Challenge Accepted is a podcast from Arctic Wolf that has informative and insightful discussions around the real-world challenges organizations face on their security journey.
Hosted by Arctic Wolf’s VP of Strategy Ian McShane and Chief Information Security Officer (CISO) Adam Marrè, the duo draw upon their years of security operations experience to share their thoughts and opinions on issues facing today’s security leaders.
In this episode, our two hosts are joined by Kirsten Bay, CEO and co-founder of Cysurance. During their conversation, the trio discuss the current state of cyber insurance, how cyber insurance can extend beyond cyber attacks, and best practices organizations can take to improve their insurability.
You can subscribe to Challenge Accepted via Apple, Spotify, Google, RSS, and most other major podcast platforms.
Transcript
Ian McShane 0:00
I can’t believe I said her name wrong. Yeah, so I think I said it the first time. Yeah.
Adam Marrè 0:04
Just probably a lot like me and that I don’t even care. Nobody gets my last name ever.
Ian McShane 0:12
I’m sure I can more than anyone else, but I hate when someone mispronounces my name. So what do we think about the intro? What did we record last time? I can’t remember Adam.
Adam Marrè 0:21
I don’t know, Ian. What did we record last time? I don’t know. What do you want to do?
Show Theme Song
Ian McShane 0:41
My name is Ian McShane. I’m VP of Strategy here at Arctic Wolf.
Adam Marrè 0:44
Hello, everyone. I’m Adam Marrè, CISO at Arctic Wolf
Ian McShane 0:46
This is the Challenge Accepted podcast and today we’re joined by Kirsten Bay, CEO and co-founder of Cysurance. So when I think of cyber insurance, I genuinely think of ransomware Incident Response first, is that the same with you?
Adam Marrè 1:00
Absolutely. Yeah. I mean, that’s what you think of when you’re like, I need this as an organization. So, I need to protect myself against the big breach and getting an IR company in here. That’s what you think.
Ian McShane 1:13
Yeah. And so that’s why I particularly enjoyed this podcast, because I learnt once again, that Ian does not know everything.
Adam Marrè 1:21
Yeah, I mean, I learned a ton too. And honestly, I probably could have kept talking for another 30-40 minutes on this topic. Or maybe even longer, I find it very fascinating. It was just opened up to me, like you said, referring to something you learned, like, it’s just opened up to me a whole world that I really thought that much about.
Ian McShane 1:40
It was great. And so today we’re going to talk about insurance, things like business continuity, we’re going to talk about gaming systems. And we’re going to talk about supply chain. So without further ado, let’s get into it.
So one of the one of the things I hear most about at the moment outside of machine learning and AI is probably cyber insurance. I hear about it from customers, I hear about it from marketing, I see it driving down the street, I see billboards that talk about cyber insurance. Adam as a CISO are you as aware of cyber insurance these days? It seems like something that’s popped up from nowhere in the past two, three or so years.
Adam Marrè 2:16
Yeah, absolutely. And it’s been something that we’ve actually cared about for longer than that. But now it’s sort of in, I think the popular world the zeitgeist as it will.
It’s a very important part of your security program to make sure you have this level of protection against the costs if you unfortunately face a breach, they can also help bring resources, help make sure you have different outside vendors that can come help you like Incident Response firms and things like that.
It’s a great partnership to form as you’re creating your entire security program. And it can also really help small-medium businesses as well that don’t have as many security resources. I think one of the reasons it’s become more popular to talk about was the rising costs over the last several years of cyber insurance
Ian McShane 3:10
Driven by ransomware, and things like that. Right.
Adam Marrè 3:13
Absolutely. We all read the stories in the news of like insurance policies not paying out and there’s things like that of sort of view. Of course, those are outlier cases, but those are the ones that make the news, right. So that makes people talk and think about it. So, for all those reasons, I think it’s something that people are talking about, obviously, it’s very, very important.
Ian McShane 3:35
Yeah, I hear about it. Like I said, a lot. I hear about the rates going up, I hear about the attractiveness for insurability of clients as a new phrase that has come up over the past year, which is an interesting one. And so I think it’s great to have to be joined today by Kirsten Bay of Cysurance. She’s the CEO and co-founder of Cysurance in fact. Hey, Kirsten, excuse me, how are you?
Kirsten Bay 3:57
Good. Good. Thank you for having me. Nice to see you today.
Ian McShane 4:01
Yeah, nice one. So, obviously, you’re gonna be our expert today in cyber insurance. But before we get into that, one of the things selfishly, I’m always really interested in is people’s path to working in and around cybersecurity. So would you mind maybe telling us a little bit about about yourself and how you got to where you are today with cyber insurance in cybersecurity?
Kirsten Bay 4:21
Yes. Well, it is always as most people are at this mature stage of our careers, a circuitous route. I like to say that material students, I started my life in finance and supply chain risk analytics.
I looked at the world of how do we measure and understand risks to the enterprise, whether that’s through supply chain risks, not like cyber supply chain risks, but true what happens, like we all know what just happened in 2020. What happens when the supply chain stops working and how do we manage our businesses around them? And then I also work on protecting portfolios for in finance around how do we measure risk and develop intangible assets, modeling for those types of portfolios.
So, I got into cybersecurity because I’m sure you’re like, ‘Well, how does this happen?’ Because I started looking at what how do we value data for loss? And so someone came to me one day and said, ‘How do we do that?’ And I said, ‘I don’t know anything about security.’ That was a long time ago now. So I do actually know a lot of things about security. That was almost 18 years ago. And so it intrigues me because it is a really important question, one that we struggle with still today.
But from there, I got involved in government working groups to really identify how we start to prioritize and understand that modeling, as well as then how do we integrate things like threat intelligence? And so I started working in threat intelligence to understand how we develop risk curve analysis around that type of modeling, and then started running threat detection companies, how do we integrate threat detection to contextualize something we talk a lot about in security. How do we contextualize that data to be actionable, and then on and on, until we got here to Cysurance where I wanted to marry the two, my love of finance and love of security into something that really can bring, I know, it sounds kind of goofy, but it’s my passion, you’ll find.
Ian McShane 6:14
Not at all I love to love to phrase it as loving security. But you might be the first person I’ve ever heard that said ‘I love finance.’
Kirsten Bay 6:24
Well, I know it’s a little strange. And I think that we can bring those things together to really make a difference for companies. And that’s the thing for me is how do we develop this integrated approach to integrate security, and really insurance, cyber insurance so that people understand the value, as Adam said, doesn’t really pay? How do we make sure it pays? How do we get people to proper ratings, that you invest in security should you get a discount. All of those things, for me, are very intriguing and the value that we’re trying to bring to the market and ask those hard questions.
Ian McShane 6:57
Perfect. So I guess a bit more intrusively with your current job. So you know, top of the chain, if you like, one of the cofounders for a cyber insurance company of Cysurance, what is the typical working day look for you now, I mean, maybe it’s better to start with what does Cysurance actually do?
Kirsten Bay 7:13
Well, the thing that we do that’s a bit different than other cyber insurance providers is that we provide layered insurance coverage around cyber risks. And what that means is that we do that through the channel. So we do that for security products, services, and providers. So that can be managed services, managed security services, or service organizations like managed detection and response.
And what we try to do is look at how well those solutions perform, and then develop layered security, where layered insurance coverage where we’re able to provide a certification around those products, so your customers can benefit from that with a financial protection, and then layered insurance capabilities. So it would be sort of a flat fee insurance program that we have, that essentially pre-qualifies organizations.
So what we’re trying to do is remove adaptations, and actually prove what people are doing in an organization and show the efficacy of those solutions in those organizations.
Adam Marrè 8:16
Oh, that’s really amazing. That’s great. And I really want to dig into some of this, especially with you talking about risk, I love that, that’s a passion of mine, to run a security program motivated and seen through the lens of risk rather than just what’s the latest thing that happened or your compliance program. So I love to hear that.
But I do want to scratch the surface or just go a little bit beneath the surface of what you just said, there maybe there may be some folks listening to our podcasts that are new to the whole idea of cyber insurance. So maybe just taking a step back and talking about, what does it do? You get it as an organization, what does it provide? What is the purpose of it? Why do you need it? And then if bad things happen, what does it do to help you, I think most people understand, like car insurance and things like that. So help us understand cyber insurance.
Understanding Cyberinsurance
Kirsten Bay 9:10
Well, cyber insurance, I like to refer as is general liability insurance for your operational digital core. So that’s how I like to think about it. And, for me, it’s not just about malicious events, although that’s predominantly what people think of when they think of cyber insurance. And certainly that’s the key coverage point that it manages.
So, as you said, that’s ransomware, it could be malicious intrusion where there’s credential theft, and now you’ve lost records. And so that’s the breach notification, it’s compliance management, it’s you touched upon this at the very beginning, it’s about providing remediation and recovery services and then paying for those things, if need be negotiating that ransom and actually paying for it. So those are the big block components that are really important, even things like funds transfer fraud, you know, the age old, ‘I’m the CEO, and I want you to send me $50,000 worth of Google Play cards’, because that happens a lot. You know, those types of things.
But the other part of it is, and this is something that I think is very important to call out, is also that it is business continuity insurance. So it covers broadly things like you have network downtime, you might have AWS might go down. And if it’s down for more than eight or 12 hours, depending on your policy, you actually have coverage that will kick in to support you if you have a revenue loss for that type of incident. Or you have an extended power outage where you can’t process credit cards as an example. So after the deletion of data, so there are broader coverages.
Also media viability coverage, if you’re sued for an online trademark infringement, things like that. So these are the components of these new solutions that many organizations aren’t aware exist but are very critical to, broadly running your operational digital core.
Ian McShane 11:05
That’s fascinating. I felt like such an idiot, because I never really considered the applicability of cyber insurance to something outside of a point in time incident like you say, AWS coverage GCP as your are available as well, that just keeping that the business continuity running is a really interesting aspects.
How often do organization’s come to you looking for that over cyber insurance for, say, ransomware, just for the sake of argument?
Kirsten Bay 11:32
Well, it’s not as often as I would wish for in the sense of thinking broadly about the things that we need to do to manage the availability of an organization. And that’s really the key. And the key is as we move forward, as you think about the significant changes that we have been through as an economy in a society where everyone is now pretty much reliant on some part of that footprint being protected and being operational. And those are the things that you can imagine now, people have zero tolerance for, I go to this website, I want to buy a thing, and it’s down, I’m going somewhere else, right? Like trying to protect for those types of incidents. And so it’s broad enough.
Adam Marrè 12:16
So yeah, so I got a question here. If your company thinking about insurance, I mean, oftentimes, and now I’m getting into like, being kind of a customer here, but you’re thinking about insurance, and you’re a company and if I’m looking for life insurance, right? There’s someone that comes up to my house, I go to the doctor’s office, and they do blood pressure and blood work. And basically they put me on some actuary tables and say, ‘How long is this guy likely to live and healthy?’ And then they kind of base a policy on that? Is there an equivalent of that happens when people are coming for cyber insurance? And what are those based on?
Kirsten Bay 12:53
Well, there is that type of data out there, although it’s very young.
I mean, when you think about hard data, live data, I mean, there are troves of amounts of data that like to say, you know, I live in New York City, right. And there’s some table out there somewhere that will determine that how often a car accident will happen in the intersection on which I live, right. So they know a lot of things. And it’s pretty good at being predictive.
When it comes to cyber risks, there are two components. One is that the body of data is not as high. And also, just because of years that we’ve had the collected. But there’s the also the relationship to what question, because claims don’t necessarily equal incidence. So you can measure how many times a car goes through an intersection how many times that car runs a red light, how many times cars run, or a yellow light and how many times that results in an accident, right, it’s pretty quantitative, the challenge with cyber is that it’s also evolving.
And that’s the other thing that we refer to as the silence cyber risk, which is, what are the factors and variables we hadn’t considered that should be related to a particular coverage point or an exclusion point. And so those are the things that create what we see in this market we refer to as a hard market or a frothy market, but a market that’s trying to normalize itself and we’re getting better but the in relationship to what question is the most important one to me, which is, if there’s some type of malware that results in a ransom attack, and we go ‘oh my gosh, that was a really terrible attack.’ Well, was it? Yes, because we saw 10%, or 20% of our insurers have a hold on that loss, meaning they hit the entire limit of their policy, and so therefore, that’s a bad event.
But it could be that there were 50 million different organizations that had that malware that didn’t have a full scale loss or any loss. And those are the things that I think we are working on trying to understand so that we can price better, be more efficient. And hard markets often happen in these moments when I’m when a market is trying to normalize itself.
Adam Marrè 15:07
Yeah, I think I’ve definitely seen that, as I’ve talked with different insurance organizations as a customer, it seems like the questions that they ask a company to answer are pretty different and can even be different from year to year. You know, it can be like, ‘how many records of PII do you hold?’ But it could also be ‘how many servers,’ I mean, there’s just all kinds of questions that they asked, and they don’t appear to be that consistent. And that would, I think, would belie what you’re talking about where the industry is young enough that it’s still trying to figure out what are the key indicators that we need to ask people about? What are the key pieces of information we need to be able to understand the risk of this organization? Do I have that right?
Kirsten Bay 15:48
Absolutely. And if you were to apply, like a similar analogy to the cars, again, when you take credit score, driving record, type of car, you start to develop a picture of that risk profile of that particular person, right. And so that’s the thing to your point Adam, is what are those factors that start to create fidelity in the picture ,right now we have a very pixelated risk picture. So we kind of know what it looks like. But it’s not super clear. And it can change.
Ian McShane 16:20
So it changing year by year, I’m just trying to I know, there’s probably a bunch of different analogies, we already heard about the healthcare one. And you know, now we’re talking about the driving one.
But if I think about car insurance, certainly in the UK, because that’s where I’ve got the majority of the experience, you can kind of game the system and get the same coverage with the same level of truth. But changing things around like assigning different people to different cars, or assigning a different job title to what you do for a living can have an impact on what you do, even if it’s descriptive enough that it’s still relevant.
Is that the case in cyber insurance, that companies can be creative about how they report? Or is it a case of, you’re always going to as the insurer, you’re always going to ask for a receipt. So whatever they say, you know, needs to match what they put down.
Kirsten Bay 17:07
Well, it needs to match. But to the point that was made earlier, that’s where some of these friction points come in around coverage, right? There’s two schools. One is the I thought we were doing it, I thought we had MFA. Well, we did, but we didn’t have it as broadly implemented as we thought that we did.
And then the other is, we’re not doing it, but catch me if you can, right and as it turns out, people are being caught. And in those requirements are being enforced and being monitored, which is really for us the thing that we want to be able to show continuous compliance.
But the other piece that concerns me is, is that we now have something like SOC 2 events, or some of the other kind of compliance centers that were driving where I have people coming going “well, I need to do these things.’ Because it says drum application and it’s like, ‘whoa, whoa, whoa, don’t set your security posture based on an insurance application.’ That’s like the worst thing you could do, you need to do your good care and feeding of your your security posture, and you’ll automatically check those boxes.
So don’t let that policy be the driver, the application of the driver of what you think is important to do in your organization. Because at one point, it will change depending upon the bad things that happened in the year prior and the most prevalent of those bad things.
Ian McShane 18:36
Is there an example you can give us something that shifted dramatically year on year, like maybe it wasn’t a big deal one year, and then the next year, it was the most important factor in terms of risk scoring?
The Importance of MFA
Kirsten Bay 18:47
Well, one, that it’s not necessarily an evolution, but it’s an absolute now, and that is MFA.
Like, literally, I have not seen a policy that will allow you to be insured without that in place. And it’s like, I refer to some of these things as cyber seatbelts, right? Every state, every country, everybody requires you to wear a seatbelt. Right? And there are good reasons for that.
And so those are things that just help dramatically change that risk posture, but what we find is that it might be turned on, but then the servers didn’t have it. So it can be kind of a complex ball and in some ways, but that’s one that certainly is a big one and then the others are related like to remote access management and the monitoring and the scanning that organizations, like carrier organizations will do where they will look for those ports, because it’s such a concern that those exist.
Adam Marrè 19:51
So let me ask this question. What is common for cyber insurance companies to do in a trust but verify model right so applicants? So a company may say ‘yeah, we got MFA. We got an all day long.’ They don’t. And obviously, it behooves the insurance company to kind of verify what their policyholders are telling them. So what is common practice to do, because that can be very labor and time intensive to do like penetration test all of the insured. So what’s kind of common practice across the industry?
Kirsten Bay 20:24
Well, typically, these are outside the firewall scans that are being run. And they’re certain degrees of sophistication and what those scans will show, depending on which one and how much, and how little and all that good stuff. But they’re looking for the big blocks, whether you have open access to an organization.
So certainly when people have RMM, remote access management, or remote desktop tools running, and obviously, I’ve had some that have been flagged, and it says there’s an RDP tool running and it’s Internet facing. And it’s like, is there another kind of RDP tool that isn’t Internet facing? It has to be Internet facing, right.
So sometimes those get thrown at flags, when you’re primarily they want to report back? Yes, we actually do have those locked down, you can’t access them without certain controls in place. But those are the things that cause most consternation, and so they’re looking for easy, low hanging fruit for access into an organization that could be leveraged.
Ian McShane 21:26
So we’ve already ascertained that at this point in time, cyber insurance is basically critical for every organization, and there’s a baseline of security for it. But you could argue that larger organizations, or I could argue that larger organizations have kind of got an unfair advantage, they’re more likely to have these kind of tools implemented already, or at least the ability to go and procure them and deploy them.
So how does cyber insurance differ by organization or size? So we’re talking immature, from a security standpoint, maybe a small team, one person that is responsible for IT? How do you see your industry working with that side of cyber?
Kirsten Bay 22:05
Well, I would say that’s the biggest change that I’ve seen across the board are all these organizations trying to service that sort of customer, either providing them different types of tools, providing them monitoring, providing them tools and monitoring, it really depends. And to try and help solve that problem, I would say that one of the challenges that exists on the other side is still convincing smaller organizations that they are at risk, right? And this is something that I know the ‘well, nobody has anything I want and assess.’ Okay, we’ll see.
So it’s the challenge of getting people to understand that, while they may not be the target of a targeted, big attack, certainly there are targets of opportunity. And that can be anybody. And so as a stat, something to be aware of when we started measuring these things, starting in 2012, when we hit 2021, organizations that have less than $25 million in annual revenue, had experienced, like 1,400% increase in claims activity versus other organizations, I mean, by an order of magnitude more than anyone who was $50 million or $500 million or whatever. And so those are two indicators. One is that to your point, lower security awareness and posture, but also the adversary knows they’re low hanging fruit. And so those two points intersected very nicely or badly, depending on how you want to look at it.
Adam Marrè 23:42
Is that awareness coming to the industry in general? I mean, across probably verticals, to companies of that size. I know that becoming more aware of the need for security in general. You know, we’re seeing that but I’m wondering in the insurance world, are you seeing the same thing, the awareness increasing? Or is this still just us yelling into the darkness?
Kirsten Bay 24:02
I think there’s dawn in that darkness. We certainly are improving. And I think there are organizations who are developing awareness, certainly what we see is in that sort of small middle market to middle market class of customer, what we’re seeing is a desire to have better security gets better insurance. And so that’s a big driver.
And so your point at the beginning, what we’re seeing is that cyber insurance is a new driver in acquisition of security products, because insurance has done a really good job of accentuating the importance and also people wanting it and not being able to get it or wanting it and having a premium given them to them where they’re like, ‘Whoa, that’s a lot and maybe I should go and get some security stuff.’ And so, those things, I’ve long believed that, putting my finance hat on that in order for people to broadly accept that good security posture is important we have to drive to financial outcomes and show that business mission and financial outcomes are drivers of security in general. And so that’s one of the benefits I think we have now is that we have seen that change in the marketplace.
Ian McShane 25:14
So what kind of changes do you see coming over the next 12 to 18 months in that cyber insurance marketplace?
Kirsten Bay 25:21
Well, enforcement, as as you call out, right, and I don’t know, and that’s part of where we’re really focused is being able to get with our partners inside the firewall data so that we can have better underwriting data, but also that our carrier partners, and we underwrite our own risks as well, that they can have confidence that we have that right view. And I really am a big believer that the more tightly we can wrap that together, the more successful have not only a reducing that risk exposure, both to the insured and the insurer.
But also, it’s like many things, it’s like COVID, or pneumonia or the flu, I don’t want any of those things. I don’t care what it is. And I don’t want a cyber attack. And so and I feel like that’s more of what we can drive to is that you can help really reduce that risk exposure and meaningfully prove, and that’s the biggest thing, that I think that the insurance world is still slightly dubious.
I think a lot of organizations and you’ll read about this, these are uninsurable risks. These are like hurricanes coming to get us, or wildfires. And I believe that with the right strategies, even for smaller organizations, will use the right defense in depth, there are ways for us to protect organizations, it doesn’t mean it’s zero, it means that we can manage through and reduce reduce severity, the impact of an incident.
Ian McShane 26:51
That’s interesting when you say uninsurable, and we go back to, I know you said you came from a supply chain risk kind of background, how does supply chain really impact how insurable a company is, because there has to be a line where my insurance covers me, but doesn’t necessarily cover something that happens downstream. We could drop specific incidents over the last three years or the last week in fact, right? How does that supply chain play into what someone can do with their insurance?
Kirsten Bay 27:20
Well, this is where there’s a lot of worry about this, because it comes back to what’s referred to as a contingent business risk and those contingent liabilities.
So I have a vendor, and something happened to my network, and now my vendor is infected with some malicious piece of code or some random event or something like that. There’s responsibility by my insurance policy to provide some renumeration to that organization, and this is where it becomes, it can wrap around itself very quickly, because lots of people have those in place.
Now, they’re not typically the full limit of the policy, but it’s enough where that could create a tremendous loss to an insurance company. And so those are the things that we’re really starting to focus on is how do we manage vendor risk? How do we measure vendor risk? You know, we see organizations now that take vulnerability data through an API and if they see that you’re out of compliance with either patches or other types of security posture, that they will actually cut your API connection to that organization so that you can place orders, you can’t take data, you’re cut off until you can get right with your security posture.
So vendor management, I think isn’t become continually a more important feature as, probably to the point you’re making, which is so key. And we’re we are all connected now. And that’s the biggest fear of all.
Adam Marrè 28:55
Yeah, I guess that’s a question I have is, how thorough is the penetration of cyber insurance generally? Because like with car insurance, there’s regulations that you have to have car insurance because it protects everyone, from someone going totally bankrupt and protects insurance companies, because it’s spread out to everyone and I have a limit on my policy, but then you also have a policy as the victim. And, there’s that whole system, that ecosystem that helps make sure that the burden isn’t focused or primarily carried by one entity or person. Are we getting to a point where we have enough of this in this interconnected web of companies? Or do we still have a long way to go?
Kirsten Bay 29:36
Well, we do and we don’t, but the challenge we have is that in sort of in those car analogy type scenarios there are four and a half million people connected to the same place at the same time that would have the same loss, right. And that’s the concern because this is pretty detailed in terms of cyber risk or management of insurance.
But there are some indications that you actually have to re-insurer and re-insure and re-insure on the back end. And so how much reinsurance is there in this world, literally to be able to manage that level of systemic risk? And that’s ultimately the question is, how do we control that? Do we limit it? Which is why organizations are seeing changes where there are paths on systemic losses when we look at overall insurability, because what they’re trying to look at is, how do we manage broadly, everyone’s reinsurance risk on the back end?
Ian McShane 30:35
Right on? Well, I mean, I selfishly like to use these podcasts to improve my knowledge about a bunch of things. And I certainly have learned some stuff today. Like I said earlier, I totally didn’t even consider business continuity being a critical part of the the insurability, and the insurance posture of a company. So thanks so much for that. Kirsten. Now is there anything you want to plug? How do we get in touch with your company? Or how do prospective listeners get in touch with your company?
Kirsten Bay 31:00
Yes, Cysurance.com is a great place to find us. And I do feel like when we have some of these conversations around systemic risk, particularly, it kind of comes back to this, why do we even bother question.
So I want to caution that while we grapple with some big rocks to crack in terms of some of these broader risk, the fact is that part of where I think this comes back to the security posture and security companies, is that we have to show collectively, that’s not just as Adam says, the beginning, not just about a point solution. It’s about how are we broadly managing these risks? How do we understand the combination of those products and how they work well together? And how do we monitor and provide services, and that’s the big thing for me is not just having fun solutions with that continuous management.
And I think that’s how we’ll be able to prove more broadly, that we can even manage these broad risks, but we can’t do it independently and alone. And so those are the things that we really firmly believe in.
Adam Marrè 32:06
Oh, that’s great. I love to hear that. I really like the way you’ve encapsulated that, I too have learned a lot even though I’ve been a customer of cyber insurance for a long time, I think digging into sort of these, and we got a little esoteric there, we got into some deep sort of insurance issues, but I like you bring bringing it back that, ‘hey, this is a very, very good idea for a company to have.’
And I wish that we were all at a security posture, where being motivated to increase your security, because you need insurance isn’t a necessary thing. But I’m glad we also have that, though, even though you shouldn’t base your security program, and what you need to have better premiums on your insurance, I think it’s a good idea to listen to what’s being recommended, much like with compliance or any other program, it’s all a part of it. So thank you for the work you do to help kind of make us all more secure by influencing various industries as you have your product out there.
Kirsten Bay
Thank you.
Ian McShane 33:09
Thank you. And yeah, thanks, everyone for listening, and we’ll catch you next time. Thanks so much.
