The Truth About Cyber Insurance, AI Risk & Business Protection

Posted on June 5, 2026 in Cyber Insurance


You’re likely investing in cybersecurity, but are you truly protected where it counts?

In this episode, host Marco Nicosia, alongside SherpaTech’s COO, Tim Stephinson, unpacks the real role of cyber insurance in today’s evolving risk landscape. You’re challenged to rethink how you approach protection, especially as AI and cyber threats continue to accelerate.

You will learn about the elements of cyber insurance, pinpoint typical gaps in coverage that companies frequently encounter, and understand how shortcomings in access and control can lead to vulnerabilities. Most importantly, you are urged to adopt a more proactive and strategic approach to risk management.

Because real resilience doesn’t come from tools alone, it comes from understanding where your vulnerabilities lie and taking action before it’s too late.


00:00 – Start
00:19 – What SherpaTech Does in Cybersecurity & AI
00:40 – Cyber Insurance Explained: Risks & Business Impact
01:03 – Why Businesses Misunderstand Cyber Insurance
02:58 – Rising Cyber Threats, AI Risk & Insurance Demand
06:58 – How Cyber Insurance Works for Businesses
12:23 – Common Cybersecurity Gaps in Business Protection
17:52 – Real Cyber Attack Scenarios & Lessons Learned
24:06 – Cybersecurity Strategy, Risk Management & Final Advice

If you would like to discuss any of the topics discussed in this episode further with a REDD expert or if you would like to be a guest on the show, please get in touch either via our website, [email protected], or through any of the links below.

https://redd.com.au

https://www.linkedin.com/company/redd-digital/
https://www.linkedin.com/in/nicosiamarco/
https://www.linkedin.com/in/tim-stephinson-7b888916/
https://www.linkedin.com/company/sherpatech/

READ THE FULL TRANSCRIPT HERE

1
00:00:05,739 –> 00:00:06,306
Hi, Tim.

2
00:00:06,306 –> 00:00:08,942
Thanks for joining us. Great to see you Marco.

3
00:00:08,942 –> 00:00:09,709
Thank you so much.

4
00:00:09,709 –> 00:00:13,646
So for everybody listening, I’m Marco,
the CSO here at REDD Digital.

5
00:00:13,646 –> 00:00:16,783
And we have Tim join us Tim Stephinson.

6
00:00:16,783 –> 00:00:20,320
Yes from SherpaTech.
So I’ll let you introduce yourself.

7
00:00:20,320 –> 00:00:23,990
Thanks, Marco. Yeah.
My name’s Tim Stephinson. From SherpaTech.

8
00:00:23,990 –> 00:00:28,528
We’re an insurance specialist,
primarily for tech and IT companies.

9
00:00:28,528 –> 00:00:32,232
But because we help a lot of tech
and AI tech companies, we also help,

10
00:00:32,232 –> 00:00:36,836
their customers as well, with cyber insurance
in a number of examples.

11
00:00:36,870 –> 00:00:39,439
So, yeah. Happy to be here.

12
00:00:39,439 –> 00:00:41,374
Great to be here today with you. Fantastic.

13
00:00:41,374 –> 00:00:41,808
Thank you. Tim.

14
00:00:41,808 –> 00:00:45,311
And I said we’re going to be talking about cyber
insurance and business risk and whatnot,

15
00:00:45,311 –> 00:00:48,448
something that’s very prominent
now, especially with all the

16
00:00:48,448 –> 00:00:50,116
the announcements
that we’re getting around cyber

17
00:00:50,116 –> 00:00:53,353
and AI and models
that are even a bit too scary to be released.

18
00:00:53,353 –> 00:00:56,156
And what this means for businesses. Yeah.

19
00:00:56,156 –> 00:00:59,426
So December insurance is a little bit
like technology as well.

20
00:00:59,426 –> 00:01:02,695
It’s a, it’s a, it’s a little bit
of a misunderstood industry sometimes.

21
00:01:02,695 –> 00:01:04,330
And you know what we try to do

22
00:01:04,330 –> 00:01:08,401
is help people understand cyber insurance
and not be fearful of it.

23
00:01:08,401 –> 00:01:13,139
And that way they can use it
to, enhance their business and, you know,

24
00:01:13,139 –> 00:01:17,577
see it as more than just a cost, but actually
a service that they can tap into when they need.

25
00:01:18,011 –> 00:01:20,246
Absolutely. So listen, thank you.

26
00:01:20,246 –> 00:01:22,749
You’re going to help us understand
the risk, navigate them,

27
00:01:22,749 –> 00:01:25,151
make sense of what it is
and what is not, as I said.

28
00:01:25,151 –> 00:01:26,119
So maybe let’s start with that.

29
00:01:26,119 –> 00:01:27,187
And for anybody listening

30
00:01:27,187 –> 00:01:29,322
who might not understand
what cyber insurance is,

31
00:01:29,322 –> 00:01:32,859
how do you define cyber insurance
in simple terms.

32
00:01:32,859 –> 00:01:33,226
Yeah.

33
00:01:33,226 –> 00:01:38,064
So cyber insurance is a
relatively new insurance, in comparison

34
00:01:38,064 –> 00:01:42,202
to things like professional indemnity
or public liability coverages, which is either,

35
00:01:42,202 –> 00:01:47,807
you know, bad advice or people risk,
cyber ensure that those types of insurances

36
00:01:47,807 –> 00:01:49,309
have been around for hundreds of years.

37
00:01:49,309 –> 00:01:52,412
And the case law that they’re built on is very,
very stable.

38
00:01:52,412 –> 00:01:56,783
Cyber insurance by contrast,
has only been around about 15 years.

39
00:01:56,783 –> 00:01:58,551
It’s a relatively new product.

40
00:01:58,551 –> 00:02:02,122
And so we actually see a lot of variation
from different providers.

41
00:02:02,122 –> 00:02:08,161
So, when you compare policy A, B, and C,
you’ve really got to, you know,

42
00:02:08,261 –> 00:02:12,665
dig a little bit deeper and make sure that
they’re including the coverages that you need.

43
00:02:12,832 –> 00:02:18,138
But from a very high level perspective,
we see a good cyber insurance policy, including

44
00:02:18,138 –> 00:02:23,143
incident response, which is basically the
the emergency services you need.

45
00:02:23,143 –> 00:02:24,344
I call them the Avengers.

46
00:02:24,344 –> 00:02:29,816
They come running, you get these incredible
lawyers with amazing technical people,

47
00:02:30,116 –> 00:02:34,454
who all day, every day
respond to cyber incidents.

48
00:02:34,454 –> 00:02:38,424
They have speciality people
who do ransomware negotiation.

49
00:02:38,424 –> 00:02:42,896
They have data experts,
they have decryption experts, recovery experts,

50
00:02:43,163 –> 00:02:48,234
and also people that are, trained in dealing
in the regulatory environment.

51
00:02:48,768 –> 00:02:53,306
And a lot of people say, well, what
do lawyers have to do with IT infrastructure?

52
00:02:53,606 –> 00:02:57,777
But the regulation around IT
now is incredibly complex.

53
00:02:57,777 –> 00:03:02,248
And if your end client might have
a, telecommunications

54
00:03:02,248 –> 00:03:06,653
speciality versus a medical speciality,
there’s different paths they need to navigate

55
00:03:06,853 –> 00:03:11,291
for their, I suppose, breach disclosure
and other information.

56
00:03:11,758 –> 00:03:19,265
And the lawyers are the, the perfect person or
people to manage or project manage that case.

57
00:03:19,999 –> 00:03:23,336
And they also provide a legal shield
for the client as well.

58
00:03:23,336 –> 00:03:26,072
So you’re protected by privilege.

59
00:03:26,072 –> 00:03:31,544
The insurance pays for the lawyers,
however, they’re appointed for the policyholder.

60
00:03:31,678 –> 00:03:36,082
So the person who holds the insurance policy

61
00:03:36,349 –> 00:03:40,687
is engaged with a lawyer
who’s paid for by the insurer.

62
00:03:40,687 –> 00:03:45,858
And that’s a bit of I suppose, a point
that a lot of people get confused by thinking,

63
00:03:45,858 –> 00:03:49,329
hang on, are these lawyers here
to try and get out of the claim? No they’re not.

64
00:03:49,329 –> 00:03:50,563
They’re here to help you.

65
00:03:50,563 –> 00:03:55,235
And in many cases,
we actually advise our clients to engage

66
00:03:55,235 –> 00:03:59,105
with the response lawyers
before they even have an incident. That way,

67
00:03:59,105 –> 00:04:03,443
it’s part of their incident response plan
that they know that path that a case

68
00:04:03,443 –> 00:04:04,510
will go down.

69
00:04:04,510 –> 00:04:08,915
And one of the things that’s happened
in cyber insurance, and I’ll get to

70
00:04:09,048 –> 00:04:12,318
why it’s a lot cheaper
now than it was five years ago.

71
00:04:12,318 –> 00:04:18,458
But they’re very good at immediately responding
and reducing the risk if there’s a claim.

72
00:04:18,758 –> 00:04:22,128
And one of the ways they do
that is actually by getting in quicker,

73
00:04:22,128 –> 00:04:25,999
if somebody sits on a claim
and waits a week to tell the insurer, yeah,

74
00:04:25,999 –> 00:04:26,332
it can

75
00:04:26,332 –> 00:04:31,237
actually go a lot further than it would have had
they have had the incident response

76
00:04:31,237 –> 00:04:34,907
team jump on it in the first 30 minutes
or a couple of hours.

77
00:04:34,907 –> 00:04:35,675
Absolutely.

78
00:04:35,675 –> 00:04:37,610
It brings us to an example
that we just had with a client

79
00:04:37,610 –> 00:04:42,215
who was potentially looking at cyber
insurance, and we had our CSO speak to him,

80
00:04:42,215 –> 00:04:47,120
and he was trying to impact understanding
of what a cyber attack and cyber insurance is.

81
00:04:47,654 –> 00:04:51,090
And one of the first questions
that this person was asked

82
00:04:51,090 –> 00:04:54,927
was if you have a breach,
do you know who you have to report it to?

83
00:04:54,927 –> 00:04:56,229
I don’t really know.

84
00:04:56,229 –> 00:04:58,931
Depending on the industry,
there’s changes and depending on the instances,

85
00:04:58,931 –> 00:05:00,233
you have certain amount of times.

86
00:05:00,233 –> 00:05:04,804
And if you don’t hit those amount of times,
you’re automatically in breach of the law.

87
00:05:04,971 –> 00:05:07,807
Right. For example,
paying ransomware is illegal.

88
00:05:07,807 –> 00:05:09,442
Right it up, you know that. Yeah.

89
00:05:09,442 –> 00:05:13,179
So this is why we need,
you know, experts and lawyers involved.

90
00:05:13,179 –> 00:05:17,050
And we’ve seen some insurance claims
where they have paid the ransom.

91
00:05:17,050 –> 00:05:22,455
And that’s where the lawyers can navigate that,
whether you are right, are not able to pay.

92
00:05:22,488 –> 00:05:25,858
The other thing that the policy includes
is business interruption.

93
00:05:25,858 –> 00:05:30,029
So kind of like in a property policy,
if your building burns down and you’re

94
00:05:30,029 –> 00:05:31,497
a manufacturing business.

95
00:05:31,497 –> 00:05:31,898
Yeah.

96
00:05:31,898 –> 00:05:36,769
The business interruption insurance covers
you for the time it takes to rebuild

97
00:05:36,769 –> 00:05:41,441
or re-establish or your lost income in that
period, depending how you structure a policy.

98
00:05:41,908 –> 00:05:46,879
In cyber insurance,
there’s business interruption for lost costs

99
00:05:46,879 –> 00:05:48,948
or added costs of working.

100
00:05:48,948 –> 00:05:53,186
So if you’re an online retailer
and you’re down for,

101
00:05:53,186 –> 00:05:58,324
you know, a week, you’ve lost one week’s
worth of revenue potentially.

102
00:05:58,458 –> 00:06:00,660
But it also can have a compounding effect

103
00:06:00,660 –> 00:06:05,665
where you might have lost future revenue,
because that week impacts others.

104
00:06:05,898 –> 00:06:10,837
Also, in businesses that are heavily
reliant on tendering or responses,

105
00:06:10,837 –> 00:06:13,373
if your network is down for a period of time,

106
00:06:13,373 –> 00:06:18,544
you can actually lose work that
you could have been bidding on or going for.

107
00:06:18,544 –> 00:06:22,949
So the nature of all different businesses
has different business interruption exposure,

108
00:06:23,149 –> 00:06:27,620
but I feel all businesses
now have digital business interruption exposure,

109
00:06:27,653 –> 00:06:27,920
you know,

110
00:06:27,920 –> 00:06:32,959
and a lot of people have very good managed
service providers like yourselves across their,

111
00:06:33,159 –> 00:06:34,460
their infrastructure.

112
00:06:34,460 –> 00:06:37,897
But you’re responsible
for providing that infrastructure.

113
00:06:37,897 –> 00:06:44,237
If the client then has a user
or is a victim of a, an attack that’s outside

114
00:06:44,237 –> 00:06:47,774
your area of responsibility typically,
and that’s the client’s responsibility.

115
00:06:47,774 –> 00:06:48,341
And that’s why

116
00:06:48,341 –> 00:06:52,879
the client needs to hold cyber insurance
for their own business and their own data.

117
00:06:53,279 –> 00:06:58,818
And in our experience,
when all the clients hold cyber insurance,

118
00:06:59,118 –> 00:07:05,158
the insurers jump in, and all work together
to mitigate a claim and pay the claim.

119
00:07:05,491 –> 00:07:10,196
Whereas, where it gets messy is when different
providers don’t hold that, that cover.

120
00:07:10,530 –> 00:07:11,564
That’s very interesting.

121
00:07:11,564 –> 00:07:15,401
So there’s a lot of again,
it is not necessarily easy,

122
00:07:15,401 –> 00:07:19,005
but it’s not that difficult either
once you get your head around it. Yeah.

123
00:07:19,005 –> 00:07:23,242
There’s a lot of concerns that people have,
which is unfortunately something

124
00:07:23,242 –> 00:07:26,712
that the insurance world has taught people
the hard way, which is payout.

125
00:07:26,712 –> 00:07:27,046
Right?

126
00:07:27,046 –> 00:07:27,346
Yeah.

127
00:07:27,346 –> 00:07:29,749
And a lot of people,
you know, if you think about your car insurance

128
00:07:29,749 –> 00:07:31,484
man is the one that everybody has.

129
00:07:31,484 –> 00:07:34,720
And getting the payouts
can be incredibly difficult at times.

130
00:07:34,720 –> 00:07:37,490
Well it is
what is this like for cyber insurance?

131
00:07:37,490 –> 00:07:37,890
Yeah.

132
00:07:37,890 –> 00:07:43,296
So, in our experience, the world that we work
in, of business insurance,

133
00:07:43,296 –> 00:07:49,635
that is broker led business insurance is we feel
the claims environment is very different

134
00:07:49,635 –> 00:07:54,440
to what people experience when,
they have a fender bender.

135
00:07:54,440 –> 00:07:59,312
And, you know, they say the insurer doesn’t pay,
to go back to basics with insurance.

136
00:07:59,312 –> 00:08:01,981
Insurance is a contract of mutual honesty.

137
00:08:01,981 –> 00:08:06,586
The applicant or the or the business is honest
about the risk factors

138
00:08:06,586 –> 00:08:11,090
they put forward, and the insurer is honest
about the fact that they will cover those.

139
00:08:11,390 –> 00:08:15,261
So when the two match,
we don’t see any issues with payments.

140
00:08:15,261 –> 00:08:20,032
Insurers, their whole business model
is covering these types of incidents,

141
00:08:20,199 –> 00:08:21,901
especially with cyber insurance.

142
00:08:21,901 –> 00:08:27,440
Many of them now include, like a 24 hour
incident response or an incident response,

143
00:08:27,440 –> 00:08:31,944
no claims period where they jump in
and they triage it because they want to remove

144
00:08:31,944 –> 00:08:34,547
all barriers
to people delaying that notification.

145
00:08:35,481 –> 00:08:37,250
But very much in our experience, it’s

146
00:08:37,250 –> 00:08:42,588
about making sure the risk matches
what the insurer is insuring for.

147
00:08:42,788 –> 00:08:47,426
And it’s important to have an insurance broker
that actually pulls apart that risk

148
00:08:47,426 –> 00:08:50,296
and really challenges
you on. What are you covering?

149
00:08:50,296 –> 00:08:55,167
We do a lot with our clients, around
really peeling back the layers.

150
00:08:55,167 –> 00:08:59,472
I mean, I’ve had construction companies
that have really large digital exposure.

151
00:08:59,472 –> 00:09:03,409
And it’s actually about understanding that
if this went down, how would that affect

152
00:09:03,409 –> 00:09:06,679
your business interruption?
And what are you insuring for?

153
00:09:06,679 –> 00:09:11,183
I kind of take a risk
tolerant approach to insurance

154
00:09:11,517 –> 00:09:15,688
where we’re trying to insure
for the things that kill the business.

155
00:09:15,688 –> 00:09:20,660
So the big risks, instead of worrying about,
oh, if we lose a laptop on a train,

156
00:09:20,860 –> 00:09:24,964
we’re worrying about what
actually kills the business or takes it down.

157
00:09:24,964 –> 00:09:29,902
And those larger type insurance products
in cyber, you could have coverage for,

158
00:09:30,202 –> 00:09:34,740
500,000 or $1 million worth of protection,
and it might only cost you

159
00:09:34,740 –> 00:09:36,943
a few thousand dollars in the current market.

160
00:09:36,943 –> 00:09:43,049
So it’s a very affordable insurance
for the ultimate risk that it’s covering.

161
00:09:43,416 –> 00:09:45,551
Okay. That’s that’s great to hear.

162
00:09:45,551 –> 00:09:49,956
So if we talk about people deciding
how much risk they should carry,

163
00:09:50,389 –> 00:09:53,759
what cyber insurance
would that be a good way to look at it.

164
00:09:53,759 –> 00:09:54,694
Like what is actually going

165
00:09:54,694 –> 00:10:00,032
to, you know, take my business down
for X amount of data forever versus a blip.

166
00:10:00,132 –> 00:10:00,666
And the

167
00:10:00,666 –> 00:10:05,571
the biggest risk we see at the moment for
businesses in digital exposure is supply chain.

168
00:10:05,805 –> 00:10:12,812
So many businesses are built around third party
platforms or other tools that they use that

169
00:10:12,812 –> 00:10:18,384
in the event one of those platforms goes down,
they have no control over that infrastructure.

170
00:10:18,718 –> 00:10:23,089
So typically
a lot of business app or CRM, even,

171
00:10:23,089 –> 00:10:27,627
a point of sale system in a retail business,
if they go down

172
00:10:27,927 –> 00:10:32,331
and the business card trade,
that’s a cyber incident or that’s a cyber claim.

173
00:10:32,698 –> 00:10:33,666
Understood.

174
00:10:33,666 –> 00:10:37,703
And it’s as simple as picking up the phone
to your cyber insurer and go, like

175
00:10:37,703 –> 00:10:40,906
I think I how to breach a how to breach.
How’s the process. Yeah.

176
00:10:40,906 –> 00:10:43,743
So the correct person to always talk to
is your insurance broker.

177
00:10:43,743 –> 00:10:45,978
Most businesses will have an insurance broker

178
00:10:45,978 –> 00:10:48,781
that manages their property
and liability insurance,

179
00:10:48,781 –> 00:10:52,118
and they’re the best person to talk
to about cyber exposures.

180
00:10:52,118 –> 00:10:55,521
Insurance is a, in as in the Australian market.

181
00:10:55,521 –> 00:10:56,722
It’s a regulated product.

182
00:10:56,722 –> 00:11:00,559
So we have to operate under an Australian
financial services license.

183
00:11:00,559 –> 00:11:04,930
So we’re very regulated about the advice
we can and can’t give.

184
00:11:05,097 –> 00:11:09,168
So we work with clients to really unpack
that risk

185
00:11:09,168 –> 00:11:13,973
and articulate what is and what is not covered
with a cyber policy as well.

186
00:11:13,973 –> 00:11:16,976
You can cover for things like third party
payments.

187
00:11:16,976 –> 00:11:21,881
So, you know, if your accounts team
pays a fraudulent invoice,

188
00:11:21,881 –> 00:11:25,551
you can insure for that,
but that’s sometimes a more expensive cover.

189
00:11:25,551 –> 00:11:30,322
So some businesses will look to supplement that
or maybe not cover it at all,

190
00:11:30,322 –> 00:11:33,426
but businesses
that have really good controls around that area.

191
00:11:33,426 –> 00:11:34,760
So if we could show

192
00:11:34,760 –> 00:11:39,699
and ensure that all bank accounts are verified
via a third party before they’re changed,

193
00:11:39,699 –> 00:11:45,271
payments are always, you know, dual authorised,
accounts aren’t changed without management

194
00:11:45,438 –> 00:11:47,506
like all these other controls
you can put in place.

195
00:11:47,506 –> 00:11:49,575
We show an insurer that
then we can get really good

196
00:11:49,575 –> 00:11:53,446
pricing for that type of insurance, because
the likelihood of that occurring is lower.

197
00:11:55,047 –> 00:11:56,148
In addition, you know,

198
00:11:56,148 –> 00:12:01,220
frameworks as well are a great way,
to show that compliance with insurers.

199
00:12:01,253 –> 00:12:07,860
So, you know, using, you know, ISO, nest size,
any and this is where it’s industry relevant,

200
00:12:08,194 –> 00:12:13,999
that you make sure you show the insurer
that you’ve actually thought about your,

201
00:12:13,999 –> 00:12:19,038
your governance risk, you know, in compliance
and brought that all together in a holistic way.

202
00:12:19,438 –> 00:12:20,272
That makes sense.

203
00:12:20,272 –> 00:12:20,906
Thank you.

204
00:12:20,906 –> 00:12:24,744
And it prompts another question for me,
which is I’ll try to relate to my world

205
00:12:24,744 –> 00:12:27,279
where a client potentially
wants to change supplier.

206
00:12:27,279 –> 00:12:30,282
In their case it might be insurance and they go,
oh, we’re covered for this, this and this.

207
00:12:30,282 –> 00:12:34,120
And we look at their their agreement
and were like, well actually or not.

208
00:12:34,120 –> 00:12:34,253
Yeah.

209
00:12:34,253 –> 00:12:39,558
And anything that’s that you do, your current
supplier is going to charge you by the hour

210
00:12:39,759 –> 00:12:42,061
because you think you’re covered,
but you’re not.

211
00:12:42,061 –> 00:12:47,333
Have you had a case where you’ve reviewed
a business insurance or another cyber insurance

212
00:12:47,333 –> 00:12:49,902
from another supplier on a basis
where, like, you know, we’re covered,

213
00:12:49,902 –> 00:12:53,839
but when you dig into it, you realise
they’re not and they are a big risk.

214
00:12:53,839 –> 00:12:55,608
Yeah, we actually see that a lot.

215
00:12:55,608 –> 00:12:59,779
And a lot of it comes from look, insurance
isn’t the most exciting topic.

216
00:12:59,779 –> 00:13:04,150
So we have to work with our clients
to make them understand that, hey,

217
00:13:04,150 –> 00:13:06,919
we’re not actually selling insurance.
We’re discussing risk.

218
00:13:06,919 –> 00:13:12,792
And so what typically happens is businesses and
grow, business grows and changes quite quickly.

219
00:13:13,159 –> 00:13:16,829
But insurance is quite slow
to adopt those changes.

220
00:13:16,829 –> 00:13:19,932
And so your typical insurance cycle is annually.

221
00:13:19,932 –> 00:13:24,804
And so it’s usually a discussion
had with a CFO around that insurance program.

222
00:13:25,037 –> 00:13:29,742
But we find businesses have greater success
when it’s a whole of business discussion.

223
00:13:29,942 –> 00:13:34,947
And you have to you have technical management
all contributing to that.

224
00:13:34,947 –> 00:13:38,717
What is covered risk
and also that incident response plan about,

225
00:13:38,717 –> 00:13:40,319
well, what is going to happen.

226
00:13:40,319 –> 00:13:42,288
And, you know, a simple example is,

227
00:13:42,288 –> 00:13:46,826
you know, you could set an excess
quite high to reduce the cost of your insurance,

228
00:13:47,059 –> 00:13:50,196
knowing that you have a really strong
technical team already engaged.

229
00:13:50,196 –> 00:13:53,799
And if it’s a small phishing attack
or something, you manage that internally.

230
00:13:53,799 –> 00:13:56,969
You still notify the insurer,
but they’re not picking up the bill.

231
00:13:56,969 –> 00:14:00,339
But you’re covering above $100,000
as an example.

232
00:14:00,339 –> 00:14:03,209
If it goes above that,
then the insurer is going to jump in and help.

233
00:14:03,209 –> 00:14:07,279
But all of those things, it’s important
that you predetermine those

234
00:14:07,279 –> 00:14:09,481
instead of having a claim and then going,
oh, hang on,

235
00:14:09,481 –> 00:14:12,251
what’s our excess or what is covered
or excluded?

236
00:14:12,251 –> 00:14:14,286
Ransomware exclusions are really common.

237
00:14:14,286 –> 00:14:17,456
So we see a lot of insurers
carving out ransomware.

238
00:14:17,456 –> 00:14:20,860
And in most cases
now we can have those exclusions removed.

239
00:14:20,860 –> 00:14:24,630
You just have to have the conversation
with the underwriter and explain what,

240
00:14:24,630 –> 00:14:26,232
platforms are operating

241
00:14:26,232 –> 00:14:30,803
to remove the risk of ransom encryption,
or that you have a really strong data

242
00:14:30,803 –> 00:14:31,704
recovery plan on.

243
00:14:31,704 –> 00:14:36,876
You’re using a certain set of software tools
that will allow that to happen in real time.

244
00:14:37,910 –> 00:14:40,813
Different
industries carry different risks as well.

245
00:14:40,813 –> 00:14:46,051
So we might see, one industry
where they’re not that concerned

246
00:14:46,051 –> 00:14:51,123
about the volume of, say, personal information
because it’s in a secure environment.

247
00:14:51,323 –> 00:14:54,426
But then we might say medical
being more susceptible.

248
00:14:54,426 –> 00:14:58,264
And so you can get two businesses
with same kind of,

249
00:14:58,264 –> 00:15:00,232
I suppose, avatar or the look to that business.

250
00:15:00,232 –> 00:15:02,868
But one premium will be higher than the other
because of the industry

251
00:15:02,868 –> 00:15:07,172
they’re in and the lack of appetite
from the insurance market for those industries.

252
00:15:07,172 –> 00:15:07,940
That makes sense.

253
00:15:07,940 –> 00:15:12,978
So let’s talk about what makes a business
handle risk well versus one that does.

254
00:15:12,978 –> 00:15:16,315
And you talked about that Swiss cheese model,
right. In terms of your insurance.

255
00:15:16,315 –> 00:15:20,552
And if anybody doesn’t know what a Swiss
cheese model is happy to answer, let me know.

256
00:15:20,552 –> 00:15:22,187
We’re not actually talking about cheese,

257
00:15:22,187 –> 00:15:26,759
but it’s the
what makes a business good at handling risk.

258
00:15:26,759 –> 00:15:29,795
Is it a simple,
you know, process and procedure things?

259
00:15:29,795 –> 00:15:31,830
Is it reviewing the ways that they work?

260
00:15:31,830 –> 00:15:37,102
Is it having multiple steps such as, you know,
multiple factors, complicated authenticator.

261
00:15:37,469 –> 00:15:38,837
Is it all of that?

262
00:15:38,837 –> 00:15:39,104
Yeah.

263
00:15:39,104 –> 00:15:42,374
So that we the way we sort of approach
it is the first thing you need to do

264
00:15:42,374 –> 00:15:45,911
is identify the risk
or be aware of it to be able to manage it.

265
00:15:45,911 –> 00:15:48,247
You know, you can’t insure for something
you don’t know about.

266
00:15:48,247 –> 00:15:53,953
But insurance is also built to cover,
those outlining cases

267
00:15:53,953 –> 00:15:58,357
or those 1%, cases
that can really topple a business.

268
00:15:58,958 –> 00:16:03,662
So the businesses that we see managing that
well do implement frameworks and standards.

269
00:16:03,963 –> 00:16:05,864
And even for a small business,

270
00:16:05,864 –> 00:16:09,234
you can use your insurance proposal form
as a framework or a standard

271
00:16:09,234 –> 00:16:12,237
because they ask you a bunch of questions
about your environment.

272
00:16:12,237 –> 00:16:13,739
And if you’re answering on the negative

273
00:16:13,739 –> 00:16:18,510
all the time, you can pretty be pretty clear
about the things you need to do to improve that.

274
00:16:18,811 –> 00:16:23,716
The interesting thing with insurance
is only that the way that insurance is,

275
00:16:23,849 –> 00:16:28,220
priced is a little bit backwards looking.

276
00:16:28,220 –> 00:16:33,092
So instead of looking forwards and saying,
we think we’re going to have a case from this,

277
00:16:33,492 –> 00:16:36,328
they say, what have we suffered losses from?

278
00:16:36,328 –> 00:16:40,499
And then they try to exclude those cases
from their coverage.

279
00:16:40,499 –> 00:16:44,903
So that’s why ransomware exclusions came around,
because there was a lot of ransomware

280
00:16:45,170 –> 00:16:47,339
going on and taking out the premium pool.

281
00:16:47,339 –> 00:16:53,245
So the quick way to improve that is to remove
the ransomware as a coverage area.

282
00:16:53,545 –> 00:16:58,050
But then as frameworks
and others start to improve that coverage

283
00:16:58,050 –> 00:17:03,188
of ransom cases and those drop off, then
we can look to remove those coverage sections.

284
00:17:03,589 –> 00:17:04,623
That makes sense.

285
00:17:04,623 –> 00:17:08,260
So what we’re saying is
if you have business insurance,

286
00:17:08,260 –> 00:17:10,963
you’re not automatically cyber
insured. Definitely. Yeah.

287
00:17:10,963 –> 00:17:14,366
That’s absolutely, you know, business insurance
or your bespoke insurance.

288
00:17:14,366 –> 00:17:16,935
Yes. Typically doesn’t include cyber insurance.

289
00:17:16,935 –> 00:17:20,072
Cyber insurance is its own class of insurance.

290
00:17:20,072 –> 00:17:23,142
And we would say that
now is, I suppose an area

291
00:17:23,142 –> 00:17:27,179
that a business needs to look on
and ask it’s okay as well not to take insurance.

292
00:17:27,179 –> 00:17:32,184
You know, we we’re not we, we look at it
and say, if you’re not going to take insurance,

293
00:17:32,651 –> 00:17:34,486
how do you deliver these services.

294
00:17:34,486 –> 00:17:36,889
And some large companies do
look at that and say,

295
00:17:36,889 –> 00:17:38,090
we just need to make sure

296
00:17:38,090 –> 00:17:42,428
we actually have the same incident response team
that the insurance will pay for

297
00:17:42,428 –> 00:17:46,498
on our speed dial, so that we can access them
as we need and will pay for that as we need

298
00:17:46,498 –> 00:17:46,999
that.

299
00:17:46,999 –> 00:17:51,203
And that’s an example of self insurance,
which is totally acceptable,

300
00:17:51,203 –> 00:17:55,074
but you just need to know the risk
is there to cover it either

301
00:17:55,074 –> 00:17:59,078
by, you know, we talk about, you know,
you cover it with your own cash or your P&L

302
00:17:59,078 –> 00:18:00,679
or you cover it with insurance.

303
00:18:02,047 –> 00:18:03,615
Regardless of your choice.

304
00:18:03,615 –> 00:18:06,418
And I mean paying by the day on those.

305
00:18:06,418 –> 00:18:07,419
It’s their response teams.

306
00:18:07,419 –> 00:18:11,523
It’s not cheap, but regardless of your choice,
you need some sort of preparation either.

307
00:18:11,523 –> 00:18:15,694
A business continuity plan,
a business disaster recovery plan, so on.

308
00:18:15,694 –> 00:18:19,398
Because thinking on the spot when you get
attacked, it’s going to be nearly impossible.

309
00:18:19,398 –> 00:18:22,501
Now, one of the good things as well,
that’s coming from cyber insurance,

310
00:18:22,501 –> 00:18:27,973
because it’s an evolving product,
is they’re now starting to include more GRC

311
00:18:27,973 –> 00:18:32,544
governance, risk and compliance services
that come with an insurance policy.

312
00:18:32,778 –> 00:18:38,317
So one of the larger providers, Chubb,
now include with their policy

313
00:18:38,317 –> 00:18:42,721
a lot of services or software offerings

314
00:18:42,921 –> 00:18:47,292
that actually reduce the likelihood of a claim.

315
00:18:47,292 –> 00:18:49,828
They’ll also help
you build an incident response plan.

316
00:18:49,828 –> 00:18:51,930
You know,
we always advocate for clients to do that

317
00:18:51,930 –> 00:18:54,199
in consultation
with their managed service provider.

318
00:18:54,199 –> 00:18:55,601
You know, your incident response plan

319
00:18:55,601 –> 00:18:59,438
as it exists, is usually built
from a technical control perspective.

320
00:18:59,438 –> 00:19:01,507
It doesn’t always consider insurance.

321
00:19:01,507 –> 00:19:05,544
And so it’s important
that those two streams of work align.

322
00:19:05,544 –> 00:19:09,181
And you know, when one hands off to the other
and vice versa,

323
00:19:09,181 –> 00:19:14,186
because an MSP should be
a, a real stakeholder in the incident response.

324
00:19:15,487 –> 00:19:18,056
But they
really should dovetail with the insurer.

325
00:19:18,056 –> 00:19:22,127
And if you can do that before an incident,
everyone’s better prepared.

326
00:19:22,127 –> 00:19:23,495
Completely agree, I completely agree.

327
00:19:23,495 –> 00:19:27,332
I think preparation is going to cost you,
you know, one fifth of or less of whatever

328
00:19:27,332 –> 00:19:28,534
your incident is going to cost you.

329
00:19:28,534 –> 00:19:32,938
And it’s going to be so much peace of mind that
if something happens, you have a plan, right?

330
00:19:32,971 –> 00:19:35,674
And the likelihood of something happening
then is actually less,

331
00:19:35,674 –> 00:19:40,946
because as you uncover this, you find risks
that you might not have thought of before.

332
00:19:40,946 –> 00:19:42,481
And your mitigations in place.

333
00:19:42,481 –> 00:19:45,450
And look through some of those tabletop
discoveries as well.

334
00:19:45,450 –> 00:19:49,154
If you do identify risks that you’ve resolved,

335
00:19:49,154 –> 00:19:51,256
they’re actually good things
to share with the insurer

336
00:19:51,256 –> 00:19:52,658
because they can actually uplift

337
00:19:52,658 –> 00:19:56,228
the maturity of the organisation
that the insurer is assessing.

338
00:19:56,228 –> 00:19:58,630
We do that with a lot of our larger accounts.

339
00:19:58,630 –> 00:20:01,300
They’ll do annual sort of tabletops or on board

340
00:20:01,300 –> 00:20:06,672
or like reviews with the insurer to go further
than just do we have an incident response plan?

341
00:20:07,105 –> 00:20:09,274
Yes, because that can improve coverage.

342
00:20:09,274 –> 00:20:15,814
Yes. So what’s interesting about cyber
insurance is versus regular business insurance

343
00:20:15,814 –> 00:20:21,019
or everyday insurance for whatever your vehicles
is, that it doesn’t change the way.

344
00:20:21,186 –> 00:20:24,423
So the business insurance doesn’t change
the way you operate necessarily. Right.

345
00:20:24,423 –> 00:20:28,927
But when you start thinking about
cyber insurance, you can use it as a strategy

346
00:20:29,361 –> 00:20:33,565
to go, this is where my risks are,
and this is where I have to change my business

347
00:20:33,565 –> 00:20:36,902
and actually make myself
a bit more bullet-proof against cyber risks,

348
00:20:36,902 –> 00:20:38,704
so you can change the way that you work.

349
00:20:38,704 –> 00:20:41,907
So in a way, just thinking about it
and talking to your broker about it

350
00:20:41,907 –> 00:20:44,209
is a strategic change for the business.
Definitely.

351
00:20:44,209 –> 00:20:49,982
And a lot of underwriters now have
invested in third party assessment tools.

352
00:20:50,415 –> 00:20:54,720
They don’t replace the security offerings
that come from an MSP, but they share

353
00:20:54,720 –> 00:20:59,124
what they see as the risks,
that the insurer is concerned with.

354
00:20:59,424 –> 00:21:01,226
And sometimes we get into a bit of a technical

355
00:21:01,226 –> 00:21:05,063
discussion between insurers
and technical managed service providers,

356
00:21:05,063 –> 00:21:07,065
where they have different views on

357
00:21:07,065 –> 00:21:10,168
whether those risks that are being highlighted
are relevant or not.

358
00:21:10,168 –> 00:21:14,439
You know, we see a lot of insurers
being concerned about web facing risks.

359
00:21:14,439 –> 00:21:18,310
However, they typically sit sometimes
outside of the managed service provider

360
00:21:18,310 –> 00:21:21,280
they’re managed by the marketing team
or and those sort of areas.

361
00:21:21,280 –> 00:21:25,017
So but if you can use the cyber insurer
to bring the business together.

362
00:21:25,017 –> 00:21:29,254
So all of those departments are aware
of what affects the coverage,

363
00:21:29,254 –> 00:21:32,391
then they can actually resolve
all of those areas.

364
00:21:32,391 –> 00:21:34,793
Collectively. Yes, that’s very interesting.

365
00:21:34,793 –> 00:21:41,300
And let’s talk about that a second, because
not long ago I heard somebody say, if you get

366
00:21:42,334 –> 00:21:45,737
some sort of certificate in cyber insurance

367
00:21:45,737 –> 00:21:49,274
and you go back to your broker, your insurance
is automatically decreased in price,

368
00:21:49,274 –> 00:21:51,143
which seems like a misconception.

369
00:21:51,143 –> 00:21:56,448
It’s a bit of a it’s a bit of a challenge
because insurers write on what as I said

370
00:21:56,448 –> 00:21:59,117
earlier, insurers
write on where they’ve lost money.

371
00:21:59,117 –> 00:22:05,090
So in some cases, regardless of the frameworks
that are in place, if last month that insurer,

372
00:22:05,657 –> 00:22:10,028
had a lot of claims from third party payments
to fraudulent bank accounts,

373
00:22:10,362 –> 00:22:13,398
we will see increases in those areas.

374
00:22:13,398 –> 00:22:15,467
The other thing
that we’re seeing in the Australian market

375
00:22:15,467 –> 00:22:19,338
now is a saturation of cyber insurance
providers.

376
00:22:19,338 –> 00:22:27,045
There’s now 48 cyber insurance providers,
and the market size is about $750 million.

377
00:22:27,279 –> 00:22:31,817
So it’s quite a small insurance market
for a lot of providers.

378
00:22:32,050 –> 00:22:36,588
So it’s actually a really good news story
for anyone looking for cyber insurance

379
00:22:36,822 –> 00:22:39,658
because the premiums are really cheap.

380
00:22:39,658 –> 00:22:41,626
So there’s a lot of competition.

381
00:22:41,626 –> 00:22:43,595
And your local broker

382
00:22:43,595 –> 00:22:47,999
will be able to go to 4 or 5 providers
and get some really competitive quotes.

383
00:22:47,999 –> 00:22:53,071
But what that also means
is that the premiums are already very cheap.

384
00:22:53,438 –> 00:22:58,043
So and while some businesses
above a certain turnover,

385
00:22:58,243 –> 00:23:03,849
you know, frameworks are absolutely required,
many insurance providers now

386
00:23:03,882 –> 00:23:08,820
will only ask 3 or 4 risk questions
to actually place a cyber insurance policy.

387
00:23:09,321 –> 00:23:13,725
So for any business that’s considering
going through a cyber uplift, I always advise

388
00:23:13,825 –> 00:23:19,197
get a cyber insurance policy in place first
and then go through the uplift process,

389
00:23:19,431 –> 00:23:24,403
and then you can share the steps you’ve improved
and there may be a premium reduction.

390
00:23:24,403 –> 00:23:26,538
And if you do get one that’s that’s a bonus.

391
00:23:26,538 –> 00:23:32,778
But because the cyber market is so competitive
at the moment, we’re not seeing 20, 30% savings

392
00:23:32,811 –> 00:23:37,215
on some of those uplifts
because the standard of those businesses,

393
00:23:37,349 –> 00:23:39,985
or the cyber controls
around a lot of those businesses

394
00:23:39,985 –> 00:23:41,987
is actually really good in a lot of cases.

395
00:23:41,987 –> 00:23:46,224
And the third party assessment tools
the insurers are using,

396
00:23:46,224 –> 00:23:49,561
they’re using those as a tool to validate
what that looks like.

397
00:23:49,561 –> 00:23:53,965
In some cases they’re only scanning the outward
facing environment.

398
00:23:54,032 –> 00:23:58,437
But insurers use tools like that,
almost like in home insurance.

399
00:23:58,437 –> 00:24:03,642
If they check that all the windows have locks
and bolts on them, they can make an assumption

400
00:24:03,642 –> 00:24:07,179
about the other factors
that you would do to secure the house.

401
00:24:07,179 –> 00:24:11,450
And so when they scan,
all the outward facing information

402
00:24:11,450 –> 00:24:16,021
and they say that your firewall is actually up
to date on its software patching,

403
00:24:16,354 –> 00:24:18,990
they make an assumption
that it’s being managed well.

404
00:24:18,990 –> 00:24:23,628
But if they scan that outward facing firewall
and say that it’s, you know,

405
00:24:23,728 –> 00:24:27,899
has a vulnerable patch on it, then they’ll say,
no, we don’t want to insure for that.

406
00:24:27,899 –> 00:24:31,736
So that’s how they kind of use that,
that information.

407
00:24:31,736 –> 00:24:32,704
That makes sense.

408
00:24:32,704 –> 00:24:37,442
So those those frameworks or certificates,
it’s not necessarily untrue

409
00:24:37,442 –> 00:24:40,312
that you get a discount.
It doesn’t just apply automatically.

410
00:24:40,312 –> 00:24:45,283
But what it does is it makes you potentially
go from bad risk to good risk.

411
00:24:45,517 –> 00:24:48,720
And yeah, that transition is
what’s going to give you a better correct.

412
00:24:48,720 –> 00:24:53,625
And then we do see premium reductions
when those risks are improved.

413
00:24:53,959 –> 00:24:57,896
So yeah. No, we’re definitely seeing
a lot of that at the moment.

414
00:24:57,896 –> 00:25:00,198
But it’s a case by case basis.

415
00:25:00,198 –> 00:25:05,837
And as a broker, I actually can’t give
financial advice around premiums.

416
00:25:05,837 –> 00:25:07,439
What they will and won’t cost.

417
00:25:07,439 –> 00:25:10,909
I can share an indication
that from similar clients we’ve seen this,

418
00:25:10,909 –> 00:25:15,046
but the underwriter is the only one
who can price that risk. Yes.

419
00:25:15,046 –> 00:25:19,651
And does does a new and stair,
which is not only as a broker, you can’t do it,

420
00:25:19,651 –> 00:25:21,319
but there’s certain information

421
00:25:21,319 –> 00:25:26,191
that if you’re not a broker,
you actually legally, legally cannot share.

422
00:25:26,191 –> 00:25:28,560
Can you? Yes. Help us out with this. Yeah.

423
00:25:28,560 –> 00:25:35,333
So, there’s a difference between general advice
and factual advice in the insurance world.

424
00:25:35,600 –> 00:25:38,803
And then sort of specific advice.

425
00:25:38,803 –> 00:25:44,576
So for factual advice,
an MSP can share factual advice about,

426
00:25:44,576 –> 00:25:49,814
oh, Emergence have a cyber
you have a cyber policy with Emergence.

427
00:25:49,814 –> 00:25:51,750
And it’s got a $1 million limit.

428
00:25:51,750 –> 00:25:54,986
You know, that’s a that’s a good policy.

429
00:25:54,986 –> 00:25:59,124
But if you’re then going to delve into the
coverage of that policy, that’s where you need

430
00:25:59,124 –> 00:26:01,826
a licensed insurance broker
to actually give that advice.

431
00:26:01,826 –> 00:26:05,530
Because if we guide a customer
in the wrong direction,

432
00:26:05,530 –> 00:26:09,935
we hold professional indemnity advice
for that bad advice.

433
00:26:10,168 –> 00:26:14,906
Whereas a managed service
provider doesn’t hold professional indemnity

434
00:26:14,940 –> 00:26:17,409
to protect them for insurance advice.

435
00:26:17,409 –> 00:26:17,909
Yeah. Of course.

436
00:26:17,909 –> 00:26:20,745
And the client might be misguided or feel,
you know,

437
00:26:20,745 –> 00:26:22,781
you don’t buy and it’s not anybody’s fault.

438
00:26:22,781 –> 00:26:26,084
It’s just that the right person with the right
knowledge wasn’t involved in the conversation.

439
00:26:26,084 –> 00:26:26,685
Yeah.

440
00:26:26,685 –> 00:26:29,955
And that there’s a lot of really good insurance
brokers out there now,

441
00:26:29,955 –> 00:26:32,090
who can help with cyber insurance.

442
00:26:32,090 –> 00:26:36,461
So, yeah, the first point of call
is really talk to your insurance broker.

443
00:26:36,628 –> 00:26:39,798
Yeah, yeah,
that seems to be the recurring theme here. Yeah.

444
00:26:39,798 –> 00:26:45,437
Let’s talk about something that’s that’s been on
everybody’s lips and it’s AI.

445
00:26:45,537 –> 00:26:46,638
Right. Yeah.

446
00:26:46,638 –> 00:26:50,208
I’m feeling it in a way that I’m trying
to implement that into the business.

447
00:26:50,208 –> 00:26:52,777
And we have in some cases, done
so very successfully.

448
00:26:52,777 –> 00:26:55,680
In other cases,
every time I try to build a business case,

449
00:26:55,680 –> 00:26:59,884
as soon as I build one the following week,
literally the following week,

450
00:26:59,884 –> 00:27:02,721
something new has come on
that replaces it or it’s cheaper.

451
00:27:02,721 –> 00:27:06,725
It’s better has an add on.
How much does this scare you?

452
00:27:06,725 –> 00:27:11,463
But what advice would you give businesses
in terms of the progress in which AI is being

453
00:27:11,696 –> 00:27:13,832
up, kept in terms of cyber insurance?

454
00:27:13,832 –> 00:27:18,803
Yeah, so there’s two areas of insurance
that AI touches for me.

455
00:27:19,070 –> 00:27:23,441
So you have professional indemnity,
which is bad advice.

456
00:27:23,575 –> 00:27:25,644
And then you have the cyber exposure.

457
00:27:25,644 –> 00:27:30,915
So if we were to take one of REDD’s customers,

458
00:27:30,915 –> 00:27:35,720
that might be an accounting firm
who’s using AI in their business.

459
00:27:35,887 –> 00:27:40,291
If the AI gives bad advice to their customers,
they actually have,

460
00:27:40,358 –> 00:27:42,527
they could have a professional indemnity claim.

461
00:27:42,527 –> 00:27:48,299
Yes. So they need to make sure
that they have coverage for the AI, for,

462
00:27:48,667 –> 00:27:51,236
you know, how
they’re actually operating their business.

463
00:27:51,236 –> 00:27:53,538
The other area then is the cyber exposure.

464
00:27:53,538 –> 00:27:58,910
So in the event that they’re left vulnerable,
because the AI has done

465
00:27:58,910 –> 00:28:00,645
something, being connected in a

466
00:28:00,645 –> 00:28:06,217
or misconfigured, that could
then cause a cyber claim or cyber exposure.

467
00:28:07,018 –> 00:28:11,856
The good thing with AI,
though, is that from a protection perspective,

468
00:28:11,890 –> 00:28:17,228
current insurance policies are already built
to handle breaches that are caused by AI.

469
00:28:17,595 –> 00:28:23,368
So, we’re not currently seeing AI exclusions
in cyber policies.

470
00:28:23,702 –> 00:28:27,539
But what we are seeing is insurers
stay silent on it.

471
00:28:27,539 –> 00:28:30,308
So they’re not actually putting a stake
in the ground that we will

472
00:28:30,308 –> 00:28:31,710
or won’t cover something.

473
00:28:31,710 –> 00:28:37,048
So what we advise any business that’s using AI,
in a transformational way,

474
00:28:37,282 –> 00:28:42,854
is to actually be proactive in sharing that
with your insurer and bring your insurer

475
00:28:42,854 –> 00:28:48,526
into that conversation and what you then remove
is the chance for them to stay silent on it.

476
00:28:48,526 –> 00:28:51,062
And you make them take an affirmative position

477
00:28:51,062 –> 00:28:56,334
that our client is using AI in this way,
and we will cover an exposure if it exists.

478
00:28:57,035 –> 00:28:57,602
And that way

479
00:28:57,602 –> 00:29:02,006
then you avoid that argument about will
they or won’t they pay at the time of a claim.

480
00:29:02,207 –> 00:29:06,678
And because of the
the speed at which AI is accelerating,

481
00:29:06,678 –> 00:29:13,551
it’s really important to bring those use cases
to your broker, to share with the insurer.

482
00:29:13,551 –> 00:29:16,621
So because some of them might just be platform
features.

483
00:29:16,621 –> 00:29:18,757
Yeah. And that’s fine.

484
00:29:18,757 –> 00:29:22,560
But you can share that proactively
with the insurer,

485
00:29:22,560 –> 00:29:24,829
to say,
oh, we’ve turned on these platform features,

486
00:29:24,829 –> 00:29:29,567
some insurers are actually requesting those AI
platform features to be turned on in some ways.

487
00:29:29,968 –> 00:29:33,805
But, you know,
if you send an email to your broker and say,

488
00:29:33,805 –> 00:29:36,975
hey, look, we’ve actually just turned
on enterprise grade Claude,

489
00:29:36,975 –> 00:29:39,477
and we’ve connected it
through to an we’ve done an MCP

490
00:29:39,477 –> 00:29:43,882
server and it’s going now through to our,
our database and blah, blah, blah.

491
00:29:43,915 –> 00:29:45,950
Would that be covered by our cyber insurance?

492
00:29:45,950 –> 00:29:49,587
They can take that to the insurer
to get an answer on.

493
00:29:49,587 –> 00:29:55,527
And then you have some degree of comfort
that eventuates from that you’re more protected.

494
00:29:55,994 –> 00:29:56,895
Yeah, that makes sense.

495
00:29:56,895 –> 00:30:01,332
And a lot of what people use
AI for these days is research, right?

496
00:30:01,366 –> 00:30:01,633
Yeah.

497
00:30:01,633 –> 00:30:04,869
I mean, it has a lot of, a lot of good use.

498
00:30:04,869 –> 00:30:08,973
But, you know, if you’re talking about the
the Copilots, the ChatGPTs, a lot of people,

499
00:30:08,973 –> 00:30:11,209
you know, use it as a Q&A, right? Yeah.

500
00:30:11,209 –> 00:30:15,613
And there is a, a level of discretion
that needs to be applied there.

501
00:30:15,680 –> 00:30:20,351
Because and there’s two very good quotes
that I heard about AI, that I’ll share.

502
00:30:20,351 –> 00:30:23,788
One is what is the difference
between a human giving advice and an AI

503
00:30:23,788 –> 00:30:28,059
giving advice is the human can stop and say,
I don’t know.

504
00:30:28,059 –> 00:30:31,729
The AI will keep using you. Yeah, right.

505
00:30:31,729 –> 00:30:34,132
And and if it’s wrong, it’s wrong. Yeah.

506
00:30:34,132 –> 00:30:38,870
And that’s the first really, really
important line which is talk to your broker.

507
00:30:38,870 –> 00:30:42,373
Talk to a human who can go. We’ll find this out.

508
00:30:42,373 –> 00:30:43,575
We’re not. Yeah sure.

509
00:30:43,575 –> 00:30:47,478
It might not take us the 20 milliseconds
that ChatGPT or Copilot can take.

510
00:30:47,478 –> 00:30:49,581
But what I show you, that is the right answer.

511
00:30:49,581 –> 00:30:54,452
And the other quote
was that AI can answer, but humans can question.

512
00:30:55,553 –> 00:30:57,555
And I
think that is a really, really good one as well,

513
00:30:57,555 –> 00:31:01,960
which is similar enough if you’re unsure,
just don’t take the advice for granted.

514
00:31:01,960 –> 00:31:03,928
You know, it can be great for research,

515
00:31:03,928 –> 00:31:06,698
but you look at where
AI is getting a lot of information from.

516
00:31:06,698 –> 00:31:09,500
It can be popular, right?
Such as Reddit or other things.

517
00:31:09,500 –> 00:31:11,870
And, you know, millions of users
potentially sharing wrong information.

518
00:31:11,870 –> 00:31:13,738
And that’s where, you know,
I think, for example,

519
00:31:13,738 –> 00:31:14,973
you might get something

520
00:31:14,973 –> 00:31:19,577
don’t quote me on this one, but 50%
plus of their of their answers come directly

521
00:31:19,577 –> 00:31:23,314
from like Reddit in some cases, you know,
which is a bit yeah, a bit absurd, right?

522
00:31:23,314 –> 00:31:25,750
I’m sure there’s plenty of good advice in there,
but if you’re looking

523
00:31:25,750 –> 00:31:28,386
for cyber insurance advice,
maybe you want to go to Reddit.

524
00:31:28,386 –> 00:31:33,024
Yeah, and that’s where I suppose having
a professional implementer actually help you go

525
00:31:33,057 –> 00:31:33,858
through that journey.

526
00:31:33,858 –> 00:31:35,059
There’s a number of,

527
00:31:35,059 –> 00:31:37,795
we have a couple of clients in this space
where they are,

528
00:31:37,795 –> 00:31:41,299
you know, specific
AI consultants going in to do that work

529
00:31:41,299 –> 00:31:43,067
and making sure the right guardrails are there.

530
00:31:43,067 –> 00:31:46,537
And I suppose people are,
you know, we’re speaking to REDD about that.

531
00:31:46,537 –> 00:31:49,741
Because I know you guys are doing
some really innovative stuff there as well.

532
00:31:49,741 –> 00:31:50,041
Yeah.

533
00:31:50,041 –> 00:31:51,175
Absolutely, absolutely.

534
00:31:51,175 –> 00:31:55,213
And questioning
asking a question doesn’t cost anything.

535
00:31:55,213 –> 00:31:58,750
Yeah, right. It’s just sort of a conversation.
And if anything you just walk out of

536
00:31:58,750 –> 00:32:03,121
there better informed than you were,
you know, half an hour before that conversation.

537
00:32:03,121 –> 00:32:05,823
So another few questions for you
if you don’t mind on this.

538
00:32:05,823 –> 00:32:11,763
If you could look at cyber insurance as a whole
and give one piece of advice to businesses,

539
00:32:12,230 –> 00:32:14,699
what would it be? I think it’s read your policy.

540
00:32:16,100 –> 00:32:17,802
So and you don’t have

541
00:32:17,802 –> 00:32:22,340
to read the whole thing,
but focus in on the exclusions

542
00:32:22,640 –> 00:32:27,512
and the endorsements, because if you read
what it doesn’t cover, it’s quite obvious.

543
00:32:27,512 –> 00:32:29,747
Insurers have to be very blatant about this.

544
00:32:29,747 –> 00:32:31,549
You can then overlay that with your business.

545
00:32:31,549 –> 00:32:36,688
And also if you have an assumption
that it is covering something, confirm that,

546
00:32:36,821 –> 00:32:40,858
or what are you scared of? Is it, you know,
your servers being encrypted.

547
00:32:40,858 –> 00:32:42,293
Is it the server burning down?

548
00:32:42,293 –> 00:32:46,664
Is it be prescriptive about the digital exposure
you have?

549
00:32:46,664 –> 00:32:48,967
All those those use cases?

550
00:32:48,967 –> 00:32:52,236
I always ask my customers for
what are your big three risks.

551
00:32:52,236 –> 00:32:54,472
So if you can bring those big three risks

552
00:32:54,472 –> 00:32:58,910
that as a business you’re fearful of,
sometimes they’re not even an insurance problem.

553
00:32:59,577 –> 00:33:03,581
But insurance can actually help you
uplift in those areas as well.

554
00:33:03,581 –> 00:33:06,584
So yeah, we actually see,
some large businesses,

555
00:33:06,584 –> 00:33:12,890
you know, they use insurance as a way to cover
against profit instability from a cyber crime.

556
00:33:13,157 –> 00:33:18,496
You know, because the bottom line can
be affected quite quickly in a large business.

557
00:33:18,730 –> 00:33:23,368
And the insurance product
allows that to have a more stable response.

558
00:33:24,168 –> 00:33:25,870
So if, you know,

559
00:33:25,870 –> 00:33:31,142
some businesses will have different risk
concerns, others it might be reputational.

560
00:33:31,175 –> 00:33:31,409
Yeah.

561
00:33:31,409 –> 00:33:35,513
Articulate that and then you can put
the right wrapper around it.

562
00:33:35,513 –> 00:33:36,147
Fantastic.

563
00:33:36,147 –> 00:33:38,549
And you don’t have to be a technical guru,
right,

564
00:33:38,549 –> 00:33:41,386
to read your cyber insurance
or understand it or ask the question. Right.

565
00:33:41,386 –> 00:33:43,454
If you don’t know, ask the question.

566
00:33:43,454 –> 00:33:44,155
Yeah.

567
00:33:44,155 –> 00:33:48,192
Also, one of the other big things is it
shouldn’t live in a silo in your business. Yes.

568
00:33:48,192 –> 00:33:51,729
It actually should be a business
wide knowledge piece.

569
00:33:51,729 –> 00:33:55,133
You know, the entire team is aware
that we do have cyber insurance.

570
00:33:55,133 –> 00:33:59,871
And if somebody comes across something
on a Sunday afternoon and they feel it’s

571
00:33:59,871 –> 00:34:04,475
a risk, put your hand up and raise
the flag to the insurer if needed.

572
00:34:04,475 –> 00:34:07,378
Bringing your insurer into the problem
isn’t a negative.

573
00:34:07,378 –> 00:34:09,380
A lot of people used to be fearful about,

574
00:34:09,380 –> 00:34:13,084
oh, if I tell my insurer that premiums
are going to rise, that’s for cyber insurance.

575
00:34:13,084 –> 00:34:14,218
It’s almost the opposite.

576
00:34:14,218 –> 00:34:16,387
Bringing your insurer in early

577
00:34:16,387 –> 00:34:20,792
allows them to triage and help you and hopefully
confirm it’s a false positive or something.

578
00:34:20,825 –> 00:34:23,861
And then they say that is actually good cyber
hygiene.

579
00:34:23,861 –> 00:34:24,829
Yeah, absolutely.

580
00:34:24,829 –> 00:34:28,533
And your cyber insurance can sit through
your MSP, but it has to be held on your own.

581
00:34:28,533 –> 00:34:32,203
As I said, it has to be in your name.
But in this paper out there that’s sorry.

582
00:34:32,203 –> 00:34:34,639
That’s, that’s
that’s a point. Just, to hone in on.

583
00:34:34,639 –> 00:34:38,976
The MSP does not traditionally provide
cyber insurance for their clients.

584
00:34:38,976 –> 00:34:44,115
That’s, everyone needs to hold their own cyber
insurance because it’s a first party cover.

585
00:34:44,115 –> 00:34:47,819
So it’s there to protect the person
whose name is on the policy.

586
00:34:47,819 –> 00:34:51,756
Thank you, thank you. That is a correction
that is absolutely necessary.

587
00:34:51,756 –> 00:34:55,226
Make sure people understand the right thing.
Thank you. Tim.

588
00:34:55,226 –> 00:34:59,230
One last question is a bit more personal.
How did you end up in cyber insurance?

589
00:34:59,230 –> 00:35:03,167
So I’m a, I’m a, a recovering builder.

590
00:35:03,167 –> 00:35:04,202
All right.

591
00:35:04,202 –> 00:35:06,070
I had a construction company
for a number of years.

592
00:35:06,070 –> 00:35:08,973
So, we did a lot with risk management.

593
00:35:08,973 –> 00:35:14,745
And I worked in, a couple of companies
that, one in particular that did lights, lasers

594
00:35:14,745 –> 00:35:17,448
and fountains in in Dubai,
Singapore and Hong Kong.

595
00:35:17,448 –> 00:35:22,987
And I love the connected nature of technology,
and also really cool toys

596
00:35:22,987 –> 00:35:25,356
that could be controlled with technology.

597
00:35:25,356 –> 00:35:30,061
And with that we managed, you know,
a lot of personal risk, a lot of digital risk.

598
00:35:30,294 –> 00:35:35,500
And then, my wife said I was travelling
too much, and, I discovered the,

599
00:35:35,500 –> 00:35:36,801
the wonderful world of insurance.

600
00:35:36,801 –> 00:35:41,239
And it was one of the things when I had my own
businesses was nobody ever explained to me

601
00:35:41,372 –> 00:35:42,640
how to use insurance.

602
00:35:42,640 –> 00:35:47,245
I was always told I needed it,
but my broker at the time really did not like

603
00:35:47,478 –> 00:35:48,813
what it was, therefore,

604
00:35:48,813 –> 00:35:51,015
and I actually reflect
now on a number of occasions

605
00:35:51,015 –> 00:35:54,752
where I could have had insurance claims
or used my policies more proactively.

606
00:35:54,752 –> 00:35:56,654
Yeah,
and that’s a lot of what we do with business

607
00:35:56,654 –> 00:35:59,123
owners is really help them understand policies

608
00:35:59,123 –> 00:36:03,828
and then use it as a lever within their business
to improve maturity and profitability.

609
00:36:04,295 –> 00:36:06,497
Fantastic. Sounds sounds great.

610
00:36:06,497 –> 00:36:09,167
Lights, lasers and fountains.

611
00:36:09,167 –> 00:36:11,269
Yeah. The name of our next conversation.

612
00:36:11,269 –> 00:36:14,338
So we’ll talk about that as well. What is it?

613
00:36:14,338 –> 00:36:16,607
Thank you so much for your time.
It’s been absolutely.

614
00:36:16,607 –> 00:36:17,175
Like. You.

615
00:36:17,175 –> 00:36:18,376
I’ve learnt a lot as well.

616
00:36:18,376 –> 00:36:22,547
And safe to say that if anybody has any
questions, they can reach out to you directly.

617
00:36:22,547 –> 00:36:23,581
Absolutely. Yeah.

618
00:36:23,581 –> 00:36:26,551
You’ll find us on, LinkedIn, or the website.

619
00:36:26,551 –> 00:36:30,388
But yeah, we’re always happy to have
a conversation or help where we can burden.

620
00:36:30,388 –> 00:36:33,024
Thank you so much, Tim.
Thanks, Marco. Have a lovely day.

Reach out!

If anything in this post interests you, or you'd like to have a chat with someone about your technology challenges, we would love to hear from you!