Introduction and Guest Introduction
00:00:19
Speaker
Welcome to the InsurSec Podcast. You have your hosts, Ryan Dunn and Abe Gibson, where we get to talk to cyber insurance professionals and cybersecurity professionals about
00:00:31
Speaker
the market and what new things are coming about and the intricacies of their backgrounds. Today, we have Mr. Brian Mahone, the cyber specialist over at EHD. Brian, why don't you introduce yourself to everybody? Sure thing. Thanks, Brian. I'm Brian Mahone. I'm a cyber insurance counselor at Engle-Hambright & Davies, EHD Insurance. We're actually
00:00:55
Speaker
a 127-year-old retail insurance agency, kind of a regional player in South Central Pennsylvania. So I'm coming to you guys from my home in Lititz, Pennsylvania. That's awesome.
Importance of Pennsylvania
00:01:10
Speaker
Brian, when we first met, you mentioned that you guys were based out of Pennsylvania. I mentioned Alta's partners that we worked with. They're somewhere, I'm forgetting their town right now,
00:01:26
Speaker
I didn't really realize how large Pennsylvania is until we talked about it. It's actually somewhat of a large state. Oh yeah. I have family from like Allentown. I don't know if that's you, but, um, I know Abe has ties to Pennsylvania as well. Yeah. I grew, I grew up in, uh, the Lehigh Valley in Nazareth and had to always travel to your, your neck of the woods to, uh,
00:01:51
Speaker
to win the state wrestling championship. Um, so it's a, it's a big, it's a big state. Got family in your area. Is that where you're originally from? So I'm from Wilmington, Delaware. So that's like basically South Philadelphia. And, uh, yeah, I spent some time out in Cincinnati, Ohio. Um, my girlfriend and now wife moved with me and she's from Franklin County, Pennsylvania, a little small town called Mercersburg. It's in between.
00:02:18
Speaker
Chambersburg, Pennsylvania, and Hagerstown, Maryland, right on the Mason-Dixon line. But yeah, now we're in Lancaster, which is, I'd say the furthest possible suburb of Philadelphia, if you could even call it that. It's kind of its own place. But we're on the Amtrak line, which is great. And yeah, the Pennsylvania Turnpike. So EHD has always been headquartered here in Lancaster, but we have regional offices in Wyomissing, which is like the Reading area, kind of up northeast towards Allentown.
00:02:48
Speaker
And we have an office out in Exton, which is a much closer suburb of Philadelphia and then an office outside of Pittsburgh in Cranberry Township. So we're, yeah, we're micro focused on Pennsylvania, but yeah, we do business nationally and even globally too. I have some customers in the UK and Germany, not so much in Asia, but mainly Europe.
EHD's Industry Focus
00:03:15
Speaker
Really cool. I would, I could be wrong here, but do you guys have, do you guys work with any kind of like logistics clients? Because I just remember I moved from Pennsylvania probably about four years ago. And I just remember it was just warehouse after warehouse. It's just like a sea of warehouses. Yeah. Interstate 81 is like the trucking corridor that like connects the Midwest to like,
00:03:42
Speaker
the Mid-Atlantic, New England region. So yeah, Chambersburg, I mean, you'll just see warehouses and warehouses and warehouses, and then up towards the Harrisburg area. Our agency, I wouldn't say is dominant in trucking. We're generalists, broadly speaking, but we're like a fifth construction, a fifth professional services, a fifth public entities, a fifth education kind of K through 12.
00:04:11
Speaker
And then maybe a fifth manufacturing is how our book as an agency breaks down. I think there's 40,000 independent insurance agencies in the country. We're a number like 95. So we broke top 100 a few years ago.
Brian's Journey into Insurance
00:04:28
Speaker
So, but yeah, I mean, you've got to be pretty in the weeds if you're going to specialize in trucking insurance, which we have one producer out in Exton who kind of had a background in like livery services, like he did a lot of like ambulance service companies, taxi companies, limousines, and you know, Uber kind of crushed that industry.
00:04:52
Speaker
Yeah. How did you, how did you get into insurance? I'm always curious about everybody's story. Oh yeah. You know, it's, Oh, my dad was a producer or Oh, I like stumbled into it. And
00:05:04
Speaker
I was comfortable into it story. So yeah, I'm a Delaware guy. I went to University of Delaware. My senior year actually studied abroad in Australia. And it was a business trip, right? So, you know, they had these big executives come talk to the class from DHL and Salesforce. And one of the guys that came and talked to us
00:05:25
Speaker
was like, oh yeah, I just invested $50,000 of my own money in this little startup called Avatar Brokers. And I was like, oh cool. I was an entrepreneurship major so him and I kind of hit things off and I asked him some weird questions of like, how do you sell something that's abstract? And he kind of exchanged information and we started Skyping back before Zoom and Microsoft Teams were a thing. Skype is real big in Australia.
00:05:51
Speaker
So he kind of introduced me to his team and made me an offer I couldn't refuse. So the day after I walked at graduation, I got a U-Haul and I drove to Cincinnati, Ohio of all places. And I was the number two hire of our US subsidiary of Avatar Brokers. So Avatar was
00:06:14
Speaker
a boutique retail insurance agency in Australia. I think they represented like 40% of publicly listed companies on the Australian Stock Exchange, which is very different than the New York Stock Exchange or whatever.
00:06:32
Speaker
uh, and they had a focus on life science. So apparently these scientists, computer geniuses, whoever they were would go to Australia, take advantage of like their research and development tax incentives and develop their, you know, their sleep apnea medical device or their pharmaceutical or their biotech startup. And once it got approved, they'd come to the US to sell it because like the size of the Australian economy is like the size of like
00:07:01
Speaker
Ohio's economy or something like that. So Avatar in Australia was basically losing all their customers once they would grow and move to the US. The insurance programs were basically flip-flop. So we were handling incoming referrals from Australia and they could set up and
00:07:23
Speaker
you know, like Medical Device Alley in Minneapolis, or they could set up in, you know, the bio manufacturing space in Maryland, or they could set up, you know, in Kendall Square in Boston. So, like, we did business all over these little innovative hubs, even though we were in Cincinnati.
00:07:38
Speaker
And then my partner David, the gentleman who ran the US subsidiary alongside me, I basically was his apprentice, learned everything he knew.
Working at Avatar Brokers
00:07:50
Speaker
I mean, we did, yeah, you know, renewals, certificates, endorsements, new business. We did the accounting, the operations account, the, you know, finance accounts.
00:08:01
Speaker
or the agency account dealing with our commission statements from carriers. He was a veteran. He's a very unique person. You should have him on the podcast. He had four eight-year-old boys at the time. I think they're now maybe 13. He had triplets when he was 18 and he was actually in
00:08:24
Speaker
I think, not Operation Iraqi Freedom, but he was in like Mosul in like 2001. So he has a bunch of crazy stories from that. And yeah, lost a lot of friends. But we, the other side of the coin other than the life sciences in Australia is we were right down the street from Wright-Patterson Air Force Base in Dayton, Ohio. So we got a lot of, you know, government contractors, software,
00:08:50
Speaker
you know, weapons manufacturers, weird, you know, tech and life science business. How do you insure someone who is creating a gun that shoots drones out of the sky with, you know, invisible rays, like things like that, right?
00:09:08
Speaker
So virtually all of our clients had cyber at the time, and that was five years ago or seven years ago. So that's how I got into the industry. Very weird, I know. That's amazing. Yeah, that is amazing. I can really relate to your experience in writing super interesting risks. The firm I work for, Cothrum down in Fort Lauderdale,
00:09:36
Speaker
very similar thing. We were with Florida Venture Forum and writing nanotechnology and life science companies. It kind of speaks to how cool insurance is because you get to learn about these really fascinating industries.
00:09:54
Speaker
that you really in any other job or just going through life, you really wouldn't have the opportunity to learn it because Brian, I don't know about you, but I had no interest in joining a nanotechnology company or a space laser company.
Business Models and Learning in Insurance
00:10:10
Speaker
So I think that's super fascinating. And I think people should speak about that stuff more. 100% agree.
00:10:18
Speaker
Today, I could be interested in aviation and go chase aircraft owners and hangar companies. Next week, I actually really like that restaurant I went to and started to get interested in hospitality. I'm going to call on hotels or restaurant owners, liquor liability and all that.
00:10:39
Speaker
So, yeah, we, my business partner, Dave and I would always say like, a career in insurance is almost like a career and, and all and a little bit in all businesses because you learn different business models, like some of these, like tech startups, like they were, you know, traditionally like, Oh, I'm gonna do my family and friends seed round, and I'm gonna go do a series A and a series B, and we're gonna go IPO. And like, that was what they were trying to do. And then other ones were like,
00:11:08
Speaker
We just operate off grants. We apply for these grants and that's our revenue and that's what we do. Other ones are like, we're going to develop the IP here and then we're going to flip it and sell it here. All sorts of different business models or just weird use cases. We had one company in Northern Kentucky
00:11:31
Speaker
It was a biotech company and some physician or researcher figured out some biotherapeutic process where I think it was pancreatectomies where you have to get your pancreas removed for whatever reason.
00:11:49
Speaker
And then you have side effects lifelong after not having that organ. He could somehow take out the isolate cells from that organ, do something to them, and then put them back in the patient post-surgery, and it would improve their quality of life long-term.
00:12:08
Speaker
like that was a really weird risk and like where exactly does the medical malpractice come into play like they're not really touching patients but like their people could have been in the room during the surgery like pointing a laser pointer and like guiding the actual surgeons so it's like very you know fine line of like
00:12:34
Speaker
When does med mal trigger? Like, when does, you know, like contract manufacturers, like when do they need, you know, like there's very nuanced things. And the part that I liked about it is these people are geniuses and they have, like, you know, PhDs from Johns Hopkins and things like that, and they don't know shit about insurance. So you need to like
00:12:56
Speaker
teach someone who is, you know, is very smart, but they're like not business and insurance smart. So it's, it's, it's cool to kind of flip the script
Challenges in Retail Brokerage
00:13:05
Speaker
on them. And usually they're really grateful when they, when they get someone, you know, that gives them good advice. Yeah. And it kind of reminds me that the position of the retail broker is.
00:13:19
Speaker
Not only is it so important, but I just have a lot of respect for retail brokers. I mean, I was one at one point, but I was just kind of an idiot. Um, but there are so many smart retail brokers like you that actually, um, the ability to like work with a client that, you know, going in, you have no idea maybe how they monetize their product or how they create their product. And then being able to analyze their business and find, you know, what exposures they have is.
00:13:49
Speaker
When you're doing stuff like that, you're not just a salesman, you're really a consultant. It's really impressive when you see people with that ability, in my opinion. I think it's a real talent. When I was a retail agent,
00:14:14
Speaker
I mean, I specialized in technology type of, you know, SaaS businesses. Obviously I had like a few life science type of stuff come in and a few different other verticals, but when life science would come in or some industry that I wasn't extremely familiar with, I would struggle with like finding out what were the particular risks associated with that business. And I think it is a,
00:14:43
Speaker
understated talent that retail brokers have of being able to go to a business and say, Hey, I know you're thinking this might be your risk profile, but we're not including these three or four other factors that we should be accounting for. Right.
00:14:59
Speaker
Yeah. And we have tools that help us, but the best way to learn, I think in this industry is more of an apprenticeship model where it's like, hey, I'm the tech and life science retail agent. I've been doing this for 10 years and bring someone in and just, hey, you're going to learn on the fly. Just shadow me every day for a year.
00:15:19
Speaker
It was a great education in that regard versus, oh, I'm going to go get this designation or, oh, I'm going to use, you know, Zywave's Broker Briefcase or something. You know, those things are supplemental, but I don't I don't think they're kind of core to to do what we do. So I've worked at, yeah, three different retail shops, all very different in three different states in the last like 10 years. So, yeah.
TechAssure and Knowledge Sharing
00:15:48
Speaker
What was the retail shop in Cincinnati? What was the name of that? It's called Avatar Brokers. We were part of a group called TechAssure, which is a non-profit
00:15:59
Speaker
organization of various tech and life science specific retail brokers. So it was a global organization. So we were the US subsidiary of the Australian member of TechAssure. Nice. Ryan's smiling. What the hell? We both were part of TechAssure at the same time. Okay. I mean, I was there five years ago, you know, and I was part of the community. That's wild.
00:16:27
Speaker
Yeah, Garrett Georgi was the director at the time when I was. Yeah, he's at IMA now. And I'm really on it. I was going to say, you know, you were mentioning tech and life sciences and I'm like, this is exactly what I was doing. You know, TechAssure, they're a great community, a lot of
00:16:49
Speaker
really smart agents and agencies are involved in that group, so huge proponent of them. Yeah, I agree. I like them a lot. Yeah, so they would kind of do biannual conferences from what I'm remembering, and they would switch up the geography every single time. So I think I went to, yeah, Scottsdale, Arizona for a few days, and Nashville for a few days. I think most recently they were somewhere in the UK.
00:17:18
Speaker
Yeah, they were in Italy. It's a knowledge sharing group, right? So they're just sharing best practices and tips and tricks and they have, yeah, you know, certain insurtech companies maybe come in to give them presentations on the latest and greatest or wholesale brokers or carriers or whatever. So yeah, it's a good group. I always love their events and the folks there. I think you hit the nail right in the head when you were saying,
00:17:47
Speaker
You know, it's not about the designations. It's not about, you know, the Zywave broker book, you know, whatever that was called. And it's all broker. Like that stuff. You can't learn insurance from reading.
00:18:05
Speaker
You can only learn it from practice, and the only way you're going to practice is being part of an agency that's going to throw you in the fire, but also potentially have somebody that you can learn under that's going to guide you in how to analyze risk of a business and what policy forms respond to a certain type of risk.
Unique Cyber Risks
00:18:24
Speaker
I had a virtual reality goggles company that I would insure, and they were in hospitals, and it was so that
00:18:34
Speaker
uh, doctors from all around the world could train. And with, with medical technology, if you're in Australia, you can be training with the group that's over in Florida. Right. Right. Yeah. It's a very unique risk. Super unique. And it was, what was odd is that you'd think cyber tech, you know, would be, um, but there'd be a physical harm potential there, but we also added it on the GL policy.
00:19:03
Speaker
Which was, you know, I would have never thought of that if I was just, you know, I obviously had Kevin who was helping me with that. Kevin Purvis, who's a managing partner at Cothrum, he identified that, but I would have never thought of that. And so it kind of just speaks to what you're saying. Like you need to work with people that are extremely brilliant, have been in the industry and can help guide you a little bit in analyzing that risk.
00:19:27
Speaker
Definitely. Yeah. It always reminds me of, I use, always use this claims example in cyber where you have like a dialysis clinic and they have all this, you know, equipment hooked up, uh, to the internet or, you know, runs technology that's crucial to their business. And if someone's in the middle of a dialysis treatment and they get hit with a cyber attack and that treatment stops, you know, causes bodily injury or death, like your GL policy, you're going to pick that up.
00:19:57
Speaker
No, but your cyber policy could if it, you know, has some bodily injury coverage in there. And like, you know, if you're not in health care, do you care? Like, could you think of an example where that would actually happen? Like, I was talking about this with an IT company the other day, and they're kind of like, you know, I'm gonna go with the less robust, less expensive option. Not that I recommended it, but always, always kind of, you know, put
00:20:24
Speaker
as a retail person, put the options on the table and let the business owner decide. If you want to go all out and pay five or ten grand more and know that that's there if some crazy thing happens, even though it might not.
00:20:38
Speaker
pay more, go for it. But I never try to say, you know, a hundred percent, this is what you should do. Say, Hey, we went to 15 markets, four of them quoted. Here's the numbers. I analyze the best two. Here they are. Let me know what you think. Yeah. It's almost like a, sometimes whenever I would speak to a client in the beginning, I would say, there's two buckets we can go into.
Insurance Options and Risk Tolerance
00:21:03
Speaker
There's bucket A, which is a piece of paper.
00:21:08
Speaker
You'll meet all track limit requests, but it's a piece of paper or bucket B. We're actually going to go get coverage. Like what are you thinking here? Right. It's going to greatly affect how we market it, what we need to do. Um, so yeah, I think that's a great approach to, Hey, here are two great options that we analyze. You can choose how risk averse you are. Right. Where did you go after Avatar?
00:21:35
Speaker
So yeah, Avatar, and they're still in business in Australia. They ended up divesting the US business. We probably made some decisions where maybe they weren't the best. We ended up buying into Applied Epic with a two person shop. It was like $30,000 and that was a waste of money. We ended up...
00:22:00
Speaker
One of our biggest customers did an IPO on the, I think on the NASDAQ and, you know, their board made them go with an Aon or a Marsh or a Gallagher. So that was, that was challenging and my partner kind of wanted to go do other things more connected to the veteran community. And my wife was actually sick at the time. And partly we bought a,
00:22:27
Speaker
duplex that was like from like 1923. And, you know, it had horsehair plaster and, you know, old, old,
00:22:36
Speaker
knob and, you know, knob and tube wiring, like there was coal when we got new windows, like the guys that came out from installing the windows looked like, you know, they went in a coal mine because it used to, you know, be heated by coal. So, you know, she got sick, but the house didn't help. So we just needed to get out of there. And I ended up actually, I think I found them, I just like,
00:23:00
Speaker
Found my favorite carrier's website at the time, the Hartford, and just looked up all the agents that were appointed with them.
00:23:07
Speaker
And we ended up moving, I don't know if either of you are skiers, but I lived in Whitetail Ski Resort over COVID. It's in Pennsylvania. It's certainly not north enough to get a lot of snow, but it's a good place for the bunny slopes for learning. But my mother-in-law actually had a spare condo there that we lived in for like nine months.
Impact of COVID-19 on Work and Life
00:23:29
Speaker
So I commuted across the Mason-Dixon line every day
00:23:34
Speaker
Hagerstown, Maryland. So I was working that I-270 innovation corridor stretching from Washington DC out towards Rockville and Bethesda and Frederick. We actually had an office in Frederick I went to a lot of the times. It was called Keller Stonebraker at the time. Now I think it's called Blue Ridge Risk Partners. It's a private equity Broad Street partner backed
00:23:58
Speaker
agency in that region. So there, yeah, you know, they were basically like, do Randy Schwantz, I win wedge program, here's your laptop, here's your computer, go for it. And $0 book. And, you know, two months into it, COVID shut down the whole country. I'm like, you know, calling all these phone numbers that basically are not going to go anywhere for years.
00:24:24
Speaker
You couldn't get people's cell phones or at least we didn't have, you know, ZoomInfo or any sort of prospecting tool to scrape cell phone numbers at the time.
00:24:32
Speaker
And yeah, I'd be walking through these Class A office building lab spaces in Rockville, Maryland, and no soliciting signs everywhere. And it's just a ghost town. So that was fun. And we didn't want to live there forever. So my third agency, I finally
00:24:57
Speaker
I picked the geography before the job the third time, and my wife, she's actually a scientist, so she landed a job during COVID, working on the COVID vaccine. There's a company here in Lancaster. It used to be called Lancaster Labs. It got bought out by a company called Eurofins, so she was in their medical device safety testing department, so she did
00:25:19
Speaker
a lot of physics like, you know, if you put this drug in this packaging and put it in an airplane, will the pressure affect the drug and, you know, cause people to get hurt and stuff like that. So their customers were, yeah, big pharma. And that's what moved us to Lancaster. And I didn't want to keep driving two and a half hours to Maryland.
00:25:42
Speaker
And I ended up living in an apartment across the street from EHD's office. And I was like, oh, hey, like, there's EHD. Like, I talked to them years ago when I worked in Ohio and stars kind of aligned and, you know, they had
00:25:56
Speaker
People who had retired who were no longer there and some people who left, didn't want to, you know, commute back in after COVID. So, uh, yeah, I ended up having a kid buying a house and switching jobs all in like a six month period in like 2020. Yeah. That's amazing. That is amazing. Yeah. Add COVID to the mix of all of those major life changes. Um,
00:26:26
Speaker
Yeah, during a pandemic, right? Yeah. Yeah, that's fun. That's awesome. So when you got hired at EHD, did you have in the back of your mind or was there any sort of plan for you to be like the cyber guy or were you kind of hired to a generalist role?
Evolving Role at EHD
00:26:49
Speaker
So yeah, I was hired into what we call an SPU, small business unit, select business units, a lot of different agencies call it, but we basically split our commercial P&C department, 10,000 in agency commission above and below. So I'm in the group that does below. I'm allowed to go over, but the guys in the larger group can't go under. So that's kind of how that works. So, you know, I do.
00:27:15
Speaker
I got a $100,000 book and I'm like, oh, grow it. And I typically do like $70,000 in new business a year and there's all like agency commission. So it's like tripled or whatever.
00:27:28
Speaker
So yeah, I do certificates, endorsements, renewals, new business. And yeah, I've always had this kind of professional services, white collar focus. Like I don't, I don't call on contractors. It's just not my thing. And, uh, during the pandemic, we kind of just started getting all these questions from our, you know, 30 or so large commercial producers all across the state from their clients of like, you know, what the hell is MFA and like,
00:27:53
Speaker
Our people are working from home now. Is there anything we should consider? I just heard this company down the road from us got hacked.
00:28:04
Speaker
Clearly, in the news, it got very trendy. I kind of raised my hand and was like, you know, EHD, you've been in Amish country for 100 years working with manufacturers and construction companies like I've been doing the exact opposite. I know cyber.
00:28:26
Speaker
So it kind of started off where I did some trainings for like our internal producers and account managers and then it kind of evolved into more client
Community Outreach and Partnerships
00:28:38
Speaker
facing. So like I've done
00:28:41
Speaker
webinars and lunch and learns to the local rotary club, the local chamber of commerce, local banks sales teams, partnering with a ton of MSPs. I actually own a site called Insurance for MSPs. So, hey, you chime in about all the great things you can do from an IT perspective and I'll chime in on the insurance piece.
00:29:03
Speaker
of a chocolate and peanut butter type of collaboration there. And even helping their salespeople answer questions about cyber insurance from their customers. So it's kind of evolved. Started doing a little bit of like co-brokering. We're like, hey, Brian, I got this referral. It's an IT staffing company. Like what the hell is tech E&O? I'm a work comp guy. I've done work comp for 30 years. And I'm like, okay, it's your account.
00:29:27
Speaker
you deal with everything and I'll just carve that little piece out and I'll deal with that. So that's, that's kind of how it's, it's evolved. Yeah. It's, it's not, uh, from what, Oh, and another reason that evolved, I actually went through Chubb and Carnegie Mellon's Cyber COPE Insurance Certification program in like, I think March of 21 or 22.
Roles within Insurance Agencies
00:29:51
Speaker
I can't remember. Um,
00:29:53
Speaker
So that that kind of like solidified it a little bit where, you know, I was in that class with a lot of like the Aons and Marsh and Gallagher folks. Woodruff Sawyer of just, you know, how do you structure this role at your agency? And I've kind of realized it's kind of one of two. You're either, you know, a producer and you just help out other producers as needed from a cyber role or you're just like,
00:30:21
Speaker
the cyber practice group leader and you have a salary and you do renewals and new business and the education piece. So we kind of decided to keep the cyber roles more of like a production sales type of person versus like a thought leader, you know, salaried account executive position. Yeah. Yeah. Um, the, I want to talk about the, the, the Chubb designation because I've,
00:30:50
Speaker
I've heard really good things and I don't want to put you on the spot if, if you didn't, but, um, I've just heard really good things about, um, the, the content and, um, kind of. Some people have told me that it's not like, like other kind of designations or programs from other carriers are like, you know, Hey, you know, here's some information, sell our product. Uh, and I've heard kind of the opposite about Chubb's.
00:31:19
Speaker
Yeah, I can talk about it. I wrote a little, I haven't written, I've been meaning to write a blog about like cyber insurance education, and I actually listened to your first InsurSec podcast with Mercy talking a little bit about that. Because it is kind of this black hole, and it's definitely becoming like more
00:31:43
Speaker
trendy or of interest.
Chubb's Cyber Insurance Program
00:31:45
Speaker
But yeah, I mean, the Chubb Carnegie Mellon program is great. I think it was like $5,000. I think maybe we paid half and Chubb paid half, which was pretty cool. I don't know who negotiated that or how that happened, but that was awesome.
00:32:03
Speaker
And I think it's like 100 hours of content. It takes about nine months to do it. It's hybrid. So there's like three, three-day in-person sessions where you actually fly into Pittsburgh and stay in Carnegie Mellon's campus. So they'll hook you up with a hotel. I think you have to pay transportation. And you get to meet everybody in the class, obviously, attend some outings and some in-person
00:32:28
Speaker
Uh, class content, and then in between those three sessions, and the last one's graduation, right? Um, you do, I think, a two or three hour, uh, week every Wednesday. Um, it was every week you do a class. And the content, like I always say, it wasn't, you know, Chubb is awesome and sell, sell Chubb and, you know, this is, you know, our nuances and have at it. Um,
00:32:59
Speaker
But it was mainly how do you talk to CISOs or CTOs or the IT director, however the company is structured from a technology leader standpoint, and what are the important things and what's the difference between information technology and operational technology and different risks. Different industries have different cyber risks and how do you figure that out and what are they?
00:33:25
Speaker
Um, you know, how do you do a cyber coverage gap analysis where you can go through a property and casualty program and lay out to a potential insured of your general liability, isn't going to respond, or maybe your, your D&O has a little bit, or maybe your property has a little bit, but it's missing these key things. How would a full standalone cyber policy fill those gaps? Um,
00:33:52
Speaker
So yeah, cyber risk analysis, cyber insurance gap analysis. What's nice is there aren't really tests. I'm a certified insurance counselor through the National Alliance. I'll have their certified risk manager next year. But those tests are hard.
00:34:09
Speaker
You know, here's an hour of content. Here's a 10 minute break. Here's an hour of content. It's three days and then it's the test. That's, you know, 20 questions and three hours long. Like the Chubb program, like it's pass fail, right? Like you have to put in the work, but it's not like, Oh, you got a, you know, a 71%. So you pass. It's just like, you have to do the assignments as their, um,
00:34:30
Speaker
by the due date and, you know, it's group work. Like I think I was with another retail broker in like Oklahoma, a Chubb underwriter and myself, like we were a little, you know, team project. So it's, it's, it's a lot like my, like the MBA program I'm in at Penn State where it's a lot of group work and it's, you know, it was more like a master's level certificate, um, not, not quite the same as like a designation where it's like you have this core topic and then you're tested on it.
00:34:58
Speaker
So out of the, I'd say out of the 30 sessions or so that we had, maybe three of them were like over my head with like technical jargon of like, holy crap, I don't know what's going on. But for the most part, they were able to like dumb down the IT terminology. So non-IT insurance people could understand it.
00:35:18
Speaker
but also dumb down some of the insurance terminology so some of the IT people could understand it. So you might not know this, but people who go through that program are also from IT forensics firms and privacy attorneys and credit monitoring companies. It's meant for everybody who would be in that cyber breach response world.
00:35:41
Speaker
That's fascinating. I was going to mention Mercy because on our podcast with her, she mentioned the Chubb program. I think cyber is actually different. I actually think that there are some good cyber education resources out there. This Chubb Carnegie Mellon one being one of them.
00:36:06
Speaker
And I'm a firm believer in continuing education. And I think, you know, people finding resources like that can be super helpful to them. Yeah. And I forgot to mention that. That's a good point, Ryan. The Chubb program does have a continuing education
00:36:23
Speaker
component to it where I think there are two webinars per year that you have to attend to keep the designation. I mean, there's no class or attendance or testing, but they do keep track of attendance. And yeah, we have, I think, a Slack channel where you can kind of stay in touch with everybody. Yeah. That's really cool. Anybody just signed you up for it, by the way? Oh, yeah, really?
00:36:50
Speaker
I was going to ask because I saw it when I first got into the industry, into cyber. I really wanted to sign up for it, but there's not like a sign up here button.
00:37:06
Speaker
They take applications once a year and then they let you know if you get in or not. So it is selective and I'm sure, yeah, being representing Chubb from a retail perspective certainly helps from an applicant's standpoint. But I don't know that for sure. I can only imply. Abe didn't see the sign up now button and his brain exploded. Not quite like Amazon Prime or whatever.
00:37:35
Speaker
Yeah, I wanted to email them and say I'm trying to pay you guys money, but I can't figure out how to do it. Well, kind of, you know, we're talking about cyber, but I kind of want to get into the
Cyber Insurance Market Insights
00:37:55
Speaker
market a little bit. So you
00:37:59
Speaker
Obviously, you talked about working with MSPs and then different kinds of subsets of different industries, primarily white collar. And you've been in cyber for a while, even back to Avatar. What the heck is going on right now? What is this? I don't know.
00:38:20
Speaker
I think people who claim they know are sometimes full of shit because like if you look at like I'll look at Coalition's, you know, data, and then I'll look at, you know, NetDiligence's and Chubb's and like,
00:38:35
Speaker
They all don't say the same thing. I always say it's like the big three. I mean, we're still seeing a ton of, you know, business email compromise, social engineering. Oh, shit, I clicked on a link type of claims, the cybercrime. I mean, there is still some extortion ransomware out there, maybe not as much as, you know, a year or two ago. But then at the same time, like, I'll see someone post something or something come from a wholesale. We're like, oh, it's up, you know, 70 percent over last year. And I'm like, oh, well, crap.
00:39:04
Speaker
I can say like what we're seeing oh and then like third part third party supply chain risk right like we that's kind of my top three that I always see we randomly and I don't know if this is geography specific or
00:39:27
Speaker
you know, maybe other folks are seeing this in other parts of the country.
Resurgence of Traditional Crimes
00:39:31
Speaker
We saw a lot of like, old school, like forgery and alter alter alteration, like check washing claims at the beginning, the beginning half of the year in our area, where like, I guess the cyber criminals, you know,
00:39:48
Speaker
weren't feeling like they were quite as effective, so they reverted back to more traditional crime, where people's checks were just getting swiped out of their mailbox. I even was walking with my son in my neighborhood and an old lady stopped us and said, oh, me and my husband were a victim of it. Don't pay people in the mail with checks. I'm like, yeah, lady, I've never done that.
00:40:11
Speaker
No, people, people still do it. So it's what's EHD is like, we have a pretty robust claims advocate department in house. And we split it by like, like workers comp and everything besides workers comp. And we have one person who mainly does, you know, 99% of the cyber claims. So like, I can just call her up and be like, Yeah, what have you seen the last like couple months, a couple weeks. And, and that's really cool. Those are the types of things she tells me.
00:40:41
Speaker
I thought you were going to say like full limit breaking losses or something. That's crazy that the physical checks makes me kind of nervous. I haven't been watching out for that kind of stuff.
00:41:03
Speaker
Right. And we have, I live in a neighborhood with like a shared mailbox. So there's like 10 mailboxes on like one post and I get, now I'm like, now I'm nervous. I know what you're talking about. When I lived in an apartment complex a few years ago, the mailman was like, I had the key with all of them unlocked and was like actively putting in mail and everybody slots. And I was like, Oh cool. Like, let me grab my mail. He like freaked out on me and like,
00:41:29
Speaker
you know, it's a federal crime and blah, blah, blah. And I was like, Oh, shit, leave to lock it back up to grab my mail. But that's crazy. So the beginning of the year, we are seeing a lot of that. I'd say the bigger thing other than claims is just like what we're seeing when our folks are trying to apply for coverage, like we still have
00:41:52
Speaker
a lot of manufacturers, a lot of government entities, a lot of community health centers around South Central Pennsylvania who still don't have MFA fully implemented.
Cybersecurity Challenges in Industries
00:42:03
Speaker
They still don't really have a robust phishing cybersecurity awareness training program in place.
00:42:11
Speaker
You know, they, they're like, oh, yeah, we're working on it. But like, it's not like 30 days from now. It's like, oh, yeah, we'll get it done by the end of the year or like we'll get it done next year. So that's, you know, and there, and there's markets sometimes you might slip away with like an AmTrust or a Cowbell or something like that. But I mean, the available markets dwindles immediately from, you know, 10 plus to less than three.
00:42:43
Speaker
Yeah, but I have seen some, I have seen some markets go back on it and last year it was a requirement and then now all of a sudden it's not. And that doesn't help your case when you're trying to advocate for, you know, better controls. And then it turns out like, well, I guess it's not that big of a deal because some of the insurance carriers aren't requiring it anymore. That doesn't help. Yeah.
00:43:11
Speaker
Yeah, I mean, I always tell folks, it's, you know, it's, it's, it's five things that are really determining your premium.
Factors Affecting Cyber Insurance Premiums
00:43:17
Speaker
It's like, you know, what do you do? What industry are you in? How much of it do you do? Like, how big you are? What's your revenue? Have you had claims? Yes or no. And if you have, like, tell us a story, like, about what happened and what you learn and why it won't happen again. Hopefully, it's no. You know, what's, how much data you have, what kind of data, PHI, PFI, PII, and
00:43:40
Speaker
What are your controls? And really, you can only control that last one, your IT controls and the process and procedures.
00:43:50
Speaker
It is all over the place, depending on the size of the risk in the industry in terms of what they want to see from a controls perspective. I'd like to see, and I think we will, a bigger emphasis on phishing security awareness training. I actually have kind of mentored a cybersecurity startup in that space.
00:44:18
Speaker
And it just has always seemed like the yin and yang to like cyber security, like, okay, like the belts, the belt and suspenders, like you get the cyber insurance, but like you also have to train your people to not click on shit. Because you can have, you know, a SIEM solution and MDR and EDR and 3-2-1 backups and, you know, you can be Fort Knox,
00:44:39
Speaker
you know, let's say, but you can still have like, somebody click on something, something gets through. So, you know, like, when I submit a cyber insurance application, and maybe I include, you know, their most recent monthly phishing test report of, you know, less than 1% or whatever, like, that should give me much favor more favorable terms from an underwriter. But like,
00:45:08
Speaker
The underwriters are like, I want my app and I just base everything off the app and my little BitSight. And like, I could send you, you know, your SOC 2 Type 2 report. I could send you your phishing test report. Like it doesn't move the needle when it, when it should. Um, which I know is a big thing that, that yeah, you guys are trying to change. Yeah. The human factor is so, uh, it's such an interesting
00:45:31
Speaker
problem there and it really unfortunately it comes down to repetition like you can't have quarterly social engineering testing it needs to be at minimum monthly it's just repetition of.
00:45:48
Speaker
OK, I get email. I see if it's the right address. Like, this looks funky. What do I do? And it's identification.
Phishing Awareness Tools
00:45:56
Speaker
And then, OK, I've identified this as suspicious. How do I handle it properly? I have the different scenarios there. And like this nonstop. When I was at Trava, we used a tool called Infosec IQ. OK. Pretty good. There's some interactive stuff.
00:46:17
Speaker
I haven't heard of that one. There's a ton of them. Yeah, KnowBe4 is like the big dog in the space. That's what we use at EHD, which I think is garbage from a personal perspective. I mean, there's, yeah, cyberconIQ. There's, I think there's one through what the name is, the company. I don't know. Everybody seems like they have one now. Yeah. Your selective insurance carrier that gives a little free trial to one. I forget what it's called.
00:46:48
Speaker
But I've always had this issue from like the insurance professional standpoint of like the black and white and like where do we draw the line where like I would love
00:47:01
Speaker
to run a phishing test on all of my cyber insurance. But when I do that, like I'm no longer a professional insurance person. I'm now a technology consultant, right? And like, I don't have techie, you know, I have agencies, you know, so like, the kind of
00:47:19
Speaker
trifecta and the match made in heaven that everybody's looking for is the cyber insurance, how you're accessing it, or the distributor, or the agent advisor, and then the technology, or the MSP, or the phishing awareness. Things that App A and AlphaSecure are doing are
00:47:39
Speaker
kind of interesting in that regard, where they're trying to kind of fill that void and like do all three, where it's like, I'm gonna insure you, I'm gonna advise you on cyber insurance, but then I'm also going to deploy some sort of, yeah, security tool to train your people. Well, I'm curious. So I, I saw, I saw screenshots of
00:48:05
Speaker
I could be wrong here, but I think it was the group behind the MGM attack and it was screenshots of how they approach phishing and there's just brute force violence.
Evolving Cybercriminal Tactics
00:48:22
Speaker
We're going to send somebody to your house and shoot up your family.
00:48:26
Speaker
If you don't give us credentials, right? Wow. That's kind of scary. I know, right? Because part of me is like, yeah, there's like these kind of like deceptive things that you train. Right. Like iPhone or whatever. Yeah. Yeah. But then there's another side. It's like, these are career criminals that are saying that they're going to come and shoot up my family.
00:48:52
Speaker
What do we do? What do you do in this situation? What would you do realistically if that happened?
00:49:00
Speaker
I have no idea, I guess. Report it to your IT director or your MSP. How do you know that that person has those capabilities? I mean, I know I have some friends that are computer nerds and they're like, yeah, man, like I've been like deep within the dark webs and like you can buy anything. You can buy an assassin. You can buy a bazooka. You can buy, you know, brass knuckles that are illegal or something like
00:49:29
Speaker
I guess if there's a will, there's a way, but at the same time, you have to put on your rational thinking cap. Like, okay, I'm a controller at a $10 million manufacturer in South Central Pennsylvania, and I get this email that somebody is going to murder me and my family if I don't give them my Microsoft 365 password.
00:49:50
Speaker
odds of them doing that are probably slim to none in like reality. But I don't know. I mean, you could get an employee that's, you know, maybe a nervous Nellie or anxious about something or they happen to watch, you know, some sort of crime show right before they came into work and they think that that's plausible. I don't know. But I do know that, yeah, these phishing campaigns, I have not heard of a brute force like
00:50:17
Speaker
deep violence one before, but usually they're just really sneaky. Like over COVID it was all like, oh hey, like, you know, new, they're releasing new test kits, like click here to get your free one from like the body administration, or Happy Halloween, it's October 27th, like free candy in the break room, like sign up here, like
00:50:39
Speaker
They're just humans are emotional creatures. And I think if anybody's taken a psych 101 class, they can kind of realize that it's pretty easy to trick us. I mean, like if you think about the physical version of that, if you like next time you're just with somebody, just grab an item.
00:51:04
Speaker
have an item in your hand and just, as you're talking to them, just hand it to them and they'll grab, like they'll, nine times out of 10, they'll just grab it and they'll be like, why am I holding this? And it's, you know, it's an email version of that or a digital version of that. It's like the break room one actually is pretty good. Yeah. That's why I just,
00:51:24
Speaker
you know, we, we talk about doing, you know, repetition in, as I said that I'm like, there's just, I still, it still doesn't make me comfortable. It doesn't make me comfortable from, even from a wholesale underwriting perspective. And if I had, you know, control of a book, it wouldn't make me comfortable as an underwriter for, for a carrier. And so I just feel like there has to be,
00:51:47
Speaker
something better,
Emerging Encryption Methods
00:51:50
Speaker
right? That I don't know if there's something out there or something's coming, but like something that, you know, if you were to have some type of business email compromise, it's a second layer, right? Yeah. I was, uh, you know, I'm, I'm not, uh, the IT control wizard, but I was talking to a company maybe six months ago, that was a startup that, um,
00:52:15
Speaker
spun out some IP from like Ohio State, and they had come up with a new method of encryption, where it's like, the encryption is down to the actual file. So if it was like a PowerPoint file, it's like the .ppt file. And it's almost like when you send something in Microsoft 365, like, oh, you know,
00:52:40
Speaker
Ryan sent you this word doc Brian, like click here to access it and you open it up. You have to type in your email and you know, type in the password. It almost combines like, like
00:52:51
Speaker
encryption with that technology. It can bound three technologies into one. It was encryption, access, and identity management were all combined. And I thought that was pretty slick, where even if the bad actor had my password and was logging in as me and spoofed the MFA token, every single thing on my system they would go to click wouldn't open.
00:53:21
Speaker
Because it was encrypted somehow, some way. I don't, I didn't fully understand. I think it was called like Anchor, Anchor Security. Yeah. No, I know Anchor. Yes. The file was anchored. They, they read the back engineer like a ransomware attack. So if somebody steal your data, they've already encrypted it in some manner where like they, they can't access it. Right. It's already encrypted in some way. Right.
00:53:51
Speaker
It's like ransomware for but on the good side. I really like their product, good people. Yeah, I thought that was really interesting even though I'm not like an MSP, I'm not in that space, but I was like, huh, like this just makes a ton of sense. Yeah, it does. It really does.
Biometric Authentication Technologies
00:54:09
Speaker
So yeah, hopefully there are going to be better things out there. Part of this, yeah, security conference I went to, you know, there's tons of vendors showing off their new tools. And there was another company there called Token. And he had these rings you would wear. So instead of, you know, something on your phone, like Microsoft Authenticator app,
00:54:29
Speaker
or some sort of token on your actual keychain or whatever, you'd wear this ring. So there's a biometric aspect to the MFA. So like Ryan couldn't take Abe's ring and put it on his finger and pretend he was Abe because the ring knew when it was on Abe because it was Abe's ring.
00:54:51
Speaker
It was kind of cool. Fingerprint or or something like that, but it was pretty cool. It was bulky. He was trying to get it down, but.
00:55:02
Speaker
Like you always see in doctor's offices, nurses will swipe their badge to let the computer let them on. Like you would just walk up and it would know it was you. Biometric wall, that's mega layered. No one, and even if someone swiped your ring, they couldn't put your ring on a BO. Yeah, because that doesn't biometric match. Yeah.
00:55:23
Speaker
So they're, you know, and like, that stuff's expensive. And like, you know, are the Googles and Amazons buying that stuff? Maybe. But like, well, me in South Central Pennsylvania, like my clients are gonna have that stuff. You got good old email based MFA. Yeah. Yeah. Like, firm believer in making your cybersecurity program dynamic and focusing on that.
00:55:50
Speaker
Um, rather than like, Hey, if I install this one tool, we're good. Right. I'll throw, I'll throw
Government Role in Cyber Risk Management
00:55:57
Speaker
a bomb out there. What do you guys think of the federal government backstopping cyber? Like they do like TRIA, like terrorism risk insurance. I think it's completely necessary. I like, I I've been.
00:56:12
Speaker
I'll put it this way. I think that maybe it's not government that gets involved and maybe this is something that has to go through government, but just like if you were to get a loan for your business and you had to put in some type of property controls, you have to do the same thing from a cyber standpoint. I think there needs to be more regulation pushed down from banks, pushed down from investors.
00:56:39
Speaker
pushing more security controls and maybe there's a government angle there as well.
00:56:44
Speaker
Yeah, I had a call from someone who was in the trucking industry, and I think they weren't a dispatcher, but they were more in sales consulting, helping people get more loads or whatever. And he was like, you know anything about cyber insurance? I was like, yeah. He was like, I'm starting to see it in contractual insurance requirements for the first time. And I've been in this business like 20 years. And it was just, yeah, dispatching loads in the trucking industry. I was like, huh, never would have thought about it.
00:57:14
Speaker
I mean, from the tech and life science industry, I see it all the time where it's like, oh yeah, I'm an IT staffing firm and I'm working with Deloitte or Computeraid or Comcast and they want me to have $5 million of tech on cyber. No problem, that makes sense. But yeah, just like when you go to get an equipment loan or you go to get commercial real estate.
00:57:41
Speaker
The bank wants you to have that property insured if it burns down. I think there's a case for a lot of different contractual relationships and
Cyber Insurance as a Contractual Requirement
00:57:52
Speaker
industries. Hey, million dollars of cyber, we're throwing it in there. I've even had, we handle a lot of A&E and franchises, the old pretzel shops, they're in like airports and malls and stuff. Like their corporate company was looking at maybe we should have all of our franchisees carry cyber.
00:58:11
Speaker
Um, so they're, they're starting to ask for it, but they're not starting to mandate it. So they want to know if you have it or not, but they're not going to enforce them to have it. So it's, I mean, our lives are the foundation of our lives and our businesses are is digital. Like there's no arguing against them. I don't care what business you're in. Like you have some type of digital component.
00:58:34
Speaker
that's operating your business. I don't see how the government doesn't get involved in this. It is directly correlated to businesses being able to continue employing people and staying afloat and it's a national security risk. I don't see how we don't.
00:59:00
Speaker
Potentially, we could probably have a whole other episode on this. I need to upgrade my Zencastr account because we're running up on the hour and it's going to cut us off. No worries. I don't have enough time to give my opinion, but we can save that for another show.
00:59:21
Speaker
As we kind of wrap up here in the last minute, and I apologize for being so abrupt, but where can people find you? How can people reach out to you and learn more about what you guys are doing and what you do individually at EHD?
00:59:37
Speaker
Yeah, I'm pretty active on LinkedIn, just under my name, Brian Mahone, and insuranceformsps.com, ehdinsurance.com, and brianmahone.com for various insurances. So yeah, I have a YouTube as well. That's, I think, just my name.
00:59:57
Speaker
Sweet. Sweet. Well, this has been a lot of fun. And like I said, we probably could have gone for, I was joking about four hours, but it kind of seemed like we could have gone for four hours. I do really genuinely love to talk about cyber. So thanks for inviting me on guys. Absolutely. We'll have to do part two or something, but yeah, I appreciate you coming on and, um, yeah, looking forward to getting this released.