
Matthew Thomson - Cyber Liability Practice @ M3

InsurSec Podcast
120 Plays · 1 year ago

Matt Thompson joins us to discuss bridging the gap between cybersecurity and insurance. With over 15 years of experience spanning the Air Force, offensive security, and leading cyber programs, Matt brings invaluable perspective to managing cyber risk.

In this episode, Matt explains his transition to insurance, driven by the desire to continue serving organizations against cyber threats. We explore the advantages of red teaming, educating clients on cyber exposures, trends like passwordless authentication, and implications of supply chain vulnerabilities.

Matt shares advice for insurance brokers on understanding their role as risk advisors and how new agents can get up to speed on cyber insurance. We also discuss the many nuances of the cyber insurance landscape.

With rare insight from both worlds, Matt examines how cybersecurity experience enhances cyber insurance conversations and risk management guidance.

Matthew Thomson's Contact Info:
LinkedIn | [email protected]

Transcript

Introduction and Backgrounds

00:00:15
Speaker
Awesome. Well, uh, Matt, it's great to have you on the InsurSec podcast. Uh, we have your host Abe Gibson and ride done here sitting alongside Matt Thompson from M3. He is a cyber guru who is also on the cyber panel over at TechAssure.
00:00:35
Speaker
Matt is a former Navy, is that correct? Air Force. Air Force. Well, that's a perfect mistake. But former Air Force and now leads the cyber practice over at M3. So super excited to have you on that.
00:00:52
Speaker
Thanks for having me. Yeah, of course. So, uh, you know, I, you know, I, I know that we talked a little bit about how you have always, uh, you know, you've always been in cyber in some capacity, but you know, let everyone know what you know, where you came from, what intrigues you about cyber, what,

Cyber Security Roles Explained

00:01:13
Speaker
uh, what's going on there. And then, uh, we can also dig into some, uh, cyber horror stories or you name it, or, you know, MOVEit vulnerabilities, stuff like that.
00:01:22
Speaker
Yeah, so my background is a little bit unique in the cyber insurance world, especially on the brokerage side. I came from over 15 years as a cyber practitioner. So I started my career in the Air Force as a cyber ops officer.
00:01:43
Speaker
I was running the network for over 40,000 computers and servers in the Air Force in Europe and kind of my first assignment.

Cyber Security to Insurance: A Transition

00:01:55
Speaker
So a 22 year old Matt had just a little bit of responsibility. Yeah. Are you sure you want me to do this? Exactly. Exactly.
00:02:05
Speaker
So I got a really good perspective of the types of threats that are out there that are facing us and some of the first bigger nation state attacks that our country faced in responding to them. So I got very familiar with some of the incident response process.
00:02:25
Speaker
early on, and that's in the mid-2000s. From there, I went to one of the three-letter agencies in the intelligence community, and while there, I got the opportunity to be part of a red team, which is basically, we act like the hackers and break into other systems. Our customers were other US government entities,
00:02:49
Speaker
And it gives a real good perspective to, again, what the nation state hackers or other hackers are capable of. And it really starts drawing your mind to, huh, what can I do with this data or this access to the system or anything like

Supply Chain Risks in Cyber Security

00:03:05
Speaker
that? And then having to report that up to executive leadership within US government entities as to why they should invest time and resources into fixing some of those things.
00:03:19
Speaker
What's the, you know, I hear red team, blue team. What's the deal with that? Because I mean, I'm not really familiar with it.
00:03:28
Speaker
Yeah, so red team, what that enables is the ability to look like an attacker, so compared to a penetration tester, a penetration tester generally just wants to break into a system or prove that there's a vulnerability available, and then they kind of end there like, okay, I exploited the vulnerability, you need to patch that.
00:03:50
Speaker
Red Teamer is going to look at, okay, so now I was able to take advantage of either a technical vulnerability or social engineering or physical vulnerability that you might have. They've got a lot bigger breadth of attack surfaces that they can go after. And then they'll say, okay, now not only did I gain access, but
00:04:12
Speaker
What data can I steal? What funds could I potentially manipulate

Risk Management and Cyber Insurance Education

00:04:16
Speaker
or steal? Could I affect your production line? If you listen to the Darknet Diaries podcast, there's
00:04:25
Speaker
There's been one, they'll have guys on there who have done different tests. One said they got into a hospital system and could have affected a surgical laser. So the breadth of what the impact is, is really where that red team assessment comes into play.
00:04:46
Speaker
and where it compares to a blue team. So a blue team is really kind of your defenders of a network. So they're sitting there watching either like a security event monitoring solution or the endpoint detection response. And they're in there kind of watching what's happening, searching for some anomalies. That's where it gets into what's deemed threat hunting. So I'm looking for something that may be going after my crown jewels in my network.
00:05:14
Speaker
So that's really where that comes from. Damn, that is insane. I mean, you were doing that on other government entities or were these US-based companies or foreign companies? US government entities. So, you know, they would come to us.
00:05:32
Speaker
and say, Hey, we want you to test us so that we could hopefully find and fix it before a foreign government or foreign cyber criminals

Industry-Specific Cyber Risks

00:05:42
Speaker
could do the same to them. So that's like a format. Is that like a form of pen testing? I guess. Yeah. Yeah. It's just way more in depth. Yeah. Yeah. I've always, I've always been super curious about, you know, how much we leverage
00:06:00
Speaker
good hacking, right? I guess Red Team is a better way of saying it, but like, you know, there's always these examples of people saying like, oh, I'm a hacker, but I'm a good one. Or I'm an ethical hacker, right? Yep. I guess you would fall into that. Oh, yeah. Yeah. And there are all kinds of firms out there that do that. You know, and then later in my career as I
00:06:26
Speaker
I got out of the Air Force and came back to Wisconsin where I live now and I ran a couple of cyber programs and we would pay companies to come in and do those penetration tests, a red team assessment, particularly when I worked at a credit union.

Future of Cyber Security: Passwordless Solutions

00:06:43
Speaker
That was part of our annual audit. They wanted to know that they were doing external testing more than just even our phishing testing, had a firm come in. They did the penetration test, they did a social engineering test, a physical test where they tried to break through our Wi-Fi, you know, all of those types of things.
00:07:05
Speaker
So you, you had obviously a very extensive career in cybersecurity. And then I was looking at your LinkedIn page and it's like all of a sudden I see cyber liability insurance, uh, as your most recent experience, obviously M3 and the team there kind of take us through that transition from the security world to the insurance world. Has that, has there been any like.
00:07:33
Speaker
I guess you could say road bumps or has it been a pretty easy transition? Yeah, I think, thankfully, I've got the advantage of coming in a little bit post-COVID. I can see how early on in the insurance industry, people coming to organizations and saying, hey, do you want to buy the cyber insurance?
00:07:56
Speaker
You know, when I was at the credit union, we were purchasers of cyber insurance. So from a financial world, we understood the cost associated. If we had a breach of PII and financial data, there was a big impact there, but a lot of small businesses, medium sized businesses that maybe are manufacturers or, you know, M3 has got a big construction real estate book, um, that weren't as concerned about cyber insurance.
00:08:24
Speaker
I think when COVID hit and remote work and increase in ransomware, that really has

Vulnerability Management and Underwriting

00:08:31
Speaker
made businesses reconsider and know that it doesn't matter what type of business you are, you can be a target. And there are so many cyber criminals out there that it's all targets of opportunity. It's not necessarily that they're specifically going after your organization. It just might be your organization has a certain piece of software that they know how to break into.
00:08:53
Speaker
And you just happened to be on that list of organizations that have that software. Now, that's a really good point. I actually, you know, a lot of businesses, and I'm sure every agent out there would know this or hear this, but so many businesses like, well, I'm a small business or I'm a medium sized business. What does it matter immediately? I'm not important.

Cyber Policy Evolution Across Industries

00:09:21
Speaker
Why would they go after me?
00:09:23
Speaker
that right there is huge. The fact that they have this type of software, boom, right there, you're on the list. And that software has some type of vulnerability in it. They know that they can get in there. I mean, it's game over there. So that's actually a really good point, Matt. Yeah. I think the other thing is small businesses often, I mean, they still have to sell their product or their services to other businesses or end consumers.
00:09:53
Speaker
One or the other, the cyber criminals, if they don't think they're going to make a lot of money off of that business, yeah, they may deploy ransomware. But the other thing that they'll do is they'll utilize the relationships that that business has with other businesses and try and exploit that trust and supply chain to further their, whatever their goals are. Yeah, I'm pretty sure, I'm pretty sure that, isn't that what happened with Target?
00:10:22
Speaker
Yeah, I think, yeah, they used a vendor, an HVAC vendor, and that HVAC vendor's software, you know, the hackers got in, they realized, Oh, this HVAC vendor, you know, manages the systems for Target.
00:10:37
Speaker
they were able to infect an update to the, you know, the control systems for running the HVAC systems. And then they, once they got into Target's HVAC systems, they were able to maneuver their way over into the point of sale system. That is wild. I always hear, you know, people would just talk about how internet of things devices are the most vulnerable things out there.
00:11:06
Speaker
But I did not know that happened. Talk about like a wormhole, you know, just completely exploiting that to get into like the main infrastructure of the company. That's wild.

Trends and Predictions in Cyber Insurance

00:11:20
Speaker
And that's why you saw like criminals, you know, a couple of years ago with the SolarWinds hack where they really were going for, they know SolarWinds is used by so many businesses, you know, especially in the large enterprise space. And so.
00:11:36
Speaker
SolarWinds being a trusted IT system, and they were able to get in and modify the software that when updates pushed out to those larger businesses, it now infected their system. Yeah. That is crazy. You hear all the time supply chain risk.
00:12:07
Speaker
Right. And that's one of a real life example of like how, I mean, that is so difficult. If you, you could be so stringent about what type of third-party system you're using. And just because they didn't have like a vulnerability patch in their updated software, it's just crazy. And I think that brings the full circle back into why cyber insurance is so necessary because
00:12:36
Speaker
You can have all the best systems, or do all the quote-unquote right things, you could be patching, running endpoint detection response, have a blue team, all of those things, but at some point, if there's a dedicated enough attacker, they will find a way in. So you need to have some sort of risk transfer mechanism to cover those circumstances.
00:13:04
Speaker
I'm, uh, I'm going to do a shameless plug here. I came up with a phrase at Trava: "secure for the known and insure for the unknown." That's trademark for everybody out there and try it. All right. Um, yeah, I, uh, that's super interesting stuff. I, I'm just,

Effective Cyber Risk Communication

00:13:24
Speaker
I'm super curious about like.
00:13:29
Speaker
Matt Thompson was in cyber warfare, practically, day in, day out, and announced insurance. Like what, what made you look at insurance, right? And then, you know, how has that been, you know,
00:13:49
Speaker
spearheading that with M3 and working with that on their team over there. Because I'm familiar with M3. I'm familiar with their work. They're a great, great agency. So just super curious about what you've been doing there and how that transition has been too. Yeah, I think one of the big things about M3 is
00:14:10
Speaker
We're more than just an insurance broker. We like to be a risk management advisory, really helping our clients in the past, particularly around your physical risk. We've got a team that'll go out and train an organization on active shooter training or a lot of the slips, trips and falls and all different types of other risks that businesses face on a day-to-day basis.
00:14:37
Speaker
as, you know, I forget which publication it was, but as they said, you know, data is the new oil and, you know, as we get into like AI is the new electricity and, and, and all of this technology is, uh, really starting or continuing to impact businesses. Um,
00:15:02
Speaker
One of the things that I really liked was the ability to come in with my background and talk to non-technology professionals, generally a head of risk or a chief risk officer, risk manager, a CFO, whoever it may be within these organizations.
00:15:23
Speaker
and help educate them on what cyber risk really is and why they need to consider the cyber risk as they apply to their organization. So it ultimately, you know, I look back what is one of the reasons I went into the military because I wanted to help defend our country. So, you know, I look to being able to come to a broker like M3 as how can I help
00:15:54
Speaker
supply chain helps with the economics of our country. How can I continue outside of the military to help our country, even if it's in a small way, but really helping these businesses understand and being able to manage that cyber risk.
00:16:10
Speaker
Yeah, I mean, that's huge. It's like, you know, insurance is the glue that keeps the world together. And, you know, you're at the perfect point when, when you get to be the risk manager. I mean, if you're helping one company, I mean, we just had an example, when HVAC company affecting forget, you help one company, you could be helping out tens, you know, tens of companies. I think that's super honorable. Um, and it's like,
00:16:43
Speaker
You're not just stopping at insurance, right? It's a, it's a lot, your job is a lot further than that. And, um, you take it to heart. So it's, I think that's super honorable. I, I completely agree. I think a lot of people should have that.
00:17:01
Speaker
thought when they're, when they're thinking of themselves as insurance agents, they should be thinking of themselves as risk managers. But I mean, you are, your job is a lot more serious than just selling a policy, right? You're, you are keeping people employed. I mean, God forbid a cyber attack happens in a small business, they're laying people off. I mean, they can't, that's a million dollar thing right there. So, um, you know, you're protecting employment, you're keeping the balance sheet going.
00:17:28
Speaker
Um, keeping the lights on. So the job is a lot more serious than it looks. I wish people, you know, when you go to, when I go to a bar and I tell people I'm in insurance, they're like, all right, dude, like go away. I wish people would take me seriously. Yeah.
00:17:47
Speaker
I think it's just a misunderstanding or lack of understanding. Yeah. Well, maybe it's because there's, you know, uh, they bought their auto, you know, insurance policy through Geico. And so they, that makes the perception, you know, if I can do it through Geico, then I can buy my walk through an online platform too. Right. Exactly.
00:18:10
Speaker
Yeah, yeah, Matt. So you, you obviously have this unique perspective, almost being able to think like an attacker. And I'm sure that that has incredible pros when you're, when you're talking to businesses about cyber exposure and cyber insurance. One thing that I'm particularly interested in is there are so many agents.
00:18:35
Speaker
out there that want to like smaller agencies that want to get into cyber they really haven't sold it before they don't really know where to go to learn it do you kind of having been in the cyber security world and then out in the insurance world is there
00:18:54
Speaker
one side of the coin that you think helps more, is it more helpful to understand the exposures and kind of the cybersecurity aspect of things, or is it more important to understand just, this is what the cyber insuring agreement looks like? Oh, that's a tough question because, you know, I think each industry has, the biggest thing is the
00:19:19
Speaker
the vocabulary and different acronyms and all of that as you come into each one. The hard part with technology is it's all man-made, therefore it can be manipulated in whatever way
00:19:41
Speaker
somebody whatever they can come up with. So I think the biggest thing there is being able to understand that not every system or network is set up and configured the same way, which unfortunately has led to a lot of questions that we get from our client and insured
00:20:08
Speaker
on when the cyber applications come out. And that's one area that we're able to help a lot because we can help with that translation and working between whoever's in charge of risk or finance or whatever a client who often in the past has always just sent the application over to their IT team and said, hey, fill this out. And there's not the conversations happening between both of them as to the need between the, so it allows,
00:20:36
Speaker
uh, myself and my team to come in and, and help communicate that. So I don't think there's necessarily a right or wrong one way or the other. I think a lot of it is getting out to, outside of, you know, what normally might be your comfort zone. So, you know, in the past I went to a lot of cyber conferences and it was all cyber people talking about cybery stuff, you know, um
00:21:03
Speaker
And then now I'm in insurance and there's insurance conferences and, and risk conferences. And, and we go to, you know, I've been at a ready mixed concrete conference and I've been to a healthcare conference and, and all of that talking about cyber insurance. Um, so I think a lot of it too is just, if you're an.
00:21:23
Speaker
trying to get into being able to understand and sell cyber insurance more, seeking out and finding either an IT or cyber group locally that maybe you can touch base with somebody and ask them questions and learn from them.
00:21:38
Speaker
or finding that trusted, you know, CIO or CISO within either some of your current clients or throughout your network to sit down and chat with and say like, Hey, let's talk about this. What does this mean to you and what's the value here? Or, you know, when, when we give you this application, where are the struggles that you have that you can help me that I can then further to my other clients.
00:22:06
Speaker
So I know I can answer necessarily which one I think is better at worth. I think it worked really well for me coming from over 15 years of cyber experience and then coming into the insurance industry, but others may see it differently. Yeah. You mentioned something about a gap of communication for a lot of agents whenever they're trying to get the application filled out.
00:22:31
Speaker
They send it to the client and the client sends it to IT, but there's no communication between agent and IT typically. IT fills it out, sends it back to client, client sends it back to you. It's tough to validate that information, whether it's right or wrong. Frankly, the IT staff isn't being paid to fill out that application, so they're just trying to get it complete and done.
00:22:59
Speaker
I'm curious if you have any, like, is there anything that you do differently or is there any type of way that you approach that situation so that you're getting better and cleaner information and also faster information?
00:23:15
Speaker
Yeah. I think some of it is just inherently, um, with my background, being able to speak both languages. Um, so I'm able to say to our client, Hey, let's, let's all get together and let's talk about some of these items. Um, cause they'll often send an email or they'll get something from their IT team. They forward it to us. Or we get the, you know, many of the carriers are running the external scans and I have no clue what the heck this means and what I should do about it.
00:23:44
Speaker
So, I think that one area, another area is how do we look at some of the emerging technologies that are coming out, the inside out scanning that
00:24:02
Speaker
As organizations are moving to the cloud, I forget, I've recently read an article about Amazon is looking at how they can provide some information to insurance companies, like authorized by a client, but saying like, okay, yes, this person or this organization follows what we consider best practices and, you know,
00:24:26
Speaker
Obviously you're quite aware of Ryan with, with Trava, but there's some other organizations out there too, that, that are looking at how can we alleviate some of the quote unquote gray areas of, you know, where many applications are yes, no. How can we provide some of the other content around it so that underwriters are making their decision based off of the best available data to them.
00:24:56
Speaker
Yeah. Yeah. I did see that Amazon hard quality. I thought that was super interesting. I am curious. I feel like there's something behind that that I'm not seeing yet, but there's gotta be. Yeah. I was reading and I'm like, okay, that sounds really nice of Amazon to do, but.
00:25:19
Speaker
It'll be really interesting whether that to get preferential terms and get the word out that, oh, for an insurance carrier, we really like Amazon because they're giving us this data. So now you're going to get better terms if you're using Amazon versus Google or Microsoft. Maybe it's something else. I don't know.
00:25:43
Speaker
I, oh man, should we go down to the conspiracy rabbit hole here? Not like like scumsters drawer and like tries to get the tin foil cap on before. Oh yeah.
00:26:03
Speaker
Yeah, I think there's got to be something like that where they're trying to play off of insurance. I'm surprised like a web hosting hasn't done that yet. You know, there's like a lot of times you'll see these vulnerability reports come back and they'll have like an open port, but it's not the specific company's website, right? It's the hosting service. And so if you're using like a specific type of hosting service, you're obviously not going to have that issue.
00:26:31
Speaker
Um, you know, we, I remember seeing, uh, a company that they're hosting service. They have these three open ports and hosting service on their website says, Hey, we know these are, these are open, but you know, this is why it's not a problem. Um, to operate websites or, um, yeah, that's actually something interesting. I, you know,
00:26:58
Speaker
A lot of times what people will find is they sign their company up or they're insured up for a carrier that does these vulnerability scans. And sometimes it's almost like counterproductive.
00:27:16
Speaker
Right. I've seen a few reports that are God awful and just raise alarms. And it, it, all it does is it pisses the CFO off because he's now he goes to the IT staff and he's like, what the hell is going on? IT staff goes, everything's fine. We swear. And then the guy don't believe you go back to the agent. You know, now he's like.
00:27:38
Speaker
No agents trying to, you know, scurry and try to get everything together and they're going to the carrier. And so it's like, just because the carrier sent out this one report, the agents, the CFO is sidetracked because they're freaking out about something. They're going to get like canceled or, you know, you name it. So they freak out, they get sidetracked and then they tap the agent, the agent gets sidetracked. They have to tackle that. It's like a completely unnecessary fire. I just, I.
00:28:07
Speaker
There's got to be a better way. And, you know, I know carriers like Coalition have had pretty good success with that, you know, what they call kind of active monitoring or, you know, making awareness of their insurance that, hey, this is out there. And frankly, if organizations weren't doing it in the past, it's one of those ways to really help mitigate some of those risks. So, you know, from a,
00:28:37
Speaker
sitting in a broker position, I think the biggest thing is having those conversations with your insured, your client ahead of time saying, Hey, with this carrier, you may get these emails. They may not always be applicable or appropriate, but there's something you should look into. And I think just setting that expectation of what it is and so that they're aware of why it's happening.
00:29:09
Speaker
I really think that that's the biggest thing. And that goes back to as a broker, what's your responsibility to at least understand what the product that you're delivering to your client is? Yeah. Yeah. Yeah. Getting out ahead of it's huge. Kind of not to change the subject, but I guess to change the subject.
00:29:36
Speaker
M3, I feel like M3, especially with cyber tends to kind of, I don't want this to be taken the wrong way, but it tends to be like you guys punch above your weight class. Like there seems to be, like everybody in the cyber world knows about M3, at least from the people that I know of, but M3 wouldn't be like a top five agency in terms of size that would be a household name. So you guys tend to punch above your weight class.
00:30:06
Speaker
I know that you guys have a really robust program for credit unions, correct? Correct, yep. I was kind of curious, so you were at a credit union before this. Was M3 the broker for that credit union? Is that how you got connected? Yeah, so M3 has a partnership with
00:30:31
Speaker
Well, it used to be CUNA Mutual Group, but now TruStage. So yeah, M3 for multiple years has been the broker for the cyber pieces that many credit unions utilize. I forget what the percentage of credit unions is that we write their cyber policy for. But it's pretty significant.
00:30:58
Speaker
And, you know, that's been a really good way to help keep M3 on the front line of that
00:31:10
Speaker
cyber awareness, cyber product, even being able to have some influence on how cyber insurance continues to evolve. So yeah, I think M3 is always looking at ways that we can continue to help organizations in some of the different or somewhat of a specialty line, if you will.
00:31:40
Speaker
Well, I think it's pretty incredible to be able to say that you ensure a whole number percent of an entire industry in the country, much less the majority. I can't wrap my head around that. That's actually insane.
00:31:59
Speaker
Oh, yeah. Yeah. We typically get like, yeah, you get like a 0.01% market share of an industry, right? If you're a credit union and you're not working with M3, what are you doing? Who are you talking to? Who is your business?
00:32:18
Speaker
In every industry, there are those accounts that you might not want, so maybe that's those. Or there are still some credit unions that have ancillary insurance brokerage, so they might be using their own internal. True. I don't think it'll ever maybe reach 100%, but the fact that that's a possibility, you never know.
00:32:45
Speaker
What are, what are some other industries that you guys tend to like knock out of the park or specialize in? Yeah, we have a, you know, M3 likes to align to different practice groups or industry groups. So our, our producers, our accounting executives.
00:33:03
Speaker
really have focus areas, so we have a significant presence in construction and real estate within the Midwest and across the U.S. We've got a manufacturing practice group, a senior living and social services practice group.
00:33:28
Speaker
building more of a healthcare practice group. So we've, we've got some good focus in those areas. Um, I'm sure I'm forgetting some and all my other co-directors will probably shoot me for, but, uh, put me on the spot.
00:33:46
Speaker
But, you know, I'd say those are some of our biggest, um, oh, food and ag, you know, but it's an agricultural, it's really big. So we've got a pretty significant presence in some food production, agricultural, um, you know, that that's a whole supply chain from farm to table. Um, that's a big area for us too.
00:34:14
Speaker
Yeah, I'm trying to come up with cyber exposure right now in farm to table.
00:34:19
Speaker
But, you know, oh, there is, I would say it's probably, uh, some type of payment processing. There's data there. And then, and I mean, business email compromise is pretty universal, but yeah, but I'm not thinking of the whole supply chain. I mean, you look, uh, you know, we had one client, they weren't the client of ours at the time. Um, they're a newer client of ours, but they had, um, they.
00:34:47
Speaker
they had a co-packer in the northeast that faced a ransomware incident, and that co-packer was putting milk in cartons, and that ransomware incident took down their production facility for two weeks. And as you can imagine, milk is a pretty, you know,
00:35:11
Speaker
just in time, you need to process it, get it in carton and get it out. So two weeks of now product that you're having to pay the farmers for, and then you're just dumping. That's not only to the co-packer, but also to our now client. That's a business income loss there that would
00:35:34
Speaker
from ransomware. And I mean, you look at what happened to the Colonial Pipeline a couple years ago. So it's that whole supply chain and where, where the business income loss can come, especially as it can affect production lines, you know, internet of things or
00:35:52
Speaker
programming logic controllers, things that are driving the systems that are automated production lines or even just the monitoring around those to say
00:36:07
Speaker
If I'm running milk through, does it boil to a high enough temperature so that I know that all the bacteria potentially killed out of it before I'm sending it off to the shelf because I'm then worried about recalls or anything related to that. So, you know, I think that's where, again, talking with organizations around.
00:36:29
Speaker
You may think you're just a food producer, but have you thought about this and the effects of the supply chain and both upstream and downstream from you? How does that affect both your clients and your customers, your vendors, all of that when it comes to your operation? Yeah. Blue collar business, white collar exposures.
00:36:54
Speaker
I apologize to our listeners and viewers, but my self-diagnosed ADD is just firing right now. This milk conversation has just got me thinking about raw milk. Have you ever had a raw milk? Because I really want to try it. Yes, I have.
00:37:18
Speaker
You know, I, I, I really want to try it. I was looking one up the other day and I think, I mean, I don't, isn't it, is it illegal in the US? In some states. I think in Florida, it's like you have to go direct to the farmer.
00:37:38
Speaker
And I get it. Yeah. I have a family who in the past, you know, they were dairy farmers. Now they've moved to just having beef cattle. But so that's where I got to try raw milk when I was younger. But we were out at the farm and my cousins were like, Hey, try it straight out of the, you know, the milk paint. All right. I, uh, yeah, my, I found this farm out in California. I might as a family visit.
00:38:05
Speaker
Anyways. Yeah. Back to cybersecurity and insurance. Well, I hate to, I don't want to make light of any claim, but that's, but a dairy related cyber claim might be the most Wisconsin thing I've ever heard in my life. Our cheese is gone.
00:38:32
Speaker
You want to start an uprising in Wisconsin, you know, have our cheese. Oh, I, uh,
00:38:43
Speaker
How about this? Matt, I'm sending you a bottle of bourbon. How about you send me a block of cheese? Yeah, a block of cheese. I think what you really need to do is come visit and have cheese curds. So anybody you have to know about cheese curds. I never had cheese curds. I need to have that. There's the fried kind, which is like mozzarella sticks on steroids and so much better. But then there's the fresh cheese curd.
00:39:08
Speaker
You go to a dairy and you get them like they were just made, you know, two hours ago. And when you chew them, they squeak, which is. Yes. Squeak. Wait, I just had these. I was up in Clayton, New York, upstate New York, and, uh, they're calling it squeaky cheese. Yeah, probably something similar. Yeah. Cheese curds is what we call them. It worked what I've done ever. It completely derailed this conversation.
00:39:38
Speaker
All my food and ag clients all love, love it though. So yeah, that's awesome. That's awesome. Matt, maybe take us through, um, just kind of as we, the, you know, I want to be respectful of your time. Um, take us through, I think I saw a post that you might've put out something about
00:39:58
Speaker
kind of the rise of passwordless solutions and kind of to get back on the cyber rails. Give us kind of your opinions and thoughts on that kind of new way of doing things.
00:40:16
Speaker
Yeah, so it's funny that you bring that up because I was just talking with one of our clients about it this morning. So passwordless, I won't say is like, you know, widely out there.
00:40:31
Speaker
But Microsoft is investing in passwordless and I'm sure others are too. And really, the mentality thus far has always been with security comes more friction, harder for the end user and everything. And this is really where I think it gives IT and security teams the ability to come back and say, hey, actually, we're gonna bring you something that is easier
00:41:02
Speaker
the long run. You know, there might be some harder points of setting it up, but in the long run, so much easier. You don't have to remember these 20-plus character passwords that are, you know, upper, lower, special character, number, that you have to change every 60 or 90 days. And yeah, the things that everybody complains about. And really what it turns into is something that, having come from the military, the military has actually been using since the early 2000s,
00:41:32
Speaker
But in a different way. So the new passwordless solutions are slightly different. But the way the military had it was, I had what was called a common access card that had a little chip on it. All the computers there had a little card reader. I slid that in, punched in a six or eight digit PIN,
00:41:51
Speaker
And I was logged in, and I could log into any system, U.S. government system, with that. So I didn't have to remember a long password or anything associated with those types of systems. So what Microsoft, because I've implemented this in previous roles,
00:42:09
Speaker
is doing is utilizing the big data and large data sets that they have in the back end to say, hey, I can recognize your computer. So once I sign in on my one computer, my laptop or desktop, it creates a key value that is stored only on my computer that can only be unlocked by a PIN,
00:42:35
Speaker
or by a biometric or something like that. And then through different single sign-on mechanisms, in addition, you can then log into multiple systems with that same capability. So now, instead of these long passwords and a prompt to your phone and this, that, and the other, it's pushing the processing on the back end.
00:42:58
Speaker
So the first time you do log into a new computer, it's going to be put in your username, password, and a PIN or a one-time password that you get for that new system. And then after that, the PIN in that system becomes, it's still multi-factor because it's the system and then something you know.
00:43:17
Speaker
But it unlocks the potential for a lot less friction, and they're what are called phishing resistant. So it's not like I can steal your username, the password, or the token that your system is using to negotiate that login process. I'm so curious about that.
00:43:46
Speaker
Is it, um, is it the, is it safer because of the hardware that it's recognizing? Yeah. Do you think hardware and like large compute power? So think of it.
00:44:02
Speaker
It's adjacently similar to how in the US we've moved from a swipe credit card, where your credit card number is within that magnetic stripe but unencrypted, to now
00:44:18
Speaker
you slide in your credit card or tap, and it's a chip that you have to unlock using a PIN, and then it sends the data. It's not exactly, when you get to the low, low level technologies, exactly the same, but it's on that same kind of wavelength as that. So that's where it really greatly increases the security, but lowers the barrier to entry of it.
00:44:49
Speaker
And more and more, like public websites, and you'll see more and more banks coming into that. And there'll be more and more personal, you know, use of it in your personal life. Um, there's another thing out there called a YubiKey, which is a little device that you can either slide into the USB port or can be Bluetooth. And you can use that to, like, log into banking websites and all that. Not all banks support it, but some do. Um, so that's really where that passwordless piece is.
00:45:19
Speaker
Have you used it personally, that method? Uh, I, in previous roles, yes, I've used, uh, the Microsoft solution. So not on my personal side. Um, I want to use a YubiKey. I just, I've been too lazy to implement it. Um, not too lazy, too busy. Yeah. I'm just kind of curious how it, how it, uh,
00:45:48
Speaker
Is it, is it a significant improvement for MFA fatigue? Absolutely. Yeah. That's awesome. Right. I, um, I don't trust myself for the YubiKey because I'll lose that in two seconds. I mean, I was just without a wallet for two weeks. We're going to stay away from that one for me. Yep.
00:46:15
Speaker
And, uh, the wallet. Put an AirTag onto your YubiKey. Yeah. Oh man. Oh, that's great. Yeah. I, you know, I think
00:46:33
Speaker
That will be why it seems like it's going to be widely adopted. It always, you know, I feel like it goes military, commercial, personal, and that it kind of always trickles down. Like we're starting to see personal cyber stuff really started to pop up now. Like, Hey, personal emails, stuff like that. I, um,
00:46:55
Speaker
I'm curious, this is also kind of a change of subject, but I really wanted to tap into this MOVEit vulnerability thing going on right now. What industries are you seeing that super related to? What is it? Everybody says MOVEit, MOVEit, MOVEit, but what is it and what is going on to remediate it right now?
00:47:20
Speaker
Yeah, so MOVEit is a piece of software that's used for file transfers, large file transfers that usually happen between businesses. Knock on wood, I don't think we've seen any of our clients yet affected directly by the MOVEit vulnerability. I probably shouldn't have said that because I may regret it and get a call this weekend.
00:47:49
Speaker
I know there is a large payment processor in the UK that does payment processing or HRIS for British Airways, I think was one of their clients, that was affected by it. So it's a piece of software that is inherently out there publicly because it's for large file transfers between organizations. So it has to be available on the public internet kind of by design.
00:48:18
Speaker
So, and I think they've continued to have a few vulnerabilities. So it, you know, it kind of comes down similar to that diverse supply chain discussion around how are you validating the practices of your IT vendors or other
00:48:37
Speaker
critical vendors that play into your operation and what is their process and really in your third party due diligence, are you asking, do you have a vulnerability disclosure process? Do you have a code review process? Do you have
00:48:58
Speaker
firms coming to do a web application penetration test or an application penetration test against it on some form of quarterly or semi-annual basis or what have you. So that's the biggest way to protect against it. The other piece being
00:49:23
Speaker
back into your organization's patch process, and when a patch for critical software like that is released, how quickly can you get it up and running? So when insurers are asking about your backups and all of that, a lot of that also plays into your patch management process.
00:49:45
Speaker
To have a good patch management process, you have to have good backups to know, okay, I'm going to push this patch to this software out. It might break something, and I might have to restore that from a backup to, you know, roll back to before that patch. So, you know, a lot of this winds up really becoming intertwined. Um, I don't think MOVEit is that much different from, you know, some of the Exchange vulnerabilities that we've had in the last
00:50:14
Speaker
18 to 24 months, where we've seen significant ProxyShell and some of those. So it's kind of the flavor of the week right now. And when it's not MOVEit, it's probably going to be something else. So really, again, back to organizations just need to understand the software they're buying. And it's kind of the triangle of when you buy software or really anything,
00:50:45
Speaker
You can have three, or you can have two of the three. You can never have all three. You can have cheap, fast, or good. Yeah. That's a good one. Um, yeah, I, um, I think you, I, what I've seen from that is a lot of healthcare companies have that type of vulnerability.
00:51:09
Speaker
Now you mentioned, and Abe, you got something just coming off, but you mentioned patching and how that's related to data backup. Are you translating this to underwriters? Is that something that you're explaining to them? A lot of the time it depends on what carriers we're working with.
00:51:35
Speaker
Carriers like Coalition, they kind of get that and understand it. But there are some other carriers, and they're getting significantly better. A lot of them, while the underwriter themselves may not be a cyber expert because they might be writing all professional lines or something like that,
00:51:58
Speaker
they've got their internal cyber team. Like with Travelers, I know they've got a cyber team that, if we have to push them on something,
00:52:08
Speaker
we can get in contact with their cyber team. You know, Cowbell has their risk engineering team that can help with some of that. So I think carriers are getting a lot better about it. So it's a little bit easier to have those conversations around that. And that's where I think also informing underwriters around
00:52:32
Speaker
You know, for a period there, if the external scan was bad, it was like, oh, we don't want to touch this one. But being able to have conversations with them around, okay, maybe the external scan doesn't look great, but here are the compensating controls. You know, the scan, for some reason or another, due to whatever business requirements they've had, they may not be able to patch this system or patch this vulnerability,
00:53:01
Speaker
but maybe they've got a web application firewall in front of it that's going to help prevent many of the attacks against it and can monitor for that. Is it going to fully eliminate that risk? Probably not, but at what level can it become an acceptable risk?
00:53:22
Speaker
There was, there was a question for a while there where it was like, are the external scans appropriately painting a picture of the company's cybersecurity infrastructure? Frankly, I mean, if they have, like, a pretty unnecessary port open and it's actually directly related to their website, it might be a good, like, if I was a hacker, I would use that as like a, like, hey, are they actually paying attention? But, you know, I think
00:53:47
Speaker
that underwriters have gotten more comfortable with these vuln scans and are more comfortable with the conversation of, okay, yes, this is a vulnerability that we've found, but let's dig deeper into what they're actually doing about it. Um, you know, what's their residual exposure at the end? I agree. It, it can definitely be a piece of the puzzle, you know, where I always in the past had struggled a little bit in,
00:54:13
Speaker
where is the vast majority of the data I'm adding to the systems? It's behind the firewall, which they're not able to scan for. So I'd say it's oftentimes more an indicator of a really bad client than a really good client. But that middle ground to really good client,
00:54:37
Speaker
externally, they're probably going to look close to the same. Um, so how do you differentiate those two? Yeah, absolutely.
00:54:50
Speaker
Well, that's awesome. Um, and Matt, thanks so much for, for coming on. And this was one that I think we could probably do a second episode. Thanks for having me. And maybe we'll have to do a one year anniversary or something. Yeah. How can people get in touch with you and M3, uh, if they've listened to this and they want to get to know you or learn more about M3?
00:55:20
Speaker
Yeah, find me on LinkedIn. If you look up Matthew, M-A-T-T-H-E-W, and Thomson without a P, which is often misspelled, so it's T-H-O-M-S-O-N.
00:55:33
Speaker
Or else look us up on m3ins.com. So we've got a link to all of our directors and producers and all of that there. If you find me there, that'll have the ability to send me an email, or I forget if my office phone is on there or not. And worst case, I can give my information to throw in the show notes if need be. Yeah, the show notes. How long is it? Awesome.
00:56:03
Speaker
Awesome. Well, thanks so much, Matt. It was great having you on and really looking forward to releasing this episode. Awesome. Thanks for having me.