Become a Creator today!Start creating today - Share your story with the world!
Start for free
00:00:00
00:00:01
Joe Erle - Joe Cyber 2.0
52 Plays11 months ago
Abe and Ryan have the witty Joe Erle, aka Joe Cyber 2.0, on the podcast. We cover everything from gas prices and conspiracy theories to his philosophy on paying ransoms.
Joe offers some cool perspectives on niche markets in insurance, the importance of certain policy language, improving risk postures, and why the cyber warranty debate gets him fired up.
Connect with Joe Earl on LinkedIn.
Recommended
Transcript
Introduction and Day of the Dead Banter
00:00:18
Speaker
Welcome to the insure sec podcast. I'm your host Abe Gibson got Ryan Dunn here as well This week we have Joe Earl also known as Joe cyber version 2.0
00:00:33
Speaker
Show man, how you doing? All right. We'll see if that nicknames sticks. I'm doing good doing good. I'm having a great Thursday Happy idea that lets Muertos. Yeah There we go. Is that today day of the day?
Joe Earl's Career Journey
00:00:48
Speaker
Yeah Well, sweet I didn't I gotta celebrate well, I had some Chipotle so maybe that was my way of celebrating Cool so we usually like to start the show with
00:01:01
Speaker
What's your background? How'd you get here? Because everybody has similar aspects to their story and there's other parts that are really unique. So we're always curious to hear, how did Joe cyber become Joe cyber? All right, so I had a feeling you'd ask this question. My dad was in the Air Force and this was his second career being an insurance agent. So I already ran in my blood a little bit and then
00:01:31
Speaker
My brother took over for him, my older brother Gabe, who is now the president of C3 where I'm at. And yeah, so I was out of college at Cal Poly and looking for something to do. I started with a company called Fastenol. It's a industrial sales company out of Winona, Minnesota. It's a,
00:01:58
Speaker
Fun place to work for someone right out of college. I got to do some outside sales stuff. I got to learn a little bit about different types of businesses and everything. So it was a good first job. I kind of noticed that I wasn't going to be able to move up there very fast. It was kind of an old boys network.
00:02:23
Speaker
You know, I wasn't really doing the kind of stuff that I thought I was going to do, like graduating out of business school and everything. And like the, the day that I told them I was going to quit, like before I told them I had to like clean the bathrooms as like an assistant manager, a store. I was like, I'm so quitting. I'm like cleaning the bathroom, all like, all like entitled and everything. But anyway, I, uh,
00:02:48
Speaker
I quit there and I got a job at a small agency where of course I was the youngest person there. Everybody was like 50 years or older. I think you've heard the story before. I was like the go-to tech support. And yeah, so I was there for seven years and then I transitioned when Gabe and his partner started C3 insurance. Cool. So you
00:03:16
Speaker
Were you primarily focusing on commercial lines at that first retail shop? Yeah. So I, I exclusively did commercial lines. I did a lot of, I was pretty much a generalist. I kind of picked different companies to call on. I started off like calling restaurants. I called manufacturers, you know, I did like the.
00:03:39
Speaker
generalist thing or, you know, you have a hot price on workers comp and then you kind of call that line of business and try to, you know, make a dollar out of 15 cents. If you know what I mean.
Transition to Cyber and Tech Focus
00:03:53
Speaker
Yeah. Oh my goodness. That, that, um, that generalist life is,
00:04:01
Speaker
is tough. So you went from being a generalist at C3. Have you always been, like when you made that move to C3, were you always, was it always in your mind that you wanted to kind of niche and focus on cyber or did you have another niche before that? Or were you a generalist at C3 when you started? Take us through that. Yeah. So I've been kind of dabbling in cyber and tech, you know, and everything. And
00:04:31
Speaker
Well, the issue was that there wasn't like a lot of premium in it. So, you know, it was kind of like, yeah, I want to do tech. I'm interested in that. I want to do cyber, but like the premiums were so small that it felt like it wasn't like a good way to build my book of business and everything. But I think what I would tell
00:04:58
Speaker
brokers out there that are thinking about doing cyber and doing tech, you know, and all that is that don't worry about like the premiums and everything. Just do what you're interested in and the premiums will come and just become the best at selling or, or learning, you know, the backend of whatever you want to specialize in, whatever you're interested in. Yeah. Yeah. Joe, I,
00:05:25
Speaker
I completely agree with that. When I was starting out as a retail broker, the cyber and techie and no premiums were six, five, eight grand. And I'm watching guys who are generalists and they're getting commercial auto policies and they're getting some property policies and the premium is triple, you name it, it's 10 times bigger, especially down here in Florida. Right.
00:05:55
Speaker
I kind of believed, I hate to say this, but I believed in the process of my belief in that cyber was going to be a driving risk in business. And so I think people should take what you said to heart. Don't worry about the premiums. The businesses will grow. You will specialize in that sector. And the other opportunities will come from that. Your name will get passed around.
00:06:22
Speaker
you'll get opportunities that you didn't even think that you would get. Absolutely. So you mentioned, did I
Clarifying Tech Background and Podcast Dynamics
00:06:31
Speaker
hear that correctly? You had some type of IT background or? I mean, I got, not really. I just kind of was like the young guy at the company. I didn't have a technology project management emphasis on my MBA. But besides that, I didn't really
00:06:52
Speaker
pursue any like technology field before going into insurance. Yeah. It's kind of funny. I hear that story a lot where there's, you're like the youngest guy in the office and then they just like look to you as tech support. It's like, I didn't sign up for this. Right. Yeah. Speaking of being the young guy, do you guys want to just go pull a Joe Rogan and Elon Musk and go shoot a
00:07:21
Speaker
80-pound bow at a Cybertruck right now. Right? I think I got a bow back here. Yeah, I got a bow. I definitely could get the whiskey part down. I can just walk over there and get some whiskey if you get one. There you go. But Joe Rogan and Elon Musk is just like a match made in heaven. Yeah, right. We should just hang out all the time and just record it.
00:07:51
Speaker
There is a similar version of that and you wouldn't believe what the pairing is, but Theo Vaughn and Tucker Carlson. Okay.
00:08:12
Speaker
It's like, it's like one is not like complete opposite of like not spoon fed. And one is like completely like trust fund baby, but they're the same person. So it's just, okay.
00:08:27
Speaker
Oh my gosh. I just want to, I just want to, um, you know, a lot of people don't watch this. I just, I just want to make it clear that, uh, as a, as a host of the show, I feel very uncomfortable right now because I have one guy that has two first names and then the other guy has one too many buttons undone. Hey, you weren't here before. No, you gotta depend on that.
00:08:54
Speaker
He started buttoning up his bun, I said leave it open. I got on camera, I go, wow, I have way too many buttons undone. And I started to do this and Joe goes, don't do that. Now it looks like I'm in front of school.
00:09:12
Speaker
Sometimes the top, the second to the last button is too
Deep Dive into Cyber Insurance Policies
00:09:16
Speaker
high. It's just not right. I'm just busting those chops. Well, now for everybody that's not on video, I have it buttoned now.
00:09:28
Speaker
Yeah, so nine minutes in and completely off course, which is completely on par for when we all hang out. So back to back to Joe cyber here. So we I mentioned online because you are one of the rare retail brokers that puts out content about cyber. Take us through
00:09:57
Speaker
that kind of transition from being a somewhat of a generalist, a joining C3, and then now being a specialist in cyber. How did you learn it? Because that's like the biggest thing. You have a CIC, right?
00:10:17
Speaker
Yeah, you have a CIC, you have a CRM. Yeah. And that stuff touches on cyber maybe like for an hour out of the 60 or 70 hours of course work that you have. Yeah. So how did you learn it? I mean, I just learned it from selling it. I mean, I had to learn the ins and outs of the policies in order to go against other agents.
00:10:47
Speaker
Like, there's a lot of differences in the form. And when I work with more sophisticated companies, we actually go through the differences in the form instead of the differences in the coverages, because everything looks the same on the surface. But there's a lot of little things that can change what happens if there's a claim.
00:11:15
Speaker
I can think of two big carriers that don't cover for a rogue employee. So if an employee gets all disgruntled and decides to leak your information, I think it happened a couple of times last year in big profile companies, then you don't have any coverage for that. But you would think that it's a data breach, right? But since it came from the inside, there's no coverage.
00:11:44
Speaker
I don't know, like other stuff, like some companies don't even have a hammer class where they'll split the cost with you if you decide to not settle. They may just say like, well, we'll just cover for what we said we were going to settle for and you cover everything else. So there's some big changes in that which take a lot of control out of the hands of the
00:12:09
Speaker
insured or the customer where they would otherwise be able to, you know, go on and fight something instead of, you know, having to settle. Yeah. Yeah. I mean, your, your policy is only as good as it responds, right? You see these, uh, I mean, and they're, they're,
00:12:32
Speaker
They serve their purpose, but I call people that compare strictly on deck page, deck page warriors. And it's very misleading to do that. I mean, a lot of people only sell from deck page just because that's the only thing that they know how to sell. They don't know how to read through a policy.
00:12:54
Speaker
There's not many Joe Earls out there in the world. I think if somebody has an agent like you that can actually read through the policy form and tell you how it's going to respond and the differences in that, that is more valuable than being able to read through a deck page and explaining every single type of coverage. A second point to that is there's a reason why these insurance policies are 150 pages long.
Using ChatGPT for Policy Analysis
00:13:23
Speaker
Right? The first 10 pages give you coverage and the next 140 pages take the coverage back. Right. And I got to give credit to guys like you too, that helped me go through those policies and point stuff out. Cause I'm not familiar with every single cyber policy, but I know they've all come across your desk. So I definitely leverage wholesalers and other experts like you guys.
00:13:51
Speaker
Yeah. And, and, and just to pass that on, I want to thank chat GPT for, for helping me out. Um, have you done that where you put a contract and like contract wording into chat GPT and ask it for red flags? Absolutely. Yeah. I don't rely on it exclusively, but I, you know, I think it does a good job. Um,
00:14:21
Speaker
to point out red flags. Yeah. And then obviously I want to go and actually read the language, but yeah, it's pretty awesome technology to be able to have that. I think, um, I think things like chat GPT are helpful if you know what you're doing.
00:14:34
Speaker
Like if you're able to decipher like whether or not chat GPT is like completely wrong or not, or like a little bit off basis, that's the only way that chat GPT is valuable. If you're just like using it and just, and you find yourself in a position where you're like, I am a hundred percent trusting that this is accurate. I have no idea whether it is or isn't.
00:14:55
Speaker
Then you're a lawyer got in trouble for that. Like a, like a fake case that chat GPT made up in order to like, and they like filed it and everything and they got him a bunch of trouble. So how embarrassing would that be? Yeah. Use that your own risk, right? Yeah. Yeah. Yeah, for sure. So are you.
00:15:21
Speaker
When you're working with these businesses, one thing as a wholesale broker, I tend to be somewhat removed and I have so much respect for retail brokers because not only do you have to be able to communicate effectively with the client, you really have to know yourself even better than a wholesale broker because I think the
00:15:45
Speaker
The sign that you know something is that you're able to explain it to people in terms that they can understand.
Trends in Cyber Insurance Market
00:15:51
Speaker
I hopped on a call with one of our retailers to work with a client and I was like, dang, I totally forget. You really have to know your stuff to the point where you're able to
00:16:06
Speaker
I don't want to say dumb it down, but but take a client through like, explain it to me like I'm five, explain it to me like I'm 10, explain it to me like I'm in college all the way through that process. How, how much are these businesses that you're working with are first time buyers versus businesses that are that currently have a policy and you're selling
00:16:38
Speaker
know, against an expiring or against an incumbent agent that offered some sort of cyber coverage? Yeah, I think probably 60, 70 percent already have a cyber policy. Oh, really? Yeah, because I'm more talking to upmarket companies. The smaller companies, it's kind of
00:17:06
Speaker
70, 30 the other way. Five years ago, it would have been like 80, 90%. I've never had a cyber insurance policy, but people have wised up. And also there's been more requirements for cyber insurance for either through the supply chain with the vendor requirements, government requirements, and a new
00:17:31
Speaker
uh, regulatory requirements, which are also government requirements. Right. Um, but yeah, so I'm seeing a lot more of it and especially upcycle with all the high profile stuff going on, you know, like a billion dollar food processing company, the average ransomware request from them is like 35, 40 million. So they know that if
00:17:56
Speaker
They have a loss like that. It's going to wipe them out for at least like two, three years profits. So they kind of have to, one, put the controls in to buy the cyber insurance as part of the whole risk management process. I mean, they can't.
00:18:17
Speaker
They can't cover everything with cyber insurance and they can't cover everything with the controls that they put in place with their IT spend. But, you know, you can get pretty close to covering most of what you need to cover between the two of them. Especially if you can tower out with the right limits. It brings up an interesting question that I think would be valuable to everyone, you know, what
00:18:43
Speaker
When it comes to C3, what type of clients, typical types of businesses are you guys dealing with? Are you dealing with a lot of middle market? Are you dealing with large enterprise? What do you see come across your desk a lot? Yeah, so it depends. Most, probably 80, 90% is middle market here at C3. That would probably be the majority of our revenues. We do have different divisions here for personal lines. We have a small business division.
00:19:13
Speaker
Um, and then, uh, for example, our life science guys just goes, oh, just goes after public companies. Uh, so there's a lot of different, uh, variation between all the brokers here, but I would say most of them are middle market. So, you know, at least 20 million and revenues. Yeah. Yeah.
00:19:41
Speaker
The public company side of thing is I feel like it's going to be it's starting to get really interesting with the SEC.
Challenges for CISOs and Regulatory Emphasis
00:19:50
Speaker
I think that's a huge opportunity to to work with these boards. Yeah, I'm thinking of SolarWinds. Yep.
00:20:05
Speaker
Yeah, I mean, I feel for these CISOs, I mean, they're kind of put in between a rock and a hard place. I mean, I don't know what happened at SolarWinds, but from the articles I read, it seemed like that guy, the CISO there raised the alarms internally and the leadership there didn't really take it seriously or didn't give them enough budget to actually do something.
00:20:34
Speaker
So I think he just kind of quieted down and went along with it so he could keep his job, which is, I don't know what I would have done. I mean, the other option is whistleblowing, right? And a lot comes with that too. That's going to also ruin your life. So you just kind of have to pick the worst of the two evils.
00:21:01
Speaker
Yeah, I mean, I guess if you're really representing the shareholders, you have to whistle blow. Yeah, I think that this was more of like, from what I understand, I could be wrong. And I'm sure that there's tons of people that know the ins and outs of what happened better than I do, but it seems like
00:21:19
Speaker
This was the SEC's kind of sacrificial lamb. And there's been a huge, there's been a huge emphasis from the SEC on, you know, kind of making a poster child because they're, the SEC is very concerned about the, some sort of nation state attack that causes some, or some sort of systemic event that
00:21:48
Speaker
you know, creates like a cyber security version of, or cyber. Cyber apocalypse. Yeah. Apocalypse. Something similar to like 2008 with real estate. So they're trying to. Joe got way too excited when he said cyber apocalypse.
00:22:09
Speaker
Well, I think you shared something a little while ago about the cyber apocalypse. And there was an article about a $3 trillion risk in the meta-sphere of cyber insurance of a supply chain hack that could be the supply chain hack to end all supply chain hacks or some sort of thing like that. What are your thoughts on that?
00:22:38
Speaker
Um, so I thought, I thought the, the report was probably done by actuaries that know absolutely nothing about cybersecurity. Uh, it was just like, I mean, theoretically could something like that happen? Yes. But we have the same called, uh, we have the single controls that we have in place that mitigate a lot of any of the possibilities that they describe from happening. So it almost would be like.
00:23:09
Speaker
It was, it was just like, it was, it was almost like impossible. I hate to use the word impossible. It's just like, there's no way that anything similar to this is ever going to happen with the world. Unless like, unless like people just start dying and then there's like nobody to man any sort of like managed, you know, uh, security systems, it would just be impossible. It kind of,
00:23:38
Speaker
Honestly, it kind of made me think of like, like a prophecy, like, is this like the ending in the Bible type of thing or like the end in the matrix movies, like, right. It's like the one, the one systemic war to end it all. Right. And I mean, I think we're talking tens or tens.
00:24:03
Speaker
tens or maybe even hundreds of years before we see something of that magnitude effect. Uh-huh. Uh, so I just, I think that. Yeah. I mean, you could argue like.
00:24:20
Speaker
somebody could hack into Hoover Dam or something and open up the floodgates or, you know, overload a nuclear power plant. I mean, didn't Israel do that to Iran like five or 10 years ago, where they put him back another like six, seven years? Oh, yeah. Yeah. What was that? A nuclear bomb or something. So, I mean, the worm
00:24:50
Speaker
It's really interesting. Did you guys know the details on that? No. There's this weird device where some spy went in there and he didn't even have to plug it in. He just went close to the computer and put it into the computer by just being close to it. I don't know how to look that up, but I thought it was super interesting how that got implanted in their nuclear power plant.
00:25:20
Speaker
I'm looking at it up. I don't know the details on that at all. That's super interesting. Well, we don't need to do anything. Honestly, I'm just curious because something of that magnitude has to be in
00:25:43
Speaker
the plan, like, you know, there's so many different options that what's going on right now could happen. And like, that's gotta be in the card and the stack. Yeah. I mean, like worst case scenario, they like hack into the military and start launching nukes, right? That's like worst, worst case. Then we're all screwed. Doesn't matter at that point. It doesn't matter. That's what, that's what part of this stuff, that's like part of the, the doomsday rhetoric. It's not helpful because
00:26:14
Speaker
It's like if the doomsday event happens, the fact that there is a cyber attack of some sort is like the least of our worries. Yeah.
Cyber Market Stability and Nation-State Exclusions
00:26:24
Speaker
Agreed. And it's at the same time, it's like impossible. Like everybody reads it and they're like, okay, like make it more real. Uh, reports like that just don't really seem like people just won't believe it.
00:26:42
Speaker
I think it's like an out, I think it's an out, like I think Munich Re is getting like scared of the cyber market and they might, you know, eventually leave it. I think that Lloyd's might, we started to see this when they, um, when they, you know, exclude excluded, uh, nation state attacks. Um, so I think that it might just be like an out for them to say that they want to leave the cyber market, which.
00:27:12
Speaker
When we have a soft market like we do right now and it's a race to the bottom, I don't necessarily blame them because I'm sure that combined ratios are going to be just ridiculous. See how they can even call it. Excluding nation state attacks seems like you're excluding a ton of different attacks. Is it just the nation state themselves or nation state sponsored?
00:27:40
Speaker
It's very cool. I mean, pretty much every single hack from like North Korea is nation state sponsored. I mean, there's no like free people there. Yeah. Yeah. Yeah. There's not. I thought it was like entrepreneurs in North. I mean, I guess there's hackers that are trying to get like news from the outside and like trying to give people, you know, information inside, but
00:28:07
Speaker
I mean, SolarWinds was a state-sponsored Russian group that launched that attack. So it happens. Yeah. And for all those that are worried about premium size, if Munich Re pulls out, you won't be worried about premium size.
00:28:32
Speaker
That would cause crazy ripple effects within the marketplace. I mean, Munich Re is on so many different types of papers. What do you think their market share is? No idea. I don't have an idea. Are they doing a lot of the reinsurance? Well, yeah, they're doing a lot. I mean, I would almost maybe say
00:29:03
Speaker
30% maybe. I'm crunching numbers as you can tell. That's the hardest I've thought in a way. He has a database of reinsurance, a market share. I'm just going based off of previous conversations and where I've seen Munich re on paper and in conversations.
00:29:29
Speaker
You know what's funny about doing this podcast is it seems like it's going like really slow because I listened to you guys on like 1.75X.
00:29:40
Speaker
Well, you're just trying to get through it. Just like, you know, you listen at whatever, you know, times you can like comprehend and still like retain the information. So it's funny because I'm like, this is kind of going slow, isn't it? Just like turn it up to like 1.5, 1.75. You'll be good. Right. I mean,
00:30:07
Speaker
I kind of want to switch up topics here because you guys know that I'm, I've been boiling since last evening, reading an article that apparently six months old. Here I am thinking it's breaking news and I'm like, Oh, great. Six months old, but it doesn't matter. Um,
00:30:33
Speaker
Kaseya with the cyber warranty product, not cyber insurance product. Joe, I'm just curious what your initial thought, you know where I stand on this matter, but curious what you think about cyber warranty products. I know you've read through the Saphos cyber warranty, just curious what initial thoughts are. Yeah, so I haven't seen the actual Kaseya cyber
00:31:02
Speaker
a warranty or cyber insurance policy. I know that it's limited and that they advertise it as if it's a comprehensive cyber policy, but it's nothing like you'd get from a company like Coalition or another mainstay cyber insurance company.
00:31:25
Speaker
They just list third-party liability costs, incident response, network extortion, business interruption, digital data recovery, but there's a lot of stuff that isn't mentioned. What about funds transfer fraud? That's one of the main claims for cyber insurance, social engineering, which is part of funds transfer fraud.
00:31:49
Speaker
Do they cover that or not? And that's the biggest thing that I sell, is the social engineering part. I think what bothers me the most about the conversation in general is the pitch that it's replacing cyber insurance or it's somehow a replacement for cyber insurance.
Critique of Cyber Warranties
00:32:12
Speaker
Like this article that I was reading, the gentleman that was speaking on behalf of CASEA was like,
00:32:18
Speaker
basically saying this is a more affordable and better, more comprehensive coverage than cyber insurance, which is absolutely insane to me because it's not cyber insurance. It's cyber warranty, which responds differently. Uh, they, they serve different purposes. There's completely different coverages. Yeah. It's more like a reimbursement policy. They're not going to pay for his dollar. Do you, do you not buy auto insurance because you have a warranty on your car? I mean,
00:32:50
Speaker
It blows my mind. There's several companies that are guilty of this, and a lot of them are the larger entities, the more enterprise-like companies that are basically saying, hey, once you're with us, you're good. You don't have to worry about it.
00:33:11
Speaker
And you don't have to worry about cybersecurity is what I'm alluding to. And so that also just really gets me going because you have people like Joe. So many people out there, a lot of people in our discord that are fighting to the nail with clients and insurance on the proactive side. It is already hard enough to get people to move on putting in cybersecurity. And these large enterprises are not making it any easier. Absolutely.
00:33:41
Speaker
Joe, I think you were member number one of the Discord. Was I? I think so. Yeah. Yeah. I think I was on there, like, messing with mid-journey while you asked it. I can't believe we actually reviewed those sounds. Number one. Number one. Number one. Number one.
00:34:07
Speaker
Better fact check that too. Going back to that, there's a lot of different coverages that are left out of these warranties or insurance policies like multimedia liability. Media liability is like a mainstay on a lot of these because especially for tech companies,
00:34:30
Speaker
Personal advertising injuries excluded from general liability policies. And it has to be covered under this type of policy, especially with all the content that's going out there. The PR coverage. So coverage to have a PR campaign to create goodwill towards your company after a breach. The expense to tell everybody that their data was breached.
00:35:00
Speaker
That's crazy. That's a main expense if you have a data breach. So, and like, uh, some of these companies are actually like Safos in their defense, they said like, this is kind of like a car warranty. You need to still buy car insurance, you know, but like it does feel like it's misrepresented a little bit. They say they have a million dollar policy, but it's really only a thousand dollars per seat that you buy.
00:35:30
Speaker
So if you only have like 50 people, that's only $50,000 in coverage. You have to have a thousand seats that are licenses that you buy in order to get it up to a million. Uh, so a lot of them are, you know, the devil's in the details, right? So, you know, I, and I will say in like, so size assurance is the partner of Kaseya. That's who they chose as the warranty and.
00:35:59
Speaker
There is clearly a disconnect between side assurance and what Cassay is saying because side assurance is pretty clear that they're not cyber insurance. They specifically state they're a cyber warranty product. I even saw on one of their policies, it was like the MSP thing that they still needed to have tech E&O insurance coverage if they wanted to buy this policy.
00:36:27
Speaker
Sisurance is clearly saying, hey, we are not an insurance policy. We're a warranty product. You even still need to have insurance if you want our product. And yet, Kaseya's messaging to their MSPs is not that. And so that also kind of threw me through a loop. I just, I don't understand how a company of that size could get away with language like that and how that doesn't get caught by illegal or how that doesn't get caught by marketing.
00:36:59
Speaker
We're blowing the whistle right now, Ryan. I guess so.
00:37:03
Speaker
What I want to understand is why, like, what's the purpose? I don't understand the purpose other than like, like, why, what, like, is it just a mark? Like, what's the perceived value? It's, you know, it's a way of selling more licenses because that's if like, for example, for the Saffos policy, if it doesn't originate from a device that's covered with Saffos,
00:37:29
Speaker
endpoint detection software, then it's not covered. So we got to make sure this is on every computer, every laptop, every phone that's in your company in order for a warranty to cover it. So there could be something there too. But I mean, I'm just kind of... And so I guess another reason why I'm so passionate about this is because I built a marine warranty product. And I just, I saw firsthand how bad
00:38:00
Speaker
a warranty can be. And so like, just speaking to just like we were saying, Joe, how you make sure that your clients have a policy that responds well. Like that is so huge about cyber, I mean, insurance in general, but like, you know, I haven't gone through this on these products, but who's the TPA that's managing these claims, right?
00:38:27
Speaker
Are they a TPA that specializes in cyber? Or are they a TPA that specialized in, you know, managing claims for, uh, education, uh, book warranties or something. And now that they're, now they're working in cyber, um, there's not a ton of TPAs out there as a small world. And so I'm just curious, like who the hell they're using as a TPA. Um, so I'm super interested in that. Um, and anyways, I,
00:38:55
Speaker
Clearly I've been bothered by this release. And the incident response, like language on this, one of the flyers I saw was like, yeah, you can, your MSP can respond to this, you know, but at a maximum of $200 an hour. So you're going to have to pay the other $200 an hour that they're charging. So.
00:39:22
Speaker
I mean, I know I'm harping on this, but like when you buy a car from a factory, there's a factory warranty that comes with it. I mean, sure, you can buy like an extra two years of coverage from like a third party. So I think the purchasing behavior of this is a little odd. Like the MSP is saying, hey, we'll do work for you if you want to.
00:39:49
Speaker
If you want to, uh, ensure our work for you will give you, I don't, I don't, I just don't understand the, the value
Necessity of Cyber Controls
00:39:58
Speaker
there. And so it's just, it's very odd to me. Oh, I think people just feel safer if there's a warranty or, or something. Um, and it makes the, maybe the business with between the MSP and the customer more sticky. Cause if they change MSPs and they use a different
00:40:18
Speaker
endpoint detection software, they're going to lose their warranty. Yeah. I feel like they're losing some kind of value that they had, even though it wasn't worth the paper I was written on. Yeah. What, um, what are you using right now with, um, with your clients and
00:40:43
Speaker
I kind of want to talk about controls because there's something interesting about cyber retail brokers. You have to not only understand the insurance, but the control aspect of things, unlike any other line of insurance that I know of. Do you feel like
00:41:06
Speaker
Postures have improved over the last few years or like is it still a struggle to to get people to implement MFA, you know enterprise wide I think that the That most companies have MFA that I talked to and Most the people that I talked to already have like a managed service provider that
00:41:34
Speaker
is going to make sure that they have that kind of thing. And yeah, there's still companies out there that don't have it. They're usually small business, but maybe you guys could tell me, like, are you guys sitting on large, you know, companies with no MFA or is it just kind of like... It's interesting.
00:42:02
Speaker
When the infrastructures get like a lot more complex, you know, rolling out something everywhere to where you're, you're answering the, the, the application question completely accurate. Right. Cause it's pretty, yeah, it gets pretty, it gets pretty challenging. MFA on your email and your main systems or, you know, we just started using this.
00:42:30
Speaker
software, but we don't have MFA on it yet. This company that we use doesn't have MFA.
00:42:40
Speaker
You probably have tons of different types of MFA because a lot of the times you're using the native MFA capabilities built into the software whereas other ones might have single sign in where other ones you can log in with your Microsoft or Google account and then leverage that MFA. There's just so much nuance.
00:43:05
Speaker
And documenting that is crazy. Is that even security, even document that? I guess you need a checklist. If you have a good cyber consultant, they're going to list all your cyber assets and go through each one of them one by one.
00:43:30
Speaker
and check off the risk with using them and ways to lessen the risk of using those certain software platforms or cloud platforms. So I lean on MSPs and cyber consultants a lot. I need them in my life.
00:43:57
Speaker
You stole that from me. I always say I need more Joe in my life. I need more MSPs in my life. I need more MSPs in my life. Oh my gosh. Have you seen the contract requirements are becoming a huge part of the cyber insurance buying process? Do you feel like most of the time they're requesting
00:44:26
Speaker
adequate or reasonable limits versus like, cause I've seen some that are out there. It's just like, you know, that the premium on like for a startup, like the premium on, you know, a 10 mil cyber and tech, you know, policy, even if they have like.
00:44:42
Speaker
50 grand in revenue is going to be probably like close to their revenue. It's like, what do you expect them to do here? Have you seen the contract requirements been somewhat reasonable or what's your opinion on that? Anytime a company's working with a utility, they tend to have like a $5 million limit. Otherwise, it's usually like one or two million.
00:45:10
Speaker
But if they're working with like a state entity or utility, it tends to be like five or 10 million. Yeah. On the one or two, do you ever run into instances where you're like, Hey, I know that they're requiring one or two, but I really feel like you should be, you should have more. You should maybe have a full five. Yeah. A hundred percent. I mean, depending on the revenue of the company, you know,
00:45:34
Speaker
there's definitely a way to quantify how much insurance they should have. Like your buddy Cyber Steve, right? He has a really good tool on quantifying how much insurance you should actually have. I don't know what goes in the black box there, but it's a pretty slick tool.
00:46:00
Speaker
Did, uh, did cyber Joe meet cyber Steve? There's only, there's a, there's only one person get to keep the cyber insert first name.
00:46:22
Speaker
I don't know.
Ransomware Payment Dilemmas
00:46:24
Speaker
I don't know if this thing is going to stick. We'll see. You know what, Ryan's is marine warranty Ryan. Oh man. There's nothing like getting death threats from boat owners. That'll really be good. I promise you, I thought I designed a good product.
00:46:52
Speaker
I guess it's not. It's a tough lesson to learn at 24. Yeah, I think there was a guy on your Discord server that said, this guy had a perfectly good drive chain warranty on his $60,000 truck. But since he did the oil changes himself, he didn't take him to an authorized service provider, and no warranty was void. Yeah, automatically.
00:47:21
Speaker
It's wild. It's wild details, right? So I got a couple, I got a couple more questions for you, Joe. Um, this one's super off topic, but I like to ask people that should we ever pay a ransom? Well, let me think about that. If we're living in a perfect world.
00:47:51
Speaker
and nothing embarrassing could get out about you, then I would say never pay ransom. People just will accept you for all your secrets. That music was too good. Kind of went like that. I liked it. We're having some fun on this one. Yeah, pay the ransom unless it's to like known terrorist groups
00:48:21
Speaker
and it's against a lot of pay it. Yeah. Well, some people have a convincing argument that you shouldn't. It's like your duty to this country to not pay a ransom, which I get, but it's like you put yourself in the shoes of somebody that just got hit. Well, we had two large food groups that we insured.
00:48:49
Speaker
And one of them had cyber insurance and paid the ransom and got back into business in like two days. And the other one was like, F that I'm not paying these guys a cent. His, uh, his MSP said, Oh yeah, we can, you know, get all the data back and everything. And it ended up taking like more than a month to just get their basic systems up and running. And the company went out of business. So, I mean, just pay the ransom.
00:49:19
Speaker
you have insurance for it. I mean, if you're smart enough to buy insurance, just be smart enough to pay the ransom and move on with your life. Yeah. And I mean, that's one of the important parts of...
00:49:33
Speaker
I don't see it too often, but it's one of the important parts of having a pay on behalf policy. Just let the carrier take care of it. I can't even imagine what it's like to get hit with ransomware with a reimbursement policy that has to be really scary. I was just having this conversation at lunch on whether or not you pay ransom. And it's like, there is no right answer. It's not a right answer because
00:50:01
Speaker
It's the answer is it depends, I guess. And we'll never pay a full price, right? Yeah. Yeah. Negotiate. That's actually, um, I met a guy at net diligence Philly. Um, and he was the guy who like ends up paying the, uh, ransomware, the, the, the hacker, um, the bad actor.
00:50:31
Speaker
He's the one that holds a Bitcoin and pays it on behalf of the carrier and then gets reimbursed which is like an insane Place to be in but like what a hell of a job you get to negotiate with Bad actors and then you get reimbursed and you get a nice spiff on top of it. I mean Just because you hold a bunch of Bitcoin. So and that's how that's why we got into it He just has a ton of Bitcoin and he was like why not just position myself as the
00:51:00
Speaker
the independent third party that can pay, you know, do the payments. Yeah. I wonder if carriers are just like banking Bitcoin right now while it's low so that maybe when they need to pay it, when it goes up again, they're paying.
00:51:17
Speaker
$20,000 Bitcoin rate, even though it's at $60,000 at the time. That's an interesting thing I've never thought about. Kind of like how Southwest, a while back, bought a bunch of gas. Yeah. Dude, you must have been saying gas where you're at.
00:51:38
Speaker
Bro. Bro, the gas is horrible here. Really? So bad. So bad. What is it like? It's like $6 a gallon. Shit, I thought mine was bad. I was about to get it. Wait, his is worse than mine. And my wife's car takes premium, of course, since, like, my worst. It's like insult to injury.
00:51:59
Speaker
It's like 50 bucks to go to work. I never thought I'd be an electric car guy, but I think my next car is going to be electric. I'm just done paying those prices. Yeah. We're going to need some relief. Oh, god. You know what, Joe? I think that matches your eye. That's a romance car.
00:52:26
Speaker
I thought my gas prices were bad. We're about $5 for regular. So, I mean, we're close. Yeah. I mean, it depends where you go to. I mean, Costco might be like $550. Damn. Holy shit. It sucks. Yeah. I complain about my like $315.
00:52:51
Speaker
Well, we could go into conspiracy theories, but I think in California, they're artificially inflating the price. So more people go to electric. Probably. There's potential for that. Probably. And I think before elections, the price is going to go down too. So watch around October next year. What a surprise. People will magically forget. Me and my team fell ahead of it. Yeah.
Future of Cyber Insurance Requirements
00:53:18
Speaker
So do we want to talk about mail-in ballots?
00:53:28
Speaker
Oh, it's been the last five minutes, just super political. Well, here's, I always kind of like to wrap things up with what's, you know, what's your opinion on the future of cyber, cyber insurance? What needs to change? What are we doing? Well, just kind of give us your overall sentiment of the industry.
00:53:57
Speaker
I think we should stay the course with requiring MFA and endpoint detection and backups and leave that as the minimum requirement. And people that do more than that should get significant discounts and people that don't have that shouldn't be able to get insurance because it's just irresponsible.
00:54:26
Speaker
You would think such a sensible idea as that would be just a given, but it's not. Yeah. I think there's definitely some carriers out there that are probably going to hate themselves in a year because of the little, like the little bit of information that they're required to get a quote and sign someone. It is crazy.
00:54:54
Speaker
It makes your job a lot harder, Joe. That's why Abe and I always are like, we commend you because still being able to educate your client on the value of investing in their cybersecurity related to cyber insurance is being like, you're being completely like, your legs are being taken out from under you while you're speaking about that importance and
00:55:22
Speaker
Anyways, stay the course man. Right. And if you have, if you don't have those things and you, you're able to qualify, that's great to get that stuff, you know, going, because even if you have a cyber policy, once you start having claims, you know, your, your prices are just going to go up. So, I mean, it's just in your best interest to have those controls and they're not that expensive anymore. Absolutely. Absolutely.
00:55:52
Speaker
Well, Joe cyber version 2.0. Where can people find you? Uh, they can find me on LinkedIn.
00:56:06
Speaker
Or they can just email me at joe at c3insurance.com and I'll point them in the right direction. So it's Joe Earl on LinkedIn. Don't search Joe Cyber because you won't find anything. But he should change it to Joe Cyber. Well Joe Cyber 2.0. Joe Cyber 2.0. There you go.
00:56:28
Speaker
There you go. I love it. New and improved. Joe, thanks for coming on, man. This was a lot of fun. Thank you, guys. We appreciate your time. Thanks, Joe.