Cybersecurity: Amplified And Intensified

28 - Cyber Insurance & Loss Prevention with Joseph Brunsman

September 06, 2021 Shiva Maharaj/Eric Taylor/Joseph Brunsman

Joseph Brunsman joined the cyber and professionally liability realm in 2015 after serving as a Lieutenant in the United States Navy, working as an Anti-Terrorism / Force Protection Officer responsible for a billion dollars of equipment and 280+ military personnel. Prior to that he served tours as a Combat Information Center Officer and an Electronic Warfare Officer. During his enlisted time he was an Information Systems Technician dealing with Unix database management and network security.

Joseph is a 2003 graduate of New Mexico Military Institute and a 2010 graduate of the U.S. Naval Academy in Annapolis, MD where he obtained a degree in Systems Engineering with a focus on robotics system interoperability. He is the resident expert in cyber law, insurance and compliance—writing 2 consecutive books on the subject.  He enjoys Jiu-Jitsu, powerlifting, business theory, and biohacking.

Joseph Brunsman
www.youtube.com/josephbrunsman
https://www.thebrunsgroup.com/
www.thebrunsgroup.com/book2

Eric Taylor
https://www.linkedin.com/in/ransomware/
https://twitter.com/barricadecyber
https://www.barricadecyber.com

Shiva Maharaj
https://www.linkedin.com/in/shivamaharaj
https://twitter.com/kontinuummsp
https://www.kontinuum.com/


Eric Taylor:

That's right. They need a better grip.

Shiva Maharaj:

Oh boy, it's gonna be one of those.

Eric Taylor:

Yes, sir.

Shiva Maharaj:

Good morning. Welcome to another episode of Cybersecurity Amplified and Intensified with your hosts, Eric Taylor and myself, Shiva. Today we have with us Joseph E. Brunsman. And he's gonna have to tell us what that E stands for. He is an insurance guy. And I know what you're thinking. We don't like insurance guys, but like, we might want to make an exception for this one. What's up, Joe? How's it go?

Joseph Brunsman:

Hey, so E stands for excellence.

Eric Taylor:

There we go.

Joseph Brunsman:

No, I'm just kidding. I wish my parents were. That would have been pretty awesome. No, it's Edward. But yeah, actually, I don't like insurance guys, either. So.

Shiva Maharaj:

So what brought you to being the insurance guy to the stores? And by stores? I mean, I guess the tech community and and customers.

Joseph Brunsman:

Yeah, so kind of long story short, former IT, got my bachelor's in robotics from the Naval Academy. Once I was getting out of the Navy, I was about 30. By that time, so I'd been in for about 12 years. And yeah, Eric knows, right, constantly being deployed, always gone. Even when you're home, you're working, you know, 10-12 hours a day, sometimes not super conducive to starting a family. So I was married, and it was like, Alright, I don't want to be like 50 years old, you know, some, like 50 year old O-6, with like, a four year old running around, you know, that would probably be the death of me. So that's when I decided like, hey, time to get out, go do something else. Well, my father in law, who's also an academy grad, he'd started an insurance brokerage. And so his idea was, Hey, why don't you come try this out? If you like it, stick around. If not, just go do whatever you want to do, right? Because I was like, I'm gonna go really want to do like med school or law school or something like that. Until I remembered how much I actually hate going to school. So I did a little bit of research. Turns out that the average insurance guy, they're actually pretty old. So they're something like 75% are supposed to retire in the next seven years. So I was like, a lot of my competition is gonna leave. And we're dying. Yeah, we're ty. And let's be real, right? Insurance people are not generally the smartest.

Shiva Maharaj:

So in terms of I know, none of what you speak, I've never come across an absolute idiot in the insurance industry. Never.

Joseph Brunsman:

I mean, like, if you just look at the psychometric scale, right? You look at just median IQ by profession, right? So like, when you start getting into, like computer science, technology fields, right, that's generally at least a standard deviation or two, above the median in the US. So now we're talking for technology people, right? 115-130 IQs. Right. That's why like, you can't just teach everybody how to program like, it's it's not that simple. The insurance community, where I'm at, my level, which is agent broker, business owner level, it's about 104. So that means like, if I in theory needed to hire somebody extra, I could pick anybody off the street, flip a coin, 50% chance they're gonna meet, I'll say average, insurance IQ requirements.

Shiva Maharaj:

Are we talking about insurance people or MSPs? Because it sounds pretty similar. Dude, I'm sorry, what

Eric Taylor:

are you talking about general population? I mean, most of the folks that I've ever dealt with it's in, in any sort of insurance. They are closed through normal private sector retirement or just after and they're just looking to collect that additional income on top of their pension or, you know, Social Security check or whatever. stuff.

Joseph Brunsman:

Yeah, busy. What you know, and one of the problems is, and Eric, you can relate to this. And so consumer, right, like, we come from worlds where there's like, there's a publication for everything. Right. So when I left the Navy, like, let's say you're a cook in the Navy, and the commanding officer comes to you, and he goes, Hey, you're gonna go launch a Tomahawk missile right now. And you're like, dude, I'm a cook. What are you talking about? It's literally follow these instructions, missile will fire and go boom, somewhere. Hmm. Right. So it's, I mean, there's an instruction for everything. So when I came into the insurance world, I was like, Where's the instruction manual? Right? Like, how do I know that what I'm saying isn't just tribal knowledge, like, How do I know it's actually both real and correct. And there just wasn't really anything out there. So actually, at this point, I've written let's see, one, two, three books on insurance. So the first one was on E&O. The second was on cyber insurance and cybersecurity law. So is the third one. The fourth book I contributed to which is right there. I contributed a chapter on insurance for blockchain and cryptocurrency and then I'm actually writing yet another book right now all on insurance for MSPs, right, specifically, like tech E&O, you know, EPLI, D&O, you know, that kind of stuff. So a lot of it's really just been, you know, I just had to like teach myself and I've kind of been autodidactic my whole life anyways, like I've always really just hated school. Never enjoyed it whatsoever, but it's something like I'm just naturally kind of curious in because I can bring in, I also have a master's in cybersecurity law now. So bring in that side, the insurance side, my technical background, I try to bring those three elements together to actually add value to people, right? Because any dummy can sell a policy, but that's really only a third of the battle.

Shiva Maharaj:

Why are you, why is the book focused on MSPs and cybersecurity? Why not just take out the target market of MSP, because I think everyone needs the same level. Let me rephrase this. I think everyone needs the same type of protection, just different levels based on their skill, if that makes sense.

Joseph Brunsman:

Yeah, so one of the issues is, what I've seen with MSPs is like, it's like one, they don't know what they don't know. Right? So I see MSPs, where they go to their general insurance guy, right? And then obviously, chaos ensues. So they think they have what they need, but they actually don't. Right. And it sounds very technical. But at the end of the day, you know, if this field was that complex, they wouldn't let insurance people do it. Right. So a lot of the MSP community, like they don't even know what questions to ask, they don't even know what types of insurance they actually need. And then you get into the whole idea of risk management and risk transference,

Shiva Maharaj:

oh, you're going way over the typical MSP. They can't even identify risk, much less manage it. Come on.

Joseph Brunsman:

So think about it this way, right? A lot of people listening to this, they either have cyber insurance, they're going to get cyber insurance, or very shortly, they're going to be forced to get it through some contractual requirement. Right for MSPs. Increasingly, it's a contractual requirement for their clients to handle and actually obtain their own cyber insurance policy. There's a very rational reason for that.

Shiva Maharaj:

I have a question for you there. And I hate, I hate taking on other people's risk. And that's partly why I prefer the IR side of the business as opposed to MSP. Do you really, and by you, meaning if you're an MSP, do you really want to be part of that conversation telling your client, hey, you should get a cyber policy, because the way I look at that is, now you're in that risk chain, because you brought it up to them. And when they do, when they go buy the cheapest policy possible that doesn't cover anything, or carves everything out, they can say, Well, my IT guy told me to go get a policy, this is what I got, he probably looked it over and said it was okay. So it's his fault.

Joseph Brunsman:

Yeah. So as an MSP, you should not be giving any sort of official opinion on the quality of an insurance policy. Now, that being said, I do have a video. So I have a YouTube channel, if you just search for my name, it will pop up. I have a whole series of videos on there, literally just for MSPs. One of which is, this is really for everybody, just basically how to understand and explain cyber insurance, right? It's like 10 minutes long. And I swear to God, you watch that video, you just repeat what I say, you'll know more than 99% of insurance guys on this stuff, right? It's not super difficult. Cyber insurance has two sides and four buckets, like that's it, right? So the two sides is first you have to think about something called third party liability. Easiest way to explain that: somebody wants money from your business. So that could be a client. That could be some sort of regulator. That could be a media liability claim. That could be PCI DSS, for example, Payment Card Industry Data Security Standard, right, class action lawsuits, somebody wants money from your business, generally, because of some type of cyber event that has occurred. The other side is what we call first party, right? Very straightforward. Things that you would pay for, or you'd be legally obligated to pay for if you didn't have insurance, right? So just two sides. People want money from you, things you got to pay for. Within the first party, there's really only four buckets, and the first is going to be data breach. And then all of these coverage features they just fall into these buckets. The first, data breach, you're looking at attorney, forensics, breach notification, credit monitoring, some business interruption there situationally, crisis management, PR, call center, that kind of stuff, right. Then you have the second bucket, which is ransomware. Right now, you're gonna have a lot of the same things. 
Attorney forensics, situationally Breach Notification credit monitoring, I don't want to get into why that is. But situationally, that could be the case. You're also looking at extortion payments and negotiator. Some type of like damage restoration, business interruption cause some reputational harm if clients leave following a breach, that's pretty much it, right? There's maybe some other kind of things that could fall in there. But those are really the big ones. From there, you have loss of funds, and this is where it starts getting dicey. Because I've read man probably well over 150 to 200 different cyber insurance policies because I'm a nerd like that. And Come on, man, I

Shiva Maharaj:

was expecting thousands

Joseph Brunsman:

I know, right. So these are from different carriers, but it's these are all different. And with that loss of funds, you got to be careful because there's no standard verbiage. Like there's no standard words in cyber insurance, yet. We're kind of getting there. But something like social engineering coverage, that could mean two completely different things. It just depends on what the definition of the policy actually says. And if there's of course any like amendments or exclusions later on. So as a business, you just have to figure out beforehand, unfortunately, beforehand, really what you're worried about, right? So some of these could be, Hey, are you worried that like your CFO can get tricked into wiring money to a bad guy somewhere? Right? Well, then look for that type of coverage in the definition. Are you worried that a bad guy gets into your system, tricks all of your clients and vendors into wiring money where it's not supposed to go, right, sort of like an invoice manipulation, reverse social engineering type coverage, you got that in there. There's kind of some other ones that are oddly in there, depending upon the carrier. But those are really the two big ones I think most businesses are going to look for. There's some like loss of contractual potential revenue stuff like yeah, there's all kinds of like little odds and ends. But those are the big ones.

Shiva Maharaj:

I have a question all night long. How are I know, this is gonna vary by insurance company? How are insurance companies defining a data breach these days?

Joseph Brunsman:

So the legal definition 90% of the time is going to be two things: access and acquisition of covered information. By covered information, I mean PII, PHI, PCI, that type of thing, right? If you look in a breach notification law, it's gonna say this is the stuff that has to be protected, in essence, right? So social security numbers, driver's license numbers, don't forget about that one, bank account numbers with some method of access, credit card, debit card numbers with a PIN associated with them, biometric data, in some circumstances, that type of information, right? So a lot of it's going to be really the forensics guy coming in and saying, Hey, we have a reasonable determination that this information was both accessed and acquired by somebody who wasn't supposed to have access to it, right. And that's, I won't get into a risk of harm analysis. But that's like 90% of what. And just to be upfront here,

Shiva Maharaj:

I think a breach should be defined as unauthorized access, not even exfiltration. Because there are too many ways to get away from having to admit data was exfiltrated. And the most typical one that I've seen so far is there's no indication that data has been taken.

Joseph Brunsman:

So we can, there are some times. So I've dealt with, and last year was probably two breaches a week, at least a breach a week just for my own client base that I've dealt with. So like we will see circumstances where we just don't know, right? So often that'll be seen, like, if you have a company and they're purely US based, right, Eric, you can probably attest to this, right? You have a company there. They're only in the US, all their employees in the US and you have like weird traffic outflows to like Jordan, or Qatar or Russia or China, then we can probably say like, Okay, then the forensics guys, they are tracking back, what could that information have been? And they do kind of the all the forensics, super nerdy stuff that's beyond my comprehension. Right to help in that sometimes we get to a point where the forensics comes back, and they say, Hey, you know, like, you've got employees overseas, we got people using VPN, like, there's all of these kind of unknowns here. And so with that, we're just not sure if something's been acquired or not, right. Like, we know, there's been access, but we don't know if there's an acquisition of that information.

Shiva Maharaj:

I have a question then, how, who would you blame? If that's the answer they come back with, because the first thing I think of, Eric, maybe you want to jump in on this, if there's not appropriate logging to identify what was done by the bad guys, then whose fault is that? So go ahead. I

Eric Taylor:

was, I would go, I was sitting back and enjoying. I'm just listening, taking it in. I'm like, Hey, you know, maybe I won't say anything this episode. That'd be a rare one. But, uh, yeah, I mean, a lot of times, that's what we actually do see, there's improper PowerShell logging, there's improper Sysmon, there's improper, you know, logging of the firewall, you know, things have been, you know, deleted, blah, blah, blah. So a lot of the times their actions have been obfuscated, or not tracked at all. So when an IR firm like us comes back and says, hey, there's no logging to prove anything. So we always advise, you have to go on the assumption of data exfiltration, you know, cuz you can't prove a negative. Yep. Or you can't prove a non negative. So, you know, how does the insurance company really look at things like that, when we can't prove it? We, I mean, there's always those threat actors, you know, of ransomware, certain ransomware groups will do and, you know, they are known for data exfiltration. Sometimes, most of the time it works. Sometimes it doesn't, but, you know, how does an insurance company wrap their head around that when I come back? I say, Hey, we have to assume data exfiltration, even though we can't prove it?

Joseph Brunsman:

Yeah. So so on our end. What I've seen from insurance companies is they just default to breach notification letters, credit monitoring, right, like they just assume, and there's a rational reason for that, is because if we get that risk of harm analysis wrong, right, so like forensics comes back and they're like, we just, we don't know, right? The insurance companies are probably going to default to notification of the clients. And the reason for that is if we screw that up, you know, on the business side, then now we're talking about regulators coming after you, right, failure to notify, late notification. And that just opens up a Pandora's box of all types of terrible awful things, where I call it the investigatory death spiral. Right. So investigator comes in, you'll see this all the time, like with HIPAA. Right? So, you know, like,

Shiva Maharaj:

sorry, I don't think HIPAA works, but

Joseph Brunsman:

sorry. Oh, rarely, it rarely works. But when it does, it can lead to some crazy results. So like, there was a case where literally, the stereotypical guy left a laptop in the back of his car at a bar, laptop gets stolen, right? Turns out there was a potential for a bunch of unencrypted PHI on that laptop. So then they notify, right? Because they're like, well, we're not really sure. Then HHS OCR comes in, and they start digging around. And then they're like, Okay, see, you kind of handled this one correct. But it turns out, you have a bunch of other failures that you never reported. Right? And you're not adhering to HIPAA HITECH, and you have issues with your business associate agreements, and just on and on and on. And that actually led to about a million dollar fine against that business.

Shiva Maharaj:

Right? We actually have to pay,

Joseph Brunsman:

we don't know. And that's actually, that's a good point for anybody that has a cyber policy. So actually, this book right here, well, this is my copy, if you go to my website, they can actually just download this for free. It's thebrunsgroup.com/book2. And it's like 500 pages, so I wouldn't recommend you read the whole thing. But a good point to know is that regulatory fines and penalties, literally it says, You ask an insurance guy, normal insurance guy, hey, if a regulator comes after me, do I have coverage for that? And they'll go, yeah, you have coverage for regulatory fines and penalties in your policy. The trick is the operative term in all of these policies, they're essentially gonna say, where insurable by law. Now, where is that insurable by law? I have no idea. And I don't think anybody else has any idea. So let's say New York comes after you or Massachusetts, or Florida or Texas or Virginia or any state regulator. Are those fines and penalties insurable? Maybe, I mean, I spent hundreds of hours trying to figure this out. Could part of that cause of action be insurable? The other part uninsurable? Sure, right. What if the FTC comes after you? And now you have a 20 year consent order, and there's just a laundry list of cyber security controls? Like you're essentially mapping to NIST CSF after that, and you're hitting all the big pain points, and the expensive pain points, I will say,

Shiva Maharaj:

you know, the, the reason I asked if they pay, because with HHS, HHS, I have seen companies appeal the fine and HHS forget to come back three audit. I'm not saying they're competent.

Joseph Brunsman:

I'm just talking on the insurance side. Okay. And one thing, I think that people need to realize this is a this is a key point for businesses that they just don't know, and it will burn them. These Breach Notification laws, it doesn't matter where your business is located. It's where your clients are residents of. So let's say you're an accounting firm, and you're next to a military base within your small accounting firm, you may have to deal with all 50 different state and territory Breach Notification laws. But wait, it gets worse. When we say Breach Notification laws. That's really kind of a bad term. Because actually, many of these laws have cybersecurity requirements built into them, and regulatory fines and penalties if you don't adhere to those, right. So you may be in and I had this a firm in Virginia, they got hit with fines and penalties from the state of Massachusetts. And that's because they had a client who is a Massachusetts resident, right now, all of a sudden after that breach, right? These laws are gonna say, hey, these are all the people you have to notify. And there's various thresholds, various government offices, you have to speak to Massachusetts comes back and they go, alright, show us your Incident Response Plan, show us your breach response plan, show us your data recovery plan, show us your list of internal controls, ranges, on and on and on. And this firm just didn't have it. So they got pegged. And so one thing I think firms need to realize is many of these laws have something called a reasonable cybersecurity requirement. reasonableness is a legal term, right? That is not like, you know, what, like Shiva, Eric and Joe think, the best way to explain that if you're a business out there, and I'll use a military analogy here, right? If you're at the wrong end of a very long table, that see Eric laughing, because he knows where I'm going with this. 
If you're at the wrong end of a very long table, and there's a bunch of government bureaucrats, they're going to get paid on the first and 15th. If it's World War Three, they're still getting paid on the first and 15th. If the world shuts down, they're getting paid on the first and the 15th. Right. They have no idea what it takes to run a business, they have no idea what budgeting is or what your overhead is, they don't know any of that stuff. What they're gonna do is they're gonna sit there, and they're gonna go through the NIST Cybersecurity Framework, which is their standard, and they're gonna go line by line, and you, as a business owner, have to say, after some event, why you did or did not implement certain controls, so things like MFA, 2FA, let's just get security awareness training, just use basic examples, right? I think what kind of generally apply to just about everybody, you're gonna have to explain to them why you didn't want to pay like a couple extra bucks per user per month. And that's just going to be a very hard sell, I would say. So there's a lot of businesses out there, where once they actually start to realize what laws could apply to them, what those laws may reasonably mean, right? And we're not even talking about the Massachusetts law 201 CMR 17, or New York SHIELD Act, they just have lists of like, you know, 15-20 things you have to do. If you meet those thresholds, which

Shiva Maharaj:

you think has the most stringent requirements? It's, it depends in terms in terms of post breach,

Joseph Brunsman:

I would say, Massachusetts, in terms of post breach, so

Shiva Maharaj:

on the citations, what you have to do the investigation, you know, the whole kit and caboodle that you'll probably have to

Joseph Brunsman:

run through, um, it kind of depends. So like, there's some states that they've got really stringent requirements on the front end, like Massachusetts, New York, situationally California. I think Colorado just passed a new law, gonna dig into that one. I think it was, was it, it's either Ohio, Iowa or Illinois, it's one of those where pretty much like after every breach, they're going back to your legal counsel. Right. And they're asking questions, right? A lot of it's really just gonna depend on, who, not to be cynical here, who's the Attorney General? And if they want to run for Congress, that's really what it seems to boil down to. CW could change tomorrow. Why do these Attorney Generals care? Do they really care about cyber breaches? ruwan headline, yeah, it's what are they gonna say when they run for Congress, I stood on consumer protections, right on fighting the war against identity theft. Here's what my office did. So you know, what, if they have to bankrupt your company to do it? I don't think they're gonna care, quite frankly. I mean, the FTC has done it to businesses that bankrupt also.

Eric Taylor:

So one thing is that, I mean, you kind of struck up a couple chords here with me. And so we have been doing some consulting with some organizations, and they literally will look at me like, Oh, we don't have to worry about all a lot of these cybersecurity policies and things like that, you know, we're just a reseller on Amazon, Etsy, or whatever, you know, bullshit online portal, there is like, No, that doesn't matter, you are doing a direct shipment to a customer, it doesn't matter who your payment broker is, and who brokered the agreement of the product or services that you're doing, your end customer is in said state? Is that a fair assessment from an insurance broker standpoint? Or what? What's your take on that?

Joseph Brunsman:

Yeah, so I would say, you know, a lot of it obviously, is going to depend on the company, and what the particular fact patterns of their business are and what they're doing and where they're located and who their customers are, and what type of information they're holding. But I would just say, like, you know, broadly speaking, businesses have way more requirements than they think they do. I mean, way more. And even as a cyber insurance guy, I will just say, you know, cyber insurance is great, but it has its limits, right? There are many things that cyber insurance cannot and will not do, right. So, for example, ask an average insurance guy, hey, if I get hit with ransomware, will the policy pay the extortion? What's the insurance guy gonna say? Yeah, it's right here in the declarations page, it'll pay up to whatever the sub limit or aggregate limit is of that policy. Right? That's not necessarily true. Right. And Eric, you can attest to this,

Eric Taylor:

yet, I was waiting for you to go down this path.

Shiva Maharaj:

Also on a station. I love that.

Joseph Brunsman:

So like, when a business tells me like, you know, why am I paying for multiple backups? Like, what's the point of that when the policy would just pay to get my, my information back anyways? Like, what's the point? Right, so you get talking about, well, there's not always a promise that they're gonna give you the key, right? There's not always a promise that it's gonna work, although I think that's probably more rare than common, right? Because they're trying to run a business, even though they're evil bad guys. But like, let's say, you know, you could say, Oh, well, what if the damages, like they damage the files through the encryption process, like, you just can't even restore those files? Right? Like, you're just never gonna get that back? So there's that, but business owners, you know, they're like okay, what are the odds of that? I don't know enough about it to even know if that's real or not. But if you get hit with a strain of ransomware, and this will come out on the forensics, that's on the OFAC sanctions list. Effectively, that means it's against the law to pay the ransom. So I hope to God you have appropriate backups because if you don't, there's nothing I'm going to say to the insurance company because they don't want to get sanctioned by the US government

Eric Taylor:

or have either an IR firm either, they don't want to get that, but because, oh my gosh, I've heard about an IR firm that I, that I will keep out of it just because they're buddies of ours and we do a lot of work for them, but you know, they got, you know, some government officials pulling up some parts of bodies they didn't want ever inspected. Oh, that's just not something that any incident responder ever wants to go through. So it's, Oh, hell no, do not want to be on the bad side of that one.

Joseph Brunsman:

Yeah, if you're a business and you got hit with one of these strains, and everyone said, No, we're not paying the ransom, because it's against the law, like you're done. You're done. If you don't have appropriate backups, I think

Shiva Maharaj:

in more cases than not you are done, because most small businesses will never spend on anything more than Dropbox for backup. And let's be clear, here, Dropbox is not a backup, a whistle. So I,

Eric Taylor:

when I was back doing MSP, and you see this just as I have, Shiva, that companies will always say, Oh, we can't afford it, we can't afford it. We can't afford it. You know, we said on the show, many times, people, companies are going to do things as cheaply and as long as possible until they're forced to do otherwise. And as soon as there's a breach, there's a ransomware, there's some sort of impending doom, it is amazing, where how many couches, they're able to overturn, to find the effing money to pay whatever needs to be done to get their business back up and running again. So

Shiva Maharaj:

what you're really saying is as an MSP they will never pay you. But as an IR firm, they love paying you all we are pretty much right?

Eric Taylor:

Yeah, we'll go down that route. Sure.

Joseph Brunsman:

Well, here's what I tell people, right? Just do an internet search for breach response notification letter, right. Almost without exception, every one I've ever seen, I mean, maybe there's one that hasn't said it, but every single one I've ever read, it's always got a clause in there: we've increased our cybersecurity budget, we're implementing additional controls, like blah, blah, blah, blah, blah. You can't just say that and not have a lawsuit filed against you. Like if you're gonna say that in that letter, right, that's a legal letter. You have to be able to back that up. So you know, one thing I think business owners don't realize is just how painful that process would be, right? It's not, hey, I got cyber insurance, I got hit with ransomware, alright, I'm just taking a vacation for a week, you know, putting all the boys on vacation, we'll come back and start up when everything's good again, right? Like, it is not that simple. Like, there's so much more to it. And I've literally had, I hate to say it, but like, I've had literally just grown men on the phone just crying, right? Business owners just crying, right, as we're going through this. Like, it's not fun. It's not stress free. And almost without exception, you know, it's gonna be, if I knew it was this bad, I would have done XYZ way beforehand, right? Because they end up doing it anyways. But sometimes you just got to touch the stove. Like I got two small boys, right? Right now I have one boy, earlier, when he was about a year and a half old, he broke his elbow. Currently, my oldest son, who's four now, has a black eye because he tried to catch a golf ball. With his eye,

Eric Taylor:

he caught it just the wrong got

Joseph Brunsman:

it. He stopped it, he stopped it. So now he's got a black eye. And he's in a cast because he actually cracked his olecranon, which is the point of your elbow. He cracked it. And he's going to school on Tuesday with a black eye and in a cast. You know, it's like people, like they're just not gonna believe you. They want, you know, if you're like, the stove is hot, don't touch the stove, like, they got to touch the stove.

Shiva Maharaj:

Speaking about touching the stove, how have you seen policy applications change in the last year, or even six months, because of all the ransomware? I gotta imagine that. And I know you're on the other side of this, because you're an insurance guy. But cyber security, to me, was always a money grab by the insurance companies. They didn't understand the risk. So like, hey, we'll give you a policy. Worst case, we pay a couple thousand dollars, we're still net, you know, maybe a couple hundred, a couple thousand dollars on your policy. Now you're paying anywhere between, let's say, 20, 21 thousand for your cyber policy, but your ransomware costs, your ransom, are up to half a million. The lawyers, the IR, they're bleeding money. So how has the application process changed in your eyes?

Joseph Brunsman:

A couple things there. So I don't think it was ever a money grab per se. I think it was a like a territory grab.

Shiva Maharaj:

Sorry. rephrase that. It was a revenue generation initiative. Yeah, so let's be

Eric Taylor:

clear. So you know, when they were in Joe pie test, at least I'm thinking so, because it's been my thought was, you know, when they were selling cybersecurity policies, it was just like, anytime you're getting into any line of business, there was no metric to base the loss revenue on, there was no risk assessment that you'd be able to apply to this. Now that we're, say, 10 years into it, the insurance companies are actually seeing, holy McFuck, we have a problem.

Joseph Brunsman:

Yeah. And they got a big problem. So there's kind of a couple issues with the cyber insurance world right now. Right? Like, I mean, take it from my perspective, I'll be completely selfish here. Right? I've spent thousands of hours. I mean, shit, I wrote two books, right? I've written like 14 some odd peer reviewed magazine articles, most of which were completely based around cyber insurance, cybersecurity law. Really, I've been waiting. So I'm like, dude, I put all this time and energy into like this one very specific thing, like, when are the premiums actually going to go up? Like, when is that going to happen where the juice is going to be worth the squeeze in terms of all of the time and effort I put into this? Well, going back like five years, I think it was, insurance companies realized, you know, there's not that many new businesses being created every year. So they thought, hey, this is the growth area, right? Like, this is where the growth is gonna be, but they didn't really know what they were getting into. And so, as of right now, I will tell you insurance companies are losing money hand over fist on cyber policies. So when you see like some insurance company, like, you know, they just finished another series of funding, and everyone's like, oh, look at these guys, they're doing so well. No, those idiots are blowing through mountains of cash, right? They're not making any money. Really, what they're doing is, you have the established insurance companies who are like, okay, if we don't do this, somebody else is. Once they get in, now there's another broker in there, then they're gonna take away all the stuff we've always done, right? Business owners policies, auto, life, health, all the general line stuff. So they try to jump into it. And they were like, you know, they did the math, because they've got brilliant statisticians and mathematicians and actuaries on their teams. So they kind of thought, like, okay, we might break even, maybe lose a little bit of money. 
But in terms of keeping the rest of the policies there, that's a strategic advantage we have to have. Then you had a bunch of like venture capital bros who jumped in, who were like, this is the growth area, and they're all trying to be like the Uber of cyber insurance, where they're thinking, hey, if I just burn through more cash than the other guy, as long as I'm the last guy standing, like, I win this round, right? It's a winner take all mentality. Some of the, well, I'll just say this, we do have, and you guys would know who this is, I'm not supposed to know this, I'm not gonna tell you the name of the cyber insurance company. We just know this is cyber insurance. I have my own issues with Kaseya and their terms of service and all that. But they have a very lengthy questionnaire, they've been doing this for well over probably 10, 15 years at this point. In the insurance world, we have something called a loss ratio, which is effectively just a ratio of how much comes in versus how much goes out. What you want to do is make that 100, right, what comes in is exactly what goes out. Because in the interim, you invest that cash that people pay you in premiums, you make money, what's called off the float. That's how Warren Buffett got so rich. Right now, the loss ratio at this insurance company is like well over 170%, which means for every dollar of premium that comes in, $1.70 goes out the door, right? So they're just bleeding through cash. So what we're seeing is the application questions, you know, cybersecurity, there are really kind of only so many ways to cut that pie, right? Like, there's only so many controls that you can implement out there. NIST CSF isn't, you know, really being updated in a large, sweeping, material way. So what we're seeing is, one, they're paying more scrutiny to the applications; two, they're actually mandating controls to some degree. So some of those are very basic. 
So you'll see, hey, you have to have cloud backups. One insurance company is doing that, like if you don't have cloud based backups, you're only going to get $75,000 in ransomware coverage, which, Eric will tell you, if you're a business of any size, you might just end up paying all of that to him in forensics, and then the rest is coming out of your pocket. Right. And that would not be unheard of, well within the realm of possibility. So we're seeing they're being a little smarter. I would say they're still dumb, but they're kind of getting smart on mandating specific controls and paying closer scrutiny to the applications. And then we're also seeing a lot of these companies where, if they just kind of don't have foundational things like, I'll say, antivirus, it's an hour, believe it or not, you used to be able to get a cyber policy without having that. Obviously, I said that now, MFA is a kind of backups.

Shiva Maharaj:

Can you really have anti malware? Or not? Can you really have antivirus and not have anti malware or one or the other? Whatever doesn't count? Uh,

Eric Taylor:

well, even with, like, you know, GravityZone, you could enable and disable certain modules. A lot of the ones, I mean, you've been in the enterprise EDR space a little longer, Shiva.

Shiva Maharaj:

So your message I like using real tools. Bullshit, that is the MSP market and their tools I don't like I like companies that have real security behind themselves

Eric Taylor:

and promises. So you're a little fuzzy that you can enable and disable certain modules inside of the MSP platform, you know, AV, EDR, whatever the case is, so yes, you can very much easily have that. You know, even if you're on base Windows OS for Defender, you're able to enable and disable certain parts of that. Right. So, um, you know, the tools that we, that me and Shiva use, that we've talked about before, you know, a lot of that stuff is, you know, it is part of the suite. So, you know, you've got to pretty much almost take an act of Congress to try to get some of these things disabled. So it's kind of good for security, but you definitely struck some chords with me, because in all the incident responses, even the ones that, you know, we're allowed to be the front man, because there's not a quote unquote panel. You know, that's, I don't want to get sidetracked on a whole different topic. But I've never once had them yet come back and say, what was their current insurance? Or their current compliance regulation they were going to? What standards were they adhering to? Any of that stuff? They're just asking, are you negotiating, was surprised, who's the threat actor, things of that nature. They're not asking the questions that you're talking about yet. So before I go into self education and this and all this, are you starting to see where companies, or insurance companies, are actually asking these things and denying claims? You know, when they are actually asking these questions, because I haven't seen it yet.

Joseph Brunsman:

Yeah. So you can go back to, what was the name of the case, it's like Cottage Health was the name of the company. So essentially, like, what would happen is, you wouldn't see it on the IR side. Effectively, if there's going to be a declination of coverage, what we're seeing is, it would be after the fact, right, so like, they would go through, they would pay for all this stuff. And then they'd go back and try and sue the company, right? In which case, even trying to find a declination of coverage in any insurance vertical, right, any type of insurance policy, is really hard to do. Because a lot of the time it either gets squashed before it ever becomes an issue that would go to court, or if it's kind of like after the fact, insurance companies are really smart, right? So they generally bring in, if they're going to deny coverage on somebody, what they do is they bring in, I'll say, an unbiased third party law firm, right, that actually does the determination there. And then from that, then they say, hey, this outside third party, they said, yeah, we're correct, we're gonna deny coverage here. And let's be real, right? Your mom and pop shop, are you gonna come up with like 250 grand, right? Are you gonna fight a court case against an insurance company? Like, they would really have to do something outrageous. And so right now, what we're seeing is, like, without getting like super nerdy, but the language of the policies is being more strictly construed. Right? It used to be, it was just the broadest policy language of any type of insurance you would ever see. And then it just kind of gets chipped down over and over over time, as they start to realize, okay, what are these kind of niche cases that we have to cover given this language, but now we want to change that. And so part of this too, is even things which arguably should be denied coverage, because of all the venture capital money coming in, 
A lot of these insurance companies, I think, are just kind of sitting on the fence going, if this case is big enough to deny, it's gonna be big enough to make the news. And then people like me are gonna write about it and make videos about it. And then other insurance brokers who don't understand this stuff are just gonna go, Well, that's a company that denied coverage, nobody else seems to be doing it as far as they're aware. And so then they just won't sell that policy anymore. So there's just kind of like a lot of balls in the air, as it were, as to how all this actually plays out.

Eric Taylor:

Are you seeing an actual framework being adopted by the insurance group? You know, there's been a lot of stuff in the news about some of the top 50 insurance brokers getting together, you know, creating their own, you know, collaborative group and doing some sort of mandate. That's called the circle jerk, Eric. Yeah, well, no, this is called, what's next is called the circle jerk where Biden gets together with tech leaders and discusses a new policy. That's a circle jerk. Maybe that's circle jerk Part Two? I don't know. But you know, it's the sequel. Yeah, the sequel. To be continued. Um, I don't know what the industry is going to do. You, me and Shiva have been talking about this for quite some time. We want to see some sort of damn compliance fall down on businesses, you know, even do CIS, you know, version eight, do fucking something. Let's do something. We've got to be, the center is a bunch of dumb fucks when it comes to security, when it comes to business.

Joseph Brunsman:

Yeah, so like, I mean, honestly, the laws are already there. I don't know what Biden's talking to these people about, because the laws already exist in most states, and at the federal level, to really go after businesses for just terrible cybersecurity. So I think really the most elegant solution to all of this, because the states don't, obviously, like they don't have the expertise, right. Like if you're smart, and you're in cybersecurity, you're probably not going to work a nine to five for local government. Like that's just, you're not going to get paid enough, right? It's gonna be like a third or a quarter.

Shiva Maharaj:

Now, once you get me, you're going to work for a major company that donates to someone's campaign. And you really want to give up on your fundraising by going after these guys.

Joseph Brunsman:

What? Well, I think the most elegant solution to all of this is some type of as much as this makes me cringe, but some type of federal funding that gets allocated to the states to actually enforce their own cybersecurity laws,

Shiva Maharaj:

right? Because it's, I would take that one step further, I don't want it to be the states, and not that I have anything against the states, you have providers, or companies that deal with people in multiple states. Now, with the internet, you're no longer a New York company only dealing with New Yorkers. Let's make it a federally recognized standard that the states accept. So you're dealing with one compliance regime, as opposed to 50 or 51.

Joseph Brunsman:

It would be, what I mean, you have like constitutional issues via the 10th Amendment. So like, it'd be very difficult to do, which is why I was saying like, really, at the state level, just funding that. Because even if somebody goes, hey, what is PII? Like, what do I have to protect? My answer is, it depends, right? Because each state has their own specific requirements on what actually is PII.

Shiva Maharaj:

So can't the states accept the guidelines of this? And I don't want to call it federal, because I don't think it should be government mandated. Federal in terms of nationwide, can't they accept whatever those controls are, and the definition of those controls, and what have you?

Joseph Brunsman:

It would be I mean, the reason I think that state level is the best is because they're closer to the business. Right? And like each business, like when we say reasonable cybersecurity controls, you know, that's because it's just really hard to narrow down like, Hey, what

Shiva Maharaj:

are the absolute minimum controls that you have to implement? But right, because PCI, HIPAA, CJIS, all those other compliances, they're being used elsewhere. So now you have a company, let's say you're in the DC Baltimore area. Yeah, right here in Annapolis. So you're probably dealing with Virginia, Maryland, DC, three jurisdictions here. Oh, sure. How hard is that, on top of dealing with any federal requirements, administratively?

Joseph Brunsman:

It is? Well, I'll just say this, right. So obviously, our cybersecurity here is I'm gonna say better than 99% of insurance people that actually I've heard some of the laws going out of Maryland.

Eric Taylor:

It's crazy.

Joseph Brunsman:

Yeah. And so it's, you know, we don't have really any information that would be covered per se, right. So like, we don't have social security numbers, bank account numbers, that type of information, right, that would actually mandate many of those laws. But then we tried to take the smart route, going, hey, we don't want to get hit with ransomware. We don't want to be down for a week, right? Because there's all types of like secondary and tertiary bad effects that can happen as a result of us being down. So with that, you know, we try to kind of kick it up a notch, well above and beyond what I think is actually required of us. But to try and, you know, ultimately it just depends on the business, right? Like, let's say you have two pizzerias. So like, let's say you try to pass a law that was like, for every pizzeria, they have to have these minimum cybersecurity controls, right? Well, it just depends on the business. Because one, now you're creating a barrier to entry to business, which we could argue if that barrier is justified or not. But now we're kind of limiting upward mobility of people. But two, what if one business is like, we're cash only, and we don't take any cards whatsoever. You're just paying cash by the slice. And then right next door is another business that has the exact same revenue, the exact same employee count, and they're like, this is not 1950. We don't deal with cash, right? Like maybe we got a bunch of ex cons working here. We don't want people working with cash. And so we're only taking cards, right. So now they get to deal with all the various cybersecurity laws, right? PCI DSS just being one of them. Like, how would you actually mandate what minimum controls they would have to hold? And that's where I really think that if we just started funding the states, right, those regulatory branches, I think that in a quick hurry, when those stories start coming out, they're like, hey, this business got hit, 
and then regulators came in, I think that would really give a push. Right. It would be that impetus, I think, for a lot of business owners to realize it's not some like ethereal, faraway risk, right. Like they used to kind of say the same thing with cyber security in general. Right. It was the whole security by obscurity thing. That would knock down security by obscurity on the regulatory side. But all that was standing, I think, really, what we're gonna see, as slow as this process has been, is that I think insurance companies and private companies are actually going to start driving really mandatory cybersecurity controls, right. So we're gonna see it where MSPs contractually require businesses to hold cyber insurance. Because of that, those companies have to go get cyber insurance. Then cyber insurance companies, as the market begins to mature, they become much more adept at figuring out what they can actually mandate or not.

Shiva Maharaj:

Let me ask you a question here. Why would I want to mandate my clients to have cybersecurity? cyber insurance?

Joseph Brunsman:

Oh, well, there's a couple good reasons, right. One, I mean, we're all tech guys here. So what happens in an event where there's nothing you could do about it? Color a color. So let's say you have a business, there's some practical reasons behind this. Right. So you as an MSP, what is your tech E&O, you know, policy for? And if you're an MSP listening to this, you should not have an E&O policy and a cyber policy, you should have a tech E&O policy. I have a whole video on that on my YouTube channel you can dig into. But your tech E&O policy, it's not supposed to be meant as a piggy bank for every time an end user does something dumb, right? So let's say the CEO of one of your clients, they're cruising around on Facebook, against his own company policy, starts going to places he's not supposed to be, you know, hits the Facebook ad, goes down that rabbit hole, then boom, ransomware comes in, right? Or they just didn't want any cybersecurity whatsoever, right? They're like, you're just keeping the lights on right here, purely on the sysadmin side, I don't care about cybersecurity at all. And then they get hit. Well, in a practical sense, what you do as an MSP is so technical that if you get sued, and if you go to court, you're probably going to lose. And I say that because, I mean, just take any random 10 guys off the street and try and explain what you do. It's going to be, mom and pop shop, they're out, you know, 150, 200 grand, because computer guy didn't keep him safe, right? Even trying to explain what a framework is to somebody. Right? You could do the 30-second version or the 10 hour version. So think about it this way, right? Legally, I'll say generally, in a legal sense, to bring a claim, the Supreme Court has said there are three elements that need to be present, at an irreducible minimum, right: injury in fact, traceability and redressability. So let's say you're an MSP, like you did nothing wrong. 
It's 100% on the client, but you know, if you get hit with a lawsuit, you're paying out something. And the whole reason, like, why do people hire MSPs? Because they don't want to know anything about any of this, right? Like, they don't want to learn about technology. They don't want to learn about frameworks, they don't want to learn about incident response. They're like, I pay you money, the computer turns on, I have some modicum of safety there. So let's go back to those three elements. Injury in fact: somebody has to say that, to prove I was injured, right, my business got hit with ransomware. Traceability, operative term here: but for the activity or lack of activity at my MSP, I never would have been injured, right, kind of makes sense. Redressability, in today's day and age: but if he gives me money, right, if I prevail in this lawsuit and he gives me money, I will be made whole again. Right. And that will satiate my needs in this lawsuit. So let's look at the big ticket items that an MSP would have to, or any business, excuse me, would have to deal with after that, right. What's it going to be? Like Eric said, right, the forensics costs, that incident response, the attorneys, business interruption, right, those are elements that you can find under an appropriate cyber policy. So now, instead of somebody looking at your policy as a piggy bank when they do something dumb, it's the big elements, large dollar figures, that redressability element of Article III standing to even bring a lawsuit that starts getting removed, right? Because in the absence of knowledge, we have emotion. So now we bring it back into the real world. And it's not, I got screwed, I'm out, you know, half a million. It's the attorney sitting down with a client going, okay, listen, the big stuff got taken care of, what's your cyber insurance policy? So now, you know, maybe it's gonna cost 100 grand to litigate this. 
And when we look at the causes of action we can bring against the MSP, breach of contract, trying to hit that limitation of liability clause, unjust enrichment, negligence, that kind of thing, you may only get 50 grand at the end of the day, right? So now, it's not this emotional, oh my God, I hate this person. It's, am I willing to spend 100 grand to get 50 grand back, if I win? Is he gonna say yes? And then there's also some other. So that's kind of like the nerdy side of it. There's also some practical sides to it. Right? If they're, let's say they come after you. Right. And let's say they went and they prevailed on the claim. How long is that going to take? A lot of businesses, they cannot weather that, right. Like, Eric, if they don't have insurance, Eric's been in and he provides services, Eric's gonna be going, yo, where's my money? Right? Like, you owe me money, like your bill is due. And Eric is not going to sit there, I can't imagine, if a client comes back to them, and the client goes, well, you know, might be like six to nine months, maybe longer, because the court system shut down. He

Shiva Maharaj:

might wait because I think Eric once said he's here to help people. Whereas not here to charge people to do a job

Eric Taylor:

look, unless I'm, I'm not gonna speak for all IR firms by any means, but I'd say 95, 99% of them, the first block hour agreement is due upfront before any and all work is done. So if you're a business owner here, your 50 to 100 hours that you're contracting for must be paid before time has started. Once that first block is adhered to, most companies will not renew that block until another block of agreement is paid upon. Sometimes there are concessions made, but that is so few and far between. You are getting up for hours upon hours in between block payments, maybe, depending on how big the blocks are.

Shiva Maharaj:

Yeah. So question for you, Joe. Now, for a lot of thought leaders in my industry, who are tip of the spear and smarter than I, kind of, but they're all talking about, get your clients to sign a waiver if they decline certain types of security, this, that, or the other. I'm laughing. This is my personal opinion. I don't think those things are worth the paper that they're printed, signed, e-signed on, whatever you want to call it. And it's just a little fluff. What are your thoughts as an insurance guy who's probably had some of those things crop up? Oh, yes.

Joseph Brunsman:

So okay. So the short answer is, when we say limitation of liability waiver, what we're actually talking about is something called an exculpatory agreement. Really, that's the technical term. We call it limitation of liability waiver, kind of in general parlance, but legally, that's construed as an exculpatory agreement. Right? And effectively, what they're trying to say with these agreements, I think they have their place, but firms need to be very careful, right? I know a lot of firms are small shops, right? Like your industry has grown by leaps and bounds. But a lot of it was, you know, a guy who did break fix for like 10, 15 years. Then he got into the MSP side, right, I think it was 95% of MSPs are under 5 million in revenue.

Shiva Maharaj:

And 99% of MSPs are one man shows.

Joseph Brunsman:

Yeah, so with that, you got to be careful, right? It's not as easy as saying, and this is the same with a limitation of liability clause in your contracts. It's not as easy as saying, Oh, my buddy has this. So I'm just going to borrow that language. Right? Like he paid his attorney. So I'm just going to borrow the language and send it out to me. Oh,

Shiva Maharaj:

you just go on to read it. You take it from there. And it's it's legal. I am joking for whoever's listening to this read.

Joseph Brunsman:

Legally, please don't do that. Please don't do that. So a little bit of background, before I get into, like, why I think they can be useful in limited circumstances. A little bit of background: exculpatory agreements, the legality of those and the enforceability of those depends on the state. So once again, it goes back into, in the event of a dispute between the two parties, what mutual jurisdiction have you both agreed that that argument will be held in? Right? So I'll take a random state, let's say for example, and this could be wrong, I don't have the list in front of me, somewhere on my computer, but I want to pause the thing here. But let's say for example, in Georgia, they have very strict laws that say, yeah, these can be enforceable, but they have to have very specific language, and if any of that language is not specific enough, it will be held against the person who tried to draft that letter in the first place. Now you've just screwed yourself in an additional way that you didn't even know existed, because you just wanted to borrow someone's language. Right? Other states, they're very kind of laissez faire. And as long as it's not something that's against public policy, or just outrageous, kind of, to the common man, you're probably going to get away with it. Right. So there's a whole spectrum of enforceability or lack thereof, and it depends on the circumstance, the client, what you're doing, what that letter says, how it actually says what's in the letter,

Shiva Maharaj:

I want to put a little bit of context on it, because I think this is probably going to be the most apt example. IT service provider goes to Joe Schmo, the client, says, hey, we have to put MFA on your systems, two-factor. Client says no, I don't want them. MSSP provider, whoever, sends out a letter along the lines of, okay, we offered you MFA, we told you why you need it, you declined it. And we still told you why you should have it. But you don't want it, please sign this to absolve us from any liability. Do you think something like that is going to work, if it comes down to litigation?

Joseph Brunsman:

Well, it kind of depends on the venue, right? Like, where are the cases being held? But like in a circumstance like that, what are you trying to do at the end of the day, right? As an MSP, you're trying to be able to sit in front of a judge, a jury, a mediator, an arbitrator and say, listen, I warned these guys, this was a problem, right? I even put it in writing. They acknowledged that I told them this was a problem and they still didn't want to do it. And if

Shiva Maharaj:

and what if they never sign it? Even though you put out a well laid out letter and can confirm somebody opened it not necessarily read or understood it.

Joseph Brunsman:

So assuming that it's properly drafted and legal in your jurisdiction, I would say even if you sent it to them, even if they refuse to sign it at that point, that's better than nothing. Right? But even in that circumstance, we're getting to the point now where MSPs, they have to, how would I put this? Now we're getting into the, well, they're getting into a world that they've never had to deal with. And this gets into disengaging with clients, which is a friendly term for saying, sometimes you got to fire people, right? So for the MSP, they need to start getting into this mindset. And don't just trust me, right? It's the big brains at the insurance companies, the actuaries and the lawyers and the statisticians, who are saying, we're not even going to offer insurance to MSPs anymore. Or if we do, it's going to cost a lot more. So with that, the risk is going up, right. So MSPs need to acknowledge the risk is there. Even if it's not their fault, it could still be their problem. They got to get in that mindset. And so if you have a client where you are getting to the point where you have to put out a liability waiver, there has to be that determination in your head of, okay, is this even enforceable? If it is, is this like the shot across the bow to say, like, hey, we're really serious. Like, I don't, like, business owner, we like you, you're a good client, but I don't think you realize how dumb your current business practices are compared to what they should be. And then once you're getting to that point, now it's, at what point are you going to fire that guy? Right? At what point is the juice not worth the squeeze to deal with these people, because of the potential liability that's going to come back on your MSP? Maybe it's just you got too much heat in the kitchen, right. So increasingly, I think, MSPs are gonna start firing clients. 
So that that's also kind of part of this conversation of when you're getting to that point, there's probably a pretty good chance we're gonna end up firing that guy.

Eric Taylor:

Now we just stepped into charge. Oh,

Shiva Maharaj:

I have a question here for you. Now. You've been, I assume been doing this for a couple years, right? no insurance thing. I come off the street off the internet, say, Hey, Joe, I need insurance. How does that process work with you? Sure. So can you walk me through, you know, hello to potentially signing a policy?

Joseph Brunsman:

Yeah. So there's, there's three parts to every policy. So the first thing to get in your mind is we call it an insurance policy, it's a legal contract, right? That changes the gravity of what we're discussing. This is a legal contract that you're entering into with an insurance company, there's three parts to every policy, right? There's the application. And that's where really, business owners tend to kind of freak out and really get into like the weird weeds, kind of like the nitty gritty. So kind of a couple pointers there, whether it's like a tech E&O application for an MSP or it's a cyber insurance application for a business, a lot of these are actually written by attorneys. So they may ask you questions that they want a binary answer, right? They want yes or no. And as tech guys, we know, sometimes it's a, it's a, maybe it's situational, it's, I have an equivalent control that's actually housed somewhere else, or this question doesn't apply to me, because it's a yes or no answer. There's no N/A. Don't be afraid to add an addendum to that application, a separate sheet of paper that just says, Hey, here's a brief explanation, right? You try to put the legal onus back on the insurance company to ask the appropriate follow-on question, right? Because business owners are always worried, if I answer this wrong, will they come back and deny coverage on me? The second part, which is the policy, like that's where I get to nerd out, right? I go full nerd on policy stuff. And a lot of it is, okay, what are you worried about? And then a lot of what I'm doing is, what should you be worried about that you don't even know exists? So that could be, let's say, social engineering coverage, right? Where, hey, maybe this is the policy for you. But there's rules you got to play by within that policy.

Shiva Maharaj:

I have a question for you while you're on this topic. And maybe Eric, you can expound on this or give detail. Eric shared with me an application last week, and this insurance company wanted his client or someone he's dealing with to identify the limits they want to be covered for, for what you were just talking about. So I don't know if you can weave that in to part of your answer. Sure.

Joseph Brunsman:

Yeah. So part of it is there's also, there's limits, and then there's sub-limits, right, so some things in that policy, they're only going to have like a fraction of what the overall limit's gonna be. So ultimately, when it comes to limits, there's really kind of a couple things to consider. Right? One is the stereotypical insurance guy answer, how much insurance can you reasonably afford? Not a really good answer. Two, I actually have a whole video on this on my YouTube channel, right? Elements of determining like what you need for cyber limits. It's going to be benchmarking against your peers. It's going to be, you know, some sort of, like I'll say, informal qualitative or quantitative risk assessment of what do you actually have on your system, right? And then what can you just get rid of, because that's going to lower the cost of a breach. People never think about that. But like, if you just get rid of stuff, like just get rid of it, that's just fewer people we have to notify, that brings the cost down. What type of risks do you have to your business? Right? So is this something where you're worried that, hey, we could have multiple breaches in a year, multiple small breaches, multiple large breaches, we could have a breach and we could have a class action. All of this kind of goes in to the formulation of how much insurance you actually need. Right. But at the end of the day, the one part that nobody ever talks about, which is why I think I've become pseudo-famous on like Reddit in various, like MSP groups and cyber insurance groups, nobody ever talks about the compliance side, right? And that's actually what's gonna get you, that's what's gonna screw you at the end of the day. So I'll give you an MSP example. Okay, client gets hit with ransomware. What do we do as technical people, we go to the MSA, you know, the SLA or statement of work, whatever you want to call it? Right? We go, Okay, what were we contracted to do? Did we do that? Is this our fault? Or not? Right?
Like, check yes or no? Right? We go to the technical side. But going back, right, once again, we think in technical terms, because we have the knowledge, your client thinks in emotional terms, because they don't have the knowledge, right, they're not going to look at what the MSA said. There, they don't know any of that stuff. Right? All they're gonna know is I got hit, I'm out money, now I'm angry. So the MSP is gonna sit there and they're gonna go, Well, this wasn't my fault. Now, in your tech E&O policy, and this is the same for cyber policies, this is what's actually gonna screw you at the end of the day, it's probably not a material misrepresentation on the application, it's probably not because you're missing some widget on a policy, right, that you just be flat out denied coverage, you could be missing some reimbursements. That could be sizable, if you get that wrong, don't get me, don't get me sideways there, but you're probably not going to be denied coverage. What's most likely going to happen? In your policy, there's gonna be two kind of key elements, one, you have to assist with the investigation of whatever claim that you're submitting to your insurance company, right? So they're gonna go back, they're gonna see all of the back and forth and the emails between, like, say, if you're a company, the head of IT, and the CEO, and the C-suite, or if you're an MSP, like the trouble tickets, the conversations between the, you know, the head of the MSP and the business owner. Just because it wasn't your fault, doesn't mean it's not your problem. What do I mean by that, in your policy, it says, you're required to report anything which may reasonably bring rise to a future claim. And this is the same for all, now we're getting kind of the, you know, side. So just because it wasn't your fault, doesn't mean it's not your problem, your client gets hit with ransomware.
We sit there as technical people, and we go, we were not contracted to do anything that would have mitigated or eliminated that threat, right? That was the CFO on her lunch break, did something dumb against your own company's policy, maybe she disabled something, you know, enabled a macro on an Excel worksheet from some random person, and you're like, that's totally on her. So you don't report anything, you renew your insurance policy, then you get hit with a claim, what do you think your insurance company is going to do? They're gonna go back, and they're gonna say you should have reasonably known this should have brought rise to a future claim, you're going to get blindsided with the declination of coverage, because nobody ever explained it to you. And that's why people hate insurance companies, right. So there's, there's all of this compliance side. Then, like, insurance guys, one: in most jurisdictions, there's no requirement that the guy selling you the policy has ever actually read the policy, nor is there necessarily any requirement that the guy even understand the policy, nor is there necessarily a requirement that he should be able to advise you on if there's something better, that's an alternative out there. And there's kind of some rational reasons for that. But at the end of the day, the insurance community does just a terrible job of helping business owners understand this is a legal contract. In every contract, there's a back and forth, this is not a Give me your money once a year, I'll talk to you next year. Right? It's, now you have a policy. Now we have to talk about how do you comply with this policy? Because ideally, this is what I tell all my clients and they look at me sideways until they get it. Ideally, you only want to talk to me once a year, when I'm taking your money. Like that's, that's what you want. If you have to call me more than once a year, you're probably having a bad day, right? But what does that mean?
If you have to call me, you have to know the rules of the game, right? If you don't know the rules of the game, don't play the game. And there's tons of business owners out there that have cyber policies, that have tech E&O policies, they have no idea how to play the game, and they're absolutely just gonna get burned. And I've literally, last week I had a random business call me though, Hey, man, I saw your videos online, we had the social engineering loss. Our insurance guy never told us that within this policy, it said before you'll get reimbursed you have to prove that you had a pre-established callback number, right, that you had a known entity on the other end of the phone, etc, etc, before that wire ever went out the door. And so now he's out a quarter million and he does not have a quarter million to spare. Right, and that's all because, okay, yeah, arguably, every business owner is supposed to read their policy in its entirety and ask questions if they don't understand something, but that's where the insurance guy, right, should be kind of adding value there. Like our job is not take paper or move it back and forth and just make money and kind of this like weird, you know, abyss, right, like we're not just sitting there in the void, just generating revenue, like, we should be adding value somewhere in there. So, unfortunately, most insurance guys are just, they're not gonna add value, they're never gonna add value, they're not going to be around long enough to even know what to say to people. So for the business owners out there, the cyber risk is real, do everything you can to reasonably avoid that incident in the first place. But if you have that incident, you need to make sure you understand what that policy says, what's in that policy, and how to actually comply with the policy.

Eric Taylor:

You know, a lot of people, you know, just to break it down to layman's terms. You know, there's a lot of nuggets in there that people could take away from, but, you know, if you're in a tropical area, like Florida, or you know, you're subject to house floods or whatever, or even just a car accident, right, you get into a T-bone, or you, you know, cream the hell out of another car. And you ever go through one of those insurance seminars where you didn't have appropriate coverages, and they're coming back after you because, you know, of liability, damages and personal damages. And, you know, all this other stuff. I mean, just take that and amplify that for your business about 10 times. And now you've got one of these conversations we're talking to you about. No, it's crazy. It's crazy. Well, Joe, unless Shiva has anything, I know we were well over an hour. And I just want to thank you immensely for your time, we're definitely going to have to have a part two, and maybe three or four of these.

Shiva Maharaj:

I think we create our own panel and have him as our insurance expert. And we'll just call him the insurance guy from now on. But I guess I do have, I mean, I do have a couple questions more about you. Are you licensed? Or are you able to operate in all the states? Or is there a geographic area you focus on?

Joseph Brunsman:

We're pretty much expanding nationwide at this point. Unfortunately, I am not licensed overseas. I get tons of requests from like Australia and New Zealand and the UK, and not, not licensed overseas. But increasingly, we're just going further afield, and eventually we'll just be in every state minus probably like Alaska and Hawaii. So kind of just as a general rule, yes, Alaska and Hawaii.

Shiva Maharaj:

That's kind of messed up that Oh, I'm just joking. I'm just putting words direct to hate to me, not towards him.

Joseph Brunsman:

Well, Alaska, there's just not enough people there to really make it financially viable for me, and Hawaii is just so far away, like timezone-wise, that I just don't want to be up at like one in the morning dealing with claims. I'm already up till one in the morning, like, you know, reading and writing books and stuff like that. So eventually, we're going to be nationwide. But really, the standard I've put out for my team here is anybody that calls us gets out. And why do we do that? Because if I was a business owner, and I was like, hey, I want cyber insurance. I know nothing about this. And my guy's an idiot, like, I would want someone just to, just to give me the lowdown, right, just to say, like I did, like, here's the balance, you got to operate. And here's kind of generally what you need, what to look for, big things to avoid that will get you in trouble. Like, that's what I would want. And so, you know, with that kind of like, the more love you put out in the world, the more love is gonna come back at you. And so really, I would say about 95% of the questions that I get asked are actually already on my YouTube channel. So people would just search Joseph Brunsman. And I've got like, 75 some odd videos on there.

Shiva Maharaj:

Slogan, oh, you need at least 80? Come on. I'm working. I'm working. I'm worried. Where do, where do our listeners get your books?

Joseph Brunsman:

So if they want to support the cause, and keep the wife happy, they can find it on Amazon, that's probably the best place to find it. You can always just download, let's see, well, this book for free on thebrunsgroup.com/book2, that's all about cyber insurance and compliance, like cybersecurity stuff. And then let's see, that book will be revised maybe within the next like six months or so, there's just kind of like little odds and ends that have to get put in there. But the, you know, 99% of it's still valid. And then as soon as my book on insurance for MSPs comes out, I'll put a link up somewhere. I'll probably, I'll put it on Reddit for free. And the various links later, give it for free.

Shiva Maharaj:

charge them. Come on, well, dollar. Well, it's not too expensive, you know, they'd have to negotiate at least a quarter off of that come up with our Mickey

Joseph Brunsman:

Haller, like, honestly, like, I, we don't do any of the traditional marketing here. So I've done probably every form of traditional marketing you can imagine. And it was just super painful and awkward and cold calling is terrible. You know, I put out information. It helps the world. And if people like what I say they can call me, we can do business, or I've many times where someone goes, Hey, I got your video from a friend of a friend of a friend. And this is exactly the problem I'm trying to solve. Let's do this. Right. And a lot of it is, you know, in the insurance world, there's a Pew Research poll that came out recently. So I am more trusted than congressmen but less trusted than a used car salesman. So I said, I don't know what that tells, what that says about congressmen, but nothing good. Nothing good. Nothing good. So, you know, part of it is, by the time people end up calling me, right? There's none of that like, hey, let's establish trust. Let's demonstrate expertise. Like they've already gone through those hoops, right? So they're already like, this guy knows what he's talking about. I trust he's not gonna screw me over. I need this thing. That's my guy.

Eric Taylor:

Alicia, to be fair, just, you brought up Australia. Do you really want to do business with a country who has declared war against emus twice in their history?

Joseph Brunsman:

You know, I would just say like, at the end of the day, what a business owners need, they need enough knowledge to be able to ask the right questions, right. And so my industry is so bad, and it's full of so many stupid people. That if I get hurt MSSP

Eric Taylor:

I think that it's up. Wait,

Shiva Maharaj:

I have a question for you. There was a certain reporting question you are in to listeners, I know we've gone way off base here. Yeah, Joe was an insurance guy who is the insurance industry's Kaseya? Oh, man,

Joseph Brunsman:

You know what, like, they've, I've been asked so many times to present at trade groups where I would actually, like, know who these companies are. And I disliked talking to insurance people so much that I've refused every single one of them. Like, there's probably a million out there of just, I mean, cuz you got to think, right. Like, there's, there's the insurance industry, like, it's, it's all built on paper, right? It's a paper promise. And so the problem with insurance is something like 98% of insurance guys leave within two years of becoming insurance guys, it's like, they don't even know what they don't know. And there's really not a lot of material. That, I mean, they may learn some, like, high-level principles, but actual kind of like day-to-day concerns and issues that businesses would have, like, they don't even know those exist. And so, because it's a lot of like dial for dollars, right? Like, he would kill a kind of a thing. There's just people out there making outrageous promises. And their whole idea, I think, in the back of their heads is they're like, you know, I gotta keep the lights on, I got to pay for my rent. And by the time something goes wrong, like, I'm probably not even gonna be here, right? So like, who gives a damn, like, I'll promise whatever I have to do to make $1. And it's just that, that mentality leads to all sorts of terrible outcomes for business owners, right? Where there were things that were entirely preventable, that if an insurance guy would have taken an extra five minutes, and just explained, like, what the rules of the game were, it never would have happened. Right? And it's, anyways, I have a deep, deep disdain for the insurance industry, just by the nature of working in it, but there's a lot of really terrible, terrible.

Shiva Maharaj:

Let's look guys, bra, top three insurance providers in the cyber game, not necessarily for msps, maybe your three favorites,

Joseph Brunsman:

It really just depends. So because each cyber policy is different, like there's no real standard coverages per se, because they're all different. It just depends on the company. Right? So like one company, when they come to me, maybe we go through the whole list. Right now, I have about 108 questions or so that I ask new companies that want a cyber policy to really figure out all types of things, right, what regulatory regimes they may fall under, they got to go talk to their attorney about what cyber coverages they need to do. Some basic controls are missing. You know, one company, I'm like, that's a, that's a Beazley policy. Like, right there. Another company, like, it's a Hiscox or an app A or a CFC, or it just depends. It just depends on the unique needs of that particular business.

Eric Taylor:

Gotcha. Cool. Awesome. Well, again, y'all, I've tried taking it out a couple times, but Shiva would just straight roll right over me sometimes, you know. I do want to say, the next book should be dubbed The Crap You Don't Know: The Insurance Game.

Shiva Maharaj:

The Insurance Shit You Don't Know.

Joseph Brunsman:

Yeah, mostly about calling it I was thinking Electric Sheep. Right? Because it's just like a PDF that helps you sleep at night. There you go. We'll say that's like the working title as of right now. I gotta make turns not comedy. It's got to be tantalizing. It's got to get to people going

Unknown:

pokers and blah, blah, deep and tantalizing. An electric is not going to end well for any podcast.

Eric Taylor:

You know that that tides take people to places that only sell fans?

Joseph Brunsman:

Yeah, but anyway, yeah, I would just tell people like, you know, just fling myself on YouTube. There's, it's not like I'm saying anything magical. I've just spent a few thousand hours looking into this stuff. Then you just boil it down. Right? So like, let's say your brother-in-law's your insurance guy and you're like, I can't fire my brother-in-law. Just, just watch my stuff. You'll know what questions to ask, you'll generally know what to look for. And it'll keep you up at night, and tell your brother-in-law to watch and do stuff. Yeah, that ideally, yes.

Shiva Maharaj:

Ideally, and then you can franchise. Yeah, cuz I think I like to take 30% Just so you know.

Joseph Brunsman:

So like, the 30,000-foot view is I quickly realized, I will not change the insurance community, right? Like, I am not big enough to do it. And nobody really is big enough to change something that large. But what I can do is, I can actually get just normal people very concise knowledge to be able to ask the right questions that ultimately are going to force insurance guys to figure this stuff out. Right? So like, if an insurance guy was smart, like what would he do if he's like, I want to get into cyber insurance? I know nothing about it. What would he do if he was smart? He would literally just download my book for free, watch all my videos for free, and he'd be off to the races, right? Like he would know HIPAA, HITECH, CMMC, FERPA, TCPA, CAN-SPAM, he would know all the foundational cases and case law associated with cyber insurance, he would know the limitations of cyber insurance, he would know what questions, that he would know all this stuff. I mean, like it's out there for free but none of them do it.

Eric Taylor:

I think, I know we know our next business venture, Shiva, we need to become insurance salesmen. Maybe it'd be less stressful, plus, oh,

Shiva Maharaj:

let's go build it. We'll franchise, let's do it. It'll be the next Allstate.

Eric Taylor:

Are you gonna put me in dance from, No, please don't answer that. I was like your primary. You know what, I'm gonna go with that joke. Oh, come on. It's a military guys. With that, I want to thank again Joe for joining us today on a special edition of Cybersecurity: Amplified and Intensified. It's been a real pleasure, you know, conversing with you today. Please, please, please, if you've made it to the end of this show, thank you again for tuning in. Please go to our website, Amplified Intensified. Please subscribe, download, and dadgummit, tell a friend about us. Help us spread the word. Until next time. Thank you so much.