UnHacked

Welcome everybody to episode 27 of unhacked where we empower, overwhelmed, busy, disgruntled sometimes, business owners who, you know, concerned about cybersecurity and mostly just wanna outsmart Russian hackers, keep their own money, and stop giving it away in the form of ransoms and, and other stuff. So, I'm Justin Shelley, CEO of Phoenix IT Advisors. I work with businesses in the Dallas Metro as well as out west, Northern Nevada, Utah, Idaho. And I am sitting here with my usual cohosts, Brian and Mario, and then we've got a special guest I'm gonna introduce here in just a second. So, Brian, tell everybody who you are, where you're from, what you do.

Alright. Well, my name is Brian Lachapelle with B4 Networks. We're based out of Ontario, Canada. And when people ask what I do, I always let them know that I'm a technology whisperer. Essentially, we help business owners remove the headaches and frustrations that come with dealing with technology in a business.

And then we make that technology into a strategic advantage by, as you know it, Justin, improving 1% better every day.

1% every day. That adds up to a lot. Alright. Brian, thanks for being here, Mario. Tell us about yourself.

Brian, CEO of Mastech IT. We are located in the, New Jersey, New York area. And just like Brian said, we, you know, we also help, business owners stay secure and safe so they can sleep better at night, knowing that their business is gonna be there the next day.

Alright. And recently, I learned you are from Egypt. Did not know that until our last episode. So it's funny how long we've been talking. I didn't know that anyways.

Alright. And last, certainly not least, today, we have a special guest. We are sitting here with Joseph e Brunsman as labeled on your video here. Joe, this is a this is a first for me having found somebody on Reddit. I don't know.

Found you posted in in an MSP forum on Reddit about cybersecurity insurance, and I thought that was cool as shit. So I pulled up your video and I watched it. A lot of things caught my attention, which we're gonna come back to, and then I learned about who you were a little bit. So let me let me tell you what I know about you and then you can fill in any gaps and and correct me where I'm wrong. But, a public speaker, I love that.

It's, you know, you've heard I'm sure we've all heard that the fear of death and the fear of public speaking are very similar. In fact, some will argue that the fear of speaking is greater than the fear of death. I'm not sure that's true. But, anyways, public speaker, so you've overcome that. Best selling author, by the way, I just bought, I think, your most recent book.

It'll be here Monday, and I will be reading that. You obsess over tech, E and O, cyber insurance, cybersecurity law. Is that where you have your master's? You have a master's degree in either cybersecurity law? Yeah.

That's right. Yes.

Yep. I do.

Cyber cybersecurity law. And then I think my favorite is former IT. Can you tell me a little bit more about your background in in IT?

Yeah. So, damn, I'm getting old. About 20 years ago, I enlisted in the Navy as an IT. And the whole Okay. The whole reason that even happened is if anybody here is prior military, right, you go in, you take something called the ASFAB, which is like an aptitude test.

They sit you down in a room, and at the time, the detailer comes in and he goes, alright, man. You scored high enough to do whatever you want, and he just throws me this 3 ring binder.

Oh, shit.

And he goes, pick a job. I'll be back in 5 minutes. What? And I'm like, you know, being 17 at the time, I had not thought that far ahead. So I'm kinda just flipping through, trying to figure out, like, what am I gonna do for what seemed like the rest of my life?

So every job in the Navy just happened to have a picture that's attached to it. And so I found a picture, and it had a bunch of lightning bolts. And I was like, damn. That looks cool. What's this?

And it was IT. And it was, you know, radio communications, satellite communications, computer networks, really what we'd call rudimentary cybersecurity these days. And I was like, hey, man. That sounds awesome. Let's do that.

And that's ultimately how I became an IT. And then long story short from there, I kinda tapped out everything I could do in the navy, in a very short period of time. And so from there, I just applied to the Naval Academy. There's a very long story about tater tots and how I got in. But, anyways, yeah.

So I applied to the Naval Academy and got my degree in robotics while I was there.

Robotics? Okay. Everything. Damn. Yeah.

You've been you've been around the block a little bit. So okay. And now quick question. Before that, you did did you have an interest in technology, or was this just, like, really where you started cutting your teeth on tech?

Sorry. My headphones cut out there for a sec. One more time.

Oh, okay. I said, did you before you went into the navy, did you have a prior interest in technology? Did you, like, tinker with stuff, or or was that really where it all started? Uh-oh. We're having technical difficulties.

We'll have Mario

sing the song.

And as soon as you can hear it, raise your hand. Mario, go.

You don't want me to sing.

I don't think we want

I do many things, but I am the most tone deaf person you'll ever meet in your life.

Oh, no. No. That's me. Yeah. I hear the tone very well in my head, but then when it comes out of my mouth, it doesn't sound anything the same.

Okay. I'm back, and everything's working.

It is? Yeah. Okay. Cool.

For some reason, Bluetooth just shit itself.

Yeah. That's kinda what it sounded like.

The outside your building hacking you.

Yeah. So

sorry. Bluetooth. You're trying to ping me with Bluetooth.

That's gonna be our lead back in. You've been hacked. Yeah. For reals for reals, the Russians got in, and they they fucked up Joseph's.

Good thing he drove into his insurance.

Yeah. I might know again.

He might yeah.

Okay. So

this probably like these IT guys, they sure have a lot of freaking technical issues.

Listen. We can't put that on Jesus Christ, Mario. Stop. Let let's let's get back in here, guys.

Alright. Free.

Alright. I'm gonna mark this. Alright. We're back, guys. We had some technical difficulties.

And I think it was convenient because right as I asked Joe if he had any prior experience with technology before going into the navy, conveniently, he had some problems with his technology. So we're not gonna make him answer that question. Clearly, he doesn't want to. That's fine. We're gonna move on.

So here's the thing, guys. Today, you know, and if if you've been following us, you've been listening to us in previous episodes, I I think it's at least, almost every episode we've had, somebody in mentioned cybersecurity insurance, because I firmly believe and and we're gonna come back. We're gonna wrap up with the formula like I always do, but I've got this formula that I really believe gets us to just about maybe call it 97% secure. But there's always the variables. There's always the unknowns, and and I really push a cybersecurity policy on that.

And it's it's hilarious to me. I went and met with a client a couple years back and asked them about their cybersecurity policy, and they're like, they let me square in the eye. I shit you not. And they said, Justin, we don't have that because you told us we didn't need it. What the fuck?

So here's what I'll never allow somebody to believe again is that I don't believe in cybersecurity insurance. So we mentioned it every episode, and today, we are going to do a deep dive. Joe, that's why you are here. So, again, you I I mentioned this before, but you you jumped on an MSP forum on Reddit, and you dropped a video that I loved. And here's the thing that caught my attention above everything else that you said was that you make, correct me if my numbers are off, or an agent makes, it could be anybody, roughly between 2.50 to $300 in selling a cybersecurity policy.

Is that correct? Is that close?

Yeah. For a good one. So

For a good one. Oh, Jesus.

Kind of the kind of the rough numbers. You know, if you're an SMB out there, imagine you have a $25100 policy. Now for the insurance guy, typically, to do it the right way, he has to go through something called a wholesaler so he can look at many, many different insurance companies because there is no best cyber insurance policy. It depends on the business, their risk factors, etcetera. So the actual agency or brokerage, at the end of the day, they're probably gonna get 10% of the overall premium.

Now if the guy you're working with, your insurance guy, is an employee there, he might make only half of that. So imagine you have a $25100 policy, the brokerage, right, they get 10%. So that's $250, and they pass half that on to the insurance guy

at the end

of the day. And that's you gotta remember, man. That's pretax, and inflation is a bear. So it's it's this really weird world where it's something like 85% of insurance folks last less than 2 years.

Okay.

And, of course, you have the Dunning Kruger effect. Right? So it's like, hey. When you're brand new, you think you can quickly know everything, and then you realize it comes back down and you go, holy shit. This is, like, way more complicated than I thought.

There's so many ins and outs and markets changing and all these dynamics, and you kinda start slowly coming up. But, you know, I've been obsessing over this since, well, about a decade. I mean, just writing books on it, writing articles, doing public speaking. And I'll just say there's plenty of stuff I don't know. I roughly know what I don't know, so I have some security in there.

Start. That's a start.

And then the danger is always, what do I not know that I don't even know exists? Because, like, you know, this is not, you know, it's not like you're taking calculus, and you could do calculus 1, calculus 2, calculus 3, and it is just a set framework that you always operate from. This is constantly dynamically changing, and to really do it well I mean, I'll just say it outright. It's it's more of a labor of love for me to do cyber insurance than really a way to smartly grow a business. Because to do it well, you have to have at least some background in IT, or you are hopelessly lost and you will never understand it.

Then you have to know the insurance side, and then it really helps to understand the legal components because all three of those interplay. You could do any one of those 3 and make more money than doing cyber.

Yeah. I mean, that's that's exactly what caught my attention. I'm and I think you mentioned that the average policy, I don't know, is a 100000 pages long or something, plus or minus. Right? But the point is if you're making average insurance agent is making a buck 25 on a policy, and I'm coming to him saying, hey.

I need I need good cyber insurance. I need to make sure it's got everything covered. Please go out, search everything, find the best thing. Let me know for sure I'm covered, and he gets compensated a $100, $125. I don't have a lot of confidence, Joe, that he's really putting his time and heart into it.

And I'm scared right now. I'm not gonna lie. But it does answer a question I've always had because I've tried to partner up with other insurance companies and say, hey. Let me help you sell cyber. And I know there's some some legalities in that, but, like, let's do a a seminar together, a webinar together, and we'll talk about how important cyber insurance is, and you just, like, go in and clean up all the money.

That was how I saw it. It's odd that nobody really took me up on that offer, and now I know why.

Yeah. I mean, it's something that people also need to understand too here that, generally speaking, the insurance guy, he doesn't even have a responsibility to advise on what he's selling, nor can

I point that

Yeah? I could never find anywhere where it says that the insurance guy even has to read what he's selling. Right? Much less advise on it. Now contrast that, the business owner, who obviously doesn't know anything about cyber insurance, that's ostensibly why they're going to an insurance guy to begin with.

Mhmm. Right? They are held to the clear and conspicuous terms of the policy even if they didn't read or understand them. Right? So Right.

You know, if you're an average business owner and you say, oh, here's this OFAC exclusion. You have no idea what OFAC is. You don't understand that sometimes that means paying the ransom is illegal. Like, you could just gloss over that. Right?

Much less when you start getting into the nuances of legal verbiage, because these are legal contracts, of what's a direct loss, what's an indirect loss, when do you wanna see that word, when do you wanna see the other word, how that single word can really make or break you, right, much less, you know, additional exclusions and warranty statements and all this other stuff that goes into it. It's a crazy system at the end of the day.

So here's, well, here's what we're gonna do because, like, the more you talk, the more despair I sink into. I'm not gonna lie. And so we're gonna set this as a goal for today. Let's end today's episode with some amount of hope to the business owner and and letting them know how to navigate this. And, Joe, I've got Brian and Mario here who have come with some questions.

I've got some questions, time permitting, but but we're gonna set that as our goal. Does that work, guys? And and now I'm just gonna turn everybody loose, and we're gonna we're gonna break this beast down and keep focused on how do we help a business owner navigate this situation. Alright. The forum's yours.

Alright. I got a question, and it was directly related to one of your videos. So you had talked about how in one of your videos, there's a lot of exclusions in, cyber, cybersecurity insurance specifically surrounding where a business owner fills in the forms and attest that they have certain provisions in place. What happens if they don't or even if they thought they did, but they don't because they didn't understand the verbiage? Mhmm.

Do they still have insurance? Do they not have insurance? How does that all work?

Yeah. So I will caveat this by saying we have the McCarran Ferguson Act here. So insurance law is dictated at the state level as opposed to the national slash federal level. So there's always caveats. I'm not giving you official insurance or legal advice.

Fair. Alright. So the general answer to that is, you know, we saw in a case called the ICS versus Travelers where somebody effectively, just kinda lied on an application. They just checked the box on a bunch of things that they just weren't doing. And to be fair, they never should have even seen that application, so that's really the insurance guy's fault.

But okay. Probably didn't know what MFA was or VPN, so he's just shelling out applications. Now in that case, if you just blatantly make a statement that you know is false, that's generally construed as a material misrepresentation, and they can just void your policy. Right? Just cancels the policy.

You're done. Claim doesn't attach. Game over. Right. You're you're

You don't know that until you go to make a claim. Right?

Yeah. So, like, if you're a business owner and you have, like, somebody internal who fills out those boxes, I mean, you may not know depending upon the size of your business. Right? If the CFO says, yeah, we have 2 person integrity on wire transfers and it turns out they're just not doing that, that could get you in trouble. Now really where the market's headed because, you know, insurance companies don't like it when I make videos about them and it kinda goes all over because my videos strangely go to some, like, very big places, like, companies much larger than mine, and it has this impact.

So where they're going, trying to prove a material misrepresentation in court is actually really hard. It's very rare. And so that's not really the biggest concern moving forward for the SMB. Where they really need to focus on, they need to start looking at the bottom of the policy and work their way up Because where we're seeing the market going is just outright exclusions to coverage. Right?

So instead of trying to go to court, risk a bad faith claim, which is super expensive for the insurance company, get a bad name in the news, They're just gonna put in the policy buried all the way down at the bottom. Oh, hey. By the way, the thing you read on page 25, we're gonna change that on page 65, and now here's all these additional, right, terms, conditions, exclusions, etcetera. So things like, critical vulnerability exclusions. And if you're a business owner listening to this and you're like, what is a CVE, and how do I find out what the CVSS is of the CPE, And how do I know that it is implemented within a certain amount of time?

Well, the answer is go talk to your MSP about patch management, but that's what they're doing. Right? So the insurance industry is saying there are things that we can true as moral hazards. So for example, legacy hardware and software. The insurance industry goes, what's a moral hazard for us to ensure this?

Because the business owner isn't gonna pay the extra money to update this hardware or software when he's just relying on us to foot the bill if something goes sideways. So that's a moral hazard for us. We're incentivizing bad behavior. Same with critical vulnerability exclusions. You're incentivizing bad behavior at the policyholder level because they don't have to pay attention to what their patch management regime is.

They're just, well, you know, if something happens,

the insurance

will pay for it. Right? So that's where the world of cyber insurance is really headed because cyber insurance companies are really getting tired of paying out for unpatched systems, people that don't have MFA on email. I mean, like, really fundamental basic things. Social engineering scams is the big one right now.

They're just tired of doing it. So that unfortunately puts a lot more burden on the business owner. Because, you know, if you don't have someone that just eats and breathes this stuff, it's too easy for some insurance company to slip an endorsement into page 70, and no one sees it. And the business owner doesn't know that it's a problem until disaster strikes, and then they're they're out a lot of money.

Wancho, do you do you work with just strictly cybersecurity policies, or do you do other, insurance policies as well?

Yeah. So I do what I call the professional lines. So Mhmm. In comparison to what I call the general lines, which I also call the boring lines of insurance. So, like, you know, I'm a tech nerd, so I love tech stuff and tech policies and and all that.

So I focus on e and o, tech e and o, cyber insurance, some EPLI and d and o, and that's it. So, like, if if you ask me a question about, I don't know, life Car insurance. Health, auto, homeowners insurance, I'm like, I know it'd have to be dangerous. I've read a lot of case law, but, yeah, it's not my expertise.

Okay. Now I I have a question for you. And Mhmm.

You

know, I've seen this, you know, you know, a lot. You know, if if 2 companies are working to together and one of them gets compromised and they're you know, a hacker gets into their changes, like, a a word document with, like, ACS ACH information and, you know, where, the bank, you know, the bank is completely to the hackers or whatever and they the the the one company sends it to another company. That other company ends up making a payment to the hacker's bank account.

Mhmm.

Who essentially is who who's at fault? Can, you know, company a sue company b? You know, what ends up happening with that? You know, because, you know and what is the insurance gonna cover? Do you have to have, like, 3rd party insurance to to cover somebody else?

Can you kinda talk a little bit, about that?

Sure. So so in this scenario, correct me if I'm wrong, you have company a, bad guy goes into company a, right, and ends up telling bad guy through company a, tells company b to wire money. That money ends up going to, say, bad guy's bank account. So it is possible to ensure that under something called, like, a reverse social engineering type coverage. The reason you have that, and and it is sublimited, pretty strictly, but, generally, the reason you have that is this is kind of funny, but if the insurance company didn't, they would just get sued probably for a bigger amount of money under the cyber insurance policy anyways.

Right? Or it could be an E and O claim. So, yeah, you can you can cover that. Now the problem that I'm seeing with organizations that I touched on in that video is they're being overly reliant on cyber insurance. So whenever I say, yes, it's possible to cover that type of scenario, The subtext to all of that is what I tell all of my cyber insurance clients.

A good year for you is when I call you once and I take your money. A bad year for you is when we're talking twice because your week just went to shit, and your month is gonna be terrible. And you might have a pretty stressful year based upon what happened because now I mean, I've already had clients where they get hit. They call me. Class action claim gets launched against them, which is now, I mean, just going exponential.

Last year alone, 45 new class action claims, got launched following data breaches every month. Right? So the plaintiff's bars figured this out. So they got hit. They had to deal with that.

Clients are leaving, then they have a class action claim launched against them through the discovery process. Now regulators start poking around. Many of those regulators, they didn't know that they were subject to to begin with. Regulators start asking questions. There's more exposure.

All that gets in the news, and it's just bad on top of bad, on top of bad, on top of bad. And from a guy, for whatever it's worth, from a guy who's dealt with 100 of cyber events, I would tell you it's directly against my financial benefit if you have better cybersecurity. But I'm telling you to do it anyways because that's the right thing for you to do as a business owner because you only wanna talk to me once. Right? And if we're talking twice, ideally, it's, hey.

We had these mitigating controls in place. It's contained into this small area as opposed to my entire company because I have had grown men crying on the phone as they're talking to me because their business just imploded, and there's

nothing left. That, no, Joe, I a statistic that I have heard and that I regurgitate on knowing if it's true or not, is that a large percentages of a large percentage of businesses after a breach like this, these devastating and I don't mean a little one that gets contained, but a major one. Do you see them going out of business? Do you see them recovering back to where they were? What's the outcome generally speaking post breach?

Okay. So that actually I'll put on my nerd hat here for a second. So that goes back to Thank you.

Thank you.

It was something like 1 third of businesses are out of business within 6 months of a breach. Right? And that goes back to this flyer that the Small Business Administration put out ultimately. So I I I literally spent the better part of 2 weeks tracking this down the the trail.

Oh, I love you right now.

There is well, you may not love me in a second. There's no statistical basis by which they made that argument.

Okay.

But that's not to say that you can't go out of business. So for example, if you don't have immutable backups and you get hit and your backups are encrypted, you have nothing. Right? I mean, there's just nothing left to pick up the pieces. So Yeah.

That's also not to say that you may have wished you've gone out of business depending upon what occurs because Fair. Fair. Like, I just tell every business owner. Well, I'm like, Hey, go, go look up public breach notification letters. Right?

Just throw it into your favorite search engine. Go look it up. Go look at the last paragraph on the first page. It's almost always there. They always say, hey.

Magically, we have found more money to put into cybersecurity. We're taking a round turn on this thing.

Right? And

I know that makes that makes you guys at MSPs laugh because you're like, they always say they don't have it. But it's like, hey. I'm the guy that makes less money if you have better security. I'm the guy telling you, go spend more money over there. Right?

Cyber insurance only goes so far. And so, like, you don't wanna find out if your insurance guy read your policy or not. Like, you just don't even wanna know that question.

Yeah. Right.

You don't wanna know if all the relevant parts of your organization have been properly briefed on your cyber policy because, hey, maybe, you know, your CIO or your CEO bought it. He never told the CFO that there's an exclusion to payment, and you have to evidence that you have, you know, wire transfer procedure in place, and you have to show that it was followed and all these other things. All of that gets lost in the sauce very frequently. So the the best answer is you only wanna talk to me once a year. Yeah.

Like, it all it all just boils down to that. Like, go get better security. That'll make your life a 1000000 times easier. And after a breach, you're gonna have to show that you've increased security anyways because the insurance companies are gonna demand it. The underwriters are gonna demand it.

You might get non renewed. You get kicked back to the open market. You're gonna have to put in those mitigating controls anyways, and now it's super short time frame. Obviously, the MSPs are gonna charge you more as a business owner because now they gotta take everything over here and redirect it over there to get you to get you good. It's like, don't do that.

Just have a plan of attack. Right? Do formal informal risk assessment. Talk to your MSP. Say, okay.

Where are we? Where do we need to be? And as a business owner, I would urge you, hey. MSPs don't do what you do. You don't do what MSPs do.

And so, yeah, you're gonna ask questions that maybe you think are dumb and are very basic for the MSP. Just like if they're asking about your business, they would also ask questions that may seem dumb or very simple because it it's just 2 different worlds. So

Right.

I tell all my clients. I'm like, hey. I don't know your network architecture per se. So go to your MSP and say, hey, man. If you had unlimited money, right, rank order, biggest bang for the buck, what do you think I should do?

And then just talk about it. It's it's really that simple.

I love that. That's actually, you know, I I'm ADD and I I shift focus level. One of the things I've said in the introduction to this podcast, several times is, you know, that we do help business owners filter through, you know, where do you get the biggest bang for your buck with cybersecurity? There's there's a million recommendations out there. There's a million ways to skin this cat.

Where do we put our money? And that's not always an easy answer, and the answer today might be different tomorrow. So, Yeah. I mean, I love that. Alright.

Brian, Mario, next questions, next thoughts.

So I I I you know, thank God, knock on wood, you know, we haven't had a a client that has been breached. You know, I think the majority of our clients do have cybersecurity insurance. But we usually in the event something does happen, what do you usually tell, the client to do? Is it the first call they you know, obviously, after they speak the MSP, are they supposed to call, like, the or call you, you know, the insurance? Are they supposed to what are they supposed to do in in event something like that does happen?

Caveat, it kinda depends on exactly what the circumstance was, but the general answer is notify your insurance company. And the bad news there is, hey. Your business got hit. You're running a business. You got deadlines.

You got clients who want things. Maybe your law firm, the court wants things. That all just stopped because I mean, I hate to say they'll get to you when they get to you, but they're gonna get to you when they can get to you. And now it's obviously depending upon the circumstance. You're gonna have to talk to the claims guy.

That's kinda step 1. Then they're gonna have an attorney that's provided to you. You're gonna have to review and approve that engagement letter, which if you've never done that before as a business owner, you're gonna have a million questions. So maybe you wanna retain your own attorney to look at that for you. That's gonna take extra time.

Then there's forensics, engagement letter, findings, right, scope of work, on and on and on and on and on. And so the short answer is talk to your insurance company, get the ball rolling. Kind of the more involved answer is you're about to spend a whole bunch of time learning about things you never really wanted to learn about, but it's it's an involved lengthy process at the end of the day. Right? And so

you as What do we do as an MSP that, you know, that person because I know there's gonna be some clients that says, well, I can't wait that long. I need you to bring me back up right away, and we'll deal with that after.

So the the big disconnect I see, I'll blame my mother-in-law because she'll never watch this. So my mother-in-law, bless her soul, and my brother-in-law was also, worked in the IT field, I'll say loosely, for the navy as well. She just thinks we know everything about every piece of technology ever made. Right? So I I've literally never owned an Apple product in my life.

I hate Apple. I think it's made for teenage girls. Right? Other people love it. I'm like, okay.

Cool. Whatever your opinion is. Like, I just want shit to work. I want, you know, it's business productivity software. It doesn't need to look pretty.

She does something to her iPhone, and she comes to me or my brother-in-law, and she's like, hey. I did this. Can you just fix it? And I'm like, yeah. I'm just gonna, like, hop on the Internet and be like, what is this?

How do I return it back to factories? I I don't even know what it's called. Right? Like, all kinds of weird stuff. That's the way business owners view MSPs.

Right? So it's it's like saying, you know, hey. A dentist and a neurosurgeon, you call them both doctors. You don't want one doing the other guy's job. It's gonna be a hatchet job.

Right? So while there are plenty of tools that you as MSPs can bring to bear on that problem, you are not an attorney. You are probably not a full blown incident response team. Right? Because there's bunch of legal caveats that come with that.

You don't wanna be testifying in court. There's insurance implications for you. So the business owner has to realize, hey, This thing happened. I have subject matter experts over here. Right?

They are at my disposal if I pay this deductible and go down that road. That's ultimately the business owner's decision. It's a risk management, risk tolerance type issue. Some are every business email compromise, notifying insurance company. Others, it's, oh, ransomware?

Alright. Restore from backups. Right? Very nonchalant. So with that, they have to understand it it's a it's a risk management issue, but you as the MSP, there's only so far you can go pragmatically Yeah.

Right, to help those folks out because you're not their attorney. You're not full blown IR. So, you know, it very well could be that you go, yes. We can do this thing for you. We can just you got hit with ransomware.

We can restore from backups, but there could be an attack loop in there. There could have been an exfiltration of data. Right? You could have contractual issues. We don't know any of that.

So how about you sign this liability waiver that says, I told you so. You told me to pound sand, so you're not gonna hold me liable. Right? We could be destroying forensics evidence. There'll be all types of issues here, but, like, I'm here to help.

But This was your decision. Conditions.

Yeah. Yeah.

And that's where it should

be. Interesting. I like that. Brian, did you have any more?

Well, just based on what you said there, it sounds like a really good approach for any business owner to have would be to have I mean, they have their incident response plan, but they should also have, what are we gonna do in the meantime if we do get breached? What are we gonna have in place to continue our operations and continue our operations, like, being functional as most as best we can without destroying the forensic evidence, without going resorting to restore files immediately because it sounds like what you're saying is we should wait for the insurance forensic team to give the all clear to start the restoration process in some cases. But in the meantime, the business still has to continue to operate, so they probably should have a separate plan on how they're gonna do that. Is that does that sound

I'd ideally,

yeah. Obligation to do that? Do they have an obligation to do that in the policies in some cases as well from a business interruption standpoint?

Kinda. So they do, I mean, they do have a duty. You know, it's like if you're there's a big storm outside your house, a tree limb breaks your window, and now it's flooding your house. Right? You do have a duty to try and get the tree limb out of the window to not have a bunch of flooding in your house.

It's a little more nuanced in the cyber world because there's so much of it is just completely beyond the average business owner, and I will add completely beyond one person. I mean, I read state breach notification laws for fun, and I can't I can't even yeah. Like, I I came down one night. It's, like, 2 in the morning. I was in, I was at my house at the time.

I was upstairs in my home office. I come downstairs, and my wife is like, what are you doing? And I'm like, hey. I just read all 50 state and territory breach notification laws. Did you know driver's license numbers are just as important and costly to lose as your Social Security number?

I was

like, people don't know this. I gotta write an article on this. You gotta stop giving away your driver's license. And she was like, bless my wife. She's like she's like yeah.

She just goes, okay, nerd. Can you go to bed? And I'm like, no. I gotta I gotta sketch this article out. Right?

It ended up getting published. But there's there's so much that the average business owner doesn't know. And frankly, I'll give you an example. What breach notification law applies after a breach? If you ask the business owner, they'll go, well, I I don't I'm in Virginia, maybe, so Virginia.

Or I'm in Texas, so it's Texas. Wrong answer. They could be subject to all 50 different state and territory breach notification laws, which also have their, many times, their own data security requirements, which can then be enforced by their own various, state attorney general under a myriad of different laws that I don't know if that's insurable or not because I've spent way too much time trying to figure that out. It's just a big question mark. Like, there's just so many things the average business owner doesn't know that I would say, you know, hey.

Before you go, I don't wanna spend $5, you know, for what I think is very minimal. Eat a slice of humble pie and say, I think it's minimal based upon my very limited knowledge in this particular area, in which case, other people probably have much greater knowledge. So maybe I should just reach out to them, call it, you know, an expensive learning ex you know, expense or something like that. You know, life coaching. Right?

Call it life coaching, business coaching, something like that. You'll learn a lot. But, yeah, there's just there's so much they don't know. I mean, you know, I could just go on and on and on about really how complicated it is. I mean, if you have let's imagine you're next to a military base.

You might have to deal with all 50 different state and territory breach notification laws. You have one client that just happens to be a resident of the state of Massachusetts. Right? Or maybe you're in Florida and they're a snowbird. Well, surprise, were you complying with 201 CMR 17?

Probably not. You've never heard of it. It's 18 different administrative physical and technical safeguards that you have to evidence. And, oh, yeah. The Maryland AG will reach out to you and say, show me your breach response plan.

And you go, who are you? Why are you asking this? And, oh my god, is this the end of my business? Right? And the easy answer is, don't play that game.

Right? Do everything you can to not play that game, because it's it's a hell of a learning experience.

So when you say do everything you can not to play that game, you're talking about put all the the cybersecurity precautions you can in place so you don't have to deal with insurance. It's better to be preventative and proactive with the cybersecurity side rather than rely on the insurance side.

Yeah. Because it's like, an example I'll give is, let's say you have health insurance and you eat yourself into a diabetic coma.

Right.

Okay. Yeah. You have insurance. You're having a rough day. Right?

Like, that that's it's not where you wanna be.

Yeah.

Right. Right. You know, it's very much, like, I'm telling people. Yeah. You know, they don't wanna touch the stove.

It's hot, and it's painful.

I use I use the analogy, you know, when you're crossing the street. Sure. The pedestrian has it right away, but a lot of good that does when you get hit by a 10 ton truck.

Okay. And and people still walk out in the street with their phone in their face.

Yeah. Yeah.

Would that able to look up?

Yeah. So I guess that's the same analogy here. Right? Yeah. Sure.

You have a cyber insurance. You have you have all the protections. You know, like, you've you've you've covered yourself with insurance, but, really, it should be the other way around. You know, you should have as much cybersecurity protections in place, technology, enough controls, and insurance is the last resort. It's the last thing we fall on if all else fails.

Yeah. It's it's that when your entire defense in-depth has failed.

Right.

Yeah. When Yeah. Like, the Swiss cheese model in the military. Right? Where they just got through defense number 1 and number 2 and number 3 and number 4 and number 5.

Yeah. Then you say, well, damn it. We did everything we could. They got through. Let's deal with this problem.

Right? Like, that's I I will just add here. One of the benefits of being the dumb insurance guy in the room is I get to play the dumb insurance guy in the room. So it's it's really quite handy. So I was I was at a conference once, and I'm sitting in the back, and they had a plaintiff's bar attorney in the room.

And you could tell because he's wearing Gucci loafers and a pinstriped suit, and he looked like quite a piece of work. And so I said, hey. I do insurance. What do you do? And he's like, oh, I'm an attorney.

And I'm like, really? What type of attorney? And he goes, I sue companies after data breaches.

And I was like,

wow, man. Like, that's really wild. I'm like, what's that smoking gun that you find every time where you're like, you're golden? He goes he goes, oh, I call that the, daddy's getting a new boat email. And I was like, man.

Alright. Well, what's that email? And he goes, super simple. He goes, CEO, right, board of directors, whoever it is, they get a brief from whoever's in charge of IT, and that guy says, hey. Here are the problems that you have.

And then without skipping a beat, there's always a follow-up email where the CEO goes, okay. Yeah. I know that's important, but, you know, we're gonna put money into x y z. Right? Or we don't have money from that.

And then they put money somewhere else, and that's how they peg them. They go, you knew there was a problem. You obviously acted with willful negligence, right, in regards to my client's personal data, and now their lives are destroyed. You knew there was a problem. You just didn't wanna fix it.

Right? That obviously looks really bad. And I said, well, what is the daddy's not getting a new boat email if that exists? And he goes, oh, man. It's simple.

He's like, super simple. He goes, plan of action and milestones. I was like, what does that mean? And he goes, it's super easy. You sit down and there's a document.

And it's, you know, CEO, you know, CISO, CTO, or MSP, CFO, etcetera. And they sit down and they say, okay. Where are we at? What are the risks? Where do we wanna be?

Now based upon our budgetary restrictions, because no business has unlimited money, here's how we plan on attacking this problem moving forward. He goes, that'll sink my ship in a heartbeat because now you look like a very reasonable, responsible business person. And so, like, anybody listening to this, I am also a business owner. I understand inflation is a bear. No one has unlimited money.

But I would say, just sit down with your IT folks and say, where are we at? Where do we need to be? Let's attack this problem. Right? And then, obviously, you have to stick to the plan or modify it as necessary.

So keep a record of that, but that's a really good way to show, hey. I I wasn't just, you know, pissing into the wind over here. Like, I knew it was a problem. Right. We were getting after it.

We just happened to get hit in the interim.

I love I love everything you just said because I I talk to my my my business owner or my my clients all the time about how cybersecurity is like a journey. We won't be able to do everything all at once, but we'll have an action plan, and we will get Justin, say it?

1% better every day.

You got it.

And I mean, like, Joe, that was a here. That was a mic drop. I mean, the cut, we're done. I'm gonna take that clip, and I'm gonna blast it everywhere.

Yeah.

That's probably the best information I've ever heard on this subject. So thank you. Thank you. Thank you for that. Yeah.

And, Joe, I know you've got a hard stop coming up. We're not there yet. But I do wanna kinda move this towards wrap up. So, Brian, you go first. Mario, you go first.

Really quick. Key takeaways. If you have a final question, throw that in now. And then, Joe, go ahead and answer these relatively quickly so we can get you to your next appointment.

Brian. Sure. Alright. So my key takeaways from this session, I mean, that last part was was it. It just, cybersecurity is like a journey.

Start implementing things. Don't don't put your head in the sand. I I I had a I went to a a cybersecurity talk, and I told the audience cybersecurity and we we asked the question, is cybersecurity your problem or, like, who who's responsible for it at your organization? And, you know, everybody said, oh, I got an IT guy or my MSP, and my rebuttal was no. You are responsible.

Not just you, your leadership team, the CEO, the CT, like, everybody across the entire spectrum at that company is responsible for cybersecurity. It's not one one person's, responsibility. So key takeaway is you are responsible. You are the one who should be, implementing these things and treat it like a journey. You're not gonna get it all done in one day.

Create an action plan. Follow the action plan. Work with your MSP or work with your IT person. And, essentially, like I say, at the end of every one of my my talks, get 1% better every day. Alright.

And I have no questions.

Okay.

I'll just add to that real quick. So you're right. The, Brian, the FTC, Federal Trade Commission, would agree with you. Just go look up the Drizly case. I have a whole video on it on my YouTube channel.

But here, the kind of the crux of it was, they were using encryption that had already been broken. The CEO ended up being held personally responsible and liable for that. So not only does that business now have a 20 year consent order with a 1000000 things, attached to it, which is gonna be very expensive, but also the CEO has a 10 year consent order. So if you're a CEO out there and you think this is somebody else's problem, the FTC can come after you. They've gone after big companies, small companies, giants, sole proprietors, defunct organizations just to prove a point.

And one of the the items of that consent order, it effectively says, this will follow you no matter where you go if you were handling any type of sensitive information. And so unless you really like your job or you plan on retiring and flipping hamburgers and not taking credit cards and cash only, it's a 100% your responsibility. So Yikes. You know, the path to brilliance is paved with stupid questions. Right?

That's how you get there. So put your ego on a shelf. You don't know what EDR is? Just ask, man. There's plenty of IT guys that are Right.

You know, we're more than happy.

We can't shut up about it. We'll tell you.

Yeah. Yeah. For sure.

Short short form of that is, you can outsource the the work and the and the the tasks of securing, but you can't outsource responsibility.

Yeah. Exactly.

Good point. Mario, what you got?

So, I mean, my my key takeaway is, like, I've always believed in, you know, going to the expert matter, you know, you know, with every field. But, I mean, I I Joe, I think you've taken this at a, you know, higher type of expert matter. You know? Like, I am definitely very soon gonna reach out to you to go over my policy, and I'm pretty sure that it doesn't it doesn't it's not as good as probably some of the stuff that you've seen. So the you know, I I I really appreciate everything you've said today.

I do have one question that I it did kinda stick out to me during one of your, webinars that I saw. Can you talk to, you know, briefly about cyber war, exclusions? What what is that? And, you know, if you could kind of speak on that a little bit.

Sure. So the I think I have, like, a 30 minute video about this on my YouTube channel, which really just boils down to we don't have any idea how these things are actually gonna play out. At the end of the day, there's there's too many question marks. This is really coming from 2017, the NotPetyvirus that resulted in 1,000,000,000 of dollars, of damage. So the insurance industry is obviously very concerned that one nation state goes to war with another nation state, and if only there was somewhere in the world where nation states were on the brink of war that happened to have very advanced, cybersecurity intrusion teams.

So, yeah, the insurance industry is very concerned that you could have the spillover that could effectively bankrupt their entire company. Because of that, they've tried to draft these new cyber war exclusions, which they just blatantly missed the mark. I mean, there are really key terms that are just not defined. And so it's kind of another one of those areas where that's a game you don't even wanna play as a business owner. Right?

You wanna try and lock that system down to the absolute best of your ability given your financial constraints because you don't wanna find out later on that, you know, the cyber war exclusion endorsement on page 75 doesn't mean what you think it means because you're interpreting that as a layperson and not as somebody who's read into the law. And it's a mess. It's a it's a giant mess, and the easy answer is just don't play that game if you can at all avoid it or mitigate that risk to the best of your ability.

Awesome. Thank you.

And I'm I'm gonna kinda wrap this up with, like I said, Joe, the more we talk about this, the more I sink into despair. But I want to end with the positive notes and what I heard as as just the ultimate key takeaway and and I think I'm quoting you directly, it is get better security. And usually when I come on to these episodes, I I go into it, and I think I'm pretty smart, Joe. I'm not gonna lie. I have a little bit of an ego.

And I always think, you know, we're gonna talk about this stuff, and I already know it. I'm not gonna learn anything. And today rocked me a little bit. I mean, I learned some stuff, that has my full attention where, you know, I clearly need to do a better job. And I I mean, that's all I think about with my clients, but there's more.

So the good news is, well, the bad news is stay away, get insurance, but that is not your first line of defense. That's your absolute last line of line of defense. Get better insurance. I love those, daddy's getting a new boat emails. I will be chopping that up and blasting that everywhere.

And and what I'm looking for from you as as a sign off is I have this formula that I've just come up with it in my own brain, and and this is what I tell people. And I want candid feedback from you on, you know, if I have blind spots here. And what I tell people is to use the best information you have, ideally, outsource, you know, somebody somebody, who this is their world to protect your technology, protect your data, and protect your people. Use industry standards, best practices, research it, know it, live it, whatever. Do that, and that gets you to about 75% safe.

I can sleep at night. I'm close. Mhmm. But there's that still that 3% that does keep me awake. And for me, that is get solid policies and procedures, both what to do if something goes bad, from a a CYA move, but then also how do you keep money coming in?

How do you keep business operations going? Have those policies and procedures at least thought out and then wrap the whole thing up in a good insurance plan. That gets me to a 100%, at least peace of mind. What are your thoughts on that formula?

No. I think it makes sense. The main value I see in at least trying to sketch out what your response is gonna be. We have this saying in the navy, and it goes, when in danger, when in doubt, run-in circles, scream and shout. And it's it's to remind us that, you know, you better have a plan for these potential issues that could pop up because if you don't, you're just gonna be running in circles screaming and shouting.

So one of the primary problems I see with organizations following some type of cyber event is, you know, the good idea fairies start sprouting out of the ground because they never had a plan on what to do. Right? People just assumed it was gonna be the other guy. And so, you know, some poor guy has to talk to the insurance guy. One of the partners is gonna have to be the liaison with the insurance company.

1 of the other partners has to be the liaison with the attorney. Somebody's gotta be overseeing all of this. And when you don't have those people and those rough procedures at least mapped out, there's so much infighting that starts occurring because nobody has a defined role and responsibility, and that just makes, 1, everything way harder. 2, I end up getting phone calls from different people who are requesting different things, completely contradictory, so it just gums up the works. And that makes everything more expensive in the long term and increases the odds that some regulators are gonna come after you.

So, yeah, I think that totally makes sense. And, you know, once again, cyber insurance is when defense in-depth has failed. Right? It is not your primary parachute. It is that reserve parachute to keep you from going splat.

So

Right.

Keep that in mind. And I I think you wanted, like, a positive note to end Yeah.

I've got one.

To end.

Okay. That'd be great. Alright.

You know, the I think of something, like, the median IQ of an insurance salesman is 97.

K.

Which is to say the average business owner is gonna be smarter than the guy who sold on the stuff to ultimately keep out of trouble. So at the end of the day, you know, these policies are not rocket science. Right? The 95% answer is a business owner minus these very subtle nuances. Right?

That's just the last 5%.

Okay.

The easy answer is you have 2 sides, 4 buckets, and exclusions. The first side, somebody sues you after a cyber event, regulators, clients, class action, etcetera. The other side is 4 buckets, data breach slash cyber event. Ransomware is bucket number 2. Bucket number 3 is loss of funds.

Bucket number 4, miscellaneous, situationally important. So Okay. The easy answer is, hey. It's not that hard to get cyber insurance. Just go to the decision makers.

Say, what are you guys worried about? What's that, like, oh, shit. I'm definitely getting fired. Cyber event. CFO, it's wiring money.

CEO, it's probably reputational harm. Right? People working in the technology world, it could be ransomware, bricking, encryption of backups, whatever that is. Then you could just take those scenarios to the insurance guy and say, really, 2 things. 1, is this covered?

And then 2, show me where it's covered. So you can just figure a lot of this stuff out. I have a video on my channel. It's like, understanding cyber insurance in 10 minutes. You watch that, you're gonna know more than 95% of the people selling you this stuff.

So you can get pretty damn close, and it's that last 5%. So I think, you know, most people would be confident getting a 95% on a test. You know, I was the, seize get degrees type of guy, in in public school. So, you know, you can get pretty damn close, and then just read through it. And if something looks stupid, if there's something you don't understand, ask questions.

Right? We don't get paid to shuffle paperwork back and forth. We're here to try and help you and answer questions, so take advantage of that.

I love that. Okay. God. I thought you had a mic drop before. There's another one.

We're gonna go ahead and let it hit the floor this time. We're gonna wrap this up. As always, we we have a standing offer that, you know, jump on unhack. Live and you can schedule an assessment with any of us. And we will run through and we'll we'll look at your technology.

We'll look at your policies and procedures. We'll show you where the gaps are, and we will create that plan of how you should move forward. It's exactly what Joe said you should do, to ward off the attorneys. So, that is a free thing that we offer. Please reach out out and, and take us up on that.

And then last, certainly not least, I know I already said that once, Joe, I asked you at the beginning. I'm like, hey. How would we tell people to get a hold of you? And you're like, oh, just hit Google, because I'm everywhere. Yeah.

And and I say that it almost sounds like I'm I'm I I don't know. But I I hit Google just to just I'm like, really? Yeah. You're everywhere.

So

I I did notice I've been calling you Joe the whole time, which is how you said to address you. Do the Google search on Joseph Brunsman, because that is how you pop up on Google. And then, Joe, what type of clients are you looking for if if, you know, who should be calling you where you can do the most good?

Oh, well, I love working with MSPs and tech companies. And then Okay. As as for cyber insurance, pretty I mean, we'll help everybody, simply because I understand the frustration of trying to figure this out from scratch. And when I was doing this 10 years ago, there was just nothing, which is why I ultimately went to law school and proceeded to learn almost nothing because the answers just hadn't been created yet. So I was like, oh, well.

I used the GI bill. It was free. I'm like, alright. But I understand the frustration. So, you know, anybody that reaches out to us, we're gonna help anybody.

And if it's a problem I can't solve, I'll push them to somebody that I know can solve that problem. Because, you know, this shit is hard and it's complicated and it can be seemingly overwhelming, but, you know, at the end of the day, if it was that hard, they wouldn't let me do it. So, you know

Right. Right.

Everything will be alright. Yep. I

think we could all probably say that. Alright. So, guys, we're gonna wrap this up on hack dot live. If you'd like to schedule an assessment with either Brian, Mario, or myself. Brian and Mario, as always, thank you so much for being here.

And, Joe, I I cannot thank you enough for taking time to be here. I thought it was kind of a long shot when I reached out to you, so I really, really do appreciate that. And I will be hacking this thing up and spreading it all over the place. Great content, great information. So Yeah.

Joe,

I'll I'll be reaching out to you. Definitely, you know, I I definitely wanna review some stuff for, my business. So, you'll definitely hear from me soon.

I appreciate it. And as they say at, as they say at Chick Fil A, my pleasure.

So There we go. Yes. They do. Great business model. Alright, guys.

Stay on the line. We're gonna wrap this up, though, and we will see you all next week.