You found the backup wrap up.

The only podcast dedicated to the unsung heroes of the data center backup admins.

In this episode, we explore the critical world of cyber insurance

with cyber expert Mike Saylor.

Discover why it's more than just a safety net.

It's a proactive tool in your cybersecurity arsenal.

We'll uncover the evolving landscape of cyber policies, debunk common

misconceptions, and reveal strategies to maximize your coverage from

understanding policy nuances to leveraging your insurer's expertise.

This episode is packed.

It's also filled with great stories from real cyber

incidents that Mike has been on.

By the way, if you have no idea who I am, I'm w Curtis Preston, AKA, Mr.

Backup, and I've been passionate about backup and recovery and

disaster recovery for over 30 years.

Ever since.

I had to tell my boss that there were no backups of the

database that we had just lost.

I don't want that to happen to me.

I don't want that to happen to you.

That's why I do this.

On this podcast, we turn Unappreciated Backup Admins into Cyber Recovery Heroes.

This is the backup wrap up.

I.

Welcome to the show.

Before we get started, if you could just take a moment and click the

subscribe or follow button wherever you are listening or watching

this podcast, that would be great.

I.

I am w Curtis Press, AKA, Mr.

Backup.

And with me, I have my elevated air conditioning consultant

Prasanna Malaiyandi how's it going?

Persona?

I am doing well, Curtis, and I'm glad that you're not sitting there sweating.

Yeah.

So, uh, I, I wonder if I'm the, I I can't be the only person that has done the

thing that I'm talking about right now.

You might be the only person.

Well, like technically, like when people mount their AC units in like

a high-rise building, they mount it off the side of the building.

Yeah,

kind of the same.

yeah.

So

I've

thing is,

someone do that inside the house.

yeah, so the thing is, I live in an HOA world, right?

So if I, what would be I.

Perfect for this setup would be a window unit.

I don't, I live in Southern California.

Most of us don't have ac but since I've moved my office upstairs and I've got sun

in the thing, you know, I've, I, I need something to cool off the room for me.

Right.

But I'm not allowed to put a window unit air conditioner, uh, per my HOA.

So I bought one of these, you know, standalone portable air conditioners,

but it was too big and it was in the way, and so I mounted it on the wall.

And

Yeah,

this very, well go ahead.

and I think you need to clarify.

You mounted it on the wall above where someone may have their head while

they're lying down and taking a nap.

That is definitely part of the installation.

Uh, and that person may be my granddaughter when she's, you know, so

it definitely needs to, uh, be sturdy.

So I have these, these, these, um.

Brackets that are designed to hold 200 pounds and the thing is only 60 pounds.

Uh, but yeah, I, I should actually take a picture of it for those that are watching

this, uh, on video, I should actually take a picture of it and put it in there.

But, uh, I, as usual, I consulted with you along the way.

Yeah.

and, um, you were particularly helpful with the, um, the

condensation line, uh, issue.

Um, but, um, so what, what do you, what do you think of my install?

What do you think?

it's, it was good.

Yeah.

And the fact that you, so we should also clarify that you then took this

idea and you did it again in a different

Yes, yes.

And I learned,

to V two.

I did, I, I, I made improvements, but I learned nothing because

I made similar mistakes when I was building the second one.

Uh, yeah.

So now, so I have this one that if it fails, it can fall and fall

onto my sleeping granddaughter.

The other one, if it fails, it falls on me.

So, um, you know, I just, the, the whole, the whole house could be taken

out and a structural collapse, but I'm sure everything will be fine.

be fine.

You use 200 pound brackets.

You're good

200 pound brackets and

leg screws.

yeah, four and a half inch lag screws, uh, six each on each bracket.

So

Yeah.

screwed

overkill

not screwed into drywall.

I'm not, I'm not an amateur here.

Yeah.

What is the air conditioner attached to the brackets?

Uh, the air conditioner is, um, what do you

Nope.

the air conditioner.

There is a shelf around, there is a shelf containing, there's a shelf on

the brackets, and then there is a.

What do you call it?

Um, a what?

but height of said lip is about two inches.

It's the, the lip is uh, six inches, sir.

Five and a half inches.

And so if, if there was an earthquake, I, I, I am considering additional strapping

because I do live in Southern California.

Yeah.

You should at least put a strap on that thing,

Yeah, yeah, yeah, yeah.

Uh,

that

anyway,

I'll be fine.

I, I did, I didn't bring this up to have my design criticized

You sure about that?

That's what you keep me around.

anyway.

Well, our guest today, he is the repeat guest.

Very excited to have him back.

He's been in it and cyber for over 30 years and just finished his doctorate in

business with a focus on cybersecurity.

He is the CEO and incident response lead at Black Swan Cybersecurity

and a friend of the pod.

Welcome to the show, Mike Sailor.

Thank you guys.

Great to be back.

Absolutely.

Mike, we're gonna talk, uh, this episode, and by the way, I want to.

Formally tell everybody for those that are fans of the pod, that listen, the

reason that Mike is back is that Mike has agreed to join me in writing my next book.

Um, I was, I, you know, I've been working on this for a while, got a contract with

O'Reilly and then realize that really, even though, you know, I specialize in

backup with sort of a, a minor in cyber, I would say, uh, you know, I needed

somebody that is doing this every day.

And so I brought Mike in.

And so Mike, I'm super excited that you're joining me on that.

So, uh, those that are listening to the pod on a regular basis

get used to Mike's voice.

He's gonna be here for a while.

Um, we're not gonna let him go until he is recorded at least 400 episodes.

Anyway, um, so today we're talking about, we're gonna, we're gonna

talk about cyber insurance, um, before we talk about, because this

is, you know, as part of our very.

You know, huge series here on, um, ransomware and related topics.

Um, cyber insurance plays a role in that defense.

One of the things you're, you should have been hearing us say is that you've

got to do all this stuff beforehand.

The best way to, you know, prepare, you know, to respond to a cyber attack is

to prepare to respond to it beforehand.

Don't wait until you get one.

Uh, to suddenly ask, do we have a cyber insurance provider?

Um,

Tony, Tony from Spectral Logic, right when he was like, yeah,

we got hit with ransomware.

And

yeah,

they had just signed up for cyber insurance like

they did.

before.

That's right.

Um, talk about great timing.

Um, yeah.

So we're gonna talk about cyber insurance.

Before we do that, there's sort of, sort of a, a subtopic that I want

to talk about, and that's this, this concept of assume breach.

I, I'm sure that you, that you, uh, have heard this phrase a lot, Mike.

What, what does it mean when, when, when people say they should assume breach?

Well, there's a couple, uh, a couple of different perspectives there.

One, it's something I've, I've, I've preached a lot in that it, it's

not, it's not if, it's when right, it's going to happen statistically,

whether it's an accident or intentional, it's gonna happen.

Yeah.

and the other part of that is when, when bad things do happen, you've gotta come

at it from what's the worst possible.

Scenario, and hopefully it's, it's not as significant as, as that, but

you've gotta, you can't just treat an incident as, uh, you know, you

can't just put a bandaid on it.

You've gotta, you've gotta really dig into it and figure out, uh, what it is

and how bad it is, and what's the scope and, uh, the, the impact, uh, so that

you're, you're addressing it properly.

And so I think Curtis, when we talk in the backup space, if we throw

out an analogy, it's like when you're doing backup testing, right?

Don't just test, Hey, I'm just gonna go restore a file, right?

Actually figure out what does it mean for like a DR test, or to figure

out like what happens when this application fails and all the other

dependencies that I need in order to be able to recover my environment.

Yeah, I think what, when I, again, you know, making an analogy to the backup

space, I've had a lot of experience in the backup world, and one thing

that I have seen time and time and time and time again is that everybody

backups, hardly anybody restores, right?

They, they, they just, they don't, and, and that's one of the reasons that I ended

up specializing in this because I happen to work at a bank where we had 12,000 end

users and they, and we had a tech support line, and any one of those 12,000 people

could call and ask for a restore of a file anytime, and they did it all the time.

We got like 10 restore requests a day.

Right.

Um, and again, I, I know I've said it before, but my favorite restore

that I ever got was a request to restore a file called Resume Doc.

And, um, and we're like, is that how that's pronounced?

You're like, I don't think that's how that's pronounced, but, um, the, so

most people don't restore, most people, even if they live in, depending on

where they live, they may or may not.

They, they, um, they probably haven't suffered a natural disaster, a terrorist

attack, um, you know, a, a fire that takes out your entire building.

Most people have not experienced those things.

And so they develop, I think over time a lackadaisical, um,

attitude towards those things.

And they also, I remember one meeting that I was in with a large company right

up the road from me, where when we were trying to get them to have a DR plan,

the response was, well, if that happens, I'll probably be dead, so I won't care.

Right.

When we talk about a cyber attack, none of those things are true.

Right.

You, like you said, Mike, um, you know, the odds of an individual

organization being a attacked by some level of cyber attack that cripples

your organization, whether or not it's ransomware or, or whatever type

of attack, but some type of cyber attack that impacts your organization,

the odds are essentially one-to-one.

Right?

It is pretty close.

It's gonna, especially over, over a long period of time, it's

Right,

Yep.

right.

And you've got to be, because you know, and I know that I say this a lot, just

like with, with terrorism, you, you have to be, uh, right all the time.

The attacker only has to be right once, right.

And unfortunately in cyber, sometimes the attacker doesn't even know he is

right yet, until he is, until your company's down and you're calling him

for help and he is like, oh, I got one.

Yeah.

Sometimes they don't even know.

That's interesting.

I would, I, I guess I would assume that they, yeah, I, I would assume that, yeah.

Well, I, they do, right?

I mean, they're, these ransomware companies are, you know, especially

the initial access brokers, right?

Um, they are, they're just throwing all kinds of stuff at the wall to see

if they, if anything sticks right.

mm-Hmm.

Automated attacks, scripts, ransomware stuff that goes out

in emails, that's just blanket.

Pool of emails that go out and statistically, you know, some percentage

of people will click on it, stuff gets infected, it automatically negotiates

and does stuff, and the bad guy doesn't know that he got you until

you call and ask, well, how am I gonna pay the ransom and get my data back?

He is like, all right, well,

Yeah.

Uh, not at our company.

No one at our company would do such a thing.

to us.

No,

Yeah.

That,

I think you're I wanted to say, I think you're right.

I think, I think there, the, the, the majority of organizations focus on having

a backup strategy not a restore strategy.

yeah.

Well, you know, and it, it, it's, I mean, there's a lot of reasons for that, right?

You know, I, I feel for my backup folks, doing the backup is so hard.

Um, you know, it shouldn't be so hard.

But doing the backup is so hard.

You, you, you know, you focus, like, what I remember was we spent all of

our time focusing on the backup window.

Backup window.

Can I fit my backup within the backup window?

Right?

And, and all of the design is focused on the, on the, um.

The performance of that backup to get it done.

And there were elements, and I'll throw multiplexing out for those that

have been, you know, those that spent time long enough to be backing up to

tape multiplexing is a perfect example where, um, it was a ingenious backup

design that solved the problem with tape, but it made, it made backups way

better, but it made restores way worse.

And, um, go ahead.

because you would be doing backups like 99.998% of the time.

Yeah.

And so you're optimized for that versus that one restore.

But that one restore is what's gonna bite you.

Yeah.

The one restores the one that's gonna get you fired.

Well then, I mean, if we go, if we go back to the left from.

The, the backup jobs and how long they take are, are you even, are,

are you backing up the right stuff?

So, you know, it is just doing what we're told and we've gotta

build technology and solutions that satisfy the business requirements.

And if, but, but very rarely are we able to go back to the business

and go, Hey, we're, I'm backing up a terabyte a day and it costs, you

know, $80 a tape plus people to do it.

And now we're gonna, is are, do we need to do that?

Can we, can we classify data and identify the right data?

And, and then I, I worked for a $5 billion telecom that did not have

classification or even good data, uh, data identification or consolidation.

And they were, it was dictated to, you will back up everything

and we will keep it forever.

when we had a DR assessment done, we would've been out

of business in $5 billion.

Telecom would've been outta business in two weeks because it would've taken

almost an entire week to get all of the backup tapes back to the location in

order to determine, back to the restore strategy, what's our dependencies

and what's our, what's the process?

And one of the other thing that that contributed to, uh, going outta business

was that some of those initial like bare metal systems that we'd have to

restore those, those backups were on nine track tape didn't have a nine

track tape device to restore it from.

Hey, Mike.

a ton of stuff.

But

you're, you're old.

the business side, I mean, I think it a lot of times just

does what we're told without.

Uh, effectively pushing back or dictating back to, uh, uh, the business

about helping us do our job better and more efficiently and all that stuff.

So,

yeah.

I, I, I hear you.

I used to be an auditor, so I audited the technology environments.

Like why are your tape jobs failing?

Well, we had to kill it 'cause people were coming to work and we were consuming

the network and, you know, that kind of, the backup's never, never finished.

So the main topic of this particular episode is about cyber insurance.

And honestly, I, I don't know how long cyber insurance has been around, but from

my experience, I went from never having heard of it to hearing of it all the time.

And there was this where, and where I started hearing about it was

people say, oh, well we need to get cyber insurance because these,

like, they didn't have it before.

And then they said, well, we're gonna need to get these cyber insurance.

And mainly their purpose of getting cyber insurance, from my opinion, was

to get somebody else to pay the ransom.

Right?

And then the cyber insurance companies wised up and said, yeah,

that's not how this is gonna work.

Um, but there is still a role.

I mean, they, and they still.

You know, are there to pay the ransom depending on the policy.

But what do you see today if I don't have a cyber insurance company or I

have the wrong type of a cyber insurance company, what would you, what role do

you see the cyber insurance company playing in today's cyber defense world?

Well, it's definitely evolved and matured, uh, to your point, uh, about when,

when did cyber insurance come about?

It's been around for over 20 years.

I think the first couple of cyber policies I saw were actually kind of free.

They were, they were throwing.

It in with the umbrella policies.

That's kind of a, if you get this, then we'll throw in cyber for you for

free or at no cost or something, you know, insignificant, like a hundred

bucks a year or something like that.

Because back then, and this was, this was before ransomware, even though it was

around, was really prevalent and you know, the ransoms weren't millions of dollars.

They were, you know, a hundred dollars in a, a Domino's gift card.

Yeah.

One Bitcoin.

so, right.

Uh, so the, the evolution of cyber insurance is really, uh, aligned or,

or, uh, as a result of the evolution of cyber crime and the interest in insurance

companies to delineate those risks.

You've got normal corporate risk and then you've got this other stuff

and there's different policies for these different types of risks.

And cyber has evolved as one of those kind of, uh, threats of, of

threat that they want to delineate.

And so over time.

You've gone from, uh, we, we have good just general company controls

and we get cyber insurance.

And now, today, and, and it's gone through this, this true evolution of, uh,

not only on our side from a consumer of what we need, but also on the insurance

side about what should they cover and, and what are, what, what should

we consider from a risk perspective.

'cause believe it or not, there's still not a whole lot of uh, on

the cyber side an actuarial side.

You know, like normal,

Hmm.

insurance would have still not a whole lot of, of historic data on

the actuarial side for them to be real comfortable and, and accurate

Risks.

policies and stuff.

So today they're doing what they can, uh, you know, they send you a questionnaire.

You, you, you tell them the things that you do or don't do and, and they

determine whether you qualify for their insurance and if you do what your

premium should be based on the risk that they assume, in your particular case.

Well then in.

Other things you've gotta consider is whether, and, and this is to your

question Curtis, about well, what insurance companies are out there

and what kind of policies there are, there are different policies.

There's the, you know, bare minimum, you know, we'll help cover, you know,

business expense, uh, for an outage.

And that's it, you know, up to, you know, some, some dollar amount.

I think the most, um, the most coverage I've seen in a single

cyber policy is 5 million.

So if you need more coverage, you've gotta get multiple policies.

Hmm.

but policies have small print.

and, and I've played on both sides.

I've played, I've played the role of supporting the victim of

a, of a crime and, and working with them to get the claim.

And I've, I've played the, the auditor on the insurance side to

help them determine whether or not they should, should approve a claim.

And some of that is based on the small print and one of those small print.

Things that, that insurance companies tend to throw in there

to protect themselves is are things like terrorist attack or was it a,

Nation state.

It was an international nation state attack.

Because they tried doing that for one of the attacks.

I can't remember which one it was.

I think Lloyd's tried to get out of paying by claiming that

it was a nation state attack.

mm-Hmm.

Basically declaring an act, essentially declaring it an act of war.

Right.

Yeah.

and, and threat actors are becoming more comfortable and, and

conversant with, with these, uh, particular aspects of a policy too.

'cause they want to get paid.

And so, as an example, an insurance policy may say that they will

only cover a domestic attack.

Well, if a bad guy, whether they attacked you initially, internationally

or not, if they find out your policy has that stipulation, then

they will back out of that attack and redo it from a domestic host.

quite literally.

and in a lot of cases, they're gonna do their own reconnaissance on and, and

eventually find your policy documents and

I was

and all these other things so that then when, when they do post your ransom, it's,

you know, they're, they're gonna start

for that number right below what the policy covers.

Uh, well, in, in some cases it's, it's, it's a little higher

Yeah.

they want to negotiate.

Yeah.

you know, I'm gonna ask you for nine, but you've only, and, and they know

you've only got five in coverage.

And then they're, they're gonna settle for four and a half and they're, you're

gonna think you got this great deal.

Uh, so there is a game that's played, um.

are, there are stipulations from insurance companies based on the type

and the amount of coverage you need.

Mm-Hmm.

different insurance companies have different products, I

think is what they call them.

Uh, Lloyd's has 'em, Beasley has 'em, there's any number of other, uh, pretty

well known and there's a ton of brokers, uh, that resell, you know, whatever the,

the actual carrier or underwriter, uh,

So,

is,

so it's just like home insurance or car insurance, except

now they're cyber insurance.

So.

So there, there was a part in there where you talked about, uh, negotiation.

Um.

Uh, does the cyber insurance company, do they play a role

in that negotiation aspect?

They can if you in, well, yes they can.

Uh, so.

But it depends.

Uh, some, some organizations try to handle, you know,

the incident on their own.

'cause they don't think, uh, you know, maybe they can, they can self-fund

a ransom or they don't wanna involve their insurance company because

they're afraid their premiums are gonna go up, or it's gonna hit the

news or whatever the case may be.

So there's that independent, I'll, I'll, I'll handle this on my own.

Mm-Hmm.

Uh, then there are insurance companies that, uh, are more of

a, an advisor and they don't have, or maybe they partner with or can

refer you to a ransom negotiator.

And then some of the, the policies, uh, the policy carriers have their own ransom

negotiators that, will work with you and.

Try to, and a lot of those negotiators are well versed in, in

whoever that ransomware gang is.

So if you've got, you know, the Lazarus group or, uh, lock bid or black suit

or whoever it is, when you call your insurance company and you say, I've

got this ransomware thing, they're gonna ask you for some particulars.

And based on that, they're gonna assign you a ransomware negotiator that, that

has worked with that, that group before.

so very strategic and familiar with their, their, uh, behavior.

So we've kind of talked about the financial aspects.

What are other things that the cyber insurance companies

can offer to their clients?

Uh, other than.

Like helping with the negotiations and paying ransomware.

Well, it kind of starts with that questionnaire.

Uh, so when, when, when you, when you go looking for, uh, cyber insurance,

you're gonna get this questionnaire about the things you, they would

hope that you have in place.

And so that's a good starting point.

That's kind of basic cyber hygiene.

although there are some questions that, that I've seen on some questionnaires

that I just, I don't think they're relevant, but it maybe to that,

maybe to the insurance company is.

So that's a good starting point.

And, and you can just google like cyber insurance questionnaire and,

and, and see what I'm talking about.

I hope MFAs on there.

It should be.

You're right.

Uh, I haven't seen one recently, uh, that didn't have MFA on it.

Uh, but there are some things that, uh, some organizations

can't, uh, or think they can't afford, like 24 7 monitoring, like

Hmm.

small five person credit union or a, a mom and pop shop that needs cyber insurance.

They're like, there's, how am I gonna cover that?

Yeah.

Hmm.

so what, you've either gotta go figure that part out to qualify or just keep

shopping around for different insurance providers that may not ask that question.

so first of all, there's this list of things that to consider doing to implement

good cyber hygiene in your organization.

So there's that.

I mean, that's free.

Yeah.

Uh, but then once you, uh, once you're engaged with a

cyber insurance carrier, um, I.

want to hear from you.

They want to know you've got questions.

They want to know that you're willing to improve your

environment and your controls.

And, they want to establish a relationship with you so that when

something does go wrong, you feel comfortable talking to them and you know

Mm-Hmm.

and they know who they're talking to and, and there's some familiarity there.

So when they do give you advice, it's based on what they know about

your company and not just some, you know, bullet point out of a book.

Yeah,

those insurance

go ahead.

often have relationships with other service providers.

So if you need something specific, your insurance company already has

a list of pre-approved, uh, service providers or people or companies that

they will also, if, if you do file a claim, um, are kind of pre-approved

to get, uh, to get covered by a claim.

So, so it sounds like you're talking about other basically, uh, response

team, companies like yourself that, um, that you can, you can develop a

relationship with the insurance provider.

The insurance provider can help you develop a relationship

with these other response.

So is that what you're saying is they can help introduce

you to these other companies?

Absolutely.

Um, and so, and, and ideally, and, and I like the way you phrased that because it

sounds like that's something you, you, you do ahead of something bad happening,

uh, which is always something I suggest.

Get to know your neighbors before your house catches fire and you're

away on vacation and you're calling someone to get the garden hose out.

Uh, you, you need to meet all of the people and, and at least have at least

one conversation and know someone's name and have the right phone number and

what their role could be and how they could help figure all that out today,

uh, before something bad happens, I.

Yeah.

thing, Mike, uh, I know we've been talking a lot about sort of ransomware,

but cyber insurance also covers more than just ransomware, right?

It's, I think you had mentioned previously, right?

It's incidences.

Right.

And so, you know, any, anything can be an event.

Uh, I broke my computer, I lost my computer, uh, someone

may have stolen my password.

That's an event you tell somebody and, uh, you know, the, the person responsible in

your organization that, that does, that intake then has to, to assess what they're

being, what this event is, and classify it as a type of incident if it is one.

And then what kind of criticality goes along with it, based on

that, that classification of that incident, you know, stolen laptop.

Okay.

Well, if it's, if it's the, you know, the receptionist laptop,

uh, probably not that critical.

But if it's your field auditor that visits 20.

a month and all that consolidated data is on there, and well,

is it encrypted or not?

Or, you know, what all the, all those details help us assess

and classify this incident?

Well, then that assessment could also place a value or a

risk impact on that incident.

so for example, if that laptop stolen with that much client data on it,

and you're in California and they assess you $2,500 per client record,

Yeah.

there's who knows how many records on there.

Well, there's a, there's a, there's a value to that.

It's not just the replacement cost of the,

Laptop.

Yeah.

so there's a regulatory, uh, issue there too.

Uh, and then well, does your cyber policy cover regulatory issues?

And so there's all these things that you really need to

us understand your business.

First, what do we do here?

What kind of data do we handle?

Uh, where is, where is it, how does that stuff flow?

And who's responsible for all these things?

Then you go get a, a policy, uh, that helps you cover that stuff.

Uh, and that's not the, that, that, uh, level of detail, or it is not

in your cybersecurity questionnaire.

They're not gonna ask you the value of a stolen laptop with client data on it

they don't know your business either.

Now, the umbrella, umbrella policies do that.

Mm-Hmm.

want to know what kind of business you, you're, you're in, what services you

provide, what kind of data you handle.

But your cyber policy, for whatever reason, hasn't gotten to that level yet.

So we've had an incident.

What?

What do we do now with regards to the cyber insurance?

How does that, how does the cyber insurance company, how is it

involved in an actual incident?

Well, I'll tell you in my experience dealing with cyber, uh, both on the, you

know, just basic broker relationships, but also the, the underwriter, um, in most

cases it's a broker we've, we've dealt with, but they all want to be contacted.

As soon as you think you've got a problem, it doesn't matter how big or small they

Hmm.

to help be a part of, the response and give you the right advice and help you

calm down and, and think rationally.

Good luck with that.

well, and, and a good, a good example of that is, uh, we

had a, a credit card merchant.

Uh, you know, so they're a small, a small business, but they actually

process a ton of credit cards and they had a breach, a ransomware breach.

And they started calling everybody in the world.

They called three different cyber firms, and we all showed up together.

We're like, I, it's funny seeing you here.

Why, why are you here?

Well, it's the same thing.

You're so overkill, right?

She, she called in the National Guard, the, the, the army, the

Canadian Royal Mounted Police.

They all showed up at the same time and she only needed one.

Uh, and it wasn't just cyber.

She called three cyber firms, four or five it MSPs.

She called a backup company, a forensic company.

She called law enforcement.

I mean, her, her office was in a, a shared, uh, tenant space, and

we all couldn't fit in her office.

It is like we had to wait outside and go in one at a time.

definitely overkill.

Well, if she had called the insurance company first one, they would've

helped advise her on what's the normal response to this thing.

Hmm.

here are some pre-approved experts that we, we know these, the,

you know, these groups, uh, are effective and, and they'll help you.

And they're already pre-approved on our list.

So if you do file a claim, no issue and get reimbursed for that stuff,

that would, and that's how it, it, it played out eventually, you know,

I don't remember if it was me or somebody else suggested let's get

your insurance company involved.

and once she did, they

So she,

and

so she called everybody but her insurance company.

That is correct.

Because,

I think that's, that's common.

A

yeah.

a lot of organizations, I feel like if I call my insurance

company, my rates are gonna go up.

Well, even if your rate did go up, I think the, small, medium sized business

cyber insurance policy is probably between 1,550 $500 a year, depending

Mm-Hmm

your risk and your coverage.

If your policy went up, if your premium went up, maybe 10%.

right,

mm-Hmm.

bucks at the most versus, you know, millions of dollars in ransom or expenses

that your insurance company will not reimburse you for because they were

excessive or not covered or whatever.

So the fear is there, but the rationale is not,

Yeah,

Well,

They're like, I don't

but,

rates to go up.

But really, do you understand what that looks like

On a completely separate matter, having nothing to do with

cyber insurance, I am involved.

With a company who had to contact their insurance provider, and

they were terrified about it.

And one of the things that they were worried about is if this all comes to

fruition, they were also worried about being canceled and, and then, and then

not being able to get a policy after that.

How, how valid is that?

Worry.

It, it's somewhat valid.

And, and for two, for two primary reasons, the first reason that you

would get canceled after involving your insurance company, whether it's

a claim or, or part of, or just a claim or, or also part of the response

Mm-Hmm.

in, if the insurance company, determines that.

All of the information you provided them upfront that

Ah,

qualify for this policy was false or negligent or

Yeah.

lying is bad.

Regardless.

Well, even if you, even if you just filled it out because you

didn't know you can't, you can

Hmm.

ignorance, but it was still inaccurate.

Right.

So then, then you're gonna get dropped because they figured,

they found out that you shouldn't have been approved to begin with.

And then the second, the second one is just gross negligence.

It doesn't matter if you've got the best security controls in the world and in

good sick, good hygiene, and, and you, you were immaculate and accurate on

their, their qualification questionnaire.

This incident happened.

you were negligent in responding to it.

You didn't call them timely, you didn't apply the right resources to,

to mitigate and solve the problem.

And you just, you were just like, whatever.

I've got insurance coverage.

And you waited till the end of the day and,

Hmm.

hope that insurance company covered it.

And, they're gonna go, yeah, that's not the way this works.

Uh, and even if they do pay your claim, they're probably gonna drop you.

you.

and I'll, I'll add this.

Even, even in a perfect world, uh, you did everything right.

You had all the good stuff in place.

The insurance company thought the response went well, uh,

everything was covered in a claim.

Or even if you didn't have to file a claim, you figured out how to do this

without your minimums or whatever the

Mm-Hmm

But you solved your insurance company and they want that.

So even at the end of the day, in a perfect world, they're gonna come back

to you postmortem and just double check.

what could we have done different?

To keep this from happening and so that it doesn't happen again.

mm-Hmm.

Just know that, that they're gonna want to be involved in the, in the postmortem

as well, even in a perfect world.

I was worried you were gonna say even when everything goes right,

they still might cancel you.

Yeah.

That's what I thought you.

do they also consider Mike like looking at the dollar value of the claim

they do.

They do.

and so if, if, but there's all these other factors, just like insurance companies do.

They've got all these factors, they've got all their formulas

and all this good stuff.

so even in a perfect world, everything went fine and you've got a $5

million policy and you maxed out that policy, whether it's ransomware,

uh, you know, they, they asked for 5 million or it's some combination

of ransom and expenses and stuff.

Loss, uh, loss or people you had to bring in to help.

So there, there's this formula that says if, if you exceed some

percentage of your coverage, uh, it kicks in these other activities.

And so whether that's, Hey, you need to go get, you need to bring

in a, uh, an external auditor that you pay for, uh, that's gonna give

us a report and give us comfort

Mm.

based on your industry or the type of data you handle, uh, you've now gotta

become certified in, you know, like ISO 27,001 or, or gonna have a SOC

two type two, you know, activity done.

Uh, there are, uh, cases I've, I've heard of, uh, I have in, in

probably man, uh, 14, 16, almost 18 years of doing incident response.

I have not seen a, um, a cyber insurance company like, put

the hammer down on somebody.

I've not seen anybody get canceled.

but also, I mean, I, I was involved in an incident response as part of a team.

And so that's the normal thing to do,

Yeah.

Right.

some company that just maybe didn't respond well and called

their insurance company.

Maybe those are the ones that got

Gotcha.

time.

Uh, but I, because of my role, I have not seen that that result in, uh,

the responses that I was involved in.

Involving your insurance company as soon as possible.

one establishes comfort and credibility with them.

Uh, they want to be part of the discussion.

Uh, but two, in, in a lot of cases, I think, like I mentioned, they, they

deal with incidents all the time.

And so they

Right.

give you guidance and direction and feedback about what you're doing

or what, uh, questions you may have or, or doubts you may have.

So there's, there's definite value in,

Yeah,

them, and they wanna be involved as soon as possible.

What about their involvement before the incidents even happened?

certainly, and, and I, I preach this all day long.

You, you've gotta, you've gotta train and practice, uh, before the game.

And the, uh, game day is when incidents happen.

And if, if your team doesn't show up and you don't know who's, who's on first and

what play to run, and, uh, whose role is, uh, you know, the roles are defined.

And, and if you don't have all that in, in, in place, then your

response is not gonna be as effective or timely as as it could be.

And so we, we want them, we want organizations to do what are called

tabletops, at least, at least once a year.

Hmm.

Uh, brainstorm about all the, the things that could significantly impact

your, your company like ransomware.

Uh, and then develop a scenario, have a third party moderator come in and,

and run everybody through it and kinda lead the, you know, be the referee.

Hmm.

and one of the things that we always stress is, you know, a lot

of organizations think that their, their team is just their employees

and their subject matter experts.

You've really gotta expand that because when you think about an incident.

depending on what the scenario is, uh, you want to involve outside people.

It could be your, your outside legal counsel.

It could be, uh, law enforcement, uh, but almost in every, in almost

every case, uh, you would want to consult your insurance company.

And so your insurance company and your tabletop exercises,

your broker, uh, is a great idea.

Uh, and for a couple of reasons.

One, uh, very often the only time you've ever talked to them is the

day you, you got your policy, and, and, and you're, you're looking

for the quote for your renewal.

That's really it.

Do you really know your insurance broker?

Do you know what their process is?

If you do have an incident and you need to file a claim, or you need help finding

a right resource and who's covered by, know, their, your policy, uh, get all

that stuff, uh, uh, in a, in, in your incident response plan and involve them

so that you, you know, who, you know who Bob is and they know who you are.

And, um.

and just real quick, that exercise alone is going to a lot of value.

I, I did an incident response where they thought they only had

$5 million in cyber coverage.

threat actor actually knew they had 10,

and so their, the ransom was $8 million.

And this company, and, and, and, you know, I'm, I'm working on information

that I'm provided, which is the same understanding that the rest

of the incident response team had, which was, we only had $5 million.

So how in the world are we gonna get it down from eight to something

covered by the insurance policy?

And we were on this zoom at like three o'clock in the morning.

This happened on a Friday.

So this was Saturday morning, we were on a Zoom and somebody came

in at, you know, maybe they were down the hall and, and bringing in

some donuts or coffee or something.

And they were in the background, uh, kind of like about as far away, uh,

as Curtis's bookshelf behind him.

And we were talking.

We were talking about $5 million, you know, only having $5 million in coverage.

And that person stopped and looked down in the camera and said, you know, we

have two $5 million policies, right?

And everybody in the room was like, where did that come from?

And who are you?

And what, where's that information?

Uh, well, to make matters worse, worse, uh, back to understanding your policy.

They did have $10 million in coverage, but it was a self-funded policy.

Hmm.

means you're covered up front, but you're gonna have to replenish that over

Yeah.

Oh, interesting.

uh, in addition to their premiums, they had to, they had

to put money back in the pod.

So absolutely involve your, your insurance company in your

tabletops, get to know them.

Uh, treat them as an extension of your incident response team just

like you would your legal counsel.

Uh, tons of value there, tons of experience, um, and good advice.

So you, you talked about, uh, involving them upfront.

You talked about how they can put you in touch during an incident with,

uh, these third party companies.

I, I, is it done where you talk to them in advance and say, listen in.

Can I get to know?

The, you know, pick your, the things that you're most likely to be hit

with, let's say a ransomware attack.

Can I get to know the company that, um, that I would be talking with

during a, during a ransomware attack?

Is, is it, is that done as well where people do that upfront?

Well, I'll answer it, uh, two ways or, or two parts.

Uh,

Okay.

it is, it, it, it is possible to do, but very rarely is it done.

Okay.

Because people don't call their insurance company until something bad happens.

But if you called them and said, Hey, I'm, uh, we're, we're, we're building

out our incident response plan and we want to get to, you know, we wanna do all

this prep work we don't have, we don't have a good forensics, uh, resource.

We don't have a good, uh, you know, extended it remediation resource.

We've got like five people, and if something bad

happens, we're gonna need 10.

Right?

Uh, so the insurance company will say, here are approved

vendors already on our list, and here's their contact information.

And absolutely call them and say, we're just getting ready

for, you know, D-Day and we wanna

Mm-Hmm.

we, we know who you are and you know who we are, and is there any paperwork

we can get outta the way today?

Uh, so that when we do need to engage you, it's not a, you know, we don't

have to go through legal review and, and waste time on paperwork

Yeah,

be able to focus on, on truly getting us back on our feet.

And a lot of, a lot of those organizations will do $0 retainers, especially

gonna.

Absolutely.

Call them and say, do you guys do retainers?

I ideally $0.

'cause I mean, I don't think we're at, we're at risk, but you never know.

And so I don't want to tie money up with, with, with you if I don't

Yeah, just get the paperwork out of the way.

gets your terms and conditions.

Any MSA, any blanket statement at work for incident response.

And um, in a lot of cases, even if it's a $0, retainer, you're kind

of at the top of the list when, when people start calling for help.

Yeah,

I like it.

Any final questions?

Persona.

no, this was fascinating because like you mentioned earlier, Curtis,

we had heard about Cyber sec, uh, cyber insurance, but just getting

down into this level of detail is

Yeah, it's great.

Yeah, I, I love the idea, obviously, obviously you have to

get cyber insurance in advance.

That's the one requirement you have to get it in advance.

I like that.

Just the fact of talking to a cyber insurance company, just talking with

them, you're gonna get that list and that that list is going to help you,

um, you know, give you a list of things that you should have been doing

already and that you can add to your, you know, you can add to your world.

I like that.

I like this idea of contacting them in advance, getting to know them in advance,

involving them in tabletop exercises.

And I really like this idea of using them because they're, they're the

ones who are, because they're the ones that are actually paying, uh, ransoms.

They're the ones that are.

Going to be most likely to have relationships with companies that

will minimize those ransoms, right?

And so the, the people and the companies that they then put you in

touch with are going to be top-notch.

And I really like this idea of getting to know those companies upfront.

I love the idea of the $0 retainer.

Um, you know, just, just priming the pump

Mm-Hmm.

that when you have an incident, you know, like you said, you

have one phone call to make.

Uh, and it sounds like that first phone call, um, you know, should be

the, the cyber insurance provider,

Definitely one of the first phone

One of

one of the first ones.

Who, who do you think should be the first, the legal.

you gotta call your mom first.

I

Okay,

mom, I'm not gonna be home for a while.

I, I think the summary statement here is that, you know, the cyber

insurance folks get, you know, talk to them now, get to know them.

Now, the, the, the more you get to know them and, and I think

that is not normal, right?

I, I don't think that's normal to, like, I don't contact my car insurance company.

Right.

But in this case, uh, getting to know them in advance, uh, is,

um, is definitely the way to go.

All right, well, uh, thanks for coming on Mike,

Anytime I enjoy it,

and thanks again persona,

No, thank you Curtis and Mike.

I hope to have you back on the podcast and I'm sure we'll have great topics

and discussions around cybersecurity.

and, uh, thanks to the listeners, you know that you are, why we do this.

Otherwise, we're just a couple of guys in a mic and that is a wrap.