Cybersecurity Exposure, Global Gov't Programs, Insurance & More

Walt Zerbe (00:00.644)
Hello and welcome to another CDA podcast. I'm Walt Zerbe, Senior Director of Technology and Standards and your host for the CDA podcast. And today we're going to talk about a little topic called cybersecurity. this, my gosh, this, this thing seems to be completely coming full speed now. We've been talking about cybersecurity for years, but I think, I think it's really a focus now in the world.

and a focus in our community and something that we need to be really abreast with. There's so much information to talk about here today. I really not quite sure how much we're going to get through, but we're going to give it a good shot. So joining us today, we have Trent Frazier. He's the Assistant Director, Stakeholder of Engagement Division at the Department of Homeland Security, Cybersecurity and Infrastructure Security Agency.

otherwise known as CISA, C-I-S-A. And then we have Callum Wilson with SafeShark and he is representing SafeShark and is going to tell us stuff more on the UK and European side of things. And then we have our friends Michael George and Chris Boots who are both with AMJ Insurance. They've been long time helpers with Cedia. They have some programs for insurance for integrators.

with Cedia and insurance just really helps to round out this whole thing because you might need to get some insurance as you continue to be an integrator and or manufacturer and things and things get going. And then we have a repeat guest, our own Darren Raymond, Director of Government Affairs with Cedia. So how is everybody today?

Callum Wilson (01:45.614)
Good.

Chris Boots (01:45.996)
Very good, ready to roll.

Darren (01:46.318)
Good.

Walt Zerbe (01:47.67)
Okay, ready to roll. All right. So I'm just going to quickly start and you know, I am not an expert in this, but I'm I probably devote 24 hours a day to get to speed up on this and I probably wouldn't get the speed up on it with what I read on my own. But what I do know is that I'm just going to use example of my son. My son is a senior about to graduate college with a criminal justice degree. And he

He took an internship with a company that specializes in elder fraud, which is absolutely unbelievable. We look at my in-laws, they have no idea what to click on, what not to click on, what's real, what isn't real.

Trent Frazier (02:25.574)
Thank

Walt Zerbe (02:40.474)
just just in the elderly in the US in 2023, there were $12.5 billion estimated of fraud, just for the elderly 3.4 billion for people 60 and older. It's an 11 % increase over 2022. I can imagine those percentages going up now that we have AI deep fakes and and all other kinds of things. It's just a giant

giant problem and that's just with one little bit of the community and this is just with people probably dealing with email and smartphones and computers, let alone when we start to integrate smart home and IOT things, which takes us to a whole nother level. So that's kind of my little introduction. It's not really that great as far as what we're going to cover, but that's where my mind has been lately.

And October is Cybersecurity Awareness Month. So I didn't know if anybody knew that, but that's one of the nice timings of this particular podcast. So let's talk about the US cybersecurity programs. The FCC has a voluntary US Cyber Trustmark program, and Darren and Trent are going to run us through that. So Darren, would you like to give us a quick little introduction to that?

Darren (03:55.638)
Yeah, so thanks for everybody joining today. And before Trent kind of highlights

the CISA program, wanted CISA programs and what they're doing within October and around Cybersecurity Month. I wanted to also highlight one of the US programs that is beginning. The FCC or Federal Communications Commission has adopted the US Cyber Trust Mark program. Back in August of 2023, the FCC sought public comment on how to create the Cyber Trust Mark program. And then in March of

this year, they created a voluntary cybersecurity labeling program for wireless consumer Internet of Things products. And like I said, they are now in the process of standing up that program. And under the program, qualified consumer smart products that meet cybersecurity standards will bear a label, the US Cyber Trust Mark, that will help consumers make informed purchase decisions, differentiating trustworthy products in the market.

Trent Frazier (04:36.326)
you

Darren (05:02.016)
marketplace and create for manufacturers that meet the cyber trust standard. So there's many highlights to the program. And just one thing that I would add to that, you know, once a product is approved, companies can include the US cyber trust mark program logo on their products, along with a QR code that consumers can scan for further details about the security of the product. And how why I want to raise this on this podcast

Trent Frazier (05:04.614)
Thank you.

Darren (05:31.892)
back in November of last year, CDIA provided public comment to the cyber trust program and expressed support for the concept of the cyber trust mark. But in its comments, we stress the importance of for the security of the home to the importance of working with professionals and technology integrators to have a secure environment. So I just wanted to highlight that and then I'll turn it over to Trent to talk more about what CISA is doing for

October and the programs that they have to support cyber security throughout the US.

Walt Zerbe (06:07.439)
Yeah.

Trent Frazier (06:09.414)
Great, thanks Aaron. And I just wanted to start acknowledging that we are incredibly excited about the Cyber Trustmark program in discussions with FCC as they're developing the program. We see this as a first real step towards what we call secure by demand, which is a subset of the work we're doing in secure by design. And it's really about fundamentally changing the market incentives for how software, hardware and network services are provided to customers, whether they are individuals.

Walt Zerbe (06:26.923)
Trent Frazier (06:38.712)
all the way up through industry. And it's really an acknowledgement that we have to now design our products and services with security in mind. That customers should be able to acquire, whether it's an endpoint device, like a lot of what we were talking about at the outset, your phone, or an edge device, your home router, all the way up through broad network services. Those have to be designed.

and provided with security at the outset. And it's a strange market that we operate in today. If you think about it, none of us would buy a car where the manufacturer assured you that at some point in the future they will install airbags for you. None of us would, well hopefully few of us would want to jump on an airplane where the provider assured you at some point they'll go ahead and install seat belts later.

But in many cases when we acquire technology today, that's the market we acquire technology in. We acquire technology that's brought to market as quickly as possible and then as it is utilized in the marketplace and vulnerabilities are revealed, patches are installed to address those vulnerabilities. As our economy increasingly is digitizing and we're integrating technology at every level of civil society,

That is not a model that is sustainable for any of us as individual citizens, as entrepreneurs, as government institutions, or any level of public and private sector. So we really are looking at ways that we can restructure the incentives for that market. And the Trustmark is going to be one of those tools. It's a readily available resource that consumers can use to buy their devices, to buy those services.

and with the assurity that they were designed with security at the outset. And that's what we hope to see more broadly across all of our efforts. CISA plays something of a unique role in the federal government. We are charged with leading the national effort to secure our nation's critical infrastructure and to ensure the defense of critical networks and systems throughout the country. So we are the nation's cyber defender. We are here to ensure that cybersecurity is top of mind now for both

Trent Frazier (08:57.346)
individuals and industry and we want to see that really that evolution in the marketplace help to ensure that we can defend all of our critical networks across the country. We have a lot of programs and I won't go in depth into all of them because it's pretty extensive but I'd sort of ground that conversation first in the idea that a lot of folks especially in a lot of individuals and citizens when they talk about cyber security they think of it as this kind of monolithic concept that applies to someone else that it's

There is a cybersecurity person out there protecting you. In truth, it's really critical for all of us to think of cybersecurity more as a team sport, and all of us have a part to play in that sport, right? So it is absolutely the case that we want to see providers for both product and services creating those products and services with security in mind. It's also the case that we want to see vendors taking steps to ensuring that the products that they're installing

have security baked into them at the outset and that it's integrated as part of their work. And of course, it's fundamental that as individuals, as the people who rely on that technology, we're doing our part to ensure that we're protecting ourselves and protecting those networks that we rely on. We do that in a number of ways. We recently released a program called Secure Our World. It's a very straightforward public service program that's designed to basically educate the consumer.

the individual on the steps they can take. And they're very simple steps. It can be simple things like ensuring that you're implementing multi-factor authentication on your devices. Something most of us don't often do, but again, it's a critical and key step. It's ensuring that you're using complex passwords. Please do not use password as your password any longer. I had an interesting meeting with some folks from industry yesterday, and they talked about one of the key challenges they still have.

Walt Zerbe (10:39.578)
Ha ha ha.

Trent Frazier (10:49.88)
in defending the networks is that employees were using the word password as their password to gain access to their systems. you know, ensuring that your devices are kept up to date. We still exist in a marketplace where patches are required to address vulnerabilities as they're identified. Making sure that you're updating those devices in real time and keeping those security updates continuous is essential. And of course, making sure that you're aware

when you are potentially being targeted for other types of attacks like phishing and behavioral attacks. I think, Walt, you mentioned at the outset one of the key challenges we still see. In my role, we talk about complex cybersecurity attacks from highly capable adversaries like China or Russia or others. But the largest majority of cybersecurity attacks are still the very simple, basic phishing, spear phishing attacks that allow that.

that get people to share information and expose themselves and by extension expose those networks. So, secure our world is a key step for us. I already mentioned another program that we have that's really focused on secure by design. That's about reshaping the marketplace. And within that, we're starting to think through secure by demand. The resources we can help provide that will allow consumers, whether they are individuals, all the way through industry to acquire

those services and those products from their vendors with security in mind to make sure that they can ask educated questions about the kinds of security measures that are baked into the products and resources they're relying on and ensure that they're acquiring that at the outset.

Walt Zerbe (12:29.676)
All right. Thank you. That was an incredibly good, well-rounded explanation you just gave us, Trent. I have a few questions right off the bat. How are you guys marketing the Secure by Design? Is that within the other program, that Secure World that you mentioned?

Trent Frazier (12:46.842)
Yeah, it's actually multi-tiered and that's in part because of the complexity of the market we're trying to evolve. So for example, we have a pledge that we've developed for industry partners right now that outlines essential things that they can do in the design of their products and services. That can include things like eliminating entire classes of vulnerability or installing security patches, increasing the pace that patching can occur for their customers.

It can include ensuring that multi-factor authentication is turned on by default rather than requiring customers to activate it. And any number of those measures. Those pledges are really about bringing the providers, the industry partners into the conversation in a way that allows them to announce to their customers that they are taking steps to address security. Of course, we employ programs like Secure Our World.

that are really about educating the consumer and we're doing a lot of engagement now with those intervening supply chain partners. Those would be individuals or entities like your membership that are really involved in the acquisition of technology and the installation of technology for an end user at the other end of that supply chain and really bringing them into the conversation now to give them resources that they can use to help shape the kinds of products they're acquiring.

Our ICT SCRIM Task Force, is our information technology task force on supply chain recently released guidance on vendor acquisitions to help vendors who are looking to acquire technology really educate themselves on the kinds of questions they should be asking to ensure that the technology that they're acquiring has the right security baked in from the outset. So it is a multi-tiered effort. We have to really focus on a number of different audience segments now.

as we're looking to really evolve that marketplace.

Walt Zerbe (14:41.592)
Yeah, okay. I did watch the videos in Secure Our World. They're really well done and they're useful. Why voluntary? Is this just a precursor to them being mandatory?

Trent Frazier (14:45.914)
Thank you.

Trent Frazier (14:52.868)
You know, I think voluntary, and it's interesting at the outset you were mentioning that there's a conversation about some of the work happening within the EU and the UK and other markets within the world. If you look at the major global markets for technology right now, there are a number of different approaches. Some of them are regulatory, some of them are more voluntary based. We're taking a voluntary approach in part for two reasons. One, as an agency, our entire model is built on partnership with industry. It requires...

that we create trust between industry and CISA to ensure that information about vulnerabilities are being shared real time so that we can address those vulnerabilities real time before they cascade across networks. And we want to protect that relationship in our dialogue. But we also believe that in shaping the design of a market, it's really critical and probably one of the most valuable tools in that is the consumer in that marketplace. And so while there are certainly measures that...

various markets throughout the world are exploring, we believe that the most effective measure is going to be consumer demand and really driving and shaping the kinds of demands placed on providers to ensure that they're really providing the products and resources in a secure fashion.

Walt Zerbe (16:01.722)
All right, I just have a few quick questions to finish up with you. If a product, doesn't support this program, can a installer, integrator, consumer or something, how would they go about saying, you know what, your product should be on this program and where do you go to get educated on it? how, so this is as being voluntary, I'm hoping everybody that manufactures products knows about it, but how do we get others?

Trent Frazier (16:28.901)
Yeah, mean the simplest tool is to go to CISA.gov and look at our secure by demand resources. You'll find there the access to the pledge. I actually have been encouraging a lot of folks on the consumer side to take a look at that pledge because I think that pledge is a really simple, easy tool that you can use in discussions with the providers that you're...

you're engaging with, whether that's sort of a complex contracts negotiation, all the way through the more basic transactions, because it's going to give you the basic questions to ask. Are you doing these things in the products that you're employing? If not, why not? And are there other providers in the marketplace that are satisfying those things? But I would look at that as an easy starting point. As you're looking through those resources, certainly follow up with us directly. And if there's areas that we can engage with you to talk to,

You know, there are, we're working with a lot of industry partners now across a number of different supply chains for technology. There's certainly supply chains we probably aren't heavily engaged in today, but we welcome that insight because that gives us then the avenue for follow-up within those providers and those communities.

Walt Zerbe (17:39.32)
Yeah, cool. I could certainly see this as an advantage with an integrator saying I use only SISA, you know, I use only products that have been, you know, part of this program. So it's, I could see that as an advantage just for comfort for the end user to know that you're using products that meet security needs. My last question would be, I'm sure you guys recommend password managers, but what about pass keys? Pass keys seem to be a thing that's, that's we're moving towards.

What's what what is your position on pass keys is that part of the program and being recommended for manufacturers to support and all that stuff too.

Trent Frazier (18:14.234)
So it's interesting, know, pass keys are what I would call one tool in the toolbox to help with the challenge of user authentication, right? And when we think about pass keys, they are often incredibly valuable for specific types of users, but they can also be cost prohibited for other types of users. I mentioned I had...

some discussions yesterday with an industry partner who happens to work in what's called a high turnover industry where they have a lot of employees that join and leave at a relatively high rate in part because of the nature of their business model. keys for them might be cost prohibitive, so they're looking at other ways to employ multi-factor authentication using other ways of authentication. The key though is that you're using multi-factor authentication. Pass keys are certainly a highly capable tool for that purpose.

There are other tools that serve that purpose and it's really a balance of risk to reward in terms of how you're employing those things. We believe pass keys are certainly highly effective. The use of password managers are often very, what we would call, efficacious for the average user. The individual who's maybe logging in two or three times a day to key systems and networks, they may not be efficacious for other types of users and other settings. The real, the value point here is to acknowledge

that you're using these tools to address the vulnerabilities in your networks and you're implementing them in a way that really addresses your key vulnerabilities.

Walt Zerbe (19:41.711)
Gotcha. I know personally I couldn't live without a password manager and if I still had an integration company, I would educate all my customers in the household that they should use it to help to reduce the potential for vulnerability. I love that it lets me know when something's been breached. It generates automatic passwords that I don't even need to know or care about. just makes life more secure and a lot easier for me personally.

Trent Frazier (20:11.408)
Yeah, absolutely.

Walt Zerbe (20:12.578)
All right, well, let's let's move to the EU cybersecurity program. I don't know why my voice isn't working today, but the Calum, let's take a look at the other side. As they say, the pond, you guys have a lot of stuff going on over there. You've got US, you have UK cybersecurity programs. You've got the product security and telecommunications infrastructure act. You got all kinds of stuff. So let us know. Let us know what you're doing over there. And also some I hate saying over there, but

That's how I'm going to differentiate US from you. And also any similarities that you've heard that we're kind of doing the same.

Callum Wilson (20:52.44)
Yeah, that's it. So I work for Safe Shark. We actually do testing of lot of the...

IoT that your installers will install and provide and the providers will provide and there's essentially in Over here on this side of the pond. There's two bits of legislation and what I would say is that the European Union and the UK have chosen a much more legislative legislative kind say the word a much more regulatory point of view and In fact, there are two main bits of legislation So if you're absolutely right in the UK is the PSTI which is the product security and telecoms

infrastructure act which includes any bit of IoT that will be owned by a consumer and attached to a network. That includes Bluetooth speakers, includes your smart toaster, home cinema, everything. And in the EU in August of 2025, the radio equipment directive will be launched which includes a mandatory

test for anything with a radio connection that links to the internet. So when I say a mandatory test, means that any testing has to be signed off by a certification body. So it has to be done quite thoroughly. That's going to be a massive change, I think, to the industry. So the PSTI really has three components to it. It talks about the default passwords to make sure that products don't come with

default passwords and I know that in the home IoT installer industry there are still products that are shipped, high-end products that have a default administrative password. These would not pass this bit of legislation and it also requires things like vulnerability disclosure programs for manufacturers so that they can actually take feedback from the public.

Callum Wilson (22:44.889)
at large and security professionals about vulnerabilities in their products. And then the third thing is the requirement to provide security updates to products. So they can't just be given to a consumer and the consumer left to fend for themselves. Now the PSTI is an act of legislation, in other words it's in our law in the UK.

if an organization sells a product that doesn't meet this, they can be fined between 2 4 % of their global revenues. So there's quite a big stick to that. Now, having said that, that became law last year. And in SafeShark, my company research, we found that still today of high-end products, around 75 % don't meet the minimum criteria of PSTIs. So even with an act of regulation,

which has very heavy fines, there still is quite a lot of non-conformance. The EU has a tougher approach that's gonna take a bit longer to come on board, as I said, August 2025. The Radio Equipment Directive has a quite a...

large number of very technical tests that products have to go under. I won't go into massive amounts of detail, but it's far more than just checking your passwords, also looking about the actual security of the product itself and how it can store sensitive data on it in a secure way that hackers can't get into or can't be broken into or mistreated in any way.

Walt Zerbe (24:25.082)
Yeah, they like to do penetration testing and all that stuff on that stuff.

Callum Wilson (24:28.118)
Yeah, so there's going to be a compliance test. The rules are currently yet to be completely formalized, although we have been working on the committee to create those rules. The test is what I would call a compliance test rather than a penetration test, although some of the tests are actually quite... So for example, one of the tests is that you have to be able to brute force...

Walt Zerbe (24:44.194)
Okay.

Callum Wilson (24:51.23)
If it has a system for allowing a password, like an administrative password, we have to brute force the product and we have huge lists of millions of every conceivable password you can think of and it will just carry on for days at a time trying to break into these products. In fact, I'll tell you a story I was doing. I won't mention any names.

Walt Zerbe (25:14.703)
Callum Wilson (25:14.786)
But I know it's, just can't do that. It was a mainstream television and you would think that television wouldn't have an ability to log on. How'd you log on to a television? That doesn't make any sense. Well, exactly. And they actually are just like your computer. They have user accounts on them. Now the user accounts aren't normally presented to consumers. You wouldn't even know they were there. Yeah. Our automatic test platform said, bing, are broken into.

Walt Zerbe (25:26.082)
yeah, they're all app based now.

Callum Wilson (25:41.848)
this particular television and in fact it broke into it in about five seconds so quickly that we thought our system had broken but it turned out it had a one letter password what a single character so I think that was a big mistake there were lots of apologies made and promises it would never happen again although I do see other products that have guessable administrative passwords in there you just can't have that now here's why so why

Walt Zerbe (26:09.167)
No.

Callum Wilson (26:11.48)
The PSTI legislation all started because in 2016 there was a virus called the Mirai virus. And the Mirai virus targeted IoT, particularly CCTV cameras. And in Germany, in the European Union, the...

they have a major telecoms provider that gave the same route out to about a third of households in Germany. This was affected by Mirai virus. And so that's what really drove the legislation in Europe and the UK. They just didn't want to have a situation where what seems

a reasonably inconsequential hack turns into a nation state attack because you have your communications infrastructure attacked, such as attacking home routers for, or your broadband routers or internet connected routers in people's homes. And when you combine them all together over a population, you can actually cause a lot of damage. So that's really where the root of this legislation came from.

Walt Zerbe (27:10.33)
I have a few questions for you as always. are they saying that the security updates, know, the product being able to do security updates, is that automatic? Are you guys saying it's got to be automatic? Because I guarantee you consumers will not remember to check stuff.

Callum Wilson (27:21.976)
So.

Callum Wilson (27:26.082)
Yeah, that's exactly it. So in the PSTI, the UK legislation, this is where it gets difficult because each...

Chris Boots (27:26.092)
.

Callum Wilson (27:33.4)
geographic area has different rules. But in the PSTI, it's more about the ability to tell the consumer when they're buying a product what they're getting into. One of the, actually, bought one of these doorbells with a camera in it a few years ago, only to find that I got it cheap off a online shop, as you can probably imagine, and it had already passed its sell by date. The servers that it connected to had already been switched off. No wonder it was inexpensive. So what they're trying to do is that when a consumer buys a product,

Walt Zerbe (27:46.138)
Mm-hmm.

Callum Wilson (28:03.674)
The manufacturer or the distributor or the vendor whoever sold it that would include an installer by the way Would have to say you will get security updates up until a certain date in the future You can't say three years from the point of when you purchased it has to be an actual date when that product will have security updates for So that's how they're doing it there. They're trying to make the consumer

own the experience and have the knowledge and information to be able to use the products. I think Trent said earlier it's about this sort of risk profile. Each of us

listening today has a different risk profile. You might have young children in your home, in which point you've got a different risk profile if you're in your 20s and share an apartment with some of your friends. So it's up to giving the consumer the right information so that they can have, well, at the end of the day, it's a balance of usability against the security. And if you balance that correctly, then for each individual consumer, then you're going to be okay.

Walt Zerbe (28:42.44)
yeah.

Walt Zerbe (28:57.583)
Yeah.

Walt Zerbe (29:04.036)
was just curious, do you think the EU tests will once those are all finalized, likely potentially increase product costs because if somebody has to do a lot more testing, that's probably the margins are slim on some of these things, they're probably gonna have to pass that on.

Callum Wilson (29:14.594)
Yes, so there is a cost associated.

Well, so far we've been testing PSTI for about a year and a half and we've just started doing our first radio equipment directive test right now. The tests do come with a cost, but actually that's inconsequential to the actual changes that organisations have to make to their products. So we've been, even some of the very large tier one electronics organisations from the Far East have had to implement...

proper vulnerability disclosure policies and potentially some changes to the products. I can name a few examples. We had to change one television where you had to pair a app to the television. It was a four digit, so numeric digits, four digits to, and basically it had no ability to.

to withstand an attack where you just went from zero zero zero to nine nine nine, you could eventually just break into it. And of course, with these types of attacks, you don't actually need to be in someone's property to attack that because you can look for a window or you can be next door. Yeah, yeah, exactly. So yeah, so what you'll find is that the main costs, and I hope that these costs will eventually pay back because with a better security benchmark within the product, then you will have.

Walt Zerbe (30:16.258)
Yeah, just within range of the radio, right?

Callum Wilson (30:34.109)
hopefully lower costs and better sales in the future.

Walt Zerbe (30:37.326)
Yeah, Callum, will there be logos on instruction manuals and products when we know a product meets these things?

Callum Wilson (30:42.862)
Yeah, so within the UK, all companies are meant to have a certificate of compliance available either in the box, printed off alongside various other compliance statements like, you know, electrical safety and all the rest of the things that will be mentioned on there and on their websites. And in the European Union, it will be tested by a nation certification body.

Walt Zerbe (30:56.399)
Yeah, yeah.

Callum Wilson (31:08.336)
and at the moment we're still trying to work out exactly how that's going to work. Safe Shark, our company, we're going to do a logo and put it on boxes and so on, which states the actual name of the standard that it passed, and that will also be inside the box as well.

Walt Zerbe (31:23.194)
And products manufactured in the EU or the UK will be required to go through some of this stuff. So when they ship it abroad, that'll be a requirement as well, right? So the reason why I'm bringing this up is this is a global thing that people need to know about, especially integrators in the US installing products. A lot of products come from the EU and the UK.

Callum Wilson (31:44.74)
And the same vice versa, any American home IOT products being installed in the UK will have to meet the local legislation for wherever it is. And you would hope that a product made in the UK sent to the United States would be in the voluntary scheme that Trent was talking about earlier. that's the way it's going to have to work. And what's nice is that the voluntary scheme, the US, the EU Radio Equipment Directive, and the PSTI aren't exactly a million miles away.

Walt Zerbe (31:59.194)
OK.

Yeah.

Callum Wilson (32:14.762)
have the same threads of security. There are some slight differences here and there but they're all headed in the same direction because we've been talking about it behind the scenes for years now to do this.

Walt Zerbe (32:25.626)
Yeah. This is exactly like ERP. I remember when I was in the manufacturing world and we had to meet half watt standby power regulations that came from Europe. then we then as a manufacturer, we had to make sure all of our products met that. So every product then became ERP compliant no matter where SSL was designed. So this makes a lot of sense.

Darren sounds like we're gonna, we could use education, a class, something over all these marks, what to be aware of, what to look for, and all these things in the future. Because this, you know, we're just bringing up the subject today, but now we're gonna need education on this later on. For sure. One last thing, I wanted to give you a story too, Callum. I'm sure you heard it, but I'm just making sure our membership knows it. I know that there was a major.

Darren (32:52.706)
Hmm.

Walt Zerbe (33:18.798)
breach at a casino in Las Vegas, of which they lost a lot of money. And that was through a fish tank. And that was through a controller of a fish tank that someone was able to break in and access the entire network or portions of the network within this casino. So it wasn't even like on its own, its own, you know, VLAN or anything like that. It was just connected. And once they got into the fish tank, they had access. So this,

Is there any other questions for Darren or sorry, a column from Darren or Chris?

You guys have anything?

Chris Boots (33:56.224)
Great information, is really, really good information.

Walt Zerbe (33:58.98)
Well, the reason why I asked that is this is a perfect segue into insurance because the integrator that did that installation, and I'm going to say technology integrator, right Darren? Because that's our new SOC term. If you didn't listen to last week's podcast, listen to that. Our last podcast we did, it talks all about the SOC campaign. But when are you liable? And I've been saying forever.

Darren (34:10.411)
Correct. Correct.

Walt Zerbe (34:26.252)
Someday someone's going to get sued because somebody broke into somebody's house because they installed Smart Home or whatever and they're going to say you installed it. It's your fault so

Chris Boots (34:38.572)
It's already happened. I'd be glad to jump in here. Perfect. I can start.

Walt Zerbe (34:42.274)
Yeah, you guys want to fight over who's going to start? All right. So Mike, Michael and Chris, Michael, George and Chris from, why don't you guys go ahead and go.

Chris Boots (34:52.416)
Yeah, we've I've been working with CD members since 93. So the cyber thing has kind of changed through the years from doing the big large Mitsubishis to flat screens and no more cyber. But yeah, the the dip and now with the default passwords we actually had, you just brought that up. We had a guy that had actually installed a nest into somebody, the business owner, business owner's home.

They did not reset the password. Actually, somebody got into the nest, got into his work computer, went to his company. And what happened was the company did have cyber insurance. But when you have insurance or something happens, they always look for who is fault. They determined it. They hired a forensic.

Walt Zerbe (35:46.798)
Yeah.

Chris Boots (35:51.048)
investigation because it was a very large claim because they hacked into all of his clients. So he had to notify people with the US laws. So they went back and said, hey, it was from the nest that they got into it. Went after our our technology integrator. And luckily, we did have he did actually have cyber. So he would and we defended them.

Walt Zerbe (35:52.696)
Wow.

Chris Boots (36:19.6)
there were, there was some payout, but yeah, it's happened. actually, and columns shaking his head probably. Yep. I mean, it's just something simple like that. He installed, you know, he goes, all I did was install the nest and he did a flat screen was during COVID when the, when the owner of the business wanted to be at home and sit there and have his, you know, inner, you know, talk with his employees and, but yeah, it's happened.

Walt Zerbe (36:23.951)
Wow.

Chris Boots (36:47.82)
problem is we have 3500 plus members probably there's only 10 % of the members that carry cyber coverage we try to when we talk to them about insurance we try to let them know that where it starts happening is where the good news is your words out there Kellens out there the government's doing things which is

Walt Zerbe (37:10.382)
Yeah, Trent. Yep.

Chris Boots (37:11.84)
but also their clients. For example, we have a lot of high-end clients and they use management firms, especially the NFL. The NFL players, when you put that screen in there, they're gonna require you have cyber. So our guy will call us, hey, I need cyber on the certificate of insurance. And that's good news.

Walt Zerbe (37:31.865)
Chris Boots (37:37.034)
The nice part about it is when they do have the insurance to a lot of the things that everyone was talking about here, the safeguards, the company does a lot of that for you and make sure that you have the MAF and all that.

Walt Zerbe (37:49.344)
You know, the bad news is they probably didn't even think about having cyber until they were asked, you need to have cyber, which is I'm hoping people have a realization listening to this cast that they better look into it. If only 10 % of members have it, that's not good.

Chris Boots (38:09.376)
You know, nationally, only 17 % of businesses have cyber insurance in the country.

Walt Zerbe (38:16.975)
And Chris, is this the same cyber, whether you're an integrator, whether you're a business owner, is it the same policy?

Chris Boots (38:23.564)
Yep, yep, this would be any business and 48 % of companies with cyber insurance didn't purchase it until after their first attack, which is incredible. Yeah. And you know, the crazy thing is, businesses of a size of less than 100 people or 100 employees, 30 % of the attacks go to those size businesses. know, so people...

Walt Zerbe (38:33.976)
Yeah.

Walt Zerbe (38:50.17)
Yeah.

Chris Boots (38:50.624)
say, well, it's not going happen like you started out. Well, this is somebody else's problem. No, it's really our problem now and here. And it's as simple as employee goes to work, or then they leave for lunch, they come back in, they park their car in the parking lot, they look down and there's a USB drive. They pick it up, they go inside and they plug it in and the system is compromised. That actually happened and it still happens to this day.

Walt Zerbe (39:10.266)
Hmm?

Walt Zerbe (39:19.012)
You know what, Chris, that's a really good, I was going to ask you a question about that. So that is a end user error right there. And we like to call also some things wetware problems where it's your brain, like you clicked on a link that you shouldn't have clicked on. Will they still try to go after the integrator because that happened?

Chris Boots (39:25.633)
Yeah.

Chris Boots (39:38.022)
yes, very much so. You know, just like Michael's example of, you know, somebody got in through his home system and to his business. I mean, it's, it's, we say we're connected. Boy, are we connected. We're connected more than we'll ever know. It's crazy. And a lot of the CDA guys have, cause you know, we also do work comp for members too. And started noticing a few years ago, a lot of the guys will use programmers.

not at their location. I got an employee now, he may be in New York and he goes, my programmer is now in California. Like, great, we worked from his home. So he's doing all the programming on all the integration work through Crestron, Control 4, whatever. Another layer is added there where now you have somebody outside of your organization. Yeah, we've had fishing. Luckily, some of the guys have caught it. Hey, John Smith in his house.

Walt Zerbe (40:08.718)
Mm-hmm.

Chris Boots (40:36.832)
can't get into his clicker. His clicker's not working. Hey, can you give him, you need to give him the password. It actually comes from the owner and they actually had found, he was going on an airplane. They must've hacked into it. They said, hey, I'm getting on the airplane, which he was, but I need you to send the password immediately for John Smith's home. So yeah, it's just amazing some of the stories we've been hearing.

Walt Zerbe (41:01.242)
crazy.

Walt Zerbe (41:05.134)
It really sounds like if you're installing anything connected and you have an integration company, is a no-brainer. You have to have.

Chris Boots (41:12.438)
Well, even, and you're exactly right, well, because the example that Michael talked about, know, people think, well, I have insurance. Well, if you don't have, in that particular case, it was cyber and it was an error in omission. So a lot of our integrators, we're just now getting them on board that you need to have errors in technology, errors in emissions insurance, because if he didn't have that, he wouldn't have been covered.

Walt Zerbe (41:27.95)
Yeah.

Walt Zerbe (41:41.369)
Yeah.

Chris Boots (41:41.824)
That would have been all out of pocket expense. So you not only need the technology errors and emissions, but you also need cyber as well. And they have to be packaged together because you'll say, well, I have general liability. Well, general liability doesn't cover that kind of thing. Yeah. The business owner, the business owner actually, his cyber policy kicked in, went back to us. It wasn't under his cyber policy. It was under his errors of mission for the password that he actually put out.

Walt Zerbe (41:57.323)
in

Walt Zerbe (42:10.842)
Should consumers also get cyber and Arizona emission policies or is this really just for

Chris Boots (42:18.252)
Lot of the homeowners are now starting to include it as an option. I would take it, you know

Walt Zerbe (42:23.82)
Is it expensive? I don't know if we can't probably talk dollars, relatively, are they affordable?

Chris Boots (42:30.764)
Yeah, I think it's just what they call a rider or whatever to the policy.

Walt Zerbe (42:34.234)
A rider, okay. And then my question, once the gentleman had a breach happen and then, or I don't know if it was a gentleman, but once the person had the breach happen and then sought insurance, is that more expensive because something's happened, then you just better get it right away before an incident happens? I'm thinking like in driving, like let's say I'm a bad driver and I crashed my car a lot and then I decide to get a different insurance, I'm a higher risk, so those rates are gonna be higher. Is that?

Chris Boots (43:02.188)
Well, one thing that the carriers ask now is for any line of insurance, have you had a claim? They wanna know upfront, have you had a claim? And that's gonna make a difference. It's gonna be right away.

Walt Zerbe (43:13.089)
Okay.

Okay. Yeah, my point there was just get it. Don't wait till something happens.

Chris Boots (43:21.164)
Yeah, yeah. And you know, data breaches, you know, there was a manufacturer in Northwest Ohio and he had actually gotten a quote from an insurance carrier for, and his cyber policy was, it was, the quote was $4,500 and he turned it down. Well, six months later, he walks in from lunch and there's two people from the FBI standing in his office. And he said, what can I do for you? And they said, you've had a cyber attack and we are here to fix it.

Walt Zerbe (43:44.045)
What?

Chris Boots (43:50.7)
and you need to know this." And he's like, well, I have had no response whatsoever of having a cyber attack. He says, well, the IRS notified us, and that's why we are here. And so what happened was is that within the spring of the year, his employees start, because he's like, I don't take credit card information. I don't keep personal identifiable information. And they said, well, your employees have filed their taxes, and their taxes are being rejected because it's a second file on their social security number.

and it's all of your employees that are experiencing this. ended up costing, his employees sued him, ended up costing him $225,000 to fix this mess when he could have bought a $4,500 cyber policy. So it's incredible. Yeah, it really is. And the other part of data breach though is what, you know, the first step when you have a data breach is you have to have a forensic review.

Walt Zerbe (44:36.792)
Wow.

Chris Boots (44:48.054)
Well, right off the bat, that's $50,000. that's for, that's nobody fixing it. They're looking at it. And so what there are after the review, then there's a law review and the law review comes in and they say, well, you have, you have contacts in this state and that state and this state and that state. And so every, every state has different laws and how these people and the timeframe that they have to be notified. And so,

Walt Zerbe (44:50.723)
Whoa.