StartupNation Radio

Kapnick Insurance: The Right Time to Protect Your Business from Cyber Attacks Is Now

Episode Summary

Jeff Sloan discusses why your small business needs to make cybersecurity protection a priority with Michael Spath and Melissa Selke of Kapnick Insurance.

Episode Transcription

Jeff: [00:00:00] Welcome to this edition of startup nation. We're focused today on cyber insurance. We've got Michael Spath from the Kapnick group. Michael, you guys have brought along a subject matter expert on cyber security insurance. You know, it's one of those things where a lot of businesses may say, “eh, that's something I'll think about next year.

You know, probably not me. Right? Probably not small business. They're probably only going after the big guys.” But the reality is, man, first of all, when this happens, it can be catastrophic. Bring your business down kind of thing, number one. And number two, the statistics show that it is hitting small business now more than ever before, especially with people working from home and.

Tee this up for us. We need some help. We need some guidance. 

Michael: Yeah. Yeah. Very excited that the, uh, the two guests that we have here today, but it's interesting. Cause everything's about like, if a business burns down, like the fire is a actual risk out there, but cyber attacks and ransomware attacks can very much just think of it as a fire that is burning your building down.

It's just happening to your security, your, your infrastructure, [00:01:00] your, uh, all your software, all those things like that. 

Jeff: Frankly, in many ways it can be worse than. Some things can withstand a fire or be saved from it. They'll, listen, they bring your business down this way. They can take command over the business, right?

Hold it for ransom. Destroy it instant 

Michael: and absolutely. And where are you going to go from there? Once your business has been attacked? And so a yes. To talk about it here, joining me from Kapnick Insurance Group, uh, in our specialty risk department of vice-president Melissa Selke. I'm so very excited to talk to Melissa.

And then from Unishippers, uh, a franchise owner, Dave. Uh, actually Dave and I go way, way back. Um, probably so when we were 14 years old, grew up together. Wow. Uh, and so connected recently, and he's got a lot going on into the business side and opportunity to talk to him. Um, but Melissa, I kind of want to start with you just.

You know, when you look about it in that question, that, that Jeff asked, you know, like, why should I, why should I even pay attention? Why should I care about it? I am not a fortune 500 company. I am, uh, you know, not a publicly traded company. [00:02:00] I am just the mom and pop shop down the street. Where's my risk?

Melissa: Yeah, they're going to come right after you because they don't think you're paying attention to this because of the exact conversation that we're having right now. I'm too small. Nobody pays attention to me. Well, guess what, they're focusing on you specifically as a small business and it's time that we start fighting back and being proactive.

In this regard, because you, you are seen as a small business as somebody who isn't focusing on cyber security, who doesn't have a dedicated IT professional, who is allocating resources elsewhere, who's extra creative and is outselling your new product or your new service. And isn't focusing on cyber risks when the cyber criminals are targeting you specifically.

Jeff: Yeah. Well, first let me break this down. The first line of defense has to have some sort of cyber security in place. Right? So that you work with your it company that's you guys would recommend that number one, but those things, especially at a small business level can be brief. [00:03:00] They are from time to time and that's, and in the, either in the a and the absence of having some sort of, you know, either firewall or VPN or the other things, you know, to help you keep from having the attack in the first place, whether they breach it, whether you don't have the protection and they get through cybersecurity insurance does what for me?

What is it? What do I get? For what I, when I purchased cyber and security insurance, we need to understand what that is and what it does for me.

Melissa: Yeah. As you get so much and let's think about an attack, let's think about a breach and let's go through the process just really quickly. First, you're going to have a breach of your system.

Maybe it's a ransomware attack. Maybe it's just can tell that there's malware in your system and somebody has, you know-- 

Jeff: Ransomware, excuse me. I just want to make this really clear because I want to make sure people understand this out there. Ransomware’s where they literally can't. They take control, they seize control of your digital assets could be your financial, whatever you've got out there in the cloud, whatever you've got on your internal company, computers, laptops, whatever this stuff is digitally, where it's stored, they can take control of it, even your website so that you can't do [00:04:00] business anymore, or you can't manage and operate your business anymore.

They take control that. If you want it back, you got to pay me X. That's ransomware

Melissa: Exactly.. And what are you going to do? You're going to need some help. First. You're going to need some legal guidance. So you're already starting to pay for legal guidance right off the bat. Then you're going to need a forensic analyst to help you through this situation.

You're going to need a negotiator. You're going to probably, you may end up paying the ransom, maybe not. But you may pay the ransom. You are going to be losing revenue while your business is shut down. So you're not making any money. You're shut down. You're dealing with this ransomware attack. You're losing money.

You may be losing customers who realized that you had this attack. So now you're losing customers. Well, guess what? The insurance pays for the legal guidance. It pays for the notification costs to et people know that you've been breached. It lets you set up credit monitoring for those people so that they can watch their credit for the next couple of years, it pays for public relations because you're going to have a reputation to defend and guess what?

You're probably going to lose a contract or two after the breach and the insurance pays for that [00:05:00] as well. It's called reputational loss. Most importantly, it's going to pay for your revenue loss. So while you're shut down, you're going to have this revenue stream coming in from your insurance.

And you're going to have a whole team of vendors helping you, the forensic analysts, et cetera, because you don't have that in house. You're a small business. You're focusing on your art. You don't have all of these people lined up and the insurance just gives those to you, these vendors and all of that breach response .

Jeff: In the worst case, does it pay the ransom?

Melissa: It pays the ransom.

Jeff: So even that, I mean, my God. That's what you get your bang for the buck. 

Michael: And it's always changing a little bit based off of industry numbers, but you know, a lot of these ransomware payments, I think the most recent one that we just wrote about was around $220,000 of a ransomware payment. And so you've got all these other costs and if it comes down to it, then you’re like, hey, I'm going to actually pay this to get my good controlled. Well, now you're looking at as a smaller medium sized business, $220,000 in a ransomware payment. 

Melissa: The average is over 300,000 now.

Michael: [00:06:00] Oh, I mean, so that's how quickly it changed because there's more and more cyber attacks that are taking place.

Melissa: And don't forget to the criminals have switched from just locking up your system to actually taking your data.

So they're exfiltrating your data as well and using it, and the insurance will pay for you to reconstruct all of that lost data. 

Jeff: And other kinds of attacks, it covers, I mean, I stopped you because I wanted to be clear on what ransomware was. Let's give us a list of other nefarious things that can happen, that cyber security insurance will help cover and mitigate.


There's so much. And that's a great question because right now everyone's focused on ransomware because it's where the criminals have pivoted because we've blocked a lot of other areas for them to write.

Jeff: And people will become wise to things like fishing and other things. I'm not going to give my credentials in an email that right.

Melissa: Exactly. So your system can be shut down in other ways, not just ransomware attacks you could have, what's called the denial of service attack, where you're just flooded with so much information in the form of emails or other data that it overwhelms your system and shuts you down [00:07:00] and your customers can't access your system.

There's also just the basic necessity that you are holding other people's personally identifiable information. So you are at risk. And it's your employee. I don't care if it's not a customer's credit card number. You've got employees information. You've got applicants for employment. You have all of that in your system and you're responsible for it.

So if that's breached or lost in any way or accessed in any way, then the insurance steps in that's considered a breach.

Michael: Well, let me, let me bring Dave in here. Cause I want to talk about Unishippers, but I was kind of thinking about a scenario and Dave you'll appreciate this because of the era we grew up in.

And, um, does he remember the movie, Tommy boy? Tommy boy, starting Chris Farley worked at a plant, I believe in Ohio, uh, that manufactured, you know, machine parts for cars. At the end of the movie, they end up sending all of the, they make all these sales to save the business and they end up sending them all to the wrong place.

Right. And so here's Dave, he works for, [00:08:00] he's a franchise owner for a shipping company. And imagine if someone took control of your internal and you've got Customer A in Detroit and Customer B in Traverse City and Customers C in Chicago and they just start mixing those all up and they're sending them all over the place.

How does that impact your business? 

Dave: Well, you know, supply chain is in the news now. So predominantly that's a pretty serious supply chain issue. That hits home. You know, I think it's interesting to hear all that, about the ransomware and the cyber security and everything.

I think, you know, Unishippers is part of a larger, you know, $5 billion company based in Dallas. We have a lot of that sort of big tech, uh, those muscles to hopefully save us from, from some of this. But then I run my own franchise out of my basement. And now you're making me think about a lot of these-- 

Jeff: There’s the opportunity.

I hate to say it this way, but there's the opportunity for the bad guys, right? 

Dave: Absolutely right. I mean, just what I got from Best Buy a year and a half ago, doesn't make me feel as comfortable after this conversation. [00:09:00] But no, you know, I think it's, um, in terms of what we do and what we focus on, there are some similarities from, from what I've heard so far today.

And that's, um, I actually just left a conversation 30 minutes ago where companies say, okay--thelandscape has changed so much in the last 18 to 24 months, and we need to launch our e-commerce program, or we need to get into this shopping application or this cart, and do all these things. And that's a big part of what we help.

Amazon has changed the expectations of society, of what humans expect and that's quick delivery, but how do you get quick delivery with an affordable price? And that's a big part of what we focus on with, with UPS. Yeah. 

Michael: I mean, it's great stuff. And what it shows is too, is that, you know, what I, what I appreciate about Dave adding this is, is saying, you know, here's this big company, but within the big company, there are smaller pieces of.

[00:11:00] How much are you responsible? I mean, as a franchise owner, how much of the logistics, how much of the e-commerce, how much of everything falls on your shoulders that, you know? Yes. You have a big, you know, a big entity overlooking you, but, uh, they're not bailing you out from. 

Dave: No, no. I mean, ultimately, um, I don't care how big, how small, what your business is, people are going to do business with you because of you. And if, if it's not, um, whether it's a website being down a website, being unsecure, uh, migration, right. We're going through. Uh, very large, um, migration right now that's a five-year project, uh, and obviously a massive investment of our next gen technology.

And if that doesn't work, uh, or if there's hiccups to it, ultimately it falls on you as small business owner. So it's a, it's a very easy parallel. And, uh, hopefully it goes smooth.

Michael: Well, Melissa, let me ask you this question. Cause he just brought up something, you know, here's a franchise considered essentially a small business of a bigger entity.

And so [00:12:00] what are, how are the cyber risks different maybe by the. Of a business. Um, you know, our colleague, Doug Miller just wrote about, you know, some of the fortune 500s. We do think more about cyber attacks than ransomware, but are there different is a small business being attacked in a different way than a medium-sized business than an S and then a larger business, or all of them kind of being attacked on this.

Melissa: They're all being attacked in the same way right now. And I think it's because there are so many criminals who go to work every day and this is their business and they're, they're, they're not going to sleep until they crack through somebody's door. So they are going after every size company. And I don't really feel like the risks are different.

Um, as far as the attack. The result of the attack is a lot different because if you're a small company you're going down, it’s 

Jeff: It can be catastrophic.

Melissa: --a kill the company risk for you. Um, target had a humongous, uh, breach that we would think it was a large breach--

Jeff: --but they can survive that.

Melissa: --it was nothing.

Jeff: But for the small business, I want to underscore that, it’s the end .

Melissa: It's the end of your company. Um, you might not be holding a ton of data, so you may not have the same risk that a large company is, who has tons and tons of people's information

I say PII, we were talking acronyms, PII, personally, identifiable information. Everybody's got that. They're holding your social security number. They're holding your bank account number to get your paycheck in there, things like that. So you might not have as a small business, as many data points, but you still have some, and it's going to take you down.

Jeff: You mentioned that sometimes. And I'm aware of this, and I know cases of this where sensitive information, customer data, customer credit cards, and other things can be taken and used in appropriately. And criminally does cyber insurance protect me against say lawsuits from the market too, that may come my way as a result of a claim?

Melissa: Thank you so much for asking that. Yes, it does. And we never talk about it anymore because we're so worried about ransom payments. We're so worried about breach responders. It pays if you're sued, [00:14:00] it's very unlikely that you are going to be sued. And I, and I say that lightly, um, I think it's between 5- 10% chance of being sued.

The insurance will pay for the defense costs and the indemnity. It's just really tricky to tie your breach to that person's loss. So in a legal environment, you have to have causation. 

Jeff: But it's expensive even to defend yourself. Right. Right. And that helps. Okay. So the benefit is clear. 

Can you guys frame out a little bit about what the costs are? I know that's a little bit hard cause it's, you know, circumstantial account by account, but just generally, what does something like this cost? 

Michael: Yeah. I mean, that's the, I always get asked that and… 

Jeff: --well, it's a cost benefit analysis, right? It is business decision. 

Michael: We always kind of focused on is a little more of like, what does it cost you, but what do you get out of it?

In the past, I'll go through a lot of policies that are five, 10 years old, and there’s

$50,000 [00:15:00] cyber written in as part of a business owner's policy. Melissa just cringed, like if someone did have $50,000, I mean, you really have nothing., 

Melissa: It's going to track your revenue. It's also going to track your security protocols that you have in place. So there's a very detailed process that we need to go through with our clients and find out what controls do you have in place?

What are you holding? And it might sound like, um, a lot of work for the client at that time, but it's a huge eye-opener to them when they see what they're holding and what is at risk and how it can be taken from them. So I would say to Michael's point, if they have $50,000 in their business owners, um, insurance policy, the only thing they're getting is a false sense of security.

Michael: Yeah, you're asking for a number. I know that we do our hardest to avoid a number, I will say, that I have written a lot of these policies in the last six months for small businesses of a million dollars in coverage for around $5,000 in principal.

Jeff: Okay, that’s good. That's a ballpark. That's, that's [00:17:00] an idea. 

Michael: And some of them are 2,500 and some of them are 7,500, but I would use that average of 5,000 for a small. Of a million dollar coverage. 

Jeff: So here's the bottom line. We know the risk is huge. Can be catastrophic for small business owners. For $5,000 a year million dollars or protection covers it more than covers an average of a $300,000 average ransomware circumstance.

There it is. I'm in. And by the way, by the way, for those listening, we are in we're, getting the insurance from you right now. It StartUp Nation for just that reason. Listen, we run our business on the internet. We're out there. Everything's digital, of course. We would have no business if our website were hijacked.

Michael: Absolutely. We would have no you're like that a Hair Club for Men advertisement, right? Like you're not just a promoter…

Jeff: …minus a few zeros…

Michael: …you're also, you're also up subscriber. Let me ask you this question. I want to ask this of Dave two for Unishippers. Um, because it's, it's one question I get asked a lot is like, at what point [00:18:00] should you reach out to your insurance agent and ask about this? And to your business, Dave, you know, when a company is starting, maybe they're a brick and mortar business, and they're starting to think about a lot of things.

Okay. I needed to this, we knew this when to, should they be reaching out to a shipping company to understand the cost, understand the logistics of, Hey, if I'm going to be shipping to customers and yes, they expect like an Amazon, like deliveries. When should they engage that to be, to understand their business before they open up their shop?

Dave: Yeah, I appreciate it. I think the interesting part about what we do is the net starts very wide, uh, as far as casting. We really work with anybody that ships.

So every business potentially has a need to do that. But I think specifically, if number one, you have a line item of shipping that's over $10,000 a year. Number two. If the example I gave earlier, if you [00:19:00] are looking to expand your business, we talked about e-commerce. We talked about, um, you know, all the different sort of changes going on in the market.

But if shipping is part of your business on a daily basis, or you simply just need help. You know, that's really what Unishippers does, whether it's small package, right. Which ties into UPS or it's the bigger stuff, LTL freight shipping. Uh, we didn't talk about that much today, but really one of those two things is our big focus.

So as you see the line items start to increase. It increases January 1st, every year, the prices, right? They say it's like, just like the ball, you know, coming up on New Year's Eve, right. Shipping prices increase every year. So that's why it's always good to make sure you take a look at it. Yeah. Yeah. I feel like 

Michael: Labor, lumber. Theone that we all all know, those things just increase exponentially every year.

Melissa, when should someone engage with an insurance agent when it comes to their cybersecurity? Should they be doing this? Uh, After they've built their business should be doing this before they built their business before. Like where, what is the perfect time for someone to reach out to you or me to ask these questions?


The [00:20:00] perfect time is right now. Um, you need to talk to your agent about this insurance and you need to go through the insurance application process and get a sense for what you're doing as far as your security posture and what changes you need to make. Because right now,  you can't even get insurance, unless you have certain levels of security in place that should tell you something.

You used to always be able to buy insurance at a cost or with a deductible in place to protect the insurance company if they thought you were risky. Now you can't even get it. So it's super important to talk to your agent right now about it. At least ask them for an application so you can go through the process and do your own self assessment and see where you need to refocus some resources.

Michael: All right. Well, thanks Melissa. So to reach us at Kapnick, you can go to Um, or Dave, the best way [00:21:00] for businesses out there to reach you. Metro Detroit, even beyond that is, I mean, you're, you're operating here out of Metro Detroit, but you can, I mean, you've got a fortune 500 company operating out of Denver.

You can ship anywhere. So what's, what's the best way for people to reach you. 

Dave: Absolutely. Yeah, it's a, it's a national franchise. So I think Dave Stavale on LinkedIn is a, is, is definitely the best way. The website's 

Jeff: Thanks guys. Listen insurance for business owners in particular, small business owners, just on this.

You know, as we know it can be an enigmatic thing. It can be the kind of thing where, you know, I know a lot about, you know, how to, uh, revenue at the top line minus expenses equals profit at the bottom line, all the basics. I know how to market on social media, you know, do search engine optimization, all those basics.

Insurance is something that a lot of us don't understand and especially cyber insurance, you know, that's a very timely thing. We appreciate you guys educating me and the audience on the subject matter. And, uh, you know, and, and, and really kind of underscoring the critical nature of it today. It's a mission [00:22:00] critical kind of a line item.

That's for sure.

Michael: Oh, I have this thing. Cause Dave said it perfectly earlier too, is that, you know, whatever, you know your business, but there's a lot of entities. There's a lot of pieces of it. Insurance, the legal side, shipping where go find a person who you can trust. Go find a person that you, um, that their personality, you believe in them and you believe that they know what they're doing and they can help solve your problems.

Cause there's so many things as a small business owner where you may not think of when you first started, you may have. But in order to be successful, there's a lot of operations. And so go find that person that you can trust, especially you can rely on because you're going to need someone who's going to help you out in every single, every single part of your business to make it successful.

Jeff: Yeah. Well said, listen guys. Thank you. Thanks Dave, for being on sharing your, you know, your perspectives as a small business owner, and thank you guys again for the great education. Thanks for being on StartUp Nation radio.