Martin Hinton (00:02) Welcome to the Cyber Insurance News and Information Podcast. I'm the executive editor of Cyber Insurance News, Martin Hinton. And joining me today is Jessica Newman, the global GM of Cyber Insurance at Sophos. They've got some big news that they just announced we're gonna get into. But off the bat right away, first of all, Jessica, thanks so much for joining us today. How's your day going so far?

Jessica Newman (00:22) Martin, it's a pleasure to be here. Thank you so much for having me and it's been a really exciting day so far for Sophos.

Martin Hinton (00:29) It has been, it has been. That's a little tease. We're going to get into that in a second. But I think the headline really is that your professional career started as a high school principal. How do you go from high school principal to global GM of cyber insurance at Sophos?

Jessica Newman (00:41) That is a golden question, isn't it? Yeah, I spent about 13 years working for Denver Public Schools. I was a teacher working with a lot of really kind of struggling youth in Denver. Got to eventually start up my own high school, which was really awesome. And just realized very quickly that, you know, cybersecurity was something that really impacts kids and really impacts career pathways for kids. Had some kids dealing with cyber bullying. I even had a student who was unfortunately wrapped up into a trafficking issue. I just, as a new mom and an educator, was becoming really interested in cybersecurity. And I ended up after five years of running a high school, I ended up resigning and starting up a LinkedIn account and friending everyone in Boulder County to understand, you know, what cybersecurity is and what jobs in that space look like, and was really lucky to find a few companies who, who gave me a shot. And I think, you know, honestly, Martin, I think teachers are the best sellers out there.
Teachers understand how to take really complicated topics and break them down into bite-sized topics. They understand how to speak to people where they are and how to move them along at a pace where they can learn and understand things. And I think that's exactly what a successful salesperson does. So tech and data and cybersecurity business development has surprisingly come quite naturally out of my education background.

Martin Hinton (02:28) Yeah, you fall back on your explaining to me like I'm a fifth grader kind of a dead.

Jessica Newman (02:34) I feel like if I can talk an 18 year old into staying in school, then usually I can convince somebody that their cyber controls matter as well.

Martin Hinton (02:44) I mean, it's, we'll get into it, but it is an industry in a field where a greater level of broad understanding is called for in some respects, but we can touch on that. You're at Sophos now. Tell me about Sophos.

Jessica Newman (02:59) Sophos is an amazing company. It's a massive global company. I think we have over 600,000 customers globally. I think north of 35,000 of those customers are MDR customers. And so just a massive scale there to really have some fun with in the insurance space. Our MDR is highly rated. It's a trusted vendor in the space. And recently Sophos acquired SecureWorks too, which is an IR operation that was highly regarded in the insurance space before. And now we have that within our purview as well. So really everything from small and medium sized businesses to large enterprises is where Sophos plays now. You know, we have leadership that is very bullish on cyber insurance. They're incredibly supportive and they understand that that's a space that is worth us playing meaningfully in. So they recruited me last summer to build out an insurance channel for them.
Martin Hinton (04:08) And in respect to that, there's some news this week involving Spektrum Labs that we covered here and we're going to be posting this next week. So it'll be last week. But tell me about that, that new latest news, the hot off the presses element of what's going on.

Jessica Newman (04:22) Yeah, it's pretty exciting. Spektrum is really serving as our technical partner. are basically a transaction layer where we have a marketplace of carrier partners and a broker network as well, keeping that broker tent as wide as possible, knowing that brokers are incredibly important player in the cyber insurance motion. I think that's where a lot of these initiatives have actually failed in the past is by sort of underestimating the important role that a broker plays or forcing people to use one broker or another. We're purposely keeping a very large broker tent for this motion. But basically what Spektrum is doing is really unique. They are tapping into Sophos MDR telemetry and basically creating a very seamless motion for a customer to essentially prove that they've purchased and configured MDR properly. And then essentially via API sending that information as well as some firmographic information out to the carriers who are basically trusting their green lighted token, API token, and rewarding those customers with enhanced insurance terms. So working with a, with, with a carrier panel that also makes sure that we're, we're catching, you know, carriers that have an appetite for small and medium sized customers, as well as mid market and larger enterprise, you know, working with, with name brand global carriers who, you know, understand that Sophos MDR is a really meaningful cyber control that actually does reduce loss ratio, and so rewarding those customers with enhanced terms. And all of this is done in a matter of a few minutes.
So really in a few minutes, a customer can validate their controls and receive quotes to cross compare and bind one of those quotes in collaboration with their broker.

Martin Hinton (06:33) I should mention we had a few episodes ago, we had Max Perkins on from Spektrum Labs. So I'm familiar with him and the company to the degree that one can be in short order. So you touched on a couple of things there that I guess I wasn't planning to ask about now, but I'm gonna. So you mentioned the speed with which you can be assessed, I guess, through the app, the tool. That's huge now for small and medium size sort of companies or

Jessica Newman (06:43) Yes.

Martin Hinton (07:02) particularly smaller companies. Am I right in what I've read and seen and been told in places that, you know, speed of, you know, having your, excuse me, the big thing you touched on, two things really. There's the, you can't just say you have it anymore. You got to say you have it and then prove you have it with regard to the safety and security around cyber. And then an easy way to do that for small and medium sized businesses that are already pressured. A lot of small businesses have trouble doing the business, never mind working on the business. Are those two sort of pillars of this that are the big things for people to take away?

Jessica Newman (07:39) Yeah, it's really an effort to take away the friction that currently exists in that whole process where, you know, customers are often faced with, you know, lengthy applications. They're answering yes, no, I have something or I don't have something in place. Then insurers are in an awkward situation where they're just, you know, believing that or just hoping and praying that the customer is actually doing what they say that they're doing. And then, you know, then there's ambiguity potential there when there is a claim, you know, did you really have MFA, you know, or MDR enabled across your whole environment?
Did you respond to these high level alerts? Did you patch certain vulnerabilities quickly? It's that kind of verifiable evidence that really sort of makes insurance work exactly as it should rather than just based on a hope and a prayer. And I think, you know, we're in a moment where carriers, for example, are extremely hungry for MDR telemetry. They understand that MDR is a game changer as a security control. So underwriters are looking for MDR more and more. Not all carriers really want to handle raw data, raw telemetry, right? They don't necessarily need that. But having a token from Spektrum is essentially packaging up that data in such a way that it's extremely consumable for the carrier. They know that it's been green-lighted and tested as sort of a pre-underwriting motion that then gives their underwriters confidence to offer terms. And so it's a unique play.

Martin Hinton (09:29) Remembering a story I did very early in my career in television about Underwriters Laboratory, the idea that you can certify something for being safe in this environment with these parameters and that sort of thing, this is about creating and, you, you mentioned the word friction, but there's also with regard to cyber and the threats, there's a bit of a fog around the dangers. This is all about making the process more uniform. I say that because you've been doing this a little bit now and this particular form of insurance has changed dramatically even since you entered the field. I wonder whether you might start sort of, you know, what was different when you started or when you came into it, what did you encounter with regard to say the relationship between underwriters and brokers and how risk was assessed and policies were written? What are the big changes you've seen in the, well, how long is it now? Is it?

Jessica Newman (10:18) It's been about seven years now in cybersecurity total, and it's been about five in the insurance space.
It really started, I was selling dark web data for a company in Denver called DarkOwl. And I was just lucky enough that they gave me a shot to see where I would fit in in their company. And they were really gracious enough to give me a chance. And one of the first deals that I closed was actually Cowbell. Cowbell was in beta at the time. Coalition had launched, but it was very, very early on. Appay had launched, but it was very early. So these MGAs were really, these cyber focused MGAs were really just coming to market back in 2021. And I would say that those, was really, I then went to work for Cowbell after that. And I think having that lens into what that kind of business, having a lens into what kind of data that business is looking for was really instrumental for me. I learned right away at Cowbell that inside out data is something that insurers are really hungry for. There are, for example, all kinds of... you know, outside with what we call outside in risk scanning that, that really great companies like SecurityScorecard and BitSight and all of them do. And that's, that's more publicly accessible data. Obviously it's not so easy to create a crawler that goes and scans and, you know, touches upon several hundred data points and collects it all and makes a concise report on a company's threat posture. But what insurers lack is that inside out data, like what is going on under the hood of these companies? What's beyond the firewall? That's the kind of data that really helps underwriters price and select risk. And so it was really important for me to understand that that's where the best of the best, people that are solely focused on cyber, the people that are most digitally enabled and data enabled, that's what they're looking for. And that sort of informed my view into the market. From there, I went and worked at Acrisure Cyber Services, which is a massive brokerage serving customers all across the, all over the world.
And that was a really interesting lens as well, seeing what the broker, what the broker's role in the conversation is and how those conversations go between brokers and end customers. At Cowbell, you're removed from the policyholder when you're sitting at the carrier, in the carrier's chair. They're not the ones talking directly to customers, it's the brokers who are. So it's almost like insurance, it's almost like telephone tag. There's just so many players and different audiences and they all have different incentives, they all have different sales cycles. These are the nuances that you kind of have to understand when you're thinking about how to put something together that's a large scale sort of strategic play like the one that we announced today.

Martin Hinton (13:41) Do you, I mean, in thinking about the way that you touched on it now, when we spoke before the podcast, you talked about how brokers and buyers and carriers, they talk past each other. Do you think that that has slowed the growth of, say, cyber, or is that just inherent to the complexity of insurance in general? I mean, I'm just curious whether or not there's, go ahead.

Jessica Newman (14:01) I think it's just human nature, honestly. I think that people, any salesperson is going to sell the thing that they feel most confident talking about. And so, you know, if I sell MDR and email security, I'm not going to feel very comfortable talking about cyber insurance. And if I sell property and casualty insurance, then I may or may not feel extremely comfortable talking about specifically cyber insurance. And so, you know, it's, there's a massive education effort underway to help other people, you know, help other audiences understand the complexities of cyber insurance. And I think it's important to just keep that in perspective. You know, it's, it's, it's not like you can just tell something, tell something to someone once and they get it. It's, it's got to be a message that's repeated over and over.
And I think the battle we face is that, you know, it's nuanced, it's complex. And so you really have to move people into a place of comfort before they're able to evangelize and speak about it at scale.

Martin Hinton (15:12) I mean, so this sort of moves us into the next topic. And we sort of touched on this with the Spektrum Labs, Sophos news, but what Sophos is trying to build is something that addresses, I don't know, what would it be like the early issues of the childhood of the cyber insurance business that there are, you know, it came along in a weird way and then ransomware had the impact it had and we're gonna, what is it a flat cycle now? You know, the pricing, with regard to pricing. You try to build something that sort of settles this MDR loop. You're talking about, say, you know, what I think, like what are the MDR providers giving carriers that they want? I mean, you're like any business, you're solving a problem that exists. Information is that problem. And data outcomes, guarantees. What kinds of things are the carriers coming to you for? Do you see them not asking for that they need? Tell me about that part of what it is you guys do.

Jessica Newman (15:59) Yep. Yeah, the MDR telemetry is critical to assessing risk ultimately because it's, you know, the problem is with endpoint and with XDR as it's called is, you know, you can, it's sort of like you can have the fanciest tool out there. But if you don't know how to use it and you don't know how to configure it and you don't know how to manage it or you don't have a team to manage it 24 seven, it's just not going to serve you. It's kind of like an eight year old who has a fancy Apple MacBook and only uses it to just search on Google. You know, it's like you're not, you're not, you're, if you don't know how to utilize endpoint. And if somebody's not watching it carefully for you, then it's not as effective of a tool at predicting or assessing risk. MDR is a totally different ball game and I think carriers know it.
And it's because there is a trusted, a massive trusted team constantly watching it. You know, it's Friday afternoon. You may or may not have a security team that's watching the network on Christmas Eve or on Friday after or Sunday afternoon. But if you're using a reputable MDR service like Sophos, you can just kind of rest assured that somebody's watching it for you. And if there's an issue, someone's going to let you know. So, yeah, sorry, go ahead.

Martin Hinton (17:40) No, I was just going to say, all of this feels new, the way we think about the sort of vapor of data and the information we store in companies and that sort of thing. But what you've just touched on then is the idea that if you've got something valuable, let's say it's an office building, we'll make it up as a digital office building. The idea of having 24 hours, seven day a week, 365 day a year security is not a complex thing to comprehend. I've got laptops in there and all sorts of other things, files and records and contracts. We've moved all these things we value into digital spaces. And what you're describing now is an efficient way for it to be protected all the time. And that means that people insuring its existence feel more comfortable charging what they do. Am I simplifying it too much?

Jessica Newman (18:28) No, not at all. I think you're simplifying it to a perfect degree. And I often use the analogy of home security or physical security because that's a mental framework that people seem to understand. And I think from where, from where Sophos sits, for us, it doesn't really matter if it's a hard market or if it's a soft market in terms of insurance. We just want our customers to win. We want them to have access to best in class cyber insurance options, whether that happens to be at the moment, you know, priced less or when that shifts and it becomes a very hard market and cyber insurance is incredibly hard to acquire, MDR is going to be what gets them there.
So it's an insurability factor as well. And that's really important, I think, because when you think about the insurance and, you know, when you think about cyber insurance as a larger market, it's going to go through cycles. It's going to shift and change appetite, risk appetite is going to shift and change. And that's exactly what it should do. There's gonna be times when carriers are bullish on healthcare or times when they're really nervous about schools or whatever it is. But we wanna make sure that our customers are winning really no matter what the cyber insurance cycle is in at the time. And I think this play does that because no matter what MDR is either gonna lead to some sort of enhanced coverage or premium discount, regardless of the type of market that we're in.

Martin Hinton (20:06) That layer of it, like what it takes to be insurable for cyber now is in 2026. What does it mean in practical terms to be insurable? I mean, you've got controls in place, the ability to prove they exist and that they're working the way that they're supposed to 24 seven. What are the layers to insurability that achieve some of those discounts and, you know, I guess ideal policy conditions from both parties' perspective?

Jessica Newman (20:12) Thank You know, the typical players are going to continue to be the typical players. I mean, there's no cyber application that's ever going to not ask about MFA, data backup, an incident, incident response plan, cybersecurity awareness training. Those things are going to stick around. I think, I think the, what we will move away from is the question, or hopefully move away from is the words, do you have. I think, do you have it? It leads to yes or no. It's a binary sort of, I think, less complex question. I think what we're going to move towards is tell me, tell us more about how you've enabled or configured your data backup, your, your MFA, your MDR. So I think that's where it's shifting or at least starting to shift.
And then I think MDR too is not necessarily, that was not table stakes before. That was not part of the kind of top, I wouldn't say it was mandatory to have MDR in order to be insurable before. I think when the market does harden again, when loss ratios are outrageously high, I think that that's gonna shift. I do think that MDR has a potential to become table stakes in the future.

Martin Hinton (21:58) With regard to that and where the industry is now, when we spoke before, I think you used the phrase, we're at mile 10, not the finish line. And I guess that's a marathon at mile 10, not mile 10 of a half marathon. Take me through sort of the reality check of where the market is now as you see it.

Jessica Newman (22:15) Yeah, I'd say, you know, back when I was working, you know, several years ago back at Cowbell, I, you know, I would be at a dinner party and someone would ask me what I do. And it would, it would take me at least, you know, like a nine sentence paragraph to explain what it is that I do. And I think now, now we're at least in like two to three sentence territory. I think that people genuinely are starting to understand, completely outside of the cyber insurance space. I think people now conceptually understand what cyber risk is, that companies are being hacked, that it happens to everyone, this digital world that we're in is just a larger attack surface for threat actors. And so we're not fighting that education battle as much anymore. I think that we're much more sophisticated. I think carriers too are much more sophisticated now about pricing and assessing cyber risk. I think, you know, four or five years ago, it was really just sort of, you know, thumb to the finger to the wind a little bit. We are much more measured and sophisticated now, but I still wouldn't put us much past mile 10. I still think that continuous underwriting, continuous verifiable evidence-based underwriting is not in the direct near future across the board.
I think that there are some early acting large global carriers that happen to be more kind of less adverse to risk and more comfortable trying new things and being kind of more playing in this more innovative space. And I think when, when those carriers prove that that kind of underwriting works really well in terms of, you know, lowering loss ratio, minimizing claims, things like that, there will be fast following that comes after.

Martin Hinton (24:18) Do you, I mean, one of the things that, thinking about insurance, you renew your homeowners once a year, depending on your source of health insurance, maybe that's something you deal with once a year, but even if you're at a company providing it, there's the once a year, select your benefits or confirm your benefits sort of window of time. With regard to cyber, that's not the case ideally because of the nature of the threat, the nation state back, no, no, there's no geo-fencing. It can come from anywhere. Seven days a week, middle of the night, which is often when it does come. Do you think that that sort of need for the constant monitoring kind of attention in the policy and the underwriting is something that might come to pass? Or do you think that that's, you know, like we were discussing a little bit ago, needing to have, you don't have a security guard at your office for the first 10 years you're in business. It's there because the threat's there, the need for security's there. Do you think that that's the case or do you see it evolving away to a place where it's a little more like other forms of insurance?

Jessica Newman (25:26) I think both of what you just said is true. I mean, I do think that a lot of carriers out there have a desire to do continuous underwriting and to even have premium fluctuating month to month or whatever it is. In an ideal world, I think that sort of dynamic pricing with cyber insurance could be really interesting. And I know that some carriers have tackled that.
I think the problem is they just haven't had the continuous telemetry to do that continuous underwriting. The big X factor that's missing in the room is the data, the telemetry, the proof. And so because they don't have that, it's really difficult to be, you know, chasing such a dynamic risk as cyber. You're right. I mean, it shifts month to month, war to war, country to country. There's so many factors that, you know, the size of your business, the industry class of your business. I mean, there are just a million factors that go into determining what kind of risk factor you have. But to date, it just hasn't really been possible, especially because, you know, and even vendors that do have the ability to supply continuous telemetry, they might not have the scale, you know, they might have, you know, a few hundred or a few thousand MDR customers. And that's helpful for sure. But I think what makes this, what today's announcement I think is unique is because Sophos has that scale. We have this massive global customer base, which gives us a really rich data lake around points of compromise and trends and all that kind of rich threat actor data, threat intelligence, that informs the MDR telemetry and then, given to carriers, elucidates so much more of what's going on under the surface than just yes, no, I have it or I don't.

Martin Hinton (27:36) I mean, you touched on something. I, I don't like, you mentioned war, which obviously with Iran currently one of the big cyber crime players, shall we say, there is this dynamic to it. But what you touched on just now is that even with the complexity, even with the complexity around the sources of the threat actors, who's motivating them beyond money. I mean, it's largely just money, but there are other motivations, obviously, there is an improvement in the pricing of this risk, right? It is getting better. Things are being worked out.
I guess what I'm getting at is that the idea is that there's sort of a, you know, throw the dart at the board kind of with your eyes closed mentality. That's not what we're talking about, right? There's a real thirst to see this form of insurance grow. And in doing that, they've got to seek out the ability to price risk more accurately. And part of that is what you were just touching on. Is that what you see as well? Or am I... wrong?

Jessica Newman (28:37) Absolutely, I think you're hitting it right on the head. It's not lack of desire, I think, that pricing and selecting risk is, well, is difficult. I think it's just the data to do so has been missing historically. And so that's what we're aiming to provide.

Martin Hinton (29:02) Now you touch on data and you touch on the amount of information, the volume of information. I mean, again, I'm not a huge fan of using the warfare analogies outside of real warfare, but there is a constant to this that reminds me of that old warning about plans and that they don't survive contact. And if you're existing in a digital environment as a business, you're constantly in contact with the forces that could cause a business interruption or a data breach that results in, who knows what or how long, you might be discovering that there's records you didn't realize you were even retaining that are suddenly now on the dark web. That reality to this is one that, you know, my grandfather-in-law ran an insurance brokerage in North Kansas City. And he would talk about how it was like this segmented routine. I remember years and years ago, it's him telling me about his business. And again, with cyber, there's a very different approach. It's... There could be a fire any day. You could have a cyber attack any day. You have to have that kind of mentality about it. And there isn't really the fire department version of the cyber police, if you will.
And I guess what I'm curious about is as we see the data become more analyzed and the evolution of the industry grows, do you see like the need for sharing of information across different groups and that there might be the need for a bigger pool of this information coming from I don't even know what sources might be to, again, continue the evolution with regard to having more information that allows for a better analysis of what threats exist and when they might be changing. I mean, the monthly dynamic pricing struck me as a really, really non-insurance kind of variation and malleability to the way things are done that is not something people would normally associate with their insurance policies.

Jessica Newman (30:55) I think that, I mean, it would be my North Star that there's a lot more information sharing. I, I think we've done a better job as an industry around that. And now that we have a five, six plus years of look back into, you know, at least these newer MGAs on the scene, I mean, cyber insurance is older than the last four, five years. But I think post COVID, you saw, you saw the attack surface at companies grow and you saw adoption, I think, really pick up from that era. And so now we have this look back. Now the industry at large is really doubling down and serious about data collection, loss and claims data. And companies are putting out great threat reports, left and right. I saw Coalition's today. Sophos just released one a week or two ago, that there is a lot of really high level thought leadership that's coming out. But I think that nobody wants to really put the real numbers on the, nobody's outwardly talking about the details and specifics around their claims and loss data, obviously. I think, in an ideal world, yes, we're sharing, we're all on the same team. I mean, at the very end of the day, it's kind of good folks against threat actors. And, you know, we just want our customers to not have to worry about this stuff.
We want them to be able to focus on what it is they do every day, whether it's a dentist or a school or whatever, they shouldn't have to worry about it. And so that's what I love about Sophos MDR and about this insurance play. It's just making it insanely accessible and attractive to somebody who is maybe not a practitioner, maybe not a cybersecurity trained individual, but just wants their business protected and wants to know that if in the worst case scenario, something fails or my secretary clicks on something or my HR person accidentally clicks on something that if we do experience a loss, it's going to be mitigated very quickly. It's going to be contained, and it's gonna be a much cheaper loss than it would have been otherwise. So I think it's not about perfection, it's just about getting better, I think. And I think the industry as a whole is in earnest really doing that and is acting hopefully more collaboratively with each other.

Martin Hinton (33:39) You touch on, I think, my observation as an outsider is that having been to a few conventions, and I was at one earlier in the week in New York City, there is an energy about people in this space, whether it's the lawyers or the underwriters or the brokers or people in the security side of it, whether it's MDRs or something else. There is, at least having done journalism for over 30 years, spending a lot of time with people, trying to learn how to read them and sort of gauge their honesty versus what they're saying, you know, back to our, say you've got it, but are you really honest? This idea, there is this energy about it, which I only say because it's an observation I've made independently of yours that there is this, we have a problem, there are solutions to be had, there are solutions that we don't know that we're going to create that are going to come down the road.
And all of that is, again, what's exciting about it to me as an outsider, as a journalist, that's sort of the core of any good business is you find a problem. You find a solution people are willing to pay for and that's how you pay your bills. And I think in a very simple way, there's a real like early days, I don't like the phrase gold rush, but that level of enthusiasm around figuring out how to do this, figuring out how to do it well with regard to things like the security and the underwriting and combining the sort of MDR with the policies and discounts that come along with that, being sure that people... you know, when you do your driving insurance or you do, oh, you've ever had a ticket in the last five years, you just say no, whether you have it or not. But now we're going to check your driving record, right? That idea is something about the business that I, frankly, I was surprised to encounter because, well, let's be honest, it's insurance. It's not something that you, I mean, you could throw the word cyber in front of it and maybe dot com once upon a time, but there is that there. I mean, you, am I wrong in reading that? Do you get that?

Jessica Newman (35:31) You're not. It's so funny because all my friends are teachers and none of them can really believe that I've kind of gone this route. My teacher friends are really fun people. They have summers off. They like to enjoy and travel and see the world. And it's a fun group typically. When I pivoted into and sort of became more and more entrenched in this niche of cyber insurance, I kept hearing people say, nobody really intentionally goes into insurance, they just quote unquote fall into it, which is exactly what I did. But I couldn't be more pleasantly surprised honestly. I mean, insurance people are honestly really fun and I'm glad that you're picking up on that energy. I think it's a space where there can be a lot of creativity and building.
And there are folks out there that are eager and hungry to do that. It's not necessarily this kind of old school, I'm not thinking of the best way to say it, but kind of entrenched old school thinking, kind of conservative. There is that element sometimes, but I... I just think in general there is a lot of energy, there's a lot of fun, brokers are a super fun group, carriers can be fun. Everyone is ultimately, it's a smallish family. And I think there's a very healthy, collegial, really community within this cyber insurance space that I really value a lot.

Martin Hinton (37:18) You touched on it there and it sort of moves us into the beginning of the next topic and it's the future or what's coming next. And I don't think you can do anything in this world nowadays that would be considered journalism and not ask about AI. So here we are, the 800,000 pound gorilla in everyone's room now, the economy, cybersecurity, cyber defense, cyber crime. Let's just throw it out there, AI. So what's that done in your world to date and what are the hopes that it might do going forward with regard to any number of the things we've discussed?

Jessica Newman (37:50) Yeah, that's a great question. If I were more technical, I would probably have even more thoughts on it. But I think as it is today, AI is making manual work, like things, for example, like looking up NAICS codes, for example. Things that have been traditionally very manual tasks, it's obviously making those things much easier and faster. I think in terms of AI generated quoting pricing data and loss analysis. I think it's being used to monitor portfolios of risk and portfolio performance. I think it's doing a lot of things very well. I don't, or at least to make our lives, I guess, easier and more efficient. But I don't think that it's a tool that reduces friction, but I don't think it's yet like the core product of what we're doing necessarily in the cyber and is certainly in the cyber insurance space.
It's being used as a tool. And it's not necessarily, I don't think, you know, transforming everything about the way that we price and assess and give and give out risk or give out policies. And so, you know, I think in the security in the cybersecurity space, however, I think that is a different conversation where you're looking at the world from an attack surface lens. And I think when you have, I think about it as like almost like Dr. Seuss, like The Butter Battle Book. I don't know if you ever read that. It's basically a cold war analogy about kind of weapons amassing on both sides. And I think with AI, it's kind of like that. It's like, if the bad guys are using AI, then the good guys need to use AI to combat it. And I know that Sophos is going to lengths to really embed AI into how we're doing things. And that's obviously a whole nother topic, but I'm not like an AI good or an AI bad person. I just think it's creating a lot less friction. It's making tasks much easier. I can't off the top of my head think of a specific example where it's, you know, it's the thing that one company is doing to do all of its things yet.

Martin Hinton (40:22) Well, I mean, I think like you, I'm not a technical person, but the idea that I've had in my head is that as the underwriting process demands more data and the assessment requires more information that's, you know, over time and perhaps new, that it gives you an ability to analyze it in a way like any huge volume of data you wouldn't normally be able to do with human beings. And that is again, something that, you know, assuming it's reliable and effective and all those sorts of things, it becomes a great tool or potentially great tool in that respect. You know, you touched on it a little bit. The idea of AI is, and I appreciate I'm neither good nor bad AI either, but it's everywhere now. Do you, I mean, again, you touched on it. The good guys are using it. The bad guys are using it.
Do you think that's, I mean, we see that, right? Someone's got aircraft. Someone else gets aircraft. They've got tanks. We've got tanks. That's not uncommon. Do you think it's just that natural sort of, we better make sure we're not missing out on that either? Or as you touched on, there are genuine uses that are there, whether it's just making people more efficient so they can pay more attention to something that's, say, a client. I'm kind of rambling on here a little bit, but I get, go ahead, sorry, sorry.

Jessica Newman (41:43) I hear what you're saying. No, I hear exactly what you're saying. I think, I mean, I think you're spot on. I think, you know, with AI, it's, and I just lost my train of thought just now.

Martin Hinton (41:59) That's okay. We both did. So let me back up a little bit. We're sort of touching on this very big thing, right? It's everywhere now, AI. And the idea that I'm sort of curious about is that there is all this stuff that happens in the MDR world, the 24-7 and that sort of thing. It's a layer of effectiveness on top of...

Jessica Newman (42:06) Yeah, yeah, I do remember what you were going to say.

Martin Hinton (42:23) the human beings that decide how it should be organized and how it should be executing its tasks and what it can see and where it can go, what permissions it might have or what responsibilities it can automate or make agentic. There is the potential for it to become something that serves the defender with great efficiency, as well as the underwriting process where you might have the ability to crunch data far more quickly for the purposes of writing a policy than you would have in the past. And I, you know, you think that's a fair way to think about it now? We'll see how it all works out. But what do you think?

Jessica Newman (42:58) I absolutely think that's a fair way to think about it. And I think in general, it's just making all of our work smarter.
But what I love, and we talked about this a minute ago, like what I love about the insurance industry is it's so people-centric, it's so relationship-driven, and it's really, it's about trust and relationships. And I just think, I really value that about the insurance, specifically the cyber insurance space is just, you can't, you have to be a good steward and you have to care about others, I think, to be taken seriously in this space. I think AI is not going to, there's no replacing that. I'm not worried about AI just replacing a bunch of people, whether they're more kind of entry level or not in this space necessarily, because at the end of the day, it's so people driven. And I don't see that going anywhere anytime soon.

Martin Hinton (43:59) You touched on it, we talk about people. Sort of, we've dipped our toes in this topic, but I wonder about the small and medium sized business. I mean, do you ever encounter or have you heard anecdotes about businesses coming to Sophos or anyone else and thinking, you know what, and you sort of touched on it a bit ago as well. You know, I've sort of realized this is a problem now and I don't know how well I'm protected. I don't even know where to begin. Like, I mean, what do you think about that small and medium-sized space, these incredibly vital business segments for the American economy and many other economies for that matter, where they are with regard to sort of perception of their risk and then the ease with which they can seek solutions and help and protection from the insurance side, from the cybersecurity side. What do you think they are in the, I don't know, is it life cycle? Are they before or after mile 10?

Jessica Newman (44:53) I think they're definitely a little bit beyond mile 10, honestly. That's my honest take. There might be people out there that very much disagree with that, but I do think it's less and less of a conversation about if you need it.
It's more of a conversation about what exactly do you need and how are you going to get it? And that's where, you know, Sophos is a channel driven company. This is, this is a company that very much respects the MSP, the MSSP, the reseller channels. And, you know, the MSPs and MSSPs are the ones that are, you know, really on the front lines with customers. They're the ones that are really being pressured, I think, by a lot of customers about cyber insurance. And when I say pressured, I just mean they're being asked a lot about cyber insurance. And they too are a piece of this puzzle in terms of seeking solutions that are easy and, again, frictionless. And so that is, again, where Sophos just sits in a really unique position here to move the market in this way, because our partners really need something to go back to their customers with. And I think, you know, I want to give them that. I want to give them something very simple that they can, you know, a link that they can pass along. And if their customers have MDR, then they're going to, you know, click, click bang into a really great insurance option. So that's my hope. And I think, you know, it's just about making it cost effective. It's about making it incredibly transparent that like, you know, you're making this investment in your security. And so you should see this ROI when it relates to your insurance. And if you can really draw that line very clearly, then it makes a lot of sense to a CFO or a CEO of a small and medium sized business because they get it. They get that that risk is out there. They're just more thinking, all right, how do I admit? What's the, what's the least output I need to protect myself the best? And so, you know, there's just really great bang for your buck solutions that are going to do that. And that's where we want to enable the channel to really have something tangible to give their end customers.
Martin Hinton (47:09) So if I'm a small and medium sized business CFO and I'm listening to this and I realize I have no idea or I'm not sure and I couldn't pick the CISO out of a lineup, what would I do in the next 30 days to begin the process of sleeping better at night?

Jessica Newman (47:17) Thank you. Do you have a broker? Do you have an insurance broker?

Martin Hinton (47:29) So, we'll take, no, I mean, so you begin with the process. Let's go with, you know, we know this about small businesses, right? They often start, they move fast, they're focused on the business, right? If they're selling stationery or hammers or whatever it is, they're focused on selling hammers. And the other things, whatever they might be, we need to repave the coffee room or whatever it is, those become secondary concerns. And I think a lot of times things that we can't see, particularly if they're not making money.

Jessica Newman (47:57) Yep.

Martin Hinton (47:57) become secondary concerns. So let's assume we've got zero. I'm at zero. I'm a small business owner. I have no idea. I don't even know what MFA stands for. I don't know what MDR stands for. I don't have an MSP. What does that mean? I have no idea. What do I do? Where do I start?

Jessica Newman (48:12) Yep. Yep. So, I mean, this is kind of like, you know, I think about myself, I'm married, I have two kids, we both work. On weekends, I just don't want to spend time cleaning my house. It's not a task that I enjoy doing. And so I outsource it and we have the means to do that. And so I outsource it to people who really know what they're doing and get in here and can actually deep clean my boys' disgusting bathroom, which is... no easy feat. And so I think the question is, all right, are we buying? Are we building? That's, that's what small and medium sized businesses face. And they're really, really great business decisions to outsource and to not build within. It's expensive to build.
Most small businesses out there are not going to hire their own security team to do 24-7 business monitoring. So that's why there are amazing MSPs and MSSPs out there who do this. I think the first thing that I would do is go find one in your area. And you're asking a lot of questions to that provider about what their values are, how they operate, rate, but how the pricing works. And you want to find one that's really good, one that values, you know, cyber insurance as a risk transfer mechanism. And one that's just aligned with your way of thinking and you hire them. And in an ideal world, they've got some kind of either a broker that a friendly broker they can attach to you or somewhere to go to find a friendly broker. And they're helping you find a cyber insurance policy. These things, I mean, I think there's a lot of myth busting still to do out there in the small and medium sized space. I mean, cybersecurity, cyber insurance, these things don't need to break the bank. You can get into a great cyber insurance policy for under 1500 bucks easily these days. So, and that's a million dollars in coverage, which, if you're a small business, that's usually, that's probably gonna be enough for you. And so, it doesn't... I think people have it in mind that cybersecurity is something that's way out here, that it's, I don't understand it. It's gotta cost millions of dollars. I don't have access to that. And that's just not true. I think that you just need to find the right partner to serve you. And I think, you know, once you do that, then you're on your way. I mean, as long as you have someone watching your network and your operational security, then you've got a cyber insurance policy, you're good to go.

Martin Hinton (50:55) You, you touch on something that I've asked this question to a lot of people.
I can't remember where that we discussed it before the podcast, but as a consumer and a business owner myself, you look at the dynamic now within cyber and it feels like it's a, if you will, a buyer's market in the sense that there's a lot of companies out there who are looking to grow. They see it as a growth area and you can, like you said, go talk to a few MSPs in your area or whatever else it might be. And there is the ability for them to create a situation, not like you have with Spektrum Labs, where you're like, well, you know, we can't do that, but we've got this guy over here and we've got this gal over here. We can bring them all together and you're going to love the price. Won't change. And then when you go to do your cyber insurance, that's going to come down because you can prove you've got MFA properly installed across all your platforms and whatever other guardrails and stuff you have around your AI policy. You don't have an AI policy. That's a joke. But that idea that there is for a small business owner or medium sized business owner now who's like, another way to spend money. Yeah, but this is a huge problem. You could go out of business if you don't deal with this threat. And there is now an opportunity as this industry looks to grow to take advantage of, you know, not unlike it would seem if you switch from AT&T to Verizon, you're going to save money and get a free phone.

Jessica Newman (52:15) Yeah, and I, you know, that's what I love about Sophos too, frankly, is just, it's kind of all under one house. I mean, you don't have to go here for something and to a different company for something else. I mean, I think finding a provider that can give you most of what you need. So you're not looking at 10 different platforms and you're not, you know, dividing your attention between multiple different teams and things like that. I just think simplifying it, streamlining it, making it affordable. These are key metrics for success on uptake.
And I think that we're getting there. I think more and more, I mean, obviously there's still a lot more room to grow cyber insurance adoption and MDR adoption, but we're on the right path, I think, directionally. I'm excited to see how the next few years unfold in that way.

Martin Hinton (53:05) So what do you think about the next 12 to 18 months? Is there anything in particular in the underwriting or that, I mean, no one knows the future, Jessica. So I want that to be clear and on the record now. So we're not being held to any predictions because as we know it, could be a war here or there and God knows what might change or some other sort of unplanned catastrophic event that we tend to not plan for. What do you see on the horizon and beyond to the degree that your view is good?

Jessica Newman (53:32) Yeah, I think you're starting to see a lot of consolidation happening in the market. You saw Zurich and Beazley. I think that's going to be happening more and more, where large global operations that might not have the expertise are going to acquire folks that do. And that's been happening, but I think it'll continue to happen. I think pricing is pretty soft right now, and I don't anticipate that changing a ton, but I do think it's maybe gonna increase and start to harden a little bit because I think some carriers are getting killed out there. So I think... market wide, you're gonna see a lot of that kind of consolidation, people trying to find margin wherever they can, whether it's offering security services in-house or just getting creative in terms of different revenue streams. But I think in terms of... I think the biggest shift we'll see in the next 12 months is with cyber underwriting. I do think that there will be a shift towards telemetry-based underwriting. At least that's my hope. I think people will see that it's, I think we're going to prove that it's a game changer and that it's something that the industry wants and needs.
And we're going to be the first to prove that. And I think it's just going to spread. And then I think, you know, ideally, that underwriting is really informed by real telemetry that's continuous and verifiable. And that's where we're headed.

Martin Hinton (55:17) Yeah. Yeah. You want the air traffic control tower man, whenever there's planes in the air, not just some of the time. You touched on the consolidation now and it's funny. I mentioned the event I was at earlier in the week and there was a gentleman from Berkshire Hathaway and I remembered Warren Buffett at the prior, I think it was last year's big annual sort of hoedown and he talked about, he was asked or I think he was asked about cyber and he was circumspect.

Jessica Newman (55:26) Exactly.

Martin Hinton (55:47) The gentleman from Berkshire Hathaway who was on the stage today made a comment about how much cash they have. And I thought, wait a second, don't reinvent the wheel, just go buy some of these companies that are doing it well and they've proven some sort of, so I think you're right about that. I think, again, it's not unlike a lot of things like this where the expertise is, it's not really insurance expertise, right? It's a far more complex dynamic reality. You know, we've had fires and burglaries for years and years now, and this is not something that falls into that, weather pattern kind of reality. I wonder, yeah, that struck me as really interesting. And funny that you would say it, because the Beazley deal, am I right to say that it was on and then it was off and then just this week they seem to have announced it's back, it's happening, right?

Jessica Newman (56:34) Yeah, I think that's right. I haven't been following it as closely, but I think in the past few weeks it's been finalized and determined that that's what's going to happen.

Martin Hinton (56:39) Yeah. Yes. Yeah. Yeah. Yeah. So as promised, we're coming up or we're at about an hour.
Is there anything that we didn't get to that we discussed before that you'd like to touch on? Anything you wanted to mention, even if we didn't bring it up before that you thought of that you want to leave the audience with?

Jessica Newman (57:04) You know, I don't think so, honestly. I think just stay tuned. I think that, you know, our announcement today, you know, read the quotes from the carriers. I think they speak volumes about just where things are headed in terms of MD, just the value of MDR and the trust that they're putting in that service as a real indicator of risk.

Martin Hinton (57:21) Yeah.

Jessica Newman (57:28) Just stay tuned. Maybe we can speak again in a year and see how all of this works out.

Martin Hinton (57:34) I think it's a great idea. Then I have to total aside a hat tip to the comms team. When press releases have those sorts of things, those external quotes, it is, I have a whole theory about AI created journalism and why they're starting to look like that. It's just very useful context, right? You know, because these are companies and they're not, obviously they have a stake in the game and all that sort of thing, but it is useful. It also makes the press release a little bit easier to read because they can be a bit, you know, flat sometimes. A lot of information, don't get me wrong, they're very useful and I get why they're there. But I was struck by that because you don't see that a ton. You see a couple of quotes from an exec with the company if it's a two company agreement. But that sort of, it really sort of elevated my thinking about the news in a way that I maybe wouldn't have had it elevated. So.

Jessica Newman (58:21) I appreciate that. We were quite intentional about that. And so I really appreciate that. I think we wanted to leave.

Martin Hinton (58:27) Yeah, yeah, no, I mean, again, like we touched on this, like the communicating the need for these services because of the risks that exists, right?
And you could say, it's just someone trying to sell me insurance. They're trying to take more money from me. But there is a real danger here. And there is no like we've touched on. There's no fire department. There's no police department. You need a private enterprise and a, you know, a channel, as you said, of organizations to protect yourself properly. Maybe that changes. Maybe it doesn't. Who knows? But right now, these risks are real. You know, the phrase if not, but when is very much alive in the cyber risk kind of reality for businesses of every size. And I think that that is, you know, again, like part of communicating that to people is something that is a what makes me sort of interested in this field of journalism. And again, like we touched on, it's sort of the exudes from a lot of the people in the position you are that, you know, sure, I'm doing this, getting paid. We want to make money. I got a mortgage and all that sort of thing. But this also matters, right? This matters for, you know, the economy and people's personal sense of privacy and all sorts of things that, you know, I don't think we quite maybe all appreciate that that makes it interesting. Again, I mean, it's an aside, but just again, a hat tip to the comms team. I like that very much. So, Jessica, anything else?

Jessica Newman (59:41) I very much appreciate that. Thank you, Martin. I don't think so, just excited for things to come. We're creating real insurance advantage for Sophos MDR customers. So stay tuned and thank you so much for having me on. It's been a pleasure and as always, it's so easy to chat with you and it flew by. So thank you so much for having me and I look forward to speaking again in the future.

Martin Hinton (1:00:10) Well, Jessica, my pleasure. Just so you know, in the show notes, there'll be links to Jessica and links to Sophos, and there may be a few other things we've touched on that we'll put links in there so that you can get to them easily.
And again, yeah, Jessica, my pleasure. Likewise, real pleasure to chat. Very easy. It did fly by. So again, thanks so much. Again, very, very grateful for the time. Everyone else, you've just been enjoying Jessica Newman, the Global GM of Cyber Insurance at Sophos. If you've got any questions or

Jessica Newman (1:00:32) Awesome.

Martin Hinton (1:00:39) comments, you can leave them in wherever you are. There's a comment section and we'll get an answer or perhaps we'll forward it on to Jessica because she'll be able to answer. And for the audience watching, really grateful for the time. Very, very thankful that you've been here till the end. I'm Martin Hinton. This is the Cyber Insurance News and Information Podcast. Thanks for watching and enjoy the rest of your day.