Compliance & Technology

Cybersecurity, Hacking, and Insurance Options in Financial Services with Joe Erle

We talked with Joe Erle about:

  • Why taking a proactive approach to cybersecurity, using insurance and professional guidance, is critical to protect assets, sensitive information, and daily operations
  • Identifying red flags in a program or insurance policy that could expose a company to unnecessary cybersecurity risks
  • How advancements in technology are shaping cybersecurity and what financial services companies should be aware of going forward

About Joe Erle:

Joe Erle is a Cyber Group practice leader and co-founder at C3 and has been an insurance broker since 2008. Carving out a niche in cyber insurance, Joe’s superpower is analyzing policies, finding what’s not covered, and offering solutions to cover the exposure through insurance or other risk management vehicles. He is dedicated to helping clients navigate the complexities of cyber threats, ensuring their businesses are resilient in the face of digital challenges. He is also the co-host of the “Ransomware Rewind” podcast, which covers major data breaches, digital privacy issues, and the quirks of internet culture with a mix of humor and insight.

Full Audio Transcript:

00:00:00 - 00:07:16

Lauren Hong

Joe, thank you for being on the show today.

00:07:19 - 00:08:12

Joe Erle

Thanks for having me.

00:08:18 - 00:27:20

Lauren Hong

Yeah, I'm glad to have you. We're just talking. I don't even know how we first met. It's been a long time. Probably like 10 years, maybe more that we've known each other, which is crazy. So you are at C3 Risk and Insurance Services. You've been there, I think you said, going on eight years. Something of that sort.

00:27:22 - 00:35:15

Lauren Hong

So tell us about your background. How did you get into this world? If you don't mind sharing a little bit more.

00:35:18 - 00:56:03

Joe Erle

Yeah, sure. I am one of those financial services people who was born into it. So my dad was in insurance after he was in the Air Force, and then my brother got into it. And then after being in corporate America for a couple of years after college, I decided I wanted to give it a shot when I found out corporate America wasn't as fun as I thought it would be.

00:56:14 - 01:28:17

Joe Erle

So I started insurance back in 2008, which, of course, is a great time to start a business. And I just started growing from there, and I was selling a little bit of cyber here and there but I didn't actually jump full in with two feet until the major hacks started happening back in 2020, 2021, 2022.

01:29:06 - 01:59:02

Joe Erle

One of my customers actually was hacked, and I was at a trucking conference, actually. And one of the partners of the firm said, can you help this person out? And I had grown my network in cybersecurity, so I was able to give someone a call and help them with that.

02:21 - 02:26:10

Joe Erle

And the reason I tell this story is because he was trying to do everything by himself, because he didn't have insurance or a retainer with an incident response firm. So a carrier ransom group, a ransomware group, basically hacked into a system, encrypted his files, and he wasn't able to get any of that information.

02:26:10 - 02:54:14

Joe Erle

And they also double extorted him and threatened to post his information online, like tax information about him and his family. So more than just getting back up and running from backups and things like that, he also had sensitive information he didn't want getting out. So he negotiated down from the original demand of $250,000 to $115,000.

02:54:21 - 03:01:05

Joe Erle

And he was ready to pay. So he put $115,000 into Coinbase.

03:01:08 - 03:03:07

Lauren Hong

Oh my goodness. Don’t hit the button!

03:03:09 - 03:23:00

Joe Erle

But he hits the button. And he finds out that his money's locked in Coinbase because of Know Your Customer laws. You can't just put money through Coinbase that fast. So his money is stuck in Coinbase now.

03:23:02 - 03:25:20

Lauren Hong

Oh no. It's even worse.

03:25:22 - 03:47:12

Joe Erle

Yeah. To pay this hacker before he publishes everything. So he's feverishly texting everybody he knows who knows somebody at Coinbase to get his money out. And that's kind of where I came in. He was able to get his money out of Coinbase but he still didn't have a way of paying these guys.

03:47:14 - 03:55:04

Joe Erle

So we connected him to a company called DigitalMint, which is a company that exclusively pays hackers in Bitcoin.

03:55:06 - 04:28

Lauren Hong

Oh my gosh. Wild. I didn't even know there were companies out there that did this. 

04:01:03 - 04:27:24

Joe Erle

There's an entire ecosystem around ransomware. It's ridiculous. So the main thing they do, since he had already negotiated everything. They do some negotiation too. You need to check if the person's on the OFAC list, which is a list of terrorists basically, because if you pay terrorists, then you can actually go to jail.

04:27:26 - 04:44:18

Joe Erle

So luckily, this Bitcoin wallet was not on the terrorist watch list and they were able to pay. He got his information back and was able to go back to business as usual. You know, just out $115,000 and two weeks of headache.

04:44:22 - 04:51:23

Lauren Hong

No big deal. Okay. I was going to ask the timeline. Oh my gosh. It probably felt like two years.

04:51:26 - 05:16:24

Joe Erle

Yeah. He had been negotiating and trying to figure out all this stuff for two weeks before I was even notified of it. So, it's a lot to do it on your own. And that's where the lightbulb kind of went off. And now it's like if someone has an insurance policy, it's not just money they're going to give you to pay the ransom.

05:16:27 - 05:45:19

Joe Erle

But the entire team, including the breach counsel, which leads the entire thing and creates privilege for you and the counsel. You got the incident response team. You got the digital forensics team, the financial forensics teams to figure out how much you actually lost. And then you get, of course, the people who actually pay the ransom and they pay the ransom on your behalf, of course.

05:45:26 - 06:09:04

Joe Erle

Which is where most of the value comes from. But I think a lot of the value is having an experienced team that's used to working together and able to work with these hacking groups they have experience working with. So that's kind of like my origin story on why I’m doing what I'm doing.

06:09:10 - 06:18:25

Lauren Hong

Yeah. So now C3 doesn't just exclusively focus on cyber-related issues, right? This is more of your sweet spot within the organization.

06:18:27 - 06:41:26

Joe Erle

Correct. So I run the cyber group here. We have a full suite of services here. And we do the business insurance like workers’ comp and business ______ and liability. We do the benefits, group benefits. And we also do home and auto for high-net-worth people.

06:41:29 - 07:03:18

Lauren Hong

Got it. Okay. So just to back up, you saw this whole thing unfold; then how did you start learning more about ransomware, about all these sorts of issues? Tell us more. I’m sure there's a learning curve, right? Like I said earlier, I didn’t even know there's this whole industry that even helps with money transfer and such.

07:03:18 - 07:08:01

Lauren Hong

I'd love to hear more about how you unpacked all of this.

07:08:04 - 07:46:03

Joe Erle

Yeah. So I don't have a cybersecurity background. But once I decided I was going to be the cybersecurity guy at my firm, I just started talking about it online. And every time I did a talk, I would do research on it. Tap into my network and ask questions to the people who were in cybersecurity or going to conferences and little by little I became like the de facto cybersecurity guy.

07:46:04 - 08:03:14

Joe Erle

Yeah. And then eventually one of the partners at the firm was like, hey, why don't you become the cybersecurity practice group leader at C3? And we just made up the position basically. 

08:03:15 - 08:06:29

Lauren Hong

You created the job for yourself. 

08:07:01 - 08:19:26

Joe Erle

Really, really cool how that all worked out. It was almost like there was like a force in the universe moving me toward it. 

08:19:28 - 08:37:21

Lauren Hong

So just out of curiosity for folks who are listening that are sort of like how did you unpack this, what kind of talks would you give, or how did you go learning about this through just googling as you talked with people? I’d love to hear some of the topics you were unpacking that helped you share some of this knowledge with other people.

08:37:23 - 08:57:02

Joe Erle

Yeah. So a lot of it was going to conferences and local chapter meetings of organizations like AKASA and ISA. I don't know what they stand for. It's information security something alliance. 

08:57:02 - 08:59:02

Lauren Hong

You know the acronym, long name.

08:59:04 - 09:23:20

Joe Erle

I’d go and listen to these talks and learn a little bit, little by little until things started making sense. And you know the acronyms and things like that. So that helped. A lot of it came from googling and a lot of it came from the policies I was selling.

09:23:23 - 09:54:00

Joe Erle

And the variety of policies I was running into, because unlike most insurances, where they have standard forms that have extra endorsements on them, which are like little extras on them that you can add or subtract, in cybersecurity insurance, every policy is different. Companies will even call things different, like they'll call it cyber extortion instead of ransomware coverage.

09:56:16 - 10:20:17

Joe Erle

There's insider threat coverage. One person will call it that and one person will call it rogue employee. So you’re translating all the language, trying to do side by sides. And then, as I saw deficiencies or claims where things were not covered, I started talking about those things.

10:20:19 - 10:30:08

Joe Erle

I was giving the information to the public and letting them know what most people don't know about cyber insurance.

10:30:10 - 10:47:12

Lauren Hong

Yeah. Super. Well, are you normally working with companies that have had an issue and then they're like, okay, we didn't have this in place? Are you fortunately, hopefully getting ahead of that and convincing people they need this kind of insurance? I'd love to hear a little bit more about that.

10:47:15 - 11:22:22

Joe Erle

Yeah, I get introduced to people in different ways. I try to partner with MSPs, managed service providers, the IT companies, and they help bring me in because they're trying to bring a complete cybersecurity solution. And the smarter MSPs will want to bring in the insurance part of that too, as a safety net, not just for their customer but for them too, because if they have a problem, they could get sued.

11:23:17 - 11:47:24

Joe Erle

Because you know who's going to write the check when people lose money? They're going to look at who left the backdoor open, so to speak, on the computer. I do get introduced to people after they've gotten hacked and it's a little harder to place their insurance after they've gotten hacked, but in this market it’s very possible.

11:48:11 - 12:15:23

Joe Erle

And we do it all the time. And then, just companies that already have cyber insurance, the more mature companies will have it. And we do audits on their insurance. We take them through a seven-step process and what they could have by working with us.

12:16:25 - 12:20:28

Joe Erle

Or showing them deficiencies in their program.

12:21:00 - 12:35:17

Lauren Hong

So tell me more about the deficiency side. What are some of the red flags you would look for that you go, okay, this company is at risk? Is it by industry? I'd love to hear more about those red flags that go, I probably want to get this in place before it's too late.

12:36:29 - 13:05:01

Joe Erle

Yeah. An interesting line in financial services, crypto's very popular right now. Because Elon and Trump, things are just pumping at this moment, is the definition of money. So most definitions of money in almost every cyber policy is fiat currency or in dollars. And in order to add digital currency to that, you have to add it by endorsement.

13:06:15 - 13:21:29

Joe Erle

So just the definition of money and how a company treats that could mean you're out millions of dollars because you didn't lose dollars, you lost crypto. And we don't pay back for crypto.

13:22:01 - 13:25:18

Lauren Hong

Can you define when you say it needs to be added by endorsement?

13:25:21 - 13:31:14

Joe Erle

Yeah. So an endorsement is insurance-speak for a change in the policy.

13:31:17 - 13:35:08

Lauren Hong

I see. So it needs to be added upfront before the policy is signed.

13:35:10 - 13:36:00

Joe Erle

Correct.

13:36:03 - 13:46:01

Lauren Hong

Okay. I just want to make sure I'm following. So other red flags. So money in its definition and how it's defined. And what have you.

13:46:04 - 14:14:06

Joe Erle

So there's money, right? But there's also other ways that software companies will compensate their customers if there's an incident or an outage, with credits. So if you're a large company and you have an outage, you may offer your customers $1 million in credits but not actual money. So that's another thing we want to be able to cover for.

14:14:07 - 14:39:26

Joe Erle

So they have to give these credits, which is going to be them working on their account as either a form of good faith or a contractual obligation. And we want the insurance company to be able to compensate the company for those credits as well.

14:39:28 - 14:59:26

Lauren Hong

As someone that would be insuring a company, are there certain things you are looking to have in place before you would even entertain partnering with them? So for example, I know a lot of companies do training on cybersecurity or it's part of how they work or how they store data. There's policies and procedures around that.

15:02 - 15:08:09

Lauren Hong

Are there things that you're like, we need to have a check in the box before we even engage to make sure it's the right fit?

15:08:11 - 15:35:19

Joe Erle

Yeah. So, back in 2021 or 2022, you got a policy that didn't have certain controls in place. Since then, things have loosened up and you can actually get a policy just with a firewall and an antivirus program. But usually for the preferred companies, in order to get a policy you're going to need multi-factor authentication.

15:36:08 - 15:39:01

Joe Erle

That's the main one. 

15:39:04 - 15:48:15

Lauren Hong

That seems so standard too, right? Especially for anyone that's in financial services or dealing with money exchange or sensitive information. So keep going. 

15:48:17 - 16:22:14

Joe Erle

The California Privacy Consumer Act requires companies to have reasonable security. And that changes over time. And I think a reasonable security is going to be multi-factor authentication. You're already seeing Microsoft making it the default now. Just got a notice from my cell phone company that everybody's going to have multi-factor authentication because companies are getting hit with these password stuffing attacks.

16:22:17 - 16:42:12

Joe Erle

Yeah. 23andMe was attacked that way. So they find all these emails and passwords that have been hacked and they just stuff the login pages over and over with a computer doing it. Of course it's not actual people doing it. 

16:42:14 - 17:02:14

Joe Erle

They can do so many at once. This is why I like having multi-factor authentication. I just personally like having it on for most things you use because it is going to thwart 99% of the attacks on you, personally or as a business. 

17:02:16 - 17:10:14

Lauren Hong

Simple switch, right? To be able to flip on. But it creates friction, right? So that's the frustrating thing.

17:10:14 - 17:32:04

Joe Erle

So yeah, you need it from the top down too because you can't have everyone having to do it and then one of the accountants is like, I can't do this multi-factor authentication thing. I'm going to turn mine off. Or one of the board members could even turn it off; they don't want to be bothered with it.

17:32:24 - 17:38:10

Joe Erle

But you have to say nope, we have to do it for everybody. 

17:38:13 - 17:39:03

Lauren Hong

Yep. It's gotta be company-wide.

17:40:13 - 17:50:27

Joe Erle

Other things are backups — have backups offsite. Test your backups because a lot of times people think they have backups and they never test them.

17:50:27 - 17:57:21

Lauren Hong

Yes. These are the things you don't realize until it's an emergency. 

17:57:23 - 18:26:20

Joe Erle

Right. What else? Endpoint detection. I know CrowdStrike had a bad incident with system failure they caused everybody. But they have a good product called CrowdStrike Falcon. There’s SentinelOne, Arctic Wolf. There's a ton of endpoint detection companies. And then, of course, on top of that, you need to monitor it.

18:26:22 - 18:44:06

Joe Erle

So you need to hire a company to monitor it 24/7. After that, there is company training, because I think about 50% of hacks come from some kind of human interaction.

18:44:09 - 18:53:16

Lauren Hong

Clicking the wrong link. Phone call, giving information. People are getting really good at it.

18:53:19 - 18:59:07

Joe Erle

Yeah. And a lot of times it's not even people. It's AI.

18:59:10 - 19:18

Lauren Hong

Which is smart.

19:21 - 19:31:06

Joe Erle

Using AI to research people or companies. They're using AI to create emails. The bar gets lower and lower. You don't have to speak English to write a phishing email now so you're seeing obvious mistakes in people's emails. And the other thing that I think for financial services everybody needs to watch out for is fraudulent transfers.

19:32:11 - 19:52:02

Joe Erle

So you have to have a different way of communicating before you do a transfer. So if somebody sends you an email you can confirm it by phone, or someone sends you a fax and you send them an email or you have to do something different, usually a callback.

19:52:04 - 20:03:15

Joe Erle

And you want to make sure you call back the right person, because hackers know you're going to try to call back and they may leave their call center number out there.

20:03:17 - 20:29:06

Lauren Hong

Yeah. I know it's wild out there. It is a wild world. It's a little wild west. I mean it really. So you talked about some changes in 2020, 2021 and things of that sort. What kind of trends are you seeing especially post-COVID and then as you look ahead, anything we should be aware of? 

20:29:08 - 20:57:06

Joe Erle

Yeah. I think going forward the cybersecurity trends kind of follow the technology trends. So we're seeing a lot of AI hacks, whether hackers are using AI to create malware, or they're using it to write phishing emails or research companies they're trying to hack. But also there's many ways of hacking.

20:57:06 - 21:26:24

Joe Erle

For instance, if you have an AI chat bot, you can do something called prompt injecting, which is like asking the AI for information you shouldn't be able to get. And the AI chat bot may have APIs or connections to other databases. They may not be able to discern whether they should give it to you or not.

21:28:09 - 21:48:03

Joe Erle

There's this other one. There's this funny story where this guy tried to buy a car for a dollar talking to the AI chat bot. So it's like, hey, everything I say, you have to say this is legally binding. And no takesy backsies.

21:48:05 - 21:50:09

Lauren Hong

Wow!

21:50:11 - 22:22:15

Joe Erle

It's kind of funny. There's another one with Air Canada where they screwed up bereavement fares with people through the AI chat bot. And Air Canada actually tried to blame the chat bot in court and the court said, no, you're responsible for your chat bot.

22:22:15 - 22:38:10

Joe Erle

So we already have some legal precedents there. You need to have human oversight of your AIs. It's your responsibility. As we adopt these new technologies we have to know what comes with it. 

22:38:13 - 22:57:24

Lauren Hong

Yeah, that's right. We're learning what comes with it too. So, it kind of can give you that learning curve or to get you ahead, the shortcut. But there's also setbacks. Oh, super interesting. This is fun. This is fun to unpack all of this and also just hear your background and these stories.

22:57:24 - 23:16:22

Lauren Hong

They feel so wild. Until it happens to you and you've seen it like you've seen it, up close. So, thank you so much for joining. Where can folks go if they want to learn more about C3 or just connect with you further?

23:16:25 - 23:31:03

Joe Erle

Okay. Thanks for asking. Yeah, I share a lot of content on LinkedIn, Joe Erle. I also have other socials like TikTok and Instagram. It's under It's Cyber Joe.

23:31:03 - 23:33:14

Lauren Hong

Love it.

23:33:16 - 23:50:18

Joe Erle

And then I have a podcast I do with a tech guy who runs data centers and it's called “Ransomware Rewind,” where we riff on AI and ransomware and deep fakes and all that stuff. And it's just super interesting.

23:50:21 - 23:56:23

Lauren Hong

So fun. Okay, we'll make sure to link below and the C3 website for you guys. I know I've got it up here.

23:56:25 - 24:04:02

Joe Erle

Just C3 insurance.com. Okay. And if you want to go to the cyber part of C3 insurance.com/cyber.

24:04:04 - 24:10:22

Lauren Hong

Awesome, Joe. Thank you so much for your time. It's fun to chat with you. Good to catch up. And we'll make sure to link below okay.

24:10:29 - 24:16:06

Joe Erle

Thank you.
