Cybersecurity with Craig Petronella - CMMC, NIST, DFARS, HIPAA, GDPR, ISO27001

PTG Podcast 12-08-20 with Craig Petronella of Petronella Cybersecurity and Digital Forensics and Matt Holcomb of Biltmore Insurance Services on Cybersecurity Insurance

December 08, 2020 Craig Petronella

PTG Podcast 12-08-20 with Craig Petronella of Petronella Cybersecurity and Digital Forensics and Matt Holcomb of Biltmore Insurance Services on Cybersecurity Insurance. In this episode, Craig Petronella and Matt Holcomb discuss various cybercrimes such as phishing, business email compromise, wire fraud, ransomware and malware. Learn how a $100 keylogger malware caused Target, Home Depot, Michaels, Sony and others to get hacked. The time is now to create and update your policies, procedures and security controls. Security awareness training, security risk assessments, penetration testing and continuous security monitoring are essential. Learn how the new CMMC may impact cybersecurity requirements and how vendors are now assessing your risk. Learn what your business needs to show supporting evidence of to ensure that you qualify for cybersecurity insurance and cybercrime insurance, as well as what to look for.

Call 877-468-2721 or visit https://petronellatech.com

NO INVESTMENT ADVICE - The Content is for informational purposes only, you should not construe any such information or other material as legal, tax, investment, financial, or other advice. Nothing contained on our Site or podcast constitutes a solicitation, recommendation, endorsement, or offer by PTG.

Please visit https://compliancearmor.com and https://petronellatech.com for the latest in Cybersecurity and Training.

Matt Holcomb:

Hey! Thanks for having me.

Announcer:

You're listening to Cybersecurity and Compliance with Craig Petronella. Visit us online at Petronellatech.com.

Craig Petronella:

Welcome, Matt. Absolutely. So introduce yourself to my audience if you don't mind.

Matt Holcomb:

Sure. I'm Matt Holcomb. I work with Biltmore Insurance Services here in the greater Atlanta area, focusing on IT security, cyber, data breach, those fields. I've been working in the insurance industry for over 20 years, so I have quite a bit of experience. But like with anything, you always want to try and learn. And with cyber, it's forever changing. It's always something new.

Craig Petronella:

That's right. Great to have you. I appreciate it very much. A lot of folks listen to the podcast, and all of them need cybersecurity insurance. Do you have any tips for them? When they're shopping around, what should they look for? I know that I've heard that some coverage does not include what's called cybercrime. Maybe you could talk a little bit about that.

Matt Holcomb:

Yeah, it's like the property and casualty side. It's not like health insurance, where you buy a policy and it has everything wrapped into it. When it comes to the property and casualty side, everything is kind of à la carte. You may have cyber insurance, but there could be things like money wiring. Any of this stuff may not be covered; it's a secondary that you have to ask for. So some carriers will include things like that. Some carriers will even put a cyber policy on a traditional general liability and wrap it into that coverage amount. But if you're serious, a lot of times you want to break it out and have your standalone cyber policy. Hartford's a really strong carrier that we use. It depends on what you're being asked for as well. So a lot of times when people come to us, they have a contract. Let's say Coca-Cola, for example: we have this contract with them, and before we can do anything, we have to have XYZ. And we'll take a look at their current policies and say, Okay, I see you have cyber, you don't have third-party crime, you don't have data breach, or some things are missing out of this policy. So we're going to have to get those. As I said, Hartford has been around; they were one of the first. They insured Uber before it became a ridesharing company. So just go out and take a look and see what will be a good fit for them. Often, you try to explain to them about price: don't look at price alone. Make sure you're looking at the coverages, because the last thing you want to do is find out what coverage you have when it comes time to claim.

Craig Petronella:

Okay, good information. It sounds like there's almost a menu of services that you offer, and that seems to be ever-changing. Is there somewhere that folks could go to stay up to date or know what questions to ask when they're shopping around?

Matt Holcomb:

That would be us, typically, where I would ask the questions, and we would dig into it. But they can talk to their agent. What will happen is, whenever they come to a carrier, they'll have an application. They have to complete it, pretty much always. Also, the carriers will do a deep dive into that company. They're going to look at their website, and they're going to see everything they do. And then from there, they're going to say they can cover XYZ, or if they cover this, they can only cover it for this limit. You're going to have to go outside to get that. And we try to explain to our clients: if there's something on your website that you don't do anymore, take it off. You'd be surprised how many times someone is doing IT, what I'd call cloud-based stuff, but they may have done something in the past that they dabbled with on the side a little bit. And then, all of a sudden, the carrier looks at it and says, we can't cover that, or we won't cover you at all.

Craig Petronella:

Interesting. What would be a basic example of that, an activity that somebody might do that might disqualify them?

Matt Holcomb:

It's pretty tough in the IT industry. You would have to be doing something that could hurt the company. Say you are a company that had something with rideshare. That's an example. You were a rideshare company, and then, all of a sudden, you morphed into an Uber. So that'd be the reverse of the way Uber did it, because Uber started as an app and then went into the rideshare. And they immediately got excluded from Hartford and had to go elsewhere. So that situation would be a good example.

Craig Petronella:

So again, a business model change, is that accurate then?

Matt Holcomb:

Yes.

Craig Petronella:

So it's kind of going from IT and then doing ridesharing or something so different like that?

Matt Holcomb:

Yes. Or in the situation, as I said, if you did ridesharing in the past as a taxi company, and you like what Uber was doing, you wanted to do just the app for it.

Craig Petronella:

Right.

Matt Holcomb:

And you're not doing taxi services anymore; you're just straight-up the app for all the other taxi companies out there, but you leave on your website "and we also do a taxi service" because someone forgot to take it off. That will immediately trigger the carriers to say, No, we won't take this, because you're not just an app company. You're doing rideshare as well. That's a completely different animal. We don't want it.

Craig Petronella:

So almost the first engagement is that they speak to a professional. You go through a series of questions or interviews with them, drill down into their daily business activities, and score their risks to figure out what might be the best products or services in your portfolio to offer them. Is that fairly accurate?

Matt Holcomb:

Yes, that's very accurate. Let's dive a little deeper into that. We also have companies that will come to us many times and say, Hey, we've got this contract with this company, and they require X dollars of coverage on these certain lines. And the first thing we ask is, what size company are you? They're a $2 million company. They explain that they're being asked to go out to market for 5 million on the underlying GL, and a 5 million crime and cyber. Nobody's going to touch that, because they don't even have enough money. They're not even worth that.

Craig Petronella:

Oh, that's interesting. Let's say my company is a $2 million company, for example, and I want five or $10 million in coverage. You're saying that that's pretty much not possible because the revenues aren't there. Is that true?

Matt Holcomb:

Correct. Yeah. I had a company here in Atlanta that did that. They are embedded in Coke. They do software for Coca-Cola. They had all these limits and all these different coverages, and one of them was just a basic general liability policy and an umbrella. They wanted a 10 million general liability policy.

Craig Petronella:

Wow.

Matt Holcomb:

And then a 10 million umbrella on top of that, so they wanted 20 million coverage.

Craig Petronella:

Oh, my goodness.

Matt Holcomb:

Yeah, they were a $5 million company. We could go anywhere, but Coke was willing to work with them because they wanted to work together, and allowed them to come in with whatever they could reduce it to. And as the company grew to a $50 million company, we were able to increase that so that Coke's limits would be satisfied.

Craig Petronella:

That's very interesting. That's great information. It sounds like the coverage that you're able to get is based on one criterion, which would be your revenue. So if your business is 1 million, then you're probably only going to get 1 million in coverage. If you're 10 million, maybe you'll get 10 million in coverage, with some more detailed interview process. You also mentioned the umbrella policy. Let's use a small business of 1 million as an example. Maybe they could qualify for 1 million in cyber. Could they also get a million in umbrella, for a total of 2 million in coverage?

Matt Holcomb:

It depends. An umbrella doesn't always sit over cyber, so you may have it sit over some of the cyber. But there are things like, for example, professional liability, which goes hand in hand a lot of times with cyber. That is something that covers you for any advice you give. If you recommend something to someone and it doesn't turn out the way they wanted it, they could sue you for giving the wrong information. It was your professional wisdom. You're the one whose professional advice said we need to do this. It didn't work. So we're suing you. An umbrella will not ever sit on that, because that's based on what you've done, whereas general liability is just basically someone trips and falls. Some cybers can have an umbrella sitting on them. But sometimes you have to check with the carriers, a lot of times, and see what they will allow to sit on top of the underlying policies.

Craig Petronella:

So you've got your general coverage. Then you've got a separate umbrella. And then potentially you have cybersecurity coverage, a separate agreement for that. And then you might also want cybercrime coverage.

Matt Holcomb:

Yes.

Craig Petronella:

So how do people figure out how much is enough? If your revenue is X, and that's pretty much all you're going to get, that sounds fairly accurate. But how much is enough for the other pieces? For example, we used the $1 million example of a small business. They get a million dollars in general coverage. Maybe they get a million in the umbrella. They want to get cyber insurance, and they also want cybercrime coverage. How much is enough? Or how do you drill down on that?

Matt Holcomb:

That's a good question, and it has been asked a million times. And it's funny. I listened to one of the carriers who was having a seminar, and they said there's no number that says this will fix you, this will take care of you. It's whatever people want to sue for. And that's the scary thing.

Craig Petronella:

Right.

Matt Holcomb:

They can only get so much. So if your company is a $2 million company, and you have a million with a million umbrella, they'll stop there. Most people are like, Yeah, 2 million, I'm satisfied. I'll walk away.

Craig Petronella:

Okay.

Matt Holcomb:

But you may have some situation where people want to keep going further and further. It's just whatever the judgment is. It depends on what they want. So there is no magic number on those limits. Believe it or not, the only one that does have a number is workers' comp, because, at some point, the state runs out, everything runs out, and there's no more money; they're not paying anymore. So that's the one thing where you can say a million-dollar policy will cover me fine, because I know this person's getting a million dollars thrown at it. You know, we're fine.

Craig Petronella:

There's a maximum there.

Matt Holcomb:

Right.

Craig Petronella:

Now, another question that comes to mind. Is it possible to have more than one life insurance policy? Can you buy life insurance with more than one policy from different carriers? Like, I could buy a couple of million dollars from you and then maybe get another policy somewhere else. Can you do that with cyber?

Matt Holcomb:

You can do excess. It sits above the umbrella. I've had to do that as well, where Hartford allowed 3 million in underlying, and then we had to get up to the 10 million. We had to go to Chubb. They would take over the next 7 million. And once you get into that level, the price changes slightly, because on that first underlying 3 million, Hartford will be on the hook immediately. If there's a claim, Chubb may never see it. They may be able to sit back and say, I'm not going to come into the mix until they've exhausted that 3 million. And similarly, an umbrella is usually pretty inexpensive. You can get, like, a 1 million underlying policy that costs you, say, 2000 a year. And then a million umbrella could be 500, because they know that the second million may never get touched; the first million gets hit first. So that's the one that has to pay. That's why it costs you more.

Craig Petronella:

Okay, but using the 1 million example that we were using earlier. For a small business, we only make a million in revenue.

Matt Holcomb:

Yeah.

Craig Petronella:

Could you get more? Could you get 2 million in coverage from two separate carriers like that?

Matt Holcomb:

Yeah, you would. In that situation, you would just want to do 1 million in underlying and then do 1 million in the umbrella. There's no real reason to go to two general liability policies, because that's a different scenario altogether. And that's what you're talking about. You go ahead and either see if the carrier increases it to the 2,000,000 you need, or just see if the umbrella sits on top of it, because it'd be more cost-effective to do that. And if you do it the other way, it's just going to cost more, because you'll pay more than you need to get it as primary.

Craig Petronella:

Okay. That sounds good. Now, what about the requirements for coverage? Do you see new requirements around businesses needing policies, procedures, supporting evidence of certain security control layers, audits, security, risk assessments, penetration testing?

Matt Holcomb:

That's one of the things your application will ask, and that application is always evolving. It's constantly changing. You may have it one year where it asks questions about your day-to-day. How much is your security system? Your CISO? What limits and what levels do you have? Next year, it may come up with another question: Is there any way you ever give out money? Any of this stuff comes into play more with ransomware. Suddenly, they're bringing in a new question because hackers and the bad people are out there. It's always evolving, always changing. Each year you have to give more information to the company as it's been updated. They do want to see your financials for all renewals as well. So you'll see that a lot, where they ask how big the company is. Your premiums are based on that as well. Like I said before, your revenues are your criteria. What are you doing? What are you securing? What does your app look like? What are all the different things that come with using a cloud-based system? All these other things come into play.

Craig Petronella:

So the insurance industry has pretty much its own scoring methodology, around some type of risk-assessment process through a questionnaire or interview, to figure out how risky the client is, and then how much coverage they can potentially offer.

Matt Holcomb:

Yeah, and in most situations, a newer company is pretty straightforward. They look at it and say it's a newer company. Here's the straight-up, propped-up policy. Here's what you're going to get. If you want to add stuff to it, they'll bring it into the mix. They'll ask you if you want certain things to be added to the policy. Do you want crime? Do you want third-party crime to be added to it? There are just different things that can come into the mix. Do you do any kind of wire transfers? We need to put that in there. Do we need to put credit card fraud in, with any employee theft? That falls into the crime, but just different things may come into the mix. They'll ask, at the time of sale, and kind of upsell it. A lot of times, with a brand new company, there's no exposure. You try and keep it as cost-effective as possible. You don't want to kill them with, Okay, your policy could be $1,000, but we're going to make it $10,000 for the year. So that's like, I'm not even barely making that. Making a million dollars is what our company's revenue is looking like. Why would I want to spend so much to have all this? But as the companies grow, we do re-evaluations every year, and we take a look and see what's changed. We ask them some questions. Have you got any new systems? Do you have any new hires? Do you have anybody handling your playbook? What kind of security do you have? Have you upgraded any of that? It's ever-changing.

Craig Petronella:

Do you think it'll be similar to auto insurance, where rewards are for good behavior, a future discount? Or if you could show supporting evidence of pen-testing, for example, or risk assessments, policies, more stuff, do you think that might reduce premiums in the future because they might be a lower target?

Matt Holcomb:

Yeah, that could help. You can always use that stuff to go and ask for credits.

Craig Petronella:

Sure.

Matt Holcomb:

We've done that a lot. We've shown that these guys have been really strong. They haven't had any claims. They got this, now they got that. Let's go and get some credits on this and see if we can reduce their renewals. You typically don't want to go in taking all the credits for the first year, because there's nothing left for the second year. So you want to sit back and try to get some credits on the front end. Then also at renewal, if you've had an increase, go ahead and start asking: there have been no claims, why are we getting hit 10, 15, 20%? Are there any credits available? Or is it just at a point where you just want to shop it? I don't recommend shopping a lot. Some people like to shop every year. That doesn't look good, because then the carrier looks and sees you as a shifty person. You shift any time the winds change. It's not something that I would recommend. You try to talk to the clients about it, and sometimes you lose them because they just want to find something cheaper. That's not the kind of person you want, because they're not going to be satisfied at claim time. They're going cheap. They're getting cheap.

Craig Petronella:

Often we might get calls from somebody that gets hacked. And one of the first questions we ask is, do you have cybersecurity insurance? Do you have cybercrime coverage? And sometimes they do, but it's not high enough. It'll only be $50,000 or something like that. Or maybe they don't have coverage. It's a scramble. How do we help them? With all this stuff, a lot of the pricing is out of our control.

Matt Holcomb:

Right.

Craig Petronella:

I get what you're saying, and there's a lot of useful information there. I don't know if you've heard of the new Cybersecurity Maturity Model Certification, or the CMMC, released from the DoD. I think that that's going to radically change insurance as well as other regulatory mandates. That's very mature. HIPAA was enacted in 1996 for healthcare. And this is the latest and greatest; it's been called the ISO of cybersecurity. Have you heard anything about insurance companies looking at the CMMC as a framework to model?

Matt Holcomb:

I haven't heard too much. It's just that insurance companies are going to do whatever they need to do to make sure they protect themselves and their clients. I know that with California having their change that came through recently, you're going to see changes over here, like with the European one. A lot of the carriers had to change because they had to fit that model. If it's something that's coming down the pipeline that's going to affect or help their clients or their bottom line, they'll follow suit and start working in that arena and try to get set up. That's one thing with insurance. It's your last line of defense. It's not your pre-emptive. That's not what it's for. When you get hit, when you get hacked, you have to send out notifications to your clients. That's what it's for: defense costs, all these different things. That's when it comes into play. And that's what people need to understand, why they ask the questions upfront about whether you have these security measures in place. If you do see signs, you can connect quickly enough to know.

Craig Petronella:

I agree; well said. I've been saying that for years. You always want to have your systems protected. You want to be doing the checks of your policies, procedures, your risk assessment. You want to be doing all this stuff. But then some people, especially small businesses, talk to me. They say, You're crazy. I'm not going to pay that much money to do X, Y, or Z. Look, I'm not the one that's responsible for all the pricing around this. I know how to get around this job and do it as efficiently as possible. But you have to be willing to listen. And if you're not willing to listen to the direction and my advice, your days are numbered. I mean that hackers are smart and lazy. And I've said this for years. They're scanning your networks. They're looking for weak points and holes, just like a criminal will be profiling your neighborhood or your house if you're the dark house. You don't have an alarm system, and you don't have camera systems or a dog, or anything. You're low-hanging fruit. Then you're statistically more likely to get broken into.

Matt Holcomb:

Yeah.

Craig Petronella:

I'm a firm believer in what's called the onion concept, or the layered approach. For example, we're talking about a house in this dark corner. We put some lights there, and we add some camera systems and get a dog and an alarm system. You're not just going to want to put a sensor on the front door. There's a total ecosystem that covers you. And if you cut corners because of money, the hackers will see that, on your networks or physically. And the only way to score yourself is to pay attention to this stuff and review it to know where your gaps are. And I don't recommend that most people do that themselves. You want to have a professional come in and do that to score you. And that's what I love about the CMMC. And that's why I hope that the insurance companies will adopt a similar model, because you can't fake it anymore. You can't say that you're doing certain things. You have to show two forms of supporting evidence for each of the 110-plus control layers. That's a big deal. I think it'll reduce your payouts from insurance companies significantly.

Matt Holcomb:

Yes. Right now, as a company, you could check yes to everything that the insurance company asks on the application. The insurance company's not going to check until there's a claim. And at that point, they're going to go back and say that you said you had security here, and you had this, that and the other. Where's your documentation? Where's the proof that this was up and running? Where's the proof that this happened, or would have caught this? Otherwise, we may not pay this claim because you did.

Craig Petronella:

Oh, that's interesting that you bring that up. If somebody lies on the application and says yes, yes, yes to this, but then it comes to that, they get ransomware, and they go back to you or your providers and say they need coverage for this. I'm sure the insurance company will do their due diligence and investigation. And if they can prove that there is no supporting evidence for the yeses on the application, then they may deny the claim. Is that accurate?

Matt Holcomb:

That's correct. And here's something a little bit different. You have loss of income. So if your company shut down for 12 months and has no receipts, your accounts receivable, all this stuff is wiped out, it's no longer there. They'll send in a forensic team, and they'll find all this stuff through all of your systems and everything. And they say, Okay, Mr. Company XYZ, right now, on average, you're getting 20,000 a month. So we're going to go ahead and pay you the 240,000 to make you whole for the next year, because you've had it for 12 months. That's why I'm saying they do their due diligence when it comes time to claim, if it's a big enough claim, and if it's something that's specialized. Yes, they're going to do their due diligence and pick through everything and say, you have your application here. Yeah, it says yes on this, but you didn't have this in place. So we're going to deny the claim.

Craig Petronella:

Yes. Are there any criminal actions, in addition to the insurance not paying out the claim?

Matt Holcomb:

If it's considered insurance fraud, sure. If you are trying to pull a fast one on insurance companies, they could take legal action. I don't know if they would. If you lost a lot, they're going to say that's hard enough, because they lost everything. But you do want to make sure you make them aware. That's one thing I meant: when they're filling out the application, I usually ask them the questions, because I want to make sure that they see what the question is, and they know it, and they say yes to it, and they sign off on that application. They're saying that everything on this legal document is precise and true. And yes, there could be. I haven't seen any situation of that. But if the insurance company wanted to go after it, they could make an example of someone, and they could take them to court. No, a lot will be fine.

Craig Petronella:

Excellent information, though, because I've had folks tell me, No, I'm not going to do all that stuff. I've just bought insurance to cover me for that. So it sounds like those days are numbered. That's pretty much over nowadays; you can't lie to the insurance company and try to make your ignorance an excuse for not doing the things you should be doing.

Matt Holcomb:

Right, and more and more companies are getting into the mix, meaning buying cyber insurance, who, before we looked at it, would say, Why do I need that? I've got, you know, my POS systems with somebody such as Equifax, or it's with CS NCR, all my stuff is with them, they'll take care of it. Well, it's still you that's the point of contact. Look at when Home Depot got hit, and their whole situation. Target's another example. The point of service was with Target. They didn't look at the point of service company as being at fault. Everybody in America, and probably the world, looked at it as Target. Yeah, they're the ones that got the black eye, not the POS system. Home Depot's hack was a guy who was an HVAC guy, who came in and went ahead and plugged into their system and didn't have the correct security uploaded like Home Depot employees.

Craig Petronella:

Both of those examples, the Home Depot, the Target, the Sony, and the Michaels, are all from a sub-$100 black market keylogger.

Matt Holcomb:

Yeah. The hackers and all these guys are not like Hollywood, where they're going after the government, like we're going to break down the government. They're going to go after anyone; they want the path of least resistance, and then get into someone small, and that small can get someone big. It's just a chain reaction.

Craig Petronella:

That's why ransomware is so big. And ransomware, and then now the cryptocurrency mining malware that mines Bitcoin and other things, back when Bitcoin was easier to mine. The fact of the matter is, this stuff, this malware, is hard to detect. You know, antivirus, the latest statistic is 95% not effective. Only 5% effective. It's one layer. You can't rely on your firewall and your antivirus to protect you anymore. There's the human element as well. And you can't rely on your vendors to protect you either. I have a lot of people that tell me, Oh, I'll just go to AWS GovCloud, or I'll do HIPAA compliance with AWS or Amazon or Google. And they'll sign an NDA with me, but you have to read the fine print. You have your responsibilities, and you're the one. They're giving you the infrastructure, but it's up to you or a professional to configure that infrastructure and make it secure. And the security is on you, and the legal terms and their terms of use and service, they all list that out. Nobody reads it. But I'm highlighting them. It's a fact that they list that stuff out. They give you great systems to use that you can build upon as a foundation, but you are, and/or a professional is, responsible. Ideally, a professional should be configuring this stuff for you and monitoring it continuously. It is not a one-and-done thing anymore. You can't just do it right in time.

Matt Holcomb:

Right. You know, Justin Daniels from Donaldson Baker with provisor invited me to a simulated hack. And he brought in the Secret Service. He said that if you have a situation where you do a wire transfer, you have about three to four days to get in touch with the bank to stop it. If it goes after that, it goes overseas. It's gone forever. He said the people to contact are the Secret Service, because they have a division in the department that handles this wire transfer fraud, all this cybersecurity. Don't call your local police, because they're not going to do anything. They don't know what's going to happen. If you call the Secret Service, they can immediately contact that bank, get to the right person immediately, and put a hold on that money. It's usually above 25,000; under that, they don't mess with it. People will often get tricked by the person calling up because they need 15 Best Buy cards, this and that.

Craig Petronella:

Yeah, money packs, or cards, or impersonations, spoofed emails, business email compromise.

Matt Holcomb:

Justin was talking about AI now. One of his clients got a call. The CFO was out of town. He was on vacation. And this person sounded exactly like him, and called the secretary. He said, Hey, listen, I need this money wired ASAP. I'm on vacation. I got this account that we're working on. It's not going to go through unless I get this money. It was like $75,000, whatever it was. And ASAP, when they were getting into it, the whole company was in the process of getting all this taken care of, and all of a sudden they got a call again. It's the same script, same everything. And that's what tipped them off. That doesn't seem right. It turns out it was AI that was doing the whole thing.

Craig Petronella:

Yeah, they're recording people's voices and putting it into the AI system to build out that voice pattern and change or manipulate the pattern, just like he talked about. That's why you get those scam calls that want you to say yes. They record your voice and make patterns out of that using AI software. That's true.

Matt Holcomb:

Yeah, I hear him all the time. I'll give him a call like we've got a great deal for you. And I asked what the deal is. I knew immediately this is fake, and I hang up, or I'll block the call. But yeah, the hackers and the criminals are getting smarter. And they're working day and night to do this. And it's a lot of areas, a lot of large companies, a lot of governments need just to think it'll be easy. But it's not a matter of if. It's a matter of when you get hacked.

Craig Petronella:

Absolutely. It's in its training. It boils down to training, secure, ongoing security awareness training. I'm going to be building out a brand new security awareness training from my company.

Matt Holcomb:

Okay.

Craig Petronella:

We have many companies that we work with on the training side of things, but we're going to create our own around that. We have our methodology around it. Yesterday, I got an email from a CPA firm that's in my contacts. So it's kind of trusted. But I immediately knew it wasn't the person. It was a spoofed email. I took screenshots of it to create the evidence trail, and I picked up the phone, and I called her and left a message. I didn't get a callback. People don't take this stuff seriously enough to understand. Look, I'm tipping you off to a huge problem that you're probably not aware of because your organization isn't at the maturity level to have detection and monitoring systems to look at this stuff. I'm not the only one that got that email. I'll put money on it. A lot of her contacts or others in that company got those emails. And there's going to be people clicking on those links that could have ransomware or some other keylogger malware on there.

Matt Holcomb:

Yeah, if you're a CPA, that's the one thing if you get hit. You got to do everything you can to cover that up because you can lose clients, because now, all of a sudden, when they send the personal information, all the documentation for taxes to be signed off for the IRS. How do I know you're going to be secure and safe? It's crazy. I have a friend who does kind of similar to what you do, and he's in their consulting firm. In this database, this algorithm program can go into a company can dig it can look at everything and tell them where the weak spots are. And they went into one major company on Peachtree Street here in Atlanta and told them this. You got a look at this area. They just blew it off. No big deal. And four months later, they got hit huge. And he said we told you.

Craig Petronella:

Oh, yeah, we've done drills like that before. I've done some marketing experiments around what's called the Red team, Blue team. Look at the outside perimeter of people's websites and networks and be like, Look, you've got these gaping holes. You should fix this and patch it up. Nine out of ten would ignore us. And we've got that covered. Oh, Bobby in the corner, he's doing a good job.

Matt Holcomb:

Yeah, it's got a guy on a Commodore 64 sitting there working on this stuff. That doesn't work. You got to understand. You've got to be up to speed. You think you're small, but you may work with larger companies. And that's why the larger companies require their subs, all these people that come in, to have that limit. Because if I have a $5 million limit and hire you to come in and do some services, you have a $1 million limit. That means if I'm hit, you're hit, and it's your fault. I only have a million dollars of coverage for you. I have to use 4 million of mine, just to make it whole if I get hit for that. Now I'm basically on the hook for this stuff. So I've taken you on as an employee, almost, because now I have to cover your insurance.

Craig Petronella:

Yeah.

Matt Holcomb:

People complain all the time. If you want to work with the big companies, you're going to have to increase or work with them, talk to them and say, Can I at least have a couple of years to my companies larger than we can look into getting these increases you're asking for? But once you get those increases, you go after the bigger fish, then you start going after the companies, and we've gone over that was the number of clients of ours. Once you get this, you now can go to about anybody.

Craig Petronella:

So it's almost like a competitive edge. It's almost like a tool in your box that you can use to help put you above your pack as far as competition goes. I know that my company has been hired to do what's called vendor security questionnaires or VSQ's. Like the example you gave, the bigger guy wants to do business with the smaller guy. The smaller guy gets this huge spreadsheet. And it's like, Whoa, I don't know how to answer all this stuff. And it could be like, Yeah, 300, I've seen questions over 600 questions, all this stuff. I don't know how to answer this. So then they got started looking, they find my company and me often. And that's one of our specialties. We know how to fill all that out. But it's an educational experience for the client because often, the client doesn't have half of the stuff they're supposed to have.

Matt Holcomb:

Right. Often, when they get these agreements, they'll send it to us immediately and say, Hey, they're asking for this insurance, these limits. Do I have it? And we'll look through and see you're asking for 2 million. You've got 1 million underlying in a 1 million umbrella CA; you're good there. You have a 500,000 work comp, they're asking for a million, want to increase that, or your umbrella can sometimes sit up the work comp. And the reason why I bring up those lines is that those are the ones that can be the biggest ticket items. Your cyber is going to be in the different ones, but your underlying general liability, work comp, those are the ones that are going to stand out immediately. You send them the certificate, the COI. Those will be the top ones. Automobile, work comp, umbrella, general liability, that's it. Other stuff we can put in a separate place down below. But there's not a field to fill it in the way it is for those. And that's where a lot of times they want 10 million underlying GL, 10 million in the umbrella. Just a few companies will do that. But that's one thing. Like I say, if you're a startup company, and you're going to hunt with those guys, you need a bigger gun. I'm sorry, man, you're not going to make this.

Craig Petronella:

Now, are there any questions that automatically fail? In the CMMC world, if you don't have a system security plan, you auto fail for the NIST 800-171 Interim Rule requirement. It was released by the DoD a few weeks ago. November 30 was the deadline, actually last week. They said to look to federal defense contractors. You're supposed to be compliant with NIST 800-171 frameworks per DFARS 7012, and this has been in place for over five years now. We want to see the supporting evidence of your system security plan or your SSP, your self-assessment score, your POA&Ms, plan of action and milestones, to get you to the perfect score of 110. We need you to upload all this by November 30. So there's this vast scramble. Everybody's like, Oh, my God, I don't have this. They're freaking out. And they need help from companies like us, one of the certified experts in this space. And we noticed that some folks in the federal defense contractor space are taking contract awards that are worth millions of dollars. And they're saying they are checking the box. They are good with NIST 800-171. But they're not. Now that they came out with this law, I think it was released October 1 was the Interim Rule's notice. And I think it's going to be a shakeout of Look. They know that's why the whole CMMC came out. The DoD knows that most are not compliant. I think what they wanted to do with that DoD Interim Rule is figure out who is compliant, who have you all that. I think it could lead to what's called the False Claims Act fraud, which is nasty. You have to pay back three times the contract award plus 15,000 plus per infraction, so it skyrockets. It's nasty.

Matt Holcomb:

Yeah, you're dealing with a government in that situation. And that's the one that whenever you have a data breach, they're the ones that come out after you and say that you have to pay X number per account that you have, per item, per person within that company. You work with 1000 people, and you have to get a fine for 1000 of them. You're talking 2030. It could mean it could be up way up there. So when it comes to the government, the insurance company will look at it and deny the claim. Then you're on your own, or they could go after you for it. That would be more the insurance commissioner could do that. They could come after you separately for insurance fraud, but they could file with the insurance commissioner. And I'm pretty sure North Carolina is the same way. But in Georgia, they can come to your office and come to your house and arrest you right on the spot. I've seen that situation where a person was doing something in the life insurance field. He was doing union life insurance policies, wasn't credentialed and able to do it. John Oxendine years ago went to his office and arrested them on the spot and put them in jail. That's one of the things when you're talking to the government. That's one place I wouldn't fool around with it. If they want to find out, they're going to find out.

Craig Petronella:

And it's elementary. We've been in business for almost 19 years now. And one of our first regulatory specialties was HIPAA compliance for medical practices.

Matt Holcomb:

Yeah.

Craig Petronella:

I've written books on HIPAA, and I'd educate dentists and doctors and work with hospitals and various general and specialist medical practices. And almost nine out of ten had no clue about all the stuff that I was talking about. They're like, Oh, yeah, we're HIPAA compliant. Here's our binder. They'd show me this binder, and it had like a couple of sentences and paragraphs. And that was their supporting evidence of all the policies they were supposed to have. And it was a complete nightmare and a mess. So I would help educate them on why they need to do this stuff. Look, the acting sheriff is the Office of Civil Rights. And if you get busted with this, it's nasty. You're going out of business because it skyrockets quickly. And then they glaze over.

Matt Holcomb:

Yeah. It's a lot of times when people fill out the insurance application. If they claim, that's when the insurance company can go back and do the due diligence, do a forensic, take a look and do a deeper dive. And they may turn up some stuff. But what if the company decides to put all this stuff in place while that's going on? And oh, wait, we said yes to? Yes, we've got a manual that shows all of our different structures, what we do as far as security and everything. We don't have that, let's get a quick. And they can throw things that some things, I am pretty confident. There are certain things. I'm not very savvy. I'm insurance. I'm incredible. But I'm sure there's stuff that you could teach me in the IT world. I'm pretty confident of certain things they can't get in place in time. If they have somebody asking for deep dives and financing in other companies, they don't have that. You said yes or no on this application that you did, or you don't. It can be scary working with insurance and with the government. I'd be more afraid of them, I think, than anything.

Craig Petronella:

Yeah. It's interesting. You said the timeline too, which was one of the things released in the CMMC certification track. They said, look, you know, you there's no on-off switch to this stuff. You need to show a long trail of supporting evidence that you're doing the security risk assessments. They want to see the penetration testing, the audits, the updates of your policies, procedures, logs, supporting evidence, and supporting evidence for each of the 110 plus controls. You need to show a culture of all of that in your organization. And if you don't have that deep depth of evidence and that bulk, then then you're done.

Matt Holcomb:

Yeah, what's if it's 110? What is there a special number you have to be at?

Craig Petronella:

It depends. Suppose you're dealing with sensitive information that's around a federal contract. In that case, maybe you're an engineering company, and you do blueprints for the Department of Defense. That's controlled unclassified information, or CUI, and you must protect that. And the framework to protect that is called NIST 800-171. And the new twist on that is now the CMMC. In this example, you're level three or higher, because you're dealing with CUI. Level five is the maximum security; it'll take years to get there. And level one is the most basic. And if you're dealing with CUI, you're automatically a three or higher. So okay, there are 110 controls. And there's now an additional 20 that were added with CMMC level three. They're saying you need to have supporting evidence of all of these things to form. And then you have to have a lead assessor come on to your premises, from what's called a C3PAO, that they have to look over, either you or your IT team's shoulders, and go through with a fine-tooth comb, all the supporting evidence. It's a pass-fail. There's no partial credit. So if you fail and don't have your SSP, or you lied, you're done. You don't get it. And if you don't get it, you don't get to bid on contracts anymore. You're done. You're on the bench.

Matt Holcomb:

And so that's the kind of a deal that it's pretty strict, that's just cut and dry.

Craig Petronella:

I think that people don't even realize how strict it is. I think that it's going to be a big eye-opening experience. We're working with a bunch of smart folks already that are behind the eight ball on it, and they see this is a big deal. But the people sitting on the sidelines right now that did not upload and comply with the DoD Interim Rule because they didn't think it applied to them. But Katie Arrington, the Chief CISO from the DoD, said it's 300,000 plus federal contractors. And she even said that if DFARS 7012 is not in your contract, but you have a contract from the federal government, assume that it is there from the Department of Defense. Because they have a clause in there that if they didn't put it in there, they get it. You still need to apply it. So she said, you need to do it anyway. And it's just amazing how many people have not even completed that step. But they're going to get the wake-up call in a few months where they're not going to be able to bid on new contracts. They're going to be off the system.

Matt Holcomb:

That's like one of the old sayings you hear, fake it till you make it. And you can't fake that.

Craig Petronella:

I think it's going to be brutal. I think it's going to be hard on some folks. But here's the thing. The federal contractors are supposed to be doing this for over five years anyway. I feel like it's a good thing for our country. We're getting hacked left and right from adversaries. Chinese governments have planes that look just like ours now. We have to do these things that are hard in the short term to get ahead and stop the bleeding. Because of our intellectual property and our secret sauce, that's what makes our country great. And if we can't control that and make sure our adversaries don't steal that from us, what else do we have left?

Matt Holcomb:

Yeah, whenever they assassinated Osama bin Laden, when that helicopter that was secret crashed, they blew it up and took everything they could, often blow it up. So the Chinese couldn't get ahold of it and come out and recreate it, because they've already recreated one of our drones. And it's just, yeah, it's just that scary.

Craig Petronella:

Our fighters too, it's not just drones that they've stolen.

Matt Holcomb:

I've seen it, and that's sad. If it protects, and you have people in the front line of creating this stuff, doing the software, and all that, if there's something that the government's now finally stepping up to saying, we can't have this anymore. We got to stop the bleeding of all this hacking because they've been hacked, they've been hit, and it's at stake.

Craig Petronella:

You know, we're in the times now where it's so much easier for an adversary or a hacker to sit behind their computer and push a button to hurt you than it is to send somebody over or use military-type force with a weapon. A weapon now is digital.

Matt Holcomb:

Right. The state funds these organizations to sit in a room all day and do this stuff. So if someone could have software that can go in, because the stealth bomber is a prime example, that thing will not fly without the computer system working. It's just none other than I make this logistical.

Craig Petronella:

Right.

Matt Holcomb:

But since they have that software in there, and the computer systems, that's what allows it to fly. So if you could get into that and hack it and cut them off, drop them out of the sky. Sorry, guys. You're right there. We're coming to attack someone. They could reprogram it, get in and hack. And the next thing is it didn't work.

Craig Petronella:

Yeah, we're in crazy times. I noticed one thing that I thought of when you were talking earlier. Have you noticed a difference in your coverage and your options with people working from home due to COVID? Businesses are no longer in the quote-unquote brick-and-mortar office anymore.

Matt Holcomb:

There has been a little bit with that because they're starting to expand on that. I have received on some of my policies, some cyber, some others, that they're saying they're not going to cover any COVID related stuff. Now, all of a sudden, you have to extend your protection. For example, even our office. Everybody's taking the computers home. Right now, they're not hooked up to the network that we have secured in our office. They're hooked up to their personal.

Craig Petronella:

Right!

Matt Holcomb:

It may not be set up the way it needs to be. So they've had to go in and restructure our security systems. I haven't seen anything much from the carriers, but that's not to say they're not working on stuff. Some of the renewals have had tweaks as far as what's covered, the definition of COVID. I'm foreseeing some changes. That might be a new norm, people working from home more.

Craig Petronella:

I think that's true. I think a lot of people have been doing this for seven, eight months now.

Matt Holcomb:

Yeah.

Craig Petronella:

Businesses have been forced to adapt and change or die. And they've adopted technologies like this with Zoom or WebEx or other online collaboration tools. And I think this might be the new culture and the new way for many businesses to stay this way, save the money on the rent.

Matt Holcomb:

Yeah.

Craig Petronella:

Still not an excuse for all these home networks that are not configured properly. And once again, they need to be tested. There needs to be a security risk assessment done at that home level, whether by your corporate office or if you're a small business. You need to hire a professional to check that stuff. Because, guess what, if there's a default password on that router, or somebody sits in the driveway and breaks in, they can get to your computer information. Say you're working for a company dealing with sensitive information, whether medical PHI, PII, or insurance, or anything sensitive with the government, CUI. It's easy and ripe for hackers to break in with the password and the username of admin "admin." It's a layered model. You have to do different things with the physical and the software and the human element training in the home environment. If you're not doing those things, you're taking risks.

Matt Holcomb:

And I brought that up to somebody about the fact, it's a little side note, but when you talk about how many of these companies don't have to pay rent for these large buildings anymore. They may skim it down to a handful of executives and a few other people, have meetings, and come to the building for meetings, but they don't need all that space anymore. So we'll see, only time will tell. We could be back to normal after everything settles down, I don't know that.

Craig Petronella:

We'll see. I think that there'll be a reduction in commercial applications. I think certain business models, labs, or places that have specialized machinery need a place. Maybe they're going to have salespeople work from home, or there will be certain divisions of their company working from home. I think smaller companies that can work from home will stay that way. I think it's going to be interesting moving forward for sure. It has been fantastic. Thank you for joining.

Matt Holcomb:

Oh, thank you. It has been good. I appreciate it.

Craig Petronella:

Yeah. My pleasure. Tell folks once again, how did they reach you? Do they have your website, your phone number?

Matt Holcomb:

They can call me. The number is 770-466-9475, extension 1103. My email address is Matt.Holcomb@biltmoreins.com. We're always looking to help our clients and anybody else who might need our experience and knowledge. I think we can help them out and pick through there. As you said, when they're getting these contracts that come in, we can pick through that and say you're not compliant here or here. And you've already signed this contract. So you better get compliant pretty quick because if they have a claim, they're coming back at you, and they could sue you for breach of contract. So that's another thing to think of.

Craig Petronella:

Awesome. Great information. Now, what states are you licensed in to help folks?

Matt Holcomb:

I believe we're licensed in just about every state in the union.

Craig Petronella:

Okay. Awesome.

Matt Holcomb:

Yeah. We're part of Watkins. We're a large entity. So we have different offices all over the southeast to help in basically any state.

Craig Petronella:

Awesome. Thank you, Matt. I appreciate your time. Have a good day.

Matt Holcomb:

Yeah, you too. Thank you.

Craig Petronella:

All