September 21st, 2020
In this video, experts Justin Reinmuth and Chris Lair discuss the evolving landscape of cyber insurance for MSPs. They cover the complexities of insurance policies and emphasize the importance of having comprehensive coverage and risk management strategies in place. The speakers also highlight the necessity of MSPs implementing standards and having thorough documentation to protect themselves and their clients from potential liability issues.

- MSPs must focus on internal security and establish industry standards to protect themselves and their clients.
- Cyber insurance policies vary greatly, and MSPs must ensure they have comprehensive coverage and understand the terms and exclusions.
- MSPs should educate their clients about the importance of cyber insurance and security measures, using standards and contracts to set clear expectations.
Guests
Video Transcript
All right, week 19. Can you guys believe it? This is our 19th episode of the cyber call, um, not to, and, um, we have twenty one hundred and twenty six in the community now, and a bunch of people coming on in now. Um, I'm gonna just share, um, a few quick announcements and then we'll get right on into it. Um, announcement number one in the call to action, depending on how the screen looks, Gary, to me, is in the bottom of the Brady Bunch, right in the middle.
I don't know if that's what you see, but there's the incident response planning workshop. If you click that, um, we have four 60, or I forget the exact number, but this is a kind of, we're going in reverse a little. We did the, uh, tabletop with Wes and Chris, um, with Gary, um, a few months back, close to 700 at the end of that one. And this is right about where we were too at that time, Gary.
And, um, this one, we're gonna look specifically on how to build the plan, and we're gonna also be joined by Mike Beard, the CISO of Marco. So we're gonna get into some real specifics about the plan. He's bringing it. So yeah, He's, he's, he's gonna nice enough to share a portion of their plan, the outline of it, which is amazing. Yeah, so he, he's awesome. Yeah, real excited about that.
And the other thing, which is kind of kicking this into gear, Gary, you, you kind of stirred the pot bringing on, uh, Justin, let me say this, that, um, if you haven't gotten into the cyber nation, I'm putting the, the link in there, um, that is growing, uh, really rapidly. Um, a little over three weeks now. I think we've had it over 600. The conversations are really getting engaging.
Um, I was looking to get engagement, and of course, Gary walks in, uh, like Gary, can you kind of come in and, you know, help out a little bit? And he just throws something out there about cyber insurance and it just blew up. Um, and then from there, um, our special guest, Justin Reinmuth. Did I get it right? You did, yeah. All right. Um, and, uh, got mentioned, like, I, it was crazy more. I'm, I'm like, I wanna be Justin when I grow up, man, this guy's getting just boom, boom, boom.
Oh, not bad. But, um, Justin, my understanding is, uh, you've been doing this since 2004, over 16,000 policies working with IT providers. Um, welcome. And can you share a little bit about your background now that I've stolen most of your thunder? Well, thanks. I appreciate it. So, um, no, I, I, it's great to be here with all you guys. Um, you guys are, you know, well represented in the community, so I appreciate you having me on. Um, yeah, just a little bit of backdrop.
Um, yeah, I used to be involved in an IT company. I know some people say it was an MSP, but we did a lot of app dev and IT staffing. 'cause that's kind of what you did in the late nineties, early two thousands, pre Y 2K when the world was gonna blow up type thing. Um, but then, you know, I, um, just, you know, with the evolution of offshore development partners just didn't want to go that direction. And so, uh, we ended up, um, you know, getting what we could for the company.
And, uh, you know, I, I, I got involved in insurance and for the first couple years back in 2004, I was probably like a lot of people on this call, their general agent, where you did the landscaper, the bakery, the home in the auto. And, uh, I just found a liking to professional liability insurance. So I was doing a lot with architects and engineers, lawyers, professional liability accountants, and, um, you know, working with some IT companies.
And then just tried to start pivoting, I guess, into it back in oh nine before it was cool. You know, I guess now cyber's a hot word back there. Everyone was like, what is cyber insurance and why do I need it? Right? So, um, you know, that's just a little bit of story, you know, and today we work with, you know, 1600 MSPs across the United States, um, and, uh, you know, hopeful. Are you, are You rethinking that now?
Well, it's up here six hours this weekend I run, you know, so, um, you know, it's, it, it's, it's, uh, you know, it's always evolving, it's changing. Um, you know, we, as you guys know, keeping up with the things that are going on, um, insurance tends to be a little bit less likely on the forefront, you know, in terms of policy changes. But I think the carriers and as an industry are getting better at it. And, um, you know, here we are today.
So, you know, I'm glad you guys have you on and I really appreciate it again. Well, we're, we're really glad you're here. And we've got another special guest. Most of you don't know him. No, I'm kidding. Chris, most people do know you, uh, hopefully not at a, you know, 1:00 AM level know you. But, um, for those out there that don't know you, can you give a little background about yourself? Yeah, sure. Chris Lair, I'm EVP of a company called, uh, Solis Security.
We're also known as CFC Response. 'cause we were acquired last year by CFC, which is one of the various carriers that Justin's aware of. And so I spend a lot of my time doing incident response work, um, among other things. But typically, uh, MSPs, when they come to me and ask me about insurance, and typically I ask 'em about their broker and their broker doesn't know what the hell they're talking about, I send 'em over to Justin. So that's kind of how that workflow goes.
So, uh, Chris is a great guy and we've been on those one o'clock calls together, so We, we, we have a few working right now, so, yeah. So it's not ending, but yeah. I'm glad to be on again. Absolutely. Alright. Well, as Wes, Wes is seem seemingly doing a wardrobe change. I have a very special shirt on. I am live, You know, Wes, um, some out there? No, this is a very special shirt. Oh, okay. So now, now who are we today? Wes?
Uh, don't know how The ca sometimes the cowboy just shows up, so, Okay. Okay. Fair enough. Well, alright, so let's get right on into it. I think we got all the, to-dos out of the way, Gary, I'm gonna hand it to you. And, uh, yeah, So first off, I, I hear a lot of people just love Wes and they want more Wes, so, um, I'm gonna go full Wes today. Oh, I love it. You like that? Now I gotta change my glasses. Yeah, there we go. Full Wes.
Uh, so Justin, what's funny, you know, I, I know, I know you've been doing this a long time, right? Over a decade, but now all of a sudden you're a little more interesting than you used to be, right? The MSPs certainly more interesting than you were a couple, a couple years ago. So, um, I listened to the video trailer that you did with Andrew, and you mentioned the carriers are taking kind of one of a handful, three or four approaches Mm-Hmm.
Um, can you just give us a little bit more about, about that and what you mean by that? Yeah, absolutely. So, you know, as you mentioned, um, you know, five, six years ago, obtaining a cyber insurance policy was fairly easy. I mean, a lot of the carriers, again, not all, but they were kind of asking you who are your five largest clients and to use antivirus and firewall, and here's a really broad policy and it's, uh, inexpensive and off they went.
And so, um, you know, like anything with insurance, then all of a sudden you have an influx of carriers that jump in and go, oh, there's money to be made in cyber insurance. So they're coming in, they're not realizing, for example, just using the insurance agreement of the cyber extortion, i.e. ransomware, what a lot of people refer to, you know, I, I don't think the carriers got in thinking that it was gonna be a kidnap and ransom policy, which is kind of what it's turned into.
So all of a sudden, what you've had over the last probably two years now is, you know, again, I think you got carriers that are kind of in one of four space, they're taking a stance on, you know, the first group's going, Hey, listen, you know what? It's been nice. We can't make money. We're exiting stage left, we're outta here. So, um, you know, some pretty brand name carriers, if I were to rep or mention them on this call, they would, they would be in that group.
Uh, and then you've got a second set of group of Carriers, mention them, no, No mentions. Uh, but then you got another group of carriers that are going, Hey, listen, you know, for every dollar we collect, we're paying out $3 and 50 cents. So everyone knows as a business owner, you can't sustain that model very long.
So they're, it Sounds like the MSP business model, But you know, if, if, if that's the, if they're gonna stay in the game instead of charging a dollar, they're gonna have to charge $5. And so you, that's why a lot of the MSPs, I think, you know, we get this on a daily basis, you know, why is the rate going from X to Y, you know, um, I think in this space, if you're getting an increase that's, you know, 50 to a hundred percent, I say consider yourself lucky. I know that they don't wanna hear that.
But again, I would tell you, you know, if you were to take a $5 million MSP and talk to a $5 million architect engineer, a $5 million doctor, or a $5 million accounting firm, they're still paying a lot more than what MSPs are. You know, they're just, it's so, you know, when this space, you know, probably 10, 15 years ago when the carriers got in, you know, it was just, it was relatively, it wasn't relatively, it was, it was priced extremely low.
And so now you're seeing the carriers are, you know, taking, uh, increases on these premiums because as the actuaries are starting to get their arms around the numbers and what they look like, and the claims, you know, they're, they're starting to say, okay, in order for us to play in the space, we gotta charge a certain amount of money. And then you've got the third group of carriers that are going, you know what, we're gonna just like, we tell our MSPs, we're gonna limit our liability.
So I know Mr. $10 million MSP, you want a $5 million limit policy, but we're only gonna give you 2 million. And then the MSP's going, well wait a second though. I'm working with $500 million worth of clients. I, if something goes wrong, 2 million isn't gonna get me to first base. And they're going, well, that's all we're gonna give you. You know, and then you still have a group out there, which is in that fourth category, uh, that's saying, you know, we're gonna offer you broad coverage.
It's still gonna be relatively inexpensive, but the barrier to entry is gonna be a lot more difficult. Forget the five largest clients. We're gonna take you through a series of, uh, you know, I know, you know, risk assessment questions. Some of 'em are coming up with ransomware supplements, you know, so they're just making the barrier to entry a little bit more difficult for the MSPs. Gotcha. Yeah.
And so I, and I have seen gotten feedback from, you know, our, our customers, all four of this Yep. Didn't get renewed. If you want to get renewed, it's at a higher rate. Yep. Um, limiting, just literally write down that entire list. So we, we see that like happening, uh, every day. And unfortunately, this is not something that MSPs, you know, again, based on the business model, if you look at insurance is one of the areas that, that you talk to them, they know the least about. Right.
They're looking for, you know, for guidance on these things. So I, two questions. One is, how do the carriers, um, be able to evaluate what that price, you mentioned, you know, revenue, uh, number of customers, number of seats or endpoints, like what is, uh, uh, verticals? Yep. Um, like how do you, you know, No, that's, it's, it's a great question. I mean, carriers, it's gonna different carrier to, it's going to, you know, differentiate.
Each carrier's gonna take a stance on how they wanna underwrite, you know, risks and to what extent they wanna underwrite 'em. Right? But for the most part, I mean, you tackled some of the main things is that, you know, a $500,000 MSP and a $5 million MSP, they're gonna get two different prices, right? You know, so revenue matters. Um, you know, the industries you play in, if you've got a hundred percent bakery clients versus a hundred percent healthcare, you're gonna get two different rates.
You know, if you've got someone that's doing a hundred percent hardware sales versus a a hundred percent managed in cloud services, you're gonna get two different rates. You know, so there, there really are a lot of variables that go into this. But I think the biggest thing for me is, is that, you know, insurance in terms of the risk management pie, Gary, and I know you work with your members on this, you know, it's one piece.
I mean, there's gotta be other things that, that, that go along with it. If all you're gonna do is just look at an insurance policy, I mean, MSPs, once you start doing the math, you're gonna have to take out five, 10, $20 million of insurance. And at some point you're gonna look at, you know, tech rug or your agent and go, listen, I don't work for my insurance premiums. Right?
So you have to incorporate protection, meaning, you know, protection internally for the MSPs, but also what are you mandating of your clients? You know, we're big on standards here. I know you guys always talk about this, but, you know, making sure is the client following a standard?
You pick it, NIST, ISO, COBIT, you know, but if they aren't gonna do it to me, you know, kind of a good analogy is if you go to the, uh, you know, the pharmacy to pick up a, a prescription, you know, when you get that prescription, you get a, uh, you know, a bag with a pamphlet on the outside of the pamphlet is that, you know, the, the, it tells you exactly A, what the drug does, but B, it tells you the 9,000 side effects to me, you know, that's the MSP sitting down and handing the client, like, here's the framework that we've gotta follow.
Now when you get home and you rip open that bag, you look at the side of the pill case, common side effects include nausea, dizziness, headache, whatever. It lists three of them. That's kind of where you can work with them on the budget. Well, you know, we got hunts on that car. You need that EDR and active threat hunting with Huntress, right? You need, you know, the backup that's inaccessible from the network.
Those are kind of the three or four bullet points, but you're still not getting away from referencing a standard, you know? Right. Uh, and then I think, you know, as you've mentioned, I know your organization does a good job, you know, preaching contract use and critical action letters, waiver letters, things like that.
I mean, I think if you incorporate protection insurance and contracts, you know, I've been on unfortunately 12, you know, tool set compromises, private cloud compromises over the last year. But you know, we also have 1,590 clients that didn't have to go through that. So, you know, I still think that, you know, I don't want to paint a doom and gloom picture, you know, doing the right things. You can still operate a very successful, profitable MSP. Yeah.
Well, one thing I see is that most MSPs have one agreement and it has their liability statement in it, and it goes to the person who takes all their recommendations and pays the right price and does everything, but then they got that same agreement with the same liability to them with people that, that don't do that. And that's gonna, that's one thing I think is gonna have to come, right? It's gonna have to come to an end.
Do you think it goes a step further and as the carriers need to get more sophisticated, that there is some, you know, type of verification, maybe not on every customer, but actually on the MSP in terms of what they're doing to protect themselves in order to, to justify the rate or even acceptance into offering insurance? Yeah, I mean, you know, I think, again, where the premiums are at today, I don't think it would be a, you know, a SOC 2 Type 2 audit, right.
Or something that would go to that extreme. Um, but I think that's what they're trying to do is, you know, you know, again, a lot of these carriers weren't, have, weren't doing supplementals that they're doing today, so they're trying to get a paper version of what you're talking about. But still for MSPs, if you're gonna have a two or $3,000 premium, right, the carriers aren't gonna invest the resources of, you know, some of these bigger policies.
You know, if you get a hundred thousand $250,000 policies and you wanna take those out, now, Gary, you're talking about a different underwriting stance they'll go through, we'll do a pen test, do vulnerability scanning. But I think right now where we're at this point, the premiums, again, compared to the other industries, are still relatively low. So you're gonna see a lot more like supplementals and things like that.
Maybe a little verification like pull a patch compliance report, do something like that. So it's a trust but verify type process. Gotcha. I'm curious, Justin, like we're seeing all kinds of states, like Louisiana is the one I can think of. I've got two employees there, and you know, they're starting to put legislation around these MSPs. Like if they're gonna do business with like a state agency, they must, you know, accomplish, you know, you must be this tall or have this type of certification.
Uh, I'm curious, do you see stuff, whether it's continuous monitoring, right, whether it's monitoring some of the stuff you just mentioned with Gary, meaning like, you must be this high to ride this ride, uh, you know, helping keep either the coverage, uh, low or enabling people to get coverage in case you're turning folks away. I saw some of that was actually brought up here in the chat as well. So I'll, I'll stick with that question first and I've gotta follow on.
But I'm just curious what you're seeing on that side. Yeah, no, absolutely. I mean, I think you hit the nail on the head. I think we're getting to the point where, you know, it, they're looking for certifications. They're looking for, you know, if you're gonna play in certain industries, do you have the right alphabet soup of, of, of, of certifications that are available? So yeah, I think that it's getting to the point where, you know, the carriers are saying, Hey, enough's enough.
If you want us to go back and offer really broad coverage and do it at a premium that we think is relatively low, then you know, you have to make sure that you've got a, at least a SOC 2 Type 1 report, something like that. We're starting to see a shift in and they're going more in that direction. Is, is there any sort of like trust but verify? Like I, I know like my, my house, right?
If I go get insurance on my house and claim like, eh, I don't got a trampoline, or I don't got a pool, and all of a sudden they pull up my house on Google Maps, you clearly see I got a trampoline in a pool or whatever. Right? Right. Uh, is there something equivalent on the MSP side or is it just pretty much like, uh, self attestation? It is right now. I mean, you know, and again, that, that's gonna vary carrier to carrier.
So, you know, some carriers might not make you jump through as many hoops. Other carriers are gonna make you do certain things. So I think the biggest thing that people have to under or understand or realize is that these E&O policies, you know, they're unregulated. So it's not as simple as buying auto insurance, where whether you go with Progressive, Allstate or Geico, you wreck your three-year-old Honda, you're getting the value of the three-year-old Honda.
Some carriers might not cover client data loss, some carriers might not cover ransomware attacks. Some carriers might not cover breach of contracts, some might not cover rogue employee, other carriers will, and I think a lot of the MSPs tend to go out and buy cyber E&O insurance like they're buying auto insurance. You can't do it because there are unintended consequences by going through that process. Yeah, I think the, the key word Justin, you said earlier was broad, right?
So the one thing about these policies that the carriers have tried to do for years, whether it's a tech policy like you guys, uh, on the MSP side get or regular policies, is to keep them very simple, right? And not have a policy that's this deep and all this kind of stuff.
And so, you know, there's a, there's a balancing act there with trying to say, Hey, look, we're gonna cover you under the broad term of cyber, and we're not gonna get into all these different types of cyber type attacks, and, and you're, and, and so they gotta kind of balance that out with cost. And plus, I think, Justin, you can speak to it most, I mean, Justin's probably the, one of the best expert brokers out there.
A lot of brokers don't know what MFA or internal vulnerability or is, and they're the ones that are having to sell the policy. So the carriers don't have the benefit of having Justins who, who know all these types of terminology. So they also have to make sure that the brokers understand what they're selling too.
So when we talk about it sounds good to have, you know, standards and tests and all this kind of good stuff to prove to the carrier, the unfortunate side is, is the majority of their brokers out there don't know how to even talk that shop talk. And so it's very difficult to sell that policy. So you gotta kind of understand the insurance business and why these things are written the way they are and why they're priced the way they are, and why the unfortunate side.
I see some comments about MSPs, everybody gets put in the same bucket because it's, there's not really a good process here to kind of segmentize MSPs and Chris, I think I was gonna say, I mean, you know, who you've teamed up with. I mean, great, very broad coverage, you know, but a lot of people will call us up and they'll say, Hey, listen, you know what, here, here's my cyber, you know, policy. And then I look at it and I'm like, well, you got no first party business interruption.
You know, you've got no system damage, you've got no, you know, bricking coverage of computer hardware replacement, right? So they think it's cyber, and again, it's not really cyber. And also, you know, based on some of the answers that these MSPs will provide to the carrier, they may start putting exclusions based on, oh, you don't have MFA on your backup platform. They may try to put in an exclusion.
So it's really important that you're with either an agent or an agency that specializes, but also making sure that, you know, when you're dealing, you know, with these carriers, I mean, I'm, you know, I'm a big, you know, proponent and you, you go to bat with three or four carriers and that's who you're gonna work with, right? Because I don't wanna get into working with carriers that I don't know what the claims process is through.
'cause Chris, I know we've been on these things together, you know, it's fast moving for about a week, and you don't wanna find on the second day that, oh, my cyber extortion was supplemented to 10,000 and you got a $700,000 ransom. Now we're in big trouble. These aren't tens of thousands of dollars of claims. These are hundreds of thousands of millions of dollars of claims. If you spend $500 to get more to get the right policy, you just gotta do it.
Chris, that's what I've heard you recommend multiple times. You need to call your insurance and you need to say, okay, assuming this happened, can you take me through exactly what would happen, like in those, almost like a tabletop, those common things, because the insurance, Justin, if it doesn't do what you need it to do in the one time you need it, it's worth zero. Yeah. And it's crazy. I mean, a lot of times, Gary, I'll hear, you know, oh, do these policies really pay?
And people send me examples and I'm like, well, yeah, you're bringing up a cyber crime example, but there was no cyber crime on the policy. So of course it's not gonna respond. You know? So again, I think a lot of, you know, sometimes people when they're buying the insurance, you know, they're buying it as if it's workers' comp and auto insurance.
This is a much more complex policy, if written correctly, it will take you through the tool set compromise A to Z, you know, um, but it has to be what written correctly. And it's not something, it's not a regulated product. So the devil's in the details. And if you aren't gonna get with, if you aren't gonna take the time to read the 40 pages, you better get with someone that is going to do it. Because if you don't, you know, you could be in trouble potentially. Yeah.
The other thing is, is like you say, you know, a lot of people get the million dollar policy. That seems to be the magic number, but in the MSP world, the ransom amounts are easy between 700 and a million dollars. So on the extortion side, you could chew up your entire coverage just with your extortion payment alone. Well, Kristen, Well, you, you have a great point.
The other thing is, you know, financial guys are always saying, or girls, you know, I have this much assets under management, right? I ask MSPs, how many clients do you have under management, right? If it's per $52 million, if they're down a week, you're potentially facing a million dollars in business interruption claims. So if you've got $500 million worth of clients, and again, not all of 'em are gonna get taken down, but if 20% of those clients are down, that's a hundred million dollars.
You're looking at $2 million potential business interruption claims. I haven't paid for an attorney yet. You know, so these things, you know, the meter starts going, Yeah, this reminds me of, Uh, every Gary Pika conversation that said, you're not charging enough. And I think Justin's point, uh, just really reiterated it. So How many MSPs know how much their clients lose per day if they're down? I mean, how many actually have that conversation?
We've talked about it here a thousand times, but I still don't think MSPs are having that conversation, Even if they're not, even if, you know, you might work with a client that's, you know, $500 million, which is fine, I understand. And they're gonna, the limit of liability might not be as stringent. I mean, at some point you gotta make business decisions, right? But that's where we focused on contract use or waiver letters.
Like there has to be a risk management and a risk transfer technique in place for the MSPs. If they're not gonna wi if they're not willing to do it, then yeah, you're eventually I could, you know, five, 10, $20 million might not be enough, because you might have one client that takes that all from you. So it has to be more than insurance. I mean, that's the biggest thing. It ha we have to focus a lot more on the risk management and the risk transfer techniques.
Insurance is one piece of the pie, and it's very important, don't get me wrong, because it brings in vendors like Chris and some of the others, right? But we have to, you know, we, we have to sit down with the clients and make sure, hey, listen, if you're not gonna follow a standard, you're not gonna listen to my recommendations, then why am I open to my policy up to you? Right?
If you do these things, you know, i.e. NIST cybersecurity framework, then you know what, instead of my limitation to liability, and again, I'm not an attorney, but instead of it being three months, then let's do 12 months or something. But the client has to be willing too many times they're putting the MSP in the position where they want to eat the cake and eat it too. And sometimes MSPs are just saying, Hey, I need the business. Well, you know what?
I can tell the reason I don't have a problem telling my clients or our clients, you know, that we won't, you know, to walk away from it is because we do the thing. You know, if you're gonna have 200 credit score clients walking through the door and they don't wanna try to achieve an 800 credit score status, don't work with them. Walk away.
I mean, some of the best clients that I've had, we've not worked with, you know, because through the grapevine they've had and they've gotten hit, or something's happened and we didn't have to, you know, sit on that exposure. But if you have like a 500 credit score clients that's willing to work with you to get to a seven or 800 credit score, then work with them, you know? But, you know, again, in my opinion, you guys know better. There shouldn't be an A, B, C, and D plan, right?
It's an a plan or nothing. Well, Gary, that's moves you to your ears. There's only one. But, well, I, I mean, listen, uh, I was on a thread today. I mean, I, and after sitting here, Wes, if you were a carrier, would you let your, uh, MSP customers have any APIs? Well, no, no comment. Look, look, I hope this is first off, Justin, this is awesome. Okay. Okay. And so the big takeaway on this is it's not just insurance, but it's also risk waiver and transfer.
How it looks to, you know, going back to your agreement for every single client and you, you almost have to assess the risk of every client, you know, based on their vertical, what their environment is, what they're willing to accept or not accept. Like, you know, you almost have to go downstream with it that way. Well, And you have to think about it, right? Because once Chris and those vendors are outta the way, I've gotta live with a third party lawsuits that are coming in.
So as nice as, you know, we're gonna, we'll take clients through and we'll talk to 'em nicely. But you know, when it gets to the point and you have a law firm or an accounting firm down the street that had 2FA on their email and the accounting firm that got hit, didn't, the lawyers are gonna ask the MSP. Why would you recommend that an accounting firm down the street to have 2FA and not mine? And then they're gonna say something like, well, they didn't wanna pay for it or something.
And then the lawyer's gonna say, he doesn't remember that. Well, we send him an email, he never got the email. You know, that's where you gotta make sure the critical action letter, I mean, you know, again, if you think about it, right? And another industry, a doctor, if you have two patients walking through that God forbid, got cancer or something like that, the doctor isn't gonna treat one with chemotherapy and another with holistic medicine.
I mean, he's gonna get in trouble 'cause he didn't follow a standard. And that's the thing. The MSPs have to, you know, there are standards out there, architects and engineers follow standards when they put up bridges. Accountants follow standards when they do tax returns, the AICPA, you know, medical pro professionals follow the AMA. Why are we not following a standard? We have to make the clients or the MSPs clients aware.
Hey, and a lot of times when you're achieving the insurance, you might represent certain things to the carrier. So it wouldn't be misrepresentation saying, Hey, in order to obtain my insurance, I rec, or, um, you know, I provided documentation that we would follow, blah, blah, blah. If we don't follow that and my insurance doesn't respond, that's not good for you or I, right? So, you know, having those conversations bring the insurance into that conversation.
So I don't know if you guys saw, but we, we got nine questions, uh, that are, that are in the hopper for us. So I, I didn't know, Andrew, you bringing those up or you you want to, uh, want me to maybe read one or two Yeah. In just a minute, because I just wanna touch on something that Chris mentioned and it kind of, it's, it's feeding a lot in here to how Gary talks about pricing, pricing conversations.
Chris, you know, you, you, for, I don't know how long we've been talking to audiences and raise your hand if you do a business impact analysis with your customer. Have you done one on yourself? Often you get a blank stare. But, and, and, and it's a new term, newer term, I think to MSPs. But I, I guess, Gary, my question is, um, I mean this is not just evolving cyber in within an MSP, it's evolving the capabilities and, and knowledge base around managing risk.
And our MSP's gonna have to have that knowledge of business impact analysis to, in essence say, look, we've gotta move. You're telling me, you know, if you're down, it's worth X a day and you're only paying 150 a c, I've gotta put you to 220. Or we've gotta figure out how to, you know, yeah, you get my point, Andrew. This part, this part is not new. I mean, we should be having some type of a conversation around business impact or we're not, we're not an MSP.
It's like, how are we making any recommendations, security or not security about what they need to do in terms of running their business, but all aspects of how they make, how should a customer know how much they should invest and what they should invest in. And now this is an area where, listen, we're all learning, right? And getting up to speed. Your customers know nothing at all about this, right? And Gary, if they don't know the right questions to ask Justin, they need that Education.
One thing, one thing, but I, I think one thing when you're, you know, when your members and you know, the clients are sitting down with their clients, right? I mean, look at this big picture. You know, the MSP is the CIO of Verizon. Their client is the CEO of Verizon.
I mean, do you think in a real world example, if the CEO of Verizon called up the CEO at American Express and said, oh, your CIO's recommending that you do certain things, and he finds out that his CIO isn't, he's fired in our industry, you're fired in your suit, right? So I mean, it has to, they have to sit down with the client.
And I guess, you know, some people say, you know, the easy part of my job is just collecting the 15% insurance premium, the commission you getting on, you move, right? But I actually wanna make sure that this insurance stays affordable, it stays broad coverage and does what it is meant to do.
And in order for that to happen, you know, I think that that, that the MSPs need to sit down and, you know, sit with their clients and make sure that, hey, listen, you know, as your CIO if you aren't gonna follow my recommendations, that's fine, but don't tell me I didn't tell you, you know, and be careful what you put into writing. We have an MSP in Ohio. They're not with our, our client, but they got sued.
The lawyers brought up, Hey, you said in the, uh, contract that, uh, you would provide additional security recommendations. Again, I'm paraphrasing, but why didn't my client have KnowBe4 security awareness training, you told me that you'd sit down with us on quarterly business reviews. You didn't do it one time in 2019. If I'm an, if I'm a juror in that courtroom and I know nothing about it, I would look at it and go, okay, he hired the MSP as the expert.
This guy cracks backs or cleans teeth. Why should he know what to do? And you know, the finger is gonna get pointed right back to the MSP. Justin, listen, in the MSP's defense, they were busy doing tickets and alerts. They were very busy. So can they say that in court? I, you know, listen, you can try whatever. I always say our attorneys are pretty good at defending you, but when you're shutting people down, their attorneys are pretty good too. Yeah. Yeah.
So, so Wes, um, we've got a lot of, of, um, questions in the queue, but I've, I'd yeah, and, which is awesome. Keep 'em coming. Wes, I'd, I'd like you to kind of just chat with Justin and Chris because, you know, I think this is, this part's really important because this is where the rubber hits the road with the, unfortunately, when these two have to talk. Yeah, for sure. And, uh, I'm cognizant of the time, so we always plan for cyber call to be 30 minutes. It's an hour now.
So I think we have tons of time. Let's just, I'll be honest, what's happened, uh, so we have tons of time for questions. Um, so let me, but before we get to those and, and keep firing them in, because that's a good way to guarantee that we will get to those, we're gonna leave some time at the end. And I love the questions coming in. So here's what I do wanna start with. I wanna moderate just a little piece of this back and forth.
Uh, one of my favorite podcasts, BiggerPockets always does, they make their interviewees, uh, talk about their last deal, like their last real estate deal. Uh, so I'm gonna do the same thing both to Chris and to Justin, except I'm gonna give you, because I'm a nice interviewer, I'm gonna give you an extra option. So I want you to either talk about your last war story or I want you to talk about, um, maybe one of your favorite war stories with lessons learned out of it.
Not just a super interesting story, but some lessons learned for all of us. Um, so Chris, I'm gonna let you go first. So we'll give Justin our, uh, our, our more guests a chance to think about it. So pick one of the two, uh, Chris, and give us some thought. I'll just, I think it's, we, we got a case this weekend. It's pretty large. I mean, I think it's close to 500 endpoints and 40 boxes. And, and uh, this one is a, uh, variant called Meza, which when, anytime that thing comes up, I cringe.
'cause those guys are real a******s, to put it mildly. Um, I mean, they all are, but these guys raise the bar. Um, it's very expensive. I think, uh, the starting price was 77 Bitcoin. Anyway, the, um, the problem with these guys this time around is they, uh, deleted all admin accounts, created their own, so they can't get in their network.
So not only is it encrypted that they're completely locked out of their network and they can't get in, um, their backups are destroyed and, um, and so on and so forth. So, um, another case here where we just have the attackers continue to do more and more things. I mean, I've talked about Revo and so do, uh, they continue just to crap, just trash or file permissions. And so it's just, it's brutal. And so, um, that's just the more recent horror story.
So it's just gonna take a while to get them, uh, decrypted and cleaned up and, and, you know, and, and a lot of stuff, even though we decrypt, we're gonna have to rebuild. So I guess I'm assuming, so Chris, do you, they probably figured out the insurance by now, right? And that they called the lawyer and they called their insurance company to found, find out where they are, I'm guessing by this point. Well, yeah, so they, they were actually pretty good.
So they had their, uh, they called the insurance right away. I mean, there's been a trend recently where people are not calling for like a week or something like that, or they just figure it out and they're like, oh, we didn't even realize that, that we had insurance. And they call, uh, but this one they were very quick to call. So we were able to get engaged very quickly.
But again, what happens in these situations is, and they're not all policies are written this way, but their particular one is, is when, when you have an extortion payment, it's a reimbursement policy, meaning that you gotta pay and then the carrier's going to reimburse you. So when you get popped at, and this is, this is not an msp, but when you get popped like that on a Friday, there's no getting that much money out of the bank.
So regardless, you're gonna be waiting till at least Monday if you have to pay that ransom, because you're gonna have the one to pay that the carrier's not gonna step up and pay that for you. So yes, they did call quickly, but the timing was there. And, and the other thing we're seeing too, um, and then with this one was the same way, is these guys are not doing much negotiating. Uh, they're staying, you know, hard and fast.
And they usually will have some financial information on the, on the victim to support that amount that they're demanding. Lair, do you, one thing you said, I want to zoom in on just a little bit more. Do you, so the first threat actor you mentioned is actually a lot more operational inside the network than others have been, like changing admin accounts, things like that.
Do you think that's, uh, the future of, of things to come from these threat actors is not just leveraging, um, you know, live off the land tools to get access and, and ultimately run the, the ransomware, whatever it is, but they're also gonna continue to be more operational inside the network and doing things like that? Yes, I completely agree. I think, think we're seeing, um, you know, we used to see 'em never touch, for example, vSphere, uh, but they're going after that.
Now we're on the backups. We're seeing them encrypt like at going into the command line on NASes that at, at a Linux and taking them that way. I mean, we're starting to see them become much more operational, much more deeper.
And I think it's coming up, you know, this is just speculation my part, but obviously we talked about how much these guys are recruiting, and I think the more and more they recruit people, the more and more so the, the less consistent the attacks get, but the more tricks of the trade other people bring in to the, to the fold. And so they say, Hey, you know, I went in and deleted all admin accounts and created my own. Now they're really screwed. Hey, that's a great idea.
I'm gonna do that as well. So we're starting to see, see that happen too. So, So it's, it's a real lesson learned for us that the only reason they're going after the data is they feel like that's where I can do the most damage. The second we have very good and pristine, recoverable data backups, they're gonna go after something else, right? So it could be, like you said, going after vSphere and ESX, going after infrastructure, going after whatever hardware actually is or whatever.
Because the goal is I want to interrupt your business to cause pain, to force you to pay, right? And right now that happens to be the data, but it may not always be the data, or it might even be a shift. Like Chris, you and I were even talking a little bit about cloud, right? And how we're starting to see bad guys get access to O365 tenant environments and cause damage there, right? Right.
They, they can, the other thing we're seeing that I want is we're seeing them actually place phone calls to the victims as well. So if they don't hear from the victim or communicate with the victim one way, there's, they're actually getting phone calls in their office trying to, um, trying to get them to pay as well through for through phone calls. So, uh, they're very hungry for this money. The money's real.
Um, and so they're doing all sorts of different tactics we've talked about in the past, denial of service attacks. We've seen that, uh, we've seen, uh, one of our, um, we had a case that was in Australia that was purely denial of service extortion through denial of service. And so, um, yeah, it's, it's, it's crazy. And I think, you know, on the ransomware side, the exfiltration is the real deal.
I mean, these guys are taking massive amounts of data now, and they're spending the time they need to know to find that good juicy information. Like, I like to refer to it as in getting that out. So, um, if you're not on your toes or your client's not on their toes, they're gonna be taken for a rougher ride than they would've been taken if they went through this same thing a year ago. So, Justin, over to you, uh, give us your most recent or your favorite war story. I wanna hear from you.
You know, what, if it's okay, I think Chris did a great job. 'cause a lot of the stuff that he's gonna talk about, you know, I'm gonna, I'm gonna share those type of stories, but I'm actually, if it's okay, I'll pivot. And what I've seen is more of a disturbing trend since the whole COVID thing started, is we've had a, a 60 ish percent increase in what we call a notice of circumstance.
So a notice of circumstance means, hey, the MSP hasn't been sued, but they feel like something's coming around right, because of, of a ransomware attack. And what's going on is that the MSP's clients, you know, they, they don't know what tomorrow brings, right? So they don't wanna invest in the proper security, okay? And we have the environment's gotten worse with all the, you know, people that have applied for PPP loans or CARES Act or all this government funding.
So what's going on is we're seeing that clients don't wanna take the necessary steps in securing their o or their, uh, organizations and the MSPs, you know, are getting situations where the clients are getting hit. And with the work from home exposure, we've seen a lot of those type of claims coming in. Um, you know, a lot of the ransomware attacks, you know, based on the phishing.
And so, you know, we're starting to see a troubling trend where clients don't wanna spend the necessary money to do the proper things, and yet they wanna use the E&O policy of the MSP as their piggy bank, you know. So that to me goes back to making sure that clients are, you know, whether they're following a standard, you know, whether you're making, demanding that they do certain things. Um, but that's been a troubling trend for me because again, Chris really hit on the ransom.
A lot of the, the stories that I have, you know, they can't get mu much worse than what he just talked about. Um, but that's where we're starting to see a troubling trend is, you know, if clients don't want to do the right things because they don't know what tomorrow brings, it doesn't absolve the liability on the MSP from not recommending that they do the right things. And so, I don't know if it's necessarily a horror story, but it's a trend that we're starting to see.
And if people aren't gonna go back to the offices and they're still going to use the home firewall with the built-in Comcast antivirus or whatever it is, right? You know, we're gonna get into these situations where we're going, going to continue to see, hey, guess what? MSP, I fell for this. You should have protected me. Now it's your problem. It's not my problem. 'Cause I don't have a cyber policy, so I gotta go pick $150,000 off someone's cherry tree. It's gonna be your cherry tree.
You're right. Justin. Oh, go ahead. No, no, no, please go ahead. So I was gonna say, Justin, you're, you're exactly right. And, and I'll tell you, I've signed some six and seven figure contracts in my days, uh, at the bank. Uh, and you know, what was the biggest discussion is limitation liability. That's what so much of our contract negotiation centered around is limitation of liability. How does that work? Where does it work? What are, what are the risks inside of all that?
Those are things that I actually think a lot of MSPs and their clients don't talk about enough is how do we protect ourselves where those limitations of liability exist? And even like Jason posted, if you guys scroll up and chat a little bit, Jason posted an example of a client suing the MSP, just like you were talking about, uh, because in their mind there's that not that limit. Jason, you or, uh, Justin, you gave examples of that earlier.
Walk us through high level, if I'm an MSP and I'm thinking, okay, I'm hearing you loud and clear, Justin, how do I begin those discussions of limitation of liability to protect myself as much as I can? What are the key things?
Well, Again, I mean, you know, depending on the carrier, the carrier might ask you, and this is why I say you're not misrepresenting the facts by having this conversation, you might tell the carrier, Hey, I use a, a, uh, you know, master services agreement statement of work with my client. Okay?
So if that's what you're representing to the carrier, and then you're sitting down with a client and either A, they're not willing to sign an agreement or b you know, a lot of carriers are asking, you know, do you provide written security recommendations to your clients? Again, if you aren't doing that, then I as an MSP would sit down with the client and say, Hey, in order for me to carry my insurance, which is important for us, right?
Again, you need to have it, it needs, you don't, you don't di in my opinion, you don't dictate to the client. Remember it's the CIO-CEO, uh, relationship. It's a we thing, not a me versus you. So sitting down with the client saying, Hey, I make represent, or we make representation as of the insurance carrier that we'll be doing certain things. If we don't do these certain things, we could run into problems with the policy triggering. Therefore we needed an updated MSA agreement.
We need to make sure that we're following, you know, that standard or that that, that, you know, you've got the security awareness training in place or you know, whatever it is they have. You know, oftentimes what I see, the problem is an MSP thinks that the solution they're offering is right for a particular client. You know what it has to be if we go to court, right? The attorneys, again, are going to ask you, where did you come up with those recommendations?
And outside of pointing to a standard or testifying in front of Congress with all these credentials, you're in big trouble, right? Because they're gonna say, you know what, you know, what credentials or why did you come up with the, the solution that you came up with? And those are questions that MSPs have, you know, trouble answering when we go to court.
So I would always ask the MSPs regardless, you know, if you don't have a file that we can hand to the attorney that has the master services agreement, the six critical action letters that you supplied to the client telling them why they, you need to do the things that they do, right? If you aren't doing those things, we're gonna go to a courtroom and the jury of 12 independent jurors are gonna look at you going, you're the expert in the room.
They're, you know, they prepare tax returns, they design buildings, whatever it is they do, why didn't they have those things in place? And that's what you gotta be prepared to answer. And if you can't answer it, the judgment is probably isn't gonna go your way. So, So that is a huge takeaway for us. Yeah. I'll just say this super quick, Andrew, that is a huge takeaway. If, if you didn't catch all that from Justin, go listen to this recording again and peel that out.
It guys, it is so important to have these things documented, written and clearly communicated to client because you're exactly right. And those times when you end up in the lawsuit or the potential of it, having that there as the clear communication is awesome very quickly. And then Andrew, I'll turn it back over to you 'cause I know we wanna get to questions. Gary, I got a question for you that Justin's just getting my mind thinking.
Gary, we talk a lot about selling security in this whole series that we do in Crowdcast. It seems to me what Justin's saying is an opportunity for us as well. Not just a threat and, and the risk of limitation liability, but we can even use this with our clients and sales opportunities to walk and say, Hey, help me Mr.
Client, these are the things that we have to do together in order for us to make sure that we've, we've got coverage in our cybersecurity, you've gotta be doing these things alongside me. It seems like that actually makes it a little bit more conversant in, in working together with the client to actually sell your security strategy, don't you think? A hundred percent.
Again, what we're doing on this call every week, and this is another topic, is about giving people more knowledge and more command, the more you know and we're all learning together. 'cause this is changing pretty quickly. But the more you know and understand you listen to a call like this one as a business owner, as an MSP, and you're not thinking about things differently, protecting your own business that's gonna come through in front of every prospect and in front of every customer.
So Wes, you're a hundred percent right. This is what's gonna drive value, it's gonna drive revenue for the right reasons because we need to be able to protect ourselves and our customers and we need to make sure that when there's an incident that we're prepared for it. And if it gets past that point, that our insurance is gonna work the way it's supposed to for us and our clients. And well, Gary, that's hard work. That's hard work. Yeah.
One of the things that you hit upon, I just don't wanna forget it, you know, if you guys want a good revenue generating activity, demand your clients carry cyber. I was just reading the Wall Street Journal article that, as you guys mentioned, when are the carriers gonna kind of mandate that, you know, I think, uh, you know, you guys were asking when are they gonna start making it so that you have to do certain things to achieve a policy. You know, I was reading the Wall Street Journal article.
This particular, uh, syndicate was saying, Hey, no 2FA on email, no policy, right? So again, I think if you're pr, if you're hammering the client, I, I think again, it should be in your MSA, but if, if it's not in your MSA, I put it in. But secondly, sitting down with the client as a CIO saying, Hey, with everything that's going on, you know, you've got a security, a burglar alarm in place on your home, but if they get through, you better have your homeowner insurance paid.
I.e., carry a cyber policy. And then by going through that, you know, activity, you're gonna find that carriers are saying, Hey, you need that backup that's inaccessible from the network. Well now all of a sudden, Mr. MSP, I gotta take your advice.
And if you can get two or three or $4,000 from each client and you're sitting down with, you know, 50 clients, you do the math, you know, plus you're, you're better protecting your MSP, but you're also, you know, making it so that, you know, if you guys call it mushrooming account, whatever, but you're making it so that, you know, the insurance carrier now is saying to them, you have to do this to achieve a policy.
See, I've been telling you that for years, it's not only good protection, but now you gotta do to achieve the policy. So based on what you know, Justin, if you were an MSP, would you even have an MSP customer you're responsible for that doesn't have the right cyber insurance in place? Uh, like for our client that doesn't have No, no. Yeah, I'm an MSP. What? You know, I'm an MSP. Yep.
If you would tell me, I want to have a client and they don't have the right cyber insurance in place, would you want, should the MSP have them as a client at this point? No, it's too, I mean, it's too hazardous out there. And again, you gotta remember MSPs, you got cyber, you know, for your negligence. The clients need cyber for their negligence.
If they don't have cyber and they're subject to a business email compromise, and they're out $200,000, they're gonna come pick on your cherry tree. They're not gonna self-insure 200,000. The question is MSPs listening today, have you asked, do you know that about every one of your customers today? I, I'd love to hear from the audience, if anybody's, for somebody, I'm like, look, you don't get a choice, uh, with I said, we have tons of questions.
There's a handful, and I've even tried to add some additional questions in here. Uh, Chris throwing it your way, Tim actually asked a question. He said, Hey, look, should MSPs retain their own legal counsel, you know, in advance of a cyber attack or rely on the one provided from insurance?
Likewise, one of the questions we got was related to, uh, incident response saying, Hey, should I just take the one the insurance provides or mandates or should I make my own, maintain my own, like IR company or incident response company and retainer? So yeah, curious what you're thinking. Two different questions.
So, yeah, so for the, uh, for for breach counsel, normally the policies not, you know, and Justin's mentioned before, not all policies are the same, but most policies have a list of what's called panel counsel. And, uh, those, those firms have been well vetted out by the cyber insurance companies. They have their rates already negotiated with the insurance carriers. So everything's kind of set in place.
And all those firms typically have not come across one of them, uh, that, that is not an expert in this field. They're really good, very thorough. They're usually well-known national firms. And so trusting those firms is always a good idea. And it also removes any type of issues you're gonna have with claims on the policy and stuff of that nature, because it's already kind of pre-approved. And remember, when you deal with those law firms, they are engaged directly with you.
This isn't something like they're subbed out by the carrier. No, it's a, it's a legal arrangement between you and breach counsel. And so they're to represent you. So yes, I mean, there's really no need, in my opinion to go out and find your own breach counsel. I mean, we've gotten into situations where people have their own breach counsel, and lemme tell you, it just complicates the living heck outta everything. Yeah. Because, um, yeah, then I think you hit the nail.
You gotta also remember when you go attain, when you retain breach counsel, they're not doing this for free, so they want to get paid. Now you have a conflict where attorneys are fighting with attorneys and it's just not good. Yeah, Exactly. Right. And so that's the one thing. And then let's talk about IR pro, the IR providers as well. So the same thing kind of goes there. I mean, you should just go with who they assign. Again, they're well vetted, they work really well together.
Typically, when the IR firm says, Hey, we're gonna do X, Y, and Z for you, it's going to be approved by the carrier. If you have your own IR firm and they go do some things, it's possible that the carrier doesn't approve that, and you're still gonna be out of pocket for that. So, you know, like for ex example with us, even before being acquired, we invoice the carrier, we didn't invoice you, then you had to pay us, and then the carrier reimbursed you.
So there's just a lot of advantages for being that. But then there's this Capital One type kind of thing that's happened recently where the attorneys are now wanting even kind of bringing up this IR firm. So with the, the Capital One case is they had, I think they were using Mandiant, they had an existing IR retainer with Mandiant. So they had it, they got hit, they brought in, Mandiant was on retainer, they leveraged Mandiant, and then time passes.
Then it got called up a question about attorney-client privilege. Well, the judge in the case ruled against any of the stuff being covered under privilege that Mandiant was doing for the bank, because they had already had an existing agreement with the firm, and therefore that wasn't covered retroactive with the case that they had. So, so the, so the lawyers are being very, very careful about this now. And so you're starting to see things shift.
So you, you really should be very, um, I guess very careful about going out and doing your own stuff. Now, what some companies have decided to do is use IR firms and have a retainer when they don't want to file a claim. So they may have some little things and they say, I just don't want to go through the, the issues of filing a claim and then having that on my record. Just like if you get in a car wreck and you want to pay it out of pocket, kind of, some people are thinking that same way.
I mean, we've had people come to us and say, Hey, look, we just want to have you guys on a retainer for ransom negotiations. And we're like, okay, that's fine. And so there's just those types of things you can think of things that way. But when it comes down to an insurance claim, you want to play by the rules as much as possible because it's gonna be complicated as it is.
And you're just gonna make it more complicated if you start to bring in other parties that are not really accustomed to working together. So Chris, I appreciate you dispelling that. I know I've had multiple people ask me on my end of, I mean, we've even had a couple questions in here that said, Hey, are you aware of insurance not providing, you know, coverage for certain reason, right?
Maybe active war terrorism, generally speaking, I see the insurance carriers just wanna be good insurance carriers. They have their own reputation, they have their own business. Uh, they're not there to get their lawyers to go against you or have any massive negligence unless you're being negligent. Or maybe you, you know, self-certified, you had something covered and you actually, you know, had that pool or trampoline. You lied about it in the beginning. I've seen those fall through.
But huge thanks for, uh, providing some of that. Uh, with that said, guys, we're, you know, eight minutes left, uh, till we hit the one hour, and we've got tons of questions, 16 questions. So, um, you know, Justin, great job at, you know, getting everybody fired up here. And Andrew, thanks for keeping the polls going. 'cause if you haven't seen the polls, by the way, there's like three really great ones that are open. Yeah.
Um, so I, I, I did want Gary to take circle back and, and we'll come back to the questions. I know you guys have answered, answered a lot of them. I think one of the things that's really important here, Gary, and kudos to you, uh, regarding, I'm gonna give you a plug of my IT process.
Um, you, if you think about what Justin said in a court of law, you're gonna have to basically walk in with your book of customers and your security standards across, correct me if I'm wrong, Justin, And your recommendations and, and what the feedback was from the client. You just, you should be able to go back to how many meetings you had, what recommendations, what they accept, what they didn't accept. Correct. Correct me, I'm right. Correct me if I'm wrong, Justin.
Basically that's in, if, if you had a, if you could show up a spreadsheet in, in essence, real quick, right? Here's every client, here's 2FA bubble all the way around what we did, how it was implemented, et cetera. It real quick that that's what you're basically saying. Is it across the board, did you handle as a doctor the cancer protocol the same way across the board, on and on and on? Is that fair? Correct. I mean, I always tell our clients, right?
I want it so that we can hand the attorneys a manila folder and we have a defensible position in court. So in that folder, just like a chart with a doctor, it should include the MSA, the statement of works. In your statement of work, are you referencing the third party terms and conditions? Right? I mean, again, I don't wanna take it down roads, but, you know, some of the highlights, you know, regarding around the MSA and statement of work, you know, are we gonna have critical action alert?
I mean, when you're sitting down with a client, you should be offering every single solution that's out there, right? And have them check the boxes on which ones they wanna take. But then all of a sudden, you know, if we get it to a point and they say, well, I didn't know about that backup, that's inaccessible in the network. Nuh, I offered it in a statement of work. You chose not to take it. You signed at the bottom. That's a you problem, not a me problem.
Don't tell me I didn't offer it to you. Yeah. Know. And I think Andrew, where our top customers are getting now, Justin and or trying to get to, it's like they're not giving them that choice. If you wanna do business with them, you have to have those basic things. The problem is that core offering, it's changing quickly, right? Right. That, that standard of what you need in terms of process and, and, and partners I is, you know, it's, it's evolving pretty quickly. So it's not easy.
But, uh, again, you know, sometimes Gary, and we've talked about like sometimes sales equals security or security equals sales, right? So by taking a pause and making sure that you're doing these things internally, right? If you aren't, you know, and there's other MSPs out there that just continue to focus on sales.
I mean, I think, you know, Chris and Kyle can tell you it's almost an if not a win, you know, so you know, these people or these MSPs, if you aren't doing, gonna take the time to do these things, right, internally, you know, security, getting the correct agreement and all that sort of stuff, you know, it, you know, the tornado might be coming through town.
And then if we get there and you can't make a $900,000 claim, $90,000 claims, now we're in a situation where, oh, well, why'd my rates raise so much? You know? So, you know, going back and having that chart, if we can make that as $900,000 claim, $90,000 claims, and you have five clients that are hit instead of a $4.5 million claim return in a four 50,000 claim, that might be the difference between your MSP surviving and not.
So, so, so, you know, we wanted it with four minutes left, we always talk about, is there something actionable here? And, you know, people are saying, we're gonna have to do a another Tim Fort happy birthday, by the way. Um, we're gonna have to do another one. And we can do, come back here, enclo in as we wrap this up here. Here's a takeaway, man. Number one, Justin, you're talking about doing security internally.
And man, I, I feel like I've slammed my head into a wall for three years asking people about, you know, what standards they use. Do they map to a specific framework? Are they doing it internally first? Because again, command, Gary, if you're not doing this internally, my goodness, it's gonna be really hard to go have a conversation about here are the controls, this is what they map to, here are the policies that map to those controls. This is our standard, right? Number one.
So my goodness, number one, you gotta be doing it internally. Fair, Justin. You know, Correct. I, I mean, a good gauge to me is if I were to take, you know, I would say if you, we were to take 10 of your peers and they were to peek into your operations and how your clients operate, would they say you're doing a good job above, you know, or better than average, average or below average?
And that's the question I always, for each client, unfortunately, you gotta kind of go through that, you know, and because these are, you know, when we get to the point that insurance has to engage, it's a very, very, very serious matter. And you think if you're not, I tell him, MSP, if you're not gonna have the conversation now we're gonna have it, but we're gonna have it in a deposition or in court where it's gonna be a lot more hostile.
So you wanna have it under, I'm gonna help Justin out today. Justin, you've done a great job. So I'm gonna give you a little gift for free. Okay? So listen, when you, you're talking to a potential MSP, you could just ask them two questions, find out what their seat price is, number one, and then two, find out how many tickets curse, you know, per end user per month. They generate. You find out how noisy they are and how much they charge. That'll tell you how secure they are. Okay.
See, there you go. The poll. Can I, can I just do my wrap up real quick, Andrew? Yeah. Are you gonna touch on these polls, Gary? Because in your wrap up, because, and if you, if you don't want to, that's cool. No, I, I'm, listen, Andrew, it it is, look at what's happening here. Like, you know, most people, they, they don't know, they're not having those conversations right? About their customers and their cyber insurance. So here's my one 30 seconds.
We've been preaching this for years before the stakes weren't as high. You need, unfortunately, unfortunately, you need to be a business person first and a tech second. Now, as an MSP, before, if you weren't, it just meant you worked really hard and basically had a job. You couldn't quit, right? You didn't, you didn't make margin, but that was your decision to make. Now you're putting yourself, your customer's business, your financial future. You're putting it all at risk.
So like it or not, we gotta get moving insurance agreements, standards risk way, like we have to have command and we have to be business people first. Then you can be a tech. Uh, well, really well said. Kyle, how about your, uh, your summation here? No, um, folks earlier said it best. This shouldn't be a part one and done situation. I know. I mean, Chris Laron is always wonderful. Justin, you really opened, I think, a lot of people's eyes. You also said it blunt too.
And in your job, especially as a broker, you see it all and you get paid by keeping people successful, keeping customers happy, and making sure they got the best insurance they could afford. Um, I think your, your insight on this was awesome and I'd love to see you back again. Well, thanks.
I appreciate it Kyle and Andrew, by the way, Andrew, I just met a few weeks ago, so I just wanna say, I mean, I think it's great that cyber nation, I've learned more over the last couple weeks, so I appreciate you putting this together and all you've done. Yeah. Would you, thank you. Will you come back and and do a part two with us If you guys will have me? Yeah. Oh yeah. I think it's one of our best calls yet. This is awesome. And we're an hour and we ran out time. I know, I know.
Um, I wanna get to Wes, but what I wanna say is, I think a part two of this is gonna be really around Gary, that we turn it into how you address sales, you know, using the core things you set in your wrap up. Um, so yes, Justin, we'll do that. Wes, your summation. Talk about next week. 'cause your buddy's gonna be with us. Yep. Uh, so I'll just say this super quickly.
When I have a medical issue and I see a specialist, I listen to what they say because they've been there and done that thousands of times and they know what they're talking about. And we just heard from the specialist, Justin and Chris. So thank you for being our specialist and telling us how it is. Doesn't make it easy, doesn't make it comfortable, but it does make it necessary. Um, and it's a choice every day, just like Ray said in the chat. Really, really well said Ray. Um, okay, yeah.
So next week you definitely need to attend. We have got my friend, my colleague, my ex, uh, uh, alumni from Murray State, go racers, Chris Sanders joining us. Uh, Chris is the, uh, author of numerous books, but most notably just came out, uh, this month is, um, Intrusion Detection through Honeypots. Uh, Chris is gonna be joining. We're gonna talk all about honeypots. We're gonna talk about intrusion stuff, uh, with Chris, he's fantastic. He actually has worked for an MSP in his background.
So he loves the SMB sector. He loves MSPs, and he is doing five book signings on behalf of Huntress Perch True Methods. And, uh, Andrew Morgan from Code Red. So, uh, join for that. It's gonna be a blast. Come with questions. It's gonna be a great event next week. Very, very much looking forward to it. Justin, any closing thoughts from you before we go to Chris? No, I mean, like I said, I, I just appreciate it. I hope, uh, you know, everyone got some value out of this call.
Listen, I know some of these conversations we're having aren't the easiest to implement, but trust me, once you do implement 'em, you're gonna thank yourself that you did, you know, because, you know, as Chris can tell you, I mean, especially the ransomware attacks, I mean, these aren't, these are Cat five tornadoes. I mean, I've been through hundreds of lawsuits in my years, and these are about the worst that they can get.
So again, if you don't do it now, you know, it, it, it could spell trouble and the trouble could be, you know, potentially got, can the MSP survive the ransomware attack? And people always say, oh, I'll start another MSP. Well, I don't know how many hundred, 200, $300,000 jobs grow on trees, but there aren't many, you know? And plus it's hard once you get that reputation in your community, your vendors are, or your peers are, I'm sorry, your competitors are gonna use that against you.
So it's not that easy, you know, to just start over. So I guess, again, my biggest takeaway is, I know we probably made a lot of the MSPs drink through a fire hose, but digest it, start working. I mean, even if you start implementing these things over, you know, create a, a year, 18 month plan, and if you can take 50% of the clients that aren't doing things and make it so that that number's 20%, you just improved your book by 30%.
So do you don't have to tackle it today or tomorrow, make this a year long activity. 'cause I can tell you from a claim standpoint, if we got 50 nasty claims and we can take that percentage to 20%, again, it's gonna be a, a lot stressful. And b, you're probably gonna be able to get through that ransomware attack. Yeah, really well, really well said. And taking this medicine, and I feel like, you know, Chris, you want to talk about your, you know, urology preparation of your co colonoscopy?
No, no, but, but in all kidding, all kidding aside, I mean, really this is some tough medicine that we all have to, you know, embrace and, and work through Chris. Um, we've got the incident response planning workshop tomorrow with you, Wes, Gary, um, and Mike Beard. Want to take us home here? And, and again, thanks for as always for being on with us. Me, no, Chris Lair. Oh, go. I thought you, my advice is to continue to get experts involved, like we've been saying a bunch on this call.
Uh, we have had a number of cases recently where the MSPs decided to take this in their own hands and, uh, it just never, ever, ever works out well. And so, um, it, it either they might return the customer to service, but they destroy forensics. I mean, it's just a bad, bad deal overall. And, and so, um, it's, it may be a little, um, bruised to your ego, but you'll get over it. Just, uh, bring the experts in. Alright, well again, all of you.
I think Kyle had a scoot, uh, he was probably running behind. But thank you for all of you. We were packed, uh, uh, here and we still have 165 on as we speak. Thank you for staying long again, Justin. Thanks for coming and, uh, here today. And we are gonna have you back. We're gonna do a whole thing around sales. Um, it's gonna be awesome. So team nine week 19 in the books. We'll be back next week for week 20. Thanks to everybody. Take care. Great job, Justin. Great job.