
David Kruse - The Philosopher of Cyber Insurance

InsurSec Podcast

This week on the InsurSec Podcast, listeners are going on a philosophical exploration of cyber insurance, guided by the wisdom of David Kruse!

Drawing on the ideals of Socrates, David advocated the virtue of self-knowledge, encouraging the insurance industry to examine itself deeply and bring in diverse perspectives. In the spirit of Aristotle, he shone the light of logical analysis on cyber insurance issues while epitomizing the examined life.

Channeling Kant's duty-based ethics, David suggested moral imperatives around ransomware that supersede pure utilitarianism, which Mill might propose. Yet he also embodied the pragmatism of American philosophers like William James in his solutions.

As the Dude might abide, or Aristotle opine on virtue as the mean between extremes, David walked the middle path between profit and ethics. His unique background combines the care for humanity of Humanists like Erasmus with the logic of Aristotle and the systems thinking of Comte.

In the tradition of questioning thinkers like Socrates or the existentialist Kierkegaard, David forces us to re-examine assumptions about talent, technology and cybersecurity. Like Plato's philosopher king, he integrates noble ideas and practical realities.

So join David on the examined cyber insurance life, connecting with him to further explore the conceptual foundations of our industry.

Transcript

Introduction and Lighthearted Banter

00:00:18
Speaker
Welcome to the InsurSec podcast. We've got your hosts here, Abe Gibson and Ryan Dunn, and our lucky guest this morning is David Kruse.
00:00:31
Speaker
David, you remind me, I told Will Brooks in fifth ball this morning, he looks like a guy that has a good chili recipe memorized by heart. And I would put you in that camp as well. You definitely have a good recipe in your back pocket ready to go whenever you want. You know what, I think that's one of the highest compliments you can pay a guy. And I'd say right back to you, a guy that has like really hard opinions on cherry versus mesquite wood for smoking a fortune.
00:01:01
Speaker
Like that, that is a hill that you are willing to die on. You read me well. You read me very well. Everyone, stay on the podcast for the chili recipe disclosure at the end. Oh yeah, yeah, I told you, I told you. Well, David, I feel like most people in the industry know who you are. Most of our listeners will know who you are,
00:01:29
Speaker
But they'll know what you do.

David Kruse's Unorthodox Career Path

00:01:32
Speaker
But maybe just give everybody in the audience an overview of your background, how you got here. I've heard it before, but it's a good one and would love to hear it again.
00:01:43
Speaker
Yeah, yeah, you bet, you bet. So I came at this industry after getting a bachelor's degree in theology and philosophy, which is how most people get to cybersecurity and incident response, I've found. So did that, graduated in about 2010, and not a lot of places were looking to hire resident philosophers then. I was just as shocked as you are.
00:02:06
Speaker
So I kind of went through a couple of varieties of careers. I was a nanny for a while, was a bank teller and a banker for a while. Ended up in insurance because my wife knew the agent that represented her company.

Transition to Incident Response

00:02:18
Speaker
So he got me into it and then I started in 2014 and then throughout that five six year period.
00:02:24
Speaker
Um, founded and grew a cyber insurance practice at my former agency, the Houseman Group. Um, they're still around and they're doing a great job here in Madison. Um, come 2019, there was an opportunity to pivot to the incident response world. So that's when I joined up with a company that was back then called Gillware Digital Forensics, which rebranded to Tetra Defense, which was acquired by Arctic Wolf in 2022. And that's what brings us here. So what I'm doing now is essentially representing our insurance solutions

Solving Insurance Risk Transfer Challenges

00:02:51
Speaker
portfolio on both pre and post incident and bringing that to the insurance community, whether that's on the brokering side or whether that's on the claims of the underwriting side. We know that there's a big funnel that influences the insurance risk transfer process. And what we're trying to do is bring solutions to each layer of that, whether that's new client acquisition, underwriting, risk control, claims management, that whole process we're trying to
00:03:18
Speaker
bring value to each layer of that funnel, basically. So that's what I'm doing here at Arctic Wolf. It's funny. In all the episodes that we've recorded, and it's going to sound like we've recorded a ton, but maybe it's a large enough sample size to draw this conclusion, we have never talked to anybody,
00:03:41
Speaker
and in my entire career I've talked to two people, for whom it was their plan to end up in the insurance ecosystem.

Attracting Young Talent to Insurance Industry

00:03:50
Speaker
It's just funny how that works. And I feel like cyber, I feel like the cyber insurance ecosystem is probably best suited to attract young talent. We just have a marketing problem. Maybe just to kick us off, how do we get more young people to make plans while they're in high school and college to enter the industry? Because I feel like we do have a talent gap and it's only going to grow if we continue to grow the way we are. Yeah.
00:04:19
Speaker
That's a fabulous question. I'd be lying if I said that I was an expert on Gen Z, I think, is what they are now. I don't know what it is they like. I think they're into Fortnite, maybe. I'm not totally sure what that is. That's apparently a big deal. If we worked Fortnite into here somewhere, I think we'd really be in good shape.
00:04:41
Speaker
You know, I think what the, I think the way that you can position that to somebody that is in that stage of trying to figure out what in the heck my career is gonna look like, I think you can sell it to them and say, you know, this is, insurance is such an amazing industry for being exposed to every other kind of industry.

Insurance as a Diverse Career Entry

00:05:00
Speaker
especially if you're at the independent agent level like I was, it was a very typical day for me. I ended up being, you could think of it like a cyber insurance sales engineer. All the other producers at the agency that didn't have quite a mastery of cyber, they would, you know, when we'd have their renewal meeting, I would come out and they would talk to the property, the GL, the work comp, all that.
00:05:20
Speaker
And then they would take me in to talk the cyber insurance piece. So a typical day would involve me starting out my day at like a $2 billion general contractor, and then going to a small life sciences startup. And then after that going to a hog farmer in southwestern Wisconsin that somehow made like 2 billion a year. Like, you'd be getting exposed to such a wide variety of executive types and businesses that going and seeing that, and seeing like how the, you know,
00:05:47
Speaker
pardon the hog reference, like how the sausage is made at all of these different places. It really gives you an incredible exposure and an incredible network that you can rely on in later years. So I think that's to frame that up to say, hey, insurance isn't necessarily where you end up, but it's an incredible entry point into the business world.
00:06:09
Speaker
and you can decide what kind of business and what kind of industry you might wanna work in, because especially at that independent agent level, you're gonna be exposed to just everything, which is really cool. There's not many other industries that necessarily have, I mean, maybe like accounting, you might get a little bit of that, maybe in banking, you might get a little bit of that, but it ends up being something in that financial services sector where you serve your surrounding community, that you get that exposure to just,
00:06:36
Speaker
Just everything. So that's the only way that you could potentially do that, I guess.

Cyber Insurance at the Retail Level

00:06:41
Speaker
Yeah. Again, with some Fortnite spun in there. David. David, I think you might have cracked the code on how to attract talent just there. Hey, you know what? I bring value, Ryan. That's what I try to do. I know. I just think that's such a great way to describe insurance, right? A lot of people, and I say it too, it's the glue to society, right? It keeps everything running.
00:07:05
Speaker
Oh, yeah. And it's so true. When you're a retail agent, you're going to so many different types of businesses and you see how they operate. What do they rely on to make money? And so it's such a great introduction or introductory type of job to learn what do I like? Maybe I do want to
00:07:29
Speaker
you know, ring up sausages my whole life. I don't know. Maybe, maybe. Yeah, it's a, you know, yeah, just the ability to just get a basic totally, especially for me that, you know, I, the closest thing I took to a business class in college, I took the history of math, which is nowhere as close to a business class. And I took a business ethics class to satisfy my philosophy major.
00:07:53
Speaker
Um, so we read mostly about plane crashes. It was a real bummer, but like, that's as close as I got to a business class. So, um, so when you look at what are some of the raw skills that you kind of need to function in the world, if you're in this business world, like insurance gives you exposure to a lot of that. Like this is what a balance sheet is. This is what a P&L statement is, things like that, that, you know, I'm sitting there reading Thomas Aquinas and we never talked about that because he had everything.
00:08:22
Speaker
Like, insurance gives you the ability to understand some of those basic concepts that other folks might have picked up in college that, you know, I was off, you know, looking at other things and, you know, wasn't, you know, I was never forced to focus on those sorts of, uh, those knowledge areas. Yeah. Thomas Glass. Oh, yeah. He was the best.
00:08:45
Speaker
It kind of, it kind of loops back to how we first met probably a year ago. Yeah. And we were kind of talking about just how retail brokers are somewhat of like the bottleneck in the industry in terms of translating
00:09:06
Speaker
cybersecurity and then how they interact with cyber insurance. Really, we were talking about just the importance of the retail broker being able to provide solutions and provide as much insight and answers as they can. What I really appreciate about your background is that you've been in those shoes
00:09:29
Speaker
and there's so many vendors, and I don't mean this in a mean way, but they just haven't been in a retail broker's shoes and they just don't understand. And then the way that they kind of approach the industry, it's just like, I think the best thing for you would be to go spend like a month working as a retail broker and you'd just get it. And that's something I really appreciate about your background: you're able to speak from this position of like, hey, I've been there, I've done that. And it's refreshing to see people like that.
00:09:58
Speaker
I think that's so needed, especially in cyber. We look at this as this really hot, sexy, fast-growing market, and it's all of those things. It's a really fun, engaging place to be a professional. But when you bring that to that retail agent setting, we've got blinders on. We think cyber's this big deal.
00:10:19
Speaker
Have you heard of the property insurance market? Have you seen the dumpster fire that is property these days? And understanding that even if we think cyber is the most important thing in the world, right now your average retailer is being just absolutely hammered by their client because property premiums are going up 30% annually, 50%.
00:10:37
Speaker
for no apparent reason other than climate change and reinsurance, basically. And that's the tough thing that they're trying to land. And they're like, I get that your cyber message is important, but understanding the realities of what is demanding a retail agent's time and energy
00:10:56
Speaker
And frankly, what they get paid on too, like the cyber is a small portion of their world. But if you can help them understand, hey, this is an incredible wedge issue for you to get into accounts that you might not otherwise get into.
00:11:08
Speaker
And knowing where to place it within their tree of priorities, so to speak, you're going to be more effective in that. But you can only know that if you've spent a month there, if you've spent a couple of years, or what have you, and gotten to know what it is they care about and what drives their activity. And if you haven't done that, you're going to think that cyber is the most important thing in the world. And it's very important,
00:11:28
Speaker
but it's probably not more important than property or work comp right now. I mean, those are things that are demanding risk manager and agents time. So understanding where we fit in that context so that we can ask the right thing at the right time and not overextend ourselves and try and convince them of something that they're just inherently not going to be convinced of.

Proactive Cyber Insurance Measures

00:11:46
Speaker
Yeah, it's kind of like, we talked to Dennis Underwood a couple weeks ago. He runs Cyber Crucible, a decryption software company. And, you know, I asked him a question like, should we ever pay a ransom? And, you know, it was cool to hear his perspective because in my mind, I'm like,
00:12:05
Speaker
we should never pay a ransom. We should never pay a ransom. If you have sound, backup, and recovery controls in place, you should never need to pay a ransom. And he's like, well, just wait till that day comes and see what you're going to be thinking. And that's what cyber insurance is for us in the industry. We think of it as the most important line of business. And for many industries, it probably is.
00:12:31
Speaker
but wait till you're in, like, a retailer's shoes, going to a client meeting and having to explain like a 75 to 100 percent rate increase on their other lines of business in this hard market. And then like also, hey, let's, uh, let's add this additional line. It's going to cost you another, you know, 20, 30 grand or whatever it might be. Uh, it's, uh,
00:12:52
Speaker
Yeah, all that to say, I think there should be some prerequisites for some people, including myself, like just talk to more retailers. Cause it's, yeah, it's a hard role. It's a really difficult role. Are you a Lord of the Rings fan at all? Just got into it last month. Oh God. What? That and Harry Potter, I'd never watched them. So I grew up in a very, uh,
00:13:19
Speaker
very conservative, my dad was a pastor, okay, so in the Southern Baptist denomination in the Bible Belt. So we, you know, no Pokemon, no, you know, no Harry Potter, none of that wizardry nonsense.
00:13:34
Speaker
Okay. Well, you know, I hesitate to even say what I was gonna say, because I don't want to spoil it for you. But then again, the movie came out 22 years ago. Yeah, right. Statute of limitations on spoilers. I think we passed that point, David. Just like, poor guy. Yeah. Well, it's got to do with Helm's Deep and a drainage ditch, but we can get
00:14:04
Speaker
And David, you sparked something there. I kind of miss.
00:14:12
Speaker
the days when cyber insurance was the hot girl in the room or something. That's one of the best ways you could say that. Now property is what everybody's talking about, right? And yeah, I know you work with a lot of agencies. Have you heard from them at all? Has this affected their penetration rate from a cyber insurance standpoint?
00:14:38
Speaker
I think being able to deliver that message. So what it's done is it's just used up every available ounce of oxygen in the room. You know, I had lunch with a good friend of mine, who's a retailer here in Madison, probably a month and a half ago or so. And I asked him, you know, hey, give me like a pie chart of, you know, what conversations are you having with clients these days, you know,
00:15:01
Speaker
probably like five, six years ago, auto insurance was this big, nasty thing. Yeah. Property was easy. Cyber is easy. Auto was bananas in like 2016, 2016, 2018. That was the thing taking up all the oxygen in the room. Then cyber really had it. And now I said, okay, well, give me that. What does that pie chart look like? He's like, honestly, probably 90% of the conversations I'm having on how brutal the property market is.
00:15:23
Speaker
And then like everything else gets some remainder of that 10%. Um, so it's, he's, it's not necessarily been more difficult to sell it. It's been more difficult to, you know, if you've only got an hour, hour and a half to meet with your client for your renewal, you know, instead of cyber getting 40 minutes of that, it might get five minutes of that. So just the available time to handle that is just more constrained than maybe it would be otherwise. Yeah. Yeah.
00:15:53
Speaker
And I think that kind of speaks to an agent trying to make the cyber insurance process more seamless. And I know that you help agencies do that. I just would like to kind of give our listeners more insight into what you are doing for agencies and their clients to help make that cyber insurance process
00:16:18
Speaker
easier for them, so they can spend the rest of the meeting talking about property. Yeah, totally. And that's how we look at it. We think, okay, if we've got, you know, if there's X number of minutes that can be devoted to cyber during any one of these meetings, let's make sure we're A, using them most effectively so that the rest of the time can be spent on the property conversation, frankly, here. So what we've essentially done is we're partnering with retail agencies.
00:16:43
Speaker
specifically to deliver a suite of tools that their clients can use to actually reduce cyber risk. One thing that we've noticed over the past few years is that a lot of the different portals or platforms that service providers offer to clients are aimed at the financial risk manager. So it might be a portal that allows them to calculate the cost of a breach or read articles about rates and incidences, which are great things to have. Those are good things for people to have access to.
00:17:10
Speaker
None of them really help you reduce your cyber risk, though, or actually control it in a meaningful way. So we thought, well, let's arm retail agents with something that they can use to target the head of IT or the internal cybersecurity person, if one even exists, as opposed to just the financial risk manager. Because if we target the head of IT, that's how we can actually reduce the frequency and severity of a claim, which is in all of our best interest here. So
00:17:36
Speaker
what we've essentially done is create a portal that a retail agent can offer a client that allows them to do three things. It allows them to reduce the severity of incidences by building an incident response plan so they can respond to a cyber incident more effectively and more seamlessly. There's mountains of data to back up the claim that if you have a written incident response plan, a defined incident response team, and you've even taken it a step further and tested that incident response plan, you can reduce the cost of your incident by like 45%. That's from the IBM Cost of a Data Breach report, which
00:18:05
Speaker
is admittedly a contested report. But at the same time, that figure has shown up at the top of the factors that reduce the cost impact of a breach. Incident response planning has shown up on the top of that list going back many years.
00:18:21
Speaker
And we just anecdotally, from responding to thousands of cases, there's a marked difference in how incidences go when a client has a defined and tested incident response plan versus a client that's clearly never thought about this before. And then who would target me? We just see that from the cases that we work. We work thousands of ransomware cases. And the good ones are the ones where clients have a written tested plan. So we want to arm agents with the ability to offer their clients.
00:18:48
Speaker
that sort of tooling. The other piece that we look at is to say, okay, if we want to reduce the severity of claims, that's IR planning. If we want to reduce the frequency, let's target the most frequent cause of claims. In our world, you know, again, in all the attacks that we work,
00:19:03
Speaker
The most frequent cause of any incident we work is going to be some external exposure issue. That accounts for anywhere between 70 and 80% of all the cases we work on a quarterly basis. There's sort of this misnomer out there that, oh, David clicked on that link. He opened that email. Humans are the weakest link.
00:19:21
Speaker
I mean, if by human you mean the head of IT who didn't patch a system is the weakest link, I totally agree. But somebody clicking a link and allowing the ransomware happens maybe 10% of the time. That's not the most common way that these attacks happen. It's going to be some external exposure issue.
00:19:37
Speaker
So what we've given retailers the ability to do is arm their clients with scanning functionality that just scans for the vulnerabilities that we've seen lead to ransomware attacks. We're not trying to scan for everything, we're just trying to focus on the things that are most likely to get you wrecked. In 2023, it's October, we've seen 18 different vulnerabilities lead to ransomware attacks.
00:19:56
Speaker
18. There's 200,000 CVEs that exist. And just 18 are what we've seen leading to attacks this year. So we don't need to scan for everything under the sun. We need to scan for the things that are most likely to get you wrecked. So we want to give retailers the ability to do that. And then the last piece are what we call security project guides. You know, we see regularly on the incidents that we work that
00:20:20
Speaker
somebody that's an information technology professional, as opposed to an information security professional, and they're different things. They have different names. That's how we know they're different things. An information technology professional, when we're talking about cybersecurity work, they are phenomenal sous chefs. They're not great head chefs because they're not security professionals by discipline.
00:20:41
Speaker
But like a line cook or a sous chef in a restaurant, if you give them a recipe, they can follow that recipe like nobody's business. They're very good at that. We see that all the time when we say, hey, you know, we're in the middle of a ransomware incident. We need you to do XYZ. They can do XYZ, but they would never come up with XYZ on their own.
00:20:58
Speaker
So the security project guides are designed to give them a way to sort of get out of the gate and start working on a security project like MFA implementation or logging and network monitoring, you name it. It helps get them out of the gate and gives them almost like a recipe card for how they go about achieving the goals that they've got. So that's what we're trying to arm retailers with: the ability to give their clients a platform that helps them meaningfully reduce risk at a cost point that's an attractive one too. The platform is free, so that's a good cost point.
00:21:28
Speaker
Yeah. So you asked the question, that's the long winded answer. Again, I'm a philosophy major. Why answer a question in 100 words?

Prioritizing Cybersecurity Threats

00:21:39
Speaker
I thought what you said there about the 18 vulnerabilities that have led to ransomware is extremely powerful.
00:21:50
Speaker
that there's so much to be said about CVE vulnerability fatigue, and getting a list of 200 vulnerabilities does not help you become more cyber secure. You could actually make an argument
00:22:05
Speaker
for the opposite, right? Yeah, it absolutely does. Less cyber secure, because you're spending your time, you know, spinning your wheels on stuff that's not actually a high critical vulnerability. And there's such a, there's a marked difference between a theoretical threat and an imminent threat.
00:22:22
Speaker
The theoretical threat, yeah, you can have a 9.8. This is a 10 out of 10 ranked CVE. Yeah, that's bad. If somebody uses that against you, that's really bad. Unless threat actors are actually using that vulnerability, I don't care about it. At least I don't care about it until I patch the ones that we know that they're using.
00:22:41
Speaker
So, you know, sure, take care of all the 10 ranked ones that you've got. But if our goal is to reduce the frequency of claims and prevent cyber incidences, we need to focus on where we need to build our defenses in the direction of the attacker, not in the direction that we think the attacker is coming from.

Accurate Underwriting in Cyber Insurance

00:22:59
Speaker
So that's, that's the hill I'm dying on. So this has been a hill that Ryan and I want to die on too.
00:23:10
Speaker
The external scanning without context is such a pain in the ass for everybody involved in the underwriting process, right? So I think it's great, especially, you know, pre-submission, like, oh, I didn't know that this port was open, and we're not running any critical services on this port and there's really no need for it to be open. Great. Let's close it.
00:23:40
Speaker
Explain to us a little bit about the approach. Go into a little bit more detail about what you mean by external scanning. What is it scanning for? You already spoke to how you prioritize it, but just a little bit more detail there because it's a topic of interest for us. Totally.
00:24:00
Speaker
I need to give credit where credit is due. I think, you know, when we first saw scanning come out as part of the underwriting process in sort of like late 2018, early 2019, it was a really cool thing. Like that is a notable evolution in cyber insurance. It's the evolution that says your actual cybersecurity posture matters and we are gonna take some kind of a step to actually assess your cybersecurity posture.
00:24:27
Speaker
Um, even if it's narrowly focused on the external exposure, like we're going to actually trust but verify, and we can argue whether or not the verification process works as well as it ought to, but it's a good thing that this is happening. Um, the problem you run into is just some of the technology that's behind all that. It's a little weak in the sense that, like, yeah, you just drop in a web domain and the scan runs from there. And then IT people get ticked off because you're getting results from their web hosting company and not their own environment. And
00:24:57
Speaker
that's where the train sort of leaves the rails here. What I think the next evolution that needs to happen in this sort of scanning conversation, and this is something that we've enabled on the scan within the Cyber JumpStart portal, is
00:25:12
Speaker
if we think that cyber insurance, if we don't think it, we know cyber insurance evolved from, among many places, the property insurance market. That's why business interruption's covered on a cyber policy. That's why there's so many first-party coverages built in. So if we think that the coverage evolved from there, some of the underwriting methods should pull from that as well. Why isn't there something like a cyber property schedule? Every property policy has a property schedule.
00:25:37
Speaker
Why isn't there some cyber version of that where you report what your domains are, what your IPs are, and then we scan based on that? Because that's the insured self-reporting. Here's everything that we've got that we are responsible for maintaining. And if it's on that list, then great. We're going to cover claims associated with that.
00:25:55
Speaker
If it's not, then hey, we might go down that path. Ultimately though, that's where the train sort of has fallen off the track: we're not, with any great degree of accuracy, ensuring that we're scanning all and nothing but the client's environment. So
00:26:11
Speaker
when we look at the scanning functionality we built, it starts by them self-reporting. These are all of our web domains. These are all of our IP addresses and IP address ranges. This is what we are responsible for maintaining. If it's not on this list, we are not responsible for maintaining it. So what we're looking at is the actual external exposure of the client's environment, not what we believe the client's external exposure to be.
00:26:33
Speaker
So there's a phrase that security professionals toss around that you can't secure what you can't see. You can't effectively underwrite what you can't see. So if you're using some scanning functionality that doesn't pick up everything within that client's environment, and you're not going to get that unless they're self-reporting it,
00:26:52
Speaker
then you're going to be ultimately looking past risks or vulnerabilities that do exist that you just haven't seen, because there's a process or technology problem that's impeding that action from taking place. I love that.
00:27:09
Speaker
I freaking love that because, David, oh man, there's been so many times where I've spoken very similar language about, you know, cyber underwriting and property underwriting, right? And in property, the SOV worksheet that you put together lists out every single property. When's the last time the
00:27:27
Speaker
The pipes have been replaced, electrical's been done, the roof, like all this stuff, right, that you're reporting on there. And cyber, there's no tools for, I mean, there are now, but two years ago, there were no tools for agents
00:27:43
Speaker
to gather this information so that they can report it to the carrier, right? They can do their due diligence on their end before going out to market. And so when I was at Trava, I had a lot of similar messaging like, hey, we need to empower these agencies to be able to do their job, right? Right now, it's all the carriers trying to underwrite it themselves. They're getting overworked.
00:28:06
Speaker
It's so cool to hear you speak about property underwriting and its relation to cyber underwriting and how we can fix that. I think your idea that you just mentioned about, hey, we should be self-reporting this stuff. If you want to be covered for it, self-report it, and if it's not on the schedule, it's not on the schedule, and it takes a quick subdomain enumeration scan to
00:28:31
Speaker
Yeah, I mean, that's one way to do it. And then the insurance, we're getting down a path where I will fully admit that I'm not a technologist. So yeah, the subdomain scan will get you a good chunk of what you need. But again, you need everything, you don't need 80% of everything. So
00:28:49
Speaker
you know, I think part of what's holding this up from evolving is you need brokers that can effectively talk about that. And you need an audience on the carrier side that can effectively receive that kind of information and messaging and know what to do with it. You know, we're still in a situation where a lot of cyber underwriters maybe came over from the D&O or EPL side. So that's kind of their background. You maybe have folks that are fresh out of college that have a business degree and they're like, wait, your subdomain enumeration of what? What is that?
00:29:16
Speaker
at a time knew about, you know, statements is a 23 year old. So some of that infrastructure and foundation is being laid as we speak. So I think as time goes on, I think that's where we're going to get to. I think we all wish we were there now, but ultimately that's, if you ask me sort of, you know, we're having this conversation in 2033, I think that's where we end up because that's where we have to end up. That's the only way that this is going to make sense long-term. Yeah. Well, do you think that part, do you think part of the problem is
00:29:46
Speaker
that we've tried to approach cyber insurance almost like auto insurance, and the whole focus over the last few years seems to have been, like, how do we digitally distribute this? It's a race to the bottom for application questions. You know, God forbid we have to fill out Tokio Marine's, you know,
00:30:07
Speaker
cyber application that's seven pages long. It's a race to the bottom to see who can collect the least amount of information to be able to get a bindable quote. Do you think that that's part of the problem here? It's counterintuitive to the way the whole industry has been approaching this?
00:30:25
Speaker
Yeah, I think so. And, you know, again, if we could kind of take it back to what we talked about when we first

Balancing Market Growth and Risk Quality

00:30:30
Speaker
started how this, you know, the pie is consistently getting bigger and bigger and bigger and bigger. I mean, there's so much opportunity for carriers to get market share as this pie continues to grow. So, you know,
00:30:40
Speaker
You know, it's a risk-reward calculation that they're making, too. Like, hey, is it worth me getting a higher quality book of business in terms of clients with better risk controls at the risk of not bringing on as much market share because I've narrowed the eye of the needle that my clients have to pass through. Ergo, I'm getting fewer clients.
00:31:00
Speaker
So it's not surprising that we see that eye of the needle sort of opening and closing based on capacity availability and reinsurance availability and things like that. All of that impacts carriers' underwriting decisions.
00:31:15
Speaker
There's just, there's so many dynamics that affect that piece. You know, not just the sort of the security education level of the underwriters, the risk controllers at these carriers, but hey, how quickly do we want to grow as a carrier? And if so, are we willing to take on greater risk because we've got reinsurance that can support us or something like that? So it's amazing how deep that rabbit hole can really get when you like. Yeah. You mentioned, I think you mentioned on a comment on one of my posts. Yeah.
00:31:45
Speaker
you know the carrier that was
00:31:49
Speaker
getting their underwriters Security+ certified? Yeah, yeah. Their CompTIA. I think that's a good step. Oh, I thought that was awesome. I thought that was just the, when I, and this was in, oh gosh, this was probably April or May of 2020. So like, this is three years ago. Oh, cool. Oh yeah, it was awesome. So I got nothing but respect for that underwriting leader that said, hey, all my underwriters, like you at least need this foundational security knowledge. Like,
00:32:16
Speaker
You need, you can't just keep saying, I need what, you know, I don't have to be dangerous. No, you need to know a little bit more than that. You need to know enough to be functionally proficient. So that's, that's what I mean, Security+ is going to get you that, you know, you're not going to be, no, you're not going to be a CISO anywhere with just a Security+, but you can have a meaningful conversation about security with an IT or security professional if you have that. So I thought that was a really, really smart move.
00:32:39
Speaker
on her part to send her staff off to get their Security+. So she's since moved on to another carrier. My hope is that she's done the same thing there. We'll see, but yeah. That's fantastic. That's fantastic. I recommend it to everybody. It's a great, you know, there's different ways to get the foundational knowledge to be able to pass the exam, but I've found it incredibly helpful.

Arctic Wolf's Incident Response Strategy

00:33:05
Speaker
Obviously, there's this proactive side to what Arctic Wolf is doing. Take us through what probably most people would know Arctic Wolf as, the IR firm. Just give us an overview of the way that you guys approach the industry and the problems there.
00:33:26
Speaker
Yeah, definitely. So the sort of foundational value proposition that we brought to the IR space when we, our first carrier relationships are with Beazley and Hartford going back to probably 2017 or 2018. So this is a long, long time ago. But what enabled those initial conversations and enabled expanding that to other carriers as time goes on, at this point it's about 30 or 35 that we're partnered up with.
00:33:51
Speaker
What's made those conversations effective is to say, hey, when you call us for incident response, you're not getting just a forensics investigator that's going to determine the root cause of the incident, the scope of infected individuals or confidential information. You're going to get that, but what we're going to be doing is running the restoration and recovery efforts on a parallel track to the forensics investigation because ultimately,
00:34:13
Speaker
If you were to stack rank what the insured cares about during one of these incidences, the outcome of the forensic investigation is maybe second, third, or fourth on that list. Number one is always, when can I start producing widgets again? When can I start swiping credit cards again? When can I start doing knee replacements again? Or whatever it is that they do, that's what they care about most every single time.
00:34:33
Speaker
Because every minute they're not doing that, they're losing money. And that's a very easy calculation for them to see. It's like, hey, how do I stop losing this money? So we came to market and said, hey, when we are doing this, we are not going to run these in subsequent tracks where we're going to do the forensics investigation, and then we're going to bring in the restoration team. Or we're not going to force you to deal with two separate vendors that might be competing for
00:34:56
Speaker
the IT team's resources and attention, we're gonna bring everything into one stream and bring that to you so that you can just make one call and get the forensics and the restoration as we've gone on. Since that, you can't be doing both of those things and not get involved in threat actor negotiation too. So that's a piece that we get involved in. And then obviously remediation of the initial threat too to kick the bad guy out of the system. You can't start forensics or restoration until you know that there is no longer a threat actor in the environment.
00:35:24
Speaker
So that's essentially what we've tried to do over the past couple of years is say, hey, you can make this one phone call to us and you can engage all of those services to satisfy the client need and not engage three different parties for forensics and negotiation and restoration. You can just focus on the one.
00:35:39
Speaker
And that ultimately gives, the claims professionals care a lot, almost tantamount, they care most about what is my insurance experience like? You know, they absolutely want to contain costs. They don't want, you know, claims leakage to happen. But really, claims professionals are really mission driven people in my experience. And they want to make sure that, hey, like insurance is just a promise that can only be kept by the claims professional. So how can we keep that promise within the bounds of what the policy says we should, we have promised?
00:36:10
Speaker
Yeah, so, you know, I've been interested in learning more about
00:36:19
Speaker
the claims processes as well as, you know, just, I've never been a part of an incident myself and I want to learn more about just what it's like to go through, you know, a full-scale ransomware attack, right?

Effectiveness of Cybersecurity Controls

00:36:39
Speaker
And we're in the process of bringing on, you know,
00:36:43
Speaker
an actual cyber criminal on the podcast. So I do get a burner phone and all this kind of stuff to be able to set this up. It's going to be it's going to be pretty interesting if we can deliver, you know, there's a lot of variables there. But yeah, one of the things I want to ask him is, you know,
00:37:03
Speaker
all of these new controls and requirements and things that companies are implementing, is it making it like a significant impact? And I'm curious just with the space that RR plays in this whole chain of events, do you have any insight on that question?
00:37:27
Speaker
Yeah. The question is, are all the control requirements showing up on applications? Is that making it meaningfully harder for hackers to do the hacking? That's what we're getting at there. The answer is, yes, it does. I mean, on an individual basis, the more you have defense in depth actually operationalized, that is going to make an incredible difference in the hacker's ability to hack you.
00:37:53
Speaker
That, I mean, there's a common security principle that says threat actors will always win. Given enough time and enough motivation on their side, they will find a way past time of fate. They will find a way past EDR. They will find a way past just about everything.
00:38:08
Speaker
So with that in mind, you just want to make it as difficult for the bad guy to do that and say, you know what, at some point they're just going to throw their hands up there and say, this isn't worth it. Like I just, because they're human beings and they want a payday too. So if, if they calculate that their payday to get, you know, attack this company might be six months until they get a payday versus this company, that might be a six-day payday.
00:38:30
Speaker
They're just going to go for that other one. So making yourself anything other than the lowest hanging fruit is going to reduce the frequency and severity of the incidences that you face. So I think we shouldn't think of security as this all or nothing proposition where like, hey, MFA either works or it doesn't. No, MFA will have a meaningful impact in reducing the incidents because there will be threat actors who are just sick of trying to hack you and they're going to go for somebody that doesn't have MFA basically.
00:38:55
Speaker
I'll give you an example from an incident that we worked a while back. When we're doing a negotiation, oftentimes the threat actors will share some information that they've acquired during the course of what they're doing.
00:39:10
Speaker
And they essentially said something along the lines of like, hey, we haven't gotten to the Log4j vulnerabilities because we're still working on hacking all the Exchange vulnerabilities from earlier that year. So you look at a situation like that and like, yeah, they're going to go for the one that's the easier path to pay dirt.
00:39:27
Speaker
which is a vulnerability that leads directly to a server that gives them remote code execution that allows them to branch more quickly. One of the reasons Log4j was such a slow burn is the threat actor actually had to learn Java in order to launch it, and that's an older coding language. So they're always going to look for what the easiest path to pay dirt ultimately is.
00:39:45
Speaker
So that's a it's so you, the more you implement those controls, the more difficult you make it for the threat actor to get to the pay dirt that you have. And they're just going to look for somebody else. So it's, it's sort of a both and like, yes, it's going to be more difficult to hack you, but you also can still be hacked if you are an attractive enough target for a client for a threat actor. Yeah.
00:40:09
Speaker
Yeah. And how much of that do you see? Because there's a lot of conversation now about systemic risk. And I've been thinking about it a lot lately. There's an aspect of it where I could see systemic risk in a systemic event being almost like an unintentional consequence. But to me, it just seems like it's all opportunistic.
00:40:34
Speaker
Yeah, like the majority of these attacks are opportunistic. It's just, you know, it's somewhat random in a lot of ways, just like, I guess opportunistic is probably better word than random, but
00:40:48
Speaker
Is that what you're seeing as well? It's just based really on what's the easiest way for me to get a paycheck. Yeah, 100%. Yeah. I mean, that's the reason that there's only those 18 vulnerabilities that we talked about, because they are things that threat actors know how to monetize very quickly. The analogy that I make is, imagine I'm a pitcher in a baseball game.
00:41:07
Speaker
You know, I've got a great fastball. I can throw that for strikes nine times out of 10. Like that's how I'm going to get my outs. Yeah. I could learn how to throw a knuckle ball. I guess like I could learn how to throw a really good slider and it, but even if I get really good at that, I might only get strikeout 60% of the time.
00:41:24
Speaker
I'm going to throw the pitch that I know is going to get the result I want. The threat actor is the same way. It's the exact same motivation. They have a goal in mind, and they're going to follow the activities that are most likely to allow them to reach the goal that they have. What that means is
00:41:43
Speaker
They, they're going to find, they're going to scan segments of the internet looking for the vulnerabilities that they know how to exploit and then exploit those targets. And oftentimes they only found out who they've hacked after they've hacked them because they exploit the vulnerability and go, holy cow, I'm inside a pizza place. Holy cow. I'm inside Equifax. And they don't know that till after they're through the looking glass, so to speak. Yeah. It's interesting to the, the.
00:42:09
Speaker
I'm kind of curious on the statistics, right?

Cyber Incidents Reporting Discrepancies

00:42:12
Speaker
So there's a lot of statistics out there that just don't make sense to me in terms of like quantifying total cost of cyber security and cyber attacks and its impact. But then I also hear things like
00:42:30
Speaker
on the podcast that we have with Dennis. He gave us a little bit more insight on kind of behind the scenes, what goes on in these ransomware groups. And he was saying that a lot of the times these attackers, they
00:42:44
Speaker
We might ascribe like five attacks to them and then when they kind of retire or they move on to a different type of attack method, they'll release their decryption keys because it's just been enough time and they'll release like a 120 and it's like, well, shoot, we only thought that he had five successful attacks. What are these decryption keys for? Do you feel like
00:43:11
Speaker
How are we missing the mark there? Is this just stuff that's not getting reported? Or is it just not affecting these companies that their operation is enough for them to resolve it?
00:43:26
Speaker
Where's the gap there if you have any insight on that? Yeah. So in instances like that, if there's a decryption key that just hasn't been used, I mean, it's probably because there are good backups. I mean, that's your get out of jail free card. I mean, free being in quotes there because you still are going to have an operational impact.
00:43:45
Speaker
There's sort of this misnomer that you can just flip a switch, restore from backups at like 10 minutes later, you're good. No, you're still going to have an abortion period, but it's going to be much shorter and you're not going to have to pay the ransom if you choose not to. So in situations like that, yeah, maybe there were backups that were viable and they just decided, you know what, we're going to ride with that. Maybe they didn't have insurance and there was no way they could have purchased that decryption key.
00:44:08
Speaker
Um, maybe they decided to pull a John Wayne and have a stiff back and say, no, hell no, I'm not paying that ransom no matter what. Spoiler alert. Everybody thinks they're John Wayne before an incident happens. And after the incident, maybe 5% of people actually are. Um, if I were staring death in the face, I, I, I'd like to think that I'd have a stiff upper lip, but who knows. Um,
00:44:30
Speaker
But so, I mean, there's just because a threat actor has produced a situation where they have a decryption key doesn't mean that it's ultimately a product that's a market of one that that that product is only valuable to one company. So if the client doesn't think there's value in purchasing it, then the product is valueless so they can give it away for free because their one buyer has said, yep, there's no value in that. So, you know, on the one hand, yeah, it's how benevolent of them to to share the key.
00:45:00
Speaker
Hopefully, they're valueless because the only people that can use them have essentially said there is no value in purchasing it. Yeah. Well, you kind of touched on this. It's kind of a hot button topic.

Ethics of Paying Ransoms

00:45:16
Speaker
Should we pay ransoms? Is there ever a case where it makes sense? The FBI says no. Sure. In practice, should we?
00:45:28
Speaker
You know what? I think in some cases, there's very good cases to be made for doing it. I think we need to start from the assumption that nobody is enthusiastic about paying a ransom. That's an objectively bad thing for society, for the fact that ransomware exists. That's not a good thing.
00:45:47
Speaker
But there's this idea that, oh, well, we can either to pay or not to pay. Should we make this payment? The question isn't, should we pay or not pay? If a company's at the point where they need to purchase a decryption key, it's, do we purchase this decryption key or do we literally shutter the company?
00:46:06
Speaker
and just say, hey, we're all done here. That's where companies are usually at by the time they're actually buying that decryption key. It's because there's no other viable path to recovery for that company. And that's oftentimes the only way the company will survive the incident. So what that means is that the threat actor is going to get some kind of payment out of that. But at the end of the day is
00:46:30
Speaker
is keeping $400,000 out of a threat actor's pocket, is that better for society than shutting down a business that employs 400 people in a small town? I think you could very easily look at that and say, you know what? It really sucks that the threat actor's getting that money. It is more important to society that those 400 people stay employed and that they have health insurance and that their kids can get their annual physical before soccer practice. That's more important to us.
00:46:57
Speaker
So in a situation like that, it's the, and this, this sort of internal dialogue is something that every incident responder knows really well. Cause these are the, these are conversations that we have with the clients that we're working with. It's not a do we pay or not pay it's do we continue or do we not? And when you look at it in that light, the decisions are very easy ones to make.
00:47:18
Speaker
So in situations like that, it's, you know, there are situations where the ransom gets paid and there's often a good reason to do it, but nobody's sitting there with pom poms celebrating the fact that we, nobody likes that, but it's, it's, it truly is the lesser of two evils in some instances. Do you feel like your educational background might, might help you kind of reason through these moral dilemmas?
00:47:48
Speaker
There's two ways to look at that. John Stuart Mill versus Immanuel Kant. John Stuart Mill would probably say, yeah, go ahead, pay the ransom, the greatest good for the greatest number. Immanuel Kant would look at it from a duty ethics perspective and say, it is a categorical imperative to not pay the ransom because only do that which you would will to become a universal law. So he would say that, no, you shouldn't pay the ransom because we wouldn't want every single person paying a ransom. Ergo, it is a duty to not pay it.
00:48:14
Speaker
So honestly, I thought about that. I love it. What would Mill and what would Kant say about making ransoms? I love it. There is an application for my education, after all. And the interesting thing, I have met more.

Philosophy Majors in Insurance Executives

00:48:32
Speaker
Everybody that says, ah, philosophy is a wasted major. It's not. Outside of my philosophy classes in college, I have met more philosophy majors in the executive ranks of insurance companies than I've met anywhere else.
00:48:43
Speaker
It's a stunningly high number. So if you want your kid to, you know, hey, go be a professor, philosophy is a great thing. To give them a philosophy degree, they might end up in the executive rank at an insurance company. Go for it. I think philosophy should be taught more than a lot of other topics in our school systems.
00:49:01
Speaker
I like to study theology too, but philosophy from the Stoics is my favorite Marcus Aurelius type of philosophy. I think there's an insane correlation between philosophy and just
00:49:18
Speaker
how our world operates in general, but also down to the mathematics that are behind it, right? So when you said that you study philosophy, it's an impressive field to practice and you don't just get a degree and it's done, you know, it's something that you
00:49:36
Speaker
uh, analyze constantly and you practice, you know, day in, day out. So I think if, if, if you're making comparison to athletics and like say accounting is baseball and finances football, philosophy is like strength and conditioning. It gives you the ability if you choose to use it to be better at just about everything else you try. So that's a, uh, I'll stop giving myself a pat on the back there.
00:50:06
Speaker
It's the last we made your thing to think, you know what? Maybe I am just a little smarter than everyone else. It's very easy for us to get high on our own supplies. Yeah, right. I'll get off that soap box and drink a glass of some kind of humility here. All right. I love it. I love it. Well, this has been a lot of fun and super, super informative.
00:50:34
Speaker
Just kind of wrap things up here. I feel like it's a little redundant to ask people or to ask you how to get in touch with you. But for anybody that doesn't know David and isn't already connected with him on LinkedIn, what's the best way to get connected with you and the whole team at RTA?
00:50:52
Speaker
The Fortnite chat, for sure. Fortnite. Are you a gamer? No, so I worked at a GameStop in high school, and working at GameStop is what killed the gamer in me. I think the last game I played was Fable when that came out in 2005. That's how I'm always done. If I found myself around an N64, we're going to be playing Super Smash Bros.
00:51:19
Speaker
That's about as deep as I get into it. So, honestly, LinkedIn is the best way to do it. Just comment on any post I've got or send me a message. That's the best way to do it. I mean, it's how we met for PTC. Yeah, for sure. Yeah, LinkedIn is on LinkedIn. That's how I would do it.
00:51:38
Speaker
Love it. Love it. Well, this has been, this has definitely been one for the books. Um, would love to have you on in, in like a year and do like a yearly podcast, have it, have it reoccurring. Yeah, absolutely. Thanks for coming home, man. This has been great. Yeah. Thank you, Abe. Thank you, Ryan. It was a pleasure.