Joseph Carson:
Hello, everyone. Welcome back to another episode of the 401 Access Denied podcast brought to you by Delinea, and I'm the host of the episode Joseph Carson, chief security scientist and Advisory CISO. And it's great to be here with today. We have an exciting topic and a very important topic for many organizations, and I'm welcome to play an awesome guest.
Joseph Carson:
Dara Gibson, welcome to the show. If you can give the audience a little bit of background, who you are and what you do and some fun things about yourself.
Dara Gibson:
Absolutely. So thank you so much. I'm joining actually from Phoenix, Arizona, where it's still 115 degrees out, even though it's October. Right. It's incredibly warm summer, but we make it through. And each year we always threaten to move. But I have been in cybersecurity a little over five years, and I found my niche of cybersecurity insurance. And my point in doing that was to really align with the expectations of incident response.
Dara Gibson:
And through that I had to learn the language of cyber insurance and understand a claim and a regulatory and a claim adjuster and how that fits in with the incident response. And through that, I became a certified cyber insurance specialist and now I'm working on my certifications in Arizona to make sure that I can speak more towards the language of, you know, insurance as a whole.
Dara Gibson:
And really learning as I go. And I've joined Optiv about a year ago to really launch our insurability services program and move that forward to work to the best capabilities of our clients and help them navigate the programs of insurance.
Joseph Carson:
Fantastic. Well, welcome to the show, and I think this is a really important topic for today. So, you know, cyber insurance is something that many organizations have realized that it's a must have. You know, it's almost you know, it's almost as mandatory as you need car insurance, You know, when when bad things happen, you need to be able to have the money to recover and continue your business.
Joseph Carson:
And, you know, the realization that, you know, when cyber attacks do happen, they are very costly and very impactful to the business. And the last thing organizations want to be doing is taking away from the business revenue in order to keep the business going, because sometimes that's their, you know, the revenue they have to grow to to operate, to continue providing services.
Joseph Carson:
So something become very important. What have you seen for organizations? You know, what's the motives that organizations have for obtaining cyber insurance that you've seen?
Dara Gibson:
Well, actually COVID, when everybody made that transition to work from home, then the insurance companies had to really transition their expectations. So a lot of people at, you know, back five years ago were like, oh, I have insurance, I'm good, or I have cyber controls, I'm good, I don't need both. Whereas because of COVID, that particular incident in time in history that changed the industry overall and changed the cybersecurity industry overall, and people now began to see the fact that it wasn't an either or situation anymore.
Dara Gibson:
It really is a combination of the two. Building insurance into your risk management program and building controls into your risk management program. That's where the benefit actually truly came, because people can truly, really withstand that event. A lot more securely now because of the fact they've put those cyber measures into place and they've also put the cyber insurance into place so that financial risk, as well as the mitigation of the security risks, have been, you know, defuzed a little bit.
Joseph Carson:
Absolutely. I think for many, they realize that, you know, organizations who've had cyber incidents, especially, you know, a lot of the increase in ransomware over the, you know, recent years as well, in conjunction with people working from from, you know, from home and remotely that increase those risks and the exposure that organizations had from ransomware. And as a result, organizations realize that when those do happen, it is very costly, it's very expensive.
Joseph Carson:
Incidents are not cheap. And when they do occur, they dig into a lot of the companies profits and money and they realize that they need to have that offset of, you know, financial safety net for, say, you know, that ability to make sure you've got some funds that you can dig into. Many years ago, you know, this was you know, it wasn't something that organizations struggled with cyber insurers because years ago it didn't cover the, let's say, the tangible value of data.
Joseph Carson:
It was very much, you know, tied to the assets themselves. Right. And that is definitely yeah.
Dara Gibson:
I wouldn't be dating back to the nineties. That's where, you know, the concept of data insurance came into play because you were protecting credit card information and making sure that that financial transfer was taken care of back in the nineties. It wasn't till the, you know, late teens that the insurance company is like, oh, we now have to start, you know, financing these back end destructions of systems and networks and laptops and that as such the actual physical property.
Dara Gibson:
Right. And that's that change of the insurance policy came from just a liability to now an overall program of, you know, financial transfer across the board. So it's no longer it's it takes into account the first party and the third party across the you know, to make sure that everybody is protected in when that time comes. And there also insurance companies are also now providing a lot of proactive measures.
Dara Gibson:
So they're not just playing Whac-A-Mole at the end anymore. They're really providing additional services and reaching out to vendors to say, hey, you know what, Delinea has great programs, Optiv has great programs. Let's work together with these vendors to make sure you're protected in the first place. And, you know, down the line, you're also able to follow through with incident response services.
Joseph Carson:
Absolutely. I think one of the biggest stories that I've seen a lot of insurers vendors can turn the path is that they've been involving and even some have acquired it's response services. So they're actually really getting in more hands on into the response side of things. And what they're realizing, I think in the past couple of years, what's happened is, is that as insurers dove into this, you know, previously it was being covered.
Joseph Carson:
As you mentioned, things like property insurance was was covering those physical assets and other realized that need to go beyond that. But they don't do jump street in not realizing the frequency of the risk not realizing the financial impact of the risk and they got exposed significantly financially. A lot of insurers kind of were certainly kind of how they can make money out of this.
Joseph Carson:
But I think over the last even the last year or two, I've seen a lot of maturity. They started to really understand the sort of getting more hands on, involved in its response and working closely with those vendors and companies who provide those services. And they start realizing what things can actually prevent. What if something was in place?
Joseph Carson:
What would have stopped the attack from happening? And that's what they're starting to say.
Dara Gibson:
Would stop the attack would help. It would make it more soften or.
Joseph Carson:
Make it more make it more difficult, for example, and are more costly for the attacker. So are more noisy. But it would definitely, you know, make sure that it is not as easy or, you know, to reduce that risk.
Dara Gibson:
So sometimes it's simple as cybersecurity awareness training, teaching your people not to click on that shiny object. And I know strong.
Joseph Carson:
Strong.
Dara Gibson:
Powerful.
Joseph Carson:
That's right. Using unique passwords across multiple accounts. Sometimes it's these simple things.
Dara Gibson:
Password to across all of my accounts.
Joseph Carson:
Oh, who's.
Dara Gibson:
Here personally say that is is is perplexing.
Joseph Carson:
Yes. And sometimes even when you get into the password policies you know, some still have, you know, six, eight characters and like even eight characters. And it's you know, that was the recommendation what you think about. Yeah, yeah. That was a recommendation ten plus years ago. We've come a long way since then, you know, And I even get into, you know, sometimes you want to get to characters and you want to get into passphrase you want to change.
Joseph Carson:
And to your point is a lot of that can be done through cyber awareness training into and can can joining that with good policy and practices. Well you know combining those efforts into it. So you're actually making sure that you not only educating, but you're putting the controls in place to make sure that is happening and you can measure it as well in practice.
Dara Gibson:
Absolutely. Incident response plan, having the people practice and, you know, understand how that process works, who to call, what you know, what is the insurance hotline, what is the vendors hotline, what how do we start a response should the need arise, really understanding that it takes the people practicing these policies and procedures to truly understand how to impact the and lesser make a less of the severe severity of the incident as a whole?
Joseph Carson:
Absolutely. Because when you do need to act, you you know, let's say an incident does occur. You need to act with speed. That's one of the most important things. The quicker you respond sometimes, you know, the significant impact you reduce the even and that all results in costs, you know, quickly respond. The quicker you get, you know, mitigate, the quicker you eradicate the attackers, you get back to operation.
Joseph Carson:
That all has a massive cost and time can make a huge difference. Sometimes I've even seen it, you know, making a difference of hundreds of thousands of dollars and even millions. The quicker you respond and this gets really important is that when you do sign up with insurance policy, a lot of those policies do determine you. No. One is how you respond to incidents which vendors, you know, might be certified as it's responders.
Joseph Carson:
So you want to make sure that you have you know, if the insurance policy says here is vendor A, B and C that you're allowed to work with, you want to make sure you've got a relationship. You don't want to be the first time you're calling them is when an incident occurred. You want to actually to point simulated practice it, know what things they they will expect from you.
Joseph Carson:
What are you going to recommend The audience? You know, if you do get into the situation where the policy you know the insurance policy saying, here's the vendors, what would you suggest? You know, some of the preparation, they get prepared for?
Dara Gibson:
Well, and also understanding that you may have already built a relationship with a vendor that may not be on that incident response panel, talk to your insurance company, talk to your broker, talk to your, you know, the carrier as a whole. They may that company may already have insurance rates already pre-approved. They so they may not be on the vendor panel, but they are already approved to be the vendor responder.
Dara Gibson:
And that gives the the ability to utilize somebody that you already know and trust and can utilize and you can use them in your incident response. They may not be able to do the forensic side of the house because you always want that third party agnostic viewpoint of the forensics. But you can have somebody do your remediation and restoration based on your ex, your trust of your relationship that you've built.
Dara Gibson:
Again, this goes back to communication. Coach K, the basketball coach in the U.S., said, you know, communication is key and understanding that is across the board. No matter what you sport, industry, business, it's communication. And talking to your insurance carrier, talking to your breach coach, talking to your own internal stakeholders, that's where this comes into play. And understanding how you work together and communicate these processes is the first step.
Joseph Carson:
And it was an interesting thing is, you know, there's been a lot of chatter in the last year. Orion's You know, when an incident does occur, a lot of sometimes compliance will determine, you know, such as I'm based in the EU compliance will say you need to follow GDPR, therefore you need to notify data protection authority. But in X amount of time, hours, and now you're seeing insurance policies were saying before you actually do anything, you need to contact insurer before you do anything else.
Joseph Carson:
And I've saw numerous conversations of different about this particular clause that they're adding in the policies. It was really interesting that they were coming back and saying actually what that really does mean because because there was a lot of confusion in industry, because two point the terminology sometimes is very different when we talk about in security world and the terminology in the insurance world are not the same.
Joseph Carson:
And that's one thing I will say is make sure you're on the same page of when you do sign a contract, you do get an insurance policy, make sure you're on the same page. But what the terminology means, because sometimes we might be talking about two different things and the specific area in the response, you know who to report it to first.
Joseph Carson:
So the insurer did say so when they shared with me some of the process, they said that actually what they mean by that is that if you incur costs before you contact insurer, the costs that you incur beforehand may not be covered. So that's where they're getting into. The point is that they want to make sure that, you know, they're involved.
Joseph Carson:
And when you make the claim, it's anything after the claim that is covered. So and some things might be covered before depending on basically how they define that policy. But it's not to say that you won't get covered. It's to say that they want to make sure that any cost that, you know, is covered is part of the claim process itself.
Joseph Carson:
So that's one thing. They did clarify another.
Dara Gibson:
And they also have relationships with the outside vendors. So you may have paid X dollars and they've already built a relationship for Y dollars. So it's correct that slight difference that they're like, well, we could have covered this, but we can't cover that. So. Right. That's where understanding the terminologies and what's actually documented is, is critical.
Joseph Carson:
And even some of the policies, even there was even the discussion online was social the past year review. And it was interesting because some company she went on the path and they got they got insurance and an insurance policy. They specifically focused around data recovery and remediation. And what they started realizing was that in the IT and security world, data recovery and remediation insurance pool, in terms of their understanding of it, means that it's actually restoring data in insurance world.
Joseph Carson:
It could also mean paying the ransom. So there was this there was separate understanding about what data recovery meant.
Dara Gibson:
Some people will have a ransom portion of their correct and they've completely segregated that out out of their, you know, data recovery part.
Joseph Carson:
And it's gets into is really making sure and the point of that specific clause is to make sure that you're on the same page as the insurer when you're talking about what data recovery means. So getting in sort of the fine print, getting into the details and this brings me to a next question I've got for you is arrival.
Dara Gibson:
Time before you go into ChoicePoint. Is make sure that when you're talking on those communications that you're including your legal provider, excluding your insurance provider, you're including your vendor. So everybody is understanding the different terminologies and where each point lands.
Joseph Carson:
Because they come from very different viewpoints into, you know, what what security is. And they come from a very much a traditional insurance background. And now they're bringing a lot of security experts in-house as well to really help with them the terminology also and make sure that it is aligned. And this brings to another major topic was around exclusions, which has been getting a bit, you know, over the year.
Joseph Carson:
They've had the standard exclusions in place. My background, my first introduction into cyber insurance was in the maritime industry, ironically, and it was my my kind of time in that goes back into the early . So when when let's say one one ransom, what meant that it was a pirate attacking a vessel and that vessel heads, you know, a been attacked and therefore a lot of it was, of course the the the shipment, the containers that was that ship was carrying.
Joseph Carson:
But as my introduction into what insurance meant, and in a lot of those piracy claims, it was this exclusion of terrorism, an act of war and stuff like that. And we're starting to see those types of you know, they've been standard insurance policies for years, for centuries. Yeah, absolutely. For a long, long time. But now then, of course, they've been added into the cyber insurance policies quite frequently.
Joseph Carson:
And we're starting to see how that's playing out. There's been some massive cases over the years. I think the one that was notable early this year was the Merck case with not picture and and that made pretty big headlines because it did mean that, you know, in that case, the way that the Supreme Court actually viewed it was that Merck was not a legitimate, you know, military target.
Joseph Carson:
So therefore an act of war clause in an insurance policy would not be justified. And it set up the two camps, those two two camps that went separate directions in this, which meant that companies so the insurers are thinking about, well, okay, okay, any company we've insured that is not a military government legitimate target that puts that clause at risk.
Joseph Carson:
That they may not have had the the the way out that they may have assumed because and the bills in almost all cyber attacks, we can have some type of attribution back to nation state which is which is unfortunate. You know, whether or not those criminals are acting as mercenaries or organized criminals or nascent state backed a lot of cases.
Joseph Carson:
You pointed to government or nation state because of locations, geographical attribution or they previously did work or sometimes they work on behalf of and sometimes they do their own thing. So it's always very attribution is always very difficult. But then you got the other side of the camp, which is that these organizations who also have parts of their businesses, those military and government contracts and now the clauses they're thinking about, well, okay, those clauses will apply and they're starting to think about.
Joseph Carson:
So what what what's your view on the exclusions and what other types of exclusions have you seen them put in policies?
Dara Gibson:
When I've seen some of the exclusions be actually worded, it it I my understanding is sometimes it has to actually be declared an act of war and then the policy still covers it because war has not been declared in that particular situation. So that way the policy still is upholding and has to honor it. And that that's what happened in Merck as well, because that client was not an act of war.
Dara Gibson:
Right. And therefore, that's where that's where that transpired. Some of the other exclusions I'm seeing there, they're fixing by putting new portions into their policies. So one part of the policy may exclude ransomware and ransom payments, but they've added in, you know, in part a portion of the policy and saying, well, now we'll cover it because you bought this part of the policy as So it's again, it's truly understanding what the policy is stating and where where it actually is covered because you want to you want to make sure that you're not making that assumption, Oh, I'm totally covered.
Dara Gibson:
And then you're like, Well, I wasn't worried at all.
Joseph Carson:
Especially when they're coming on the renewals because you used to be you get this one massive policy intended to cover everything. But now I've seen insurers have thousands of policies that have separated out into these very micro policies for very specific things. At a certain point you might get data recovery, then you might get this response, you might get, let's say, security awareness, you might get other types of even controls in place.
Joseph Carson:
You might get the ransomware payment and where it used to be in the policies Unlimited, it was seen as security.
Dara Gibson:
Or you limit you're only allowed to use so much of that part of your policy. So yeah, a sub limit in that category I guess would be a more appropriate.
Joseph Carson:
And then there's also the deductibles as well. You know you have to to have some upfront payments are covered you know that you have to cover yourself. So it's quite interesting. So, you know, to your point, absolutely, the policies are getting so very, very specific that as you're going through a renewal, you might want to make sure that you understand.
Joseph Carson:
Does the policy still cover what you assume that you may be getting in the past?
Dara Gibson:
And again, that's that's including all of your stakeholders, your legal provider, your insurance carrier, your cyber vendor, because you want to make sure that all of those people are part of the conversation. And you also want your internal stakeholders involved. You have means, including your H.R. department, that means including your privacy department, and that means including, you know, the other the I.T.
Dara Gibson:
And the technical people of your of your internal team as well, because there's a lot of those menu questions that you may not be able to answer, but that other person can. And in the end, the data privacy component is critical because they're finally saying, oh well now we need to actually abide by these data compliances that are set up.
Dara Gibson:
GDPR was like the, you know, the first bird first, right? But now we've got a lot of states over in the U.S. and we're aiming for different cyber privacy policies.
Joseph Carson:
All different, which is I, I wish it was more on a federal level to be honest, because it was just one for.
Dara Gibson:
Everybody else.
Joseph Carson:
Right? Because otherwise you're just creating so much extra work. And that's why GDP came in. Right? I was one of the technical reviewers in GDPR, so I reviewed all of the early versions. Oh, well, let me give the feedback into is this technically possible? So that's what you get into. I wish I could go back and change a few things closely, but but it was a great foundation.
Joseph Carson:
And then, of course, to your point is, like other governments have taken the same step. You know, in the U.S., it's the states have taken the same step. And what I find, though, is that, you know, a lot of these cyber insurance policies do kind of overlap with a lot of compliance and regulations as well. So I think what one thing you find is that if organizations do have some compliance that they had to meet, whether being a PCI compliance for financial institution or, you know, HIPA for medical or SOC compliance or even ISO.
Joseph Carson:
And in this framework, I do find there's a lot of overlap. Do you find it due to any specific ones that might help more or, you know, if you do find organizations already compliant with some regulation that does help them accelerate the ability to obtain cyber insurance?
Dara Gibson:
Yes. On and in the individual aspect of insurance map their own expectations. So some insurance carriers policies, some pooled honest sample GMC. And as you said, there's so many different frameworks. But you will notice, as you said, that if you've completed a SOC two exam or you really are compliant with PCI, a lot of the times you can answer your questionnaires to be like, Oh yeah, we have that in place.
Dara Gibson:
Yeah, we've practice our tabletop exercise for incident response. Oh yeah, we've protected our data from that component of it. And so that's where the overlap does really positively impact insurance because you can, you can answer those questionnaires a lot more significantly with ease and efficiency. And that's where that that allows you to have that flexibility to say, yeah, we've answered that.
Dara Gibson:
A lot of times, though, the insurance industry has all of their own expectations and their own wording of, well, this company just wants MFA. This company wants MFA on their admin rights, this company wants it on the overall, this company wants it. So really creating a cohesive structure in the industry, industry as a whole, which is why PCI came, which is why HIPA came, because they wanted to create that overlying umbrella of, you know, cohesive comprehension and I think we in the next few years will see that with the insurance industry as well, because there are so many frameworks and controls that you can put in place.
Dara Gibson:
And just because one person names it one thing and you know, with the fancy acronyms and everybody likes to appreciate, right, they all can have the same broad understanding.
Joseph Carson:
That would be great actually, to come, you know, to have a consolidated insurance industry framework that basically means that, you know, and it also means easy transferable, maybe one year, I daresay, to change insurers. And therefore, I don't need to go through the same process again to obtain a very you know, went through it once. Why do we do it again?
Joseph Carson:
Because. And it means it's transferable. That makes us, you know, much more standardized. I think that'll be a great approach to have a, you know, a cyber insurance framework that allows you at least understand about that that you can prepare for as well. So you're not actually having to find out the first time when you do contact and and try to obtain insurance that you're already, you know, can have some type of framework that you can actually already check beforehand and then you can choose which insurer to go to, which I'm sure.
Dara Gibson:
Yeah.
Joseph Carson:
So so absolutely. That makes the.
Dara Gibson:
Auto industry the auto industry says you have to have airbags, you have to have seatbelts, you have to have brakes in your car. Right. And then so now we're in the same situation with the cyber insurance industry saying, you know, you've got to have these controls in place. It creates a better security framework.
Joseph Carson:
Absolutely. You know, rather than one insurer saying you need brakes, but you don't need an airbag ransom saying, you know, you need an airbag, but you don't need the seatbelts. So centralization does help and it means that your expectations are a lot more easier to follow. What types of what types of security controls are being required, what solutions.
Joseph Carson:
You mentioned MFA, what other types of things you're seeing insurers require in order to become insurable.
Dara Gibson:
Detection and response. Really understanding that the your end point agents or your network agents have that detection and response capabilities. And sometimes it's easy enough just to have it managed by an outside vendor because now you're completely covered. some businesses, you know, you're still going to close at : and your security guy may leave at :. Well, after at p.m., the threat actor knows that Fred went home.
Dara Gibson:
And so you having that overall seven capability of detection, your response is crucial. Absolutely. Cybersecurity awareness training I've seen on multiple insurance carriers. And that's one of the key elements. One, as I mentioned, one coming up is privacy for , because a lot of lawsuits came into play and it wasn't the ransomware or the business email compromise this year.
Dara Gibson:
It was the lawsuits from the privacy regulations. And so insurance is now responding and saying we need to be better at privacy compliance to make sure that that's also covered in the insurance policy as well. So, I mean, there's some and so many aspects of it now, MFA privileged access, managed access.
Joseph Carson:
I've seen I've seen the bite. It's like, you know, the more mature policies I've seen policy access management becoming mandatory. Some of the other insurers are still catching up. They're not quite there yet, but they are starting to update their policies to start, including more.
Dara Gibson:
On the in the insurance needs. Industry needs to understand that that's not a light switch. If you have a multibillion dollar industry, you can't just turn on your privileged access management that takes months to deploy and implement and make sure it's fine tuned to make, to make sure it's working to the best capabilities of the program. So that's where the insurance industry is going to have to have flexibility and say, okay, this company is working on it, they are deploying it, they are making sure it's in place and and have those be the course of action.
Dara Gibson:
That's a positive role.
Joseph Carson:
So what's what what types if an organization's going down the path? You know, one of the other things I mentioned, you know as well is that, you know, most organizations, their security team is is, you know, % of one of the right resources is sometimes it's their part time job or just a responsibility that they have. So I think for many, it's it's important to get outside help.
Joseph Carson:
It's important to partner with the provider who can provide more, you know, was it ? And also in many reasons, sometimes you're located to headquarters, but you might not have resources available to all locations. Right. So it's really important. Make sure you've got availability there. And the expertise is what types of resources does an organization need to get some insurance, you know, And roughly how long does it roughly take?
Joseph Carson:
Is it, you know, is it like a couple of weeks is something you do self-assessments? Is it you need to involve multiple departments? What type of kind of resources would you expect?
Dara Gibson:
So our Optiven in particular has noticed that a lot of our clients are getting their renewal notices days out, which gives them the flexibility to utilize Optiven to say, Hey, help me with this program. Right? And so days is a long time because the insurance companies are now looking and saying our questionnaires are no longer just ten questions.
Dara Gibson:
It's not a day portion. So days is where they're looking to say, you know what, That gives the clients the opportunity to look at their program and understand where are their gaps, How can we remediate these gaps and put the appropriate measures in place to make them more insurable? And then following have that insurability concept. So I've seen, you know, some companies out at days, others are still at .
Dara Gibson:
But really giving that strong code of here's your renewal date.
Joseph Carson:
That's a whole.
Dara Gibson:
That's a.
Joseph Carson:
Good indication about what you're typically expecting days is, you know, it's a long time I've seen similar I've seen on the on the smaller side of things you know the small companies doing self-assessments I've seen a tick you know, anywhere up to a month. You know sometimes it's pretty quick. But on the other the larger side of things, I've seen very, very deep risk assessments, third party risk assessments, penetration tests and seen, you know, even up to six months plus were seeking to get cyber insurance.
Joseph Carson:
And and sometimes, you know, they make some organizations might not even get it because insurers are becoming more selective.
Dara Gibson:
Or they're getting a very small policy. So where they may have gotten million in the past as a part of their coverage, now the company is saying, okay, well, now we can only do five. And that's where you now have to find a second insurer to do your tower policy and build back in addition. Absolutely. To get you back up to that ten because you still have a business that's growing, thriving.
Dara Gibson:
You can so you can't minimize your coverage. You still need your, you know, your larger access policies. Absolutely. And you also you know, you also have to understand that it's not just the the secure it the maturity of the insurance company. It's also the the company that the insured company that's coming in. Right. Because they could be a smaller one man shop and they're not going to take days to renew their policy.
Dara Gibson:
They're going to be able to do that self assessment on the on the website and truly understand. So it's the maturity of the insured client as well as the maturity of the insurance company.
Joseph Carson:
Yeah, I've seen, you know, a lot of organizations with many policies and things and a lot of some some of the times it's due to complexity. The business. Yeah. You get large pharmaceutical companies that might have something for here's our medical machines line of business and therefore it's a different risk than things like.
Dara Gibson:
Cybersecurity policy covers that portion of our business because it's.
Joseph Carson:
More specific to hardware to the asset. It might be.
Dara Gibson:
Property and the operational technology.
Joseph Carson:
Correct, versus the let's say, the, you know, biomedical side of things or, you know, vaccine side, which is much more on the data side. Therefore, you need the.
Dara Gibson:
Intellectual property.
Joseph Carson:
Side, the intellectual property, the algorithms and stuff, you know, that makes it happen. So therefore it's very different type of policy as well. So I've seen organizations that, you know, do have many different policies that they look into and sometimes many different teams that has a work on it. So it can take a lot of a lot of time resources.
Joseph Carson:
What what are the things you're seeing? What's the trend that you're seeing in the industry? What's what's what's the looking forward in the future.
Dara Gibson:
On some of that? As we mentioned previously, some of the trends we're seeing is the insurance industries are taking a much more control of the cyber vendors that they're working with. And as you as you said earlier, they're purchasing them up. They're acquiring. Yeah. So to me, that's a little odd because it could be a conflict of interest.
Dara Gibson:
You know, hey, we provide service and we provide insurance. So so somebody can, you know, correct me on that one. I'm happy to have that conversation. But to me, it's a little maybe a point of conflict. But I do see that as a trend that's coming. But I also in the positive light, I am seeing the conversation between the insurance, the legal vendors and the insurer and the cyber vendors really coming into play and understanding that that three pronged approach is helping the clients out much more efficiently and absolutely creating a strong foundation in the front end helps them in the back end, especially with the new SEC regulations coming to play for publicly traded
Dara Gibson:
companies in the U.S. That's significant for day. That call, that time frame is significant. So they're going to need a lot of measures in place and a lot of phone numbers on hand to make that come into play.
Joseph Carson:
And you want to have a practice because to meet that four day, you will not do it without practice, without simulation, without having those relationships and connections and the context. It's going to be difficult. I've seen organizations even trying to figure out after month what the root cause of the incident was, let alone four days. That's so that makes a massive difference.
Joseph Carson:
Absolutely. I'm also saying, you know, the industry is definitely maturing. That's just the great thing they're starting to have much more tangible, quantifiable risk data, which is definitely a positive thing. And they're starting to mature. The policies they're starting to understand about what really is cyber risk. I think one of important things that I, you know, share with the audience as well, one of the things I've found doing a lot of research in this area and just released recently released a very detailed report, is that it's important that cyber insurance is not cyber security.
Joseph Carson:
You know, that's that's the confusion I've seen a lot thinking, well, maybe I'll just get cyber insurance because then I don't have to do these cyber security like, you know, best practice, you won't.
Dara Gibson:
Get insurance and stop putting cybersecurity in place.
Joseph Carson:
And it's important that it is the financial safety net. You know, cybersecurity is the bricks in the car. It is the seat belt. It is, you know, the airbag. It is, you know, driving according to the rules and putting the best practices in following the right things in place. Cyber insurance is a financial safety net to help you recover quickly, to help you had the right resources that you need to get back up in the business.
Joseph Carson:
And when that car is no longer functional, you'll get a replacement car to keep going. That's it's that difference. And they go together. It's a combination of both, which is important. You can't do one with.
Dara Gibson:
Proactive versus reactive. Going to your Missoula doctor for your annual exam, keeping you healthy and taking some vitamins is a lot easier than the and cost effective than going to the emergency room to have that emergency fix and systems. And again, it's all the power of the dollar, the power of mitigation, the power of being proactive.
Joseph Carson:
Absolutely. And one of the important things is this is where the CFO in the organization does really well. They understand financial risk. So sometimes, you know, they can become your best friend when you're going down this path because they understand how to negotiate these types of policies and they understand about the financial mechanics of the organization as well.
Joseph Carson:
So definitely, you know, as organizations are going down this path, you know, the risk officer or the CFO, the business owners, they help you provide that quantifiable data side of things and can help you, you know, build in your the package that you need the right package, right? Plus also make sure you're able to, you know, understand the you know, the needs of the business and what type of insurance you need to cover it as well.
Dara Gibson:
And it goes back to our previous conversation of communication because the CFO knows their component and the I.T knows their component and the private the DPO knows their component. If they're not communicating across everything, it's still going to be siloed and not going to work efficiently. Whereas as a communicator, whether they're also communicating now with their outside stakeholders, and that's where a complete risk management program comes into play.
Dara Gibson:
And I think that's that communication is, you know, what makes the policies that much stronger.
Joseph Carson:
And this is this is a great opportunity to break those silos down. It's a great opportunity to have those conversations and and, you know, get to the point where you're all working together, you know, and realize that cybersecurity is no longer just an I.T. problem. It's actually a business cross-functional problem.
Dara Gibson:
It's a business.
Joseph Carson:
For we need to work together in those areas. So I think that's definitely, you know, a great one of the things is also I've seen is a lot of boards requiring the organizations that they represent because they might sit on multiple boards and they're hearing it from other organizations. So you should be prepared that when your board meets the next time that the question that CEO or the question that the board might have from the is or might have from, you know, the director of I.T.
Joseph Carson:
And security, they might have the questions, but what is our situation with cyber insurance? Do we have it? And and if we don't, what are we going to do about it? So be prepared that those conversations will will happen and you want to already you know if you if you haven't done the part that you want to make sure you're already starting to think about it and start inquiring and and at least becoming a knowledgeable about what it means, what the terminology means.
Joseph Carson:
So at least one one the CEO at the board comes to you for those for those answers. And they want the answers. They want answers. They don't want you know, they say, oh, nothing.
Dara Gibson:
Oh, acronyms. They don't want all the high level, you know, intricate knowledge, you know, language that you're like nobody else understands. They want to understand where you're coming from.
Joseph Carson:
Absolutely. And it's been fantastic having you on. This has been really intriguing, exciting conversation, something that organizations definitely will have. And any final has a direction you would, you know, hopefully the audience know what would be the first step, what would be the first thing that they should do either as they're coming up for renewal, maybe they already have a policy or there have been done the first time.
Joseph Carson:
What would be your your advice for the audience?
Dara Gibson:
Well, read your declarations page of your policy. I mean, they make it very simple. So it's usually right in the front of the policy because that will list everything that's covered and, you know, included in the policy because you want to make sure that if you've read, you must have MFA for this portion of your policy to work.
Dara Gibson:
Make sure you understand what that means. Now, that also opens up the opportunity you to talk to your cyber vendor and say, We don't know what MFA truly means for our organization. You know, is it just truly understanding having that second code on your phone, or is it is that, you know, is there a token? Is there a you know, have no and understand where does this come into play, having that understanding what your declarations page says and understanding what it means for your organization, That's where your first step lies in a cyber event.
Dara Gibson:
Knowing that the numbers to call the WHO to contact makes cuts down on that.
Joseph Carson:
And having it playing it off line as well. And a bucket are printed sometimes because I can't tell you how many times I've involved in this response where the actually is. Response plan is also encrypted with the ransomware. So always make sure that you do that. You do not either in your head or you've got it easy, accessible in an awful answer.
Joseph Carson:
And one other thing I'd recommend.
Dara Gibson:
Client one time actually had the whole printed off in air plan in the back of his car. He'd have to find her in the back of his car. He's like, If we're, if we're offline, I have to have a printed copy. And sure enough, his his trunk of the car parts came into play.
Joseph Carson:
That could be a very. But I've seen it. You know, those types of practices being a big savior. Hmm. Well, another thing I'd recommend for the audience as well as don't try to go it alone, you know, reach out and, you know, contact the likes of Optiven and find out, you know, what help you can get, what you can do to prepare, because that makes a massive difference.
Joseph Carson:
And, you know, get get people and the community and the network and reach out who've done this before because it will definitely make, you know, make it much easier for you. And they can already help you with some templates and some guidance suite. Absolutely. So it's been fantastic having you on it. Really enjoyed the conversation. Really excited.
Dara Gibson:
Me too. Thank you for having me.
Joseph Carson:
It's been a pleasure. So for the audience, again, you know, this is the fourth one, access to my podcast. We're really trying to bring you educational, knowledgeable thought, leadership content. And I really do hope that you find this valuable and insightful. Again, tune in every two weeks. We always have a great guests and exciting topics. And again, you know, stay safe, take care and look forward to hearing from you again.
Joseph Carson:
So take care. Thank you.
Dara Gibson:
Bye bye.