Martin Hinton (00:04.046) can wait. Talk. Okay, one other thing pardon me Kyle at the end Before you cut off just let me confirm this records locally to avoid having issues with uploading download speed It's usually like 99 % done by the time we finish Stop talking so there's not any real delay, but every now and then there is and it's not a big deal But the other thing is I don't know if it says it on your screen What you're seeing is lower quality than will wind up being used which is probably standard knowledge these days, but Kyle Jude (00:18.871) Yeah. Kyle Jude (00:27.49) Okay. Martin Hinton (00:36.95) One never knows, like I said, trust with Verify. All right, so here we go. Kyle Jude (00:40.321) Yeah, I just saw that. Martin Hinton (00:46.424) Now need to get my, I gotta get my TV face on. Martin Hinton (01:03.256) All right then, welcome to the Cyber Insurance News and Information Podcast. I'm your host and the executive editor of Cyber Insurance News, Martin Hinton. And joining me today is Kyle Jude. He's a program manager with Veracity Insurance Solutions. And what we're gonna be talking about today is largely small business, cybersecurity, cyber insurance, and how to summarize Kyle's recent op-ed that he wrote for us. They're not so much being targeted as they're being swept up in an elaborate complex and organized scam operations. So Kyle, first of all, thanks so much for joining us today. How's your day been so far? Kyle Jude (01:42.497) It has been great, Martin. Thanks for having me. I think it's really important to provide this information to as many people as possible. So I really appreciate you putting this together and allowing me to come talk. Martin Hinton (01:55.886) Oh, my pleasure. I mean, I think one of the things that we will touch on is that small businesses are really the backbone of the American economy and other places for that matter. And they have a lot going on. And one of the things that's come into the world for them, not super recently, but fairly recently in the grand scheme of things, is this threat that cybersecurity and cyber attacks present. And I guess maybe we could start if I run a small business, if you're talking to small business operators. The attack is designed to feel normal. What happens? How does it begin? What's the start of all this for a small business? Kyle Jude (02:36.355) You know, it can start many ways, but a lot of times it's a simple email or a text message or a combination of the both. You might get a phone call saying, hey, I need you to do something. And it's very urgent. And they stress the urgency of needing you to do something and almost reward you if you do it. So when you're looking at a cyber attack, It'll come from something that you're familiar with a lot of times, whether it's an employee, a coworker, a boss saying, hey, I need you to go do something for me. I need you to click this link and enter this information. I need you to go buy 50 Amazon gift cards and send me the QR codes, whatever it might be. But a lot of times you're going to see that it stresses urgency and you need to get something done as quickly as possible to fulfill the need. Martin Hinton (03:35.854) That phenomenon is not about cyber. That's not about the digital world. That's the human nature of a good con, right? They make you feel urgent. And I've said in the past and on other podcasts, if you ever get a text that makes you feel like you need to stop everything and send someone money, don't do it. Like ignore it for 12 hours or sleep on it. You know, it's a bit like that advice. If you win lottery, don't tell anyone for a year or something like that. When you talk about this, like what are the attackers? actually do when this happens? The thing you discussed in the op-ed is this sort of, and you just mentioned this is multi-vector, right? It's a layered approach where one email might not seem that urgent, but an email and two texts and maybe a missed phone call starts to create that sort of tingling in your spine. I mean, is it that simple? Is that what we're talking about? Kyle Jude (04:26.049) Yeah, I mean, a link can put malware on your computer and then they could sit there for weeks, months, a year, two, like, and you might not know that you've been hacked or been affected by a cyber security breach until, you know, something goes wrong. So it could be as simple as clicking a link and then nothing happens. think, okay, the link was bad. And then you go type in a website or whatever to reset your password that that the text message or email asks you to do. But a lot of times nothing happens immediately. And then all of a sudden you're noticing that your systems are shut down, your passwords are locked out, your customer's information has been stolen and perpetrated on the internet or the black web somewhere. And it might not, you might not know for, you days, weeks, or months afterwards that you've even been attacked sometimes. Martin Hinton (05:28.846) You touch on another, again, this is crime, right? We say cybercrime, we say cyberattack. What these are are just evolutions of the fact that forever, as long as there have been people, someone will try and steal what you value. There are those people out there. And I wonder whether or not you might touch on the way this works from the point of view of the breadcrumbs that we sort of filter through our digital lives, whether it's social media or whatever else it might be, that are used by these attackers to create the... the urgency that you touch on. Kyle Jude (06:01.281) Yeah, so I mean I can give you an example. So I have a phone number from the Dallas-Fort Worth area where I grew up. And I'm looking on my phone right now and there's in your text messages, there's your normal text messages and then there's a spam section. So I don't live in Texas anymore, but I'm getting text messages from the Texas DMV, from the Department of Motor Vehicles saying, I need you to do this right now. You have citations and all these things. And I have text messages sitting here, five or six of them. stressing the urgency that I'm gonna get my driver's license suspended if I don't do this right now. And so they prey on, you know, the location of where your zip code is. They will look at your Facebook page and say, I see that his spouse is named this or he works at a company. And they do social engineering to, you know, learn what they can about you and then use those details that are all over the internet these days because everybody's life is on the internet in the digital space and they use that to their advantage a lot of times. Martin Hinton (07:10.86) You touch on something that we've reported on a great deal. And it's this idea that, you know, one post about, you know, the Yankees won the World Series. I'm so happy. And another post about, you know, liking this particular deli in the Bronx and stuff. And you can create a picture from all these pieces that allow you to take advantage of someone. It really is something people need to keep in mind, isn't it? And as a small business owner, when you need to use these social media. platforms to promote and market and sell. There's a real kind of pull here between being secure and maintaining security and a real profile of cybersecurity and also exposing yourself in a way that makes people think, I like this person or I like this business. They've got a good brand. It's a real tough nut for some people. Is AI making it better or worse? It seems to me like you can't trust anything you see anymore. Kyle Jude (08:06.883) Well, the AI makes it a lot easier for the criminals because I can go and say, give me everything you have on Martin Hinton right now. And it'll scrape the internet and it'll return 100, web pages that your name's listed on. It'll probably give me your social media accounts and everything. And so it makes it so much easier for these perpetrators to gain access to your information and find out those crucial details too. really make it think like they're sincere and they're actually someone you know or they're trying to help you when in fact they're just trying to take advantage. Martin Hinton (08:45.39) You've touched on this and something I've said before, and I'm sure it's crossed your mind, there's a bit of an attitude like, it won't happen to me, sort of the teenager mentality that it'll happen to someone else. And I just wanted to stress the point, and I see whether you agree that even the most savvy person can fall victim to a street con. And it's a bit like if you think you can't, or you're not going to fall victim to something like this, it's a bit like thinking you could get up onto a stage with a master illusionist like a David Blaine type in... and be able to see how he does the trick, right? I mean, is important that people pack away their hubris and their pride and think, you know what, it could happen to me and I need to maintain that sort of defensive posture? Kyle Jude (09:26.615) Yeah, mean, you think, there's all these tech forward companies, these multi-billion dollar companies out there, UnitedHealthcare, T-Mobile, Clorox, all these other huge companies out there that have experienced 100 million, 200 million multi-billion dollar cybersecurity losses. And if they're so tech forward and forward thinking and up to date with security, and it can happen to them, It can happen to anybody. And so don't think that just because you're a solo proprietor or you have a small business making a couple hundred thousand dollars a year that you're not the target of these people because the same acts that they're perpetrating on these larger companies, they're doing on everybody. So it's not just they're targeting big companies. casting a very wide net and seeing what fish they can catch. They might catch a whale and they might catch a minnow. And it really just depends on what falls into their net at Martin Hinton (10:37.72) I mean, I would presume and I've read that that reality is exacerbated by AI because you can attack a thousand targets at once as opposed to once in a while. You can automate responses and filter for which phone numbers get answered or which people reply to text to see whether they might be more likely or more relaxed in those interactions. Is that something that you see? Kyle Jude (11:03.009) Yeah, you you do expect with AI because you can call companies these days or call a number and 90 % of the time the first thing you're talking to is an AI. And some of them sound really realistic. You know, I've called my cell phone company the other day and I was talking thinking I was speaking to a person and they're like, let me get an agent for you. And I'm talking to an AI for 10 minutes trying to express my issues to them. you know, the rapid advancement in AI, it's quite remarkable. It's good for us as a society, but it also has, you know, it's threats and dangers that if you're not aware, you know, you can easily fall victim. Martin Hinton (11:52.012) Yeah. So we've discussed the idea that you can become a victim. Why would you want to avoid it? And the obvious reason if you're in the business context is the cost. And we don't hear a lot about small business cyber attacks. There's not a lot of mandatory reporting outside of a few industries and a few regulations. Most small businesses aren't in that sort of situation, if you will. So we hear about, 10 grand here, 15 grand here. But the cost. And we see this more and more as companies have the ability online to sell products from, say, New Jersey or South Carolina around the globe. They're collecting enormous amounts of personal information and credit card information and that sort of thing. Where does the cost exposure jump? And take me sort of through that idea of, you know, we think, know, 100 grand, 10 grand, 50 grand, but it can go up. dramatically from that and it can also last a long time and issues can arise a long time later. We hear this phrase the long tail of a cyber breach or incident response. What about that part of it? Kyle Jude (13:00.461) So if you're thinking, someone has some information and I'll pay them a fine or I'll have someone come and update my computer systems, I'll be back in line later today. That's not how it works. Most of the time when you're attacked or you fall victim to one of these online crimes, you're going to be down out of business for several days. several weeks, it could be months. And it's not just, you know, the cost of fixing your computer equipment, it's the downtime. So let's say this happened to someone that sells goods online, and it happened at Christmas, and now you can't fulfill any orders because your systems were hacked. So you're going to lose a lot of revenue from that. Plus, you have to pay for, you know, every single one of your customers that you kept their information online. to make sure that their information isn't used. So then you're having to pay for notifications. You have to pay for a press release potentially. All these other factors come into play and it's not just, oh, $10,000 because my systems were hacked and I was down for a day. It's the $10,000 plus A, B, C, D, E, and F that are added on top of that that take a potential $10,000 loss and now you're looking at $150,000, $200,000 or. or more and then the bigger your company is, the more customers you have, those numbers can rise exponentially very quickly. And instead of $10,000, you're looking at $10 million, $100 million, depending on the size of your company. Martin Hinton (14:44.598) You in the op-ed, which is linked in the show notes, so you can go read it if you like, you touched on a few specific examples. The first, if I'm not mistaken, was a payroll diversion. I wonder if you just run through some, know, as opposed to abstract, this kind of thing happens, but literal ideas to the degree you can with, you know, scrubbed personal and sensitive information. Kyle Jude (15:06.787) So yeah, so this is a real claim from one of our customers. And basically what happened is one of their employees got hit with a link that says, you need to update your banking, routing and account information when moving to a new system. So they click it, do it, and weeks go by, months go by, and they finally realize they have been paying this person's payroll into someone's account that didn't work for the company. They don't know who it was. And I don't know about you, but if it was me, I would've been like, where's my paycheck? You know, the day after I didn't receive it. But I guess this person just didn't do that. And $53,000 later, you know, we had to reimburse the company and made sure that their employee was able to get their paycheck. And so that's just one example that you know, that we see out there. And it's just a different type of loss that you wouldn't really expect to happen as, you know, hey, update your banking information and we're going to steal your paycheck. Usually, usually you think, okay, they're going to hack my bank account, they're going to take money out of my account, or they're going to get my credit card information. But, you know, it can happen all sorts of ways. And in this case, they actually found a way to get paid directly from the person's employer. Martin Hinton (16:36.462) That's a neat example, right? You've got the payroll, there's no long tail. Are there common hidden costs that might come from a similar breach that beyond the, if you will, capital, the $53,000 in this case, that there might be, if you will, other costs that pop up later? What are some of the hidden costs that you might not be thinking about if you're a small business owner and that scenario, you're like, I could see that happening, but what else can get layered on top of that to touch on what you said earlier about how costs are built? Kyle Jude (17:06.755) Yeah, so you got $53,000 in payroll, but that's not the only cost that you see with a loss. Now you're have to pay a cybersecurity expert to come and look at your computer systems at your company and go through and find out how the breach occurred, which can take weeks sometimes or months, depending on how advanced the attack was. And then you're going to have to redo your security systems. You're going to have to put additional firewalls up and... block the accesses that it came in. You're going to have to potentially update to do payroll systems. You're have to go through and recollect information from your employees. So that costs manpower, that costs hours. And so you might have $53,000 in payroll that was stolen, but then you have thousands and thousands of additional dollars added on top of that, that are having to be paid out to fix. what was messed up in the first place. Martin Hinton (18:06.83) It reminds me that we're so used to everything happening instantly, right? If a video doesn't play right away, we move on. If the app doesn't open right away, we're frustrated. That's what it's trained us to do. The incident response for a cyber attack is like any investigation. takes time. It's comp. It's often very complex and it's sort of counterintuitive because you would think that, it's digital too. They can just plug in something and analyze my, you know, car engine and get instant results about what codes might be saying this isn't working, that's not working. And it doesn't work remotely like that typically with a cyber breach investigation. Am I right to say it that way? Kyle Jude (18:43.507) no, because with the investigations, a lot of times there's foreign actors that are at play. So it's not like Sally down the street, you know, stole something out of your mailbox and cashed a paycheck. It's someone in another country that is probably sitting in a room with, you know, a hundred other people, gained access to your systems. Now they've shared that information with all these additional people that are doing the exact same thing as them. And... The United States government has to work with other governments to find them and it can be very complex and convoluted. And a lot of times you can't do anything about it except to try and patch the hole that was made and repair what was made. But a lot of times the perpetrators of these crimes are never found. There's no repercussions from their end because they are, sometimes they're state run by foreign governments that need. money and capital so they're actively hacking companies in the United States that they know have money. Martin Hinton (19:49.358) Yeah, I mean, I think that's another point that we should drill down a little bit is that this is not, it's not vandalism. These aren't, these aren't, I mean, I can't make the joke with kids in hoodies eating hot pockets in their mom's basement much more, but that idea that these are complex, highly organized operations, whether it's just a highly organized criminal operation, but also perhaps an highly organized criminal operation that has the blessing of a foreign entity. foreign government, so they have geographic safety, right? They can be operating from a place where there is no jurisdiction for, the U.S. government to go in and investigate, never mind find and punish and retrieve stolen goods. I mean, do you think that that's something that a lot of people understand? I say that because at the RSA convention last week, there were several, and I forget which one it was, but former heads of the national security sort of apparatus of the American government. And one of the words used to describe cyber attacks and stuff is that we've become quote numb to it. And I wonder whether or not you think people are numb to it or whether or not you think people still aren't even aware that it's that big a problem yet or is it a terrible combination of both in parallel. Kyle Jude (21:04.931) You know, I think it's a combination of both. You have an older generation that grew up without technology, without cell phones, without computers. And then you have a newer technology, newer generation that grew up on it and they expect everything right here and now in this instance. So it's a combination of both where, where you have the people that are just, you know, unaware of how easily your information can be out there. And then you have the people that, you know, this isn't going to happen to me because they're, you know, of a younger generation. potentially be a little bit naive. Martin Hinton (21:38.138) You touch on another point you made in the op-ed and that's sort of the fact that prevention is hard and what you just described is sort of the instant gratification society. The idea that if you get a piece of information or you get an email in, depending on how you segment your life and keep your barriers up, you jump on things right away. You want to deal with things right away. Talk to me about how that reality makes prevention so hard. Kyle Jude (22:02.913) Yeah, you know, you used to get a letter in the mail and you would sit down, you would read it over dinner or, you know, after work for the day. And now you're getting an email and you have a deadline says, okay, I need to respond to this within an hour at most because they are needing this information. And in what used to take time to transact, no longer does that. It's the same thing with checks. I mean, I don't know if everybody's seen the movie. but catch me if you can with Leonardo DiCaprio where he's bouncing checks here, here, and here, and it would take four five days for that check to process because they got to send it across the country to the bank. And now with the digital age, it takes seconds for a check to be cashed online or a transfer of funds to happen. It no longer is one of those things that takes days for funds to settle. And I think that's something that A lot of people of the older generation haven't quite grasped yet. And some of the newer generation, I know my daughter, for instance, thinks that it's all fake money anyway, and she doesn't care. Martin Hinton (23:18.574) I mean, there is the, I mean, again, the adding a bit of friction to the process. I was saying to someone recently, you when your bank calls to verify a transfer, you might be annoyed that you couldn't just do it on the app. the context that we're thinking about this and talking about this, you should be grateful for that bit of friction, that moment of pause, that, you know, sleep on it kind of moment. Do think that's something that people should remember? particularly if money's involved. Kyle Jude (23:50.015) 100%. Two-factor authentication is your friend. Using one of these authenticator apps like Google Authenticator, whatever you're using, use that. Use a text message authentication. Use an email authentication to where it's not just your password anymore. It's the one thing, and then they're sending you a text message or an email, and you're having to get a code. And don't share that code with anybody else, please. because that's another way that they get you is they want you to share that code with them so then they can access your accounts. But no, two factor authentication or any sort of roadblock that is put up to help slow the ability to send money, whether it is 30 seconds or five minutes or whatever it might take, it's crucial, especially with people that have small businesses because You know, you might be the only person there and you might be working, you know, front lines in a cash register as a small business and you're doing 10 things at once and you might just hit that button and say yes. But if you have the time to sit and think about it for five seconds, you're like, this doesn't seem right. And so even that little delay can really help. Martin Hinton (25:06.31) You touch on, we've touched on the urgency and you just said something again there that one of the things that people should know is that these sorts of attacks occur when we're known to be busy. So last minute on a Friday when everyone's trying to get out of the office or right before a vacation or a big holiday season. I did a piece last year about a spike during the lunar new year in Asia and that sort of thing. There is, despite it all being digital and cyber and mystical ones and zeros, There's a very real human element that the bad actors take advantage of in this situation. You touched on layer defense there. You used that phrase. And again, you think of MFA, that's like having two locks to open a door, right? Just a little bit to slow you down. And if you're a little bit harder to steal from, someone else won't be and the bad guy will go somewhere else. Is that another sort of perspective that people might want to consider that? You know, this is going to take me 10 extra seconds to log on, but this 10 seconds could be a big deal. Kyle Jude (26:07.243) Yeah, exactly. extra 10 seconds can save you thousands and thousands of dollars and you know, irreconcilable harm to your company that can happen. So I agree, Always use that. Martin Hinton (26:22.435) You. Yeah, well, you know, I was doing some banking earlier today and I got two or three authenticator apps and I was like, which one does this bank use? And I had myself, I had to have a little moment with myself where I was like, calm down. This is all good. You don't want to send this to the wrong person, right? Like this is the way it's supposed to work. On that front, like experience or education is something that you espouse within the business. So your organization represents or the insurance Is it insurance canopy that's got 350,000 small businesses within it? that, So tell me a little bit about that sort of idea that. Kyle Jude (26:58.005) Yes, insurance company, that's correct. Martin Hinton (27:05.143) there needs to be some formalized reality. And do you see that as a business operation or do you think that that's something that given the scale to which society and civilizations have embraced the digital reality and we've sort of thrust everything we value into digital spaces to the degree we can, everything from our money to family photos, that there needs to be a sort of more broad outside the business community, sort of awareness and education that's literally like has a formality to it that will help deal with this problem. Kyle Jude (27:35.767) Yeah, no, mean, I think if cybersecurity hacks were more mainstream, I guess it's just not as sexy as big crime is on the internet. But in reality, it is big crime. Like billions and billions and billions of dollars every year are stolen. It just might be in small incremental factors. And so, with Insurance Canopy, we try to educate our customer base as well as you know, others on the internet as much as possible about, you know, what does cybersecurity insurance do to help protect your small business? How can it work for you? What does it cover? What does the process of filing a claim look like? What other steps can you do to protect yourself besides just having insurance? So insurance obviously is a great thing, but there's other factors you can do such as the two factor authentication that will... help protect you even further and getting as much awareness and education out there as possible. Martin Hinton (28:41.81) I mean, you touch on in the early days of say property and casualty, this is a joke, just to be clear. You could imagine insurance company going to a warehouse and saying, listen, we'd love to insure you, but you're not insurable against fire. But we've got this thing called sprinkler systems. If you will, MFA of the day, if we install a sprinkler system, which we can get you a discount on, and we can insure you at a much better price and we'll be happy, you'll be happy, and you're going to be less likely to have a fire that does a lot of damage. We're in a sort of similar phase now with cybersecurity insurance where, you know, the insurers like this is a real threat, you should protect yourself. Insurance isn't the only solution. You mentioned education. How do you see that playing out as you go through your day right now? Kyle Jude (29:28.131) Yeah, it's amazing. Anytime I do a webinar or write an article, I stress the urgency of cybersecurity. It's up there with any business. You got your GL that protects you, and then you have cybersecurity. And as we get more digitally advanced and the AI becomes more advanced and the ability to use that to get into the computer systems and and social engineer attacks against people. know, cybersecurity is slowly overtaking the need for general liability in lot of cases, especially with the use of digital marketplaces where people aren't really going into stores sometimes. You know, I know some people that have a business and they don't have a storefront, they run it out of their garage and everything's done online. So they don't. have someone that can come and slip and fall in their store like you might see at a grocery store, but they have a real threat of someone accessing their computer systems where they house all their customer data. Anytime someone pays with a credit card online to buy something from them. And so the threat is ever growing and ever expanding and educating them is more important than ever. Martin Hinton (30:49.674) Yeah, I mean, in some respects, we've shifted the threat from the physical world to the digital world. And because we can't see it the same way, it's a little more abstract for people. It's something that I've always thought. And the one example that someone gave me recently was that the Land Rover Jaguar hack. think it cost $1.8 billion, was the last number I saw in the press. There was a hit to the GDP. all these suppliers, mean, the government basically stepped in with a backstop, to put it very simply. If someone had taken a bomb and blown up a Jaguar factory, that would have been on the cover of the paper every day for a month, right? That is, but the cost is no less saving the physical rebuilding and any potential loss of life or injury. The cost is still there and it doesn't resonate in the same way, does it? Kyle Jude (31:42.999) No, it's not flashy. so, you know, it's just not, it's not carried the same way on the news. I'm sure if, you know, 60 minutes or somebody picked up and they, they stress the urgency of cybersecurity risk and they, they're like, do this in front of, you know, a hundred million Americans. Maybe someone would think it's flashy, but it just doesn't hit right. It doesn't hit right for, when you, when you see, you know, a bomb explode. especially with the war that's going on right now, you see bombs exploding every day and that's what's on the TV, that's what's catching everybody's eye because it is there in your face. And cybersecurity is in the shadows. Your hackers are working in the shadows, they're not out there. You can't put a name to the face or a face to the hack. It's harder to, I guess, present a lot of times. That's why platforms like yours are so valuable because it gives some real credence to the threat that's out there and it gives people a place to go and learn. So I do appreciate that you do that because it really is unfortunately not a flashy crime such as robbing a bank vault or something like that. Martin Hinton (33:08.27) Right? Yeah, so no need for a getaway car in this crime spree. So let's move into the sort of underwriting renewals that what you refer to, I think, is the checkbox problem. You know, we're used to doing our insurance once a year and maybe we pay a little more or there's a new phenomenon. Like I recently redid my car insurance the last couple of years and I was told to with non-insured drivers that you might have an accident with, which was kind of irked me, but that's OK. When you do this, you can't just check box. You got to really analyze the policy. Tell me about your side of that relationship for small business owners. Kyle Jude (33:47.331) Yeah, and so, you know, that's something that we've been working on a lot on our end as well, because we do have automatic renewals for our insurance policies. You know, you go in and you purchase policy, you have a credit card on file, and your policy will automatically renew year after year. But you have to take the time as a business owner to look at your business. How much did you grow? What have you been doing? Did you have any big life events? Did you go and move to a new building? Did you update your... computer systems, did you do all these other things? And you need to let your insurance company know because they're the ones that are protecting you in case something goes wrong. And if you're not updating them, most of the time you're gonna be underinsured or uninsured for some of these things that might come up because you just haven't protected yourself fully. So my thought process on making sure that you're updating your insurance is, anytime you have a life event change. You you get a new car, you automatically update your car insurance. Same thing with your business. If something changes with your business, update your insurance and keep it up to date as frequently as possible. I mean, obviously at least every year you want to do it, but as frequently as possible. And so we've been looking at some things, you know, internally that, you know, we do. We do quarterly emails out. We do some other things for our customers to say, hey, just checking in, making sure that your systems are up to date, all your policies up to date. Has anything changed? Call us. We can answer any questions. So we do stress that out to our customers as well as, you know, talk to a licensed insurance agent, whether it's us or whether it's someone else. Talk to someone that is knowledgeable and knows how to protect your business. and get counseling from them because they're there for a reason. You have to be able to sell insurance, you have to have a license, you have to learn about what the different coverages are and learn how to protect and you have that fiduciary responsibility to protect your insurance and your customers. so always talk to an insurance agent if you can. Martin Hinton (36:06.958) What are some common misconceptions about coverage? You can say, I've got $100,000 or a million dollars worth of cyber insurance. There's a big but there, right? What does that policy say you've got in effect across all devices, whether it's MFA, what's your backup policy? And obviously, since COVID, the issues of remote work and that sort of thing have come up where you have situations where you have to wonder about people's. know, cybersecurity in their homes and how vulnerable their internet of things are or Wi-Fi network might be. When it comes to that kind of thing, what are the things that business owners are sort of maybe thinking that they're covered and they're actually not covered and they didn't actually buy that level of protection or protection against that specific thing? Kyle Jude (36:53.219) So one of the most common things that I see with cyber reliability insurance policies is sublimits. So you might see that first line on your declarations page that says you got $100,000 or $250,000 $1 of coverage, but a lot of times when you read through the insurance policy, there are sublimits. And so you might see, I've got $10,000 for cyber ransom coverage or something is excluded altogether. And the most important thing I can say is, again, Talk to an insurance agent, read through your policy documents. If you do have questions, reach out and find someone that can help answer those questions because not all insurance policies are the same. It's very infrequently that you actually find two that are the same. And so you might have $100,000 cyber liability policy. I might have $100,000 cyber liability policy, but we might not be covered for the same thing because there are those... exclusions that can be listed there or those those supplements that can be listed there to where we're just not insured the same Martin Hinton (38:00.494) mean, what I'm hearing you say is you got to do your homework. If you get your policy, you got to be, you have to be your own keeper. You have to ask tough questions and make sure you understand it. And if it's not being explained to you in a way you understand it, don't give up, right? Kyle Jude (38:15.587) Yeah, mean, there's just like AI can be used to perpetrate some of these crimes. AI is your friend a lot of times in these factors as well. So get on ChatGPT or GROC or whatever, Claude, I don't know, there's so many out there these days, but get on the AI and ask them. It's pretty remarkable what you can do. can plug your insurance policy, you can just drop your entire declarations page in there and you can ask it and be like, am I covered for? X, Y, and Z, and it will be able to review your insurance policy for you and say yes or no. Well, 99 % of the time from my review, it's pretty accurate. Martin Hinton (38:56.686) Yeah, I have a similar experience. Yeah. So when it comes to new buyers, like how do you like you listen, I mean, one of the things that I've I've said to people is that insurance is one of those things you need. You wish you didn't have you hope you never need, but you need to have the policy. It's a weird cost center for businesses. So when you've got new companies coming in and maybe they they realize that they don't have cyber the way they thought, just like we were discussing. What are the ways you sort of bring them, if you will, into the fold of understanding why it matters and then, if you will, converting them into customers of yours? You've touched on using examples and that sort of thing, but take me through that process because, I don't, listen, I'm in a for-profit business. I make no bones about that. There are a lot of for-profit businesses, but I think insurance fits in a weird space in America, and a lot of that has to do with health insurance. Kyle Jude (39:34.955) Yeah. Martin Hinton (39:51.906) But broadly, we're seeing it rise with regard to homeowners insurance in places and auto insurance in other places, depending on what's going on and trends and weather and that sort of thing. And that can have a sort of negative effect on the, if you will, brand of any particular industry. they're always out for something more. They're just trying to sell me something more. I personally, just so we're all clear, don't believe that's the case. I think cyber is a very different beast and the awareness of how how bad the fire can be to put it in fire insurance terms is something that I don't think people understand. But how do you talk to people in the sort of professional environment? I sound like I might be at a cocktail party. When you're sitting down with a small business owner who comes in and they want to make sure they're covered just like we were discussing, what do you do to sort of, I don't know, is convert them a too strong a word or to make them see the wisdom or at least understand what the upside is? Kyle Jude (40:46.435) But when I talk to my wife about insurance, falls asleep. So I can't do that. one of the things that I do in just for you, any business owner, what can you sustain as a loss and your business still function? Is it $5,000? Is it $10,000? Do you have enough in the bank that you can sustain a million dollar loss? What is it that you lose that money today? and your business isn't the same. And you really have to look at your business and understand what you can sustain as a loss. So is it worth paying $199 a year or whatever it might be for a cyber liability insurance policy to give you that peace of mind that if something does happen, your business isn't going to close stores tomorrow. sorry, go ahead. Martin Hinton (41:44.174) I mean, you touch on it there and I don't think people quite appreciate how long some of these outages in doing business can be. And I mean, if you can't sell anything, you can't collect any money, you can't pay any bills for a week, two weeks, that's putting a lot of companies in their sort of buffer zone, headache space, right? They're not in the position to deal with that. I mean, is that enough? I mean, do you go into specific examples about other companies? I mean, do have any favorite anecdotes that make people go, that sounds like it could happen to me? Kyle Jude (42:20.259) Yeah, mean, think of when was it T-Mobile or Verizon was hacked last year and their cell service was off offline for 12 hours. How angry were people that they couldn't conduct business using their Verizon cell phones. They couldn't make phone calls and all the issues and the anger that it caused. What do you think it's going to do to your customers if they can't access your website and buy your goods? can't in touch with you, you can't fulfill their needs, they're gonna go somewhere else a lot of times. And so it's not just the multiple hours or the multiple days that your business is offline and you can't sell right then and there. It's the irreparable damage that you've done to your customer base in the long run that's gonna hurt you. Martin Hinton (43:14.894) Yeah, I mean, I was at a conference a couple of weeks ago here in New York City, and a gentleman in one of the panels described the sort of nature of our digital existence as, quote, incredibly fragile, close quote. And I think that, you know, it sort of led me to think, you know, when I have this conversation now with people and I'm trying not to make them fall asleep like your wife, the idea is imagine this didn't work for the next two days. You couldn't use a phone. Kyle Jude (43:35.907) you Martin Hinton (43:44.546) You couldn't use your cell phone. Your cell phone was unavailable. And I, you know, we can barely not pick them up every 10 minutes during the day, a lot of people. I think that that for me is, it's amazing how much we rely on just that singular advice. There's that expression in, it comes from the military, or at least that's where I learned it when I used to do military history documentaries is two is one and one is none. And the redundancy that exists. doesn't seem to be there for a lot of this space. Do you think that that's, you one of the things we sort of didn't really touch on is like backups, for example. And I wonder whether you might talk about, you know, that concept in this, in how we're talking about this now, like the idea that, okay, you've got all of your customer emails and their accounts, where are they saved? Tell me about what that, how that matters. And I guess I could, if I could beseech you to speak to me like I don't understand, like I'm a fifth grader. Kyle Jude (44:42.605) No, you make a very good point there is you should have redundancies. might have a computer that you use your laptop and you're typing all your customers information on there and that's where it's stored. You're getting emails. But have it backed up somewhere else. Whether it's in the cloud, you have a dedicated server in your office that's in a back room that you never touch, but you're storing stuff there. And having those redundancies is very important because If you do get hacked and you lose everything, what are you gonna do if you don't have another way to get it? I mean, yeah, it's, everything, if like you said, if everything is on this cell phone that you have in your hand and you don't have it anywhere else, if something does go wrong, you're in some big trouble. So. Martin Hinton (45:35.244) Yeah, and you know, one of the things I, as much as this matters and as much as that can go wrong, I always try to, in these conversations, I don't want to straddle the doomsday scenario too far. We're not talking about something that is unfamiliar to us, right? We know that you have a spare tire in your car, right? Well, most of us, or you have spare batteries for maybe if the power goes out for a little bit. There's a little bit of redundancy. You've got maybe, pantry with some canned goods. And then some people take it to a much greater extreme with a, you know, bug out bag and all sorts of things. This mindset is one that is inherent to modern life and perhaps even human existence before modern life. And I guess I wonder whether or not you might have any comment about the idea that this isn't that unfamiliar. It's just a little bit abstract again, because the ones and zeros that make Netflix able to, you know, play every movie in creation on my phone anywhere I happen to have a cell phone signal is something I can't understand and wouldn't be able to replicate doesn't mean I can't have two factor authentication to protect my credit card that's on file with them. Kyle Jude (46:42.275) Yeah, no, yeah, it's very true. I think when they stopped putting CD and DVD players in computers and really we moved to that full digital space, that's when the need for backups of everything really took off. And geez, what was that 20 years ago that now it feels like? I don't even know. yeah, I mean, it's been a need for a long time is to... to have a way to store that really crucial information for yourself, whether it's personal or for your small business or a large business and have those redundancies that if something goes wrong, you can go and you can find that. Yeah, I wish I knew how Netflix did it. I mean, I'd be a billionaire, no. Martin Hinton (47:29.006) Yeah, exactly. I settle for a couple hundred million. I'm not greedy. We've sort of danced around the cyber insurance part of this. We touched on it a few times here and there. What do people need to know about this? know, it's got the word, I mean, there are all kinds of insurance. And I feel like if you throw cyber or digital or cybersecurity into a phrase, it creates almost an invisible barrier. Kyle Jude (47:35.491) I'm Martin Hinton (47:56.686) for understanding or it makes people feel like, I'm never gonna get this. It's not like that, I don't think. But it is something that requires some lifting. And I wonder whether there's anything in particular about that before we sort of move toward the close that you wanna add on about what you guys do and the environment that you exist in and the policies you write and the process that you go through. Kyle Jude (48:19.287) Yeah, like the most important thing I can say is the barrier to entry to protecting yourself and your company, it's not as big as people think. You know, you think, I need an automobile policy and it's thousands and thousands of dollars sometimes depending on what you have. When you're looking at, you know, a small insurance policy to protect your business, you're going to be looking as little as like, you know, like seven, eight bucks a month. And so, So the barrier to entry to protect yourself and your business isn't as large as people think. And there is insurance out there that is scalable to fit any insurance needs. insurance is not a one size fits all industry. It's customized per individual a lot of times to fit their needs. so. You might not think that there's something out there for you, but call, ask the questions, and 99 % of the times, there is a solution out there to help protect your business. That's really one thing that I would like to have. Martin Hinton (49:28.536) Great. touched on that one of the things that we touched on is that this is very organized, very sophisticated. This is an adversary that should be respected, right? So that you don't take your security for granted. One of the elements of that, and you sort of touched on this with your reference to your Texas cell phone is the fact that there's always new types of attacks and new methods for attacks being sort of. you know, looked at or evolving and that sort of thing. And I wonder whether you have any comments about, you know, additional comments about the cross-state pattern, me, the cross-state cyber attack pattern that you mentioned or whether there's any other, you know, issues coming out that you're seeing or you're looking at and that, you know, you think people should know about. Kyle Jude (50:14.349) Yeah, and you know, it's just, it's a general trend that we've been seeing is, you know, it's these attacks, they're not focused on one individual person. Like I said earlier, these perpetrators are out there trying to cast a wide net. And it's not just hitting someone in Memphis, Tennessee. It's attacking someone in Memphis, New York, Los Angeles, Denver, the entire area. They're attacking individuals the same way and it might not be you that gets, you know, hit, but it's probably going to be someone else in one of these areas because they're casting such a wide net across state lines, across entire networks that it makes it very difficult to stop a lot of times. And the only thing you can really do is be vigilant, you know, take that second to breathe before you respond to an email, before you click a button. Use some of those tools at your disposal, two factor, multi factor authentication, things that can protect you. And that's really the only thing that I can really like stresses is it's not just you that's being attacked. It's such a wide fast. I guarantee you everybody that listens to this has been hit with a cyber security attack, whether they know it or Martin Hinton (51:43.084) I mean, you touch on, you know, the, we've talked about the reporting of this and it seems to me from a sort of my weekly, well, every couple of times a week, I will do a Google search and I'll look for local news sources. And it seems to me that particularly local TV stations cover, you know, this school board had to pay 200 grand for this, that there's a lot of reporting on the local level. So from a person's point of view, that's something that I'd encourage people to do. The other thing is if you hear about something happening in Florida, and I say this as someone who started hearing about the, I don't know whether it was the DMV or maybe it was EZPass tolls or something like that and it was a story out of Florida, if you're hearing it happening in Florida this week, it's coming to where you are if it's not already here. So that idea that these things travel through geographic space with very little barrier, not unlike the weather, is again, a sort of mindset that people... might be wise to take on. I do think that that's a fair way to think about it? Kyle Jude (52:41.257) 100%. Yeah, you're right. It's because I can travel a thousand miles in, you know, an instant with technology being on the internet. It's not like you're getting in a horse and carriage driving across, you know, the vast wilderness like it used to be you're getting in a car. You can affect tens and thousands of people across such a wide area in an instant with technology. Martin Hinton (53:10.606) So we've been talking about this in the small business context. And as we move to the close, just wonder whether we might spend a couple of minutes talking about the personal, family, cyber situation, you know, an area of particular interest for me. I once upon a time did classic investigative journalism in television. And we would do a lot of stories about the elderly being scammed, already a susceptible population group. I wonder if you could. I think the phrase you use is you need your own architecture in the op-ed. And I wonder whether you might take us through sort of the personal mindset, you know, like having a family past phrase or whatever it might be. Tell me a little about the basics of home architecture for cyber protection. Kyle Jude (53:56.451) So if, yeah, use something that's unique to you. mean, the worst thing you could do is use password 123 when you're trying to protect yourself. Use something that's not easy to think of. Like you have it posted on social media. know, my dog's name is Jack and he was born on January 21st of 1990 or whatever you put. And it's just, sorry, about that. My dog was just barking. So I hope you couldn't hear that. So, but if you're looking at, know, what is basic home architecture, it's what does your security layout look like to protect yourself? Like, what am I going to do to protect myself? Martin Hinton (54:31.731) Not at all, not at all. love dogs here at the Cyber Insurance News, but not a problem. Kyle Jude (54:56.547) So what steps have I taken to put into place? What does my security or what does my computer systems and my data systems look like? How am I using passwords? Am I using the same password for 800 things or do I have to have passwords for different devices? And making yourself, putting up walls of defense if you can. Martin Hinton (55:19.554) Yeah. Yeah. I mean, you touch on two things there. mean, the family passphrase, just to clarify, is this idea that within your immediate family, parents and children, there'd be something that you can say to each other that nobody would guess. And the example is a Liverpool football club fan. I've used this isn't my family passphrase for the record, is that if my daughter calls and says, I've had an accident and I need you to Venmo this guy $1,000 or he's going to call the police. She would say, did you catch the Man United game? Aren't they the best team ever? And I would know this is not my daughter. This is a scam. This is an AI made to sound like my daughter. But that idea that beyond a password, you have something that is contextual to your family, that's a secret. Is that an overly simplified way to think about it? Kyle Jude (56:09.325) I mean, you're right. I have something with my family that we use. I'm not going to say it here, but yes, we do. And I think it's a great idea, whether it's a phrase or you text a specific something or you're able to say, hey, look at my location on my phone because we all share locations with each other. And where are you located right Something as simple as that. So I mean, yeah, definitely there's many ways you can do that to help reduce the risk that you face and the vulnerabilities you have. It's just what suits you in your household the best. Martin Hinton (56:54.802) And again, we've talked about this at several points during the conversation. That's friction, right? A moment of pause, somewhere where you let maybe it's just your subconscious sending a message to your conscious saying, yeah, this don't feel right. Take a breath. know, why is someone suddenly asking for $1,000? They've never done this before. The urgency they play on. So yeah, that's sound advice. Do you, I mean... One of the things we've touched on is the way personal information, because we share so much now, can be used against us. That applies maybe more here than any other space, right? The idea that you can be taken advantage of because you posted about a wedding or a vacation. mean, when social media first came online, one of the early pieces of advice is don't post photos of yourself on vacation until you get back, because someone will be able to find your home. and they'll know you're not there because you're posted vacations about being in Aruba or Washington DC. That's a very basic idea, right? Kyle Jude (57:57.037) Yeah, yeah, it's like home alone. They know you're gone and they're gonna come take everything you have. just try and being as socially aware as possible that you're not giving someone the ammunition to take advantage of you. Because they're gonna try and find any ways to get that ammunition that they can. And if you're just openly giving it to them, they're gonna... They're going to use it. Martin Hinton (58:29.74) Yeah. So we've been talking about an hour and as promised, we maybe didn't get to everything, but I want to rattle off a few things here. And I wonder if in a word or two, you could tell me where they fit in the scale of what I think we would call a minimum viable defense for your cyber reality, whether you're a business owner or an individual or a family. And so I'll start MFA. Kyle Jude (58:53.091) Number one, give yourself that buffer. Yeah. Martin Hinton (58:58.336) unique passwords and then changing them. Kyle Jude (59:03.099) very important and don't use the same password across all of your devices. Don't have the same password for your bank as you do your email. Use something unique for each service that you have. I know it's a pain in the butt to keep track of, but there are some great security key chains out there that you can use to help you keep track of those so you don't have to remember everything. Martin Hinton (59:31.414) offline and cloud backups. Kyle Jude (59:34.403) crucial for people that have small businesses. Because if you don't have any way to restore your information, you're swimming up a creek without a paddle. Martin Hinton (59:48.6) training, phishing training and payment verification processes. Kyle Jude (59:54.135) Very, very important. All these things that you're touching up, they could all be number one because they all work so well together. And if you're doing all these things and you're in conjunction with each other, then the likelihood that you're going to be attacked is much less. Martin Hinton (01:00:17.474) And then last but not least, cyber insurance policy, knowing the inclusions and the conditions and the exclusions and the limits and the sub limits, where does that fall? Kyle Jude (01:00:29.347) And you say two factor authentication, I see insurance like, yeah, I mean, it's right up there with number one. You know, like I said, what can you afford to lose if the answer is not zero, like you need insurance and it's there. It's would you rather pay $10 a month or would you rather pay $10,000 potentially at one time? Martin Hinton (01:00:57.614) So what's one mistake you see small business owners make over and over? Kyle Jude (01:01:02.909) I'm saying I will get to that tomorrow and pushing things off and not not taking care of things when they need to be because you your delay could make you vulnerable and it you know just it's worrisome for me as someone that that you know cares about what happens to these people I you know I might insure these 350,000 people, but I truly care about their business. I call them, I talk to them on the line, ask them questions about how their business is doing, check in with them, seeing how things are doing. A lot of times, obviously I haven't talked to 350,000, but I check with some of them. And I do care, and the delay that happens, it worries me. Martin Hinton (01:01:57.634) Yeah. So I'm a small business owner and I'm watching this podcast or I'm seeing this clip on social media somewhere and I'm thinking, what's one thing I should do right away? I don't know anything about my situation. I've been too busy trying to sell my things and build my business. I've been trying to do the business, not work on the business, right? The big challenge as you've touched on for small business owners is the improving of the business, not just the operating of the business. What's one thing they should do? this week right away. Kyle Jude (01:02:29.357) Change your passwords. But seriously, you probably haven't updated your passwords in forever. That's probably the first thing I would do is look at when the last time you've updated your login information. Second thing I would do is make sure that I have two factor authentication turned on for everything. And third is make sure that I do have insurance to protect myself. Because those first two things can be done in two minutes and then. you know, take some time to make sure that you're properly covering your business. Martin Hinton (01:03:04.654) And I would just say, don't feel guilty if you feel like you're not up to it, because let's not forget that the password to Louvre was Louvre123. So big organizations can make these mistakes. They can be inadequate. You can avoid the Louvre123 problem, right? I think that's important to remember. Last sort of quickfire question. As much as any of us know what's coming in the future or can predict the future, I wonder whether you might... Tell me whether you see small and medium sized businesses facing any particular new threat or new trend or a new tack pattern over the next six to 12 months or in the future in general. Kyle Jude (01:03:40.439) You know, cryptocurrency is ever evolving and with the potential new legislation that's coming, regulating cryptocurrency and it being ever more popularly used in businesses as methods of payment, protecting yourself and being able to protect your businesses from those additional threats that are coming in the future. That's where I see the next real evolution is, it's becoming more more popularized and widely accepted and it's gonna be much harder to track. Martin Hinton (01:04:26.648) So like I said, I don't know if we got to everything, but we've been talking just a touch over an hour. Is there anything we didn't get to you think that's important for people to know about all this? Kyle Jude (01:04:35.683) I think we touched on a lot. The one thing I just want to touch on and stress again is take the time, look at yourself, look at your business, and make sure that you are protected. Because if you're not going to do it, no one else cares more about you and your business than you do as an owner of a small business. So if you're not going to do it, no one else will. And take that time. Martin Hinton (01:05:05.048) Is there anything that we didn't plan to discuss or you'd want to bring up? Anything else you want people to know? Kyle Jude (01:05:15.917) Call us if you have any questions. We're open. Go to insurancecanopy.com and call us. And everybody is a non-commissioned insurance agent, so we're not here to take your money. We'll answer questions if you have. Martin Hinton (01:05:30.888) And so you all know that there are links to Kyle and insurance canopy are in the show notes. So you'll be able to find them just as easy as that. So yeah, by all means. I mean, think what you've touched on and we've touched on throughout this is that there's a lot to be done to protect yourself and the resources and information are out there. There's a lot of free resources. It's a very fast growing element to the insurance industry. So there's a lot of people trying to grow this sector. So. from a buyer's point of view, that creates competition. I think that those are all things that small business owners and even large businesses can take advantage of. I mean, we're gonna move to a wrap up, but I ask, do you think that's a fair way to think about this particular moment in the industry? Kyle Jude (01:06:12.003) Yeah, cyber liability is becoming more more common and it's offered more frequently by carriers. So that competition is good for the consumer and the people that need the insurance because the prices are coming down a lot of times. So that's great. Martin Hinton (01:06:27.586) Well, Kyle, if you have nothing else, I just want to thank you flat out. Very, very interesting conversation. Very important stuff here for the small business owners, for them individually, and then frankly for the economy on a whole because of their importance to it. Again, thank you so much. Kyle Jude (01:06:33.175) What? What? What? Kyle Jude (01:06:43.873) Hey, it's a pleasure, Martin. Thank you so much for inviting me and I look forward to seeing what you got next. Martin Hinton (01:06:51.064) Great. Well, I appreciate the kind words about us. again, I really grateful for your time. Everyone else you've been listening to Kyle. Everyone else you've been listening to Kyle Jude, Program Manager at Veracity Insurance Solutions discuss small business issues in the cybersecurity and cyber insurance world. Like I've said, there are links to Kyle and all kinds of resources that we may have discussed through the course of the show in the show notes. So you can find them there. Thank you so much for taking the time to tune in. Please share, like and subscribe wherever you might be watching this. Kyle Jude (01:06:56.781) Thank you so much. Martin Hinton (01:07:20.994) And we really, really appreciate that support. Again, I'm Martin Hinton, Cyber Insurance News and Information Podcast. Thanks so much for taking the time. Enjoy the day.