you can find it online where bad guys have left
voicemails to the executives like on their personal cell phones. Absolutely. hey, this is such and such from such and such, you know, cyber gang. You surely wouldn't want your social security number, your daughter's social security number, your wife's social security number. then, maybe the, you know, maybe someone in the C -suite is, you know, playing around on the side, right? Not exactly being the most
forthcoming with their relationships, right? I mean, that happens in large business. And so that's going to come out. mean, they will, they have no qualms about destroying your business and destroying your life, which is why I say just do everything you reasonably can to avoid this. And that's why I think cyber insurance is a reserved parachute. And increasingly, if you have a sizable cyber event and you try and renew that policy,
it's gonna be really damn tough. It's gonna be very hard. You know, that's a great point, Joseph. The cyber policy is not the prevention piece in this puzzle. No. That's not the prevention piece. That's not how to for white this coming forth. It's not it. This is a last step gap measure. and I will say that one of the people that are watching this is my wife.
Dino Mauro (30:34.829)
And she does read all of our policies. So thank you, Kemp, for that. I do appreciate that because Lord knows I don't. So if I had one, I would probably read mine. Yes, exactly. You should get insurance. So I do want to ask you this. One of the other things that the NAIC talked about is the loss ratio has drastically increased from like what 40
What did they say from 43 % up to 73 %? What is the loss ratio? Like I think I know what it is, but walk walk the list. Yeah, maybe explain that in a high level So a loss ratio is expenses divided by premiums Okay, so how much money they get by writing premiums compared to how much they pay out? Exactly
Yeah, right. it's total expenses. So that's everything from like administrative overhead to paying out claims, etc. divided by what they're actually bringing in in terms of premiums. Now, what you're seeing there, and it's kind of a weird term because it's a very vague term that doesn't necessarily really encapsulate what's going on.
But I think the most important part there is not even really the term, it's the trend line that you're seeing. Because what we're seeing is, I think we could loosely say, but confidently, cyber events are going up in frequency, right? And or they're going up in severity. And what does that mean? People at my level, at the broker level, we tend not to attract too many Mensa members. But the people running the insurance company,
Those guys, know, Harvard Business School, Yale undergrad, They can read a trend line and they can see where this is going. And that's why there's all of these new exclusions coming into play. So there are things in insurance policies. It depends on your carrier, depends on your business. Hopefully you've read your cyber policy, but you may have an exclusion in there, let's say for a widespread event.
Dino Mauro (32:58.093)
Right, so they add this little thing into the, you know, it's maybe on page 89 of 94 of a policy or something. And it says, hey, if the insurance company classifies this as a widespread event, then - they classify it, not the industry or the court system. Yes, But if the people that have to pay on your policy decide that this is in this classification, it's not covered. Yeah, and what the insurance companies are doing.
It makes sense. saying, if we they're looking at this going, you know, tomorrow some new vulnerability could come out and just shut the whole thing down. We as an insurance company, we don't have enough money to pay for this. We don't have the historical data to back this up. So we need a check valve here to make sure we're not going to go insolvent because obviously that's also very bad for society. And people have other types of policies with that company.
Well, that's the intention of the agreement. intention of the agreement is to share known risk. The intention of the agreement is to share known risk. The insurance company, they're not all, it's not a bad, it's not necessarily an all bad thing that they're doing because what they're trying to say essentially is, is we'll help you, we'll help you stay solvent and we'll back you for what we both know about right now. But because it's evolving every single week, if it's something that's a new trend, look,
we would never write the policy if we knew that's what you wanted covered. Right? about what happened in the case of it? Does that parallel to the case with travelers and ICS? Okay, good point. mean, let's let's let's let's go over that. So that has to do with like application risks. When you apply for new cybersecurity insurance or you're renewing your policies coming up for renewal, you've got to fill out that
application and there's that it also involves notification. What do you have to do when you are breached? Right. Do you have to tell the attorney general? Do you have to tell local law enforcement? There's states vary on that. But let's walk us through that. So Joseph, walk us through like in general, what are some of the application risks out there today that weren't weren't really around a few years ago? So the biggest risk, I think if people just take a step back, right, they could say, OK,
Dino Mauro (35:25.143)
We know insurance companies are losing money here. And what's the easiest way for a cyber insurance carrier to deny coverage? They're going to say, hey, you put something on this application that wasn't true, right? Or what we would call in the insurance industry, a material misrepresentation. Meaning, they known, had you told them the truth, they would have done something different. They would have either limited your coverage,
they would have not covered you or they would have written the policy and charged you a lot more premium. Exactly. And so the danger I think every business owner needs to take away from this is cyber insurance applications touch every aspect of a business. Right. You can no longer just say, hey, I T guy filled this out. No, because technology is a river that flows through every aspect of a company. It's not like 25 years ago.
when we had two versions of our lives. We had our business that we were running in reality. And then we basically had this electronic, newfangled digital version. But if that broke down, we still operated fine. It's your business. Right. It doesn't work that way. You can't pay employees, can't pay vendors, can't pay suppliers. You can't get on your CRM. can't find your clients. can't communicate with your clients. Everything stops when there's a data breach or an outage. So it's much different. Precisely.
Yeah, so the biggest problem I see with businesses, if they really want to get a handle on this, they have to understand that one, cyber applications touch all part of an organization and there has to be feedback on that application. Right. So what I see from the one poor IT guy that has to fill it out is he won't even know if the CFO has two person integrity on wire transfers.
over $25 ,000. How would he know that's not his job? That's a great point. Likewise, when a company just says, hey, CFO, go get this. Hey, IT guy, go get this. They're going to look at what their own worst case scenario is. And they're going to ensure for that risk. Right. But the CEO, maybe they're super worried that, hey, if we get hit, a bunch of our clients are going to leave. That's reputational harm.
Dino Mauro (37:50.753)
Whereas the CFO is gonna go, hey, you know what? If we wire a ton of money to some bad guy and that's not insured, I'm gonna get the ax. So that's what I'm worried about. And the IT guy is gonna go, hey, we have a ton of infrastructure here. I'm super worried about both bricking coverage and maybe our vendors going down. It's like dependent business interruption, because I don't wanna get fired. So what I see is cyber policies get steered to whoever's filling it out in their worst case scenario.
because it makes sense, but there's other parts of the business that are impacted. So really what needs to happen is there's got to be a powwow with all the decision makers to get together and say, okay, what are we actually worried about here? Then as the application's filled out and different parties are going to have different parts of that, right? Coming back together saying, okay, does all this make sense? Then once the quotes come back, then going,
back to the insurance guy and saying, this is what we're worried about. Show us in the policy where this type of scenario could be covered. All right. So it's kind of, so when we get to, yeah, so in that scenario, that's kind of what happened with Travelers versus ICS. They have a data breach, ransomware attack. Again, the second they and they get bolstered. Right. They go and they bolster up their things, they get renewed.
in the renewal policy, they do an application, they say, do you have multifactor authentication, MFA, right? It means basically when we log on, it'll send you a text or it'll send you an authentication to make sure that it's you, right? It gets to like the bank does, like anybody does that we use nowadays. It's part of everyday life. And basically they said, yes, we do, right? On the application, they basically said, yes, we do. And then,
the second data breach occurs and it is a server that is compromised by ransomware. And then they put the claim in and Travelers does what Joseph? so part of the policy is you have to comply with the investigation. You got to give up material. That makes sense because the insurance company needs that to potentially defend you down the line. They got to know what's going on. And it turns out that this, was called an MFA attestation that had
Dino Mauro (40:14.911)
effectively questions that were just unanswerable, truly. It turns out that no, they didn't have MFA on allegedly, I'll say, because the case is ongoing. They allegedly still didn't have MFA on routers, switches, firewalls, et cetera. And the key point there is the IT guy, what I believe likely happened is he's pressured into filling out that application and it goes out the door.
Hey, we got to get this done. this out. they did from from what I've read in the in the case and some of the research discussing the case. It looks like they had MFA, but they had it on like a firewall. They didn't have it on everything. They didn't have it on everything. And in particular, they didn't have it on the server that did this. And so that's where it gets into when you're doing an attestation. It's like an oath. Right. And when you think of it, you try.
You think of a witness that's going to testify enough. What do they have to swear to that they're going to tell the truth and the whole truth? Meaning you can't tell a partial truth, right? Partial truth. It's not true, right? It's got to be the whole truth, which means, yes, we have MFA, but we only have it on the firewall. That would have been the truth. That would have been the whole truth. And so they still could have done that though. Like how do they do it when you're in the application process, Joseph, in the industry?
don't they have an option of doing like an addendum, meaning explain what you mean. Don't just check the box. Say, here's an addendum. Yes, we have MFA, but we only have it on this. Will this suffice? And then the insurance company, they can say, yes, that'll suffice, but here we're only going to cover you this much, or we're going to charge you a higher premium. Or they'll say, no, that's not going to suffice. We're not going to cover you. Or they'll give you a chance to put MFA on everything. Exactly. And then we'll cover you.
And that's, it sounds so simple. Every conference that I go and speak at, my biggest point on applications is unless it is 100 % without question, a yes or a no, you add an addendum, literally just a word document at the end. Just explain what you have going on. Why is that important? You're trying to put the little onus back on insurance
Dino Mauro (42:41.613)
C addendum A, C addendum B, right? And just a word doc, this is what we have, we're happy to discuss or something like that, or let us know if you need us to do more or something like that. That way you're explaining and then if there is a breach at least, and the insurance company doesn't read the addendum, right? At least you told them, right? Exactly. If they don't read it, that's on can do it. Yeah. Yeah. But you to be 100 % forthright with that or as we're seeing bad things happen.
That's a big case because travelers sued them to cancel the policy, basically just retroactively go back to the beginning. Right. So they'll return the premium and they'll say, look, this policy never existed. So that's a pretty harsh, pretty aggressive. They're trying to make law on that one, which is pretty cool. And what's worse than that is they're going to ask when that business, if it turns out the travelers is correct and the policy gets rescinded.
That's not a declination of coverage. We can explain that to underwriters. Hey, they wanted something covered. It wasn't covered under the policy. That's a rescission. A rescission is effectively you live in court. It says you did. Every underwriter is going to Google the name or Bing or whatever the name of that company when they apply. Yeah. At least for the next three to five years, they will not have cyber insurance.
It's equivalent to being a, it's equivalent to trying to get auto coverage for your car if you've been a fake plaintiff making up claims and going to the chiropractor falsely and charged with insurance fraud. You're never going to get your car insured because of that. It's like being a truck driver that can't get insurance for his big rig. At a higher level, there's a lot more responsibility.
on business owners today and on internal IT, CIOs, IT directors, et cetera. There's a big change because of the changes in the cybersecurity insurance industry and because of cyber crime. They have to take this process more seriously. So they need to collaborate with outside IT consultants that are in the industry, insurance brokers that know what they're doing, right?
Dino Mauro (45:03.319)
Joseph, legal counsel, HR, like all of these people need to be engaged in that application process. like this reminds me of the Uber story because the Uber story, first of all, what a great like rise and fall story. Like what a, it changed the transportation industry as we know it, all starting one night at the Lee Webb conference in France where two like wealthy kids
who like sold startups were like, they're there to like change the course of the world in technology and they couldn't get a freaking cab. And so they go, well, this has gotta be better. We've got to be able to solve this. And they did and it changed all of our lives. Like pretty impactful stuff. It's like Steve Jobs level stuff. That's a great rise and fall story of Uber, like the bro culture, all the lawsuits, Calinec and the CEO, like it's a great story. But for cybersecurity,
aspects and internal IT. Their data breach, which was a massive one, and it was actually two, two, right? The first one happens and their chief security officer, Sullivan, is dealing with the FTC at the time. And while that happens, there's a second one and he doesn't tell them about it. then they actually
he and the former CEO actually go and try and keep the second one quiet because of stock price, because of an IPO, because of publicity, because Lyft is a competitor. There's a lot of societal reasons, right? Pressure on them. then now the end result is he's facing federal prison. Like he was indicted. He was indicted. He tried to get it dismissed in September. In December of this past year,
The federal court said, no, you are going to trial. So that trial is coming up in the next few months. A lot of eyes are going to be on that because it's the first time in history that an internal IT person is facing federal prison for the way that they handle the data breach. Right? Yeah. It's brutal. Or maybe a better term would be failed to appropriately handle. Failed to appropriately identify a breach.
Dino Mauro (47:26.221)
What did they do? They tried to pay the hackers like $100 ,000 each and they claimed it's for a bug bounty program. Right? So they have this bug bounty program. these tech companies have apps, they're like, hey, we'll pay somebody $100 ,000 if you can show us a vulnerability because that's a good, that's the gray hat, white hat hackers. That's exactly how it works. That's how works. That's how we know these apps are secure.
Because we have guys that can be bad, but they're doing it for a good cause. And they'll show the tech companies what the vulnerabilities are so they can fix them, fix the bugs. Right. It's why when we have apps, they will go and we'll get an update on the app because it says bug fixes. Right. Yeah. That's how they knew about it. Right. They found something. Right. So what happened here is they he had allegedly and all of this is just allegations. We don't know. We didn't we weren't there.
But he allegedly paid these guys instead, he actually paid the ransom, right? To get the data and the systems back operating. But he claimed it was under a bug bug. Right? And then didn't disclose this to the FTC. And then there was a change in the CEOs. And then he didn't, he wasn't forthright with the new CEO. Then the new CEO terminated. So really, really be worthy of a whole Cybercrime Junkies episode right there, Dave. Yeah.
It really is. in your book, Joseph, you talk about like notification, you talk about the Uber case, and you talk about notification laws. So walk us through that and then we can wrap up. there's different states require different things, right? When you have to tell law enforcement? Yes. So there's, we call them breach notification laws.
Probably not a good term. I wish we had a better term for it. We can blame California for that. many of these state laws, there's two parts to it. The first part is they could have data security requirements built into those laws. And what business owners typically don't understand, if we're just talking about state laws, the state breach notification law that generally applies, it has nothing to do with where your business is located.
Dino Mauro (49:51.861)
it's where your clients or residents of. you could considerably. it's like in Indiana, have the state, have the attorney general has the wall of shame. So you have to notify and your company is on there, the date of the breach and then when they were notified. Right. And then the type of breach and the number of people that were affected. And what's interesting is the timeframe is always more than six months.
But usually like it's like, yeah, we found out about it on or the breach occurred on this date. We learned about it on this date. And within 45 days, we told the government. But the point is, it's like their hackers are inside without their undetected for a long, long period of time. which is not unheard of that the bad guys are in there for a long time. And I think the probably the biggest point I want to say in the beginning here is
Businesses have no idea how complex this is to deal with even, let's say a guy loses a laptop and it's got credit card numbers on it. You can't run forensics on that. So now we immediately have to default to, we have to notify everybody that reasonably could have their info on that laptop. Right? It's a very, very difficult thing to do. And that turns into this just complete spider web of state laws, potentially
federal laws involved, you're gonna have all sorts you're in compliance, if there's compliance, there's that Texas Christian Hospital where somebody lost one tablet. was like a work tablet. They lost it when they were checking into the airport. And it wound up being a three and a half or 3 .1 million dollar HIPAA fine for that one device. Because on that device, they were able to access PHI, private healthcare information.
Yeah, just in mental violations. Yeah, all these laws, all these different states, once again, it depends on where your clients are residents of. So it's huge patchwork spiderweb. They all have different requirements. I've read all 50 different state and territory, British notification laws. They're all different. And you have and you have a substantial is there a percentage that it applies to or does it apply to any question? Right. Like if I'm a business and we have
Dino Mauro (52:18.719)
a couple locations in Indianapolis, Chicago suburbs, but we do most of our business, but we've got a couple California clients. We've got a couple clients in Arizona and some on the East Coast. Will we have to notify those states as well? Well, you have to notify first, you have to notify those residents in accordance to those state laws that apply to them.
But then within those laws, there's gonna be different thresholds, the different timelines for the different states to say, okay, who has to be notified? there's various state laws out there that if you reach, if it's even one person, you have to notify this guy. Yeah, like in Indiana, I think it says 100, I forget the number, but there's a number of residents. So if it's above this number of residents that were affected by the breach, you have to notify the state of Indiana's attorney general's office.
So it's something like that. So if California says 50 and you have more than 50 California residents that were at risk here, you have to notify those residents and you have to notify the attorney general in that state as well. Which brings us back to kind of go full circle here. There are regulatory fines and penalties in many of these laws and many of these laws have just these.
very vague requirements, called reasonable cybersecurity standards. Now what is reasonable cybersecurity? And I'll stop yapping on this note. The best way to explain it is if you are at the wrong end of a very long table and you have to go through the entire NIST cybersecurity framework line by line and validate why you did or did not spend money on something as far as security controls go.
to a bunch of government bureaucrats that are gonna get paid on the 1st and the 15th if World War Four breaks out, they're still getting paid. They don't care and they have to validate their own existence to keep the funding going. Think of the downtime, the energy, the cost of having to make yourself compliant post breach. It's unbelievable. And those ongoing compliance costs, those are not insurable. No.
Dino Mauro (54:36.493)
Let's say the Federal Trade Commission comes after you. They've gone after big businesses, small businesses, sole proprietors, defunct organizations. Those are 20 year consent orders with like 25 different mandatory things. Plus you to get, you know, third party attestation to the validity of what you're doing, which all just boils back to, yeah, I'm the cyber insurance guy. You only want to talk to me once a year. You have to get cybersecurity in order. Like that's...
Like step one, sit down, even if you're a CEO and you're listening and you have no idea where to start, go to your MSP, sit down with your IT guy and just go, hey, I want you to just give me a wish list, right? Rank order, biggest bang for the buck in terms of increasing our security. Let's at least get a plan in place.
even having a plan. Incident remediation plans, incident response plans, what will happen if there's a breach? Make sure that when you have remote workers that there is EDR, there's endpoint detection response involved, and then clearly, absolutely make sure you are training your employees who get online. Because as we always say, it doesn't matter how much you spend on infrastructure,
and servers and firewalls. If our employees let them in, none of that stuff matters. We let them in right around all that stuff, like phishing emails, going to the wrong site, putting in USB drives, you name it. There's a whole host of things that users do because they're just unaware. So Joseph, thank you so much. Bestselling author Joseph Brunsman. Check out his YouTube channel. We'll have it in the link.
Check out the books available on Amazon, Damage Control and Open Before Crisis. Joseph, thank you so much. It not be the last time that we speak. will talk to Absolutely. Thanks, Joseph. Thanks, for joining. We appreciate it. Have a great day. Thanks, everybody. Bye. Hi, Cybercrime Junkies. Thanks for listening. Got a question you want us to address on an episode? Reach out to us at cybercrimejunkies .com. We explore why cybercrime grows daily.
Dino Mauro (56:52.609)
how it is funded, productized, and organized, how to protect yourself, and where cybercrime goes to hide. And thanks for being a cybercrime junkie.