#22 Why your digital program needs cyber insurance


Guest:

Courtney Hensley

As a consultant, Courtney helps Senior Executives, Human Resources and Risk Management professionals achieve an efficient risk management program across a broad spectrum of product lines providing insurance brokerage and risk management consulting.

With more than 19 years of experience, she has an understanding of her clients’ needs and pressures. Courtney is able to effortlessly integrate her industry knowledge, expertise and strategic planning to ensure her clients achieve their goals.


Last year, ransomware victims collectively paid out more than US$1.3 billion to attackers. The evolving digital security threat landscape signals the need for a more holistic plan, which, for many organizations, should include cyber insurance. In this episode, Courtney Hensley talks with Kristina Podnar about insurance as an additional layer of protection against a myriad of malicious activities that enterprises face and breaks down the real costs to an organization of a security event. Courtney also breaks down the unseen risks that enterprises face amidst COVID and remote working, and how to ensure that your business is not unexpectedly interrupted.

Keywords:
cyber insurance, cyber security, digital security, data breach, ransomware, cyber protection, enterprise security, VPN, exploit, breach, malware, trojan horse, DDOS, phishing, disaster recovery, redundancy, backup, crime coverage
Episode number:
22
Duration:
40:20
Date Published:
July 23, 2020

KRISTINA PODNAR, HOST: Hi everyone! I’m excited to have Courtney Hensley as our guest today. Courtney helps Senior Executives, Human Resources and Risk Management professionals achieve an efficient risk management program across a broad spectrum of product lines providing insurance brokerage and risk management consulting. She has more than 19 years of experience in the risk industry, but more importantly Courtney understands the digital and security landscape, and is able to use her expertise and strategic planning to help organizations balance out the opportunities and risk that come with digital. All right, Courtney. Thanks for being with me today. I really appreciate it. That's been a long time coming.

COURTNEY HENSLEY, GUEST: Thank you so much for having me.

KRISTINA: I appreciate you making the time because, honestly, I can't think of a better person to be speaking with us right now. I was just looking at some numbers last night in anticipation of speaking with you, and I guess I kind of conceptually understood this, but the cybersecurity market size is really growing. It's supposed to be surpassing some 259 billion dollars by 2025 up from like a hundred and four billion and 2718.

COURTNEY: Yes. It is. Definitely not, it's not leaving. It is evolving. It is something that you cannot ignore any longer. I think the losses are going to be somewhere around six trillion dollars.

KRISTINA: Wow.

COURTNEY: So that's a number that is able to catch most people's attention. So yeah. Yeah. It's definitely here to stay.

KRISTINA: What I mean, you know, just kind of thinking at those numbers, those are not sort of your average everyday business numbers that we're talking about. What are the biggest drivers that you see for the numbers, either from a loss or from an opportunity perspective?

COURTNEY: You know, the thing that people don't consider is the business interruption component of cyber. So many people think about reconstructing your data; they talk about paying the ransom, for instance, and they think that's where the cost is, and ultimately the cost is in how many days your business doesn't have access to their data. So I tend to ask the question: if you make a million dollars a day and you're down for ten days, that's 10 million dollars. What is that going to do to your bottom line? Who are you going to have to talk to? Is that the board of directors? Is it the CFO? If you're the CFO, do you have shareholders? You know, how do we quantify this loss? And they're tangible numbers. And so a lot of times I think people underestimate the cost of doing business and the cost of extra expense when they think about cyber, and that's where a lot of these loss numbers are coming from. The large percentage of it is not the ransom. It's the business interruption.

KRISTINA: What types of businesses need to be considering insurance? I mean, should they should everybody consider insurance these days?

COURTNEY: Oh, yes. I tell people, unless you are a cash-only business and you have no internet presence, you do not sell anything on any form of media, then you're in the pool of people that need insurance, though. We always do. Yeah. I always joke: if you're a hot dog stand, you might not need cyber insurance, but everyone else should consider cyber insurance. It is obviously, like I said, six trillion dollars in losses. It's not going anywhere. So every company, regardless of size, needs to consider what they are doing to become cyber resilient, and a lot of companies think, we're not Target. We're not Yahoo, you know, we're not the big, big company. And so, therefore, we're not a target. Nobody knows that we exist. Why would they pick on us? Well, the problem is a lot of all businesses are the ones that are being tested, if you will. There's a playground for all of the hackers, and they're coming to you to test out their theories before they go to a Target, a Yahoo, someone like that. So every company needs to have some sort of backstop and some sort of balance sheet protection so that they can prevent going out of business from a cyber loss.

KRISTINA: It's a right now we're reading in the headlines a lot that the COVID related you do with rights are kind of on the rise, thinking about that, how does a business actually figure out a what type of insurance do I need? And then also how much insurance do I need? Like what is the process they're like?

COURTNEY: Oh, those are great questions. So in this time of COVID, most people are sending their employees to work from home, and that creates obviously great flexibility for their employees. It's an increase in safety for their employees. However, we also need to consider that the hackers are using this time period as a free game for those companies that do not have the correct policies and procedures in place and the correct approach to cyber protection of their data. So for instance, if you send all of your employees to work from home, they're using individual internet service providers, and they may or may not have a firewall on their own internet, and they're now accessing your data through potentially an unsecured system. And so that creates problems. Second of all, they're using their wireless devices more often; they're not on their work phone anymore. They're answering emails in different places than they normally would have, and so they're trying to be accessible, right, and yet they're creating more risk for you as an organization. The other problem comes in that people are not considering how the forensic investigation would work. So if you have a loss and someone has been duped, socially engineered if you will, that person might be working out of their home. The forensic investigator has to go to that person's home to start the process of investigation. It is no longer, "I'm coming to your home-based office where everybody works together." They're having to increase the cost to do extra investigation in people's homes or wherever workplace is that they're using at this point. So those are the types of things where the COVID situation makes it a little bit more complex.
And I will also add this is a good time to mention that your cyber coverage and your crime coverage usually are not there placed separately, but they are usually not viewed by insured or a company if you will as being related, but when it comes to a cyber loss that is a social engineering loss those two pieces are very, very important and the crime policy has what we call an insured premises definition. And so they defined very clearly in your insurance policy for crime what an insured premises definition is, and an employee's home may not be listed. It may not be included in your scope of that definition. So we need to look at that very carefully, and it's in every policy is a different situation. So those are some of the things just a couple of the main points that I'm seeing as becoming an issue when it comes to claims.

KRISTINA: Oh, I love that tip, especially because I've actually been asking my clients whether or not they understand, first of all, do they even have a cyber insurance policy, but I've been asking them, you know, are they really covered for employees working from home and not just for employees working from home? But we have a situation, for example, where a colleague of mine is stuck in India right now has been in India since the end of February and can't get back to the US because of the flight situation. There are no direct flights. It's hard to get out of the country Etc. And so that individual is working remotely, and the company has no control of course and no visibility into the Wi-Fi into any of the security aspects of the ISPs. And I kind of said hey, you know, are you actually covered, and they just sort of shrug with their shoulders. So do you have a sense for how many people are sort of exposing themselves to risk out there that aren't aware of the fact that this actually is a risk and they won't be covered?

COURTNEY: Sure, I think the risk actually occurs anywhere. So being in India obviously is a unique situation, and most companies probably do not consider India as being their worker's compensation location, a cyber location, a crime location. So there's a lot of depth that comes to that particular scenario. The one thing I will mention is when it comes to GDPR or CCPA or the SHIELD Act, a lot of times you can violate some of those issues and create fines and penalties in your cyber policy, and you don't have, a lot of companies don't have separate sub-limits or a separate limit for those. And a lot of times because you're in a different country, you might be sharing information that, if you had been in your home office, might not have been an issue, but now you're creating issues in some of these areas, and so that can create a little bit of a problem as well. So I think that's a great question. And again, I hate to use the "it depends" answer, but in insurance, all your policies are considered legal contracts. So it's going to have to come down to your individual policy and how it is worded. But that is definitely a question that should be asked of the risk manager, the CFO, legal counsel. Whoever handles the insurance function in the organization, they need to be looking into those definitions.

KRISTINA: And I would hope that each one of those individuals was looking into their policies and hopefully giving you a ring right as we saw the pandemic take place. But if folks haven't done that yet, is this still a good time to be looking at their policies and reviewing sort of what their coverages or is it too late now?

COURTNEY: It's never too late. I think if the claim has already occurred, then obviously that particular claim will be outside of the scope, but you can always amend a policy midterm and amend a definition for insured premises, for example. Or you can always add coverages to a policy midterm. So it's definitely not too late to give your insurance broker a call and have those conversations. I think the key is, when you contact your broker, get a clear answer. I have had a couple of situations where some of my, I like to call them future clients, have contacted their brokers, and they send them an endorsement and say, take a look at it, let me know if you have any questions. If I was the client, I would want to know, does my policy truly cover this, yes or no? And I think there are some conversations that can be had with the underwriters and with the claims team to try to best determine what that might look like. So no, it's never too late, and I think always you should be reviewing your coverages because things change, and especially right now in COVID. I was on a call earlier today. We joke it is changing by the hour, but it does kind of feel that way, and so everything that you can come up with can be asked, and midterm can make changes, and at least for future claims, there will be an opportunity to prevent unexpected losses.

KRISTINA: That's great. And you know, as we're talking about COVID, there was a lot of, I think, considerations as people went to work remotely. We're in this kind of weird phase where some folks are going back into their physical offices. Some folks are continuing to stay in and work from home, but are there considerations that businesses need to give for folks coming back into their physical building, kind of transitioning from working remotely to being back in the physical office space from a cyber insurance perspective?

COURTNEY: I think regardless of where they work, it's very good to keep your employees educated on, you know, how phishing emails are coming in to them, being aware of how money is paid out. So for instance, if you have employees that are regularly making payments for you know large signature do usually companies have a two signature rule for a certain amount of money. Those employees need to constantly be educated and tracked in terms of cyber phishing attempts. There also should be really strong policies and procedures in place, which I know is kind of in your wheelhouse, in terms of here's what we do, here's what we don't do. Considerations in terms of, you know, making sure all of your employees know that they will never be asked to purchase gift cards or to pay invoices when they didn't usually have that request, that this is now during COVID-19 time that that's going to happen. So it seems kind of silly. It may seem a little trite to say that, but a lot of times, people are trying to be agreeable. They're concerned. COVID creates an opportunity where people are happy to have their jobs, and they want to prove that they're helpful, and the hackers are depending on the fact that you're going to go above and beyond. And so I think, you know, helping to just continue to train your employees. And I tell people your employees are your biggest asset. They're also 95% of the likelihood of a first-party loss. So I think just kind of keeping them up to date on how to best limit their social media access when they're acting, don't access Facebook or something of that nature from your personal laptop, whether you're in the building or in your home, or, you know, don't access public Wi-Fi from McDonald's or from Chick-fil-A, you know, try to use something that is like your cell phone data, use your own personal Hot Spot, something that you know where the firewalls are.
So I think some of those are just things that are common regardless of whether you're working from home or working inside the building: just being very aware and asking questions. Don't be afraid to pick up the phone and call someone if something looks fishy, if it doesn't look right. Just common protections, I think, at this point, are key.

KRISTINA: And that's one of the areas that I see a lot of organizations struggling. They think that once a year training, mandated training that requires you to do those videos and the click click click next to take a quiz training is going to do the job, you know, are there other tricks that you've seen that are better than sort of that mandatory once a year training that gets people a more engaged understanding of cyber threats and really paying more attention to them?

COURTNEY: I think for me, I like to show people scenarios of things that can happen. I like to give them ideas of real-life issues that come up and how other people have fallen prey to it. And so for instance, if you get an invoice from a contractor who is building a building for your company and they say, we need additional funds, we're ahead of schedule on the project, and you pick up the phone and call the person who is your account manager, if you will, at that construction company and say, hey, you know, how's it coming? I got the invoice for the additional funds. Can you just give me an update on where we are? Typically that will prevent a loss. I've had clients who emailed back, and they ended up having a loss because at that point the hacker is in your system. So I like to use examples like that to say, look, here's what we would want you to do, best practices: pick up the phone, or again limit your social media access, or they'll use public Wi-Fi. I love the idea of training your employees. I think annually is not enough. I think that semi-annually is still probably not enough. The other thing I will say is just updating your IDs and passwords, you know, using a really robust password or passphrase is helpful, update them on a regular basis. Um, I think those are our key pieces to the puzzle that are low-hanging fruit. Those are things that you, as an employer, can do that don't cost a lot of money and will keep you safe and help prevent some of the smaller, quicker ways that a hacker can get into your system. So I definitely don't discourage the employee training, but I do think that having a policy and procedure in place and everyone actually following through is going to be critical.

KRISTINA: Great. Well, let's talk about the c-suite and the board of directors. A lot of these leaders are smart businesspeople, but they don't seem to know much about digital nor security, which is fine. That's not their job to know that part. But how have you approached that conversation with these folks? I mean a lot of times I think, you know security starts at the top. How do you engage them and get them to pay attention to things like security and invest in training or bring somebody in and talking about the kind of risks that there might be facing the organization?

COURTNEY: That's a great question. So yes, I agree. The c-suite is usually very on top of their financials. They understand the basic operations of their company. They know who to call; they know all of the high-level information. I think the catch is, most of the time when I go in and have a conversation, my favorite question to ask is, what is your cybersecurity strategy? And I'll admit a lot of the answers I get back are concerning. Typically, they will tell me that they do a penetration test once a year, that they have firewalls, that they use all the bells and whistles and tricks and Microsoft Office 365. Those are not a strategy. Those are really great blocking and tackling things that you can do. The CFOs, the CEOs have a fiduciary responsibility to manage their company to the best of their abilities, and what we see in the insurance realm is the directors and officers liability policy is being triggered when they don't handle cyber the way that the stockholders or their customers view them to do it successfully. If they don't, then that becomes a problem and they're liable, so I try to either educate or offer to sit with their board and educate their board on their responsibilities to manage that risk. I also will try to ask them, if we leak information, right, if the information is on the front page of the news, what is your first step? Who do you call? And if you don't know who you would call, then let's sit down and put together a strategy, because there are so many parts and pieces to that. You don't want to wait until you're in the middle of a cyber incident because time is money. You want to have all of those relationships already vetted and know who to call and how it works. So, for instance, you can have on speed dial a data breach coach. You can have an attorney that understands cyber; don't pick just any attorney. And if you can get all of these types of vendors in line, then when you have a security incident, you pick up the phone, you know who to call.
You know, they know your system they've already talked to you, they know what you're you know, if you use Microsoft 365 they know what your insurance carrier is. They've already been approved hopefully, by your insurance carrier as an approved vendor. There are so many things you can do with no cost on the front end so that you actually can have a strategy and be prepared. And I think a lot of times when I talk to CFOs they find that is the next step the next logical piece to the puzzle. They're very excited about doing it. A lot of times, they just don't know what that first step should look like and so that's what I try to do is just help them create a roadmap of what to do where to start so that when that loss happens, we're not trying at that point to negotiate. We're ready to actually hit the ground running and stop the attack and save as much data as possible instead.

KRISTINA: Does that roadmap look the same for large and small businesses? Because I'm thinking back to some of the small businesses that I work with. And first of all, you know, everybody at the company is wearing 13 hats, and they really have to think about every dollar invested, whether or not they're going to invest it into security or are they going to invest it into the payroll, and so I'm wondering, how does that roadmap differ for small businesses? Does it differ, or should they also have people on speed dial?

COURTNEY: It should be a similar situation for any size company. Now obviously, to your point, you might on a smaller company have a CFO that also wears the hat of two or three of the people that may be in a large organization. There's an actual person assigned to each of those roles. So when you go to put together this roadmap, and you put together your incident response team, it might be that you only have a CFO, CIO and the CEO, and then for a larger company, that might be a 10-person team and it might include HR and legal and compliance and, you know, a couple of other people along legal and those realms. So I don't know that the plan should be different. I think that the number of people potentially might get a little bit more complex, but you can also call a data breach coach, you can talk to your insurance carriers, have a lot of people already on speed dial for zero dollars whether you're a small company or a large company, and I think that's where the key comes in as a small company. You don't have to spend a lot of money to be prepared. I think they hear six trillion dollars in losses and they panic, and instead, let's put our efforts towards cyber resilience and let's make sure we have a plan so that we know we're going to get hacked. Two out of three companies are going to get hacked in the next three years. So if we know likely chances are we're going to get hacked, let's be prepared.

KRISTINA: That makes sense. And you know, when we think about sort of preparing, you know, some companies do outsourced cybersecurity, and I'm thinking about the fact that, you know, some small businesses might say, you know what, I just want to pay x amount of money and make this a non-issue. You know, what is your advice to them? Should they outsource cybersecurity risks and kind of think about insurance in that context and just hand over a check? Should they do it in-house? Like, what's the pragmatic approach here?

COURTNEY: So I will warn companies that you can outsource cyber to some extent; you cannot outsource all of your liability. So from an insurance policy perspective, you can sign managed security service provider agreements, an MSSP. You can hire someone to handle those functions for your company. But at the end of the day, those pieces of information, those pieces of data that you have collected as an organization, your HR records, your employee data, whether they signed up for benefits and provided their health information, their payroll, your client data, you've collected that information. So you're still responsible for that information. And so you can say to your MSSP, we expect you to manage our cyber for us; that still does not alleviate you from having an insurance policy. I think at the end of the day, you still need to have a balance sheet protection for you, because what happens when an MSSP does something incorrectly and breaches your system, and then they don't have enough insurance? You want to make sure you're protecting you and your balance sheet; that's your responsibility. And then whether or not you can subrogate, whether or not you can go back to the MSSP and fight in court and create defense costs for that, that's a different story. But I think a lot of companies are assuming that they have transferred all of their risk to an MSSP and that we can wipe our hands clean and we can move on to other initiatives, and that's not true. And the other thing I will mention that I find to be the case with lots and lots of people in senior leadership: IT people are not created equally. And so for instance, if you have a CIO and you have a chief information security officer, or a CISO or CSO, so depending on how you pronounce it, those are two different people, two different skill sets. So I've run into several companies where they say, oh, we have an IT guy for that, and then the IT guy says, I am not a security person. I can help you with your VPN.
I can help you with your sign-ons. I can add applications. So I think a lot of times companies outsource to a managed service provider and think that they're getting cybersecurity as part of that. So you really have to look at the contracts. You really have to look at the scope of services. Either way, MSP or MSSP, you still cannot outsource 100% of your risk.

KRISTINA: And I imagine that that becomes even more complex when you have different geographical regions that you're operating in. I'm thinking specifically maybe a US-based company that has clientele in the EU, or perhaps, you know, you're dealing with, like you said earlier, CCPA or, you know, POPIA now in South Africa. You know, it can become complex very quickly. How do you find people dealing with that best? I mean, is there sort of the magical formula, or is it just being smart, being very honest, inventorying what your risks are, and really addressing that?

COURTNEY: I think having some educated idea internally of what types of records you hold, what amounts of records that you hold, and who has access to that information is going to take you a lot further down the road in terms of getting the right coverage constructed for your company. I will tell you, I don't think any company can truly tell you within a specific amount, you know, to a rounding error, what their amount of risk is. Okay, so for instance, I'm not going to be able to walk into a healthcare company today, and they're not going to say we have 13252 records; that's not going to happen, and a lot of times they don't really understand what they have. So it's more of a ballpark we need to know in theory. Is it 250,000 or less? Is it 250,000 to 500,000? That gives us a better idea of what we're looking for. A lot of underwriters still at the end of the day base a cyber policy off of your revenue. And so keep that in mind. Now again, they're going to ask you a lot of questions about what types of policies and procedures you have. Do you have firewalls? Do you monitor your mobile devices? Do they have firewalls? All of those questions are absolutely important in terms of getting the best cost premium, if you will, for your insurance policy. They're I'm going to write a large limit on a company that does not protect themselves. But you also have to be able to give them some idea of what your records are and then again, like I mentioned, who has access to them. So if you're not segmenting your data, if I can come in, sign into my computer as an account executive and have access to everyone's payroll, everyone's HR benefits, that's a problem, because that means the hacker can hack me and get everything in your company. You know, I think if you look at it from that perspective, there are lots of things that we can do to help companies to identify how and what types of coverages and what limits are available to them that make sense.
And then at the end of the day, it comes down to risk. How much can you afford, how much you are willing to bet on your security and systems and controls, and maybe we grow, maybe it's a phased approach. And so if you're a small business it might be that you buy a million-dollar limit this year, and then maybe in two years we up it to two million, and then in a couple of years we up it to five million. It might be that we start working on increasing supplements here and there. Those are lots of conversations that can be had. It is not a one size fits all, and so you really have to find somebody that can help you grow in your policies and procedures, help you grow in your risk appetite as you get a little bit more mature as a company and you start to get a better handle on what you have.

KRISTINA: Courtney, we've talked a lot about risk one of the questions that I have for you, and I've been dying to ask you this. I'm happy that we're finally talking. You know, what are the risks I always think to any organization that has a cyber event, whether it's ransomware or there's a cyber breach whatever it is. There's always the reputational damage, and how do you put a number on that reputational damage? Does insurance help you with the reputational or their brand risk aspect?

COURTNEY: It does. If you have a policy crafted the way that I would say is correctly crafted, then yes, you should have what they call reputational loss coverage. Some carriers actually also provide reputational avoidance coverage. So they will help to mitigate some of those to where, if you have something happen internally, this kind of a near-miss, they can help you with some of those issues as well. But reputational loss is a huge piece to this puzzle. If you look at Target or Yahoo, someone like that, and it hits the news, your stock price is affected. The public's ability or willingness to work with you is affected. A lot of times, it depends on how long you're down. So, for instance, if you're a manufacturing company and you're down for ten business days, and your suppliers can't get from you what they need to keep going, they're not going to get mad at their wallet. They're going to fire your contract, and they're going to hire someone else, and then maybe, maybe not, they will come back to you. So I think a lot of times you have to look at reputationally what can you do to protect and to keep your clients? What can you afford, right? So a lot of times, policies I'll run across don't include reputational loss or reputational harm. There's also a built-in component some carriers sublimit. So you might have a million-dollar policy limit, but your limit for legal, forensic, and public relations might only be $2,500. Others will give you the full policy limit of a million. That's a huge difference, because if you've ever hired someone in PR or hired a legal person, $2,500 goes very quickly. So I think, and especially during a breach when things are going very quickly, you've got lots of people involved, lots of phone calls.
You want to have everybody at your disposal, and you don't want to be worried about not having enough coverage, but yes, the short answer is yes a good cyber policy should have reputational harm coverage included, and they will give you prepped coaching along the way, carriers are very good at wanting to help, they don't want to pay out any more of a breach than you do.

KRISTINA: Wow. So does that also kick in, and this is just a personal question because I always wonder about this. I talk a lot with clients with regards to GDPR and the need to meet the 72-hour notification to authorities and individuals if sensitive data is breached, you know, but I always say you have to sort of be smart, right, because you don't want to sound an alarm if there wasn't a breach, and yet you want to make sure that you're compliant if there is a breach. Have you seen clients who haven't really had a breach, but they thought they might have, and so they sounded the alarm too early? And if they've done that, does insurance help in that instance?

COURTNEY: So yes, I've seen carrier clients have issues where they thought they might have been breached, and then it turns out to be either not a breach or not as bad or as extensive of a breach as what they originally thought. That's where your forensics comes in, and your insurance policy should have limits included for forensic accounting, forensic investigation. So when you contact your carrier at the very beginning and say we've had this loss, they're going to immediately jump in and start trying to figure out what has been accessed. They can tell on the backside from an IT perspective which files have been accessed and downloaded. They can help you determine, and then going forward, they will help you in terms of GDPR reporting or any types of fines and penalties. They're going to be very heavily involved in that because this is what they do. And then, I mentioned earlier, you know, you also want to have a data breach coach and an attorney. Those carriers are going to assign a data breach coach and an attorney if you tell them who you want separately. So, for instance, if you say I would prefer to use this vendor, they're going to help you and pull them in at the very beginning. That attorney and that data breach coach is also going to help coach you along on when it is time to report to GDPR. So hopefully, if all things work correctly, you shouldn't report without it being an actual event. They should be able to help you through that process. So that's why I always say make sure you've got the right team in place, all your vendor team, so that when this happens, you've got all the right people at the table that understand.
I've had problems with clients in the past where they opted to hire an attorney that maybe didn't understand all of the issues in cyber, and then the attorney reported something, the client incurred a million dollars in fees and penalties because of the way that it was handled, and then the attorney says, "Oh, well, I wasn't a cyber expert anyway, but I was just trying to help." So that can cause problems. So I think a lot of it is no on the front end spend your time while there's not a breach doing your due diligence, learn who, what, when, so that when that occurs you're ready to go and you trust who you've got on your team. And then at that point, those issues should be relatively non-existent.

KRISTINA: That makes sense. I'm so excited. I'm actually jazzed up that we're talking about this because I'm learning so much from you today. And you know, one of the things that I think is very obvious to me, and I also hope to all my listeners, is there are so many details to be learned here. And so I'm wondering, for a lot of people, especially if they're an SMB, it might be a little bit overwhelming, but what are some of the things that people should be doing right now? I mean, you've talked about reaching out to a broker. What else can be done proactively by an organization to not just prevent cyber issues, but also make sure that the business is sound and protected from an insurance perspective? Like, what are the three things everybody should go out there and do today?

COURTNEY: If I had to pick three things, first of all, don't create a policy or procedure that you're not going to use. So if you have a policy and procedure, it needs to be something that is actionable, that is reasonable, and that is not sitting on legal's bookshelf and that somebody thinks might exist, but we aren't really sure. Know what you have, and let's all train towards using that information correctly. Second of all, don't assume when it comes to insurance. Don't assume that your broker has educated you on all of the coverages that are available to you. Don't assume because you have a property policy or a cyber policy or a crime policy that it covers all of the things. If you go to a conference, if you listen to this podcast, don't assume that because you have a cyber policy that it includes forensics or that includes reputational harm. You need to look, and if you, obviously, if you're not an insurance person, that's where your broker comes in. We can help dissect that out, point you to where it covers, where it's not covered, talk to you about the cost. And then lastly, I would say just have the conversations internally. Be transparent, be open to understanding that maybe the things that you've always done are not the things that we should be doing going forward. Maybe there's room for improvement. Maybe it's an IT vendor or education training or, you know, having is it response team that you didn't think you needed and today maybe we decide we do. So I think some of that is just willing to be evolving, to pivot if you will, and look for the best ways to protect their company going forward, because at the end of the day, if you're not in business, we're going to miss you. In the economy, we need what you're offering. So, let's do it and let's do it really well.

KRISTINA: Courtney, you have just made my day. You are a tremendous wealth of information, and I'm so grateful that you've agreed to so generously and freely share it with us. Thank you so much.

COURTNEY: Yeah. Thank you so much for having me. I just really enjoy your contributions in terms of policies and procedures and your excitement for insurance. I know insurance can be a topic that people dread to talk about, but we honestly are trying to help and want to help keep your business to the best of its abilities. And so, I just really enjoyed our conversation, and thank you so much again for having me.

KRISTINA: Well, thanks, Courtney. I think as a policy person, I can say that you and I are originally I think connected around the concept of policy and insurance and what everybody should know. We're definitely reading from the same book chapter, and I'm really delighted. Thanks for spending time today.
