Learning Without Scars
    S4 E11•June 29, 2024•57 min

    Shielding Your Business from Cyber Catastrophes: Insights on Cybersecurity and Insurance

    Can your business survive a catastrophic cyber incident? Learn how to shield your company from devastating financial losses with insights from our guests, Kevin Landers of Rocketwise and Joseph Brunsman, a cyber insurance expert. We start by discussing the urgent need for annual technology audits in dealerships to mitigate risks and comply with FTC safeguards. Kevin highlights the importance of conducting thorough risk assessments and engaging vendors with self-assessment questionnaires. Meanwhile, Joseph sheds light on the critical role of cyber liability insurance in protecting your business from financial fallout due to cyber threats. Uncover the complexities of cyber insurance and the personal liability risks for business leaders in the wake of a cyber catastrophe. We'll explore the limitations of cyber insurance, such as waiting periods and sublimited coverage, and the intricate process of filing claims. Learn about the heightened scrutiny from insurance companies on third-party risk management and vendor security, as well as the legal and financial responsibilities of data owners versus data holders. Discover the rising trend of class action data breach claims and what it means for businesses that fail to manage third-party risks effectively. Finally, we tackle the evolving landscape of cybersecurity and insurance. Understand the distinctions between data holders and data owners and the impact on educational institutions and compliance with data laws. We share personal anecdotes of hacking incidents and discuss the potential for increased security measures mandated by insurance companies and government bodies. Learn practical advice on enhancing your security posture and the implications of rising premiums and tightening underwriting standards. Join us for an hour of expert insights and practical tips to keep your business secure and resilient.
Visit us at LearningWithoutScars.org (https://www.LearningWithoutScars.org) for more training solutions for Equipment Dealerships - Construction, Mining, Agriculture, Cranes, Trucks and Trailers. We provide comprehensive online learning programs for employees starting with an individualized skills assessment to a personalized employee development program designed for their skill level.

    Transcript

    0:21

    Aloha, and welcome to another Candid Conversation. Today we're joined by two rather timely guests, Kevin Landers from Rocketwise, who many of you have already heard and read. But what is interesting to me is we are being joined by a particularly talented young man by the name of Joseph Brunsman, who's in the insurance business. And the subject that I would like to have this conversation cover relates to the hack that we saw on the industry last week on the ADP dealers, some 15,000 of them in North America. And the reason I want to start this conversation is I don't know that very many people out there have a good understanding of the implications of being hacked and what it can and will do to your business. So with that as a starting point. Let me ask each of these young men to introduce themselves and we can get started. How about you start this one, Kevin, seeing how they know you?

    1:30

    Sure. Well, Kevin Landers with RocketWise. As you mentioned already, our focus primarily is IT and cybersecurity. And at RocketWise, we focus solely on the equipment dealership space. So this event over the last week or so has been definitely something that we've had folks dealing with and learning about and trying to educate users and dealers on. So that's us in a nutshell. Over to you, Joseph.

    2:05

    Okay, Joseph.

    2:07

    Hey, I'm Joe Brunsman. Ostensibly, I'm just an insurance guy, but I love cyber insurance. I've written the best-selling book in the nation on the topic of cyber insurance and cyber law. Former IT guy. I got my degree in robotics, went on to Carey School of Law with a specialty in cybersecurity law. And now I do a ton of cyber insurance. And I love talking about cyber insurance, despite the fact that my wife thinks I'm a giant dork for loving such a niche industry. But I think it's super cool. I'm excited to talk about stuff that 10 years ago I couldn't pay people to listen to me talk about. And now it's, you know, the coolest thing going on. So I'm just happy to be here.

    2:56

    Wonderful. So let's get started. Kevin, you last wrote a blog for us that we published, actually, from a timing perspective, on the Tuesday night of the week in which ADP was hacked. And we ran concurrent to that one on the insurance industry in the on-highway trucking world relative to cybersecurity. And in that blog, Kevin, you talked about having what you and I called "inspect what you expect." And you went forward and talked about what dealers need to be looking at. So from the perspective of what happened last week, I believe every dealer should have a once-a-year review audit of their, quote, technology from all aspects of risk. And let's start there.

    3:57

    Sure. Well, to your point, alongside that blog article, you and I did an initial podcast, our first together, right at that same time. And one of the things that you and I talked about was, hey, what are these dealerships going to do to mitigate risk if their ERP or their dealer management system is breached? And we actually talked about one example, a dealer built back from like 2019 that had a data breach, and the FTC had a fun conversation with. So, yeah, I mean, it's kind of, I don't know, it's a little eerie that we've had that conversation. We start talking about inspecting what you expect. And then all of this in pretty much the same week. So, yeah, I mean, you know, to your point, let me pause. What was your original question? You need to edit that part out. I'm thinking

    5:06

    every dealer needs to have an audit of technology, like they have an audit of financial statements that they put out for the government for taxation. And it's more than that. Yeah, well. You know, I suspect you have a product that's a standard product where you go out and offer inspections, audits of differing levels. Is that true?

    5:36

    Yeah, that is correct. And we do. And, you know, one of the things that we talked about going back to the podcast and when we were chatting last, one of the things we talked about was the fact that, you know, most dealers seem to be underestimating things such as FCC safeguards and their responsibilities in light of that. Even their responsibilities in regards to cyber liability insurance or even worse, their need for cyber liability insurance. And that being said, you know, what we've seen in helping our dealers, even just begin the conversation of getting the cyber liability insurance taken care of because it's usually the more immediate, you know, not the thing that they're like, you know, they see the most need in because it directly impacts them not losing money, right, in their eyes.

    6:43

    But in doing that, we help them to realize that most of these carriers are expecting you're doing risk assessments as well, you know, not just the FTC expecting that happening once a year. And so, you know, yeah, it's something that you need to have going on. Now, I don't, you know, that being said, you know, we're having this conversation in light of the CDK event. And, you know, that happened with a vendor within that vendor's environment as far as we know to date. And so it's a little hard to, you know, run risk assessments on those vendors to some degree. You know, one of the things that we talked about last was self-assessment questionnaires, asking your vendors the tough questions that your liability insurance providers are asking you, similar or even harder questions, so that you can document the risk that you are aware of or how you're mitigating those areas of risk that you've identified, etc.

    7:44

    But that being said, you know, the idea of having risk assessments, yes, every dealer, every business for that matter should be doing risk assessments. The idea of doing them annually, I guess I kind of raise an eyebrow at that just because on average, by the time that a threat actor or malicious actor, whatever you want to label them, has been detected in your environment, I think the average right now is like 290 days that they've been in your environment by the time you detect them. So the idea that you're going to wait 365 days and let them camp out and hang out with your team for 290 days is a little bit scary.

    8:28

    Part of this whole series of discussions, Kevin, gets us to the place, and it isn't going to happen in one or two or three, but gets us to the place of what they need to do on a daily, weekly, monthly, quarterly basis. But you open the door, and with Joe's pedigree, law, robotics, technology, I don't think anybody out there listening in the capital goods industries that buys and sells product understands how much at risk they are, but not for their business. What we haven't talked about is the customer out there. It's a crane. It's putting up a 40-story skyscraper that the crane just had a wire cable break, needs a replacement, calls the dealer. The dealer doesn't know how the hell to find it. So the customer's at risk as well. And that extension is much more exposure. So here comes insurance. And, you know, I'm a part of Lloyd's of London, peripherally Aon.

    9:44

    And the history of Lloyd's and how they got started was information communication, with people with binoculars all around the world watching wooden steam, you know, sailboats carrying material around. So their advantage was early information. I think everything in the world relates to time and space. And Joe has now, I'm going to ask him to start, but I bet you the exposures and the details that he's going to bring us make what you and I do disappear in significance, Kevin. Am I right, Joe?

    10:23

    I hope I can live up to that. I will do my best to shock and amaze you with the knowledge I have.

    10:33

    I think that, well, who are all the players that go into, say I have an insurance policy that protects my business from a cyber attack. And I just got hacked and my business has been out of service for five working days. And I call my insurance agent up and say, okay, I got a policy here that allows me to get reimbursed for business interruption. What do you do to verify the claim? Who gets involved? And does it change by order of magnitude? It

    11:13

    does. It does. So before I answer that question, let me just reinforce what you guys were talking about earlier. So, you know, we go all the way back to 2012. That was the FTC ruling in the matter of Franklin's Budget Car Sales, where it said, hey, dealerships are holding large troves of PII. You were subject to the FTC safeguards rule. A new FTC safeguards rule just came out, was it earlier this year? And much more stringent than the last one. So it's like, all right, well, just because it wasn't your fault doesn't mean it's not your problem, car dealerships. And then on top of that, in the matter of GMR Transcription Services, that was 2014, where the FTC said, hey, you are responsible for the security of your vendors. So third-party risk management, frankly, like, hey, if you're a car dealership, equipment dealer, et cetera, it's like you're really good at that thing. You are not a third-party risk management assessor.

    12:14

    It's just not what you do. Just like, you know, I can mow my lawn. I just hate doing it. So I'm trying to hire somebody else to do it. So it's like, hey, dealerships start leaning more heavily upon the subject matter experts because the risk is there. Now, as far as the business interruption reimbursement, I tell, and this may sound weird because I'm the insurance guy, but I tell all of my cyber insurance clients, hey, a good year for you is when I talk to you once and I take your money. That is victory. A bad year for you is we're talking twice because you're about to have a really bad month and you're having a really bad day currently. And so I think these dealerships would do very well by themselves to start taking a much harder look at cybersecurity because now hopefully their eyes have been opened. It's like, hey, this can materially impact the revenue of our organization, right?

    13:14

    IT, so to speak, is not this black hole that we just chuck money into. It is a necessary business expense. Just like we pay the power bill to keep the lights on. We have to do this. And those rules are only going to get more and more stringent. And these dealerships need to know, like the leadership of these dealerships, if they go back to the Drizly case, which was late last year, the FTC is now holding ownership personally liable for data security.

    13:47

    Let me reinforce that or emphasize that. The Federal Trade Commission, the FTC, is holding the owners of a business, the executive of a business, personally responsible and thus liable for any penalties. Is that a fair statement?

    14:10

    Absolutely. They're coming. In the case of Drizly, they put a 10-year consent order on the CEO because of a cyber issue. And with that 10-year consent order, now, I mean, the data security requirements go through the roof. The cost you're going to have to expend is astronomical to get these third-party assessors. They're going to know the federal government's going to be poking around, critiquing everything they do. So they're going to be paying people on the back end that you don't even know exist to look over their stuff before it comes to you. And it's an absolute nightmare for a business to go through.

    14:48

    And it follows him. And it follows him. He or she. Like, if they go to another company, all that follows them. So you sell your nice company, Drizly, and, you know, want to be on the board somewhere. What board wants to take that risk?

    15:05

    Yeah. So let me, let me, let me interrupt and put a pause out there just for a quick second. Yeah. If I was to poll 100 people that own dealerships of whatever brand, how many do you think are aware of that?

    15:22

    Zero. Unless they watch my YouTube video.

    15:26

    Well, we'll take that too, Joe, just as an aside. Joe's going to start writing blogs for us. I just made it public, so now you've got an obligation, buddy. Ah, you got me. To Kevin's point, this follows you as a statement on your skills as a leader of a business. Like if you lose money as a leader for two or three years, you're going to have a hard time doing something outside of that company when you eventually get fired. Okay, so let's come backwards now, Joe, to we have this catastrophic event. The owners are held personally liable. How can they be protected from an insurance perspective, a legal perspective?

    16:14

    Well, to a certain degree, you can't. You can't insure everything. My side of the equation, the insurance industry has just done an atrocious job actually explaining to people that cyber insurance does not solve all woes. Legally, it can't. There's plenty of moral hazards. There's plenty of case law that reflects that. And so kind of a basic answer is, hey, within a cyber insurance policy, you most likely have a dependent business interruption reimbursement type clause where hey, somebody you're relying upon, right, that's a vendor, you need that guy to generate revenue for your business, a la CDK Global. If they go down, your business cyber insurance policy can step in and start reimbursing some of those losses. Now, yeah, they probably have that on their policy, but there's caveats to that, which is one, there's going to be a waiting period. It could be hours. It could be days. I've seen up to two weeks.

    17:23

    Whoa, is that long? Oh, yeah. Oh, my.

    17:28

    And then you got to think, okay, well, on top of that, there's kind of practical limitations. It's probably going to be sublimited coverage because insurance industry is saying, hey, we're insuring your company, not everybody else. So there's going to be a finite amount of money there. You're going to have to submit that claim. Now you have to work through that whole process. Every cyber policy is different. So I have to... speaking kind of broad strokes here, but we don't actually know how long this is going to go on for. So, you know, the insurance guy answers, oh yeah, if these guys go down, you'll get reimbursed for it. The technical answer is, nah, there's rules to the game. There's limits to how much you're going to get reimbursed. And then now you might have to evidence that particular loss. Now you got to think, okay, does your policy have a forensics accountant who's going to come in?

    18:19

    Then we got to start saying, okay, and practical terms, the easiest way to evidence how much money you lost is, well, what did you make last year, right? During the same period of time. Now, maybe your business was crushing it last year. Maybe it was doing terrible last year. It's doing amazing this year. And so there's so many variables there to deal with that, you know, the short, the short synopsis is, hey, talk to your insurance guy, look at your cyber policy. Right. Determine if you want to file that claim or not, because there's obviously long term repercussions to filing cyber claims. You got to start kind of weighing the economic decision there in your own personal, I'll say, comfort with risk. And hey, regardless, I'm going to say that every single cyber insurer that's insuring these dealerships, this is their wake up call.

    19:16

    and we've seen it in other industries already, they're going to start saying, are you doing third-party risk management? Are you actually holding your vendors to the same levels of security that you're obligated to hold? People have been answering that question. They have not been doing the due diligence. And so now it's like, well, next year, they're going to be really asking questions. They might ask for proof. All right, show me your vendor list. Who are they doing? Do you have the stock reports for these guys? I love you. And if you don't, you're toast.

    19:48

    That's perfect. So two things. You mentioned a forensic accountant come in and looking at them. How about law enforcement? Do they get involved as well? Yeah.

    19:59

    So that brings an interesting twist to this whole saga. Now, CDK Global is obviously a massive organization. At least a billion dollar company. I think there are probably more. All over the world. I know here in the US, it's at least 15,000 dealerships that have been impacted. In the breach notification laws, it will say, hey, if law enforcement gets involved, you can put a pause on all this breach notification, etc. Now, what dealerships and just businesses at large, to be fair, don't understand is that, yeah, maybe CDK Global just entirely screwed up and they did something completely boneheaded and it's entirely their fault that all your client's information just got stolen. Well, look in the MSA, look at every single state and territory breach notification law in the United States. It's going to say CDK is the data holder. You, dealership, are the data owner. So guess what? You're paying. If it comes down to it, you're going to be paying for

    21:07

    attorney, forensics, breach notification, credit monitoring. And on top of that, guess what? There are, as of last year, and it's only ramped up, latest numbers from Duane Morris, there are 45 class action data breach claims filed every month in the United States. So let's imagine you're a dealership. Maybe you weren't super tight on that third-party risk management, right? Maybe you're not even to blame, but you have some advantageous plaintiff's attorney out there. You have tens of thousands of clients who were sent their breach notification letters. Bam, now you're facing class action claims, potentially in multiple jurisdictions. And you're going to want your cyber policy to deal with that. But to make it even more complicated, and hopefully everybody's following me so far. Tell me if you're not. But because we don't really know what's going on. We heard it's a ransom event, at least according to the latest Coveware report.

    22:11

    70-some-odd percent of ransomware events also include data exfiltration. So this could be, right, you could have second-order, third-order ransoms coming. Yeah.

    22:22

    Sorry, well, they're saying what, well, the group that supposedly are the ones that carried this out, they're known for second time. Oh, man.

    22:34

    We're in the bulls. Joe.

    22:36

    Basically, not only ransoming your data, but like you said, exfiltrating it and getting

    22:45

    it a second time. There's so many interesting levels to this. And one of the things I'd like everybody to think about is the difference between a data holder and a data owner. Because that's significant. For instance, that learning without scars. We have student information, student data. There's a law in Canada that requires anybody who has student information to have the server for the computer system on which they hold this data be in Canada. Now, that's an interesting story. I deal with the committee that controls or is... is doing research and making recommendations to the federal government up there. And I talked, I know two of the guys personally, and I have for a long time. And I say, okay, tell me where my server is when it's in the cloud. And they come back and say, well, geez, we don't know. And I said, of course, that law is stupid.

    23:45

    However, I've been able to find a learning management software product that allows me to have control of the cloud for our business in Canada, which means then it works all around the world. Difference between a data holder and a data owner. In this case, I own both, but the school owns the student data personally. So, you know, who bears responsibility gets a little tricky. The other thing that both of you have mentioned is a review of every supplier that deals with every person who's involved in buying and selling. And most of those vendors, with respect to them, have their head in the clouds in this one as well. I don't think that people have a true understanding of what the hell happened. And here's evidence of that fact. There was an editorial written, two pages worth, in the last five days responding to this outage. In essence, just waving it away. It's a blip on the radar. Doesn't matter.

    24:53

    And one of my clients this morning when I got up at four o'clock, I see a text from him because I sent this article around to a bunch of dealer principals, owners. And he said, this guy is nuts. He said, how much business are we going to see drop in the month of June in the gross domestic product in this country, in the tax collection at the state level in this country? You know, the order of magnitude of this stuff is beyond people's expectations. So I take you to the next place. Should I have on my financial statement a reserve for data interruption? Like I have a reserve for theft. Like I have a reserve for non-payment of bills. Should we not be talking at that level of security and seriousness? And maybe 1% of your sales needs to be set aside against your P&L?

    25:52

    I think it's... It's a good idea simply because there are so many variables at play. And frankly, you know, I nerd out on this stuff for a decade and all day, every day. And I read all the reports and I get really in the weeds. And there's just so much that we don't know. And this environment is evolving so fast that, frankly, no one attorney, no really even a team of attorneys can actually say, hey, what's really going to happen here? What's your exposure going to be? Having a cash reserve, I think, is a good idea for any business because, hey, sometimes it snows. You need to bust out the emergency food because you can't get to the grocery store. You were talking about the magnitude of this issue. What dealers don't yet know because it's not their world: the insurance industry is really looking at, they're looking at this in a real difficult way because there's only so many cyber insurers that really insure dealerships actually.

    27:10

    So now you have this giant potential aggregation of loss. So what are insurance companies going to do? They're going to go, okay, what are the terms and conditions of our policy here? Because, hey, you're held as a customer of the insurance company to the clear and conspicuous terms of that policy, even if you didn't read it, you didn't understand it, and your insurance guy never told you about it. So within most of these insurance policies, they're going to say, hey, if you have something which could potentially become a claim, a la CDK, you have to report that before you renew your insurance. Now, your insurance renewal is an arbitrary day of the year and law enforcement is definitely involved, intelligence community is involved. We're probably not going to know for quite some time what happened. Hey, if that rolls through your renewal period, right, you renew your cyber insurance, you're like, ah, we don't know yet, whatever, right?

    28:08

    No one said that there's been a breach yet. And then CDK Global comes out and they say, oh, hey, by the way, all this information got stolen or there's evidence that's on the dark web, et cetera. Obviously insurance companies are going to go, what's the easiest way to save billions of dollars? They're going to say, well, let's take a real hard look at that notification provision. And most business owners just don't know that that's a thing. They're thinking, oh, well, if I have a cyber claim, I have to report it. And it's like, no, there's something called a written notice of circumstance in most of these policies. And just given the magnitude of this issue, it's like, hell yeah, the insurance industry is going to go, well, do we want to pay out billions of dollars or do we want to try and deny a claim because

    28:58

    the case is on our side?

    29:01

    Yeah. So to get back to your original point there, Ron, it's like, yeah, you probably should have some money set aside and you don't know. Hey, what's the probability that the FTC is going to come knocking? What's the probability that, say, your state attorney general is going to say, well, did you do third-party risk management? Were you adhering to our reasonable cybersecurity safeguards? What are the odds that a class action claim is going to rise against you? And business owners don't know the breach notification law that applies depends on where your clients are residents of. So maybe, right? I bought my truck from a dealership in Pennsylvania. I'm a Maryland resident. So if my information got stolen, they have to adhere to Maryland breach notification law. Maybe they had a guy come from Massachusetts. Now they're subject to 201 CMR 17. That's 18 different administrative, technical, and physical safeguards that they have to evidence.

    30:01

    And guess what? The AG is going to ask for, hey, where's your written information security plan? What are you doing with third-party risk management? And I would wager a lot of these dealerships simply don't know that information. They don't have those policies in place, much less are they enforced. And they're about to get a real big wake-up call that this could get very, very bad, very, very expensive in a whole bunch of ways that they probably don't even want to know about.

    30:32

    Let me go back. Joe,

    30:34

    go ahead. Well, I've actually been dying to ask you, Joe. Yeah, so the FTC could... There's a couple of ways this thing can play out, right? Just from the FTC safeguards side of the equation, right? To your point, CDK is the data holder. The dealerships are the data owner. You know, in tossing it through my head, I came up with three scenarios. One was they go after CDK and they leave the dealers alone. They go after the dealers, they leave CDK alone. They go after both. And or I guess there's a fourth option. And that is, you know, does the federal government just go, you know what, the June auto sales are going to be drastically affected by this. CDK says we're probably not going to get you back up anytime before the end of the month. So this may carry on into July. So, you know, July sales could be down. What is, you know, I guess the thought is, does the federal government just give a pass?

    31:39

    Does the FTC just go, you know what, this is so massive that we're just going to, you know, not chase it? Is that an option? And I guess from my standpoint, on one hand, I'm like, that would be a great reprieve. But on the other hand, it would be like a huge disservice because as we've all been saying, the dealers just aren't, this is an area where most of them are oblivious and don't think that they're a target.

    32:10

    Yeah, no. So to your point, back in the 50s and 60s, when, quote, data processing, huge monolithic batch processing machines were doing banking. I'm kind of like Joe. I'm a maniac as far as details and reading and keeping up with what's going on. The people that were committing hacks on banks then that I dealt with running computer centers all had prison records. They'd been to jail, caught. They'd been sent away. But what I found that was more intriguing, which is exactly what you're just saying, Kevin, the bank didn't want to let the public know that they'd been hacked, that they lost millions of dollars, because that made a statement to their clientele and what that was going to do to their business going forward. So, you know, the CDK or the dealership or both, forget that. It's every single dealer management system supplier on the planet. It just happened that CDK went public because it was so large.

    33:22

    But I can take you to 10 dealers right now that have been hacked in the last three years that

    33:27

    digit

    33:28

    penalties were found and identified, and they didn't get any reimbursement. This is huge, this damn thing, and I don't think anybody understands it. I'm hoping you two guys can be the start of enlightening. No, I'm serious as hell. Start to enlighten the people that, hey, wait a second, boys and girls, this is something you've got to pay attention to. Two last points. One was a lot of these hacking, these are very smart people. And there is a lot of money that they're being able to get. So they're going to continue to hack until we find a way to stop them. This is either hacking or phishing or whatever. You've all heard about social security records, national health care records, all of this stuff that's been hacked. So the stans, the countries whose names end with stan, they have a whole bunch of people that are working and they're trying to catch us every single day. The second part of the question that bugs me.

    34:25

    I personally have been hacked, our bank accounts, a couple of times. Once because of a trip in London, England, that the hotel that we stayed in, their network wasn't particularly good. Another one where the modem that connected to a network, they just bypassed the whole damn thing and went right to the network and there was nothing as a protection inside the modem. So they were coming, the hacker was coming in via the modem, just like they were another store. I mean, good Lord. And Kevin, like you said, 290 days before people recognize it. Lord love me. What happened in the 289 days before? This is, this is damn good. We got to know you

    35:07

    really, really well.

    35:08

    Yeah, this is serious as hell. And I don't think people are paying attention. So Joseph, continue being a nerd, my man, not only technology wise, but legally. That's a nice combination.

    35:22

    Drives my wife nuts.

    35:25

    That's why she married you.

    35:28

    That's right. That's right.

    35:29

    I'm like, I got you. You're stuck now.

    35:32

    To answer Kevin's question about, you know, is the FTC going to take a look at this? Right now, FTC Chairwoman Khan has just been losing hand over fist and it hasn't stopped her yet. And so, I mean, this is a circumstance where they're... So many people are impacted and it has such a massive potential economic detriment to our country and really to many countries around the world that I would be shocked if they don't. I mean, it would just, I'd be dumbfounded if the FTC did not go after, start looking into CDK Global and what's been going on there.

    36:20

    What we're going to see is a whole hell of a lot more regulations come out, and rightfully so. Because without that, people won't know what the hell to do.

    36:32

    Yeah, and there is actually the component of the average consumer has zero control over their information once it goes into these dealership systems. And so I'm not particularly a big fan of large government, but it's like, okay, this seems to me to be... a very rational reason to have the government come in to say, we have to protect the end consumer. And if that means we're putting the screws to a billion dollar corporation, Chairwoman Khan has had zero qualms about doing that. Now, will the FTC go after dealerships individually? Probably unlikely that they'll do that, but that's probably more the territory of you could have various attorneys general. Obviously, the plaintiff's bar via class action claims. Once again, I would be dumbfounded. If it turns out there's actually a data breach here, I'd be shocked if there's not. Probably, given the scope of this, a class action claim launched in every single state.

    37:35

    Actually, probably multiple class action claims. Then you start thinking about, okay, how is this going to impact the insurance side? What I often tell people is, You know, yes, I'm the insurance guy, but before I ever did insurance, I was an IT guy. And it's like, you're going to increase your security the easy way or the hard way, right? You got two choices here. Now, the easy way is you go, all right, this isn't going to get any simpler. It's not going to get any easier. How do you eat an elephant one bite at a time? So we might as well just jump in, get this thing going, lock it down the best we can. So that way, if we do have regulators, if we do have attorneys coming after us, we can evidence we did the best we could with what we had. We just happened to get bit, right? The hard way is what everybody is about to experience, which is insurance companies mandating things, right? Governments starting to mandate additional controls.

    38:39

    And you'll see in every single, every single breach notification letter, it'll always say at the bottom, like, hey, magically, we have found more money to increase our security and we're ramping it up, et cetera, et cetera. Right? Every single time. You're going to see that. So anybody listening to this, hey, just go look up publicly available breach notification letters. There's, I think, 12 states off the top of my head where you can find this. Just start poking through and they're all going to say that. Right? So it's, hey, don't wait until like two weeks before you get your renewal to suddenly figure out that your insurance company is saying, hey, now you need EDR on every single endpoint. Why don't you have a 24-7 SOC? Where's your third-party risk management reports? We want to see this policy, etc. That's just not enough time to implement that stuff.

    39:35

    Just do it the easy way, which is I always tell all my clients, okay, I don't have insight into your network architecture. That's obviously not what I do. I'm your insurance guy. I know some stuff based on the questionnaire. The easiest thing to do if you're a dealership is, you're not an IT guy. Go to your MSP. Go to your IT folks and say, give me a wish list to increase our security. Rank it, right? Biggest bang for the buck, moving down, right? Like what can we do right now to increase our security, right? At what cost? And then just start chipping away at it. And one thing I would add, to get a little even dorkier here, is one of the benefits of being an insurance guy is that I get to play the idiot and nobody ever calls me out on it. So I was at a conference and I was sitting in the back in the speaker's room and they had actually brought in a plaintiff's bar attorney who did class action claims following data breaches.

    40:40

    So he's like, what are you doing here? And I said, oh, I'm just, I'm the insurance guy. Just here to talk about cyber insurance. And then I proceeded to pick his brain for the next half hour. And one of the things that he said that always stuck with me is I was like, hey, super very self-important attorney guy. What's the one thing you see, right, when you're going through discovery and you subpoena stuff and you're like, I got him dead to rights, I'm buying a new boat. And he's like, ah, it's simple. He goes, every single time. He goes, we start subpoenaing emails about data security between, say, like management and IT, right? And IT every time, right? There's an email where it's, hey, we need this thing. We have this giant vulnerability. This is really bad, right? And then management goes, ah, we don't have the money for it. He goes, dead to rights, got him. He's like, daddy's buying a new boat.

    41:41

    So I was like, all right, what's the reverse of that, the obverse of that? Like, what would you hate to see? And he goes, oh, it's super easy. He goes, plan of action and milestones, POA&M. He goes, no business has unlimited funding. He goes, but what would really kill us is if somebody came in front of the court and they said, yeah, we got hit. And you're right, we didn't have that control that would have fixed it. But we had sat down with the CIO, CISO, you know, CFO, CEO, the board. And we had a plan and we said, all right, we don't have unlimited money, but given the funding constraints we have, given the prevalent risks that are, you know, present in the world, in the next four months, we're going to implement this, right? And then in six months, we have to reassess this. And then a year from now, we're going to have funding for this, right? And he goes, juries, juries would love that.

    42:36

    He goes, juries, he goes, you know, juries will side with you. If you show them like you were trying to be responsible, he's like, but if you were intentionally irresponsible, daddy gets a new boat. And so I would just urge everybody, go to your IT folks, get that plan in place and start saying, okay, what do we need to do to start chipping away at this problem? It'll save you. It's good stuff. Okay.

    43:01

    So let me, let me go into a different direction again and, and think just in terms of the insurance industry. I think almost everybody over the last 12 months has seen insurance premiums go up rather dramatically. And I'm pretty sure that most people haven't really thought about the function that the insurance industry provides to society at large. And that if we don't have insurance, we don't have money to do anything. The insurance industry is probably the largest financial collection agency on the planet. You got car insurance, you got health insurance, you got home insurance, you got liability insurance, you got all of these insurances that you pay a little bit every month. But that little bit every month in the United States probably covers 200 million people, 200 million adults, 150,000 million children I'll leave on the side. It might be smaller than that.

    44:01

    So in the last 12 months, almost everybody's seen, I think the average is 32% increase in insurance premiums. Then go forward and look at events, special events, hurricanes, Katrina, earthquakes. All of a sudden, the insurance industry changes the game. Long-term health insurance, they change the game because financially it doesn't work anymore. And if it doesn't work anymore, writ large, it affects society in general. The federal government is putting money out. The state governments are putting money out. Where the hell do you think they get the money? From the banks that are holding the cash for the insurance companies. So this is real. And then let me, chapter B to that is, we all have car insurance if you have a car. You have health insurance. Read the policy. Do you know what the qualifiers are for the liability, the 250 grand or 500 grand that you've got in coverage if you have an accident or if you kill somebody?

    45:02

    Look at the restrictions. Find out what they are. It's a really important aspect of our lives that we've taken for granted forever. In school, I'm an educator. I think everybody in high school should learn about insurance, what you need to do, the good, the bad, and everything else about it. I'm a fan of everybody being able to be smart enough they can come to their own conclusions or smart enough they know to whom they should talk and ask the question, like Kevin just said. I believe the order and magnitude of this puppy is immense. And we haven't got a clue at leadership in business. They want to sell a machine. They want to make some money. You know, they have no, so here it comes, boys. Like you said, Joe, this could be class action across the country, across the world. Every car dealer, every truck dealer, every equipment dealer. Wow.

    45:59

    Well, and to make this, to add, I guess, one final wrinkle. Let me quote from Understanding Insurance Law, 6th edition, that might add a little, I wouldn't call it clarity, a little, I don't know, spice to this whole conversation. So, quoting here, the default rule is that agents and brokers have no duty to advise their insureds about the adequacy or appropriateness of the insurance coverage they purchase, or about optional coverage that might be available. Now let's segue that into the fact that, hey, you know what? The insurance industry is not super fun or not super excited about shelling out hundreds of millions, billions of dollars because of one event. And so there are plenty of business owners out there where they have to understand, hey, they never read their cyber insurance policy. Well, guess what? The guy that sold it to you, he probably didn't read it either.

    47:02

    And even if he did, he may not understand what it actually says because he kind of needs at least some modicum of IT knowledge to begin with. And so, hey, guess what? Cyber policies have, some of them, they have widespread event exclusions, right, to save the bottom line of the insurance company so that they don't go bankrupt. Now, there's different thresholds in that widespread event exclusion. And so, somebody listening to this has that on their policy, and they probably don't even know it. And then they're going to have potentially critical vulnerability exclusions, right? They need to know what that is. They need to talk to their IT folks about that, right? There could be zero-day exclusions. There's all types of potential ways that cyber insurers could get out of coverage if they can get away with it. And so, you know, my point here is, hey, cyber insurance, it's a reserve parachute. Right?

    48:01

    It's when the full defense in depth for your business has been penetrated. It is not the go-to answer. Right? It is not, oh, something happened, let's get cyber insurance. Cyber insurance is getting really tired of paying out on stuff that should have been patched. Right? It's a moral hazard for the insurance industry. They're doing everything they can to try and get away from paying out for that stuff.

    48:23

    Let me throw another wrinkle on that. At the end of World War, excuse me, at the end of World War II, when the military came back in the United States, Congress decided that the insurance industry could provide special recognition of that group of clients, returning veterans, which allowed the insurance company then to start, instead of having 100% of the universe that they were insuring covering everything, they could have 10% of the population be specially insured at a different rate. So now we started putting out a whole bunch of things. And in medical insurance, anybody who's had a partner who's had breast cancer will realize that their insurance premium went up dramatically because their wife or partner had all of a sudden fallen into a different pool. And as a personal experience we had, our insurance rate doubled every six months because my wife was all of a sudden in the pool of breast cancer people.

    49:31

    That's not true in all states, but it was in this particular case. We're from Canada, so my wife said to me, we can't afford this. I'm going back to Canada where we get coverage. This is serious. I thank you guys a lot. I think we've opened a door here, and I hope you guys don't mind if I open that door often with you, because we've got to educate people. We've got to get people better coverage, and it's ahead of time, for instance. The apartment building disaster in Florida cost a couple of billion dollars. We had a fire instance here in Honolulu that cost a couple of billion dollars. Who do you think paid for that? Every person in this damn country, because the premiums went up. Who's going to pay for the hack on CDK? Every single person. So if we can have, for Joe, a class and kind of people that have done specific things to mitigate.

    50:29

    like Joe's indicating, and that Kevin can create products and assessments to allow you to prove the point, then we can have different insurance rates for different risk categories. For cybersecurity, you look after things, it's rate a buck. You don't look after things, it's rate five bucks, whatever the hell it is. I suspect that's going to start happening.

    50:54

    Oh, it already is.

    50:55

    Get out on a limb with me on that one?

    50:58

    No, it's already happening. I'll say five, six years ago, cyber insurance was the wild west and I loved it and it was super fun because I could get anything I wanted at any amount with any term and condition that I could throw in there. The underwriters had no idea what they're doing. Insurance companies were just happy to get some money and everybody was hunky-dory. What we're seeing really in the last few years is like 40 years of policy evolution just squished into a couple years, you know, and it's a really difficult area. And as Charlie Munger was recently quoted as saying, cyber insurance may be rat poison, right? There's a lot of insurance companies, they're writing this stuff because they think they have to, and it's an economic issue and it's a competitiveness issue, but they're not super excited about it, to be honest. And so if you actually look under the hood, a lot of these cyber insurers, and you talk to the underwriters, you talk to the actuaries, there's a whole lot of question marks and they're getting a lot more serious about what they're willing to insure, what they're not willing to insure.

    52:11

    And so, you know, companies, it's like, hey, maybe you've gotten away with your small organization and you have literally zero security and your, you know, cousin's uncle's nephew's best friend comes in every six Thursdays to, you know, make sure that Outlook is working right. Those days are over. And you will not get cyber insurance. And you're going to get hit. You're going to get crucified by the plaintiff's bar. Something's going to happen. I mean, hell, I had one client where they just happened to do a tax return for this one attorney for one year, five years ago. His information got breached. Class action claim. Right there. Right? So, you know. People think, oh, they're only going after the big guys. It's like, well, if they go after the big guys, it's going to impact all the small guys.

    53:04

    But why rob Fort Knox and get shot in the face by a tank when you could go after 20 small credit unions, Bonnie and Clyde style, and get away with it for quite some time? And there's no, people often ask me, well, why doesn't law enforcement do something about this? And I'm like, think about it this way. If you're, let's say you're a smart kid in some third world country somewhere, in a day, you can make more money than all of your ancestors combined since the dawn of time. And there's no extradition treaty. They're probably never going to find you. And damn it, you want that Ferrari. Well, hey, there you go. Right? That is, it's like terrorism. You have to be right every time. They only have to be right once. And so this problem is not going away. It's only going to get worse. You throw AI into the mix. It's going to get a million times harder. So on that, you know.

    54:00

    The Nigerian prince emails are going to get so much better. Yeah.

    54:04

    Yeah. So, you know, we've broached so many things. It's like skipping a rock over the ocean. And you mentioned Charlie Munger, one of my favorite business guys we're going to miss immensely. Rat poison is a great analogy. You're killing the rat, but you haven't stopped the rats from breeding. And that's the point he's trying to get to on that. So at this point, I'd like to close this one off. I think we've succeeded in introducing the subject and the seriousness of the subject and giving people some things to think about. Kevin, what do you think?

    54:41

    I think you're absolutely right. I mean, listen, I love Joe. I love just sitting here and learning from this guy. Every phone call we've had, I think, has gone way beyond anything we thought it would be. And anyway, he's a wealth of knowledge. So I've just enjoyed it. And yes, I think we're just starting to crack the surface. I mean, you know, you can't just rely on your IT and you can't just rely on your insurance carrier. Neither one of them is going to 100% bail you out. And it's like anything else. I mean, you just got to, you know, you got to have options. You got to layer things on top of one another. And unfortunately, this is the space. I mean, it's not just the pick of these dealers, right? I mean, small business in general.

    55:30

    It's everywhere.

    55:31

    You know, dealership just has to be my expertise and your expertise. And, you know, they no longer are going to be allowed to put their heads in the sand or to your point, put their heads in the clouds.

    55:45

    Yeah, I agree with you.

    55:46

    And hopefully, yeah, hopefully we can continue this conversation. hopefully wake up some folks and help them to figure out what they need to be inspecting and whatever everybody's expecting of them.

    56:02

    Joe, how have you enjoyed this last hour?

    56:07

    Oh, it's fun. I was nerding out on this stuff for like a decade and nobody cared and I couldn't pay someone to listen to me talk about it. So I always think it's fun when I get to just nerd out on stuff that I think is super interesting. It's constantly changing. It's always evolving. Yeah, I get to bring in the legal side a little bit and the insurance side and some of the IT stuff. I get to mix and match all this stuff in my head. I get to help people and I think it's awesome.

    56:38

    Well, I thank you both for the time today. To everybody out there listening, thank you for your involvement. I look forward to having you with us for the next Candid Conversation. Mahalo. Thank you for listening to our podcast. We appreciate your support. Should you have any thoughts or comments, please don't hesitate to contact us at www.learningwithoutscars.com. The time is now. Mahalo!
