

Craig Sekowski is a seasoned executive with 25+ years of experience in IT, Insurance, and FinTech. He leads The Tech Collective, optimizing digital optimizations for major clients.
His strategic collaboration with corporate CIOs, CFOs, and CISOs drives industry innovation, product delivery, and key partnerships with companies like Fiserv, Truist, AIG, TIAA, Home Depot, AT&T, and Carrier.
He has presented Cyber solutions to the US Secret Service at the Atlanta Cyber Fraud Task Force and has served on several technology boards.
Connect with Craig on LinkedIn.
Ralph Pasquariello, Sr Partner, Cyber Liability Insurance Consultant at The Tech Collective, home of the CARE-Report.
Connect with Ralph on LinkedIn.
This transcript is machine transcribed by Sonix
TRANSCRIPT
Intro: Broadcasting live from the greater perimeter. It’s time for greater perimeter business radio. Now, here’s your host.
Lee Kantor: This episode of Greater Perimeter Business Radio is brought to you by Mirability with their new compliance exo service taking you from IT risk to IT reward. Now here’s your host, Erik Boemanns.
Erik Boemanns: I was recently reading about a small drink manufacturer whose bottling vendor made a mistake. After shipping, the cans, now sitting in a warehouse, began to explode. They lost $1.5 million in inventory. They had $500,000 in insurance plus some supplemental policies. It was nowhere near enough to cover their loss. So a large company might have shrugged this off, but a company that was just starting it was devastating and almost ended them. That’s easy to comprehend. That idea of a real world loss where there’s product. But when we shift gears to cyber, it gets a little bit more abstract. It’s a little bit harder to understand. $1 million of coverage sounds like a lot. So my guest today, Craig and Ralph of Tech Collective, helped translate this very real risk that cyber does bring to our business into real world examples. For example, they shared with me an example of a concrete company that initially was hesitant to have any insurance at all, got hit by a cyber or a ransom attack, was basically out of commission for almost six months. Um, just due to that. So maybe Craig or Ralph, do you want to expand on a little bit in that story on what happened?
Ralph Pasquariello : Sure. Um, you know, selling cyber insurance, Erik, as I did for 15 years, one of the actually early adopters to cyber insurance here in Atlanta. So it was a hard sell at first, you know, and, and several of my companies, midsize or small size, just, you know, said, hey, we don’t need it. And as you indicated, one of the stories was one of my concrete companies that we insured. And they were, you know, I actually had two. One was a concrete company that was down for quite a bit, and the other one was another large company that, um, paid us a lot of money for premiums for their insurance policies. But when I offered them a cyber policy, they said, well, we really don’t need that. We’re, you know, we’re a construction company. And as you know, you know, three months later, they got a major attack. It was a malware attack, ransom attack. And the owner called me and said, hey, we have blue screens here. We don’t what is a Bitcoin? They want $25,000. And I said, well, I’ll show you how to get bitcoin. But if you had bought $1 million policy, which at the time was, you know, 15 years ago was was kind of a radical, people were like, wow, that’s a lot of money. Like you indicated. Yeah. Um, I said you were to spend $3,000 on the policy, and it would have covered the $25,000 fine and the ransom and all that fun stuff. So, um, but it’s, you know, it’s just nowadays it’s not as hard a sell, but with the small businesses, it still is. It’s amazing that only 40% of small businesses actually have cyber insurance policies, which is crazy. So yeah.
Erik Boemanns: So I know we still drove right into a story. So maybe we take a step back. Um, I’d love to hear a little bit about your own backgrounds and, and The Tech Collective, what it does.
Ralph Pasquariello : Right. Well, about a year and a half ago, I joined The Tech Collective from a previous job. You know, I was with cyber, I did cyber insurance for 15 years and, um, decided to jump into it full time and to kind of help or we created something new. Um, Craig and I and Jim called the CARE-Report and it basically benchmarks companies and lets them know what their exposure looks like, what their risk looks like, and then they can adjust their insurance policies and their security as, you know, as needed. So it was it was something that was really, really needed for for many, many years. I just said, there’s something missing here and we can dive into that a little bit more. But, you know, Craig and I and Jim came up with something in seven months ago. We launched the website for care Report.com, and in the last seven months, the growth has been incredible and we’ve been blessed. So. And I’ll let, uh, my CEO here speak. Go ahead.
Craig Sekowski: And I’m Craig. Um, so The Tech Collective, we are technology focused service providers and we help businesses with tailored IT needs, whether it be cyber insurance assessments could be strategic advisement, cybersecurity or just your basic infrastructure, but we’ve got two different divisions of our platform. And as Ralph was mentioning, our latest and greatest growth is the CARE-Report really helping identify both cybersecurity risks and also the cyber insurance side of the house, making sure that you have the correct policies being put in place for protection.
Erik Boemanns: Gotcha. Yeah. And, um, so you began offering the report you said seven months ago.
Ralph Pasquariello : Uh, we launched the website. Yes. On, uh, uh, August 5th, I believe it was of last year. And since then, well, we’ve I don’t know how many. Um, we’ve done a lot of interviews, a lot of podcasts. We’ve we’ve spoken at so many events. Um, and as you know, Erik, we we did the, uh, the Secret Service launch, the Secret Service, the cyber event here in Atlanta back in June. And that was at the Mercedes-Benz Conference Center. And that was just quite an honor to do that, especially when we were less than a year old. So yeah, it’s been quite a ride. It is.
Erik Boemanns: Absolutely. So I’m curious if kind of what prompted you to launch the report, was it stories like the one with the construction company or other companies that maybe had gaps in their cybersecurity?
Ralph Pasquariello : Well, yeah.
Craig Sekowski: I think I think the story is, you know, I met Ralph some years back and we had similar conversations from different spectrums of the conversation, and the conversation was really broken. Um, CEOs, CEOs, CFOs, CISOs all speak a different language. And we were looking at cybersecurity. On one side, Ralph was mentioning the insurance and lack of from the cyber insurance. And we said, we’ve got to connect those two and be a conduit for that program. So we figured we would solve something. We don’t like to stand still. So being part of the environment we are, we wanted to come up with a program that would really benefit, um, somebody, you know, I’ve sat in the C level seat and know the importance of that. And best effort isn’t good enough.
Ralph Pasquariello : It’s hard to make an impact when you’re selling insurance. You know, when you’re presenting and writing insurance. But from a consultation point of view that I’m doing now, that we’re doing now, when we go in and you speak with the CFO and every single time, um, their insurance is wrong with cyber insurance. You know, when I ask a CFO, why do you have a $5 million limit? And they say, well, because we need to be in compliance. And I say, with what? With a contract. Every single time. Erik, that is their answer. And I said, well, look, you know, if your building is worth $500 million, why would you insure it for 100 million? This because to be in compliance with what? The homeowner’s association or whatever, you know. So, um, so when we took a deeper dive into that and we did an analysis and actually, you know, I would do a whiteboard and say, look, the most, the thing that’s going to hurt you the most is downtime, right? So if you get hacked and you’re down for 30 days, what does that cost? Right. And the CFO would look at me like I’m crazy, saying, why would we be down for 30 days? And I said, well, you know, we’d pay this and we’d get back up and running. I said, no, no, no, you don’t get it. You know, and there’s so many as you know, there’s so many more cost involved, you know. And so when we run the report for them today and the analytics and all the algorithms that we have with three major, uh, partners that we have and the numbers come back, the benchmarking is right. Spot on. And it always takes them by surprise. But they realize now look, we have a $10 million policy. We really need 30. Um, that’s a big gap.
Craig Sekowski: Well, the other gap that we we fulfill, it’s, as I was saying before, everybody has a different, different definition of compliance, right. CFOs are looking at their contracts saying, I’m in compliance with the contract needs. Well, that’s only one slice of the pie. And now we talk to CISOs and CIOs, and they bring in like health care. Talking about HIPAA or PCI requirements. Are those also being addressed and covered. And we bring that into the benchmarking and the risk quantification and measure those against really what they need. So again, that brings up a different conversation and fulfillment.
Erik Boemanns: Yeah. Well I think it’s interesting too. You’re talking about compliance with a customer contract. The customer put that in there. Because if something bad happens that might be what they’re expecting to get from you. Which if that’s all your policy is, then what’s left over for you and getting back up and running.
Ralph Pasquariello : So I think it’s kind of reverse third party damages. Right. So and, and I also insist that when, when people write their insurance that they do a check on their suppliers and their clients, right, for third party damages, but to make sure that they have enough insurance in case something happens.
Ralph Pasquariello : So yeah.
Ralph Pasquariello : It’s a big step.
Erik Boemanns: Absolutely.
Erik Boemanns: So I am curious, um, what does the care report help with? How does that actually help a business understand where they’re at with those gaps that we’ve been talking about?
Ralph Pasquariello : Well, like Craig mentioned, we do analysis on both sides. We do the cyber analysis for liability. So we do a risk quantification when it comes to financial how is it going to hurt. And we benchmark you. And then on the security side we also do a benchmark saying look if all of your peers have x, y, z for security and you’re deficient in that, why is that? We need to bring you up to current standards. Um, and Craig can talk about this a little bit, but, you know, we we speak to so many CISOs too, and a lot of them are locked in to their environment, you know, and they live in a bubble. So they really don’t know what a lot of the outside threats are. And that’s the outside look that we take. You can expound on that.
Craig Sekowski: You have a broad lens. And that’s why we partnered with three different groups that feed us information and vice versa. And it’s a broader lens from risk mitigation. Taking a look at what they have from an outside in type of exposure that they might not even be privy to. And we also look at industry like for like what are your peers doing? What are their exposures. And I think the largest part is really looking at some of the history and the new things that are coming up. We also partner with different agencies that feed us information. We find that, um, many companies are ill prepared for their incident response. What do you do? It’s not a matter of of if you’re going to get it. It’s really when.
Speaker6: Yeah.
Erik Boemanns: So makes sense that some analysis and benchmarking. I’m curious maybe if some success stories that you’ve had where people have, having gone through the CARE-Report, realize that they have the gap, they got that coverage. And then kind of where did that go for them?
Speaker6: Yeah.
Ralph Pasquariello : Well we have several. One is a manufacturer, large manufacturer. Actually we have one in Detroit, but there’s one in Atlanta too, that we dealt with. And when we went in, they had a $3 million policy. And they’re doing about 600 million in revenue per year. And I just I, you know, I couldn’t believe that the the numbers were so low. And I said, well, why. Again, it was a contract. Um, after we got through with them, they had a $15 million cyber policy from their broker. And we work with the broker. That’s another thing. We don’t sell insurance. You know, we are we’re friendly, you know, we’re consultation only and dealing with not only the client, but their insurance broker and their security people, their MSPs. You know, we’re a friend to them because we are now validating what they need. Right. And from a different perspective, totally. We’re an outsider. But it seemed to have more value when it comes from us than from their insurance broker. Right. Sure. They said the insurance broker? Yeah. You’re just trying to sell me more insurance. And I used to hear that all the time. Um, and I’m not. You know, my job as an insurance guy is to keep you in business. You know, when the proverbial. You know, when the crap hits the fan and it costs $10 million and you only have a $3 million policy. Who’s going to be who’s who’s to blame? Right. And I always say that to CFOs. Whose fault is it? You know, if you’re wrong, is it my fault or is it your fault? And we don’t we don’t want to play that game. We want to just look, here’s what you need. It’s your choice whether you go that route or not. Right? But this is what you need. So does that make sense?
Erik Boemanns: Yeah, absolutely.
Erik Boemanns: Well, and I think you brought up earlier like the idea of if you under insure a property because it’s what the HOA requires, right. I wonder too, if a lot of people maybe don’t understand the risk and or the value that they really should be insuring. Right? It’s it’s easy to say, oh, $3 million of coverage. Great. But to your point, if it’s a $300 million business, are they even thinking about that problem the right way?
Craig Sekowski: Well, the extra risk tiles that are included in our report, I think, accentuate that. And I think that exposes some of the needs that they might not even look at and saying, oh, I didn’t even think of this. And we’ve been in business for X amount of years. So that extra benefit and again to reframe, we work for the client. So we’re that extra arm or extension of the client. And I think that’s the largest value that the client receives.
Erik Boemanns: Yeah I’m curious how many people come to you thinking that they’re going to save money on their cyber security insurance after.
Ralph Pasquariello : Well, they cannot. They excuse me, they actually can because, um, we like Craig, always talks about we go back to the beginning where the applications who filled out the these cyber applications in order to get the insurance right. So maybe that was filled out wrong. If we go back and we fill that out properly, right. It can reflect a better premium on your insurance. And we’ve had that happen a couple of times.
Craig Sekowski: We had a university that was putting in the CMC and some of the other security benefits. They didn’t list anything on their application and they saw their premium kind of just rising. And it wasn’t, you know, dramatically. But we looked at the application, we were doing the CARE. And part of that benchmarking was missing some of those gaps. We said, why aren’t you identifying that? Let’s make it part of the roadmap. And when they return that application and we like to call it oven ready or fully baked, um, the underwriter gave them additional considerations and they lowered the premium. And actually they were able to gain excess liability limits for next to nothing. So it really benefited the program.
Erik Boemanns: So a company can find out not only are they underinsured and maybe need to change the coverage, but also like you just said, that they’re incorrectly covered or at a higher premium than they should have been. So the the net can be a positive.
Craig Sekowski: Absolutely. And we worked in their insurance agent really appreciated the extra guidance that we provided from that report.
Ralph Pasquariello : And the other thing is you mentioned insurance brokers, a lot of them. And God, I’m going to say over 95% of them don’t have the expertise when it comes to cyber insurance. And the good thing is we hold their hand on that application process. So we review those applications. And this is what differentiates us from a lot of people that are writing insurance and pushing these programs. Um, we look at those applications, we help them fill it out properly. We’re looking at the previous policies, what they had in place. We’re scrubbing that where the where are the gaps? Where are the exclusions? Where are your deficiencies in the policy? You know, you may have a really I always say to Erik, you might have a really good policy, but you’re with the wrong carrier.
Erik Boemanns: Sure.
Ralph Pasquariello : You know, you should, you shouldn’t be with that carrier for what you do. So this again the consultation version or application what we provide. Um we’re not looking to switch things around, but if it’s broken and it needs to be amended, you got to you have to do it.
Erik Boemanns: Yep.
Erik Boemanns: And as you talk about the cybersecurity insurance applications, I’ve helped my employers and companies and clients with that as well. And every year there’s a new page because the threats keep changing and the insurance providers keep realizing, oh, you should have had this in place and we wouldn’t have had to pay out a claim. And so they pushed that back into the requirements. Right? So that’s an evolving the products themselves are evolving. I’m curious if you see any other emerging trends in cybersecurity insurance.
Ralph Pasquariello : So the level of security needed now in order to get a cyber insurance policy has been upgraded quite a bit. You know, years ago they didn’t even talk about MFA, you know, multi-factor, um, and now the actual, the actual applications that you have to fill out are 10 to 15 pages long. There is now a malware application that you have to fill out a ransomware application to factor. So there’s there’s like four applications that you need to fill out now in order to get cyber insurance. And that’s good because for a long time, the insurance carriers were way behind when it came to security. What’s needed. But I think after they get, you know, so many losses over the years, they’ve finally stepped up. And we’ve seen a lot of that. Craig.
Craig Sekowski: Absolutely. I think the the best part of what we’re providing, and, Erik, especially for your type of services as well, I think it’s a conduit for IT strategy, roadmap. And I think that builds a stronger roadmap. And it also makes the CFO find it’s more economically reasonable to find out what their strategy is going to be for not just short term, but long term. And they might be able to add that benefit of growth or some other productive things that they can add into their, um, their offerings.
Erik Boemanns: Um, so you mentioned MFA and multi-factor authentication. Right. The whole I need to have my cell phone and my password to log in concept. Right. Um, I kind of correlate that with on the car safety side if I have airbags required now, but if I have collision avoidance or if I have an alarm system, my car insurance premiums go down too, because now my car is safer or the the claims that may be lower. Um, so are there things besides MFA which is now a requirement to get insurance effectively? Are there other things that companies should be thinking about doing to help lower their risk? And that then translates to, you know.
Craig Sekowski: We also work with third parties and for training. I can’t tell you how important training is and awareness. Um, we had somebody years ago. I was part of a fintech company and we were doing training. We finished our quarterly training and we were about to release a product. Excuse me. Our CTO was moving very quickly, and you were talking about MFA and phishing attacks and things like that. We were doing requests for approvals and he actually clicked on something he should not have, and unbeknownst to him, got into that trap, reported it very quickly. We got our counsel involved and we called a town hall meeting. And it was it was actually fun. But he said somebody clicked on something that they should not have clicked on. And everybody’s looking in the audience looking around, and he goes, it was me. So being a little humble, he explained what that was and he said, if I had just followed our training principles over and over and over, we could have avoided that one UN error. And they they got through it. But still, I think training is also a key part.
Erik Boemanns: Yeah, that’s for sure.
Ralph Pasquariello : And that brings up a point. Um, one of our, one of my clients years ago, uh, and we talk about security, but, you know, you can have the greatest security in the world. But if you know it’s like your house, you know, you lock all the windows, but you leave the front door wide open. Right. And I’m going to use some acronyms, but people love it when I do that. But BEC is business email compromise. And and that’s something everyone should know about. And the reason why is that leads to so many other things. Um, you know, when the criminal is in your network or the average right now is almost 200 days before they are before you figure out they’re in there. Right? Um, they’ve done so much damage. And then when they leave, they always shut the door and they always, you know, give you a nice, you know, malware ransom attack, you know, but the thing that that leads to that I wanted to talk about, that happened to one of our clients is an invoice manipulation. And that’s a big component right now of cybercrime. And for those of you listening that don’t know what that is, um, when the criminal is in your email system, he controls a lot of things inbound, outbound.
Ralph Pasquariello : And they take an invoice that’s an actual invoice of one of your clients, and they change the routing instructions. What happens after that is your money goes not to your client, or the client’s money doesn’t go to you, but it goes to a third party. And and it’s a it’s a crime, right. But a lot of times people don’t pick up on that. And if they do pick up on it, when they return the email and say, hey, Erik, I noticed you changed your routing instructions. Well guess what? Erik responds to you, but it’s not Erik, it’s the criminal. And he said, yeah, yeah, yes, we did change the routing instructions. I’m glad you noticed that. Pay us the money. So I had that happen to one of our clients. It was $600,000 payment, and 30 days later they invoiced him for another payment and another $600,000 went out. And the client realized that after, you know, 45 days said, hey, Erik, you haven’t paid us. And and Erik said, yeah, I paid you both. Both of those invoices I paid and the money was gone.
Craig Sekowski: I guess the question is, is Alice listening?
Erik Boemanns: I had very similar where a client, um, their email got compromised, so they emailed everybody on their contact list. Got emailed, including me, and it was one of those. It was a fake invoice. Had I clicked on it, I also would have been compromised and it would have perpetuated. But yeah, I replied back and said, hey, I think your account is compromised. Well, the hacker had control of her account and so immediately I go back. No, it’s not compromised. It’s everything’s fine here.
Erik Boemanns: And it was wonderful. So fortunately, I then called their IT department and said, you need to go check this out, but um, but yeah, if, if they had used slightly different language and if I hadn’t been paying a little bit more attention, I would have not. I would have believed the email that came back.
Craig Sekowski: Bad actors are definitely improving every day.
Erik Boemanns: Exactly.
Ralph Pasquariello : It’s big business.
Erik Boemanns: Yep.
Ralph Pasquariello : Huge business.
Ralph Pasquariello : And now with AI, I mean, this is who knows? Who knows where we’re going, right? It’s going to get tougher.
Erik Boemanns: Yeah. The little language issues. We had another one where a person was impersonating a new vendor saying, look at the email thread. This already got approved by your vice president to pay. The mistake they made, though, was they were sending it to a Canadian office and they talked about US IRS forms. The new ChatGPT would have probably known better and written that email slightly more believable, right? So yeah.
Ralph Pasquariello : Beware.
Erik Boemanns: Yep.
Erik Boemanns: Anything else from a best practices that people should be thinking about?
Craig Sekowski: Looking and tracking I think is, is companies are streamlining some of their, their finances and allowing people to bring in their own devices. It’s another method you want to make sure that you can wipe those devices remotely. You want to practice that event. You want to have a plan put in place. That’s another low hanging fruit that people really should face or pay attention to. Mhm.
Ralph Pasquariello : And I would say, um, we we’ve been engaging with so many CISOs lately. We’ve spoken at many CISO groups and organizations. Um, there’s a great article that I that I posted the other day, and it’s this is referring to the insurance portion of what we do, and it’s who should be in the room when you’re buying cyber insurance. And now it talks about the CFO and the CISO. For years I never I never saw a CISO for years, you know, 15 years. And now they are really encouraging that both of those people need to communicate and need to be in the room just alone for the the quantification, for the risk, you know, the, the the CISO is aware of that, but the CFO has his head in the sand. He’s trying to make money for the company. That’s his job. And not to cross over the line and find out, you know, exactly what the threats are, which he should, though, because it is his job. So, um, so that that’s my recommendation to, you know, have better communication. The CISO and the CFO bring that together.
Speaker6: Absolutely. Yeah.
Erik Boemanns: So I know we’ve only just barely skimmed the surface of a very deep topic, but I want to make sure, too, that we’ve had a chance to anything else about The Tech Collective or the report that you want to make sure you have a.
Ralph Pasquariello : Do we have another two hours?
Erik Boemanns: Exactly. Yeah. Yeah.
Craig Sekowski: No, I think somebody always asked me, when do we get engaged today. Right. There is no right time. Today is the right time to to get engaged. You don’t need to take a look at renewals. Yeah. Look at things today. Just like bringing in a virtual CISO. When is the right time to get started.
Ralph Pasquariello : That’s a great point. Craig. We were dealing with the university and they were like, well, our renewal is in September, so we’ll increase our limits then in September. I said, what, you know, if there’s a firestorm going on in the neighborhood, you know, it’s best to put in sprinklers now, you know. So yeah. Don’t wait. That’s a you know, and we’re not making more revenue on that. We’re not selling the insurance. But you know what? Don’t wait. Protect yourself. You know, we always say, what if you’re wrong, you know?
Erik Boemanns: Exactly.
Craig Sekowski: We tell people I’d rather you sleep well at night, knowing that we can help you. Rather than what if you’re wrong and not know, right?
Erik Boemanns: So if today is the right day to engage, how do they reach out to you? How do they find more information?
Craig Sekowski: Well, we’ve got a website you can visit. It’s very friendly website. It entails everything that we can benefit from or the client can benefit from. It’s called care-report.com. And it has our contact information out there. You can put your contact information out there. We’ll have somebody return phone call. And hey, conversations are complimentary. There’s no charge for talking and discussing.
Erik Boemanns: Right? I know we’ve hit on a lot of great nuggets for people to to think about to digest, but maybe what is that one thing that you want to make sure people take home today.
Ralph Pasquariello : Let’s call Craig.
Craig Sekowski: Yeah. Start today.
Erik Boemanns: Exactly.
Craig Sekowski: Let’s start the conversation.
Erik Boemanns: Yeah.
Ralph Pasquariello : You know what? Just don’t gamble. I posted something the other day, and I said, don’t gamble. And, um, if you’re not sure about anything, double check. You know, ask an expert. You know, I don’t do my own finances. You know, I, I leave that to my my money manager, you know, because I was investing in things that didn’t make any sense. So don’t gamble. You know, trust an expert.
Erik Boemanns: Yeah.
Erik Boemanns: The risk is real, right?
Ralph Pasquariello : Yes, it is.
Craig Sekowski: Very much so, yeah.
Erik Boemanns: Well, Ralph, Craig, I appreciate you coming out today. Thanks for sharing about the care report, The Tech Collective, and kind of giving us all something to maybe not sleep as well tonight, but once we talk to you, sleep better tomorrow.
Ralph Pasquariello : Thanks, Erik. Love it.
Craig Sekowski: Thank you. Thank you, Erik.
About Your Host
Erik Boemanns is a technology executive and lawyer. His background covers many aspects of technology, from infrastructure to software development.
He combines this with a “second career” as a lawyer into a world of cybersecurity, governance, risk, compliance, and privacy (GRC-P).
His time in a variety of companies, industries, and careers brings a unique perspective on leadership, helping, technology problem solving and implementing compliance.














