Paul: Good morning, good morning. Let's see here, let's get the participants coming. There we go, people starting to stream in here. All right, we are excited. I made that post on LinkedIn a week or so ago about "boring webinar alert," and I know insurance is not a topic that people love to talk about; it's like taxes. But it is super duper important, especially these days, with just how many attacks are happening, the ramifications of being hacked, and how sophisticated these freaking bad guys are becoming. So I'm looking forward to digging in with this today. Let's go ahead and get going, so let's move to our next slide. My name is Paul Van Metre, I am the co-founder of Pro Shop, and I am super excited today to have Rick Rosenberry with us from USI. Before you introduce yourself, Rick: I met Rick a few months ago at a couple of different events here in the Northwest and was just immediately struck by how knowledgeable Rick was, how excited he was to provide information and value to the manufacturers that were in these events, and just very giving. So I just thought Rick is the guy that I want to have talking to my audience about insurance. So Rick, please introduce yourself, and let's learn more about you and your company.

Rick: Yeah, so Rick Rosenberry with USI Insurance. We're a national agency and brokerage. I specialize in working with manufacturers, specifically those in the defense and aerospace field, but I work with all types: metal products, food manufacturing. And cyber is one of the things that I've been focusing on for the last couple of years, and so I'm excited to share some of the insights that I've found.

Paul: Absolutely, absolutely, awesome. Well, let's dig into this. First I would like to share our mission statement, and while I'm doing that, as I often do, I'd love for you all, assuming chat is turned on for everybody (yes, it is), to put in where you are joining from. I know we have people joining from all over the place. There we go, Heather kicked it off from Bend, Oregon, beautiful area. Portland, fantastic. Libby, Montana, fantastic. Great, thank you folks. We definitely have a community all over the world. So our mission statement here at Pro Shop is to deliver powerful manufacturing software by deeply understanding our clients' challenges in order to meaningfully improve their businesses and, in turn, their communities. And understanding challenges in today's environment includes keeping companies safe; that is definitely a challenge. So Rick, why don't you take it away and share some information with us.

Rick: Yeah, so to start off, these are the 10 essential controls that the insurance carriers are going to be looking for. The reason why these are the essential controls is because, through past history, these are the areas that have either caused a breach or significantly contributed to the increased size of a breach. I put some check marks next to the controls that Pro Shop actually helps provide: multifactor authentication, access control, backups. And then the green check mark is for insurance carriers, so one thing that they often provide is training.

Paul: All right, very good.

Rick: So, looking at a holistic solution. A lot of times what we see is, if they do have an insurance policy, it's sitting in the corner and it's not being used. But how do we take all the resources that you have access to and really look through an organization and find out the best way to buy cyber? Traditionally it'll start by evaluating where you're at, and then talking with management, talking with IT, your external service providers, and then the carriers will also provide a scan. This scan looks through all the external ports and everything that a bad actor would see. And so we look through these scans, and then we move on to: okay, do you have a policy? Are there things in your policy currently that the carrier is providing that you're not taking advantage of? Frequently we see that there's a lot of benefits that the manufacturer could be using. And then we go into broker resources, so vendor contract negotiation. Especially in the aerospace field, liability is passed around, and there's a lot of "oh no, this person handles liability, this person handles it," and so figuring out where the buck stops, and then using tools to figure out how much insurance do you actually need. And then we'll work with your in-house vendors; we have vendors that we also refer to people. Pro Shop is actually one of the vendors that I often refer, especially when someone is working in a field that's very restricted with a lot of controls. And the goal is to get you the best application, to get you the best terms and the best pricing.

Paul: So going back to this question about carrier and policy. Obviously every shop, every company carries general business insurance. Are you saying that sometimes there might be clauses in those that provide some kind of cyber insurance, or are they basically having to go out and always buy something that's completely standalone, or an add-on to their normal business insurance?

Rick: So 50,000 in coverage is normally something we'll see as an add-on, and a lot of times the carriers include that just to show people that, hey, this is out there; if you want to look at coverages, you can buy more. There's usually not a lot needed for that 50,000, but usually that coverage is not very substantial as far as what actually is covered, and then 50,000 really only gets you so far if you were to have an incident. So generally, unless you're in a program like in healthcare, for manufacturing there's a separate policy that you're looking at for your cyber insurance.

Paul: Okay, okay, interesting.

Rick: So, looking at what the price is actually made from. You have the classification, so what are you doing: manufacturing. And then it also can change depending on what you are manufacturing, if you have direct sales. Your sales, your employee count, your security posture (what you can show the underwriters that you're doing; we'll get into that later), and then records, which is something that actually is often misconstrued. A record, from a carrier, is any one person or any one business and all of the information you have on that person or business. So a medical record, social security number, driver's license, all of that for one person would just be one record.

Paul: Okay, interesting. So that's true in a manufacturer as well? And how does that relate to employee count?

Rick: So it's not... you would look at your employees as well, but...

Paul: Okay, so in these terms records would be a client? So if you have 100 clients, then you have 100 records?

Rick: Yes, that generally refers to clients. So if you're just business to business, it's a lot easier, because you look at all of those clients that you have and you're not dealing with those clients' personal information of their employees, so it's just your client count.

Paul: Would it matter how many different part numbers you make, or is it really just the customers? Let's say you have 100 customers and you make 10 part numbers for each of them; that's a thousand part numbers. Does that matter, or is it just the 100 companies?

Rick: Nope. Yeah, so the supplier or whoever you're working with, the prime, that's just one company no matter how much. So if you're doing all of your work through Boeing, you only have one client.

Paul: Oh, fascinating. Okay, I'm definitely learning something new here
as well.

Rick: So, how to optimize your renewal. One of the things is get the application right, and that seems pretty straightforward, but looking at records like we said, there's some things in the application where you may think "this is the answer" and it seems straightforward, but it's actually something else. So, working with a broker to go through the application. One other one that we see really commonly is "do you process credit card or handle credit card transactions?" For all of us that answer is probably going to be no; unless you own a credit card payment company as part of your manufacturing, that answer is no. The wording is very generic, and in order to say "okay, no, it's not me," you have to ask for more wording, and once you get down to it, it becomes very clear. So some of these questions, if you don't understand them or if they seem really generic, there's usually a page description behind that one-sentence question. I've gone through these enough that I can just tell you what it means, but if you're not working with somebody experienced, make sure you drill that down.

And then turning a no into a yes. Go through the application; there will be questions where either it doesn't apply or it's something you don't have yet. You need to answer those "no" questions with a description. Sometimes what you're doing with your team makes a control not valid, or maybe you have something better. Explaining that will go a long way to helping you get better rates. Even if it is just "no, I should have that but I don't," you can say "we're working on this," putting a little bit of wording in there. So that goes into explaining the no's.

And then looking at an executive summary. This isn't like home and auto; there's an actual person on the other side that's going to be reading this application. It's not a robot or an algorithm with most cyber insurance. There's still some of those insurers where they're just popping out numbers, but once you get into the renewal, especially now, there's going to be a real person looking at this. So talking about "I'm working with Pro Shop and they have these special controls, these are some tools that we're using that may be different, our organization runs this way, and this is how we're better, more controlled." If you can take a little bit of time (and we help people craft those all the time), especially when there's losses.

So going into loss runs: a history of all the losses that you've had within cyber.

Paul: Can you explain what that means, a loss?

Rick: Yeah, a loss run is a term in the industry where you'll ask the carrier and they'll send you a report that shows all of your losses and kind of what those losses were and the amounts. If you don't have any losses...

Paul: You mean something that you had to make an insurance claim for?

Rick: Oh, okay, yeah. So if you've had a claim, it's going to show up in these.

Paul: Okay.

Rick: And so you want to explain. You don't just want to send the new carrier the list of losses; you want to explain how these happened, how they're not going to happen again. In the transactional, sometimes things just get on autopilot and you just start sending stuff. This is an area where you do want to take some time and explain, and not just be on autopilot and fill out the application and send it.

Paul: Got it, got it. Do you have any rough ballpark percentage of savings that a company could see if they really do their renewal or their application well and do all these things you're suggesting, versus not doing those things?

Rick: A lot of times you can see up to 80% reduction in premium by doing the right things, and you can even see up to a 50 or more percent reduction in a renewal with the same company if you're moving forward. Especially now: they've been spending years trying to figure out... all of a sudden they've had all these losses and the carriers are scrambling, but now they're not scrambling anymore. They understand where the losses are coming from. So there's been kind of a land grab recently where, like, this is the last chance to try to get as many people to understand, get cyber insurance, and then this next year is going to be "okay, we really need to reinforce controls," and the people who aren't going to get with the program and get these things in place are not going to be insurable, "but let's get these people as clients." So even if you just got a cyber policy and you didn't need some of these controls, the next year, chances are you're gonna...

Paul: So if someone has had, say, a cyber attack in the past and they had to pay some ransomware (because I certainly know of shops that have had that happen), how much will that affect their... but let's say they've now put in place some better controls to help mitigate that in the future. I imagine that loss they had in the past will still affect their premiums today even if they put in more controls, or will it not?

Rick: It's going to definitely affect the underwriting process. Where that lands as far as premium is going to be from individual carrier to carrier, but with that story, and showing how you're better, you may be better positioned than somebody who hasn't had any losses but has less controls. Because the insurance carriers, they had losses, like they had policies that they wrote that they didn't think... so they understand that security is evolving as threats are evolving. So it's definitely not going to put you out of the market if you have a loss, but if you're just mailing it in, as far as not taking your time on putting together a really good story, then you're throwing money away for sure.

Paul: Okay, awesome, great stuff, thank you.

Rick: So this comes to the "why should I put all this time into an application, into making sure that I'm getting the best rates?" The reason why is because the cyber insurance market is unregulated. Unlike property or auto, there are not really any rules to what coverage needs to be provided, and so a lot of times carriers will just leave things out: "okay, we're having some losses in this area, let's get rid of this piece of coverage, and then we can sell the same policy and we can make more money." So it's really only as good as you can negotiate. Working as a national brokerage, we've actually pre-negotiated a lot of coverages to where we're not going to sell you a policy that is missing some of these things that you need on a basic standard. So we work with you, but then from that point we have a really good baseline. Looking through what an incident may look like, there may be some coverages that we want to make sure are there that wouldn't be on a regular policy, and maybe some of these bells and whistles that look really attractive may not apply to you, so "let's go with this policy because this has the core." Using that to really find what's a good match for you. And even if you have two competing insurance companies and the policies look similar and they have the same coverages, those individual coverage lines may be written differently. So that's something that we do: we actually help you, because you can't compare any insurance apples to apples; there's no same fruit in the cyber insurance right now.

Paul: So the unregulated part basically means that insurance companies can put in whatever coverages they feel like, whatever things they want to skip, not cover, versus auto insurance where they have to provide uninsured motorists and liability and comprehensive or whatever, all the things?

Rick: Yeah.

Paul: So I imagine it's a lot easier to shop for insurance for your car or your house; you don't really need someone like yourself. But for this sort of wild west, unregulated industry, you really want someone in your corner making sure that you're not missing something, a clause that means that you won't have coverage if something happens. Am I getting that right?

Rick: Yes. So, being a knowledgeable buyer: this is definitely one of the most critical industries to make sure you have someone in your corner that can tell you whether or not you're covered, for instance, and can help you buy more for your money.

Paul: Okay. So I know I have some questions mulling in my head, and I forgot to say at the very beginning: please put your questions into the Q&A area. We will get to those at the end. I think we're gonna have plenty of time; Rick is efficient with delivering this information, so we won't be using the full hour, so we'll definitely have time for Q&A. So as things come up in your mind, don't hesitate to throw those in there, and we will put them in the hot seat at the end. All right, what's next?

Rick: So this is kind of an eye chart,
but these are a list of all of the areas where you may have losses. So you have privacy liability, the notification, forensic costs. Forensic costs are a large one; the reason why ransomware is so expensive and those claims cost more than other claims is largely because of forensics. You have to have someone go in and see how they accessed your system and go through all of these. There are things that are expected of you as a business as far as reporting, especially if you're subject to CMMC (we can definitely get into that), but being able to actually look and see who those bad actors were and do your due diligence of trying to figure out what happened, so it doesn't happen again. So there's a lot of these costs, and then on the next page...

Paul: So before we jump ahead, on the liability costs, is that for, like, you get hacked, your customer's data gets exfiltrated out, now it's on the dark web, and your customer tries to sue you for leaking their information? Is that what that is for?

Rick: So the liability cost, third-party liability, is the liability for anybody that is damaged because of that loss. And it doesn't always have to be super critical information. If something's taken forcibly from you, it becomes private information, even if it's something that you may give out at a different time. So, some personal information about somebody, you can post it online and then it's not a breach, but if somebody takes that forcibly, then it becomes an issue.

Paul: Interesting, okay. And so this is just different types of coverages?

Rick: Yeah, so this is something that we would go over. When you're looking at your incident response plan and when you're looking at your business holistically, we'll go through all of these different coverage lines and see: okay, this is your size business, this is how your business operates, where it trickles down to your different organizations. We'll look at your contracts with your subcontractors as well as with primes to see what liability you're taking on, how you can disperse that throughout your organization. And that's what we use to figure out how much bricking coverage: if somebody gets into your system and they damage your computers, your network, to where they can't be used anymore, what does that coverage need to look like, how much do you need to replace all of your systems.

Paul: Okay, okay, all right, super interesting. All right, let's jump to the next slide.

Rick: So this is what these coverages will look like in the wild when you actually have a cyber policy: system failure, reputation harm, invoice manipulation, fines, and then there'll also be a list on your policy of the services that they provide. So employee training, pre-claim assistance. That's one thing that a lot of policies will provide, where you have a hotline that you can spend a certain amount of time calling, and "okay, well, Bill in accounting lost a laptop," and you call them and say "hey, what should I do?" and they can help you. So not everything that happens is a claim, as long as that's encrypted. And then some of these coverages, like I said, aren't the same. So ransomware and cyber extortion: you would think with each carrier that would just be the same coverage, if you have it with one it's the same with another, but there's a paragraph or a page that explains exactly what that covers. And so the pre-negotiation that we do makes it a lot easier on your side; it'll save some time because we don't have to go through all of these. And that's where having a trusted broker that works in this field helps, because they're not going to let you buy a policy that has big gaps in it.

Paul: Okay, interesting. There's a lot to know; this is a lot.

Rick: Yeah, that's why I don't want to get too in depth on some of these individual coverage lines, but I do want you to know that these are things that you're going to want to look at, and if you can have a larger, more holistic view of everything. For some companies with lots of employees, an employee training program that's free, that may save them $2,000. And so that may be something; maybe pre-claim assistance may save them a bunch in lawyers' fees. So it's not just looking at coverages but looking at everything that policy will provide for you.

Paul: Got it. And these things on the left-hand side, are these line items that could or could not be added to a policy?

Rick: Yes. Bricking, I often see that excluded.

Paul: So bricking, just to be clear for everyone: bricking is when someone puts in some malware or ransomware and basically freezes up all your devices. All your computers are basically bricks; they're useless anymore and you need to replace them. Is that what that is?

Rick: Yep, that's exactly what that is.

Paul: And so some policies do not include that and other policies might?

Rick: Yes. And then this doesn't include the exclusion page. There'll be a whole, probably 10 pages of exclusions on a cyber policy.

Paul: Wow.

Rick: That you need to read through. I usually build packages for industries, so we have one for the defense and aerospace industry, where this is what you're doing, we understand your risks, and we've built policies with the limits that you need. We can do that in all types of different manufacturing, so it's really tailor fit, but we don't have to go through every single line on them because we know 95% of what your organization does without actually having to talk.

Paul: And so it sounds like, when the policy is well crafted, it's okay to have exclusions, because you don't actually want to pay for those and you don't really need them based on the type of business you have?

Rick: Yeah. So there's one exclusion: if you are working in the defense industrial base and you're making aerospace parts or defense parts, one exclusion is government intervention, so when a government actually takes control of your systems because of a breach that happened. Normally, for a food manufacturer, for metal parts or components, that's not going to be something that they're going to need, but according to the CMMC regulations you actually have to turn your systems over to the government and make them readily accessible. And so paying for consultants and lost time to actually have that, that's something that we carve back in for our defense contractors.

Paul: Fascinating. But you wouldn't want to pay for that if you're just making other metal components or plastic, not for defense?

Rick: Yeah.

Paul: Yeah, I am learning all sorts of things today. This is good,
although a little scary. All right, what's next here?

Rick: So we can just cover this one quickly: benchmarking limits and your retentions. Seeing what your deductible is, what you want your deductible to be, looking at options. There are some deductible-free programs where your breach response, so calling somebody or calling the company and saying "hey, I need somebody in forensics to look through my system, I think there may be an issue," some policies include that without a deductible, and so then you can raise the deductible from maybe 5,000 to 25,000 and have savings there. Maybe that doesn't make sense for your organization, so really looking at that. Raising retention or deductible can be a great way, and then also not buying too much.

And then when we go to the next slide, looking at your third-party vendor contracts. So people that are working for you, somebody that's doing your welding or your inspection that you're working with, and you want them to have cyber as well, because you want your supply chain to be resilient. We can figure out how much insurance should they buy; we don't need to ask for them to have five million limits, but we don't want them to have a $50,000 add-on. So that's something that we can do. And then looking through all of these relationships and figuring out is there a place to take some of this liability and pass it on. That's part of a risk strategy: you're passing off risk to the insurance carrier and you're paying a premium for that, but you can also pass that same risk off. At the primes, at these large companies, there are people whose job it is to figure out how to pass off risk, and so having somebody in your corner... we work with some of these larger organizations, so we can say "hey, this is something that you may want to push back on, that's not applicable to you; if you take on this liability you're not covered for it," and so, after your cyber insurance has done its thing, you're going to be left holding the bag.

Paul: Is cyber insurance a requirement under CMMC, or is it still an optional thing?

Rick: It's optional. It was considered in the original rulemaking to be a requirement, but they decided that it didn't make sense to require it specifically, and a lot of that is because for different size organizations different things make sense; others have different requirements. But one thing I will say about requirements is there's reporting requirements, there's a due diligence that needs to be done. So I don't know of a company that's making less than 100 million in sales that has everything in place to take care of a cyber incident: they have the specific lawyers that can walk them through the process, they're reporting, and they're doing all of these things that are required. That's a big piece of the policy: you instantly have experts on your side that have done this, this is what they do every day, and their job is to make losses smaller. So let's say you have two manufacturing organizations, 10 million in sales, both of them have been planning, one has a policy, one doesn't. The one that doesn't have a policy, they have really great controls, they have been working on doing this for quite a while and they're in a good position; they don't think they'll have a claim. But something does happen, whether it's just an employee that does something wrong. The one with the policy, because they have so much in their corner, they're going to end up with considerably smaller losses than the one that doesn't, because they don't have the processes that a policy could provide.

Paul: Sure, sure. Wow, fascinating. Okay, let's move along here.

Rick: So another coverage: business interruption and dependent system failure. Not only are you worried about your information and your systems, but let's say one of the third-party companies, your managed security provider, they have a hack. They are managing your information and your systems, and you actually are responsible for that. So you want to make sure that you have coverage for an interruption of your system: if they go down and you're relying on them for your day-to-day operations, we can include coverage so you get business income coverage, you get coverage for any third-party liability to other people. That's something that you're seeing more and more commonly, but it's definitely not something that's usually just added on into a policy.

Paul: So let's say a shop works with a local IT provider, and they help them with their computers, they help them with their backup systems, and they are hosting some of your data on their servers, and they get hacked and your data gets exfiltrated there instead of in your own facility. So you're saying, wouldn't that IT provider have to have their own policy, or how does that relate to if you have coverage for them?

Rick: So they don't have to have their own policy. I would recommend checking, but normally, for an IT provider, I know we recommend five million, 10 million in limits, a really robust policy that covers their clients. But that policy is meant to protect the IT provider, not their clients. So it's to protect from lawsuits and to protect the things that that company has to do in the case of a loss. Your policy is to protect you from people that are going to sue you. And even if it's 10 million in limits, they have, what, 100, 200, 300 clients; that's gonna get whittled down really, really fast.

Paul: Oh, sure.

Rick: So it's almost, them having coverage is for their actual resilience, and they'll be able to do the things they need to to get you back up and running faster. But as far as that liability and the loss that you're going to sustain by not having that up and running, that is something that you need to cover yourself. So it's still important for them to have insurance, but it's not for you.

Paul: Okay, interesting. All right, CMMC,
Everyone's favorite acronym. Yeah, so just like what we talked about for government intervention coverages, there are a lot of different coverage enhancements that we have built. So for a manufacturer working in aerospace or defense, we actually have a package policy that includes several things that you'll want. I haven't seen anybody else doing this; I'm sure they're out there somewhere, but I know this is a pretty niche industry. I'm actually, after this, flying to San Diego at noon for a CMMC conference, staying up to date on everything that is going on. But if you are in a compliance model like this, I would recommend having a cyber policy; it's going to very much outweigh the costs. And we're building in, to where you'll actually have a law firm that specializes in CMMC. So they specialize in government compliance and they'll be on your side as soon as something happens, to be able to walk you through this, and they understand the DIB and they understand these regulations because they helped write them. So definitely make sure that you have a policy. And we're actually working to make the policies cheaper, because if you are subject to these and you're working towards them, you have great controls, and you do have a government that's going to step in and help for companies that have had losses in the defense industrial base if they did have their ducks in a row. So they have their SPRS score that's accurate, they are actually doing what they can, and then they reported properly: as soon as something happened they escalated it and they went through the proper channels. The Department of Defense actually stepped in and was like, okay, there was a ransomware incident, we'll take care of this, and they actually bricked the ransomware company.

Oh, are you serious?

Yeah, and got their data back and ruined all their systems. We found out who it was, you're good. And that company, because they had their ducks in a row, sustained considerably lower losses, and then the reputation loss. So this isn't just for Department of Defense, but one of the big coverages that you want is reputation coverage. So you'll be assigned a PR specialist that will help you to get the message out there to your channels, because in these supply chains that you're working in, it's about trust; there are usually years of working together. And a lot of this is, especially for the small manufacturers, you're nimbler than these companies are, but if you spend three months or a month not being able to work, you could really impact where you're at.

Yeah.

But that is one place where Pro Shop has been super helpful, as far as having offsite backups.

Yeah.

And when it comes down to real resilience, supply chain resilience, having somebody like Pro Shop that's keeping your data confidential, as well as having the people on your side with a cyber policy that are going to come in and fight for you as soon as something happens.

Right. So, interesting. Wow. So having the lawyers that'll help you, and the PR, is that built into most policies, or is that something that you guys negotiate on behalf of your customers?

So we've negotiated this for the specific industry, but all policies will usually have, one of the biggest things they build into it is reputation damage. So the lawyer will be able to help you to do these things, and then as far as all the reporting, you will have a coach and a law firm that's going to help you to do all the reporting that you need to. So yeah, that's something that's included in most policies. Sometimes there are exclusions, or suits.
Right, interesting, okay. And GDPR?

Yeah, so if you are working, I'll just cover this briefly, if you're working internationally, if you have clients from Canada or from the EU, it's very important to make sure that this is built into your policy. It's specific coverages to cover your international penalties and different things that can be put against you. So there are a bunch of reporting requirements; even if you just have one person from the EU's information, there are a lot of reporting requirements that you need to follow, and there'll be fines and penalties and all types of stuff. So in a lot of policies this is just built in; you don't have to touch it, you just make sure that this is included. And if this is included and you have a loss, there'll be somebody to help you through these different compliance requirements.

Okay, so if you have a customer in the UK or somewhere in Europe and you get hacked and their data gets compromised, that's when GDPR will start kicking in?

Yeah, so it's coverage for all of the different losses that you would have associated with their specific privacy regulations. And California is getting to the point where it's fairly similar, and there are different states that are increasing penalties and increasing the things that you have to do, so providing a year of coverage for the person to be able to see if somebody has hacked them.
Got it, okay. And I just remembered, when you were talking about the reporting, let me just jump back one here. So we actually had a customer that had a situation like this, and we have a case study of it that they'll put into the chat. So for those on the call here, pull that up in a tab and bookmark it or save it for later. Who are the proper channels to report to? Did they just go to you guys first, or the insurance company, and say hey, we had a hack, and then they tell you who to report to in the government? Or how do people know what to do with that?

So once you have an incident, at the very beginning, whether you think it's going to turn into a giant incident or not, if you have something happen, usually there'll be a channel within your insurance carrier that you can report to. It may not be, okay, this is going to be a breach, but something happened, there was an incident. So you can report that; it doesn't trigger a claim, but you want to have that there so if it does turn into something, you've reported it on time.

So would an example of an incident be someone clicked on a phishing email, and then they realize after they clicked on it, they're like, oh man, that's not legitimate, but they're not sure what actually happened? They didn't see anything on their computer, but they know they clicked something. Is that the type of thing that they would want to report?

So yeah, if you think you may have downloaded something, or if you realized that you put in your password and, wait, this isn't the right landing page, something like that. You're going to want to have these processes throughout your IT team. So smaller companies are probably going to want to submit that.

And then they may call that hotline, the insurance company's hotline?

Yeah, so they may call the hotline and say, hey, this happened. Large organizations are going to have a better understanding because they'll have employees, like a CISO, a chief information security officer, that is going to know what to handle. But usually as a small organization, when something like that happens, you're going to want to be reporting first. And once you have a policy in place, there's going to be a list of: this is what you need to do. So there are actually instructions built into the policy, and you want to take those instructions and make sure that you have it understood within your employees how and where things need to be escalated, and then at what point that gets reported. So that's something that we can workshop within an individual company.

Okay, all right. And this looks like sort of a wrap-up slide for you?

Yeah, after this I have a couple of examples of losses.

Okay, let's move through those, because we are taking more time than I thought we would. People love case studies, so let's talk about this.

Yeah, so this is an example of a customer; it's 25 million in revenue, 120 employees. They were just corresponding, they thought they were talking with the supplier, and somebody got in the middle of that, and they sent fraudulent funds. So it doesn't have to be somebody hacking in. As a joke, people will say hackers don't hack, they log in. So they find your information and they would log in just like you would. So if they get an email, or if they get the email of the law firm or the supplier you're working with, that's pretty common.

Wow. Yeah, now I've heard of this happening. It's super deceptive; people don't realize that they're not talking with their vendor, and yeah, sending them money.

Invoice manipulation is something that we see excluded on some policies. So if somebody takes your invoice and changes things around, because they're in the middle, they're seeing your emails, they can either send those invoices out to your clients without you knowing and have the address changed or have the billing information changed, so your customer thinks they're paying you but they're actually sending money to the hacker.

Yes, wow, okay. Fascinating. And what's this one about?

So this is a larger organization, somebody that was actually working for a government agency, so they had government contracts. One of their environments was encrypted, and then that bad actor stayed in their system long enough to encrypt the other environment. Luckily they had offsite backups, and those backups hadn't been encrypted, so they actually were able to get their systems back in line. But they lost their contract because of the loss, and so there was loss of income, and eventually that company did end up going under.

That's rough. So yeah, even with those offsite backups they couldn't get back up quick enough to not lose that contract? Or is that why they lost the contract, because they couldn't perform on the contract while they...

We don't have... I can't share some of the specifics, but not having the PR in place and not having the right things moving at the right times. So the government understands that people do get breached, and people in the industry understand that, but if you don't handle it properly, to where people think, okay, this company, they had something happen, but they're reliable, they were above board, they did things and they got back to work right away; if this brings you down for a while, it can really affect your position in the supply chain. And that's what happened to this company: their position was affected and they had all these losses, and they could...
That's so hard. All right, well, thank you Rick, that was awesome. And now I'm going to take over for a few minutes and just talk about how Pro Shop can help your companies be more secure and hopefully have lower premiums. So first, just a couple of baseline things. For all of our clients that are in the defense industrial base or any kind of aerospace, or just because they choose to, we can host in the GovCloud, which is a very secure environment with lots of controls; it is designed to be ITAR compliant. Pro Shop itself has lots of ITAR sort of features and functionality to help make compliance easier. And then of course we're working very diligently to make Pro Shop help our clients become certified more easily and less expensively. And lastly, it is our intention, and we are working on starting, to become FedRAMP Moderate certified. It turns out that any cloud service provider, a software company that is hosting or maintaining sensitive data, controlled and classified information, things like that, will have to become FedRAMP certified. So it's a good question to ask your providers, if that's their intention and if they're working towards that as well.

So just a few things that we have put in place over the last couple of years: very tight controls over password rules. We even have built-in schemes, like a CMMC compliance scheme, that predefine things like complexity and how often you have to change them and things like that. We definitely do offer multi-factor authentication; right now that is exclusively through YubiKeys, so it's a physical hardware key. In fact I have mine right here, it looks like that. So you have to have it either plugged in, or just wave it near a Bluetooth reader, or an NFC reader, excuse me. So much more secure than phones, and a lot of shops are going to no cell phones out on the shop floors, so you couldn't have an app for your second factor anyway. Also a lot more controls on audit traceability, lockout functions, privacy and security notices, and then very specific, tailored access to certain users for specific functions. You can even have an admin user that normally doesn't log in as an admin; they log in with lesser credentials and they can do their daily job, but if they have to do admin-type things, that's just an additional sort of access that they have to turn on just for a brief period of time.

And then Pro Shop Safe is a new product that we are launching very soon. We believe it's a pretty revolutionary way to handle file storage and file management. It basically allows very granular control over which users have access to which files and folders in the file system, all through the credentials and authentication of your Pro Shop login, and it's designed to help you be compliant with the CMMC and ITAR standards for sensitive data storage. I'll show you another slide in a second here, but for the majority of our customers that would be cloud storage; we do also have the on-prem options, but I'll talk more about that in a second. We believe the cloud storage is considerably more secure. It basically only allows file access to each user for the duration of time that they're logged into Pro Shop; as soon as they log out, all that access is instantly eliminated.

So this is a traditional company with an on-site server storing all their drawings and their models and things like that, both physically in paper form and in digital form. They have lots of CUI within their company, on lots of devices. Let's say your salesperson or your estimator has a laptop they take home; that CUI is stored on those devices. There's a lot of footprint for attacks: someone loses their laptop at a coffee shop, or it gets broken into in their car, that's a potential breach. We believe that it is entirely possible, and we already have clients really doing this, to eliminate any CUI, physical or digital or otherwise, within the company and have it stored only in the cloud. Even when you have employees like programmers that are programming to their CAD models, they are doing that in working directories within the cloud environment, not on your local network. So as soon as they close out their Mastercam or whatever, that temporary storage that was in the memory of their computer is cleared out, and there was never an actual file stored on their local device. So theoretically someone could break into your shop, steal all your computers, go hack through them, and there will be no CUI or no leakage at all. So we believe that it's going to make it considerably easier and less expensive to maintain compliance.

So here's an example of two different types of access. You have a machinist, and they are in a certain, what we call a file security group, and they have access to just the drawings and the G-code folder and maybe this folder so they can see pictures of their setup, but they can't see or look at anything else. Versus a project manager that might have complete access to all the folders within a certain client part number, because they need to, to do their jobs. So really limiting the scope of who can see what. And this same access also translates right into the browser experience. So if someone logs into Pro Shop, they go to a setup page for a part number they're going to be working on, they can pull up the drawing in Pro Shop, they can see the photos of the setup or the video of how that machine is supposed to be set up, right through the browser. But a different employee that isn't supposed to have access to those things, when they log in with their credentials and their two-factor key, they will not see any of those things within the browser experience. So they won't see pictures, they won't see the links, or the links won't work to go to certain folders or images or things like that. So really pretty easy on the shop floor, and it's only with your Pro Shop login. So we're very excited about bringing that out. We
think that's just going to be super powerful to help customers keep that data locked down. So we have what, two or three minutes left here. So a couple of questions, let's start here: aside from phishing emails, what are some common vulnerabilities and points of entry for bad actors? Thank you, David, great question.

So open ports, and that's something that we talked about with the carrier scans. So they'll be able to see if there are any open windows or ways to just sign into your network. So a lot of products that you may buy may have a standard login or admin, and those not being changed or closed down can make it to where, you know, hackers don't hack, they log in. They'll find that and they'll log in with the stock information and be able to access your system.

Got it, okay. And what is the typical cost for, like, a 20-person manufacturing company that's in the defense space?

Yeah, so a 20-person company, you're looking at three to four million in sales, possibly. I would say you would be at around three to four thousand, maybe, for cyber insurance for the year, maybe up to 5,000, depending on your controls in your organization. A lot of clients that I've talked to, before we actually got into it, they were like, no, I don't need cyber, because they thought it was going to be 25,000, $50,000.

Right.

But $3 to $4,000 a year if you're a small business. You can usually use the general rule of $1,000 per million in sales.

Okay, that seems to fit.

And I would say that would just be if you're an average company with average controls. If you're working through CMMC and you have some really great controls and you can show that, you're going to see lower. And then if you just have a bunch of old systems, you may not get coverage, or you may be paying considerably more.

Okay. It is the top of the hour; we have a few more questions. Are you okay for a few more minutes, Rick?

Absolutely.

All right, we'll stick around. Obviously the recording of this will come out if you need to jump off to another meeting; thank you for joining us, those that couldn't stay. So another question here: are there any special considerations if you have employees working remotely?

So yes, one of the things, as far as remote access, is going to be something that you're going to need to look into, as far as having those proper controls in place. If you're working in the cloud, that makes things a lot easier, but having a VPN is something that would be important, especially if you're traveling or working from home. So there are some things you want to have in place, but it's very doable.

Okay. And then Megan asks, what if someone has added coverage in a package policy versus a standalone policy?

So in manufacturing, a lot of times we see the coverages that are included in a package to be very limited. So they've either taken, okay, this is where we're having all their losses, let's just get rid of this or limit this piece of coverage, and then we'll be able to compete with the people who are specializing in that field. So you may feel like you're covered, but you're not actually covered for the most likely scenarios. So you have bars on the windows and everything is great, but the front door's open.

Got it, okay. And then a question here for me: is Pro Shop's file storage encrypted? And yes, with Pro Shop Safe it's encrypted in transit and at rest, and the backups are encrypted as well.

So those are three questions you're going to see on an application, almost exactly like that: where are your files, are they encrypted at rest, in transit.

Right. And then the last question, I think, before we wrap it up: what is the best way to do employee training, since that's the most common way people come in?

Yeah, so a lot of the carriers, almost everyone that I work with, provide free employee training for you and for all of your employees at no additional cost. So that's one thing to look at. And I just want to end with, I know there's some doom and gloom with some of the things they're presenting, but it's affordable, and we're actually seeing these giant catastrophic losses be consistently less because people have people in their corner. So it's a thing; you want to be resilient, but if you have things in place, I think you're going to have a great 2023, 2024.

Awesome. Well, Rick, thank you so much. I know I definitely learned a ton, I'm sure others did as well, and I just appreciate your enthusiasm for helping our manufacturers stay safe.

If you want to reach out to me on LinkedIn, I put a link in the chat, but if you type R Rosenberry, it's me and a dog groomer.

Awesome, all right. Thank you, Rick. Thank you, all of you, for joining us today; I'm sure you took away some valuable stuff. If you want to reach out to Rick, connect with him on LinkedIn, here's his information. Obviously you know how to reach us. And yeah, it sounds, Rick, like if you're going to get insurance, it's a really prudent thing to go through someone like yourselves to really make sure you're getting what you need and not getting what you don't need.

Yeah, yeah, awesome.

All right, well, thank you everybody, appreciate you joining us today, and have a good rest of your day and good rest of your month. All right, thank you, everyone.