Learning Without Scars

Shielding Your Business from Cyber Catastrophes: Insights on Cybersecurity and Insurance

Ron Slee & Kevin Landers & Joe Brunsman Season 4 Episode 11

Can your business survive a catastrophic cyber incident? Learn how to shield your company from devastating financial losses with insights from our guests, Kevin Landers of Rocketwise and Joseph Brunsman, a cyber insurance expert. We start by discussing the urgent need for annual technology audits in dealerships to mitigate risks and comply with FTC safeguards. Kevin highlights the importance of conducting thorough risk assessments and engaging vendors with self-assessment questionnaires. Meanwhile, Joseph sheds light on the critical role of cyber liability insurance in protecting your business from financial fallout due to cyber threats.

Uncover the complexities of cyber insurance and the personal liability risks for business leaders in the wake of a cyber catastrophe. We'll explore the limitations of cyber insurance, such as waiting periods and sublimited coverage, and the intricate process of filing claims. Learn about the heightened scrutiny from insurance companies on third-party risk management and vendor security, as well as the legal and financial responsibilities of data owners versus data holders. Discover the rising trend of class action data breach claims and what it means for businesses that fail to manage third-party risks effectively.

Finally, we tackle the evolving landscape of cybersecurity and insurance. Understand the distinctions between data holders and data owners and the impact on educational institutions and compliance with data laws. We share personal anecdotes of hacking incidents and discuss the potential for increased security measures mandated by insurance companies and government bodies. Learn practical advice on enhancing your security posture and the implications of rising premiums and tightening underwriting standards. Join us for an hour of expert insights and practical tips to keep your business secure and resilient.

Visit us at LearningWithoutScars.org for more training solutions for Equipment Dealerships - Construction, Mining, Agriculture, Cranes, Trucks and Trailers.

We provide comprehensive online learning programs for employees starting with an individualized skills assessment to a personalized employee development program designed for their skill level.

Speaker 1:

Aloha and welcome to another Candid Conversation. Today we're joined by two rather timely guests: Kevin Landers from Rocketwise, who many of you have already heard and read, but what is interesting to me is we are being joined by a particularly talented young man by the name of Joseph Brunsman, who's in the insurance business. And the subject that I would like to have this conversation cover relates to the hack that we saw on the industry last week on the ADP dealers, some 15,000 of them in North America. And the reason I want to start this conversation is I don't know that very many people out there have a good understanding of the implications of being hacked and what it can and will do to your business. So, with that as a starting point, let me ask each of these young men to introduce themselves and we can get started. How about you start?

Speaker 2:

This one, Kevin, seeing as how they know you. Kevin Landers, Rocketwise, as you mentioned already. Our focus primarily is IT and cybersecurity. At Rocketwise, we focus solely on the equipment dealership space. So this event over the last week or so has definitely been something that we've had folks dealing with and learning about and trying to educate users and dealers on. So that's us, in a nutshell. Over to you, Joseph. Okay.

Speaker 1:

Joseph.

Speaker 3:

Hey, I'm Joe Brunsman. Ostensibly I'm just an insurance guy, but I love cyber insurance. I've written the best-selling book in the nation on the topic of cyber insurance and cyber law. Former IT guy, got my degree in robotics, went on to Cary School of Law with a specialty in cybersecurity law, and now I do a ton of cyber insurance and I love talking about cyber insurance, despite the fact that my wife thinks I'm a giant dork for loving such a niche industry. But I think it's super cool. I'm excited to talk about stuff that 10 years ago I couldn't pay people to listen to me talk about, and now it's the coolest thing going on. So I'm just happy to be here.

Speaker 1:

Wonderful. So let's get started. Kevin, you last wrote a blog for us that we published. Actually, from a timing perspective, it was on the Tuesday night of the week in which ADP was hacked, and we ran concurrent to that one on the insurance industry, on the on-highway trucking world, relative to cybersecurity. And in that blog, Kevin, you talked about having what you and I called "inspect what you expect", and you went forward and talked about what dealers need to be looking at. From the perspective of what happened last week, I believe every dealer should have a once-a-year review audit of their, quote, technology from all aspects of risk. And let's start there.

Speaker 2:

Sure, to your point, alongside that blog article, you and I did an initial podcast, our first together, right at that same time, and one of the things that you and I talked about was, hey, what are these dealerships going to do to mitigate risk if their ERP or their dealer management system is breached? And we actually talked about one example, a dealer back from like 2019 that had a data breach and that the FTC had a fun conversation with. So, yeah, I mean, it's kind of, I don't know, it's a little eerie that we've had that conversation, we start talking about inspecting what you expect, and then all this in pretty much the same week. So, yeah, I mean, you know, to your point. Let me pause. What was your original question? You need to edit that part out.

Speaker 1:

I'm thinking every dealer needs to have an audit of technology, like they have an audit of financial statements that they put out for the government for taxation. And it's more than that. Yeah, well, you know, I suspect you have a product that's a standard product, where you go out and offer inspections, audits of differing levels. Is that true?

Speaker 2:

Yeah, that is correct, and we do. And, you know, one of the things that we talked about, going back to the podcast when we were chatting last, one of the things we talked about was the fact that, you know, most dealers seem to be underestimating things such as FCC safeguards and their responsibilities in light of that, even their responsibilities in regards to cyber liability insurance or, even worse, their need for cyber liability insurance. We've seen, in helping our dealers even just begin the conversation of getting the cyber liability insurance taken care of, because it's usually the more immediate, you know, the thing that they see the most need in, because it directly impacts them not losing money, right, in their eyes. But in doing that, we help them to realize that most of these carriers are expecting you're doing risk assessments as well, you know, not just the FTC, expecting that happening once a year. And so, you know, yeah, it's something that you need to have going on. Now, that being said, you know, we're having this conversation in light of the CDK event, and you know that happened with a vendor, within that vendor's environment, as far as we know to date, and so it's a little hard to, you know, run risk assessments on those vendors, to some degree. To some degree, you know.

Speaker 2:

One of the things that we talked about last was self-assessment questionnaires and asking your vendors the tough questions that your liability insurance providers are asking you, similar or even harder questions, so that you can document the risk that you are aware of, or how you're mitigating those areas of risk that you've identified, et cetera. But, that being said, you know, the idea of having risk assessments: yes, every dealer, every business for that matter, should be doing risk assessments. The idea of doing them annually, you know, I guess I kind of raise an eyebrow at that, just because, you know, on average, by the time that, you know, a threat actor, a malicious actor, whatever you want to label them, has been detected in your environment, I think the average right now is like 290 days that they've been in your environment by the time you detect them. So the idea that you're going to wait 365 days and let them camp out and, you know, hang out with your team for 290 days is a little bit scary.

Speaker 1:

Part of this whole series of discussions, Kevin, gets us to the place, and it isn't going to happen in one or two or three, but gets us to the place of what they need to do on a daily, weekly, monthly, quarterly basis. But you open the door, and with Joe's pedigree, law, robotics, technology, I don't think anybody out there listening in the capital goods industries that buys and sells product understands how much at risk they are, and not just for their business. What we haven't talked about is the customer. Out there it's a crane; it's putting up a 40-story skyscraper. The crane just had a wire cable break, needs a replacement, calls the dealer. The dealer doesn't know how the hell to find it. So the customer's at risk as well. And that extension is much more exposure. So here comes insurance, and, you know, I'm a part of Lloyd's of London, peripherally, Aon, and the history of Lloyd's and how they got started was information, communication, with people with binoculars all around the world watching wooden steam...

Speaker 1:

You know, sailboats carrying material around. So their advantage was early information. I think everything in the world relates to time and space, and Joe has... Now I'm going to ask him to start, but I bet you the exposures and the details that he's going to bring us make what you and I do disappear in significance, Kevin. Am I right, Joe?

Speaker 3:

I hope I can live up to that. I will do my best to shock and amaze you with the knowledge I have.

Speaker 1:

I think that... well, who are all the players that go into, say, I have an insurance policy that protects my business from a cyber attack, and I just got hacked, and my business has been out of service for five working days, and I call my insurance agent up and say, okay, I got a policy here that allows me to get reimbursed for business interruption. What do you do to verify the claim? Who gets involved, and does it change by order of magnitude?

Speaker 3:

It does. It does. So, before I answer that question, let me just reinforce what you guys were talking about earlier. So we go all the way back to 2012. That was the FTC ruling in the matter of Franklin's Budget Car Sales, where it said, hey, dealerships are holding large troves of PII, you are subject to the FTC Safeguards Rule. A new FTC Safeguards Rule just came out, was it earlier this year, and much more stringent than the last one.

Speaker 3:

So it's like, all right, well, just because it wasn't your fault doesn't mean it's not your problem, car dealerships. And then, on top of that, in the matter of GMR Transcription Services, that was 2014, where the FTC said, hey, you are responsible for the security of your vendors, right, so third-party risk management. You know, frankly, like, hey, if you're a car dealership, right, equipment dealer, et cetera, it's like you're really good at that thing. You are not, you know, a third-party risk management assessor. It's just not what you do. Just like, you know, I can mow my lawn, I just hate doing it, so I'm trying to hire somebody else to do it.

Speaker 3:

So it's like, hey, dealerships, start leaning more heavily upon the subject matter experts, because the risk is there. Now, as far as the business interruption reimbursement, I tell, and this may sound weird because I'm the insurance guy, but I tell all of my cyber insurance clients, hey, a good year for you is when I talk to you once and I take your money. Right, that is victory. A bad year for you is we're talking twice, because you're about to have a really bad month and you're having a really bad day currently. And so I think these dealerships would do very well by themselves to start taking a much harder look at cybersecurity, because now, hopefully, their eyes have been opened.

Speaker 3:

It's like, hey, this can materially impact the revenue of our organization. Right, it, so to speak, is not this black hole that we just chuck money into. It is a necessary business expense, just like we pay the power bill to keep the lights on. We have to do this, and those rules are only going to get more and more stringent, and these dealerships need to know, the leadership of these dealerships, if they go back to the Drizzly case, which was late last year, the FTC is now holding ownership personally liable for data security.

Speaker 1:

So let me reinforce that, or emphasize that: the Federal Trade Commission, the FTC, is holding the owners of a business, the executive of a business, personally responsible and thus liable for any penalties. Is that a fair statement?

Speaker 3:

Absolutely. They're coming. In the case of Drizzly, they put a 10-year consent order on the CEO because of a cyber issue, and with that 10-year consent order, now, I mean, the data security requirements go through the roof. The cost you're going to have to expend is astronomical to get these third-party assessors. They're going to know the federal government's going to be poking around critiquing everything they do, so they're going to be paying people on the back end that you don't even know exist to look over their stuff before it comes to you, and it's an absolute nightmare for a business to go through. And it follows him, he or she. Like, if they go to another company, all that follows them.

Speaker 2:

So you sell your nice company, Drizzly, and want to be on the board somewhere. What board wants to take that risk?

Speaker 1:

Yeah, so let me interrupt and put a pause out there just for a quick second. Yeah, if I was to poll a hundred people that own dealerships of whatever brand, how many do you think are aware of that?

Speaker 3:

Zero, unless they watch my YouTube video.

Speaker 1:

Yeah, well, we'll take that too. Joe, just as an aside, Joe's going to start writing blogs for us. I just made it public, so now you've got an obligation, buddy. Ah, you got me. So, you know, to Kevin's point, this follows you as a statement on your skills as a leader of a business. Like, if you lose money as a leader for two or three years, you're going to have a hard time doing something outside of that company when you eventually get fired. Okay, so let's come backwards now, Joe, to: we have this catastrophic event, the owners are held personally liable. How can they be protected, from an insurance perspective, a legal perspective?

Speaker 3:

Well, to a certain degree, you can't. You can't insure everything, and that's what my side of the equation in the insurance industry has just done an atrocious job of actually explaining to people: that cyber insurance does not solve all woes. Legally it can't. There's plenty of moral hazards, there's plenty of case law that reflects that, and so, you know, kind of a basic answer is, hey, within a cyber insurance policy, right, you most likely have a dependent business interruption reimbursement type clause where, hey, somebody you're relying upon, right, that's a vendor, you need that guy to generate revenue for your business, à la CDK Global, if they go down, your cyber insurance policy can step in and start reimbursing some of those losses. Now, yeah, they probably have that on their policy, but there's caveats to that, which is, one, there's going to be a waiting period. It could be hours, it could be days. I've seen up to two weeks. Whoa, that long.

Speaker 2:

Oh, yeah, yeah, oh my.

Speaker 3:

Uh-huh. And then you got to think, okay, well, on top of that there's kind of practical limitations. It's probably going to be sublimited coverage, because the insurance industry is saying, hey, we're insuring your company, not everybody else, so there's going to be a finite amount of money there. You're going to have to submit that claim. Now you have to work through that whole process. Every cyber policy is different, so I have to speak in kind of broad strokes here, but we don't actually know how long this is going to go on for. So the insurance guy answers, oh yeah, if these guys, much, you're going to get reimbursed. And then now you might have to evidence that particular loss. Now you got to think, okay, does your policy have a forensic accountant who's going to come in? Then we got to start saying, okay, in practical terms, the easiest way to evidence how much money you lost is, well, what did you make last year, right, during the same period of time? Now, maybe your business was crushing it last year. Maybe it was doing terrible last year, it's doing amazing this year, and so there's so many variables there to deal with that, you know.

Speaker 3:

The short synopsis is, hey, talk to your insurance guy, look at your cyber policy, right, determine if you want to file that claim or not, because there's obviously long-term repercussions to filing cyber claims. So you got to start kind of weighing the economic decision there in your own personal, I'll say, comfort with risk. And, hey, regardless, I'm going to say that every single cyber insurer that's insuring these dealerships, this is their wake-up call, and we've seen it in other industries already. They're going to start saying, are you doing third-party risk management? Are you actually holding your vendors to the same levels of security that you're obligated to hold? People have been answering that question, they have not been doing the due diligence, and so now it's like, well, next year they're going to be really asking questions. They might ask for proof. All right, show me your vendor list. Who are they doing? Do you have the SOC reports for these guys? And if you don't, you're toast.

Speaker 1:

That's perfect. So, two things. You mentioned a forensic accountant coming in and looking at it. How about law enforcement? Do they get involved as well?

Speaker 3:

Yeah. So that brings an interesting twist to this whole saga. Now, CDK Global is obviously a massive organization, right? At least a billion-dollar company. I think there are probably more all over the world. I know here in the US it's at least 15,000 dealerships that have been impacted. In the breach notification laws,

Speaker 3:

it will say, hey, if law enforcement gets involved, you can put a pause on all this breach notification, etc. Now, what dealerships, and just businesses at large, to be fair, don't understand is that, yeah, maybe CDK Global just entirely screwed up and they did something completely boneheaded and it's entirely their fault that all your clients' information just got stolen. Well, look in the MSA, look at every single state and territory breach notification law in the United States. It's going to say CDK is the data holder, you, dealership, are the data owner. So guess what, you're paying. If it comes down to it, you're going to be paying for attorney, forensics, breach notification, credit monitoring, and on top of that, guess what, there are, as of last year, and it's only ramped up, latest numbers from Dwayne Morris, there are 45 class action data breach claims filed every month in the United States.

Speaker 3:

So let's imagine you're a dealership. Maybe you weren't super tight on that third-party risk management, right, maybe you're not even to blame, but you have some advantageous plaintiff's attorney out there. You have tens of thousands of clients who were sent their breach notification letters. Bam, now you're facing class action claims, potentially in multiple jurisdictions, and you're going to want your cyber policy to deal with that. But to make it even more complicated, and hopefully everybody's following me so far, tell me if you're not, but because we don't really know what's going on, right, we heard it's a ransom event, at least according to the latest Coveware report, 70-some-odd percent of ransomware events also include data exfiltration. So this could be... you could have second-order, third-order ransoms coming to us.

Speaker 2:

Yeah. And they're saying, well, the group that supposedly are the ones that carried this out, they're known for second-time... oh man.

Speaker 1:

We're known for second time.

Speaker 2:

Oh man. Worst of both, Joe, basically not only ransoming your data but, like you said, exfiltrating it and getting it a second time.

Speaker 1:

There's so many interesting levels to this, and one of the things I'd like everybody to think about is the difference between a data holder and a data owner, because that's significant. For instance, at Learning Without Scars, we have student information, student data. There's a law in Canada that requires anybody who has student information to have the server for the computer system on which they hold this data be in Canada. Now, that's an interesting... So I deal with the committee that controls, or is doing research and making recommendations to the federal government up there. I know two of the guys personally, and I have for a long time, and I say, okay, tell me where my server is when it's in the cloud. And they come back and say, well, geez, we don't know. And I said, of course, that law is stupid. However, I've been able to find a learning management software product that allows me to have control of the cloud for our business in Canada, which means then it works all around the world.

Speaker 1:

Difference between a data holder and a data owner: in this case I own both, but the school owns the student data personally. So, you know, who bears responsibility gets a little tricky. The other thing that both of you have mentioned is a review of every supplier that deals with every person who's involved in buying and selling, and most of those vendors, with respect to them, have their head in the clouds. In this one as well, I don't think that people have a true understanding of what the hell happened, and here's evidence of that fact.

Speaker 1:

There was an editorial written, two pages' worth, in the last five days responding to this outage, in essence just waving it away. It's a blip on the radar, doesn't matter. And one of my clients this morning, when I got up at four o'clock, I see a text from him, because I sent this article around to a bunch of dealer principals, owners, and he said, this guy is nuts. He said, how much business are we going to see drop in the month of June, in the gross domestic product in this country, in the tax collection at the state level in this country? You know, the order of magnitude of this stuff is beyond people's expectations. So I take you to the next place. Should I have on my financial statement a reserve for data interruption, like I have a reserve for theft, like I have a reserve for nonpayment of bills? Should we not be talking at that level of security and seriousness, and maybe 1% of your sales needs to be set aside against your P&L?

Speaker 3:

I think it's a good idea, simply because there are so many variables at play and, frankly, I nerd out on this stuff, for a decade, all day, every day, and I read all the reports and I get really in the weeds, and there's just so much that we don't know, and this environment is evolving so fast that, frankly, like, no one attorney, no, really, even a team of attorneys, can actually say, hey, what's really going to happen here, what's your exposure going to be. And so, you know, having a cash reserve I think is a good idea for any business, because, hey, sometimes it snows, right, and you need to bust out the emergency food because you can't get to the grocery store. And, you know, you were talking about the magnitude of this issue. What dealers don't yet know, because it's not their world, is the insurance industry is really looking up. They're looking at this in a real difficult way, because there's only so many cyber insurers that really insure dealerships, actually. So now you have this giant potential aggregation of loss.

Speaker 3:

So what are insurance companies going to do? They're going to go, okay, what are the terms and conditions of our policy here? Because, hey, you're held, as a customer of the insurance company, to the clear and conspicuous terms of that policy, even if you didn't read it, you didn't understand it, and your insurance guy never told you about it. So within most of these insurance policies, they're going to say, hey, if you have something which could potentially become a claim, à la CDK, you have to report that before you renew your insurance. Now, your insurance renewal is an arbitrary day of the year, and law enforcement's definitely involved, intelligence community's involved. We're probably not going to know for quite some time what happened.

Speaker 3:

Hey, if that rolls through your renewal period, you renew your cyber insurance, you're like, ah, we don't know yet, whatever, no one said that there's been a breach yet. And then CDK Global comes out and they say, oh, hey, by the way, all this information got stolen, or there's evidence that's on the dark web, et cetera. Obviously, insurance companies are going to go, what's the easiest way to save billions of dollars? They're going to say, well, let's take a real hard look at that notification provision. And most business owners just don't know that that's a thing. They're thinking, oh, if I have a cyber claim, I have to report it. And it's like, no, there's something called a written notice of circumstance in most of these policies, and just given the magnitude of this issue, it's like, hell yeah, the insurance industry is going to go, well, do we want

Speaker 3:

to pay out billions of dollars? Or do we want to try and deny a claim because the case is on our side? Yeah. So to get back to your original point there, Ron, it's like, yeah, you probably should have some money set aside, and you don't know, hey, what's the probability that the FTC is going to come knocking? What's the probability that, say, your state attorney general is going to say, well, did you do third-party risk management? Were you adhering to our reasonable cybersecurity safeguards? What are the odds that a class action claim is going to rise against you? And business owners don't know.

Speaker 3:

The breach notification law that applies depends on where your clients are residents of. So maybe, right, I bought my truck from a dealership in Pennsylvania. I'm a Maryland resident, so if my information got stolen, they have to adhere to Maryland breach notification law, right? Maybe they had a guy come from Massachusetts. Now they're subject to 201 CMR 17. That's 18 different administrative, technical and physical safeguards that they have to evidence. And guess what the AG is going to ask for? Hey, where's your written information security plan? What are you doing with third-party risk management? And I would wager a lot of these dealerships simply don't know that information. They don't have those policies in place, much less are they enforced, and they're about to get a real big wake-up call that this could get very, very bad, very, very expensive, in a whole bunch of ways that they probably don't even want to know about.

Speaker 1:

Well, let me go back... Joe, go ahead.

Speaker 2:

Well, I've actually been dying to ask you, Joe. Yeah, so the FTC could... There's a couple of ways this thing can play out, right, just from the FTC Safeguards side of the equation, right? To your point, CDK is the data holder, the dealerships are the data owner. You know, in tossing it through my head, I came up with three scenarios. One was they go after CDK and they leave the dealers alone. They go after the dealers, they leave CDK alone. They go after both. And, or...

Speaker 2:

I guess there's a fourth option, and that is, you know, does the federal government just go, you know what, the June auto sales are going to be drastically affected by this? CDK says we're probably not going to get you back up anytime before the end of the month, so this may carry on into July. So, you know, July sales could be down. What is, you know, I guess the thought is, does the federal government just give a pass? Does the FTC just go, you know what, this is so massive that we're just going to, you know, not chase it? Is that an option? And I guess, from my standpoint, you know, on one hand, I'm like, that would be a great reprieve, but on the other hand it'd be like a huge disservice because, as we've all been saying, the dealers just aren't... This is an area where most of them are oblivious and don't think that they're a target.

Speaker 1:

Yeah, no. So, to your point, back in the 50s and 60s, when, quote, data processing, huge monolithic batch processing machines, were doing banking... I'm kind of like Joe, I'm a maniac as far as details and reading and keeping up with what's going on. The people that were committing hacks on banks then, that I dealt with running computer centers, all had prison records. They'd been to jail, they'd been caught, they'd been sent away. But what I found that was more intriguing, which is exactly what you're just saying, Kevin, the bank didn't want to let the public know that they'd been hacked, that they lost millions of dollars, because that made a statement to their clientele and what that was going to do to their business going forward. So, you know, the CDK or the dealership, or both, forget that. It's every single dealer management system supplier on the planet. It just happened that CDK went public because it was so large, but I can take you to 10 dealers right now that have been hacked in the last three years. That digit penalties were found unidentified and they didn't get any reimbursement. This is huge, this damn thing, and I don't think anybody understands it. I'm hoping you two guys can be the start of enlightening... no, I'm serious as hell... start to enlighten the people that, hey, wait a second, boys and girls, this is something you've got to pay attention to.

Speaker 1:

Two last points. One was, a lot of these hacking... These are very smart people, and there is a lot of money that they're being able to get, so they're going to continue to hack until we find a way to stop them. This is either hacking or phishing or whatever. You've all heard about social security records, national healthcare records, all of this stuff that's been hacked. So the stands, the companies, whose countries, whose names then withstand, they have a whole bunch of people that are working and they're trying to catch us every single day. The second part of the question that bugs me: I've personally been hacked, our bank accounts, a couple of times, once because of a trip in London, England, that the hotel that we stayed in, their network wasn't particularly good.

Speaker 1:

Another one where the modem that connected to a network, they just bypassed the whole damn thing and went right to the network, and there was nothing as a protection inside the modem. So the hacker was coming in via the modem, just like they were another store. I mean, good Lord. And Kevin, like you said, 290 days before people recognize it. Lord love me. What happened in the 289 days before this? This is dancing. You got to know you really, really well.

Speaker 1:

Yeah, this is serious as hell and I don't think people are paying attention. So, Joseph, continue being a nerd, my man, not only technology-wise, but legally. That's a nice combination.

Speaker 3:

Drives my wife nuts.

Speaker 1:

That's why she married you.

Speaker 3:

That's right. That's right, I'm like I got you.

Speaker 1:

You're stuck now.

Speaker 3:

To answer Kevin's question about, you know, is the FTC going to take a look at this? Right now, FTC Chairwoman Khan has just been losing hand over fist and it hasn't stopped her yet, and so, yeah, I mean, this is a circumstance where there's so many people impacted and it has such a massive potential economic detriment to our country and really to many countries around the world that I would be shocked if they don't. I mean, it would just... I'd be dumbfounded if the FTC did not go after, start looking into, CDK Global and what's been going on there.

Speaker 1:

What we're going to see is a whole hell of a lot more regulations come out, and rightfully so, because without that, people won't know what the hell to do.

Speaker 3:

Yeah, and you know there is actually the component of the average consumer has zero control over their information once it goes into these dealership systems. And so I'm not particularly a big fan of large government, but it's like, okay, this seems to me to be a very rational reason to have the government come in to say we have to protect the end consumer. And if that means we're putting the screws to a billion-dollar corporation, Chairwoman Khan has had zero qualms about doing that. Now will the FTC go after dealerships individually? Probably unlikely that they'll do that, but that's probably more the territory of, you could have various attorneys general, obviously the plaintiff's bar, via class action claims. Once again, I would be dumbfounded if it turns out there's actually a data breach here. I'd be shocked if there's not, probably, given the scope of this, a class action claim launched in every single state, actually probably multiple class action claims. And then you start thinking about, okay, how's this going to impact the insurance side? So what I often tell people is, you know, yes, I'm the insurance guy, but before I ever did insurance I was an IT guy. And it's like you're going to increase your security the easy way or the hard way, right? You got two choices here. Now the easy way is you go, all right, this isn't going to get any simpler. It's not going to get any easier. How do you eat an elephant? One bite at a time. So we might as well just jump in, get this thing going, lock it down the best we can. So that way, if we do have regulators, if we do have attorneys coming after us, we can evidence we did the best we could with what we had. We just happened to get bit.

Speaker 3:

The hard way is what everybody is about to experience, which is insurance companies mandating things, governments starting to mandate additional controls, and you'll see in every single, every single breach notification letter. It'll always say at the bottom like, hey, magically we have found more money to increase our security and we're ramping it up, et cetera, et cetera. Right, every single time, you're going to see that. So anybody listening to this, hey, just go look up publicly available breach notification letters. There's, I think, 12 states off the top of my head where you can find this. Just start poking through and they're all going to say that.

Speaker 3:

So it's, hey, don't wait until like two weeks before you get your renewal to suddenly figure out that your insurance company is saying, hey, now you need EDR on every single endpoint, and why don't you have a 24-7 SOC? Your, you know, third-party risk management reports, and we want to see this policy, et cetera. That's just not enough time to implement that stuff. So just do it the easy way, which is, I always tell all my clients, okay, I don't have insight into your network architecture. That's obviously not what I do. I'm your insurance guy. I know some stuff based on the questionnaire. The easiest thing to do if you're a dealership is, you're not an IT guy. Go to your MSP, go to your IT folks and say, give me a wishlist to increase our security, rank it, right, biggest bang to the buck, moving down, what could we do right now to increase our security? At what cost? And then just start chipping away at it. And one thing I would add, to get a little even dorkier here, is one of the benefits of being an insurance guy is that I get to play the idiot and nobody ever calls me out on it.

Speaker 3:

So I was at a conference and I was sitting in the back in the speaker's room and they had actually brought in a plaintiff's bar attorney who did class action claims following data breaches. So he's like, what are you doing here? And I said, oh, I'm just, I'm the insurance guy, just here to talk about cyber insurance. And then I proceeded to pick his brain for the next half hour, and one of the things that he said that always stuck with me is, I was like, hey, super, very self-important attorney guy, what's the one thing you see, right, when you're going through discovery and you subpoena stuff and you're like, I got him dead to rights, I'm buying a new boat? He's like, ah, it's simple, he goes. Every single time, he goes.

Speaker 3:

We start subpoenaing emails about data security between, say, like management and IT, right, and IT, every time, right, there's an email where it's, hey, we need this thing, we have this giant vulnerability, this is really bad, right. And then management goes, ah, we don't have the money for it. He goes, dead to rights, got him. He's like, daddy's buying a new boat. So I was like, all right, what's the reverse of that? Or the obverse of that? What would you hate to see? He goes, oh, it's super easy. He goes.

Speaker 3:

Plan of action and milestones, POA&M, he goes. No business has unlimited funding, he goes. But what would really kill us is if somebody came in front of the court and they said, yeah, we got hit and you're right, we didn't have that control that would have fixed it. But we had sat down with the CIO, CISO, you know, CFO, CEO, the board, and we had a plan and we said, all right, we don't have unlimited money but, given the funding constraints we have, given the prevalent risks that are, you know, present in the world, in the next four months we're going to implement this, right, and then in six months we have to reassess this, and then, a year from now, we're going to have funding for this, right, and he goes, juries.

Speaker 3:

Juries would love that. He goes, juries, he goes. You know, juries will side with you if you show them like you were trying to be responsible. He's like, but if you were intentionally irresponsible, daddy gets a new boat. And so I would just urge everybody, go to your IT folks, get that plan in place and start saying, okay, what do we need to do to start chipping away at this problem?

Speaker 1:

It'll save you. It's good stuff, okay. So let me, let me go into a different direction again and think just in terms of the insurance industry. I think almost everybody over the last 12 months has seen insurance premiums go up rather dramatically, and I'm pretty sure that most people haven't really thought about the function that the insurance industry provides to society at large, and that if we don't have insurance, we don't have money to do anything. The insurance industry is probably the largest financial collection agency on the planet. You got car insurance, you got health insurance, you got home insurance, you got liability insurance. You got all of these insurances that you pay a little bit every month. But that little bit every month in the United States probably covers 200 million people, 200 million adults, 150,000 million children all leave on the side. It might be smaller than that. So in the last 12 months almost everybody's seen, I think the average is, 32% increase in insurance premiums. Then go forward and look at events, special events, hurricanes, Katrina, earthquakes. All of a sudden the insurance industry changes the game. Long-term health insurance, they change the game because financially it doesn't work anymore, and if it doesn't work anymore, writ large, it affects society in general. The federal government is putting money out. The state governments are putting money out. Where the hell do you think they get the money? From the banks that are holding the cash for the insurance companies. So this is real.

Speaker 1:

And then, let me chapter B to that, is we all have car insurance. If you have a car, you have health insurance. Read the policy. Do you know what the qualifiers are for the liability, the 250 grand or 500 grand that you've got in coverage, if you have an accident or if you kill somebody? Look at the restrictions, find out what they are. It's a really important aspect of our lives that we've taken for granted forever. In school.

Speaker 1:

I'm an educator. I think everybody in high school should learn about insurance, what you need to do, the good, the bad and everything else about it. I'm a fan of everybody being able to be smart enough they can come to their own conclusions, or smart enough they know to whom they should talk and ask the question. Like Kevin just said, I believe the order of magnitude of this puppy is immense and we haven't got a clue at leadership in business. They want to sell a machine. They want to make some money. You know, they have no. So here it comes, boys. Like you said, Joe, this could be class action across the country, across the world, every car dealer, every truck dealer, every equipment dealer. Wow.

Speaker 3:

Well, and to make this, to add, I guess, one final wrinkle, let me quote from Understanding Insurance Law, 6th edition. That might add a little, I wouldn't call it clarity, a little, I don't know, spice to this whole conversation. "The default rule is that agents and brokers have no duty to advise their insureds about the adequacy or appropriateness of the insurance coverage they purchase or about optional coverage that might be available." Now let's segue that into the fact that, hey, you know what, the insurance industry is not super fun or not super excited about shelling out hundreds of millions, billions of dollars because of one event. And so there are plenty of business owners out there where they have to understand, hey, they never read their cyber insurance policy. Well, guess what? The guy that sold it to you, he probably didn't read it either, and even if he did, he may not understand what it actually says, because he kind of needs at least some modicum of IT knowledge to begin with. And so, hey, guess what? Cyber policies have, some of them, they have widespread event exclusions, right, to save the bottom line of the insurance company so that they don't go bankrupt. Now there's different thresholds in that widespread event exclusion, and so somebody listening to this has that on their policy and they probably don't even know it. And then they're going to have potentially critical vulnerability exclusions, right, they need to know what that is. They need to talk to their IT folks about that. Right, there could be zero-day exclusions.

Speaker 3:

There's all types of potential ways that cyber insurers could get out of coverage if they can get away with it, and so, you know, my point here is, hey, cyber insurance, it's a reserve parachute, right? It's when the full defense in depth for your business has been penetrated. It is not the go-to answer, right, it is not, oh, something happened, let's get cyber insurance. Cyber insurance is getting really tired of paying out on stuff that should have been patched. Right, it's a moral hazard for the insurance industry. They're doing everything they can to try and get away from paying out for that stuff, and so let me throw another wrinkle on that.

Speaker 1:

At the end of World War II, when the military came back in the United States, Congress decided that the insurance industry could provide special recognition of that group of clients, returning veterans, which allowed the insurance company then to start, instead of having 100% of the universe that they were insuring covering everything, they could have 10% of the population be specially insured at a different rate. So now we started putting out a whole bunch of things. And then medical insurance. Anybody who's had a partner who's had breast cancer will realize that their insurance premium went up dramatically because their wife or partner had all of a sudden fallen into a different pool. And, as a personal experience, we had our insurance rate doubled every six months because my wife was all of a sudden in the pool of breast cancer people. That's not true in all states, but it was in this particular case. We're from Canada, so my wife said to me, we can't afford this, I'm going back to Canada where we get coverage. This is serious. I thank you guys a lot.

Speaker 1:

I think we've opened a door here and I hope you guys don't mind if I open that door often with you, because we've got to educate people. We've got to get people better coverage, and it's ahead of time. For instance, the apartment building disaster in Florida cost a couple of billion dollars. We had a fire instance here in Honolulu that cost a couple of billion dollars. Who do you think paid for that? Every person in this damn country, because the premiums went up. Who's going to pay for the hack on CDK? Every single person. So if we can have, for Joe, a class and kind of people that have done specific things to mitigate, like Joe's indicating, and that Kevin can create products and assessments to allow you to prove the point, then we can have different insurance rates for different risk categories. For cybersecurity,

Speaker 1:

you look after things, it's rate a buck. You don't look after things, it's rate five bucks, whatever the hell it is. I suspect that's going to start happening. Oh, it already is. Can you get out on a limb with me on that one?

Speaker 3:

No, it's already happening. Where, you know, I'll say five, six years ago, I mean, cyber insurance was the wild west and I loved it and it was super fun because I could get anything I wanted at any amount with any term and condition that I could throw in there. The underwriters had no idea what they were doing. Insurance companies were just happy to get some money and everybody was hunky dory, and what we're seeing really in the last few years is like 40 years of policy evolution just squished into a couple years. And it's a really difficult area and, as Charlie Munger was recently quoted as saying, cyber insurance may be rat poison. There's a lot of insurance companies, they're writing this stuff because they think they have to, and it's an economic issue and it's a competitiveness issue, but they're not super excited about it, to be honest. And so if you actually look under the hood at a lot of these cyber insurers and you talk to the underwriters and you talk to the actuaries, there's a whole lot of question marks and they're getting a lot more serious about what they're willing to insure, what they're not willing to insure. And so, you know, companies, it's like, hey, maybe you've gotten away with your small organization and you have literally zero security and your, you know, cousin's uncle's nephew's best friend comes in every six Thursdays to, you know, make sure that Outlook is working right. Those days are over and you will not get cyber insurance and you're going to get hit. You're going to get crucified by the plaintiff's bar. Something's going to happen. I mean, hell, I had one client where they just happened to do a tax return for this one attorney for one year, five years ago. His information got breached. Class action claim right there, right.

Speaker 3:

So, you know, people think, oh, they're only going after the big guys. It's like, well, if they go after the big guys, it's going to impact all the small guys. But why rob Fort Knox and get shot in the face by a tank when you could go after 20 small credit unions, Bonnie and Clyde style, and get away with it for quite some time? And there's no... People often ask me, well, why doesn't law enforcement do something about this? And I'm like, think about it this way. If you're, let's say, you're a smart kid in some third world country somewhere, in a day you can make more money than all of your ancestors combined since the dawn of time.

Speaker 3:

And there's no extradition treaty. They're probably never going to find you. And, damn it, you want that Ferrari. Well, hey, there you go, right. That is, it's like terrorism. You have to be right every time. They only have to be right once, and so this problem is not going away. It's only going to get worse. You throw AI into the mix, it's going to get a million times harder. Um, so on that cheery... Nigerian prince emails are going to get so much better. Yeah.

Speaker 2:

Yeah, yeah.

Speaker 1:

So, you know, we wrote so many things. It's like skipping a rock over the ocean, and you mentioned Charlie Munger, one of my favorite business guys we're going to miss immensely. Rat poison is a great analogy. You're killing the rat but you haven't stopped the rats from breeding, and that's the point he's trying to get to on that. So at this point I'd like to close this one off. I think we've succeeded in introducing the subject and the seriousness of the subject and giving people some things to think about. Kevin, what do you think?

Speaker 2:

I think you're absolutely right. I mean, listen, I love Joe, I love just sitting here and learning from this guy. Every phone call we've had, I think, is going way beyond anything we thought it would be, and anyway, he's a wealth of knowledge. So I've just enjoyed it. And, yes, I think we're just starting to crack the surface. I mean, you know, you can't just rely on your IT and you can't just rely on your insurance carrier. Neither one of them is going to 100% bail you out, and it's like anything else. I mean, you just got to, you know, you got to have options, you got to layer things on top of one another and, unfortunately, this is the space. I mean, it's not just the pick of these dealers, right?

Speaker 2:

I mean, small business in general, everywhere, you know, dealership just has to be my expertise and your expertise, and, uh, you know, it's... They no longer are going to be allowed to put their heads in the sand or, to your point, put their heads in the clouds. Yeah, and, uh, hopefully, yeah, hopefully we can continue this conversation and, uh, hopefully wake up some folks and help them to figure out what they need to be inspecting and whatever everybody's expecting of them.

Speaker 1:

So, Joe, how have you enjoyed this last hour?

Speaker 3:

Oh, it's fun. I was nerding out on this stuff for like a decade and nobody cared, and I couldn't pay someone to listen to me talk about it. So I always think it's fun when I get to just nerd out on stuff that I think is super interesting. It, you know, it's like constantly changing, it's always evolving. Um, yeah, you know, I get to bring in, like, you know, like the legal side a little bit and the insurance side and some of the IT stuff, and I get to kind of mix and match all this stuff in my head, and, you know, I get to help people and I think it's awesome. Yeah.

Speaker 1:

Well, I thank you both for the time today, and to everybody out there listening, thank you for your involvement and I look forward to having you with us for the next Candid Conversation. Mahalo.
