Cyber Insurance and Cybersecurity 101

Video Transcript

Good morning, good morning. Let's see here, let's get the participants coming. There we go, people starting to stream in here. All right, we are excited. I made that post on LinkedIn a week or so ago about "boring webinar alert," and I know insurance is not a topic that people love to talk about, it's like taxes, but it is super duper important, especially these days, especially with just how many attacks are happening and the ramifications of being hacked and how sophisticated these freaking bad guys are becoming. So, looking forward to digging in with this today. Let's go ahead and get going. So let's move to our next slide.

My name is Paul Van Metre. I am the co-founder of ProShop, and I am super excited today to have Rick Rosenberry with us from USI. Before you introduce yourself, Rick: I met Rick a few months ago at a couple of different events here in the Northwest and was just immediately struck by how knowledgeable Rick was, how excited he was to provide information and value to the manufacturers that were at these events, and just very giving. So I just thought Rick is the guy that I want to have talking to my audience about insurance. So Rick, please introduce yourself and let's learn more about you and your company.

Yeah, so Rick Rosenberry with USI Insurance. We're a national agency and brokerage. I specialize in working with manufacturers, specifically those in the defense and aerospace field, but I work with all types: metal products, food manufacturing. And cyber is one of the things that I've been focusing on for the last couple of years, and so I'm excited to share some of the insights that I've found.

Absolutely, absolutely. Awesome. Well, let's dig into this. First I would like to share our mission statement, and while I'm doing that, as I often do, assuming chat is turned on for everybody (yes it is), I would love to have you all put in where you are joining from. I know we have people joining from all over the place. So there we go, Heather kicked it off from Bend, Oregon, beautiful area. Portland, fantastic. Libby, Montana, fantastic. Great, thank you folks. We definitely have a community all over the world. So our mission statement here at ProShop is to deliver powerful manufacturing software by deeply understanding our clients' challenges in order to meaningfully improve their businesses and in turn their communities. And understanding challenges in today's environment includes keeping companies safe; that is definitely a challenge. So Rick, why don't you take it away and share some information with us.

Yeah, so to start off, these are the 10 essential controls that the insurance carriers are going to be looking for. The reason why these are the essential controls is because through past history these are the areas that have either caused a breach or significantly contributed to the increased size of a breach. I put some check marks next to the controls that ProShop actually helps provide: multifactor authentication, access control, backups. And then the green check mark is for insurance carriers, so one thing that they often provide is training.

All right, very good.

So, looking at a holistic solution. A lot of times what we see is, if they do have an insurance policy, it's sitting in the corner and it's not being used. But how do we take all the resources that you have access to and really look through an organization and find out the best way to buy cyber? Traditionally it'll start by evaluating where you're at, and then talking with management, talking with IT, your external service providers, and then the carriers will also provide a scan. This scan looks through all the external ports and everything that a bad actor would see. And so we look through these scans, and then we move on to: okay, do you have a policy? Are there things in your policy currently that the carrier is providing that you're not taking advantage of? Frequently we see that there's a lot of benefits that the manufacturer could be using. And then we go into broker resources, so vendor contract negotiation. Especially in the aerospace field, liability is passed around and there's a lot of "oh no, this person handles liability, this person handles it," so figuring out where the buck stops, and then using tools to figure out how much insurance do you actually need. And then we'll work with your in-house vendors. We have vendors that we also refer people to; ProShop is actually one of the vendors that I often refer, especially when someone is working in a field that's very restricted and there's a lot of controls. And the goal is to get you the best application, to get you the best terms and the best pricing.

So going back to this question about carrier and policy. Obviously every shop, every company carries general business insurance. Are you saying that sometimes there might be clauses in those that provide some kind of cyber insurance, or are they basically having to go out and always buy something that's completely standalone or an add-on to their normal business insurance?

So 50,000 in coverage is normally something we'll see as an add-on, and a lot of times the carriers include that just to show people that, hey, this is out there, if you want to look at coverages you can buy more. There's usually not a lot needed for that 50,000, but usually that coverage is not very substantial as far as what actually is covered, and 50,000 really only gets you so far if you were to have an incident. So generally, unless you're in a program like in healthcare, for manufacturing there's a separate policy that you're looking at for your cyber insurance.

Okay, okay.

Interesting. So, looking at what the price is actually made from. You have the classification, so what are you doing: manufacturing, and then it also can change depending on what you are manufacturing, if you have direct sales. The sales, your employee count, your security posture, and so what you can show the underwriters that you're doing, and we'll get into that later. And then records, which is something that actually is often misconstrued. Records, from a carrier, is any one person or any one business and all of the information you have on that person or business. So a medical record, Social Security number, driver's license, all of that for one person would just be one record.

Okay, interesting. So that's true in a manufacturer as well?

It's, okay.

And how does that relate to employee count?

So it's not, so you would look at your employees as well, but...

Okay, so in terms, records would be a client. So if you have 100 clients then you have 100 records?

It generally refers to clients. So if you're just business to business it's a lot easier, because you look at all of those clients that you have and you're not dealing with those clients' personal information of their employees, so it's just your client count.

Would it matter how many different part numbers you make, or is it really just the customers? Let's say you have 100 customers and you make 10 part numbers for each of them; that's a thousand part numbers. Does that matter, or is it just the 100 companies?

Nope. So the supplier or whoever you're working with, the prime, that's just one company no matter how much. So if you're doing all of your work through Boeing, you only have one client.

Oh, fascinating. Okay, I'm definitely learning something new here as well.

So, how to optimize your renewal. One of the things is get the application right, and that seems pretty straightforward, but looking at, like, records like we said, there's some things in the application that you may think this is the answer and it seems straightforward, but it's actually something else. So working with a broker to go through the application. One other one that we see really commonly is "do you process credit cards or handle credit card transactions?" For all of us that answer is probably going to be no; unless you own a credit card payment company as part of your manufacturing, that answer is no. The wording is very generic, and in order to say "okay, no, it's not me," you have to ask for more wording, and once you get down to it, it becomes very clear. So some of these questions, if you don't understand them or if they seem really generic, there's usually a page description behind that one-sentence question. I've gone through these enough that I can just tell you what it means, but if you're not working with somebody experienced, make sure you drill that down.

And then turning a no into a yes. So go through the application; there will be questions where, whether it doesn't apply or it's something you don't have yet, you need to answer those "no" questions with a description. Sometimes what you're doing with your team makes a control not valid, or maybe you have something better; explaining that will go a long way to helping you get better rates. Even if it is just a "no, I should have that but I don't," you can say "we're working on this," putting a little bit of wording in there. So that goes into explaining the no's.

And then looking at an executive summary. This isn't like home and auto. There's an actual person on the other side that's going to be reading this application, so it's not a robot or an algorithm with most cyber insurance. There's still some of those insurances where they're just popping out numbers, but once you get into the renewal, especially now, there's going to be a real person looking at this. So talking about "I'm working with ProShop and they have these special controls, these are some tools that we're using that may be different, our organization runs this way and this is how we're better, more controlled." So if you can take a little bit of time, and we help people craft those all the time, especially when there's losses.

So going into loss runs: a history of all the losses that you've had within cyber.

Can you explain what that means, a loss?

Yeah, a loss run is a term in the industry where you'll ask the carrier and they'll send you a report that shows all of your losses and kind of what those losses were and the amounts. If you don't have any losses...

You mean something that you had to make an insurance claim for?

Oh, okay, yeah. So if you've had a claim, it's going to show up in these.

Okay.

And so you want to explain. You don't just want to send the new carrier the list of losses; you want to explain how these happened, how they're not going to happen again. In the transactional, sometimes things just get on autopilot and you just start sending stuff. This is an area where you do want to take some time and explain, and not just be on autopilot and fill out the application and send it.

Got it, got it. Do you have any rough ballpark, like the percentage of savings that a company could see if they really do their renewal or their application well and do all these things you're suggesting, versus not doing those things?

So a lot of time, and you can see up to 80% reduction in premium by doing the right things, and you can even see up to a 50 or more percent reduction in a renewal with the same company if you're moving forward, especially now. They've been spending years trying to figure out; all of a sudden they've had all these losses and the carriers are scrambling, but now they're not scrambling anymore, they understand where the losses are coming from. So there's been kind of a land grab recently where, like, this is the last chance to try to get as many people to understand, get cyber insurance, and then this next year is going to be the "okay, we really need to reinforce controls, and the people who aren't going to get with the program and get these things in place are not going to be insurable, but let's get these people as clients." So even if you just got an insurance policy, a cyber policy, and you didn't need some of these controls, the next year, chances are you're gonna...

So if someone has had, say, a cyber attack in the past and they had to pay some ransomware, because I certainly know of shops that have had that happen, how much will that affect their... but let's say they've now put in place some better controls to help mitigate that in the future. I imagine that that loss they had in the past will still affect their premiums today even if they put in more controls, or will it not?

It's going to definitely affect the underwriting process. Where that lands as far as premium, it's going to be from individual carrier to carrier, but that story and showing how you're better, you may be better positioned than somebody who hasn't had any losses but has less controls. Because the insurance carriers, they had losses, like they had policies that they wrote that they didn't think they... so they understand that security is evolving as threats are evolving. So it's definitely not going to put you out of the market if you have a loss, but if you have one and you're just mailing it in, as far as not taking your time on putting together a really good story, then you're throwing money away for sure.

Okay, awesome. Great stuff, thank you.

So this comes to the "why should I put all this time into an application, into making sure that I'm getting the best rates?" And the reason why is because the cyber insurance market is unregulated. So unlike property or auto, there are not really any rules to what coverage needs to be provided, and so a lot of times carriers will just leave things out: "okay, we're having some losses in this area, let's get rid of this piece of coverage and then we can sell the same policy and we can make more money." So it's really only as good as you can negotiate. And so, working as a national brokerage, we've actually pre-negotiated a lot of coverages to where we're not going to sell you a policy that is missing some of these things that you need on a basic standard. So we work with you, but then from that point we have a really good baseline; but looking through what an incident may look like, there may be some coverages that we want to make sure are there that wouldn't be on a regular policy, and maybe some of these bells and whistles that look really attractive may not apply to you, so let's go with this policy because this has the core. So using that to really find what's a good match for you. And even if you have two competing insurance companies and the policies look similar and they have the same coverages, those individual coverage lines may be written different. So that's something that we do, we actually help you, because you can't compare any insurance apples to apples; there's no same fruit in the cyber insurance right now.

So if I'm understanding, the unregulated part of it basically means that insurance companies can put in whatever coverages they feel like, whatever things they want to, you know, not cover, versus auto insurance, where they have to provide uninsured motorists and liability and comprehensive or whatever, all the things.

Yeah.

So it's a lot easier, so I imagine it's a lot easier to shop for insurance for your car or your house; you don't really need someone like yourself. But for this sort of wild west unregulated industry, you really want someone in your corner making sure that you're not missing something, a clause that means that you won't have coverage if something happens. Am I getting that right?

Yes. So being a knowledgeable buyer, this is definitely one of the most critical industries to make sure you have someone in your corner that can tell you whether or not you're covered, for instance, and can help you buy more for your money.

Okay. So I know I have some questions mulling in my head, and I forgot to say at the very beginning, please put your questions into the Q&A area. We will get to those at the end. I think we're gonna have plenty of time; Rick is efficient with delivering this information so we won't be using the full hour, so we'll definitely have time for Q&A. So as things come up in your mind, don't hesitate to throw those in there and we will put them in the hot seat at the end. All right, what's next?

So this is kind of an eye chart, but these are a list of all of the areas where you may have losses. So you have privacy liability, the notification, forensic costs. Forensic costs are a large one. The reason why ransomware is so expensive and those claims cost more than other claims is because largely forensics. So you have to have someone go in and see how they accessed your system and go through all of these. There are things that are expected of you as a business as far as reporting, especially if you're subject to CMMC; we can definitely get into that. But being able to actually look and see who those bad actors were and do your due diligence of trying to figure out what happened so it doesn't happen again. So there's a lot of these costs, and then on the next page...

So before we jump ahead, on the liability costs, is that for, like, you get hacked, your customer's data gets exfiltrated out, now it's on the dark web, and your customer tries to sue you for leaking their information? Is that what that is for?

So the liability cost, so third-party liability, anybody, or sorry, the liability for anybody that is damaged because of that loss. And it doesn't always have to be super critical information. So if something's taken forcibly from you, it becomes private information even if it's something that you may give out at a different time. So it's right, some personal information about somebody, you can post it online and then it's not a breach, but if somebody takes that forcibly then it becomes an issue.

Interesting, okay. And what is, just so, this is just different types of coverages?

Yeah, so this is something that we would go over. So when you're looking at your incident response plan and when you're looking at your business holistically, we'll go through all of these different coverage lines and see: okay, this is your size business, this is how your business operates, where it trickles down to your different organizations. We'll look at your contracts with your subcontractors as well as with primes to see what liability you're taking on, how can you disperse that throughout your organization. And that's what we use to figure out how much bricking coverage: so if somebody gets into your system and they damage your computers, your network, to where they can't be used anymore, what does that coverage need to look like, how much do you need to replace all of your systems.

Okay, okay. All right, super

interesting. All right, let's jump to the next slide.

So this is what these coverages will look like in the wild, so when you actually have a cyber policy: system failure, reputation harm, invoice manipulation, fines, and then there'll also be a list on your policy of the services that they provide. So employee training, pre-claim assistance. That's one thing that a lot of policies will provide, where you have a hotline that you can spend a certain amount of time calling. And okay, well, Bill in accounting lost a laptop, and you call them and say "hey, what should I do?" and they can help you. So not everything that happens is a claim, so as long as that's encrypted. And then some of these covers, like I said, aren't the same. So ransomware and cyber extortion, you would think that with each carrier that would just be the same coverage, if you have it with one it's the same with another, but there's a paragraph or a page that explains exactly what that covers. And so the pre-negotiation that we do makes it a lot easier on your side; it'll save some time because we don't have to go through all of these. And that's where having a trusted broker that works in this field helps, because they're not going to let you buy a policy that has big gaps in it.

Okay, interesting. There's a lot to know. This is a lot.

Yeah, that's why I don't want to get too in depth on some of these individual coverage lines, but I do want you to know that these are things that you're going to want to look at, and if you can have a larger, more holistic view of everything. For some companies with lots of employees, an employee training program that's free, that may save them $2,000. And so that may be something, maybe in pre-claim assistance, that may save them a bunch in lawyers' fees. So it's not just looking at coverages but looking at everything that policy will provide for you.

Got it. And these things on the left-hand side, are these line items that could or could not be added to a policy?

Yes. Okay, yep. So bricking, I often see that excluded.

So bricking, just to be clear for everyone: bricking is when someone puts in some malware or ransomware and basically freezes up all your devices; all your computers are basically bricks, they're useless anymore, and you need to replace them. Is that what that is?

Yep, that's exactly what that is. And so some policies do not include that and other policies might. Yes, and then this doesn't include the exclusion page, so there'll be a whole, like, probably 10 pages of exclusions on a cyber policy.

Wow.

That you need to read through. And I usually build packages for industries, so we have one for the defense and aerospace industry, where this is what you're doing, we understand your risks, and we've built policies with the limits that you need. So we can do that in all types of different manufacturing, so it's really tailor fit, but we don't have to go through every single line on them because we know 95% of what your organization does without actually having to talk.

And so it sounds like, when the policy is well crafted, it's okay to have exclusions, because you don't actually want to pay for those and you don't really need them based on the type of business you have.

Yeah. So there's one exclusion: if you are working in the defense industrial base and you're making parts, aerospace or defense parts, one exclusion is government intervention. So when a government actually takes control of your systems because of something, that breach that happened. Normally for a food manufacturer, for metal parts or components, that's not going to be something that they're going to need, but according to the CMMC regulations you actually have to turn your systems over to the government and make them readily accessible. And so paying for consultants and lost time to actually have that, so that's something that we carve back in for our defense contractors.

Fascinating. But you wouldn't want to pay for that if you're just making other metal components or plastic, not for defense.

Yeah, yeah.

Yeah, I am learning all sorts of things today. This is good, although a little scary. All right, what's next here?

So we can just cover this one quickly: benchmarking limits and your retentions. So seeing what your deductible is, what you want your deductible to be, looking at options. There are some deductible-free programs where your breach response, so calling somebody or calling the company and saying "hey, I need somebody in forensics to look through my system, I think there may be an issue," some policies include that without a deductible, and so then you can raise the deductible from maybe 5,000 to 25,000 and have savings there. Maybe that doesn't make sense for your organization, so really looking at that. Raising retention or deductible can be a great way, and then also not buying too much.

And then when we go to the next slide, looking at your third-party vendor contracts. So people that are working for you, somebody that's doing your welding or your inspection, you're working with them, and you want them to have cyber as well because you want your supply chain to be resilient. We can figure out how much insurance should they buy. We don't need to ask for them to have five million limits, but we don't want them to have a $50,000 add-on, right. So that's something that we can do. And then looking through all of these relationships and figuring out, is there a place to take some of this liability and pass it on? And so that's part of a risk strategy. You're passing off risk to the insurance carrier and you're paying a premium for that, but you can also pass that same risk off, and at the primes, at these large companies, there are people whose job it is to figure out how to pass off risk. And so having somebody in your corner; we work with some of these larger organizations, so we can say "hey, this is something that you may want to push back on, that's not applicable to you. If you take on this liability you're not covered for it, and so after your cyber insurance has done its thing, you're going to be left holding the bag."

Is cyber insurance a requirement under CMMC, or is it still an optional thing?

It's optional. It was considered in the original rulemaking to be a requirement, but they decided that it didn't make sense to require it specifically, and a lot of that is because for different size organizations different things make sense, others have different requirements. But one thing I will say about requirements is there's reporting requirements, there's a due diligence that needs to be done. So I don't know of a company that's making less than 100 million in sales that has everything in place to take care of a cyber incident: they have the specific lawyers that can walk them through the process, they're reporting, and they're doing all of these things that are required. That's a big piece of the policy: you instantly have experts on your side that have done this, this is what they do every day, and their job is to make losses smaller. So let's say you have two manufacturing organizations, 10 million in sales, both of them have been planning, one has a policy, one doesn't. The one that doesn't have a policy, they have really great controls, they have been working on doing this for quite a while and they're in a good position, they don't think they'll have a claim, but something does happen, whether it's just an employee that does something wrong. The one with the policy, because they have so much in their corner, they're going to end up with considerably smaller losses than the other one, because they don't have the processes that a policy could provide.

Sure, sure. Wow, fascinating. Okay, let's move along

here. So, another coverage: business interruption and dependent system failure. So not only are you worried about your information and your systems, but let's say one of the third-party companies, your managed security provider, they have a hack. They are managing your information and your systems, and you actually are responsible for that. So you want to make sure that you have coverage for an interruption of your system, so if they go down and you're relying on them for your day-to-day operations, we can include coverage so you get business income coverage, you get coverage for any liability, third-party liability, to other people. So that's something that you're seeing more and more common, but it's definitely not something that's usually just added on into a policy.

So does that, let's say a shop works with a local IT provider and they help them with their computers, they help them with their backup systems, and they are hosting some of their, you know, your data on their servers, and they get hacked and your data gets exfiltrated there instead of in your own facility. Yeah, so you're saying, now wouldn't that IT provider have to have their own policy, or how does that relate to if you have coverage for them?

So they don't have to have their own policy. I would recommend checking, but normally an IT provider, I know we recommend five million, 10 million in limits, a really robust policy that covers their clients. But that policy is meant to protect the IT provider, not their clients. So it's to protect from lawsuits and to protect the things that that company has to do in the case of a loss. So your policy is to protect you from people that are going to sue you. And even if it's 10 million in limits, they have, what, 100, 200, 300 clients; that's gonna get whittled down really, really fast.

Oh, sure.

So it almost, them having coverage is for their actual resilience, and they'll be able to do the things they need to to get you back up and running faster, but as far as that liability and the loss that you're going to sustain by not having that up and running, that is something that you need to cover yourself. So it's still important for them to have insurance, but it's not for you.

Okay, interesting. All right, CMMC, everyone's favorite acronym.

Yeah, so just like what we talked about for government intervention coverages, there's a lot of different coverage enhancements that we have built. So for a manufacturer working in aerospace or defense, we actually have a package policy that includes several things that you'll want. I haven't seen anybody else doing this; I'm sure they're out there somewhere, but I know this is a pretty niche industry. I'm actually, after this, flying to San Diego at noon for a CMMC conference, staying up to date on everything that is going on. But if you are in a compliance model like this, I would recommend having a cyber policy. It's going to very much outweigh the costs. And we're building in to where you'll actually have a law firm that specializes in CMMC, so they specialize in government compliance, and they'll be on your side as soon as something happens to be able to walk you through this. And they understand the DIB and they understand these regulations because they helped write them. So definitely make sure that you have a policy, and we're actually working to make the policies cheaper, because if you are subject to these and you're working towards them, you have great controls, and you do have a government that's going to step in and help, for companies that have had losses in the defense industrial base, if they did have their ducks in a row. So they have their SPRS score that's accurate, they are actually doing what they can, and then they reported properly: as soon as something happened they escalated it and they went through the proper channels. The Department of Defense actually stepped in and was like, "okay, there was a ransomware incident, we'll take care of this," and they actually bricked the ransomware company.

Oh, are you serious?

Yeah, and got their data back, and like ruined all their systems. "We found out who it was; you're good." And that company, because they had their ducks in a row, sustained considerably lower losses.

And then the reputation loss. So this isn't just for Department of Defense, but one of the big coverages that you want is reputation coverage. So you'll be assigned a PR specialist that will help you to get the message out there to your channels, because these supply chains that you're working in, it's about trust; there's usually years of working together. And a lot of this, especially for the small manufacturers, you're working on, okay, you're nimbler than these companies are, but if you spend three months or a month not being able to work, you could really impact where you're at.

Yeah, but that is one place where ProShop has been super helpful, as far as having offsite backups.

Yeah. And when it comes down to real resilience, supply chain resilience, having somebody like ProShop that's keeping your data confidential, as well as having the people on your side with a cyber policy that are going to come in and fight for you as soon as something happens.

Right. So interesting, wow. So the, having the lawyers that'll help you and the PR, is that built into most policies, or is that something that you guys negotiate on behalf of your customers?

So we've negotiated this for the specific industry, but all policies will usually have, one of the biggest things they build into it is reputation damage. So the lawyer will be able to help you to do these things, and then as far as all the reporting, so you will have a coach and a law firm that's going to help you to do all the reporting that you need to, and so

yeah that’s something that’s included in in most policies sometimes there’s exclusions okay um or suits

right interesting okay and gdpr yeah so if you if you are working

um I’ll just cover this briefly if you’re working internationally um if you have clients

from Canada or from the EU it’s very

important to make sure that this is built into your policy it’s specific coverages to cover your International

um uh the international penalties and different things that can be um put

against you so there’s a bunch of reporting requirements even if you just have one

person from the eu’s information there’s a lot of reporting requirements that you need to follow and there’ll be fines and

penalties and you know all types of stuff so this is um in a lot of policies

this is just built you don’t have to touch it you just make sure that this is included and this will be included if you have a loss

there’ll be somebody to help you through these different compliance okay so if you have a

customer in the UK or somewhere in Europe and you get hacked and their data gets compromised that’s when gdpr will

start kicking in yeah so it is um it’s coverage for all of the different losses

that you would have associated with um you know their specific private

regulations and California is getting to the point where it’s fairly similar um and there’s

different states that are you know increasing penalties and they’re

increasing um the things that you have to do so

providing instant or providing a year of

um of coverage for um

um sorry the um for the person to be able to see if somebody has hacked them

Got it, okay. And I just remembered, when you were talking about the reporting, let me just jump back one here. Yeah, so we actually had a customer that had a situation like this, and we have a case study of it that they’ll put into the chat. So for those on the call here, pull that up on a tab and bookmark that or save it for later. Who are the proper channels to report to? Like, did they just go to you guys first, or the insurance company, and say hey, we had a hack, and then they tell you who to report to in the government, or how do people know what to do with that?

So once you have an incident, at the very beginning, whether you think it’s going to turn into a giant incident or not, if you have something happen, usually there’ll be a channel within your insurance carrier that you can report to. It may not be, okay, this is going to be a breach, but something happened, there was an incident. So you can report that; it doesn’t trigger a claim, but you want to have that there so if it does turn into something, you’ve reported that on time.

So would an example of an incident be someone clicked on a phishing email and then they realize after they clicked on it, they’re like, oh man, that’s not legitimate?

Yeah.

But they’re not sure what actually happened. They didn’t see anything on their computer, but they know they clicked something. Is that the type of thing that they would want to report?

So yeah, if you think you may have downloaded something, or if you realized that you put in your password and, wait, this isn’t the right landing page.

Yeah, something like that.

You’re going to want to have these processes throughout your IT team. So smaller companies are probably going to want to submit that, and then they may call that hotline.

The insurance company’s hotline?

Yeah, so they may call the hotline and say hey, this happened. Large organizations are going to have a better understanding, because they’ll have employees like a CISO, a chief information security officer, that is going to know what to handle. But usually as a small organization, if something like that happens, you’re going to want to be reporting first. And once you have a policy in place, there’s going to be a list of this is what you need to do. So there’s actually instructions built into the policy, and you want to take those instructions and make sure that you have it understood within your employees how and where things need to be escalated, and then at what point does that get reported. So that’s something that we can kind of workshop within an individual company.

Okay, all right. And this looks like sort of a wrap-up slide for you.

Yeah, after this I have a couple of examples of losses.

Okay, let’s move through those because we are taking more time than I thought we would. So okay, people love case studies, so let’s talk about this.

Yeah, so this is an example of a customer, it’s 25 million in revenue, 120 employees. They were just corresponding, they thought they were talking with the supplier, and somebody got in the middle of that and they sent fraudulent funds. So it doesn’t have to be somebody hacking in. As a joke people will say, hackers don’t hack, they log in. So they find your information and they would log in just like you would. So if they get an email or something, or if they get the email of the law firm or the supplier you’re working with, that’s pretty common.

Wow. Yeah, now I’ve heard of this happening. It’s super deceptive; people don’t realize that they’re not talking with their vendor, and they’re sending them money.

Yeah. Invoice manipulation is something that we see excluded on some policies. So if somebody takes your invoice, changes things around, because they’re in the middle, they’re seeing your emails, they can either send those invoices out to your clients without you knowing and then have the address changed or have the billing information changed, so your customer thinks they’re paying you but they’re actually sending money to the hacker.

Yes. Wow, okay. Fascinating. And what’s this one about?

So this is a larger organization, somebody that actually was working for a government agency, so they had government contracts. One of their environments was encrypted, and then that bad actor stayed in their system long enough to encrypt the other environment. Luckily they had offsite backups, and those backups hadn’t been encrypted, and they actually were able to get their systems back in line. But they lost their contract because of the loss, and so there was loss of income, and eventually that company did end up going under.

That’s rough. So yeah, even with those off-site backups, they couldn’t get back up quick enough to not lose that contract? Or is that why they lost the contract, because they couldn’t perform on the contract while they...

We don’t have, I can’t share some of the specifics, but not having the PR in place and not having the right things moving at the right times. So the government understands that people do get breached, and people in the industry understand that, but if you don’t handle it properly, to where people think, okay, this company, they had something happen, but they’re reliable, they were above board, they did things and they got back to work right away... if this brings you down for a while, it can really affect your position in the supply chain, and that’s what happened to this company. Their position was affected and they had all these losses, and they could...

That’s so hard. All right, well, thank you Rick, that was awesome. And now I’m going to take over for a few minutes and just talk about how Pro Shop can help your companies be more secure and hopefully have lower premiums. So first, just a couple of baseline things. For all of our clients that are in the defense industrial base, or any kind of aerospace, or just because they choose to, we can host in the GovCloud, which is a very secure environment with lots of controls. It is designed to be ITAR compliant. Pro Shop itself has lots of ITAR sort of features and functionality to help make compliance easier. And then of course we’re working very diligently to make Pro Shop help our clients become certified more easily and less expensively. And lastly, it is our intention, and we are working on starting to become FedRAMP Moderate certified. It turns out that any cloud service provider, a software company that is hosting or maintaining sensitive data, controlled and classified information, things like that, will have to become FedRAMP certified. So a good question to ask your providers is if that’s their intention and if they’re working towards that as well.

So just a few things that we have put in place over the last couple of years: very tight controls over password rules. We even have built-in schemes, like a CMMC compliance scheme, that predefine things like complexity and how often you have to change them and things like that. We definitely do offer multi-factor authentication; right now that is exclusively through YubiKeys, so it’s a physical hardware key. In fact I have mine right here, it looks like that. So you have to have it either plugged in, or just wave it near a Bluetooth reader, or an NFC reader, excuse me. So much more secure than phones, and a lot of shops are going to no cell phones out on the shop floors, so you couldn’t have an app for your second factor anyway. Also a lot more controls on audit traceability, lockout functions, surprise privacy and security notices, and then very specific tailored access to certain users for specific functions. You can even have an admin user that normally doesn’t log in as an admin; they log in with lesser credentials and they can do their daily job, but if they have to do admin-type things, that’s just an additional sort of access that they have to turn on just for a brief period of time.

And then Pro Shop Safe is a new product that we are launching very soon. We believe it’s a pretty revolutionary way to handle file storage and file management. It basically allows very granular control over which users have access to which files and folders in the file system, all through your credentials and authentication of your Pro Shop login. And it’s designed to help you be compliant to the CMMC and ITAR standards for sensitive data storage. I’ll show you another slide in a second here, but for the majority of our customers that would be cloud storage. We do also have the on-prem options, but I’ll talk about that more in a second; we believe the cloud storage is considerably more secure. But basically it only allows file access to each user for the duration of time that they’re logged into Pro Shop. As soon as they log out, all that access is instantly eliminated.

So this is a traditional company with an on-site server storing all their drawings and their models and things like that, both physically in paper form and in digital form. They have lots of CUI within their company on lots of devices. Let’s say your salesperson or your estimator has a laptop they take home; that CUI is stored on those devices. There’s lots of footprint for attacks. Someone loses their laptop at a coffee shop, or their car gets broken into, that’s a potential breach. We believe that it is entirely possible, and we already have clients really doing this, to eliminate any CUI, physical or digital or otherwise, within the company and have it stored only in the cloud. And even when you have employees like programmers that are programming to their CAD models, they are doing that in working directories within the cloud environment, not on your local network. So as soon as they close out their Mastercam or whatever, that temporary storage that was in the memory of their computer is cleared out, and there was never an actual file stored on their local device. So theoretically someone could break into your shop, steal all your computers, go hack through them, and there will be no CUI, no leakage at all. So we believe that it’s going to make it just considerably easier and less expensive to maintain compliance.

So here’s an example of two different types of access. So you have a machinist, and they are in a certain, what we call a file security group, and they have access to just the drawings and the G-code folder and maybe this folder so they can see pictures of their setup, but they can’t see or look at anything else. Versus a project manager that might have complete access to all the folders within a certain client part number, because they need to to do their jobs. So really limiting the scope of who can see what. And this same access also translates right into the browser experience. So if someone logs into Pro Shop, they go to a setup page for a part number they’re going to be working on, they can pull up the drawing in Pro Shop, they can see the photos of the setup or the video of how that machine is supposed to be set up, right through the browser. But a different employee that isn’t supposed to have access to those things, when they log in with their credentials and their two-factor key, they will not see any of those things within the browser experience. So they won’t see pictures, they won’t see the links, or the links won’t work to go to certain folders or images or things like that. So really pretty easy on the shop floor, and it’s only with your Pro Shop login. So we’re very excited about bringing that out; we think that’s just going to be super powerful to help customers keep that data locked down.

So we have, what, two or three minutes left here, so a couple of questions. Let’s start here: aside from phishing emails, what are some common vulnerabilities and points of entry for bad actors? Thank you David, great question.

So open ports, and that’s something that we talked about with the carrier scans, so they’ll be able to see if there’s any open windows or ways to just sign into your network. So a lot of products that you may buy may have a standard login or admin, and those not being changed or closed down can make it to where, you know, hackers don’t hack, they log in. They’ll find that, they’ll log in with the stock information, and be able to access your system.

Got it, okay. And what is the typical cost for, like, a 20-person manufacturing company that’s in the defense space?

Yeah, so a 20-person company, you’re looking at three to four million in sales possibly. I would say you would be at around three to four thousand, maybe, for cyber insurance for the year, maybe up to 5,000, depending on your controls in your organization. A lot of clients that I’ve talked to, before we actually got into it they were like, no, I don’t need cyber, because they thought it was going to be 25,000, $50,000.

Right.

But $3 to $4,000 a year if you’re a small business. You can usually use the general rule of $1,000 per million in sales.

Okay, that seems to fit.

And I would say that would just be if you’re an average company with average controls. If you’re working through CMMC and you have some really great controls and you can show that, you’re going to see lower. And then if you just have a bunch of old systems, you may not get coverage or you may be paying considerably more.

Okay. It is the top of the hour; we have a few more questions I’d love to... are you okay for a few more minutes, Rick?

Absolutely.

All right, we’ll stick around. Obviously the recording of this will come out if you need to jump off to another meeting. Thank you for joining us, those that couldn’t stay.

So another question here: are there any special considerations if you have employees working remotely?

So yes. One of the things, as far as remote access, is going to be something that you’re going to need to look into, as far as having those proper controls in place. If you’re working in the cloud, that makes things a lot easier, but having a VPN is something that would be important, especially if you’re traveling or working from home. So there’s some things you want to have in place, but it’s very doable.

Okay. And then Megan asks, what if someone has added coverage in a package policy versus a standalone policy?

So in manufacturing, a lot of times we see the coverages that are included in a package to be very limited. So they’ve either taken, okay, this is where we’re having all their losses, let’s just get rid of this or limit this piece of coverage, and then we’ll be able to compete with the people who are specializing in that field. So you may feel like you’re covered, but you’re not actually covered for the most likely scenarios.

Yes. So you have bars on the windows and everything is great, but the front door’s open. Got it, okay. And then a question here for me: is Pro Shop’s file storage encrypted? And yes, with Pro Shop Safe it’s encrypted in transit and at rest, and the backups are encrypted as well.

So those are three questions you’re going to see on an application.

Okay.

Almost exactly like that: do you know where your files are, are they encrypted at rest, in transit.

Right. And then the last question, I think, before we wrap it up: what is the best way to do employee training, since that’s the most common way people come in?

Yeah, so a lot of the carriers, almost everyone that I work with, provide free employee training for you and for all of your employees at no additional cost. So that’s one thing to look at. And I just want to end with, I know there’s some doom and gloom with some of the things we’re presenting, but it’s affordable. We’re actually seeing these giant catastrophic losses be consistently less, because people have people in their corner. And so it’s a thing, you want to be resilient, but if you have things in place, I think you’re going to have a great 2023, 2024.

Awesome. Well, Rick, thank you so much. I know I definitely learned a ton; I’m sure others did as well. And I just appreciate your enthusiasm for helping our manufacturers stay safe.

If you want to reach out to me on LinkedIn, I put a link in the chat, but if you type R Rosenberry, it’s me and a dog groomer.

Awesome. All right, thank you Rick. Thank you all of you for joining us today. I’m sure you took away some valuable stuff. If you want to reach out to Rick, connect with him on LinkedIn; here’s his information. Obviously you know how to reach us. And yeah, it sounds, Rick, like if you’re going to get insurance, it’s a really prudent thing to go through someone like yourselves to really make sure you’re getting what you need and not getting what you don’t need.

Yeah, yeah.

Awesome. All right, well, thank you everybody, appreciate you joining us today, and have a good rest of your day and a good rest of your month. All right, thank you everyone.
