Martin Hinton (00:04.28) Welcome to the Cyber Insurance News and Information Podcast. I'm your host and the executive editor of Cyber Insurance News, Martin Hinton, and two repeat guests today. Some of our earliest podcast guests, we've got Ralph Pasquariello and Craig Sekowski of Cyber Risk IQ. And the reason they've come back on today is they've got some news and it's relevant because we, in discussing this podcast, viewed it as a sort of telltale about awareness over cyber risk and the idea that protecting yourself from the realities of cyber crime and ransomware or whatever else it might be. There's a bit of a telltale here as they're going to explain that suggests there's a greater awareness, greater sense that it's something that isn't just maybe, it's a thing that you need to worry about like so many other risks in business. So first off, Ralph, Craig, welcome back. Thanks for joining us.
Craig Sekowski (00:52.204) Thanks, Martin.
Ralph Pasquariello (00:52.879) Thanks, Martin.
Martin Hinton (00:55.074) So who wants to go first? Who wants to tell us about the news? And then we can get into what it means. Go ahead, Ralph.
Ralph Pasquariello (00:59.225) I'll let Craig go first because I'll pick up where he makes mistakes. How's that sound? Hey, Craig, no, seriously. We engaged with a large franchise this morning, global franchise. Craig, why don't you kick us off and talk a little bit about how AI is influencing everything right now.
Craig Sekowski (01:06.434) He's not gonna be speaking.
Craig Sekowski (01:23.628) So AI has definitely grown exponentially in the marketplace and good and bad, but let's start with the good. So I'll give you an example. I mean, Claude, meet those, right? It's giving you the extra step. It's the white hat. It's the good hacker, if you will, trying to defend clients. And I think it's finding things that bad actors have been a proponent in trying to get into infrastructure. So that's the good. The bad is black hat.
Ralph Pasquariello (01:28.891) Thank you.
Craig Sekowski (01:51.808) Some of the people are catching up quite quickly. And so we have to fight fire with fire, so to speak, with AI. So those are some things, the proponents that we have to take a look at. But that's the exciting news, that AI has now come to the forefront as a tool, as well as a weapon being used by bad actors we're one step ahead.
Ralph Pasquariello (02:11.759) Hmm. And also the things we speak about weekly is, you know, security is one thing, but we talk a lot about insurance, insurance coverages. And in the event of XYZ, if the reason is AI and the breach has gone bad because of AI, will your cyber insurance cover that? And that's a big question right now. So we're, will it be excluded? Will there be endorsements in the future? So we see a lot of changes coming not only in the insurance policies, but the applications that you need to fill out in order to get cyber insurance. There will be addendums coming for AI.
Martin Hinton (02:58.546) Yeah, well, I mean, it's a huge issue on the AI company side as well, right, as they try to, I feel like there's one lawsuit where they're trying to frame what AI has to say in the same way that the Citizens United Supreme Court ruling did is that, if you will, AI has a First Amendment right. So it can say whatever it likes and then it's responsible for itself, which I don't know how I think about that because I haven't thought about it enough. But that idea that it is, I mean, what we're talking about trying to do is put a box around something that, that is, we're not sure how big the boxes are, what is capable of yet. So it's a, it, there's a need to do it, but it's, it's, uh, hard to do, is that, if you will, ship is sailing through the hurricane.
Ralph Pasquariello (03:38.116) Right, right. And you mentioned, you know, the awareness and I think the awareness has grown, especially in corporate America.
But the thing is that, like you mentioned, the company in England, we won't mention names, but big, big breach, right? And the thing is, when we meet with the feds that we meet with on a regular basis, they tell us, look, there's less than 15% of all of the cyber attacks that are successful go public. So, you know, if it was 100%, then everyone would be scrambling to say, hey, this is real, this is going on. And, you know, with 20 million attacks per day, there's a good percentage of those that get through and that are successful. Not that we need to scare people, but yeah.
Martin Hinton (04:29.198) I just have to, well, no, but well, I mean, listen, I mean, I, listen, we're afraid of fire burning down a factory. We're afraid of people robbing a bank. We've got, you know, insurance for financial collapse that's backed by the federal government to a couple hundred grand, I think, if I remember, at the top of my head, in your bank account or each individual bank account. I think we need to double click on that percentage that's reported. The sources you're talking about providing you that information, these are not,
Ralph Pasquariello (04:36.923) Hmm.
Martin Hinton (04:58.744) people trying to sell you something. These are sources within the government. So just back up for a second and again, what percentage of cyber events and cyber breaches, cyber attacks are actually made public?
Ralph Pasquariello (05:10.043) Less than 15 percent, and, and a lot of that is regulated, like if you have health information, like health records or financial records, and it's over, the number is 500, if it's over 500, then it has to be made public to shareholders, etc., and things like that. But the majority of just like ransom attacks and all that, none of that gets public. I, I brought in Secret Service agents to my clients before, after they were hacked and they're, they're down because of the ransom attack. And the first thing the CFO says is, I don't want anyone to know about this.
And, and they have to honor that. Right. The forensics, the FBI and Secret Service, they have to honor that. So it's.
Martin Hinton (05:53.272) Yeah.
Martin Hinton (05:59.222) I mean, I think that the idea that 85% of the problem goes unseen by most people. And by most people, we mean people who are potential victims of this crime, right? Like if from individuals or part of companies or C-suite executives or boards, the idea that you're only seeing 15 out of 100 problems is something that creates this misconception about the threat that exists, right?
Ralph Pasquariello (06:21.595) Hmm.
Martin Hinton (06:27.776) realizing how bad a fire can be or how much a bank robbery can cost you or whatever other business interruption that might occur that closes your branch for a day or stops you from invoicing or receiving funds for 10, 15, 20, 30 days. There is this idea that if it's only happening disparately and I only believe that because I'm only seeing it disparately, then it won't happen to me. This is the mindset. Right. And I think that that is changing.
Ralph Pasquariello (06:42.074) Mm-hmm.
Ralph Pasquariello (06:49.903) Hmm.
Ralph Pasquariello (06:56.187) Thanks.
Martin Hinton (06:57.294) You see this sort of like increasing awareness. There's a March report out today. I was just doing a piece on about something like half of global C-suite executives are actively looking to buy cyber insurance, which sounds like a forward progress, right? That's an advancement. The problem is actively considering, right? Let's back up. That means not insured, not protected for what insurance can protect. In discussing this call just a bit ago, you were chatting about the Society of Risk Management Consultants and we discussed how the context there. So I wonder if you could tell me a little bit about that news as it relates to Cyber Risk IQ and you guys and maybe then we could discuss what we think that might mean and what we know it means or what you guys know it means.
Ralph Pasquariello (07:40.389) Mm-hmm.
Craig Sekowski (07:42.178) So there's a group called Society of Risk Managers and Consultants, and they're a trusted advisor. So they're the next level up. It's one thing to be known, and there's one thing to be trusted. But when you combine those as a known trusted advisor, they don't sell insurance, they don't sell the technologies, they're advisors and consultants, and that's what they do best. They're the elite consultants, if you will. So we were vetted, it took us about three months to be vetted and invited to join their group because of our proposition. They've enjoyed it. We have a different spin and a value add for their clients because now we're a known trusted tool inside the industry, essentially. So that's helped us excel in our growth and our evolution. Very excited. They're worldwide in the group. There's only approximately 158 advisors worldwide. So we're very happy to be a part of that
Ralph Pasquariello (08:13.027) Thank
Craig Sekowski (08:41.11) that group.
Martin Hinton (08:43.564) Now, looking at that from the outside and putting on my journalist hat, it would seem to me that bringing cyber risk experts into the broader risk management consulting reality for global corporations and companies is an indication that they've thought, you know what, we knew this was a problem, but we need expertise. We need people inside the tent that we can rely on to communicate to the people who pay us for advice about how to manage risk and avoid risk and mitigate the realities that
Ralph Pasquariello (09:04.123) Thank
Martin Hinton (09:12.418) bad things are gonna happen, mistakes get made, things go wrong and you need to be resilient in those moments, right? That's the magic word now in cyber is resilience for when it happens, because it's gonna happen.
Do you think that that perspective or that take from my point of view, like a layman's way, is an indication that there is a rising awareness about this and it's not now some sort of ancillary add-on to your insurance policy or your corporate structure, cyber resilience as we look at some of the hacks that have across.
Ralph Pasquariello (09:20.315) Mm-hmm.
Craig Sekowski (09:22.838) What's?
Martin Hinton (09:40.78) you know, occurred around the world and in America, it's a pillar, right? In order for your company to be secure and reliable for customers and shareholders going forward, this is something we need to take as seriously as any other potential risk our company faces.
Craig Sekowski (09:55.775) Absolutely. I think the maturity of that conversation's definitely grown exponentially. Cyber is a gift that's continually giving. And in order to involve itself, I think that conversation has to mature. So we're part of that maturity and growth in offering our expertise into that, because that's what we do. You know, we don't do a gunshot approach. We're, we're rifled. And that's the one pillar, as you stated, that we can offer the expertise.
Ralph Pasquariello (09:59.836) Thank you.
Ralph Pasquariello (10:21.115) Yeah, and I think a lot of the larger corporations have grown. Not only, I mean, they're not using a lot of bigger companies, not using managed service providers, you know, MSSPs for their security. They have in-house, right? They've got a technology officer, a security officer, a compliance officer. So when we speak their language, which we have both sides of that house covered, right? Craig with his IT knowledge, me with my cyber insurance knowledge, and we combine those, we decrease those gaps between the CFO and the CTO and the CISO. And we bring them together to say, we need to make a nice sandwich here. We need to make sure that both sides are covered. And that makes a difference.
I mean, even just to bring some of these people together on the same team's call, it's like, wow, why are we doing this? And we flatten that conversation, they understand that, right? We're there, they hire us. We're not an outsider. We're now part of your team. We're doing an assessment for you to keep you in business, right? Because no one has told you that, yes, he bought an insurance policy, but it's not the right insurance policy. You shouldn't be with that carrier. You should be with this carrier. You have a lot of gaps. You have a lot of exclusions. And by the way, your limit is $10 million off. You know, that's what we say, you know.
Martin Hinton (11:52.706) Yeah.
Craig Sekowski (11:54.179) What's a cyber liability blind spot is Ralph always refers to it. And he's also come up with a great training tool. It's the six questions you need to ask. And there's multiple of those questions, but there's so many people that they just shrug their shoulders going, never thought of it that way. So that's the extra nuance that we bring to the table.
Ralph Pasquariello (11:58.362) Yeah.
Ralph Pasquariello (12:15.035) It's the landmines. Craig calls it. Ralph finds a lot of landmines in your cyber insurance policy because no one reads it. They don't Go policy. So.
Martin Hinton (12:25.006) Yeah, I mean, you touch on something that, well, there's two things you touched on that, pardon me. You touched on two things there. The first is that we see this in some of the reports you read about cybersecurity jobs and the roles of CISOs, the soft skills, the getting people in the room together and having them look at the same thing at the same time and be willing to have a communication that's honest. You said it flattened the conversation. That moment brings about the awareness that there is this real and the phrase that gets used in the consulting world is like need for adaptive change. Like this isn't an old problem we can fix with old solutions.
We have a new problem that we have not addressed properly. And this is, could, it sounds like I'm throwing companies under the bus, but huge companies, small companies, there is, you know, there's a lot to do. Now they've layered this new piece of pie on top of it. And it's a lot to take on board because it's complex, it's abstract. So getting people to be aware of that is a huge challenge. And it's one of the reasons you see a lot of CISO burnout. It's one of the reasons that there's a lot of movement through that position in the C-suite companies, apparently, according to what I read. But the second bit you mentioned is you got to read the fine print, right? You got to read the policy. It's because of the nature of cyber, you can't just check in once a year and do a questionnaire. So tell me about that part of it, the idea that this is, with the regard to the cyber insurance policy, there's been that attitude once a year, you check the box, I got insurance. Wow, lo and behold, I didn't have multi-factor authentication implemented properly according to the policy. So that breach isn't covered. There's that part of it, the literal coverage. And then the underestimation of the cost, right? We know the breach is going to be expensive. You can't do business for two weeks. I don't remember off the top of my head what the latest closed.
Ralph Pasquariello (14:00.518) Yeah.
Ralph Pasquariello (14:08.005) Mm-hmm.
Martin Hinton (14:21.902) for business averages, but I think the last time we spoke, it was three or four weeks, depending on what you saw and what you looked at. But as we've discussed, 85% of these breaches aren't public. So there's a huge amount of information unavailable to inform that number. What we also know is that because of the nature of breaches and even, let's say, encrypted information that's taken out of an organization, that data maybe can't be broken.
But with quantum computing coming along the lines, in a couple of years, you'll be able to break into that information potentially.
Ralph Pasquariello (14:26.907) Mm-hmm.
Martin Hinton (14:51.95) So there's, there's, you, you say $10 million and someone could think, well, how's that not enough to deal with a cyber? It's not like you need to rebuild a building. Well, you might need to rebuild all of the things that makes that building have a purpose to run the company you have, right? The technology, the remapping of networks and you know, and we, see this, right? People don't understand the problems with data sprawl and, and all the ways you can log in both through human and non-human credentials into your organization. All of this stuff, right? Are you sitting down with
Ralph Pasquariello (14:59.898) Mm.
Martin Hinton (15:21.582) corporations and advisors and sort of laying out these things to them and is there like this aha moment where they're like, I knew all of this was a problem, but Ralph, you've just really hit me over the head with it.
Ralph Pasquariello (15:31.256) Yeah, well, it's, it's not, like you said, it's not just the business interruption, which is 25 days, 30 days, but the fallout because of that. Right. And a lot of CFOs underestimate that. They said, well, we, you know, well, Craig hears us all the time. We just paid the ransom and then we're back in business. Like, no, no, no. You pay the ransom and then you pay another 10 million dollars on top of that because of third party damages. You know, people don't realize a lot of times that a ransom attack
Craig Sekowski (15:31.733) Every day.
Ralph Pasquariello (16:00.098) is business interruption, but it's also data breach because they exfiltrate your information. They have your information hostage. Therefore, when you lose control of your data, it's a data breach. HIPAA, you know, I mean, there are so many people that get involved after that.
So, Craig and I spoke at the Georgia Bar Association about a month ago or so. And now what we're seeing a lot of these third party damages with class action suits against the company that got breached by all of its people that were offended by that, suppliers, clients upstream, downstream. And now a lot of these guys are like ambulance chasers when it comes to a cyber event attorneys. So, so guess what? That third party damage that you had a sub limit for, for 5 million instead of 10 million.
Martin Hinton (16:52.375) Yeah.
Ralph Pasquariello (16:59.707) That now needs to be increased. So your overall limits, because it's a single limit, right? We need to bump those up as well. And that's what we're doing with our assessments.
Craig Sekowski (17:10.658) Look at just that the notification costs, you know, we worked with a manufacturer that was really underinsured. You talk about checking a box. They didn't really review their cyber policy for more than, you know, half a dozen years. And fortunately they had a ransomware and with the number of records, just the cost alone exceeded the limits of their insurance policy. And it was an eye waking moment
Ralph Pasquariello (17:35.301) Mm-hmm.
Craig Sekowski (17:39.127) for that CFO saying, man, I've got to take a look at this. It's not for what's happened in the past. What's ahead future wise or something like that were to happen again. And then the B side of that is now our clients know that we can be breached. Are we going to lose clients over this? So very, very important. That's the one thought people aren't thinking of.
Ralph Pasquariello (17:47.323) you
Ralph Pasquariello (17:55.397) Yeah.
Martin Hinton (17:59.724) Yeah, you touch on it. Again, you know, people hear cyber, cybersecurity, they think it's all technical, these sort of soft skills and communicating the threat and then the reality of the reputational damage that can come as a result of. Listen, it's simple. I'll put it in simple terms. Business is about trust.
You give a company vital information like your birthdate, your social security number, your credit card information, and they don't treat it properly or protect it well. Or you believe they didn't.
Ralph Pasquariello (18:12.187) Mm.
Martin Hinton (18:28.77) Right? That hurts your feelings. It hurts your chances of doing business with them. And back to the legal point of view, every cyber insurance conference you go to now has a panel that includes lawyers and the classes are getting smaller. The length from the filing of the class and the breach is shortening and lengthening, right? You know, I mean, 18, 24 months down the road, you think you're clear from that breach and suddenly, you know, 10 million records wind up on the dark web for sale and you're back where you were at ground zero, if you will, the day the breach occurred, and you're wishing you, the only thing you were dealing with was blue computer screens. I mean, that idea of it, for me, is something that betrays just how organized the crime part of this is. Do you think that that's another part of this that they don't, you know, when it comes to realizing the risk and the threat, right? You know it's there, but it's abstract. Do you think that part of this risk management organization's awareness is that these problems are real and, you know, you don't have to...
Ralph Pasquariello (19:01.21) Mm.
Martin Hinton (19:27.98) You don't have to just be a victim. There are a lot of ways to protect yourself in the real time and then also to prepare yourself for the cost of breach when it occurs.
Craig Sekowski (19:35.277) So I like to refer it to, you know, Ralph and I work with various strategic partners and one of them is a cyber attorney. And I love his analogy. It's very simplistic, but all companies are walking in a high wire. That's your technology, your security measures and so on, but you're going to fall sometime, whether it's being pushed, breached, however you want to frame it.
When you have that safety net, which is really your cyber liability, you want to make sure there's no holes and it's large enough to catch you in case something were to happen. So I love that framework of taking a look at it from that lens.
Ralph Pasquariello (20:10.898) So, and I like what you were talking about, Martin, you were saying about the people renewing their cyber insurance. So we, we engage with a national packaging company, pretty good sized company about two weeks ago. And they indicated that they have for the last 10 years, they have just renewed their cyber policy over and over and over, just renewed it. And I said, look, cybercrime changes every minute. Cybersecurity tries to keep up with that. And for you to neglect even endorsing or making changes on your cyber insurance for 10 years, it's just ludicrous. I'm saying, and I used to say with my clients, we need to engage every quarter to make sure that your cyber insurance is keeping up to date with the threats, the risks, the claims, et cetera, that we hear from the underwriters and actuaries. So, but it's, it's just like a check the box and forget it. Let's move on. Let's just do business. But like you said before, it's, it's people are really aware of it now. They're cognizant of, because it's the rumors in the industry. Hey, did you hear about so-and-so? They lost $25 million in less than a week because of what happened or people losing $50 million a day. I mean, it's just, it's devastating. So, keep an eye on the ball.
Craig Sekowski (21:41.901) So Ralph, I agree with what you're saying. And Martin, you mentioned it before, you were talking about different pillars of excellence, if I can use that term. People are, if you've got five, five being that last pillar being cyber insurance, you're checking the box for all of those and not looking at the cyber insurance side, leaving that flat. You've got to complete all five because they're really a part of that puzzle.
Without all those together, you're not solid ground.
Martin Hinton (22:11.628) Yeah, I was a Charlie Unger that to understand something you have to understand the incentive. And I heard an expression recently that I hadn't heard before and it's data is the new oil. And I loved it because certainly in the context of what's going on in the world now, it's easy to understand what you mean when you say oil. You mean something really, really valuable that people want to control. They want to have, they want to have access to, they want to, in some cases, limit other people's access to. So if you're a company with data and
Craig Sekowski (22:25.462) That's true.
Martin Hinton (22:40.334) I got a newsflash. If you're a company, you've got data, right? And the idea, particularly if you're a consumer facing company that encounters people through whatever transaction you might be doing online, there is a reality to how valuable that stuff is and the pass-through value of it in the criminal world. Do you think that, again, we touched on this number and I'm going to repeat it. 15% of cyber attacks are made public, which means 85%, give or take, are not. These are the statistics and information you're getting from government sources, not people trying to sell cyber insurance. I wonder whether or not you think that that is something that's changing. Now, there's obvious news directly with you that the inroads you've made to become a reliable resource for risk management on a broader sense, the idea that this is a broad part of risk management. But as you look at the landscape now, is it every week, every day you're encountering people where you're like, oh, no, we're going to have to make some changes to how you're addressing your cyber insurance policy? Or do you ever encounter with someone and go, no, you're good. We'll talk to you in a quarter.
Ralph Pasquariello (23:40.36) No, no. So I'll give you a good example.
We just, I mean, we've been engaged with a lot of companies over the last couple of weeks, but one that we just engaged with when they filled out, we give them a little form to fill out. It's just a questionnaire. And we ask how many records do you have? You have not only processed, transmitted, or your third party is care, custody, control of those records, right? And people put a zero. Like, wait a minute, you have 400,000, 400,000 records that you have access to, but you put a zero on the form. And they're like, well, you know, we don't, you know, it's one of our partners that they have it in their system. But I said, you have access, that you're in this system all day long. So you are vulnerable, you, and I'm saying Craig and I are trying to protect you because when it happens, you're to have enough insurance to cover those 400,000 records. You know, we're not the bad guys. We're the guy that's saying, hey, you know what? You need new tires on your car because they're bald. But it's amazing how many people think that just because it's not in their network that they're not responsible for it.
Martin Hinton (25:05.41) Yeah, I mean, the two things that jumped to mind there is that this issue, right, once upon a time when we had to store things in paper, right, you could physically see it. You got a rent check from the warehouse where your files were being kept, you know, was it seven years for the IRS in America and that kind of thing. But now digitally, we create this data sprawl and the governance of that data and the volume and the amount of it and the duplicity, right? The example that I think of lately about, and it's...
does deleted ever mean anything and it's the horrible kidnapping or disappearance of the TV anchor Savannah Guthrie's mother and they were able to find Ring camera footage even though she didn't have a subscription for the maintenance and the maintaining and recording and keeping of that storage of that recording, but it was on some sort of backup Google server and that sort of thing, and the, the, the idea I thought is, you know, there's going to be a day that comes where deleted means
Ralph Pasquariello (25:47.855) Mm-hmm.
Martin Hinton (26:01.388) you thought you didn't have it anymore, but it was just somewhere you hadn't looked yet, right? Yeah, and this idea that that's just one example, right? So if you're a company and you say, we don't have security camera footage from that night because we don't keep it that long. And there was something caught on the footage that you in fact do have, but you just didn't realize. And it was a crime that, you know, or an event that somehow creates liability for you or even just reputational damage because you had footage that you could have helped the police with.
Ralph Pasquariello (26:04.237) Someone else has it. Yeah. Yes.
Martin Hinton (26:29.964) These are the sorts of weird little things that you could pull a string on and you create a real problem for a company. I mean, that's an exaggerated example. But again, like this idea that people don't have any idea what they're storing. And on top of that, they don't have any idea how valuable it is and the liability that value creates if it's stolen.
Ralph Pasquariello (26:35.899) Mm-hmm.
Ralph Pasquariello (26:49.371) So, so, so Martin, you, you, you really struck a chord here. When I started writing data breach insurance, we were covering paper files that got stolen out of someone's office. That's when data breach was, you know, people were breaking into your office.
So they go dump dumpster diving and they find all this material and data breach insurance way back when covered paper files. It still does somewhat. But the funny thing is, with the, with the records that we talk about, the bad guys are, you know, I think we covered this before and you were, you were like, what? The discovery time when someone's in your network and the bad guy's in your network, the discovery time is actually 200 days before you figure out they're in there. So when, when Craig and I tell people that, they're like, no way, you know, we're in there all the time, we don't. Well, it's like hide and go seek, you know, I mean, it's. So like you said, it's, you're vulnerable when, when they're in there for 200 days, they have everything they need, you know, so.
Martin Hinton (27:54.488) Yeah.
Craig Sekowski (27:56.226) Yeah.
Martin Hinton (27:58.446) Well, I mean, you know, listen, I mean, you guys know me, right? I'm apt to the fifth grader level. The call's coming from inside the house, and it's been coming from inside the house for two thirds of the year, right? Like the idea that these people are, it is the way you need to think about it. There is someone in the place you hold your valuable stuff, and they are walking around, walking through doors. They've stolen a credential, and you don't even notice them. They're in there. And that's...
Ralph Pasquariello (28:22.606) Right.
Martin Hinton (28:23.406) That's why we hear phrases like active monitoring and all that sort of thing. That's where this sort of thing starts to incredibly wise to have. And it's no different than having a 24 hour security system at a physical location, right? Or a guard that sits in a guard post and monitors 15 cameras 24 hours a day, right? These are the things that need to be absorbed into the digital reality. And because we've moved so much of what we value into digital spaces, we're slow to do this because we thought, it's safe now. Even my iCloud photos, right? They're stored away.
I mean, what would I pay to get them back? And I think that, you know, when you try to make things personal for people, like the things that you value on an individual level. Now imagine that on a company with 50,000 employees, right? The scale, 150 year old corporation with a, with a legacy tech stack. And, you know, in the case of the Marks and Spencer stack, you've got retail locations, you've got IT vendors in India, all of these people that you think you know where they can go and can't go, but if you're treating your vendors and giving them access like employees, does that access go away automatically the day the contract ends? Do you have to do it manually? Were they able to create a duplicate credential because they needed you to do something, but now it becomes this vulnerability? Again, think about credentials. They're just keys. When you give the key to a maintenance person to repair something in your warehouse, can they make a copy of the key and only give you the original back? These are the questions you need to be asking. Do you think people are asking them enough?
Ralph Pasquariello (29:48.259) Mm-hmm. No.
Craig Sekowski (29:52.906) No.
Martin Hinton (29:54.857) No. I mean, again, like I think I've said to you and one of the things about this world is the people in your world and come to this with this real enthusiasm for solving a problem, right? There is a real problem. The first big problem is we've got to make the people who are buying these things and taking these new steps to realize there's a problem, right? What do you think needs to happen going forward to create greater awareness? I mean, there's obviously journalism.
Ralph Pasquariello (29:59.676) Thank you very much.
Ralph Pasquariello (30:19.291) Thank Martin Hinton (30:20.29) But do you think that there's some bigger campaign that's needed along the lines of the sort of thing that made people aware of, I don't know, how dangerous cigarettes are or seat belts matter or, you know, what do you think? Ralph Pasquariello (30:31.801) We're trying. Craig Sekowski (30:34.962) It's continuous awareness. It's a continuous using your services, like you said, journalism. I think training, train, train and train again. I think new, new solutions, new things that are happening in the marketplace. And again, it's trending new things that are happening that you have to be aware of. It's changing almost every day. Martin Hinton (30:56.332) Yeah, yeah. You know, there's the myth of the Sisyphus, right? The man pushing the stone up the hill and he never quite gets to the top and it's always pushing him back down. And that's viewed as like, you know, that's just life, right? That's what this is. There is a constant struggle here that requires constant activity, 24 hours a day, seven days a week. We know these attacks occur the Friday afternoons and around the holidays and that sort of thing. But everything that we know about behavioral psychology, so the Ralph Pasquariello (30:56.803) Mm, it is. Martin Hinton (31:25.218) that we can sell more soap or get people to watch more TikToks, they know and they're utilizing in a criminal nefarious way and absorbing that reality. Like this isn't kids in basements with hoodies eating hot pockets that their mom made them. This is highly organized, borderless organized crime that is often state backed, right? And I think to think about it like that, this is a formidable foe that you need to be prepared to defend against. Ralph Pasquariello (31:46.233) Mm-hmm. Right. Martin Hinton (31:54.894) In that context, we look at the cyber insurance market now, what do you think is coming for the next year with pricing, policy demands?
And we talked about more constant monitoring or more complex moving beyond the questionnaire and the checkbox kind of reality. What do you guys see with regards to pricing and other sort of elements? Ralph Pasquariello (32:10.907) Yeah, pricing is flattened out. It's kind of a flat market right now for cyber insurance, which is good because it's a good time to buy additional coverages. And when we address clients and we talk to their insurance brokers as well, which we do a lot, when they go from a 10 to a $20 million policy, it's not doubling their premium like most CFOs think. We're just adding some layers. We start with the 10, we keep the primary and we add some layers to get the 20 million or whatever the number is. You know, we bumped one company from a 25 million to a 50 million, the healthcare company. So, you know what? They talk about return on investment too. We did a small company recently that went from I think two to five, two million. And the CFO was like, well, what's my return on investment? I'm spending another $15,000. I said, we just saved you $3 million. You know, he's like, what? Well, I said, you weren't sure for two and you need five. You know, so guys, people hate to buy insurance, but you need it. Martin Hinton (33:20.344) There is that barrier reviewing this is purely a cost center is one that getting chipped away at right there. The idea that this isn't a classic expense only line item in your budget. This is a very, very different reality given the threats of the Ralph Pasquariello (33:39.676) It's going to happen, right? It's like when I buy the insurance for my home every year, I'm like, the fire insurance, it's house is never going to burn down, but the odds of getting struck by a cyber attack are a thousand to one compared to getting hit by lightning here or whatever the odds are, probably a million to one, right? So it's going to happen. So be prepared to buy the right insurance when your security fails.
Your burden goes to the insurance. The insurance kicks in. to make. Craig Sekowski (34:09.634) But I think it's sobering on our benchmark report that we put it in those terms, not just an analytical, your red, amber, green, we put it in dollars and cents. And I think that really resonates across the board and flattens out that conversation with CFOs across the other C-suite. So they know if something happens, this is what it's going to cost and this is what it's going to hit your P&L. So they do listen. Ralph Pasquariello (34:19.417) Right. Ralph Pasquariello (34:33.989) Mm-hmm. Martin Hinton (34:34.402) Yeah. What about that? I mean, one of the things that I've chatted with people about is the idea that there's a real upside given the risk, right? And people not having the policies they need and maybe needing slightly more coverage, that there's a business opportunity for the cyber insurance companies to help make companies more insurable or a better risk. And the idea that they can bring discounts if they bring in, you know, multifactor authentication or whatever other measure that you might want to introduce properly. Do you see a trend in that direction where there's sort of a parallel cybersecurity, cyber insurance sort of relationship where a company might be able to get a discount from an insurer for changing the way they do things and implementing policy? Is that something you're seeing? Craig Sekowski (35:23.202) I do, and Ralph, I'm going to have you answer part of that, but part of the benefits, like just selfishly looking at our benchmark, we tell you the things that might be the deficiencies, but we also tell you what you're doing things right. And I think on the application process, and that's where some of the things are, you know, they're not well informed on the application when the clients are notifying to the underwriters. Here are the things we're doing well or here are the things that we've got in place.
Our report and we're working with MSPs and MSPs or MSSPs to share that information. Underwriters welcome hearing that and seeing that so that they give extra, what's the word, credits or considerations on the policy. Ralph Pasquariello (36:10.203) Yeah, we do see that. You know, years ago, a lot of the underwriters didn't require certain security things, right? So when we come in and we give a client our security assessment, which we're doing, we're looking at the deficiencies and we have different markers and we say these three are critical. You need to fix these. Of course, the underwriters see that they have fixed these. And our report is almost like a certification that goes along with the submission. So, I think that's very, very valuable. And a lot of insurance brokers, and I'm throwing dirt or mud on them, but a lot of them just don't understand the intricacies. And we went through this again, a couple of weeks ago with the client that we are onboarded. They didn't have cyber insurance and their broker just sent them an application: here, fill this out. They had no idea how to fill it out. I said, look, we'll walk you through it. We'll walk you through it. And you have Uncle Bob, who's your IT guy, you know, and we'll help him. And literally, I mean, it was baby steps to fill out these 12 pages that the broker just said, here, fill this out. And he wasn't going to help because he couldn't help. And he doesn't want that liability because if it's filled out wrong, Martin Hinton (37:30.222) Yeah, yeah, yeah. Yeah. Ralph Pasquariello (37:37.765) Whose fault is it, right? If you have the wrong insurance and wrong limits, whose fault is that? And we're not here to point fingers. We're here to keep people in business. So. Martin Hinton (37:51.276) I mean, you touch on, there's a reality here, right? It's very easy to point out what's wrong, right?
And when you're teaching your child to maybe walk or use a knife and a fork for the first time and they're one, two years old, you're incredibly patient and understanding that they don't get anything. And you need to let them fail and fall and they stumble and scrape their knee or they use the knife instead of the fork or whatever it is. You get to 13 and you're teaching them to... to have a dinner at a restaurant or, you know, sit quietly at the adult table, you don't have the same level of patience. And I think about this context for that, right? We are at the very beginning of this. We expect everything to be perfect in the digital sense, right? If a video doesn't play right away, we're annoyed. If a phone call doesn't connect or an app doesn't function, anything, we have, our patience is reduced to fractions of a second now. And I think that that's hurting our ability to remember that we are at the very beginning of Ralph Pasquariello (38:27.259) you Martin Hinton (38:48.61) the tech age and the information age, despite how much has changed in our lifetimes, that there is, we're at the beginning of this and there's still a lot we haven't figured out. And part of it is the downside. We rushed headlong into it because the upside is amazing. You know, not having to mail letters, you can email them or, you know, all these really little things that, you know, you can pay wire transfers now instead of mailing a check. There are amazing ways that businesses become much more efficient. The consequences are we're really, really good at being like, I'll deal with that later, right? And we're coming upon or in the later part of it that it would be really wise to get right now so that as we move into the future and whatever future tech is available, it comes along without the bumps and bruises of the toddler days, if you will. So, I mean, because I think you're right. I think that it's very easy to say, this company didn't do it right or that's wrong.
But this is complex abstract stuff. Ralph Pasquariello (39:34.011) you Martin Hinton (39:42.636) And again, all you need to do is look at large, massive publicly traded companies that are making mistakes. So if you're a little business or a small business, don't worry. The joke I'm making, it's not quite a cyber crime, but the password to the Louvre was Louvre123, right? I mean, you know, they've got the most valuable art collection, arguably in the history of the world. On top of that, all the jewelry and that sort of thing. They did that. I mean, this is the kind of, this is a human problem, not your problem, not that company's problem. And I think that, you know, that that's something to keep in mind as we... look to solve and not blame is kind of the way I feel about it. So gents, I don't have anything more. Is there anything else you want to get into or anything you wanted to discuss today? Craig Sekowski (40:23.82) Mr. Pasquariello Ralph Pasquariello (40:26.011) I don't think so. I mean, this is our business every day, Martin. We see it every day. We see a lot of pushbacks. We saw a lot of people in denial and... And we're, we're friendly approach. We just want to show you how, why, when, where, and if this happens, I hope we can help you, so. Martin Hinton (40:29.91) Yeah, I Craig Sekowski (40:50.914) My final word being, don't be afraid to ask. Ralph Pasquariello (40:55.417) Yeah, but once you find out the answers, now you're liable if you don't fix it. Martin Hinton (40:55.766) Amen, amen, yeah, yeah, yeah. Craig Sekowski (41:03.234) That's true. Martin Hinton (41:04.43) That's true. Well, Ralph Pasquariello, Craig Sekowski with Cyber Risk IQ. Gentlemen, always a pleasure. Thanks so much for joining us. We referenced a couple of things. We referenced a couple of things in the show today. There'll be some links in the show notes as well as ways to reach Ralph and Craig and Cyber Risk IQ. So you'll be able to find that there.
Again, Ralph and Craig, thanks so much. Ralph Pasquariello (41:18.171) Okay. Martin Hinton (41:33.888) Everyone else, thanks for watching the Cyber Insurance News and Information Podcast. I'm your host, Martin Hinton. Enjoy the rest of your day. All right, hold on one sec, let me just make sure we got... Ralph Pasquariello (41:39.899) Thanks, Mark. Craig Sekowski (41:40.162) Thanks, Martin.