Martin Hinton (00:05) Welcome to the Cyber Insurance News and Information Podcast. I'm the executive editor, Martin Hinton. And today we've got Trent Cooksley. He's the chief operating officer at Cowbell. Some of you are gonna know what that means if you tune in to this. But first of all, Trent, thanks so much for joining us. I know you're a busy guy. Tell us a little bit about your background. How did you get to this point in your career? And then we'll dive into a little bit about Cowbell and the small and medium-sized company space, the cyber risks they face, the services you provide, the landscape you see now and, to the degree any of us can't predict the future, what you see over the next few months and even year. So Trent, again, thanks so much for joining us.

Trent Cooksley (00:41) Thank you for having me, Martin. Yeah, Trent Cooksley, co-founder and chief operating officer at Cowbell. I started my career on the Chicago Board of Trade actually as a bond trader. And I quickly learned that that was more of an athletic event than an intellectual one. So that was fairly short-lived. But I've spent the majority of my career in the insurance space, both in helping build companies as well as at Fortune 500 insurance companies. And so spanning across all functions and really working in many different areas. I've been exposed to everything that happens within an insurance organization and always with the technology bent, always with the idea of how data and technology could improve outcomes, improve functions, efficiencies. In 2019, I co-founded Cowbell with my partners and we are a cyber-focused MGA that also has a lot of cybersecurity services that we wrap around our policies.

Martin Hinton (01:59) And I'm right to say that you specialize in providing services to small and medium-sized enterprises, is that correct?

Trent Cooksley (02:05) Yeah, that is correct. We specialize in businesses up to a billion dollars in revenue.

Martin Hinton (02:11) Yes, small has a whole new context when it comes to this realm. We're not talking.

Trent Cooksley (02:13) Yeah, micro, SME, and mid-market.

Martin Hinton (02:18) One of the things that we see in the small and medium-sized space is what I've referred to as a bit of a teenager mentality that maybe you could argue even exists at much, much bigger companies. But this idea that the cyber risks that enterprises face now are things that happen to other people and that they won't happen to me. And I wonder if you could just frame the situation that the companies you work with and other companies in that space face now in the real world. How dangerous are things like business email compromise, business interruption as a result, ransomware, the variety of ways that companies can be financially impacted in the short and long term?

Trent Cooksley (02:58) Yeah, I think the mentality is as much that it won't happen to me as I don't have the exposure. And so what we see a lot is smaller organizations don't feel like they're a target or they actually have the type of risk or exposure. Well, we don't really do a lot of stuff online or we don't really have, you know, computers aren't our business. And we hear these kinds of things even from companies that are using computers and they're online all day long. The other thing is they, a lot of times, leverage third party services to manage a lot of their technology bench. And so they feel there that it's not really an exposure base. But it's not accurate. The threats that really large companies face go all the way down to micro businesses. We've seen companies as small as hundreds of thousands of dollars in revenue being ransomed. Anyone can click on a malicious link that comes through. If you think about business email compromise, social engineering, that's pretty ripe. And a lot of times in smaller organizations, the attention to those details isn't there as much in bigger companies.
And so they obviously have it, they don't see it, and they don't really understand that they have the actual exposure to the risk.

Martin Hinton (04:34) When you look at those sorts of risks, what types of things mitigate them? When a company comes to you, let's create a kind of silly scenario where someone comes to you and goes, I don't have any of this, I don't have any MDR, we don't do MFA. What are the things that you start to introduce? You mentioned that it's not just insurance, but it's the security part as well, which are sort of hand in hand. I wonder when you look at the landscape, what are the things, if there were three, for example, that you would... demand an SME have, that you would recommend that they look into.

Trent Cooksley (05:07) Yeah, so that's kind of on the control side. I think I would actually back up and kind of first see what they have on for the exposures that they do. Most SMEs do have a little bit of cyber cover included in a package policy. So maybe a BOP that has an endorsement for cyber. And the problem is that those policies aren't really built around modern attacks, and they're built around old school data breach models. And what we do at Cowbell is like to solve is the operational side of the cyber risk: stopping business email compromise, restoring, getting their systems back online, negotiating extortion, if it happens, providing immediate incident response. And for micro business, in a lot of cases today, we also provide free cybersecurity training. So that's an important one to kind of stop some of those human errors that occur. So that doesn't come with the policy that they do have. So, I don't feel like I have the exposure, but if I do, I think I have some data breach cover within my package policy. And they probably do, but it's pretty limited in terms of the... the exposure that is available and it's pretty limited into the limit that they have.
So we have kind of a suite of services around our policies that's a lot more vast. It can be worth thousands of dollars on its own. But when you talk about MFA, I would say the first thing I would talk about with a really small organization is just employee training. Like making sure that you're leveraging the capabilities that you do have, maybe what your MSP brings to the table, and that you're trained in following up, clarifying when you're sending money to somebody, even if you think you know where you're sending that money, having some controls in place that you follow and that you adhere to.

Martin Hinton (07:12) Yeah, so you touched on a couple of things, business email compromise. There, to the degree you can, what are the top three concerns? What types of attacks do you need to look at? I mean, social engineering, business email compromise, you know, those sorts of things. Are those the ones that we're seeing most these days?

Trent Cooksley (07:29) Yeah, so at the top of the list is typically business email compromise, what we've seen for the last 12 months. It's still kind of the workhorse for SME losses. It just shows up constantly. Ransomware is number two and it's ransomware. So it's pervasive, prevalent, nasty, nasty business. And that can have follow on effects of data breaches, privacy violation incidents. And that's another thing that sometimes small businesses don't believe they have exposure to is privacy violations, litigation that can come from that. I mean, we've seen the class action, the classes start to get smaller. And so those are going after smaller businesses. It's not just really large class actions now. It's sometimes can be small class actions. I've heard anecdotes of some billboards advertising, have you lost your data? We're building a class action. And so I haven't seen that myself as an anecdote, but I've heard that that exists. And then a little bit on the third party or the vendor compromises.
So understanding what your supply chain looks like. SMEs are increasingly getting hit because a supplier or a software vendor was compromised and they can't work. So there's a contingent piece as well that some people might not understand that they're exposed

Martin Hinton (08:56) I mean, one of the things I try to do is I try to put these in terms that my simple brain can understand. And when you think about email or you think about the supply chain connection to a software provider, these are transitory areas, right? One of the things we know about email is it's an amazing tool for efficiency. I'm old enough to remember having the FedEx letters and fax things. And that all took time. And there was a process there that added friction to any kind of business event. And obviously, not unlike the stagecoach going from one town to the next, it's vulnerable between towns. The email creates that vulnerability because you're in this space. Is there a way you talk to SMEs about these risks to make it clear to them that they've got to do more or they need better protection? How do you sort of illustrate that? Do you use examples of events that have passed in the past that happened to similar companies? I mean, is there a marketing element to that when you're sitting down with a potential client?

Trent Cooksley (09:50) Yeah, there absolutely is. And we do a lot more of that communication with our agents and brokers who are having more conversations with the actual SME. And then we're trying to give them all of the ammunition for that. So we'll share claims examples with them on, OK, here's a two million dollar account, two million revenue accountant and an example of a ransom that occurred or an example of, you know, somebody in a department that exposed data and kind of what the follow-on effects are that. And then what the kind of suite of services that we would come in and help them with.
Also, if it happens without, you don't have insurance, you know, like a lot of folks don't know where to turn. And so, you know, that's another big piece of the policy is that, you know, we want you to call us. We want you to call us right away. We want you to call us if you just think something might have happened. And we can help see if there really was an event and walk you through the steps to address it.

Martin Hinton (10:55) So you touch on something we're going to get to in a second, the incident response idea and the idea that if your warehouse catches on fire, you know what to do. You call 911, right? That's not complicated. When you sit down with a new customer or you come to the renewal point, what are the sort of data points when you look at them, you've touched on a few of these that impact the underwriting process and the nature of the policy? And one of the things about this you being at this a couple of years now is unlike a lot of other insurance and even a lot of other business agreements, there's a real, like you just said, call us if you think, call us if you're not unsure that there's a much more sort of ongoing relationship than I think people assume would be normal within a conventional, other type of insurance environment. You think that's a fair way to expect people to look at it and ideally would to maintain the protection you want?

Trent Cooksley (11:49) Yeah, absolutely. So if we kind of go back to some of your email examples, it still leads for access because it's cheap and it's scalable. And so that's scalable for bad actors to kind of do that across the board. And now they're starting to get stealthier. We've seen, and this is not capital specific, it's market wide, but vishing has increased 422%, I think was the number that I heard. So that's basically... a social engineering scam where fraudsters use phone calls or voice messages to deceive individuals into revealing sensitive information.
And you only need about eight seconds of somebody's voice to be able to create an entire, for AI to use that to be able to create an entire attack vector for vishing or deep fakes, et cetera, what they may be. The controls that we would look for that are most reliably cut severity down and frequency. Number one, booth needle is MFA. So, and I say MFA everywhere, but especially for email, key financial applications as well. But MFA now becomes this really broad term and it's not properly enforced, not just enabled or deployed. It really has to be properly enforced. And that's going to be the biggest vector. If you dial it even more detailed, it's specifically around VPN and RDP. Again, when we're talking about SMEs, where their exposures lie, many use Microsoft. In fact, it's the lead tool for small businesses. And Microsoft has a large amount of exploits because it's so broad based and there's so many users that it's just a big target. And so it's a frequent target for cyber attacks and stolen or weak passwords are involved in most of those breaches and VPN and RDP often expose services to the internet. So it makes them really, really vulnerable. So that's number one. And then when you do have a little bit more technology stack, you want to like really think about your endpoint detection. So that's where you get into your EDR, your MDR. Small businesses rarely notice the intrusion without a human-led service. Or they're just getting it someday when they kind of come into the office and you know that they have a blue screen of death. And so endpoint detection and response if you can, if you afford it, because it is an expensive many don't think they can afford and, you know, can get back to our small business example. And that's another thing that you have to talk about is where you're allocating resources to. And then backups. What are you doing with your backups? How are you managing your backups?
If you have those three things in place, you're in a much better position than the average Joe.

Martin Hinton (14:58) Yeah, so you touched on the blue screen of death. You come in on Monday morning and you can't access anything. Payroll's frozen. You touched on the incident response idea and that you want your clients to call right away. What is that process like? I mean, we know that there are the immediate costs and the immediate things. And then there is the idea you just touched on it now. How long have they been in our system and that sort of thing? All of that, the sooner it's like any problem, right? There's that old saying that most of the... conversations we regret, we only regret having delayed having them, right? The stress of it, call right away. Why does that matter so much? I mean, it might seem obvious and I'm sure it will be, but why is that so important that as soon as you see smoke you think could be fire, let's make sure it isn't?

Trent Cooksley (15:43) Well, the longer a threat actor is in the environment, the worse the outcome is going to be. And the more quickly you can get to what has happened and address it, the outcome is much better. It's just speed is of critical importance. And so this is kind of when we talk about what's the timeframe between when you first figure out what's going on. And a lot of cases in the example where maybe we got kicked off on is something may have been going on for a while, especially in a larger organization. Because when you get to that point, depending on who the bad actor is, it's certain groups, they want to be in there for as long as possible, do as much damage before they get known. But in most cases, it's about, you know, smash and grab type of scenario, especially for small businesses. So isolate the issue, get an incident response team to disable or compromise, disable the compromised account or endpoint, whatever it is.
Maybe end the ransomware process that's occurring, save data before it gets encrypted, et cetera. If it's over four hours, you're basically looking at full domain encryption, and then it's all on the table, right? You may be losing everything that you have. Now you're talking about data exfiltration. Now you're talking about privacy issues, and then you're also talking about ransom. And even when you do have a ransom, it doesn't mean that that's necessarily gonna stop all the rest of those bad things from happening. So that's kind of just the importance of speed.

Martin Hinton (17:36) Well, you just touched on it now, the idea that from entry to things being absolutely taken, if you will, is four hours. That's not a lot of time, right? I mean, if someone's on vacation or the CEO's on a plane, these sorts of things, and we see this with the attacks, right? They occur in the buildup to holiday when people maybe aren't paying as much attention or that sort of thing. So you illustrate the point there that... they're using speed to their advantage. The bad guys are using speed. So you need to react quickly too, right? You know, the fire trucks tend to slow down at red lights. Maybe they don't stop, right? And there's an urgency there because every second matters. It is literally like that. One of the things that we had discussed in the notes that we shared before this is the cost, right? For an SME, you touched on the cost of the policy and the insurance and it's a new layer and a new insurance cost, and it gets put into a, it's not a profit center, it's a cost center, and that mindset can build some reluctance. When you see these breaches happen that don't involve you, or you look at the sort of landscape broadly in the economy, what types of costs are we talking about? Like how much money? Put it in terms that, you know, someone who's not even in this space or doesn't even have an SME could go, man, that's a lot of money. If that happens a lot, that's bad for the economy.
Theft and crime are bad. Because this crime is sort of vapor, right? It's not like a bank robbery or an armored car heist or a violent crime. It doesn't happen with any real evidence. And in the world of news, which I come from, if it bleeds, it leads, means that it gets attention, right? We in the news business, we don't report planes landing safely. We report planes crashing. So to the degree you can sort of visualize this by imagining dollars and amounts and time and the stress psychologically, what kind of like firm numbers can you put on this sort of thing?

Trent Cooksley (19:32) Yeah. Well, talking about the stress, like psychologically, it's interesting also the human reaction to the event, because you feel violated, but you can't see the violator, and you can't see exactly what happened. So people are actually typically not willing to talk about it. You know, if your business gets broken into, you're going to see the broken glass land all over the floor and you're going to see the perpetrator on your camera. That's not what happens here. So there's also this kind of different type of reaction to these events. And so there's a lot of people who they don't want people to know. They're scared about that. And I get it as well, because then you're looking at your customers are going to go, are you safe with my data? Can I trust you? All those kind of things. But the delays in recognizing the incident, where maybe an SME thinks, well, it's just an IT glitch, right, or something like that. So then there's a delay there. Email downtime. So when payroll invoices, customer orders stop moving, business halts, you've got potentially third party negotiations. And I'm leading up a little bit to your exact question, but you've got third party negotiations. You know, if a vendor is compromised, you're on their timeline now, right? You're not on your timeline. And data validation. What was accessed? You know, what was taken?
You know, again, if you compare it to going in your house, you go and inspect your valuables and you can kind of tell pretty quickly what's gone. That's not how it works here. So if I would put it into some numbers, I mean, I think the last time I checked the worldwide threat issues here are like $10.5 trillion, right? So that's the big funnel at the top. And if you look down to an individual type event, ransomware and downtime, you know, 400 to $4 million. If you're down 18 to 50 days, which is, I believe, the average downtime in 2025, even if your backups are good, but you can't restore them in time, they're incomplete, they're reinfected. So you're talking millions of dollars right there. And it doesn't matter what size you are in that case. I mean, if you're really, really small, you may be out of business. And so what's the cost there? Infinite if you're out of business. Paying, now if you didn't have someone to help you, paying an MDR or MSP that you've never actually used properly to come in, so you're gonna pay them 50, 60, $70,000 for that work. You're probably at another 50, $60,000 for false positive chasing, things that you're looking at there.

Martin Hinton (21:58) Yeah.

Trent Cooksley (22:21) Manual patching and vulnerability, do you need to bring consultants on? A couple hundred thousand dollars, a couple hundred thousand dollars there. If it's a business email compromise or an employee phishing incident, you know, that could be, you know, a million dollar wire transfer. I mean, how much money are you sending to vendors? So the expenses can creep pretty, pretty significantly. The average severity for

Martin Hinton (22:47) We.

Trent Cooksley (22:49) you know, a lot of incidents for small businesses in the three to four, $500,000 range. And so that's kind of on average what's happening.

Martin Hinton (23:00) So we're talking about a lot of money and you just use the Moby Dick number, the $10.5 trillion, I think it's last year globally, lost to cyber crime broadly. And to put that in context, and I'm sure I don't have to do that for you, that would put it third in GDP after America and then China. When you think about this, because the issue I think that happens a lot as well in the reporting, and I wonder about this from the... the public perception point of view, both from SMEs thinking they need protection and the public generally having understanding how broad and widespread this problem is, that this sort of thing happens everywhere. There's no geographic barrier. There's no time zone barrier. And you can be operating out of Macau or Central Africa or, you know, probably not, I maybe the US, but you wouldn't ideally. But these ideas that AI has created this opportunity to force multiply a few people via email. The scale of it is astronomical. And then you would let down to the individual pain and it literally four or $500,000 can put a lot of companies out of business. Never mind the fact that there might be 60 or 90 days where you can't do business. I try not to be hyperbolic about this stuff, in a couple of years of doing this, I'm stunned by the scale. And I wonder whether you generally when you travel your life, whether you think people get that when... you maybe talk about this. Do you think people understand how big a problem this is in the general population?

Trent Cooksley (24:34) I don't think so. I think people know it's an issue and they hear about it or they read something, you know, when there's a big event. But I think it gets back to your point is maybe they don't know anybody that it's happened to, but even people that it's happened to sometimes, you know, aren't thinking about it for the next time. So it's pretty significant.
And you mentioned AI and we haven't talked about how that can scale what we're talking about even to a greater degree. I mean, there was just an incident in September where a Chinese state-sponsored actor built a custom orchestration layer on top of Claude. And they automated 80 to 90% of multi-stage espionage campaign. They targeted 30, I believe it was 30 big firms. So they weren't targeting SME, but they were targeting 30 big firms and that would be consistent with what we would see out of China because it also you mentioned where maybe the bad actors were depending on their location. There is a little bit of a different reasoning for why they're doing what they're doing. And so if the folks operating out of Russia, the folks operating out of Iran and the folks operating out of China are kind of all have different goals. But at the end, it's kind of the same for the victim in a lot of cases, except China isn't really looking for ransom. They'll just throw it in at the end after they've gotten what they... They want to just to do it. They don't really care about that. If you go back to this Claude incident, I would encourage people to look up the details because it's really fascinating. And I actually think that it

Martin Hinton (26:11) Yeah, yeah.

Trent Cooksley (26:26) might be a good thing that it happened because it didn't cause a ton of damage. Anthropic really addressed it really, really quickly, which is a good case study for kind of maybe what's going to happen next. And it shows an example of a real world proof of an agentic AI, like lowering the bar. And this is like nation state stuff, but what about just a criminal, right? Like when you can deploy AI across, you know, thousands more endpoints than you were able to get to on your own. That's real. And that's a real threat that is happening today. We actually, you know, we've seen some examples where we believe it's probably AI created.

Martin Hinton (27:14) You touch on, they did come out very early and if you will lay their cards on the table to make it clear. It's interesting you say it that way because, and I thought about this in the last year or so we've got a piece on a report about CISOs and how they value being able to openly talk to each other about what they're seeing and the threats they're seeing. It's sort of counterintuitive to the nature normally of particularly competitive corporations where you wouldn't be sharing insights from the inside of your building. But because these threats come in the dead of night from everywhere, the idea that there's a more collective need for defense and understanding or intelligence or information gathering. And it sort of reminded me that we are in a new age with this sort of thing, despite the fact that it feels like we've had cell phones forever and that sort of thing. I'm old enough to remember mailing checks with a stamp to pay my rent. It's mindful that when new things are starting, information sharing can often help protect everybody. Kind of provides that rising tide lifts all boats kind of scenario, at least in my mind. So it's just interesting to hear you characterize it. Because I felt the same thing when I saw it. I was like, they really didn't hide this. A lot of companies would have been like, no, we're fine. Everything's good over here. And that didn't happen.

Trent Cooksley (28:28) Yeah, I think I was, I was impressed by how they detected it quickly. They killed the sessions and they disclosed like immediately. And so that's really the first publicly documented large scale, agentic AI orchestrated attack. And I also thought about it from an underwriter perspective. So now there's a concrete benchmark that has justification for, one,
what we're looking at as underwriters when we're trying to price a risk or think about a risk, but in the AI space as well, but also what if someone wanted more expanded higher limits or broader AI specific sub limits or they wanted more favorable terms and they can show that they've invested in defense stacks, AI defense stacks, right? Because I mean, the good guys have AI too, right? Like, so it's not like the bad guys are the only ones who have it. The good guys have it and the good guys might have better AI than the bad guys do. So there's kind of a case for both sides to kind of, and how we're looking at it. And obviously anybody who is following what's going on in the AI space, the amount of speed is incredible. This is an area where I actually don't think that the general public really understands the amount of speed and what's on the horizon in terms of what AI is going to disrupt or creatively destroy in positive ways. Maybe it'll be a little bit longer term for us to get there, but we have to be in our space. Organizations really have to think really deeply, one, about how they're deploying it, and it should be, but think about how they're deploying it, the new exposures that they're... they're going to be creating for themselves and for their partners, but then also how to use it to prevent bad actors from exploiting them.

Martin Hinton (30:32) Yeah, I mean, I'm not optimistic or pessimistic. I view it almost like this brilliant tool that, you know, the joke I've made is it's like a hammer, right? If you use it poorly, you smash your thumb. And if you use it well, you drive the nail home. Or the steam engine, you know, at the beginning of the industrial age was very simple and it had all these remarkable improvements created for it to be used in a specific ways and specific industries.
And AI is very much that sort of, I mean, in some respects, it's almost like it's still a raw material because we haven't really utilized it and understood exactly the good and the bad that comes with it. But it does get me to our next question. You touched on this and one of the things about this is that, when it comes to renewal and coverage design, you gotta ask questions, right? What types of questions and, I've had this conversation recently with a lawyer who does, works at a big firm and he's been doing insurance for a long time. 20 years ago, cyber was like one question on the questionnaire and now it's like 10 pages of the questionnaire. There is this fast evolving reality and the threats are coming in various ways. What types of things do you look at when it comes to sort of the renewal phase and the coverage design currently? What type of things should people bring up and what kind of questions should underwriters be asking?

Trent Cooksley (31:52) Yeah, that's really important. And also it's in an area where it's not just about questions because you don't know what if you're going to be getting an answer that is accurate to the question you actually asked. And so great example there is MFA. I mean, that's a question that is asked across the board. But if you're not asking the question appropriately and comparing it to the scans that like Cowbell utilizes a lot of our own scanning that can give us insight into what we're seeing from an underwriting perspective. But MFA, how you ask the question, where it's deployed, backups, like, I mean, those are kind of some, they're basic, but you know, it's the basic things that actually matter. And so we don't need, at Cowbell, we don't need a whole NIST application or to ask 50 questions.
But kind of comparing those questions to kind of what you believe to be true about the potential risk that you're looking at is sometimes even more important than the actual question that you're

Martin Hinton (33:11) You touch on it and one of the things that sometimes forget to do, someone might watch this and they're not in insurance and they're not tech. The range of the way MFA can be employed is a bit like cars, right? You could have a Honda Accord or you could have a Porsche 911, right? Like there is that scale of it. Is that a simple layman's way to think about it? That all MFA is not equal?

Trent Cooksley (33:35) That is a layman's way. Actually, I have a, a basketball analogy for, for kind of questions on, and, and, and, how they're, and how they're asked, excuse me, how they're asked. So if you think about someone saying, you know, we, we, have anything, you know, that's kind of like the, the point guard going, you know, hey, I got number one. I got, I got number one, right. And then you've got the coach saying, you know, we, we, we switch and we protect the rim. Okay. Then, then you've got a playbook that's drawn up really nicely and you've got, and you've got all those plays, but you know, when the point guard actually doesn't fight through the screen and somebody slips out and they've got a wide open three. And then, if you were not picking and rolling appropriately and someone's getting by the defense actually kind of like... kind of falls apart. So that's actually with MFA. So it's nice to have, you know, hey, I've got it. But really, it's in terms of the execution of it. So how is it deployed? Is it enforced? Like a lot of times, well, you know, so and so down in the warehouse doesn't like to use it. So you know, well, we don't make him use it. So okay, well, then you don't really have it because you've got an exposure.
Martin Hinton (34:57) Well, you touch on sort of one of the things that we wanted to move on to is the idea, and you mentioned this earlier, the conversations you have with brokers and education and the way you talk to them about the product and what to ask. What are the top two, three reasons that submission stalls or gets declined or what are the best brokers? What questions are they asking? Talk to me about that relationship there.

Trent Cooksley (35:21) Yeah. The good brokers front load the work. So really give us complete, accurate submissions on day one. Understanding what our sweet spot is as well. There may be revenues, industries, control maturities that I'm comfortable with, that a competitor is not comfortable with. And so... That's our job to educate brokers on that what we're looking for. They can't just guess. So, you know, it's definitely a symbiotic relationship. But even more valuable than that is they kind of act as coaches for their policyholders because they're on the front lines of having those conversations about why it matters. Why are they asking me this question or how do I answer this question? Like that's turning no into a yes by guiding clients through quick, high impact fixes that can move the needle for everyone. And we provide a lot of that as well. So, okay, you have EDR, but maybe an MDR solution is better. Cowbell actually can offer that for you. Cowbell actually can look at how the policy is constructed if you're working with them on your MDR. So you may get a more favorable terms because of that. Being open about what the questions are. You know, another one that just like gets really hairy is how the organization is constructed. So like, do you have, you know, a lot of subsidiaries and are you including these subsidiaries and what kind of systems do they use? That's a one that's really tricky and it comes back to bite everybody in the end and on the claims scenario.
So that's an important one that great brokers would be able to describe just by looking or understanding from knowing the policy holder going, hey, they've got kind of an interesting structure. And you see this a lot with older organizations, family businesses. That happens quite often. And then you get into a claim scenario that something happens with an uncovered subsidiary that they assumed was covered and then they're not. So that's something that only a broker typically is going to be able to.

Martin Hinton (37:47) You make a good point and you touched on this with regard to vendor risk and the sort of interconnected nature of so much of what we do now and the brilliant friction that has been removed by digital commerce or the digital economy or whatever it is, but that also creates vulnerability because all of that stuff is traveling to paraphrase that Senator from Alaska, down the pipes of the internet and those pipes are vulnerable to bad actors. It is, you, you make a great point like brokers who understand the complexity of this mosaic of the way a company might be organized through subsidiaries or vendors or whatever might be is one of those things. It's almost like having a personal trainer who's on their phone while you're working out or one who's making sure that your form is 100% right on every rep. There's a real range in the quality that they provide. And that sort of brings me to my point, and I've raised this with other people, so I'm curious what you think. From an outsider, from a journalist's point of view, one of the things I see now is that cyber insurance, you know, until this year really, there'd been this amazing sort of pace of growth within the industry. The CAGR was depending, you know, 21%, 26%, 18, 19%, but double digit growth every year. And there's obviously the need to protect companies and create the resilience that insurance helps with and then the security that comes along with it.
And then companies aren't just providing insurance. You're providing advice. You're providing guidance to brokers and you know, is it MDR or EDR? What do you need? That for SMEs that are maybe aren't sure about their sort of situation with regard to cyber resilience, there's a real ability to sort of shop around and seek out a best case scenario that there's a lot of companies growing in this space and looking for growth in this space. Do you think that's a good way to think about it? There's a lot of new kids on the block to put it in simple terms and that it's a good time to go shopping, unless they're clients of Cowbell, of course, that you can look around for services that really make you comfortable with what you're paying for and hoping you never need.

Trent Cooksley (39:49) Yeah, so the threat landscape really exploded. 2019, 2020, COVID exasperated it. 2021 and the insurers who were playing pretty heavily started to get hurt on the claims side and reacted to that. One was not having modern ability to underwrite risks at speed and scale, and also be equipped for the changing landscape and how quickly that happens and the new types of threats that occur. There's not gonna be, I'm guessing, but I'm guessing a hurricane isn't gonna come through South Dakota anytime soon. So you don't really have to underwrite for that when you're talking about property, right? From an insurance perspective. But there is gonna be some new type of hurricane come across the digital landscape that no one is prepared for. I guarantee it. I don't know what it'll be, but something's going to happen and people are going to be surprised. It could be attacking a new type of software. It could be an AI related type of exposure that we haven't been able to Hollywood scenario ourselves yet. And so it's really important to be really active. And that's one of the reasons why Cowbell was founded was because there was a market opportunity.
And we put together insurance, cybersecurity and technology chops together to be able to do that, to be able to react quickly. And there were some other competitors that came into the market and did the same thing as well. And we had a lot of success because it was fit for purpose. And then there were some copycats that came in. So more supply came into the market. And quite frankly, the companies that were buying also got better themselves. And so I have the credit to them, but also credit to the new players who came in and kind of showed what could be, what the possibly was, how to protect yourself. Put all those things together and there are more competitors in the space to go out and see what's available. What we do at Cowbell to entice potential policyholders. It's not just about the policy that we provide, which is very, very competitive. The services, the claims experience that we're going to bring to the table, which is of utmost importance. When you do have a claim, you want that experience to be top notch. We think about that. We care about it every day. And it's important to me. So I watch what's kind of going on there. But also kind of the services that we provide around it, the free employee training. And these are the things that you could also be out there looking at from different parties to purchase for an organization that's going to make you a better risk. It's going to lower your costs overall. It's going to be preventative for types of events. So again, go with your MDR, penetration testing, supply chain, what's your supply chain risk? All those types of things are opportunities to improve the cybersecurity posture and hygiene and not have to use insurance, which is the goal at the end of the day. No one actually really wants to use their insurance policy.

Martin Hinton (43:14) Yeah, I know, there is the I remember having a chat with someone about property and casualty back in the day.
And the joke I came up with is that right now we're in this era where the insurance broker goes to the warehouse and says, listen, we can't insure your match factory. But let me introduce you to my buddy over here, Sprinkler System. And we'll give you a discount on that sprinkler system. And once you get that installed, we're going to insure you at a price we like, a price you like, and you're less likely to burn down. And we're in this of very growth era of this, which is evidence, despite some of the softness of the market now, in how it's grown and the upside, that so much of the business, and you see this now, that small and medium-sized companies are sort of a growth area for companies like yours. Do you see it that way? Is there a lot more clients out there to be had?

Trent Cooksley (44:07) Absolutely. And I think that's a pretty good, that's great analogy, right? Like we, I can't insure you, and this is another evolution that's happened is, you know, we would see quite a few organizations not want to share information with us because, you know, they were concerned about exposing privacy or they were concerned that they were going to expose themselves because it what they were gonna show us wasn't very good. But no one would expect an insurance company to insure a large building without looking at it or without understanding it. And no one would say, no, you can't look at my building before you insure it. That's not the case as much anymore. And a little bit because of kind of what you just said, well, if I can't see anything, then I'm gonna, this is what I can offer you, which might not be very good coverage and it might not be a very good policy because I don't really know what I'm insuring. And that's not a very good business for me to be in is to put risk capital at risk when I don't understand what that capital, what the risk I'm actually taking on.
And so now we see a lot more willingness to share much more information, give us information that's behind the firewall. One thing that Cowbell has is but we have our connector platform. So one, we've got our services platform and we offer some of those services ourselves. And then we also partner with third parties that we have vetted who we believe are best in class and we will make recommendations and there might be discounts involved there, but at minimum we'll have said, we've vetted these organizations and they've met our standard, they've met our litmus test and we'll share that with our policyholders. But then we also have our connector platform. What Connector platform does is it allows for our policyholders to log in to our platform with their third party credentials and expose a little bit more for us to really underwrite that. One, that makes underwriting really, really smooth, but it also lets us help them and say, here's some things that we've noticed. Now we, of course, do this without the Connectors. So we identify CVEs on a daily basis from our Threat Intel team and we're going out to our policyholders and informing them if they have this vulnerability, here's how you patch it, here's what's going on. Maybe it's a stoplight system. So hey, red light here, this should be done within the next 24 hours. This is yellow, it's pretty important, but it's not an immediate threat. And then green, hey, this is an ongoing issue that you're gonna wanna monitor. So we're always giving those alerts to our policyholders. If they're utilizing the connector, it's just more rich in data and will actually be able to identify things even a little bit sooner. But our Threat Intel team has proven themselves to be very early on in identifying new CVEs, typically before the government has even sent out their standard notification. And so our policyholders are out of the game in those cases.
Martin Hinton (47:17) As you were talking, I was imagining Smokey the Bear on the side of the road with the, what's the forest fire indicator? You know, like today we're yellow, tomorrow we're green, today we're red. And that idea that because of the dynamic nature of these threats, one day is not the same as the last and that's not the same as tomorrow. And you need this sort of, you know, for better or worse. And I think it's for better because the benefits of the digital economy are, you know, more than I can name, that's for sure. But again, it's one of those things that, you know, where there's money and we put all these valuable things in a digital space, there are always going to be people who try to break into that quote unquote safe and steal what we value for their own benefit. And it's interesting to hear you talk about it. You touched on this a little bit ago and as we move to wrapping up, I just want to address the issue of systemic risk and the idea of some sort of, you know, I don't know if the impact maybe is the sort of Cloudflare brief outage or CrowdStrike, but that sort of idea that there is systemic risk, a few people I've spoken to recently say that that's the one thing that they're worried about, how companies would react to that and what that would mean to markets and all sorts of really big ideas about that. I wonder what you might have to say about that in any more detail than you have already.

Trent Cooksley (48:30) Yeah, it's probably the 800 pound gorilla in the room. And the real reason is because we haven't experienced anything that has had a really large impact, broadly speaking. So, and we have experienced some larger events and we've been able to manage them pretty well as an industry. That's both the insurance industry and the policyholders or the businesses who are impacted from that. I mean, just two weeks ago, AWS was down for like 12, 13 hours.
That particular event isn't really gonna have a big impact from an insurance standpoint. So the scenarios that people are kind of thinking about sometimes get into Hollywood scenario territory, is fine because that I guess will be the real big event. So it's on everybody's mind, but we think about it in terms of how we're pricing and with the policies in terms of how we're modeling it. So there's a bunch of companies that are really doing a lot of deep work on modeling it. It doesn't keep me up at night. Actually widespread unconnected frequency keeps me up a little bit more because that's kind of like really much more real in terms of like, is can happen quickly and you can kind of see those. And the other thing with a lot of zero day events is it's more like a rolling issue than it is a big explosion. So sometimes on the outer edge, you on the edges, you can get ahead of it. And so that makes me feel a little bit more comfortable when I look at some of the scenarios going, OK, well, something happens and it's going to impact certain organizations. But other organizations are going to be able to get ahead of it and prevent it. SMEs rarely have true redundancy. So, a compromised MSP or identity platform that can create thousands of simultaneous incidents overnight. So it is true, it is real, but I do think that the industry's really thoughtful, have been really thoughtful about thinking about it and are starting to get tested in certain, there have been four or five events over the last two years where the industry has been tested. And I think they've held up.

Martin Hinton (51:01) Yeah, I mean, the ones that are tech related, not malicious, are a little easier to, whether as a layman or a member of the general public psychologically. And I wasn't trying to buy a car when the CDK ransomware attack occurred, but that's one that always comes to where you suddenly couldn't buy a car the way you were buying a car. You have to use paper.
And that's where you think if that were scaled to every industry, it's one of those things where you would probably have a brief moment where people were like, we're in this together. We're all shut down. In some way, psychologically, I wonder whether that might mitigate the long-term effect of it, presuming it doesn't keep happening. But it's an interesting point. So I want to move to the end. And one of the things that I shared with you were some three questions. So I'm going to fire these at you and you answer as you like. What control SME is under invested?

Trent Cooksley (51:56) Phishing resistant MFA everywhere, privileged access management. It's the number one attack vector. Modern identity governance and training.

Martin Hinton (52:09) Yeah, so we touched on that and identity governance, are you who you say you are? And it is, I mean, we see it now, right? You can't believe your eyes. There's so much AI slop, I think is the phrase I've seen around that's not even real cat videos. There are enough real cat videos. I don't understand why we're making them.

Trent Cooksley (52:25) It is amazing how many people are still sending wires to fraudulent areas. And it's not always their fault, right? They get tricked. But sometimes it is just laziness. And so just have some controls in place.

Martin Hinton (52:48) So one coverage part most misunderstood.

Trent Cooksley (52:54) Social engineering, for sure. People think a full limit applies. It's typically not full. It's typically sub-limited. What does it really mean? What really has to happen? What are the prerequisites for it? It's a, probably, absolutely the most misunderstood.

Martin Hinton (53:12) Yeah. Broker habit that wins more, better quotes.

Trent Cooksley (53:17) Proof day one. So give all the appropriate information right away. If we have that, we can turn around quotes in seconds.
Martin Hinton (53:30) Is there any metric you watch weekly that others ignore or something that, you know, that I don't want to give away your secret sauce, but is there something you look at with a particular interest?

Trent Cooksley (53:40) I have been spending a lot of time really digging into the time between initial compromise to detection and containment. And that's something I wasn't watching as heavily a couple, a couple of years ago, but I do believe there's some indicators, some really good indicators, leading indicators for our, for our business on, we think will happen over the future. That's something that I've been keeping a good eye on.

Martin Hinton (54:13) Yeah, one is, yeah, there are a people that said that to me. The time is money, kind of. When you see that, it really is something that can impact the long tail and even short term impact of a breach. So we've been talking almost an hour, and as I promised, we didn't get to everything. So I wonder if there's anything we didn't get to that you want to touch on, or if there's something we touched on that you'd like to say a little bit more about.

Trent Cooksley (54:41) This was a pretty broad based conversation. Had a lot of areas, if I, the one area where I still think we need a lot of education is just to the small business segment and the whys. We actually kind of started with this, but I do think it's really, it's really important. One is there's still a lot of uncovered organizations across the globe and they have these exposures. And the more buyers that we can bring in to the market is, well, that creates a really healthy insurance market. It actually drives prices down for everyone involved and it creates just a lot more hygiene around the partners that your organizations are dealing with, right? And so that can be done a little bit through when you enforce it through contracts, which a lot of a lot of organizations do, right?
They prove to me that you have cyber insurance before we're gonna do business together. But there's still a huge opportunity for the market to mature in the take-up rate. Just education, conversations like this on kind of how diverse and detailed this segment is, is still really important. And I think it's.

Martin Hinton (56:05) I mean, you touched on a very, I mean, obviously your point about insurance is well taken and understood, but broadly the idea of collective defense, right? If all of us are strong and resilient, then all of us are collectively, again, back in my life, you know, rising tide lifts all boats. There is that idea that, and because of the way the interconnected nature of things, you know, I think of the Marks and Spencer hack where Archie Norman, the chairman, testified to parliament in the UK. 50,000 employees, I think he said, if just one clicks something, I think it was one person on an IT desk fell to a social engineering attack and boom, look at what happened. And I mean, there've been a few in the retail sector in the UK and then obviously Jaguar Land Rover is another one where you had single source suppliers suddenly out of business. I think the government's talking about stepping out. I can't remember what happened that moment, but yeah.

Trent Cooksley (56:58) Yeah, it's not just for the insurance industry. It's do it for your country.

Martin Hinton (57:02) Well, you know, you make a really, really good point, and I know it's sort of off topic, but there is this, I have a few nieces, but one of my nieces is 11 years old. She's in sixth grade, I think, in the New York City public school system. And she tells me the other day, pardon me. She tells me, have an 11 year old niece in the public school system in New York. She's part of her health class. She's taking cybersecurity. Why MFA matters, why you should have complex passwords. You're putting things that you really care about into digital spaces.
You need to protect them like you would if they were in the real world, quote unquote. Because they are in the real world. This stuff is in the real world, even though we can't see it as all ones and zeros and silly, you know, not that smart people like me have trouble getting it clear in our head.

Trent Cooksley (57:44) digital

Martin Hinton (57:45) Well, Trent Cooksley, Chief Operating Officer and co-founder at Cowbell. First of all, thank you so much for taking the time. I really do appreciate it and for entertaining my questions to try to bridge some of the sort of understanding between layman and simple journalists like myself and people like you who are real experts in this. Thank you very much for the time.

Trent Cooksley (58:05) Thank you.

Martin Hinton (58:06) And everyone else, thank you so much for watching. If you've got a comment or a question, please leave it there. I'll try and get an answer. And if I can, I'll come back to Trent. We've referenced a few things in the podcast. We'll have links to those in the show notes. Again, Cyber Insurance News and Information Podcast. I'm Martin Hinton, the executive editor. Thank you so much for the time. Enjoy the rest of your day.