Martin Hinton (00:03.821) Rolling.
Martin Hinton (00:26.382) All right, here we go.
Martin Hinton (00:32.462) All right then, welcome to the Cyber Insurance News and Information Podcast. I'm the executive editor of Cyber Insurance News, Martin Hinton. And today we're going to be talking about what it's like to buy cyber insurance, kind of. You may have heard about MFA and training for your staff and cyber hygiene, and you have an incident response plan. Today, two gentlemen from SplitSecure are joining me: we've got Tristan Morris and Dylan Hamilton. And they're going to talk about how there's more to think about in this space. And the issue that underwriters and brokers and CISOs and regulators and the buyers of cyber insurance, all the things you need to be thinking about, is that there's this massive change in how these policies are written, in how we take whether or not you're saying you've got things in place versus whether they're really in place, whether it be MFA or anything else. So we're going to dive right into that and this sort of constantly evolving and dynamic reality. So first of all, Tristan, welcome, Dylan, welcome. Tristan, do I have that right? What do you think about that? What do you think about what's going on in this space now?
Tristan Morris (01:34.014) Yeah, I think that there are two big factors that are pushing the space right now. One, as probably most of your listeners are already aware, it's a very soft market. There's a lot of downward price pressure, which is changing the incentives on how policies are created. But the second is the broadening of the space. Companies like SMBs, manufacturing companies, companies you wouldn't think of as cyber heavy, are now becoming targets for cyber criminals. It is growing the market, and in growing the market it is changing the profile of the sort of customers that are being dealt with and the sort of policies that have to be written. And this is part of the broader trend of adding more controls.
Dylan Hamilton (02:11.798) You know, if I could expand on that. Just to expand on that, there's a huge shift, not even on the insurance side or on the protection side, if you want to call it that, but on the attacker side. A lot of developments and advancements have been made in the technology and the strategies that we use to counter cyber attacks. And the cyber attackers have paid attention. They have changed their strategies. They have started looking at
Martin Hinton (02:11.976) And go ahead.
Dylan Hamilton (02:40.776) not just what can they access, but what can they do once they have access that achieves their goals in ways that they weren't able to in the past and in ways that are not currently addressed by current strategies. And that's something that cyber insurers are having to grapple with and starting to look at in a context of, we're not sure whether we can quantify this. Our old controls and our old methods are not perfect when it comes to identifying the real threats that are happening. So much of what's evolving in the industry right now is going along those lines, as both sides are advancing and it's a back-and-forth struggle.
Martin Hinton (03:20.75) We'll dive more into this, but you're certainly talking about something that's very common. There's this massive gap between what maybe an insurer thinks is happening within any company and what they put on their questionnaire when they did their policy, and what's really happening and what really causes a breach. Do I have that sort of generally right?
Tristan Morris (03:39.33) Yeah, I mean, there are two factors here. There's the one that is, I think, sort of obvious: that the questionnaire captures a snapshot in time of the company's security stance. The company's security stance can evolve over time in ways the insurer is not necessarily aware of. But the other big one is exceptions. If a company answers completely genuinely, we consistently apply MFA.
We have a policy of consistently applying MFA. That does not necessarily mean that MFA is applied to every single account throughout the entire company. Exceptions may exist, and attackers thrive on those exceptions. They look for the weakest point in the company and attack it there. So for insurers, even if the survey is relevant and the customer is completely genuine in filling it out, which are not always a given, that doesn't mean it accurately reflects the real state of risk in that particular client.
Martin Hinton (04:30.924) Understood, understood. So that brings us to SplitSecure and the great free market reality. Here's the problem. You're coming along with a solution. So tell me a little bit about yourselves and SplitSecure, and move into the offering you have that addresses some of what we've just been talking about.
Tristan Morris (04:49.784) Yeah, sure. I'll start by introducing myself. As you said earlier, I'm Tristan. I'm the CEO and the co-founder of SplitSecure. I co-founded it with Marc Tremblay, who I've known for about 10 years. I've spent my entire career in cybersecurity, so I'm new to the insurance space, but fairly long on the cybersecurity side. Marc and I met when we were both at Knox, which is Samsung's defense cybersecurity group. So we got our careers started building security features for three-letter US intelligence agencies and the Department of Defense. Dylan, do you want to introduce yourself real quick?
Dylan Hamilton (05:26.582) Sure. So again, as I said earlier, my name is Dylan. I am the business development lead for SplitSecure, focusing particularly on the insurance industry at this moment. I'm actually somewhat new to insurance as well, as Tristan is, but again, we come at this from the cybersecurity side of things. And we've, again, just been trying in all things to look at what the root problem is. I think that's something that's very common in cybersecurity spaces in particular.
And it's also something that's very common in insurance spaces. At the end of the day, financially and from a practical business perspective, it doesn't matter what people are saying the problem is. It doesn't matter what fancy tools and techniques someone can advertise to solve it. We need to identify what is actually happening and what we can materially do to reduce risk. So in that respect, we've found a lot of crossover between what we've been trying to do and what the insurance industry writ large has always been doing.
Tristan Morris (06:28.302) So to get into sort of the problem we solve, the way I've heard a couple of insurers express this, and I'm stealing a quote here, I can't get credit for this, is that insurers frequently don't have a definition of what's good; they have a definition of what's bad. If you show an insurer an improperly configured system or an account or a credential that is not secured correctly, they can tell you it's not secured correctly. But having a definition of bad requires constant diligence. You have to be sure you've comprehensively surveyed the entire company for every example of what might be bad, which of course is impossible. This is where you see all of the scanning utilities that are coming up, all of the monitoring tools that some cyber insurers are picking up. But it's not possible to be sure you've captured every single instance in which a company could potentially be doing something wrong. What insurers are looking for, I think what they need, is a definition of good. Something you can look at and say, I've affirmed you're doing this, and because you are doing this, I don't necessarily have to know the rest. I have certain confidence in the amount of risk in this client. The way SplitSecure addresses that is we are a secrets and credential manager. So we're a PAM, we're an MFA, and we're an SSO that, to boil down the math, produces an audit log that is guaranteed to be comprehensive.
So every account, every secret, every key protected by SplitSecure, there's an audit log that shows you all of those secrets, exactly what policies are applied to them, every time they've ever been used, what they were used for, who requested them, and if there's an approval chain, who approved what, when, and where. So this is something a cyber insurer can look at to immediately get a snapshot of the entire company: how are you storing your secrets, how are you protecting your accounts, what policies are you applying. And this can be automatically ingested to check that the company is maintaining good practices per their policy.
Dylan Hamilton (08:18.676) And to expand on that just a little bit, what substantially differentiates SplitSecure from other solutions in the PAM space? There are a lot of really good products out there. There are a lot of things that do audit logging that can help secure things in all the most advanced ways. Where we're different is that there's a term for this called a hub-and-spoke design. Most of these traditional PAM solutions are the central hub that everything, in order to be secured, has to pass through. That pass-through process is what generates the log. And so what that means in practice is that your ability to trust the log is dependent on your ability to trust the provider. And this is not to say that the providers are not trustworthy. For the most part, they are. But again, we have to dig down to the very root of the problem, the very root of what's the worst thing that could happen, especially from an insurance perspective. And you have to acknowledge the possibility that some provider may be compromised. Something may happen. And then that log cannot 100% be guaranteed to be accurate.
And SplitSecure's core difference there is that by virtue of the cryptography layered into this at every level, the core architecture of what's happening, that log is guaranteed to be comprehensive, and an operation cannot happen without it being recorded in the log, and specifically recorded in a way where it's not dependent on us as a service to stay up and to keep things clean on our end. It is not on the blockchain, but it is quite analogous to it, actually. There is just this immutable ledger that is tracking everything that is happening, every detail of what's happening. And it's a matter of math that it's accurate. It's not a matter of our systems working or the level of third-party trust that you by necessity have to have in a third party.
Martin Hinton (10:10.926) So when we're talking about PAM and MFA, they're not perfect. What are the dangers and the failures or the shortcomings that exist in them that you guys are seeing?
Tristan Morris (10:25.518) I wouldn't describe MFA or PAM as having shortcomings exactly. I would say it is misunderstood. I think a lot of insurance questionnaires treat it like it's magic. Like, I'm going to sprinkle some MFA on these accounts, and so now I know these accounts are not subject to being compromised. MFA is like any other security tool. It makes certain security claims. Within the context of those claims, it's very useful. But outside those claims, it does not make any guarantees. So, like, your listeners may have heard of session hijacking. This is part of the new hotness. This is where the attacker is able to achieve some degree of control over the employee's device, allows the employee to authenticate via MFA. So the attacker does not bypass the MFA system in the technical sense. But once the employee is logged in and has opened a session to the account in question, the attacker then takes control of the session on their device and is able to use the session to implement malicious actions.
So this is an example of how even if you have MFA deployed correctly, it doesn't necessarily guarantee that accounts cannot be taken over. Your listeners might also be familiar with the fact that there's a variety of different kinds of MFA, which are not all equally good. Like SMS-based MFA. It's extremely convenient. It is no longer considered a security best practice due to a wide variety of ways to circumvent it, the simplest of which is SMS redirection, which is when someone is able to get your SMS messages routed to their phone and thereby bypass the MFA. For PAM, the security claims offered by PAM providers, CyberArk, PAM360, et cetera, are very strong. These are still the best providers in the market for protecting accounts. But these tools tend to be so heavy, so difficult to implement, so complex in their execution, that they are in usage typically restricted to the most
Martin Hinton (11:56.557) Yeah.
Tristan Morris (12:22.144) sensitive accounts inside sophisticated organizations. I was at NetDiligence last week in Toronto. And one of the cases they brought up there was a bakery whose freezer was internet-connected for monitoring temperature. The attackers were able to take control of the freezer and threaten to heat it up and spoil the over $100,000 of inventory inside if the bakery didn't pay a ransom. A bakery is never going to deploy CyberArk to protect their smart freezer. Like, the main challenge with PAM tools is not security claims, it's coverage.
Martin Hinton (12:57.358) That is a fantastic example of the way you can get into someone's digital reality and jeopardize their business in a way that would never cross your mind. This is silly, but it's something I can't not say. I always thought about the way you described the MFA and someone waiting for a legitimate user to use it to log on. You see people go through turnstiles to get into the New York City subway.
One person pays and the other person stands really close to them and slides through the turnstile behind them without paying, and now suddenly they're both in and only one person paid the fee. And I know that's silly, but this sort of idea exists in the real world and it's not a new thing to think about. You piggyback someone else's entry into a secure place and now you're inside, and that's when the real damage can occur. At any rate, Dylan, do you have anything to add about all that?
Dylan Hamilton (13:48.778) I was just going to expand on that, talking about those, you might call them old-school techniques, like fare jumping, following someone in like that. The classic term for what a lot of cyber breaches originate from is social engineering. And that is someone, it is a phishing email. It is someone calling an IT department and claiming to be an employee and getting them to replace a password or let them into a system they're not supposed to be on. This is the kind of stuff you can read about in cybersecurity books written in the 90s and 2000s, and they're talking about this being the problem. This is what people need to be paying attention to. And if you look at what is causing breaches in 2025 in the era of big data and AI, a lot of it is still the same social engineering. It is the exact same techniques, advanced in some ways. Obviously AI-based phishing is a growing problem at this point. Someone not just calling and pretending to be the person they're not, but pretending to be your boss with an AI filter over their voice, something along those lines. So the specifics of the techniques have obviously evolved over time, but "if it ain't broke, don't fix it" is a prevailing theory. We have it in a lot of places in life, and cyber attackers are no exception.
Martin Hinton (15:02.19) Yeah, why would I change what I did yesterday if it worked yesterday and I think it's going to work today?
Which sort of brings us to the next point that we discussed when planning this podcast. We discussed a 2025 breach report where, you know, correct these stats if I've got them wrong, but 40% of payouts are caused by credential theft, 99% of cyber insurance payouts in 2025 were ransomware related. And I wonder if you could take me through that, because that's where we sort of get at the core of how, if you will, the money leaves an organization as a result of a cyber attack. This is the sort of environment in the space in which the real damage happens, if you will, in the moment. Obviously there's the long-tail damage of reputation and fixing things, but take me through that paper that we talked about.
Tristan Morris (15:46.35) Let's
Tristan Morris (15:51.308) Yeah, so the paper in question, for those who want to look it up, is the Verizon Data Breaches Report for 2025, supplemented by the IBM Data Breaches Report for 2025. If you want to pick up a basic understanding of how cybersecurity attacks actually happen, I highly recommend both of these papers. They're very accessible. So to run through the basics, about 30% of all payouts are caused by credentials being stolen specifically through third parties. So you entrusted a contractor, you entrusted a vendor, you entrusted an auditor with credentials. That third party then got attacked. The attacker was able to steal the credentials and use them to gain entry into the enterprise. But the big stat is in terms of actual cyber insurance payouts. In 2025, 91% of the money actually paid out by cyber insurers related to ransomware: business interruption, extortion, hostage-taking behavior, et cetera. And the primary cause of ransomware is still credential theft. Attackers are able to gain credentials, typically admin or infrastructure credentials, which give them access to both the backups and the production system. They are then able to disable the backups and proceed to launch their ransomware attack.
Dylan Hamilton (17:05.59) And to really put the scare quotes around that, that's representing less than 10% of claims by volume. And that's equivalent to 91% of incurred losses.
Tristan Morris (17:10.861) Yes.
Martin Hinton (17:11.117) Wow. So we're talking about a situation where the solution that was introduced probably didn't even solve the problem to begin with. And despite that, the solution has lingered. Thus, one of the questions I have in my notes is, why does it remain so dominant? It seems silly to ask now. The answer is because it works. I mean, is it that simple?
Tristan Morris (17:33.582) Yeah, I mean, think about this intuitively. So let's say I'm a cyber attacker. I have gained control over your company's production environment, but I have not secured the backups. What do I actually have to threaten you with? A certain amount of business interruption, maybe a week or two. I can extract money from you on the basis that it will be very inconvenient for you if you have to restore from backup, but that's all I've got, which is going to limit the size of the ransom I can ask for. If I have control of the production environment and all your backups, I am threatening to kill your company. This could be the end of your enterprise permanently. I can extract as much as I believe you can pay. And for an attacker to gain control of both the backups and the production environment simultaneously, if you're doing that through technological means, is extremely challenging. They have to compromise the backup provider. This requires a very sophisticated attacker. But if they can get a legitimate set of credentials which gives them access to both the backups and the production system, it's very straightforward. So for cyber attackers, stealing credentials to launch ransomware attacks is straightforward. It's a very well-established technique that's been around for decades. It results in the highest payouts.
And it's something that consistently works because it lives in these exceptions. Frequently, all the attacker is doing is just browsing for some area where some employee has not correctly followed security procedure. And they wait, they find that gap in the armor, they are able to enter the company, and from there they escalate.
Dylan Hamilton (19:04.148) Another way to phrase it is that because these credentials exist, there is always this inherent vulnerability in the fact that you need a credential to log into something, and if it exists, it can be stolen. It really is a scenario where the defender has to do it right every time. They have to be aware of all their accounts. They have to have MFA implemented perfectly. They have to make sure everyone using these accounts is following the proper principles for it. The attacker only has to get it right once. It is.
Martin Hinton (19:30.786) I mean, one of the things that we've reported on that plays into this is the idea of identity sprawl and the number of credentials that exist, and do accounts get deleted properly, and we've got the human and non-human credentials. Give me a sense of how big a problem this is. I mean, when you think about that, that's like a control measure for security for a company. Do you think people understand just how many, I mean, if you think about credentials, each one is a door into your
Tristan Morris (19:39.779) Mm-hmm.
Martin Hinton (19:59.692) valuable space and the place where you keep the things that matter. Do you think most companies that you encounter or read about understand just how many doors there are in?
Tristan Morris (20:10.732) Yeah, so there's a company that we have done business with. I will not name them for reasons that will be clear in a moment, but you've probably heard of them. They are a fairly big name. One of the questions they asked us when we were going through the process of onboarding them is, hey, we have a number of service accounts.
I don't know what they do or what they're for, but when we disable them, things break. Could you help us figure out what these accounts are for? Who has credentials for them? Like, what's going on here? IT admins and CSOs are well aware of the problem. And in many organizations, they're well aware that they don't have a handle on the problem, that the number of accounts has proliferated beyond what they can actually control. But frequently they don't have a clear method of fixing this, or if they do, they don't have the mandate to potentially interrupt operations to address a security concern that may not feel immediate to the rest of the organization. There are a lot of tools out there. You go to, like, RSA or other cybersecurity conferences. They talk about this a lot. They talk about transparency and visibility. That we're going to give you a complete list of all the credentials in your organization. This is the main appeal to the CISO. And these tools can be very helpful, but even when they're deployed, it doesn't necessarily fix the problem. Imagine you're a CISO, you deploy one of these tools, and what it spits out is a list of 20,000 credentials that are just labeled with alphanumeric designations, and it's not immediately clear to you: What do these do? Why do they exist? What is their purpose in my organization? It's not just a matter of knowing, it's about having a framework for tracking these credentials, for monitoring them, for understanding what they're for and how they're protected, which, if your organization didn't start with that from the ground up, can be very, very difficult.
Martin Hinton (21:56.172) I mean, this idea that you have to have an understanding of your landscape, your data, to comprehend the threats you might be vulnerable to, it seems straightforward, but it is very hard for companies. I mean, there's an old joke, right? Doing the job and working for a company is not the same as working on a company.
And these are the sorts of, sort of... not revenue-generating realities and that sort of thing. Is there a financial pressure you see when it comes to addressing some of these vulnerabilities that companies face? And the company you just made reference to, what was their reaction to what you did? What did you bring them? What answers did you provide?
Tristan Morris (22:35.214) So I think the answer to your first question is straightforwardly yes. So there's another report. This is from Delinea in 2025. That 97% of security professionals in the US and the UK report that their cyber insurance policies were influenced by their identity and credential-related controls. So it definitely factors into policy. PAM is, this is again from the same Delinea report, the single largest differentiator in how underwriters viewed insurability, particularly in industries like manufacturing that are not viewed as traditional targets. Yes, there's definitely a financial component here. The challenge is, I guess I'd say, like, immediacy. In that particular firm, sorry, I'm not going to talk about specifically what security changes they made because I do not want to reveal inappropriate details there. In the discussion with them, one of their asks was, can we lower our cyber insurance costs?
Martin Hinton (23:22.008) channel.
Tristan Morris (23:33.226) And for them, there wasn't a super straightforward path to that, because their insurance provider does offer discounts for the use of certain tools, but they're already using those tools. And the more high-level, hey, we've really taken the time to understand our landscape, index all of these credentials, really make sure principle of least privilege is enforced, that more abstract concept is not reflected in the policy. So in their case, their CISO is left making the argument of, I know this is important. I know if I don't fix it, it will eventually blow up in my face.
But it's really hard for me to make the business case that this is something that we need to allocate money to right now if there's no immediate financial reward for
Martin Hinton (24:14.19) I mean, you.
Dylan Hamilton (24:14.24) sales all the time in cybersecurity that prevention is the hardest thing to sell.
Martin Hinton (24:19.084) I mean, we've done a lot of reporting and I've done a couple of podcasts recently. One was specifically with a management consultant whose job, I mean, it sounded like half psychiatrist for CISOs. I mean, you talk about a job with enormous pressure, and you're a cost center that's vital to the profit center at the same time. It's a very, very dynamic role and you see the burnout. I mean, the studies vary, but people not surviving more than a couple of years in this role because of the stress or whatever reason it might be is one of the odd human elements to all this, where you have to sort of communicate this clearly and explain why this is important now and that sort of thing. You touched on tools, and one of the things we touched on a little bit earlier on was MFA. And one of the things that I've noticed working in this field of journalism for a couple of years now is that the messaging to the broader public always seems to be slightly behind the frontline threat, which is not uncommon. That's the sort of thing that happens. But for a long time now, people were saying, no, you have to have MFA. You need MFA personally. You need it professionally. And as you've touched on, it fails in practice too often. And it doesn't make it useless. And thank you for correcting me when I used that word earlier, because I think that was a bit absolute. It's like a lock on a door or having a deadbolt and another lock on the door.
someone can still break in, but take me through the MFA reality as it stands now and how implementation and gaps and exceptions are everywhere, and what the sort of landscape looks like now and how you see it needing to evolve.
Tristan Morris (26:02.35) Sure. So briefly, right now, if you're an attacker and you want to hit a target that's protected by MFA, you've got three options. The first is social engineering. Convince someone to let you in when they should not have done so. We covered this earlier, but this is still by far the most effective technique. You might be familiar with the Change Healthcare breach. It's arguably the single largest data breach in the history of the internet. That went down because the attacker was able to call an IT admin, claim there was an outage, and say, I need to get into this account right away. It's an emergency and our MFA provider is down. Could you please disable MFA on this account so I can log in without it? And that was all it took for the attacker to get in. The second is more technologically sophisticated methods, like, for instance, session hijacking. I brought it up before. Allow the person to authenticate with MFA and after they've done that, get in through the session that they have just created. The third is what's called info stealers. This is a program that rests on the user's computer, stealing information that passes through it and relaying it to an attacker. So I might use MFA correctly to log into my bank account, unaware that the info stealer is harvesting my bank account number and other information out of that session and then relaying it to the attacker. There are various ways you can defend against all of this. I don't want to imply these are unfixable problems. There are good practices that make this very difficult. But I think, to get to your second question, sort of, where is this going?
Expecting every business under the sun, particularly non-technical businesses and more traditional industries, to display good security practice on all accounts all the time is just not a realistic expectation. The industry needs to shift to good practice being the default. That if you deploy a particular tool or a particular practice, it is guaranteed to enforce certain claims on all accounts in a way that the cyber insurer can verify. So it is easy for an insurer to truly understand the level of risk. And going back to what I said earlier, instead of having a definition of bad and having to comprehensively survey the entire company looking for something bad, have a definition of good and say, I see that you're doing this good thing. I now don't need to know the rest to have certain assurances about the level of risk in you as a company.
Martin Hinton (28:21.784) Dylan, anything to add on that point?
Dylan Hamilton (28:24.682) No, that was fairly comprehensive. I think the only thing I might reiterate again is that, like you said, MFA is still good. It is not useless. You should still do it. It is worth reiterating that with all of these kind of horrific stories that we're telling, there are ways to mitigate these risks. There are ways to look at what all of your layout is, what all your accounts are, and put together a reasonable threat model for it. It is important to understand that not all credentials are created equal. There are credentials which genuinely do not have access to other things. There are credentials where if someone compromises this, they have access to one tiny little corner and that's it. You don't necessarily need to be as paranoid about those as you do about, in theory, your super admin accounts or something that really does have the capacity to change everything. One way that I like to kind of playfully refer to all this, though, is that there's something equivalent to a last turtle problem.
We've heard the old anecdote of the old woman talking to the theoretical physicist and saying, I think the world is flat and it's balanced on the back of a giant turtle. And he looks back at her and goes, well, that's a very interesting theory, ma'am, but what's under the turtle? And she goes, you're a very clever man, but you see, it's turtles all the way down. To a certain extent, credentials work like that. There's always another turtle under there; there's a credential securing the credential ahead of it, which is securing the credential ahead of it. At some point there is actually a last turtle. And that's the one that, you can have all these protective measures on everything above that, but if someone can get from one credential to the next one, to the next one, to the next one, and get all the way to the bottom, that's the catastrophic scenario. And that's the one that, even if there's some minuscule chance in practice of that happening, the fact that the risk is there is what has to be priced into cyber insurance policies, because the amount of money that will be involved in that level of catastrophic loss is something that even with reinsurers' help, it's going to be extremely difficult, if not impossible, to actually practically cover. So it's not just a question of, do we, by the nature of the policy, have to pay this out? It's, can we financially pay this out? That's the level of...
Dylan Hamilton (30:43.158) catastrophe that that kind of thing could potentially have, even if there's a minuscule risk of it. It requires pricing into the plan that you have, and that invariably prices certain people out of the market and invariably affects how every part of this has to work.
Martin Hinton (30:59.79) So thinking about it from an insurer's point of view, and one of the things you touched on now, and it occurred to me as you were talking, the both of you, is that MFA, it's very important to be clear about this, you should use it.
Whether you're getting it from an SMS or whether you're using some sort of app to generate a code, whatever it is, it makes you more secure and you become an easy target without it. Exactly.

Dylan Hamilton (31:23.392) Having MFA is always better than not having MFA.

Martin Hinton (31:27.822) We sound a little doomish here, but for most people, it is still the best tool to add that extra layer of security to your bank logon or anywhere you've put your credit card or something like that. I think these things, we have this everywhere now, and I'm starting to see the point I made about the way that the public becomes aware of things is a little slower. It seems like a lot more apps now and a lot more websites are, I'm being told, prompting people to try and turn on MFA. I'm starting to see, I don't know whether I missed it, but passkeys are coming in and that kind of thing. From the insurer point of view, when you talk about MFA and phishing resistance and that sort of thing and tying it to the right accounts, I just want to clarify one point. You talked about credentials that have limited access. One of the things that... You touched on again the Marks and Spencer's hack, and Archie Norman, the chairman at the time of Marks and Spencer's, the British retailer who was the subject of an enormous hack that paralyzed their business in some respects for months, talked about when he testified before Congress that with 50,000 employees, this was a sophisticated impersonation, was the phrase he used. So it was social engineering. It was a call to an IT help desk and boom, someone was in. And he made the point that if...

Tristan Morris (32:30.658) Yes.

Martin Hinton (32:45.538) just one person does the wrong thing and they're suddenly inside the system. That's what, it seemed like he was saying he didn't realize the scale of that entry once someone was inside.
I wonder whether you could talk about that from an insurer point of view and whether or not there's the need for limiting access and how that might work. I feel like I'm not asking a very good question because you said three things and my mind is struggling to find the right way to put it.

Martin Hinton (33:13.688) But this idea that you can dial this up or create layers or, like you said, I mean, the turtle analogy is a great one. So I'm just wondering whether or not there's more to say about the extent to which you can make this better than it is. Does that help?

Tristan Morris (33:29.356) Mm-hmm. Yeah. So there's actually a term in cybersecurity for what you're describing. It's called the principle of least privilege. This is the idea that each account should have the powers it needs, you know, for the person who holds it to perform their job, but no more than that. The challenge with the principle of least privilege is it's work. It requires you to think about, well, for this particular employee, Joe Smith, what permissions do they actually need to do their job? How do I set up the account to have those permissions and only those permissions? It's much easier to say, I trust Joe Smith, so I'm just going to give him super admin access and he can do whatever he wants. I'm sure he'll use those powers responsibly. When employees, the term is over-permissioning, are given too many permissions for their job. When employees are over-permissioned, nothing immediately bad happens. Because for the most part, employees who are given these broad powers genuinely are trustworthy. So I can give an employee very broad powers and, if anything, it will seem to make them more efficient at their job, because they now don't have to go through approval processes for these complex actions. And of course this conceals the fact that you've now created this potential catastrophe.
You have a metaphorical giant pile of gunpowder waiting for one employee to walk in and light a match, and then the whole thing explodes. This is why, again, I bring up the idea of definition of good versus definition of bad. If you told me as a security specialist, go into this enterprise and confirm that the principle of least privilege is enforced, I would have to audit every single account with sensitive permissions in the entire company. This would be a months-long effort. And this is where a lot of cybersecurity consultancies make their bread and butter, doing these very detailed assessments. If, as an insurer, I want to confirm this, it is obviously not possible. So as an insurer, what I have to do is again have some definition of ideal behavior and mandate that. So saying, for instance, if it's an administrator account, no one person can ever unilaterally have admin powers. The use of admin powers must be restricted to two or more people agreeing to log in as admin, as an example of a policy. Or another policy might be, users can never modify their own permissions. So I cannot,

Tristan Morris (35:48.812) with the authority I've been given, decide I need more authority as a way of then escalating the amount of power I have in the organization. This is sort of what I mean by definition of good and how something like Marks and Spencer could be prevented in the future.

Dylan Hamilton (36:01.846) And it's worth mentioning that requirements like that are already becoming a new standard in certain industries. Digital assets, for example: if you're using stablecoins as a bank, or if you're dealing with cryptocurrency in general, current digital asset regulations are that there can never be one person with access to key information. It has to be split among multiple people. There has to be redundancy and there has to be an ability for certain things to be locked behind a quorum.
Like you need two or more people; you need effectively multi-factor authentication expanded to individual people to have this at all. This is a regulatory requirement. And what we're seeing at the regulatory level, not just in the financial space but in a lot of spaces, is that kind of trend: if it's starting there, it will almost certainly continue and expand in that direction in other industries as well.

Martin Hinton (36:56.43) So the next section I have in the rundown, and we've touched on a little bit of this, is why insurers don't always reward, quote, best practice controls. And this idea that you can, how to put it, let me refer to my notes, to our pre-conversation. There is this kind of theory of controls and then the reality of controls and the verification. I wonder about the whole questionnaire process versus the dynamic reality. We touched on this at the beginning and I think that, you know, this is a classic difference with cyber insurance, right? You might do your homeowners insurance or your property and casualty or whatever it might be once a year, and you've got so many more employees and you had two bad accidents that didn't occur the year before and you had some payouts and that sort of thing. The threat level and the nature and the dynamic nature of the threat that exists in cyber demands a much more dynamic sort of assessment of risk. And I wonder whether or not you might touch on the role insurers play in sort of navigating that, to the extent they do.

Tristan Morris (38:08.59) Yeah, so let me quickly toss out this qualifier. Despite the fact that insurers don't always reward best practices, or feel they can't, or I think when we talk with insurers, they frequently feel like they're a bit at the mercy of the market. But the flip side, when you talk with enterprises, they feel like cyber insurers rule the world. Like the cyber insurance sector is the one making all the calls about what is good in cyber insurance and everyone follows their lead.
I think they are both true. Cyber insurers are the market makers in the space, but they are restricted by the fact that it's a soft market, not always having the tools they want. They don't always have the freedom they would necessarily be looking for. I think from the cyber insurer's perspective, this can be boiled down to three things. One, like I just mentioned earlier, soft market. There may be controls they want to implement, but they don't feel they necessarily have the market leverage to do so if customers would prefer that those controls not be implemented. Second is not having the right tools. So I may want to implement a control that the principle of least privilege must always be enforced. If I don't have a tool that can actually monitor that in real time, I don't practically have the ability to enforce that control. And so these controls exist only in theory. But the third one, and I think maybe the most important, is a desire not to be punitive. So nearly all cyber breaches can, in some sense, be attributed to negligence, in the sense that the defender did something wrong, and if they hadn't done that thing wrong, they would not have been successfully breached. If, as a cyber insurer, you say that any negligence on the part of the client voids the policy, you will never pay out a policy. To some extent, the defender has to be free to make mistakes, because that's how these things happen in the real world. So you can consider, referencing the examples we made earlier, if as a cyber insurer I have a survey that says, do you use MFA? Do you consistently apply it? And the customer checks yes, in honesty. And then they forget to apply MFA to one account, and that's the account the attacker used to get in. Then as a cyber insurer, I might feel, then what good did MFA do? If you're not using MFA, I know you're negligent. That might be grounds to say you're uninsurable. But the fact that you are using MFA doesn't tell me you're safe.
All I can do is look for things that are bad. And if I don't find them, hope that the rest is good.

Tristan Morris (40:32.278) And this both means insurers can't reward best practices they might like to. A tool might not be strongly correlated. And it also creates sectors that are uninsurable. It's like you mentioned SMBs earlier. If I'm a cyber insurer and I want to offer cyber insurance to a bakery, my default assumption is there's no one in that bakery who has any understanding of cybersecurity good practices, because in most industries of that type there would not be. Which either makes the risk profile for them so high that I may not be able to offer them a policy they'd find appealing, or I may just decide that they're uninsured.

Martin Hinton (41:08.94) You make a good point there. I mean, despite how long cyber insurance may feel like it's been around, it's a very new product in the insurance world. And that idea that in almost every case, they could deny the claim based on some sort of policy failure, and doing that would sort of corrupt people's ability to view it as a valuable way to spend money. I mean, am I hearing you correctly? There's a, I wouldn't say altruism there, but this idea that they don't punish everything as severely as they could is the idea.

Dylan Hamilton (41:41.118) I might refer to it as a Catch-22.

Tristan Morris (41:43.854) Yeah. There are breaches that are genuinely technically sophisticated and that hit targets that didn't do anything wrong. The Mission Impossible vibe breaches, where an attacker uses zero days, or they're state sponsored, or otherwise they use very sophisticated technological methods to break into a secure system. Those do happen. In terms of insurance payouts, they are a rounding error. They fall under the category of other. As a cyber insurer, the sort of incident that actually is going to matter to the financial bottom line is exactly like all the examples we've been giving.
One employee does something stupid. It creates a gap in the armor. That is the gap the attacker exploits. Now, all of the controls that they indicated on the questionnaire, even if they were completely honest in those answers, don't matter. And as the cyber insurer, you're left wondering, how do I handle it? What is the basis to void a policy? And I wouldn't say it's altruism. A company, particularly in a soft market, a company that develops a reputation for never paying out is going to struggle to justify that their policies are, as you say, something good to spend money on. But where to split that hair? Where does, well, all attacks involve some degree of negligence, turn into, you are so negligent that this is actually grounds to void the policy and not pay out?

Dylan Hamilton (43:11.894) And that has happened in the past. It was Travelers, wasn't it, that denied a claim from ICS because they were not just, there was only one account that wasn't properly covered by MFA. It was systemic. And they were able to identify that and say, this is not just a one-off. This is a systemic failure to do the things you said you were doing. We are going to deny this claim based on that. So it is not impossible to do that. But as Tristan said, it's a big gray area between 0% payout and 100% payout, and trying to find out not just where you can fall in there from sort of an aesthetic, vague, subjective perspective, but also where can I quantify this? How much of what I think constitutes bad policy and bad compliance? What point on that scale can I say objectively, okay, from this point beyond, denied, this is what we define as negligent, versus above that, okay, yes, that was still negligent, but that's a mistake anyone could have made; for the purposes of PR, if nothing else, we can let this one slide to some extent. It's just being able to quantify where on that scale you can fall from a business perspective is the billion dollar question right now.
Martin Hinton (44:31.406) Yeah, I mean, from the point of view of keeping business, it seems like smart business could be dynamic in how you judge, right? And not be absolute in coming down and protecting your bottom line when maybe they've got other policies. When you talk about the underwriter perspective, one of the things we sort of touched on is provable security. And from an underwriter point of view, in this context, how does that look to them? And what do they want to be able to see? How does that frame for you?

Tristan Morris (45:05.582) I would say it is provable claims that are architectural rather than individual. So this is riffing on what I said before, that if to prove a claim is enforced I have to look at every single account in an entire company continuously, it's not going to happen. That claim is unprovable. So as an underwriter, I want to see security that is baked into your security architecture. So if there are changes made that I might not be aware of or I might not be actively monitoring, I still have some reason to believe the structure of the company encourages good practices. Let me use ourselves as an example. We use a CRM, as most companies do. We have a policy that nobody other than our one CRM admin has the power to bulk export records, because there is no reason why a regular CRM user needs to be able to export our entire customer database onto a flash drive. That's a very simple example of a consistent policy. If an underwriter is looking at that, they don't necessarily need a comprehensive understanding of everyone who's on our CRM and exactly what permissions all of those accounts have. They understand that this sensitive permission is consistently locked down across the entire organization. You can take that very simple concept and apply it in a variety of other contexts.
Martin Hinton (46:29.112) Yeah, you touched on something there, which naturally leads us into the next section. We've been talking about individual companies and their credentials and their identities. What we know now, because of the way the digital economy exists, is vendor access, third party access, and systemic failure. We sort of touched on this, but there's a broader sort of, if you will, battlefield here where this is occurring, and there are threat points that might be, you're worried about your employees and their MFA, but it may not just be them that matter to you. And I wonder whether you could talk about third party access and the vendor risks that exist, because we see this a lot in claims and in breaches. What do you guys have to say about that part of all this?

Tristan Morris (47:17.806) I mean, I think statistically, at this point, it's fairly safe to say vendors are the single biggest security threat to their clients. If your enterprise is going to be breached, it will probably start with a vendor, either through credential compromise, credential theft, or just abuse of the vendor's privileges. The best practice I can recommend in this case is treat vendors like they were employees. So there was one particular case, two years ago now. This was with an automotive dealership. They had a vendor who performs credit checks. So someone comes in to buy a car, they take down all of this person's information, including very sensitive personal information like financial data, social security number, et cetera, and send this off to the vendor to run the credit check. The vendor got compromised. The vendor had access to this database of customer information and there were no restrictions on use of it.
So the attacker, through the vendor, was able to download the personal information of every person who had ever purchased a car from this dealership and then use that for identity theft, draining financial accounts, that sort of thing. So just like in the example earlier, where I said, if you want to manage your CRM responsibly, there have to be certain permissions that are locked down and are never accessible to one person for any reason, you would say with a vendor, there are certain powers no vendor should ever unilaterally have. That if the vendor needs to do that for some reason, it has to go through you and your employees first to validate that the request is real. There's, I think, a mindset, particularly for IT vendors, of, I just want to fix this problem. I don't want to understand what the vendor is doing. I don't want to have to be involved in this process. I'm going to give the vendor a bunch of permissions and sort of broad discretionary power and just say, call me when the problem is fixed. And, you know, I'm not going to tell anybody how to run their business. There may be cases where that's what's necessary from a business perspective, but that is fundamentally putting the life of your company in the hands of the vendor you just entrusted with this power. And if that becomes a habit, eventually one of these vendors will prove unworthy of your trust.

Martin Hinton (49:31.726) I mean, you touch on something that we see a lot, this idea that whatever the company is, for a lot of companies, the IT and the technical part is outside of the expertise, the interest, the focus of the day-to-day operation of the business. But when it breaks, it's a real problem, right? So if you're not able to invoice or receive whatever it is, I mean, the joke I make is, if you had to put this down and you couldn't use it for the next eight hours, but you had to work a normal day, a lot of us would have real problems.
If you're thinking about if the internet goes out, and the Verizon outage is a recent example of how disruptive and how incredibly fragile some of all this is, there is a reality here that plays into the human element that we've touched on. The idea that people know that there is this: hire a vendor, they'll fix it, they'll bill us when they're done, and that's it. You need more friction in this relationship in order to... yourself. There needs to be, you touched on earlier, two people involved, or don't give vendors these blanket permissions to go anywhere within a system. If they're coming to fix a specific part of something, they should only be allowed to go there. Or if that isn't possible, if they go somewhere else, you need to be able to track that movement within your network and alert yourself to it. That's the kind of thing we're talking about, which in some weird ways is so counterintuitive to the benefit of the digital economy and the frictionless reality that we've created. And I know it sounds silly, but we used to have to mail letters and FedEx things and fax them. And now all of that doesn't exist that way. And when we have to add that back in to protect ourselves, even subconsciously, it seems to me from talking to people, there's this real resistance. People want to get things done fast. Employees have real pressure to do their jobs quickly. We see this where, again, back to the human element, you get cyber attacks approaching the holidays or the Lunar New Year or a long weekend, or, you know, you get social engineering attacks where people realize that the CEO is going to be at his daughter's wedding because she posted about it on Facebook, and that sort of thing. There are all of these seemingly disparate realities, and all kinds of things in AI we haven't even touched on, that you can bring into a place and create real vulnerability for a company that sits outside of you again.
It's a bit like...

Martin Hinton (51:50.482) And it's a simple analogy, but it's a bit like leaving all the keys to every door in your office and throwing them over a fence to a workman and saying, okay, well, you know, come in and fix that and let me know how it goes. Let me know when you're done, bring the keys back. And you don't know, did they make copies of the keys? There is this need to control these, like you said, like real employees. Do you meet a lot of resistance when you discuss that with people? I mean, when you hear about this and other people talk about it, is there an attitude like, this is something we've become numb to and this is just the cost of doing business now, these sorts of things, or is there a real energy to sort of try and limit this exposure and the financial burden that it creates?

Dylan Hamilton (52:29.323) There are two fundamental truths of cybersecurity. One is that it is incredibly important, and two, it absolutely sucks to talk about. No one wants to think about this stuff. It is not fun at all.

Tristan Morris (52:41.582) I would elaborate on that. The people who are really interested in fixing this problem are people who gave their keys to a workman and then got robbed. People who have been through the negative experience, they care a lot. People who have not sort of prefer to think that it won't ever happen to them.

Martin Hinton (52:58.156) You know, Tristan, you touched on something, and I can't believe, when I started doing this work three years ago now, one of the first reactions I had is it seems like so many people have this teenager mentality. Like it's not going to happen to me. It'll happen to someone else. That only happens to other people. And it pervades huge companies, small companies, people at every layer of the hierarchy of a company that there is. And it is so basic, the idea that you can't see it. The one I've been using lately is the Land Rover Jaguar hack.
If someone had blown up a factory that built Jaguars, that would have been on the cover of the paper in Britain for a long time. They would have done all these things. It cost almost $2 billion to the company. The GDP took a hit, and it's sort of, you know, lost on people that this happens and that you need to implement these things across the spectrum of everywhere your company operates digitally. I mean, is that one of the sort of, outside of the cyber insurance, the broader reality of resilience within a company, that they need to have a much more comprehensive attitude about the threat that digital dangers pose, as well as fire, theft, workers' claims, all of those other things that are natural and part of existence now that people know matter and need to be addressed and dealt with?

Tristan Morris (54:20.578) Yeah, I think the short answer is yes. I think the longer answer is fire is something that as a species we've been dealing with for thousands of years; we've got a pretty good grasp on it. If fire insurance had been invented 20 years ago, I think you'd still have a lot of chief fire officers saying, well, excuse me, that giant pile of oily rags hasn't caught on fire for several years. I think this represents a best practice. There's one bank, you've definitely heard of them, but I will not name them, who again, we got to work with. I'm talking to their CISO and asking, well, how do you store your most sensitive, like the most sensitive organization-wide admin credentials? How do you currently store them? And he says, well, just, I'm admin. Clarify what you mean by I'm admin. And on his laptop, he opens it up, he logs into their secrets manager, turns it around to face me and goes, see, I'm just admin on everything in the company. So that's how we manage these most sensitive credentials. I'm sort of on the call, stunned. I go, you understand that if that laptop you're showing me gets compromised, it's over.
Like a household name bank is going to be in the news cycle for an extended period of time by the severity of that breach. And he goes, yeah, but I'm very careful. And that attitude is very common, because that individual

Tristan Morris (55:47.65) has never been breached in his career. He doesn't think it'll happen to him. And we've talked with dozens of CISOs who have that attitude. Jumping back to the insurance angle, this is the problem: if, as a cyber insurer, I was looking at that bank, I'd rate it as very low risk. Very experienced CISO, a distinguished career, uses all the right tools, all the best practices. And the impending catastrophe that has been created by this practice is completely invisible to me as the insurer.

Martin Hinton (56:18.232) So we're coming up on about an hour and I want to transition everything we've talked about. We talked about the soft market now. What do you think all of this means for cyber insurance as we head sort of into, I guess we've entered the second quarter of 2026. What do you think's coming, and how do you think the market's going to sort of react and behave in the next, as much as any of us can predict the future, the next few months or even the remainder of the year?

Tristan Morris (56:46.382) Well, I'm going to be a little dour and then a little optimistic, in that order. The dour part: I think there's some big systemic risk coming down the pipeline. The first one of this is quantum risk. So we are probably three to six years away from quantum systems becoming practical to bypass a lot of present forms of encryption. That puts us anywhere from six to eight years before this starts being in the hands of cyber criminals. One thing I'd remember is data can be archived and then decrypted later. So an attacker can steal data now and archive it until quantum computing becomes more available and then get into it.
So this is going to lead to massive systemic risk across a variety of industries. The second is systemic risk from vendors and service providers. This can be cloud providers like AWS or GCP, like the recent CrowdStrike incident, payments providers. These are becoming much more appealing targets to attackers due to the fact that these can cause industry-wide incidents that can merit much higher ransom fees. So that's the downside. The optimistic side: I think we are moving into an era of stronger and more efficacious controls paired with tools that enable insurance companies to actually enforce those controls effectively. So one example I brought up previously, which is enforceable by SplitSecure but also by other tools that are coming down the line, is I want to specify as the cyber insurer certain rules about how sensitive accounts are handled, which have to be enforced organization-wide. And if they're not enforced, that is grounds for the policy. Rules like, very sensitive admin accounts cannot be unilaterally possessed by one person. That would have detected that example with the CISO I gave before. There's now a variety of tools becoming available to cyber insurers to consistently enforce a definition of good practices across large enterprises or even small and medium businesses, which I think will greatly reduce the risk we're seeing from this just sort of human error driven classic attack mode.

Dylan Hamilton (58:51.784) I think it's worth drawing comparisons to the past here. This was technically before my time, before I was an adult. But if you think back to Y2K, that was a very serious problem identified in advance. That was extremely real. If nothing had been done, that would have been catastrophic. Computer systems all over the world would have been crippled. It would have had a massive, incalculable effect on the world economy. A lot of people did a lot of really complicated work to prepare for it.
At the end of the day, the work was successful and the problem was neutralized, to the point that some people look back and go, well, Y2K was a hoax? You know, there was never any problem. There was a very big problem and we fixed it. I think a lot of the problems that we're describing here, we are still in the time period where these things can be fixed. We have identified what we think is very likely going to happen. As much as there are smart people on the cyber attacker side trying to innovate, there are also a lot of people on the defense side innovating as well and trying to get ahead of this. The fact that it is a back and forth struggle does not mean that any of this future catastrophe is inevitable. It means that it's a risk that is absolutely worth being aware of, something that, as a matter of practice, cyber insurers have to price into their models. But as all of this stuff continues to advance, as everyone continues to get more aware of how all of the stuff is working and what things they should be looking at, we're going to see, I think, a lot of positive changes on the pricing side, on the ability to quantify good practices as opposed to just picking through bad ones. There is a lot of room to continue to think, there's a lot of room, I think, for a lot of people in the cyber insurance space to be the leaders on this side. They already are in a lot of respects, especially from the perspective of the policyholders. And I think there are just gonna continue to be opportunities in that field to be one of the crowd that's proactively addressing this problem and actively preventing the next Y2K rather than just being aware of it and just bracing for the hit.

Martin Hinton (01:00:51.598) So there's two things. I'll make you feel young, because the Y2K example, the one prior to that that I'm old enough to remember was the hole in the ozone layer. Everyone says, oh, whatever happened to that? Well, we changed the way we did things and it went away.
Like we fixed the problem, right? We can do that. And the joke I make is I'm an AmeriCAN, not an AmeriCAN'T. And coming to this field of journalism just in the last three years, one of the things I've been struck by, and it surprised me, is how interesting the insurance part of it is, and the cyber insurance part of it, and then the cybersecurity part of it. And how so many people in your role sound like you guys do, where there's this, you know, this is a massive challenge, but it really matters that we continue to fight the fight, if you will. And there's a real energy and enthusiasm when you go to the conventions and you meet these people, people like yourselves; there is this sense of, this matters. We are doing something important here. As much as it's disparate and we don't maybe have as much control or oversight and guidance from exactly how it should be across all 50 states. And maybe we even need global treaties between companies that are like-minded about how economies should legitimately exist, so that we can protect when we know there's no borders that affect cyber crime. But that's a really, really interesting part of it. I think, you know, one of the parts of this that is interesting is the pricing, right? You've got the underwriting changes in the next couple of years, pricing. Do you think that the pricing, to your point about cybersecurity controls, is going to stay in line? Or do you think that prices might rise so much that companies just say, you know what, I'll run the risk? Or do you think that those two things are going to ride the storm sort of in parallel?

Tristan Morris (01:02:33.294) I think that pricing is a function of the market. I do think the market will harden with time, but it is also a function of the real risk in the portfolio, which is something that I am optimistic, in the net, will come down. One thing that I think is worth emphasizing is, for cyber criminals, crime is a business.
There is, in the traditional sense, the sort of street criminal who is somebody who might fall into crime because they don't have other employment options. This is the best thing that's available to them. Cybercrime is not like that. The people who become cyber criminals for the most part do have options for legitimate employment. They have made the choice, for whatever personal or environmental reason, that being a cyber criminal pays better than getting a job in a tech company. They are doing a risk reward calculation and there are moments when that risk reward calculation pushes them back into legitimate business, that being a criminal did not pay out the way they want. I think to a degree in the present industry, cybercrime is viewed as something of an inevitability. It's a problem that we have never really been able to get a handle on. We do things to contain it, but it is a serious problem and always has been a serious problem. And there's a belief that it always will be a serious problem. I would view it more as akin to arson. There were points in history when arson for the purpose of insurance fraud was relatively common. Now it is something that still happens, but fire insurers have largely gotten a handle on it. This is no longer a significant contributor to the bottom line. I think over the next decades, we will get there with cyber insurance. Cyber crime will still be a thing that happens, but the real risk of it will have been dramatically reduced versus current levels.

Martin Hinton (01:04:23.022) Well put, well put. So I'm gonna move to the close and, as we try to at the end of these, we've got some quickfire questions. So I'm gonna put a question, you can both answer. I say quickfire, take as much time as you like, but there'll be no punishments, there will be no quiz. So first question, what is one security control the market overrates?

Dylan Hamilton (01:04:43.786) Basically anything with the term AI in it. 
To expand on that a little more, I would admit we are not an AI company. We are not necessarily bearish on it. We're also not necessarily bullish on it either. Again, trying to look at it from the perspective of what is it actually doing? What is it actually capable of? And from our perspective, what kind of access does it have? I think there's a level of, with AI products in particular, possibly unwarranted trust that when you let an AI agent run rampant through your system, when you let it have privileged access to things that you would also need a human to have privileged access to in order for it to do the things it's trying to do. There's an assumption that if someone were to compromise your AI agent, you will be able to tell from the logs that the AI agent is generating, you know, you'll be able to read the prompts, either in a semantic context or just at the rote machine level. You'll be able to look back and see, okay, here's what happened. Here's what it did. I know all of this. We can fix it. We can kill the machine. It's fine. I think there's an assumption that's not necessarily accurate there that those logs will be trustworthy. To go back to that hub and spoke example that I mentioned earlier, the notion that when you have a traditional PAM provider that all of your actions are going through that provider and the log is generated there, the log is generated at that pass-through point. So if in theory the pass-through point is compromised, you can't necessarily guarantee that the log will be... So if someone compromises an AI agent, if something goes off the radar, as we're seeing, this is a thing that does happen. If the AI agent compromises itself, if it decides through its internal logic that, I need to get into this thing. They told me not to do it, but I'm just going to kind of do it anyway. There's not necessarily a way to guarantee that every bit of information that it's providing you is perfectly accurate. So again. 
Dylan Hamilton (01:06:41.832) Not useless products by any means. There's a lot of things they can do to improve efficiency, but I think the level of trust that's currently put in them is unwarranted based on at least what we can quantify.

Martin Hinton (01:06:55.308) And in data on that, what security control the market overrates, Tristan?

Tristan Morris (01:07:01.102) I'm going to say anything that is not paired with some actual enforcement about execution. MFA, PAM, SSO, if the company says they do it consistently, but I don't actually check if they do it consistently, the efficacy of that control is almost certainly overrated from the attacker's perspective. Because, like I said, the attacker lives in exceptions.

Martin Hinton (01:07:22.168) So flipping that question, what's one control the market underrates?

Dylan Hamilton (01:07:28.704) From a, I was gonna say, we might be saying the same thing. From a, at a broad level, I think it does still kind of underrate MFA as a concept. The implementation of MFA in practice can vary drastically from company to company, from person to person even. But the core idea of it is that in order to access this sensitive material, whatever it is, you need multiple things. You need to prove your identity, you need to have a secondary device, you need to have a little dongle, which is both an old school and a new school solution, something like a YubiKey. You need to have a physical thing in your possession that says you are now allowed access to this thing. That premise of not having a single point of which if you have this one thing you're in, if you need to have multiple things, that inherently increases the security of whatever it is you're trying to access. Just because instead of getting access to one thing, now the attacker needs two things or three things or however many you've set up. That core principle is very good. And where the issue is, is not in what MFA is in principle, it's what it looks like in practice. 
Are you successfully putting it on every sensitive account? Are you choosing the correct things to have that are hard for someone to get all of at once? So it's a weird place where it is both underrated and overrated. It's just a question of understanding fully what it is and leveraging it to its true capacity.

Martin Hinton (01:09:04.482) Tristan, were you gonna say the same thing?

Tristan Morris (01:09:06.796) I was going to say the same thing. I will just briefly add as an addendum to that going passwordless. I know it sounds a little old school, that all of the very sophisticated companies have already moved on to being fully passwordless, but the majority of the market is not very sophisticated. And to an attacker, a password is just a bright red flag that there is a security vulnerability here. It means there is a credential that they know is going to exist in the employee's device. If I can monitor their keystrokes and I can anyway get into their laptop, that's a credential I can steal. And once I have that, even if, or rather, if MFA is not properly enabled, the door is open for me to do it.

Dylan Hamilton (01:09:45.526) In some ways it's analogous to traveling around Europe and if you've ever walked around in, or even Europe, any major city, if there are pickpockets around, they're looking for tourists. They're looking for people with the big floral pattern shirts, holding maps, looking around, looking kind of clueless. If you walk around just dressed in normal clothes with a shoulder bag and whatnot, you just don't look like a tourist. It's not necessarily that you couldn't be pickpocketed. It's that they're looking for the easy targets. So if you're...

Martin Hinton (01:09:45.741) Laughs.

Dylan Hamilton (01:10:13.512) a company that institutes passwordless, you are now no longer an easy target. 
There are still ways that someone sufficiently dedicated could get by, but in terms of an immediate improvement in security, you're just no longer the lowest hanging fruit. And that's, in a lot of contexts, all you really need to, again, substantially improve your security in a quantifiable way.

Martin Hinton (01:10:36.782) Final question. What should every underwriter be asking about privileged access that they are not asking?

Tristan Morris (01:10:45.506) What is the worst case scenario? So what is the account in your organization that, if attackers get access to it, the company dies? The CISO may say there is no such account. That is untrue. There is always some such account or set of accounts. Sort of the best case scenario, you have every system in the company on a different admin account. That collection of admin accounts collectively comprises the worst case scenario. Then talking through, great, we've identified all the accounts that, if an attacker seizes them, it is a catastrophic incident. How are those accounts protected? How frequently are those accounts used? How is the use of them monitored? If an attacker got into one or more of these accounts, how would you know? Do these accounts have the ability to disable the monitoring tools which are monitoring them? And other very basic questions. Important in its own right, because you do care about protecting these accounts. But also, as an underwriter, this is checking that the CISO has actually thought through these things, that they have seriously considered the worst case scenario and have made preparations against it.

Martin Hinton (01:11:50.062) Concur, Dylan?

Dylan Hamilton (01:11:51.534) I do concur with that. My version of that question would be look them in the face and ask, how do you treat your third party vendors differently from your employers or your employees in terms of access to sensitive credentials? And if their answer is we do not treat them differently, everyone is treated the same. 
That is the correct answer.

Martin Hinton (01:12:13.432) So we're a little bit over an hour, gentlemen. Is there anything we didn't get to that you want to get into?

Tristan Morris (01:12:20.102) The only thing I will touch on is tooling. I mean, obviously we're from a security tooling company, so we have a little bit of bias in that regard. But what I said earlier, I think for a lot of cyber insurers, the limitation is they don't see a practical way to enforce the controls that they want. There's a limit realistically to how much they can bother their customers. They can't be asking to re-survey them every couple of minutes. They need tools that make it possible to passively monitor compliance with these rules, that are convenient and easy for the customer. I think there's a lot of monitoring tools coming up in this pipeline, particularly on the underwriting side. Of course, on the credential management side, I'm going to plug SplitSecure as, I think, a very good solution for this. Regardless, from the cyber insurer's perspective, I think a big step forward over the next few years is going to be finding tools that make it practical to do the things they've wanted to do all along.

Martin Hinton (01:13:14.478) Anything to add, Dylan?

Dylan Hamilton (01:13:16.862) You hit it on the head there, Tristan, right down to the plug. From the business development perspective, that was all I was gonna do is nudge you like, hey, make sure you, you know.

Martin Hinton (01:13:25.646) So we've made reference to a few reports. And gentlemen, in the show notes for those listening and watching, there'll be links to that, as well as links to SplitSecure and links to Dylan and Tristan's... Probably LinkedIn is maybe the best place to send you. But if you've got bio pages on your own website, we might do that. So you don't have to go hunting or Googling or AI searching. It's all right here for you. Before we wrap up, gentlemen, anything else you'd like to say? 
Tristan Morris (01:13:53.036) No, thank you for having us on. I'll just say, for any listeners who like what they're hearing here but maybe are struggling to take the first couple of steps, I'm happy to recommend tooling to anybody who wants to ask questions. And I promise I will not just plug my own product. We do have a reasonably comprehensive understanding of the market. There's a lot of tools coming up in this room.

Martin Hinton (01:14:14.35) Well, listen, gentlemen, it's been really, really interesting to talk to you. You know, the nitty gritty and then also the broad reality of this and how it affects everyone from large corporations down to individuals is an important message. So again, thank you so very much for your time. Everyone else, thanks for watching. Like I said, there's information in the show notes if you want to follow up. If you've got a question or a comment, please leave it. If I can't answer it, we'll put it to Tristan or Dylan and see what they have to say about it. Again, thank you very much for listening and watching. I'm Martin Hinton. This is the Cyber Insurance News and Information Podcast. Enjoy the rest of your day.