Carpool Consulting - Cyber Insurance with Kyle Nichols
0:01
Kyle: a hacker will hack into their thermostat their IoT thermostat and they will crank up the heat and lock the owner out and
0:08
they will say if you don't get us
Sharon: Oh my God
Kyle: uh you know a Bitcoin or some sort of digital currency ransom payment we're going to
0:17
cook your house, yeah.
0:28
Sharon: Okay so my next guest is a managing director at Risk Strategies. He's worked in the insurance industry for 25 years
0:37
um and I see him so let's go see if we can get him in the car. Hey, you need a ride
0:45
ride
Kyle: hey Sharon fancy running into you
Sharon: how are you
Kyle: in my neighborhood
Sharon: very nice to see you
Kyle: or your neighbor our neighborhood
0:53
Sharon: both our neighborhood and I have a ton of questions for you
Kyle: fire away
Sharon: Can you tell us what cyber insurance is
Kyle: Cyber insurance is a policy that comes with a
1:03
suite of services to protect companies and individuals from cyber threats
Sharon: okay
1:10
Kyle: from hackers extortions accidental um release of information data all that
1:18
good stuff um and they have a component of first party. So if there's a claim they write a check to you or third
1:25
parties who who if they write a check it goes to not you, it goes to the Third third party who was injured or uh had
1:32
the claim happen against them
Sharon: so when we're talking about cyber Insurance most people think oh a cyber security
1:40
incident occurred
Kyle: right
Sharon: would it still apply to something that was a privacy incident? I'm talking more like um misuse
1:49
of personal information by the company that was collecting it
Kyle: oh sure, yeah
Sharon: so would that be covered through cyber Insurance
1:56
Kyle: there are coverage grants that allow for, to protect the company against such accidental releases
Sharon: okay
Kyle: uh for sure
2:05
Sharon: If you wanted to get Cyber Insurance do you need to prove anything to the insurance company like walk me through it
Kyle: yeah the
2:12
privacy posture the IT security landscape with and how the company operates uh are all looked at. How do you
2:20
handle and treat uh sensitive information uh do you have like when I say clean desk policy, it's like hey at night like where are these files going
2:28
that contain private information
Sharon: Right, okay they do like an assessment on you to determine you know whether you're worthy
2:36
of insurance like how does that work
Kyle: Yeah it's kind of like uh going to Canada's Wonderland you have to be this tall to ride
Sharon: okay yeah thanks I know what you're
2:45
trying to do, I know most of you don't know but I am very sure, so thanks for trying to bring that in Kyle
Kyle: no problem
2:54
no problem
Sharon: That was rude
Kyle: we go way back so we're fine
Sharon: yeah you have to be worthy of getting cyber insurance. Why is that?
3:02
It used to be really simple
Kyle: yeah uh we've seen a lot of losses take place
3:08
and insurance companies act on data so when they have all this information then they can start underwriting for it
Sharon: okay
3:17
Kyle: and asking those questions and then as you go into more what I would say crucial Industries like healthcare
3:25
technology data center type stuff um the underwriting gets uh pretty significant and so you do need, if I can do a little plug here, you do
3:34
need a broker who understands what is required in those Industries in order to get insurance but also get the best
3:43
insurance most appropriate insurance and the right cost coverage and limit in place
Sharon: right
Kyle: very shameful plug
Sharon: very shameful. Well okay all this talk is
3:51
getting me hungry and someone told me that when you're on a road trip you like team McDonald's
Kyle: yeah I do
Sharon: all right um
3:59
so we're we're at McDonald's um hi there what can I get you
Kyle: small coffee small fries
Sharon: That's it
Kyle: That's it
Sharon: What about Big Mac
4:07
Kyle: no way
Sharon: can we have extra ketchup
McDonald's: ketchup on the side
Sharon: yes please did she just ask me if I want a ketchup on the side
Kyle: yeah
Sharon: what what's my other option
4:16
ketchup on my fries? do they do that?
Kyle: no I no they
Sharon: then why did she ask me that
Kyle: I don't know
Sharon: that seems like a useless
4:23
question kind of a waste of time do insurance companies ask useless questions what what what one useless
4:30
question does an insurance company ask I know they do this for sure
Kyle: um I mean I'd like to say that all the questions have
4:37
a meaning behind them
Sharon: okay pretend none of your insurance friends are watching this
Kyle: don't worry none of them will watch this. I think sometimes they ask
4:46
questions to to get more information around the company that might appear as being useless but they always have a
4:54
have a they don't ask questions that don't have a meaning behind them
Sharon: so there's always a reason
Kyle: there's always a reason okay
Sharon: uh oh you're paying
Kyle: I'll pay
5:03
oh thank you okay
Kyle: it's the most I can do
Sharon: what's what's your password
Kyle: uh yeah password is
Sharon: no no okay
Kyle: I'm now insurable
5:12
Sharon: yes premiums um so they used to be extremely affordable
Kyle: yes
Sharon: um now it seems
5:19
like those premiums have gone up uh what is going on with that
Kyle: premiums are a function of the capital deployment costs
5:27
that insurance companies have and then they kind of narrow that down into industry and what the loss profiles look like and then down into the individual
5:36
company itself
Sharon: okay
Kyle: and how they're handling their cyber exposure
Sharon: can you negotiate premiums by the way
Kyle: 100%
Sharon: okay so how do you get your premiums to go
5:45
down, how do you negotiate that? like I understand okay you need to have good privacy posture or privacy security posture Etc
okay let's bust out the
5:54
fries um but how do you like it
Kyle: I have to get through all this ketchup that you car there's your ketchup with the side of
6:02
fries french fries, and coffee can't go wrong
Sharon: Privacy is like a french fry because
Kyle: it's the perfect complement for
6:11
your business meal it's that good
Sharon: I love that
Kyle: all right there you go
Sharon: um okay so okay how
6:19
do you so give us the tricks how do you um negotiate your premiums
Kyle: for someone who has never bought cyber before
Sharon: mhm
6:27
Kyle: are you are you putting ketchup on individual fries
Sharon: yeah how else am I going to do this in the car I wish we oh we do have napkins
Kyle: what we look for is
6:35
how do we show their policies and procedures and their history in the best light and what resources have they
6:42
committed to their IT systems and also what do they do to educate and train their employees
Sharon: so you you just have to
6:50
hide all of the breaches that you've experienced have
Kyle: if you haven't been breached um just wait for it, right
6:58
Sharon: So you're saying it's not a matter of
Kyle: if
Sharon: if it's a matter of when someone in your company is going to click on an email
7:06
from the prince of Nigeria
Kyle: correct okay that that's a great case scenario to say okay let's game this out
Sharon: okay
7:13
Kyle: If there was a breach what is your response; we establish what they do with their actual
7:21
IT infrastructure what would they do with their uh colleagues and how they train and educate them what I like to say is like the best defense against
7:29
cyber uh threats
Sharon: yes
Kyle: it’s a really well educated Workforce and a culture of risk awareness so it's the the front end and
7:37
then the back end right if there is a breach how are you protecting yourself how are you responding yeah and that's
7:44
Sharon: Yeah
Kyle: That’s one of the advantages of cyber Insurance because a lot of companies don't have a lawyer on retainer or a PR firm on
7:52
retainer
Sharon: yeah
Kyle: but the insurance companies do
Sharon: this is where we need to like have a conversation, when is it
8:00
a bad idea to call your broker when you may not be sure if you experience a
8:08
breach
Kyle: never a bad time to call your broker
Sharon: okay
Kyle: what we can do is let's suppose you think there might be a breach
Sharon: mhm
Kyle: but you don't know so what we
8:17
like to do is say hey there's a circumstance that may give rise to a claim that checks the box for notification
Sharon: okay
Kyle: and what they would do is then they would say okay give us as
8:25
much information as possible we would intake and manage the claim and probably get our client to
8:32
call. We would call them to the adjuster
Sharon: okay
Kyle: and lay out the circumstances and they would say Okay odds are it’s not a
8:39
claim but we're going to deploy resources to help you
Sharon: will your premiums go up in that situation
Kyle: well great question
Sharon: thank you
8:48
Kyle: um insurance companies believe it or not are there to pay claims right they are we have had
8:55
several insurers pay claims on Cyber
Sharon: so are you saying that that cyber insurance claims are paid
9:04
more than they're not paid do you have any statistics on this
Kyle: I do not have statistics on that. Tenai Moyo is our cyber
9:12
practice lead here in Canada she could probably tell
Sharon: not a shameful plugin she's actually awesome
Kyle: she is amazing
Sharon: okay here's another question for you
9:20
You experience an incident not necessarily a breach yet I report a breach to you or
9:27
an incident you're not contractually obligated to notify the insurer
Kyle: we would
9:34
take direction from you to say
Sharon: okay
Kyle: we have your authority to notify the insurer we would then discuss the pros
9:41
and cons of reporting it versus not reporting it
Sharon: do you have an obligation to report it to the insurer you must
Kyle: so,
9:49
Sharon: you can't keep it a secret
Kyle: well I mean you you can but don't expect to get coverage 3 months later when you're like hey we've tried to figure all this stuff
9:58
out we can't now we're going to claim against the insurance coverage
Sharon: you know tell me some examples of um breaches or
10:06
incidents that occurred that the insurance company refused to cover
Kyle: so willful negligence like gross negligence
10:15
Sharon: like what
Kyle: like telling us that you had multifactor authentication but in actual fact you didn't have it on certain
10:23
aspects of your business
Sharon: one more example
Kyle: like notifications, so delay notification so we have had incidences
10:29
in the industry where a client has tried to solve their own problem
Sharon: mhm
Kyle: and then 6 months later they say okay we have
10:38
tried to negotiate with this bad actor and you know they're not listening to us we can't get them the money we're going
10:47
to get you guys to pay for it now
Sharon: every time you submit a claim does your insurance go up your premiums
Kyle: uh not
10:53
necessarily but more often than not yes
Sharon: hey if you were doing carpool karaoke
11:01
which artist would you want coming in your car
Kyle: oh Bob Dylan
Sharon: oh that's a good one
Kyle: yeah
Sharon: do you know why
11:08
so many people love Snoop Dogg's presence?
Kyle: oh boy this is going to be bad
11:15
Sharon: why cuz he's a great rapper.
what I've never heard of Quishing
11:22
Kyle: yea
Sharon: I'm probably like the last to hear of it for those of you like no idea what he's talking about
Kyle: I'm going to assume your audience
11:29
is familiar with a QR code
Sharon: yeah I think
Kyle: so so you take your camera and you take a picture of a QR code and that enters
11:38
you into a different website a portal whatever and they'll say hey get a coupon. scan this QR code but behind the
11:46
QR code is actually malicious software that allows them to enter your operating system
Sharon: oh
Kyle: yeah and
Sharon: we're seeing more and
11:55
more QR codes like everywhere like menus QR
Kyle: yeah your your commercials on YouTube
12:03
right like they'll show an ad for a company or product and next to it is a QR code
Sharon: you're like on carpool Consulting and there's a QR code
Kyle: right
12:12
Sharon: yeah pull out your camera let's see let's see is he actually going to do this
Kyle: it's taking me to a verified email
12:22
address Rick rolls Rick rolls Playbook getting
12:29
Sharon: I hope you have insurance for that
Kyle: right this has been going on for years they find the most vulnerable uh place within the
12:38
network to attack
Sharon: okay
Kyle: and a lot of the times it's actually through the most unexpected ways. there was a um a claim
12:47
in the industry where um they came in through the um IoT connection of the
12:54
company's aquarium
Sharon: wow
Kyle: talk about fishing yeah
Sharon: Ha! oh
Kyle: yeah we we've seen that and like you know HVAC systems, the
13:02
Target hack ages ago actually came through their provider so when we when we have subcontractors who are going
13:09
into large Fortune 1,000 companies they get a a request for insurance right they say they send it to us we review the contract and it says oh you need to
13:18
carry cyber insurance and they're like but we just we're hammering Nails right
Sharon: yeah
Kyle: and but the company is so concerned that if they ever plug into a system
13:27
that they're not covered
Sharon: so so we're going to play a game this is going to be so easy for you. don't look at it all right. on a risk rating from 1 to 5
13:36
one being the lowest five being the highest risk
your IT guy naps through every cyber security training session
13:44
because he says hackers would never dare target us do we call this optimism or denial
Kyle: ignorance is bliss
Sharon: what's that
13:53
Kyle: it's denial denial
Sharon: so how would you break this you did talk a lot about like the awareness the culture and the training
Kyle: yeah it's a five cuz cuz that's
14:02
part of the culture and it comes from leaders within the organization and leaders of that IT department
Sharon: Absolutely
Kyle: if they don't take it seriously
Sharon: no one will.
14:09
Kyle: why should they
Sharon: yeah all right here we go your office toaster gets hacked because it's connected to the company WiFi and now it's emailing ransomware
14:18
demands to HR; is this a crumb size risk are we looking at a full loaf of one
14:25
Kyle: you're looking at um a full loaf of risk oh yeah and who buys an IoT
14:32
toaster
Sharon: don't shame those people
Kyle: don't yuck my yum
Sharon: yeah yeah okay thank you Kyle this was thanks for the pleasure
14:41
Kyle: Thanks for the lift and for the french fries and for the coffee
Sharon: thanks for covering it all
Kyle: yeah why am I thanking you
Sharon: yeah I don't know
Kyle: well you remember my password
14:50
Sharon: right yeah safe with me
Kyle: good
14:54
[Music]