Joining me today in the Gone Phishing boat is cyber security insurance expert Wes Spencer. We will share with you the 5 things you must have to make up a good cyber insurance policy.
Watch the full episode below or listen on Apple/Spotify Podcasts. (links to Apple and Spotify on the Gone Phishing page!)
Episode 5: Listen on Apple
Full Episode 005 Transcript:
00:00:00:12 - 00:00:23:20
Connor Swalm
Welcome to Gone phishing, a show diving into the cybersecurity threats that surround our highly connected lives. Every human is different. Every person has unique vulnerabilities that expose them to potentially successful social engineering. On this show, we'll discuss human vulnerability and how it relates to unique individuals. I'm Connor Swan, CEO of Food Security, and welcome to Gone phishing.
00:00:29:09 - 00:00:50:13
Connor Swalm
Hey, everyone, thanks for joining us. And today we have a special treat. We have a guest that has joined us on the Gone phishing boat where Spencer is not only a great friend of mine, but he is an expert in all things cyber insurance in cybersecurity. And I have brought him on to discuss what is really a wild world of cyber insurance.
00:00:50:13 - 00:00:51:14
Connor Swalm
Wes, thanks for being here.
00:00:52:04 - 00:00:54:18
Wes Spencer
Hey, you're welcome. Thanks for getting me on the boat as it float, by the way.
00:00:55:02 - 00:00:58:22
Connor Swalm
Yeah, the boat floats. If you put enough fingers in enough holes, that water's coming through.
00:00:59:00 - 00:01:00:15
Wes Spencer
Perfect. The only kind of boat I float.
00:01:00:17 - 00:01:19:12
Connor Swalm
Yeah. So I promise we have more fingers in our holes in the boat right now. So we're good. We're good to go. But I've known you for quite some time, Wes. And cyber insurance feels like it is a it's not a recent thing, but it feels like it's now recently become a hot button topic. So I figured we'd talk about cyber.
00:01:19:19 - 00:01:25:01
Connor Swalm
So what is cyber insurance? I know that might be a pedantic question, but let's start there.
00:01:25:12 - 00:01:45:20
Wes Spencer
Yeah, I mean, I think everyone knows kind of what it is, but you're like, wait, I cannot define this thing, right? But it's pretty simple. It's really just a specialty insurance product that's specifically designed for cybersecurity events, whether it's like ransomware, business, email compromise or any of those other kinds of like stacked kinds of things where you hit some kind of breach and it costs a lot of money.
00:01:45:22 - 00:01:48:18
Wes Spencer
That's what a cyber insurance is, what it's all about.
00:01:49:05 - 00:01:58:10
Connor Swalm
Yeah. And so what are the essential pieces of a cyber insurance policy or cyber insurance coverage is what are some of the things you're seeing?
00:01:59:00 - 00:02:20:12
Wes Spencer
Yeah, so good question. First of all, there's good cyber insurance policies and there's bad ones. And you should definitely know. And here is an easy take away if you are listening to this today and you're like, Well, how do I know if I have a good one or a bad one? We probably have a bad one because if you have a good one, there's a lot of stuff that you have to go through to be eligible for and they're not super cheap these days.
00:02:20:12 - 00:02:40:14
Wes Spencer
They're critically important, but not super cheap. So typically I tell people this all the time, you're not sure you either don't have it or you got a bad one, right? And so a bad one is one where it's literally like it's like a writer or it's got a warranty. We just stick on to like general liability. In other words, someone goes to a carrier and they're like, Hey, ah, to an agent, hey, I need some kind of cyber insurance.
00:02:40:14 - 00:03:02:18
Wes Spencer
Like, Okay, cool, we'll just stick this little thing that covers maybe $50,000, maybe $100,000 onto your general liability. So some kind of cyber digital event, you're covered. The reality is those never pay out. They have what's called exclusions everywhere, which basically means they're not designed to pay out. It's not because someone did it because they're being malicious. They just didn't know that those things are junk.
00:03:03:00 - 00:03:24:17
Wes Spencer
A good like a standalone cyber insurance policy corner is crazy important because it covers a whole bunch of things you may not have thought of, which we can talk about, right? But at a high level, things like not just do I pay the ransom or do I not, but things like business, like loss, things like reputational damage, public relations, digital forensics, not like legal help.
00:03:24:17 - 00:03:36:04
Wes Spencer
Like there's a ton of stuff packed into it and it's arduous to go through it and it's not cheap to get anymore. So it's critically important. But, you know, the game is really changed as far as like eligibility for it, if that makes sense.
00:03:36:08 - 00:03:57:02
Connor Swalm
Yeah, no, that does make sense. I know you and I have talked a lot to specifically about some interesting carve outs that you've seen on cyber insurance policies that are you know, they're becoming one thing you've been telling me is cyber insurance policies are becoming not more complex, but better at actually understanding what the risk is to a business from the cyber security perspective.
00:03:57:11 - 00:04:11:22
Connor Swalm
And we have a list or rather, how do I want to phrase that? There's five things that at least you've told me and other people have not said are completely inaccurate, that are the essential pieces of a cyber insurance policy, are the things you need to do. What are those five things?
00:04:12:16 - 00:04:28:16
Wes Spencer
Okay, great question. So I kind of liken it to this whole like you must be this told ride like, you know, remember when you were a little kid corner and I'm sure you weren't always the tallest kid in real life. You no fence and you went up to those rides and you know, you didn't even hit the green.
00:04:28:16 - 00:04:45:00
Wes Spencer
You didn't hit the yellow. You're in the red in like the, you know, the basically the ride bounces, like get out of your kid, come back next year and you know, all your other buddies get on. And so here you are, you know, thinking like, oh, all by myself, you know, and you're I that's a real it's a real thing in the cyber insurance world.
00:04:45:00 - 00:05:06:09
Wes Spencer
It's also a real thing that the carriers have gotten this point where, like, look, because we carry the risk to this stuff in were the ones that are going to pay out when something bad happens. We're not in the business of taking a bad risk, like that's how they think, which makes total sense. And so what doesn't make a total sense is what they've done is they've consolidated around five controls that are all really important.
00:05:06:15 - 00:05:23:04
Wes Spencer
But please don't listen to what the ones I'm going to give you right now and come back and like, well, what's your must not be a real security guy, because what about this one and this one and this one? Sure. There are a lot of other ones that are really important, too. But from a carrier perspective, these are the five they want to see.
00:05:23:04 - 00:05:44:16
Wes Spencer
So the first one is what you would expect multifactor everywhere. So you got to have it in place. And here's the deal. If we run into those situations, we're like, well, the CEO will never go for it because he's like 74 years old and he doesn't check email. He's not going to put MFA on. Too bad. So sad where in this day and age where everyone's got to have it and it's not as bad as you think it is anymore.
00:05:44:16 - 00:06:01:08
Wes Spencer
It's not really that disruptive. It's got to be everywhere or you're not getting coverage. The second thing is backups, and it's got to be what's called segregated backups, which means that like off they're like, not on your network and they're what's called immutable. So they got to be in in a way where no one can delete them, not even you.
00:06:01:08 - 00:06:18:18
Wes Spencer
They're only deleted by the retention policy. So if a bad guy gets access to your network, what are they going to do? First thing you do is jump right into your backups and delete them. So offline segregated immutable backups. The third is EDR. So it's like endpoint detection response. I liken it to like a home alarm system for your network.
00:06:19:01 - 00:06:40:17
Wes Spencer
It's really good at seeing what's happening on those computers, looking for signs of weirdness and then alerting on it. So that becoming a big deal. The fourth one, I'm asleep, best for last. So about that corner. The fourth one, though is vulnerability management. So like, are you actually patching stuff like finally the carriers like, look, if you got some critical vulnerability and it's over 30 days old, why should I pay out for the breach?
00:06:40:17 - 00:07:03:21
Wes Spencer
Oh, here's laziness. That's how I think. And then the fifth one is one that, you know, just a little bit about it. It's security awareness training in phishing testing. They finally drawn this line in the in the sand corner with like, look, training people goes a long way. We got to have it in place. So it's now a mandated control that they want to see every single small and midsize business going through in cybersecurity awareness, training and testing users.
00:07:03:21 - 00:07:04:17
Wes Spencer
It's that important.
00:07:04:22 - 00:07:11:03
Connor Swalm
So so if I heard you correctly, those five things are required by is it every policy you're seeing these days.
00:07:11:21 - 00:07:29:10
Wes Spencer
It's just about every so here's here's what'll happen if you don't have those five controls. Some carriers like in all five of them, it's not like pick your favorite best three out of five. Most carriers just say you're out. You're just too much of a risk. I got a lot of other potential clients. Why? What I tell you.
00:07:29:10 - 00:07:43:14
Wes Spencer
But some of them will do it sublimating. I'll give you an example. I talked to a client who didn't want and like, we're not paying for this air thing. And so the carrier came back and said, fine, you want $1,000,000 in coverage will give it to you. But if you have a ransomware attack, we're only paying out 250 K.
00:07:43:16 - 00:08:01:04
Wes Spencer
That's it. We're not paying out anymore. And so what? So. So some of them will do Connors. They, like, sublimate away their risk, their damages. Yeah, but my point and here's I said back to the client like, so time out. Do you not know that ransomware attack is going to cost you at least $1,000,000? So you're really rolling the dice here.
00:08:01:04 - 00:08:16:06
Wes Spencer
Do you really want to have a situation in which you now have 750 K and exposure? By the way, this EDR thing is going to cost you like 20 grand. So like how does this make sense? And they never thought of it that way. When I called them on it, they're like, Oh, okay, well, I guess we should get it then.
00:08:16:06 - 00:08:18:14
Wes Spencer
I'm like, Yeah, you should get it. So, yeah.
00:08:18:23 - 00:08:40:08
Connor Swalm
So, so a question I've been thinking about is these five things. Are cyber insurance policies actually diving into what what people are actually doing in their businesses? Is this in response to the loss ratios that you and I have talked about a bit over the past previous years? Or is it actually an attempt to create additional security now it's being pushed by cyber insurance companies.
00:08:40:19 - 00:09:00:04
Wes Spencer
So. Okay, great question. So keep in mind, do I hate on the carriers all the time like they're trying their best, bless their heart. Right. But like, they're really not good at this stuff. They they come out of I mean, the insurance world is centuries old, is probably a half millennia old at this point in that crazy. And so, like, this whole cyber thing is like dark magic to them.
00:09:00:04 - 00:09:23:09
Wes Spencer
Like, they view it as like you have these dark sciences and throw stuff into the witch pot and salt with their chicken over your head wherever it lands is like that's that's where cyber insurance is. I joke. But like, so what they're doing is they're very reactionary and what they're doing is like, okay, where we see a lot of breaches, we're going to come back very reactionary, very knee jerk and say, well, I guess if we had have these things in place, then the breach we named may not have happened.
00:09:23:09 - 00:09:40:01
Wes Spencer
And that's where those five came from. And it also means that's where we're going to see new requirements come out because they ask a lot of questions in the questionnaire as they're doing that to get enough data to where they can kind of figure that out if that makes sense. And so just expect things to change a lot and don't expect consistency from the carriers when it comes to that.
00:09:40:04 - 00:09:59:16
Connor Swalm
Yeah, I remember talking with it might have been dusted or maybe it was read it before about that and that the average somebody somebody mentioned the average cyber insurance policy went from ten pages of questions to now it's like over 30 pages of questions. And it's not just do you implement MFA, it's where how often do you rotate the passwords?
00:09:59:16 - 00:10:19:16
Connor Swalm
Very often as well? Or how do people get access to that one time passcodes? Is it SMS? Is it app based? Is it do you do this through your SSL in some way, shape or form? Now it's actually getting into the details, I guess. Now the cyber insurance carriers have data on while breach would have been prevented because these credentials wouldn't have been abused because the MFA would have stopped it in these scenarios.
00:10:19:16 - 00:10:22:10
Connor Swalm
Is that kind of a thought process that you're seeing direct?
00:10:22:12 - 00:10:40:14
Wes Spencer
That's yeah, that's the way they want to go long term is they're data nerds, right? They can tell you if you're this gender, you drive this car this many miles in this location, this time of day, you cost me this much. They can't do that with cyber yet and they're desperately trying to get there. So they're still in the data collection and they say, let me know what kind of data they need, but they're getting there.
00:10:40:19 - 00:10:44:04
Wes Spencer
Fast forward ten years. I think we'll see a lot more consistency around those things.
00:10:44:21 - 00:11:10:09
Connor Swalm
That is great. I think that'll be a lot. Like most insurance, it will be great to have and it'll feel in your heart at the entire time, probably. Yep, yep. I feel like it's I feel like it should be obvious. Why does all of this matter? Why does cyber insurance matter? Well, you brought up a case. It's like, are you really willing to or can you are you capable of going out of pocket in the case of ransomware, in the case of your business being interrupted, keep in mind it's not this.
00:11:10:10 - 00:11:29:03
Connor Swalm
I had this conversation that must be the other day. It's not is something getting stolen? It's How long is your business shut down while this is being figured out, was their reach, was their information stolen? Are they still in the systems? Could you actually not work for two months and still have a business on the other end of it?
00:11:29:03 - 00:11:35:19
Connor Swalm
So preventing that or having some kind of lever to pull in a parachute, so to speak, is really important.
00:11:36:18 - 00:12:02:07
Wes Spencer
Exactly right. Just at a super high level, if you haven't really understood like the cost ramifications of a breach, you've got to I mean, ransomware on average, 16 days of outage time just like heart out, not including restoring systems would take your monthly revenue slashed in half. What does that do to you? I can tell you MSP after MSP have told me stories, when I go through these breaches and I'm lost customers left and right as they go through a year hemorrhaging clients, and that's not easy.
00:12:02:12 - 00:12:14:05
Wes Spencer
And there's reputational damage that comes in. There's digital forensics, there's law, there's legal costs in lawsuits like these are things that the 1 billion ticker gets hit really quick. A lot of a lot of people just don't recognize that.
00:12:14:16 - 00:12:34:21
Connor Swalm
All of us are probably very familiar with how expensive lawyers can get on both sides of the equation. And I'll even give a shout out to our friend Robert. If you want to figure out how bad a breach can get, go listen to the hundreds of times he's talked about it publicly. And the the way he describes it all make you make you change the way you act for sure.
00:12:35:06 - 00:12:42:22
Connor Swalm
So thanks so much for being here with us. I always, always love chatting with you, so thank you again for being willing to come on here and chat with us about cyber insurance.
00:12:43:09 - 00:12:44:06
Wes Spencer
Any time, my friend.
00:12:44:14 - 00:13:10:03
Connor Swalm
Absolutely. Hey, if you all want to find out more about creating high quality security awareness training campaigns that actually engage the employees to help change their habit, then check out since security know a little bit about the company at phin security, that's page and subscribe or click the link in our shows. I'm Connor Swan, CEO at Phin and thank you for phishing.
00:13:10:12 - 00:13:12:18
Connor Swalm
See all my.
