Brian Culp from Morgan Insurance joins us to talk about the next steps to take in the event of a cyber attack against your business.
Here’s the transcript:
Ryan: I’d like to introduce our speaker today, Brian Culp with Morgan Insurance Group.
Ryan: And he’s going to share a presentation for us about why everyone needs to be aware of needing cyber insurance.
Brian: OK, can everyone see my screen share there?
Brian: OK, wonderful.
Brian: So the title of this is You Got Hacked, What Now?
Brian: And it’s you got hacked because the chances that you’re going to get hacked are 100%. At some point, you are going to get hacked. That is no longer if, but when.
Brian: There are a lot of examples right now. You’re out there, you see in the news where the pipeline earlier this year got hacked, and that caused gas prices to go up.
Brian: Not too long ago, there was a hack on a farm in Iowa and they’re talking about whether meat prices will go up.
Brian: You see all of these big companies and people think, you know what, it’s not going to happen to me because I’m not a big company, and that is just not the truth.
Brian: There we go, so there are a lot of ways that your computers get hacked at your business, and most of them have to do with your employees.
Brian: Employees are wonderful people. They are there to help you grow your business.
Brian: But there’s a good chance that they aren’t paying a lot of attention sometimes when they’re going through their email, or if they get fired, they might be wanting to do things to your computer.
Brian: So here is one example, when employees stole a donor’s credit card information from a nonprofit that resulted in a forensics investigation, a lawsuit and a fine.
Brian: The per record insured cost for that incident was $50,000, and you noticed those words, per record.
Brian: That isn’t the total loss was $50,000. That is per record.
Brian: That is one of the things that you have to be careful about when you look at your policy.
Brian: Now why my computer is not letting me move, there we go.
Brian: Another example, when the server and the hard drive maintained by a company acquired by an insured were stolen, sensitive data for nearly 45,000 individuals was compromised. The insured was provided $1,000,000 to cover notification, public relations, and other incident related services.
Ryan: And one of the.
Brian: Things I get from people when I tell them that they need to look at their payment card systems is ‘oh that’s covered by the payment part system, I don’t need to worry about my credit card numbers being stolen.’
Brian: One of the things you need to do is take a look at the contract that you have with your PCI.
Brian: Your PCI has written contract that you are responsible for cyber security, that you are responsible for making sure that their credit cards don’t get hacked.
Brian: Now if it’s stored on their server, that’s correct, anything flown from their server is going to be covered by their cyber insurance, but if the hack happens on the unit that’s sitting right next to your cash register.
Ryan: Or if it happens.
Brian: In between, there’s a good chance that you’re going to be responsible for that.
Brian: Uhm, one example, Strack and [Van] Til had about half of its 21 stores temporarily closed in November 2018, during one of the busiest grocery shopping periods of the year, because cashiers could not check customers out. The cyberattack encrypted its point of sale and phone systems, they were seeking a ransom to get them working again.
Brian: Now that’s a case where it was ransomware, which means that they couldn’t do anything, and there’s a couple of different pieces of insurance that you have to have in order for that to be covered, but cyber is one of them. Business income is the other.
Brian: Ransomware and cyber extortion. This is the biggest one that you see right now, is the one that you hear about the most.
Brian: This one I said July was actually July 2019, about $132,000 worth of Bitcoin was paid by LaPorte County to ransomware hackers to regain access to part of its computer systems.
Brian: Originally, the ransom was 221,000, but a firm hired by the county was able to talk down the hackers. Insurance will cover $100,000 of the 132,000 dollars that was paid.
Brian: The people who talked those hackers down were hired by the insurance company.
Brian: Uhm, part of the coverage that they had was having someone come in and do forensics, having someone determine how many records had been stolen.
Brian: And then they negotiated with the hackers and then they went ahead and paid the hackers.
Brian: So there’s a lot of ways that data breaches occur.
Brian: One is a malicious Internet attacker, and these are the things you hear about, the brute force where someone will come in and they will just check, just click on your, they’ll just guess passwords until they finally get in, or they also have systems where they will just send packets, they will basically throw things against your firewall until they break through.
Brian: User error is probably one of the biggest ones, where you have people who just have bad passwords.
Brian: 1234, never use 1234. You will get it. You are asking to get hacked immediately.
Brian: A loss of theft or loss of the device. So if you lose your phone, there’s a good chance someone willing to hack into that and take all the information out of it. If you lose your laptop, same thing.
Brian: Disgruntled employee, that person that you fired that wasn’t happy about being fired. They can very easily hack back into your system and place malicious software into your system.
Brian: A third party mistake, someone who has access to your system because they are doing business with you gets hacked and then that hacker gains access to you through them, and network intrusion.
Brian: So there’s a couple of different coverages that come to mind. If you pick up your insurance policy and you look at it, you’re going to see, oh, cyber coverage. You can move on in a few days and you’re going to be fine.
Brian: The problem is there are two types with cyber insurance. First, the one that is most normally included is third party coverages.
Brian: Third party coverages go out and help make your customers whole.
Brian: So if one of your customers gets hacked because of something you did, this insurance policy, insurance from the third party, will go out and make sure that they are whole. What it doesn’t do is pay any of the fines or the costs that you have in order to stop the hack from happening.
Brian: You need first party coverages for that, so you need to make sure when you look at your policy that you have both pieces.
Brian: First party coverages can cover loss or damage to electronic data, loss of income or extra expenses, cyber extortion, notification costs. You’re going to have to let all of your customers know that you’re, your data was stolen, and damage to your reputation.
Brian: It’s not easy to overcome the thought that your, their data could get stolen again if you haven’t done the things that you need to do.
Brian: There are a lot of other coverages that you can have on the cyber policy – terrorism,
Brian: Some insurance insurers have developed cyber liability policies tailored to specific industries.
Brian: The tech industry has a lot of coverages that you’re probably not going to have at Urban Air.
Brian: One of the most important things you want to do is to know your policy.
Brian: Make sure that you have a trusted insurance advisor, so when he’s going to sit down with you and not just hand you the policy and walk away.
Brian: You want to make sure that you review, review that policy with you, that you understand all of the coverages and that you have everything that’s going to protect you.
Brian: One of the most important parts of any insurance policy, not just cyber, but cyber is a part of this as well, is that the insurance company has a, that an obligation to protect you legally.
Brian: So if you get hacked and then your customers sued you, they will go to court to help you defend yourself in court.
Brian: That’s true with professional liability.
Brian: That’s true with general liability.
Brian: They have the obligation to protect you in court.
Brian: You don’t have an insurance policy, well, you don’t have this specific type of insurance policy to cover you for the loss, you aren’t going to have that, and lawyers bills, let’s face it, they inflate them, and often we’re talking about 100, $150, $250 per hour if you have an inexpensive lawyer.
Brian: This presentation, I put it together in 2018 and I’ve kind of modified it as I went along.
Brian: Right now, as of 2019, and they have only increased the prices, that in 2018 the average cost of a cyber attack was $34,000.
Brian: In 2021, the average price is $200,000 per incident.
Brian: So it has more than quadrupled in cost.
Brian: If you do have these issues. And as I’ve said before, it isn’t just the big guys.
Brian: Small linear non profit falls victim to ransom cyber attack.
Brian: Little Red Door is a small Indiana company.
Brian: They help Cancer Support, cancer survivors and people who are suffering from cancer.
Brian: They got hacked.
Brian: Well, I guess this one.
Brian: See small business management consultancy in Carmel cofounder of Reveal Risk.
Brian: Talked about Hancock Regional Hospital in Greenfield back in 2018. Their system got hacked. Recently I was talking with someone about the Brownsburg Library, got hacked, the Kokomo Howard County Public Library was hacked and I don’t know if any of the rest of you got this notice.
Brian: But I got a notice in the mail not too long ago.
Brian: I don’t know if I’ll be able to show it to you, my computer camera, no no, it won’t do it, ’cause I got it on blur. The Indiana Department of
Ryan: Health was hacked.
Brian: So if you went and got tested for COVID or you went and got a vaccine, your information was included in a data breach.
Brian: And what can you do? Of course, you’re going to go out with the cyber policy to protect you against all of these things.
Brian: One of the issues though is you might not know all of the answers to the questions on these complicated applications. This application right here is probably one of the more complicated ones.
Brian: It’s 13 pages and it is meant specifically for tech providers for IT companies.
Brian: Ryan Grimes, with My IT Indy is someone that I partner with and anytime someone looks at this questionnaire and says ah I have no idea how to answer these questions.
Brian: I send them to Ryan and he goes over it with them, helps them answer it.
Brian: If they don’t have the protections that they need, he can help them with it. He can help them get it.
Brian: Uhm, this is the application for ransomware.
Brian: It’s a little.
Ryan: Little bit better.
Brian: But it is 3 pages and then also asks a lot of questions that you just might not know the answers to.
Brian: The price of cyber insurance has gone up dramatically in the last year. So many more companies have gotten hacked.
Brian: And it used to be you could buy a 5 or $10 million policy and it wasn’t terribly expensive. They’re not offering five and $10 million policies. This point, they are most likely only going to offer you something between one and 2,000,000 right now.
Brian: This is not the website I meant to pull up. Ah, here’s the one.
Brian: Getting a quote is actually relatively simple. I have a website where I can go and put in just a minimal information and they will give me a quote for what it would cost to cover your business for cyber insurance.
Brian: That may, you may or may not already have some. I’m happy to sit down with anybody who is unsure of what they do have and review their insurance policy, make sure that they do have what they need, and I’m happy to provide it, but I’m also happy to send that information with you so you can go back to the agent that you’re currently using.
Brian: My goal is to educate as many people as possible about this risk and help them get the coverage whether I provide it or not.
Brian: So with that, what questions can I answer?
Ryan: Yeah, Brian?
Ryan: What, let’s see,
Ryan: What are some of the more common like third party ways that a company can be hacked so it places where there might be like human error or something to do with the human element?
Brian: You know, most of the malware attacks occur through email. We’re getting these emails every day. I get probably two or three to actually make it through my spam filter. When I go into my junk mail box, there’s probably 100 more.
Brian: It’s the email that says hey, are you busy? Will you go buy these gift cards for me so that I can give them out? That’s when it happens a lot.
Brian: Uhm, Ryan Grimes has a customer who, and this happened before he was Ryan’s customer actually, him and so, there were several levels between sending out a check and the boss.
Brian: Someone hacked into secretary’s email and then was able to send the boss an email with an invoice.
Brian: They created an invoice and they sent it to the boss.
Brian: The boss came from [unknown].
Brian: He normally creates invoices.
Brian: He went ahead and set it up to pay. He sent it to the person who writes the checks.
Brian: The person wrote the check, they lost $50,000, and that was because of a hack on an employee.
Brian: One of the things that is happening now is that it’s really pretty scary is zero click, so most times you think that you have to click on a link, you have to follow a website, you have to do things.
Brian: Well, there was a vulnerability in Apple Software that was allowing zero click so someone could call your phone. If you answered it, they could hack into your new phone. Just by getting the text and opening the text, you didn’t have to click on anything.
Brian: Apple put out a fix two weeks ago and then they put out another fix last week.
Brian: So if you have not already gone in and updated your iPhones to the latest software, you need to do that because you are vulnerable to those zero clicks if you have not done so, and that is something that is increasing in frequency, is the zero click.
Brian: Uhm, I have up here a list of the different types of viruses and these are all malware, malware attacks.
Brian: These are the ones that are, you’re probably going to get if you do click on a link that you shouldn’t.
Ryan: Hey Brian, another question for you.
Ryan: What are some of the ways that are used to threat assess a company to get them cyber insurance?
Brian: I’m going to go back to the application here.
Brian: So an application like this is the biggest thing they’re going to go through, and they’re going to ask you questions about the type of firewalls you have.
Brian: They’re going to ask you about the training that you give to your employees, you’re going to ask how your data is stored, where it is stored, who protects it once it’s there and stored.
Brian: Uhm, they want to know about, this one is a private tech application, so this one is asking the tech provider what types of services they provide.
Brian: You’re going to want to know how many customers you have, and so they want to know just how much information is vulnerable if you do things that you shouldn’t.
Brian: Certainly they’re going to assess, there were other clients, 5 largest projects in the last year, then wonder who your clients are, who you’re doing business with.
Brian: Uhm, the number of employees is important because they want to know how many people might accidentally click on that link.
Brian: Well, one of the, there are a couple of ways that IT providers are going about making sure that you don’t get hacked, things they’re doing to help you protect your business, and you’re going to get questions from the insurance companies about whether you’re doing those things.
Brian: Multifactor authentication is one that I know we have all seen a lot more of recently.
Brian: Uhm, this is where you put in your password, but as soon as you put in your password they want you to put in a code that gets texted to your phone.
Brian: And this is relatively secure because someone else probably doesn’t have your phone, probably doesn’t have access to that.
Ryan: Air gapped backups.
Brian: Is something that you’re seeing a lot more up now as well, those backups instead of being just sitting right next to your computer, that hook into your computer. They’re just as vulnerable if someone hacks your computer because they can hack into the backup right there, so there’s an air gap. It is not connected to this system the way that hackers can get straight into it.
Brian: And then email filtering of course is something that they’ve been doing, that they are working to come up with better email filters, ways to potentially inoculate you from those things that come in.
Brian: I know that that’s a lot of information that I dropped in about 20 minutes, so.
Kim: It has been very good information by and I appreciate you speaking to us.
Kim: I think you’ve answered my questions my question oh.
Kim: I see Kristen.
Kim: I thought you.
Kim: I see Kristen behind me, uhm.
Kim: I was wondering if it, if it matters, uh, what size business it is, but it sounds like it doesn’t matter.
Kim: It could be small or huge and also something that was interesting is I’m not sure I knew about either one of those hacks that you were talking about, like the hospital and then the other one in Indianapolis.
Kim: People probably try to keep this under wraps. They probably don’t want this on the news. They probably don’t want, from an embarrassment, would you agree with that?
Brian: I do agree with that, and that is one of the big problems we’re having in fighting cyber crime, is that people aren’t reporting it.
Brian: Ransomware attacks happen all the time and the insurance company will go in and they’ll pay it, they will go and they’ll put the person back to whole.
Brian: There is legislation that is out there right now to require companies to report cyber crimes and attacks.
Brian: And I’m on the fence about that. I think it is something that would help us to fight cybercrime, but at the same time, having requirements to report these, it does put it out there where people could be embarrassed by things that happen, but it also creates another level of bureaucracy, something that we have to work to do.
Brian: Uhm, there are mid sized companies that this will create a whole new department for them and it could be very costly, so I’m interested to see how the federal government structures these requirements as they go about building that.
Kim: Right?
Kim: Well, thank you again, that’s very informative.
Kim: I appreciate that and I guess I see Kristin now, ’cause you weren’t on my phone? But that, your Fire Storm Restoration, your pickup truck was behind me, but you’re not in the pickup truck today.
Kim: I guess yeah, OK.
Kim: Wasn’t you.
Ryan: Does anyone have any other questions for Brian?
Ryan: All right, well, let’s give Brian a hand for his presentation today.
Ryan: Brian, if you would, please can you tell everyone how they could reach out to you if they’re interested in learning more or have any other questions they think of later?
Brian: Certainly, I, my email address is B. Culp at Morgan insurance Group.com, I’m saying it as I type it. Luckily, I didn’t type it wrong.
Brian: No, I did type it wrong. I can’t talk and type at the same time, but my cell phone number is 317-850-1336.