Hello, and welcome to this episode of the Security Angle. I'm your host, Shelly Kramer, Managing Director and Principal Analyst here at theCUBE Research. I'm joined today by Joe Peterson. Joe is an engineer and a fellow analyst and a member of the CUBE Collective community and a brilliant thinker in her own right. Always a pleasure to have you on the show, Joe. And in this episode, we are going to talk about the ins and outs of cyber insurance and what CIOs and CISOs need to know when they're evaluating or thinking about cyber insurance. And we are thrilled to have, as our guest, Mark Lind. Mark Lind is a four-time CIO and a CISO for several global organizations. He currently leads the Executive Advisory and Corporate Strategy at NetSync. He is, as I said, a former CISO. He's been ranked among the top five global security thought leaders on a consistent basis over the last handful of years. He was a finalist for Ernst & Young's Entrepreneur of the Year Southwest Region Awards program. He's a veteran. He served in the U.S. Army's Third Ranger Battalion and 82nd Airborne. He holds a bachelor's degree from the University of Tulsa, and he attended the Wharton School. Welcome. Thank you for having me. Absolutely. Well, Joe and I are still looking forward to this conversation. Thank you for joining us. We're very much looking forward to you sharing your gray matter with us. Me too. I'm really looking forward to it. It's going to be great. So, as I said, today we're going to talk about cyber insurance and what the C-suite needs to know when it comes to using cyber insurance coverage to manage and actually mitigate organizational risk. To set the stage a little bit here, according to PwC's Digital Trust Insights Pulse Survey, cyber crime was at about $6 trillion in the damage that it did in 2021, which kind of seems like a lifetime ago, doesn't it? And that's expected to hit about $10.5 trillion by 2025. 
So, when Joe and I on this show all the time talk about the dramatic increase in cyber crime, this is what we're talking about. We're going from $6 trillion to $10.5 trillion, and chances are good it'll end up being even a little bit higher than that. So, when we say this is a quickly moving realm, we're not kidding around. And that's why cyber insurance is so important. But it's not really like cyber insurance is new. I mean, it's been around for a long time. And over the course of the last handful of years, we've seen premiums spike. They rose 74% in 2021, and we've seen massive increases over the course of the last three years. And of course, that's tied to incidents of cybersecurity breaches. So, this means that business leaders really have got to get serious, and they really need to get knowledgeable about cyber insurance coverage. And that's what this conversation is all about today. So, Mark, I talked a little bit about your extensive background. What I like to ask our guests is to share something that maybe not everybody knows about yourself. So, lay it on us. Give us something that'll surprise us. Well, I'm a girl dad. I have three girls. I have one headed to college, one out of college, and one a little bit younger in high school. And then I think the thing that most people don't know is that I was really involved with sports early on when I got out of college and the military. And I actually gave the Doak Walker Running Back Award to LaDainian Tomlinson in 2000 on ESPN, on national TV. See, that's a good one. In fact, it's right over here. Oh, right over here behind me. You know, I saw one and I got one earlier and I wondered what it was. So, well, that's awesome. And thank you for indulging me. That's exactly the kind of information I'm always looking for. Just something that not everybody knows that, you know, we all have those. So, very, very cool. All right, now we're going to dive in. 
So, as I said, the cybersecurity world is rapidly evolving. We've got the, you know, we've got AI. We've got the advent of gen AI. And, you know, organizations really, without any hyperbole, are at more risk today than ever before. And that's why we decided that we wanted to turn a spotlight on cyber insurance because it really is a business necessity today. So, Mark, let's start if we can with your thoughts on why the rapid rise in cyber crime. What precipitated that steep jump? Yeah, it's really interesting. You know, at the base of it is financial, right? They're making money. The nation states are making money. The cyber gangs are making money. Even the individual ransomware operator out there. They take $25,000. They go on the dark web and they can become, through a subscription, right through a SaaS subscription, they can become a ransomware provider themselves. Ransomware as a service. Yeah, ransomware as a service. So, it's one of those things where it's much more accessible on the dark side of it. And people are making money. As long as they're making money and they continue to make money, especially in such a target-rich environment, because, you know, unfortunately, with, you know, you think about all the spend that's been going on out there, a lot of that was on firewalls and network security and things like that. Very little was spent actually on incident response, on cyber insurance, on other risk mitigation, you know, capabilities or recovery capabilities. And now you're starting to see that even out a little bit. You know, it's making headway. Let's put it that way. 
And I think, you know, until that actually catches up and until we start to make additional investments about, you know, doing quarantining and containment and doing more modern techniques that you're starting to see with the rise of XDR by all the major manufacturers, et cetera, et cetera, those things and getting those in place, we're going to see, you know, a continued rise of cybercrime. Right now, people are making money. That's really at the base of it. And the last thing I would say about it, a really interesting element of this is now with AI, they're making more money and the targets are becoming easier. And they even are using AI to create cyber profiles of how vulnerable they are. So they can choose based, you know, almost in like a descending order, Hey, here's the ones that are vulnerable. These are the ones I'm going to go after. And it'll even build a portfolio about them. So they know who's who, what's what, if they're traveling, if they speak at conferences, do they put, you know, things in the job descriptions that they have out there about the types of tools and products and security things that use the background and surprisingly, a lot of companies still do that. Yeah, absolutely. It's really interesting. You know, of course, and I think I want to step back just for a minute, you know, we navigated a global pandemic together. So we saw, you know, this massive shift to work from home over the course of a couple of years. And so of course, you've got routers and and copy machines and all kinds of endpoints that a lot of times people don't even think about, you know, so we've seen that I think that played a role there as well. But you know, to your point about AI and generative AI in particular, you know, just like all of us are all of us here at home are trying to get our arms around AI and trying to use AI to speed productivity and efficiencies and all of that sort of thing. 
The cyber criminals are spending just as much time, if not more, to your point, leveraging these tools because the quicker they learn it, the quicker they deploy these things, the more money they make. So I mean, this is kind of a no-brainer. Joe and I talk about this all the time. So it really is. And I think the other part of this is that this is not slowing down anytime soon or ever, right? Yeah, and you think about it, Shelly, if you think about it, they don't have to worry about guardrails. They don't have to worry about ethical use. They can train on nefarious data, right, that they pulled off the dark web and load that into the LLMs and it gives them even greater targeting capabilities and they'll be able to assess vulnerabilities even more. You're right. It's not going to get better. It's going to get worse. And we're always in this, you know, kind of a cat and mouse situation because they go out, they do something new, and then you see all the manufacturers, they bring out what they're going to do to combat that. And since really signature capabilities, you know, identifying, you know, threats and all that by signature is being less and less used because it's not as effective as it used to be. Now they're having to do it by a variety of other ways using machine learning and other types of artificial intelligence, some genetic algorithms, things like that. It's a cat and mouse for a little bit. They're going to be ahead and that makes the organizations that use those tools and use those security platforms vulnerable for a period. And so we're seeing more and more people start to really think about putting additional money and resources into incident response, into cyber insurance, into these tools so they can recover as fast as humanly possible, regardless if it's a zero day, an insider threat or something that they're just not prepared for or their tools aren't ready for. Yeah, absolutely. 
And the reality of it is today, it's not a matter of will my company suffer a data breach. It's a matter of when we suffer a breach. And that's really where observability and the ability to, you know, real-time monitoring plays such an important role. But the other thing about AI that I think is really interesting is that not so long ago, we used to be able to identify threats. You know, you would get one of those phishing emails or an SMS message. And, you know, you could kind of tell because sometimes the language was a little clunky, you know, you had to be paying attention, but you could figure it out. And that's really, I think, the other thing that AI is bringing into the equation is that it's able to write things in a way that's much easier to trick end users. So big challenge. Yeah, it is. And you'll see that like there's tools out there like KnowBe4 and all that where you can send out these emails that simulate how, you know, AI and, you know, how these nation states and gangs are putting out these emails, right? And even with that, you'll see they are getting a tremendous response, even if it's clunky, right? There was one that they did right before the holidays about two years ago, and it was for a $400 Best Buy coupon. And it was from HR because we've done so well as an organization. They put that out. It had noticeable errors if you scrutinized it, but people were so excited about getting $400 to Best Buy, they just ignored any telltale signs. Well, and this is not the topic of our conversation today, but I'll tell you, that's why I am such a fan of organizations like KnowBe4 and others who really preach the importance of, you know, when it comes to cybersecurity training and awareness within your organization. So this is not a one-and-done thing. This is a conversation that you need to keep having with your employees over time. 
And what I love is those simulations, something like that Best Buy thing, if it's created as a simulation, and then you can do it, and then you can bring your team together and say, this is the test that we did. And this is, you know, this is what we need to do differently. And that sort of thing, I think that that kind of ongoing and continuous training really needs to be embraced throughout organizations. And it's not a set-it-and-forget-it thing by any stretch of the imagination. Yeah, because all the organizations that we deal with, it doesn't matter if it's public sector, private sector, commercial enterprise, they're living, breathing organisms, right? People leave, they move on, they switch roles, they do all this. And every time that happens, it changes what your, you know, what your attack surface is, it changes everything. It can change the threats. And that's why work from home had such a huge impact on us, right? And many organizations doubled or tripled the attack surface, and the amount of ways in and to break in were incredible, right? Because all of a sudden, now you're in charge of securing Starbucks. Well, people found securing Starbucks not as easy as they thought it was; they'd better have some good endpoint security that's ready for those things. And many organizations were ready to do even, even to deal with the licensing alone, but nevertheless, deploy it, get it ready, do the training and awareness that we're talking about and make it effective, you know, to some level of effectiveness where they could feel comfortable. Yeah, you haven't even touched on microsegmentation, that dirty word, yet. Yeah, we'll talk about microsegmentation. Well, no, I mean, if you think about a lot of organizations, what they did is they started to head towards zero trust. And Joe and I have done some events together where we talked about the value of a zero trust framework and approach, right? 
And, you know, microsegmentation is a big piece of that where you limit the east-west traffic by segmenting. And you can do it by geography, you can do it by business discipline, there's a lot of different ways you could do that. So if they do get in, and they will and they do, you limit their east-west because what they're going to do is they're going to move east-west, trying to find a privileged account so they can up their access, or they get in your network and they hide for 200, I think what the average now is like 242 days or something like that. They're sitting in your network and listening and watching and learning. And that way they can, you know, exfiltrate some data, come back after they hit you with a ransomware or whatever threat they hit you with, and they can extort you. So there's lots of ways and they're becoming much more viral and nasty about their approach. Yeah, absolutely. All right. Well, now I want to talk a little bit about the different types of cybersecurity coverage and why it's important to know what your policy covers. And I know that there are a number of different coverage types. You know, you talked about network security, you've got privacy liability, you've got network business interruption, you've got media liability, you've got, you know, and of course all of this coverage is designed to protect against ransomware and breaches and financial restitution and business resiliency and help you offset business obligations that you might have missed along the way. So Mark, will you walk us a little through these coverage areas and kind of the basic types of insurance agreements and our insurance coverage and, you know, where you think some of the primary importance is? Yeah. And I'm really glad we're doing this because, you know, when I'm out there talking to all these audiences and C-levels, there's a lot of misconceptions and a lot of misinformation out there about cyber insurance. 
It is really, it's not as intuitive as people think, right? And I think that part of the reason is a lot of them think, well, if I have a corporate umbrella policy, it includes errors and omissions and things like that. Well, I have coverage. The reality is you do not. And specifically, those umbrella coverages specifically exclude any cyber coverages. And I think that that's a big misconception. It's gotten several organizations into some big trouble. You know, you think about it, the ones you need to think about, you know, for organizations are like network security and privacy liability, right? Because that's one of the big problems. A lot of times when somebody gets hit, an organization gets hit, one of the first things they have to do after they realize that some of the, you know, personally identifiable information or some of the personal health care information, the PHI, was breached, right? And they've identified that, they have to provide every employee and their spouse, right? They have to provide them with a credit report. And they have to buy credit monitoring for a full year, right? And that's something they don't realize. And the reason why is because you just put their information out on the dark web. So how do you limit that? Well, you know, there are policies that do that. And so having that, you know, privacy liability, having the network business interruption, because your business has been interrupted. You're accruing damages, right? And so that's a big one. Imagine what the network business interruption costs were for the MGM Casino breach. Oh, yeah. And Sony, I mean, Sony too, I mean, think about it. Yeah, just incredible. That seems like that was an old one, wasn't it? Yeah, old one. We're dating ourselves, they're nervous. I think the thing is, though, that we've all been around long enough and covering this for long enough that we look at the Sony breach, which was one of the big ones at the time. 
And then you have the Equifax breach, and then you have the Colonial Pipeline, you know? And so they keep getting, you know, of course, you know, I feel like sometimes it's another day, another breach, right? But when you think about business interruption in a casino, oh my gosh, I am dollar-sized. Just incredible. Yeah, because you think about it, a lot of the businesses out there are low latency real-time networks. You know, you think about your insurance companies, your financial services organizations, casinos, a lot of state and local, where they're providing critical services to those in need. I mean, they can't be down, right? Their idea of an outage window is in seconds, not in minutes. I mean, we've seen hospital, entire hospital systems go down, you know, in the UK for sure. And here in the United States, I mean, there have been some healthcare breaches, and that's such a sector, it's a very attractive sector because you talk endpoints, there are endpoints galore, right? Oh, yeah. PII galore, too. So, yeah, it's real. They have a lot of OT, right? They have a lot of OT in there. They have SCADA, they have ICS, they have all that. Those networks typically are undersecured, much more than the typical, you know, IT network. For sure. That's a whole other thing; securing OT is a whole other topic, as you and I know. Well, I'm going to say what some CIOs in the last year have come to consider as a cuss word to you, Mark. It's MFA, right? Yeah. And we're chuckling because MFA was one of the things that got CIOs that didn't have it in the last couple of years. And it got them because they weren't able to get coverage, they weren't able to renew. And so my question is, the insurers are getting more strict about what they're willing to provide coverage for, to whom, and without what, you know? So, can you talk about that a little bit? Yeah. So, you know, when they come in, a lot of times what they do, they have two levels. 
So, if your insurance is typically around a million dollars, right? That's a fairly common cyber insurance policy. They're going to send you over a questionnaire. That questionnaire is going to ask you a bunch of questions. One of those questions is, are you just using simple, you know, username and password? And that right there for a lot of insurance companies is a no-no. It just doesn't work for them. And they require MFA, right? And, you know, the reason why is if you listen to what Okta, Microsoft, and Ping, and those out there doing that, they're throwing out numbers like 91% of all security threats are handled if you employ MFA. What they don't realize is what they're hearing is marketing speak, right? It depends on how much you buy, how you implement it, what your security policies associated with that are, terms of use, acceptable use, how it's used, and how often it's used, right? And is it just for authentication or is it more? Do they have the geo tracking on? There's so much to it. I think that's one of those ones where you're in there and there's misconceptions and misinformation that's kind of driving this. But I will say this, MFA is a really good start. If you don't have it, it is a very smart thing to employ. But once again, you need to really think about what is our use case? What do we gain from it? Where's the ROI on this? And make sure that you go back and then check for the ROI. And then you're going to get better insurance coverage for that. And they give a lot of credit, and I'm glad you asked that, Joe. There's a lot of credit just to putting MFA in place when you go and try to get cyber insurance. And by the way, they are turning people down. They're turning people down. That's not a declination of coverage. That's just we're denying you coverage. We're not going to give you coverage. Or they can't renew. So it shouldn't surprise me. And I know it doesn't surprise you, Mark. 
Big company, CIO was grousing to me last year about the fact that he couldn't get his cyber insurance renewed because he didn't have MFA. And I had to look down from the camera, honestly, because I was floored that they didn't have MFA. Yeah. There's a lot of declination going on. One of the interesting ones that we put in our incident response tabletops that we do, because it tends to happen to a lot of public sector, large public sectors like cities and counties, is they don't realize that when you get the policy issued to you, the front two pages of any policy, right? Just like your homeowners and your auto policy, there's information in there that you may have reporting requirements. You may have additional requirements that you have to take when you do this. Like one of them, you know, for auto, you have to give them your insurance card and you've got to report it in a timely manner, et cetera, et cetera. That is one of those items that is really important. And a perfect example of this is we have had several customers that have gone in there and when they got hit, they immediately called the FBI or they called the local authorities. They violated that because IT and the CISO did not have a copy of those two pages of that policy. So they weren't aware that there's a reporting requirement. Because they didn't meet that reporting requirement, you just gave the insurance company an out. So they collected a lot of nice healthy premiums from you and now they're going to decline your coverage and they are doing that. Oh my gosh. That is, I mean, to me, that is such an important insight and piece of advice because I think that, you know, it's so stressful, right? And there's also some new reporting requirements that have been put in place, you know, by the federal government. And so I think that advice here is very clear. Before you make a phone call, before you report, before you do anything, get that policy out and read it very carefully with your attorney. 
Yes. And look, it's usually sitting with a CFO. Yeah. It's usually sitting with a CFO, so in every single one of the tabletops we do, the CFO is usually there, or somebody that they designated. And that is one of the great values you get out of doing these tabletops and going through that. And by the way, you should be doing that, right? If you have cyber insurance, that's great. That's a risk mitigation technique. So do tabletops. So you know who the incident response team is and how they're going to do that. And in those, you learn things about cyber insurance, you learn what's covered, like bricking. A lot of times people don't realize they do not cover bricking. So if your hardware gear gets bricked, you know, say somebody unplugged something while the ransomware is encrypting, it's over. I mean, that's bricked, you're not going to recover that. And so they do not cover bricking. And so we always tell, we're always very aware. Look, the first thing you do when you get into ransomware, disconnect from the internet. Do not turn things off because if you turn things off, you're going to brick it and it will not be covered by insurance. Because by unplugging from the internet, you're disrupting their command and control, right? Their ability to signal and do things. And that's a very important piece. It also buys you a little bit of time. It doesn't buy you time from encrypting because it's going 50,000 files a minute, right? That's kind of what most modern ransomware is, about 50,000 files a minute. And it can vary based on, you know, memory, processor, et cetera. But that's the number thrown out by the FBI and others. So that buys you a little bit of time. The other thing that buys you peace of mind and all that is cyber insurance. 
So once you've identified all your risks and you take steps to mitigate that risk by buying things, you know, putting a security platform in place, you know, brushing up your incident response plan, taking all these other measures, putting security controls in, using MFA, that leftover risk, right? You either accept that risk or you take cyber insurance and you insure that risk. And I think that is another misconception. What people tend to think is, well, I don't have to do that much security. I'm just going to go out and buy a great cyber insurance policy. I'm good. Yeah. And that is not correct. That is the fastest way to bad things. That is a rapid, rapid path to a bad destiny. Yeah. I can see that. You know, as we were talking about the round table and discussions about policies, I couldn't help but think about, so I live in Kansas City, Missouri, home of the Kansas City Chiefs, Super Bowl champions. I gotta get my plugs in where I can. But if you watched that game, do you remember when they went into overtime and San Francisco got to choose what they wanted to do and they decided to receive the ball and, you know, our team was like, oh my God, you know, thank you. But what happened there was that there was some confusion on their end about the rules and that the rules had changed. And so lots of conversations about how that decision could have gotten in the way of their victory. And sorry, so sad. Not really. But my point here is that I don't know that this is something that people think about. And you made the point that your cyber policy a lot of times rests with the CFO. Who else knows what's in it? A team of people need to proactively, before a breach happens, you know, just like the rules in the NFL that are changing as it relates to overtime, you know, your team has got to know what the rules of engagement are and what our steps are when this happens, because it is going to happen. 
And I feel like that's probably something that doesn't happen a lot within organizations, that group of people who have an understanding of and a plan in place for when it happens and they know exactly what to do and where to go. And I think that's really an important thing too. It is. And we always say, look, when we're doing these tabletops, we're always very, very prescriptive in the fact that, look, there's a couple of steps you can take that will really make a big difference, right? One, you have to have amazing communication. And you have to have designated roles and responsibilities. And then you need to understand, using those roles and responsibilities, what actions they need to take when that happens. Crisis PR is another place where people really fail, right? But then, back to, you know, talking about cyber insurance, get the two pages, right? Get the two pages and include that with your documentation for your incident response. And please do not put it on the network. If it's on the network, you do not have it, right? In the incident, they're going after the network, they're going to hit your domain controllers, your storage, you will not be able to retrieve it off the network. And so there's little nuggets of really good information, helpful information that come out of those. And really, that is a big one. Because look, are you going to fully recover if you get hit? Very few fully recover. A lot of times they have to, you know, in fact, if you look at what IBM said and what Verizon says in their annual threat report, it's like 52% a lot of times is what they recovered. And that's if they pay the ransom, they get the key, because certain types of files do not like to be encrypted and decrypted. And so they're no longer useful. You're not going to be able to use them, right? 
And then when, and you don't find that out until after you pay the ransom, until after you've taken these steps. And so there is this, there's this belief, another misconception that if we, you know, have the cyber insurance and the cyber insurance pays, you know, goes out and pays the ransom, right? Because how many people, how many organizations, you know, right now have $400,000 sitting in a crypto account that went through KYC and they have access to it and the money's been cleared from the bank and they can send it right away. Not a lot. Yeah, very few. So, you know, they're, they're, they're in a quagmire, but their belief is, oh, gosh, we got to just, you know, the pressure just beating them, beating down on them. The drama is extremely high. There's a lot of, a lot of ability to make mistakes with that type of pressure, with that type of scenario. So making quality decisions, thoughtful decisions, following the, you know, incident response plan, which can be slow. It can be slow, right? Because it's very structured and so some people just cannot deal with structure under pressure. And so not having the insurance policy, not reading about it, there's just so many things along this journey that can trip you up and cause real damage to your organization. So having this thing lined out and then having cyber insurance, you know, is really important because even if they do pay, let's say everything happens, it's bad, we get there and you're gonna have to pay and the cyber insurance is gonna pay. That doesn't mean you're out of the woods at all. It doesn't mean that. In fact, what it usually means is the cyber insurance company is now going to put their people in, right? They have the whole teams of people that they have sitting there waiting to bring in, right? And they bring them in and they replace the, a lot of companies don't understand this. And you have to read this in the policy before you sign up for it. 
Because if you sign up for it, in there it has very explicit authority for them to bring their people in and replace your people. Now all of a sudden you have even less control. And there's a lot of reasons why they would do that, right? Now they're going to pay cheaper rates because they already had a preexisting relationship with this organization, right? They just had them on call because the insurance company is probably dealing with five or six of these a day. And so that brings that ability. A lot of times those tools get left in afterwards and you end up having to buy them. And you will come up with the money. There is one solid truth that comes out of all this mess. They always find the money. And it's funny, I lead off with that on the tabletops we do. And I did 57 of them last year. And I'm on track to do 44 this year. Yeah, I'm sorry. You just lack it. Yeah, I'm taking it easy. But it's great because you think about it, they learn about cyber insurance and the holes in it. And it is not a catch-all. It is not an end-all. It is not a savior. It is not. Absolutely. Absolutely. You know, it's funny, I'm watching the time and I'm thinking that we could talk on this topic, the three of us, for hours, you know, without end. So I'm going to try to move us along a little bit more so we don't wear out our welcome with our audience. One of the things that Joe and I talked about that we're really interested in is cyber insurance startups. You know, we've seen a lot of, you know, new startups come on the scene. Joe and I have talked about it. She's mentioned that she's heard lots of rumblings out in the field and her conversations with CISOs is that many of them are in over their heads. What do you think about that? Yeah, a lot of them are underfunded. Some of our customers have found out in a very pitiful manner. Let me put it that way. Because you know, you think about it, most of the cyber risk startups, and I wouldn't just call them cyber insurance. 
I call them cyber risk. There's other things that are either offerings associated with that, right? And their focus is on cyber risk, not really. Cyber insurance is just an element of that. A lot of times they use the cyber insurance item to do their fundraising, but they're really technology-driven solutions, right? They're really focused on the technology side of this business. But because of that, a lot of times they don't have all the financial controls in place. So there's the financial stability and their capacity. If a large group of their customers got hit, right, say a specific sector or segment or whatever, or a really big hit, there's not enough rules associated with making sure that they're all properly funded and can do that. The other thing is that most of them use reinsurance, like a lot of the big carriers do as well. So if you look at the Chubbs, the AXAs, et cetera, USA, et cetera, et cetera, they're all pushing a lot of their risk offshore for that, right? To the Lloyd's of London, those folks. Some of the startups are not doing that, right? Because that costs money, right? That takes a lot of money. And so, and then I think the other thing that just drives me a little bit nuts about it, but I think there's a place for them. So I don't want to come across as being totally negative about it, but because there is additional regulatory scrutiny going into it right now. But I think one of the things that drives me crazy is their underwriting experience oftentimes isn't there. And when you think about that, who gets hurt? Well, investors and the startup get hurt. Executives and their families, their children, et cetera, are at risk. And then their customers, who also have very similar capabilities and situations. Some of them may have been around a hundred years, right? Because there is some excitement about, hey, I'm going to get a cyber insurance policy of $5 million. 
I'm going to get it at like 50% of the cost I would have paid had I gone to Chubb or AIG or somebody else. And I think that there's a lot of potential there for damage or our deal. And what it was supposed to do is it was supposed to increase the competition, right? That's the thing you hear out there. Well, it's going to increase that when they went out there and they said they were going to do this, what's going to increase the competition? So it's going to bring the rates down. Well, we've heard, how long we've been hearing that, and across many different financial services. Yeah, your rates aren't going down. It never happens, right? It's just chitter chatter. It's a way to raise money. It's a way to do that. And I just think this in particular is a very vulnerable group of insured. The insured are very vulnerable. They're at risk. You're going to hit them at their worst time. And they don't have time to wonder whether, as a startup, do they have good, the right underwriting? Do they do the right underwriting? Are they following the regulatory scrutiny that they're supposed to do? Or do they have the ability to pay this claim? And what will end up happening is if they can't pay that claim, what are they going to do? They're going to try everything within their power to decline your coverage. And they may already have it in the books. They may already know how they're going to decline your coverage. So I'm not always skeptical, but in particular things, I'm skeptical. So count me or color me skeptical on cyber insurance startups, at least for the moment, until we see some of the regulatory scrutiny kick in and get a little bit better. And we start to see them managing payouts when there's big hits. Yeah, I agree. Show me, don't tell me, right? I know that's right next to Kansas, right? We've got Missouri, it's the Show-Me State. Show me, don't tell me. Show me, don't tell me. Yeah, that's right. 
Another thing I think it's really important to remember is, and apologies to anyone from any insurance companies listening, insurance companies are not your friends. I mean, they're just not. They are in a risk mitigation, risk management business. They are always looking for how they can pay out the least possible amounts and meet the minimum requirements that are set out in their policies. They are not worrying about your business surviving. That's not on them. And so you really need to do your due diligence here and always keep in mind that, you know, you are driving this and you're responsible to make sure that you have the kind of coverage that you need and not fall into the trap of thinking that they've got your back. Yeah, and by the way, it's a negotiation. One of the other things that we always say, and Joe's heard me say this before, cyber insurance, unlike other types of insurance, is a negotiation. It is a negotiation. You go back and forth. The perfect example, let's use the MFA example that Joe brought up because that's a really good one. A lot of times you can say, okay, I'm going to do the MFA. So let's say we're a higher education. Let's say we're a large college, right? So if you're a large college, I'm going to do MFA for the administration, but I'm not going to do it for the students, right? I'm not going to do it for the alumni. I'm not going to do it for the retirees, right? And I only know this because we do this all the time, but it's a negotiation. And a lot of times the insurance companies will accept that. And if they do require that you do some level or some percentage of some of those groups, then they allow you to put a year or two plan in there. And then as long as you're making credible advances in that plan, then you're able to do that. And I can go on and on and on about different ways you can negotiate your cyber insurance policy and save yourself a lot of money and a lot of drama. 
Well, I think that's pretty much what everybody wants, right? I think so. I try to eliminate drama throughout all the other stages of my life, especially when you try to save money too, Mark. Absolutely. Yeah, I mean, you know, that's one of the things about cyber insurance. There's so many misconceptions. There's so much misinformation. And there's good reason. It's just not intuitive. It seems intuitive because I've been buying car insurance for 20 years. I've been buying homeowners insurance. I have a corporate umbrella. They're not the same. There are definite differences in this piece. No argument from us there. Joe, hop in there. You've been inordinately quiet today. I know you've got questions. You know, I'm listening because Mark is making such good points. I guess, you know, as we're heading towards the close of the show here, one of the biggest, what are some of the biggest challenges that CISOs and CIOs face when it comes to actually finding and procuring cyber insurance? Yeah, I think one of the biggest things is being able to participate, because a lot of times this is done by the CFO or it's done by legal, right? And we find that all the time. Where is the policy? You know, oh, it's in legal or it's in the finance area. The CFO has it. And that is, up front, being able to participate in actually going out and getting the policy, right? And understanding what to do with that. I think a tool that the CIOs and CISOs can use is understanding and quantifying their risk. If they understand and quantify their risk, then they can say, I need a seat at the table because I'm the one that understands what our actual risk is. And so I can help us identify what level the policy should be and what specific coverages in that policy we should include. There's a formula for that in the CISSP training guide, Mark. It's interesting. There's a lot of risk quantification formulas out there, right? 
And so you need to find the one that means, you know, has meaning for your organization and do that. And Joe's right, you know, it's a big piece. You know, it's so important to understand your risk. And to be honest, and I know it doesn't really fall directly in what we're talking about, risk quantification is a real problem in cybersecurity. It's been a real problem. And it needs a lot of work because people don't understand their real risk. And they don't use threat hunting or threat intelligence in a way that they understand their true risk. So when you go out and get cyber insurance, how do you know what you're insuring for? How much, how do you know, how are you aware of how much insurance you need to get? Yeah, well, and where your compliance gaps might be and, you know, what did you do in audit, right? Like all of these things are really logical, strategic action steps that you can take. And some of this I know, Mark, I think one of these bits of information came from your ebook, but, you know, determine the level of risk, determine where coverage is needed, audit, understand data security, and then also, you know, identify where your compliance gaps are. So I think that, you know, if you're thinking about what you need to do to move forward, that's a really important, that assessment is a really important place to start. I think pre-flight, pre-flight is so critical, right? Both of you brought that up during our conversation. I am 1000% in that, in that fold. Pre-flight is so critical to make sure you get the right policy, you get the right amount of coverage, you understand your roles and responsibilities, you integrate it into your incident response plan. And last but not least, when it happens, you don't allow the pressure to skew your outcomes, because it will. Got to take some deep breaths. Deep breaths. Yeah, you move forward. And, you know, I mean, I can't, I can't even, Joe and I talk about this all the time. 
I mean, I cannot imagine the stress and pressure on people in CISO roles and just how difficult those jobs have become over time. And really some of the liability that's attaching to that as well. And, you know, we've seen that a little bit. So it's interesting times. It is. I saw an amazing stat a few weeks back. And I'd seen one that was actually a little worse than it, but it said that after six months, after a major ransomware event, 41% of the security people will leave the organization. They do not want, they don't want a stain on their career. And here's another interesting thing they went on to talk about. They actually leave that job off the resume. They'd rather take the gap than the hit. Wow. That is something. I mean, it makes perfect sense, right? Yeah. Yeah, I mean, yeah, it's brutal. This is a brutal game of cat and mouse. And, you know, cyber insurance can be very helpful in that game. Incident response can be very helpful. And I always ask our customers. And, you know, I think a lot of the time it comes off as I'm evangelizing versus, you know, advising. And that's because I believe in it so much, having been the former CIO and CISO several times. And that is, look, for the last 15 to 20 years, you spent all your money on protect and detect. Please, please put some money in respond and recover. Please. It's so critical. Absolutely. Well, Mark Lind, as I expected, as we expected, this was a fantastic discussion and we so appreciate you taking time from your crazy schedule to chat with us today. And I want to leave our viewing and our listening audience with this. I know that you've written a couple of books, one for teens and one a cybersecurity e-book. Tell us a little bit about those books. I'll include links to them in the show notes, and tell us what we can look forward to from you ahead on that front. Yeah, absolutely. 
So, you know, I wrote the one that in particular kind of covers what we're talking about today, the nine things that, you know, executives need to know about cyber insurance. And I'm actually working on version two of that book. Like many other domains and areas of expertise, it is a moving, growing situation. So, I'm adding a lot more information to that. A perfect example of that is now Lloyd's of London is no longer covering nation states. So, since reinsurance is not covering nation states, and by the way, they're the sole determiner of nation state, not you, then what does that mean? Well, that means that Chubb, AIG, AXA, all these others are not going to offer it either because they're underwriting it offshore. So, that is a big change. That's a big deal for a lot of people. And now there's additional, you know, different types of declination that are going on. And what's also interesting is with the cyber insurance startups, there's new coverages coming out. So, there's some coverages that are a little bit different. One of them is compliance assurance. Compliance assurance, right? So, do you get fined if you break your compliance and governance if you're a regulated industry? Yes, you will. Yes, you will. Should you have insurance for that? You should. At least the insurance companies think you should. So, we're going to link the current e-book. We're going to look forward to your second edition of the e-book. And just tell us quickly, if you would, before we leave, about your teen-focused book. Yeah. So, it's really, you know, because I'm a girl dad and I have three girls and I do a lot of K-12s and a lot of higher ed. There's a special place in my heart for those that, you know, are easily preyed upon, meaning seniors and teens and kids. It is a real problem. Cyberbullying is the number one reason, and the main reason is I was aware of a cyberbullying incident. It involved kids, but it was somebody they knew. It ripped my heart apart when I heard about it. 
It did involve a very tragic end. And so I decided to write the book, which is Cyber Security Life Skills for Teens. And when it came out, it was number one in the teens deal on AWS and it's still doing quite well. And I am doing a version two and I'm going to double the amount of graphics and images in there because it is for kids. That's who it's designed for. And I'm going to put an appendix area in there for the parents. So that is the plan. That was the feedback I got. And I want to, I want to believe that I do listen to feedback. And it is really very near and dear to my heart. I spend a tremendous amount of time with K-12s and with higher ed. And it is very, very important. And so ultimately, you know, I know we were going to ask what am I going to do in the future. I'm going to do one for seniors as well. That's awesome. Well, I can hear it. We're going to put links to those books. We're going to revisit this conversation later on this year because I know things will continue to change. But thank you so much again for making time for us today. This, as I said, I know that the three of us could have talked about this topic for hours. We've gone way longer than we normally do in these shows, but I think it's been packed with great information. And again, we thank you so much for spending time with us today. Thank you, Shelly. Thank you, Joe. And by the way, Shelly, a lot of people say that about Joe and me. We've done events together. And it's like it only seems to go longer than it really, than we thought it was going to. But we get lots of good comments, right? So I'm hoping that this thing will be here. It's a super important topic. And there's so much misinformation, disinformation, lack of knowledge and understanding. And so I think conversations like this are really, really important. And if they go long, that's just the way it is. 
So yeah, by the way, everybody can reach out to me on LinkedIn or on Twitter or Instagram or X, formerly Twitter. Sorry. I don't want to make that big mistake, get caught up in that. But they can reach out to me. I'm happy to answer questions. I did. To me, it's about, you know, ensuring good outcomes for a lot of people. And there's a lot of important companies out there that need good information so that they can take care of those that need it. Absolutely. Well, thanks again, Mark. Thanks as always to you, Joe, for adding your insights here. Always amazing. And to our viewing and listening audience, thanks so much for spending time with us. And we'll see you again here next week.