Martin Hinton (00:05) Welcome to the Cyber Insurance News and Information Podcast. I'm your host and the executive editor of Cyber Insurance News, Martin Hinton. Before we go any further, if you could like, subscribe, share with your friends, tell everybody, sing it from the hilltops. We appreciate all the support. So moving on, today I have joining me Dustin Carlson, and he is the president of SRA 831(b) Admin, which is based in Idaho. And what all that means, what 831(b) means, is really interesting, and we're going to get into that. But first of all, Dustin, thank you so much for joining us. I really do appreciate the time. Before we dive into you and your background a little bit, one of the things we did during the pre-call for this was you gave me a really good analogy for how to think about an 831(b). And it relates to cyber insurance. And when cyber insurance doesn't live up to your expectations with regard to coverage or whether there was a policy issue, if you will, we can get into all that. But what is an 831(b)?

Dustin Carlson (01:01) Yeah, well first off Martin, thanks for having me on. It's a pleasure to be here. 831(b), we kind of quickly explain it by talking about another section of the tax code, 401K. Everyone kind of knows what a 401K is. It's a retirement plan that allows you to save up for retirement, but it's tax deferred, so you get to build those dollars more quickly over time. And 831(b) acts much in the same way, but instead of your personal income, you're able to set aside tax deferred dollars of your business's gross revenue to save up for a rainy day for things like a cyber breach, for things like a business interruption, like COVID-19, all of these types of events that seem to happen in today's modern world.

Martin Hinton (01:44) So we're talking about, I mean, it sounds like a classic rainy day fund. Is that sort of one way to think about it?

Dustin Carlson (01:50) Absolutely. Yeah. Tax deferred, rainy day fund. Yep.
Martin Hinton (01:54) One of the things that we will get into is the notion that within cyber insurance, because it's relatively new and the policies can be quite complicated, particularly for smaller businesses and businesses that maybe don't have the ability to review their own cyber resilience and cybersecurity posture, is that when it comes time to a claim, things go uncovered. And I just wonder whether, before we dive into any more detail, you could touch on that element of how the 831(b) is complementary to a cyber insurance policy.

Dustin Carlson (02:24) Yeah, we, SRA, we design our policies specifically to really fill in gaps of traditional coverage. You know, traditional insurance, they do a good job of covering things like property, like liability, but there's still a lot of gaps that get left. You know, they're for-profit companies at the end of the day and they'll only take so much risk. And so there's exclusions, there's sub-limits on policies, particularly like we'll get into with cyber. But 831(b) is really designed to fill those gaps in. So to be really a complement around your Total Risk Management Program.

Martin Hinton (02:57) Great, so there's your takeaway. What we're gonna get into is this other bit of resilience, this other way you can protect your business, and thus yourself, your employees and all those things. Before we do that, Dustin, you're out in Idaho, I'm in New York City. How did you come to be in this line of work? Where did it all start for you?

Dustin Carlson (03:16) Well, you know, early on, high school, I had dreams of being a doctor. My dad, on the other hand, was always an insurance agent. He grew a pretty large book here with Farmers Insurance, was who he was with here in Meridian, Idaho. And so it was kind of the family business, I guess you could say. You know, I was going to school to be a doctor. The 2008 financial crash happened and I kind of looked around and said, this business stuff is pretty interesting.
I want to do that. And so here we are. You know, we started, or I started with SRA in 2012. The company itself was in 2010 and itself was really born out of the Great Recession that kind of started in 08-07, where my dad with his successful book of business had a lot of commercial clients within it. And a lot of those commercial clients went out of business at that time, just because of the struggles of the 08 crash. And there were folks that he also had that were clients that they were having success. They were going to equipment auctions and buying equipment for pennies on the dollar. And he said, what are you guys doing? Like, how are you able to do this when I'm seeing all this devastation over here? What are you guys doing? And one of them said, well, I have this 831(b). And that sort of set him down the road of learning all about 831(b) and then starting SRA, and I joined in 2012 like I said, and it's been just good growth since then, and we continue to try to the word of 831(b), because it is not very well known in the business community even today, despite it being passed in 1986, was when it was first introduced.

Martin Hinton (05:10) You know, it's funny you say that because I had seen the phrase in the reporting I've been doing on cyber insurance and broadly insurance as a result of that. And I don't think I quite comprehended it. There's a phrase I've seen used and I wonder whether you could, the phrase captive and then micro captive. And I wonder whether you might explain whether that's something that is relevant or what I've read is not that accurate. What about that element of it?

Dustin Carlson (05:35) No, absolutely. So an 831(b) is a micro captive. That's sort of the industry phrase, if you will. We call it an 831(b) plan just for the simplicity of, you compare it to a 401K plan, 831(b) plan, it kind of just clicks for folks at that point.
You know, we also compare it to like an HSA, you know, health savings account, where you might have a high deductible on your health plan. Well, if you have a high deductible on your property insurance or other types of insurance, 831(b) is a great fit to be able to save up, you know, just like an HSA, tax deferred dollars to meet that deductible and other exclusions. Yeah, micro captive, captive, the difference there is really just the size of the company. An 831(b) is a smaller type insurance company that's insuring a related business. And then a captive is just a larger version of that, effectively.

Martin Hinton (06:35) Yeah. So with that set up, again, we've used the phrase rainy day fund, you know, healthcare savings account. I think the concept there is quite clear and it's, I mean, I, you know, maybe this is an unfair way to put it, but I'm trying to simplify it in my own mind. And then for the audience, there's a redundancy here to the resilience that your insurance might create or, you know, a plan B might create. It's sort of a plan B for the financial loss as a result of any kind of business interruption, whatever it might be.

Dustin Carlson (07:06) That's right. Anything that your traditional insurance is just falling short on. And I think we're going to get into some of those related to cyber. But, you know, even the property space today, the hardening of the market that's happened there because of hurricanes that have come through and caused devastation, wildfires in California. You know, we're seeing insurance companies that are pulling out of these states or they're putting on large deductibles that the homeowners or business, if it's a commercial building, owns. And they're excluding things like wildfires, like wind damage in hurricane areas. So all of these things you can fit inside of an 831(b) if you're concerned with, you know, how am I going to cover this? My insurance company says they're not going to.
How am I going to be able to cover it if the worst happens?

Martin Hinton (07:54) So you use the phrase traditional insurance, so thanks for teeing me up, because now we're going to move into the not so traditional insurance of cyber insurance. This is a space where this sort of gap in coverage is quite relevant. It's relatively new insurance, for the audience that's maybe tuned into this for fun. That means it's a little hard to underwrite the risk. There's not as much data about the risks that exist. The risks are very dynamic and evolving, AI being the latest

Dustin Carlson (08:02) Mm-hmm.

Martin Hinton (08:23) steroid to be added to cybercrime and cybersecurity issues. When it comes to cyber insurance, there's a lot of misconceptions. I wonder whether you might bring from your experience some of those to life for us.

Dustin Carlson (08:36) Yeah, you know, I think, like you said, it is still a very early on product and insurance companies are still figuring it out, right? They're still trying to capture the data, the loss data that is, so they can understand if I'm issuing a policy for this type of risk, what do I need to price it at in order to accept that risk of the loss that might happen? And the data just really isn't there, particularly with cyber. The unfortunate thing is a lot of these cyber breaches kind of go unreported, a large majority do. We hear about the big ones in the news all the time, particularly now that I believe the SEC several years ago made it a requirement to disclose if you're a publicly traded company. But a lot of these on the private side, they just don't get reported and insurance companies don't understand, what is my, what is the loss potential if I write this type of policy? And so what that means is they're issuing policies that have a lot of exclusions inside of them, a lot of sub-limits for things like remediation, for example, paying for people's identity protection for an extended period of time.
Certain states have these requirements. So a lot of policies are going to have sub-limits for that type of loss. And they're going to exclude things. I just always joke that if you have an event that happens to your business, you kind of need it to go perfectly for it to be covered by your cyber policy that you're buying off of the shelf from whatever insurance company. And really, that's where an 831(b) is a great fit, because it can fill in those gaps that are left by the cyber policy that you're getting on the open market right now.

Martin Hinton (10:25) I mean, you touch on something and for the audience's sake, I'll dive in a little bit. The future is always unknown in some respects and we can have our plans. But with regard to cyber breaches, the complexity of what's referred to as the long tail of the breach, where you might, you know, you don't know whether people maybe got into your system and were inside sensitive data areas for six months before the breach became known to you. And then there's the long tail of, you know, maybe not realizing they got all the records, but thinking they got some, and a year or two later you have a situation where you have a whole new group of people who suddenly you have to deal with things like, you know, credit monitoring and that sort of thing. I was at a talk late last year and part of it was the legal panel and it was all about how the classes for cyber breaches are getting smaller. And a lot of them are involving these sort of long-term kind of results that don't come up right away in the immediate wake of, you know, the blue screen of death that you might encounter on a Monday morning. You touched on a little bit of this. One of the things that people probably appreciate is that when you do an insurance, there's a sort of a checklist of things. Do you have this? Do you have that? And if it's a property and casualty, it might be smoke alarms or sprinkler system and that sort of thing.
Within cyber, there are similar things like training for employees or multi-factor authentication. And one of the oddities there is that you could say you have something like MFA employed by all your employees across the board. And what you realize is, not unlike if you haven't replaced the batteries in that smoke detector and there's a fire and the insurance company goes, yeah, well, your smoke detector wasn't working. That's a policy problem. And we have an issue now with paying out the way we're supposed to. That is kind of what we're talking about here, right? There's this sort of myriad of ways that a policy can be written. And then like you said, the event needs to follow that to the letter. Is that a good way to sum it up?

Dustin Carlson (12:25) Absolutely. You're exactly right. And you mentioned the human element here. That's the weakest link and a lot of these exclusions are tied to that element, unfortunately.

Martin Hinton (12:36) You encounter this with some regularity. When you've dealt with business owners who maybe they had an 831(b) or maybe they didn't or they're coming to you because they realized they wish they had one, what sort of misconceptions do you encounter that are quite regular? Is it broad or are there specific things?

Dustin Carlson (12:57) You know, as far as exclusions within a cyber policy, well, let me back up a second. You know, a common misconception is, you know, a business owner seeing a cyber limit within their general liability policy. But those carry a lot of the same exclusions that your standard cyber policy will, but they're also going to be sub-limited to that type of event. You know, if you have a commercial general liability policy, let's say it's just covering you for a million dollars of liability, if there's cyber within that, it's not the million dollars that you're gonna be covered for on cyber liability.
If you're just relying on your general liability policy, it's gonna be some number below that. Generally it's gonna be a fraction of that. So that's the first big misconception, I would say. And then also, in terms of exclusions on a cyber policy that you're getting, employee mistakes, not following proper procedures. These are common things that we run into where we're covering clients for those types of events. You know, the big one right now is phishing emails. You mentioned AI. You know, AI has made phishing emails look very good compared to what they used to look like. You know, you used to be able to catch a spelling mistake or a weird exclamation point or whatever the case might be. But now they put those things through ChatGPT and they get a perfectly crafted email, and that's what's going out to people within your company. They might get an email from a vendor one day and then the next day they're getting a follow-on email with either a spoofed email address or the email address might be one letter off from the actual email address, so it looks pretty legitimate. Sending money to a fraudulent bank account because that email said, hey, we updated our banking instructions and go ahead and do this. And, you know, that employee made a mistake. They didn't follow proper procedure. You know, they didn't pick up the phone and call a known number to verify those instructions. And so that type of thing is not going to be covered by your off the shelf cyber policy. And so these are the things I think business owners can, you know, go out and buy a cyber policy, go out and reference that section of their general liability policy and they might feel good that they're covered, but you know, the devil's in the details, as they always say.

Martin Hinton (15:27) So we did some reporting today.
I came across, it was from late last year, a study at, I think it was the University of Buffalo, and they surveyed something like 600 people who were training to become somehow involved in healthcare and be HIPAA compliant employees. And 58% of them said there is a price that they would violate privacy and sell medical records for. So you've got what you were just discussing, which is the inadvertent mistake, which is already a huge problem, right? And then you've got the malicious actor side of it too. I was reading this study and it was, you know, fairly interesting, but it was an academic paper, so it was a little sloggy to read. And I was thinking to myself, man, you know, I mean, I know the bad guys exist outside the company, but the fact that they're inside too now, that's, it's, I mean, 58, almost six out of 10 people surveyed would sell.

Dustin Carlson (15:57) Yeah. Yes. Yeah. That's a crazy percentage. Yeah.

Martin Hinton (16:21) Yeah, I mean, it sort of gets to the sort of human beings, right? We do good and we do bad. And that's always been so, and I suspect it will always be so. Within cyber and within cyber insurance, what we've got now is the sort of flattening of the market and prices sort of stabilizing as people try to figure out the future of this. And does this become broader business insurance broadly? Or is it, like you said, is it part of your ongoing business coverage? Or does it stay this specialized policy? One of the things we've seen and we hear a lot about is the sort of questionnaire packets. And you've been doing this a while now. And I wonder if you might tell me, like, you know, you hear about them being pages and pages now versus, you know, very short once upon a time.
I wonder whether you find that to be true and what you think that says about the thirst for, and we keep using the word data, but it's information about the danger that policyholders face from the underwriter and, you know, brokers' points of view. So what about that part of the way it's changing, like subtle little things like that to indicate the evolution or growth or change within the cyber insurance world?

Dustin Carlson (17:27) Yeah, you know, what that really stems from, going from not so many questions to a lot of questions, what it really stems from is insurance companies running into losses and saying, well, we didn't think of that one, right? Because it is such an evolving landscape, particularly in the IT space. You know, expect a lot of AI questions on your next cyber renewal when you go through that, because as this just evolves, the risk exposure for the insurance companies just expands and now they need to ask more questions on the underwriting application to understand the risk that you're asking them to take by applying for insurance. That's really what it boils down to, and they have to gather these data points to properly price the risk. You know, there's a phrase in this industry that there's no bad risk, there's only bad pricing, and that's where cyber kind of is right now, is they're trying to figure it out. I think you mentioned the stabilizing of premiums on cyber policies, and that is the case, but what's happened inside the policy itself is exclusions. So as they gather the loss data, they gather the data points from that underwriting application, from actual claims that they're having, they're beginning to wrap their minds around that risk and they're saying, we'll charge this, but in order to do that, we need to exclude this type of loss because that happened five times last year and we don't want that one. So that's how insurance companies operate.
The question is, will it ever calm down for insurance companies, because this is such an evolving industry or landscape, whatever word you want to use.

Martin Hinton (19:15) You remind me of the phrase, you get what you pay for. The idea that, yeah, you know what? The pricing stabilized because the policy is not as good as it used to be. Or we won't cover things that we once did, so we can't charge what we once did. There is, being in business, and whether you're an employee or you're a business owner, there is the moment that sometimes we encounter. If we're doing things properly, we encounter these with some regularity, where things don't go as you plan.

Dustin Carlson (19:25) Yeah, exactly.

Martin Hinton (19:43) and you have this moment where you're like, no, this is not what I expected. So when you're dealing with a company or you've dealt with companies and they realize that they're not covered, that aha sort of moment, if you will, tell me about that moment, both from a practical point of view about how, if they've got an 831(b), that steps in, versus the maybe terror or horror or disappointment of realizing you aren't gonna be able to recover those losses without dipping into savings or figuring out some other way to generate those funds.

Dustin Carlson (20:18) Yeah, you know, when a company has a claim, it means they had something bad happen to their business. So, you know, you're starting already in a negative space, if you will. And then if you're the insurance agent that needs to tell the client that, I'm sorry, you know, based on your policy that I sold you, you're not covered for that type of thing. You know, a lot of the time it's the frontline insurance agent that has to deliver that news, because they're the person there, I guess. And so yeah, a lot of insurance agents, that's their worst day, when they have to tell a client, hey, I'm sorry, there's no coverage for that type of event. And that's never a good thing, of course.
Martin Hinton (21:07) You referenced COVID earlier and in preparing for this, COVID obviously created a lot of moments where business interruption for non-technical reasons landed on people's plates. And it really revealed that, again, people had misunderstandings about their policy, their coverage, what exclusions existed. Do you think that's inherent to insurance?

Dustin Carlson (21:29) Yeah.

Martin Hinton (21:33) And is that a burden that should be more placed on the consumer? Like, you should know what you're buying. You should read your policy and don't just treat, particularly with cyber, this once a year renewal process as some sort of, yeah, checkbox, the premium goes up 6%. Particularly with cyber, you need to be far more diligent than maybe with other insurance, that you're familiar with the risks and the issues that can arise.

Dustin Carlson (21:56) No, I'd say absolutely. The business owners, they're short on time, they're running a business, but I would say it's absolutely in their best interest to really dig into their policy. The insurance agent that you might be dealing with, they're busy as well. They're getting you through that renewal process, issuing the policy, and they might not always do their best at telling you, this was covered last year, there's this new exclusion this year, or really just explaining from the start what is actually covered within that policy. So business owners owe it to themselves to really dig in and understand what is covered under that policy. And you brought up COVID. I mean, during that time period, governments were deeming you non-essential and forcing you to close down for a couple of weeks or whatever the case might've been, there was massive business interruption. We all know that. The government launched PPP and the CARES Act in order to fight that. And a lot of folks, they turned to their property insurance policy and they saw a section in there that said business interruption.
And they went to their insurance company and said, hey, I need to file a claim. I've suffered a business interruption related to this COVID stuff. And all the insurance companies said, hey, you haven't had any physical damage to your place of business. So there's no coverage for, no triggering event for business interruption. Or they turn to the exclusion section and say, hey, there's an exclusion right here for pandemics. So there's not going to be any coverage here. Some of the insurers took that all the way to the district court in the US and about 90, I would say 99% of them lost. There were a few exceptions because the insurance company hadn't dotted their T's, or sorry, their T's and dotted their I's. And so, by and large, folks learned a hard lesson then that the insurance policy that I'm confident is covering me for everything is really not covering everything. And that's particularly true with cyber insurance.

Martin Hinton (24:04) You touched on this before and the idea, and this is, if you will, a consumer awareness moment, that cyber is dynamic. Imagine with your property insurance, next year there were suddenly five more ways your warehouse or your office could catch on fire, as opposed to the three ways that exist this year. Cyber's like that, and AI is one of the great examples, because everyone thinks about AI and you've referenced this being used to weaponize the attacker and making

Dustin Carlson (24:25) Yeah.

Martin Hinton (24:33) phishing emails more efficient and the volume with which they can send them and target emails and all that sort of thing. The other really interesting thing is every employee seeks to become more productive and get work done by close of business Friday so they can get out for the weekend. The phrase is shadow AI, where you might have, you know, what seemed like innocuous internal documents being placed into, you know, open source environments, if you will, or put, you know, put on the web, quote unquote.
Do you think that like the

Dustin Carlson (25:00) Yeah.

Martin Hinton (25:03) Again, this is one thing to be very sympathetic, right? You don't like to blame the victim because you touched on it. Small business owners are not nine to five employees. They're often working longer hours, multiple days beyond the five day work week. And it's a great lifestyle for many of them. They love it, they're in control. But that comes at a burden. You have to take care of everything yourself. You have to mind everything yourself. And this is a new complex issue. It's a bit abstract because it's digital and the threats. I don't know how any of this works. If I were the only one left, there would be no iPhones. There'd be no internet. And I think that for a lot of small business owners, they might be really good at getting the dry cleaning done or the cakes made or whatever it is. But this part of it is not passionate. It's not fun. It's insurance. No offense to everybody out there. It's a burden. And what I worry about as an individual and a person who wants the economy to do well and all that sort of thing is that

Dustin Carlson (25:46) Mm-hmm. At the cost center. Yeah.

Martin Hinton (25:59) We need to create a situation where people kind of get past the, it's a hard part, and really lean into it, because the scale of cyber crime is astronomical. And I mean, you could touch on that a little bit, but that idea that anyone watching this who might be a small business owner that sort of, you know what, take a breath. You can understand it. If I can understand it, you can. Steel yourself and don't give up when you're asking your broker questions, press away and make sure you understand. I mean, is there a customer service sort of, like a, you know, awareness kind of moment here that people could take away?

Dustin Carlson (26:31) Yeah, absolutely. I think, you know, small businesses in particular, they're, you would think, not targets of cyber attacks, but it's the exact opposite.
And I think that largely is not known, in the particularly small business space, that they are the majority of targets for cyber attacks. And I think what you said about really leaning into your broker and asking questions, that's definitely a great start. You know, a lot of small business owners, they're good at their core competency, like you said, that what they're doing business as, and they don't have the time to really lean in and do that. If the worst happens to your business, you'll wish you did, unfortunately. Yeah.

Martin Hinton (27:24) So I touched on it. One of the things that I refer to this as the Moby Dick number, the high number for the cost of cybercrime globally in 2025. The number you see cited is 10 and a half trillion dollars. And to put that in context, that would make it the third highest GDP after America and then China. So an enormous amount of money. Compounding that is that much of the money you might pay in a ransomware payment goes to fund the very nations that America would consider enemies or foes at the least. So places like Iran and North Korea. There was a report late last year that fake North Korean employees who had taken jobs via remote work possibilities, thank you, COVID, and they had through use of AI appeared and sounded like someone else. And they're actually sitting in North Korea working for American companies with access to sensitive internal information and perhaps more than that. And that they had, in the time they've been doing this through last November or so when this report came out, generated a billion dollars in revenue for North Korea, which is cash-starved because of the sanctions against them. They have a real issue with liquidity. So that's a sort of very small example of the scale. I think the FBI puts the crime that's reported to them in the low teens of billions of dollars. The last report, which I think is for 2024, touching on what you just said, that there's this idea that I have that things won't happen to me.
There's a small business and maybe it's just all of us. We're just teenagers at heart, right? Yeah, I think it is. I don't want to be a small business owner. I don't want to throw me under the bus. But the idea is that we have this sort of mentality where we see things happen and we're like, well, that would never happen to me. Why would anyone ever steal from me? And again, back to the abstract part of the cyber threat and cyber resilience is that

Dustin Carlson (28:59) I think it is all of us, yeah.

Martin Hinton (29:17) I don't think we can appreciate that all the records you might hold digitally are very, very valuable. The identities you might possess, or even if you've got credit cards on file so you can bill people for stuff they might buy on your website, if they've got an account. There is a real value here for this sort of thing and that's seen in the numbers. With regard to ransomware payments, and we touched on this when we did our pre-interview, you touched on this already, huge numbers of them aren't required to be reported. There is that missing data set for underwriters to assess the risk. And then also for leaders to motivate greater enforcement or greater cooperation internationally, because this is a global problem where there's no protection provided by geography. I wonder whether you might sort of tell me a little about the ransomware payment environment, about all this. What about a ban or mandatory reporting to help create a greater understanding of the risks so that people can insure themselves properly and look into things like 831(b)s properly and make sure they have, you know, the layered defense that we hear about in military terms for their business and their lifestyle and their livelihood.
Dustin Carlson (30:26) Yeah, you know, I think a big, you know, I hate to use this word, but a big stigma that is out there is, you know, if you say that you were ransomware attacked and that you, you know, caved into them, you get kind of a stink on you, I think. You know, it's, but the truth is, anyone's susceptible to it at the end of the day. And so maybe it's lowering that stigma of the fallout from that, of having to do that. You had to go get a Bitcoin so you could pay off some guy. I think people need to maybe take a different approach to how that's treated. And then, I know some countries have explored, I think the EU was exploring banning ransomware, or sorry, ransom payments from ransomware altogether. And I think there's a logic to it, but does it really prevent someone from doing that? And then you're doubling the consequences for someone by making that illegal to do. Because it's not going to stop the bad actors from still doing it unless everyone absolutely adheres to the law and doesn't do it, right?

Martin Hinton (31:49) Yeah, I mean, the one point that always gets brought up whenever I bring up the idea of banning ransomware payments is health care is enormously susceptible to cybercrime. And if you're a hospital and your records get encrypted and you've got surgeries planned, we're talking about life and death and they're not really in a position to say no. And again, to your point, there is almost this idea that being the victim of a cybercrime, clicking that phishing link, we're very comfortable blaming the victim still, to your point about the sort of shame someone might encounter. And there is genuine concern over reputational damage. If you've got employees, me, customers need to trust the businesses that they work with, and that matters. But this idea that you are a fool for doing it is ridiculous. Organized crime, I mean cyber crime, is incredibly organized.
And when you see things like records leaked from, you know, the gangs with the cool names like they used to have when they robbed banks on horses, they are organized. There are schedules, there are Slack channels, there are, you know, the inter-, there's one example out of the UK that was the internal chat log and it was someone who got to work at the office building where they ran their ransomware operation and they had forgotten their ID and they couldn't get in, so someone had to come down to the door just like it might have been any other office to let them in to come into the building for their day's shift. And I think that that is

Dustin Carlson (32:49) it.

Martin Hinton (33:17) You know, the other thing is you don't need to be technical, right? I think that at least someone my age thinks that in order to be a hacker or a cyber criminal, you need to have some kind of computer expertise. And the truth of the matter is you just need the will. And you can hire people to do it for you, like you would hire someone to create a graphic for your website off Fiverr. Not saying it happens on Fiverr for the record, but that idea that it is incredibly sophisticated, state-backed, organized crime that has proven enormously profitable for bad actors. And when you have that motivation in the human sense, they're going to find a way. And again, like the example I use is a bit like if you got called up onto the stage during like a David Blaine magicians type show and you were convinced you were going to be able to see him do whatever he did that allowed him to know what card you picked. You can't see that. And just like you can be fooled by a street magician or a through some once upon a date myself, someone playing three card Monte in Times Square. You can be fooled digitally and maybe even a little bit easier because we're so... Yeah, why would you think it's easier?

Dustin Carlson (34:17) I would say it's easier. Yeah.
You know, I think it's really, so you said you don't really have to be so technical to take advantage of someone online or to scam them. It really boils down to the social engineering is really the weak link and because you're targeting that weakest point of the data breach protection or firewall, whatever you want to call it. So, you know. You get people into these scenarios by sending them an email. You make it very urgent. Maybe you're posing as the CEO and now you're a low-level employee and you're getting an email from the CEO and they're telling me they need this done right now. So I think it's a lot easier to really prey on people's emotions and really get them to do things without thinking because you're triggering that sort of fight or flight response or whatever that is that's going on there.

Martin Hinton (35:21) Yeah, I've come to say now if you ever get an email that makes you think you owe someone money and it makes you feel uncomfortable and you have a sense of urgency, like you can't do anything else next, you have to do this, don't do it for 24 hours, like just ignore it. Because there is, I mean, everything we know about behavioral psychology and putting the milk in the back of a supermarket so you have to pass all the non-essentials to get to the essentials, that information is available to the bad guy too. And I think that that is, again, something as you...

Dustin Carlson (35:34) Yeah, yeah.

Martin Hinton (35:50) not only sit in this space as an individual, but if you're a business owner or a manager, to remember that there is a really, really sophisticated operation assaulting you all the time. And you made another great point. This often happens when we're under moments of distraction. We see spikes around the holidays. We see spikes around the lunar new year, particularly in Asia. We know that things are often done on weekends because that means that there are people maybe away or on vacation or not in the office.
Again, these are not accidents. This is, again, a sophisticated, organized assault to make billions and trillions of dollars.

Dustin Carlson (36:27) I'll give you another example. We recently hired a few new people here at SRA and magically those new emails were targeted by attacks with our CEO emailing them saying, hey, I need you to do this, this and this. And I need you to jump on this link real quick and link up with me. They're even sophisticated enough to know like who's new at your business. That's the person I'm going to prey on because they probably haven't had a full training yet. So they're sophisticated in so many ways and the attack vectors that they have are pretty wild when you sit and think about it.

Martin Hinton (37:06) Yeah, they are. And what's alarming about that is this is just the malicious part, right? If you have 30 employees at your company, you are in all likelihood dealing with vendors outside through your third party sort of supply chain. And then there's the non-malicious outages that can create these business interruptions. One of the things that we see a lot of in the phrase, it's a bit misleading in my opinion, is supply chain vulnerability and the idea that... You wouldn't have an accountant if you're a 20 person company or maybe a lawyer on staff, but digitally you're connected to them and you're uploading contracts to the cloud and sending documents and records back and forth. There's also the acts of wiring money, but that creates real vulnerability because that transit is something that can be hijacked, if you will. So I wonder whether you think about like the software as a service environment and the cloud environment, the way that... a breach outside of you, you might have the best practices in the world. But if the power goes out down the block, your power goes out too, and you have a real problem.
And I wonder whether you might sort of explore some of that element of the sort of risk to business interruption that exists as a result of third party dependency and even non-malicious outages.

Dustin Carlson (38:20) Yeah, you know, I think cyber, it definitely gets the news headlines, you know, cyber breaches, cyber attacks. I think this third party sort of dependency that we're all interlinked between all these services, I think that really flies under the radar today. You know, we particularly found that out last year, I believe it was 2025 with Amazon Web Services that went out for an extended period of time and you learned how many other companies are hosted by Amazon Web Services that you rely on to do business. You might have been fine, but Salesforce or Slack, whatever you use to do business may not have been fine, right? And now you're affected indirectly, and now you're suffering a minor business interruption yourself because of this other interruption. So... As we begin to get more interconnected with the digital space that we're in, it's only going to grow. And then that's just the digital part, right? You mentioned power, the utilities going down. Just last weekend, we had the ice storms go through the South and Eastern US. Totally expect that we're going to have claims related to that, people's power being out for an extended period of time, or maybe the roads were closed and they're not able to access their place of business. So yeah, the third party dependency and again, business owners, do you have the time to sit and think about, okay, what happens if Salesforce goes out and how could they possibly go out? How does that happen? And that's just one vendor, right? And we all probably have multiple vendors that we're relying on. Microsoft, another big one. We've just in the last month or so, I think we've had two business interruptions related to Microsoft being down for a day or so.
So, you know, there's all these vendors that we rely on and when they have a business interruption, it trickles down from there.

Martin Hinton (40:25) I mean, you really do touch on the, when we flip the switch on these devices, whatever the device might be, or we log on to the website, whatever the website might be, or we open the app, whatever the app might be, the expectation, because we are lucky, because it's amazing what we've been able to create with regards to the digital economy, we expect it to work. And it works so often, even if it's a little buggy, maybe it needs an update or a bug fix, as they say, invariably, most of the apps you use work incredibly well. And most of the sites you visit work incredibly well. Most of the places you might shop work incredibly well. But when they don't, we don't have any idea what to do. I mean, the one that I always come back to is the Marks and Spencer hack because it gets a third party vulnerability where they have 50,000 employees spread from Manchester and Northern England to India for their IT and website elements. And the chairman Archie Norman testified before the UK parliament and he said, you know, what I realized is that just one of those people commits the wrong click. And in their case, it was a sophisticated impersonation via an IT desk, I think a password reset, and you're in the system. For the American audience, Marks and Spencer's is a massive retailer. So think Target or Bloomin', you can buy everything from a lamb's wool sweater to bananas at a big Marks and Spencer's in the UK. From April to July of last year, they could not fulfill order online, collected the store orders. So that entire revenue stream went away. Now they had cyber insurance, but this is a massive company who thought within the impression that they had cybersecurity locked down and they had resilience built in and it didn't work and it took forever to fix. And I think what I'm wondering about is a massive corporation publicly traded.
It took a huge hit on the UK stock market. I think that they're gonna... They had $200 billion worth of cyber insurance coverage. The last estimate for the cost that they incurred is $300 million. They're a massive company with 150 plus years of legacy existence. They weathered the storm. Big guys can often weather the storm. The little guy, not so much. And I wonder whether or not, you touched on this earlier, we hear about the big hacks and these big companies, MGM. You know, Land Rover, again, Jaguar over in the UK, they weather these storms really, really well. And I wonder whether you might touch on whether that creates a misconception amongst the smaller people that they could too. What do you think about that?

Dustin Carlson (43:02) I agree and a lot of these have just in the last two or three years are being disclosed because of the SEC requirements of publicly traded companies. Companies like MGM, like Target, they have to disclose these things now. And I do think that creates a misconception for small, medium sized, privately held companies that they're not the targets of these. Because when I look at the news, it's these massive corporations that are being targeted. When really that's not the case. You know, over half of all cyber attacks are targeting small businesses. And they do that because small businesses, they lack the resources to combat, you know, to even have the firewall in place to go about protecting themselves in those types of situations. You know, large corporations like an MGM, they have the resources to weather that storm. Just from the cash flow that they're generating on a daily basis, a few hundred million to them is not the end of the world. For a small business, you talk about a few hundred thousand dollars, I mean, that's massive. And if you have to take that from cash flow, that's gonna potentially bankrupt your business overnight. And so, go ahead.
Martin Hinton (44:19) I make, no, no, I was gonna say you make a really good point. There's the cost of the breach and then there's the cost of not being able to do business. So if you're a small business, imagine, I mean, the numbers vary, but let's say the average closure time as a result of some kind of cyber attack is, I feel like I've seen a varying range of, in the 20s, three to four weeks. And I guess the question that raises is, okay, you can't make money for four weeks. Can your business survive?

Dustin Carlson (44:46) Mm-hmm.

Martin Hinton (44:47) I mean, that's the question you need to ask yourself. And if you don't, you need to touch base with your broker, talk to people like Dustin about what you can do to create some ability to survive that, even if you have to take measures to lower costs and unfortunate things like lowering costs. The big one that we're going to lower costs is laying people off. I mean, I think that that's something you want to avoid because that's a business interruption. Again, that's the long tail. If you got to rehire people and maybe the

Dustin Carlson (44:49) Yeah.

Martin Hinton (45:16) people you let go can't be rehired because they went and got other jobs because they needed to work. Now you've got to retrain people. These are the sort of abstract parts of this business interruption and the cyber attack that, again, I think people can kind of get their heads around. OK, if my warehouse burns down and I have 30 days where I don't have any furniture I can store to sell, I get that. I get that idea. One of the, sorry, go ahead. Yeah.

Dustin Carlson (45:38) Totally. No, I just completely agree with what you just said. Yeah, it's something folks don't think because it is so abstract. It's just out there in the cloud. It's hard to grasp for people.

Martin Hinton (45:53) One of the things that I've become fascinated with is business email compromise.
Most of all, because I'm old enough that I used to pay rent by mailing a check in an envelope or FedExing some documents. There was an enormous amount of time or friction in the process of communicating via the written word, mailing letters, even faxing took more time. Email is this brilliant device, which perhaps has become a bit annoying now that you are bombarded by things you don't want to see you and have to unsubscribe for. But there's a phenomenon where you get what's called business email compromise or invoice hijacking and you get a situation because people want to be paid by wire, you're wiring money from one account to another and someone somehow interrupts that communication and sends in instructions to send money to our new bank. It, like you've touched on, it looks like an email from your friend Jill at so and so company, and it's formatted correctly and you're like, okay, 30 days passes and you get a phone call from Jill and she says, yeah, we haven't seen that payment for that invoice. And you say, Jill, no worries. I can send it to your new bank. And Jill's reply is, what new bank? So tell me about business email compromise and how it leads to wire fraud and that element of all this.

Dustin Carlson (47:12) Yeah, and this risk right here is one just in the last three to four years that we have seen a lot of uptick in just in our client base. And we do our best to educate our clients and it's still happening. But yeah, this comes down to, again, targeting that human element of the firewall. And yeah, so you might get an invoice from a vendor that says, hey, here's the invoice for the services I provided, go ahead, you know, mail the check, send the wire. But shortly after that, someone who's in either your email or your customer's email, or it might be in the email of someone who was CC'd on the email.
And then now that person, that scammer that's in there is able to capture that, send an updated invoice and say, hey, I forgot or hey, we recently updated our banking instructions. Can you go ahead and send it to this new account? And again, because you're dealing with humans, that person might not pick up the phone, verify those new instructions. They might feel under pressure to get it paid because maybe you're up against the due date now. And so they send it out. I'll tell you the other thing that we've seen recently too is a similar thing where folks are basically dummying up an email chain of emails between the CEO, the controller, and there's all these emails history that you can go back and look at of them saying, hey, yeah, we gotta get this paid. And then they're sending it to the bookkeeper and saying, hey, can you go ahead and pay this for us? See the emails below for reference, right? And so this is another avenue we're seeing now where they're just getting more sophisticated. There's a word for that type of attack now that I'm not remembering right now, but just another avenue I'm seeing.

Martin Hinton (49:13) Well, I'll look it up and it'll be on the screen right here when people see this. That's, I mean, what you're talking about now is my mother was a big antique collector and provenance, like where something's been, like the idea that it has legitimacy through time. And I know who owned, quote unquote, the email chain. It all in our minds builds legitimacy, right? It creates increased value. I can trust this more.

Dustin Carlson (49:21) Perfect. Perfect.

Martin Hinton (49:43) And back to our point about how we can all be subjected to the street con and the digital con and maybe even more easily in the digital con again, because we're used to this all happening fast. We click, we click, we click. Nobody reads terms of service. You click that box and the 10,000 words terms of service you agree to, have no idea what's in there.
And the next thing you know, you're in arbitration over something that you didn't even think was going to happen. I mean, that's a lot to say, but this idea that you, I used to say,

Dustin Carlson (49:55) True. Yeah.

Martin Hinton (50:13) trust but verify, and someone had managed me on a recent podcast and said, Martin, we've moved beyond that, now it's don't trust and verify, right? You cannot trust people to be telling the truth. I mean. Yeah, I, so again, like as a point of order for the audience, one of the other things is I was transferring some money the other day and the bank I was using, someone called me and I know this person, I deal with them often.

Dustin Carlson (50:21) Yeah. Yeah, that's a good rule of thumb right there. Yeah. Don't trust from the very beginning. Yeah.

Martin Hinton (50:41) And they said, oh, you know, I'm really sorry. We just have to verbally verify and call you. And I said, listen, I'll call him Frank. Listen, Frank, do not apologize. And in fact, if anyone gets mad at you, you need to explain to them why you're doing this. And it's so that they don't get their money back. Because I mean, am I wrong to say that if you wire money to someone and it's wrong, but the numbers are all legitimate, you're not seeing that money back. That's not coming back, right?

Dustin Carlson (51:05) Yeah, highly unlikely that you're going to get that money back. There has been one instance dealing with clients of ours where I've seen it come back. It was Chase Bank actually, but the fraudster made the mistake of not moving the money from the account that it was wired to. So it was kind of a fortunate thing that happened there. But yeah, a lot of times you're not going to get that.

Martin Hinton (51:21) Yeah, they get exactly. And you touched on this, like the way that you might be pressured to do something quickly or be spoofed into thinking that it's the CEO who's angry over email and not someone at somewhere else pretending to be the CEO.
If you're not following your proper procedures or the procedures you say you have in your insurance policy, your cyber policy is not stepping in for this, right?

Dustin Carlson (51:50) No, if they're not following, if your employees or whoever's, you know, the one that caused the breach, if they didn't follow the proper procedures that you have written, or even up to just, you know, standard, you know, industry accepted procedures of handling these types of, you know, cyber procedures, if you're not following it to some standard, you're going to get denied. And that's a very common exclusion within these cyber policies that if the employee isn't picking up the phone to verify the instructions and from a known number, by the way, because a lot of times the email signature will look right, that there's spoofing, they'll have a phone number in there and then it's going to, you're calling the scammer at that point and then you don't even realize it. And maybe they have a voice AI that's modeled after the person you're used to talking to, because that's very easy to do nowadays. Especially if you're like Martin and have a lot of podcasts, that's very easy to run through AI and model your voice now. And so you need to be calling from a known number, you need to have all of this written. And if you have written procedures for cyber and handling this type of stuff, you need to be training your employees on it. And if you're not doing that, how are they going to be able to follow those procedures, or even know that there are procedures that they need to be following? And if you're not doing that type of stuff, you're gonna be left in the cold if you're relying on your cyber policy. And that's where a company like SRA, where we can come in and be sort of that umbrella or catch all for the company when that type of thing happens.

Martin Hinton (53:38) You're picking up the next point.
The only thing that occurred to me as you were chatting just then is that we've removed so much friction from the way we do business as a result of what we can do digitally. But when you're paying a bill, the thing I've started thinking lately is even though you can't actually hand the money to someone over the screen, imagine you've got $6,000 in your hand. Would you give that to the person you think this is if they were in front of you? You've got to put a little friction into it.

Dustin Carlson (54:07) Yeah.

Martin Hinton (54:08) You know, slow it down a little. And if someone gets mad at you, that's a warning sign. That's a red flag. If someone doesn't understand why you're, you know, taking the next step. So one of the things that we've discussed in the sort of broad notion here is that business continuity, the ability to continue doing business when the weather's bad, when there's a storm, when there's a flu epidemic or COVID or a cyber attack or a breach of yours or someone else's, this is all about being able to

Dustin Carlson (54:15) fully.

Martin Hinton (54:38) continue being resilient, and the same way we think about that as individuals. Cyber gets stuck in this space where it's a little abstract, and it gets, especially insurance and the insurance industry is creating a new product and a new revenue stream. In my opinion that's hurt its ability to be understood broadly as valuable to the general population, particularly small businesses, as we've discussed, who are dealing with everything from their own record-keeping to their own HR. They don't have, you know, layers of bureaucracy to deal with all the things businesses have to deal with. Do you think that there's a need to sort of reframe cyber as business continuity?
And then with respect to SRA and the 831(b), keep in mind that depending on who you are and what your risks are, not unlike say you're, you know, if you're 25, you could probably, you know, back squat at the gym and not worry too much about your L3 vertebrae. If you're 55, maybe you don't back squat so much anymore. You change your attitude between, based on the risk you face in those situations. And I wonder whether or not there's this need to sort of reframe the risks cyber creates and the cyber insurance and cyber resilience. And again, the SRA 831(b) idea is all about making you healthy and making your business healthy for, I guess, a rainy day.

Dustin Carlson (55:51) Yeah, you know, I always say personal finance 101 is to have an emergency savings account, right? Like that's any advisor, that's what they'll tell you. And that's really what an 831(b) is for. And that's really what a company should have. Whether you're going to have it tax deferred or not is in the good years when you're making money and you have excess cash flow, the ability to set some of that aside, you know, preferably within a tax deferred vehicle like an 831(b) plan. But the ability to set that aside really sets you up to weather the storm to address those rainy days. And it can not even be a cyber event, right? It could be that your building flooded and now you have to pay out a deductible on your property insurance. Well, do you want that deductible to come out of your cashflow in order to cover that? Or do you want it to come from a tax deferred account that you've been planning ahead for and saving for? You know, God forbid these bad events happen, but when they do, it's better to be prepared and have a fund set aside to address those types of things. So you're not borrowing from cashflow, you know? During COVID, when people had business interruption, the revenue stopped, but those fixed expenses, they don't stop.
And so how are you going to find the ability to keep your employees on the payroll, keep your building lease going, keep your commercial mortgage going, whatever the case is, how are you going to address that when something bad happens to your business?

Martin Hinton (57:31) Yeah, I mean, again, I think, I mean, if the rate of cybercrime and then, you know, the global experience of COVID, and again, the long tail of that from the point of view of inflation and supply chain issues, and I mean, the physical supply chain, these are, I mean, listen, we often do good when bad things happen, we react well, and whether or not we reacted well to COVID is a whole other series of podcasts, I suspect. But this idea that we, when you, a business is a life, right? It travels its history and good and bad happens. And you know, the good you tend not to need to plan for, you do need to plan for the bad. And with regard to the cyber threat, it is, it's bad. And I really can't understate that over, excuse me. I can't overstate that enough. So I would say, you know, before we close that there is, there is a real need for you as a business owner and even as individuals to consider how cybersecurity is a real civilized thing to make sure you're handling. At any rate, Dustin, we've been talking about an hour or so, and I know I promised you when we got towards about an hour mark, I'd say that we didn't get to everything we were planning to, but is there anything we did discuss you'd like to talk about again or anything we didn't discuss that you'd like to bring up, anything people should know before we say goodbye?

Dustin Carlson (58:57) You know, I just would like to reiterate that, you know, it's really, like you were just touching on, it's really important to be proactive and not reactive in these types of events.
So, if you have the ability to, you know, work on your business and not just in your business and pull yourself aside for maybe an hour, one week, here or there, dig into your insurance policies, figure out what you're covered for, what you're not covered for, and then, once you have that knowledge, then the question is, okay, how am I going to address these risks that I know I have and my insurance company is not going to cover? Or maybe I have a large deductible that I might be responsible for one day. And ask yourself, how am I going to do that? How am I going to address that? And I would say one of the things is reach out to SRA, 831(b) Admin, and we're happy to be an enhancement to your overall risk program and get you ready to weather the storm.

Martin Hinton (1:00:00) So there'll be links to Dustin and SRA in the comments and the show notes wherever you might be seeing this. So you can find him there, although he's not that hard to find on the web. I mean, you make a really, really good point that if you find yourself in a situation where you're like, my God, I don't have this and I don't have that. And now my cyber insurance policy wants me to introduce MFA. You need to, it's hard, right? You need to react calmly and begin the process. You're not going to get it all fixed in a day. But like you said, like an hour a week or two 30 minute chunks a week, those steps could be hugely important to your business, to your livelihood and those of all your employees and that sort of thing. Again, stepping outside the journalistic sort of impartiality, having been doing this a couple of years, I would encourage people to do exactly as you said, is get a good assessment. And one of the beautiful things, there's your service and what the 831(b) can offer.
But because this is a relatively new form of insurance, there are a lot of insurance providers who are doing things like helping bring your cybersecurity up to the level that makes you a good customer for them or a safe policy for them to issue at a price you like. It's a buyer's market out there, particularly in the flat pricing. So you can compare and maybe take advantage of a deal. I don't have any to offer off the top of my head. Just do anything else.

Dustin Carlson (1:01:28) No, that's everything, Martin. I appreciate you having me.

Martin Hinton (1:01:31) Well, Dustin, I really, really appreciate you putting up with some of my sort of, explain it to me like I'm a fifth grader questions, but I hope that the audience, and certainly I did, got something from it. So Dustin Carlson with SRA 831(b) Admin out of Idaho. Thank you so much for joining us. I really, really appreciate the time. Like I said, there's all kinds of links to some of the stuff we've been discussing as well as Dustin and his company below in the show notes. So you can find him there. Again, Dustin, really appreciate it. I'm Martin Hinton.

Dustin Carlson (1:01:56) Thanks for having me.

Martin Hinton (1:01:58) Executive Editor of Cyber Insurance News and Information. Thank you all so much for joining. Really, really appreciate it. If you would like, subscribe, share. If you've got questions, leave them down in the comments. If I can't answer them, I'll get them to Dustin. But again, thank you very much for the time. We really do appreciate it. And enjoy the rest of your day.