About the Episode
Joseph Hines from Gallagher Insurance in Canada reveals why cyber insurance is critical for every Canadian business in 2025 and beyond.
Joining host Mike Reeves, Joe walks through the big shifts we've seen in cyber insurance over the past five years. From nice-to-have to must-have, it isn't just about building cybersecurity resilience anymore–it's become a requirement for working with partners and customers across industries. They also discuss how companies can navigate the process of getting insurance and the importance of having a strong cybersecurity foundation for speeding the process and lowering premiums.
Transcript
Joseph Hines: [00:00:00] From a cyber perspective, it's certainly been an interesting, I would say, probably last five years in terms of how the threat landscape has evolved. And from an insurance perspective, the way that we're looking at it is really transferring the risk from a cyber exposure to an insurance policy.
We've seen clients that, are on paper probably not the best risks, have events that were of significant severity and we've seen clients that have done everything and maybe it's something unrelated to their specific network--maybe it's a third party, maybe it's a supply chain event where it came through a technology provider of theirs or something of that nature--that have had events just as severe as those worst in class risks.
I can tell you that these events, they don't often happen during business hours. It's a weekend or a holiday, so it does [00:01:00] make it very challenging if you don't have a plan from a disaster recovery point of view in place and developed and have all the stakeholders at the table.
It doesn't need to be an overwhelming process. It needs to be a process of continuous improvement.
Mike Reeves: This is Solving For Change, the podcast where you'll hear stories from business leaders and technology industry experts about how they executed bold business transformation in response to shifts in the market or advances in technology.
In every episode, we'll explore real-world strategies and technologies that you'll successful evolution. I'm your host this month, Mike Reeves.
I'd like to welcome Joe Hines to Solving for Change. Joe works for Gallagher and I'll let him introduce himself. But just a quick intro, Joe is a longtime friend of the company and of mine.
Long history there on the insurance side, and today we're gonna talk about insurance and cybersecurity. And Joe leads a [00:02:00] practice at Gallagher around cybersecurity and insurance, so really interested to get his insights and perspective on the entire landscape from an insurance perspective, but also from the perspective of cybersecurity and insurance.
So, I appreciate you taking the time to join us today, Joe. If you don't mind just doing a little intro of yourself and your company please.
Joseph Hines: Yeah, thanks Mike. It's great to be here and I'm excited to dig into this a little bit more. So just some background on myself--I lead our cyber practice here nationally at Gallagher.
We are an insurance broker, really focused on the risk management space and from a cyber perspective it's certainly been an interesting, I would say, probably the last five years in terms of how the threat landscape has evolved. From an insurance perspective, the way that we're looking at it is really transferring the risk from [00:03:00] cyber exposure to an insurance policy. But with that being said, and we'll dig into this I'm sure, obviously there's best practices and risk management components associated with that that can really have an impact from a pricing perspective, from a coverage perspective, in terms of what that risk transfer solution ends up looking like at the end of the day.
Mike Reeves: I appreciate that perspective. Maybe, if you don't mind, just since you have a national view from a Canadian perspective on what's happening in the cybersecurity space as it relates to insurance, maybe you can give us just an overview--kind of macro, where is the market, and maybe what is the maturity of the market in terms of the customers. Are most customers in a good space that you're talking to and have a good understanding? Or is it just kind of, annually you get together, or whatever the cycle is, and they're trying to figure out, "OK, I need [00:04:00] cybersecurity insurance, I need a rider of some sort. How do I sign up for that?"
Maybe if you could just give us a little compare and contrast there.
Joseph Hines: Yeah. If we were to, from an insurance perspective... You know, five, six years ago, from an underwriting perspective, there was really nothing that was being done on the insurance side to really understand what the exposure looked like from an insurer perspective.
So when we look at the carriers that are deploying the capacity in terms of the ones that are gonna be paying the claims at the end of the day, they were asking customers four or five questions in terms of what revenue do you have annually? What are your employee counts? What's your website domain? What industry class are you in? And in a lot of cases you could have a $5 million deployment of capacity within 48 hours in terms of turnaround from a quote perspective.
What that led to when ransomware really started to run rampant and business email [00:05:00] compromise started to surface very frequently, was carriers posting significant, significant loss ratios. Meaning they were paying out way more in claims than they were bringing in premiums. So, what that led to was these carriers starting to analyze that claims data and really focus in on: OK, what risk control measure or what security control could have been in place to either reduce the severity of the overall event or prevent the event from occurring in the first place. And what that led to was a significant shift in the market landscape in terms of what they were looking for from an underwriting perspective. So what that introduced was applications that were very challenging for a lot of organizations to complete.
We look at ransomware supplemental applications sometimes 4, 5, 6 pages [00:06:00] long, asking you: do you have endpoint detection response covering all of your endpoints? What does your backup policy look like? Have you tested those backups? So, the information that they started requesting became much more complex.
And those organizations and a lot of organizations that weren't able to make the investment and make the change, in a lot of cases, were unable to obtain coverage on a go-forward basis because of the fact that the claims data was suggesting that they were a very easy target. They didn't have any preventative measures in place.
Then if we fast forward to today, the cyber insurance market has really recovered. In terms of what they did from an underwriting perspective and what they introduced from a controls perspective in terms of what those minimum requirements were to be able to obtain the coverage has led to some profitability starting to come back into the marketplace. [00:07:00] Meaning that loss ratio is now under a hundred percent, which oftentimes is very good for customers that have made the investments because ultimately it creates competition from a carrier perspective in terms of the carriers that are looking to deploy the coverage. Also, if you can position yourself as a best-in-class risk in today's marketplace, you're likely gonna be paying significantly less for the coverage than you might have been two or three years ago because of the leverage you're getting in the marketplace.
Mike Reeves: Thank you for that. That was very good detail. And just a follow on question to that, and I liken this to, I remember when we started our journey and it happened to be with you at the time. Going back to what you described as the early on approach as to kind of how you initially where customers were trying to request or get coverage. If you look at a lot of customers that haven't had to go down this road, or maybe they're getting pressure and they [00:08:00] need to find a way to get some coverage today, and it's the first time at the table--what is the best approach for somebody to come to a company like yours and say, "OK, I need to get coverage."
I know we'll talk about this a little bit more in terms of you've got lots of structure and questionnaires and format that you can provide to a customer to help take them along to get to a point where they can understand what they need to do and then understand their current posture or position and maturity, and then maybe the things or the gaps they need to cover off to get them to a good state for coverage. And as you say, kind of moving through the maturity model to get the best in class. So, when a customer approaches you for the first time, maybe offer some guidance, how would you want them to come in and have that discussion? What level of preparation would you like them to have just to, make it as productive as possible?
Because if I go back and look at our initial experiences around this, it was like, "Really, we [00:09:00] gotta do all this?" And maybe you can talk about that a little bit for folks.
Joseph Hines: Yeah. From an initial conversation point of view, oftentimes when we're dealing with an insurance program, oftentimes there's a lot of coverages that lie outside of the cyber insurance component as well. So oftentimes in organizations, you're dealing with a decision maker--a CFO or someone of that nature--that might not have as much context in terms of what that overall network structure looks like, what they're leveraging from a tech stack perspective within the organization, what they're really relying on. So, what I usually recommend is bringing someone into that conversation, whether it's the director of IT or whether it's an outsourced provider, depending [00:10:00] on what the situation is at that organization to really do almost like a scoping call, Mike, in terms of, "Hey, where are you with your journey? Have you implemented things like multi-factor authentication for remote access for the network, for the employee emails? What's your backup situation look like? Are those backups disconnected from the internet or disconnected from the network? Are they inaccessible? Do you have them in a cloud environment that's protected by MFA? What's your patching cadence for critical vulnerabilities that are released?" Things like employee training, do you have a significant number of employees? Are you going through phishing exercises? If those employees fail those phishing exercises, are you able to determine that and assign additional training to those vulnerable employees? What's your privileged access look like?
And then really from there you're [00:11:00] working through... That would almost be, Mike, the barrier to entry. Those are kind of the initial questions of, okay, we know if there's some nos in there we're probably not gonna be in a position where we're gonna be able to get the coverage, so here's what our recommendation is. Go out and work with your team to implement a few of these changes. Let us know what that looks like. Now, in certain situations, especially when we're dealing with end of life and things of that nature, sometimes those implementations can be a significant length of time, depending on if you've gotta do upgrades to even be able to attach some of those controls to certain elements of the network and things of that nature as well. So, that journey can be as quick as going into Outlook and switching on the MFA button if there's already Duo Mobile, or something of that nature downloaded on the employee smartphone, to now we've gotta go upgrade our entire ERP system in order to be able to [00:12:00] attach these controls to that ERP system. And it can be a significantly longer process for some of those organizations.
Mike Reeves: Yeah, I appreciate you sharing that perspective and then, dig in on that a little more.
You talked through a lot there and then you also mentioned earlier kind of maturity and the maturity curve. So, I know you sent me a couple documents yesterday, which were great. They were nice and simple. They were red, yellow, and green in terms of requirements or things that you want to see or ensure that are in place, or that you can kind of move toward.
I'm wondering, maybe you could speak to what is the minimum to kind of start somebody on the path to say, "OK, you're good. We can give you coverage." And with that, do you put any parameters around you know, do you say, "We will give you coverage, but you also have to show us over the next six, twelve--over the year," or whatever is the policy term, "that you've done additional [00:13:00] hardening and started to mature further." And then that reflects potentially in costs for premiums that a company has to pay. So wonder if you maybe talk a little bit about that cycle.
Joseph Hines: Yeah. So from a minimum requirement perspective, let's say, Mike--and just to give you some perspective on what the market landscape looks like--let's say we've got 25 different insurance carriers in the Canadian marketplace, and I'm gonna speak to Canada. There's probably a few more in the US marketplace and then you've got your London-based carriers in terms of the UK market, or the Lloyds of London market as well.
Let's say we meet those minimum baseline requirements: you've got MFA implemented, you've got your backups offline, disconnected, you're doing some employee training. Depending on the size of the organization, there might be a requirement for an [00:14:00] EDR solution deployed across all endpoints and a true, whether it's EDR or MDR, where it's actually managing all those endpoints. You've got a written plan for patch management, you're doing some employee training. You may be in a position where you might have maybe 25% of those carriers at most willing to deploy capacity, or offer what we call a quote for coverage.
Where if you take yourself through that maturity stage and you get to the point where you're following an industry framework, you're going through stages of doing other components. You've done some pen testing and you've actually reviewed those results and done some hardening associated with what the results of that pen test looked like. You've tested your backups, you can [00:15:00] restore. Then in those situations, that's where you're really creating the value for the organization. When you're doing that marketing exercise as a broker with the carriers, you might have 90% of that marketplace that really wants to write the business and wants to deploy capacity. So you could see premiums fluctuate as much as 50% in those situations. And then alternatively, the enhancements that you can sometimes get on the coverage--and we don't need to dig into it--but you can talk about things like systems failure coverage or dependent BI or whatever that looks like. You're in a much better position as a best in class risk versus kind of in that initial stage of being able to get something in place.
Mike Reeves: You just touched on something that I think is super important for people to understand and it's the duality [00:16:00] between people will come to you and ask for we need to have a discussion around cybersecurity insurance, but you also said disaster recovery.
And I think that's the linkage and the integration between. Even though most companies treat them as two separate things, those are very much, especially these days because of cybersecurity, integrated together in terms of planning. Maybe you want to spend a minute talking to folks about that because that's super important that people understand that those are tightly integrated or linked together now, where traditionally they may not have been.
Joseph Hines: Yeah. And that's an excellent point, Mike. When we look at cyber insurance, and this is what I always tell every one of my clients, is this is not a replacement in any way, shape, or form for your investment in your infrastructure within your security posture.
And the reason for that is because we've seen clients that [00:17:00] are, on paper, probably not the best risks have events that were of significant severity. And we've seen clients that have done everything, and maybe it's something unrelated to their specific network--maybe it's a third party, maybe it's a supply chain event where it came through a technology provider of theirs or something of that nature--that have had events just as severe as those worst in class risks.
But when we look at it from an incident response perspective, really the way that the coverage is designed is to essentially cover all of your costs associated with bringing in the experts to deal with that event. When you look at, and oftentimes it really does depend on the industry in terms of what's going to be the most important in those situations, but if it's healthcare related, for example. Having a privacy lawyer to [00:18:00] walk you through everything that you're going to be required to do in that situation. You know, when we look at the US, for example, they've got different privacy legislation all throughout the country. So to be able to understand what your legal requirements are gonna be through that process is extremely important.
Oftentimes there's gonna be a huge forensics component associated with identifying: okay, what information was accessed? Have they exfiltrated data from the network? What are they doing with that data? Is it a ransomware attack? Is it just simply business email compromise? What does that look like? And then alternatively, okay, if it's a ransomware attack, can we access our backups? Let's look at what that looks like. Can we get to our backups? If we can't, well, we're in a lot more challenging of a situation if they've encrypted our backups and we can't restore our backups than we would be if [00:19:00] we can access our backups and we can restore from those backups. Because, chances are, especially if you're a private company and you're gonna be down for a significant period of time, recreating your entire network because you can't access your backups, your business interruption exposure is going to be night and day in terms of the difference than if you've got those backups and you can get up and running again in a very short period of time. And it could be the difference of you deciding to make that ransomware payment or not needing to make that ransomware payment.
So, the preparedness, I would say in terms of being proactive versus reactive in those situations, is extremely important to be doing those pre-breach because if you haven't done any of those exercises in determining what that disaster recovery plan looks like prior to a breach occurring, it's [00:20:00] gonna be a lot more stressful than if you've gone through all of those exercises and you've prepared yourself for one of those events. Because I can tell you that these events, they don't often happen during business hours. It's a weekend or a holiday. So it does make it very challenging if you don't have a plan from a disaster recovery point of view in place and developed and have all the stakeholders at the table that need to be at the table within the organization.
Mike Reeves: And when you're looking at a customer--again, cybersecurity and disaster recovery both together--I'm assuming, based on the maturity and how well prepared and planned a company is, does affect premiums as well because of the linkage between the two.
Joseph Hines: Yeah. And there's a lot of questions associated with that, that would come up in the underwriting process in terms of, what have you [00:21:00] developed internally? Have you, sometimes it's actually outside the scope of just controls. It's saying, "How many times a year are you testing your backups? Have you done any pen testing? Have you developed, do you have a written incident response plan where you've assigned the roles and responsibilities within the organization? If the network goes down tomorrow what's that look like?" All of those questions do become a component, especially when you're looking at those more mature organizations, and that really from a broker perspective, that's what's gonna work in the client's favor or the insured's favor in the marketplace. Being able to negotiate the best terms and coverages for the client.
Mike Reeves: Great, thanks for sharing that. Just gonna change gears a little bit here and kind of maybe go back onto something we were talking about a bit earlier, and it ties into the maturity conversation. [00:22:00] If you look at the different frameworks that are out there, you've got CIS controls, NIST, MITRE ATT&CK framework. Do you have customers that, if you look across Canada, is there one that's more prevalent than the others and/or do you have a preference for a model or one model versus another? That may be a tough question to answer.
Joseph Hines: It is a tough question. And the reason for that is because there's certain industries that you'd see that certain industry frameworks would be more applicable to. Just for some context, we work with clients in all different industries. So, if you look at ISO, for example, like that's a very popular framework. We see that framework a lot, but we also do see the NIST framework quite a bit as well. From a [00:23:00] carrier perspective, there isn't necessarily a preference from which industry framework that is, unless there is specifically one assigned. If you're looking at certain industry segments of where that industry framework might be a little bit more applicable, then obviously there's gonna be some advantages to following that industry framework.
But really, just being able to show that you are going through that process and maybe you're still in the audit stages, which a lot of organizations are and a lot of organizations remain in those stages for a long period of time. It's a challenging process to go through, but if you're able to display that you're making progress and you're addressing those things on an annual basis, it really does go a long way in terms of from an insurer perspective, the way that they're looking at that specific account. [00:24:00] But yeah, it's tough to say that there's a specific industry framework that would be recommended in that situation because also if you're multi-jurisdictional and you're dealing with data in different parts of the world then that can have an impact on which framework to follow as well.
Mike Reeves: In terms of starting a process with you folks from initial conversation through to having a signed contract, do you have kind of a standard timeline for that? I know it's probably not standard, there's not zero to 90 days, but is there kind of a bucket or a range in terms of how long the process typically takes for a customer?
That may depend on their maturity level as well, in terms of how quickly they're able to provide you with the information you need.
Joseph Hines: Yeah. So that's really the key there, Mike, is in a lot of cases, the collection of the information can really be the challenge for the [00:25:00] client. In a lot of situations they might not have a lot of that information internally and they might need to go work with their outsourced providers to be able to obtain some of that information.
But, let's say they're a very mature client and they're in a very good spot from an insurance point of view, that process is, probably a couple weeks of having a really good amount of options on the table and a really good negotiation perspective.
But for example, like I said, if they need to go out there and they need to make significant adjustments before we're even gonna be able to get a carrier to provide capacity, that can take a significant amount of time for the organization depending on: are they able to just go implement it or do they need to make a bunch of other changes before that implementation begins? [00:26:00]
So, it can be a significant period of time or if they're in a very good position because what we're seeing a lot of now is, it is very hard to deal with a vendor now without being able to show evidence of cyber insurance coverage depending on what industry class you're in. That's a very standard request. And I would say those that are dealing with US customers are probably seeing it a lot more, than those that are just in the Canadian marketplace, but I don't think that's gonna go away anytime soon. So, a lot of clients will come to us and they'll say, "Hey, we're looking at this contract and they're requiring $5 million of coverage." And it puts them in a tricky situation if their posture's just not to a point where they're going to be able to obtain the coverage in a very short period of time.
Mike Reeves: Yeah, great perspective. And just kind of [00:27:00] maybe a little further and deeper into the discussion. So, if you look at SOC II and you look at ISO 27001--we're talking about frameworks here as well--and you say, that's a great path for folks to get down is, pick a framework and start to move down that path. And clearly it sounds like there's typically going to be good support to be able to get some sort of coverage and put in place.
Having gone down the SOC II road within our organization and 27001, certainly, much more depth there, I'm wondering, what do you see more of in the market in Canada from your perspective? Is there more SOC II or more 27001? I know again, it's gonna be industry dependent probably, but I'm just trying to get an understanding of state of [00:28:00] maturity that you typically see to understand where most organizations are. And maybe shed a little light on that for us.
Joseph Hines: Yeah, we definitely, from my perspective, I work a lot with technology companies, whether that's technology product companies, whether that's technology service related companies, managed service providers, et cetera. SOC II is certainly the most popular that I see. ISO 27001, depending on how much US exposure might be associated there. Sometimes you do see clients and sometimes they'll shift mid-SOC certification to then transfer over to ISO 27001.
So it's interesting because it certainly is more SOC-related, but I would say [00:29:00] that there's still a lot of organizations out there that haven't gone down either road. Like it's certainly not as common as you might think it is.
Mike Reeves: Thanks for saying that because that's one of the reasons why I'm kind of trying to have this discussion and talk about the landscape because the lens that we will get exposed to is a lot of customers are in some portion, some element of the journey, around cybersecurity. So, there's a little more thought there, but I'd venture to say, the majority of organizations have not. Maybe are timid, scared, or maybe they just don't know how to approach it and what I'm trying to do here today is just let a lot of people know that you know, you're not alone.
It's a tough thing to figure out. It does require a lot of patience, a lot of time, and a lot of collaboration with organizations like yourself. And then, as you say, some of the ecosystem of technology partners and maybe it's [00:30:00] consultants and/or third parties that are helping you around your cybersecurity posture. And, you know, it's okay. Like you gotta start somewhere. And what I'm hoping to do is say: Okay, you folks have a very, very good plan around how can you have those initial discussions to basically do some consulting with the customer to say, "Here's how we start this journey."
And there's a lot of depth to it and it can be a lot of time, a lot of money, and very complex. Or you can go down a path and do it a bite-sized chunk at a time and really start to build some momentum, maturity, get that into the culture, get it into the operating culture of the company. And then, it starts to pick up its own rhythm or cadence. It becomes less daunting to get your arms around. So, I'll pause there if you want to comment on that a little bit because I think that's important that people understand that today. [00:31:00]
Joseph Hines: Yeah, and I think that's a really great point is, there's a lot of organizations--you know, I see organizations in Atlantic Canada, I see organizations in Western Canada, I see organizations in Ontario--and I think it is such an overwhelming, I would say initial stage. Especially if you've got an organization that really hasn't made any changes for a significant number of years and they can get overwhelmed very quickly. But that's from our perspective, we're not there to help you implement tools. We're there to tell you kind of what that roadmap looks like and then they're gonna rely on organizations like yourselves to really kind of help them through that process to see, "Okay, this is what our broker told us that we're going to need to do to be able to get this coverage. Can you assist us with [00:32:00] kind of developing that plan in terms of where do we start and how do we get there?"
But I think one of the bigger concerns I see in a lot of cases, and we've had this happen a couple times, where clients see that best in class piece and they want to get to that best in class bracket and they want their premiums to be cheaper, but to wait until you're a best in class risk to put insurance coverage in place to transfer the risk of protecting your balance sheet if you do have a loss, you're more exposed now than you will be when you're in that bracket. So, what I always suggest is maybe it's a three year period of: okay, let's start with this carrier who we know maybe is priced a little bit higher, but still is gonna be able to provide you with coverage for the time being and then next year, as you mature through that stage, we'll go back out to [00:33:00] market once you've checked these additional five boxes and you can check them and say that, "Okay, we've implemented this over the period of this year." And maybe that premium gets a little bit cheaper the second year. And then that third year, maybe we're to the point now where we are a best in class risk and maybe we can go out there and reduce that premium by a significant level. But to... Because like I said, some of the time these projects can take a significant amount of time. In some cases it's not as significant.
But I see it, just personally, in the manufacturing sector, there's a lot of change. In a lot of cases, you've got clients that are introducing OT environments. And they've never had OT in their environments before and being able to segregate that from the rest of the network and make sure that that's not gonna be connected to the corporate network and things [00:34:00] of that nature, that all can take time. And in a lot of cases, it's not gonna happen overnight. But once again, that's the importance of, if you're not able to determine what that looks like at a corporate level within the organization, that's why you go out and you find an organization that can help you walk through that process and help you come up with a plan. It's no different than any other professional services that are being provided out there, right?
Mike Reeves: Great summary. I appreciate that. And, I maybe should have asked this question a little earlier on as we're setting the stage, but I'm gonna come back to it now anyway, 'cause I'm just curious to hear your thoughts and this is kind of more of a Canadian market thing.
So if you look at breaches, we all hear about them. They're going on, they're out there on a regular basis now that we hear of them through the media. [00:35:00] If you look at the landscape in Canada from what you see around breaches, are there any commonalities that you see that customers experience, maybe it's the type of breach, but also how they're approaching working through the breach to get to a resolution. And whether it's--and maybe you can't speak about some of this stuff--it's who pays, who doesn't pay, or percentage of market that would pay versus doesn't pay. Maybe if you could give us just a little commentary on that and then I think we'll kind of get to the end of our conversation here.
Joseph Hines: Yeah. So, when we look at ransomware specifically, if that's the angle we're gonna go down here, there's a lot of misconception in terms of, I think everybody thinks that they're never gonna be a target of ransomware. And I [00:36:00] don't think that in a lot of cases they are actually a target of ransomware. They are just low hanging fruit or are susceptible to something that's happened to another network where there's been some communication and they've discovered them through that. And with that being said, it really, from an insurance perspective, what we see is the policy is essentially: obviously as long as you're not making a payment to a terrorist organization, which 99% of the time that check comes back clean and the client's able to facilitate a payment, or it really becomes their decision in terms of a cost benefit analysis of: okay, if we can get a decryption code and they've got our backups, then chances are our business interruption exposure is gonna be a lot less than if we have to recreate our entire network.
But as we [00:37:00] discussed earlier, it's those clients now that are preparing for those events and they've got a backup environment that they know they're gonna be able to access. They've planned and they've tested and they've done all of these things. They lock your network down, it's a lot easier to get back up and running than it is when they have full access and have encrypted all of your backups.
And yeah, in certain situations there's gonna be sensitive client data that you don't want them to have, but if you can prove to them--and the whole process is very unique in terms of how you communicate with these threat actors in terms of, there's legitimate ransomware negotiators involved in that process saying, "Hey, I know you've said you've exfiltrated a hundred gigabytes of data, but prove to me that you've exfiltrated a hundred gigabytes of data." And there's exchanges of information that happen through that process. So, in a lot of cases now, we've seen the frequency of those payments being made significantly [00:38:00] decrease. And not only significantly decrease, I would say, Mike, you know, two or three years ago that was probably 70% of companies were making the payment, and now it's probably much closer to 30%. Which is obviously a good news story because we're not paying that money to a criminal organization because that's essentially what that is, right?
But with that being said, it's interesting to see how that process works. But at the same time--okay, well if we're able to restore and we're able to get back up and running, maybe instead of that $5 million ransomware demand that they've told us that they want, maybe we can make them a good faith payment of a hundred thousand dollars to get the data back now that we've proven to them that we can restore our network [00:39:00] without making that payment. So in certain situations, you look at, is the reputation there. From a threat actor perspective, it's tough to say, but they operate themselves as businesses. They want to keep a good reputation in the marketplace. They've all branded themselves. So, if you do make that good faith payment of a hundred thousand dollars and get the data back, does that ever surface on the dark web? Does it ever get sold? I don't think we'll ever know the true answer to that, but it can certainly really decrease the exposure to giving them $5 million in that situation, right?
Mike Reeves: Yeah. I appreciate you sharing that last little bit, particularly around the involvement and the maturity and how you help a customer go down when they're in that situation or through that process to try and get to best case, whatever that may be. And, I think that's one of the things I don't think, and if you're fortunate enough, you [00:40:00] don't have to go through that experience. You bring as part of the relationship with companies like us to really put that strategy together and try and devise a plan to get to the best outcome for the customer that's been impacted, at the end of the day. So, that was a great anecdote. I appreciate you sharing that.
And I really enjoyed the conversation today. And I wanna thank you for coming on the podcast. And, as I said, I really just wanted to use this as a platform to let companies know and people know that you're not alone in trying to figure out the cybersecurity journey and in terms of risk and how do you manage that and how do you find a partner from an insurance perspective that has the knowledge and the depth to be able to take you, even if it's very early days or if you're very mature in terms of where you are with your cybersecurity posture and disaster recovery, and you certainly have that knowledge and that depth, personally, and [00:41:00] then clearly Gallagher as well.
And so, I appreciate you taking the time to share that. And I don't know if there's anything else you want to kind of close on or would like to share and then clearly, contact details. I can put those in the show notes if you want, or you can communicate them here, whatever you feel is best.
Joseph Hines: I appreciate the time, Mike, and it's always a pleasure having these conversations, but I think, just one note. I think, there's always room for improvement. There's always gonna be room for improvement.
And I think with the way and what the next few years look like with AI and things of that nature, it's only, I think, gonna get more and more interesting in terms of the tools and resources that the threat actors are gonna invest in and develop. So, there's no better time than now to really take those steps in terms of planning for the future and working with an organization like yourselves to really be able to understand what that [00:42:00] plan looks like and come up with a plan in terms of--"OK, yeah, maybe we're not gonna be able to do everything today, but here's what we should focus on and here's the next step. And then there's more steps that come after that." It doesn't need to be an overwhelming process. It needs to be a process of continuous improvement.
So, I really appreciate the time and I look forward to chatting again.
Mike Reeves: Great. Thanks for that. And, thanks so much for coming on the show today, Joe.
Thank you for listening to Solving for Change. If you enjoyed this episode, leave us a rating and review on your favorite podcast service and look for our next episode.
About our hosts
Mike Reeves is President at MOBIA Technology Innovations where he leads the evolution of the company’s core services and go-to-market strategy. Building on 20 years of experience working with early-stage technology companies to develop their strategies, raise capital, and be acquired successfully, Mike is passionate about helping enterprises execute complex business transformations that support growth. His dedication to supporting leaders in leveraging technology to create competitive advantage inspired the vision for this podcast.