ATO Podcast

#77 CyberFin for Cyber Security with Daniel Metcalf

Brad Boldt Season 2 Episode 77

In this episode, I connect with Daniel Metcalf, co-founder of CyberFin. CyberFin specializes in cybersecurity for the insurance industry. This is a solution that many of us in the insurance industry needed. We discuss the origin of and the need for a cybersecurity solution, how CyberFin protects our data, common mistakes insurance agencies make, the cyber crime that Daniel has witnessed, and some of the regulations for protecting our data. This is a very informational episode for the insurance industry.

  • 0:00 🛡️ Introduction to Cybersecurity Services for Insurance Agencies
  • 3:16 🚫 Cybersecurity Protection and Threat Prevention
  • 7:45 📧 Email Threat Prevention and AI-Powered Cybercrime
  • 12:24 ⚙️ Cybersecurity Practices and Incident Response Planning
  • 17:27 📄 Cyber Liability Insurance Adoption in the Insurance Industry
  • 24:04 📊 Cybersecurity Regulations for Insurance Agencies
  • 27:25 💻 IT Services and Cybersecurity for Insurance Agencies
  • 34:06 🏁 Wrap-Up

https://www.linkedin.com/in/danielmetcalf/

https://cyberfin.net/

Brad Boldt:

Welcome back, everyone, to another episode of the Agents to Owners podcast. With me today I have Mr. Daniel Metcalf, co-founder of CyberFin. CyberFin provides cybersecurity specializing in the insurance and financial sector. Daniel has an extensive background in cybersecurity. And it we might get into that as well today. So looking forward to him educating us today on how we can better protect our small businesses. Welcome to the show, Daniel.

Unknown:

Thanks for having me. So honored to be here. I appreciate it. Yeah, man, thanks. Thanks for being here. Appreciate it. Got to know Daniel a little bit. CyberFin just set up recently our cybersecurity. Really, really happy with that, really happy to be aboveboard with the state and properly protected, as all of our insurance agencies and small businesses should, so, and it was really, it was really impressed with the process. So I really look forward to learning more about everything CyberFin does today and a little bit about you. And so why don't we start there? Why don't you tell us a little bit about your background and tell us how CyberFin was created. Alright, yeah, I appreciate that. So yeah. So again, Daniel Metcalf, I'm the co-founder and president of CyberFin. I have the best job at CyberFin. I get to do all the education and build all the services and all the systems, because my whole background has been in providing technology solutions to business challenges. So I spent 15-plus years in the insurance, banking, financial institutions, financial services world, bringing technology solutions to their business challenges, whether it's from e-commerce or digital marketing, IT, cybersecurity, physical security, and bringing the teams together as well to help manage that. And that's what CyberFin is. CyberFin is a service, we're a cybersecurity service, simplifying cybersecurity for insurance agents and financial services brokerages and their customers. So I'll give you the story real quick, Brad. CyberFin was born out of insurance. So my co-founder and business partner, Chris Steffel, owned, still owns, a life insurance wholesale agency. Through a mutual friend, he was introduced to me, because he's like, Hey, Daniel, in 2019,
insurance agencies now are regulated under HIPAA if they take personal health information, so that's going to include life insurance, senior health insurance, employee benefits, you name it, right? Then it started including more PCI, you know, credit information, personally identifiable information. Like, we're regulated now, and I'm just not feeling very comfortable that I'm able to protect my clients' data. Will you come look at it for me, with your experience in banks and credit unions? I'm like, Sure, I'll take a look at it. And, you know, unbeknownst to him, after spending 90 days and $30,000 on what he believes, you know, as a techie person, what he believed is protection, he was neither protected nor compliant. And so that set off the whole, can you build me something, right? Can you build me something for my agency? Through our mutual friend, I said, Absolutely. So we put together a cybersecurity service. And that came with a tech stack and with the actual people to manage it, right, for his agency. He's like, Hey, I have a whole set of customers of other agency owners and independent brokers who aren't going to know how to protect themselves, right, A, from the right technology, and B, probably have no idea that they're being, you know, what the fines are going to be, what they need to have to be compliant and all those. Let's go do this for their, you know, for those customers that want to. So that's where CyberFin was born. So we created a company together so that we could go and protect his customers from that side. And then it just went throughout the country. Right. So we've been in business for four years. We represent insurance agencies all over the country. We're in 20-some states, from time zone to time zone, and we're actually starting to work internationally too. But a year and a half ago, Brad, one of our insurance agency friends called us and said, Hey, what you're doing for us was great.
I have a customer who is trying to get renewed for cyber liability insurance, and they got denied. Can you look at their stuff? Can you help me with the underwriting? We need to get them insurance. So I said, Yeah, go ahead, send me the application. We went through the application together. We showed them where the protocols needed to change. And so we added the CyberFin protocols, and they actually got the insurance, right. So they got approved. They go through underwriting, and they'd been through a breach before; they had better premium than they had before and higher coverage. So we're in the two sides of business: not only are we protecting insurance agencies, but we're helping them with their clients as well and protecting their clients.

Brad Boldt:

Yeah. Wow. So let's talk a little bit about what it is that that you actually do with the security. So, you know, in that example. And I've seen that too. It's on just about every cyber liability application of what kind of security you have. So what what does and I know you have different levels of, of protection that you offer, what are typically the levels of protection that are required to be compliant? Yeah,

Unknown:

so we really break it down into two. Again, our whole goal is to make it simple, right? We break it down into two separate categories. Whether it's for cyber liability insurance, whether it's to protect yourself, or whether it's for compliance, it really comes down to two buckets. You have the provider, you need to have reasonable cybersecurity put into place, right, is your first bucket. Your second bucket is you need to be able to remediate, report and recover any data breach that's going on from that standpoint, and I can break those down for you. So what we offer in cybersecurity is service. Let's start with the protection side, right? We have a cyber posture that's a little different than what's been going on prior to about four years ago, right? Our posture is, instead of putting cybersecurity around the castle, right, around the business, let's put cybersecurity and layered cybersecurity between each person, each user within the company, right down to the one user. So even an independent broker or independent company can use it and do this and that. When we're talking about what does reasonable cybersecurity look like, I'm going to tell you the factors real quick on what that looks like. It starts with endpoint protection: you need to make sure that you have endpoint protection on each device that's being monitored 24 by seven. The second is you need to make sure every inbound email is being filtered for certain types of attacks: business email compromise, malware, ransomware, things like that. The next is you need to have a secure internet portal and make sure that any data that's being transferred from that internet portal is being monitored, right, that it's a secure portal, and it's a private connection. And then you need to make sure you have multi-factor authentication included. So those four things, right, are what each cyber liability insurance is going to look for, right, or the state, or even just to be protected.
And you need all of those around every single user, not just the company as a whole, right? When they're in and out of the office or, you know, in one location location has follow them around wherever they go, that's how you're going to severely lower your risk to an attack. And from a finer or you want to make sure that you get the best insurance possible be able to get the best insurance. It's those four things. So when we talk about the other side, which is can you remediate, can you? Can you report and can you recover? Those are the other side of the services. Right? So do you have your backups in place? Right? Are your backups off off domain? On? Or do you have a solid state backup? If you have, if you have on your devices, right or both? Are you making sure that you have incident reporting? Do you have a way of being able to report to each state that you have to report to to each of the associations like HIPAA or FINRA or the SEC or FTC, right? Do you have the right reporting structure in place? Do you have a written information security policy in place? You know, so that you know how to react and respond to this right? Letting your customers know, letting their employees know, right? Being able to do credit, restoration if necessary? And then can you recover? Can you recover that data? Do you have the right backups in place so that you can recover? So that if it's under ransomware, you can say yep, Nope, we're good. I can go recover that data somewhere else, right. So your customer feels good that their data has not been compromised, that that you can go in and do that. So those are the two levels that we that we provide. So you can either have this do protection, or you can always do protection, compliance. It's whatever you as the agency owner don't want to have to manage or the band's owner, right. Because you know, you didn't go to I don't know about you, Brad, but I don't think you went to school to become a cybersecurity guard.

Brad Boldt:

No, right. I think you're an insurance agent either, but

Unknown:

I don't think that you from what I can tell you, you appreciate doing insurance more than cybersecurity. Yeah. Yeah, from that sample.

Brad Boldt:

So there's a lot a lot there. And we'll try to keep it you know, basic as we can. And you know, I do have about probably a with this sort of thing about fourth grade education. So what what is the endpoint protection that you're essentially putting putting on the systems

Unknown:

Perfect. So, just to give some context, our multi-layered solution means, one, it's all through those layers I talked about: endpoint protection, email protection, internet protection, and then multi-factor authentication. It's all layered together in one tech stack. It's not our tech stack. It's enterprise-level tools that I'll talk about individually, all meshed together, that we put on the user's device, email, internet usage. And it's all monitored, managed 24 by seven, 365, at CyberFin security operation center, that's located in Minnesota, but as a separate, it's distributed throughout the entire country. So let's have one, endpoint protection. Endpoint protection is antivirus on steroids, right? Our endpoint protection in particular that we use, it looks for anomalies on the computer, right? So it's not just saying, Hey, here's a database of viruses that we've heard out there, is this coming into the computer? It's doing that, and it's looking for the different anomalies within the device to say, hey, this document is not supposed to be there. Hey, for some reason, this software is sending traffic through the internet to Russia, right? So it can recognize it and stop it, and all the different alerts and anomalies it's looking for, it's actually monitoring that and then letting a human know, hey, this is going on right now, I think we need to take care of this, right? And then human gets involved, and that's the security operation. That's no good

Brad Boldt:

protection. Okay. Okay. So and then on the which, which you and I talked previously to me, you know, probably the most common threat to us is, or what I found to be the most common threats is, is email is and, and most of the breaches come from employee error. Responding to, you know, a link, they shouldn't maybe they received a bogus invoice, went to the bookkeeper, gotta pay whatever it is. Talk about what the filtering process looks like, how that how that helps protect us. Yeah,

Unknown:

so what we call email Threat Prevention is the name of the tool. And what it does is it filters every single email that comes inbound of all the users inside your email platform, whether it's Outlook or Google Workspace, right? And what it's doing is, not only is it looking for, again, it's always about anomalies, right, we're looking for anomalies inside the emails themselves, right? You know, is the attachment not really an attachment, it's a link? Does it look like it's a phishing email? Does it look like it's a spear phishing email? Does it look like it has nefarious code in the background? And it's reading, right, that is not reading the data, it's reading the context of the email to make sure that, okay, is this a legitimate email? Is it coming from a legitimate source? Should it really go into the inbox? If at any time it doesn't, it goes into a quarantine, right, that you have access to anytime. It goes into a quarantine report. It says, Hey, this is an advanced threat. We know this is a bad email, you can't do anything with it. We're just telling you, it's an advanced threat. Or it's like, hey, we think this is spam, you know, but if you really think you needed it, you can release that email, right? That's kind of the end, it's filtering all that. Now, one of the keys to our email threat prevention that others don't have is we rewrite, because you're talking about employee issues, right? So first of all, we slow everybody down, because, hey, we're making sure the email should actually end up in their inbox or not. Right. The second thing is we rewrite all the URLs. So our software rewrites the URL so that it goes through our private network, in our servers first. So if you click on a link, it goes, Hey, is this supposed to be going to the right places, this link bad link actually rewrites overtop of it.
So that our software can go, hey, is this a legitimate website it's supposed to be going towards, is this something that's actually supposed to happen? So that kind of takes away some of the user error on that side of it. And lastly, we have a remediation system. And what that means is that if we see one email is nefarious, it's not supposed to be there, our tool can, we and our engineers can reach into the email boxes of everybody and pull that email out of there. That way, you don't have to wait for the Brad Boldt email that comes out that says, hey, don't click on this email or don't open it, right? What's the first thing everybody wants to do? Open it? Yeah, click on it. But this allows us to go and actually remediate the emails, and takes that employee onus off, right, because we're removing it. It freaks people out, because, you know, in Outlook, you get that little notification that pops up that says, hey, got an email, then all of a sudden they go in the inbox, it's not there. They're like, ooh, that's scary. But it's a way that we can make sure that we slow down the bad guy. And yeah, and by having that layered protection, endpoint, that email, and that internet protection together, you now can tell, hey, it's just like anything else, right? If they get through the one set of, you know, cyber criminals have ROI too, right? It's all about return on investment. Hey, they got one layer of protection. If I get through that first layer, I might keep going. If I see a second layer of protection, man, I'm just done with this. This is too much work. I'm gonna go on to the next guy. Right? Yeah. And it's the same side on the user error. You know, the more gates that we put in there to slow people down, to say, Is this legitimate? Should I be worried, or should I be clicking on this, should I be doing something with this? Or just removing it out of their line of sight, allows you to severely lower the risk of an attack.

Brad Boldt:

My own theory Do you think that these phishing emails have improved with AI? Because, you know, I receive at least one a day. And in most time, they're so blatantly obvious, right? But I feel like they've gotten better over the course of the last, you know, maybe a year where, you know, they're just in so I wonder if that's because a lot of it is, you know, maybe it's whatever, it's just improper English or just how you speak? I mean, but I feel like that I don't see as many of those. Is there any evidence of that at all? You know?

Unknown:

Yes, absolutely. So think about from this from the standpoint of a criminal, right. Because of the of the introduction of AI, because the introduction of some some tools, it is now more return on investment for them, right, they are going to get more money, and steal more money, because they can now hit 1000 small business owners at a time and agency owner at a time, where instead of 1000 attacks against a big company, right, so they can actually collect more by going after the after the volume of majority of companies than one big company. So what are they going to do, they're going to try to find a way to perfect their system. And just like all of us and Mark using AI, right to try to not only to try to, you know, continue to learn, but they don't get tired, they don't have to worry about writing a script, they don't have to test things out AI doesn't, right. So they're using that as a way to build better and better and better. And not only that, but execute more attacks at a time. Right? So by saying, Hey, I never click on those things, or Oh, yeah, I'm pretty good about it. Or, you know, my employees. Yeah, we do a good job educating, you probably do, but that's the bad guys know that too. And so they're going to try to find a way around it. Because it's a $3 trillion. And cybercrime is a $3 trillion industry, they're going to find a way that nation states, entire GDPs for certain programs, right? We're not just going against kids in their basements anymore, it shouldn't stereotype but its entire country's armed forces are doing this as a way to try to make money for their, you know, for their, their country.

Brad Boldt:

What are you seeing common specific in the insurance industry, from breaches and from cyber criminals?

Unknown:

Yeah, 100%. And so this is one of the other reasons why CyberFin came into existence: we saw an agency in the middle of Illinois, right, been in business for 25 years, right, just minding its own business and providing insurance. Through business email compromise, and through them getting their credentials into a quoting engine, ended up having 25,000 records stolen from the quoting engine using their credentials. That company said, You're liable for all that data being stolen. So then that agency couldn't pay for the remediation, couldn't pay the fines, couldn't pay the reputation hit that it took for being responsible for that issue. So they are gone off the planet, right? Went out of business, shut the doors. All those people that for all those years relied on them to give insurance in the middle of Illinois had to find a different option. That's why CyberFin's in existence today. We never want to see another agency go out of business for something that's preventable, like, protect themselves from business email compromise, from losing their credit, you know, their credentials being given up on a carrier, you know, for a carrier quoting engine, or for their CRM, or you know, someone's all their health information gets downloaded. We never want to see that happen again. That's our mission at CyberFin. That's what we're trying to do. And so that's the number one fear, right? Or that's the number one thing that should keep an agency owner up at night, that they're looking to try to use you as a way to make more money. They're trying to use you and your data and your access through business email compromise, phishing, spear phishing, we've talked about those, right? And through finding and getting your credentials to use it against you or to sell it, or just sell the data on the dark web and make a couple bucks.

Brad Boldt:

what you know, what are some other the the security practices that business owners should implement to protect their companies, their company's data, their customers data? Is this all kind of encompassing, you know, say in the cyber fin package, or, you know, what should we be doing to protect our data?

Unknown:

Yeah, layered security is the first thing to think about, right? How are we layering our security? Yes, and it is, it is complete and comprehensive with the CyberFin solution, because we're a service, right, we're a managed service for cybersecurity. And so we have to be comprehensive. And so, you know, it's the layered security: making sure every single employee has multi-factor authentication, you know, before they can access the device or access any type of email or customer data; make sure that your endpoints are being monitored 24 by seven; make sure that you have every email being filtered on the way in; make sure that you're under a secure internet portal, especially if they're working from home. If you have, you know, if they're on shared Wi-Fi with the person that has, you know, maybe they have a partner or spouse or kids that like to play video games, right? So those video games, like, they have huge open internet portals that they work off of. They can certainly get into your network through those internet portals, right? So we have to think about how do we put the layered security around everybody in the environment that they're working in, whether it's a Starbucks, it's inside an office building, or it's at their home, or all three of them, you know, all within a given day, right? And then be able to make sure that all that data is backed up and can be recovered. So with off-domain backups, not just backed up to a OneDrive that's already on your domain, but backed up on another solution, so that if something were to happen, boom, you can get it remediated, right? And so part of the CyberFin solution, when I say service, it's zero-cost remediation. So if we have to go in and fix something, right, as part of just the cost of working with CyberFin, whether our fee will actually go and fix it, and work on the breach at no extra remediation costs.
But you also want to make sure that we can go back and get the data if something were to happen, right, and be able to recover, recover that data. So those are the areas that I would that I would say that's what you need to have comprehensive within your agency or small business to protect.

Brad Boldt:

So if we do have a breach, what should our incident response plan look like? What

Unknown:

is, well, first of all, you have to have an incident response plan. Right? Second, my recommendation is have cyber liability insurance, because it comes with a breach coach, right? So you get your breach coach, and you don't call the cybersecurity company first. You don't call the IT person, you don't even call the owner. The first thing, if you know it, boom, you call your breach coach, right, because they're the ones that are going to make sure that all the protocols that you've now put in place. So things that you should have in your incident response plan is: call breach coach, make sure all that information is public, everybody knows it, but we're doing that. Then it should include all the other people that need to be notified. Right? It should then also include, okay, how are we, the steps taken: identify what data that the person had access to those breached, be able to make sure that we know that we can remediate the situation and recover the data, the circuit as possible. That's what needs to be in your incident response plan. You can, you know, obviously, there's compliance individuals, there's lots of people that can provide you that. We have a service that we can also introduce you to that can help you with those incident response plans. The other is putting policies in place. So not only is it about the response plan, but what policies are you putting in place to also have a cyber secure environment? Right? Hey, policy is you only use business only devices, right? Policy is the only use business ownself mobile devices. The policy is there's no social media being used on these particular devices unless it's approved and for business, right, as an example. So those policies also help. You know, having policies that we do employee awareness training on an annual basis, you'll pay anyone, and then you get tests once a quarter, once a month, right. But all those things put a security mindset in your organization.
And that's what's going to also help you with the internal issue too, right? So that those are some things that again, you can either there's plenty of resources that you can go get yourself or if you if you'd like we have we have people we can refer you to or different services, we can refer you to do that.

Brad Boldt:

Do you have any idea how many, say, insurance agencies, or, you know, even in the financial sector, how many of these companies, agencies have cyber liability insurance in place? And two parts of this question. If you don't have statistics on it, fine. I'm just kind of curious on minor things. I don't have any numbers on that. I would venture to guess it's low. I don't know. And then since you guys have been in business for three years, three years going on four, how difficult of a sell is it for you guys to put in this security specifically to the insurance industry? I would guess, because to me, it's, you're right, this is something that would keep me up at night. I mean, I've had cyber liability insurance for maybe, maybe five, six, seven years, something like that. It's been a long time. And we did have a breach. A number of years ago, someone hacked into my, got into my email, sent out a message to every one of my last messages that I sent out. In fact, you know, this person, or these criminals, have a better contact list than I do. I wanted to, I would have bought my contact list. Thankfully, nothing came of it as far as monetary damages. But any idea, roughly, the percentage of agencies that have cyber liability insurance? If you don't have it, fine. I'm just wondering if you've come across

Unknown:

that. Yeah. So we offer, here's what I can do. Right. So we offer a cybersecurity assessment prior to us having any engagement with the insurance agency. I personally do well over 70% of those assessments myself, because I want to make sure that we're, you know, that we're getting the assessments on that side, and I bet of the 70% that I do for insurance agents, maybe 30% of the agencies actually have cyber liability insurance, would be my guess. And I definitely know it's less than 50%. Especially standalone policies. If they do have it, a lot of them are like an add-on to the E&O insurance that they're required to have. Right. So then I just don't count that as cyber liability insurance, right? Or like a rider.

Brad Boldt:

Yeah. It's not nearly as in depth

Unknown:

protection is. Yeah. And the coverages just aren't there. I mean, yeah, they're just not there if something were to happen. So from that side of it, and yes, it's been difficult from time to time to get insurance agencies to buy CyberFin service. And I'll give you the three reasons that we overcome. One is, hey, look, when we first started four years ago, everybody was like, I'm too small. I'm an agent. No one's ever gonna hit me. Right? Well, then they start seeing the stories, and they've heard of other agencies like yours, Brad, that have, and they're like, Okay, wait a minute. Yeah, we're all under attack. So that started to go from that standpoint, but it's still out there. Right. The other is that, hey, I do a little bit already. Right. You know, I have some stuff. Yeah, right. I have an IT guy that sold me some stuff. Right. And I love IT. You've already mentioned I do have access to outsourced IT services. I love IT. I think IT is great. But they're great at IT. They too did not go to school to be a cybersecurity guard. Right? Yeah. And a lot of times they're worried about productivity, they're not worried about security. So we've talked to our IT person, and they're like, hey, you know, oh, yeah, I gave you this, this, this, this should do it. Right. But they can't monitor it 24 by seven. They gotta go on, you know, they go on vacation, they don't have staff sitting around the clock looking at this kind of thing. That's just not what they built their business off of. Right. So, you know, and that's why I still believe that it is a $3 trillion. Crime is still a $3 trillion industry, because we've relied on the IT, you know, we've just handed it over to the IT people, which wasn't fair to them, in my opinion, right. They're trying the best they can.
And then And then lastly, it's, you know, am I a do it yourself type of agency owner, a lot of them are right, they they've started their own agencies, they do everything themselves. Yeah. Do I really want a third party company to do my cybersecurity for me too? Or can I do a better job doing it myself or my more, right? And so we just have to, you know, we just need to overcome, hey, if you want to do it yourself, I can provide provide you some tips and tricks and you can you know, as long as I feel better that you're going to follow those tips and tricks, then we hit our mission, right? If you're like, Hey, I'd love somebody else, just to do it for us, just like we hear every single day. And then we're here for you. Right? Well, we're gonna manage it for you. And you have the peace of mind that somebody knows what they're doing is doing it. Yeah.

Brad Boldt:

I'm one of those dummies, that's kind of a do it yourself guy. I where I started. And here, let me just put this VPN on every one of my and I'm like, What am I doing? I don't know what I'm doing. I just this is just an expense that I have to have. I mean, that is just something I need to need to take care of. Talk a little bit about from a compliance standpoint, and I'm sure every state is different. What does well, we'll talk about our state of Minnesota, what that looks like, what do we have to do to be compliant in our state? And, you know, is that common throughout the rest of the country?

Unknown:

Yeah, and I'm just gonna repeat myself. If just if you wanted to make a blanket statement here in many states, the two things that you have to think about for your agency is Do I have reasonable cybersecurity in place? And can I report right do I have everybody I need to report to and can I report that incident recover from it right? within a certain timeframe? Right. So if you think Give yourself saying though, the shortest timeframe is New York, which is like 48 hours, right? So the longest timeframe is like you have 30 days, in many instances from that standpoint. But if you think of those two things, and everybody puts that in their mind, one, right, hey, do I have reasonable cybersecurity in place? And I've already listed off what reasonable looks like, right, starting with 24? By seven monitoring to, right, can I report? Do I have the right people to report to? And am I going to get it out in time, right? Because what the DLCs are saying, and I'll tell you a minute, so So what all the department commerce and insurance are saying is, we're not going to end even HIPAA inaccurate, like, we're not going to go on witch hunts, right, we're going to do our due diligence, and our audits. But if all we hear is from one consumer, right talk all over the country, if one consumer says I believe my information was taken from this agency, that's when they're coming in with a hammer. Right, that's, that's when they're gonna, that's when they're going to really lock it down. And I'm sure open up the entire agency. So Minnesota says, any size agency, you need to report an incident. So even though under the one person, you have to have the ability to report an incident, you have to have a written information security policy, right, or an incident plan that written an incident policy where you can report to us if anything happens. 
So in NAV, this whole little list of things that you have to fill out, right, that a lot of agencies probably don't know that they have to be able to fill out as your agency grows into certain sizes, right. And as you're taking on more and more data, you have to have a written information security policy in place. And you have to have reasonable cybersecurity in place, being able to monitor and be able to report an incident. That's what the state of Minnesota is asking you to do. And you have to report that incident. I think the time has changed, so I'd have to look it up again. But you have only a certain amount of time that you can report that incident. So Minnesota has done a great job, at least bringing it to the attention that hey, we are going to start to regulate some of this, right? Other states are much more stringent, HIPAA's very stringent. I mean, it's black and white. The fines are minimum $100. Right? If you don't follow those two things I mentioned, minimum 100. Most of the fines are $50 per bellybutton. So $50 per people that are, you know, of data that you contain up to a million and a half dollars per year per incident. So if it's been happening for three years, and it's this egregious, you could end up paying one and a half, up to one and a half million dollars for those however many years back that they have to go back.

Brad Boldt:

Do you have some examples of people that have been fined? I've heard through the grapevine of some that have been very substantial. And what have you heard out there for states that have fined people?

Unknown:

Most of the fines that we, like said, you know, it's not very public, as far as that's concerned, but the fines that we're hearing are on that level of, hey, you did not report this incident, we heard from a consumer, we're gonna fine you between, you know, I've heard as high as two owner or as low as 250,000, to half a million dollars in a fine, for, right, all of these egregious things, because you didn't even report to us and you don't even have anything in place to be able to recover from it or whatever it might be. And then it starts opening the doors into other things that they can start looking for inside your agency beyond just the cyber, right, once they're in there. They're gonna look for other things, too. So those are just some examples. And that one in Illinois, the one that really what broke the camel's back on that one was the amount of fines that they were gonna have to pay. Just wasn't worth it. Right.

Brad Boldt:

Yeah, and I've heard of somebody here fairly local to me that had a $10,000 fine, you know, after they had a breach, you know, it's as if the breach isn't enough, you know, and then they had to do that, which, again, I don't know if that was appealed and knocked down in any way. It's nasty. And I believe that ours, in our state, came through in August of 23. Are most other states consistent with having regulations like we have here?

Unknown:

Yeah, they have decided that the NAIC Model Law, they can go look up, right, the NAIC. NAIC Model Law is one that they can use as an infrastructure that they can use in each state, and then they tweak it based on what they feel is necessary, state by state. Right. And I think the NAIC model has been accepted by these 23 states now or 24 states now, from that standpoint, and they all have a different flavor of it. And then each state has their own department of commerce, right, like Colorado, that I can think of, Washington, New York. The three new no North Carolina there, they actually can be on top of it of just being a business owner. So yes, you have your insurance one, and you have as being a business owner. And they might even have other laws inside of that, too, depending on what type of agency you are, and what type of information that you're gathering, how much information that you're gathering. So it can get really confusing fast, right? So that's what we're always saying, like, hey, work with somebody that can help you put the right protocols in place by the states that you're in. And then let's make sure you meet those two minimum guidelines. Reasonable cybersecurity, and I know how to report. Yeah.

Brad Boldt:

Let's pivot a little bit to your IT service, which I think, you know, that's another area that a lot of I know, insurance agencies, specifically independent insurance agencies need help with? And so talk about that company a little bit and services that you can provide there.

Unknown:

Yeah, so we at CyberFin completely believe in the separation of the companies of IT and security. They should be in conjunction with each other, but they should not be the same function. Right. So we do have an eye, you know, based on requests from our insurance agency friends in some other companies, they've requested for Yeah, but we also did IT services too, right, but we don't need it fully managed, necessarily, some do. But a lot of times, it's just hey, DS, MIT services that we can connect to, to be able to do that. So we created an IT services specifically for insurance agents, insurtechs, right, so in the insurance industry, on that side, it includes everything from helpdesk down to software developer sell software development resources, right. So whether it's website development, or like if an insurtech needs, use some software, or if an agency wants to, you know, wants to create some of their own custom software and customer processes, you know, depending on the size, we also software development, so everything in between when it comes to IT outsource that's not security sits within with inside instinctive it.

Brad Boldt:

Okay. So does that work on like a subscription basis? Or is it a Tyree?

Unknown:

Three different ways that works with, right? So CyberFin's complete subscription base, right? You know that yourself, right? It's on a per user per month, based on what we're putting into place, and sometimes per building, depending on the size or agency, right? It's all per user per month. No onboarding fees. No, you know, for less than a cell phone bill, right, half of a cell phone bill, you can meet those requirements. And it's all per user per month.

Brad Boldt:

Which sounds pretty reasonable, because I've checked out, you know, outsourcing of IT, and some of them can be $300, $500 a month.

Unknown:

Right? Yeah, ours on average of $65 per user per month. On average, for on the cybersecurity side. On the IT side, we do it a little different, because we know the level of what many agencies need for IT support. It could be once a month, right, patch update, you know, updating our computers, maybe we need to replace a computer, maybe, oh, I have an old my old 365 down again, or I need to add a SharePoint folder or something like that, right? So we have that pay-as-you-go model, right? You pay, right? You can even, if you need a budget, well, you'll say hey, I need certain amount of hours, like we call it a bucket of hours, right? I'm just wanting to make sure that I know that I'm paying, you know, 200 to $300 a month, and yet you're going to use those hours and it gets done, right. But at least I can flatline my budget. And then we have to call them to say, hey, we need more hours. The last version is you can do it on a larger saying, hey, I want an annual bucket of hours that is split up per month that we were able to do it, but we don't do the all-you-can-eat managed service idea, right? Because it ends up being harder for agencies to say, okay, well, I pay $1,000 a month, let's say, or $500 a month, and they want to do a project and they want it to all fit underneath that hourly rate, right, and then becomes that conversation. We would rather say let's get your IT done. Right. Let's fit within your budget. Let's have those conversations each time and have that white glove treatment than just the, hey, throw you on the Help Desk, right, and then you're just gonna get treated like everybody else. That's, we don't believe that in IT.

Brad Boldt:

Yeah, I mean, and for me for an IT need. However many computers we have eight or something, you know, I might need it three times a year or something like that, you know, it's fairly small. If people want to, first of all, what's the name of the IT service? I know you said it, I would. But the IT service.

Unknown:

It's McClendon. Oh,

Brad Boldt:

Okay. Okay. And if people want to get a hold of you, and I would strongly recommend it on the cybersecurity side through CyberFin, what's the best way for someone to get in touch with you?

Unknown:

So I've definitely come through the cybersecurity door first and then we can move on to the IT. And it's DM, Daniel Metcalf, DM at cyberfin.net. Okay. And I'll put that in the show notes. Yep, you can find us on cyberfin.net. There's a big button there that you can get your own cyber assessment, because like I said, we all start with cyber assessment from that side of it, and help you in

Brad Boldt:

the name your website, cyberfin.net. Yeah, and I think if I remember right, when I went on there, it basically tells you everything that you want to know, right on your site. Pricing, right,

Unknown:

right. I mean, the price I'm talking about, because again, we just, we, we want to make sure that's custom for you. But on average, our price is $65 per user per month, but it does explain to you everything that's in the service, they explain to you what we're going to do for you how the onboarding is work, you know, what, what the different technologies are? They're all right there for you.

Brad Boldt:

Okay. It was on there for some reason. Maybe it wasn't.

Unknown:

In the future. We're thinking about doing. Okay. Okay.

Brad Boldt:

Daniel, this has been super insightful. Again, if you don't have security in place, I strongly, strongly recommend you check it out. It's a great service. They specialize in insurance agencies. It's something that we just have to have an expense for. We just have to protect our companies and our customers' data. Daniel, thank you very much for taking the time joining me today. Appreciate it. Yeah, and it's been great to kind of get to know you and your system. So yeah, it's been a pleasure. Everyone else to be here. Appreciate it. Yeah, everyone else, thank you for listening to another episode of the Agents to Owners podcast, and we'll see you next week.
