How Cork Combines Compliance and Cyber Insurance to Safeguard MSPs and Their Clients with Dan Candee

Dan Candee, CEO of Cork, discusses the innovative approach of combining software with insurance to provide cybersecurity solutions for managed service providers (MSPs) and their clients. Cork stands out in the cybersecurity landscape by validating the compliance of all client endpoints and offering a cyber warranty that provides financial protection. This model addresses the complexities of cybersecurity, where software vendors often avoid liability for failures, leaving businesses vulnerable. Cork aims to simplify the cybersecurity landscape, integrating with existing MSP tech stacks to ensure comprehensive protection.

The conversation delves into the challenges of managing financial risk in the cybersecurity sector. Candee explains that Cork's unique technology allows them to monitor and assess risks across all endpoints, providing a clear picture of compliance and security. This proactive approach helps MSPs maintain a secure environment for their clients, ensuring that they are prepared for potential cyber threats. The discussion highlights the importance of accountability and transparency in the cybersecurity ecosystem, emphasizing that Cork's model is designed to support MSPs in their efforts to protect their clients.

Candee also addresses the issue of human error in cybersecurity, noting that a significant percentage of incidents stem from mistakes made by individuals rather than technology failures. Cork's system not only identifies these risks but also provides a framework for compliance, ensuring that clients are aware of their security posture. By offering a warranty that covers incidents resulting from human error, Cork reinforces the idea that businesses have the right to survive cyber attacks, fostering a culture of security awareness.

Finally, the conversation touches on the evolving landscape of cyber insurance, which has been described as chaotic. Candee shares insights on how Cork collaborates with insurance companies to create a sustainable model that balances risk and profitability. He emphasizes the need for continuous improvement in cybersecurity practices and the integration of automation and AI to enhance efficiency. As the industry evolves, Cork remains committed to simplifying processes for MSPs and their clients, ensuring that they can navigate the complexities of cybersecurity with confidence.

 


[00:00:02] I made a prediction years ago that there would be a combination of software plus insurance. Well, Cork is doing it and Dan Candee joined me to discuss what their business model is, how it works and how they're going to market on this bonus episode of the Business of Tech. Today's episode is supported by Huntress. Most cybersecurity solutions are built for massive enterprises with big budgets, not Huntress.

[00:00:28] They're the fully-managed cybersecurity platform built for all businesses, not just the 1%. Huntress purposely builds security solutions like EDR, ITDR, SIEM, and Security Awareness Training to equip their team of elite threat hunters to handle the heavy lifting of security for you. When threat actors strike, Huntress' 24x7 Global SOC shuts them down before they're even on anyone else's radar.

[00:00:54] But they do more than just chase alerts, they lead the charge in industry research and knowledge, bringing expert protection and peace of mind. That's why users on G2 rate their EDR number one for growing businesses. To see how their expert threat hunting team gets the job done, visit Huntress.com slash MSP Radio. Well, Dan, welcome to the show. Thanks for having me, Dave. It's good to see you again.

[00:01:21] Now, I'm super excited to talk to you, but I wonder, particularly for our video listeners, you're coming in with a slight head wound. And I really appreciate you joining me for that, but I feel like I need to at least ask, hey, are you okay? This was not necessarily planned for dramatic effect for your video listeners, that's for sure. I happened to have my surgery yesterday.

[00:01:43] I've perhaps spent a bit too much time in the sun in my 49 years on this planet without the proper protection. So I had to have a bit of skin cancer surgery and everything is aces. I am good to go, but I do have the dramatic bandage. So well, then the one thing if listeners get nothing out there, it's that skin protection is a real thing. And take that seriously. Exactly. Which actually, in a way, sort of transitions really nicely because you're in the business of protection.

[00:02:14] And so I actually want to get, before I dive into some of the specifics, tell me a little bit about the way Cork approaches what you're delivering to MSPs and ultimately their customers. Yeah, you bet. Cork is unique in this space because we're the only company doing what we do. And we validate the compliance of 100% of the client endpoints. And we wrap that all up with the financial protection of a cyber warranty and insurance.

[00:02:43] And so wherever an MSP and their clients are in that journey, we can help. And it's actually relatively simple, right? We work with MSPs. We're 100% focused on MSPs. And thinking about their clients and the stack that all of the MSPs use in managing and servicing all of the clients, which is growing like crazy. What is there?

[00:03:08] 6,500-some cybersecurity solutions these days, if you look at the Canalys data, which is a complicated, messy, noisy space. And so at Cork, we try to simplify that. And we have over 75 integrations covering 93% of the market around EDR, RMM, and on and on. And API, agentless, really quite simple.

[00:03:35] And we believe in and support our MSPs and their tech stack. And we do an inside-out model. So we're able to look at every single endpoint, understand are they on? Are they secure? And then we wrap that all up with a cyber warranty and a connection into the cyber insurance world. Now, my longtime listeners will know that I predicted the emergence of a company like yours about four years ago,

[00:03:59] in that I said the obvious piece was to combine software plus financial services to cover made perfect sense. Now, what I want to understand, though, is there's some complex math there. Because the software vendors themselves assume no liability for failure. So you're taking on failure on their behalf, and you're accepting risk from the MSPs themselves.

[00:04:24] Talk to me a little bit about the way that you think about managing that financial risk portion of the business. Because you could theoretically be out a lot of money for other people's failures. Yeah. Great question. And one of my favorite comments that I get from partners is, this sounds too good to be true. Right? And so if you go back to your, you said four years ago, you predicted this. Right?

[00:04:53] And let me ask you, why did you predict this? Right? Well, because it's incredibly obvious in that the vendors themselves are not taking any responsibility for their own failures. Right? And it's the only market they can get away with that. This is not true for car manufacturers. It's not true for medical equipment manufacturers. It's not true for any other market other than software. So there's clearly a problem here. And someone will try and step in and solve it. But it's the financial math that's really tricky. And that's why I want to understand how you're addressing that. Yeah. Yeah.

[00:05:23] Well, you nailed it. And I wasn't the founder. The people that came up with this idea are people far more experienced in the space than I. Far more, you know, with a lot more time in the channel. And one of those people includes Austin McChord. Right? Who needs no introduction. Founded Datto.

[00:05:43] And Austin and John McNeil and a couple others were thinking about the same challenge, the way you just described it, which is how can we help partners think about the intersection of technology and financial risk? Because it's messy. It doesn't make sense. And it's complicated. And you've got all of these technologies that are basically saying, here, take this. Use it. It's great. And then step away from the liability side of it.

[00:06:13] And simultaneously, cyber insurance is a complicated thing that MSPs don't sell. Right? It's a highly regulated thing. And yet clients are asking MSPs to help with the cyber insurance journey. And that takes a lot of time. And there's some risk associated with that. And that's a complicated thing. And so, you know, Austin and the team, you know, we exist to solve that.

[00:06:40] And Cork is actively solving that. So it's been a lot of fun over the last two years figuring out how to do that really well, really quickly. And the joy I get is being able to show up with an open checkbook and actually writing these checks for partners and clients and doing that. Now, I'm not in the business of just handing out money. Right? And so that is the secret to all of this. But it's actually not a secret.

[00:07:07] And the reason it's not a secret is because of our inside-out technology, which is like walking up to a giant house that's at night with all the lights turned off. And with Cork, you can basically just, before you even walk in the house, turn on all of the lights and know what's going on in all of those rooms.

[00:07:29] And we do that because we're able to integrate very quickly, 30 minutes or less, like delivering pizza, right? In the old days, we're able to integrate with the existing MSP stack and understand where there's risk across 100% of those endpoints. But the way I think of it is I'm a car guy, right?

[00:07:53] And so, you know, most modern cars, they've got the alert system. So are your tire pressures low? Is your check engine light on? Is there a transmission problem? Are your light bulbs out? Right? You've got all of these systems. And that's what Cork does. It illuminates any problem at any point of the car.

[00:08:16] And then if something happens, if something breaks, we're there as a warranty function to be able to replace those things and pay for those things. And simultaneously, if there's an accident, we're there to also help make sure that insurance pays. Because we believe that cyber insurance is a really important piece of this. And cyber insurance carriers are trying to do a much better job. And we operate as a source of truth in this entire journey.

[00:08:47] Now, the portion of it that makes total sense to me is that you've got software that's checking the status of customers and making sure that everything is essentially green, right? And so in those cases, we know, okay, all the proper things have been done. They are in a good position. We should protect them because they have done the basics, right? They have proper authentication set up. They've got disaster recovery. Like, they have all of them. And you've got case studies that talk about that. That piece makes perfect sense to me because it is a very traditional insurance style play in that a bad thing happens to you.

[00:09:16] You have done everything that you're supposed to do. We can minimize against that. So this makes sense. Where I'm actually really intrigued to understand is there's also a realm in cybersecurity where, to use your car analogy, it is the manufacturer's fault. There's a defect in the product that they rolled out, right? It is terrible. So software manufacturers at the operating system level and at the application level are happily rolling out products that have issues with them.

[00:09:45] And they have no liability for that issue. Now, we know from a cyber forensic perspective that somebody can come in there and go, oh, yeah, they got in through this fault of the software, right? Maybe it's a zero day, right? Where it's just, hey, you had bad software. But the liability, unlike in an auto manufacturing situation where, in that case, they would say, hey, there's a defect in the vehicle. It's provable. The manufacturer of the vehicle is responsible in software.

[00:10:14] Well, that liability falls on the customer. Talk to me about how you're thinking about that risk balance. Because in this case, theoretically, you're on the hook for failures of the software vendor. Even more than that, we pay on human error. Meaning, if you really back it up, we're looking at the ecosystem at the client level.

[00:10:40] And we believe it is the universal right of businesses to survive threat attacks, to survive these cyber attacks. And so that is how we operate every day. I'll give you a real example, because you're asking me a question about if one particular technology were to fail. And I'm looking at it going, yeah, one could fail, two could fail, multiple could fail.

[00:11:09] And the humans involved in the business could fail, because that's actually what I'm seeing. When I look across the 2024 data, Cork data, real numbers, over 1.2 million incidents is what we witnessed. And 88% of the incidents came from human error of some sort. People doing something naughty, even though they didn't mean to do naughty, right? Something like it just happens.

[00:11:37] And so Cork's approach is that we can help the MSP do their job to create a more secure environment. Because ultimately, that's what the MSP's client is asking them, right? One of the many jobs is, please help me stay more secure. And that's why they write the checks. And so we work hand in hand with our partners to be the source of truth and to make that job really easy.

[00:12:07] So what we do is, you know, the daily dashboard, the daily notifications, and simply notifying if any of the endpoints are out of compliance and giving a window of a couple of days to be able to get those endpoints back in compliance. And if those endpoints are not brought back into compliance, then they're not eligible for a warranty payout. Just that endpoint, not the entire client. Very key point.

[00:12:35] And it's also a warning that, hey, you have to be careful because then the cyber insurance may not pay out because they would find that endpoint or that client at risk as well. And so we can really be very transparent and accountable to what's going on in that ecosystem. I want to give a real-life example, right? This is just from a couple of weeks ago from one of our partners.

[00:12:59] And this is a Canadian partner who really takes security and technology very seriously. For their advanced endpoint protection, they use SentinelOne. For their remote monitoring and management, they use Ninja. Email security, Microsoft. Business continuity and disaster recovery, Datto. Remote security and awareness training, Infema, right? So they have all these things turned on. They're all working.

[00:13:27] And within the Cork platform, all green checkboxes, okay? These are all approved for Cork warranty. What happened was this particular client is a construction company. We've given them a code name, you know, to protect their security. Well, construction companies have all sorts of things, right?

[00:13:51] In this particular case, it was an architecture firm that had been infiltrated by a threat actor to the point where they were in the architecture firm's email system. And as their normal process, they sent out an email to three people within the construction company saying, Hey, here's your invoice, $21,000 to pay this bill. And here's your new ACH. Please, please pay the bill.

[00:14:19] And to the construction company, everything looked legit. The right email, the right people, all the right stuff. And everything was validated. Only thing that changed was the ACH. They didn't pick up the phone to validate that the ACH had changed, right? Which is a great best practice that a lot of people talk about. And sure enough, they sent that check. Out went the money. $21,000. Cork paid, right?

[00:14:45] We paid because 100% of the things had been done correctly. And so that's one of the things that's uncovered by our warranty through this MSP and this particular product. And we believe that we have to show up for our partners and for our clients. So, Dan, I love your example because it allows me to actually ask the core question. Because you're right. 100% of the things that are done right.

[00:15:11] But I'd observe, but there's actually one thing that was done incredibly wrong. Their email system was vulnerable to penetration, right? Now, that's delivered by, I'm going to make a general assumption, one of two major vendors in this space, right? That manage email security. Who have no liability for any portion of access through their system.

[00:15:33] And by the way, they could choose to roll out more secure options of email or identity verified versions or build that in. But by the way, that's not readily accessible to most businesses. And this is where my question really comes. Because I would feel like you're the kind of business that would be highly motivated to have these vendors fix that. Right? Because, quote unquote, the customer did everything right.

[00:15:59] But they weren't even offered an option to buy an identity verified email system. That's not something they can buy because it's not available commercially. But if you're trying to do security communications, it should be.

[00:16:14] So this is where, like, the core that I kind of like to get your perspective on is, is, like, why are we not having more conversations as a security community about doing that kind of work to give customers the option to make the systems actually more secure? Dave, you nailed it. And that's a great question. And in this particular case, it is a supply chain attack, right? Where they're really moving up into the architecture that's been infiltrated and then through the email component.

[00:16:43] And trust me, you know, we are, we do take an approach where we work very closely with other technology companies to think about how do we close some of these gates on behalf of our customers. Clearly, I'm not in the business of trying to, you know, regularly write these checks, right? Right. And it's all in the spirit of securing our, the environment for our partners and clients in a much better way.

[00:17:13] And so as a technology company, we're trying to do more of those things. And that's a great place where there's room for automation and there's room for AI, right? And the connective tissue between us as tech companies. Okay. Now, what I also would be curious to know is, is, like, if it feels like there's the combination of cybersecurity plus financial warranties might lead to more complacency among clients.

[00:17:41] Like, is that something that you're tracking or able to watch for and have data for? Or is there a reaction that you're able to track? Like, how are you combating the risk of complacency? I love the question. And it's actually the opposite. Okay. And the reason it's the opposite is because we're able to illuminate where there's risk in all of the businesses. And because the risk is never static.

[00:18:04] The thing about cyber insurance is that it's, you know, relatively aged business, right? It's, what is it? The second oldest profession in the world, I believe is what they say. And this is going to show for the first. And so the model is relatively traditional, meaning it's a, you know, 12-month policy, right? But we all know as business owners that things change daily, right?

[00:18:30] You have a new employee or you let go an employee, which means that there is a new computer, right? There's a new endpoint. And you've got to address the endpoint protection. And so that happens how many times a day or a week or a month. And that means that all of these security protocols are changing so rapidly and the risk profiles are.

[00:18:51] So I say that because the compliance framework is always, the compliance framework is the same, but the attack surface is changing. And so that's why we are always working with our partners to illuminate what that looks like.

[00:19:07] What we have found using Cork data, again, reflect on Q4 of last year and Q1 of this year, is that when we onboard a new Cork partner and their clients, we are able to get them to 77% compliant within the first seven days. Meaning we're actually seeing that there's a lot of risk across those endpoints pretty quickly.

[00:19:35] And then the work of our partner success managers and our team is over the subsequent four weeks is to get them to the 90% mark. And normally we can do that pretty quickly, right? And we exceed the four weeks. That 90% mark means there's a, you know, maybe there's some sandbox accounts. Maybe there's some other accounts that are kind of light laying out there.

[00:20:00] But for the most part, we're really moving people to a point where Cork becomes the source of truth. And the partners are confident that they have closed all of the open doors across their endpoints. An example is, you know, let's say there's an accounting firm in Mobile, Alabama.

[00:20:24] And Mary in the accounting firm gets that new computer and has MFA but doesn't have the RMM turned on, right? And so we can help show that partner that, hey, you got to go send that tech. You got to have that tech talk to Mary, you know, quickly so that we can get her all set up because we know Mary is going to be a target, right? Or a threat actor. And so it's the opposite of complacency. It's us working quickly on behalf.

[00:20:52] The other piece is, you know, we got a strong partnership with Rewst. Last week, I hosted a talk with the CEOs of like Aaron and Austin and Chris Day from ScalePad. But anyways, automation is the other great thing where we can just set those rules so that those things are automatically turned on on behalf of the partner's desired protocols. Now, I'm curious.

[00:21:22] I know you won't give me all the secrets off, but I'm a little bit curious as I sort of wrap up our discussion here a little bit. You know, the cyber insurance market has been described as the Wild West. And additionally, there's been a lot of struggle for those players to establish profitability and maintain their presence in the market. You're in the position of delivering warranties and having to potentially write checks.

[00:21:42] Like, how do you think about market conditions and what you need to do to maintain the level of profit to be, you know, a functional business at the same time knowing you have this insurance-like risk? Like, how do you approach that? That's another great question, Dave. We essentially have two elements of our business, right?

[00:22:08] And so we are hyper-focused on the compliance component of our business and the technology side of what we do. The second side is where we work very closely with insurance companies to back our own warranty component where we have our own captive. And, you know, that's a complicated and heavily backed piece so that we are always there for our partners.

[00:22:37] And by always there, I mean we have an SLA to respond within five minutes to any time a partner is requesting a warranty payout. We are handing over a $10,000 electronic credit card. And, you know, we have an SLA to reimburse partners and clients within two weeks, right?

[00:23:00] Like, we are always on the job when it comes to supporting our partners, which means we have to have quite a bit of, you know, support behind us in order to make sure that we do that day in, day out. And I'm very proud of that piece. At one point, I even had to pay for reimbursing a partner for pizza for the team, which I absolutely loved because we all got to eat, right?

[00:23:26] Anyways, you know, I'm able to control and support those elements for our partners and within our ecosystem. As I sit back and I watch what's happening with cyber insurance, you described it as the Wild West. And I don't think that's that far off. What I see is that the companies are really trying to develop better products. And then the brokers and some of the marketplaces are trying to get better, to be more responsive to partners.

[00:23:55] I see some really interesting things coming out. Companies like Fifth Wall who are working with Pax8 and developing something called Yukon, right? Like that's a pretty interesting solution. You know, there's a few companies that are really trying to show up and do right by partners. And I love and celebrate these things.

[00:24:17] Simultaneously, you know, there is not yet an easy button for partners to be able to deliver cyber insurance and cyber warranty and that risk management side to partners. Cork is certainly striving to do that, right? At the end of the day, without the monitoring and compliance insights, you don't have that source of truth.

[00:24:43] And so I believe that you really have to have the intersection of the technology and the financial protection in order to deliver it day in, day out. So what are you watching for over the next 12 to 18 months that you think is like kind of the most emerging trend that you're thinking about most? For me, it's always about simplification and giving time back to my partners. So I've mentioned automation.

[00:25:12] I expect to see a lot more of those types of services. The costs come down. The integrations go up for our partners. I think AI as a thing will just get embedded within a lot of the technologies.

[00:25:28] So, again, some of the existing companies, mine included, the services become more seamless and things like reporting, dashboarding, communication are really just are able to deliver some of the value to our partners and clients as they would expect. At the end of the day, we're all consumers.

[00:25:48] And so we like to be able to receive our information in a really simplified, fast format, just like we do in our personal lives. And it's a goal of mine to make sure that in our business lives, we have some continuity there as well. Dan Candee is the chief executive officer of Cork, bringing over 30 years of experience in growing small and midsize organizations.

[00:26:13] Before joining Cork, he held leadership roles at Amazon Web Services and Dell Technologies, focusing on strategy, channel, go-to-market, and operations. Most recently, he served as chief business officer at cybersecurity firm Total. Dan, thanks for joining me and willing to play with some interesting questions. David, such a pleasure. Always love listening to you and your amazing guests. So it's been an honor. Well, thanks a lot. I'll talk to you soon.

[00:26:43] FlexPoint offers a purpose-built payment solution for managed service providers, automating billing operations to enhance efficiency and cash flow. With features like accounts receivable automation, branded client portals, and secure same-day payments, FlexPoint streamlines financial management. Integrations with accounting software such as QuickBooks and Xero, as well as professional services automation tools like ConnectWise and Autotask, ensure seamless data synchronization.

[00:27:09] Experience improved cash flow and client satisfaction with FlexPoint's comprehensive platform. Learn more at getflexpoint.com slash msp-radio. The Business of Tech is written and produced by me, Dave Sobel, under ethics guidelines posted at businessof.tech. If you've enjoyed the show, make sure you've subscribed or followed on your favorite platform. It's free and helps directly.

[00:27:38] Give us a review, too. If you want to support the show, visit patreon.com slash msp-radio, and you'll get access to content early. Or buy our Why Do We Care merch at businessof.tech. Have a question you want answered? We take listener questions, send them in, ideally as a voice memo or video to question, at msp-radio.com. I answer listener questions live on our Wednesday live show on YouTube and LinkedIn.

[00:28:06] If you've got a comment or a thought on a story, put it in the comments if you're on YouTube or reach out on LinkedIn if you're listening to the podcast. And if you want to advertise on the show, visit msp-radio.com slash engage. Once again, thanks for listening, and I will talk to you again on our next episode. Part of the MSP Radio Network.