Martin Hinton (00:05) Welcome to the Cyber Insurance News and Information Podcast. I'm the executive editor of Cyber Insurance News and your host, Martin Hinton. And today, before we get to our guest, I'd like to ask you to subscribe and like, because that always helps us grow. Now, more importantly, on to our guest. Joining us today we have Max Perkins. He's with Spektrum Labs and he's their Head of Insurance Solutions. So what does all that mean? What does Spektrum Labs do? I guess I could tell you what I read, or we can go straight to Max. Max, first of all, thank you so much for taking the time today. I really do appreciate it. Can you start by giving us a little background about Spektrum Labs and what you do? Just a tease there, and we'll dive into some more detail as we progress.

Max Perkins (00:47) Yeah, sure. Happy to. So at a high level, Spektrum Labs, we believe in cyber resilience and in making that into something that is real. And so when you look at the big, broad strokes of what we're doing at Spektrum, we're building the cyber resilience ecosystem that organizations of any size or any nature can work in and work around to improve their cybersecurity posture. If you go to our website today, you're going to see our flagship product, which is Resilience. Funny enough, and that's within our platform. And what does it do? It gives CISOs, Chief Information Security Officers, or business owners confidence that their cybersecurity tools are being validated and that the configurations of each of those tools are working. And it gives it to them in one platform. And the reason that that is important and doesn't exist today is because we have a world full of cybersecurity tools that help organizations on their own, but together they don't usually talk to each other. They don't integrate, and they certainly don't have a consistent, standardized way of reporting back to their customers. So that's what we're doing. And so far, so good. It's been really exciting.
Martin Hinton (02:09) So you touch on things, and we'll get to this, but the idea that all of that becomes important when you want to do things like get an insurance policy for cyber, all that sort of thing about verifying controls and compliance and all that sort of stuff. And you touch on a really, really big problem, right? It's disparate now. There are all these places that these things exist, and being able to see them in one lens, if you will, is one of the big challenges we see across the industry. So we'll dive into that in a bit, but a little bit about you. How did you get here? I mean, I think that it's always important to know about people, what interests them about this industry, what motivates them. I mean, people say you're supposed to go into things that you're passionate about, but also good at. Tell us a little about how you got to this spot.

Max Perkins (02:55) Yeah, I'll tell you my story. I'll try to keep it, you know, as concise as it can be over the time. So, hey, look, I went to school, I was a political science major. And that obviously has nothing to do with the space that I'm in now, but it helped me to think critically in going through that process, and then I fell backwards into the insurance world, the risk and insurance world. A friend of my family was the risk manager at SAP, a large global technology company based out of Germany, but I was living in Philadelphia at the time. Their risk manager was based in Newtown Square, Pennsylvania. And he set me up with a couple of exploratory interviews, and I fell backwards into AIG in 2006, in the division that was underwriting errors and omissions, out of which kind of gave birth to cyber within that organization. And to give you just sort of, it'll make sense as you hear about what I've done over time, I was at AIG at a really interesting time. We went through the financial crisis and I chose not to leave. I chose to lean in, really, and try to learn as much as I could.
AIG did a great job of teaching us in the commercial insurance organization everything about it that made it safe, sort of ring-fenced from the other problems that were going on there. And I say that that's where I sort of got my MBA of insurance, if you will, and then went on from there to ACE, which is now part of Chubb. Sort of always, if you look at my career, maybe going broader and broader and broader. So I was working on middle market accounts at AIG, large accounts at ACE across the country, and then joined Beazley, a Lloyd's of London syndicate. And Beazley was interesting to me. And I think that really what took hold for me is that within the broader lens of insurance around the world, I started to get a feel for the Lloyd's market culture and way of doing business, and really understanding how that operated versus sort of an American or a more domestic corporate insurance environment. And I'm so glad that I joined it, because I went to Beazley at a time where, it's now become an incredible cyber insurance operation, but there were 10 of us at that time. That was in 2010. And we were just launching this product called Beazley Breach Response. And that was an amazing time to be there as we saw cyber risk come into play. We saw regulations come into play. And then selfishly and personally for me, I was offered the ability to go to London and to be there on a secondment. And I was on a secondment creating a role and stuff like that. And I was in the middle of hiring for that role and knew who the person was. And he's still there today. And I realized, shoot, I would have loved to have done that role permanently, and I didn't want to leave London. So I left Beazley to join Lockton, and that was where I got to get closer to the risk owner, to the end user customers who were dealing with, you know, running their businesses and dealing with the cyber risks themselves.
And then thinking about what insurance means to them. I was with Lockton for several years; during that time, I moved back to the States. My wife and I knew we'd have a family. We now live in Durham, North Carolina. And I made one more move before coming over to Spektrum, and that was also really important. And again, thinking more broadly, at Lockton I was seeing lots of different things, trying to help my colleagues there, but what I didn't get a feel for, and we talk about the disparate nature of cyber risk and the data that's around it, it was just in 2020, I did not feel good about the market's ability to understand its catastrophic risk exposure, and where we had points of aggregation and how we were capitalizing for it. And so I left to join a team of actually really good friends at Axis. And my job coming in was strategy and innovation, thinking about all sorts of different things. But the core projects that I was going to work on were capital efficiency. And in order to do that, you had to get your arms around the data and the modeling and all this stuff. And at the end of the day, when we got to the end of the road of those projects and we launched a securitized cat bond in 2020, well, launched in 2023, and at the end of '23 there, you saw how this lack of a standardized, structured data set around cyber risk is holding back the models from maturing. And it truly means that in the world of risk, capital is inefficient. And my partners here at Spektrum, we had gotten together in early '22 and I was helping them think about it as they launched, and really in '23 then decided, you know what, I'm not just going to help them from the side, I need to jump in, because what Spektrum is doing, underneath providing the services to our customers that I explained earlier, we're actually creating that standardized, structured data set that then different organizations can share with each other,
whether they be partners or whether they be sort of subcontractors, or whether it be for the use case of using it for your insurance application and improving the confidence of the underwriters so maybe you can obtain better terms in insurance. That's one use case. I just saw another one recently too, where there was a company doing due diligence on another, on an acquisition, and they came to us and they said, hey, can you guys help us to validate the controls are there? And then we have an audited data set that can give us more confidence in this deal that we're doing. It's just amazing that this doesn't exist, and we feel lucky to have the opportunity to do it.

Martin Hinton (08:31) One of my questions for this section was about a problem you saw early in your career that perhaps still exists, and I dare say you just answered that question, and it's largely about how risk is examined and looked at. I wonder if you could just drill down on that issue a little more, and what you think the solutions for that are and how they would come about. Is that something that needs an industry-wide agreement? Or, because the other interesting thing is you come out of the UK...

Max Perkins (08:55) Yeah.

Martin Hinton (09:01) or your experience in the UK, where they are, for a variety of reasons, in my assessment quite forward, I believe the government is quite forward-thinking, or attempting to be, with regard to resilience and creating some sort of countrywide sort of defense for all of the threats that they see and they face. So tell me a little more about that element of the way risk is examined and the way it's, I don't know, the word quantified comes into my mind. I'm not sure that's the right way to put it, but tell me a little more about that problem as it exists now.

Max Perkins (09:32) Yeah, so I'll tell you about it now.
I'll give you a quick, sort of paint the picture of the past a little bit, because we have to keep in mind the context here, where we're still early. Like, relative to insurance, 300 plus years, 330 years or whatever of insurance in the world, we're only 20 years in at best. And some will probably say, ah, it goes back to the late '90s when we were dealing with Y2K and those issues around technology. I'd say in earnest, really, the cyber insurance market started to take root in 2010. And again, that was around regulation, and it was around these insurance products making sense. It was also the organizations, because of kind of everything combined, organizations had to get their head around it a little bit more. Back then, we were trying to make a market. So we were trying to reduce the barriers to entry. So how were we analyzing the risk? We were analyzing the risk in broad strokes and making assumptions on: were you in healthcare, were you in higher ed, were you in education? What do we know, generally speaking, about those areas? And then as underwriters, what do we need to think about that are the low-hanging fruit? So back in 2010, did you have encryption on your laptops or your backup tapes? We weren't really digging into the resilience questions that are now so much in focus because of what the world experienced in the late teens here. 2017, you know, we started to see ransomware events really taking root and shutting organizations down. So you've got to keep that in mind, because we really tried to, we were building a market. We had to, and unfortunately that meant that for the first, call it seven to 10 years, we weren't building a strong data set. There was no consistency other than those low-hanging fruit questions. And so when you don't have that, you can't... You really can't model the risk in the big sense. You can't price it as effectively. You can't quantify it. You know, the insurance CEO is asked how much risk they have to cyber.
Well, they're going to tell you they know two things. They know how much total, you know, notional capacity they've put at risk. And then they also know what their best models are telling them. But there's a world to improve. So now, in today's day, Martin, it's similar. So it's similar in that we still think about, what industry are you in? What's the risk profile that we're going to get for you? What is the size of your organization? Is your organization large, global, multifaceted around the world? Is it a small mom and pop shop with a brick and mortar store on the corner of the street? Or are you an online retailer? And that's going to tell us a lot of different types of things about you as an organization immediately. But instead of asking, I don't know, maybe three, four questions further, you're now, if you're the small mom and pop shop, you're probably being asked at minimum seven technical cyber risk related or security related questions that you may or may not understand. That's like a great thing to think about sometimes. And then if you're large, and say you're large and you have some manufacturing facilities, and you're suddenly going from what's information technology, IT, to operational technology, which is OT, and those things are very, very different. Most folks in the world, I didn't know that before jumping into this space. You could be looking at a hundred plus questions that are very technical in nature that someone in your organization is going to have to answer. And based on those, sort of, the way that I like to put it, there are inputs that can help improve pricing. I would suggest that right now we're still more art than science there. We do need to get more towards the science, where there's sort of a direct correlation. And I'm hoping that we're doing that as a market, as an ecosystem really, and Spektrum is part of that.
But now it's about giving that underwriter confidence to say, okay, here's where I know my range could be for the price of your insurance. Here's where I know my range could be for your retention. And the more confidence you give me, maybe the lower the cost, the lower the retention, the more limit I'm willing to give. That's still the way it's operating today. And it's okay. It's not wrong. It's doing the best with what we have right now. If I talk about my colleagues on the underwriting side, the brokers who are the intermediaries representing the clients who are trying to buy the insurance, they're doing their job as a broker and taking full advantage of that, and really putting pressure on the underwriters and trying to get the best deal for their clients. But I would suggest that right now we're at a place where we can all see the future, and there's some significant improvement to be made here.

Martin Hinton (14:31) So you sort of touched on the next question, the next topic, and it's in the sort of the workflow of either renewals or applying for cyber insurance. You know, from your seat, there are some things, broken seems like a hard word, but you said it there, you know, this is being built now, right? This is the ship at sea while we're working on it. So is it data quality, quote times, incentives? Is there like a mismatch between controls and outcomes? You know, when it comes, I mean, you touched on it, right? One of the big things that we talk about here, we talk about on the podcast, is that small and medium-sized businesses, which are the vast majority of the economy, and, you know, small and medium is a bit deceptive for people listening. You could have a billion dollars in revenue and be a small or medium-sized business in the American marketplace. But there are an enormous number of businesses, because of the way people sell online and all that sort of thing, that are genuinely small. Mom and pop brick-and-mortar stores.
Maybe they've got a website up and they're selling some things and shipping them. And the exposure that creates with, right, you see the value as a business person. You're like, I can ship to someone in California and, you know, whatever it might be, or you'd use it through all these ways you can fulfill orders for, say, a t-shirt design. That opens your door, right? You're on the internet. You're digitally connected to all these third parties and all these platforms, and what are their security protocols, and are the employees there doing what they're supposed to be doing? When it comes to the insurance application process, that workflow, what do you think needs to, what are some concrete things that you see that are working now, or other things that need to continue to improve?

Max Perkins (16:09) Yeah, so let's, I think we think about the personas that are involved there. And so you touched on the small business, and if I'm the small business, I want to pay. I want to buy insurance. I know that I need to buy insurance, and I want to buy insurance because it's going to protect my business in the long run, but I want it to be as cheap as possible. I want it to be a simple process. And, pretend I'm not Max Perkins coming out of the cyber insurance world, I want to understand what it is that I'm buying so that I can then use it. Because the last thing I want to do is spend money on something and then have something go wrong and I mess it up where it actually doesn't pay out. And then we start to go down a very bad road at that point. And so what's difficult now, I would suggest, is I think that I'm not sure that cyber insurance is easily understood by the small business owners as we might expect. I think I take it for granted. And if I look at a traditional cyber insurance policy, again, we were trying to make a market. We're trying to sell it. So we literally threw in the kitchen sink of different types of coverages. We think of cyber risk.
Most people probably hear the word cyber and they think, oh, electronic, or I have a website where I sell something online. It's beyond that. It's information security, it's operational technology, it's resilience, as we're saying, the ability to keep your operations going, whether you interface with direct customers or you're a business that's providing services in the background. But you may not think, cyber risk, my cyber insurance policy is going to provide me coverage for things like, I don't know, defamation, libel, slander, copyright infringement. It does. And so at that point, the small business owners that I talk to say, you know, I'm not convinced by this cyber thing. I'm not sure it's ever going to pay. And I'm also convinced that I'm paying more than I need to, because I don't need all of those extra coverages that have been loaded into it. So I think in some ways we need to simplify what the insurance policy is over time, to make it crystal clear what the small business person's buying, and then we need to make the process very simple for them to confirm what their security posture is. Because everybody knows, if you're, especially stateside, like, you're buying life insurance or some form of insurance where you need to provide some blood tests and you need to have doctors sign off on stuff, you know that part of the insurance process is to validate that what you're saying about yourself is actually true. Well, we can do that in the cybersecurity world pretty easily. And we just need to connect the dots, because once the dots are connected, the buyer's process, the workflows you're talking about, become very, very easy. Suddenly you go, I can think of a couple of worlds that are amazing to think about in the future, and probably not that far off, actually. One is I'm buying my security tool that's gonna help protect my business. They're gonna...
protect my endpoints and they're gonna protect my email, and then I have my multi-factor authentication. Those are probably the three things that the underwriters are really caring about right now. So what if I buy them, and I buy this package, and then at the end of buying it, it says, hey, you just qualified for cyber insurance. Do you want some of that? And that would be nice to me as a small business owner.

Martin Hinton (19:52) Yeah, yeah. So you touch on something that very early on, as I started to sort of explore this world and take on this sort of, I guess, niche journalism, is that because the market is being built, you have this, you know, the example I use is like a property and casualty example, which is, you know, maybe 120 years ago, if you had a match factory and you had a factory full of matches and you wanted to get fire insurance, the insurance company would be like, yeah, no, we can't insure you, but let me introduce you to my buddy sprinkler system, and smoke alarm, and watchman, and, you know, like fire warden, and you can get a discount on that. And when you put those in, I can also insure you at a rate you like and that I like, and the risk is fine. And we're in this sort of, you know, one of the things I've said to some small business owners, I'm sort of getting to this point, it's a really good time to go out and sort of investigate what exists for you, because there is a lot of competition. There's a lot of people sort of looking for this market to grow. Like you said. So in that context, are there one or two questions or a few things that a small business owner might ask their broker about the process? If you're coming into this and you think, my God, I don't have MFA. I'm not even sure what that means. You know, is that the text I get? Because I think a lot of people are sort of, I mean, I am one of the people that if I were the only one left, this wouldn't exist, right? I barely understand how any of this works.
I can watch any film ever made in my hand. And that's amazing to me. And I think that that sort of illustrates the disconnect we have between how it all works and what that means from a risk point of view. So if you're a small business owner, you're sitting down with your broker at renewal time and you think, you know, what about this cyber thing? What would be a couple of questions you think would be paramount?

Max Perkins (21:38) If I think, you know, I'm gonna start with one where there's not a really good answer right now. I'm thinking about this cyber thing. How much should I buy? Well, I'll tell you right now, there are not great answers, because that how much, the answer is typically driven by the models that we were talking about that are immature right now. Well, let's keep it simple. Let's think about, you know, think about your risks and think about how much you buy in the context of how you operate your business. So if I know that I'm earning as an organization $100,000 a month, and that's what I need to protect because downtime is the worst thing for me, and I need to be making sure that I'm back up and running and I'm paid back for the time that I lost, then look at it that way and think about how much you would need if there was an event that took place in your business that lasted two weeks, four weeks, six weeks, and what you would need to get back up and running. And then I would ask my broker, okay, so this is what I'm thinking about in terms of the resilience and my ability to be operational. What can you tell me about what I should have in terms of the liabilities or third party elements of it? So the liabilities, and again, that's how long is a piece of string? Kind of hard to tell. But then the last piece that I would definitely be asking, in terms of this is all sort of exposure and how much to buy,
is, okay, broker, can you talk to me about what are the average ransoms that are having to be paid? Because I never want to pay one. I think it's a terrible thing that we're paying these threat actors. But I also realize that in order for me to get back up in two weeks versus being down for two months while I rebuild my whole tech infrastructure and company, maybe that's the answer. And so how much is it? Is it $200,000, or is it that even a small business is going to have to cough up 2 million? In which case, I need to buy 2 million. And that's one line of questioning I would have. What were you saying? I see you, Martin, about to jump in.

Martin Hinton (23:45) Well, I was just going to say, you know, one of the things that I think people don't comprehend is that, just if you had a fire, you're a dry cleaner and you had to go through all the remediation to deal with that and replace and repair things and rebuild things. That's what happens in the digital space when you arrive on a Monday morning and everyone's screens are blue and you can't do payroll. You can't get online to your bank. You can't see whether invoices have come in or gone out, or all these things that you need to do to operate. There's a paralysis in this almost sort of vapory space that's the digital world that I think that people don't quite comprehend. And again, I always try to use examples. What if your warehouse burned down? Like, what would you do? Like, you have insurance for that. You need to think about that kind of protection in the digital space. And you touched on it as well. The recovery is complex and time-consuming. And depending on what kind of, you know, agreements you have with third party vendors, the sort of long tail of liability that exists is really, really complicated. And it's something that, you know, I think it's, again, it's a bit hard to comprehend, because it's not a fire.
It's not a broken window where you're like, someone broke in and you realize that something was stolen or some piece of equipment has been corrupted or whatever it might be. There is this sort of a need to drill down, I guess. I was shaking my head because I think what you were saying is really paramount, right? The idea is you have to explore this like any other possible thing that could turn your business off. What would it mean if you turned off your business for 30 days? You've got 15 employees, you've got mortgages, you've got loans. It's something to keep in mind. And the expertise exists in the cyber insurance world to sort of help explore that. Well, what do you make a month? You made that a simple question. If you can't operate for 30 days, what would you normally make in that 30 days? And if the answer is 50 grand, well, you need to figure out where that 50 grand is coming from. Maybe you've got savings, but you don't want to dip into that. The whole point of insurance is not to go to that nest egg. So I guess it was just, I thought it was very, very well put. You did touch on, and just to move on, the underwriting element of this. And one of the things that underwriters sort of struggle with is, you know, the data sets and that sort of thing. You know, you can say, you know, no, we have MFA. Well, does everyone really use it? Like, you've got the controls, and then you've got how well they perform. So there is, you know, the phrase you hear is the box checking of, yeah, we've got all that. And then there's the reality in the real world, which touches on the human reality. So I wonder how you could touch on that part of it and how that plays into the underwriting element of all this.

Max Perkins (26:30) Sure, and so I'd be happy to. And I think I'll start again with the persona of I'm the insurance buyer.
If I were, say I'm midway through my insurance cycle, I know that in six months I'm going to be buying insurance again. In fact, I'm about to do this more closely than six months. We're 90 days out from when we buy insurance. I'm about to reach out to my broker from Spektrum and say, okay, I already know this because of what I do, but I am going to ask him: what are you seeing as the best practices from underwriters for cyber controls, the security controls that we need to have in order for us to be one of the best risks, or at least to qualify to being one of the best risks that they have, so that I get the best pricing possible? And then what are the minimum standards? Because it wasn't that long ago that I remember being on the phone with a business owner, a friend of mine who's got quite a big business. And I said to him, you know about MFA? And he goes, yeah, yeah, yeah. I said, just so you know, if you don't have it by the time you come to your next cyber renewal, because he was complaining about the price of his next one, what would help him lower it? I said, here's the shocker. You're not going to be able to buy it. So you need to be able to answer that you have it and it's deployed across your environment, remote access, all these things, blah, blah, blah. And he went, my goodness, do you know what you just said? I said, yes. And he said, do you know the impact that's going to have on businesses? I said, yes. And I said, I promise I'm going to get into the underwriting process, but this, I think it starts with the mindset of the business owner or the business leader. We are all used to a world, and you sort of touched on it a little bit earlier, Martin, of the comparison to the physical world. I have a fire. We're used to investment in our capital, what we would say capital expenditures, physical environment. We need to make sure that we're not looking at IT investment and security investment as a nice to have.
They are as critical as those old physical investments that we're all very comfortable and used to making in the mindset of a business leader, business owner. And if we don't make that shift, then we're not going to look after that original risk, that original asset that is keeping the business going. And so that's where, when my friend said that to me, I said, hey, look, you're an asset light business. That asset light being you don't have physical space. Your IT is how you run; you better be spending more money to run your business soundly. That's where it starts. And then let's talk about what we can transfer through the insurance world. And so right there gives you, if you turn that on its head, that's what the underwriting leaders in the insurance world are looking at. It's okay if they're meeting with a Fortune 100

Martin Hinton (29:03) Yeah.

Max Perkins (29:24) business, set of business leaders who are buying this really sophisticated insurance policy, they want to know that the C-suite and the board appreciate this risk, this asset, and that they're looking after it, because it's going to mean the health, that's going to indicate the health of the company going forward and its ability to respond and be resilient should something happen. So now we take that all the way down into the small business owner, they're looking for the same thing. And so what are the underwriters sort of looking for? They're looking for more confidence in the underwriting checkboxes that are being checked, because we hear it frequently that there are events that are going on where a control that, the person filling out the application probably, they weren't lying. They weren't being intentionally misleading to the insurance underwriter, but they might've misunderstood the way a question was asked, or they might have misunderstood what their IT person said was the application in their environment. And the underwriters are sort of saying, we need to be done with that.
We need to get to a place where we see that something is validated and true. We know it to be true in that organization. And that is this missing link. It's actually part of what we're trying to solve at Spektrum, and are solving. Why are the underwriters asking it? It's twofold. It's one, when they're working on one account, to get confidence for that one account. And then the other is, as they stack thousands and thousands of accounts, then you can start to do the actuarial analysis. And when you have validated data, that's what actuaries can really work with, with confidence. Otherwise, the actuaries are gonna take a very conservative view. And again, it leads to that capital inefficiency, and that's when insurance fails. So right now it's okay. And I think I've used the word, it's broken. When I say that the cyber insurance world is broken, it's functional right now, it's fine. But the growth that we all want to achieve in the future, if we look at today versus that growth objective, the current model isn't going to get us there. The current operation, the way of doing business, isn't going to get us there. And the brokers right now, because there's a soft market, Martin, right now where the pricing is really low, it's really competitive, and the brokers representing the client, I get it, they're trying to take advantage of that. They're trying to make their life as easy, their client's life as easy as possible. And it'd be a great thing if the broker said, hey, let's get this real validated data over. And the best brokers, who I can tell you are doing this right now, there are a couple, they are realizing, by getting that validated data over to the underwriters and representing their clients that way, the broker actually begins to build a really good data set that they can use and be a better risk advisor. And that's when we really start humming as a market, in my mind.
Martin Hinton (32:25) You know, I think in some of the stuff I read prior to this, the words proof and evidence come up in some of what I've seen, and the idea that, you know, if you've got a factory with a sprinkler system, well, look, there it is. And we have it validated every year so that it works, or whatever other mechanism you might have for a physical danger. In plain English terms, when it comes to proving something like MFA, or providing evidence to lower a premium that MFA is employed across your, like you said. It's so different now since largely COVID, right? You've got remote work. You've got people on their own home Wi-Fis. There's a lot of moving parts, I suppose. How does that work in plain English? Explain that to someone who, well, explain that to me.

Max Perkins (33:13) Let's talk through it. So we take a view similar to, it's funny, I was in New York yesterday in a meeting with a former auditor and they started shaking their head yes, yes, yes to what I'm about to explain. And so this is the way that we think about proof. So where we are today is an attestation. You're checking the box. I'm saying, I'm telling you that this is there. An auditor would look at that and say, same as we are in the underwriting world, that's an attestation. Well, the next step would be to say, and here's the proof of receipt. But the proof, like the proof of purchase, just tells you that they bought whatever the control is, and they may or may not have it in place. They may or may not have it configured well. And so we look at that and we say, okay, so if level one was the attestation, maybe level two is that I'm going to upload my proof of purchase, or I'm going to upload the policy that we wrote internally that says I'm the security person, I have to have these controls in place because the policy told me that. Then we take one more step up and it's to the, maybe call it level three, which is, I had an auditor.
I had, you know, name the auditor, was in our shop and they looked at everything that we have for security and here's their report. And they have validated through their own eyes that the controls are in place. So that's great. That's getting us further up there. And then ultimately, because we're talking about the world of cyber, we're talking about the world of electronic code that can speak to each other, and where you can actually, using code, you can cryptographically, you can use the code to confirm that something else is there. That is level four, where that's taking the blood out of the human being, checking it to confirm that yes, he said he's O positive, therefore he is. And we know it because we checked it. The same thing can happen in the cybersecurity world. And it can happen through sort of read-only API integrations that organizations use to run the security control itself. And so a third party can come in and validate it that way. And that really gets you to the ultimate view, according to the cybersecurity practitioners, and the underwriters were all saying, my God, that would be great for us to have too. How do we do that in a way that doesn't interfere with the normal course of business? Because that's an extra step. And so how do we do it leading up to a renewal or before a new business purchase? And so that's why in my mind, in an ideal world, like we talk about the millions of small businesses, when they're buying that security product, if somehow we can have the distribution of insurance, the small business insurance, tied to it, then suddenly that control is validated on the spot. The broker's not cut out. The broker's still a part of the process. Their job has just been made a lot easier because they spend less time on the transaction, the binding of insurance, and they get to have more time for either bringing in new accounts or servicing their current accounts.
And so that's ideally what we get to, and then in the larger space those things just take time. We just all need to say, okay, we're going to take this next step and move up the proof chain, if you want, from one to four and validate these controls.

Martin Hinton (36:42) You said a few things there that reminded me of something I've heard from quite a few people, is that this is one of those forms of insurance and policies where you need to be a little more dynamic in your approach, and that maybe only thinking about it every year when it comes to renewal time is a misguided approach. A, because of the dynamic nature of the threats and how complex they are, and there's no shortage of predictions about what AI is going to do in the next, in the current year and that sort of thing. True or not, time will tell. But that idea that this is, this is unfortunately complicated, and you probably don't know enough on your own as a small business owner, or frankly even some very large business executives, to comprehend this. This is an expertise that, you know, I've heard a lot of people just... say, and I wonder what your take on this is, that this is more than IT. IT is, you have to start thinking about it in a bigger way. And the example I've used to try and delve into that is that if you're, again, got a factory and there's a door and the door breaks, you have someone come in and fix the door. That's IT. The fact that the door is secure is a whole other thing. There's the lock, you have two locks, and my joke there is two locks is MFA, right? You need to do two things to gain access to the secure space where valuable things are kept. And this notion that, you know, again, because I talk to a lot of small business owners, they feel a little overwhelmed. I think that there's a real issue, maybe broadly, particularly in America, with insurance in general feeling like something you spend a lot of money on and you hope you never really need, but you do need it for all kinds of reasons.
So another insurance bill is something that they're like, oh God, another insurance bill, that attitude. And then it's hard to understand while, again, a lot of small business owners are really busy, right? These are not nine-to-five existences, right? And this is another complicated thing, but that's okay. You know, I mean, I'm a huge fan of the phrase American, not Americant. And so I think that there's something in there where, like, there's help to be had. And there's a lot of companies like yours that are, you know, looking to create this marketplace because the need to protect people from these risks is real. I mean, that's, I'm stepping outside myself as a journalist now.

Max Perkins (38:36) They are. That's right.

Martin Hinton (39:02) You should really talk to your broker. Like, if you don't have it, you're not sure, seek some advice. There's a lot of really smart people in this space, a lot of people who are excited about this. And I think that that's something to keep in mind. You know, I wonder, given all that, are there any examples of, obviously you can sanitize these as you need to, where you see applicants, or you've read about or heard stories about people applying for something, but when it came to it, and even if they were answering the question correctly like you touched on earlier, in the end, when the examination occurred of their answer, they were found to be incorrect about what they thought. There was a total misperception about their level of security. Tell me about that sort of aha moment, if you can.

Max Perkins (39:46) Sure, just to make sure I've got it right, sort of in that moment of the incident happening and, say, they have insurance, made the claim, and then suddenly the claims adjusters look at it and say, hold on a second, this happened because of a lack of MFA, yet you said you had it. Is that what you mean? Right.

Martin Hinton (40:03) Exactly.
We hear a lot of stories and we see a lot of examples of where people think they're covered and something happens and, lo and behold, there's some kind of exemption that exists, and there was no lying, there was no duplicity, it was just a mistake. Well, guess what? None of that matters, right? The payouts were due to whatever it is.

Max Perkins (40:29) It's tough. That one that I started to talk about, a lack of MFA at the time of the event, either across the organization or maybe the lack of multi-factor authentication within a certain area of the business that was impacted. That's happening frequently, and the underwriters and the claims managers and the insurance executives all the way up to the top are sitting there going, why are we paying these claims? Why should we be paying these things? Because the cyber underwriters, when you talk about this question, their immediate answer, and I used to say this, not possible. We pay every covered claim. And that is what we believe to be true, but reality is in the weeds. That's being the lack of MFA and the claims adjuster thinking, something's off here. It's being used as leverage to either negotiate down the payment, the claims payment, or it elongates the amount of time that it takes to get the claim paid. And the only reason that the cyber claims managers and the claims executives are not using the nuclear option is because they're worried about the reputational blowback of being the first, or one of the first, in a market that is so competitive right now to actually rescind the policy and give you your money back and say, it's as though it never existed because you misrepresented yourself in the application process. To me, that's really scary. And the fact that that exists, and it should exist, the insurance companies should have that right. They need to be able to do that in case somebody is actually lying in the application. Like, I don't, that doesn't need to come out of the insurance policy.
But the fact that that hasn't been used, I'm a little annoyed about, because it's going on in the claims managers' heads. They feel like they're handcuffed, and the small business people are concerned about it. And yet because it hasn't happened, we haven't really pushed ourselves to improve this application process to move from these attestations. The other reason that people get annoyed with insurance and they say, gosh, cyber policies don't cover anything. Well, there are limitations to what the cyber insurance can cover. So let's, one example is espionage. They know that a hacker got in and stole their assets, their IP. And they know that that hacker stole it and it's going to be used by another organization. It might hurt that small business or large business. I had this happen to a client of ours who was an architecture and engineering firm. They literally had a business owner that, I'm sorry, one of their engineers was in China and looked across while on one bridge and saw another bridge that they knew was their own design. And that was not their project. And so therefore it was an espionage, probably, act where that IP was stolen. And you might want to make a cyber claim, well, that's not covered. It's not intended to be covered. And that's what I mean by where we were talking a little bit earlier about, we need to make this so simple that every small business owner can understand it and have their expectations set around what they're able to recover from cyber insurance. And then the other side of it, and this is something that I wish that more of our cyber colleagues, the insurance colleagues, would appreciate sometimes, is that that's healthy, because it helps that small business owner to know what risks they retain themselves. Because that's part of doing business. You're going to retain risk, or you're going to have risk that you cannot transfer. And having clarity on that lets me run my business better.
And sometimes I think we forget about that component when we're trying to sell these policies and we're not being as transparent as we probably should be about what it covers and doesn't.

Martin Hinton (44:37) You touch on the, you know, again, all of this is an element of the human condition, right? It all sounds new, cyber digital this, but that idea, and it's one of the pieces of advice I remember being given very early in my career when I started managing people, is that there are often conversations you've got to have and you're like, ugh, I don't want to have this conversation. I don't want to hear this bad news. And then in the end, you typically only regret having delayed a difficult conversation. So if you know there's something that's got to, it's like tickling you and you're scratching, you're like, deal with it. Just deal with it. Get it over with. Open the can of worms and see what, we'll see where you stand. It's hard to do in all sorts of respects. This one in particular, you touched on what I kind of wanted to get into next, which was sort of the loss and risk landscape broadly. You know, ransomware has been around forever. Now we're hearing about, you know, there's the malicious issues that can occur in cyber. And then there are the, you know, poorly distributed updates, I guess would be a phrase in the news currently. I wonder, when you see what's happening now, you know, there's a lot of talk about AI, but the bad guys have been doing, and gals have been doing, just fine without AI. So maybe, you know, but we're seeing it with, you know, the talk of deepfakes and, you know, there's a few famous examples that exist out there, but even the way social engineering is used, in the Marks and Spencer hack, people calling IT departments and using all we know about behavioral psychology plus now technology to fool people. Like a magician can make you believe that they actually pulled a rabbit out of a hat.
You know they didn't pull a rabbit out of a hat. It did not appear out of thin air, but you wouldn't be able to prove that with your own eyes and your own senses. You see the trick. People have been conned on the streets, and now in the digital realm, for a long, long time. So I guess I'm curious what you think about what's going on now and the kinds of things that people should be leery about and be mindful of. I say all that, and the advice I've been given and I now pass on is that if you ever, ever get a text, a phone call or an email and it makes you uncomfortable, or you have a sense of urgency that makes you feel like you have to drop everything, don't ignore it. Don't even do anything. If you really owe someone money, like the toll system, EZPass, they will find you. It is easy to say, but that's the beauty of it from the criminal point of view. It's a very reliable tactic. So what do you think about the loss landscape, the threat landscape, as we sit now and then over the next few months, to the degree any of us can predict the future?

Max Perkins (47:13) Yeah, sure. I think in terms of how I see it now is that the frequency of events has persisted. And while I think that the conflict, war, Russia, Ukraine has taken time and attention away from certain hacking groups, and that was true, and we sort of felt that when that conflict came to be, I'd say there is still a persistent level of events that are taking place. For all the reasons you mentioned, vulnerabilities in technology will be present. That's just part of technology. Technology, it's not perfect. You have to patch things from time to time. The threat actors figure out methods for getting through certain technology security controls, and you have to update them. So that's part of it. And so the frequency is still there. And I say that because I think there's some folks who have thought, gosh, it's kind of... It's kind of died down, and we're not necessarily seeing that or hearing that.
We're also picking up on the fact that, and I'm going to touch on the social engineering part sort of last, the first is that frequency is persistent. Second is that the threat actors are very smart. They're running businesses, right? And let's remember that they're running their own business and that they're out to earn income, and they're probably having to achieve growth targets, and like all of those things are probably very real. So something that's going on right now is sort of around the law firm space. Everything that I hear from some insurance colleagues of mine points to the fact that law firms are being targeted by some threat actors because the law firms are quicker to pay a ransom, because they're trying to protect the privilege of their accounts and their clients and that privileged relationship. And they're worried about a threat actor being in there creating that violation of attorney-client privilege. And that's troubling. That's very troubling. And it's meant that I've just seen recently a couple law firms applying for their cyber insurance, smaller ones, and where some underwriters are saying, you know what, no, we're gonna pass this time. And just outright because they're a law firm. So I think that's really interesting and something to check on, because you think about the social engineering of getting in, that element to me is the social engineering of how I get 100% of my ransom demand paid versus 50% if it's negotiated down. So I don't know, that was something that surprised me a couple of weeks ago.

Martin Hinton (49:58) You know, it's funny you touch on that, and it reminds me of a conversation I had recently about, and it seems to be quite in the news, at least in the UK, and it's the idea of banning ransomware payments, right? Making it illegal to pay a ransom. And the obvious, don't fund your enemy, don't reward the criminal, don't negotiate with terrorists, like that hard line. It sounds reasonable until...
And you touched on law firms, but the example in the case, in the conversation I'm describing, was hospitals, right? No, we have a heart surgery in 60 minutes, we cannot not have this information that we need in order to operate on someone. The whole process is reliant on very sensitive information. And if you freeze that information, people die. We know this has happened, right? We know this has occurred. And that's one of the reasons hospitals, to your point about law firms, are so susceptible to attack. I mean, there's also the issue with all the third-party realities that exist and the supply chain that they have, for all the MRI facilities that are not associated with the hospital but are connected digitally and all that sort of thing. And that's enough, right? We know that. I mean, have you thought about, or is that conversation in the industry in America, the sort of banning of ransom, de-incentivizing ransomware in some fashion?

Max Perkins (51:20) You know, it's there, and I've seen it sort of in the European context and then also in America. In fact, where I live in North Carolina, this probably goes back three or four years, there was a bill signed and put into law where public entities owned by the state of North Carolina were not permitted to pay ransoms without the governor's sign-off, something like that. And where it was getting scary is we do have, take the university health system owns, I'm sorry, the university, yeah, the University of North Carolina owns a health system. And that was a really good example that you just perfectly explained about why there was that concern. But the notion was like, look, we're gonna, if we don't pay them, then they'll stop, they'll go away. Not necessarily true. What I would say, though, is that I think as we, as a business community, are more cyber resilient. We are using backups. We're testing our backups. We're testing them in a way that we have documentation that they are working.
If that's the case and they're separate, so that the virus or the ransomware that's used isn't, the malware that's used isn't impacting your backups, then in theory, yeah, you can tell a threat actor, we're not gonna pay. We're gonna get back running. You might have a liability issue if they've stolen your data, but at least we might get there someday. We're just not there yet. And so I think the idea is, it's probably the right thing. I would also say that, based on some work that we do, and I know it's stateside and in Europe as well, the law enforcement and intelligence communities are working in a way to try to almost prevent these events from happening by pretending to be the bad actors and paying for, you know, paying for the access, if you will. There's something called an access broker out there. You cut it off at the head there.

Martin Hinton (53:30) Yeah, yeah, yeah. Yeah, you touched on something just a moment ago. We did a piece that went up earlier today about a new Dell Technologies report, and it found very similar, the reality for business owners, large and small, is it's not if, but when, right? Something is going to happen, whether it's an interruption because of a technical problem or a malicious act, it's not if, but when. And in that mindset, while we figure out controls and we improve law enforcement and, you know, global treaties to deal with these people who can operate in the countries that protect them, is resilience, right? When you fall down, how badly do you hurt and how quickly can you get back up? And that idea that, you know, you have, you know, backups that are protected and all that sort of thing that allow you to at least keep operating. And then while you keep operating, you can address, well, okay, do we need to pay to deal with the liability issue that we're exposed to now because this data has been leaked? But that idea that you... you are gonna suffer this consequence.
And we see it now, in the Dell piece, and I'll link to it in the show notes, that there's a misconception at the highest levels of companies, big companies, about how resilient they are. When you see them talk amongst themselves, which they like to do, which is counterproductive in the sort of corporate competition sense, there's a real fear factor, right? I mean, when you talk to people off the record, they... use words like, cybersecurity sucks. I mean, like, in a broad sense. And I think that that is something that you can protect yourself against, right? You can be resilient. You can have MFA. There are tools for this. It's just, again, like that idea, not if, but when we are gonna need to deal with this. So yeah, very interesting. All right, so we've been talking about an hour and I'm gonna do a quick lightning round of three questions with you for a second now. So bear with me. We can jump around if you want to think about one. So the lightning round finish. What's one prediction for the next year? It could be about insurance, underwriting, you know, the threat actor, AI, prediction. The second question is one myth. What's one myth about all this that exists and persists that you would like to lop off and get gone, if you will? And then, when it comes to CISOs, one habit that CISOs or the people managing risk of any company should adopt over the next year. So I'll go back to the beginning. Do you have a prediction for the next year?

Max Perkins (56:10) Got a slew of them. I would say prediction for the next year. We're at the time when the cyber insurance market needs to change, in terms of right now, its pricing is going to need to change because losses are catching up with it. That's going to have a big impact on the small business owner to the corporate executive and what happens with their buy. Also, it's going to have an impact where we're going to see some movement of people around the insurance market.
We're already seeing new brokerages being set up. We're seeing underwriters on the move. We're seeing underwriters becoming brokers and vice versa. Tends to happen when there's this moment of change coming. So I think that's good. And my prediction that extends to that is that I think we're finally at that moment when we're going to start to get to some validation of data and controls, and that we won't let go of it, because I think that the cyber insurance market knows that in order for it to do its best job for its customers, it needs to stick by those requirements. So that's my prediction for this year in terms of macro. Yeah.

Martin Hinton (57:19) What myth, what myth would you like to see put to bed?

Max Perkins (57:22) Ooh, the myth that I'd like to see put to bed is that... I'm debating. There's all sorts of myths. I think it's probably maybe less of a myth and more of a misunderstanding, because there are those who say cyber insurance doesn't work. And I get into this argument all the time. And the answer to that is it doesn't work. And what you would continue on to say is it doesn't work unless our expectations are aligned. And so there's some large corporate executives recently that told me, I don't really want to buy cyber insurance anymore. And I was like, oh, and they say, cause I'm not convinced that it's actually going to pay out. I said, well, what were your goals when you were buying it? When they told me, I said, well, for the way that you purchase it, no, it doesn't make sense anymore. So you probably shouldn't. And my cyber insurance friends are going to be like, Max, what are you doing? We need to keep selling insurance and growing this market. On the other side of it, cyber insurance definitely works. It definitely pays out when your expectations are in the right place around what it's covering you for.
And also, again, back to this information, when you're being straightforward with your underwriters about how you're running your business and what cybersecurity controls are in place and how resilient you are, it will all line up and it will pay and it will work. And that is the way the future is coming.

Martin Hinton (58:51) So if you had the ear of every CISO or risk manager, what would be one thing you think that they should take on or adopt, one habit, one perspective that they should adopt for the next year?

Max Perkins (59:02) For every CISO, I'd encourage them. I didn't know this until probably about a year ago. Every CISO, when they go into the boardroom or have to answer to executives in the organization, they are asked if we are secure according to our own standards or some third-party standards and if the company is secure. And every CISO to a T has told me they never use the word yes to answer those questions, because they can't. And what that means is that we're at a place in the world where we, in the moment, don't have confidence in our cyber resilience. And so what I would tell every CISO or risk manager is do everything possible to get yourself towards being able to say yes. And I can tell you that part of what we're doing at Spektrum is contributing to that. And part of what others are doing and the security providers are contributing to that. And the insurance marketplace, that's part of it. Because part of being resilient is knowing that you're going to have the financial wherewithal to recover from something. So I would just, that's what I would encourage the CISOs. I wouldn't give up on being able to answer yes at some point. And it's hard for me to hear that most of the time they're saying, I don't know, or it depends. That's the answer every time.
Martin Hinton (1:00:29) Okay, well, we've been talking literally an hour and, as I promised before we started recording, is there anything we didn't get to that you'd like to discuss, or is there anything that we discussed that you'd like to touch on again before we wrap up?

Max Perkins (1:00:42) You know, we didn't get back. You were asking about social engineering and I was just going to say, let's jump back into that and how it works. And I think it's another critical message for any business owner, us as individual people. My wife and I were talking about it. We have three boys and they're younger age. They're not in the social media world now, but the lessons that we're going to be passing on to them. And just as humans, that started, that it's like, we need to operate in this cyber sense, whether it's our phones, our computers, whatever it is, where we don't trust. We verify in every situation. And that's something that we're going to be teaching our boys, because there's been some real heartache out there where bad people are doing really bad things and taking advantage of young people, or putting young people in such a position that they don't know how to continue, in terms of in that moment or more broadly in life. And that's really freaking scary. And I want to see that end. Okay. So at a human level, it's that, but that same principle should be also taken into business. And I think in terms of social engineering, we help ourselves just like you see somebody come to your house and they want to enter. You're probably going to say, sorry, why are you here? I didn't call you. Let's do the same thing in our businesses when we have third-party vendors or we have somebody texting us, somebody telling me, hey, Max, your boss needs you to move X amount of money over to whatever. I'm not going to do that without actually getting my boss on the phone and saying, hey, did you really want to do that? We need to trust and verify.
We just got to be better about it. And I promise it's going to help us all with this, the events that are.

Martin Hinton (1:02:19) Yeah. I completely agree with you. And one barrier to that being the standard is the idea that we can't trust anything we see with our eyes on screens anymore, whether it's AI cats or whether it's someone's invoice, the new bank routing information. And I think that if business owners all understand that that isn't personal, this is just us protecting ourselves, protecting you, protecting our industry, protecting our relationship. That is, you know, it's, I'll be right over, but let's just double check that this is the right place to go. And I'm talking about sending money to a new bank, right? Like, you know what? Wait 24 hours. And I think that that's a really, really important message. Well, Max, I admit, go ahead, sorry.

Max Perkins (1:03:05) We often, you know, we're in a small business ourselves and we have investors, and when investors are wiring us money, I continue to get phone calls from people who apologize when they say, I'm so sorry, but I need to validate all this information with you. And I stop them. And I said, no, thank you. Thank you for doing that. It's in your best interest and ours. And please don't apologize. That is what you.

Martin Hinton (1:03:28) Yeah, I completely agree. I wired some money recently from a personal account and I got a phone call from the person I deal with and she said, I know it's just so annoying. No, this is not annoying. Record the call, ask me my questions, make me use the authenticator app. No issue with this at all. You know, I mean, unfortunately, when we know that people take advantage of that, people get annoyed and they're in a rush and all that sort of thing. And that's when mistakes can be, you know, multiplied. So yeah, now that's a great note to end on. Anything else?

Max Perkins (1:04:03) That's it for me. No, thanks for having me. Appreciate it.
Martin Hinton (1:04:05) All right. Well, Max Perkins, such a pleasure. Really, really enjoyed the conversation. I think we probably could do this again, and maybe we will. So Max Perkins with Spektrum Labs, Head of Insurance Solutions. Thank you so much for the time. Really do appreciate it. Everyone else, please, if you've got a comment or a question, put it down there. What I can't answer, which is likely to be the case, we'll get on to Max and see what we can do. But thank you again for your time and thank you for watching. And again, I'm Martin Hinton with Cyber Insurance News and Information. Thanks very much for watching. Enjoy the rest of your day.