
Kirsten Bay - Co-Founder & CEO of Cysurance

InsurSec Podcast

Transcript

Introduction and Trigger Article

00:00:18
Speaker
Welcome to the InsurSec Podcast. You have your hosts Ryan Dunn and our host of the InsurSec After Dark podcast, Travis Kroger.
00:00:35
Speaker
And on today's podcast, we have a special guest, Kirsten, the CEO of Cysurance. Kirsten, great to have you on. Thank you for having me. Great to see you today. Yeah, absolutely. So to give everybody some background on how this got together and bringing you all up to speed,
00:00:57
Speaker
There is an article that I found that I had some somewhat aggressive opinions on that I posted on LinkedIn.

Kirsten's Journey to Cyber Security

00:01:09
Speaker
And Lane, the CMO of Cysurance, was great enough to reach out to me personally and say, hey, we'd love to have our CEO on.
00:01:20
Speaker
Um, whether it's clear the air or just, you know, talk to, uh, what the post is about, you know, what, uh, what can be cleared up on that article, just stuff like that. And, um, you know, I want to thank Lane for, for doing that. And, um, and the Cysurance team for reaching out, uh, this will be a great conversation.
00:01:39
Speaker
and very interesting to learn more about cyber warranties, where they fit in, what problem are they solving, stuff like that. So, Kirsten, we'll start it off. I'd like to just give our viewers and our listeners just kind of your background. How did you get to this side share and steal and what led you here today?

Cysurance's Mission and Model

00:02:02
Speaker
Well, I like to say I'm a serial student, otherwise that's the cutest route that probably many of us have gone on in this point of our lives. I like to say I'm seasoned. It is an interesting one, but I started my life in supply chain and financial risk analysis and analytics. And so looking at the impacts of supply chains and also portfolios with geopolitical risk, financial risk, intangible asset valuation modeling risk, those types of things.
00:02:31
Speaker
So I spent a lot of time with financial products, as well as looking at broader implications to workflows and bottom lines of companies from a very different perspective than cyber. And many, many years ago, probably about 18 years ago, I participated in a book with
00:02:49
Speaker
a bunch of Bell Labs engineers on built-in security. And I always like to say, and I was like, so you mean securities? And they're like, no, like Y, not IES. And that sort of opened up this whole world of cyber to me. And the model was, how do we develop a built-in security model to help organizations become more secure? Because jumping ahead, that's what we are faced with today. And I was like,
00:03:15
Speaker
Well, yeah, but we have these business considerations and so we need to think about those things. And so I ended up working in these government working groups in cyber with DHS and then started working in threat intelligence and running threat detection companies. But always with this lens of how do we create a better integration between
00:03:33
Speaker
Financial metrics of a business and the mission of the business with security as the enabler, right? And so when we started Cysurance, it really is what was with what's with this mind that we needed to find a way to show how products were being effectively.
00:03:51
Speaker
effective in solving cyber problems, but also helping the business mission understand how to quantify those risks. And insurance is a great way to do that. And it was long my belief that having a way to drive a financial outcome and to be able to tangibly see that outcome would have more effectively helped the security teams articulate why they needed to make investments, how things were actually working, and where those gaps existed.
00:04:16
Speaker
Yeah, that makes kind of sense. And I think we're all aligned on that issue. I think, you know, all of us on this podcast are all trying to figure out ways to do that. You know, we're at scenario cyber. We're trying to do it from a wholesale perspective. Travis trying to quantify that and articulate that to clients from a retail agency standpoint. So, yeah, definitely understand the mission to wanting to solve that issue. I, you know,
00:04:46
Speaker
To also give some background to everybody, Cysurance is a cyber warranty product, right? Not entirely, but to start with you. Okay, well, that's a perfect place to start then, right?

Cyber Insurance vs Warranty

00:05:01
Speaker
What is Cysurance? If it's not a cyber warranty, it's a cyber insurance policy. And can you describe exactly why it's not a cyber warranty or why it is a cyber insurance policy?
00:05:14
Speaker
Well, it's both actually, and there's a reason for it. And so to the point that you are making in your post, which actually I don't fundamentally disagree with actually, it's partly why we created the solution that we did. So there are two components of it. There's the certification warranty part of it, and there's the insurance part of it, both of which we support.
00:05:37
Speaker
So to give some context about the warranty or it's really the certification is that we certify the providers who participate in our program and we take them through a full underwriting process to be able to understand how effective their solutions are. And part of that, as you well know, is part of the reason why we ended up in such a difficult cyber insurance market is because we had random check boxes all over the place of things that people were doing but weren't
00:06:06
Speaker
completely doing or entirely doing or thought they were doing but weren't doing. And so the idea was, one, how do we actually verify that they're doing those things? And two, how do we know that, so I call it internal controls and external products, right? So internal control wise, are you doing sort of the fundamental basic things you should be doing? And then are you using products that are effective in helping you solve other problems beyond, do you have MFA on or have you patched?
00:06:34
Speaker
But do you have defense in depth? Really is the question. And how do we prove that to a market? So what we wanted to create was a layered risk model where we were able to say we've certified this particular product. So we talk about we talked about Kaseya, since Kaseya is the host of this particular scenario. But what we did was we certified that stack.
00:06:56
Speaker
Why? Because it has a managed SOC, so we understand that we can look for incidents inside an organization and remediate them before they become a major incident. Endpoint management, credential monitoring, because obviously we know that credential theft is a huge component of phishing attacks, phishing monitoring in an internal environment, so through

Educating MSPs on Coverage

00:07:18
Speaker
email. And then, of course, the BullPhish product, which is like a phishing simulator slash
00:07:27
Speaker
awareness training program. And so really what it did was it fulfilled the check boxes of what we believe would really reduce risk. And so what we think about it is the cyber seatbelt. And so it differentiates this warranty then that goes to customers is we put skin in the game because what we're trying to do is help orient organizations to you are investing in solutions that work well and can reduce the severity and impact of an incident.
00:07:54
Speaker
Now we all know that incidents are still going to occur. So it's not you failed at doing your job, but more you mitigated the risk. And because we have those in place, we have certain policies that sit behind it that are greatly reduced in cost because one, we shoulder a portion of the financial burden, but also we can fundamentally demonstrate that these organizations are doing the right things. And so what we're really doing is helping shift those investment dollars a little bit out of insurance
00:08:24
Speaker
and back into security and trying to give credit for that. And so there are two products. And so the product, the insurance product we have in the market actually has the warranty as a conditions precedent so that we know that we have certified that product. Got it. What's interesting about that is when Travis and I were reviewing the policy,
00:08:49
Speaker
So I built a marine warranty company, right? I partnered with marine dealers and wrote their warranty. And so when we were reading the policy, it was reading like an insurance coverage, right? It wasn't, and so we were like, is this an insurance policy or is this a warranty product? Because it was like, it wasn't necessarily, when you looked at the way it would respond, it was responding as if it was ensuring something.
00:09:17
Speaker
That's great clarification and very interesting. I think that also kind of brings up just education around this type of thing is massive. I wanted to hop in there. On the retail side, I'm running up. I work with a ton of MSPs and I love it.
00:09:46
Speaker
I run up against warranties very frequently. What type of education are you providing to your MSPs, to your wholesalers, however you're doing this, to note that yes, this is technically a warranty and an insurance policy.

Coexistence of Warranties and Insurance

00:10:05
Speaker
but it won't have all of the coverages that may be necessary in the event of a cyber attack referring back to that post of the whole gambit, right? There's really clearly some education that needs to go on there. What have you done to help educate Kaseya in this point?
00:10:26
Speaker
Well, we do a lot of education, and one of the things that we have done, and Lane and our CMO team have created, is our Cysurance Institute as a means of being able to drive thought leadership around not only the providers who are certified in the program and how and why they're doing what they're doing,
00:10:46
Speaker
but also to help organizations understand the why of how these pieces fit together and why it's advantageous to have it that way. And to the point of the warranty is set around specific key perils, obviously ransom, business email compromise, business interruption, some compliance related events, but our policies extend out into all the traditional coverages. And so we have to, the one that you reviewed is tied directly to the warranty
00:11:14
Speaker
We have a secondary one that adds on some other pieces. So I wanted to be clear about that, that it can be as skinny or as broad as we want it to be. So just so that it doesn't feel like it isn't addressing the primary needs that organizations have.
00:11:29
Speaker
But that's how it was designed. And you're right. And I would say that our biggest challenge, we have two challenges, one of which I want to ask you about as well, if I may, which is that one is helping people understand how these pieces fit together and why they're meaningful. And the layered risk model for me is a big deal because
00:11:52
Speaker
When I saw this real adjective around what I call cyber totals, we need to get more cyber fender benders, is getting more of that into the warranty where we could show and demonstrate that incidents are actually much lower in severity when we have these controls and we can verify them.
00:12:14
Speaker
through the years that we've had this implemented, we can fundamentally demonstrate that. And when we see incidents even now where it's becoming severe, we see that, oh, you didn't have a sensor in front of that particular portion of your system. And oh, gee, if you'd had it, then that would have been a much different outcome. And so part of it for us is fundamentally proving what that looks like. So that's one piece of it. But the other piece of it is that
00:12:39
Speaker
There is this channel conflict forming in the brokerage market, which we don't want to have, right? We want to be able to support. And so to your question on the wholesale piece, you know, we have the ability to work with brokers, but that's probably one of our biggest challenges in terms of the education is
00:12:57
Speaker
We're not freezing brokers out of this market. We actually want them in this market with us. And so the question is, you know, how do we educate and help organizations understand that beyond the technical components of, Hey, this is why we've done this and how we've done it. And these are the providers who do it well and et cetera. How do we then make it a conversation that we can all have together and that we can jointly support that in the marketplace? Yeah. I think, uh, you know what Travis has run into is.
00:13:27
Speaker
And I'd like to know if, because I did read that to have a Cysurance policy, you need to have a, an insurance policy in place. Correct. If you're an MSP, yes. You do need to have a tech, you know, okay. Got it. Um, so, you know, what Travis has run into, uh, I haven't run into this personally yet, but obviously I've heard around just from the industry.
00:13:53
Speaker
People are saying, well, I have this warranty. So why would I need insurance? I have the cyber warranty. Why would I need insurance? And so I agree with you. I think there's a place for both of them. So how do you combat that? Or are you saying, hey, this is better than having an insurance policy, is having just a Cysurance policy?
00:14:20
Speaker
Well, so by Cysurance policies, you mean our insurance policy or our warranty? So in our FAQs, the number one point that we make is this is not a replacement for an insurance policy. This is augmentative. So this is for out-of-pocket costs. It allows organizations. So if an organization, and we have thousands of companies enrolled in our program,
00:14:43
Speaker
And for those who participate in our program, it sets the layered risk model and they have access to a greatly reduced cyber insurance premium based on that. If they're in other programs, it helps us support what you might want to consider as like a deductible buyback essentially. So we have many organizations who when they don't use our policy or haven't had one,
00:15:05
Speaker
that they use it as a means of actually increasing the retention of their policy so that they can reduce out-of-pocket expenses and also know that there's a backstop for them or maybe that they don't even need to trigger their policy because it's a small enough attack that we can do the remediation, support that incident, and just keep moving in and it's just a notation and then a file. So those are the things really for us that we want to use it as a way of either expanding coverage for organizations, backstopping,
00:15:34
Speaker
risks or when there are sub limits in a policy that might have reduced ransom as an example where they have a ransom supplement, this can be augmented to that. So we're not trying to replace an insurance policy with warranty at all and would never suggest that someone do that. Clear point. You know, it's like, especially in that article, what was interesting was it was specifically speaking to that. And that's why I think I became
00:16:04
Speaker
I was so aggressive in my standing on it. Usually I like to have an open mind about this stuff and like to ask questions first, but I was so aggressive in my opinion on it because I felt that I've seen cyber warranties come out and I've seen cyber insurance policies for almost a decade now.
00:16:28
Speaker
And I'm like, why, you know, why was it a conversation of, Hey, either, or it should be a conversation of both. Right. You know, and, and I think there needs to be a lot more conversation, education around this because the, you know, I'd love to. And part of that is knowing, okay, where does that warranty piece fit where that cyber insurance policy doesn't like, where, where is the gap that that warranty is coming in and, um,
00:16:55
Speaker
So I'd love to educate people on that right now if you could dig into that a little bit.

Warranties in Risk Management

00:17:01
Speaker
Absolutely. So as we get that fork in the road, right, for organizations like for the product providers who use our solution,
00:17:13
Speaker
One of the reasons why we structured the product the way we did was because I don't want to necessarily pick on any providers, but those who like it's $1,000 an endpoint or up to, to me, candidly, I feel like it doesn't really help because what we wanted with this product was to demonstrate that these controls reduce risk
00:17:39
Speaker
in the going with the provider that reduces risk for both the end customer as well as the insurers, the carriers themselves. And so what we're trying to do is create that bridge of we're giving carrier visibility so that they understand how well those products are performing. And initially, and I'll tell you, it took a long time, right? You know how carriers are. They're not the speediest
00:18:02
Speaker
groups in the world. But now we've gotten a lot of consensus where they're really on board because they're seeing how incentivizing organizations to invest more
00:18:14
Speaker
and more strategically into their security posture really does have better outcomes since we've been able to demonstrate that. So what we're really trying to do is one, if you have gone the path where you have your own policy, and we have many use cases in this where we've been able to support, we see organizations with 75,000, 100,000, 200,000, $300,000 deductibles, right?
00:18:37
Speaker
they don't want to pay that out of pocket. And of course, they chose those deductibles much like when people buy car insurance, they're like, yeah, sure, I'll do a $5,000 artifact. Well, then they have an accident. They're like, Oh, criminy. That's a lot of money. And so and so what we were saying in the warranty side of the businesses,
00:18:55
Speaker
If you make this additional investment and we're in very comprehensive stacks, managed detection response, which are expensive products to buy, if you're investing 60,000, 100,000, 200,000 in a managed detection response platform,
00:19:11
Speaker
I want to know that you're going to catch it quickly enough, that's going to offset my risk, but I'm still going to pay $100,000 out of my pocket. And so that's one way that we support that particular arc is to manage incidents that way. And because many of these organizations have incident response teams,
00:19:28
Speaker
we're able to quickly remediate because, as you know, you've probably seen many of claims where the quicker you get to it and the quicker we start solving the problem, the less expensive it is to solve the problem. So it's really trying to drive an incentive behavior on the end customer side, while demonstrating to the carrier market, you don't have to shoulder this entire financial burden having blind spots all over the place.
00:19:56
Speaker
No, that makes complete sense. I really like the part where you're both the warranty and the insurance policy. The question that came to my head as you were discussing that is, are you working with any other insurance carriers,

Partnerships and Brokerage Challenges

00:20:13
Speaker
right? You're saying they're slow to move. Right now, it's on dual paper backed by Tokio Marine Kiln.
00:20:23
Speaker
From what I can read, pretty cookie cutter policy. Are you working with some of the more advanced ones at all? Yeah, so I can't see which they are yet, but we have three new carriers coming into the market in January and will be both for domestic and international release.
00:20:43
Speaker
That's been the big change for us is getting that kind of traction, demonstrating the book to bind ratios as well and how there really is a need and a desire to link those together and that sales motion. And because that was a big question the carriers had, it wasn't even that they didn't believe in the philosophy because it certainly helps them. Their question was,
00:21:06
Speaker
Do we want to put all this time and effort into creating a policy and going through legal and getting the ratings and blah, blah, blah, only to find that you've written seven? That's not helpful to anybody, right? Yeah, that's a good point. Who's actually selling these policies? Is it the MSPs or do you have like insurance people in-house that are licensed in these states or how does the whole sales process even work?

Cysurance's Sales Process

00:21:36
Speaker
Right. Well, and that's sort of the question I'm sort of putting back to you. But to answer your question, we're a 50 state licensed agency in addition to being an MGO. So we write those risks. And so we support that. And what's ended up happening a little bit is a little bit of channel conflict, right? Which is brokers are like, hey, wait a minute, you're stealing our customers from us. And we're like, we don't want to steal your customers. So the MSPs help.
00:22:01
Speaker
And really it's MSPs, but it's also the product companies themselves. We have very strong alignment with an Arctic Wolf deployment and obviously Kaseya and Sophos and others. So we were in many different products. And so obviously the MSP is a strong component of that delivery model for the channel. And so we help develop the sales content for them so that they, and we have a whole portal system where they can come in and get their rating and get their policy. So that's certainly a path.
00:22:31
Speaker
But one is we're not trying actually to disambiguate the broker at all and have opportunities to participate. And that's a question that I have for you is because we are reducing the cost of the policy, there is some like, well, why would we work with you? Although what we're finding is that we're seeing a lot of unique or more complex risks for organizations who
00:22:55
Speaker
are paying very high premiums and are trying to figure out how they make that additional security investment and reduce that insurance cost. So my thoughts are how can we get that out there too, that this really is a program for everybody and not that we're trying to squeeze the broker out of that conversation.
00:23:12
Speaker
Yeah, so going back to what Ryan said about MSPs kind of selling this as an insurance policy. You don't need to talk to your insurance broker. I think that
00:23:26
Speaker
That could change by saying, hey, talk to your broker and see if they can sell those products because you are eligible for a heck of a discount, right? There is a way where you can blend those two worlds together and make them work cohesively. My main concern though is the education. Again, these MSPs, they're very smart when it comes to security. They're very smart when it comes to their products. They don't know a lot about cyber insurance. Right.
00:23:56
Speaker
Right. And that, and we're really trying to shoulder that burden for them, right, where I like to say, think of us as your insurance subsidiary of if you're a Kaseya partner or a Sophos partner or whomever, right, that it enables us to carry that water and then how do we
00:24:12
Speaker
support that in the brokerage market that, hey, you know, there's an opportunity for you. If your customers are using Sophos, have you checked into this as an option, right? And I think that's, so you're a hundred percent correct. And I think we could probably all brainstorm together on how to start to really facilitate that conversation so that it becomes more mainstream or more accepted as an opportunity to change how these are required.
00:24:42
Speaker
Yeah, so yeah, I think like we've stated before, that education piece is absolutely huge. You said you're a licensed agency. Now, are you expecting to operate in a more wholesale fashion? Or are you expecting to be more retail? What's the vision there?
00:25:05
Speaker
We do have a wholesale component to our business and so that's certainly an option. We operate with many on a sub brokerage agreement. So it depends on how, like if someone's coming out from a retail or if they want to go on a wholesale basis, you know, what are your thoughts? I mean, you act as a wholesale basis, right? So is that something that you would be interested in doing to look on a wholesale basis or would you, what are your thoughts on that?
00:25:33
Speaker
Uh, from your guys standpoint. Yeah. I, um, I love the wholesale stance just because it allows for, um, you can educate brokers and MSPs alike and you can play that, you know, director, I guess you could call it where you're, um,
00:25:52
Speaker
You're not stepping on that retail broker's shoes and you're allowing for the collaboration between MSP, client and broker and you're kind of coordinating that rather than being disruptor. And so I love the idea of a wholesale stance for you all. That's great. It's a lot easier to educate insurance people about insurance products. That's kind of my two cents.
00:26:21
Speaker
Yes. Well, and it's still complex. And I find, and what's interesting for MSPs, as you know, is that many of them use brokers as lead generation for all the security gaps that are starting to form. And so there is a natural ecosystem, I think, that exists in that discussion. And so the education piece, to your point, is still
00:26:43
Speaker
really important. I mean, I have some that I'm reviewing now. And part of it is, is that they're like, whoa, look at all these things that we have in our current policy that's not in your policy. And then like, the words are different. It's all the same. And so it's really hard. I mean, when you, when, you know, one is dependent business interruption, other is contingent. It's like, you know, even the brokers get confused at times. And so it's like, when you get down to managing coverage, let alone, you know, this is a new way that we're looking at how to manage risk.
00:27:13
Speaker
It's a lot to take in. Yeah, absolutely. And when we're talking about these coverages, and to Travis's point, it's really easy to educate a broker, especially one that's focusing on cyber, on the cyber insurance policy. When we were reviewing the policy, one of the gaps we saw in it was there was no crime in the policy. Right. And we have an add-on component to that.
00:27:44
Speaker
So that's what I was saying, that that's our absolute base form. And we did that so that we could get standardized because there are some groups that they're not eligible for crime. And so depending on what sector they're in, so we have our base form and then there are endorsements that we can make to create higher contingent, interruption, breaking cybercrime, all those good extras that people need and want. That's right. Yeah.
00:28:12
Speaker
mentioned that when he sent that over was that there were additional coverages there. Yeah, because you know, that was, as we all know, that was like, one thing that stood out to us were like, well, crime is, you know, one of the leading, you know, claims that's going on right now. I don't think it's ever going to be going away. So that was one thing that stood out to us. You know, and I think
00:28:38
Speaker
But like we said, I think that's where a broker comes in as somebody that can review that policy and understand what is being sold to the client and what is not being sold to the client. Absolutely. And there's also a business email compromise crime in the warranty product as well. So some people choose to just use what's in the certification warranty and not add it on. So because of the additional coverages, that's part of why there's that separation as well.
00:29:07
Speaker
You know, one thing I wanted to touch on was if you looked at my post, there's some visceral hate towards, towards warranties. You know, is there going to be a, like a campaign to try to turn these visceral hate into education? Like what, like there's, there's definitely some people out there that are closed minded to ever
00:29:37
Speaker
thinking about accepting a cyber warranty. I have always had the position of, I think there can be both. Part of that is because, frankly, I was still wanting to learn more about where the cyber warranty fit, and you've already gone through that, but go ahead. Well, I was going to say that I kind of understand the visceral hate, frankly, because it's difficult
00:30:03
Speaker
If it were, if I were a security provider and I have a warranty, which I think is where a lot of that visceral hate comes from, because there really aren't like independent certifying people who are looking at this. That they don't, they're all written so that they'll never have a payout. That's why there's this visceral hate, right? I mean, that's the whole point. What we're actually trying to do is look at.
00:30:26
Speaker
how we have a large enough actuarial pool of candidates and data to demonstrate what works, what doesn't work, so that we're our certifying body, but also that we're independently looking at these organizations and we're warranting it as opposed to saying, you know, I'm XYZ, MDR company, and I'm so fantastic. I'm going to give you this warranty only for a year up to a certain event points, you know,
00:30:53
Speaker
caveat, caveat, caveat. It's like, no, we do it by company, and every company gets the same amount. And as long as you're doing what you're supposed to be doing, and this is the friction point for us a little bit, is, but you have to actually have your endpoints deployed. And I had a conversation with a product company, and they're like, well, that's ridiculous. I mean, you know that all kinds of people don't actually deploy all their stuff. And I'm like, and they just make it shelfware, and I'm like,
00:31:20
Speaker
that is precisely the point we're trying to make. So. Just implement it, silly people.

Role of MSPs in Security Deployment

00:31:32
Speaker
Yeah, see it every day. Every day. I had a question kind of based around that. So a lot of this warranty, this insurance product falls on the shoulders of the MSP
00:31:47
Speaker
because they are ultimately the ones that are deploying the security. They're the ones that are selling this warranty, selling this insurance product. With the MSP in mind, I know that there's things that, I mean, you don't have to be certified to be an MSP, right? My barber has to pass more tests than my managed service provider does.
00:32:12
Speaker
how can you ensure, that's not insurance, but ensure that MSPs are doing their job, right? And not giving you guys a bad name. Well, it's a very important element of it. And it's partly why
00:32:28
Speaker
We not only look at the MSP because we're in a lot of just strict product companies as well. So that there is that ecosystem so that we get to see data from different perspectives. So like, for example, with the Kaseya example with RocketCyber, you can see whether all those endpoints are on or not.
00:32:45
Speaker
Right, and so that's that's the key thing where you can see with phone scan whether the vulnerabilities can't have been completed. So, so the managed SOC component of all these implementations for us is a really essential part of those deployments because it gives us different visibility.
00:33:02
Speaker
And you're right, and this is also something, but on the flip side of that coin, it allows MSPs to say and demonstrate to their customers, they are doing the right things. And in fact, we originally started this program many, many years ago for the benefit of the MSP because many MSPs weren't doing security in the way that they're doing security now. And so it was a tool to help them explain to their customers, this is why you need to move upstream.
00:33:28
Speaker
And I'm going to put my money where my mouth is to be able to provide you these services and to demonstrate that this stack is really what's needed to solve for these problems and for these fears. Because you don't want to wake up in the morning with ransom on your machine, right? And if you do, let's remediate one machine, not all of them, right? And so those are the things that we're really trying to help support the sales motion for MSP to get their customers into the right deployments. Yeah, that's huge.
00:33:56
Speaker
I, um, you know, you made a point there that I am a crazy firm believer in. And it's something that I've been talking about for a while now is the validation piece. Right. It's something that I know Travis, uh, has to battle with on the front lines as a, as a retail agent is it's like, you know, they, he sends out an application it's.
00:34:19
Speaker
answered, even if the MSP is filling it out, the way it's worded is sometimes a little vague. It's like, Hey, are you doing this? Yes or no? And it's like, well, we kind of are like, so is it a yes or a no? You know, the questions are a little bit vague. And additionally, let's just say they are doing an EDR role. Do you have, like you said, like a managed SOC component of that? Um,
00:34:45
Speaker
Or, you know, how is do you have MFA is SMS MFA? Like what type of MFA is it? Right? There's so many, it's, there's so many layers to each of these controls that the application doesn't go into. Now, are you guys gathering all that data?
00:35:01
Speaker
whenever people are applying for this insurance coverage. Yes, as much as we can. And that's the nice thing. And in addition to that, when we look at some of these installations, like around, let's talk about the MFA or the patching requirements as an example.
00:35:17
Speaker
One of the things that we're able to do when we have these conversations is it's a manufacturing environment. And there is a Windows machine, like a Windows 97 machine, XP machine running. And all these people throw up their hands and go, oh my gosh, you're terrible security people. And it's like, well, no, actually this part of our manufacturing environment, we can't upgrade. We can't change it. It would cost us a bajillion dollars to do that.
00:35:39
Speaker
So what we try to look at, because we're security practitioners as well, is, well, let's look at compensating controls. Let's talk through what that looks like for you. Or not all of these types of installations can run agents in order to have a key put on it to be able to have MFA. So that's fine, actually. But what are you doing about it? Are you ring fencing it? How does someone actually get into that environment? Is there a privileged access management component to this? These are the questions we ask to
00:36:08
Speaker
help organizations think more critically around those deployments so that they don't feel, to your point, that yes or no question, you can't answer maybe, or kind of, or most of the time. But the problem is that's actually the answer.
00:36:25
Speaker
And so we're trying to help lend a little pragmatism because we also understand the installations that they have and how effective they are. And when we look at that, we look at organizations and say, like the providers, well, what's the firmographic makeup of your organization? How much?
00:36:42
Speaker
healthcare do you have versus financial services versus manufacturing? And if you have high amounts of those or a large percentage of those organizations, what are you doing to make sure that you're watching their environments differently than florist person over here who has a chain of florists? Kirsten, were you listening to our other podcasts?
00:37:06
Speaker
Well, you know, I have worked on, you know, the other side of the line. Oh, my God. We talk about compensating controls like like every day. I mean, it's just it's such a big piece of the conversation that doesn't get told right now in the story of applying for insurance.

Underwriting Challenges and Solutions

00:37:24
Speaker
So it's like, hey, you don't you don't have this. So what are you doing about it? Right. And we have a very
00:37:35
Speaker
I want to say it's like a semi-manual way of gathering that data. And it seems like you guys might be operating similarly. I mean, you guys are working directly with Kaseya, and like you said, Arctic Wolf, and I think a few other players. Is that like an auto feed, or is there a manual process to that underwriting piece?
00:37:58
Speaker
It's a little bit of both. As you see, the challenge is it's very difficult to identify the portions of the network that require those controls, other than you can see a machine popping up that hasn't been patched, and so you can query why that's the case. Or when you're looking at web application firewall type scenarios, like why are there open ports here?
00:38:21
Speaker
It's the paint by numbers allows you to fill in most of it, but there are still some colors you have to choose yourself. And that's just really having a conversation.
00:38:31
Speaker
to understand what the environment is. But the fortunate thing is it's not even 50%. It's probably 25%. And when you're going into an environment where you have someone who has an employee benefits platform where they're looking at how they ensure and support employee benefits, chances are they're going to have some interesting deployments because they're a platform.
00:38:56
Speaker
or if you're a manufacturing environment, that's just a standard question. What are you manufacturing? Where are you manufacturing? What's the machinery like? And how much connectivity does it have? I mean, my stovetop has Wi-Fi connectivity, which for me, for the life of me, I understand why. So those are the things that we try to tease out in those types of discussions. So are you hinting at you guys will be providing a cyber warranty to IoT devices as well?
00:39:27
Speaker
No. That might fall in the uninsurable class. I just want to know that if there's some attack against some water facility, it didn't go through our stovetop. Yeah. Good luck to anybody trying to do personal cyber and incorporating that type of stuff. It would be an interesting thing to try to accomplish, but oh my god.
00:39:57
Speaker
If commercial is taking this long to kind of catch up to speed, I can't imagine how long personal will take. Well, and to your point, I mean, the interesting thing about that is like when we have gotten organizations that have IoT manufacturing facilities and I've, and I've gone back to the carrier and said, okay, well let's think about how we want to insure this. And they're like, let's not. Yeah.
00:40:17
Speaker
or we need six policies stitched together in order to make that happen. We only take 3% of the risk on this and you can find 20 other partners. One thing, one thought I had while I was reviewing the policy and reviewing your guys' stance, where you said, you guys are partnering like we said, the Kaseyas, Arctic Wolves,
00:40:46
Speaker
And I see a component of potential risk aggregation there where you're aggregating a ton of risk into one security platform.

Risk Aggregation and Carrier Collaboration

00:40:56
Speaker
And something that I speak about is when it comes to underwriting,
00:41:02
Speaker
It's not necessarily the industry that is the leading risk factor. It's accumulating security roles and that can be a leading risk factor when analyzing stuff. So do you see that? I'm sure that's a question that you get from carriers whenever you're pitching. How do you combat that or what's your message around that?
00:41:21
Speaker
Yes, well, accumulation risk is probably the first or second discussion point that we have with carriers. And so there are a few of them. One is that's partially why we ensure that there's tech E&O coverage at the provider level so that we make sure that there's that separation, particularly if they're an aggregation point where there might be a supply chain attack. So those are what we look at with the warranty specifically, not
00:41:50
Speaker
the policy, but that it really is intended for first party coverage so that you click on the link, a thing happens, right?
00:41:59
Speaker
That's a piece of the warranty that I think is critical because what we're really trying to do is manage environments, not the entire world with that instance. Of course, when you look at the policy, there is dependent coverage, dependent business interruption coverage, systemic coverage, et cetera. So those coverages are there. And the other pieces, there are a few. One is that you have multiple products together.
00:42:22
Speaker
Like in a Kaseya, that they can't jump from one product to the next, so we did a lot of diligence around how there's segregation there between the products.
00:42:32
Speaker
so that there isn't potential aggregation risk there. And then on the other side, to the earlier point around if you have groups that could be attacked en masse, either through some type of zero day or vulnerability that's identified, how do we manage that? And so one of the things is by having multiple MDR providers, it also gives us very different viewpoints of how organizations are monitoring, detecting,
00:42:58
Speaker
those evolving threat patterns and attack surface. And so those are other ways that we have a different level of visibility than is common just because we have a much different view into the world than others. And so that allows us to control those risk components in a more granular manner.
00:43:20
Speaker
Understandable. Yeah, you definitely keep alluding to this data that you're picking up. It seems like these companies are willing to share some of this data with you. And so is that happening? You guys are being able to monitor that granular.
00:43:40
Speaker
Yes, and more all the time. And so most of it really, there's not pushback so much as the technical limitations of how do you get API pulls and how do you do it anonymously and those things. But those are all the elements that we can see because we can also see broad movement and evolution of risk. And that's always my concern. My biggest concern in cyber really isn't around the controls that people are implementing.
00:44:08
Speaker
They are, they aren't doing it and carriers can decide whether they're uncovered or not. The thing that concerns me more is that if you have some evolving zero day or you have some new way that a threat actor is going to attack an organization or multiple organizations and
00:44:28
Speaker
it's through some odd vulnerability that a patch pops up quickly because there's this evolving risk. Are you triggering an exclusion by accident? And those are the things that I think going forward enable us, more of the global us, to be helpful to organizations because
00:44:46
Speaker
That's where there still is, I think, that silent cyber risk for both parties, right? The carrier not realizing or not seeing that there's this risk that may cause them large aggregate risk. And then on the end user and the insured side where I might be triggering an exclusion, but I think I have done or thought I have done all the things I should have been doing. And I think those are the things that the global we need to improve a lot to get alignment between those two points. Yeah.
00:45:15
Speaker
Absolutely. Well, that's Kirsten. I mean, in my mind, I think you've covered like a really good gamut of where you guys are positioned. I really appreciate what you said about how there's room for
00:45:39
Speaker
warranty and insurance and that you got, I mean, it's not like you're just saying it here. It's clear to me that you all have taken that stance with your product offering, right? Yes. Um, and so, you know, I do, I do appreciate that. And I would like to, uh, you know, try to assist in, in educating, Hey, how, you know, how can we educate everybody on
00:46:06
Speaker
Uh, the fact that Cysurance is not just saying, Hey, cyber warranty is here to replace cyber insurance, but it's here to, um, to supplement it. Right. And, um, I would like to clarify one that actually brings up another point, uh, clarify one thing you did allude to, um, the cyber warranty, having like a lower deductible and like an easier way of accessing.

Warranties in Coverage Strategy

00:46:33
Speaker
Are you.
00:46:34
Speaker
Is that saying that the cyber warranty is primary in responding? What we think about it is it's somewhat
00:46:45
Speaker
of an excess layer in a certain sort of way. So I guess the answer, in insurance parlance, is it depends, since it's the only definitive answer we can ever give. Often, and the reason why it depends isn't because it's our preference, it's really the preference of a carrier if we have the warranty with an organization with a different insurance policy.
00:47:06
Speaker
And so in those instances, what we have found is that we act in a deductible buyback kind of role. So we're sort of in tandem, but we're first dollar in until the guy exceeded that or exceeded their deductible or that there are supplements in a policy where we're supporting or a co-insurance feature or something else. So it's more of a tandem
00:47:35
Speaker
implementation for outside carriers. In the instance of when it's bundled with our insurance policy, we're first dollar, but the whole policy, we're part of that policy. And so we're responding as the insurance policy and that we're the first dollar in. Yeah. You bring up something interesting there because you mentioned excess and that kind of gets me thinking like,
00:47:59
Speaker
You know, something that an insurance broker is absolutely vital on is making sure that there's a strong policy form and primary so that they can get excess layers and building those limits, right? And that's a big driver for insurance purchasing behavior, right? I want to do business with Walmart and they're requiring $10 million in coverage.
00:48:23
Speaker
All right. Have you guys been running into any issues there? Travis, I don't know if you want to chime in with anything surrounding that, but. Yeah, I don't have anything good to say right now, so go ahead.
00:48:39
Speaker
Yeah, you know, the towers are critical, and so it helps a little bit also in creating that tower so that there is a little bit of augmentative coverage that helps them continue to build. I mean, but we're seeing the same thing. The bigger challenge we see isn't the ability to provide the capacity and fill out the requirement.
00:49:01
Speaker
It's more the organization who is $8 million in revenue and needs a $10 million policy. And so often we get in the situation of trying to help negotiate on their behalf that like in the realm of physics, this isn't possible. So when I was a retail agent, I focused a lot on venture capital, private equity risks and their portfolio companies. And naturally a lot of portfolio companies are
00:49:31
Speaker
800,000 in revenue and they need 10 million in limits. And so that, um, those always interesting going to bat for them with a carrier like, Hey, so this is kind of awkward, but, um, I need 10 million in coverage and the company just started last year. Um, but then it's awesomely big deal with this really big company and it's not, it's promise here. I promise.
00:50:00
Speaker
Yeah, I can see how that's a big thing. I would be interested to see that happen in practice because we have these conversations all the time as a wholesaler with carriers like, hey, will you be willing to sit on top of this policy? It's just something that is always a conversation like, have you ever had any pushback on that or has that ever been an issue?
00:50:28
Speaker
No, we really haven't had that challenge. And we're fortunate to have a lot of support in the market for building those excess layers. And mostly, we're still seeing fives and sevens. The tens are not as common, thankfully. And as you well know, the biggest challenge is the market just not wanting to put that much
00:50:52
Speaker
capital to work in most instances. But we're seeing that softening as well, those broader towers. But the healthcare sector particularly, we saw a lot of pushback where we had organizations with $10 million and the most the carrier is willing to do is six
00:51:09
Speaker
And they were writing 150% increase per million on that six, on each million of that six. And that's when people really start to go, well, what do I do? And that's how often we get involved in those discussions is, well, I'm going to go get better security because that will help. And so we want that to be true. Got it.

Future of Cyber Insurance and Collaboration

00:51:29
Speaker
Well, Kirsten, thank you so much for coming on here. It was a pleasure speaking with you. Likewise.
00:51:38
Speaker
And if people want to reach you or reach out to Cysurance, how can we do that? You can go to cysurance.com and there's an info sheet that you can fill out and reach out to us. And if there's an opportunity for us to put something together and work together to
00:51:59
Speaker
bring something to the market or educate the market together, I would be certainly open to that as well. And if there's feedback from those listening of the things that they would like to hear more about, we would love to hear that too. So we want to be transformative to help organizations be more secure, to help the brokers do better in helping to support their organizations with helping them understand why it's so important to have cyber insurance because there's still a massive opportunity.
00:52:27
Speaker
You know, I don't know, there are many out there who don't realize that cyber is the fastest growing element of the P&C market and that by 2030, I believe that cyber will eclipse the total written premium of all other P&C lines. So it's here to stay. Let's figure out how to get this done and make it something that won't be remaining hard market forever.
00:52:48
Speaker
Yeah, absolutely. And that's a shout out to Barry on, if he ever listens to this. I don't know if you know Barry Rabken, Kirsten, but he thinks that cyber insurance will be eliminated soon. So he thinks it's going to be gone, which is interesting. I obviously completely disagree. And I actually think cyber insurance is the most insurable line of insurance that we've ever seen. So yeah, thank you again.
00:53:18
Speaker
Is that an open invite for brokers to reach out to you? Absolutely. Absolutely. Yes. Okay. Awesome. Well, Kirsten, I'm sure we'll be seeing each other around. I hope so. Thank you again so much. And hopefully we'll reach out soon. Well, and thank you for the opportunity to have this discussion and really look forward to being able to share more ideas in the future. Absolutely. Thank you. Thank you.