1
00:00:00.440 –> 00:00:01.130
Jake Marcus: That’s it.
2
00:00:02.320 –> 00:00:04.650
Jake Marcus: So we got a lot of people in the waiting room.
3
00:00:07.110 –> 00:00:15.040
Jake Marcus: So we’re we’re getting started out here as we let people filter into the ballroom.
4
00:00:15.040 –> 00:00:17.550
Steve Marcus: Jake, what are you supposed to tell the people, hunter.
5
00:00:17.550 –> 00:00:21.470
Jake Marcus: This is every there’s a ton of seats up front. Everyone come.
6
00:00:21.470 –> 00:00:23.099
Steve Marcus: Go to the front.
7
00:00:24.430 –> 00:00:29.550
Steve Marcus: Jake. Jake just takes things that I said 40 years ago and just recycles them.
8
00:00:29.550 –> 00:00:35.449
Jake Marcus: And have been repeating for 40 years. So it’s drilled into my mind. So I really don’t have a choice but to repeat it.
9
00:00:35.740 –> 00:00:37.129
Steve Marcus: I do repeat a lot.
10
00:00:37.380 –> 00:00:37.840
Jake Marcus: That’s true.
11
00:00:38.325 –> 00:00:39.780
Steve Marcus: Is a disability.
12
00:00:41.390 –> 00:00:44.760
Jake Marcus: It’s a disability. Well, what can you do?
13
00:00:44.760 –> 00:00:47.199
Steve Marcus: We have. We have 50 people in the room, Jake.
14
00:00:47.200 –> 00:00:59.980
Jake Marcus: So we’re already. We have a lot to cover today. And and actually, I need to change your name, because that is not your name. So we have people coming.
15
00:00:59.980 –> 00:01:02.030
Steve Marcus: That started from the bottom. Now we’re here.
16
00:01:03.120 –> 00:01:03.540
Erik Davis: Exactly.
17
00:01:03.540 –> 00:01:05.560
Kevin Davis: What’s underneath.
18
00:01:06.570 –> 00:01:12.305
Jake Marcus: Oh, and you too. Yep, alright! So we are off to a great start today.
19
00:01:13.300 –> 00:01:16.809
Steve Marcus: Good morning. It’s not even morning. It’s 1 Pm. Wow! Alright.
20
00:01:17.240 –> 00:01:19.760
Steve Marcus: Well, it’s morning. It’s morning West.
21
00:01:19.930 –> 00:01:27.499
Jake Marcus: That’s true. 10 Am. In the West Coast, which we are. Live here from Massachusetts. La.
22
00:01:27.500 –> 00:01:31.950
Steve Marcus: We have somebody from Montana on the call, so they’re 2 h different.
23
00:01:32.090 –> 00:01:45.750
Jake Marcus: That’s great. So we have people from all over different geographic regions. We have an action packed program. Today. As you can see, we have a larger panel than usual. We’re really getting into cyber security.
24
00:01:45.750 –> 00:02:10.120
Jake Marcus: And if you don’t know about cybersecurity, you’re going to probably know, then you even want to know after today’s today’s session. And today we’re really getting into cybersecurity. But the top cybersecurity threats facing hoas and condominiums which includes data breaches fraud liability and the like. So
25
00:02:10.340 –> 00:02:21.645
Jake Marcus: I am, Jake, Marcus. This is Episode 23 of the Marcus hour. So we’re we’re coming up on our our 2 years of doing these.
26
00:02:22.220 –> 00:02:48.180
Jake Marcus: and I’ll share the the Powerpoint that we have. And I’m Jake Marcus, a partner at Alcock and Marcus, a full service law firm that represents Condominium associations throughout New England as well as Florida we now represent, are proud to announce that we represent every State in New England, or have attorneys that can represent every State in New England.
27
00:02:48.180 –> 00:03:12.009
Jake Marcus: I’m here with Steven Marcus, also of counsel, or the chief information officer, employee number 8 at Alcock and Marcus. He just makes baskets like Antoine Walker. So we’re happy to have him aboard. And we’ve been doing this for yeah, 2 years. This is our second webinar with Kevin Davis and Eric Davis, of Kevin Davis Insurance Services.
28
00:03:12.010 –> 00:03:35.639
Jake Marcus: Kevin is the president of Kevin Davis Insurance Services, and also the managing general agent of Travelers. Eric is Vp. Began in New York City, and is named one of the best insurance professionals under 40. So we have a promising promising duo here today to
29
00:03:35.740 –> 00:03:59.279
Jake Marcus: bring us back for installment number 2 related to insurance and condominiums, and as it relates to Kevin Davis insurance services, we want to start out with a big congratulations to their company, which is celebrating 25 years of bringing insurance and risk management services, and really being the experts in this field.
30
00:03:59.280 –> 00:04:15.809
Jake Marcus: they insure over 40,000 associations and offer specialty insurance coverage. Both Kevin and Eric are Cirm certified and do anything from dno crime, umbrella, errors, and omissions.
31
00:04:15.810 –> 00:04:27.260
Jake Marcus: and of course, what we’ll be talking about today, cybersecurity, which is a growing area, something that you should not bury your bury your head in the sand about, even though it is complex. And
32
00:04:27.260 –> 00:04:51.429
Jake Marcus: really no one even I don’t think anyone understands what’s going on with the Internet or a computer or technology. It’s all over my head. But that’s why we also have 2 other experts from wizard computer services. Eric Kuznets and Chris Gear. Eric is the Vp of wizard computer services. Chris Gear runs the cybersecurity and
33
00:04:51.600 –> 00:04:55.610
Jake Marcus: project manages for wizard services.
34
00:04:55.790 –> 00:05:15.238
Jake Marcus: And if you don’t know about wizard computer services, they are a it full service. It solutions provider, one of the leading providers in the Boston area. I’ve been around since 1997. They know what they’re doing. They provide full services to small and medium medium sized businesses
35
00:05:15.620 –> 00:05:35.109
Jake Marcus: as we mentioned, as it relates to manage services, consultation, installation, and of course, cyber security. So what we’re really gonna get into on on this episode in this installment. And I also want to introduce Sherry Branson, who’s gonna kick off and kind of get us into the program as a whole.
36
00:05:35.390 –> 00:05:56.470
Jake Marcus: What we’re going to get into today is the top cyber security issues and what hoas condominiums are facing what property managers may be facing and kind of get into how you can go to Wizard. You can go to Kevin Davis insurance services, and they’ll kind of give you a rundown on how to prevent these issues
37
00:05:56.600 –> 00:06:09.529
Jake Marcus: at the forefront, and then what to do if the unfortunate circumstance, the possibility of a hack or fraud situation. But I’m going to hand it off to sherry to kind of get a little.
38
00:06:10.046 –> 00:06:15.729
Steve Marcus: Did you cut out my 5 min setting the table.
39
00:06:15.900 –> 00:06:17.210
Jake Marcus: No, you can go. Yeah, go ahead.
40
00:06:17.210 –> 00:06:28.470
Steve Marcus: Okay, okay? And and then then sherry is much nicer and much better spoken than me as pretty much everybody is. So so
41
00:06:28.730 –> 00:06:37.130
Steve Marcus: in 1984 community associations, condominiums, Hoa’s co-ops did not
42
00:06:37.440 –> 00:06:41.470
Steve Marcus: think they needed directors and officers liability insurance
43
00:06:42.560 –> 00:06:53.990
Steve Marcus: until Kevin Davis came along with a couple of my other buddies, rich Kennedy from New Jersey, George Nowak from from Atlanta.
44
00:06:54.130 –> 00:07:02.310
Steve Marcus: But all of a sudden everybody knew they needed it, and
45
00:07:02.974 –> 00:07:10.070
Steve Marcus: and we also learned that all as others entered the market, that all policies are not alike.
46
00:07:10.350 –> 00:07:14.090
Steve Marcus: so that the better policies covered
47
00:07:14.140 –> 00:07:32.109
Steve Marcus: might cover Epl. They might cover. They would cover non monetary damages. So Kevin’s example used to be, somebody brings in a Potbelly pig. They just want to keep the pot Belly pig. No money damages no anything. And yeah.
48
00:07:32.647 –> 00:07:51.560
Steve Marcus: adding the manager as being being covered under the or the association having the manager covered under the D and O. Policy as well. We’re all nice bells and whistles so fast forward to 2025,
49
00:07:51.720 –> 00:08:06.030
Steve Marcus: and computers have. And technology is exploding. And so suppose an association condominium hoa co-OP
50
00:08:06.510 –> 00:08:13.620
Steve Marcus: owes one contractor for major repairs $300,000,
51
00:08:15.230 –> 00:08:20.010
Steve Marcus: either the manager or the or the or the board, and and that can make
52
00:08:20.120 –> 00:08:24.579
Steve Marcus: a difference, as we’ll discuss gets a email
53
00:08:24.760 –> 00:08:28.749
Steve Marcus: saying, Please wire the $300,000
54
00:08:28.850 –> 00:08:37.179
Steve Marcus: to this particular to the. With these wiring instructions, the board member or manager?
55
00:08:38.049 –> 00:08:39.530
Steve Marcus: Why is the money?
56
00:08:40.120 –> 00:08:43.970
Steve Marcus: And it turns out
57
00:08:44.610 –> 00:08:53.589
Steve Marcus: that it was a fake email. The funds have been diverted, likely never to be seen again.
58
00:08:54.488 –> 00:09:04.729
Steve Marcus: If there’s insurance that the carrier may may try to track down where the funds went. So
59
00:09:05.520 –> 00:09:12.609
Steve Marcus: what’s gonna happen in terms of what should all of you on the call be nervous about
60
00:09:12.900 –> 00:09:14.380
Steve Marcus: in my mind.
61
00:09:16.020 –> 00:09:25.720
Steve Marcus: And if this is a marketing tool, it’s a weird one, be because basically, I think my intent is to scare everybody a little bit.
62
00:09:26.430 –> 00:09:30.930
Steve Marcus: So the board members you go to the unit owners and say.
63
00:09:31.040 –> 00:09:38.269
Steve Marcus: at least in a lot of States. we have a $300,000
64
00:09:38.520 –> 00:09:40.859
Steve Marcus: of funds that are are gone
65
00:09:42.280 –> 00:09:49.089
Steve Marcus: worse. We can’t pay the contractor $300,000 for the major repairs that they did.
66
00:09:50.530 –> 00:09:53.550
Steve Marcus: And you tell that to the unit owners.
67
00:09:53.670 –> 00:09:56.390
Steve Marcus: And what are the Internet owners gonna say
68
00:09:56.490 –> 00:10:09.169
Steve Marcus: they’re going to say, well, we’re going to sue you. You lost $300,000 of other people’s money, and we don’t want to pay our share of it, and we think you messed up.
69
00:10:10.550 –> 00:10:21.850
Steve Marcus: The the next person in line is the management company and the manager. Let’s say that they manage 50 condominium associations.
70
00:10:22.413 –> 00:10:48.819
Steve Marcus: And each one has 50 units or whatever, but the servers and everything else. The portals are all with the manager. The management company makes the decisions on the protocols they take to protect to protect the information so that these kind of fishing expeditions, fake emails, etcetera, social engineering don’t don’t happen.
71
00:10:49.501 –> 00:10:56.150
Steve Marcus: So people are gonna be pointing at the manager as well and saying.
72
00:10:56.590 –> 00:11:10.339
Steve Marcus: We’re gonna Sue, the manager. The manager should have had the protections in place to stop this from from happening and they should have told the Board that they should have this insurance.
73
00:11:10.550 –> 00:11:19.510
Steve Marcus: I’m not convinced managers are supposed to be insurance ex experts or advisors, but that’s a likely scenario. So you now have the board and the manager.
74
00:11:19.730 –> 00:11:23.599
Steve Marcus: So I know there are a lot of insurance people on this call.
75
00:11:23.820 –> 00:11:25.969
Steve Marcus: So I don’t want to leave you out.
76
00:11:27.700 –> 00:11:32.740
Steve Marcus: The next group that they’re gonna look at are gonna be the insurance agents.
77
00:11:32.930 –> 00:11:58.959
Steve Marcus: and it’s gonna be, what are they going to say about the insurance agent? Well, they’re going to say, well, let’s sue them. And why are they going to sue the insurance agent. Well, they’re going to say that the insurance agent did not have a big disclaimer on their proposal, stating that cybercrime is not included under the policy.
78
00:12:00.300 –> 00:12:07.370
Steve Marcus: So I think there’s enough dangers for a significant amount of monies.
79
00:12:08.192 –> 00:12:19.580
Steve Marcus: That everybody should be a little worried. And then the problem gets worse because cyber
80
00:12:19.790 –> 00:12:31.970
Steve Marcus: coverage is not fidelity or crime coverage. Your fidelity or crime coverage is not going to cover these losses for reasons Kevin and Eric will get into, so there’ll be no coverage.
81
00:12:32.440 –> 00:12:44.180
Steve Marcus: There’s 1 case that Jake found somewhere where a DNA carrier provided a defense, but usually dno is not going to step step in in either. So what are the solutions?
82
00:12:44.490 –> 00:12:45.379
Steve Marcus: Well, one.
83
00:12:45.510 –> 00:12:58.419
Steve Marcus: What wizard does protect the software, the servers, and everything else, so that there isn’t a hack, or they can’t give a hundred percent guarantee but to cut down the chances of a hack
84
00:12:59.941 –> 00:13:12.870
Steve Marcus: and then cyber. Then Kevin and Eric with cyber insurance but not all policies are alike, but
85
00:13:13.230 –> 00:13:18.840
Steve Marcus: the carriers these days for the cyber insurance want to see an application filled out.
86
00:13:19.100 –> 00:13:47.479
Steve Marcus: and they prefer correct answers not wrong information, saying what protections you have in place. So it all goes around in a big circle where the the team becomes kdis and wizard working together to fill in what the carriers want to provide the appropriate coverage. And adequately protect you. So with that
87
00:13:47.630 –> 00:13:50.470
Steve Marcus: I’m done with my 5 min.
88
00:13:51.014 –> 00:13:53.679
Steve Marcus: Jake, what are you doing next?
89
00:13:55.190 –> 00:14:16.419
Jake Marcus: All right. Well, that was about 9 min. I’m just kidding. That was useful. So now we’re going to push over to Sherry, who’s going to facilitate a lot of really insightful questions that we got that range from. You know. How do you protect? What is the current landscape? How do you protect?
90
00:14:16.430 –> 00:14:42.930
Jake Marcus: What types of data breaches are we looking at? What type of ha! I mean? Eric Davis and I spoke at in Orlando a couple months ago, and we said, You know, cyber security out of sight, out of mind hasn’t happened to me. What are the chances? Some don’t even get coverage on it. Some don’t know how to protect, some don’t have the best safeguards in place which wizard computers will be able to address
91
00:14:43.280 –> 00:14:46.750
Jake Marcus: but we were talking about it and saying, Well.
92
00:14:47.310 –> 00:14:55.080
Jake Marcus: what if something significant did happen? A serious data breach of a management company that manages
93
00:14:55.620 –> 00:14:59.270
Jake Marcus: hundreds, thousands of associations
94
00:14:59.500 –> 00:15:08.500
Jake Marcus: that would be like a surfside type incident. In. If there was a fraud situation, a hacking situation where,
95
00:15:09.370 –> 00:15:16.700
Jake Marcus: copious amounts of files were compromised. So we really right now, it doesn’t seem like an issue, but
96
00:15:16.780 –> 00:15:35.360
Jake Marcus: it might take something significant. It might even take it just happening to on a smaller scale. And we hope that doesn’t happen. But I think that’s kind of the backdrop. And why this is an important topic, and why the people at Kdis and the people at Wizard can be of use and and are important to reach out before
97
00:15:35.360 –> 00:15:50.950
Jake Marcus: something of that nature even comes close to happening. So with Sherry, she’s gonna get into some of the questions that we got some great questions from the from the audience and feel free to submit any questions in the chat that you have. As to cyber security.
98
00:15:51.255 –> 00:16:07.219
Jake Marcus: and your it generally, and what you can do in your community to make sure it’s protected, or even, let’s say your manager, or you have your own insurance services. What type of what type of what type of things can you do to put in place and and be ahead of the curve.
99
00:16:08.340 –> 00:16:11.176
Kevin Davis: Sherry for you start. I’m gonna add something in there.
100
00:16:11.470 –> 00:16:41.060
Kevin Davis: The one thing that really kind of expanded this for us. When Eric and I started talking about it is the claims we’ve been seeing over the past 2 years. We were seeing more claims. If you add up all the claims we’ve received since 2022. They have more than we’ve seen in the past 10 since we started writing cyber insurance. So one of the things we’ll end up talking about. And it is the claims that we’re seeing the actual claims against Community association. So looking forward to this chat.
101
00:16:41.480 –> 00:17:10.730
Sherry Branson: Great fantastic. Thank you, Stephen. Thank you, Jake, and thank you, Kevin, and we’ve received lots of great questions from you all. And again, if you think of any other questions you’d like to get answered at the end of the webinar. Feel free to type them in the questions box, and we’re happy to answer your questions. So we have great experts joining us today. And the 1st question to start out with is, what are the most effective software based protections organizations can implement today to reduce their risk of cyber theft.
102
00:17:12.530 –> 00:17:12.880
Steve Marcus: So.
103
00:17:12.880 –> 00:17:14.240
Chris Geer: Yes, yeah, sure.
104
00:17:14.240 –> 00:17:23.880
Chris Geer: I can take that one so you really want to start out with the foundational tools, such as Antivirus Edr.
105
00:17:24.398 –> 00:17:45.600
Chris Geer: You know, making sure your firewalls spam filtering is up to date. You’re encrypting, you know your laptops, your your digital communications? But really, we want to prioritize, prioritize the multi factor, authentication side of things, and the endpoint detection and response side, because those are the those are the tools that make.
106
00:17:46.169 –> 00:17:55.510
Chris Geer: You know, username and password compromise is less effective. So when you have that multi factor, authentication enabled you know, there’s that additional step
107
00:17:55.730 –> 00:18:20.420
Chris Geer: to get to the resources. And then, you know, long gone are the days really for traditional Antivirus, you know, back years ago, you know, Antivirus was the big thing. But now it’s really the next Gen. Type, antivirus with Edr, which is an endpoint, detection and response system that is monitored 24 by 7 and responds to real time threats that happen within the with the endpoints in the network.
108
00:18:22.470 –> 00:18:41.269
Eric Kuznitz: And these these pieces of software, specifically, the Edr will will alert. Say, Hey, look! There’s something that we don’t recognize, and that’s out of place from this particular machine or this particular email account, or or a location right? Sometimes it’s location based. Chris. We get alerts all the time that, says
109
00:18:41.960 –> 00:18:47.090
Eric Kuznitz: Stephen. Marcus logged in from Lithuania, and it’s
110
00:18:47.090 –> 00:19:08.549
Eric Kuznitz: setting up a flag. So now we look into it. We reach out to someone at the office, hey? Is Steven traveling? No, he’s not okay. Well, then, then, the system will will reply, No, and the system will lock down that email account. So there’s nothing, you know, someone’s trying to get in to to Stevens. And you know, we found that that
111
00:19:08.670 –> 00:19:10.350
Eric Kuznitz: response
112
00:19:10.490 –> 00:19:26.419
Eric Kuznitz: from those locations is is just huge. Like we. I mean, we might get 5 a day and and listen. There’s a lot of times that they’re legit and someone is traveling, and we still get the alert, and we look into it and and verify right location of this person if we can’t find them
113
00:19:26.450 –> 00:19:40.070
Eric Kuznitz: and we can’t get a touch of someone, then I think we’re we’re kind of as a company, been better to be safe than sorry. I mean, all all we’re doing is is resetting your email password from here, and and you’ll call us, and we’ll re and and we’ll
114
00:19:40.070 –> 00:19:57.390
Eric Kuznitz: get it back up and running for you, you know, immediately. But I think for the amount of breaches we’ve seen, especially with email that that this tool that we have is is it’s invaluable to our, to our clients, to our end users. And and it really just shows how sophisticated
115
00:19:57.440 –> 00:20:02.179
Eric Kuznitz: you know a the hackers are, but the people trying to stop them as well, you know. I mean. They’re kind of like.
116
00:20:02.300 –> 00:20:06.020
Eric Kuznitz: you know that the hackers are generally a step ahead.
117
00:20:06.470 –> 00:20:07.080
Sherry Branson: And.
118
00:20:07.080 –> 00:20:15.639
Eric Kuznitz: You know the response people are generally chasing. But I think with some of these tools now it’s kind of even the playing field a little bit.
119
00:20:16.040 –> 00:20:43.809
Kevin Davis: Yeah, let me let me add something about the multi factor, authentication thing. That is such an important thing that right now they get insurance for cyber. They look at that. They look at the anti virus software do you have? And look at the encryption? And they look at those things and a lot of carriers it and depends on the limit how big you are. They won’t even insure you unless you have multi factor, authentication. And that is right. Now, the most critical piece out there. Don’t you guys agree.
120
00:20:43.810 –> 00:21:01.009
Chris Geer: I mean, it’s the most cost, effective security measure. You can take it it. It’s cost barely anything to to enable and roll out, and it adds such a significant layer of security to the environment. No matter what application or system you’re protecting with. Mfa. It’s it’s a no brainer.
121
00:21:01.880 –> 00:21:14.949
Steve Marcus: And for the people that under, like me, who understand this less than everybody else, I think on the authentication. Because I run into it in using
122
00:21:15.120 –> 00:21:21.850
Steve Marcus: computers and websites, and whatever you put in your password.
123
00:21:22.471 –> 00:21:25.179
Steve Marcus: but it then doesn’t open up
124
00:21:25.320 –> 00:21:38.199
Steve Marcus: it, then says we’ll send say to your cell phone or by email a 300 number?
125
00:21:38.360 –> 00:21:53.700
Steve Marcus: Well, usually it’s less 5 to 6 or 7 number code. And you put that in. That’s the double authentication. They know they sent it to my cell phone. And that is that generally.
126
00:21:54.050 –> 00:21:56.800
Steve Marcus: Well, what you’re talking about for a layperson.
127
00:21:56.800 –> 00:22:15.669
Chris Geer: Yeah, it’s just another form. So something other than a username and password. It could be a token, a physical key it could be a push notification to a phone. It could be a text message, although we try to stay away from the the text messaging authentication piece. But anything is better than nothing when it comes to multi factor, authentication.
128
00:22:16.090 –> 00:22:38.970
Eric Kuznitz: I think the apps, too, are pretty pretty commonly used, and even more secure than the text. So if you use a Google authenticator or Microsoft authenticator, those you and if you have one, I mean I must have 15 different sites that I go to, that. These 6 digit codes change every 30 seconds. So if I go to log into a particular piece of software that I use.
129
00:22:39.030 –> 00:22:46.400
Eric Kuznitz: and you know this is like a little countdown right next to it. You type in those. If if it resets even before I hit enter.
130
00:22:46.490 –> 00:22:52.619
Eric Kuznitz: then I’m not getting in, and then I have to re-enter it in. So those apps are, are kind of
131
00:22:53.330 –> 00:22:58.199
Eric Kuznitz: more advanced security than than just getting a simple text message. Now, at this point.
132
00:22:58.210 –> 00:22:58.990
Sherry Branson: Hmm!
133
00:22:59.590 –> 00:23:04.480
Sherry Branson: Sounds like cyber security has come a long way. It’s really, really advanced now. Incredible.
134
00:23:04.787 –> 00:23:05.709
Jake Marcus: And and I.
135
00:23:05.710 –> 00:23:06.320
Sherry Branson: Agree.
136
00:23:06.320 –> 00:23:28.269
Jake Marcus: I think, on the insurance side, and Kevin and Eric will be able to speak further. This might actually be a question that comes up. But we were doing a pre-session yesterday, and we were talking about kind of the different things that may be carried may be covered. And and what what represents a wrongful act, and also the difference between crime
137
00:23:28.410 –> 00:23:40.560
Jake Marcus: which the traditional sense would be someone physically going to your computer breaking in getting the files. Now it’s different. All this is in the Cloud Cloud based software, and
138
00:23:40.730 –> 00:24:05.090
Jake Marcus: you’re seeing things that are popping up in the cyber security realm that may not have been covered 10 years ago, or may have been loosely covered, but unsure how it is covered. So we really I think they can delve into a little bit more on how that has kind of evolved over the last few years. But I’m sure there may be a question on that that more specifically addresses that type of situation.
139
00:24:05.090 –> 00:24:20.970
Kevin Davis: Well, let’s jump into the one right now. That’s the biggest one is social engineering. And, Eric, you talked about social engineering yesterday. The difference between that and historically, everybody believed it was covered under the crime policy. Go ahead, Eric. You can talk about that one. Yeah.
140
00:24:21.290 –> 00:24:28.189
Erik Davis: Sure, no problem. So basically what Jake was saying, that you know the crime policy and the cyber policy, a lot of
141
00:24:28.430 –> 00:24:48.079
Erik Davis: individuals consider to be like. Oh, they have similar coverages. They have similar names. Maybe they do the similar things when and don’t be wrong. There are some similarities, you know you can find a cyber policy that has a lot of crime insuring agreements in it, and there are some crime and sharing agreements that sound somewhat like cyber, like cyber insurance agreements.
142
00:24:48.200 –> 00:24:48.930
Erik Davis: But
143
00:24:49.110 –> 00:24:59.849
Erik Davis: the difference is that when it comes to, at least in a social engineering standpoint, so there’s 1 coverage that most that most crime policies have. It’s called funds transferred fraud coverage.
144
00:24:59.980 –> 00:25:07.790
Erik Davis: Now to anybody who is not an insurance person. If I willingly give my money somewhere, and it was a fraudulent act that would cover that
145
00:25:08.700 –> 00:25:10.499
Erik Davis: everybody. I would think so right.
146
00:25:10.980 –> 00:25:22.589
Erik Davis: But that that’s where the issue lies that you are willfully giving the money away to this bad actor. 3rd party, individual person. Now you were. It was a you were essentially tricked into doing so.
147
00:25:23.150 –> 00:25:30.859
Erik Davis: but you were still willfully gave the money away, which is why, up until probably, you know, social engineering probably came around the last
148
00:25:31.590 –> 00:26:01.339
Erik Davis: 7 to 10 years or so. But prior to that there was no once you, if once you gave the money away willfully, that was it. There was no longer a crime. It was no longer a crime loss because you’re willfully giving the money away. Now, social engineering, which is, you know, everybody’s been either seen it heard it, maybe maybe not heard of the term before, but has experienced it in some way, shape or form. Somebody gets an email pretending to be somebody else, or the example that that Steve gave where
149
00:26:01.640 –> 00:26:12.549
Erik Davis: you know you. You have a contractor. They change their bank information. Say, hey! Don’t send it here, send it to this bank, and then you send the money away. And now that money is gone, now
150
00:26:12.760 –> 00:26:36.559
Erik Davis: that happens all the time, and that happens. Whether it’s contractor, whether it’s, you know, employee to employee, employer to employee. Whether it’s you know, any. This can happen anywhere, it even can happen to in your personal life, which we’ll probably get into more. But you know, associations usually don’t have company computers. They’re usually just using your own personal computer to conduct association business. So if you get
151
00:26:36.630 –> 00:26:44.809
Erik Davis: one of those kind of if you get or you’re a victim of breach, or there’s like some kind of social engineering situation on your computer. Those are things that are
152
00:26:44.950 –> 00:26:46.620
Erik Davis: would have to be covered.
153
00:26:47.700 –> 00:27:06.089
Erik Davis: Those are things that are. Those are major issues that need to be, I guess, reconciled and taken into account. So social engineering is definitely something. That is, we see a lot. It’s a big issue, and it’s something that is extremely important to have, because willfully giving the money away. If you do not have that.
154
00:27:06.400 –> 00:27:11.489
Erik Davis: it’s there’s no coverage under the crime. So make sure you have a crime policy that has that
155
00:27:12.000 –> 00:27:22.910
Erik Davis: and this, and you can get a cyber policy that some cyber policies do include social engineering coverages. But for association business, usually, that that’s something that you have to get under your crime.
156
00:27:23.470 –> 00:27:25.820
Sherry Branson: As an endorsement rate. Eric.
157
00:27:25.820 –> 00:27:26.910
Erik Davis: As a separate endorsement.
158
00:27:26.910 –> 00:27:28.750
Sherry Branson: As a separate endorsement.
159
00:27:28.900 –> 00:27:41.419
Sherry Branson: Absolutely. And it’s really not that expensive. I was checking with one of our underwriters this morning. Sorry I have some landscapers going by in the background. So it’s a little bit noisy in the back. But I checked into the
160
00:27:41.880 –> 00:27:50.559
Sherry Branson: currently you know what our premiums are in New York, and I found out that for $100,000 worth of social engineering coverage it’s $62,
161
00:27:50.750 –> 00:27:54.590
Sherry Branson: and for half a million it’s 1, 24.
162
00:27:54.800 –> 00:28:08.249
Sherry Branson: So they’re not expensive, you know, and like you said, I mean, many emails are going out every day trying to trick people into sending money or transferring money, etc. So so it’s great coverage to have fantastic coverage, to have.
163
00:28:08.250 –> 00:28:14.920
Kevin Davis: Yeah. And sherry. One of the issues is when you talk about things like social engineering, it is people
164
00:28:15.040 –> 00:28:23.599
Kevin Davis: we it we get. I mean. It happens to me. Whenever I go out of town I go to a Ci conference right? And I put on Linkedin. I’m going to a conference in Florida.
165
00:28:24.020 –> 00:28:30.190
Kevin Davis: By the time I get to Florida our office gets these emails saying, Hey, I’m landing Florida. Send me some gift cards.
166
00:28:31.350 –> 00:28:42.149
Kevin Davis: Perfect example of social engineering. It is by far. If I looked at all our claims, we’ve received social engineering by far. The number one claim that we get over and over and over again. So.
167
00:28:43.340 –> 00:28:45.249
Sherry Branson: Absolutely. Yeah, right? Now.
168
00:28:45.250 –> 00:28:53.050
Jake Marcus: Raise your hand if you’ve ever received a an email that says you want a gift card from Amazon.
169
00:28:53.810 –> 00:28:55.320
Sherry Branson: Oh, I get them all the time.
170
00:28:55.320 –> 00:28:56.289
Jake Marcus: Yeah, yeah, it’s
171
00:28:56.290 –> 00:29:05.889
Jake Marcus: it’s almost like I’m seeing them pop up more and more I have to. And I guess where it says, Hey, like. I’ll have my my law partner. It’ll say it on the email.
172
00:29:06.290 –> 00:29:19.899
Jake Marcus: I’ll say, are you coming into? Or can you get me a gift card on the way in today, or can you send me a gift card before you come in today? And it says the email. And you think it’s first, st and then you look. And you’re like, Oh, the email screwed up.
173
00:29:20.970 –> 00:29:23.750
Jake Marcus: I’m seeing more and more of those where it’s coming from.
174
00:29:24.110 –> 00:29:28.159
Jake Marcus: Fraudulent social engineered email accounts.
175
00:29:28.420 –> 00:29:55.369
Kevin Davis: And one more part about the social engineering before we move on is that again, outside of 7, probably 7 years ago, there was no social engineering coverage at all. I mean, Eric is correct when you give when you give money, because what happens is it has to be without your knowledge. The theft has to be about your knowledge. You give it away, you have knowledge of it, and you give it away. There’s no coverage. And historically, for the past 1015 years
176
00:29:55.700 –> 00:30:12.929
Kevin Davis: people thought it was covered under that type of except covered under the crime policy. And it’s not people to this very day. Still, not certain that you have social engineering coverage. You gotta have it. There’s nothing more important than social engineering coverage right now to protect you from a cyber loss.
177
00:30:15.690 –> 00:30:17.410
Steve Marcus: And for the agents.
178
00:30:18.669 –> 00:30:28.650
Steve Marcus: I’ve always thought that there should be a bigger list, but it would seem like there should be in any kind of proposals, etc.
179
00:30:28.810 –> 00:30:44.470
Steve Marcus: or or even the next page, is that that the insured chose not to purchase cyber coverage just like you might do if they don’t purchase
180
00:30:44.810 –> 00:30:51.380
Steve Marcus: earthquake, or dno, or or or or go with higher limits on umbrellas.
181
00:30:51.720 –> 00:30:55.280
Steve Marcus: it, it just say, seems like the agents might
182
00:30:55.520 –> 00:31:18.239
Steve Marcus: might do well, putting that in bold letters somewhere in that proposal so that it’s as clear as possible, because I’m convinced that the agent is gonna be a recipient of anger and threats of the lawsuit that somehow they messed up
183
00:31:18.540 –> 00:31:19.819
Steve Marcus: so so.
184
00:31:19.820 –> 00:31:20.910
Sherry Branson: They don’t watch it.
185
00:31:21.120 –> 00:31:25.759
Steve Marcus: They said, it’s pretty pretty pretty clear that it’s an excluded coverage.
186
00:31:25.920 –> 00:31:29.299
Steve Marcus: Yeah, maybe that maybe that helps.
187
00:31:31.040 –> 00:31:33.470
Sherry Branson: Absolutely, absolutely.
188
00:31:33.970 –> 00:31:44.910
Sherry Branson: And I have another question here, what role do software updates, patch management and configuration, hardening play in preventing cyber attacks.
189
00:31:46.600 –> 00:32:03.040
Chris Geer: Yep, so many, many attacks are exploits on known vulnerabilities. That actually have available patches to them. So this would be talking like your internal systems, like your your servers your firewalls
190
00:32:03.736 –> 00:32:25.550
Chris Geer: your perimeter devices where they gain access through a vulnerability or known vulnerability and in most cases a username and password with no multi factor, authentication. Once they’re able to obtain access to the network they then utilize known vulnerabilities within the internal components of your network to move laterally.
191
00:32:26.246 –> 00:32:33.219
Chris Geer: And once they move laterally, they identify, you know, their target devices. And a lot of times. That’s you know. They’ll
192
00:32:33.370 –> 00:32:56.530
Chris Geer: take all your data, upload all your data, and then they’ll initiate in case of a ransomware attack. They’ll initiate the ransomware attack on your network, which then encrypts the contents of all your network devices. So your servers, your workstations anything that they can encrypt, which renders the network, and you know your productivity.
193
00:32:56.890 –> 00:33:01.660
Chris Geer: you know, grinds to a halt, and a lot of times following that I’m sorry. Go ahead, sherry.
194
00:33:01.660 –> 00:33:07.707
Sherry Branson: Oh, I was, gonna say, yesterday, you were mentioning, you’re seeing a lot of Ransomware right now is that a trend, you’re seeing
195
00:33:07.970 –> 00:33:15.510
Chris Geer: Yeah. So we we see. And it’s all business sizes that they’re they’re they’re not discriminatory on who they are attacking.
196
00:33:15.966 –> 00:33:43.179
Chris Geer: You know. I mean, if you’re handling money sensitive information, Pii. Anything like that, I mean, information is is worth a lot of money. Not only for the current attack. But future attacks. Right? They’re gathering data, for you know, employee databases get compromised. They use that information. You know, or client information to. Then, further, you know, down the road go after
197
00:33:43.330 –> 00:33:45.040
Chris Geer: other targets.
198
00:33:45.560 –> 00:33:51.169
Chris Geer: But yeah, it’s it’s mostly exploits or honestly, social engineering. And and that’s where
199
00:33:51.910 –> 00:34:14.340
Chris Geer: having a good. You know, cybersecurity, awareness training program for your employees to recognize the phishing, the trick emails, the fake links and all that stuff. It’s invaluable. You’re not only protecting your business. You’re actually giving your employees almost a benefit. I look at it by protecting their personal
200
00:34:14.786 –> 00:34:24.579
Chris Geer: Assets, you know, because with these threat actors are not targeting just businesses, targeting individuals as well, because there’s money to be made everywhere, doing it.
201
00:34:24.790 –> 00:34:33.150
Steve Marcus: So so, Chris, let’s let’s go to the management company that manages a hundred condominiums
202
00:34:33.897 –> 00:34:37.720
Steve Marcus: is the servers are all
203
00:34:39.362 –> 00:34:50.557
Steve Marcus: with the management company all of their portals for each different condominium or hoa
204
00:34:52.320 –> 00:35:05.329
Steve Marcus: tons of money and and and data but couldn’t someone freeze up
205
00:35:05.770 –> 00:35:14.459
Steve Marcus: everything that that management company is managing? And, in other words, could they? They mess up
206
00:35:14.970 –> 00:35:23.750
Steve Marcus: all 100 associations and all the data and bring things to a halt for all those associations or.
207
00:35:23.750 –> 00:35:25.799
Chris Geer: Absolutely 100%.
208
00:35:26.510 –> 00:35:32.460
Steve Marcus: Okay, and you can’t, and you can’t guarantee that what you do stops at.
209
00:35:32.720 –> 00:35:38.560
Steve Marcus: But it gets it pretty damn good.
210
00:35:38.560 –> 00:35:44.310
Chris Geer: We can mitigate the risk. We can lower the risk profile right? It’s all about. You know, we have to operate in layers
211
00:35:44.460 –> 00:35:48.160
Chris Geer: of security as well. So we want, and you mitigate.
212
00:35:48.630 –> 00:36:05.379
Steve Marcus: Do. Do you always have the risk of the person in the office who, sees the free $50 gift certificate for Amazon? I mean, you can’t stand over their desk and and make sure nobody hits the button that they’re not supposed to hit.
213
00:36:05.510 –> 00:36:08.089
Chris Geer: Correct. But you want to have the tools in place
214
00:36:08.260 –> 00:36:20.800
Chris Geer: like the Edr solution, that if that employee does click, that link that Edr solution detects it stops it. And this app, we see this happen frequently, you know, within our with our within our platform.
215
00:36:21.349 –> 00:36:46.880
Chris Geer: That, you know, somebody gets a link. They click on it. It installs a backdo program that allows the threat actor access back into the computer. And within within seconds we’re getting notified that this has happened. The device has been isolated from the network, and then we take action on it. We remove the. We remove the component that was installed and we train the end user on what they did wrong.
216
00:36:47.420 –> 00:36:48.809
Steve Marcus: Is this? 24, 7.
217
00:36:48.810 –> 00:36:50.800
Chris Geer: It’s 24, 7. Yes, sir, yep.
218
00:36:50.930 –> 00:37:04.030
Eric Kuznitz: That’s the biggest risk, too, is the the end. Users right? Like you’re saying, Stephen. We can’t stand over everyone’s desk and see what they’re clicking on and what email they’re responding to. And you know, we’ve seen it. And you guys have probably seen it, too, where there
219
00:37:04.650 –> 00:37:21.210
Eric Kuznitz: 2 different companies could be having an email. They’re doing business together. They’re having an email conversation. And all of a sudden it gets intercepted. And one person is now communicating, pretending to be one of the other people. And then, before you know it, that’s where the wire transfer comes from.
220
00:37:21.280 –> 00:37:26.370
Eric Kuznitz: And it’s just it’s just. It’s it’s so prevalent. We see it
221
00:37:26.430 –> 00:37:41.479
Eric Kuznitz: daily, multiple times a day. And it’s really it’s the end user. And and the employee training that that I think is is really the the 1st step in in trying to just kind of mitigate, mitigate the loss, mitigate the risk
222
00:37:41.844 –> 00:38:01.629
Eric Kuznitz: and and just the knowledge that that can be provided, you know and what it does. It sends out fishing simulation emails. And and if you click on it and think it’s real, then you get bounced to training immediately, and it’ll keep doing it until you kind of say, All right. Well, let me verify so and so is is
223
00:38:01.630 –> 00:38:17.000
Eric Kuznitz: changing their bank for wiring. Let me call them on the phone and verify. That’s the best thing you can do is pick up the phone. Steven, did you change your banking information where I need to wire you money. Yes, I did, all right. Can you verify it for me? Yep, here it is perfect. Sending it over.
224
00:38:17.010 –> 00:38:31.650
Eric Kuznitz: I mean, it’s simple it everyone’s so fast and doing things multiple times digitally and and and multitasking. But picking up the phone and verifying, you know, something of the of that nature is is probably the most
225
00:38:32.260 –> 00:38:36.049
Eric Kuznitz: safest way to kind of mitigate any type of transfer really.
226
00:38:36.610 –> 00:38:41.120
Steve Marcus: For for the, for the the managers, board members.
227
00:38:42.020 –> 00:38:45.970
Steve Marcus: and maybe the insurance agents. We’re seeing a lot with
228
00:38:46.531 –> 00:38:49.599
Steve Marcus: people who close attorneys who close on real estate.
229
00:38:49.600 –> 00:38:50.170
Eric Kuznitz: Hmm.
230
00:38:50.609 –> 00:39:02.909
Steve Marcus: In some States. That’s title companies that do do that. But I guess one suggestion I have for at least the managers and the board members is.
231
00:39:03.660 –> 00:39:11.219
Steve Marcus: It’s easy enough in the auto signature and bold to state warning on
232
00:39:11.460 –> 00:39:22.290
Steve Marcus: on wiring instructions. If you get wiring instructions, call us at this number to verify that we sent them.
233
00:39:23.412 –> 00:39:28.187
Steve Marcus: And I’m not sure I’m saying that
234
00:39:29.660 –> 00:39:33.570
Steve Marcus: with as many management companies as as I’d like
235
00:39:34.890 –> 00:39:38.850
Steve Marcus: Maybe I’m wrong, but but I don’t think it’s
236
00:39:39.240 –> 00:39:46.709
Steve Marcus: caught on as much as it probably should be, so that the receiver sees the warning.
237
00:39:47.180 –> 00:39:52.940
Steve Marcus: and the manager has some protection because their email had the warning on it.
238
00:39:53.900 –> 00:39:57.799
Steve Marcus: Kevin, do you think that helps? And and somebody asked.
239
00:39:58.555 –> 00:40:02.090
Steve Marcus: the cyber, what limits are you suggesting?
240
00:40:02.090 –> 00:40:05.069
Kevin Davis: Well, I I let me go back to the
241
00:40:05.200 –> 00:40:20.429
Kevin Davis: what happens on the on the Condo side, which we see the management company is working with the landscaper. The landscape gets hacked. Okay? So the landscape starts sending emails out to everybody, saying, Please pay to avoid any late fees.
242
00:40:20.730 –> 00:40:22.919
Kevin Davis: or please pay now to get a discount.
243
00:40:23.090 –> 00:40:25.110
Kevin Davis: Here’s my new bank and new rounding number.
244
00:40:25.230 –> 00:40:38.520
Kevin Davis: and for some reason, when you see that new banking routing number, you should automatically. I know, Chris, Eric, you’re gonna say, this automatic make that phone call. But it doesn’t happen because Erica said, it just keeps going and going and going and going
245
00:40:38.520 –> 00:40:58.430
Kevin Davis: people so busy. And that is your number one issue that we’re seeing right now. There’s 2 issues. And again, we’ve been on 45 min almost. And it’s 2 issues that really impacting community associations number one is that social media, that fraudulent email you’re getting and number 2, which can lead to the
246
00:40:58.680 –> 00:41:28.090
Kevin Davis: the Ransomware payments. You know. What we saw is somebody actually broke into a match company office, installed. The server. Just took the server out of there, you know, and the server had a lot of data in there, and our biggest claim we’ve had is from a situation like that where the investigation took place, and just investigation. There was no ransomware, the payment, but just the amount of money we had to spend on the forensic investigators. And that Guy, if I can get Chris and you and Eric to talk about
247
00:41:28.310 –> 00:41:35.590
Kevin Davis: that aspect of, because that’s where the costs really apply. If you don’t have insurance. Can you talk about that? Yeah.
248
00:41:38.585 –> 00:41:41.690
Chris Geer: About the the forensic piece of it, like the.
249
00:41:41.690 –> 00:42:09.790
Kevin Davis: Yeah, yeah, because that’s where the you know, our largest loss that we’ve had in terms of money has been for the investigation. You know that was a hundred $1,000 we spent. Just investigate a potential loss, and once we investigated, it was settled in. It was taken care of. But that part of it’s really the cost of it. That again, from our as insurance expert and a lot of insurance professionals on the call don’t really understand that cost involved right there. Just investigation.
250
00:42:10.170 –> 00:42:17.040
Chris Geer: Yeah, the the costs are huge when it comes to those investigations for sure. And that’s that’s you know. My.
251
00:42:17.380 –> 00:42:27.009
Chris Geer: you know, we always say that, you know just the the proactive security costs. Really are cost a fraction of breach breach recovery.
252
00:42:27.459 –> 00:42:48.880
Chris Geer: You know, with everything that’s entitled. I mean, you have multiple, you know, depending on what’s been, what’s been compromised. You’re you’re talking days of recovery effort. Not only from, you know, working with the forensics teams. But your It team recovering the data loss of data, potential loss of data
253
00:42:49.365 –> 00:43:05.150
Chris Geer: and just the impact of of the business alone. I mean, those those costs are enormous. And you know, like it’s it’s the proactive security does. Actually, you know it it. We’ve seen it. We’ve witnessed it over and over again, as I’ve I also lead the incident response team.
254
00:43:05.360 –> 00:43:33.560
Chris Geer: When there does. When there is a breach breach that happens, we we can spend days and and just if they had invested in some proactive security measure, almost every breach or incident that I’ve been personally involved in, could have been defended against if they were just. You know, some, some protocols and procedures and training put place almost every one of them, every one of them. To be honest with you.
255
00:43:36.260 –> 00:43:50.589
Sherry Branson: and I have a question here regarding the cyber policy. Kevin, Kevin and Eric, can you talk a little bit about a cyber policy. And what’s in it? What are the ensuring agreements in it? etc. I know you’re talking about social engineering and ransomware, etc.
256
00:43:51.168 –> 00:43:57.149
Sherry Branson: I believe there’s a cyber breach coach that’s part of a cyber policy as well.
257
00:43:59.170 –> 00:44:06.039
Erik Davis: Yeah, no. So I mean, a breach coach is basically sort of what we’re talking about. So essentially when you have a breach, most people don’t know where to start.
258
00:44:06.120 –> 00:44:16.579
Erik Davis: You know what I mean. So obviously like these are, these are perks that you get when you have a Sarah policy, but a breach coach specifically is, most people don’t know where to start. So you need to be able to call somebody
259
00:44:16.660 –> 00:44:39.559
Erik Davis: and and and start the process like, where do I do like? Do I save all my data? Do I, you know, throw my computers out the window like, what? What do I do? You know, you know, I need to start somewhere. But you know, and generally with the policy, like a sour policy for association. Specifically, obviously, there’s a lot more coverages that can be available to, you know, bigger companies like things like betterment, and like things like reputational
260
00:44:40.850 –> 00:44:44.750
Erik Davis: reinstatement. You know what I mean, because obviously, when you have a cyber breach, you need to be able to like.
261
00:44:45.260 –> 00:44:57.539
Erik Davis: say, Hey, look where everything’s safe. We’re okay like, don’t don’t leave our company, or don’t leave our association. But you know, the things that you’re definitely gonna need are, you know, obviously, that you’re buying cyber for for breach issues.
262
00:44:57.790 –> 00:45:03.529
Erik Davis: you know, and the thing about is that I think this is the biggest issue that associations, at least, in my opinion.
263
00:45:03.750 –> 00:45:20.729
Erik Davis: the best, biggest, 2 biggest misconceptions is that one? They believe that they’re like, no, they’re not there. They can’t be targets because they are either too small or or they have no data. All the data belongs to the management company. So therefore they’re they’re. It’s not my issue to deal with.
264
00:45:20.730 –> 00:45:21.680
Sherry Branson: Their responsibility.
265
00:45:21.680 –> 00:45:32.249
Erik Davis: Yeah, it’s not their responsibility. So so I it’s like, it’s not my responsibility. I don’t have to deal with any kind of breach or issue that happens because somebody else is in charge of that. It’s not me.
266
00:45:32.680 –> 00:45:33.070
Sherry Branson: Right.
267
00:45:33.070 –> 00:45:51.709
Erik Davis: Misconception. One other misconception is that oh, it has to be computer files. It has to be only association type stuff which is entirely wrong. You know it can be paper files, you know, in every state you have to have. There’s that varies each state, so you’d have to go by what your State says.
268
00:45:52.720 –> 00:45:54.119
Erik Davis: You have to hold
269
00:45:54.410 –> 00:46:07.309
Erik Davis: applications of the people who want to live in your association for X number of period of time, and I get it. There’s not a lot of paper files anymore. But let’s just say you historically have had paper files, you know, and you threw them in your basement.
270
00:46:07.710 –> 00:46:18.830
Erik Davis: And because you’re like, Oh, we do everything electronically. Now, we don’t need these paper files. Let’s put them in the basement. And then, sherry. We talked about yesterday, you know, you put those out on, you know, on trash day on the yeah.
271
00:46:18.830 –> 00:46:20.889
Sherry Branson: Cleaning up basement one day. Yeah.
272
00:46:20.890 –> 00:46:34.019
Erik Davis: You put those out on trash day, and now the the trash, you know the the trash company come and takes the stuff, but the papers are flying around everywhere. That’s a cyber breach, you know. If you leave your if you leave your
273
00:46:34.780 –> 00:46:37.139
Erik Davis: laptop in the back of your car
274
00:46:37.460 –> 00:46:40.440
Erik Davis: and your car gets broken into and a laptop gets stolen
275
00:46:40.990 –> 00:46:46.449
Erik Davis: in Charlestown right beside Steve. You know you get.
276
00:46:46.450 –> 00:46:48.260
Steve Marcus: The the crime capital of the world.
277
00:46:49.615 –> 00:46:50.460
Erik Davis: Oh!
278
00:46:50.460 –> 00:46:51.829
Steve Marcus: We like it in Charlestown.
279
00:46:52.200 –> 00:47:00.589
Erik Davis: Your laptop gets stolen like that like that. Give you a cyber breach. And, like I said, kind of before, like most people don’t have community association, specific
280
00:47:01.370 –> 00:47:04.800
Erik Davis: laptops. They have personal laptops, right? That they just
281
00:47:04.800 –> 00:47:23.789
Erik Davis: conduct association business on so similar to what you know. Chris and Eric were saying like, even if you have to protect the personal, that that person as well. So let’s say, I’m doing work. And my computer now gets hacked. And I’m like locked out of my computer. And they say they’ll take all my data, and, you know.
282
00:47:23.890 –> 00:47:36.120
Erik Davis: send out on the Internet. But think about is, it’s just my computer, like what data they have. That’s just mine. But in reality you have all the associations data on your computer because you do not have a separate computer. You just do everything on your personal computer.
283
00:47:36.360 –> 00:47:37.249
Jake Marcus: Oh, what do you know
284
00:47:37.250 –> 00:48:00.799
Jake Marcus: of it, too? Especially just on that point, with the with the advent of AI and Chat Gpt. And people using that on a regular basis was that a lot of people will. And we’re told it from the attorney client. Perspective is when inputting details related to that you are using Chat Gpt or AI.
285
00:48:01.130 –> 00:48:08.980
Jake Marcus: Make sure not to put any client information or confidential information, because, let’s say, one of those systems got hacked, and then.
286
00:48:08.980 –> 00:48:09.510
Sherry Branson: Hmm.
287
00:48:09.510 –> 00:48:20.420
Jake Marcus: All the client information is out there, and who knows what’s happening with that? So just another protection that is also being considered the advent of AI something to consider.
288
00:48:21.520 –> 00:48:24.469
Sherry Branson: It makes sense. That’s another area, absolutely. And I.
289
00:48:24.470 –> 00:48:33.480
Steve Marcus: It was something like a remote desktop, or whatever the current way of accessing
290
00:48:33.930 –> 00:48:36.020
Steve Marcus: an office computer.
291
00:48:37.560 –> 00:48:42.140
Steve Marcus: I’ve had. I’ve had this. I idea that nobody seems to like
292
00:48:42.656 –> 00:48:58.890
Steve Marcus: that, and part of it was for confidentiality. But now I’m thinking, and on cyber, especially if there’s remote desktop to access it. If every board member had a email that had the name of the Condominium as the domain name.
293
00:48:59.030 –> 00:49:11.410
Steve Marcus: and it could only be accessed by remote desktop, or whatever else Chris Chris might suggest. Would that do anything to help.
294
00:49:15.060 –> 00:49:16.129
Steve Marcus: Sounds like a no.
295
00:49:16.540 –> 00:49:21.186
Chris Geer: Yeah, I don’t. I don’t. It would make it difficult to get the email. That’s for sure.
296
00:49:22.850 –> 00:49:28.259
Steve Marcus: So we’re not give remote desktop. If the laptop were hacked.
297
00:49:28.840 –> 00:49:29.190
Chris Geer: Yeah.
298
00:49:29.190 –> 00:49:31.080
Steve Marcus: The remote stuff would be hacked too.
299
00:49:31.730 –> 00:49:43.849
Chris Geer: Yeah, not necessarily, not. I mean, again, we. I’m gonna roll right back to the the 1st topic we covered with the multi factor, authentication and the proper tools. Right? So the the laptop gets stolen.
300
00:49:44.450 –> 00:50:01.319
Chris Geer: They open up the laptop, you know, and they have well, 1st of all, laptop stolen. They have to be able to get into the laptop with the username and password and and you hope that if you’re traveling a laptop, you’re using some sort of encryption mechanism on the laptop, right? So the laptop gets stolen.
301
00:50:02.340 –> 00:50:25.980
Chris Geer: They can’t take the hard drive out. Take the raw data off the hard drive right? The what you want to do is you want to have a full disk encryption where that system boots up at prompt you for a password or physical key to access the operating system, which then gets you into your data. With a fully encrypted hard drive in that laptop or desktop, or whatever it is. You
302
00:50:26.770 –> 00:50:38.969
Chris Geer: laptop gets stolen, does. The no data can get removed from that device because the complete content is encrypted, and without the password or the key can’t get access to that data.
303
00:50:39.410 –> 00:50:41.490
Steve Marcus: Same protections, for smartphones.
304
00:50:42.649 –> 00:51:06.790
Chris Geer: Smartphones. Yeah. So there are some protections on smartphones you can enable. You know. Invalid password wipes. You know, password attempts will wipe the device. There are biometrics built into the phone face, id thumb print id, but you know a lot of times with phones. Those what what people are doing is, you know, they’ll see someone on a phone walking down the street. They’ll rip the phone right out of your hand.
305
00:51:07.210 –> 00:51:24.220
Chris Geer: And that phone is now unlocked. Right? So they go in and they change. And then they have access to everything they have, because they can change the PIN number. They can change the biometrics on that. So you know. So there’s that, too, you know, there’s, you know. But with the phone locked it’s hard to get into it.
306
00:51:25.250 –> 00:51:53.170
Kevin Davis: You know this is fascinating. Right now what you’re saying, Chris, you know, number one claim that we’re seeing in social engineering, and we talk a lot of social engineering. And the reason why? Because technology has advanced to the point where the things that we used to worry about before we have to worry about anymore. I mean, we 1st started. We were scared to leave our laptops in the car, but now, because they encrypted, or because you have multi factor, authentication, hey? Guess what? We feel more safe. And we’re comfortable.
307
00:51:53.170 –> 00:52:13.240
Kevin Davis: So right now, the only way that the best, the easiest way to get access to any information is for you to give it to me for me to call you up and say, guess what? You know. Either pay it now, because avoid late fees, or guess what I give you a deal on it. I mean, it’s the 2 things that. And now, all of a sudden, we give it away everything else, because we don’t see data breaches
308
00:52:13.240 –> 00:52:33.300
Kevin Davis: that much anymore. We don’t see a lot of things that we used to see thought of claim, you see. But now everything ends up being social engineering related that leads to fraud all types of fraud, and it leads to the ransomware and leads to everything. So there has to be some way
309
00:52:33.680 –> 00:52:48.438
Kevin Davis: or some some mechanism out there that you guys can recommend to everybody out there. How do we prevent social, because, again, social nearing is not covered under most policies. You know, you gotta have a cyber policy if you have a
310
00:52:48.790 –> 00:52:52.939
Kevin Davis: yeah, their crime policy. Yeah, the crime, the social engineering is on the crime policy.
311
00:52:52.940 –> 00:52:54.480
Kevin Davis: but not all the crime.
312
00:52:54.480 –> 00:52:55.629
Erik Davis: Yeah, not on all of them.
313
00:52:55.630 –> 00:53:08.310
Kevin Davis: But but only a small portion of crime policies. Because again, you have to underst insurance provider to understand what social engineering is, provide the coverage, and most of them don’t. So so right now, social engineering.
314
00:53:08.310 –> 00:53:14.979
Steve Marcus: Is, is it covered? Is it covered under the policy that you’re the Mga for.
315
00:53:15.670 –> 00:53:16.020
Kevin Davis: Yes.
316
00:53:16.020 –> 00:53:16.890
Steve Marcus: Social engineer.
317
00:53:16.890 –> 00:53:22.019
Kevin Davis: Yeah, yes, it’s covered under our crime policy. So you, you know you don’t.
318
00:53:23.380 –> 00:53:34.660
Kevin Davis: You have it under, you have social engineering coverage under our policy. Okay, but the social engineering leads to ransomware and things like that. You know, you got different different things going on there. So yeah.
319
00:53:35.990 –> 00:53:36.350
Sherry Branson: Great.
320
00:53:36.350 –> 00:53:40.729
Steve Marcus: Do you wanna talk about Kevin? Do you want to talk about? Suggested
321
00:53:41.379 –> 00:54:08.839
Steve Marcus: not suggested limits. Because I don’t. I don’t want you to put you on the hook, saying, Well, Kevin told us X, and we’ll a loss of of more. We’re gonna sue him also, because Marcus was telling everybody to sue everybody. but but what do you see your agents typically writing limits for? And can you give a rough idea of cost.
322
00:54:09.510 –> 00:54:24.639
Jake Marcus: Yeah, we received a couple of questions in the chat I’m seeing Nancy Mandino of Dartmouth Group. What limits are you seeing for social engineering coverage, and then low Lois Moses! What would be the suggested limits? So that would be a good thing to address? It seems like.
323
00:54:24.650 –> 00:54:28.580
Kevin Davis: You know, this is kind of the formula historical formula
324
00:54:28.770 –> 00:54:49.550
Kevin Davis: for crime coverage. When we talked about fidelity employees, honesty, if 3 months assessment is supposed to be reserved so for social engineering. How much do you think you can lose any one time? I mean the reserve account? If I’m a criminal. I’m looking at your reserve account. I’m looking at your operating account. Look at how much money I get access to at any one time.
325
00:54:49.630 –> 00:55:04.120
Kevin Davis: and so at least cover that amount. So that’s the minimum amount you have. I would try to get as much as you can, but the minimum should be what you have at any one, the Max you have any 1 point in time now, the question I would have
326
00:55:04.210 –> 00:55:06.059
Kevin Davis: you know, for our experts
327
00:55:06.160 –> 00:55:14.760
Kevin Davis: is that from the Community Association’s point of view. You know they have money, they they collect the assessments, they have reserves.
328
00:55:15.530 –> 00:55:17.240
Kevin Davis: That’s I think that was
329
00:55:17.370 –> 00:55:26.889
Kevin Davis: if they if they cover that. I think that would be it. But I don’t know if there’s something else. They have access to that. We have data, and we have data. You get access to the data. That’s
330
00:55:27.450 –> 00:55:31.650
Kevin Davis: I. You know, I stick with that. We think we think.
331
00:55:31.650 –> 00:55:35.550
Erik Davis: I was thinking 1st of all, just to get like, you know, I
332
00:55:35.770 –> 00:55:38.270
Erik Davis: just so that people can have a more
333
00:55:38.280 –> 00:56:06.809
Erik Davis: concrete idea, I guess of limits and stuff that they should be looking at just for associations, you know, to go into crime. Since we’re talking about crime, you know what I mean crime and cyber. They do kind of go hand in hand. You know, most people usually have about a million dollars with a crime limits. You know social engineering is usually sublimited, you know, so usually can get usually out of the gate is about 100,000 is usually fair, you know. You can also get up to. You can also get slightly increased limits to about 2 50
334
00:56:07.170 –> 00:56:30.499
Erik Davis: as long as they have a little bit more controls in place some of the stuff that Chris was talking about. You know, if they have those extra controls in place, that there are higher limits available when it comes to actual cyber policies. Those limits usually range anywhere from let’s call it 100,000 to $500,000 in coverage, and usually they kind of sublimit as they go down.
335
00:56:31.150 –> 00:56:35.320
Erik Davis: Similar to the way they similar to the the coverage on crime.
336
00:56:35.470 –> 00:56:37.620
Erik Davis: But the thing about it is that
337
00:56:39.840 –> 00:56:41.580
Erik Davis: you have to make sure that
338
00:56:41.750 –> 00:56:45.210
Erik Davis: you know you have all the coverage that you want, but you also have to make sure that
339
00:56:46.200 –> 00:57:04.289
Erik Davis: you’re not. You don’t want look, associates don’t have a ton of money, so you don’t want to be paying an arm and a leg for it. So that’s why I think that the situation. Where, when you go to a specific association specific company like ours, that does this on that does this every day, we make sure that you know. The coverages that are offered
340
00:57:04.290 –> 00:57:29.300
Erik Davis: are exactly what the association needs and the limits that they offer are roughly around, like where where we’re seeing that the types of claims. That’s how much we usually offer, and they usually range anywhere. Price wise. And Steve was looking for like, I guess, like a price estimate somewhere anywhere between $400, about $900 to add. So it’s not a ton of money for for a lot of peace of mind, because, like Jake and I kind of were talking about in Orlando, you know.
341
00:57:29.540 –> 00:57:50.249
Erik Davis: It might take a a catastrophic style event of, like a you know, large, very large, you know, nationwide property manager to have a breach that disseminates to all these, you know associations for for this to be a big deal. But we’re saying here on this call is that it’s always better to be proactive than reactive.
342
00:57:50.400 –> 00:57:54.240
Erik Davis: So if we, if they, if you take anything away from this, is that
343
00:57:54.760 –> 00:58:04.950
Erik Davis: at the very least, you know you should be your associate, and should be working with somebody like Chris and Eric to make sure that they’re protected in the grand scheme of things, because
344
00:58:05.260 –> 00:58:09.819
Erik Davis: that has to be the 1st line is like you. You have to be protected in order to.
345
00:58:10.520 –> 00:58:21.049
Erik Davis: you know, to stay safe, because association, because the insurance part of it won’t want to protect associations that don’t even take the basic precautions to protect themselves.
346
00:58:21.520 –> 00:58:37.700
Erik Davis: So this is all kind of goes hand in hand. So if you have to work with somebody like Chris to get yourself protected, and then you have to work with an association specific company that enables you can ensure you for the types of acts that occur in the grand scheme of things.
347
00:58:37.700 –> 00:59:04.350
Steve Marcus: So so hit and you said that you offer 250,000 in social engineering. Somebody Nancy also made it made a comment. Nancy’s from Associate group that. They’ve only been able to get very small limits on social engineering. So you guys go to 2, 50.
348
00:59:04.580 –> 00:59:15.279
Erik Davis: Yeah. So like, I said, a hundred is usually what we prefer. But like, I said, what they have like, definitely proper controls in place, you know, like some, you know, more higher level controls in place. We we do. We can go up to 2, 50.
349
00:59:15.280 –> 00:59:18.880
Steve Marcus: So so here’s what keeps me up at night. So.
350
00:59:18.880 –> 00:59:21.609
Jake Marcus: What? What? I’m sure there’s a lot of things.
351
00:59:21.990 –> 00:59:22.799
Jake Marcus: How are you.
352
00:59:22.800 –> 00:59:23.820
Steve Marcus: No, no.
353
00:59:23.820 –> 00:59:42.160
Steve Marcus: I have a lot of issues. So thieves are getting much more sophisticated. The technology is getting greater in some ways and awful in other ways depending on in whose hands it’s in
354
00:59:42.631 –> 00:59:49.939
Steve Marcus: if I were going to suggest a book a few years ago, in 2021. I read a book called The A. 1 41,
355
00:59:50.140 –> 01:00:08.230
Steve Marcus: and it was by Eric Schmidt of Google, and Henry Kissinger, who wrote it when he was in his nineties, and it was where AI will be in 20 years since it was a 2021 book.
356
01:00:08.330 –> 01:00:30.810
Steve Marcus: and they went into all the great things that can happen. But they then went into awful things like we’re talking about, and wars that can be caused by one person versus a nation. But the other concern I have is that post surfside on June 24, th 2021,
357
01:00:30.830 –> 01:00:47.340
Steve Marcus: and in California they have Sb. 2, 36. I think it is on balcony inspections and replacements is that associations are getting bigger and bigger loans. As the amount of work that has to be done
358
01:00:47.400 –> 01:01:07.719
Steve Marcus: becomes more significant with deferred maintenance. So if you have a 5 million dollars project, get a loan from a bank for 5 million dollars, and let’s say they advance a million dollars. Now, you don’t just have the reserves and 3 months of operating.
359
01:01:07.720 –> 01:01:26.079
Steve Marcus: You also have another 1 million. That in theory is subject to attack, that are the proceeds of the loan sitting in your account. Same goes the fidelity crime. If you think you’re covered for every penny that you ever have, once you get a loan.
360
01:01:26.610 –> 01:01:35.720
Steve Marcus: Don’t forget to, especially the the agents, if they can alert the their their boards and managers to this.
361
01:01:35.880 –> 01:01:52.150
Steve Marcus: If if you get a loan. Let them know, because you probably want to increase your fidelity, because now you might have 5 million dollars that that’s at at risk. I guess I’m concerned that the
362
01:01:52.480 –> 01:01:54.950
Steve Marcus: with the sophistication
363
01:01:55.900 –> 01:02:20.140
Steve Marcus: I have this awful feeling that the amount of losses is kind of become greater, which is all my way of saying, is, is it easy enough to go from, say, 500,000 to a million? If you and your trusted insurance advisor think those are appropriate, how much coverage can you get.
364
01:02:20.620 –> 01:02:26.100
Kevin Davis: Let me let me go back and answer what? What actually has happened in the past
365
01:02:27.290 –> 01:02:34.290
Kevin Davis: earth earthquake in California we had 30 years ago. Okay, which destroyed a lot of our area where we live at right now.
366
01:02:34.873 –> 01:02:35.780
Kevin Davis: The insurance.
367
01:02:35.780 –> 01:02:37.910
Steve Marcus: The one the one during the World Series.
368
01:02:38.140 –> 01:02:41.020
Kevin Davis: No, no, no! That was like 35 years ago.
369
01:02:42.780 –> 01:02:46.929
Jake Marcus: Yeah, that was 35 years. That was October 19, th 1989. So I’m yeah.
370
01:02:46.930 –> 01:02:47.500
Jake Marcus: That day.
371
01:02:47.500 –> 01:02:48.650
Steve Marcus: That was your birthday, Jake.
372
01:02:48.650 –> 01:02:49.310
Jake Marcus: Yeah.
373
01:02:49.310 –> 01:02:50.901
Kevin Davis: You’re you’re 2 right or.
374
01:02:51.220 –> 01:02:52.700
Jake Marcus: I was now. He was born.
375
01:02:53.420 –> 01:02:55.289
Steve Marcus: That was his birthday.
376
01:02:55.290 –> 01:02:59.030
Erik Davis: The World Series. One was in San Francisco also. Not not down here.
377
01:03:01.890 –> 01:03:16.089
Kevin Davis: But but but what happened though, is this what happened? The association started getting a ton and ton of money for the earthquake damages, and there were a lot of dishonesty happened, and we had a claim where end up being the board of directors.
378
01:03:17.248 –> 01:03:19.640
Kevin Davis: Had, like a, you know, 2 million dollar
379
01:03:19.760 –> 01:03:48.439
Kevin Davis: judgment or insurance paid 2 million. They paid a million upfront and a million disappeared, and it’s gone. And they didn’t know what happened. And the crime policy was like a hundred $1,000. So they like you said they never increased the limit, never. So they’re out, I guess. So. What happened was, there was D. And O. Claim, because the board was negligent, the board failed. Supervise properly. So that was our 1 million dollar claim I ever saw. 30 years ago under the D and O. Policy.
380
01:03:48.840 –> 01:03:52.310
Kevin Davis: Now, this is interesting. Could that happen today?
381
01:03:52.600 –> 01:04:12.249
Kevin Davis: Now, if if a person is tricked into that 1 million dollars? Okay, so let’s say, all of a sudden the 1 million dollars went to the roofer. Okay? And and so you pretended I pretend to be a roofing contractor, and I got access to that 1 million dollars and I’m gone. I’m disappearing at the 1 million dollars.
382
01:04:12.370 –> 01:04:24.569
Kevin Davis: and the roof’s been done. So the roof, the roofer wants to be paid. Association said, Wait a minute. You’ve been paid already. So now, all of a sudden, now there’s a claim going on. And now, all of a sudden there is a
383
01:04:24.900 –> 01:04:28.010
Kevin Davis: a lien placed on the Association
384
01:04:28.190 –> 01:04:30.340
Kevin Davis: because they owe a million dollars.
385
01:04:30.650 –> 01:04:32.629
Kevin Davis: That is not a D and O. Claim.
386
01:04:32.870 –> 01:05:02.079
Kevin Davis: And that’s the number one thing that we’ve been seeing lately in terms of these payments that have been paid to the landscape, or the management company, or the roofing contractor or security people. The money is now gone. There’s a lien placed on association, and an association has to pay the money, you know. That is not a dno. Claim the dno, there’s no wrongful act committed. So we see these claims all the time, and it goes back and say, Where’s the wrongful act?
387
01:05:02.240 –> 01:05:12.460
Kevin Davis: So it’s really important to understand that. You know you need a cyber policy, you know, for situations that come up come up that we have not seen before.
388
01:05:12.560 –> 01:05:35.630
Kevin Davis: Things are changing. The landscape is changing, you know. And today I learned why it’s changing. Because guys like Chris and Eric, their technology, their knowledge and things are protecting associations and protecting businesses. My business, your business, and protecting it to the point where we’re doing better now than we thought. We’re not seeing a claim of thought we were seeing. But we’re seeing now
389
01:05:35.730 –> 01:05:50.489
Kevin Davis: a new set of claims that we’re seeing. And we got to figure out how to handle those things, because from an insurance point of view, we’re saying we must have multi-factor authentication. We have to make sure you have antivirus, and all the software is up to date, or else we won’t insure you.
390
01:05:50.790 –> 01:06:00.510
Kevin Davis: But that’s not enough, because the people we’re doing business with the associations, the management companies. They’re not sophisticated enough to understand these things, so
391
01:06:01.590 –> 01:06:15.679
Kevin Davis: I guess the bottom line is, you gotta have this insurance coverage, but you would have to have it under our terms. Our terms is saying that you gotta know what you’re doing. You have to be more sophisticated than just saying, Hey, what? You have, new bank and routing number no problem.
392
01:06:16.370 –> 01:06:22.369
Steve Marcus: And and it’s not the it protections the cyber security protections
393
01:06:23.138 –> 01:06:48.779
Steve Marcus: alone. And it’s not the insurance alone. I I think they work hand in hand. And, as you you say, Kevin, they’re not gonna get past the application unless they have the wizard side of things in terms of protecting, and the dual author authentication and and all that. So somebody asked a question in in the audience, really good one, which is.
394
01:06:49.220 –> 01:06:57.160
Steve Marcus: you know, where? Where does it say that cybers? Cyber insurance is required? So the answer is.
395
01:06:57.370 –> 01:07:07.659
Steve Marcus: yeah. I think if I were writing a set of condominium documents today I would at least include it as something that the Association Board could can buy.
396
01:07:08.247 –> 01:07:14.319
Steve Marcus: I think it doesn’t have to be listed as a coverage to get.
397
01:07:14.750 –> 01:07:27.700
Steve Marcus: The board has certain duties to the owners in term, including protecting and preserving the property and the assets of the association.
398
01:07:27.860 –> 01:07:32.639
Steve Marcus: So I think that the the the coverage
399
01:07:33.205 –> 01:07:40.189
Steve Marcus: is gonna be based on common law case law that basically says you had duty
400
01:07:40.739 –> 01:08:08.229
Steve Marcus: you breached it you were tricked. You gave our money away with a cause of action, but but check with your individual general counsel for your associations to see what they say in terms of. Gee! These guys babbled on for over an hour. Do we really need this coverage they’re talking about?
401
01:08:08.580 –> 01:08:14.660
Steve Marcus: I think that the condominium and hoa and co-OP
402
01:08:14.960 –> 01:08:40.449
Steve Marcus: attorneys are going to tell you that this is a coverage you should have. It doesn’t have to be specific list specifically listed. But there’s a vulnerability if you don’t have the coverage and not enough people have it. The survey that Cai did about a month ago, 1 3rd of the respondents had cyber coverage. That is just scary.
403
01:08:41.950 –> 01:08:47.870
Kevin Davis: But the reason why and I guess we should we talk about before we close up is that they believe
404
01:08:47.979 –> 01:08:58.299
Kevin Davis: that they say that I don’t have any data. I don’t have access to any funds. All the funds, all the data goes to the management company. So why do I need cyber policy.
405
01:08:58.890 –> 01:09:06.760
Kevin Davis: And that’s the number one question that I think if we we need to answer that before we leave, so that everybody who’s listening, this understands the answer.
406
01:09:06.760 –> 01:09:09.069
Chris Geer: It. Isn’t it risky management.
407
01:09:09.279 –> 01:09:12.879
Steve Marcus: Well, well, well, I think the answer is,
408
01:09:13.509 –> 01:09:16.709
Steve Marcus: understanding the role of the manager and the board
409
01:09:17.287 –> 01:09:20.089
Steve Marcus: the manager might be the professionals.
410
01:09:20.359 –> 01:09:25.169
Steve Marcus: but the manager takes direction from the board.
411
01:09:25.409 –> 01:09:38.799
Steve Marcus: and the Board’s responsible for protecting its funds, and I don’t think an answer that oh, the management company takes care of all that stuff flies. I don’t think it gets the board off the hook.
412
01:09:39.369 –> 01:09:54.501
Steve Marcus: I I think they have the ultimate responsibility for protecting the funds, and saying that we thought the manager was doing it. I don’t think cuts it. Maybe there’s a cross claim against the manager, but
413
01:09:55.019 –> 01:09:58.119
Steve Marcus: I don’t know. What do you think? Kevin and others.
414
01:09:59.770 –> 01:10:05.889
Kevin Davis: Well, let’s go to the the experts there first, st Chris and Eric, let me ask you, because this is the issue. Right now
415
01:10:06.200 –> 01:10:11.859
Kevin Davis: I I’m the president of Happy Valley Condominium Association.
416
01:10:12.060 –> 01:10:20.679
Kevin Davis: and all of a sudden I got 30 units here, and every month. I say, listen! You know I tell my insurance.
417
01:10:20.860 –> 01:10:29.979
Kevin Davis: I said, Listen, I don’t need A. D, and I don’t need a cyber policy, because the management company they collect all the funds. They have all the data. I don’t have any data.
418
01:10:30.590 –> 01:10:44.149
Kevin Davis: and it’s kind of the same thing as saying that all the data is in the cloud. You know, I don’t have any data on my computer. It’s all in the cloud. It’s to me it’s the same thing, you know. I the cloud may be responsible for it.
419
01:10:44.360 –> 01:10:45.440
Kevin Davis: But
420
01:10:45.560 –> 01:10:54.319
Kevin Davis: ultimately I’m I’m telling people to go to. You know this place to give their data and information to. So I’m still responsible.
421
01:10:54.460 –> 01:10:56.980
Kevin Davis: Do you guys have an opinion on that from the.
422
01:10:56.980 –> 01:11:04.370
Steve Marcus: And and somebody in the audience has threw in a question, say, a management contract and absolutely
423
01:11:04.600 –> 01:11:07.130
Steve Marcus: managers management companies
424
01:11:07.370 –> 01:11:15.490
Steve Marcus: based on this webinar. I should be looking at the management contracts and see what it says about these kind of exposures
425
01:11:15.600 –> 01:11:42.900
Steve Marcus: and boards and their legal counsel should be looking at the management contracts to see is there any obligation that the management company has, especially if it’s the management company’s servers, etc? And if the Management company are the ones who decide what software and all that, and either take or don’t take the protections. So the the management contracts
426
01:11:42.960 –> 01:11:50.540
Steve Marcus: in theory could could be a good source for clarifying responsibilities.
427
01:11:53.834 –> 01:11:54.439
Steve Marcus: No
428
01:12:00.750 –> 01:12:01.970
Steve Marcus: could be present.
429
01:12:01.970 –> 01:12:06.249
Kevin Davis: Wait. Wait. I agree with that, because
430
01:12:06.680 –> 01:12:16.720
Kevin Davis: right now the magic company doesn’t have in this contract. If there’s a data breach or a cyber threat or a cyber incident. We take full responsibility for it.
431
01:12:17.510 –> 01:12:27.359
Kevin Davis: So they don’t say anything. So the contract is doesn’t say anything at all. So you guys are the lawyers? If there’s nothing in the contract, do? Are they responsible.
432
01:12:27.860 –> 01:12:29.290
Steve Marcus: It depends who’s paying us?
433
01:12:32.860 –> 01:12:37.780
Steve Marcus: I apologize, but but every case I’ve ever seen.
434
01:12:37.780 –> 01:12:38.320
Kevin Davis: Yeah.
435
01:12:38.320 –> 01:12:49.520
Steve Marcus: As an attorney representing one view zealously and another representing another view zealously.
436
01:12:50.246 –> 01:12:52.953
Steve Marcus: It’s like the old story of the
437
01:12:53.480 –> 01:12:58.450
Steve Marcus: The sole attorney in the town who was going broke
438
01:12:58.640 –> 01:13:03.240
Steve Marcus: until the second attorney moved in, there’s true.
439
01:13:04.626 –> 01:13:06.570
Steve Marcus: Jake, do you have a better answer than that?
440
01:13:08.295 –> 01:13:09.145
Jake Marcus: To what?
441
01:13:09.950 –> 01:13:13.729
Kevin Davis: Well, it can. It can simply be. Don’t listen to my dad, but.
442
01:13:13.730 –> 01:13:14.140
Sherry Branson: But.
443
01:13:15.250 –> 01:13:15.769
Jake Marcus: Let’s go back.
444
01:13:15.770 –> 01:13:16.720
Jake Marcus: There you go!
445
01:13:16.720 –> 01:13:23.990
Kevin Davis: I mean the if. If right now, the the management companies have nothing in their contract
446
01:13:24.000 –> 01:13:37.700
Kevin Davis: that says I will take responsibility if there’s a cyber incident. Okay? Now, all of a sudden, I’m again. I’m the president of Happy Valley Condominium Association. You know. I I suffered a loss all of a sudden.
447
01:13:37.700 –> 01:13:56.349
Kevin Davis: all 5 of us right now, or 7 in a board meeting. Right? And I’m saying you know what I can’t believe. My, you know. I filed my tax return, and my tax return says it was filed already right. And then Jake says anything happened to him and Steve. We all find out that our association has been hacked.
448
01:13:56.450 –> 01:14:20.330
Kevin Davis: We go to the Management Company Magic Company. Guess what we gave you all our data. You have all our stuff. You’re responsible. The Management company has a choice. They can say, yes, we take full responsibility because it’s in our contract. Yes, we take full responsibility, even though it’s not in our contract, or they can say, No, it’s not us. We have nothing to do with us, or they can say, No, we’re not going to do anything about it, because it’s not in our contract, I mean.
449
01:14:20.630 –> 01:14:38.940
Kevin Davis: but reality is that we, as me, as the president of Happy Valley, still has to do something. I still have to contact Chris or Eric over there and say, guess what we’ve had a breach. We have a massive breach in our association. The match company. We think they’re responsible for it, but they’re not they. They’re not returning our calls.
450
01:14:39.120 –> 01:14:49.029
Kevin Davis: So it’s still this. So at the end of the Day Association needs the coverage, you know. I mean, they’re the ones that at the end of the day they want to face that responsibility.
451
01:14:49.340 –> 01:14:54.640
Steve Marcus: And and you probably have to consider. Should you change the name of the Condominium to unhappy valley.
452
01:14:58.610 –> 01:14:59.480
Steve Marcus: go ahead.
453
01:14:59.855 –> 01:15:00.230
Sherry Branson: Okay.
454
01:15:00.230 –> 01:15:04.037
Steve Marcus: I think you want to wrap up. We’re we’re only 15 min beyond
455
01:15:04.580 –> 01:15:04.920
Jake Marcus: Yeah.
456
01:15:04.920 –> 01:15:07.740
Steve Marcus: This could be a. This could be a record for the shortest. We’ve gone over.
457
01:15:09.090 –> 01:15:09.690
Sherry Branson: Yes.
458
01:15:09.690 –> 01:15:26.369
Jake Marcus: Yes, yeah, no. Thanks. Everyone for attending today. A nice Friday afternoon or morning. If you’re in California, we appreciate it. We hope we offered some some good insight. I did share the the information as to
459
01:15:26.370 –> 01:15:50.389
Jake Marcus: how you can get in touch with the people at Kevin Davis insurance services the people at Wizard as well as the attorneys who host the Marcus hour. But yeah, we appreciate everything. If you have any questions. In the meantime, please follow up, feel free to reach out with any questions we can, anything that we didn’t get to today. We will be sending out a
460
01:15:50.390 –> 01:16:01.139
Jake Marcus: the Powerpoint presentation as well as the recorded session. But yeah, again, this is an important topic, something that is fairly untapped
461
01:16:01.140 –> 01:16:13.200
Jake Marcus: and something that will be kind of a big developing, evolving issue, in the, in, the, in, the, in the future. So thank you, Kevin. Thank you, Eric.
462
01:16:13.699 –> 01:16:20.190
Steve Marcus: Jake somebody asked, Is there a link to the 22 other webinars.
463
01:16:20.190 –> 01:16:28.440
Jake Marcus: Yes, yes, actually, that’s available at am condo law I’ll actually put that in the chat as well.
464
01:16:28.440 –> 01:16:32.748
Chris Geer: And if they act now they can get a free Ginzu copy.
465
01:16:33.686 –> 01:16:35.980
Steve Marcus: Only Kevin, and I understand.
466
01:16:37.734 –> 01:16:45.530
Kevin Davis: To tell the truth, last night. She she oh, yeah, I remember that show you, and I always remember the show, too.
467
01:16:46.350 –> 01:16:52.749
Steve Marcus: Okay, I interrupted. You, Jake. I think you were. Gonna thank the Wizards of Oz.
468
01:16:53.080 –> 01:17:15.000
Jake Marcus: Wizards of Oz, the the Wizard computer services full service. It solutions delves right into cyber security as well as other areas, such as managed services, consultations, installations, and they are a great resource. Have been around for 25 plus years.
469
01:17:15.000 –> 01:17:30.500
Jake Marcus: Kevin Davis insurance services. Happy. 25th anniversary. Quite the feat. They are the go to insurance services providers, especially in the Community association world. And again, thank you for coming out today appreciate it. On a Friday.
470
01:17:30.500 –> 01:17:32.029
Steve Marcus: Oh, a final final thing.
471
01:17:32.660 –> 01:17:33.080
Steve Marcus: Go with.
472
01:17:33.080 –> 01:17:34.610
Steve Marcus: Correct me if I’m wrong, Kevin.
473
01:17:36.080 –> 01:17:46.350
Steve Marcus: your local insurance agent, your trusted advisor for your association, can work through you
474
01:17:47.040 –> 01:17:56.630
Steve Marcus: for the coverages that we talked about today from dno to fidelity to excess. In. In other words.
475
01:17:57.321 –> 01:18:04.400
Steve Marcus: people don’t have to contact you in la they can go through their
476
01:18:04.540 –> 01:18:10.220
Steve Marcus: trusted condominium insurance agent, or is that correct or no?
477
01:18:10.220 –> 01:18:12.290
Kevin Davis: Yes, perfect! Go ahead, Eric, give one second.
478
01:18:12.660 –> 01:18:30.008
Erik Davis: No, I understand. Yeah, no perfect, Steve, I mean, obviously, anybody contact their local agent to, you know, reach out to us. So you don’t have to call us directly, you know you can, you know. Go through. Go through whoever you use for your for your usual insurance needs. But
479
01:18:30.610 –> 01:18:41.566
Erik Davis: I said, this, this is really important stuff. I really want to thank you know, Jake and Steve, for allowing us to be on here. Hopefully. You guys will have us back for a 3rd you know, 3rd time in some of their capacity.
480
01:18:42.172 –> 01:19:09.220
Erik Davis: and like I said, Chris and Eric has been great to to meet you guys. And you know, I think that what you guys do is really important. And I think that showing everybody on this call today that you know all, all 3 of us in all 3 different spaces of the industry, all work together towards protecting your association. So I think that’s ultimately like, why, you know, such a great program. So thank you guys for for putting this together.
481
01:19:09.410 –> 01:19:10.899
Eric Kuznitz: Appreciate it. Thank you. Yeah.
482
01:19:10.900 –> 01:19:14.869
Steve Marcus: And and there was so many insurance agents signed up for this program.
483
01:19:15.150 –> 01:19:23.769
Steve Marcus: I’m just so grateful to have you all on here from all across the country.
484
01:19:23.790 –> 01:19:36.509
Steve Marcus: well from national agencies to other agencies, but but all names that I recognize as being the Ulsters and the Community Association insurance space.
485
01:19:36.530 –> 01:19:44.729
Steve Marcus: and to the extent that together as attorneys, we can push
486
01:19:45.222 –> 01:20:07.379
Steve Marcus: the need for for cyber and to the extent that you can push your associations of the need for the coverage for what sounded like fairly modest amounts. We really appreciate you being on the call, and for everything that you do.
487
01:20:09.060 –> 01:20:12.410
Kevin Davis: Okay, now it’s time for our after- after conference.
488
01:20:14.300 –> 01:20:18.150
Kevin Davis: you know, because I gotta ask Chris, because this is this is this.
489
01:20:18.451 –> 01:20:21.769
Steve Marcus: Are we just gonna talk for the rest of the day?
490
01:20:21.770 –> 01:20:22.150
Sherry Branson: He’s out.
491
01:20:22.452 –> 01:20:24.270
Kevin Davis: But this is the last, but.
492
01:20:27.150 –> 01:20:28.539
Steve Marcus: Have 30 left.
493
01:20:28.955 –> 01:20:45.990
Kevin Davis: This is the question, because this is the problem that we have in our in our industry is that they do they? The exposure is with the management company because they have all the data. The Association have 5 board members.
494
01:20:46.487 –> 01:21:05.942
Kevin Davis: Maybe you know, 20 people live there and they give all that information to the management company and the management company is small. They are dealing with all these individual board members. So they are really really just moving too fast. And and that’s the mistakes come from the social engineering because they get those calls.
495
01:21:07.130 –> 01:21:22.039
Kevin Davis: is there anything that you can say to the ones that are still listening, what they really need to do other than slow down, or something that you give them some piece of advice, because there’s still like? What 20 people listening.
496
01:21:22.740 –> 01:21:37.949
Chris Geer: I mean, we’ve had great success with the the Cyber Security awareness training programs that we that we’ve run just getting the information out there. As to what are the threats? How are they happening?
497
01:21:38.380 –> 01:21:52.569
Chris Geer: And and so what we do is we usually send out, you know, some training a training platform that has videos that you would watch to understand the fishing, the social engineering. And then, along with that, we also have simulated fishing campaigns
498
01:21:52.650 –> 01:22:08.479
Chris Geer: that we can, you know, send out fake, you know, simulated phishing emails and gather data. And then further, our education and security awareness programs towards those clients. It’s it’s like a managed service, right for training. So it’s really knowing
499
01:22:08.580 –> 01:22:15.720
Chris Geer: how these things are happening and and the willingness to invest and and
500
01:22:15.970 –> 01:22:19.480
Chris Geer: the the trainings because the training I mean you.
501
01:22:20.410 –> 01:22:46.849
Chris Geer: It. It almost forces you to get in there and learn about these things, and like I said, but it only protects the business and the associations and the management companies. But it also protects the individuals, right? Because it’s happening everywhere. There’s those personal, you know, attacks happening. So I, the the cyber awareness training has really been a great for us. We’ve seen great results from it. People learning and understanding. You have to know
502
01:22:47.502 –> 01:23:00.069
Chris Geer: what’s happening. It’s you know I’ll give you, you know, a affiliate example is, you know, my friend called me up one day and said, hey, my mom is at best buy. She’s getting ready to go in and buy some gift certificates.
503
01:23:00.230 –> 01:23:01.410
Chris Geer: I’m like, okay.
504
01:23:01.910 –> 01:23:08.549
Chris Geer: And she, why is she buying gift certificates. Well, she got a call from Amazon, said she bought a TV, and it didn’t include.
505
01:23:08.770 –> 01:23:12.300
Chris Geer: you know, a warranty like.
506
01:23:12.450 –> 01:23:18.860
Chris Geer: and they wanted to send these best buy gift certificates to cover the warranty. I was like, did you even buy a TV?
507
01:23:19.580 –> 01:23:26.139
Chris Geer: No, like so. But they showed me in my Amazon account that I bought this TV.
508
01:23:26.340 –> 01:23:48.730
Chris Geer: So I called her up, and I asked her a few questions, and the last thing I left the world is with is, don’t be embarrassed about what just happened to you. Tell all your friends, because it’s it’s about knowing what’s happening, and and that’s just that incident. But knowing how these things are happening with the, with, the with the social engineering, and the fishing is is a huge key to the battle.
509
01:23:49.150 –> 01:24:06.480
Chris Geer: You gotta be aware of what’s happening, not how to detect and and ask questions. Don’t be afraid to reach out to you. Know your trusted it, provider, and say, Hey, you know, is this legit. I get them constantly from clients I talk to. I I listen. You know, I get emails on a daily basis, saying, Hey, does. This is this legit.
510
01:24:06.780 –> 01:24:16.600
Chris Geer: and I’ll take a look at it, and I’ll reply and say, No, it’s not. Thank you for reaching out to me. Thank you that you know they’re learning the process. And so, yeah, training, I, I
511
01:24:17.910 –> 01:24:19.700
Chris Geer: say, is a great resource.
512
01:24:20.080 –> 01:24:26.259
Steve Marcus: And and Nancy Mandino again at a associate which is a International
513
01:24:26.390 –> 01:24:35.539
Steve Marcus: Community Association Management Company, just said they do, and kudos to them. They do internal
514
01:24:36.361 –> 01:24:43.939
Steve Marcus: cyber, mandatory, internal cyber training programs that everybody has to attend.
515
01:24:44.090 –> 01:24:46.560
Steve Marcus: So I think.
516
01:24:46.690 –> 01:24:56.339
Steve Marcus: without knowing that they’re probably in the minority and great for them. But I wouldn’t mind
517
01:24:56.450 –> 01:25:01.979
Steve Marcus: seeing more management companies do this or doing a program
518
01:25:02.808 –> 01:25:22.761
Steve Marcus: slated towards the management companies about what such a mandatory training program would would would look like cause I think, associate. I think it’s wonderful that they seem to be way ahead of the curve.
519
01:25:23.620 –> 01:25:27.710
Steve Marcus: I’m not a hundred percent sure of that. But I’m just guessing that the training
520
01:25:28.335 –> 01:25:44.719
Steve Marcus: isn’t happening in a lot of management companies. But unless Kevin or Eric know or I’m not, I’m not sure of the answer, but I think Associate might be in the minority and good for them.
521
01:25:45.170 –> 01:26:08.370
Kevin Davis: I would tell you this is interesting. When we have. When we do cyber for the management companies, we do send our cyber experts in there to review their and we do offer recommendations also. So we do that for the larger ones. So and sometimes they listen, and sometimes they don’t but they don’t. They don’t get. They will not get the coverage. So I would say right now, from insurance point of view.
522
01:26:08.540 –> 01:26:14.629
Kevin Davis: the large association, the large companies. They will go in there and do some their own
523
01:26:15.120 –> 01:26:24.009
Kevin Davis: you know, information and check and make sure they’re doing things. So I got another question. The cloud. Okay, everything’s cloud based. Now.
524
01:26:24.610 –> 01:26:26.610
Kevin Davis: how secure is that for all of us.
525
01:26:28.600 –> 01:26:29.190
Chris Geer: I mean
526
01:26:30.080 –> 01:26:44.689
Chris Geer: with the proper protections in place. You know it’s it’s it’s where everything is going anyway, right now. So you know again, it’s it’s, you know. Do you have the proper security in place? Multi factor, authentication.
527
01:26:44.690 –> 01:26:45.180
Kevin Davis: Yeah, yeah.
528
01:26:45.180 –> 01:27:12.309
Chris Geer: You know, it’s it’s that, and is, there is is the cloud provider that that is hosting. Whatever it is. The email, the application, you know, are, are they logging, you know? Are they performing updates? Do they have the protections in place? In their data centers? Where are they doing? Do they have? Vcdr, you know, backup continuity, disaster, recovery. You know, procedures. If they get compromised.
529
01:27:12.851 –> 01:27:17.330
Chris Geer: So yeah, I mean, it’s it’s it’s safe
530
01:27:17.590 –> 01:27:19.470
Chris Geer: with the proper precautions, you know.
531
01:27:20.360 –> 01:27:23.620
Steve Marcus: I think Judy Collins said it best on both sides now
532
01:27:24.840 –> 01:27:30.220
Steve Marcus: the I, not even Kevin, recognizes that song.
533
01:27:30.490 –> 01:27:30.870
Chris Geer: Okay.
534
01:27:30.870 –> 01:27:31.610
Steve Marcus: Okay.
535
01:27:32.416 –> 01:27:34.174
Kevin Davis: I give up.
536
01:27:35.880 –> 01:27:36.390
Jake Marcus: Alright!
537
01:27:36.570 –> 01:27:37.299
Chris Geer: I get a lot.
538
01:27:37.300 –> 01:27:37.909
Jake Marcus: On that note.
539
01:27:39.930 –> 01:27:44.149
Jake Marcus: We do have to log off.
540
01:27:44.580 –> 01:27:46.760
Jake Marcus: Yeah. Unfortunately.
541
01:27:46.760 –> 01:27:47.220
Steve Marcus: Available.
542
01:27:47.220 –> 01:27:47.860
Sherry Branson: Couple hours.
543
01:27:47.860 –> 01:27:48.270
Kevin Davis: That’s okay.
544
01:27:48.270 –> 01:27:49.110
Jake Marcus: Yeah.
545
01:27:49.110 –> 01:27:50.700
Steve Marcus: Do do you pay overtime.
546
01:27:51.434 –> 01:27:57.100
Jake Marcus: Yeah, I know, right? Yeah, yeah, we’re we’re on a tight time limit. So
547
01:27:57.530 –> 01:28:13.310
Jake Marcus: we do have to log off cause our our computer system. We have a shared zoom. So one of the attorneys in our office has to use the has to has to butt in. So unless we want to participate in another meeting.
548
01:28:15.380 –> 01:28:16.200
Sherry Branson: Join? Why not.
549
01:28:16.750 –> 01:28:17.309
Jake Marcus: We can see.
550
01:28:17.310 –> 01:28:20.280
Steve Marcus: Yeah. Why don’t? Why don’t we just do this one for them?
551
01:28:20.280 –> 01:28:20.880
Steve Marcus: I’m surprised.
552
01:28:20.880 –> 01:28:22.719
Jake Marcus: Yeah, and it’ll be a surprise. Guess?
553
01:28:22.720 –> 01:28:24.580
Chris Geer: All right. Pleasure meeting you, Evan and Eric.
554
01:28:24.580 –> 01:28:26.800
Eric Kuznitz: Alright, thanks a lot, guys. I appreciate it.
555
01:28:28.370 –> 01:28:29.370
Steve Marcus: Thank you.
556
01:28:29.370 –> 01:28:29.750
Chris Geer: Meaning.
557
01:28:29.750 –> 01:28:31.859
Kevin Davis: It was wonderful, all right.
558
01:28:32.130 –> 01:28:33.960
Jake Marcus: Excellent. Have a good weekend.
559
01:28:33.960 –> 01:28:35.190
Sherry Branson: You, too. Thank you.