Dan Tomaszewski interviews Kirsten Bay of Cysurance. The two discuss Kirsten's experience in the industry, the "2FA Question" and cyber liability insurance.
Hello, I'm Dan Tomaszewski. And this is the Connecting IT podcast. Welcome to the Connecting IT podcast. I'm your host, Dan Tomaszewski. And joining me today is Kirsten Bay, CEO of Cysurance. Kirsten, welcome.
Speaker 2:Thank you. It's a pleasure to be here today.
Speaker 1:Yeah, I'm really looking forward to this, you know, I see your post on LinkedIn a lot and you're real active in the cyber insurance space. And I think this is a really hot topic right now that we're hearing whether you're an MSP or just a general business. I mean, cyber insurance is something everyone's talking about
Speaker 2:Without question. And it's, it's funny. I sort of chuckled to myself periodically because I get very excited about this topic and it's not all that often that one can get excited about insurance type discussions. So we are seeing so many different changes and I think it's really become so top of mind for many different types of organizations, that it's really something that people are interested in hearing about and understanding. It does feel like a black box for a lot of people. So I'm delighted to be able to speak with you today and share some insights about what we're seeing and to really help people feel more comfortable and understanding it and perhaps moving forward and getting it for themselves.
Speaker 1:Yeah, no, I think that's great. And look, I think one of the topics, you know, something I was been looking at and I've seen in a lot of your posts is just, there's a lot of risk out there. We see in the news that MSPs are the target. Um, that a lot of things are attackers and ransomware. Things are going after that MSP. Why is it so important right now for MSPs to have the need, to have tech E&O, uh, cyber insurance?
Speaker 2:Well, there are a number of reasons and the top reason is that many MSPs don't quite understand that they carry a dual type of risk in their organization. One is the fact that they are a one to many technology provider. And so the truth is, is like most criminals hackers are fairly lazy and don't want to go one to one. So being able to penetrate an organization that has multiple customers and thereby the opportunity to monetize in multiple a multitude of ways at one time, it's certainly the way at it. The other of course is the E&O side, which is something that confuses people a lot. And that's really the errors and omissions side of the policy. And that is to protect the MSP from the risk of being sued and the liability that potentially can come with recommending a product that fails even by no fault of the MSP, but really just making sure that MSP has that liability coverage so that if indeed something goes wrong, either through a technology event or a services event that they're protected from that type of as well as a cyber attack or an outage that really is more related to the infrastructure and not related to this service or the product that was recommended. So that's a key element to think about just in a broad brush strokes of the tech E&O policy.
Speaker 1:Oh yeah. I mean, that's something, you know, I don't think everybody thinks about that. I mean, we just, we go out there, we recommend services, we provide services to our customers as an MSP. Um, you know, so it's really thinking about that risk and making sure that you're covered. I mean, what's important from an MSP perspective. I mean, so let's say I have my tech E&O coverage. I mean, what should I be doing internally though, to make sure because you know, we know insurance has regulations. Like I need to make sure I'm doing X, Y, and Z. I mean, what's really important that an MSP should be doing, if they have tech E&O, you know, what do they need to be doing to make sure that if a claim goes through their chances of it going through are greater?
Speaker 2:Well, certainly the coverage is the key part, but there are other elements that are challenging for MSPs. And what we're seeing is that RMM RDP tool, remote desktop, those are the entry points. And so one of the questions that gets asked very frequently, both for MSP tech customers, as well as general customers, is the two factor authentication question. And so if you answer a yes, you do have 2FA turned on and then it turns out in the investigation that perhaps you didn't, it might be considered an error, but it also could be considered a decline. And so these are things it's really what we call like the basic blocking and tackling. So two factor authentication is extremely important. The other thing that we're finding is, is credential stuffing. And so it's also making sure that that password hygiene, and I know people talk about this all the time, but password hygiene is really important. And some of the dark web monitoring sites can be very helpful because not only for the MSP themselves, but also for their customers, we're finding that what they're doing is harvesting credentials. They relate the credential somewhat to the MSP and their related customer base. They break into the RMM tool and then they've stuck the credentials in and just keep running it automatically until they'd get a click unlock the key and then boom they're in. So it really is making sure that good password, hygiene patent, making sure that if you see that there's been a potential compromised email address out there, that those email addresses are. Um, but those passwords are being updated frequently, two factor authentication and then dual authentication, which is more of a process.
And that's really around things like, um, money transfer invoices, where if you see someone changing their bank account information, their invoice information, both to the customer or upstream that you double check that they were intending to change those banking credentials or that those wires were really intended to be initiated, because those are the three elements where those losses are really becoming the greatest in terms of the entry point.
Speaker 1:Oh, those are, those are absolutely phenomenal tips. And I think it's something that we keep seeing, you know, but you keep hearing, I mean, it's in the news. I mean, we're seeing a time and time again where just an MSP didn't have the 2FA on, or, you know, they, they, weren't monitoring for credential stuffing in those different, different things that are going on in the dark web for themselves and their customers. So I think those are really good points that an MSP could take in and put into action, like right now to make sure that they're protecting their business and their customers, you know, you've been talking, you've been talking a lot about, you know, it really, it sounds like the, the cyber insurance market is really changing. I mean, you're saying like attacks are happening and things like that. So can you maybe give me the state of the cyber insurance market what's going on? What are we seeing? Like what's happening that, you know, we should all be aware of?
Speaker 2:Well, it's really interesting with cyber insurance because it is by its nature, an evolving threat. You know, when, when the hacker figures out that they've been figured out, they move on to new tactics, tools and procedures. So the challenge with cyber insurance. That's very different since things like car insurance or flood insurance, if you live near a flood plain, you're going to have higher insurance and you need to have flood insurance. And those things really don't change very much, what's challenging in the cyber insurance market is, is that it really is a moving target in terms of understanding how to rate those types of risks. And for a long period of time, the market was fairly soft, meaning that the pricing has been pretty good because there really wasn't good clarity on what those risk profiles look like. And for quite a while, there weren't really high claim activity where the event's happening. So it wasn't something that was driving the market to make an adjustment we've been seeing of course, and was reported that quite frequently, people see many, many more of these attacks happening all the time. Post COVID though. What we've seen is this really distributed attack profile that has ramped up claim activity significantly, both for MSPs, but also for just general insurance. And it's trickling really down into the SMB customer base, which is driving a much faster claim rate than it has been previously experienced. What all that means is that prices are going up. And it also means that capacity. And what capacity is, is the amount of available insurance out there to write against certain risks is being taken down, particularly around MSP tech E&O coverage because the attack profiles have been so significant. In fact, this morning, I was having a conversation about how there is concern that capacity reduction is coming even in a more greater fashion in the next month or two because of these risks.
And so what people are going to be experiencing as increase in policies, um, in their premiums, um, more requirements around technology implementations. And this is an opportunity I think for MSPs, because they're really in the square point of handling the SMB customer base in a way to really help them become much more efficient and effective and managing security risks and compliance risks. And that has an intersection that I think is really just still really young in terms of its evolution and measuring those things against the risk of insurance.
Speaker 1:Yeah, it is. It seems like it's getting crazier out there. I mean the cyber attacks and, you know, the ransomware and I mean, w what you're just talking about is how, you know, claims are going up. It just seems like COVID really, it spikes the overall security, uh, risk to an organization.
Speaker 2:It has tremendously, and it's not terribly surprising if you imagine that you have a variety of people in a variety of security circumstances that are very different than was in the first quarter of this year. So now we have very distributed workforces, and we've also seen that people had malware drops on their devices while away now that some people are going back into the office, it's particularly true of the medical field is taking down entire networks because they were doing reconnaissance, the bad guy waited until they were back into a normal network setting. It triggered the system to say, Hey, I'm back in the normal network setting. And then they were attacked by ransomware. So it's, it's really, um, the distributed workforce has been a challenge for everybody. And this is one of the results of that. And then also I was reading an article the other day about the attacks on the school systems, um, and how they have limited capability around cyber protections. They don't have the ability to hire the appropriate staff to put in the right security protocols. And so they are ripe for disruption. And if you look at that profile and you think about, well, who else does that look like? That's also the asset, the customer base. And so there's a lot of reflection out there that similar, um, network instances, or just the lack of having the people and the resources in place to protect themselves has become a significant problem. And that's why having the right services components in place along with that risk management is really the next phase that I think we're going to see a lot of real growth in.
Speaker 1:Yeah, it's just, it seems like it's going to continue to go, and there's gonna be lots of changes. And, you know, we're all gonna have to make sure that we're paying attention to adapt to the new requirements. And I want to talk about that for a second in terms of, you know, we say you need cyber insurance, you know, because we hear that things are increasing and we know, you know, the, the ransomware attacks, the malware, all those things are happening. So if you're an MSP today and MSPs that are listening right now, you know, how do you bundle or talk about, you know, cyber insurance through an MSP, you know, being an MSP because we hear it time and time. Again, I don't want to be in the insurance space. Like I don't, I want, I don't want to be an insurance broker. And I think they sometimes get it kind of confused to what it means. So like, what does it mean for an MSP today to really talk about packaging and pricing and having cyber insurance be a part of their conversation?
Speaker 2:Well, it's true. And people are daunted by insurance, generally speaking. So, you know, it's not surprising that there would be some resistance to this. It's one of the things that we've really worked on to think about, how do we create a seamless capability for people to adopt these types of products without being afraid of the questions that are being asked or the process it takes to get through the binding process, the costs, et cetera, et cetera, all the, all the complexities, the licensing, et cetera. So what we did was we created a platform where we're a 50 state broker. So we have the ability to bind policies for anybody. And so on our platform, we work with service providers to be able to offer those programs. And because we're the registered agent, we've, co-branded with them to be able then to distribute those products and get those people on platform. And so there are a number of ways to be able to do that. Um, there are lightweight products that we have that are just what we call a standard flat fee. We call it essential. And, and because one of the hard parts was insurance. And I think that this is one of the primary drivers is the only thing you can really bet on an insurance is when you ask me a question, the answer going to be, it depends. That's the only certainty I can give you. So that's hard when you're trying to put a services package together for people. So we created a product that has standard pricing for people who have less than 10 million in annual revenue. And that way they can bundle it into a service package, they can meet if they're offering compliance products or other risk management products, it can just be a natural extension on. 
And I'm also seeing that many MSPs are making it a contractual requirement for their, their customers to have cyber insurance, to make sure that they're protected for any instances where that unfortunate phishing email comes in and they click on that there is actually protection in place for their customers. So we've tried to make it so that all of that can take place on our platform. We can represent all those products, we provide all the marketing materials so that they simply can make it an additional service, much like all the other types of products that are created to create additional value added services for that MSP, we've adopted this similar model by using our platform to do that.
Speaker 1:Well, I think that's great. And I know I'm going to ask you this question is, you know, cause we just honest, so I don't want to be an insurance broker and he just answered that. And I know we, I know you're integrated in the compliance manager, which is a great product for, you know, all the compliance and, um, that they have a special section in there right around the cyber insurance. I mean, so you can access your platform through there. And, uh, what I think is unique and we're starting to hear this conversation and hearing more MSPs talk about it is they didn't know, like it's, it's showing the businesses that have these cyber policies, that there's actual requirements that they need to con you know, that they need to do. They can't just go buy insurance and think that if a claim happens because they got hit with ransomware, they're going to get paid out. Um, so it's important to be if you're the MSP and you know that your customer has a cyber insurance policy, like who is it? Like, what does it for, like what's going on in the policy? Because I think that's a big mistake. If people just think I bought cyber insurance, I'm covered, and that's not the case. I mean, you've been talking about it. You need to make sure you're going through and doing the different checklist. And can you expand on that a little bit? You know, if I'm an MSP having a conversation to someone that maybe has coverage today, uh, or they don't have coverage, like why we needed to go through the different steps to make sure they can get paid out if something does happen.
Speaker 2:Absolutely. And this is really something that, that people need to be aware of when they're thinking about cyber insurance, much, like whether you're applying for life insurance or car insurance, that there are basic requirements that have to be fulfilled. And, you know, if you're not so healthy, your rates are going to be higher than if you're a healthy person or a younger person. So it's the similar concept applies. And, and so it's an opportunity for MSPs, but it's also an important thing, as you say, to keep in mind that your customer is going to have the expectation that when they check off the box, yes, I have a firewall. Yes. I encrypt encrypted data. Yes. I encrypted my end points that it's true. And that's often the blocker. When people get to those questions, they have no idea if they have encrypted end points. And if they do say yes and it turns out they didn't, that can be a real issue when it comes down to whether they'll be covered or not. So it, it, to me is a real natural extension. When we think about the providers who create infrastructure and technical support for people that they would also be the ones to help them understand what their environments are doing and how they should protect for them. And so if you aren't doing those things for people, but they're signing up for their insurance policies and representing that, that again, could be back to the tech E&O policy because that they might have relied upon certain information that may or may not be accurate. So this is an area where these two things I do not believe should be decoupled between technology and cyber risk, because they are an extension of one another. And it really is about, you know, and when a lot of these municipalities and schools are being attacked, it was like, Oh, we'll just go buy cyber insurance. You forget about it. And everyone's, I know you can't replace fiber insurance or cyber insurance with technology and vice versa.
And also the other key point is that we know that there are vulnerabilities in any system, no matter what, and that isn't a ding on an MSPs reputation or the service they provide to also recommend that someone be insured for cyber risks. And I think that that sometimes there's this feeling like, why am I commissioning the value of my service by saying, well, you should probably get this insurance when in fact it's just a risk curve and we have to be aware of that. Perhaps if you were driving your car and you're a great driver, someone could still run a red light and hit you. And those are the things that people have to orient their minds around in terms of these cyber threats as well.
Speaker 1:Yeah. And I, something I wanted to kind of go into for a second with you is that I I've heard you speak on this a couple of times, and I've heard other MSPs and other insurance people out in the industry. People think they have cyber insurance. Like if their server gets hit with ransomware or, you know, something happens that the replacement I've heard, I've heard a lot of people talk about this, does every cyber policy. And it's just like a myth that I wanted to talk about is every cyber policy pay the ransom. Does every cyber policy pay the replacement cost at the same? I mean, those are some big things that people don't look into. I don't think when they're getting cyber insurance, they don't think about, well, if I have to pay the ransom, you know, this is what it covers. If I have to replace my equipment, you know, or that my customer has to get, you know, their cost, their equipment replaced. Are we getting old value today's value? Like, I think there's a lot of things that you got to take into consideration with cyber insurance. Isn't there.
Speaker 2:Absolutely. It's a great question. And these are the areas where someone will send me. Yeah. But I can get a policy for $10 a month. And then I'm like, that's great. I don't know what that covers because it's not covering all the things that you just said. And so it's true. So what the one of them is ransomware, and that can actually be many types of extortion that exists in a network, um, many times and, um, policies. There are sublimited, which means I have a million dollar policy, but if you read down, it actually says, but if you get hit with an extortion event, that's really only $50,000 of coverage. So, and a lot of people don't understand that. And, and that's something to be really aware of. You want your policy to say that those, that program is to the full aggregate limit of your policy. Meaning if your policy requires all of that to be paid to that ransom event, then that's what happens. And, um, many, many policies are sublimited. They make them much less expensive, but at the end of the day, um, it's, you know, a thousand dollars a year or it's your entire company. So that's one of them that's really, really key. The other one before I get into the equipment, one is social engineering. Um, this is another one where there are a lot of lawsuits by many, many larger companies against their insurance companies who are saying, you know, I just wired $2 million out. It was a fraudulent wire, as it turns out, um, we want our money and they're like, but you didn't have coverage for that. And these are always add-ons or what they call an endorsement to the policy. So it's very key to make sure that if you think you have that coverage, you have to double check that it's social engineering coverage. And again, those are typically less than the typical limit of the policy because they are not really related so much to, um, a technology event as social engineering.
It's one-to-one so, um, but that's another area where many people think they're covered and are not. And then in the last is the betterment question, which is, am I going to have my equipment replaced? Oftentimes maybe, but as you say, it's going to be replaced at that old value that it was in. And so there are these things called betterment clauses, which are not that common. They're becoming more common policies. Val, they're probably one of the most important things in a policy because it allows you to replace your equipment and, or to add software that can actually help you mitigate against ever having this attack again. So there's a twofold, it's actually an upgrade to the system is also allowed when our betterment clauses, um, and it's really nice because it is the difference between you in a car accident, getting in a situation where they give you a partial replacement value of a car where you can't actually replace the car that you had today versus a full replacement value where you can go and replace exactly what you had and be comfortable that it is what you need.
Speaker 1:And I just, I've heard you talk to MSPs about this and I see your different articles. And that really means a lot. I mean, it just, you can't go into say I'm buying cyber insurance. You really need to know. And I think it's just a, it's it shows that the MSP cares too, when they ask some of these questions to their customers, or when they're trying to, you know, to get a cyber insurance policy for their customers, just taking that stuff into consideration, you want to be setting that customer up for the best possible scenario in a not so good scenario. And I think it's really, really great, the attention to detail and what you guys do at Cysurance to make sure that these types of questions are answered and you really, your team goes the extra mile and making sure the MSP understands what is going on. You'll jump on the phone with them as well. I just kind of want to end with this and get your last thoughts, but just how you guys really help the MSPs when they have questions or they're getting ready to get a policy, you know, for a customer and how you guys really answer all these types of questions like we just talked about.
Speaker 2:Well, thank you. And it's our pleasure. I mean, we, we really love working with this community and it's such an important community. And, and the thing that I've been saying for a while that you've heard me say also is that this MSP community has created this infrastructure that has enabled all of us to be able to walk out of our offices one day and still continue to be productive and run our companies and do our business. It's a really important thing. We couldn't have done this five years ago. And so that's really a testament to everything that's been built to facilitate what we do today in our workforce. And so we need to treat it with the same care is now to protect it and manage it in the way that needs to be. And, and so we really believe in supporting the SMB and the MSP community. And, um, the most important thing that I'll leave you with is, and they probably the easiest way to get to some of these questions is asking, what am I not covered for? Because I can give you this litany of things you're covered for, and many of them you're like, I don't really know what that means, but just know, I don't know what I'm not covered for. Please tell me what, what I'm not getting, or what's not to the full limit of the policy. If you can draw a circle around that, you will get a lot further and understanding the nuances of what actually exists and for yourself and for your customers.
Speaker 1:Oh, that's great advice. And I mean, you're always just a, a wealth of knowledge and an expert authority in the space. And I just always am continuing to see the newest new things coming out from you. So I just appreciate you, Cysurance, uh, and just the knowledge that you have to help the MSP community. So I appreciate you being on, on the podcast today.
Speaker 2:Well, my great pleasure. Thank you for having me and always, just let me know if you have any questions I'm here to help.
Speaker 1:Yeah, no, that's awesome. And again, Kirsten, thank you for joining us. And I want to say thank you to our listeners out there for listening to the Connecting IT podcast. Make sure you subscribe and rate us five stars on the iTunes store. Until next time, see you later.

