Welcome to the Inside Insight podcast presented by CR Solutions. At Consolidated Risk Solutions, we are taking our expert knowledge of the insurance world and using it to innovate the industry using technology, groundbreaking thinking and a personal touch. Join us as we talk to masterminds both inside and outside of CR Solutions about how the world of insurance is changing, and how we can be sure to grow along with it. If you have to manage insurance in your work, then you can benefit from the interviews, conversations, and insights we’ll be exploring to elevate your business’s success.
INTRO (00:42 – 05:04)
Trevor Casey: Welcome back to another episode of Inside Insight. I’m your host, Trevor Casey with my co-host.
Beau Lunceford: Beau Lunceford.
Trevor Casey: And we’re here with another great interview. Today’s interview is actually a two for one with Ed Broderick and Richard DiFolco. Both of them are from Conner Strong & Buckelew.
Beau Lunceford: It’s nice to have more Conner Strong people here.
Trevor Casey: We partner with them as far as their brokerage, we’re an administrator. So they cross paths with us a lot. So it’s really cool to get insight from them.
Beau Lunceford: They have a lot to offer. And it’s so interesting, because I really was unsure what they were going to have to offer the insurance side of things, because both of them really live in a Cyber Security Information Technology kind of world. But I didn’t realize how much crossover there really is in this conversation. And it was very enlightening to me. I thought, I’m really looking forward to our audience getting the chance to hear more about why these two things matter together.
Trevor Casey: And when you’re talking about two things, you’re talking about cyber security, and the infrastructure that is circled around cyber security.
Beau Lunceford: Those two things paired with insurance. Those are the two things I’m thinking of, unbundling IT and cyber security.
Trevor Casey: When you think of insurance, you think of people falling off a ladder and getting some money, or getting hit by a truck or whatever, God forbid. But you’re not technically thinking about safety. As far as cyber security, you’re not thinking about ransomware, you’re not thinking about somebody plugging something in and dropping your whole system off the face of the earth, so it’s super cool to see the other side. We log into our computers, I press a button, I hope Outlook pops up and my day gets started. I don’t think about where that comes from.
Beau Lunceford: And the thing that we talk about a lot is the transfer of risk, and how insurance is all about the transfer of risk, so is that cyber side of things, that information technology, part of that coverage that is extended through cyber is still about that transfer of risk and how it is that you can keep that happening, or keep those wheels moving in your own company, and no matter what size you are, and both Rich and Ed give some really great insights in this conversation that we have.
Trevor Casey: I’m super, super curious to listen to it because I was actually not a part of the interview today. Because their backgrounds are super unique to me. So Ed actually went to Notre Dame, I’m a big Notre Dame fan, by the way, so go Irish. But Ed worked for a long time in information security. So he has a true expertise in criminal cyber threats. So one of the things that he really practices on is making sure that we have the best because the best offense is a good defense. So making sure that everything is well rounded and wrapped up and locked tight. So Broderick has tapped into his drive for cyber risk insurance and innovation. In addition to expanding the Conner Strong Cyber Security initiatives, he’s also led an effort to provide consolidative services to Conner Strong & Buckelew clients, and oversees the service of new products and services to grow the cyber security profile.
Beau Lunceford: And I think that’s a great testament for what he’s doing for his company at Conner Strong, what he has to offer to these other insurance organizations, or people who are dealing with insurance or anything with technology. And us as primarily a technology company, this was a lot of really great stuff to learn.
Trevor Casey: It’s super cool too with Rich’s experience. So Rich has expertise in systems and network engineering. So he’s the other side of the coin from Ed. So you really get the software, the hardware. So, Rich focuses on success rates and installing and migrating support for critical and multi-site networks. His proven ability to manage all phases of the network has truly been shown through his administrative skills and his leadership. So one of the things that he is adept at is analyzing business requirements and crafting technical network solutions.
Beau Lunceford: And I think you’re gonna hear a lot of that in our conversation today.
Trevor Casey: I’m excited to hear it.
Beau Lunceford: Well, without further ado, let’s dive into my conversation with Ed Broderick and Rich DiFolco.
Interview (05:07 – 23:10)
Beau Lunceford: Guys, I’m so excited to be here with you today talking about all things security, all things insurance. We’re going to be diving into some really cool stuff today. But before this, you’re going to hear or our listeners are going to hear a little intro about who either of you are. But I want to give you the chance to tell all of our listeners who you are as individuals from the horse’s mouth, as I say.
Rich DiFolco: Sure, I’ll start. Rich DiFolco. I’m the director of infrastructure in a partner with Conner Strong & Buckelew.
Ed Broderick: I’m Ed Broderick, I’m the Chief Information Security Officer for Conner Strong & Buckelew.
Beau Lunceford: Fantastic. We’re so excited that you guys were able to come in today and talk to us a little bit about the importance of cyber security and what kind of role the technology world has in an insurance space. Because honestly, as someone between Trevor and I, I always say that he has more of the insurance brain and I have more of the other side of the brain that exists. So, for me, who doesn’t necessarily know as much about how security and how technology works together with insurance. Tell me a little bit about how those two things are related?
Rich DiFolco: I can talk about from the infrastructure piece. At the end of the day, pretty much what is important is that the structure on the back is designed in such a way that allows all of the users in the organization to be able to do their job effectively, with the ability to pass over that infrastructure to Ed, where he wouldn’t be able to wrap around the securities required to make sure that we are compliant with everything needs to get done from the cyber security world and the insurance departments.
Beau Lunceford: And what do you think the biggest challenge to that is?
Rich DiFolco: Money. Everything costs a lot of money. And to do it right, it costs a lot of money. So we’re fortunate to be able to have and work with a company that sees the need to be able to invest in infrastructure to make sure that we are doing what’s right for not only our users, but also all of our clients and customers, make sure their data is secure, whether it’s online through Microsoft 365, or through our internal infrastructure being on nice elaborate SANs and hardware that we run things on.
Beau Lunceford: I think that’s a conversation that a lot of companies are having right now about protecting data, and making sure that the information that they’re sharing with companies is safe and it’s secure, and that people are using it appropriately. So, Ed, can you speak any more into the importance of this and how these two things crossover?
Ed Broderick: I think one of the real mergers of the goals between insurance and security and technology, security, is trust. In order to do business with another organization, you want to establish a strong trust relationship. In order to make sure that folks can trust your business, you also want to reduce risk. And insurance as a vehicle helps reduce that risk. And any business also wants to be able to know that they can feel safe working with another company. So you end up in insurance with all those different angles starting to come together. Insurance helps you reduce the risk, risk managers for any different company, you want to make sure that their customers feel safe and that they can be secure. And then also, any insurance company that you’d work with, can also help reduce that risk by providing cyber risk insurance and keeping themselves secure as well as their customers. So there’s a lot of overlap between insurance risk reduction and cyber risk.
Beau Lunceford: And that all makes sense, that really clicks in my brain: insurance really is that removal of risk or it’s the redistribution of risk. So the idea that cyber security helps to eliminate that just clicks for me, that tracks. So when we think about risk, what would you say is the biggest risk that companies are going to be facing in this world?
Ed Broderick: So I think something that is catching a lot of companies off guard is email borne, business email compromise.
Rich DiFolco: And it’s ever changing.
Beau Lunceford: And when something is changing like that, as often as it sounds like, that’s a hard thing to learn through, ready to learn how to recognize.
Rich DiFolco: That’s going to go through experience. So as we go through, and we do things like in house corporate training to see how you can catch the small changes that you may get an email, whether it’s the from address may look like this legit, but it really isn’t legit or a link is there and looks legit, but it really isn’t legit or the wording is all for the person that may have sent it typically would send you an email, but they wouldn’t have worded it that way. Because that’s not really them sending it to you. And again, this sense of urgency from an email. So it can come from somebody who is your boss, your boss’s boss responding to you. And, again, that’s all about take a deep breath, don’t try to be so quick to react and work as fast. And when used to do, read it, analyze it, and then respond if it’s appropriate. And that’s really the bottom of it. And then obviously, between Ed and myself putting in tools to try to catch a lot of this stuff before it even gets to the end user to even read it. So if we can catch a bulk of it before it gets there, then there’s less for that user to try to decipher to see if it’s legitimate email or not.
Ed Broderick: One thing that I’ve always felt strongly about is that when it comes time to budget for security, is that you should kind of weigh where the risk is, and put most of the budget in that direction. I don’t think you can overspend with regards to email security, everyone is used to ransomware at this point. Ransomware started appearing around 2012, 2013. That was all email borne or mostly email borne as a threat. Business email compromise, where an attacker will impersonate your business colleagues from other companies and do it very well. Often is done in a way that avoids a lot of the controls that we have. And a lot of the controls for business email compromise are nascent, the technologies are just starting to grow now to allow us to implement, the machine learning, the artificial intelligence that’s required to recognize that there’s this email that doesn’t have a lot of the same telltales that phishing email used to have, a link that clearly came from a bad site, or an email that had headers in it that were spoofed. But business email compromise is definitely on the rise. It’s starting to surpass all other types of attacks in terms of the cost of businesses. And I think it’s catching the industry off guard.
Beau Lunceford: And as an industry that really needs to be proactive about things dealing with risk, that’s something that you don’t want to be behind on. And you also mentioned the development of that AI technology. So one of the things that of course, I love as a marketer, like I’m obsessed with ChatGPT right now, which I think most people are, is there a risk that is involved with the technology like that?
Ed Broderick: I think there’s a risk with any technology of any kind that you bring into your business. ChatGPT is just another technology that brings in a certain level of risk that you have to weigh against the benefits that you’re going to get from using it. So if you bring in any software package, any new business process, any new vendor, they’ll all come with a certain level of risk. I’m sure there’s going to be some clever ways that businesses will use ChatGPT in the future. But I think as a company, you have to do a real heavy analysis of what does ChatGPT provide, and then what’s the risk that might come with it?
Rich DiFolco: I think right now, the biggest risk with ChatGPT is not so much the ChatGPT, or its clones that are out there, because all it really is is an interface to a database that has some AI technology that can respond back to you more like a human those answers to the question that I put in there. Where I see the issue is because of all the data that’s in there, you could have someone that may have an issue with the “Company A, B, C”, and they can go into ChatGPT and ask it to create something like a fake web page or can you put together with the source for look like for the connerstrong.com webpage, but I like to have a Java insert a code that is malicious, and that person may not have any experience even developing that stuff. And they will write it for that person. They can just copy that code, paste it and then go ahead and attack the subject. So that’s where the biggest part is right now because it’s so smart, you can answer the question, make a game. When I was playing around with it, when it first came out, I asked it to make a game for me that I can play on the website. And it went ahead and asked for the details. It gave me the code, I pasted it in, and voila, there was a game. And all I did was talk to it for about 15 minutes.
Beau Lunceford: That’s insane.
Ed Broderick: I agree with, Rich, the big difference. It’s why ChatGPT gets its information from the web. So with enough time and effort, you could find all the same answers, ChatGPT gives you from the web. But ChatGPT definitely packages it in a way that’s completely unique. So in that way, it could present more of a risk. But again, time and effort, you can find all the same information on the web.
Beau Lunceford: Oh, that’s so interesting. I wouldn’t have really thought about it that way. It really is more of a resource tool then. I don’t know, I’ve always thought about it as creating something out of nothing but that’s really not true.
Rich DiFolco: It will create, so it will make what you ask it. So there’s resources accessing the web, but it has its own algorithm built in. So when I gave the example of developing a program, it knows how to code in Java, it knows how to make HTML, it knows how to do these things. So if you give it enough information by telling it within the chat command, it can take that data and create that program that you want using what it knows.
Beau Lunceford: Got it. As someone who actually uses this program fairly regularly, I’m learning a lot in this moment about what actually it is that I’m using and that I’m doing.
Rich DiFolco: It’s a lot more than he asked me questions like, where should I go to eat tonight? I’m in a mood for sushi. It’s a lot more than that.
Beau Lunceford: Oh, absolutely.
Ed Broderick: I thought your email responses to me were a little prepackaged.
Beau Lunceford: I haven’t sent an authentic email, since it came out. So all of it’s automated now. So I’m shifting gears a little bit. We see a lot of people coming through asking for certain kinds of coverage at CR’s. We have part of what we do is we are tracking insurance for a lot of these subcontractors and a lot of these projects. So we see where more and more cyber security is and insurance coverage that is being requested. So we see cyber risk insurance, we see EDR, we see these multi factor authentication as a tool that people are using. And that’s not so much something that someone’s asking for us to search for. But as we’re diving into this insurance world, as it relates to cyber security, these are things that we’re seeing in place to try and keep these companies safe. So what do people need to know about these programs, these platforms, these software to help to reduce that risk for themselves?
Ed Broderick: So one thing I think technologists probably have strong opinions about is that the insurance world requires you to have a certain number of controls in place in order to qualify for cyber risk insurance, things like an EDR, which is Endpoint Detection and Response. Are you protecting your laptops properly? Are you requiring appropriate authentication and authorization anytime you access anything valuable? Those are the examples of what the carriers will give you on a checklist, basically, do you have these items. But it’s very easy to misconfigure those, it’s very easy to do the minimum and not make sure that everything is implemented correctly, and that those security controls are working well. So a checklist doesn’t cover everything, and you really have to dive deep as a business and make sure that you’ve had people validate that those controls are all working, and that they’re working properly and well, and all the time and everywhere they have to be. A lot of companies are still getting compromised by attackers and criminals and organized crime, mostly because they just haven’t gone to that level of depth. They haven’t taken the time and the amount of resources they need to fully qualify if their security is in place effectively.
Beau Lunceford: And that makes sense why we’re seeing that information because I’m wondering why are we seeing these checklists come through with this information on there? But those are the requirements for them to be able to get cyber risk insurance.
Rich DiFolco: A lot of the problems are because people follow checklists. Do you have an EDR? Check. Do you have an MDR? Check. Do you have MFA? Check. Doesn’t mean it’s configured. Just check the box. We’re just why not? You’re seeing more checklists to go past that initial. Do you have an EDR? And for those who are listening, if you don’t know what EDR is, whether you’re a home user, it can be as simple as like a McAfee or Norton. If you’re in a corporate world, it could be a CrowdStrike. It’s basically your antivirus, your malware endpoint detection antivirus, anti-malware software on your computer.
Beau Lunceford: So the last thing that I’ll touch on is, what is some actionable advice that you can give our insurance listeners to say, “If you want to be at the top of your game, at any level, no matter what size your business is, no matter what size data you’re working with, what are just some really basic things that we can make sure that we have in place to keep our data safe, to keep our people safe, to prevent these kinds of attacks from happening?”
Rich DiFolco: Spend the money. Invest the money in a good endpoint detection system. Depending on the size, you may or may not want to invest in the MDR. But there’s different ways you can go ahead and do that. You want to make sure all of your equipment is patched up to date. There are free tools online, if you don’t have it to do things like external tests to try to penetrate inside of your facility to make sure that there’s no vulnerabilities that are coming in and outside and really have a good grapple liquid headset is what the primary area is going to be your email penetration coming in with fake links and impersonation. So really get a hold of that technology and make sure it’s updated and ready to go.
Ed Broderick: I would say also get third party validation that your controls are working. It’s not something Conner Strong & Buckelew provides today. So this is not a sales pitch at all. But bringing in a consultant, bringing in an auditor, someone who can give you just a different opinion, and do some aggressive testing against your processes, your procedures, and the technology controls you have in place is invaluable. I think sometimes companies don’t want to spend that kind of money. Maybe they’re sheepish about having someone throw judgment at them, but they shouldn’t be. Every company struggles with making sure those same controls are in place. So it’s always good to get a third party opinion.
Beau Lunceford: Great. I think it says a lot coming from an insurance company as large as Conner Strong & Buckelew, that we have two people who are full time on staff that helped to oversee this kind of security. I think that is a huge testament to how important this topic really is for the insurance world, especially with the kind of data that comes in and comes out of these organizations. So, DiFolco and Rich, thank you so much for taking the time to be here. I really hope that we get to have you guys again in here soon. So we can talk about some more stuff that you guys have going on over at CSP.
Rich DiFolco: Thank you so much.
Ed Broderick: Sounds great, thank you.
Beau Lunceford: Absolutely, guys. Until next time.
OUTRO (23:14 – 26:06)
Beau Lunceford: Wowie zowie.
Trevor Casey: I did not understand how much stuff these guys do.
Beau Lunceford: It’s true. We covered so much information in this episode. And I think that what people don’t realize is that there’s even more conversation that happened outside of this recorded experience that we didn’t even get to dive into. We didn’t really even talk about malware, we didn’t talk about ransomware, we didn’t go into any of the in-depth stuff that you and I got the chance to talk to Ed and Rich about off air in real life. But the information they did provide, I’m really hoping people are going to be able to take and apply it to their day to day. One of the things that Rich said that really continued to stick out with me because he said it like four times was like you just have to spend the money. You have to spend the money on the things that you need to keep yourself safe. Because investing in that on the front end is the best thing that you can do for yourself. And I know that’s really hard to hear in a lot of ways.
Trevor Casey: Realistically, it’s probably cheaper to spend the money up front, didn’t have to pay the premiums or the deductible of a claim or another kind of claim that your company may have to have. So it was super, super cool to have them in the office, learn their expertise. If any of you have any questions about network or software, hardware, any of these type of things you’re gonna have to Venmo us so that we can buy them a beer because these guys are so busy, they barely have any time. However, shoot us the emails over with your questions and we will make sure that they get answered. Great conversation though. I’m just so excited to see where this podcast is going, where the future of insurance is going, and where our company is going. It’s just super exciting. And I’m just glad that we’re on the forefront of it and really riding that wave into success.
Beau Lunceford: Absolutely. If you have any questions for Ed or Rich, we’re going to put their contact information in the show notes so that you can reach out to them with any kind of questions, comments, concerns that you may have. Because as they’ve told us, they want to be resources to this industry to make sure that if people have questions about this, like we said in the very beginning of this episode, Ed really lives in this consultation world where he wants to be outreaching to other companies who are looking to advance their cyber security and keep themselves as safe as possible. So all that information is going to be in the show notes as well, so feel free to reach out to them and get that information.
Trevor Casey: Well, thank you for coming on another episode of Inside Insight. Until next time…
Beau & Trevor: Stay covered.
Thanks for tuning in to Inside Insight presented by CR Solutions. If you like anything that you heard today, subscribe, follow and rate the show so that other industry pioneers like yourself can find it. Maybe even share it with someone you think might benefit from this episode. Do you have a question that you want answered or a concept that you need explained? You can email us at email@example.com with the subject line “Podcast Question”, and maybe your question will make it onto one of our episodes. You can also submit a question via our website at c-r-solutions.com/podcast. There are no dumb questions, only opportunities to learn something new. Now that’s a wrap on this episode. Join us next time on Inside Insight presented by CR Solutions. Stay covered.