Welcome to all of you again. We're so glad that you're here. Julia and I show up each and every day to have these thoughtful conversations and insightful conversations. And today we were really excited to have another Nonprofit Power Week episode with Eide Bailly and we're talking with Kyle Hendrickson today all about cybersecurity insurance realities. And for those of you that have joined us earlier in this week, we launched the Power Week on Monday with Kyle in person, live in studio in the Phoenix office for Eide Bailly. Yesterday we had another very insightful conversation but Kyle's here to talk to us about the cybersecurity insurance. And again, I didn't even know this was a thing. So I am definitely learning as we go with the Nonprofit Power Week. So as we jump into today's conversation, we wanna remind you who our voices and faces are that you're seeing and hearing. Julia Patrick, CEO of the American Nonprofit Academy. I'm Jarrett Ransom, Julia's personal nonprofit nerd but I can be your personal nonprofit nerd too, CEO of the Raven Group. And we are always so very honored to have the continued support and trust from our very invested presenting sponsors. So thank you to Bloomerang, American Nonprofit Academy, Fundraising Academy at National University, Be Generous, Your Part-Time Controller, Staffing Boutique, Nonprofit Thought Leader and the Nonprofit Nerd. These companies, many have been with us from the very, very beginning, March of 2020, and have helped us produce over 700 broadcasts. So thrilled to have their support. And if you missed any of those broadcasts, you know where to find us, Roku, YouTube, Amazon Fire TV, as well as Vimeo. And for those of you who are podcast listeners, you can go ahead and queue us up there wherever you stream your podcast. So again, Kyle Hendrickson is back. We haven't scared him, he hasn't scared us and we're here to talk more, dive deeper in cybersecurity. So welcome back Kyle. Thank you.
And speaking of being scared, so full disclosure, right before this episode, I ate a bunch of Oreos. And so I was actually more scared of having everything in my teeth than I was of talking about cybersecurity insurance. I have a question. Are they the Halloween Oreos with the orange filling? Are they the regular with the cream or white filling? Double stuffed regular. Okay. And do you turn them and lick them? Like now you're really getting into like the detail. I mostly just shove them in two at a time as fast as I can because I love them. Yeah, they are pretty tasty. Well, we love getting to know more about you because cybersecurity is not a light subject. It's really scary in and of itself and you have helped us to really understand this in layman's terms. So I wanna say thank you for that. And again, we're gonna dive into, what is it we need for cybersecurity insurance for our nonprofit friends across the country? So. You know, Kyle, one of the things that Jarrett and I were like, oh, I don't know if we can have a whole week with somebody who's, you know, in the cyber world, he's probably not gonna be very aligned to the nonprofit world and understand what we all do. Or fun. Like your own chest. Or fun. Okay, I didn't wanna go there, but thank you. And so we learned at lunch with you earlier in the week off camera, of course, that you know about the nonprofit sector. Will you share with us the amazing story about starting your own nonprofit? Yeah, so starting in the fall of 2020 when our girls were going back to high school at that time and everything turned into a learn from home situation, we realized very quickly that they were taken care of on technology. They had everything they needed with the dad having access to plenty of computers. But their friends and their buddies at school weren't in that situation. There were a lot of kids in our area that were left out even with school-provided devices.
They just didn't necessarily have everything that they needed to be set up for success in an all-remote environment. And so we took the retired computers out of where I worked and we were on a three-year replacement cycle. So they're all good computers still able to do anything they needed to do, me and my wife. We cleaned them up, we got them ready, we fixed what needed to be fixing and we were able to give them away. And no questions asked, just took care of people. And whether it was kids, whether it was parents now suddenly working from home and needing to do that. Veterans, people going back to college, we just found a lot of need in our community and the surrounding communities. And it felt really good to be able to help out. It's fantastic to hear that. I myself, very fortunate my son's dad works for very large computer companies. And I joke, I'm like, my 12-year-old has more computers than I ever have in my entire life. And again, we had talked about earlier in these episodes where our children and other individuals are learning so much about technology and the acceleration through COVID. And I commend you and your wife for that because we also learned it's not just in the Dakotas, you're sending this across the country to other individuals. And I didn't know it was adults as well. So that's really, really amazing. No questions asked, wherever someone has found a need we've just stepped in not worrying about exactly everybody's personal situation. If they come to us, obviously they need help and we're able to just provide help where we can. And it's been a really fun adventure. That's really cool. And tell us the name of your nonprofit. Green Dog Tech. Green Dog Tech. All right, well, we love it. I think that I've heard about this very interesting competition of sorts, the resourcefulness awards presented by Eide Bailly, hmm, there might be something there. But yeah, I love it. I'm really proud of you. I think it's cool. And Jarrett and I are very fortunate.
We get to hear these amazing stories from founders day in and day out. And it's really powerful and it's something that is just an amazing thing to witness. So congratulations. And how many devices have you worked with so far? So the first year we were right around 500. So that 2020, finishing out 2020 in the fall, we were able to do about 500. This year we're on target for about 3,500 devices to either sell or place to people in need. Holy smokes. And you're doing this out of your garage or your home or something. Garage and home. So yes, my wife is awesome. I love it. Shout out to her. Absolutely. This is really cool. And so now, if you ever needed to think, wow, does this techie dude, can he really understand my nonprofit pain? Yes, he can. I am excited. So let's get into this, Kyle. Whew. Cybersecurity insurance. Is that something we need or can we wait? I mean, talk to us about this. Yeah. So again, I'm going to use a made-up word, cyber risk. And I don't know that cyber risk really is a thing, but cyber risk really is business risk. So insurance is there to help us mitigate risk to all of our businesses. And so specifically, we're talking about how do we help ensure that our nonprofits are able to survive a disaster around a cyber security incident? So yes, I believe that cyber security insurance is a requirement for nearly any business that I talk to, nonprofit or otherwise. This is just about business risk management. That is so fascinating to me because before Monday, I didn't even know cyber security insurance was a thing. And one of the insurance we talk about often is directors and officers insurance. And we really wave that flag a lot. So I'm curious, is cyber security included in D&O insurance? And is it an add-on or is it a separate policy? So this is typically a separate policy. This would be sometimes combined with business outage type insurance or errors and omissions type of insurance. Sometimes it's additive to that.
But typically, cybersecurity insurance is its own separate policy with its own analysts and adjusters and making sure that they're sizing things appropriately for the size of your organization. And does it vary by sector? And we always think of the nonprofit sectors having nine major subsets. Let's say you're running a museum or a cultural institution. Is that cyber security policy going to differ from that of maybe somebody in health care or human services? Yeah, so it depends on what we're trying to protect. So some of us are trying to protect monetary assets. Some of us are trying to protect personal health information. Some of us are looking at just private information for donors or those people that we're serving. So it's going to depend on the type and amount of personal information or the kind of information we're trying to protect along with the size and complexity of our organization. So if I'm a tiny organization, I have less things to protect than a large health system that may be a nonprofit. And so I'm going to have less, as far as premiums, less, as far as coverage. But it's going to impact me less on the bottom line. That's a great way to look at it because it can kind of help you shop the market, so to speak, or to understand why, if you talk to a counterpart, but they're in a different sector, their insurance costs might be quite a bit different. So yeah, that's really interesting. Talk to us a little bit about along that line and understanding that we need to have this policy. And Jarrett, I love your question. This is a separate type of insurance. So it's not just going to come under your general business umbrella coverage. What are some of the challenges to renewing? This isn't just going to be something that you get in the mail and you check the box or you send a check, right? Not quite. There are some requirements. So a little bit of history here. 
So starting around five, six years ago, this used to be a check-the-box type situation where you could just, hey, do you want to add this to whatever policy you have going on? And insurance brokers would just include it. Carriers would cover you. It was just a thing that you added to your policies. Starting about four-ish years ago, ransomware became big in the news. And we started hearing about that in the headlines all around us in our communities everywhere. That took the insurance industry a little bit by surprise. And so suddenly they had to pay out on a ton of claims as a result of ransomware and as a result of these large breaches or extortion attempts from ransomware actors. Insurance companies make money when they don't have to pay out claims. And so they have actuaries. They have really, really smart people that can look at all the bad things that they've had to pay out on claims in the past to know what are the key things that need to be in place so that they can keep making money and keep serving their shareholders. And so now it's not just a guarantee that you're going to get your renewal or a policy in the first place. They're looking for key things in your environment. And so I'm referencing something from one of the largest cybersecurity insurance brokers in the United States when I say they're looking for five key controls. And then above and beyond those key five controls, they're looking for how comprehensive is your protections that you have in place that lines up with their best practices to understand how big of a risk are you going to be to them? And so the better your cybersecurity program, including those required items, the less your premium is going to be and the easier time that you're going to have for renewals. And this is for any size. And I love that you really do say business. And I just want to remind everyone, nonprofits are businesses and we need to stay in that mindset. But this is for any size business. Is that correct, Kyle?
Yep. So this is from small to big, whether it's for profit or nonprofit. We all have the same requirements being placed upon us by both the cybersecurity brokers and the cybersecurity insurance carriers. Okay, so I got to ask, I mean, this is like kind of a left field question, but in the past, you could even today go online and pretty much within a few minutes be fully covered on whatever it is you're looking for. I would imagine going into the marketplace which is probably still somewhat limited. This isn't going to be a quick go online and you're covered in 15 minutes kind of purchase, right? Not typically. So you're going to be wanting to work with a broker that shops multiple carriers and is going to tell your story or help you tell your story around where you're at in your cybersecurity journey and make sure that you're as accurately portrayed to the carriers that they work with as possible and understanding what is that risk that you pose to them by them extending insurance to you. I'm curious, Kyle, has any of this changed over the last three years with a lot of remote working now? Like there's a lot of staff working remotely, but a lot of systems that have been integrated. Has the cybersecurity insurance and the policies, some of the requirements, have those changed you think because of the increase of remote working? So I don't know that answer, but I do know that when we start looking at those five required controls that need to be in place, things like multi-factor authentication, endpoint detection and response, so the next version of next-gen antivirus, secure and encrypted and isolated backups, making sure you're managing your administrative privileges across all of your computers and then implementing email filtering and web security. These are all centered around things that would affect us in a remote work environment.
So the challenge to an organization as we're in a hybrid or a fully remote work environment is when we're talking about cybersecurity controls, how are you making sure that you're effectively implementing all these things across all of your computers, regardless of where they're at? We wanna be comprehensive and holistic and manage risk across our entire organization, not just when they're on site and in our office. I'm sorry, go ahead. Well, I was gonna say, I have to admit that two-factor authentication, it's a really hard word for me to say, it's annoying as heck, but I understand the need of it. But oftentimes what I find is I'm working with a client because I'm a consultant, but working with so many other people, it's like, well, where did this go? And is the staff still there? And so there's a lot of kind of nuance in that. And it's an easy thing to just kind of turn off and say, we're not gonna worry about that, but are you telling me we need to worry about that? We need multi-factor authentication everywhere and for everybody. But when we start talking about multi-factor authentication, we should be looking towards solutions that we can use that we can integrate in with a common multi-factor authentication platform where we have one way for doing that challenge response that's something that we have and making sure that it is legitimate. So we don't have 14 different things that we're using for multi-factor and making it even harder to manage. And when we get down onto one platform, then we have the ability to start creating custom rules like, do I know this device? Is there a location specific attribute that I can tie this to somewhere that is connected before with that trusted device? Is it within the normal working hours that I normally work? Are all of these things that are true enabling us to make risk-based decisions that maybe I don't need to be doing that challenge every single time I check my email? Got it. That makes my life a little easier. 
Reducing the friction of cybersecurity. You want to be comprehensive and make it even better, but then make it less painful to use everywhere. You know, Kyle, this is like one of those things that if I didn't know about Green Dog Tech, I probably wouldn't have thought about this, but I hear you saying, you know, with this work from anywhere concept and all of these different devices that we have, in the past, we would share our devices with our family members. So it sounds to me like in the nonprofit sector and probably in the for-profit sector, of course, as well, that we need to start investing in dedicated devices that are not being shared. Would that be an accurate thing to help reduce some of that risk? So I would always recommend anything that is doing anything financial for your nonprofit, be completely separate from anything the rest of your family is using for non-business purposes. So that's the first step. And then from there, as we can, knowing that some nonprofits are small and working with very little means, from there, then I would separate out business activities from personal activities. So if we can isolate that and make it, so we have dedicated devices just to support the nonprofit, knowing that our personal life blends over sometimes, I'm not so worried about an individual that works on the nonprofit's behalf that also does some personal on the same device. I would be more interested in making sure other family members are not getting on that business device to do whatever they need to do in a personal setting. Smart, makes a lot of sense. Yeah, I think that's why. Now, this is a curve ball, and I don't know if you're gonna know the answer Kyle, but you've been with us now three days. And I'm curious if these cyber security insurance policies, if they also cover board members and volunteers, because as I think of committee members and they're working in the donor database, are we covering them in these policies?
Yes, so we're gonna be covering anybody who's working on behalf of the organization. And we just need to be clear with our, when we're getting that policy, that this is our world of who accesses this data and this is who needs to be covered. So yeah, that's all part of this. Good, I just had a bit of a panic because I know it's event season right now and events are typically heavy, heavy dependent on some amazing volunteers and event committee members. So I wanted to see about that. I love that you asked that question because yeah, absolutely, Jarrett. I hadn't thought of it in that, quite in that perspective, but yeah, absolutely. Well, of course now you're gonna, as we look forward and I love that you're like, we can bring messages of hope. I'm gonna ask you to kind of walk us through, don't let your hair on fire, go any further. You don't have to be burning it all off. Messages of hope, actions to reduce risk. What does that mean and are these achievable for us? So I kind of cheated. I already gave you the answers to the test here. So again, I'm gonna look back at those five required controls because the insurance carriers know that these are the things that need to be in place and done well so that they don't have to pay claims. That directly translates into less risk for all of our organizations. So again, those five required controls are gonna be centered around multifactor authentication. Next-gen antivirus, EDR is what we call that now. Secure, tested and isolated backups. So when things like ransomware take a hold, their threat actors typically will try and disrupt your backups so that they can force you into a payment situation. So we need to protect them. We need to make sure that we're properly managing administrative rights both to our computers and to the systems that we're using to support everyone we need to support. And then we need to implement email filtering and web security. And that's just the minimum. That's just the minimum, bare minimum.
One of the things I know to be true for so many of our friends is, the person that's in charge of IT is literally the person that knows how to plug in the right wires into the right sockets, right? So who should be overseeing cybersecurity? And is that, is it a staff position? Is it, you know, a partner like Eide Bailly? Where does this sit? Yeah, great question. I think that the questions should be asked of the leaders within the organization. So that might be on the board. How is management taking care of this? And it isn't necessarily that management within the organization is doing it, but they may have a partner like Eide Bailly or another partner that can assist them with both implementing these controls and then the ongoing monitoring and maintenance of things. But I would expect that from a leadership perspective that the board or the founder or executive leadership committee, just like within a business, the people that are tasked with keeping that business successful should be asking these questions because again, this is business risk. And then is the policy a year? Do we renew it annually or is it a multi-year policy? It's typically a one-year policy and the guidance I would give people is talk to your broker early and often to know what's gonna be coming for next year's renewal. So if the things have changed, you have time to plan to make sure you won't have a lapse in coverage because again, this is helping manage business risk. That's exactly what I'm thinking. And so, Julia, you always share a lot about that leadership list, quarterly updating your fast facts, things like this. I feel the cybersecurity insurance has gotta go on this quarterly list because with the acceleration of technology, the access to technology across the globe, there's just so many new nuances within the technology realm.
Yeah, it's a changing landscape and because of that, I would imagine that the insurance companies are changing their parameters all the time and then to Kyle's point, finding new avenues of extortion, ransomware, all of these different attack and threat positions, it's a changing target. I thought it was interesting, Kyle, that you mentioned tonight and I'd love, we don't have that much time, but I'd love for you to kind of amplify that point of renewal and that we need to be looking out. I mean, 12 months goes by like that. What does that look like if we're trying to plan and put this on our calendars to start moving forward on regaining that? I mean, I don't think we can just rely on our insurance brokers to call us up and say, okay, we need to start planning and we need to be ahead of this as well. Well, and so this doesn't need to be something that is a week-long event with your insurance broker, but asking them what frequency that you need to be working with them and touching base to see if anything has changed. And for a lot of people, that means either at six months out or quarterly. So understanding, okay, just a quick 15 minute or a half an hour touch base and make sure that, okay, this is what we've accomplished over the last year in improving things. Does this line up with what we would expect and then asking the question, are there things that we can do that would potentially reduce our premiums? Because there is. The better the program, the less risk you are to the carriers and so that should be reflected in your premiums. So asking those questions and making sure that you have a broker that you can work with and establishing a frequency that works for both of you and knowing that this doesn't need to be a ton of time invested in checking in, just making sure that you're keeping a finger on the pulse. Great advice. And again, continued messages of hope. Day three with Kyle Hendrickson as we talk about cybersecurity.
And again, so grateful that Eide Bailly has the foresight to include this in their services. This entire week is dedicated to the Nonprofit Power Week. Again, with Eide Bailly, you can find all of these episodes that we've had with Kyle starting on Monday with our live and audience episode, cybersecurity again, as we said, it can be frightening, but Kyle is here to deliver each and every day this week some messages of hope. And speaking of questions, if you have questions, send them to us. Friday also referred to as Friyay. Kyle and I will dedicate that entire episode for Eide Bailly and these cybersecurity questions that you, our viewers and our listeners might have and might want to ask, so make sure you send those over to us. Yeah, it's gonna be really great, a lot of fun, and I think a lot of opportunity. Again, Kyle Hendrickson, Director of Cybersecurity for Eide Bailly. What a great way for us to get a better grip on this concept. It's not an easy topic for a lot of us in the nonprofit sector. It's a new concept and yet incredibly perilous if we don't know about it. So Kyle, thanks for talking with us and spending so much time on this deep dive. If you go to eidebailly.com, there's quite an extensive selection of information about cybersecurity. Many of the things that Kyle has been going over, you can access that. You don't have to be a client of Eide Bailly. You can get that free information, a lot of resources, and you can even learn more about Kyle Hendrickson on that. Again, I'm Julia Patrick. I've been joined today by the nonprofit nerd herself, Jarrett Ransom, who has the perfect name for this week of cybersecurity. I don't know if I do. I think it's a horrible name this week. I don't know. I think it like is just serendipitous. I actually have loved that, but yeah, it's been really a lot of fun to have Jarrett on this road with us. And again, we wanna thank all of our sponsors who continue to join us in these conversations.
Bloomerang, American Nonprofit Academy, Your Part-Time Controller, Be Generous, Fundraising Academy at National University, Staffing Boutique, Nonprofit Thought Leader, and the Nonprofit Nerd. These are the folks that join us day in and day out. Hey, everybody, as we like to end every episode of the nonprofit show, we want to remind ourselves, our viewers, our listeners, even our guests, stay well so you can do well. Thanks, gang. We'll see you back here tomorrow.