Episode Summary

Cyber insurance is a delicate and confusing world, and there’s a massive disconnect between insurers and the cybersecurity industry. So what does the average MSP need to know? What is the cyber insurance process in the event of an incident? And how can MSPs protect themselves from liability if their customer experiences a breach? Joseph Brunsman of Brunsman Advisory Group is a veteran of the tech insurance field with a master’s in cybersecurity law, and he joins Mac to break down this complex but important topic. Plus: what do the SolarWinds CISO’s legal troubles mean for CISOs everywhere?

Episode Transcript

MacKenzie Brown: Welcome everyone to Return of the Mac, episode three, actually. Wow, it’s been so long. We’ve gotten really far. And in the theme of this is, as Joseph will appreciate, “Always in writing, always in cash, understanding the delicate and confusing world of cyber insurance.”

Yes, that’s right. Insurance has not been particularly the most riveting type of topic to have. But the insurance market in itself, specifically cybersecurity, could be arguably classified as slightly a little more snooze worthy, but we’re not gonna make it that way. I have the best guest ever.

As I’m getting a little bit better at these podcasts—I’m trying to think of the show and movie actually where there’s someone, I think it’s like a person, an officer and they wear a hat, and then every scene the hat gets bigger and bigger. So that’s probably going to be me in every single podcast. The mic’s going to be a little bit different. The lights are going to be different.

But I’m really excited, actually. I know it sounds weird. I’m going to be excited to talk about cyber insurance. But for me, we are going to demystify something that I feel like a lot of us just talk about. And we just nod, but we really have no idea what’s going on.

The market in itself has had a lot of ups and downs lately. Very crippling ransomware cyber attacks that bring in massive sums, some rumors of insurers leaving the market altogether. Where are we at? Where’s the market today? And more importantly, what does the average managed service provider, our partners of the channel, need to know about cyber insurance?

So I am joined with the perfect person, right person to interview in regards to cyber insurance. Joseph Brunsman, welcome.

Joseph Brunsman: Hello. Thank you. Thank you. And as far as big hats go, my first thought was Spaceballs.

MacKenzie Brown: Oh, that’s right, that’s one of them too. That is one of them. Oh my gosh, I think, was it Scary Movie? It’s gonna bug me now, but I’m gonna find it and my mic’s gonna get bigger and bigger slowly as I continue doing some of these episodes.

So Joseph Brunsman’s with us today from Brunsman Advisory Group, an insurance brokerage that offers amongst its cyber portfolio insurance for MSPs. Joseph has been in the tech insurance field since and actually has a master’s in cybersecurity law. So he is the expert.

Joseph, do you want to kind of introduce yourself and how you got here today and why you’re so obsessed with cyber insurance?

Joseph Brunsman: Yeah. So a little bit more about my background. I’m a former IT and I got my bachelor’s in robotics from the Naval Academy. So as a kid, I was always skipping school and I’d go to the computer lab, right? I’m like, I don’t need English class, which is funny because I ended up writing. Well, I’m on my seventh book at the moment. So probably should have stayed in English class, but anyways, I’d go to the computer lab or I’d go to the library and do more fun stuff.

But when I came into the insurance world in 2015, I was like, man, what’s this cyber insurance thing? Like this is really cool. And that’s back when nobody cared. There was no money in it. It just kind of hit upon my background and my interests. And then it just kind of went from there. And so, yeah, I’ve written a bunch of books, bestselling author on the topic of cyber insurance and cybersecurity law.

And I just think it’s super cool, right? It’s constantly changing. It’s ever evolving. And MSP conferences are way more fun than going to accounting firm conferences.

MacKenzie Brown: I can imagine. I can imagine. What, you don’t mean that there’s like full on frat parties going on at these NetDiligence conferences, or they’re not streaking through the quad or really taking beer bongs?

Joseph Brunsman: No, it’s a whole lot of very serious old men in white New Balance sneakers. Which, you know, talking about the latest ransomware trends or, you know, various like technology components or whatever it is, that’s so much more interesting than sitting through an hour and a half of, you know, IRS circular 230, Revision C. That will put the most caffeinated man to sleep. It’s terrible.

Working with MSPs is so much cooler because it’s like, man, I like, I’m super interested in the problems they have. It’s a super dynamic industry. The people are really cool. We’re all nerds. So it’s like, I just get to nerd out.

MacKenzie Brown: I feel like, too, we’re all just trying to navigate the same problem, you know, which is why I like the theme of this, because I’m still trying to learn as much as I can about this space and about insurance, but mostly how it applies to—coming from the incident response world, where it actually makes a difference, for lack of a better phrase, you know, like for positive reinforcement of a victim cybersecurity posture.

It would be really good to kind of break it down, and maybe you’re not here to bring that good news, but bring some light to it and some suggestions and advice is always wonderful.

Joseph Brunsman: I’ll do my best. I’ll do my best. People should just kind of understand—I get questions from MSPs all the time. Why don’t insurance companies do X or require Z?

And one, we have to understand, insurance companies are giant behemoth bureaucracies that have been around for hundreds of years. Right? So like all good bureaucracies, any decent idea will die somewhere between the steps between the person with a good idea and the actual final say on that. So it’s a really interesting dynamic area with a lot of competing interests. There’s a ton of capital that’s getting poured into the marketplace, there’s a ton of capital leaving the marketplace. So it’s ever fluctuating, ever changing, never boring, always frustrating.

But it’s cool. Gets me up in the morning.

MacKenzie Brown: I can see why this is your hobby then and why you’re really invested into this. Or you’ve really made a living on it at this point.

Joseph Brunsman: Oh, purely by circumstance. I was so interested in this stuff when there was no money in it. And everybody was like, ah, there’s never any money. No one’s going to care. And I’m like, I don’t know. I care.

So even when I got my masters in cyber law, the only reason I did that was because I had these questions I just couldn’t find the answers to. And I was like, ah, maybe if I go here, they’re going to have the answers. And then being the nerd that I am, I didn’t realize that I had already read about % of the course curriculum before I even enrolled. I just didn’t know. So I showed up and I was like, what about this? What about that? And they were like, oh yeah, we just don’t know. And I was like, ah, damn it.

MacKenzie Brown: And people still don’t know too. There still feels like there’s a lot of unknowns there and a little bit of a disconnect in between our two worlds, but it’s also a part of the new normal. Like cyber insurance is just a part of it. And I’m hoping we can kind of break that down a little bit further. Before we get into the good stuff, I actually like to start with a fun hot topic of the day. So prepare yourself.

The SEC has now charged or is planning to charge or charged as of Monday, I believe, the SolarWinds CISO with fraud of misleading investors before a major cyber attack. This brings me back to when SolarWinds actually hit, which also puts it in perspective from a timeline of when a massive cyber attack breach happens like this, the amount of organizations that were impacted by it. Going back to IR days where this was a very long, very long engagement with many, many organizations.

And even going back to my experience in the SLTT space, starting in state government and doing IT support, network engineering and seeing, you know, we used SolarWinds for network health visualization across all of our facilities across the state. So, but I know they’ve expanded their technology a little bit.

And if anyone doesn’t remember, kind of the SolarWinds in a nutshell, you know, it was attributed to the Russian foreign intelligence service. Hackers essentially found, this adversary pursuit group actually found their way to insert malware into a version of the Orion IT monitoring system, basically a backdoor, and it allowed Russians to gain a foothold into high value targets.

And definitely from my experience, knowing the high value targets, this is that public sector, right? This is federal, state, local territory.

The big thing that I do remember that came out of this was coining the Golden SAML attack. So I always had a lot of fun with that because after the Golden SAML attack, where they would essentially be able to forge that SAML response, get a foothold into the environment, then we’d start investigating the web shells, persistent mechanisms, privilege escalation from there, but really they were just trying to maintain longer dwell time for as much as possible without getting caught.

But seeing that the SEC is now trying to charge Timothy Brown, we are not related, by the way, for fraud in allegedly lying to investors by, quote, overstating SolarWinds cybersecurity practices—sorry, my quotes aren’t high enough—cybersecurity practices, and understanding or failing to disclose known risks.

That is a page-turner. This is going to shift a lot of where we’re going as far as, you know, maybe I don’t want to be a CISO someday, because I feel like we’re too pretty for jail, Joseph. I don’t think we should become CISOs.

Joseph Brunsman: Well, I do martial arts, so you’re on your own. But yeah, I think it’s a very kind of interesting, scary time, as if CISOs didn’t have enough stress and the burnout rate wasn’t high enough to begin with. Right? Now you got to start thinking about, well, now I could have these government agencies coming after me as well.

And I mean, to be fair to the guy, cause I don’t want to disparage him and I wish him all the best and I hope everything turns out all right for him. You know, it’s like, I think he was in a public company and they trotted him out there to be a cheerleader, right? Which is what happens. Like that’s what the CEO of a public company is. They’re the cheerleader for the investors and the public at large.

And I think he just got hemmed up, but you know, I’d say a lot of CISOs out there are probably like, Hey, why don’t you add a zero to my paycheck? Right? Like if we’re talking about jail time.

MacKenzie Brown: Right, I mean, what does this mean for all CISOs going forward when it comes to making attestations about the risk posture of their organization? And, you know, that’s kind of why I named this, as we’ve talked previously, “Always in writing, always in cash” is essentially like everything you report though, to what degree are you actually putting it on paper and ensuring that it is what it is?

And when you look at, you know, we’ll dive into the cyber insurance side, but compliance in general is this theme, broken theme, I’d like to say, unpopular opinion that we have a checkbox mentality. We are in fact checking the box, but we’re not doing controlled versioning on a purposeful level. So we’re completing the control. We’re writing the policy and procedure and maybe we’re implementing some sort of tool, but the effectiveness of that tool maybe is lackluster.

And is that going to potentially turn into down the road we get hit and somehow those controls were a failure or they failed to mitigate to some degree, or I don’t know. Then what? Then because we said we were secure and fine but we actually weren’t, I’m going to get put in handcuffs?

Joseph Brunsman: I mean, kind of the basis of this is it has to be material, false and misleading facts, right? But you know, part of it is when I think back to my time as an IT guy, I started in 2003, I was like, man, one of the hard parts about this job is that when everything’s working perfectly, nobody knows you exist and you get no credit. And then when something breaks, everybody hates you, right?

So it’s like this odd balance of trying to be heard and seen and appreciated and not hated all the time. So it’s like this weird, you know, I’m sure that he probably had gone in to the board of directors and done presentations. And I’m sure he’d spoken to all the executives. I think it’s actually in the Wells notice from the SEC. And I’m sure he was going in there saying, Hey, we have deficiencies here, and here. I think we need to upgrade this. Like we need additional tool, I need more funding for X, Y, and Z.

So it’s like, how do CISOs balance that where, you know, MSPs have the same problem, where they’re going, Hey, I think my client legitimately needs this control and that control. And, you know, why aren’t they doing this? And there’s always that balance within business of, you know, security versus how much you’re willing to spend on it.

Because the problem ultimately is you’re being judged by federal regulators and their boss literally prints money. Like the IRS has a plan in place on how—I’m not joking—on how to collect taxes after a nuclear war, right? So Uncle Sam’s going to get his.

So, you know, it’s like, you’re being judged by these people that probably have little to no practical real world experience outside of working for the government. And then they’re going to look at CISOs and they’re going to go, well, I’m going to hang my hat on crucifying that guy. And I mean, what do you do with that as a CISO?

MacKenzie Brown: Yeah, are CISOs the new scapegoats for the industry at this point? Which, I mean, in all fairness, it’s not unheard of to hear in the headlines of a breach or a cyber attack and then scrolling through LinkedIn and seeing some job postings of the same company start popping up. Maybe they’re supplementing or augmenting their staff a bit, or maybe it’s not a coincidence, and they’re just like, well, let’s start from scratch. We got that scapegoat, now we’re going to pull in a new one. Which is, again, unpopular opinion, but this is the show. We’re gonna be a little bit frank here.

Joseph Brunsman: Yeah. I mean, CISOs don’t just have to worry, right? Because I’m sure if you’re a CISO and you’re in a publicly traded company, you’re sitting there and you’re like, Oh my God. And you’re watching this like a hawk.

It’s not just the SEC. CISOs also have to worry about the FTC, the Federal Trade Commission, because they, in the first time they’ve ever done this. The FTC is the, I’ll say, self-entitled nation’s preeminent cyber cop. So they use this hundred plus year old part of a statute to say, Hey, we’re going to go after people for cybersecurity now. And they’ve gone after obviously private companies as well as public companies. And they’ve gone after big companies, small companies, sole proprietors, effectively defunct companies, just to prove a point.

And in the Drizly case, not only did they issue consent orders to the company, which are years long and super expensive and all-encompassing and they’re brutal, they also issued a consent order against the CEO personally. So no matter where that guy goes, that consent order follows him.

So you imagine, we all work for somebody, right? So the board of directors is going to go, do I want this guy or do I want some dude who’s bringing the feds and all the heat into my business?

MacKenzie Brown: That’s way worse than a non-compete. That’s like the ultimate baggage to bring in to a new job. By the way, the FTC, it’s my ex-boyfriend, but he’s still hanging around. That’s awful. Oh, that’s frightening.

Well, I mean, I guess what would be your advice for people watching this, you know, going forward? Because this is just, I feel like this is just the start of it. Well, SolarWinds has clearly been going on for a long—I would love to stop talking about SolarWinds someday, but it’s probably, this is the grand example of the industry that people need to pay attention to, even the regulators, right? And I’m sure this ties into the cyber insurance side too.

Joseph Brunsman: Yeah. So I think for CISOs, they need to start thinking personal liability. So they need to start saying, you know, giving a presentation to the board of directors is one thing, right. But then maybe following that up with an email. And I think MSPs should do the same thing, right? Hey, here’s what we discussed. Here’s why I think you should have it. My understanding is you don’t want to do it this quarter. We’ll revisit this next quarter, right? Here’s the risk in not doing that. Pleasure speaking with you.

Right? So that way, like there’s some chain where you can go back and you could say, Hey, I was being responsible. Right. At the end of the day.

MacKenzie Brown: I feel like I should be writing this down now. I’ve read “Brown charged with fraud” too many times. I’m a little traumatized just from reading the news article. Okay, that’s great advice, right? Like paper trail is what you’re saying.

Very distinct, you know, even on the investigation side for IR, we would be on the calls with lawyers at times and there would be, because there’s always lawyers on the calls no matter what, but there would be these conversations where we would be redacting information or we would be modifying the language to say, you need to go implement X, Y, Z.

But really they were like, “Well, could you just make it a suggestion?” Not a, “If you don’t do this, the default is failure.” Versus “You can harden your environment with the opportunity to implement these controls.”

There was such detailed language, very specific words that were used. So it didn’t feel like we were giving an assessment. Rather we were saying, you know, “This would help this not happen again. This would protect you a little bit. This would harden your environment, reduce your attack surface just a little bit.”

Joseph Brunsman: Yeah. I mean, honestly, if I had a magic wand, I would say for all the CISOs out there, I mean, obviously we’re talking about liability, but granted you guys only have so much time in the day and it’s kind of a 24/7 job, which hurts. But just even knowing a little bit about the statutory side, about legal requirements.

Because typically the CEO is not going to know that, and even in-house general counsel, you know, when they passed the bar exam, privacy law didn’t even exist, right? Especially if you’re at a big company. So at least kind of understanding the fundamentals of, who are the players, what are those general requirements, would go a long way.

Because, you know, in my experience, I actually ended up doing inadvertently a lot of selling for MSPs to my non-MSP clients. And I’m talking to, say, like my cyber insurance client, they’ll call me up and they’re like, “Hey Joe, you’re the IT guy.” And I’m like, “Well, I’m technically just your insurance guy. I don’t know your network architecture.” Like there’s way more to it than, Hey, Joe’s good at computers.

But when I start talking to him about, Hey, you know, here’s the statute that you could fall under, here are the requirements, right? Something like an OFAC exclusion, right? Where within a cyber policy, sometimes it’s illegal to pay the ransom, right? I start talking to my cyber insurance clients about that. And then they go, “Oh. Well, my MSP was talking to me about getting extra backups.” And I’m like, “Yeah, that’s why it’s a really good reason. Like you’re gonna need minimum – – backup strategy and then immutable backups, right? Or object locked permanence,” or whatever you call it these days. Whatever the hip kids are calling it. I’m like, yeah, that makes a lot of sense, right?

So kind of adding that in there, I think CISOs could benefit from that as well, right? By saying, “Hey, here’s some of these potential legal requirements.” And it’s hard because it’s always changing. It’s a spiderweb patchwork of craziness and conflicting ideas.

But I’d say if you’re a CISO at a big company, get a data privacy attorney into your business. And start saying, okay, what’s just a requirement that we need to be doing?

So if you look at FTC, they have a reasonable data security requirement, which means it’s hyper-dependent on your business. So you have to look at precedential case law and you have to start thinking about what you’re holding, how you’re holding it, where that information’s going.

I think that would add a lot of backup to the MSPs and to the CISOs out there to say, Hey, it’s not just the IT guy going, “Hey, this whiz bang thing that the CEO doesn’t understand is a really good idea. And if we don’t get it, we’re all going to die,” to the lawyers coming in saying, “Yeah, you have to get this. Like it’s non-negotiable. If you don’t do it, here are these just straight, terrible outcomes that could occur.” That, I think, makes a lot more sense to the business owners because they’re used to working in that area, right? Of dealing with laws and regulations.

MacKenzie Brown: Well, and I do feel like as we lead into the cyber insurance conversation, that’s also a disconnect that you have between the C-suite or the business minded individuals who are concerned about not just the bottom line, but hey, where’s the risk from a legal perspective? And then everybody else in cyber and IT saying just do these things, we do these things and we can eliminate that risk or the concern. But those don’t tango well together all the time.

And I would say that the legal business mind always takes precedence, sadly, whether it should or shouldn’t, it’s always gonna take precedence. They’re gonna be more concerned of after the fact what happens.

Like you said, on the OFAC regulations, they may call their cyber insurance panel, they may have breach counsel, their internal counsel, even an IR team, they may be working with ransomware negotiators where all of a sudden the negotiators are like, “Hey, we did some attribution, we analyzed the linguistics of this, we can confirm this is one of the 10 countries on OFAC lists. You cannot pay the ransom. So we can’t negotiate anymore. Good luck. Also, this is all recorded. This is all reported. So don’t even try to pay the ransom, because now you’re just going to add yourself to risk.”

And so they’re going to be sitting there like, sh**, we will blurb that out, by the way. But I wish we would have listened to Joseph and worked on those backups.

Joseph Brunsman: Yeah, I think that business owners, this may sound weird coming from the insurance guy, but business owners put way too much reliance on cyber insurance, right? Because one, their insurance guy didn’t tell them because the insurance guy generally doesn’t know, nor does he necessarily have a legal obligation to tell them, although, I would argue, an ethical obligation. But understanding the capabilities of something, great, but understanding the limitations of something generally is more important, right? Like you have to know what this thing cannot do and will not do.

And something like the OFAC exclusion, every time I talk to a new client, they’re like, wait, what? Nobody’s ever told me that. And I’m like, yeah, it changes the game, doesn’t it? Suddenly, maybe you should have all these additional controls.

Because cyber insurance, think of it as health insurance. Like you could eat yourself into a diabetic coma, and yeah, you have insurance, but you’ve already lost, right? You played that game and you lost.

So cyber insurance is like a reserve parachute. It’s not the primary. And I really hope businesses just get more focused on those controls. I think part of it is gonna be like, if we look at the SolarWinds event, this is all coming in together, what I call the cyber event death spiral. And so, you know, business owners traditionally were just very worried about, hey, if I get hit, what happens? How do I recover from this?

I wrote an article for a magazine in like 2019, I think. And I went through every single class action claim that was public record. And I was like—

MacKenzie Brown: That’s dedication.

Joseph Brunsman: Oh, I nerd out on this stuff.

MacKenzie Brown: Just casual light reading before bed, just class action lawsuits. Someone’s gotta do it. Not all heroes wear capes, so that’s okay.

Joseph Brunsman: We all wear flannel though. I’ll say that much.

So kind of the synopsis of that article was, “Hey, I’ve looked at every single publicly available case. Unless you’re a billion dollar company and you lost more than 200,000 records, you don’t have to worry about a class action claim.”

Those days are gone, right? That was about three and a half, four years ago. That has completely changed. So what we’re seeing now, great example is SolarWinds, is: You get hit. And now you have to deal with the fallout from that event, which is not fun to begin with. Now you have to worry about clients leaving.

MacKenzie Brown: Hopefully not a Senate intelligence briefing as well, on top of that.

Joseph Brunsman: Yeah. Right. So now you’re going to have bad publicity. What happens when clients leave you? They have no real reason not to sue you, because what do they care? So now we’re seeing cyber event happens, clients leave, class action claim. That leads to discovery. Regulators, like what happened here, which is why the second Wells notice got sent out.

MacKenzie Brown: Mm-hmm. SEC, FTC, this…

Joseph Brunsman: Everybody just starts, they start getting theirs, right? You have to worry about state attorneys general, right? Because what does every attorney general in a state want to do? Run for Congress. What’s the easiest way to do that? Consumer protection. What’s the hottest point there? Cyber. So you’re looking at, you know, class action claims, you’re looking at state regulators, you’re looking at federal regulators, and then it just keeps spiraling and spiraling, and that is super hard to recover from.

MacKenzie Brown: Well, the death spiral ends in death, right? It’s not gonna be positive at this point. Yeah, that’s, ugh.

Joseph Brunsman: Yeah, it hurts. It hurts.

MacKenzie Brown: Yeah, I have an ulcer just talking about it, just going through the death spiral. And when will it end at this point? Because I’m honestly waiting now. You talked about the FTC thing and I feel like it’s gonna keep coming. So I guess our advice to our listeners too, whether you’re a CISO or a business owner, an MSP, is just keep your ear to the ground, right? Like watch this closely.

I think if we go back in time or in the next six months, we look at this historical timeline of what happened from point of breach to investigation to Senate to class action lawsuits to SEC to maybe FTC knock on wood to whatever is going to happen after that. Like this is going to be and I would imagine it will trickle down where something like this conversation ends up at an insurance conference, your favorite place to be where they’re going to be talking about like, so how can we leverage this?

And that’s a good transition into our insurance conversation of, okay, I see this massive disconnect between the cybersecurity industry and the cyber insurance industry. And people may say, again, not a riveting topic for a podcast, but when you’re in cyber, this is a big deal. It changes and it impacts many roles within the cyber realm and world. Not just leadership, but IR, security monitoring, SOC or security operations monitoring centers, all of that is going to be impacted because cyber insurance is going to change the requirements. And then of course, regulators, I don’t know if they go to coffee with the insurance people, but they’re going to shift as well.

Where is the disconnect from the practitioners to these brokers? Like, what’s going on here?

Joseph Brunsman: Oh, you guys are smarter than us.

MacKenzie Brown: You’re pretty smart.

Joseph Brunsman: No, I’m just an insurance guy. But no, really, you gotta think, okay, one to begin with, you have these giant old bureaucracies that are insurance companies that are working with giant old bureaucracies which are state insurance commissioners, right? So generally what state insurance commissioners and insurance companies want is years of historical data to validate and justify the rates that they’re charging people, what actually goes on the policy, what the exclusions are, etc. And sometimes those filings, depending upon the type of policy, that could take a couple years to get through.

So if we look at something like car insurance, if you’re a 35-year-old white male with two kids and you live in the Annapolis suburbs and you drive a black Toyota Tacoma X number of miles per year, insurance companies know, they’re like, all right, well, this is roughly the risk associated with that. And we know, Hey, do you wear a seatbelt? Do you have an anti-theft device? All that type of stuff.

Cyber insurance is pretty much the exact opposite because you’re dealing with this ever-evolving dynamic threat where just when it was ransomware for the big guys, they start shoring up defenses and then the bad guys go to the small guys. And then the small guys start ramping up defenses. So then the bad guys go to do something else. And it’s just a never-ending cat and mouse game.

And then the insurance company, they’re looking at years past to try and justify. Like they have to build up the data sets and the models to do what they’re doing. And that’s super hard when the threat that you’re trying to protect against is always changing.

So I just gave a talk at a conference on the intersection between cyber insurance and AI, and I’m like, well, the short answer is the insurance industry isn’t going to even remotely probably touch this for another five years because it’s changing so quick, we don’t really know what it’s going to evolve into. There’s so many facets where this could be implemented that, you know, trying to push that through some insurance regulator who’s just a nine to five type of guy, I mean, it’s almost impossible to do. So it’s, you know-

MacKenzie Brown: Yeah, we’re still at typewriter, so let’s get into AI for the insurance guy. I feel like that’s a little more advanced.

Joseph Brunsman: I guess the good news is, I mean, I’ve been screaming from the mountain tops since of increase your controls, increase your controls. You’re going to increase them the easy way or the hard way. So while I wish the cyber insurance industry was more on the ball and more forward leaning in terms of what they’re requiring, how they’re evaluating and writing risks, at least we’re kind of moving in that direction.

So we are starting to see really, it’s not fast enough for me, but you’re seeing probably a traditional insurance policy, like a homeowner’s or something like that, like 40 years of policy evolution in like three, four years for cyber insurance. Right? So your normal kind of run of the mill insurance policies, they don’t really change. It’s only every now and then something pops up and the insurance industry is like, Oh, well we haven’t seen that before. We got to change it.

But now what we’re starting to see, and this is probably good news for the MSPs, exclusions such as for critical vulnerabilities, right? Which I don’t know how many normal business owners are, you know, scouring the MITRE website and looking for critical vulnerabilities, probably none. So like one policy says, Hey, if it’s a CVE and it has a CVSS of eight or greater, so a score of eight or greater, you have days to implement that patch.

So that’s good news and bad news for MSPs. Because now—

MacKenzie Brown: Just bad news for a lot of organizations that don’t do that. Patch your sh*, by the way. But people don’t, that’s unheard of. And then you look at zero days that come out, which I’m sure is an exclusion of itself, but 14 days after a zero day, which is definitely gonna be a scoring of 10, maybe a little bit lower, but likely 10, we see how fast these new zero days are evolving. And we saw those with the Exchange vulnerabilities. We’re probably gonna see it with MOVEit, right? We’re seeing them shift every two months is going to be the same thing, it’s just going to be a different compiled version of it. So 14 days is still a tight, tight schedule there.

Joseph Brunsman: And now, and here’s the problem. We’re looking at this where we’re like, ah, patch Tuesdays, which everybody hates. What happens if you’re a seasonal business, right? What happens if you’re an MSP, you have an accounting firm and they say, Hey, during tax season, you don’t touch anything. You do not change our network. Nothing gets changed. There’s no updates. Nothing. That’s a problem. That’s a big problem.

MacKenzie Brown: That is a problem.

Joseph Brunsman: When you start looking at the statistics behind that and you go, okay, on the IT side, if we’re trying to patch within two weeks, that’s a pain. There’s a lot that the business owner obviously doesn’t know that happens behind the scenes. Invariably something always gets broken. You gotta de-conflict a bunch of stuff. Well, the bad guys, obviously they’re keeping track of zero days.

And so we’ve seen where these critical vulnerabilities get published and within 15 minutes you got bad guys that are scouring networks trying to find this. And so I would say, Hey, 14 days, that hurts. Get ready for seven days. Get ready for three days. Get ready for same day.

MacKenzie Brown: It’s like my love/hate relationship with bounties and bug bounty researchers is when they start posting it publicly before they’ve done the due diligence with the vendors and really prepared for it. Because once that hits public information, it’s a heyday. And it makes attribution even more difficult from a threat intelligence side. Because you’re going to have every other criminal group, nation-state group, they’re all going to start hitting it as fast as possible. So yeah, seven days is still terrifying to think about.

So insurance is keeping that in mind, even with an exclusion of it, but say that they have that exclusion, but for some reason the victim organization still fails once they actually do the full investigation and then insurance gets the full report. Do they not reimburse? Do they charge them penalties? Do they drop them from the policy? Do they increase their premium? Like what are, I guess, and this is kind of an off the cuff question, but like what are the penalties when you experience a cyber attack and they identify that some of these things were your fault, obviously, and they’re going to what? Make your insurance more expensive?

Joseph Brunsman: So if you don’t have the exclusion, the easy answer is, as I said before, you’re gonna increase your security the hard way, right? So let’s imagine if you look at any breach notification letter at the very bottom, you can see a bunch of ones, a bunch of them that are publicly available. And at the bottom, they all say, effectively, magically we have found more money to increase our security and we’re taking this seriously and the underlying portion of that is regulators and private citizens. Please don’t sue us. Don’t come after us. Right. We’re, we’re trying to be responsible here.

So if you don’t have that exclusion, well, now your premium is going to go up and you’re going to pay more for the controls that you probably should have had to begin with, right? So you either increase those controls the easy way or the hard way. Now, if you have that type of exclusion, obviously it depends on the exact wording of the exclusion.

But generally I’ll say that if they got through a vulnerability, right? That is essentially like connected to that exclusion in a simple sense. Your insurance company can just outright go, all right, we’re done. Right. The forensics came back. There’s no coverage for this claim. Best of luck. And then you’re hosed because—

MacKenzie Brown: I was just going to say, then you could potentially bankrupt yourself with the costs of doing response and recovery and all the after action as well as paying your own lawyers. That’s terrifying.

Joseph Brunsman: Oh, precisely. Right. Because if the insurance company comes back and they said, Hey, we did the forensics, right? We brought in the attorney. The forensics said that they came through this vulnerability. You didn’t patch it in time. Best of luck to you.

Now you could try and litigate that. I mean, good luck. That’s going to take a few years and be super expensive and you’ll probably lose. But you still have all of these legally required costs that you have to pay for to begin with.

So you’re not getting reimbursed for business interruption. You’re not getting credit monitoring and breach notification letters or they just won’t pay the ransom. That’s another exclusion, right? That could come into play if they go, Hey, anything past this point, that’s coverage denied. We’re out.

If you’re sitting on a half million dollar ransom or whatever, I mean, good luck. And suddenly, the marginal cost of email filtering or security awareness training. You’re like, damn, I really should have paid for that.

MacKenzie Brown: Makes a difference. I mean, just doing immutable backups would be a great leap forward.

Okay, so I wanted to, because this is demystifying some of these concepts on each episode, let’s pretend this is an episode of Blue’s Clues and you can put on your dad hat and you can explain to me—wherever your dad hat is, or put on your Nikes and your, you know, like what is the Motorola pocket holder for your cell phone on the outside, of course, the belt holder.

Can you break down for me, organization gets breached, cyber attack. What is the process now with cyber insurance? Their lawyer’s probably the first one they should probably call. They’ve already enacted their insurance policy holder. Who are the players in this game? Kind of break it down for me. Blue’s Clue style.

Joseph Brunsman: Sure. So I put my pen in my pocket. That’s the closest I could get. If I had like pens, I would just like have like a little rack of pens.

So this applies to both MSPs and their clients. If they have a cyber event, like what, what’s kind of the general flow? Well, to sound like an attorney for a second, the answer is it depends on what happens, but kind of the general answer is let’s say you had a business email compromise or a data breach or ransomware event.

Well, the first steps in all of that are going to be, Hey, we need to bring in attorney and forensics because there are so many laws that business owners and CISOs and MSPs don’t even know exist because—and I nerd out on this, and it’s hard for me to keep track of all this stuff.

Like I’m writing a book right now on insurance and cybersecurity law for MSPs. I just finished a chapter and then they changed the law. So I’m like, well, that’s 5000 words and like 15 hours of my life gone. I got to redo the whole thing. So that’s hard, but yeah.

MacKenzie Brown: Okay. Step one, attorneys, forensics. That’s where we start.

Joseph Brunsman: Yeah, so step one is attorney and forensics, right? They want to figure out, Hey, what are your legal obligations? That could also include contractual obligations. So the MSP has got to be careful because their clients may have some contractual obligation of notification that’s completely separate and different from the state laws or the federal laws, right? And they just wouldn’t know.

So that’s another reason why their clients have to carry cyber insurance and MSPs have to be careful about what they’re saying and how far they’re going to help clients. Cause they could really get themselves in a very bad position and potentially denied coverage.

And I have a whole video about that on my YouTube channel, um, called like—You could tell I wasn’t an English major. It’s something like MSP considerations after a client cyber event. So attorney—yeah, really rolls off the tongue. So I need to use AI to get better titles, I think.

But yeah, step one’s attorney and forensics. And then from there, it’s kind of all over the place.

And often what we’re gonna see is really, I see a disconnect. There’s always tension between incident response, forensics, attorney, the client and the MSP, right? Because the client’s kind of sitting in the middle of all this and they’re going, I don’t understand any of this stuff. So they ended up calling me and I’m trying to kind of break it down. And then obviously the MSP being the technical side of the house, right? They’re going, Hey, we got the forensics back. They didn’t look here. They didn’t assess this. They should have done ABC and XYZ and so forth and so on.

And then the forensic side of the house, right. And the insurance company and the attorney. They’re looking for minimum viable product, right? So they’re looking at how do I get in as fast as possible, get out as fast as possible, get the report done, figure out what happened and bounce. And so it’s not uncommon, I’ve dealt with hundreds of cyber events, unfortunately. So it’s not uncommon where the forensics comes back inconclusive.

MacKenzie Brown: Yeah, absolutely.

Joseph Brunsman: And to their credit, this is hard stuff. You know, this is not, we’re not baking cakes, like this is, well, I can’t bake a cake either. I’m terrible at cooking. Maybe not a good—

MacKenzie Brown: But that’s also, that’s a part of that threat landscape that we’re talking about is when we think about adversaries and if you really want to do a good job, you don’t want to get caught and you want to obfuscate a little bit. Sometimes that does mean the evidence doesn’t exist or we can’t determine who patient zero is nor can we guarantee it. We can’t determine if the data was actually exfiltrated and then you get into the nuanced debate of, okay, well, it wasn’t exfiltrated, but it was viewed. So does that mean it was taken or it’s at risk now?

It’s like, well, I don’t know, you should ask your lawyer at that point. But absolutely, there are some gray areas of investigations as well in what those reports look like.

Joseph Brunsman: Yeah. And here’s another reason why MSPs, one should contractually require their clients carrying cyber insurance. I’ve been, I’ve been shouting on that hill for over two, three years now.

MacKenzie Brown: I have been hearing a lot about this. I have been hearing this in these groups where MSPs are like, oh, nope, we do not allow to have a customer or client that does not have cyber insurance in place or some sort of policy.

Joseph Brunsman: Yeah, I was that guy. I was that guy two, whatever, years ago on the MSP subreddit. And I was like, here’s why you have to do it.

But to put it for the MSPs listening, the reason they got to be really careful, I’ll give you an example, right? We just talked about, Hey, did they steal the data? Did they view the data? Is that a breach? Is it not a breach? Well, the answer is it depends. That’s a legal determination.

That is not something that the MSP should be stepping into, which is why they got to say, hey, talk to an attorney, notify your cyber insurer, recommend you do it, however they want to word it, because the definition of a breach for a law firm is different than the definition of a breach for other types of businesses, right? So you could have a law firm, they get hit. And according to their unique professional standards and code of ethics that is a breach and they have to notify clients, but according to the state laws, they don’t have to do it. And that’s something that is such a niche, obscure insurance fact.

MacKenzie Brown: Well, what if they have clients in different states too, at that point? Then do you just notify certain people, but not all people? I mean, I’m not a PR rep, but if I was, I would be like, you should notify everyone, not just pick and choose, but it sounds like they legally could pick and choose.

Joseph Brunsman: Yeah. So sometimes it’s a pick and choose type situation. I will say that generally the breach notification law that applies, it doesn’t matter where the business is typically located. It’s where their clients are residents of.

So for example, I have a firm in Virginia. They had two Massachusetts residents as clients. And I was like, Hey, you have to comply with this obscure law called 201 CMR 17. And there’s 18 different administrative, physical and technical safeguards that you have to evidence and you have to have a written information security plan and like on and on and on. And they were like, okay, Joe, cool.

Never did it. Right. Well, what happens? They get hit. They, they notify the attorney general, the state of Massachusetts finds out about this. And now there’s been this ongoing investigation from the AG of Massachusetts against a business on the East coast for something like two years.

MacKenzie Brown: Geez. Oh my gosh.

Joseph Brunsman: Yeah, that’s, that, that’s what I’m saying. When MSPs, when you have a client get hit, one of the first things, one, never call it a breach, that’s a legal determination, right? It’s always a cyber event.

MacKenzie Brown: I say this all the time. Do not use the B word. It’s a bad word to use. Let the lawyers use the B word. I don’t even like to say incident.

Joseph Brunsman: Yeah, it is never used. Right. Cause it’s illegal to, yeah, it’s, it’s a, it’s an event, an occurrence, right? Um, but that’s just another example of why MSPs have to start going, okay, yes, I want to help my client. I want to help my client recover. I want to be a good business owner. Maybe you’ve been working with those guys for years or golfing buddies. You still have to think about your own liability.

You still have to think that there’s so much that is just outside the scope of being an MSP as far as requirements on the legal side go, you always got to couch that with, all right, do I need to, um, recommend that they reach out to their cyber insurer for attorney and forensics, right? MSP sitting there going, all right, I think it’s a basic business email compromise, you’re like, okay, what do you do?

Lock it down, change the password, change the rules back. Okay, go. But MSPs are not forensics experts, right? Like I often tell people, you know, a neurosurgeon and a dentist are both doctors. You probably don’t want one doing the other guy’s job. And so your client’s just gonna look at you as an MSP and they’re gonna go, all knowing, all seeing computer guy. They have no concept of all the millions of different aspects, right? Of computer networks and systems and the legal requirements, et cetera. So it’s always, as I put in the video, identify, contain, refrain, right? And then you recommend.

MacKenzie Brown: I was going to say, so at some point, they impose more risk to themselves though, too, during this process, right? If they have a client that experiences a security event that maybe leads down the path of requiring cyber insurance, what, at what point do they need to, can they have to, do they have to stop supporting the client as a part of that? Because they are going to get pulled into a deeper level of litigation, regardless of what their primary stakeholder role is in within their overall incident response plan. You know, they could do recovery, but then if they start doing assessments or advice or forensics and that’s not their forte, do they start getting themselves pulled in legally in an uncomfortable, uncomfy way? Is that something that you’ve seen out there?

Joseph Brunsman: So it, as to how far they can go, it depends, sorry to sound like an attorney, depends on what their insurance policy says. But I would say identify, contain, refrain. That’s a good set of heuristics to keep in the back of your mind. And you know, it’s, it’s saying, okay, yes, I’m a good person. I’m a good business owner.

However, there’s limits to what my business can do to help somebody else. And there’s points where other experts need to come in. So MSPs need to put that risk back on the client who made the mistake to begin with, right? To say, Hey, here’s what I saw. Here’s what I did. Moving forward, I encourage you to, you know, talk to your cyber insurer, et cetera.

Then at that point, it’s up to the business owner on the other end to make that call, right? Now, maybe the business owner goes, I think it’s just a business email compromise. I’m not going to spend five grand of my deductible to go through that. That’s on them. That’s on them, right? Maybe it was, you know, just a ransomware event and they restored from backups. And so they’re, they think they’re good.

And the MSP is sitting there going, well, I don’t know if there’s an attack loop that’s involved here. I don’t know if there was a data exfiltration. Here’s what we saw. Here’s what we did.

MacKenzie Brown: Yep, the importance of a real investigation. Absolutely. I can see that too. I can see that from the client side of being like, well, we didn’t pay the ransom and we did a full workaround. We remediated the accounts and the systems and yeah, everything’s fine. Like we’re back up and normal, but you’re right. There’s always this residual risk that is kind of left behind if you don’t do a full investigation after the fact.

Joseph Brunsman: Yeah. And it’s something where the MSP just has to go, okay, this kind of, this has to be standard operating procedure where they go, when it comes to this, here’s the stock reply, right?

Which is like, I had an event where an MSP called me and he was really worried because he goes, Hey man, I got this client. They actually have people working all over the world, right? Remotely. And so trying to do forensics is just a nightmare. And he goes, they had a ransomware event, but you know, we restored from backups. Like, we think everything is fine. What do we do?

And I’m like, kind of going through what we’re talking about here. And I was like, you know, at the end of the day, you got to put that risk back on the client, right? Cause the risk is going to be somewhere. And it’s, Hey, MSP, you don’t want to accept that risk because of business owner, you know, and to be fair, the average business owner—I think MSPs have to educate the clients.

The average business owner doesn’t know that the latest Coveware report said that % of ransomware events also include data exfiltration, right? Average people that are running these businesses are really smart. You know, they think, okay, there’s ransomware events, there’s data breaches. That’s about as far as they go. And they don’t understand there could be overlap in all these legal requirements, et cetera.

MacKenzie Brown: Yeah, no, they definitely don’t. But I mean, I like that you say that too, because I feel like that is the new normal with ransomware, is there’s always going to be data exfiltration at some point, which is the importance of looking at doing a proper response and saying, like, has anything been touched? And I know that kind of preface is going backwards, where we just said we may not even know at that point, once you do an investigation, if data was taken. So this is the fun logic loop that we’re stuck in.

Well, I mean, you’ve given so much great advice already just in this discussion. I feel like I’ve learned too much to be quite honest. So what did you say the statistic was, that % of brokers end up leaving the market anyway, leaving cyber insurance after two years? Is that is that still a normal stat you would say? So okay, I probably won’t go into this career path, it sounds like, but you keep staying in it. You’re what we need in this field.

Joseph Brunsman: I love this stuff. I think it’s, I mean, like I legitimately like teaching people about this stuff that’s just been rattling in my brain for so many years and nobody cared. And I’m like, Hey man, I have all this like cool knowledge in my head. Let me teach you some of this stuff.

And I think that the more that MSPs, they start going, Hey, technology is one thing, but let’s kind of add that extra layer. Not that they’re giving legal advice, right? Or official insurance advice. But saying like, Hey, let’s add a little more consulting into this mix, right? Because OFAC exclusion, . % chance the business owner goes, my insurance guy never told me that. It’s like, well, yeah, because absent special circumstances, the general rule is the insurance guy has no obligation to read, understand, or explain what he’s selling.

And if you think that something percent are leaving within two years, and they don’t have a technical background and they’ve never read the law, it’s like, what do you think is going to happen? Right?

So unfortunately I think, I mean, what, that’s one of the reasons I put everything on video is so that MSPs, if you’re watching this and you watch a video, you can steal that information wholesale, make your own video. I don’t care. As long as the end client gets the idea, right? That they’re going, okay, well, OFAC exists. What does that mean to me? How does my business deal with that? So that if they know the rules of the game, they can play the game and they can decide, I’m gonna bend the rules, I’m gonna break the rules, I’m gonna disregard the rules. I’m willing to take that risk. I’m not willing to take this other risk.

And I feel like that would make MSPs’ lives so much simpler. It’s just educating the clients because the clients really, they have no idea. And why would they?

MacKenzie Brown: So if you were to leave one piece of advice then, and not just for MSPs, right? Also, like, let’s just consider business owners of SMB space or MSPs or larger organizations, those that are actively pursuing a cyber insurance application are in the middle of it or have been approved and they’re just kind of like waiting for the infamous day of, to test out their policy and plan. What would that piece of advice be for them to consider? Whether right of boom has happened or it hasn’t quite happened or they’re debating having insurance in the first place. I know that’s a loaded last ask of you.

Joseph Brunsman: Here’s what I tell all of my clients, right? A successful year, I talk to you once and I take your money. And then we never talk until the same time next year. Now, why is that? Because if you’re talking to me twice in a year, it’s probably not because your kid got into Harvard, right? It’s probably because you’re having a really bad day.

So for all those people out there, I would say, do everything you reasonably can to increase your controls.

So, you know, if I was a normal business owner, I would say, okay. And pretending I have no technology background, I would go, all right. I don’t remotely understand what any of this is. I don’t know what a switch is. I don’t know what a firewall does. I don’t know what email filtering really means. Like, what is it filtering? I don’t really understand what, you know, FA for email access means is it every time I send an email, I get a poke it, whatever.

I would say, go to your MSP and just say, Hey, what’s the biggest bang for the buck? That’s a great start. And if I was an MSP, I would say, all right, well, depending upon how their business is set up and if it’s all you can eat or if it’s tiers, or whatever, I would say for ethical purposes, as well as liability purposes, I would go to the clients and I would say, Hey, here’s the biggest bang for the buck, right? Looking at all the background threats and all this stuff. And here’s in plain English, what it means.

If I had one wish, it would be that MSPs would draw pictures. That would be my one wish.

MacKenzie Brown: That’s what I need to do. We all just need picture books on this at this point. But by the time, like you said though, by the time you make the picture book and you really give the MSP breakdown, the laws are going to change anyway. So we have something to look forward to.

Joseph Brunsman: Well, like, I mean, we’re all familiar with the security onion, right? The whole like defen—right? So I’m like, Hey, MSPs go to the client. And say, Hey, I’m going to ask you a bunch of potentially stupid questions because you’re an expert in this field and I’m not. And in return, feel free to ask me what you think are stupid questions. Cause I’m an expert in my field and I just want to help you.

So something as simple as drawing the security onion or drawing a picture for people, right? It’s information comes in, here’s the information, information goes out. How do we protect that? I think that would actually go really far.

MacKenzie Brown: Make a risk decision. Yeah, absolutely.

Joseph Brunsman: So now you could say in this onion, here’s where a firewall applies and here’s generally what it does, right? Or here’s what email filtering is and why you need it. Or here’s where security awareness training falls in on the end of that. And then the very last layer, arguably not in the security onion—it’s the, I don’t know what you’d call it—the tiers of the security onion—really would be cyber insurance, right? So cyber insurance is when all else has failed, then insurance comes into play. Because increasingly it’s not, hey, we didn’t want to spend money for this thing, so we just have insurance. The insurance industry is trying to get away from that. So the sooner you get defense in depth and get those controls in place, the better life’s going to be.

MacKenzie Brown: Okay. Great advice. Well Joseph, thank you so much for joining me. This has been enlightening. I may have some ulcers and a little bit of stress about this, just learning about this topic. I was trying to demystify it and I think you did a fantastic job, but I also hope that it woke some people up a little bit, right? It’s taking a little bit different of an angle that’s not Googled necessarily.

But do you have any resources too you want to leave with our viewers so that they can not just probably bother you on LinkedIn, but where they can actually learn a little bit more about everything you’re teaching right now?

Joseph Brunsman: Oh, sure. So if you just YouTube my name, I’ve got all the better part of a hundred videos on there, probably 75 or so, just for MSPs, some of which I referenced today. My latest one is, Hey, how do you figure out how much insurance you need as an MSP, right? Like what are those factors that play into it? So yeah, just YouTube my name.

If you go to my website, https://www.thebrunsgroup.com/book you can download my, I guess the one I have right now, I’m writing, isn’t published. So my latest book called Damage Control, that’s cyber insurance and cyber security law, best selling book in the country on that topic.

You can find me on LinkedIn if you want to bug me. I love this stuff way too much. So I’m always happy to answer questions. You can find me on the MSP subreddit as joe_cyber, probably the worst username ever, but I wasn’t thinking ahead on that one.

MacKenzie Brown: I mean, you still got it though. I’m sure another Joe out there is looking for that user name or handle and you just took it.

Joseph Brunsman: Funny enough, there is another insurance guy in Ohio whose name is Joseph Brunsman. And I’m like, that dude’s riding the coattails, man.

MacKenzie Brown: No way. Well, maybe for episode two or our next episode together, we’ll bring him on and then I’ll just have popcorn and I’ll watch you guys debate because I think that would be hilarious because maybe it’s your arch nemesis. Maybe he believes the exact opposite of everything you’re preaching right now.

Joseph Brunsman: He’s like, security, it’s like pockets. It’s a fad.

MacKenzie Brown: It’s not real. He’s like, definitely pay the ransom. Just don’t put it down on paper. You paid the ransom and no one’s going to know. Just hire someone to do it.

Joseph Brunsman: Cyber insurance doesn’t work. Man, you know how many times I’ve gotten in arguments with FBI guys? This happens every time. Every time they’re like, never pay the ransom. I’m like, dude, your boss prints money. Like, what are you smoking? You get paid on the st and the th. No, like World War Four breaks out, you’re getting yours. But for the rest of us that live in the real world, yeah, like we live in the real world. And I mean, I have a whole video called why you will happily pay the ransom, which I wish MSPs would show their clients to increase their controls. But it’s like, yeah.

MacKenzie Brown: Oh, I mean, without going down, I digress, going down the whole Colonial Pipeline and paying the ransom, I mean, but there is a rhyme to a reason, typically when it comes down to that. That’s, oh, wait till we have an episode all about ransomware, it’s gonna get probably a lot dirtier anyways in conversation. The reality of ransomware.

Joseph Brunsman: Well, you know how we were talking about the death spiral, right? One of the things that people never, cause everybody lambasted Colonial for paying the ransom, right? But one thing they never took into account was the average wrongful death lawsuit is something like $600, $650,000. Now imagine the entire eastern seaboard where every grandma died because she couldn’t go to dialysis because her grandson didn’t have gas in his car. I mean, oh my God.

So there’s a lot to this. And business owners got to start thinking, they got to start going, all right, what do we think is going to happen? And if they’re buying cyber insurance, they have to go, all right, what scenarios are we worried about?

That’s generally, that’s what I do with my clients. Let’s start talking through what are you actually worried about? What are those scenarios? Cause your CISO has his own, Oh my God, I’m getting fired scenario, the CEO’s is different. The CFO’s is different. HR is different. Legal is different. So everybody has these competing interests.

So if people just sat in a room and they went, all right, what, what are you guys worried about? I can translate insurance policy to those concerns. And say, all right, that’s 75% covered. It’s 50% covered. This part’s not covered at all. So you got to increase your controls, right? Talk to your MSP, but that would make life a million times, million times simpler. Yeah.

MacKenzie Brown: That would be a lot easier. Well, everyone, feel free to definitely go reach out to Joseph on LinkedIn and inundate his inbox with as many questions as possible. I’m sure you have some more after this. But also his YouTube, Damage Control book, I’m going to. Go get it if you haven’t gotten it already. I’m sure it’s going to be a really great read for myself. Maybe that’s one I should open with a nice bottle of bourbon.

But thank you so much, Joseph, for joining me today. And yeah, let’s look for this other Joseph guy, because I think that we need to see if this is your arch nemesis in some way in the cyber insurance world.

Joseph Brunsman: Man, he’s living on easy mode. He’s like, I don’t know, all of a sudden these people started calling me about cyber insurance. Yeah, like what is this? Yeah.

MacKenzie Brown: Nice. I’ve got so many followers. How did I know? That’s fantastic. Well, thank you so much for joining me. And yeah, we’ll catch everyone on the next episode of Return of the Mac.

Joseph Brunsman: Pleasure. Thanks, Mac.
