Cyber Safeguard: Navigating the Essentials of Cyber Insurance
NPI Tech Guys, April 13, 2024, 0:24:50, 22.74 MB

Explore the essential protections of Cyber Insurance in this episode of NPI Tech Guys / TechWatch Radio. As cyber threats like ransomware and DDoS attacks grow more sophisticated, understanding and securing the right insurance is crucial for any business. We'll discuss what cyber insurance covers, its necessity in the face of increasing digital risks, and how it should complement robust cybersecurity measures. Learn about the role of personalized coverage options and the importance of a strong cybersecurity posture in securing effective insurance. Join us as we navigate the complexities of cyber risk insurance to safeguard your business assets.

[00:00:00] All right, happy to have you along my fellow tech enthusiasts.

[00:00:22] I'm Sam Bushman with NetworkProvidersInc.com, NPITechGuys.com for the podcast site and the radio broadcast site.

[00:00:31] That's NPITechGuys.com. Thanks for being alongside for the ride.

[00:00:34] Hopefully that'll be educational and entertaining as we keep an eye on tech so you don't have to.

[00:00:38] Jay Harrison is alongside for the ride. Welcome, sir.

[00:00:41] Howdy guys.

[00:00:44] We're doing absolutely fantastic. Hope you are as well.

[00:00:46] I've also got Newman with us.

[00:00:48] And what's your title, Newman?

[00:00:50] Are you just like everything tech? Is that what it is?

[00:00:52] Pretty much everything.

[00:00:54] Master Geek, or CSO for Network Providers, but Master Geek for everybody else.

[00:01:00] All right, Master Geek, Sam Bushman.

[00:01:02] And tech so you don't have to.

[00:01:04] You know what? I want to talk about insurance today.

[00:01:08] Cyber insurance specifically.

[00:01:10] It's a complicated world out there, Newman.

[00:01:13] So it is beyond belief what's gone on in the last couple of years with cyber insurance.

[00:01:21] Just with cyber insurance alone, a lot of people ask me, hey do I need it?

[00:01:27] And the answers are always the same.

[00:01:29] Well, bad actors are everywhere.

[00:01:32] Employees are not trained.

[00:01:34] And do you have security policies and procedures in place?

[00:01:37] That would kind of answer that question whether you need it or not.

[00:01:43] And I would say this, you know when people ask do I need it?

[00:01:47] My response is this.

[00:01:48] It's kind of a risk-reward analysis the way I look at it and say, you know what's at risk for you?

[00:01:53] Let's kind of document right down the things that could be at risk if you don't have it.

[00:01:57] So let me just ask you if, for example, ransomware took over your network or took over your storage of files

[00:02:04] or whatever reference point you want to refer to.

[00:02:07] Would you recover?

[00:02:08] What would happen to you?

[00:02:09] If all of a sudden, you know your quick file was corrupted and ransomed or this and that and all the way down the line.

[00:02:14] Your email, your corporate documents, your storage, your drive, your backups, what would happen to you?

[00:02:19] How catastrophic and financially problematic would that be for you?

[00:02:24] That's kind of the start of the discussion, right, Newman?

[00:02:26] Oh it is.

[00:02:27] And the fact is, do you have the controls and policies and procedures in place that you can actually safely say

[00:02:35] to your CEO, we can be back up within an hour of ransom.

[00:02:41] I don't think a lot of companies can do that.

[00:02:44] And even with the cyber insurance form, I mean it's listed out in three sections on most of them.

[00:02:50] It's network and security controls, ransom controls and phishing controls.

[00:02:56] Where does ransom come from?

[00:02:57] 80% of the time?

[00:02:59] From phishing.

[00:03:01] Emails. Wow.

[00:03:03] The reason it's broken down into those three areas, folks, is those are the most catastrophic of all.

[00:03:08] And what you need to remember is even if you get cyber insurance and you put it in place and dot the

[00:03:13] i's and cross the t's with the contract, if you're not living up to what the contract mandates you do,

[00:03:19] you might end up in a situation where ransomware happens, phishing happens, some of these problems occur.

[00:03:24] And the insurance is going to say,

[00:03:27] they're going to do their investigation, their audit, their internal, whatever.

[00:03:30] And if you don't have your ducks in a row, keeping up your end of the contract,

[00:03:33] they're out, Newman.

[00:03:35] That's correct.

[00:03:36] And the biggest thing that we find is the cyber insurance is all about

[00:03:42] multifactor authentication.

[00:03:44] If you don't have it, it's not,

[00:03:47] it's not could it happen?

[00:03:48] It's when will it happen?

[00:03:51] The whole key to this insurance is that they just want you protected.

[00:03:56] And if you're not following it, they're going to cancel your contract.

[00:04:02] Now, it's interesting to note too that there's all kinds of PCI compliance related to credit cards and financial transactions where you've got to document

[00:04:09] the security of kind of your stack, whether it's on your website or who you're going through for payments and your gateways and

[00:04:15] how much is controlled on your local computers versus how much is in the cloud and who controls what?

[00:04:19] And when you certify the PCI compliance, it's a massive, massive bunch of questions that are very detailed that you've got to double down and do.

[00:04:29] And if you don't, I don't want to say lie, but if you don't understand it and document it right,

[00:04:35] that can come back and bite you in a big way financially as well, right?

[00:04:39] Oh, you end up getting a larger percentage taken out of all your transactions that you get.

[00:04:45] And a lot of people, you know, they do this with PCI.

[00:04:49] They get these transactions and everything.

[00:04:52] And then the company says, hey, we can save you money if you answer these questions and put these controls in place.

[00:04:58] And they never really read the email.

[00:05:01] They just, oh, it's just another information email where it could have actually saved you quite a bit of money in the long run.

[00:05:09] Jay, you want to chime in here a little bit?

[00:05:11] Yeah, I've done these PCI forms before and they're very long and most companies.

[00:05:17] They can't understand it, especially if IT is not your thing.

[00:05:20] If that's not what your business is about, there's a lot of complex questions about wireless access points

[00:05:26] and how numbers are stored and tokens and everything else on your network.

[00:05:31] And it could be difficult for the average small guy to do.

[00:05:35] I totally agree, and that's where Network Providers can help.

[00:05:40] A lot of times people ask me, how can I lower the premium?

[00:05:44] And I said, well, there's some basics.

[00:05:46] One is our cyber security IT compliance checklist that you can download and view off our website.

[00:05:53] The other is to provide cyber security training every six months.

[00:05:57] That way your employees are actually in the know, create policies and procedures.

[00:06:03] But the most important is you have to audit the environment, either biyearly or yearly,

[00:06:10] so that you know that your baseline is secure.

[00:06:14] And maybe you have to get a managed SOC, or even something like Network Providers provides

[00:06:19] is a vCSO, a virtual security officer, that can help with the baselining

[00:06:26] and gets you compliant with these regulations.

[00:06:30] And just so people understand when you talk about that security officer,

[00:06:33] most small to medium companies are like well we can't just afford a person, you know, to do that.

[00:06:37] So a lot of times when you go to NPI for something like that, NetworkProvidersInc.com,

[00:06:41] to learn more, to get signed up to discuss some of these things.

[00:06:46] But I bring this up because you get a fractional, a fractional officer kind of like people

[00:06:51] do fractional CEOs or fractional CEOs or this kind of stuff.

[00:06:56] It's similar in that you can have basically an outsourced fractional security officer

[00:07:00] that really understands it can actually take the time consistently to keep up on it

[00:07:04] because it's not a one and done thing either, Newman.

[00:07:06] No, it's not.

[00:07:07] And I mean, it can be one quarter of the cost of hiring.

[00:07:11] I mean, these guys require close to 150,000 a year.

[00:07:16] That's not including insurance everything.

[00:07:17] So with that, it gives you the ability that we can actually manage your security

[00:07:24] because we want to take the approach of even if you have another IT company,

[00:07:28] who's monitoring the monitors.

[00:07:31] You should always have a second party to monitor the security side of it

[00:07:36] and give you a complete and unbiased review of your entire system.

[00:07:44] I'm convinced it's about keeping records too.

[00:07:46] So if you can do these reports go through these things, train your employees

[00:07:49] and you can document that in meaningful ways,

[00:07:51] then if you ever need to do with the insurance company, you can say, hold on.

[00:07:54] We train our employees every six months.

[00:07:56] Hold on. We have this security expert in place.

[00:07:58] Hold on. This is the checklist we're using.

[00:08:01] Here's the last five times or four times we've filled it out over the last year

[00:08:04] or two or whatever the case may be.

[00:08:06] And you can document that.

[00:08:07] Then even a lot of times in their audits, even if something's not perfect,

[00:08:11] if they know you're really doing the best job

[00:08:12] you can, they'll probably be willing to work with you on it knowing that it's a complicated

[00:08:16] industry. Even the best can't have it perfect because things change.

[00:08:20] Sometimes there's zero day vulnerabilities and all these kind of things that,

[00:08:24] you know what? You can prepare for most things and you can reduce your risk reward

[00:08:27] analysis big time. But you can't make it zero either, Newman.

[00:08:31] That's correct. And things that Network Providers can help with

[00:08:35] is the baseline as you talked about.

[00:08:37] Get a baseline. Know where you're at so that

[00:08:40] you can do changes in that and schedule the changes so that it's not so harsh

[00:08:46] on the environment and cost you money and things.

[00:08:49] But also we have great next-gen antivirus.

[00:08:52] We also have spam and phishing protection that is

[00:08:56] AI based and amazing. And we can do all this plus we have regulation experience

[00:09:01] of over 15 years. So we've been doing this a long time

[00:09:06] and we know how to help people and what to do to get them focused.

[00:09:10] It's important to realize with this insurance too there's kind of basic cyber

[00:09:14] insurance that you can get for different things

[00:09:17] and the more detailed the insurance becomes the more liability protection you have

[00:09:20] that that drives the premium up. But what also drives the premium up just so

[00:09:25] people kind of understand this is if you are in a special

[00:09:27] industry let's just take finance. Finance a lot of times has

[00:09:31] fiduciary responsibilities that go along with it on top of it.

[00:09:34] If you run, say, pharmacies or these kind of different things, oftentimes there's

[00:09:38] HIPAA compliance that needs to happen, or if you're a physician or a doctor's

[00:09:42] office, a dentist office, there's all these other compliance things on top

[00:09:45] of it that make it even more uniquely specialized with more regulations

[00:09:49] that man unless you have somebody that does that all day you'll never keep

[00:09:53] up Jay. What do you think Newman is the

[00:09:57] percentage of businesses small maybe even medium-sized businesses

[00:10:01] that are buying ransomware insurance or cyber security insurance?

[00:10:07] Right now it's about 40% to 45% is what I'm seeing,

[00:10:12] and they're paying outrageous amounts because

[00:10:15] they marked questions wrong on the form when they could have actually

[00:10:19] implemented those very quickly before filling out the form,

[00:10:23] so that they could then be protected and say, yes, we now have two-factor on

[00:10:27] and we're very happy. And even the insurance companies will come back and

[00:10:32] say, when you say no, are you sure you don't want another day or two to

[00:10:36] implement these things to make sure it's a yes?

[00:10:40] Because the insurance companies are not out there to just take your money.

[00:10:43] They ultimately want you protected. They don't want to pay.

[00:10:46] Right, yeah. That perfect world where they take your money and they wouldn't pay out a

[00:10:49] penny ever, right? It's not like insurance, right?

[00:10:53] Right. Now this is interesting too. When Newman says 40%

[00:10:56] to answer your question for small to medium businesses, I want you to kind of

[00:10:59] understand: the more you get towards a medium business, the more likely they'll

[00:11:02] have some kind of a cyber insurance. The tiny or the small company businesses

[00:11:05] hardly ever have it. It's probably, at the best,

[00:11:08] 15 to 20% for the small companies. When I'm talking small, I'm talking about

[00:11:12] what, 50 employees or less, kind of stuff? Oh yeah, yeah, correct.

[00:11:16] And so if you're a company like that

[00:11:19] and you paid for it but you didn't do your due diligence, you know, you didn't

[00:11:22] have somebody come in there, and all of a sudden your insurance

[00:11:24] company sees that or is able to prove it and says, oh, we're not

[00:11:27] paying on this claim because you didn't do what you were supposed to

[00:11:30] or whatever, do you get your premiums back? I'm assuming you're just out all

[00:11:33] that money that you paid in. You're out all the money,

[00:11:36] and they talk to other companies, so if you try to apply to another company,

[00:11:42] they're going to ask why you were denied at this company when you had full

[00:11:46] insurance, and they're gonna talk, and

[00:11:50] they're gonna put you on a blacklist and you simply will not be able to

[00:11:54] obtain insurance at all. Correct, and that's where we don't want to be,

[00:12:00] and we want to find your compliance, you know. And it's funny, because you said

[00:12:04] HIPAA. HIPAA is now, by December, they're coming out with a new

[00:12:09] ruling for HIPAA. Those are gonna require

[00:12:12] a version of NIST compliance with HIPAA, so this is something that's going to

[00:12:18] actually rock the medical world, because they're

[00:12:21] gonna have to start really complying with security,

[00:12:24] unlike they have been. Define NIST for our audience.

[00:12:30] NIST is a level of security protocols and procedures that the government

[00:12:35] has defined that will help through different agencies, including,

[00:12:41] you know, say, CIA. The DOD, Department of Defense, has been the big one.

[00:12:48] And what they do is that the NIST is a regulation to be able to put in place to

[00:12:53] know that any of the sensitive information that

[00:12:57] the government gives you as a vendor, you're not doing

[00:13:01] nefarious things with, you're not allowing people to...

[00:13:04] An acronym that defines standards defined by the government.

[00:13:07] Correct, and the standards relate to protocols and best practice and everything

[00:13:11] else under the sun. It's complicated documentation that...

[00:13:14] Yes, the acronym that defines that set of regs, if you will.

[00:13:19] And I've learned that I'm a whole new level of geek, because I've read the whole

[00:13:23] thing. So not many people are doing that, right?

[00:13:28] I haven't read the whole thing, but I've read some of it, and I'm telling you

[00:13:30] that it's complex, and the nuances and the details are really

[00:13:34] where the difficulties start to occur. You can't just be like, um,

[00:13:38] you know, my COO or my this person or my accountant or whatever, you know,

[00:13:42] they're a pretty good tech guy, whenever we have a problem they fix it, they fix

[00:13:44] the printers, they do this, they do that. Yeah, that's great, but you can't assume

[00:13:48] that person is on the level that it takes for true compliance. You just

[00:13:52] can't. You're right, because it isn't true, and you can't just walk into

[00:13:57] CMMC or NIST compliance and think that you're going to be done in six

[00:14:01] months. It's a year and a half commitment to get everything done. You have

[00:14:06] so many aspects to it that if you don't have somebody that does it

[00:14:11] day in and day out and is prepared for this, then it's going to be an even

[00:14:15] longer process. Now we've kind of set the stage to have people believe this is

[00:14:20] so complicated, and so, you know, I mean, you're going to lose your shirt and

[00:14:23] stuff like that. We don't want to scare everybody and make people panic.

[00:14:26] What we want to do is highlight the reality of the situation so you're

[00:14:29] clearly aware. What we don't want is, well, you didn't tell me it was to that

[00:14:32] level. No, yes we did. But what we want you to understand is, with the right

[00:14:36] people involved, complicated things become simple,

[00:14:39] and things that seem to be over your head or that you'll never get done,

[00:14:42] if you have the right people in place that have done this time and time and

[00:14:45] time again, they can navigate through those nuances

[00:14:48] very quickly and efficiently, actually. And so that's something we really want to

[00:14:51] kind of point out: that getting the right people aboard is the key.

[00:14:55] It truly is. And you know, you take your cyber insurance forms, there's some,

[00:15:00] most forms are two to two and a half pages. There's some which are almost

[00:15:05] eight pages long and deal with everything in security.

[00:15:09] It's all in what the company's wanting and what they're looking for

[00:15:13] for the liability. And so with Network Providers,

[00:15:17] we've been able to provide our current clients with

[00:15:22] that for free. We'll go in, we'll take their cyber forms,

[00:15:25] we'll get them prepared. Anything that's not outstanding,

[00:15:28] we'll actually approach the customer and say, hey look, let's get these implemented.

[00:15:33] We can do it within the next two days and it's going to lower your premiums

[00:15:37] because you're able to say yes to things.

[00:15:40] Once we do all that, the customer is extremely happy.

[00:15:44] Even if you're not a current customer but you want to find out where you're at,

[00:15:49] we're actually providing a free risk assessment

[00:15:52] that you can register for on our website, and we're doing that till June 30th.

[00:15:58] I mean, it's a $250 risk assessment, and all we do is we walk in, we

[00:16:03] put an agent on, we report it, we uninstall it,

[00:16:07] and then we'll have your report in the next two weeks.

[00:16:10] And now, number two, if you ever want to sell your company

[00:16:13] or if you ever want to get a loan for your company,

[00:16:16] if you can document you have these things in place, believe it or not, I've even

[00:16:19] heard of corporate loans giving you a discount on your interest rates because

[00:16:22] you have all that stuff in place. But it doesn't end there, the value that can be

[00:16:25] provided. And believe it or not, um, you think it's super expensive at the

[00:16:28] start, and it may seem like it, but in the end I think there's ways to save

[00:16:31] money that offset most of that too.

[00:16:34] You're so true. I literally heard about that bank thing the other day,

[00:16:38] and uh, it's amazing what just a little bit of security awareness can do.

[00:16:44] And we're not saying that you have to have all these controls and everything in

[00:16:48] place. We're simply saying, to answer these questions,

[00:16:53] you're going to have to know that you have 2FA involved,

[00:16:57] you got to know that you have next-gen antivirus involved,

[00:17:01] and you got to know that you have phishing

[00:17:04] protection, where it's spam and phishing protection tied in.

[00:17:10] Yeah, it's important to know too, I mean, you've got a lot of experience at

[00:17:13] the table. You got Newman, that's all things tech. You got the owner of

[00:17:16] Network Providers Incorporated that used to work for Zions Bank in security.

[00:17:21] That's where Newman and the owner, Jay Matt... I've got a lot of experience

[00:17:25] not only in IT, I've been at it for a long time, more than you know, about 40 years I

[00:17:29] guess, um, but I've got insurance. Formerly I was insurance licensed and I was

[00:17:34] also mortgage licensed for residential and

[00:17:40] corporate, or, you know, business mortgages, corporate mortgages,

[00:17:44] and you gain a lot of knowledge about insurance, how the audits work and

[00:17:47] how appraisals work and all that. All that applies to IT.

[00:17:51] Different topic, but the principles are the same. You make a claim, you better

[00:17:55] back it up with documentation. You got a problem or something that doesn't,

[00:17:58] you know, on the surface make sense, you've got to have a letter of explanation

[00:18:01] defining it, okay? The same thing is true in the IT world. If you document your

[00:18:05] stuff, that's half the battle, because with that documentation, if you continually

[00:18:09] follow up on it, you've got a situation where, hey,

[00:18:13] it's easy to know where your holes are. Without that documentation, without

[00:18:16] that, quote, roadmap, you have no idea, Newman. Oh,

[00:18:20] and that is so true, Sam. It's the fact that most regulations, as well as

[00:18:26] any standard security process and procedure,

[00:18:30] should have at least 13 months of documentation

[00:18:34] and change management control. And even if you're a small business,

[00:18:39] you don't have to worry about that. If you look at our company and look at

[00:18:43] what we provide, we can actually give you that structure in a drag and drop type

[00:18:49] atmosphere where we have the policies and everything defined,

[00:18:52] and we can even show, if you have an IT

[00:18:57] administrator, we can show them how to do the audits

[00:19:00] and document them so that you're protected

[00:19:03] and you'll pass these with flying colors.

[00:19:08] I think that, you know, documentation is key. I also think making sure you train

[00:19:12] your people. Your people can be the worst, in terms of, more than even computers,

[00:19:17] people can be the worst problem. They can also be your greatest asset if

[00:19:21] they're trained right. Jay, you do a lot of training at

[00:19:25] the companies you work for and stuff like that, right? Yeah, I do, and I find that

[00:19:29] documentation is super helpful, not just for yourself

[00:19:32] when you're trying to do things or expand things or improve things, but if

[00:19:36] you ever have a problem and you have to bring in a third party, let's say you

[00:19:39] have a meltdown or cyber ransomware, whatever,

[00:19:43] that documentation can save you days in getting other people up to speed to help

[00:19:46] you get out of a jam.

[00:19:49] Newman. It's so true, and you know, if there's one thing that I would say to

[00:19:54] implement, which is a little awkward if you haven't taken drama in high

[00:19:58] school, you know, but a tabletop discussion.

[00:20:02] Simply get all the players in the company together

[00:20:07] and roleplay: okay, we just got ransomed. What do you do? What do you do?

[00:20:11] Who's gonna do this? Who's gonna do that?

[00:20:14] That is stuff that's also now being talked about

[00:20:18] in the cyber insurance forms, and this is stuff that the vCSO does,

[00:20:23] or the chief security officer. He should be holding these

[00:20:27] every six months, so that people... it's like a fireman. You don't want them to come

[00:20:32] out to your house and put the fire out if they're not fully trained, right?

[00:20:38] Well, yeah, they might decide to do the wrong things with electricity, it'll go

[00:20:41] really to the neighbor's house and it's not on fire.

[00:20:45] But you know, you got to have an incident response plan, an IRP, in place,

[00:20:48] to where it's like, hey, yes, when this happens do we just pull out the plan and

[00:20:51] follow it, or do you scramble and go, oh my gosh, what do we do, who do we call,

[00:20:55] where do we... I'm looking in the phone book, what are you doing? I'm, you know...

[00:20:57] The key is that incident response plan, I think, Newman. Yep, and we actually

[00:21:01] have all of that defined, because almost all the insurance

[00:21:06] companies want a security plan in place, and we have that documented that we

[00:21:12] can help you with. And really, it's just amazing that we've been

[00:21:18] able to acquire all these things based upon the regulations we've done

[00:21:23] and what we can do for the customers. Final thought, Jay?

[00:21:27] Um, I think that it's good to have all that stuff. I definitely, I mean, I agree

[00:21:30] with you guys, you got to have it, and I know NPI can help people if they don't,

[00:21:34] that disaster preparedness plan, that IT data security policies,

[00:21:38] make those things happen. I would say this too, it's something that I want

[00:21:43] people to understand. You don't need to just look at the end and then say, my

[00:21:48] gosh, I'll never get to the... It's like a 26 mile marathon.

[00:21:51] You look at the end and you just go, I'm not even going to start.

[00:21:55] But you can't think of it that way. You got to just say, listen, I'm going to start

[00:21:58] on this thing. I'm going to run the first mile. I'm going to worry about just the

[00:22:01] first mile, okay? I know I've run a mile before, I can run a mile, okay?

[00:22:04] And then once you get that done, you're like, hey, can I run another mile? You know

[00:22:06] what, I think I can. And they say it's mile 17, 18 where people get their second

[00:22:10] wind. A lot of times it's kind of like that with this stuff. Once you get started,

[00:22:15] and if you just relentlessly keep kind of plodding along,

[00:22:18] that's a little bit like the tortoise and the hare too, before you know it, it's like,

[00:22:21] hey, we're way further along than we thought we would be. So take a little bit

[00:22:25] at a time, you know. Rome wasn't built in a day, Newman.

[00:22:29] It really wasn't. And you know, being built like Chris Farley, I'll

[00:22:33] be at the finish line helping them, so...

[00:22:41] All right, so there you have it, ladies and gentlemen. NetworkProvidersInc.com is our website.

[00:22:46] You can sign up between now and June, uh, now and June, where you can get, what is it, free?

[00:22:55] Yeah, it's free. It's actually a risk assessment, no cost, and we'll even provide a

[00:23:01] full 30 page report on how your system is. It covers multiple aspects including patches, firewall,

[00:23:09] external IPs, two-factor and all your user accounts and that, so it covers quite a bit in this.

[00:23:16] Chris could say, all right, you can get started for free, ladies and gentlemen. What an offer

[00:23:20] that is. NetworkProvidersInc.com if you want to do that. And we don't mean this to be just a big

[00:23:24] ad. If you want to go to other companies, by all means do what you think is best. I'm just telling you

[00:23:28] you've got a friend in the honest IT business with Network Providers Inc. If you want to learn

[00:23:32] more about our podcasts and radio shows and share them with your friends, you can go to

[00:23:37] NPITechGuys.com. You can sign up for our email list, which will let you get all kinds of cool

[00:23:43] notifications. This is part of the training that I was talking about too. Uh, I just got an email

[00:23:47] from NPI Tech because I'm on the list, and it says, this cyber security tip: if this type of alert pops

[00:23:54] up, do not click on it, and then it goes through and kind of explains. And you can get those for free

[00:23:59] if you go to NetworkProvidersInc.com or NPITechGuys.com. You can get those for free, and those

[00:24:04] really help if you spread those through your company and people kind of pay attention to them,

[00:24:08] just reading those little blips whenever they come out, every day, every couple of days, whatever.

[00:24:13] They don't overwhelm your email, but, you know, they come out reasonably often,

[00:24:16] but if you pay attention to those, pretty soon you just get smarter and smarter and smarter with

[00:24:20] these little teeny blips, but after a while it's like, hey, uh, a wealth of knowledge is transferred.

[00:24:25] All right, there you have it. Um, insurance: get a partner that knows how to help you navigate

[00:24:31] that complicated topic of cyber insurance. Thank you, Newman. Thank you, Jay. Thanks to everyone listening.

[00:24:36] We keep an eye on tech so you don't have to. NPITechGuys.com. Thanks so much, and make it a great tech day.