 Think Tech Away, civil engagement lives here. Bingo! We're back. One o'clock on a given Monday with Tawana Scott, and she is with Dietrich Insurance Company right here. She's a vice president, and she likes to look at cyber attacks and the like. She's an expert in that area. So the title of our show here on Think Tech Tech Talks is Cyber Insurance to Help Protect Your Business. And this is really interesting because this is where the rubber meets the road. It is. Tawana, welcome to the show. Thank you, Jay. Thank you for having me. Appreciate it. So how'd you get into this? This is really interesting. So, you know, as Insurance has evolved over the years, there became a need. And someone in their infinite wisdom said, you know what? Let's solve that need. And that product was born. And so what we've done is we've worked with some other reinsurers to come up with a product to protect businesses in the event. They have a data breach or cyber attack. Yeah. More and more these days. More and more. So tell us what the landscape is like these days. I mean, last time I looked at this and it affected some websites that I was developing. There was a cell of, what do you want to call it, hackers in Vladivostok who targeted me. And they tried to knock all my sites down and they succeeded. Wow. Over and over again. I would put them up. They would knock them down. They liked me. So that was a long time ago. But how is it now? How has it evolved? Who's doing what? See, I think, you know, that it's, I think now it's a myth that it's isolated to that part of the world. I think it's a worldwide issue. And there's not one group that is solely responsible for the hacks. I think, again, this is the full-time job of a lot of hackers. This is what they do for a living, to hack security systems, whether it be small mom and pop type businesses or, you know, your, you know, apples of the world. Or Sony. Or Sony, right? Or Facebook, right? Yeah, sure. And so what happens is this is what these people are doing for a living and they're making a lot of money and business is good for them. How do they make the money? So I think what they, what they end up doing is, right, once they kind of compromise the data, they use that data. And next thing you know, they sell the data. So if they get all my data from, say, what, Facebook was a recent breach, they can sell that on the dark web. They can sell your personal data on the dark web and potentially sell your identity. Yeah. And I won't even know about it. And you won't even know about it. It'll take months or even years before I can get any idea that I've been comfortable. Potentially, yes, absolutely. For us as individuals, that's a huge, huge thing that your identity can be out there for years and years and just the cost to restore it can bankrupt you as an individual. Sure. You know, a stolen identity is a real hassle, too. It is a real hassle. I'm so thankful that I have not had the experience that I'm really grateful, but I do know some folks who have. And, you know, again, caught early, you can mitigate and do a lot of things, but once you're knee-deep in it, it can take a long time to recover. Well, let's begin with the individual. How do I know I've been hacked? How do I know I've been compromised? So the best way... What are tell-tale signs? The best way is if you monitor your own credit reports, right? You can get notifications from the three bureaus when new credit is taken out under your name and social security number. That's available. You can also partner, if you have credit cards, some of the credit card companies like Discover, they can put your... You can access them and authorize them and they kind of monitor those dark webs for if your social security number pops up on the dark web. Oh, how interesting. Yeah. I was going to ask you if they had algorithms back there to figure out that my... You know, the charge I just made in Albania, where I haven't been, is a bad charge. Yeah. But it goes further than that. Yeah. Because they go on the dark web themselves. Yep. And they look for my credit card. They look for your credit card. They look for your social security number. I had gotten an email from Discover sometime early this year asking if I wanted to take part in that, right? And I'm thinking, wow, look at this company being proactive. No extra charge to me just because I'm a Discover company, a customer. So, you know, I'm sure Visa and MasterCard and American Express have something similar, I'm sure. And if they don't, I'm sure at some point in the near future they probably will. It's a great selling feature. But yeah, so doing things like that. But the biggest thing I think is monitoring your credit report and getting those notifications when credit is taken out in your name. And reading your credit card bills. And reading your bills. Right. And the favorite one is the dollar half one. It appears mysteriously, right? Yeah. And you say, and it's got a very generic name to it. Yeah. But every month, a dollar half, every month. Yeah. And then there's another one and another one. And you know, sometimes people don't even pay attention, right? So, you know, and hackers, you know, they're almost like artificial intelligence. Like they are learning, right? So, before, you know, you think 10, 15, 20 years ago, they just throw on a thousand dollar charge, right? Immediately and hope for the best, right? And immediately that is, you know, a red flag and the company would shut it down. Now they do something like $50. You know, and if they've got, you know, 300,000 names. It's a lot of money. $50 is a lot of money. Yeah. But it's something that you or I wouldn't even notice a $50 transaction, right? So, if I know that Facebook has been hacked for X millions or tens of millions of profiles. And I figure I'm a Facebook person. Right. And they got a certain amount of information on me. What do I do? What can I do? Is there anything I can do? So, you can, again, be proactive with that credit report. You can reach out to Facebook if you think your data has been compromised or you've gotten some issues. You can reach out to them for assistance. You can contact any credit card companies, of course. You can reach out to the three credit bureaus and talk to them as well to help you get that off of there. But you should be proactive. A lot of people, they know that Facebook has been compromised. They know they're on Facebook and say, well, it wasn't me. Right. I don't have to worry about this. The chances of them coming from me are minimal, so I don't do anything. And that's exactly right, right? People will say that. Oh, you know what? I didn't, my data hasn't been compromised, but it has. You know, one of the things I saw on Facebook saying was, you know, recommending people change their passwords, right? Something simple as that. Just going and changing your password, right? And it's little things like that. Even when some of the major companies get hacked, changing your username and password, sometimes you have to change both. Not just the password, it's the username too. So, again, being proactive, I think, is the best way to mitigate. A stitch in time, yeah. Exactly. So let's move to corporations. Large or small, Mom and Pops or Sony, what are the telltale signs for them? How do they become aware they've been hacked? Well, as you mentioned before the show, there are two things. One is you get hacked and your data is compromised. And the other is you get a full-on attack. Yeah. And you can't do business. So you get the data breach, which is basically that data being compromised, right? And then you get the cyber attack, which is the one that can kind of take you out of business for a while. You can't use your computer and things like that. A lot of IT company departments, what they have is they have software and virus protection that will alert them to when their systems are being compromised. Also, you got to educate your staff, right? You know, my company, we get thousands of emails in a day, right? So you got to talk about different types of emails so that you don't click on phishing links or you don't inadvertently bring that malware into your system. So being, again, that proactive having IT folks that are subject matter experts in this field that kind of keep up with the trends and what's happening of late to combat that. It's always changing. It's always changing. And you have to be very conservative. Again, I said these guys, these hackers, it's a full-time job for them, right? And so as we get smarter in terms of protection, they get to get more sophisticated in terms of hacking, right? Yeah. And it's not just the technology. It's the social engineering. That's absolutely right. Yeah. My wife worked for a bank a long time and they told her, you can't send emails from the bank. Yeah. And we don't want you to go browse on the browser. Just do with the program on the computer wants you to do that. Absolutely. And that's why, right? Because back then you think about it, right? We didn't really know what the internet was. We didn't know what the potentials were. Same thing with email, right? We didn't know what the potential, you know, was to be hacked and things like that. And now we do. So, you know, now employers don't restrict internet usage in the manner that it did 10 years ago, even a year ago, right? Same thing with email. You can, you know, a lot of people use their work email for personal use, right? But it's just a matter of, again, being proactive and having that IT protection within your network. So the fishing thing you mentioned earlier, I mean, what are the signs of danger, you know, the things that I should be watching? So when you get emails, normally you say, you get emails from unknown parties, right? Oh, those days are gone, right? Now it's an email from me, right? It's an email from your wife, right? And you just think, oh, it's my wife, right? But they've cloned it. They've done all these things. And what's inside of the body of the email is a link that they want you to click on. And when you click on that link, that is what invites the malware, or the charging, or the worm, or the virus into the network. Right. And what shows on the screen is not actually the link that's behind it. That's exactly right. So it looks like she's telling you, honey, can you pick up milk? And this company is having a big sale. Click this link for the coupon, right? And so, you know, you're rushing around. You're not really paying attention. And, you know, you don't think, oh, well, first of all, who has coupons for milk, right? Whatever. That's the hair that's there, right? And next thing you know, you've clicked on it, and you've invited that malware into your system. Yeah. And silly you. You weren't watching. And, you know, the thing about it is, your IT department can actually pinpoint which terminal system that opened up that email and let it in. Yeah. I was telling you about the shipping company somewhere in Scandinavia, and all of a sudden their screens had a joke on it. And everything was down and everything turned off. And the whole company was down. It was a global company. It all turned off. And they wound up spending weeks, you know, in kind of a brain session to try to figure out what happened and how to fix it up. But they were sloppy. Right. And that was the thing. I'm sure that heads rolled on that. And they, I'm sure they're much safer now. Absolutely. And they'd be a hard target now. Yeah. Because of the disaster that took place. They lost an incredible amount of money. Hundreds of millions because of this, yeah. And, you know, what happens is a lot of times, especially some of the larger companies, they just kind of think it can't happen to me, right? I've got the, you know, the top IT folks and all my staff, right? My CIO knows everything. And, you know, and so they think, you know, they spend all this money in software and, you know, protection. And they think that it can't happen to them, right? But like I said, I go back to my original statement. This is what these people do for a living, right? And they're looking for ways to reach your security. And they love doing it. And that's the thing. When you love what you do, it's not really work. And so this is what ends up happening. So in addition to having all that protection and doing what you need to do, you'll have to be proactive to monitor and watch what's happening within your system. Yeah. And I don't think people realize that it's not just a few people. There are many, many, many, many people. And there are some state hackers too that work for governments who hack you. And so there's a whole multi-billion, trillion-dollar industry out there. Absolutely. Absolutely. And the chances of you escaping that completely in your life are minimal. No. I mean, I saw an FBI study where, you know, two-thirds of Americans have said that they've been compromised, right? You think about how many American citizens there are. Two-thirds of them have been compromised at some point. It's pretty scary. So on the corporate side, just before we go to our break now, what can we do? Certainly we're going to warn our staff, you know, be careful about fishing. Right. We're going to get virus protectors against, you know, the known viruses, but that changes all the time. And we're going to hire the best, you know, cyber people we can find. But even that's really... Well, and when you've done all that, right? Yeah. Now you want to buy insurance, right? What happens? You want to buy insurance. Right. Just in case. It's just like insuring your property or your car, right? Just in case something happens, I want to be protected. Well, then the losses can be extraordinary, like that shipping company. They can put... You know, when you think about that shipping company, right, some of the data breach and some of that information that they had to restore and things like that, that's covered under... That can be covered under a policy, right? Yeah. And, you know, it's millions of dollars that they had to pay, but having to use your insurance for a small price to pay. Yeah. You know? And a few years ago, there were no insurance products out that would cover these risks. No. Unfortunately, I think the cyber product has been making its way to the market in probably the last, I'd say maybe five to 10 years. And I would think that it's going to continue to evolve. Sure. As the whole industry does, yeah. And we get precedent and we get legalization and legislation. And I think the product will continue to evolve as insurance does. Yeah. That's Tawana Scott. She's a vice president with Dietrich Insurance Company right here in Honolulu. And her specialty is cyber terrorism and cyber attacks on business organizations. And the insurance you can get to cover those risks. And right after this break, we're going to talk about today, what those products are today and what they feel like and sound like and the kind of coverage you can get. We'll be right back. Aloha. I'm Wendy Lo. And I'm coming to you every other Tuesday at 2 o'clock live from Think Tech Hawaii. And on our show, we talk about taking your health back. And what does that mean? It means mind, body and soul. Anything you can do that makes your body healthier and happier is what we're going to be talking about, whether it's spiritual health, mental health, fascia health, beautiful smile health, whatever it means. Let's take healthy back. Aloha. When I was growing up, I was among the one in six American kids who struggled with hunger and hungry mornings make tired days. Grumpy days. Kind of days. But with the power of breakfast, the kids in your neighborhood can think big and be more. We're not hungry for breakfast. We're hungry for more. More ideas. More dreams. More fun. When kids aren't hungry for breakfast, they can be hungry for more. Go to hungeris.org and lend your time or your voice to make breakfast happen for kids in your neighborhood. Okay, if you don't remember, we're in Think Tech Talks. I'm Jay Fidel. And this is Tawana Scott next to me. She's the vice president of Dietrich Insurance Company. I'm going to be talking about cyber insurance today to help protect your business. Really important at a time when it seems to be growing like all over the place. It is growing like weeds. Absolutely. So Dietrich specifically has an endorsement that we add to our policies to cover the data breach and the cyber attack. It's a two-fold product because the coverages are different. What happens in a data breach is not the same as a cyber attack. So you distinguish that for the insurance. Exactly. Data breach versus attack. Versus attack. We kind of define it in the policy language. But some of the things that the data breach covers is, you know, because this has gotten to be so great a concern, all states, including Hawaii, have enacted notification laws. So when there's a data breach, there are certain requirements that the state mandates a business owner to do. Interestingly enough, I think before these laws, overall, only 33% of small businesses ever... Only 33%. Only 33% actually notified. I wouldn't say anything. And then the poor guy would find out the hard way. Well, because, you know, what happens is, your reputation is at stake as a business owner, right? Think about it. If you knew ABC Company couldn't protect your information, would you do business with them? Probably not. Not these days. But back a few years ago, as you say, most businesses would kind of ignore it. Yeah. Hope it went away. Absolutely. And they wouldn't say a word because they thought that the balance of concern is, it's worse that people know than if they don't know. Right. Exactly. Now those laws... Yeah, those laws protect you. With the general feeling of the public, too, you can't do that. Exactly. You have to tell people, right? So the data breach will cover the notification requirements. It will cover fines and penalties. You mean if you breach the notification requirements? No. So the government says, you have to do ABC. You have to do these type of requirements. So basically you have to notify the people that this has happened. You have to tell them to what extent the possible damage is. So they got your credit card numbers and maybe something else. Or if it's a hospital, they got your social security number. So you have to tell them what could possibly be effective, right? And then you have to give them identity restoration coverage. So you have to help them if their identity is stolen. In the notice. In the notice. And then you have to monitor their... So nothing happened today. You patronized the store or this business and nothing happened to you. Well, you have to give the monitoring of their credit reports for usually it's up to a year. But again, that's a cost, right? Right. So I see this. So the insurance we're talking about on the notification side is I notify people and then I have an obligation under the state law to not federal... To do some other... Not federal yet. There's pending legislation at the federal level. But I think, you know, the state's kind of, you know, acted quickly to get those laws passed. And it is good for them. So yeah, so there's a certain level that has to be done and there's an expense. And you think about all that notification. So if I have to let you know and help you clear it up and all that, it's going to cost the company some money. But the different notices have different requirements. So the exposure to the company is different in different states. Exactly. So there must be different rates in different states. Absolutely. And it's also, you know, I think the primary thing with regards to the cyber is the potential for loss, right? So somebody who's a retailer, for example, has a huge data reach potential, right? Sure, sure. Because people want the credit card numbers. Whereas somebody like a financial institution is more of a cyber attack, right? People want to get into your system, investment companies and things like that. So the level of your exposure is different based on your business. And that will affect your costs as well. Yeah. Okay. Right? And they have, you know, they have markets out there, insurance companies out there that just write those products for those what we call higher hazard types of risks. Well, those hazards could be huge. They could be huge. And, you know, and some insurance companies, we need to get reinsurance on that. Because you have an exposure. You have a big exposure. You know, banks get compromised and there's a lot of money and a lot of risk at stake. So traditional insurance companies will not tend to ensure those types of companies that have huge software exposures. We're looking for, you know, the mom and pops, the vanilla. I wouldn't say people that don't have an exposure because everybody does. But we're looking for things that can be managed and that are not going to put us. If the exposure is in the billions, that's a hard policy to write. That's exactly. Because there's so many variables that go into underwriting it. And you need a more specialized expertise to do that kind of work. So Dietrich is carrying this kind of, and we're still talking just about notice. Yes. Dietrich is carrying this kind of insurance. We'd cover, say, a retailer who, you know, say at Alamoana, somebody who was selling things. Absolutely. And his records were compromised. And then you reinsure because the exposure is beyond what you would like to cover your own self. Because again, you know, depending upon the, you know, using Alamoana as an example, let's say if there's something with Alamoana's Wi-Fi, that's compromised. And all of these stores in Alamoana get affected, right? Right? The dollar amounts that you're talking about are huge. And so, yeah, insurance companies protect themselves with reinsurers. So, yeah, we do reinsure. You've got to do that. So it's just inexpensive. You know, like, you know, most insurance, most insurance for a small business or retailing. You have companies of general liability. You have property and fire. You may have employment type insurance. But that though, I guess those are the three main... Those are probably the primary three and property GL and workers' compensation for their employees. And then, you know, this is not real expensive. I mean, it's a few hundred dollars for small for lower limits. We do it kind of based on the limit that you protect, select. We offer three limits at Detrick for the data breach. And then we offer one limit for the cyber attacks. Oh, let's go to the cyber attack. So the cyber will cover recovery, replacement, and repair. So your system is damaged, right? Usually after cyber attack, you've got some system damage. And that's the kind of stuff that the policy covers. It covers, you know, again, the recovery, the data recovery, any repair to the system, and any replacement. It helps you replace the data that's lost, things like that. Sometimes you've got to key it all in. You've got to get it from other sources, maybe even paper sources. And you've got to have a battery of people who are working night and day to put the data back in. And those are some of the expenses that can be covered, yeah? It can be expensive. And these are the things, again, that companies don't think, ah, I don't think I have an exposure. A lot of people are now outsourcing in the private industry world. And a lot of the laws state that if you own the data, you are responsible. So even if you outsource it because you own the data, you're responsible for keeping it safe. And that's why it's important for companies to understand a little bit more about cyber in their state and reading contracts. You know, get that attorney involved in your contract negotiations. Yeah, I mean, if you didn't have, if you didn't do the right thing within the company, have the qualified people, have the anti-virus, have the systems to deal with and to, you know, give you alarm bells when you've been attacked. If you didn't have that, then you would be negligent in today's standard of care. Absolutely. And those are the, you know, when you look at these policies, you know, we're not going to cover you if you're not going to take an active approach to protecting your business, right? So if you're not going to put those things in place, and it's a morale hazard, oh, I have insurance, and so on, I've got to worry about it, right? Well, you won't have insurance because the, you know, policy language comes into play, exclusions. We don't want to ensure things that we, that, because people don't want to protect their business, right? It is still your business, and it's still your reputation. If you get hacked, that's your reputation. And, you know, we offer in our data breach and the cyber attack, we offer a public relations sub-limit, right? That will help you, get back favorably in the market point, right? Which is huge. It's huge, you know? We offer the, you know, the Forentics, Forentics IT review to help people understand how did this happen, right? I've got the best technology, I've got the best of everything, and I still got hacked. How? So we offer that as well. For advice for next time. For advice for next time, yeah. And then we offer third party. So this is just talking about first party, right? It's damaged to your business, your work, your data. We also offer third party. Liability. Liability. This is with the attack. Right. So somebody now sues you because you failed to secure your network. Fair chance they will, huh? Fair. In the United States where we're so litigious. Fair chance. I said there's a highly likely chance that you can be sued. It just really comes down to the negligence. What did you do? What didn't you do? And what the damages are of the affected parties. Now what about loss of income? Loss of business income. We pay for that as well. It takes you a month to get back online or whatever. You're going to pay me my loss of revenue for that time. We will pay for the loss of business use, yep. Now suppose I'm sloppy. Define sloppy, Jay. Sloppy. I don't have, you know, I don't have antivirus. I don't have a separate and distinct cyberterrorism person. I'm my staff. I never tell people who work for me that they should be careful about phishing. I, you know, do it all wrong, okay? You probably will not have insurance. So is that because you're going to look at me before you issue the insurance? So we do ask some questions before, but normally, because we just add it on as a, just a matter of reference, we just include it with all our costs at low limits and you can kind of buy up if you want to increase it. It's at the time of loss is when we look. So, you know, we have the team of claims experts that go out and they kind of, let's see what happened and how did it all, you know, play out. And what happens is they can tell that you've never put any kind of antivirus software on. You never did any checks. You never did that. You never did that. And, and it could be excluded. It, the coverage, the claim could be denied because of that. Yeah. So somewhere there's a list of things I have to do. Yes. And the, the carrier is going to tell me what those things are. And so, not a list of things per se, but there's a list of things that we will tell you what we're not going to cover. Right. If these things happen. Right. We're not going to pay your loss. Right. Well, this is so in all kinds of insurance. All kinds of insurance. The list of exclusions, right? Yeah. And so you go through that and, and you see what those are and that's what happens at the time of the loss. Before hands to some extent we, we make the assumptions that businesses protect themselves. Like you, you can't buy a computer today that doesn't have some form of antivirus built into it. And again, we assume that businesses are going to take the, the appropriate measures to protect their business. And, you know, because you guys, the businesses have skin in the game. I mean a ton of skin in the game, right? You do that reputation. I'd rather not have the loss at all. Exactly. You know, the insurance is only insurance. I'd like to never have the loss. Absolutely. You know, I think, I'd like to call sleep at night insurance. Right? It's enough that can protect you, especially if you're, you know, small to medium-sized risk or a bigger risk that does a lot of protection. We can, we can help you out as well. But if you, if you have a major cyber exposure, you need a specialized marketplace for that. Yes. So one last question to Anna because we're almost out of time and that is where's this all going? You know, we talk before the show began about the nature of our world and so many risks we have and certainly the changing nature of cyberterrorism and the changing nature of insurance products that cover cyberterrorism. Yeah. Can you comment on where you think this is all going? I think that as the, the world changes and we start to see case law and suits and precedence, I think that insurance policies will adopt, adapt to that as they have in the past, right? When I look at insurance from, you know, 100 years ago and how it's evolved today, we change as the market changes and, you know, there's enough millennials and younger folks out there coming on board to think outside the box and be creative and innovative and that's what's going to change the industry is that innovation to foresee what's going to happen. That's what, that's what we need to do. We need to be proactive against these cyber thugs. Yeah. The only thing for sure is change. I used to say plus change plus la meme. That means, you know, the more things change, the more they are the same. I don't say that anymore. Now I say plus change, plus change. I like that. Thank you so much, Dick. Well done, Scott. Thank you very much. Thank you for your insurance. Thank you very much. Thank you. Thank you. Thank you. Thank you.