One Step Beyond Cyber

EP 5 Beyond the Brokerage: Cyber Insurance – What you don’t know CAN hurt you.

August 24, 2023 One Step Season 1 Episode 5

Welcome back to One Step Beyond Cyber! In this illuminating episode, your host Scott Kreisberg is joined by two industry experts, Tim Derrickson, and Joseph Cook. Tim is our resident Certified Information Systems Security Professional (CISSP), and Joseph is a seasoned cyber risk manager with over 10 years of insurance expertise at The Arizona Group.

🛡️ Are you safeguarding your business effectively against cyber threats? 🌐 Discover why businesses need both IT services and cyber liability insurance for complete protection. We'll highlight the incredible advantages of merging cybersecurity measures with insurance coverage. Don't miss this eye-opening discussion!

📜 Think cyber liability insurance (CLI) is all you need? 🤨 We'll debunk the myth that policy terms and conditions are irrelevant. Tim and Joseph dive into the importance of understanding your coverage in this sarcastically informative segment.

🤝 How often should you consult with your insurance advisor? 🗓️ Tim and Joseph share their insights, discussing QBRs, scanning, and the annual check-ins that can make all the difference.

📊 Is there a one-size-fits-all cyber insurance plan? 🤝 Discover why you should think of your brokers and consultants as trusted consultants, not just vendors. We'll break down the importance of understanding your compliance requirements and adapting to the dynamic needs of your business.

💼 Self-insuring your business against cyber risks? 🤯 Learn about the biggest misconception surrounding self-insurance and its limitations. Tim shares stories of businesses attempting IT/IS with underqualified family members, highlighting the risks involved.

🔚 In our outro, we'll summarize the key takeaways, leaving you with a clear understanding of why a proactive approach to cyber insurance and risk management is vital for your business's safety.

🚀 Don't forget to hit that like button, subscribe, and share this episode with fellow business owners. Together, let's navigate the complex world of cyber insurance and take our businesses One Step Beyond Cyber! 

Podcast Video One Step Secure IT - YouTube
Learn about our services https://www.onestepsecureit.com/

Hosted by:
Scott Kreisberg - CEO & Founder of One Step
Tim Derrickson - Sr. vCIO/vCSO- CISSP

Produced by Genesis Aquino
Music Production by Michael Stevens

----
LinkedIn:
https://www.linkedin.com/company/onestepsecureit/mycompany/

Facebook:
https://www.facebook.com/OneStepSecureIT

Twitter:
https://twitter.com/onestepsecureit

00:00:00,000 --> 00:00:04,080
Are you ready to take your business and technology knowledge to the next level?

00:00:04,080 --> 00:00:08,000
Hello everyone and welcome to the next episode of One Step Beyond Cyber.

00:00:08,000 --> 00:00:10,320
I'm Scott Kreisberg and I'm your host on the channel.

00:00:10,320 --> 00:00:15,040
Now before we get started, if you find any value in the content you receive today,

00:00:15,040 --> 00:00:19,520
do us a big favor, give us a review and give us a subscribe.

00:00:19,520 --> 00:00:22,080
Now let's get started and I'll introduce our panel.

00:00:22,080 --> 00:00:27,280
Most of you guys know Tim Derrickson because he's been on a lot of our previous episodes.

00:00:27,280 --> 00:00:34,640
Now Tim is our resident Certified Information Systems Security Professional, and what's that short for?

00:00:34,640 --> 00:00:36,480
CISSP.

00:00:36,480 --> 00:00:41,600
And Tim, you also hold a company record for acronyms.

00:00:41,600 --> 00:00:45,280
So let's try to keep that down to a minimum so viewers can follow us.

00:00:45,280 --> 00:00:51,760
And on my left, Joseph Cook with the Arizona Group who's got over a decade of insurance

00:00:51,760 --> 00:01:00,720
experience and he too is a Certified Cyber Risk Manager, CCRM.

00:01:00,720 --> 00:01:01,600
And we got it.

00:01:01,600 --> 00:01:07,040
Wow, I'm surrounded by all these certified folks going to help make me look much smarter.

00:01:07,040 --> 00:01:12,160
Now today we're going to endeavor to get into the conversation of cyber liability insurance

00:01:12,160 --> 00:01:18,480
and some of the most common misconceptions as well as how it can be the biggest godsend

00:01:19,520 --> 00:01:22,080
or a false sense of security.

00:01:22,080 --> 00:01:24,560
We'll see which one our viewers fall under.

00:01:24,560 --> 00:01:28,240
All right, but before we get started, Tim, would you do the honors of providing our podcast

00:01:28,240 --> 00:01:34,240
disclaimer? Sure, the purpose of this podcast is to provide news and information on cyber security

00:01:34,240 --> 00:01:40,960
and technology line regulations. And all data provided on this podcast is for informational purposes

00:01:40,960 --> 00:01:45,040
only and should not be considered legal advice in a row.

00:01:45,040 --> 00:01:51,600
And you did a great job. Thanks for that. All right, let's kick off this episode.

00:01:51,600 --> 00:01:59,200
All right, guys, my first topic is going to be one that I think I hear most often is that

00:01:59,200 --> 00:02:07,040
and that is is this a one or another proposition like if, you know, Joseph, if they have your

00:02:07,040 --> 00:02:12,880
CLI insurance, why do they need IT people? Why do they need security protocols? Why do they need

28
00:02:12,880 --> 00:02:19,440
that and Tim? Why don't you tell us, conversely, if they have services like what we provide,

29
00:02:19,440 --> 00:02:23,680
they probably don't need Joseph, right? They always need Joseph.

30
00:02:23,680 --> 00:02:31,520
Okay, good. So let's start off over here. What say you? Sure, I think that the two realms are

31
00:02:31,520 --> 00:02:37,840
forever going to be intertwined. Right? Think of it as walking a tightrope.

32
00:02:38,480 --> 00:02:45,680
So I feel like the cyber security folks help the clients or customers walk that tightrope.

33
00:02:45,680 --> 00:02:50,960
Okay. And the cyber policy becomes that net underneath in case you do fall off.

34
00:02:50,960 --> 00:02:55,280
Right? So it's really important that you learn how to walk the tightrope appropriately,

35
00:02:55,280 --> 00:03:01,680
but it's also really important that net underneath be properly rated appropriately sized

36
00:03:01,680 --> 00:03:05,840
and actually able to catch you if you do if you do fall. That's key. Absolutely.

37
00:03:05,840 --> 00:03:10,400
Yeah, thanks for that. Nobody wants to fall through the net. Yeah, you know, that's a great picture.

38
00:03:10,400 --> 00:03:15,440
So what about you, Tim? When you think about that? I think it's interesting that, you know,

39
00:03:15,440 --> 00:03:20,000
they're saying now that there are two companies, right? Those that have been hacked and know about it,

40
00:03:20,000 --> 00:03:26,960
and those that have been hacked and don't know about it. IT is there and security is there that is

41
00:03:26,960 --> 00:03:33,760
to put every of all these controls in place to make sure that you're doing the best job possible

42
00:03:33,760 --> 00:03:37,040
to stay secure. It's kind of like putting a lock on your front door. We're going to keep

43
00:03:37,040 --> 00:03:41,360
well the honest people honest. Now we're going to put a gate on in front of our front door.

44
00:03:41,360 --> 00:03:45,280
Just in case there's some people who aren't as honest there that are going to try and break in.

45
00:03:45,280 --> 00:03:50,080
No matter how big the gate sometimes on the other side, the person's bigger.

46
00:03:50,080 --> 00:03:58,400
And that's when your insurance comes in because it does help. And it's what they will be intertwined

47
00:03:58,400 --> 00:04:02,800
from here on out. And I think what's interesting too is the way that they work together at this point.

48
00:04:03,360 --> 00:04:07,680
Yeah, you know, it's a good point. I really love the picture you conjured up there. So

49
00:04:07,680 --> 00:04:14,560
if most businesses are walking a tight rope and they fall because they fall into either of those two

50
00:04:14,560 --> 00:04:18,800
categories of a business that's been hacked and knows about it or business that's been hacked and

51
00:04:18,800 --> 00:04:23,600
doesn't know about it, eventually they're going to probably fall off that tight rope. And they look

52
00:04:23,600 --> 00:04:29,200
down and they're like, "Oh, I got it. I got a safety net, right?" Is there... Do you... You know, you said

53
00:04:29,200 --> 00:04:33,040
they were intertwined in these two areas but can you kind of tell us a little bit about where they are

54
00:04:33,040 --> 00:04:39,200
intertwined and why it's important? Absolutely. So as the cyber insurance market has developed

55
00:04:39,200 --> 00:04:47,280
over the last 25 or so years, right? We went from what was... the most part our official market where

56
00:04:47,280 --> 00:04:51,840
they'd ask if you had a pulse and what your address was and sent you a quote somewhere between

57
00:04:51,840 --> 00:05:01,360
$1,000 and $1,500. And when claims were limited and cyber criminals were less active, right? That was

58
00:05:01,360 --> 00:05:07,200
a feasible model for everybody involved. But with the way things that have changed, that's no longer

59
00:05:07,200 --> 00:05:14,160
a feasible model. Okay. And so what you've seen is you've seen insurance carriers become more sophisticated

60
00:05:14,160 --> 00:05:19,760
on what cyber security controls are, how they can be implemented and they're starting to ask about

61
00:05:19,760 --> 00:05:25,920
those in the application process of trying to find insurance and then they're using those controls as

62
00:05:25,920 --> 00:05:32,080
part of warranty statements in terms of conditions and policy language at the time of claim. So being

63
00:05:32,080 --> 00:05:38,000
compliance and not answering things in a speculative or hopeful manner but answering things in a true

64
00:05:38,000 --> 00:05:44,080
manner is really going to be helpful at the time of claim to increase likelihood of that claim be covered.

65
00:05:44,080 --> 00:05:51,680
Great. And so from our perspective, how does working with a client that's maybe applying for

66
00:05:51,680 --> 00:06:02,000
CLI? Do people like you help them with that process and if so, maybe you could come in on, does it help

67
00:06:02,000 --> 00:06:09,040
with the premium price? I think definitely because when we get involved, especially when it comes to

68
00:06:09,040 --> 00:06:14,320
doing cyber liability insurance, we're actually the ones that are helping them reap these forms because

69
00:06:14,320 --> 00:06:21,680
it is technical. This is not something where it's laid out for them in not necessarily an easy

70
00:06:21,680 --> 00:06:28,480
manner. That's very precise, right? It's very precise. And sometimes it can seem ambiguous if you

71
00:06:28,480 --> 00:06:33,680
don't understand the terms that you're looking at, you know, we see acronyms in there that they might

72
00:06:33,680 --> 00:06:40,240
not understand. But even looking at just how backups are handled, you know, are they air gapped? I mean,

73
00:06:40,240 --> 00:06:46,240
there are things that are said that the laymen might not understand because air gap would be what?

74
00:06:46,240 --> 00:06:52,240
It means that there has to be a gap between when you did your backup to when you saved it and then

75
00:06:52,240 --> 00:06:57,520
there can't be a connection there for anybody to get back into the backup. No persistent connection.

76
00:06:57,520 --> 00:07:04,640
Correct. So there's all little things that we help with and we make sure that when Joseph gets that

77
00:07:04,640 --> 00:07:10,000
form, he looks down and he goes, okay, this is in itself assessment, right? So we're going to do this

78
00:07:10,000 --> 00:07:16,240
ourselves and it's going to be a little bit more precise of a yes or a no or specific answers of

79
00:07:16,240 --> 00:07:22,160
why there's a no. Are we using two factor authentication for everybody in our business? No, we use Active

00:07:22,160 --> 00:07:29,840
Directory to log in internally, but anything, right? Exactly. So the eyes glaze over but Joseph

81
00:07:29,840 --> 00:07:36,560
understands it or the broker or the interest claim people. And so then they're able to read it and

82
00:07:36,560 --> 00:07:41,760
when something does happen and it goes to them, they're able to come back and go, well, you said this.

83
00:07:41,760 --> 00:07:48,000
Right. And on that note, thanks. And on that note, like you guys from your perspective don't

84
00:07:48,000 --> 00:07:56,880
validate or verify prior to claim, do you? No, generally they won't. There's a little bit of practice

85
00:07:56,880 --> 00:08:03,200
starting to emerge with things like silence or BitSight, which is ultimately like a credit score for

86
00:08:03,200 --> 00:08:09,040
your cyber hygiene done in a base level made from a domain scan or something similar. So they might

87
00:08:09,040 --> 00:08:15,040
find compromised email addresses or potentially an open port or something on a simpler level, but

88
00:08:15,040 --> 00:08:19,760
there's not validation throughout the process, right? They're not going to come out and run an agent

89
00:08:19,760 --> 00:08:25,200
on your on your network to see if all these tools are installed and figured the way you describe.

90
00:08:25,200 --> 00:08:30,640
So the value of having somebody like a one step in your atmosphere kind of comes into ways.

91
00:08:30,640 --> 00:08:34,960
Okay. The first way is that for the things that you are doing well to protect your entity,

92
00:08:34,960 --> 00:08:42,080
increase your cyber hygiene, you will receive some benefit on rate of your policy, terms of conditions

93
00:08:42,080 --> 00:08:47,520
or both. The second value is being honest about the things that maybe you're not doing as well as

94
00:08:47,520 --> 00:08:53,680
you could be doing does bring value because then you aren't tripped up at time of claim by a contradictory

95
00:08:53,680 --> 00:08:59,360
statement, right? At least you were honest up front and the carrier was fully aware that you didn't

96
00:08:59,360 --> 00:09:03,840
actually have 2FA. You just had Active Directory, right? So they cannot try to use that

97
00:09:03,840 --> 00:09:11,600
against you at a later date. So it brings value into ways. So you're saying it's better to be honest

98
00:09:11,600 --> 00:09:17,200
and transparent with the insurance company. So it doesn't come back and when you fall off the

99
00:09:17,200 --> 00:09:24,640
the tightrope, that there is a net there for you. Absolutely. And the legal precedent supports that,

100
00:09:24,640 --> 00:09:30,320
right? So if you look at the, is that could you give me an example? Sure, yeah. So the only case that's

101
00:09:30,320 --> 00:09:38,160
ever been awarded by a judge and jury to the favor of the insurance carrier, surrounding these

102
00:09:38,160 --> 00:09:43,040
types of claims, cyber liability claims, was a mid-size employer about 115 employees,

103
00:09:43,040 --> 00:09:48,560
the manufacturing sector who indicated to Travelers Insurance that they had MFA fully deployed,

104
00:09:48,560 --> 00:09:54,480
they did not. The time of claim, the reason that they were able to be breached was that lack of MFA

105
00:09:54,480 --> 00:09:59,280
and when it went to court the judge or he actually decided in favor of Travelers. Yeah. So that

106
00:09:59,280 --> 00:10:07,440
dishonesty is the only in single case to date where a warranty clause has been supportive in insurance

107
00:10:07,440 --> 00:10:12,720
carriers and night claim. Do you, do you find that as we're moving forward especially when we start

108
00:10:12,720 --> 00:10:16,320
dealing more and more with these breaches that are going on and they are becoming more prevalent

109
00:10:16,320 --> 00:10:22,640
with cyber crime and syndicates? Do you find that the insurance industry is starting to change to be

110
00:10:22,640 --> 00:10:27,040
a little bit more proactive in the fact besides silence and those ones that you mentioned that they

111
00:10:27,040 --> 00:10:35,040
would be moving towards some type of test for that client or would it be a third party that might

112
00:10:35,040 --> 00:10:41,280
step in and go this is what we've done to provide some type of scan to see what's going on. Sure. I

113
00:10:41,280 --> 00:10:46,960
don't think they'll ever do it in-house but I definitely know that there is some progress being made

114
00:10:46,960 --> 00:10:53,040
towards scanning on a pre-basis even with some carriers they're talking about intermittent scanning

115
00:10:53,040 --> 00:10:58,640
so they may do it on every other month, quarterly, or biannual basis, right? So there's certainly

116
00:10:58,640 --> 00:11:04,240
talks of that and I think that only benefits everyone. So to give you a great example of that

117
00:11:04,880 --> 00:11:10,960
we'll be able to send a BitSight report to our clients and we just sent one recently to an IT

118
00:11:10,960 --> 00:11:16,640
director that allows them to close four open ports and shut down a couple compromised email addresses.

119
00:11:16,640 --> 00:11:21,760
So that's helpful, right? And it's helpful that your insurance carrier or your insurance broker can

120
00:11:21,760 --> 00:11:26,880
provide that to you. And will that help with pricing for when they're doing their when they're

121
00:11:26,880 --> 00:11:33,280
getting their rates? Absolutely. One of the biggest challenges with with that pricing, right? Is that

122
00:11:34,240 --> 00:11:38,800
in many cases, you know, if you're receiving a credit or a debit structure that's not going to be

123
00:11:38,800 --> 00:11:43,440
conspicuous, it's not breached on your policy, right? And you wear, so you're going to have to have a

124
00:11:43,440 --> 00:11:48,160
level of trust with your broker that's bringing you that product to understand where your price is

125
00:11:48,160 --> 00:11:55,680
falling but having closed ports and having non-compromised email addresses is certainly a greater level of

126
00:11:55,680 --> 00:12:01,360
security than the opposite. So yes, it could only do positive things to your rates. Good.

127
00:12:02,160 --> 00:12:10,320
All right, take over. Oh! No, that's great. Those are great questions. So, you know, talking about coverage,

128
00:12:10,320 --> 00:12:19,120
though, is this a one-size-fits-all type thing and what should our viewers be on the lookout for when

129
00:12:19,120 --> 00:12:24,480
it comes to terms, conditions, understanding what they're really getting coverage on? So,

130
00:12:24,480 --> 00:12:30,480
assuming you fall off this tight wire, how do we know the net's the right size, you know, so that

131
00:12:30,480 --> 00:12:35,520
it's like super comfortable and they know they're going to be fine when they fall in it. Yeah, so

132
00:12:35,520 --> 00:12:40,800
unfortunately, this is a younger insurance product, right? So, there's still a lot of room for

133
00:12:40,800 --> 00:12:46,080
growth on our side. So, some of the things that, you know, the insurance world is not doing well

134
00:12:46,080 --> 00:12:53,360
right now is uniformity of language. So, there's a lot of carriers calling the same act different

135
00:12:53,360 --> 00:12:58,160
things, right? And that's very frustrating because you're trying to compare different policy

136
00:12:58,160 --> 00:13:03,280
products and really understand what it is that you're getting and you may actually have that same line.

137
00:13:03,280 --> 00:13:07,600
I don't know what they're calling you two different things, so it takes a lot of discovery to find that out.

138
00:13:07,600 --> 00:13:13,920
The second thing that is really important to note here is, you know, insurance is very regulated,

139
00:13:13,920 --> 00:13:19,200
right? It's a very large industry and sometimes it's a little slow to make that tanker take a turn,

140
00:13:19,200 --> 00:13:25,520
right? So, a lot of your better insurance forms are based on what are called ISO, or Insurance

00:13:25,520 --> 00:13:30,640
Services Office, forms. So, for your older coverages, general liability, inland marine, property,

142
00:13:30,640 --> 00:13:35,120
those are well established and they're a baseline for all of the carriers. So, you have that

143
00:13:35,120 --> 00:13:42,800
baseline you can expect from a coverage perspective. The challenge now with this young product of

144
00:13:42,800 --> 00:13:47,360
cyber liability in this very dynamic cyber risk that we're experiencing, especially in the last

145
00:13:47,360 --> 00:13:56,160
three to five years, right, is that an ISO form, being as regulated as it is, is typically well behind the

146
00:13:56,160 --> 00:14:03,840
curve of what's being experienced today and will be experienced tomorrow in cyber risk. So,

147
00:14:03,840 --> 00:14:10,640
your best providers are non-admitted forms, which is kind of contrary to what is normally out there

148
00:14:10,640 --> 00:14:15,200
in the industry, but because they're not admitted and they're less regulated, they're more able to

149
00:14:15,200 --> 00:14:22,800
be creative and more able to be nimble and adapt to that cyber risk. So, you have this wild west

150
00:14:22,800 --> 00:14:27,680
where things are a little bit upside down in terms of non-admitted being more favorable than admitted

151
00:14:27,680 --> 00:14:36,320
at this time, right? And you also have just a absolute spectrum of variability and strength of

152
00:14:36,320 --> 00:14:43,840
coverage in terms and conditions. So, can companies use the generic type of form as well as their

153
00:14:43,840 --> 00:14:49,040
own or is how that works? They could, right, but if you're breaking down all of the cyber providers into

154
00:14:49,040 --> 00:14:55,920
let's say three tiers of competition, there's a standalone tier one and I won't mention them for

155
00:14:55,920 --> 00:15:00,560
now, but there's one company that sits alone in tier one for a variety of reasons. All your non-

00:15:00,560 --> 00:15:05,440
admitted carriers are essentially competing in tier two. And all your admitted carriers are competing

157
00:15:05,440 --> 00:15:11,360
in tier three, we kind of jokingly refer to them as cyber light, right? So, so that ISO form is so

158
00:15:11,360 --> 00:15:18,160
restrictive because of regulation that it really is just not doing what it needs to do right now. Got you.

159
00:15:18,160 --> 00:15:25,600
Got you. All right, cool. Thanks for that. All right, so the next topic I'd like to discuss is

160
00:15:25,600 --> 00:15:37,040
should clients have regular meetings with A, their insurance professional,

00:15:37,760 --> 00:15:46,400
and B, their IT or cybersecurity or compliance professionals? Tim, I want you to tell us that.

162
00:15:46,400 --> 00:15:53,760
That's actually yes to both. Okay. I know that we do quarterly business reviews with our clients,

163
00:15:53,760 --> 00:15:59,120
we touch them, well, touch them because that might be bad. We contact them once a month,

164
00:15:59,120 --> 00:16:04,960
for all of our clients to make sure that everything is going well. I think that anytime there's a change

165
00:16:04,960 --> 00:16:09,680
in your environment, you're changing your posture. So if you add something in your environment,

166
00:16:09,680 --> 00:16:12,960
even to the point of some of these small businesses that just they put in a new

167
00:16:12,960 --> 00:16:19,200
router from their carrier, from their ISP, whether or centrally, or somebody else, not to.

168
00:16:19,200 --> 00:16:26,160
And they put it in and all the passwords are on the bottom and they don't change. Every time you put

169
00:16:26,160 --> 00:16:32,320
that in, you change your security posture and you need to contact your IT person to make sure

170
00:16:32,320 --> 00:16:37,360
your changing password is making sure you're going in and closing those ports and making sure

171
00:16:37,360 --> 00:16:40,720
that everything's set up the way it's supposed to be set up. But that also changes

172
00:16:40,720 --> 00:16:46,480
what you have in your environment for the insurance as well. So that could be anything from

173
00:16:46,480 --> 00:16:52,000
switches routers. New applications can cause changes to your environment in a little important,

174
00:16:52,000 --> 00:16:58,480
sometimes close ports other times. So yeah, you should be doing at least quarterly meetings. I know

175
00:16:58,480 --> 00:17:04,800
with your IT people, if they're not in the house, but you should be at least speaking with them once

176
00:17:04,800 --> 00:17:14,880
a month. And I just mentioned scanning being done by some carriers. What about that with their IT folks?

177
00:17:14,880 --> 00:17:20,320
Scanning drawings. Scanning's should be done quarterly and my personal opinion.

178
00:17:20,320 --> 00:17:25,600
What is the scan? So a scan is going to go into what they call a vulnerability scan, which is going to

179
00:17:25,600 --> 00:17:32,320
go and look at all the things that we know of that is a possibility of a vulnerability or something

180
00:17:32,320 --> 00:17:37,680
going on in your environment that can be breached. So if you're doing it once again for me,

181
00:17:37,680 --> 00:17:42,560
best practice to be at least quarterly to go and look at everything because every time you have an

182
00:17:42,560 --> 00:17:48,080
update with Windows, because we know they do updates on Windows, there could be a vulnerability.

183
00:17:48,080 --> 00:17:53,280
Anytime you add something new to your environment, take something out, you're changing things,

184
00:17:53,280 --> 00:17:59,520
you might be leaving ports open that you don't need to leave open. So you want to at least

185
00:17:59,520 --> 00:18:04,960
once a year do a scan to look at your environment, but I would say best practice at this point would be

186
00:18:04,960 --> 00:18:10,720
at least quarterly and we have clients that do it monthly. Good. Awesome. Joseph, what say you?

187
00:18:10,720 --> 00:18:18,320
I would piggyback off of Tim's comments that in that, when you're looking at cybersecurity,

188
00:18:18,320 --> 00:18:24,320
when you're looking at a TRANS program, an attorney, any of these trusted advisor roles,

189
00:18:24,320 --> 00:18:30,240
you have to realize that the products or services that you're engaging those trusted advisors for

190
00:18:30,240 --> 00:18:37,040
are living ecosystems. They're dynamic, things are going to change as your business changes,

191
00:18:37,040 --> 00:18:42,000
whether you're shrinking, whether you're growing, whether you're exiting a vertical, entering a

192
00:18:42,000 --> 00:18:47,120
vertical, whatever it may be, all of those have impacts with your trusted advisors and those

193
00:18:47,120 --> 00:18:53,360
living ecosystems that you're building together. So I don't know that there's necessarily a mandatory

194
00:18:53,360 --> 00:18:58,240
level of communication as sort of quarterly or biannual or anything like that, but it should be

195
00:18:58,240 --> 00:19:06,400
an open line of communication with mutual respect and trust. Yeah, I mean, I wonder if people view

196
00:19:06,400 --> 00:19:14,400
their insurance professional more as a vendor, as compared to a business partner or part of their

197
00:19:14,880 --> 00:19:20,880
team, their advisory team, right? That's how I view those that I work with, otherwise, you know,

198
00:19:20,880 --> 00:19:28,400
they're just a vendor. Sure. So is that how you like to operate? We certainly like to operate in

199
00:19:28,400 --> 00:19:34,160
the trusted advisor role. I think within any industry, there's going to be a certain base of

200
00:19:34,160 --> 00:19:40,320
clientele that will treat anybody like a vendor, and that's unfortunate, but it's a reality, right?

201
00:19:40,320 --> 00:19:47,200
I think ultimately what you're trying to elevate is the understanding that with these living ecosystems

202
00:19:47,200 --> 00:19:53,600
with these complex products and services, you're not just ordering off of a menu. These are not off

203
00:19:53,600 --> 00:20:01,760
the shelf products. These are custom tailored to fit your needs, right? And with that in mind,

204
00:20:01,760 --> 00:20:06,320
you know, you have to understand there's going to be a little bit more of a process. There's going

205
00:20:06,320 --> 00:20:12,320
to be a little bit more of an exchange as it relates to information on an initial basis and on an ongoing

206
00:20:12,320 --> 00:20:21,440
basis, right? Really understanding that helps you understand that the yield will be better, right?

207
00:20:21,440 --> 00:20:27,680
From that kind of process. If you give a trusted advisor 10% of the information that they need to do

208
00:20:27,680 --> 00:20:33,920
their job, you're probably going to get about 10% of a solution. That's like when people go to a doctor

209
00:20:33,920 --> 00:20:38,880
and they start doing diagnosis, right? Sure. And they don't disclose some information that would be

210
00:20:38,880 --> 00:20:46,800
quite pertinent, and the doctor misses something, right? Sure. It's really critical for people to

211
00:20:46,800 --> 00:20:53,360
view these two professions as a trusted advisor. Exactly. And so, I also think that we also have to

212
00:20:53,360 --> 00:20:58,720
remember that nothing is set and forget anymore. It used to be, you know, back in the day,

213
00:20:58,720 --> 00:21:04,160
our days, you put in your antivirus and you just let it rot because it usually caught what you needed

214
00:21:04,160 --> 00:21:09,920
to catch. Nowadays, you just can't set it and let it sit. You have to watch it. And I think that

215
00:21:09,920 --> 00:21:14,560
has to do with insurance as well as you're making these changes in your environment to make sure that

216
00:21:14,560 --> 00:21:19,440
they know that you've made these changes as well, which could benefit you, right? I mean, you might do

217
00:21:19,440 --> 00:21:24,240
something that actually makes some happy and lowers your risk. Yeah, you can go both ways. Business is

218
00:21:24,240 --> 00:21:29,360
dynamic, right? So, you know, a business that, you know, adds a location or adds a bunch of people,

219
00:21:29,360 --> 00:21:34,080
that's a greater risk for insurance company, but it can go the other way, right? So they forget to

220
00:21:34,080 --> 00:21:39,360
call their insurance company if they've done it. Sure. They reduce their exposure then, they're forgetting to

221
00:21:39,360 --> 00:21:46,480
let them know. And not all risk is equivalent, either, right? So, you get to remember that in the

222
00:21:46,480 --> 00:21:53,360
United States, we have states, right? And every state has very different legal systems, very different

223
00:21:53,360 --> 00:21:58,720
perspectives on what might or might not be an employee, things of this nature, statutes of repose,

224
00:21:58,720 --> 00:22:03,680
limitation, all that good stuff. So when you think about what you do, maybe here in Arizona,

225
00:22:03,680 --> 00:22:08,640
and you want it to expand it into, let's say, New Mexico or Colorado or Utah, it may not be the same

226
00:22:08,640 --> 00:22:13,360
level of risk simply because that state views what you do differently than the state of Arizona does.

227
00:22:13,360 --> 00:22:17,920
So don't be afraid to have these conversations. Good point. Yeah, multi-state business is good.

228
00:22:18,560 --> 00:22:27,440
All right. Hey, so this last topic for me is interesting because from your side, from the insurance

229
00:22:27,440 --> 00:22:32,960
side, I'd love to see what your feelings are and what any experiences are that you have with

230
00:22:32,960 --> 00:22:39,680
self-insuring, right? Because a lot of times we hear with our clients, no, I don't need cyber liability

231
00:22:39,680 --> 00:22:48,480
insurance. I'm going to cover it for myself. And then, conversely, Tim, do you hear about clients

232
00:22:48,480 --> 00:22:59,040
that maybe have family members or try to do things a little bit more efficiently, or overly efficiently,

233
00:22:59,040 --> 00:23:04,720
but they might not necessarily, that's sort of self-insuring, right? Because they're not necessarily

234
00:23:04,720 --> 00:23:12,400
bringing in a CISSP, a truly educated individual, who can look and try to solve things for the client.

235
00:23:12,400 --> 00:23:18,720
So let's start over here and see what you've got. Yeah, I mean, I think it's funny that you say that

236
00:23:18,720 --> 00:23:22,400
because anybody who works in IT knows that their mother or their father is going to call them

237
00:23:22,400 --> 00:23:28,400
as soon as we walk out the door, right, because something doesn't work. Yeah, absolutely. But yeah, no,

238
00:23:28,400 --> 00:23:35,600
there's, we actually run into it where we can't, we can't get hold of people who are handling

239
00:23:35,600 --> 00:23:42,320
their IT before we became their partner. And then it takes us, you know, it will take us days

240
00:23:42,320 --> 00:23:49,200
and sometimes months to run down configuration for things that should take us five or ten minutes,

241
00:23:49,200 --> 00:23:53,840
now pushes us down the road on trying to get these things fixed for the client. So

242
00:23:53,840 --> 00:24:02,640
when you use someone who is not a professional, you're taking the chance of one, not getting done

243
00:24:02,640 --> 00:24:08,240
right. And especially if we're going to say once again, we'll do hand in hand, you have someone

244
00:24:08,240 --> 00:24:15,200
set up your router so that when they put in their claims or they're going to set up their

245
00:24:15,200 --> 00:24:20,000
self-assessment, they say, do you have a router in place? They said, check, my router in place. Is it

246
00:24:20,000 --> 00:24:25,680
configured a specific way? Check, of course it was. My brother took care of it or my father. And I know

247
00:24:25,680 --> 00:24:32,080
that he does everything right. So then something does happen and then they get it, the insurance

248
00:24:32,080 --> 00:24:36,640
company gets it and goes, well, you said you did this, this, this and this and the guy goes, I did what?

249
00:24:36,640 --> 00:24:43,200
I thought I'd do that. I don't know. So I mean, no, I don't think that

250
00:24:43,200 --> 00:24:51,760
not everybody should be doing IT just because we know it's, I shouldn't be a gardener. I mean,

251
00:24:51,760 --> 00:24:56,080
I can go out in the back yard and I can plant a tree, I can set up the water, I can get it to go to

252
00:24:56,080 --> 00:25:02,960
a certain spot, but when it comes to tending the garden, I'm not the best and I'll be the first one

253
00:25:02,960 --> 00:25:10,160
to admit it. Right. And along that line, no, even if they say they have a family member or a friend

254
00:25:10,160 --> 00:25:17,280
of a friend or nephew cousin, it doesn't matter, sure. That is a true professional. And if they're not

255
00:25:17,280 --> 00:25:25,360
actually engaging with them on an agreement, correct, with expectations and all that documented,

256
00:25:25,360 --> 00:25:30,400
it's just, it's a family agreement. That's not going to hold.

257
00:25:30,400 --> 00:25:36,080
That goes by as well. So, but that goes by what we were just saying, you can't set and forget,

258
00:25:36,080 --> 00:25:40,720
you can't just set it up and go, here you go, this is not going to work for you and exactly

259
00:25:40,720 --> 00:25:47,920
the way it's supposed to from day one to day 365. All right. Good. All right, self insurance,

260
00:25:47,920 --> 00:25:52,720
right? There's a few, I've got a few dollars in the bank, sure, you know, CLI insurance, I don't

261
00:25:52,720 --> 00:26:00,400
know about you, but your company, but we might do ours anyway. It's been going up every year. So,

262
00:26:00,400 --> 00:26:09,760
sure. So, self insurance is absolutely a real thing. Let's start there, right? But the actual

263
00:26:09,760 --> 00:26:15,680
applications of it, whether it be a loss-sensitive program, a single parent captive, a group captive,

264
00:26:15,680 --> 00:26:22,480
are sophisticated, time-consuming, and require a significant amount of actual cash on hand or

265
00:26:22,480 --> 00:26:28,240
capital, right? So, when a lot of people, particularly small to medium-sized enterprises, are using the

266
00:26:28,240 --> 00:26:33,440
term self-insuring, they essentially mean, I'm just going to keep that risk on my balance sheet.

267
00:26:33,440 --> 00:26:40,720
That's really what they mean, right? So, that's a scary proposition when you think about how hard it

268
00:26:40,720 --> 00:26:45,360
is to be a small or medium enterprise owner and how hard it is to grow that entity, with great respect

269
00:26:45,360 --> 00:26:52,000
to those people, right? So, certainly not wanting to risk that balance sheet. So, let's start with your

270
00:26:52,000 --> 00:26:57,920
standard cyber liability policy. That's a million dollar policy. So, unless you have a million

271
00:26:57,920 --> 00:27:03,920
dollars of cash that you'd like to set aside solely for the purpose of responding to a breach of it,

272
00:27:03,920 --> 00:27:10,000
you're really not self-insuring, right? Regardless of whether or not you're unhappy with the premium,

273
00:27:10,000 --> 00:27:15,040
which I could understand in some circumstances, right? Regardless of whether you're unhappy or have

274
00:27:15,040 --> 00:27:21,520
questions about your terms and conditions, you're really not going through the practice of self-insuring.

275
00:27:21,520 --> 00:27:26,800
You're just putting risk on your balance sheet. And one of the most important things to grow a

276
00:27:26,800 --> 00:27:32,720
small or medium enterprise is preserving capital and preserving that balance sheet. So, the more you can

277
00:27:32,720 --> 00:27:38,320
do from an insurance perspective, from security perspective, from the legal perspective, any of these

278
00:27:38,320 --> 00:27:46,160
trusted advisors, the more you can do within a budget that is aligned with market fair, let's call

279
00:27:46,160 --> 00:27:51,200
it for these projects and services, right? The better your balance sheet will be. Excellent. I think

280
00:27:51,200 --> 00:27:55,680
also, and I think what's interesting about that too is the fact that when you start doing self-insurance

281
00:27:55,680 --> 00:27:59,360
or when you start talking about this, when you start doing business impact analysis and looking at

282
00:27:59,360 --> 00:28:05,600
risk, we go to the actual, we go to the insurance people to find out the numbers. So, I don't know

283
00:28:05,600 --> 00:28:11,920
how many times in Arizona that there's going to be a fire in our area. So, what I have to do is I have

284
00:28:11,920 --> 00:28:19,440
to go to an actuary somewhere and go, okay, in our area, how often does a fire happen? And then I have

285
00:28:19,440 --> 00:28:23,600
to look at the cost of the building, I have to look at what the probability is inside. I mean, there's a

286
00:28:23,600 --> 00:28:30,160
lot that goes into it. So, if you are self-insuring, you really better understand the numbers.

287
00:28:30,160 --> 00:28:36,320
You know what's funny is, it's a good point. What's really funny is self-insuring is actually still

288
00:28:36,320 --> 00:28:40,640
occurring because if people aren't truly honest and transparent when they're filling out that

289
00:28:40,640 --> 00:28:47,360
portion of the application. Sure, they literally just self-insured. They've created risk on the balance sheet,

290
00:28:47,360 --> 00:28:52,720
right? And the other thing you have to understand too, right, is when you think about, you know,

291
00:28:52,720 --> 00:28:59,200
small and medium enterprises being the backbone of our economy and our country, you're not just risking

292
00:28:59,200 --> 00:29:05,120
your balance sheet, but you're risking the jobs of your employees, right? You're really risking your

293
00:29:05,120 --> 00:29:10,960
community, not just your business. So, it's really, really important that you protect that balance sheet.

294
00:29:10,960 --> 00:29:16,080
All right. Well, this has been very, very informative for me. So, I'd like to just give a brief

295
00:29:16,080 --> 00:29:20,480
summary of what we discussed. Guys, don't forget to correct me if I don't tell you what correct me.

296
00:29:20,480 --> 00:29:32,880
Anyway, so, we've agreed that both CLI and your IT and security is important, right? That's

297
00:29:33,520 --> 00:29:38,800
not just important, but intertwined. Yeah, I think at this point in business, in today's world,

298
00:29:38,800 --> 00:29:46,720
I don't think you can do without it, honestly. Okay. Good. When working with your provider,

299
00:29:46,720 --> 00:29:54,880
your CLI policy coverage, you really need to have a business conversation with that person to make

300
00:29:54,880 --> 00:30:04,240
sure that the net is big enough, and it's thick enough, and that you are protected to the degree you

301
00:30:04,240 --> 00:30:12,400
think you are being protected. Absolutely. And there's lots of great information that any good broker

302
00:30:12,400 --> 00:30:18,560
in this space has to help you benchmark as well. Okay. What size that net should be, right? So,

303
00:30:18,560 --> 00:30:26,400
we're happy to help. Awesome. And then, business being dynamic, constantly changing, right? You brought

304
00:30:26,400 --> 00:30:33,520
up all kinds of examples, switching out your cable modem or your router ports and all kinds of great

305
00:30:33,520 --> 00:30:41,280
stuff happening, adding and subtracting users. Any change whether large or small is an exposure.

306
00:30:42,560 --> 00:30:51,120
So, you need to have a regular cadence of meetings with your trusted advisors, right?

307
00:30:51,120 --> 00:30:56,080
Absolutely. So, we're going to grant it there. All right. And finally, self-insuring.

308
00:30:56,080 --> 00:31:04,480
So, way to go. No. So, self-insuring, big decision, definitely get into the nitty gritty with your

309
00:31:04,480 --> 00:31:09,680
trusted advisor. Make sure you understand what you're doing and make sure you're truly covered.

310
00:31:09,680 --> 00:31:17,920
And regardless of family members, friends that are in the IT or security business,

311
00:31:17,920 --> 00:31:24,880
if you're going to work with them, fantastic. But you're doing an injustice to yourself if you don't

312
00:31:24,880 --> 00:31:33,600
make it official. Correct? All right. Cool. I agree. Awesome. So, Tim opened this up with a great saying

313
00:31:33,600 --> 00:31:40,480
that there are two kinds of companies out there, right? One type that has been breached and knows

314
00:31:40,480 --> 00:31:46,080
about it and the second type of business is those that have been breached and yet to know about it.

315
00:31:46,080 --> 00:31:53,280
So, with that in mind, you guys, you need to be proactive, okay? Get with your professional.

316
00:31:53,280 --> 00:31:58,880
Don't wait for your renewal to show up and just write a check and pay it, take an hour or two

317
00:31:58,880 --> 00:32:04,400
and meet with your professionals and your IT professionals as well. All right, guys, that's going to be

318
00:32:04,400 --> 00:32:10,960
a wrap for today's episode. I hope you enjoyed it. Just a quick reminder, review, subscribe.

319
00:32:10,960 --> 00:32:19,280
And until next time, I challenge all of you to keep on learning. Bye-bye.