4 Steps for a Successful Cybersecurity Webinar Full Webinar

Show video

Welcome everybody to the Integris national webinar here across, I think we have about 16 different states on this webinar today. I want to welcome everybody. This is Integris. We got Iconic IT that we've recently partnered with. We have Measured Insurance and we have ConnectWise as well. Today we're going to focus on the four steps for a successful cyber policy renewal.

We've been getting a lot of feedback from our customer success team, from our sales team, from our vCIOs about cyber insurance renewals, the cyber insurance marketplace, and what's going on in that realm. So we wanted to bring in the best of class in cyber insurance, as well as the best in class in terms of technology providers, to make sure we covered this topic for you. Quick housekeeping notes. This webinar is being recorded and will be distributed to all that registered. We will be paying attention to the Q&A and chat during the entire presentation.

We have the entire Integris and Iconic IT marketing team behind the scenes paying attention to that stuff. So please utilize it. You can drop your questions directly in there. I'll be paying attention to it as well, to make sure I ask questions in line with the presentation.

And with that being said to make sure everything's working, and to give our presenters some context, would you all mind just dropping in the chat where you're calling in from today? Where are you physically located in this remote virtual world that we now live in? And also what industry are you a part of? So if you could hit us with your location and industry in the chat we'd love to see that so the presenters can understand and hit on some of those hot topics. And then finally for all that attended today and gave us your time we wanted to send you all out a small, thank you. So we'll be emailing over a Domino's gift card. Pizza is on Integris this week. So with that, I'm going to check out the chat real quick and see where are we got? We got a, I'll read a couple of these off. We got Pennington, New Jersey and claims management.

Marketing and advertising Marquette, Michigan in the banking space, financial services. We got Wichita with accounting and CPA firm, a Duluth with a trucking company, New York city, real people casting for advertising. And I'll hit one more here. Denver with civil engineering. Thank you all for hitting us in the chat with those. I appreciate it.

It gives Zach and Jay some perspective with that. We'll get into the next slide here. Okay.

All right. Agenda. We're going to hit introductions. We're going to talk through the regulatory landscape.

Really, what's the cause that's making this all happen right now in the cyber and tech space. For number three, we're going to hit what's going on in cyber insurance. Zack's going to go into detail on exactly the differences. One of my favorite slides that you're going to see today is the difference between 2020, 2021 and 2022. And he's going to walk you through that, which I think is a very valuable piece of information on number four, we're going to hit cyber insurance, renewal considerations.

Then we're going to get into understanding cyber security, risks, and responsibilities, and then we'll wrap up, make sure we're getting after those questions. So with that, here's your panelists for today. We have Zach Atya. He is the Director of Insurance at Measured. Zack assist the organization in building innovative cyber insurance products, programs, and distribution strategies, his professional experience and academic background in cybersecurity management and policy helps him bridge the gap between cyber awareness, mitigation and risk management. Zack, thanks for joining us today.

Thanks for having me. Next up, we have Jay Ryerse. Jay is a CISSP and the VP of Global Security at ConnectWise. In 2021 and 2022, he was named a Channel Chief by CRN. He's trained over 10,000 people, including myself and some of the team members at Integris in the IT Nation Certify and other cybersecurity courses that he's an international speaker on cybersecurity and the impact of SMDs.

And he's the author of Technology 101 for Business Owners. You have myself, Jay, thank you for joining us. You also have myself, I'm Anthony DeGraw.

I'm the VP of Sales at Integris. I've actually have a unique perspective on this. It's not in my bio there, but I spent about the first 10 to 15 years of my career in the cyber insurance marketplace, working for carriers, managing general agents, as well as retail agents on specifically cyber insurance. I flipped over to the MSP side once I learned about that industry and now serve you all from that perspective. So real quick I wanted to touch on or open this up really to Jay and my myself, where Jay's gonna touch on this and myself on really what is the why? What's the current problem that we're all dealing with and why we have 145 people on this webinar today with cyber insurance and technology? It's clearly a very hot topic. So I just wanted to give the audience my perspective on that.

And then I'm going to transfer that that buck to Jay and Zach as well to just get an overall perspective from the MSP side. Once I, like I mentioned, we're across 16 different locations. Now we serve about three times zones.

From our perspective, companies are getting to hold higher levels of cyber liability insurance, whether that is getting pushed on them from their clients they serve or industries they represent. And then what we see is when they're going to get those higher limits or renew, even the current cyber insurance policy they have in place, they're getting significant increases in their premium, or they're even getting denied coverage for not having the right technology or compliance controls in place. And that's when they come and knock into us and it becomes an immediate need, almost like an emergency to get something done. So that's the Integris perspective on why this was such a hot topic. Jay, I'll throw it over to you. Well, again, thanks for having us today.

The volume of attacks occurring today and then the amount of the impact that we're seeing on small businesses is exponential. And you start adding in some of the geopolitical issues going on, whether it be, what's happening in Ukraine and that cyber attacks that they're suffering and what it would look like in the event that, we engaged, in that particular conflict it's going to create challenges for every industry as the number of cyber attacks actually increase over the next several months. Insurance is one of the ways to mitigate that risk and what we are firm believers in not only, having it, but obviously, keeping your policies and aligning towards assessing risk and when it comes to determining how much and what type of security insurance you actually need, I think Zach's probably best to cover that topic.

You have the fact of the matter is unfortunately everyone especially with the rise of ransomware was caught blindsided at by the rise in attacks. And that includes insurance carriers. And, I'm willing to admit the industry had a bit of a knee-jerk reaction to our, the current state of the threat landscape. And that has caused a lot of issues with insurance renewals, getting new insurance.

And unfortunately, insureds, all the folks that are on this call have been drawn the short straw and haven't really been given much guidance. And so what I'm hoping to. Relate to you all. And with the help of Jay and Anthony is to help provide a little bit more guidance and really partner with you guys to understand how you should be looking at the market as a whole. I'm not going to bore you to death with the details and dynamics of the cyber insurance market. But what I will do is try to hold your hand through and understand the way that the industry is thinking and, use that insider knowledge to your guys' benefit so that you can be competitive and protective come your insurance, renewal timer when you're seeking to purchase insurance.

Absolutely. I'll add in some final thoughts there, from my perspective on both sides five to 10 years ago when I was on the insurance side, almost every insurance carrier was coming out with a specific cyber product and all the language, all the terms, the limits liability. The cost structure, we're all completely different. And what you had is as typical supply and demand supply was through the roof. Every insurance carrier was looking at this as a as another opportunity to grow their business. And on the demand side, it was super low.

Zack and Jay were going back and forth before we, we went live on 5% of the market has cyber insurance. 10% of the market had cyber insurance. So the demand is still very low. The supply was really high, which made it to Zach's point.

There was some more one-click applications out there to get cyber insurance in place. They weren't asking any questions. They weren't following up on any risk management strategies. And then what happened over the last two to three years, you had significant claims that came through and now they're getting smarter about it. Like they always do with that.

We're going to go into some of Jay's slides here. He's going to run through them for you all. What's the cause of this.

What is the actual problem? The cause that is creating where we are today. So Jay I'm gonna turn it over to you. Thanks. So if we look at it from the perspective of understanding your cybersecurity, risks and responsibilities, who owns the responsibility is an important, as I talked to business owners all over the world they all feel like, in their business, they're too small that they're not going to be a victim because the attackers want the bigger, enterprise quality businesses. And then that's not really the case. So we think that we live in this perfect world with no traffic and no noise pollution.

The kids are out playing until the street lights come on, but in the cybersecurity space, that really isn't the case. And it became very evident in this last year. When president Biden rolled out an executive order focused on improving the nation's cyber security.

Now this particular document was targeted. The federal government agencies and businesses that do business with the government, but in my mind, and what we're seeing out there is this is just the first of many steps towards, pushing business owners and business leaders to secure their own data, which they have the responsibility to do. And then we started thinking about, what does it mean? It wasn't look like, I think in the improved detection section, what we see there is that we've all been too slow to deploy. And so if I look at what the order said, if I take 34 pages and consolidate it down to five key bullets, I'm gonna add my six, which is before you do anything in security, you have to assess where you are. If you don't understand where your data resides, how it's accessed how it's backed up, what security controls are in place.

None of the other controls are gonna know. So we look at this from the executive order, they said you've got to have it as a response plan, and I'm pretty sure on the insurance questionnaires. Now they're asking you, if you have an IRR plan, they want to see a multifactor authentication. They want to see endpoint detection and response also known as EDR, or maybe even MDR in your world. They want to see if you have SIM a security incident event management, which for the longest time was only an enterprise tool, but there are now solutions available for the SMB space and things you guys can be looking at. And of course, how would you survive a cyber attack? We call it backups.

But the survivability factor is, can become very important. And when we look at the hits that have happened over the years, I love pulling out some of the articles that you see out there. And this one's a little bit dated now because the number has gone up just a hair, but for small businesses that they've said that cyber tax cost a business, $200,000 on that. Now I blocked out there putting me out of business because we're not really seeing them go out of business. We're just seeing them suffer through months of time and recovery efforts to get back to normal. As a matter of fact the Pomona Institute says that it takes 66 days after a cyber attack occurs to get your business back to a normal operating condition.

And so we have to be aware of what's going on and why it matters. And I'm guessing if we pulled the audience, most of you have never been part of a cyber attack, or maybe you didn't know you are. We've talked about ransomware quite a bit.

I know that it'll be a topic today. I actually brought a sample of a message that pops up on a screen. Now I took it out of the text document and put it in here. So it's actually readable, but basically when a ransomware attack happens now, the attackers are putting up a marketing man. Our sales letter and how you want to read it. They're basically saying, Hey, as you figured out we've broken into your network and we have all of your data.

We've downloaded some of your data, which we stole some of it. And yeah, we've gone ahead and we've encrypted everything. And when you start to see these messages pop up on your screen, what was your team do? Now? I know you guys are gonna call it Integris. You're gonna call your insurance company, which is good.

But th these guys are getting aggressive, for this case that they actually talk about, the good news is we're here to help. The attackers want to help you. They have high standards, high morals they have to maintain. So they will provide you with IT support by offering a decryption tool, a security report that will show you how they broke in, then show you how to actually avoid this in the future.

And they'll do it for this case. Then this particular client a small $800,000. So, if you go onto this next slide, you'll actually see that where they actually go back and say, enter a thousand dollars.

And I love this one. There is no way that we will not fulfill our promises after you pay us. I really honor amongst thieves and I'm making light of this, but it's a really big deal. These attackers are in businesses in some cases, more than 150 days before they've been identified. So they've had time to steal your data, to figure out who your company is. And we are seeing the average ransom payment today is 10% of companies revenue.

So if you're a $10 million a year business, you should expect a million dollar ransom. And that really shows that we're not really prepared that really nice neighborhood we lived in. Isn't so nice after all. So what are some of the financial losses and how else might we think about them? There's a lot of different ways, but when I look at this, I think about the cost per record, and I pulled some stats here from Pomona student, IBM businesses with less than 500 employees. So enterprise is substantially worse, but if they're saying that the average cost of a breach is 2.9, $8 million, by the time that you recover, restore

bring data back, pay the ransom the recovery efforts the legal fees. The other thing is that come with insurance. It becomes very expensive. And some of you were saying, but Jay, our businesses leave it doing $3 million a year in revenue. That's okay. If I'm off by 90%, most of us are not prepared to take that kind of a hit, into our cash flows.

And that's really why I think insurance is so important, but how is it happening? Where are we seeing it on the cyber side? You know what? We're seeing emails, a business, email compromise, the FBI keeps putting these reports out there and typically half of all cyber attacks are starting in and around email. And it's social engineer. They're getting users to click on things they shouldn't click on in 2020, the average loss for business email compromise was $94,000. Next is ransomware.

I showed you guys a quick sample of ransomware, but we're seeing this now somewhere between 11 and 14 seconds, a ransomware attack occurs on a business here in North Korea. That's too many. So we ultimately look at this as a team sport issue.

We've got to work with you. We've got to work with, with Anthony's team and work with the insurance providers a lot like Zach's company to help make sure you're prepared for a cyber attack. At the end of the day, we actually talk about this thing called data responsibility and that this is where all I'll hand off to Zach to really dive into it.

We call this the data responsibility of PI. And so everybody understands what their role is in, in managing and assessing risk. And it starts with the data owner owns the liability and they establish the budget for protecting data. At the end of the day, the business owners or board of directors whoever's in charge owns that responsibility, but they want to pass that responsibility over to the it team, right? They want information technology team to own that responsibility.

The reality is that teams all are going to implement the solutions that the data owner has budgeted for on approved. And the lastly is this information security team, which most of you don't have. So you're gonna look to your partners like Integris to solve this. Th this is really where the information technology team and the data owners work together to assess risk, determine what the mitigation strategies look like.

Implement those words, appropriate, implement technology where appropriate, and of course, leverage insurance to help transfer risk. And so when you understand this pie, you start to think about cybersecurity and insurance very differently. And so I'm kinda curious, Zach, what do you think, is this a good way to depict that message? Yeah, absolutely.

I tend to think about it as, people, processes, technology which is something I'll get into in a little bit, but all of those things are very much, all the pieces to the pie. And when you look at a cyber insurance application, for example that's pretty much what every cyber insurance application is trying to get in terms of information when you're filling out those applications, all those elements that you just discussed Jay. Are part of that. So, Yeah, If I could quickly hit on some of Jay's points there, I'll start with the small side. Everybody thinks they're small when they're looking in the mirror and the 10 person company thinks they're small, the 50 person, the a hundred, the 500, because everybody's comparing themselves to something larger. And my biggest standpoint on that is the larger organizations, the targets of the world when they had their breach, we're spending a million dollars on cyber technologies, and they didn't have the people team behind it to back up those technologies.

So it doesn't matter where you're at. And. Even different than that, the budgets are different at each level of this, as we understand it. So think through that as well. And if you don't have that budget there, or you don't have the capabilities of that larger team, you're actually an easier target.

And it may make sense for them in a one to many type of situation for them to target an organization like yourself versus going after the targets, the banks of the world and things like that. So think through that, another thing I wanted to touch on is Jay was talking about the cost of a breach, and I think 2.98 million was on there. There's another cost of that, that we, that it's very hard to articulate an actual dollar amount. And that's the reputation cost of, you're gonna have to announce that. Even if you don't announce it, it's going to get out by your customers in one form or another. And I call that reputation hit that you will take from one of these incidents.

And the best way I've been able to articulate it to folks is when Equifax was breached, they lost 20% of their market cap within one week of that breach. So obviously they're a multi-billion dollar organization and 20% is a very large number, but Jay was getting at this, take that 20% number and attach it to where you're at today. And you can figure out what does that type of reputation hit going to do to your business or organization going forward, Zach? Sorry for interrupting you, man. I just want to get those two, two things in there. Oh no, all great points. And and those are all elements that are covered by a cyber insurance policy.

So for those of you that are. Familiar with what cyber insurance is. It's really a way for you to transfer the costs of a breach to an insurance company. Very much like you would in a car accident with your car insurance. But it's a very comprehensive, robust insurance policy. I would argue it's one of the most comprehensive policies that exist for transferring any kind of risk.

And that covers some of your first party Breach Response costs. It covers some of your third-party liability costs. If somebody is suing you for a breach in their privacy and private data and regulatory damages. So if you're not compliant with HIPAA, if you're in the healthcare industry or if you accept credit cards and maintain a credit card information, you'll have to be compliant with the payment card industry, data security practices. Framework there fines and penalties associated with that.

And then also theft of funds, cyber crime, that's all something else that's covered by by cyber insurance. So, at that let's dive in to see what's really going on in the cyber insurance industry. If any of you guys have any questions on cyber insurance, Anthony we'll find a way for us to meet in the middle and we can talk about those later on. So, the good, the bad and the ugly. This isn't a Western movie, although cyber insurance feels like the wild west and cybersecurity does feel like the wild west, but cyber insurance carriers in the early days, really as Anthony actually talked about earlier, really were writing anything. They were handing out cyber insurance policies super cheap.

In recent history I saw. $5 million policy at pulse that is $5 million worth of coverage for less than 10 grand. And just let you know folks those days are over.

And so there's more robust underwriting. So they're looking at applications. Some organizations are even employing four different types of scans to understand what your what the risk tolerance and your overall risk exposure is.

Which is a good thing because what that does is it helps create a more stable pricing structure over the longterm. I'm going to illustrate what those jumps are and what the failure of underwriting does to the insurance industry here in a second. But the other element is there's more support for insurance as a whole. Some cyber insurance companies are doing it better than others. The folks that measured, we feel like we're doing that right. Hence our partnership with integrisit.com and by virtue of

that partnering with ConnectWise. So I'm really trying to serve as your risk management experts is the goal there? The bad thing is there's not enough cyber insurance to go around. So, without getting too deep into the insurance technicalities the insurers that are providing the coverage, they're not there's not enough coverage for them to be able to deploy out to companies. So that's causing rates to go up right. Supply and demand.

And the other element of, and really the ugliest thing is the claim severity and claim frequency of both frequency and magnitude of claims as increasing. So that's really, that's quite frankly, that's really the biggest contributing factor to why pricing is increasing. So I did want to illustrate this and hopefully this really puts it in the perspective of what's going on in terms of pricing year over year. So let's say all else is equal.

And I use an example, a sector that is having a lot of trouble finding cyber insurance right now. Law firms, a lot of them are getting non-renewed and it's impossible for them to find coverage. So this is a client that we've actually seen. And I, we had some information about their past policies.

So I put this together to help illustrate this $18 million in revenue true SNB and same number of employees, same number, record, let's say all else was equal with in between these two applicants, right? The first. Had no sort of endpoint protection, that's EPP no training of their employees. And they had open RDP ports, which are, which is the remote desktop protocol.

Typically it's meant for remote work. There's a variety of reasons why you could have this port open. But it's one of the biggest contributing factors for an, an open door for threat actors to get into your into your systems in 2021. That was fine. They paid $12,000 for a $1 million limit.

A lot of times actually even cheaper than that to be quite honest but in 2022, look, what's happening with no end point protection, they're getting the client. They don't have any training. There was an increase in premium and some were even are also getting declined because of that reason. And then open RDP ports.

You're declined. So, that was really tough for them. So let's say that they at least had the EPP and or if they did manage to find coverage, they're seeing an increase of about almost 50, almost a hundred percent, sorry. Almost a hundred percent. Now let's look at applicant either they're in a bit better spot, right? So they're, the rates were lower because they had their endpoint protection in place.

That's training in place. We didn't have any open RDP ports. They have, they're a better posture. And the pricing is reflects that it's about 8,000, $8,000 a year in 2021, regardless because of the market.

And because even though they had a better posture, the entire cyber insurance market is reacting. So even though they did everything right, they're still seeing an increase, quite a big increase. If you look at it, so, regardless. They're paying about $14,000 instead of that 8,000. So, I hope this kinda, this illustrates a couple of things, one, the importance of having some bare minimum controls not just for protection, but also, how much you're coming out of pocket for insurance policy and hopefully being able to get an insurance policy, but also, unfortunately all the people that did have good controls in place, they're picking up the tab for all the bad apples in there. So, the bad apple spoils the bunch and that's true of insurance.

So the things to look for come renewal time there's definitely a chance that your coverage will be restricted. That could be either the amount of limit that you're being. Granted. I see a lot of clients that were, that had a $5 million limit policy in the past and the max that their carrier is willing to offer them.

I've seen as low as 1 million actually. But typically the five is getting pushed down to a three, a $3 million policy also increased the deductible. So in the event of a claim, the insurers want clients to have more skin in the game. And so in, in increasing the deductible, that means you're going to have to come out of pocket a little bit more in the event of a claim.

And in addition, it's not just the limits in the amount, but also the type of coverage that you're getting. I'm seeing sub limits for ransomware coverage, which is, in the event of a ransomware Breach it's a limit that's dedicated to what were to happen in ransomware claim like 10 paying the ransom as an example I've seen that instead of being full, this maybe 50% limit. So if you had a $3 million policy, you have a maximum of 1.5 specifically for ransomware. And again, that's a reflection of the amount of ransomware claims that are. And ransomware is not going anywhere.

In fact, it's evolving. So, there's a heightened sense of awareness for the controls that specifically address ransomware, right? So endpoint detection and response with that. Jay had mentioned earlier that has shown to th a shift from the model of what is called signature-based protection, where, I'm sure everybody remembers the days of McAfee and you're downloading, you've got to manually download your updates and you're just like, oh God, I gotta wait 25 minutes for this thing to download.

Those days are over in. So in, in shifting to endpoint detection and response, it's a much more dynamic way of protecting your business. And that has shown to be increasing the resilience of an organization and then regulatory changes. And Jay highlighted that earlier with the executive order we really saw a lot of that start in the EU with GDPR and California followed shortly. But what's called the CCPI.

There's a bunch of other states, Virginia just recently passed theirs. And there's a pipeline of states now that are looking to pass legislation largely around privacy and maintaining the privacy of consumers. But I think very soon as we saw with the executive order, there's going to be some mandates around cybersecurity controls as well. One quick point on this too. When I was in the cyber insurance space the number one thing I would do to separate one carrier from another is if you have that million dollar limit, I didn't want to see sub limits on there. And I want to make that very clear that what Zach is saying here is that you're probably not going to get that full limit that you're paying for across multiple different coverage parts.

It's one thing that you would want to push for it's things that you should be asking questions about or trying to increase those. I typically, now that I'm not in the insurance space, I can say this whenever you see a sublet. That means the insurance carrier is expecting a higher chance of loss in that category. And they want to limit their exposure, same things as it comes to exclusions and things like that. When you're reading through your policy, you want to make sure you're very clear on what those exclusions are or the modifications to different language, because they are very smart individuals. They look at this very deeply and if they're putting it there it's for a specific reason which means you should better protect yourself there.

Hey, I can't transfer this piece of risk to them. How can I better transfer this risk or get ahead of this risk somewhere else? Yep. All great points. So it can be pretty stressful come renewal time for your cyber insurance policy these days.

And is it possible for you to insulate yourself from all of this? Shake the magic eight ball, all sources point to yes, but also not really. And as evidence from what I had illustrated with that applicant be who had the good controls. Unfortunately, their pricing is still increasing because the industry as a whole is increasing their pricing. So, let's jump in and discuss that a little bit. In terms of, getting to the four things, in terms of how you can prepare for that cyber renewal.

You know how to prepare yourself. Assess. Jay is a big proponent for assessment. I, it's music to my ears when he starts talking about assessing your risk and assessing your exposure doing the actual mitigation. So partnering with Integris and connect wise to ensure that you're taking those steps to limit the potential for a loss, and then transferring that risk to insurance.

And we'll dive into each one of these a little bit more. So in terms of preparation, I break these into two phases. One is prior to even thinking about your, getting insurance quotes, filling out an application, it's really great.

And by the way, this is just a good practice in general, regardless of your, if you have cyber insurance or. Staying in touch with your IT department. They're, they've been sitting at the kids' table for a long time and now they're starting to join. The grownups are increasingly rapid pace.

So get in touch with any internal IT personnel that you may have now, or get in touch with the Integris' of the world. Your technology service providers on any changes that have occurred because, Integris is working very hard throughout the course of their services and throughout the year, making changes, making sure that you're up to date, get in contact with them about some of the changes that are being made and what that means for your business and how it protects your business. So, Inventory your assets. So hardware, software, shadow. It a, is a big problem shadow. It is basically, the ability for an employee to download Spotify on their company, issued laptops.

That's not okay. Your employees should not be able to do that. It's any sort of it actions that are being taken without the it department, actually knowing what security technologies are being used.

There may have been changes or upgrades to the technologies that you're using. And then the types and amounts of first and third-party data that you're handling. So first party data, an example of that would be your employees information, right? For HR reasons. And example of third-party information would be maybe intellectual property that you have that for another organization or any of your client, any of your clients, right? So if you're a retail business, any information that you might have on your clients, or if your healthcare, any of your patient data, that's all third party information. And then phase two is translating what you have from phase one into the application. And just because you have an application and a lot of them are, yes, no questions.

It would be who've you to also create some content. In addition to that application. So, provide a summary to your cyber insurance providers and tell that story as to why you would be a good risk to take on some of those changes. Some of the things that you can't necessarily see in an application, as is this client really taking security seriously? And are they optimizing as opposed to being reactive? Having that summary is incredibly helpful and Anthony I'm sure.

You could probably speak on both sides of this. Yeah, touch on that a little bit. Absolutely. One of the hardest parts about being in the insurance space and what Zach and his team have to do from an underwriting perspective is truly assess an entire business from a piece of paper and primarily, yes, no questions with whole number answers. How many people do you have? 50.

How much revenue do you have? 5 million. Do you do this? Yes. Or sometimes you get an FNA on there as well. When you're bringing your organization to an insurance carrier, and this isn't just for cyber, this could be for general liability workers' compensation, all of these you want to tell a story you want to tell them, and that underwriter through supplemental information, applications, whatever the case may be, your story, what are you all doing? And just by being proactive in that manner is going to get you brownie points on the backend, because they're going to feel like they truly understand or know who you are and that you actually put the effort into doing this. So I don't know how many brownie points you're actually going to get from Zach's team, but I understand you'll get something and you'll separate yourself from the pack of everything else they're getting.

On our side of the business, I've been seeing more and more of these where our customers are coming to us and saying, Hey, I just got my cyber insurance from. A lot of these questions are more technical. Can you walk through them with me? And in that aspect, we've been able to provide more detailed answers because a lot of times you're not able to provide those answers. You have something in place, but you don't know the specific details behind it.

We're able to assist with providing those detailed answers to make you look like a well-rounded risk that the insurance company actually wants to insure. Yeah. And Jay, I'm sure ConnectWise, makes improvements over the hood or under the hood over the course of a year or so, even communicating with you guys and understanding, even though they buy a certain solution from you guys, even just year over year, I'm sure there's improvements in secure and security improvements for the clients that they should understand.

Yeah. And it's not even just year over year. It's, we're seeing changes every 45 days, right? At this point. And while we don't work directly with the SMB community, our entire business model is built around supporting companies like Integris, then the capabilities that allow them to do a lot with very little security is a place where we're all working very close together, because there's so much more to it than just, Hey, I need to download it. And, on a new version of QuickBooks I've got a lot more to look at today than we ever had to. And so many people believe that the cloud is more secure or the pod is just somebody else's computer know we, we should call it what it is.

And so you, as the data owner on this call need to take responsibility to understand where that data resides, how it's backed up, how it's secured. I can't tell you how many times that the business owners that we've talked to after a breach believed that their cloud was secure. But didn't know what questions to even ask.

I think that insurance is really driving the change in those conversations. And, I'm working with Anthony and the team at Integris. You get that visibility you haven't had before. And I guess I'm going to answer live really fast. Laurie came in and said are our Apple products more secure? Sorry, Lori, they're not there was a belief that, that they were less compromised because early on there weren't as many Apple products out there as there were Microsoft products. But at this point, anything that plugs into a network and has, flashy lights is at risk.

That could be your copiers. It could be your wireless connections could be bring your own devices. It'd be a variety of different technologies out there. And so the assessment will help you understand what the risk is.

So then when you get to your insurance renewals and you're having these conversations you're approaching it with information and knowledge, as opposed to hoping that what you heard on the internet is true. Yeah. Yeah. That's a good point. And also your max, it's not like you're deep, you're deeply ingrained into the app, the apple ecosystem from start to finish. Eventually you're going to hit a Linux server or a Windows server or an Azure cloud infrastructure.

So, just because you have the Apple computer, maybe on the, marginally more secure. But overall you're still connected where you live in a connected world. So, on that point where we're actually seeing a lot of organizations that are increasing their complexity and they don't even know it meaning we got users that want to live on max and Google, and we got other users that want to live on Microsoft and windows, and it is completing what I call a split brain syndrome.

How you are creating an almost nightmare with no standardization in place for your internal team or your external team, because now it's, we need to protect all of this data over here. We need to protect all this data over here and the solutions to do those things are usually different. So standardization and part of our assessment processes, Integris is touching on that hardware, software, lifecycle management standardization. And why is it important? So, so you, eh somebody mentioned it, like you're almost creating more complexity and you're not just living usually on those things and those things like iPads and phones and all these tablets are getting more and more powerful. They hold more and more data.

They have more and more ability to access your company systems. So it is it, that can, when I see that going on, it, it concerns me greatly that we're all over the place. And now we actually don't know where our data is or you've got a lot of what Zach mentioned, shadow it going on. And it looks like I'm not sure if maybe the text got cut off of a slide, but really, in terms of assessment, you should take a holistic approach when it comes to assessing your risk. So not just your risk and exposure, but other it go assessing your security posture and taking a look at your security budget, that's something that you should be reviewing on a fairly consistent basis.

So assess how much you can spend and how much you're going to be able to fit within that within that pool the security threats that you're facing. So as an example, this is a piece of our dashboard that all of our insurance have, and we help to contextualize what these risks mean, and through a dollar amount. So this particular client, they there's the average cost of breach for them based on the risks that we've assessed and scanned for would be around $53,000. And it's it's a snapshot over time.

So, there, we do see the maximum liability, right? So there's a chance, be a one in four, one in 10 chance that, they may have to come out of pocket, 1.6 month, I believe this was a small client around a million dollars in revenue. So million dollars revenue in their maximum limit of liability is 1.6, almost 1.7. That's that? Can't be good. And then really just I'd mentioned this earlier, people, processes and technology. I like to call the people and most people in the security industry call it the human firewall.

What are you doing to not just actually, Jay had talked about the owner of the security owner earlier really what are you doing to make sure that everybody owns security, right? You're only as secure as your weakest link. And so there are ways typically through training that you can make everyone a champion for security, not just one person. You still need that one person don't get me wrong, but do what you can for everybody in your organization processes.

The incident response plan is a good example. Making sure that you have processes in place, whether that's, dual authorization on a wiring on wire transfers, or if it's. Being able to pick up the phone and call when you receive an invoice, ensure that invoice is correct.

And that the banking information is correct from the vendor that you receive it from just good hygiene. That's what it's about. And that technology, obviously you can't just buy something and think that it's going to work, but they need to actually be configured properly. So any existing security tools that you have, make sure that they're configured properly configured, and then having an open conversation with Integris or your S your technology partners about are there technologies, that can address additional risks for. Through points on the technology side.

We have a saying in our organization that the firewalls is only as good as the person who set it up. And a lot of times we see the SMB, even the mid-market community, buying the fancy best solution out there. And then when you go and assess the configuration of it, now it's wide open. That's a firewall example, but it exists across a lot of these technology solutions. And then down below we, we lead with gap analysis, right? Where are you at today? Where do you need, what does best in class look like? What are those gaps? And then how do you fill those gaps? Sometimes it's a technology.

Sometimes it's a training, sometimes it's policies and procedures. There's a lot of times that there's free things that you can implement to get things moving in the right direction. Yup. And real quick, go out and get your insurance, I feel like this is, it was a pretty good guide for it to get you all started on having a successful renewal. The one thing I would bear in mind is insurance is meant to address residual risk, right? So you took those mitigating steps and insurance for a long time, especially cyber insurance was a one size fits, all right, blanket coverage, all the same limits. But the fact of the matter is there are companies that aren't subject to PCI.

So do you really need that coverage? So having a true partner to help you understand what your actual residual risk is and how to transfer that to a cyber insurance policy that works the best for your business specifically that's extremely important. And then there are a few items. Like ensuring that you have full limits for ransomware. There's a lot of insurers that are cutting back those limits. As I've mentioned business interruption, there's a such thing as a waiting period, how long is it going to be until the insurance starts paying out for your business to be down? So it could be 48 hours could be 12 hours at measured. We have a zero hour waiting period.

So when you start losing business, that's the second that we start trying to pay you back for that lost revenue. And then cyber crime, making sure that you have coverage for a phishing attack when your organization is duped into sending money, where they shouldn't and the theft of funds. I like to say, to finalize the insurance conversation and the importance of it is we can only get you to about 95% secure.

It doesn't matter how big your budget is or getting all the right technologies or best-in-class things there. There's still the human element of this. And that's where that risk transfer comes into place. And Jane, we're going to follow a finalize with you. I think we have two or three more slides to go real quick. Yeah.

It's where do we start? What do I do now that I've heard all this information and we've already talked about the need for people, processes and technology, but we haven't talked about how they come together. Because there are some gaps that you find, and I use this chart help you identify what happens if you only have some people, some process, some technology applied. Obviously if you've got none of the above, you've got no defense, but if you've only got people, but no process and technology, you can't execute if you've got process, but no people in technology, you're wasting your time, a process with nothing to help it, but it doesn't do any good. If you only have technology becomes shelfware and Anthony, I was laughing at your firewall scenario where it's not configured correctly, but for those on the call, we were talking about McAfee earlier.

Remember back when we buy a new computer and it came with antivirus, maybe it was 90 days or maybe you've got a year and then it expired. I can't tell you how many times I'd meet with a client who suffered through a cyber attack or even before they did. And their anti-virus had been expired for, 320 16. That becomes shelf wherever. It's just technology.

Now, when you put people in process together, that's really good, but you can't scale technology is designed to allow us to do more with less and all said, and done people in technology. You're very inconsistent. Your processes aren't defined. So no one knows what they're trying to do, what they're supposed to be accomplishing.

You've only got process and technology. The people won't adopt it. So you've got to make sure you're working with your teams, and Integris can help you with this to make sure that you've got people process and technology in place to help protect yourself against cyber attacks. And if you've got that when it's time for your renewal, I'm pretty sure Zach's could be like, this is a great client for us to work with.

So, Anthony, what do you think about this? Yeah. I love this slide. This is the first time I'm seeing it from Jay and I've attended a lot of JS in persons and virtual things. From my perspective, this is a great one.

And to finalize their, if you put the people process and technology in place, you're going to get insurance from Zack and you're also going to get premium rates and you're going to be a long-term partner with your insurance carrier. So if you can get all those, so with that, that, that ends the slides and presentations here. We have two and a we got four or five questions in the chat in the Q&A section, we also have them in the chat. What I'm going to do right now is I'm going to stop the share.

And I'm going to ask the Integris marketing team, the Iconic IT marketing team. If they can assist with a poll, we're also gonna throw out a poll to all of you. So hopefully they can assist me with that in the background. There it is. Look at that. So if you all wouldn't mind taking one minute to just quickly answer this poll for us, that way after this, we can follow up with the most valuable resources to all of you.

I'm going to minimize this on my screen, and I'm going to get some questions go into Zach and Jay on my side, scroll up to the top here. All right. We got, Paul asks, is there a basic form of cyber insurance, the equivalent of a liability, of liability insurance for smaller companies or companies with a tight IT budget.

I would say so there, like I said, there's some bare minimums that, all companies, no matter their size should have in terms of security controls. And in terms of a bare minimum, a cyber insurance policy is meant to be a holistic approach to risk management. So, I would probably encourage that maybe you look at a lower limit because of the size of your company, as opposed to limiting the types of coverages that are included in the cyber and the cyber policy. Yeah, I would a hundred percent agree.

I think if you're in that situation, Paul or others, where you have a limited IT budget and budget for cyber insurance, I think that's where it's a key conversation between your insurance partner, as well as your IT partner. And having that joint conversation of right, this is the overall budget I have. I like to say everybody has a different budget.

Every time we walk into a different conversation, businesses, nonprofits, everybody has a different budget. How can we best utilize that budget to get you the risk transfer to insurance? And the technology tool sets from Jay's company and Integris and definitely lowering the limits of liability. I think if you're going from a million to 500,000 to a 100,000, that's going to assist greatly because you're limiting the exposure to the insurance company.

Jay answered Lori's question here in the chat, so we'll keep it moving. We got Brian's question. How much should SMBs expect to spend monthly slash per seat for core cybersecurity, technical controls like EPP training and et cetera. Brian, I hope you answered the poll. Our Integris team can reach out to you from our local region that is surrounding you.

And we can talk through that. We're very transparent about our pricing. Jay's team is transparent with us on our pricing. We can get you very specific answers on here's a layered security approach, and here's what each solution looks like. This is what you currently have.

This is what you do. So please reach out to on us. That's definitely a conversation we can help answer. And Anthony, that assessment is so important. So Brian, you shouldn't spend any money on cybersecurity until you have assessed to understand where your risk is. Once you understand what your risk is, then you can look at how do you mitigate, and then what's going to require technology and, or, other solutions to solve for.

So that's why there's not a one size fits all number to that question, Such a good answer, because there's so many times we come in and assess businesses and they think they need the latest and greatest technology, or somebody just emailed about a new solution and like their backups aren't even running today. Or they have local admin rights on all of their computers. Like some very basic stuff can be done to increase your cyber security posture without having to spend money. Let's keep it moving here. We got five more minutes. We're panelists going to address questions, read.

So I saw your questions in the Q and a I'm just getting them from two different angles. Give me one second. I know there were a little lengthy in the Q&A I'll make sure I get to it.

Great session. Thank you. I can't see the full name. It looks like Angelica. What about coverage from non-admitted carriers? Is that worth having? Yeah, absolutely. For a couple of reasons not admitted carriers provide a level of flexibility that the admitted, the quote unquote admitted markets, don't typically have the one thing to pay attention for, with a non-admitted product is the financial rating of the company that you are purchasing the coverage from because they're not being supported by the insurance departments of the states, and they're not regulated in the same fashion that.

Policies are it's paramount to ensure that the company would be able to sustain a large number of losses and still be able to be solvent enough, to be able to pay out the claims should they arise? Absolutely. And I've seen even, I've seen carriers have both admitted and non amended forms and they can work off both. And based on your risk profile, you may have to go to their non-admitted form because it's not approved in your specific state.

Is the trend for cyber insurance going to have all users having MFA set up and not just admins and VPN users. I'm not even going to go to Zach on that question. I'm just going to say yes. Elizabeth, hypothetically speaking, all processes discussed today in place, hacker attempts to get into with all of these systems in place, do they try another avenue or typically move on because the squeeze may not be worth the juice. J I'll throw that one over to you.

Yeah. I actually answered it and said that while we are seeing the trends in our security operations center has got 160 people on it worldwide. We see them move on to the next target. They're playing the volume game, trying to cast a wide net and get as many videos as they can.

So unless there's a very specific business case where someone's paying them to go after a specific named company, it's usually a hit and connect or move on. Absolutely. Yeah. That specific use case would be like, I see intellectual property a lot of times, Hey, you're a manufacturer. You have a specific process or technologies in place. You own that IP to deliver the car you're making, let's call it.

And they want to take that IP and go do it for cheaper elsewhere. That's where I see that specific use case where they're going to try a little bit harder. Yeah.

The perfect example of that is Coca-Cola that the amount of cyber attacks where people trying to get Coca-Cola's formulas, is unbelievable. You'd look back and scratch your head. Say, I can't believe that people care this much about it, but someone just wants the bragging rights for it. So it's, why people hack as a whole separate webinar we can do. It looks like Jay, you answered Rubin as well. And I want to make sure I get to Reed's question.

Reed real quick in the chat asked what is admitted, non-admitted carrier policy? Zack, I've been out of the game for a little longer. I'm going to let you take that one real quick from the top. Sure.

So an admitted product is one that's regulated by the states to put it simply and should an organ, should an insurer ended up becoming insolvent. The state will come in and pay those claims up to a certain amount on the carrier's behalf. So there is sort of a sense of security there. But also those products tend to evolve a little bit more slowly than the non-admitted products because they have to file and go through very lengthy, painful, bureaucratic processes in filing with each and every state.

It's not like there's like a national department of insurance and they just go there and it funnels out to the states. It's just if there's any insurance agents on there on the phone, you have to get licensed in every state. You have to go to every state individually to refile your policy, to submit for new coverages.

And that can take years sometimes. So a non-limited policy is helpful and that's why I go back to the financial rating is because those policies adopt much more quickly and adapt to the changing. And threat landscape more quickly pricing is more flexible as well. And so just check out that financial rating on the non-admitted product and you'll be in good shape. Absolutely. So we are two o'clock read specifically.

I just reached out to you you had questions about MSA and them being specifically targeted for larger organizations with limits of liabilities and stuff. I actually have specific work that I've done in that space of helping smaller consulting firms and stuff. When working with like a bank of America or a large company negotiate down those limits of liabilities based on their actual risk profile and the data and access they've been given. So reach out to me directly.

I shot you my email. With that, I'm going to finalize here. I want to be respectful of everybody's time. Once again, be on the lookout for two things in your email. Number one Domino's pizza gift card pizzas on Integris this week. And then number two, we will also follow up with a quick survey.

If you can ask or provide feedback on additional topics, you would like us to hear. We could go deeper on insurance and our partnership with measured. We can go deeper on the technology solutions and the SOC team that Jay and his team have built out. We're happy to go in any direction and we'll see you next quarter with that. Zach, Jay, thank you so much for spending, spending time with us today. Thank you.

2022-03-04

Show video