Introduction of Hosts and Guest
00:00:20
Speaker
What's going on everyone. Welcome to the ensure sec podcast. We got Ryan done myself and Abe Gibson and our pleasant guests. Some people call him coach. I call him Mr. Andy Runyon, sir. Welcome to the podcast. Great to have you on. And thanks. Thanks for how about you introduce yourself. Let them know what you think.
00:00:43
Speaker
Yeah, so I'm Andy Runyon, the MSP partner success manager with Fifth Wall Solutions. And I've been doing this cyber insurance thing for going on five years now, which doesn't seem that long for an almost 42-year-old dude.
00:01:02
Speaker
in the cyber world, as you guys know, five years is like a lifetime with what's happened, you know, especially since COVID. So just real quick background, education, spent 10 years in the classroom, moved into sales, broke into insurance in 2019, and, you know, really found a niche in cyber when I was with AccraSure.
Andy Runyon's Career Journey
00:01:27
Speaker
But I was a generalist and I knew that I wanted to specialize in cyber. And then I moved over to Brightline Insurance Services out of Dallas, Texas, still on the retail side. Had the opportunity to specialize, had the opportunity to do nothing but cyber and tech ENO every day, really enjoyed it. But then this opportunity came for, you know,
00:01:47
Speaker
opened up for me to come over to the wholesale side. And really the biggest thing for me was to work specifically with managed service providers, right? Those IT guys, I found out over the last three years that, you know, those relationships between an MSP and a cyber specialist can be extremely symbiotic and helpful to both sides, right? Like we gotta have them and they gotta have us.
00:02:11
Speaker
So, yeah, the guys at fifth wall were phenomenal and a lot of alignment and decided to jump headlong into this thing back in September.
Impact of COVID on Cyber Insurance
00:02:21
Speaker
Yeah, that's awesome.
00:02:24
Speaker
for people that are going to listen to every single episode, it's like we're doubling up on fifth wall. Um, it couldn't think of a better shop to do that with. Uh, so, so you've been in, in the cyber insurance game for five years. And like you said, that's, that's a lifetime. Um, so you went through like massive changes. Um, obviously, you know, COVID wasn't even on anybody's radar five years ago.
00:02:49
Speaker
Maybe give us some insight from kind of the roller coaster that that's been any stories or anything notable that you've experienced over the years.
00:03:02
Speaker
Yeah. So the biggest, the biggest change, um, you know, in 2019, uh, for the most part, and I'm painting with a super wide brush here. So like, take, take this with a grain of salt, right? For the most part, cyber crime was pretty much relegated to fortune 1000, maybe even fortune 500 and above, right? Like it was, they were going after the big dogs, right? Um, and so cyber insurance at the time in 2019,
00:03:27
Speaker
when I was going knocking on doors saying, hey, you guys need to think about this, most everybody's response was like, we're too small, they don't care about us, or, or too rural, right? Which, I mean, again, going back into the M.S. citizenship, like that, you know, folks don't even understand that that we're there located geographically doesn't matter at all. Right. So really, really hard discussion. And I honestly, me personally, I was doing a lot of med mal then I was doing a lot of professional liability.
Challenges with Cyber Insurance Applications
00:03:56
Speaker
for doctors. Well, man, COVID hits. First thing, nobody's wanting to do med mal, right? Like, first of all, you can't even, you know, people are trying to figure out, you know, the country's falling apart. They're just trying to make it five o'clock every day, right? So they don't want to talk to a stupid insurance guy. Number one, number two, the med mal carriers are going
00:04:15
Speaker
We don't know what's going on with this. This is a new disease, right? We got doctors saying it's not real. We've got other, you know, I mean, like, regardless of what you think about COVID, it was a really wild time and professional liability. Nobody wanted to touch it with a 10 foot pole. I mean, as med miles doing this man, cyber win.
00:04:31
Speaker
You know, it took off. Don't have to tell you guys preaching to the choir here, but you know, the shift to work at home created all kinds of vulnerabilities in the small to medium-sized business space. Cybercrime went through the roof. We started seeing claims. And the biggest change for me has been not just the necessity for the small to medium-sized business to have cyber, right?
00:04:52
Speaker
but the underwriting that goes behind it. And then now the confusion that has resulted because of that, right? The end user, the insured, they're being asked questions, you know, we do a great job as the industry of coming up with three letter, you know, EDR, MFA, right? So they're being asked all these questions about stuff that they have no idea what it means. They're sending it to their MSP or their tech guy. The tech guy's filling out the app going,
00:05:21
Speaker
These questions suck, you know, I don't, I don't like, you know, I mean, yes, but no, but there's only a yes box and a no box.
00:05:29
Speaker
Nobody is talking to the insurance guy. He's just flipping the half over, right? And then you get these binary yes, no questions. And there's just so much of a disjoint from insured to retail broker, retail broker to wholesaler, wholesaler to carrier. And when you throw in all those stops along the way, there's a really, really good opportunity that what's going on at the insured level
00:05:58
Speaker
is completely and totally misrepresented by the time it gets to the carrying. There's a ton to unpack there, right?
00:06:08
Speaker
You know, your, your piece about the applications, you know, is something that Abe and I talk about. And then I feel like it's, it's starting to be discussed a lot is, you know, these are static applications, right? And it's asking yes and no questions to questions that are just like, we're kind of doing that, but like not completely. So I don't know if I'm misrepresenting information here or when I'm presenting, if it's accurate or not. So.
00:06:37
Speaker
Um, you know, that's, that's something that, you know, I think we're all trying to lead the charge on, right? Is like, okay, how can we make, what can we provide accurate information here that can supplement the application that accurately describes like, Hey, this person actually is investing in their cybersecurity. How can we portray that to the underwriters so that they, you know, even if they're in a bad class code, they can get coverage or they can't get reasonable coverage at a reasonable price.
00:07:05
Speaker
So, you know, yep, and so
00:07:08
Speaker
So here's a great specific story directly to that, right? And I'll leave names out of this as much as I can, right? To protect the innocent. So local I'm from saw if you can go by the by the Redneck accent, right? So local Northeast Arkansas School District purchase cyber insurance before COVID, right? Larger school district premium would hover. I think it was around 15 to 20,000, right? For the first couple of years.
00:07:40
Speaker
we start doing some of this underwriting stuff. And you guys know that post COVID underwriting, depending upon what carrier you were with, could be five questions. It could be 30 questions. It could be, you know, I mean, it was all over the map, right? So they got the nasty old MFA question for the first time in their first renewal post COVID. Again, premium was around 20. Well, it's the school district, right? They are one-to-one technology. They've got kids in fourth grade carrying around Chromebooks.
00:08:08
Speaker
Guess what the binary answer to get on MFA was, right? Of course. Right. So premium, despite the fact that they have a very, very secure environment, despite the fact that they had not had, you know, for a breach, that premium goes from 20,000 to 58,000 dadgum dollars in one year. You're talking about a school district in rural Arkansas,
00:08:34
Speaker
you know, that's hiring another teacher almost, right? So, you know, those those binary questions, the network scans, you know, and I mean, I've seen you guys, you know, I love the launch and how you kind of thrown some knives out there joking around with the gym, it's some of the carriers and other other, you know, wholesale brokers, I think it's great. But you know, not way again, with the name, some of these carriers roll in and they pop a network scan.
00:09:04
Speaker
And it's like, oh, you've got all these vulnerabilities. You're a 65 D, you know, well, yeah, how many of those are print reports that have no access to anything that would even matter, right? And, and that school got crucified, you know, on the MFA question and on a network scan on two things, right? Neither of which had anything to do with their actual security posture and their premium went, you know, up by 38 $36,000. And the way
00:09:32
Speaker
The way it was dropped on them was, you know, last minute probably, and it's like taking a leave it type of thing.
Role of MSPs in Cyber Insurance
00:09:39
Speaker
Um, you know, and that was like, that was something that I think, you know, we should really learn from moving forward is like, there needs to be some type of transparency if there's new, you know, and it's starting to be like that. Right. If, if.
00:09:55
Speaker
If carriers or reinsurers are going to be pushing towards tighter security controls, they are starting to let people know at conferences. They're starting to let people know just word of mouth, like, hey, this is coming down the pipeline, get your clients ready. And really, it's only going to be the agents that are on top of this that are going to be able to be dynamic and able to fix it for the client. And so that's why whenever I talk to businesses, it's like,
00:10:22
Speaker
You know, be with like, I don't care who's doing your property, your GL, your EPLI, like you need to be with a cyber specific agent because this stuff is so dynamic and it's changing rapidly that a generalist and as you would know, a generalist wouldn't be able to do it. But you know, if you got the cyber coach now, you know,
00:10:58
Speaker
I can needle the generalist role a little bit because I was one for a time. And I'll tell you what I saw in that generalist role, to your point, Ryan, and that's an excellent point, is there were businesses when I was a generalist, but I knew cyber really well, that our agency got a shot for the first time in decades, right? Because we had a cyber guy, right?
00:11:22
Speaker
And, you know, you're right dead spot on that this is a different duck, right? And we've done a really, really poor job as an insurance industry, conditioning people, you know, a million dollars in coverage is enough. Start working on it about 45 days. It's supposed to be 60, but 45 will be okay. And if you get busy, shoot it to me within four weeks of renewal.
00:11:47
Speaker
Like a million is not enough if you have any revenue on deck, right? You may need five, 10 million, right? If you don't have MFA on, right? And you're going to get raked over the coast for that. You know, I've got a client right now that's an electrical cooperative that we're working with.
00:12:05
Speaker
And their MFA install is going to take about two months to get fully from the... They started discussing it with their MSP to when it's fully complete. It's about eight weeks, right? And when you tie that into the liability plan, you either don't have coverage or you have sub-limited coverage until it's completed. That needs to be a part of the discussion.
00:12:28
Speaker
And timelines need to be set of, hey, we're going to review this 120 days out from renewal. We're going to try to get you a renewal app as soon as we can. And then we're going to start marking a plan or setting the course of what needs to be done on the control side. What can we expect from a coverage standpoint? Are there any changes? Is the premium going to go up? Do we need to go to market? Who are the carriers in the last year that have shifted into your sector? Who are the carriers that have shifted away from your sector?
00:12:56
Speaker
Dynamic is a phenomenal word. It changes the goalposts move if you're a football person and know that analogy, right? The goalposts move just about every month in the cyber. And along those lines, I'm curious what your perspective is on this, given your new role and what you've been doing at Brightline with MSPs. What would you say, and it might depend on the situation, but what's the role of the MSP in this process?
00:13:27
Speaker
Yeah, so and this is just what I've seen organically, right? And it's kind of. It's a neat story, man. I were where this this all happened like it was just. There was a moment in time I went to a tech conference in Jonesboro in 2021 and this I had just come into the state of Arkansas. RCSA was a guy named Mark Kirby and Mark was speaking publicly. I think for the first time if not, it was one of the first times he had spoken as the CSA for Arkansas.
00:13:57
Speaker
And man, he's saying, hey, we're here to help. If you're not familiar with this, the guys in the audience, cybersecurity infrastructure, security agency, they are a free resource that's tax funded to help small and critical business sectors become more cyber secure. Right. And anyway, so he's given his number out and look around and like everybody's playing on their phone. Right. And I'm like, God, this guy could be a huge resource for us. So I go talk to him.
00:14:23
Speaker
At the end of the conference, they replied back to all of the conference attendees and hilarious for a tech conference. They didn't BCC, they just CC'd everybody. So your boy got 200 code leads, right? I got 200 email addresses and sales brain kicked in. I just went in and code emailed 200 people.
00:14:47
Speaker
Well, the only person to respond back within the first day was an MSP, right? So that right there said something, right?
00:14:55
Speaker
And he called me and he was like, man, I'm Jim Bryant is a buddy of mine with Pinnacle IT now, uh, formed a really, really good relationship over the last two years. And he was like, I need help. We're getting these apps. I've got people asking me about cyber insurance. I'm not an insurance agent. Right. And so what kind of organically formed out of that was this little relationship of we would go to chambers of commerce. Uh, Sisa would speak, um, kind of.
00:15:23
Speaker
I guess organically is not the right word. They're just totally not attached to anything, right? Like agnostic to, they're just giving you cybersecurity information. And then from that, hey, if you've got tech questions and you need IT help, here's, you know, Jim and his group is over here. If you have liability questions, Andy's over here, right? And what we found in that process, so long, long answer to a short question was that
00:15:49
Speaker
The MSP was needing help with the liability and the insurance side of it and the app and who are the good markets and is this premium right? Like they're telling them 15K, is that high, is it low? So benchmarking on is the price good? Is the coverage enough? And how do I fill out this app? And then what we need their help with, right, is if I send a, at the time, and we've matured since this, but if I send a 12 page CFC app to a business owner, he's going to get about eight questions down and go,
00:16:18
Speaker
I don't know what the hell this is talking about, right? So, MST to be involved there, you know, not necessarily, it's not their wet signature, right? Like they're not attesting, but we need them at the table, you know, helping the business owner understand what exactly they're doing and what they're not doing. Yeah.
00:16:36
Speaker
Yeah, and it's, I was talking to Ryan about this yesterday. Outside of the MSP channel, there seems to be, like the cybersecurity industry wants to rely on referrals from insurance, the insurance channel. And, you know, you go to any cyber conference and it's just all cybersecurity vendors, just like hawks trying to get partnerships set up.
00:17:03
Speaker
I've always thought that's like so completely backwards. Like it should be the opposite. Like we shouldn't be starting with insurance.
Fifth Wall's Strategy and Support for MSPs
00:17:10
Speaker
So that I think that there's a real bright spot in the industry where we do have like what what fifth wall is doing and you know, starting with the MSP and then working on the insurance program after we've after we've approached like how do we assess our cyber risk? How do we mitigate our cyber risk? Then let's transfer it with insurance once we've done all that work.
00:17:32
Speaker
kind of, you know, obviously you got a new role here. I'm sure you're really excited because it's a perfect fit. Take us through kind of what the vision is there with your role and what you plan to do. Yeah, so with fifth wall's relationship with MSPs and in all 50 states, you know,
00:17:51
Speaker
Look, I mean, it speaks for itself, right? Like the process that you are talking about there, there are so many, over a thousand MSPs that have heard Will Brooks or Reid Wellock or Wes Messer or somebody go, hey, here's the concept. And they go, yeah, we need help with that. Right. So like the concept speaks for itself through.
00:18:10
Speaker
And really what I do is those MSP relationships, every MSP looks different, right? You've got some MSPs that are very sales driven. They have a very mature sales team of 15, 20 people, account managers, right? And they're out trying to win new business.
00:18:30
Speaker
and it is a sales-based model. You have some MSPs that really push in on compliance, right? Like they have a chief compliance officer and they stack in purposeful verticals of healthcare with HIPAA, right? Financial stuff, FTC, you know.
00:18:49
Speaker
My job is to come alongside the clients that we have, really understand how their bill, what they do, who their clientele is, and then based on how they interact with the liability side of things, the insurance, how can they leverage
00:19:04
Speaker
marketing, the Loda app, my knowledge set, how can they take us to their clientele to benefit their business in the best way. And it's going to look different for everybody out there. Some people may have a real education need
00:19:23
Speaker
And it's like a mini webinar series. Some people may have, uh, a sales team that an old football coach, when I say the word ignorant, that's not negative. I had an old defensive coordinator that would say ignorant all the time. He said, just means you don't know, you know, the sales team may do library insurance, you know, so it may look like setting up a monthly call with their sales team to go over, you know, Hey, what, what is good, right? What, what markets are struggling right now?
00:19:51
Speaker
What are some things, what are some red flags that maybe we need to take these guys to the market? I've got one client that has got a ton of V-CISO work, right? And with those V-CISOs, we're working on those guys with some processes. Like I said before, what are we doing at 120 days out? What are we doing at 90 days, 60 days, 30 days, right? What are we doing halfway through the policy period and trying to help those V-CISOs?
00:20:16
Speaker
Um, bring value to their clients around their cyber liability program. So, I mean, that's the long answer of the shorts. Short answer is working with our MSB partners to, to, to, you know, drive success of their organization. Yeah, that's huge. And, um, I know that you mentioned Reed and my good friend, Will Brooks was throwing paint at me for missing the last podcast.
00:20:45
Speaker
But, um, you know, you also have Dustin Bolander over there. Like, you know, you guys have a great team over at fifth ball. Abe and I have a lot of respect for you guys. I've, I've had the pleasure of chatting with Reed and Dustin at, at length about this issue. And they've, um, you know, they've been on top of the.
00:21:06
Speaker
Hey, how do we prepare people for their cyber insurance renewal? But also like during the policy period, what can we do to help these clients feel like they need to fix their cybersecurity infrastructure, right? You know, if there are new vulnerabilities, how do we make that known in a streamlined fashion, right?
00:21:33
Speaker
Um, and so, you know, I, I know that they've worked on some, some really, uh, good stuff there. And, um, you know, so hopefully, uh, some of that stuff will come to light. I don't want to steal their thunder right now. I'm going to, I'm going to refrain and I know, I know where he'd like to keep things under the covers until it, until it comes to light though.
00:22:11
Speaker
MSPs helping their clients become more mature, more cyber resilient,
Importance of Incident Response Planning
00:22:15
Speaker
right? Like here's a great example, right? We want to use the coaching thing. One of the biggest gaps that I see in the industry that is not yet quite tied as much to premium and deductible, like MFA is, is incident response planning, right? Like it's asked. But if you don't have one, or if you've got a template, they're not going to kill you like MFA, right?
00:22:37
Speaker
But for the coach, right? Incident response planning. I mean, that's huge for me. You know, I tell people all the time. Right now, I'm a junior high baseball coach. I coach eighth grade baseball team. I used to be a head high school baseball coach. Think about if we were in the state tournament, win or go home, and I gave the kid the butt sign.
00:23:00
Speaker
for the first time all year, right? And the kid doesn't execute that bond. He pops it up and he gets out and I'm like, man, what are you doing? You can't get the button, right? Like, that's on me, right? Like, that's my fault. Like, I should have.
00:23:15
Speaker
For months preceding that event, I should have been baking that into practice. We should have been taking time in other games to make sure, you know, there should have been a lot of things being up to that moment to prepare that child in that moment for the call that was that was executed, you know, and.
00:23:34
Speaker
It's that way with our planning, man. You can't download a system template, slap your name on it, and then when you have a breach, whip it out and think that it's going to help, right? There needs to be things going on throughout the year. It needs to be updated. You need to have tabletop exercises. You need to customize it. Make sure it's off the network. All of that stuff, right? That way when things do hit the fan that you can execute and kind of
00:24:00
Speaker
straight that means that is so spot on. And from a gap standpoint, like that is something that nobody's talking about. Like nobody's talking about it. Like, sure. Like we all know it's there, but it's almost like nobody wants to address it because it's a, it's a big issue. It's all been, you know, if you look at the, the response times and how, and the drivers of all this costs when it comes to cyber insurance policy, it's.
00:24:27
Speaker
You know, it's the incident response, but it's also like the forensics that are associated with that. Like it was a serious issue there. And I'm going to give a quick shout out to my, uh, my old firm that I worked on the retail side bathroom, uh, down here in Fort Lauderdale. You know, one, one of the things that we would win business off of is like, Hey, do you have insurance implemented in your incident response plan?
00:24:52
Speaker
Most of the time, people would be like, we're an incident response plan. To your coaching point, it's a massive opportunity to coach a prospect on what they should be doing. But then Cothran would take it a step further and we would sit down with the client and their IT staff and we would do an exercise and implement the insurance into their incident response plan, or we would build the incident response plan. And so that was back in
00:25:23
Speaker
I was back in 2017, 2018. This is like, wow. Over ahead of the game. All right. And so I had to give him a shout out for that. And he just sparked that in my mind. In your analogy to coaching, the Bunt analogy is like prime. It's so true.
00:25:48
Speaker
Do you see anything else going on right now that can be related to that? Like, yes, it's a response, but are you seeing anything that's like, Hey, we're not even like, like we all know it's there, but you know, I can't think of anything, but I'm curious if you see it.
00:26:06
Speaker
Yeah, no, I would say, you know, and I alluded to this earlier, the MFA thing is still sometimes a struggle and man, it just shouldn't be, you know, I mean, that's basic blocking and tackling.
The Role of MFA in Cyber Insurance
00:26:16
Speaker
You know, we still pretty mature organizations that are taking, you know,
00:26:23
Speaker
Double the insurance rate with double the deductible and a ransomware sub limit of 250 K when the full policies at two and they don't know why right so I know MFA sounds like basics. But man, I still run across pretty regularly organizations.
00:26:43
Speaker
that can't make a full attestation to multi-factor authentication, and then nobody within their team has connected that dot between, this is why our insurance sucks, right? Like, this will be one issue is why, you know, I was working with a client that had a 250K sum living on ransomware recently. And I asked him, I said, you know, is our initial consultation? I said, man, why is that?
00:27:07
Speaker
And he was like, honestly, I didn't even know it was there until you pointed it out. And I said, well, do me a favor. I said, call your agent, call your current agent, and ask them why it is. And I said, dinner on me if it's not multi-factor authentication. And he called me back like three days later, and he was like, well, you don't have to buy dinner. So the MFA issue is still not quite solved as it should be. And to dig deeper into that,
00:27:34
Speaker
Man, there, there is a sister recommendation that came out at the end of 2022 that just like flew totally under the radar. And you want to talk about something that nobody's talking about sister straight up said every organization that can should move towards passwordless fishing free MFA. And if you say in 2023, passwordless fishing free MFA, if people think you're speaking Greek, they're like, what is that? Right. And, and there's not understanding.
00:28:04
Speaker
there's not a full understanding that MFA is basic blocking, blocking and tackling, and we gotta have that on there, right? And then when you expand on that, it's like they don't understand the difference between Microsoft Authenticator and like what our friends at Traitware do, right? The guys at Traitware have got a solution that, and I'm just using it as an example, there's other password lists, there's UB keys, right? Like there's other stuff, but the guys at Traitware,
00:28:29
Speaker
You log in biometrically with your face, a QR code sent to your device. Um, your, uh, your, your device has to be within 50 feet or your phone has to be within 50 feet of the device. I mean, like that is insanely more secure than me typing in. I love pineapples number 18. Right. And, and, you know, maybe on a sticky note, you know, I would say, no,
00:29:17
Speaker
the best, most secure solution out there. I think that that is, that's a gap that we still see and deal with. Yeah. And speaking of passwordless, I, you know, when I first heard about it and kind of understood, you know, what it was and how it helped, I kind of thought it was like, it was like salvation, but it really is a tool. But have you, have you seen it implemented? Cause I mean,
00:29:44
Speaker
In practice, I'm like, this solves so many issues. Not only is it so much more secure, but it also reduces MFA fatigue. And I get that myself because I'm limited to some of my platforms, SMS-based authentication. I'm just like, this is so annoying. But have you seen it implemented in the wild?
00:30:06
Speaker
Yeah, I have. And honestly, and this is, I mean, again, at fifth law, we're vendorized and agnostic. This isn't an endorsement of anyone, you know, we're talking in general about passwordless, right? The UbiKey solution, I mean, I've seen demos on that. And I mean,
00:30:25
Speaker
You got to have it. And if you don't have it, you can't get in. Right. But it's it is much quicker. Right. What the guys that trade where do what I what I've seen with them and what I think is really me, particularly in the health care space. Right.
00:30:40
Speaker
Whenever we think about something bad happening, we always think about ransomware or funds transfer fraud in the outside in, right? What a lot of times people don't think about is insider threats, right? What if a malicious act happens from somebody at a workstation that's employed by that organization?
00:31:00
Speaker
Well in the hell, and I've seen this guys, I was in healthcare sales for years. I can't tell you the number of workstations that I've seen with a yellow sticky note that says password one, two, three on it, right? And every single nurse that cycles through that station. So if there was an insider threat or an insider issue, it's like, who did that? Right? Like who was, who was there then?
00:31:23
Speaker
And some of that passwordless stuff, I mean, you're authenticating with your biometrics, right? Like, you know exactly who was at that workstation and when they were there, you know. So some of the stats I've seen on some passwordless stuff is you talk about MFA fatigue. And listen, this isn't an indictment of Duo or Okta or anything like that. There are people out there
00:31:45
Speaker
that need Duo and Okta today. But some of the passwordless stuff can cut that login time by half and then the security measures of it are pretty impressive. And yeah, I've seen it in the wild and I've seen folks
00:32:01
Speaker
I mean, it's stupid to think that if we look at it from a 10,000 foot view, the idea that I get frustrated with doing something for 40 seconds to protect millions of dollars, that just seems insane. But we're humans, right? Like we're, we're built for speak, we're, we're creatures of comfort, right? And like the idea that I've got to stop what I'm doing to do something that I don't want to do, it doesn't matter what it is.
00:32:24
Speaker
That's just in our nature. But, you know, yeah, it can it can reduce that. I think the insider threat point is a good one to bring up because it's obviously, it's, it's wildly overlooked.
Addressing Insider Threats
00:32:36
Speaker
And, and it's one of those things that, you know, most business owners would think that's not us. But I heard a story of, you know, it was a small business and their
00:32:50
Speaker
One of their their admin people their their boyfriend was a drug addict and they they flipped sensitive information for cash stuff like that that you would never think about and It's there. Listen, I'm not I'm not
00:33:06
Speaker
spring around you, but I mean healthcare clinic, right? Two doctors coming together and this is rural Missouri. Two doctors coming together. One was on paper charts. One was on electronic charge. So as they're merging for the new year, right, they're converting charts. Well, ex-girlfriend was employee of Dr. A and ex-boyfriend was a patient of Dr. B. When his stuff got uploaded, she just went in, looked him up. Why after they had broken up, he had contracted an STD, right? So she,
00:33:35
Speaker
green, shy, Facebook messenger to all of her friends, right? And, and, you know, that's, I remember when I was first in the clinic about the doctor kind of came in and shut the door behind him. And he goes, let me give you a hypothetical, right? And he, and he, and he went that old scenario and he was,
00:33:58
Speaker
or insurance files they respond there. And I said, first of all, yes. Second of all, that doesn't sound real hypothetical. That's wild. That's what you deal with, man. That is absolutely wild. I mean, like you can put all the security blocks in the world out there and that's
00:34:21
Speaker
uh yeah here's is that him and i think that might be him that's crazy that's crazy well um you know it what you guys are doing at fifth wall it's obviously like the
00:34:37
Speaker
This is the way that it should
Future of Cyber Insurance Industry
00:34:39
Speaker
be done. If you're an MSP and you're not working with fifth wall in some capacity, I don't know what you're doing. Take us through, I always like to ask this question. I'm asking everybody it because people are in my comments talking about the sustainability of the way that we write cyber insurance right now. What are some of your projections over the next
00:35:02
Speaker
you know, let's say five, let's do five years and then maybe 10 years. What needs to change? If anything, are we going to have an industry in 10 years?
00:35:14
Speaker
Yeah. First of all, really, really high level. If I didn't think that we were going to have an industry in 10 years, I wouldn't be sitting here, right? I've, you know, over the last five years, I have professionally chosen to network myself and push into this cyber thing. And if I didn't think that cyber insurance was going to be around,
00:35:37
Speaker
you know, in 2033, I wouldn't be in this chair. I'd be back coaching high school baseball, right? Maybe not. But anyway, another show.
00:35:51
Speaker
Here's the other thing. And the only thing, I'll break it down to like one thing that I see right now that has to change. And we've mentioned it already, the application process has to change, right? Like, I mean, we have to get away from sending clients at the insured level. We've got to get away from, hey, if you want a CFC quote, fill out this seven page CFC app. If you want a Tokyo Marine app, fill out this 12 page. Like,
00:36:17
Speaker
and people will not do it. It's already a hard enough sale. They already don't understand it. So we've got to get away from paper apps. There's got to be some synchronization there. I love what we do at Fifth Wall. Again, don't want to spill the total beans, but we found a way to make that lift on the client very, very light. So the application process has to be fixed, number one. The application questions
00:36:44
Speaker
need to get better. They need to get more in depth. And our side of the fence has to understand we need to hire cyber people, right? Like a buddy of mine tagged me on LinkedIn the other day. He was like, Hey, I've got this buddy that's getting into cybersecurity. He wants to work for a cybersecurity company. Does anybody have any advice? And I jumped in there and I was like, yeah, don't forget cyber insurance. You know, like
00:37:06
Speaker
Go work for a carrier because we've got to understand more about the landscape in order to ask better questions. That way we can better understand the risk, right? So those things, I would say cleaning up the HAP process, you know, better questions, better conversation between insured and carrier and making sure we fully understand the risk.
00:37:27
Speaker
And then, you know, kind of at a holistically level or at a 10,000 foot level, just change is going to be the name of the game, right? Like, I don't know what it is. I don't have a crystal ball. I don't know enough about the tech side of it to say, you know, MFA is the straw that starts the drink now and it's going to be, you know, EDR in six. I don't know that, right? But my, my guess is, is that whatever we're doing in 2023,
00:37:56
Speaker
it's probably going to look super different by 2026, right? Like the landscape will continue. The insurance application thing is, I know we talked about it at the beginning, but it's super fascinating to me that it is the way it is about this static application.
Standardizing Cyber Insurance Processes
00:38:20
Speaker
And like, hey, if you want to go to CFC, fill out this app. If you want to go over here, fill out this app.
00:38:25
Speaker
It's really kept a lot of agents away from selling cyber insurance and it's really kept a lot of insurance out from selling cyber insurance. I think the more that we can
00:38:41
Speaker
consolidate that make it a little bit more streamlined similar to how you know this kind of happened with workers copy they created the court application now granted it's all yes and no questions but like similar from a high level perspective what they need to do is like.
00:38:57
Speaker
more like, hey, how do we take a NIST framework? How do we take a CIS, V8, like a survey, and how do we apply that to analyzing cyber risk from an underlying standpoint? Also, and I love what I would like to see is some standardization of like questions based on a framework, right? Like NIST or CISRA recommendations, whatever, right?
00:39:22
Speaker
And then the other part who is, is like, man, I would love, and this is just like dreaming because it's probably never going to happen. And, and man, for those of you out there and, and LinkedIn land or, or webinar land and don't take this the wrong way. I am not a huge regulation guy, right? But God bless. There needs to be some regularization or regulation around language and cyber policies, right? Like.
00:39:46
Speaker
go back end user go back to the insured right the like they'll ask me okay if i pay a ransom is it covered
00:39:54
Speaker
Yes. Okay. So that found, well, it's named three different things depending on who you write it with, right? Well, what if I accidentally or my clients or my employees accidentally wires 80 grand to a bad actor? Is that covered? Yes. Well, what's that called? Well, it's called funds transfer fraud over here. It's called cyber crime over here, right? Like I would love, love, love. I mean, if you honestly asked Andy Runyon, if you could change one thing about the cyber insurance industry when you wake up tomorrow,
00:40:21
Speaker
Standardized language, you know what's so funny me. I don't know when that happened because any I I've been Dealing with cyber insurance for over eight years now and it was always this it was always the same like the language the language was standard like as in like the you know, not the specific definitions and the exclusions the the wording used like ransomware and
00:40:45
Speaker
uh, invoicement and manipulation of social engineering. Like it was standard and suddenly it like people started coming up with all this different verbiage. We've got funds transfer fraud and it, it wastes time when it comes to analyzing cyber policies. It makes it, uh, a lot, you know, a lot more difficult on the agent to be able to properly educate their client on what the hell is going on. I completely agree with you. I honestly, and here we are back. What's up.
00:41:16
Speaker
No, I said, here we are back yet. Why do you need a specialist? I mean, we, four or five different examples, but that's a great reason. Yeah. I, um, God, I, I, I'd like to see that as well. Um, you know, I, I, um, I w to me, if you looked at cyber industry back in 2019, 2018,
00:41:45
Speaker
You know, the collaboration between agent and carrier was very, very limited. And now I'm seeing so much more collaboration. And so maybe that can be solved through this collaboration. I'm telling you, like it was a very select few of agencies that were consulting carriers on how to fix cyber insurance and make it easier for agencies to sell it, you know, underwrite it, that whole thing.
00:42:14
Speaker
Um, COVID already messed up every suggestion made, but then now, you know, and I mean, like think about why that was though. And let's, I mean, you guys are really good at kind of stabbing the elephant in the gut and calling the spade a spade. Let's call a spade a spade. Why was that? It's because nobody was doing it. It wasn't making them enough money. Right? Like if, if, if I was principal agent.
00:42:36
Speaker
and an account made me in revenue, $100,000. Let's just use round numbers. Odds are in 2018, 2019, and still to a degree, that cyber revenue might be, what, like three, four grand? Maybe, you know? So, I mean, and I'm not trying to be ugly. It's just the truth, right? Like if I'm making 100K on work comp, business auto, and the BOP, and you know, and the health insurance and all that stuff,
00:43:02
Speaker
Why am I going to spend a finite amount of time that's available in my day chasing $3,000 of revenue and trying to fix that? And, you know, that's, we're back to
00:43:15
Speaker
having a specialist, dealing with somebody that cares, that specializes in it. And this is where we spend the majority of our day or all of our day, you know, is talking about this stuff. But yeah, it's the same reason that you see large agencies in your area when you go and you say, hey, I need help with cyber. They go,
00:43:35
Speaker
Hold on just a second, you know, and it's like, Hey, is, is bill here? And, and, you know, and bill has five clients that have cyber and he's a cyber specialist. Right. Um, and a lot of, a lot of agency principals look at the premium on those accounts where they've been and they go, you're not where we, you aren't going to make enough money on this. Yeah.
00:43:58
Speaker
I'm back in it, guys. My camera died. Technical difficulties. But one of the ways that I appreciate your style, Andy, in fifth ball, too, is I tend to be a complainer. And I'll just kind of complain about the way the industry is. And I try on some things to change it or do the work that needs to be done to improve the way that we do this thing.
00:44:28
Speaker
you guys take it to the next level where instead of sitting around and complaining about, hey, things aren't working optimally, you guys do the work and you put in the hours that it takes to actually fix it without a lot of support from the other parties and the value chain of getting a cyber insurance policy placed.
00:44:50
Speaker
If there's, you know, there's a couple of ways to work with fifth wall, but if somebody is interested in working with fifth wall, what's the best way to get in touch with you or get in touch with the team there?
Opportunities for Collaboration and Innovation
00:45:03
Speaker
Yeah, so a couple of ways.
00:45:06
Speaker
You can hit me up on LinkedIn, right? I mean, we're very LinkedIn active. Myself, we're Will Brooks, pretty active on LinkedIn. Just shoot us a DM, shoot us a connection request. My email address is Andy, A-N-D-Y dot
00:45:21
Speaker
Runyon, R-U-N-Y-A-N at fifthwallsolutions.com. Pop me an email. And we've got two sides of the house. You know, if you're out there in agency land and you need some help, I know you guys are doing your work, you know, don't step on toes there. I mean, we can't help on the agency side, but like for me, you know, for me,
00:45:43
Speaker
I'm gonna be on the MSP side of things, right? So like if an MSP is out there and they listen to any of this and they hear, hey, we need some help, reach out to me directly. I mean, my job specifically is to make sure that MSPs in our network succeed and they have the resources that they need. So shoot me an email, shoot me a LinkedIn request, jump in my DMs, whatever we need to do. And just let me know where,
00:46:11
Speaker
where the pain point is. I've heard it all, right? Like I've heard MSB say apps that are killing us. Like we have told our clients.
00:46:20
Speaker
no more than three apps a year. I've heard them say, it's my sales guys. They need to be pushing cyber insurance and they don't know the first thing about it and I need some training. I've had some of them tell me it's a compliance thing, right? Like we're offering compliance services and I really think it would be good for our clients to understand the connection between compliance and looking really dressed up and tied up when you go to the cyber insurance market.
00:46:50
Speaker
There are a lot of different ways that that fleshes out. I love it. I love it. I've said it again. I'll say it again. If you're an MSP and you're looking at this podcast or listening to it, I know that there's some in my network. They probably already have spoken with you, but if they have it, they definitely need to.
00:47:08
Speaker
because you guys are playing chess while everybody else is playing checkers. So appreciate what you do, man, your content, everything. We love it and keep doing it. Well, and listen to come back at you there, what you guys are doing as scenarios and what your goal is, right? Which is kind of what I like. I'll pay a compliment back, right? Like I love disruptors.
00:47:35
Speaker
Like I was, I know I keep going back to the coach thing, but it's my mantra. So let's roll with it, right? I was just having the other day we were talking about football programs in our state, right? And there is a particular football program that is, um, has not been successful over the years. I hear more out of those guys. Well, you know, this is the way that we've always done it.
00:47:58
Speaker
Okay. What have your results been, right? Like that, that, that used to hold water when you go to an A every year, right? And, and what I love about you guys are the fact that you're disrupting things right now, right? Like, uh, you're going to make some people mad, you're going to rough some feathers, right? But like all in that industry that, that need to be fixed, right?
00:48:21
Speaker
And what I love about y'all and about the kind of the scenarios vision is like, man, the way that we've always done it, that's not a good enough excuse, right? If clients were suffering because of that, if agencies were suffering because of that, you know, just this is the way it's always been. So kudos to you guys. I appreciate that.
00:48:46
Speaker
Coach, you're going to get me running through a wall, man. I love it. I love it, man. It's, you know, you're so freaking right. Like, Hey, well, um,
00:49:00
Speaker
Having you on is a pleasure. Keep crushing it at fifth wall. The MSPs that you bring on will be happy that they work with you. And we look forward to seeing you in the LinkedIn world, seeing you in the cyber insurance world, and hopefully meeting up in person soon.
00:49:20
Speaker
Yeah. And thank you guys for setting this up, man. I mean, regardless, I mean, you know, um, we're in the same space and I'll tell you this, and this is for anybody out there that's thinking about getting into cyber or cyber insurance. I believe this in my heart of hearts, right? Like just by personal faith and abundance principle guy. I think that there's a spot for everybody, right? But especially inside right now, especially inside, if you do it well.
00:49:46
Speaker
and you go to work every day trying to help people, man, there is room for you and cyber if it's at the retail side, if it's at the hotel, wholesale side, hotel, wholesale side, right.
00:49:57
Speaker
Oh, there, there is room at the table right now in cyber for people that want to come in and do well. Right. And I mean, you may, maybe, I mean, we're, we're 50 minutes and you may still be going, how in the world, why are two guys that are essentially in the same space sitting here talking about this? Are they not competitive? No, man. Like they're, I mean,
00:50:22
Speaker
They're high out there for everybody to eat. If you're going to do it right. Yeah. I know, I know, uh, the leaders at fifth wall to believe in that vision too. Like there's plenty of pie for us to eat. You know, we, as long as we keep on working collectively together, um, you know, sure we're, I mean, if people looked at us both, they'd be like, wait, aren't they competitors? Like, why are they talking to each other? But, you know,
00:50:46
Speaker
There's plenty of out there and we have to be working collectively to fix this. It doesn't take like the one solo guy driving the, you know, the mission across the finish line. No, it's, it's all of us believing in the same type of vision and working towards that. That's going to create the message and make the changes that we need. So, uh, completely agree, man. And I hope, I hope others in our industry adopt that vision as well.
00:51:12
Speaker
I saw numbers out there the other day and I don't know if this is correct or if it's been changed or what. The estimations in the United States, there are 60,000 MSPs.
00:51:20
Speaker
Right. I mean, if we, if we deal with the thousands of guys, it means that there's 59,000 other MSPs out there that need. Right. So that's, um, you know, I, I just think, you know, that, that there is, there's enough bad out there. Um, and I don't mean the fairy is bad. I mean, just, you know, people that have either gotten lazy or people that haven't cared to push into it or people that maybe they just don't fully understand it. There's enough bad out there that.
00:51:49
Speaker
If folks will push in and do it the right way, then everybody can help and financially profit. Love it. Well, this has been one for the books. We're going to have to have you on again in the future and hear about all the things that you've done and not just about what you're going to do.
00:52:10
Speaker
And Andy doesn't know this, but we're going to send him an invite to speak at our Insuresite conference and spread the gospel.
00:52:28
Speaker
You know, one of the things that, you know, and the older I get, the more I'm learning this. One of the things that I've been gifted with, right, since I was a kid, was like, I can stand up and talk and it came from right. So, no, would love to work with you guys in a public format moving forward. And, you know,
00:52:49
Speaker
Man, really, really excited about the direction that this is headed with scenarios with us, with the market as a whole. You know, I'm not going to name any names from the from the comments because I think better. Yeah, right. Like, I think they have a legitimate point. Like, it's not cutting dry, right. But man, just in my heart a horse. I'm just not there yet. You know, I think that there's a lot of love it. Love it. Sweet. Thanks, man. I appreciate you coming on. Thanks, Andy.