Making Change

Episode 4: Future of Cybersecurity

May 10, 2023 Season 1 Episode 4

As technologies continue to advance, cyber threats have become more sophisticated and frequent, making cybersecurity more important than ever before. 

In this episode, we delve into the impact of new technologies and their potential to create new risks, how businesses should adapt to keep up with these ever-evolving cyber threats, and more. Join our host Matt Sutorius as he speaks with Joseph Brunsman of Brunsman Advisory Group on the future of cybersecurity.



Matt Sutorius  0:12  
Welcome to Making Change, the CPA podcast that has nothing to do with accounting, and everything to do with innovation. I'm your host, Matt Sutorius, and today we're speaking with Joseph Brunsman of Brunsman Advisory Group on the future of cybersecurity.

Joe, thanks for being on the show today.

Joseph Brunsman  0:37  
Thanks, Matt. Good to see you. 

Matt Sutorius  0:39  
So, Joe, we've talked before and you're involved in the cyber insurance industry, which I'll admit is something I had virtually no visibility into before our conversations. Can you kind of at a high level for our listeners, describe what cyber insurance is? When you need it? How it works? Give an overview for those like me who've heard of the concept, but don't know much about it? 

Joseph Brunsman  1:00  
Sure, sure. So, you know, I've written the best selling book in the country on this topic. It's like, two of them, each is about 500 pages long. But fundamentally cyber insurance, it's actually pretty simple, right? So it's kind of like if you're with, say you're standing on the side of the freeway, you're with a car guy, and you're like, "Hey, cool car!", and he goes, "Oh, no, that's a midsize SUV." and you're like, "Well, that's a cool car over there.", and he's like, "Oh, well, that's a two door coupe.", right? At the end of the day, what do they all have in common? Well, they probably have four wheels, steering wheels, seats etc., right? So every cyber policy is going to be different. So, as kind of a free prerequisite here, I will say there's no perfect cyber policy, there's no ideal cyber policy, there's no one cyber company that's necessarily better than another cyber company. It just really depends right now on what's in that insurance contract. Now, with that being said, fundamentally cyber insurance, if you're gonna boil it down, it's two sides, four buckets, and then exclusions. Alright. So, the first side is probably the part that a lot of people don't think about, but they really should. Imagine somebody wants money from your business, typically via lawsuit because of some type of cyber event. And we call that third party coverage, right, third parties are coming after you. The other side is what people traditionally think of as cyber insurance. That's what we call first party coverage. So it's money that your business has to pay, needs to pay, wants to pay, and/or be reimbursed for, following some type of cyber event. Now, that side, I just break it down into four buckets. The first is going to be data breach. So generally speaking, access and acquisition of PII, think credit card information, healthcare information, that type of stuff, or some type of cyber event. So it could be a business email compromise. 
The second bucket is ransomware, and all the component parts that go into dealing with that. The first two buckets are pretty straightforward. Data breach/cyber event, ransomware, that's pretty well ironed out. Fortunately, or unfortunately, depending on the way you look at it, because we've dealt with so many of those in the industry. The third bucket is where it kind of starts going off the rails, and that's going to be loss of funds, right? So, when business owners come to me, and they're like, "Hey, we want coverage for social engineering." My immediate question is, "Well, what's that?", because it just depends. So business owners think like, "Hey, I have this idea of what I want covered.", maybe it's social engineering. That could mean exactly what you want in a cyber policy. It could be exactly what you don't need in a cyber policy. So you really just have to read those definitions to figure out what it is they are actually trying to cover. And then the fourth bucket is what I call "Miscellaneous, Situationally Important". Those are kind of the odds and ends that could flow into the other buckets, depending on what happens. So that could be something like business interruption reimbursement, right? So you go down with ransomware, your business can't generate revenue, like that'd be a big deal for manufacturers. So a cyber policy could step in and help you recoup those losses, or it could be a cryptojacking event. Right? So, bad guy goes into a business email compromise, hits you with cryptojacking software, you get a huge utility bill, all that kind of stuff. So the last bucket is kind of a bunch of odds and ends, but that's the gist. Then you have exclusions.

Matt Sutorius  4:48  
The buckets you have there, is this stuff happening all the time? It feels like every week I'm getting an email from a bank or somewhere I shop that says, "Your information has been compromised in some way.", to the point where mentally, I kind of set it all aside and forget about it, assuming it's gonna be okay. But our business is constantly under threat from this, and has that increased a lot lately?

Joseph Brunsman  5:12  
I think it has. So, you know, with the tension between the US and Russia, and now the increasing tension between the US and China, you just have all these threat actors out there with effectively carte blanche from their host governments, right? Like, as long as they're not attacking someone within their country, then their country doesn't really care. And what we're up against fundamentally, is, you've got some kid, maybe he's got like a 145 IQ, he's in the middle of a dirt poor country. Well, with a dial up connection and a couple of YouTube videos, that kid can make more money than every single ancestor of his combined, in the space of like an hour. Right? So it's either that or go work in a factory, go work in a mine. I mean, what do you think he can pick? Right? He's like, "Oh, these guys have infinite money and I don't. And I see that they have infinite money, and I want some of that." And is he ever gonna get caught? Probably not. Maybe there's no extradition treaty. Maybe he's really good at what he does. Maybe we're just not gonna go after the small bit players because there's so many of them. That he's like, "Yeah, I mean, I'll play the odds." So it's constant, it's never ending. I've probably dealt with something like two cyber events per week for the last four years. It never ends, it never ends.

Matt Sutorius  6:42  
If it's that easy, which I mean, I totally believe it is. How do the economics work for these insurance companies? Is this akin to like, everyone's crashing their car once a week? And the car insurance companies would be paying out constantly? How do they make money off this, or even sustain the business?

Joseph Brunsman  7:02  
So a lot of them, if you dig into, like, there was the National Association of Insurance Commissioners report. These cyber insurance companies are just losing boatloads of money. A lot of this goes into market pressures, a bunch of venture capital private equity guys getting into the cyber market because they're like, "Hey, this thing is growing, rates are low, we need return somewhere. Let's try this." And then, you know, the market pressures from these traditional insurance companies were, "All right, well if we don't do it, somebody else will." Right. So maybe we have five different insurance policies with this company. The last thing we want is one guy to get in, sell a cyber policy, and while he's in there, go, "Hey, you know what, let me look at all this other stuff you got." And they're like, "Oh, he's smart. You know, he does cyber, let's take a look." And then you lose all this other business. So, the numbers are, I'll just say this, business owners have been complaining, and I understand given the current economy. They're like, "My insurance, my cyber policy, it's going up again." And I'm like, "Yeah, and it's gonna go up next year, and it's gonna go up the year after that. And it's gonna go up the year after that, and the year after that, and so on. And it's gonna keep outpacing inflation." You know, I'm an engineer at heart. Got my degree in robotics so I'm not a big fan of anecdotes, I prefer data. But the data is pretty clear that none of the cyber insurance industry really knows how to rate this risk. We don't know how to charge for it. We don't know what the odds are, because there's no centralized data set. So buckle up is maybe the best way to put it unfortunately.

Matt Sutorius  8:45  
If you're a business owner, you know, one of the tools in your tool shed is having cybersecurity, but how do you balance that against your overall security environment? Where would you be investing your money? Is it in prevention? Is it in better network security, cyber insurance? How do all those things play against one another?

Joseph Brunsman  9:05  
This may sound kind of heretical, but I am a huge proponent of defense in depth. Like there are just basic things that companies are doing wrong. They need to hit the fundamentals of cybersecurity down and then view cyber insurance as kind of that break in case of emergency. Right? Businesses for too long, have been saying, "Well, why would I pay for a penetration test? Why would I pay for employee training? Why would I pay for this MSP to come in? When at the end of the day, I have a $5,000 cyber deductible?" And what they're not seeing is, maybe you've gotten away with this so far, but kind of two things. One, if you get hit, you're going to have to implement those controls anyways. Right? And now it's on somebody else's timeline, and you may have two weeks, three weeks, maybe less, to implement those controls, or you just will not have cyber insurance. The other thing you have to think of is if you get hit, your premiums are going up. Because premiums are going up, we have these insurance companies losing money, you have insurance companies where, you know, maybe a business owner sitting there going, "Well, we got a policy. They're not requesting these things yet. They're not demanding anything, we're good." Not true. The cyber insurance industry, obviously not a big fan of, you know, just throwing money out the window as they've done for many, many years now. And so, we've seen where entire industries, or entire industries in certain revenue bands, just get completely blackballed by an insurance company. So what you could have is you could be a business owner out there, and you're like, "Well, I don't have anything in place, but I got a cyber policy." And then maybe two months before renewal, you get a letter in the mail. And it's like, "Hey, thanks for playing, find somebody else." Then, non-renewed, they've got to go back to the open market, and they're quickly going to discover, "Oh, I really do need 2FA, MFA. I need cloud-based backups.", so forth and so on. 
So it's something where, you know, I tell people, "Hey, just because you have a health insurance policy, you wouldn't eat yourself into a diabetic coma." I mean, yeah, the policy is going to respond, but you're not in for a good time. Business owners who have never gone through a cyber event, I don't think really, and they couldn't to be fair, they can't really comprehend just how much pain, and time, and stress that that event will place on their business. And without exception, every company I've seen go through some type of cyber event, they always increase their controls after the fact. Right? So it's like, if all those guys are doing it, insurance companies demanding it, business owners, shareholders, etc., demanding they go through and increase their security posture, it's like, well if they're doing it, the lesson would be, learn from somebody else's pain, not your own, and just start going down that path.

Matt Sutorius  12:26  
Right now, the hot thing in the news is artificial intelligence. You've got ChatGPT and all this stuff that I feel like we've read about in science fiction for 60 years, and we're on the cusp of a sea change in what it means for our regular life and how we work. How does this impact cybersecurity? Is it a good thing? Is it a bad thing? Is it to be determined? What do you think?

Joseph Brunsman  12:53  
I view AI in the same vein as fire. Right? So, fire, it can cook your food, release extra nutrients. The evolutionary biology community, right, they're big into by unlocking fire we were able to take, you know, vegetables that are, you know, have these great compounds in, you know, various phytochemicals that you can't really get unless you cook them, or it changes some of the chemistry of that particular vegetable. Or it can just burn your house down and kill everybody inside. So at least until general AI comes into play, until that point I think it's just something that, you know, business owners, increasingly AI will be more affordable. So there's going to be obviously more and more AI on the cybersecurity front, but then on the same token, it's going to be more and more AI is available to the bad guys to start doing things. So it's just kind of yet another thing that I think business owners, you got to keep tabs on. Make sure you have somebody in your team, whether it's in house or outsourced, right, that's keeping a tab on that stuff. Leverage the technology, but understand that it can also burn your house down. It's like everything else in life, it's got pros and cons. Right? But it's going to be damn interesting, that's for sure.

Matt Sutorius  14:21  
Yeah, I'm really interested in how artificial intelligence in general will change everything we do. And yet, a lot of that comes from being a longtime science fiction fan and the fear that things like Terminator have put into my brain about AI, that maybe a younger generation will not be burdened with in some ways, but there's just so much opportunity to do things differently and you got to think it's going to impact every industry in different ways.

Are we in some kind of an odd transition phase where you've got a lot of business owners who don't know much about cybersecurity, but they're gonna learn, in some cases the hard way, in the next five years, 10 years, and 10 years from now, this market looks very different, because everyone's got better controls in place. But then on the other side, you got bad actors figuring out new ways to exploit those controls. So what does this look like in 10 years?

Joseph Brunsman  15:26  
Hopefully, the robots have taken over all our jobs and we're all sitting on a beach in Tahiti drinking mai tais. I will have fewer gray hairs than I otherwise would have had. I mean, for the foreseeable future, I don't think it's going to be any better, unfortunately, because all the economic incentive is really with the bad guys. Right? So just like we say with terrorism, "We have to be right every time. They only have to be right once." You're fighting people that have nothing to lose, right? Who do you think's gonna win that battle? It's not the business owner, unfortunately. Right. And the business owner, I mean I get it, you know, like, interest rates are high, they have limited resources. You have increasing government regulation come down. You have the plaintiffs bar going after these companies, even smaller companies facing class action claims.

Matt Sutorius  16:21  
If you're a small business owner listening to this podcast, and you're running a cold sweat right now because you haven't thought about this at all, what's step one? What do you do first to address this issue? What's good advice for someone who hasn't thought about it before?

Joseph Brunsman  16:35  
Yeah, so probably what I would do is really two things. And this may sound self serving, but obviously I can't be the insurance guy for everybody in the world. I would say if you've done nothing, go and try and get a cyber policy. Right? See what requirements they have, meet those requirements as quickly as possible, get that policy in place with the understanding that it's a stop gap, right? That's not the final solution. And then just leverage all of these experts that are out there. I mean, there are just thousands of great people who love solving these problems and helping businesses just like whoever it is that's listening to this podcast. They are happy to help you, you know, they have all this knowledge bubbling in their head, and they're like, "God, I wish business owners just knew this thing." Right? And you can leverage those guys, and it's generally not as expensive, I think, as people would imagine. So like the fundamentals of cybersecurity, 3-2-1 backup strategy, immutable backups, you know, password policy, you know, having firewalls, antivirus, you know, MFA/2FA. It's not that expensive, and generally those basics, I mean, those are the fundamentals for a reason, and of all the cyber events I've dealt with, only rarely is it something that's like some super whiz-bang method of entry. Right? A lot of what I deal with is really just so basic. A phishing email, why? Because there was nothing to screen the email coming in. The employee didn't have security awareness training. There were no internal controls around wiring money to somewhere absolutely new and novel, right? It's just real basic stuff like that. So, you know, business owners, go out there, get those experts on your side. It's not as hard as you think, and generally, it's not that expensive. 
Whatever those controls would cost you, I'm pretty confident in saying that every business owner I've dealt with that's had a cyber event, would go back and probably pay triple, with a smile on his face, just to avoid the absolute pain and agony of dealing with that cyber event.

Matt Sutorius  19:00  
Good advice! Joe, thanks for your time today. Thanks for being on the show. Really appreciate it.

Joseph Brunsman  19:06  
Hey, happy to help! Good seeing you again, Matt.

Matt Sutorius  19:11  
And that's our show! Thanks again to Joseph for speaking with us and to you for listening in. Join us next month as we discuss the future of artificial intelligence with Kevin Merlini, entrepreneur in residence at the Allen Institute for AI.