0
00:00:10,000 --> 00:00:11,000
Walt Zerbe (00:00.644)

1
00:00:10,000 --> 00:00:11,000
Hello and welcome to another CEDIA podcast. I'm Walt Zerbe, Senior Director of Technology and Standards and your host for the CEDIA podcast. And today we're going to talk about a little topic called cybersecurity. This, my gosh, this, this thing seems to be completely coming full speed now. We've been talking about cybersecurity for years, but I think, I think it's really a focus now in the world.

2
00:00:11,000 --> 00:00:12,000
and a focus in our community and something that we need to be really abreast with. There's so much information to talk about here today. I'm really not quite sure how much we're going to get through, but we're going to give it a good shot. So joining us today, we have Trent Frazier. He's the Assistant Director, Stakeholder of Engagement Division at the Department of Homeland Security, Cybersecurity and Infrastructure Security Agency.

3
00:00:12,000 --> 00:00:13,000
otherwise known as CISA, C-I-S-A. And then we have Callum Wilson with SafeShark and he is representing SafeShark and is going to tell us stuff more on the UK and European side of things. And then we have our friends Michael George and Chris Boots who are both with AMJ Insurance. They've been longtime helpers with CEDIA. They have some programs for insurance for integrators.

4
00:00:13,000 --> 00:00:14,000
with CEDIA and insurance just really helps to round out this whole thing because you might need to get some insurance as you continue to be an integrator and or manufacturer and things and things get going. And then we have a repeat guest, our own Darren Raymond, Director of Government Affairs with CEDIA. So how is everybody today?

5
00:00:14,000 --> 00:00:15,000
Callum Wilson (01:45.614)

6
00:00:14,000 --> 00:00:15,000
Good.

7
00:00:15,000 --> 00:00:16,000
Chris Boots (01:45.996)

8
00:00:15,000 --> 00:00:16,000
Very good, ready to roll.

9
00:00:16,000 --> 00:00:17,000
Darren (01:46.318)

10
00:00:16,000 --> 00:00:17,000
Good.

11
00:00:17,000 --> 00:00:18,000
Walt Zerbe (01:47.67)

12
00:00:17,000 --> 00:00:18,000
Okay, ready to roll. All right. So I'm just going to quickly start and you know, I am not an expert in this, but I'm I probably devote 24 hours a day to get to speed up on this and I probably wouldn't get the speed up on it with what I read on my own. But what I do know is that I'm just going to use example of my son. My son is a senior about to graduate college with a criminal justice degree. And he

13
00:00:18,000 --> 00:00:19,000
He took an internship with a company that specializes in elder fraud, which is absolutely unbelievable. We look at my in-laws, they have no idea what to click on, what not to click on, what's real, what isn't real.

14
00:00:19,000 --> 00:00:20,000
Trent Frazier (02:25.574)

15
00:00:19,000 --> 00:00:20,000
Thank

16
00:00:20,000 --> 00:00:21,000
Walt Zerbe (02:40.474)

17
00:00:20,000 --> 00:00:21,000
Just in the elderly in the US in 2023, there were $12.5 billion estimated of fraud, just for the elderly 3.4 billion for people 60 and older. It's an 11% increase over 2022. I can imagine those percentages going up now that we have AI deepfakes and all other kinds of things. It's just a giant

18
00:00:21,000 --> 00:00:22,000
giant problem and that's just with one little bit of the community and this is just with people probably dealing with email and smartphones and computers, let alone when we start to integrate smart home and IoT things, which takes us to a whole nother level. So that's kind of my little introduction. It's not really that great as far as what we're going to cover, but that's where my mind has been lately.

19
00:00:22,000 --> 00:00:23,000
And October is Cybersecurity Awareness Month. So I didn't know if anybody knew that, but that's one of the nice timings of this particular podcast. So let's talk about the US cybersecurity programs. The FCC has a voluntary US Cyber Trustmark program, and Darren and Trent are going to run us through that. So Darren, would you like to give us a quick little introduction to that?

20
00:00:23,000 --> 00:00:24,000
Darren (03:55.638)

21
00:00:23,000 --> 00:00:24,000
Yeah, so thanks for everybody joining today. And before Trent kind of highlights

22
00:00:24,000 --> 00:00:25,000
the CISA program, wanted CISA programs and what they're doing within October and around Cybersecurity Month. I wanted to also highlight one of the US programs that is beginning. The FCC or Federal Communications Commission has adopted the US Cyber Trust Mark program. Back in August of 2023, the FCC sought public comment on how to create the Cyber Trust Mark program. And then in March of

23
00:00:25,000 --> 00:00:26,000
this year, they created a voluntary cybersecurity labeling program for wireless consumer Internet of Things products. And like I said, they are now in the process of standing up that program. And under the program, qualified consumer smart products that meet cybersecurity standards will bear a label, the US Cyber Trust Mark, that will help consumers make informed purchase decisions, differentiating trustworthy products in the market.

24
00:00:26,000 --> 00:00:27,000
Trent Frazier (04:36.326)

25
00:00:26,000 --> 00:00:27,000
you

26
00:00:27,000 --> 00:00:28,000
Darren (05:02.016)

27
00:00:27,000 --> 00:00:28,000
marketplace and create for manufacturers that meet the cyber trust standard. So there's many highlights to the program. And just one thing that I would add to that, you know, once a product is approved, companies can include the US cyber trust mark program logo on their products, along with a QR code that consumers can scan for further details about the security of the product. And how why I want to raise this on this podcast

28
00:00:28,000 --> 00:00:29,000
Trent Frazier (05:04.614)

29
00:00:28,000 --> 00:00:29,000
Thank you.

30
00:00:29,000 --> 00:00:30,000
Darren (05:31.892)

31
00:00:29,000 --> 00:00:30,000
back in November of last year, CEDIA provided public comment to the cyber trust program and expressed support for the concept of the cyber trust mark. But in its comments, we stress the importance of for the security of the home to the importance of working with professionals and technology integrators to have a secure environment. So I just wanted to highlight that and then I'll turn it over to Trent to talk more about what CISA is doing for

32
00:00:30,000 --> 00:00:31,000
October and the programs that they have to support cyber security throughout the US.

33
00:00:31,000 --> 00:00:32,000
Walt Zerbe (06:07.439)

34
00:00:31,000 --> 00:00:32,000
Yeah.

35
00:00:32,000 --> 00:00:33,000
Trent Frazier (06:09.414)

36
00:00:32,000 --> 00:00:33,000
Great, thanks, Darren. And I just wanted to start acknowledging that we are incredibly excited about the Cyber Trustmark program in discussions with FCC as they're developing the program. We see this as a first real step towards what we call secure by demand, which is a subset of the work we're doing in secure by design. And it's really about fundamentally changing the market incentives for how software, hardware and network services are provided to customers, whether they are individuals.

37
00:00:33,000 --> 00:00:34,000
Walt Zerbe (06:26.923)

38
00:00:33,000 --> 00:00:34,000
Trent Frazier (06:38.712)

39
00:00:33,000 --> 00:00:34,000
all the way up through industry. And it's really an acknowledgement that we have to now design our products and services with security in mind. That customers should be able to acquire, whether it's an endpoint device, like a lot of what we were talking about at the outset, your phone, or an edge device, your home router, all the way up through broad network services. Those have to be designed.

40
00:00:34,000 --> 00:00:35,000
and provided with security at the outset. And it's a strange market that we operate in today. If you think about it, none of us would buy a car where the manufacturer assured you that at some point in the future they will install airbags for you. None of us would, well hopefully few of us would want to jump on an airplane where the provider assured you at some point they'll go ahead and install seat belts later.

41
00:00:35,000 --> 00:00:36,000
But in many cases when we acquire technology today, that's the market we acquire technology in. We acquire technology that's brought to market as quickly as possible and then as it is utilized in the marketplace and vulnerabilities are revealed, patches are installed to address those vulnerabilities. As our economy increasingly is digitizing and we're integrating technology at every level of civil society,

42
00:00:36,000 --> 00:00:37,000
That is not a model that is sustainable for any of us as individual citizens, as entrepreneurs, as government institutions, or any level of public and private sector. So we really are looking at ways that we can restructure the incentives for that market. And the Trustmark is going to be one of those tools. It's a readily available resource that consumers can use to buy their devices, to buy those services.

43
00:00:37,000 --> 00:00:38,000
and with the assurity that they were designed with security at the outset. And that's what we hope to see more broadly across all of our efforts. CISA plays something of a unique role in the federal government. We are charged with leading the national effort to secure our nation's critical infrastructure and to ensure the defense of critical networks and systems throughout the country. So we are the nation's cyber defender. We are here to ensure that cybersecurity is top of mind now for both

44
00:00:38,000 --> 00:00:39,000
Trent Frazier (08:57.346)

45
00:00:38,000 --> 00:00:39,000
individuals and industry and we want to see that really that evolution in the marketplace help to ensure that we can defend all of our critical networks across the country. We have a lot of programs and I won't go in depth into all of them because it's pretty extensive but I'd sort of ground that conversation first in the idea that a lot of folks especially in a lot of individuals and citizens when they talk about cyber security they think of it as this kind of monolithic concept that applies to someone else that it's

46
00:00:39,000 --> 00:00:40,000
There is a cybersecurity person out there protecting you. In truth, it's really critical for all of us to think of cybersecurity more as a team sport, and all of us have a part to play in that sport, right? So it is absolutely the case that we want to see providers for both product and services creating those products and services with security in mind. It's also the case that we want to see vendors taking steps to ensuring that the products that they're installing

47
00:00:40,000 --> 00:00:41,000
have security baked into them at the outset and that it's integrated as part of their work. And of course, it's fundamental that as individuals, as the people who rely on that technology, we're doing our part to ensure that we're protecting ourselves and protecting those networks that we rely on. We do that in a number of ways. We recently released a program called Secure Our World. It's a very straightforward public service program that's designed to basically educate the consumer.

48
00:00:41,000 --> 00:00:42,000
the individual on the steps they can take. And they're very simple steps. It can be simple things like ensuring that you're implementing multi-factor authentication on your devices. Something most of us don't often do, but again, it's a critical and key step. It's ensuring that you're using complex passwords. Please do not use password as your password any longer. I had an interesting meeting with some folks from industry yesterday, and they talked about one of the key challenges they still have.

49
00:00:42,000 --> 00:00:43,000
Walt Zerbe (10:39.578)

50
00:00:42,000 --> 00:00:43,000
Ha ha ha.

51
00:00:43,000 --> 00:00:44,000
Trent Frazier (10:49.88)

52
00:00:43,000 --> 00:00:44,000
in defending the networks is that employees were using the word password as their password to gain access to their systems. You know, ensuring that your devices are kept up to date. We still exist in a marketplace where patches are required to address vulnerabilities as they're identified. Making sure that you're updating those devices in real time and keeping those security updates continuous is essential. And of course, making sure that you're aware

53
00:00:44,000 --> 00:00:45,000
when you are potentially being targeted for other types of attacks like phishing and behavioral attacks. I think, Walt, you mentioned at the outset one of the key challenges we still see. In my role, we talk about complex cybersecurity attacks from highly capable adversaries like China or Russia or others. But the largest majority of cybersecurity attacks are still the very simple, basic phishing, spear phishing attacks that allow that.

54
00:00:45,000 --> 00:00:46,000
that get people to share information and expose themselves and by extension expose those networks. So, Secure Our World is a key step for us. I already mentioned another program that we have that's really focused on secure by design. That's about reshaping the marketplace. And within that, we're starting to think through secure by demand. The resources we can help provide that will allow consumers, whether they are individuals, all the way through industry to acquire

55
00:00:46,000 --> 00:00:47,000
those services and those products from their vendors with security in mind to make sure that they can ask educated questions about the kinds of security measures that are baked into the products and resources they're relying on and ensure that they're acquiring that at the outset.

56
00:00:47,000 --> 00:00:48,000
Walt Zerbe (12:29.676)

57
00:00:47,000 --> 00:00:48,000
All right. Thank you. That was an incredibly good, well-rounded explanation you just gave us, Trent. I have a few questions right off the bat. How are you guys marketing the Secure by Design? Is that within the other program, that Secure World that you mentioned?

58
00:00:48,000 --> 00:00:49,000
Trent Frazier (12:46.842)

59
00:00:48,000 --> 00:00:49,000
Yeah, it's actually multi-tiered and that's in part because of the complexity of the market we're trying to evolve. So for example, we have a pledge that we've developed for industry partners right now that outlines essential things that they can do in the design of their products and services. That can include things like eliminating entire classes of vulnerability or installing security patches, increasing the pace that patching can occur for their customers.

60
00:00:49,000 --> 00:00:50,000
It can include ensuring that multi-factor authentication is turned on by default rather than requiring customers to activate it. And any number of those measures. Those pledges are really about bringing the providers, the industry partners into the conversation in a way that allows them to announce to their customers that they are taking steps to address security. Of course, we employ programs like Secure Our World.

61
00:00:50,000 --> 00:00:51,000
that are really about educating the consumer and we're doing a lot of engagement now with those intervening supply chain partners. Those would be individuals or entities like your membership that are really involved in the acquisition of technology and the installation of technology for an end user at the other end of that supply chain and really bringing them into the conversation now to give them resources that they can use to help shape the kinds of products they're acquiring.

62
00:00:51,000 --> 00:00:52,000
Our ICT SCRM Task Force, which is our information technology task force on supply chain, recently released guidance on vendor acquisitions to help vendors who are looking to acquire technology really educate themselves on the kinds of questions they should be asking to ensure that the technology that they're acquiring has the right security baked in from the outset. So it is a multi-tiered effort. We have to really focus on a number of different audience segments now.

63
00:00:52,000 --> 00:00:53,000
as we're looking to really evolve that marketplace.

64
00:00:53,000 --> 00:00:54,000
Walt Zerbe (14:41.592)

65
00:00:53,000 --> 00:00:54,000
Yeah, okay. I did watch the videos in Secure Our World. They're really well done and they're useful. Why voluntary? Is this just a precursor to them being mandatory?

66
00:00:54,000 --> 00:00:55,000
Trent Frazier (14:45.914)

67
00:00:54,000 --> 00:00:55,000
Thank you.

68
00:00:55,000 --> 00:00:56,000
Trent Frazier (14:52.868)

69
00:00:55,000 --> 00:00:56,000
You know, I think voluntary, and it's interesting at the outset you were mentioning that there's a conversation about some of the work happening within the EU and the UK and other markets within the world. If you look at the major global markets for technology right now, there are a number of different approaches. Some of them are regulatory, some of them are more voluntary based. We're taking a voluntary approach in part for two reasons. One, as an agency, our entire model is built on partnership with industry. It requires...

70
00:00:56,000 --> 00:00:57,000
that we create trust between industry and CISA to ensure that information about vulnerabilities are being shared real time so that we can address those vulnerabilities real time before they cascade across networks. And we want to protect that relationship in our dialogue. But we also believe that in shaping the design of a market, it's really critical and probably one of the most valuable tools in that is the consumer in that marketplace. And so while there are certainly measures that...

71
00:00:57,000 --> 00:00:58,000
various markets throughout the world are exploring, we believe that the most effective measure is going to be consumer demand and really driving and shaping the kinds of demands placed on providers to ensure that they're really providing the products and resources in a secure fashion.

72
00:00:58,000 --> 00:00:59,000
Walt Zerbe (16:01.722)

73
00:00:58,000 --> 00:00:59,000
All right, I just have a few quick questions to finish up with you. If a product doesn't support this program, can an installer, integrator, consumer or something, how would they go about saying, you know what, your product should be on this program and where do you go to get educated on it? How, so this is as being voluntary, I'm hoping everybody that manufactures products knows about it, but how do we get others?

74
00:00:59,000 --> 00:01:00,000
Trent Frazier (16:28.901)

75
00:00:59,000 --> 00:01:00,000
Yeah, I mean the simplest tool is to go to CISA.gov and look at our secure by demand resources. You'll find there the access to the pledge. I actually have been encouraging a lot of folks on the consumer side to take a look at that pledge because I think that pledge is a really simple, easy tool that you can use in discussions with the providers that you're...

76
00:01:00,000 --> 00:01:01,000
you're engaging with, whether that's sort of a complex contracts negotiation, all the way through the more basic transactions, because it's going to give you the basic questions to ask. Are you doing these things in the products that you're employing? If not, why not? And are there other providers in the marketplace that are satisfying those things? But I would look at that as an easy starting point. As you're looking through those resources, certainly follow up with us directly. And if there's areas that we can engage with you to talk to,

77
00:01:01,000 --> 00:01:02,000
You know, there are, we're working with a lot of industry partners now across a number of different supply chains for technology. There's certainly supply chains we probably aren't heavily engaged in today, but we welcome that insight because that gives us then the avenue for follow-up within those providers and those communities.

78
00:01:02,000 --> 00:01:03,000
Walt Zerbe (17:39.32)

79
00:01:02,000 --> 00:01:03,000
Yeah, cool. I could certainly see this as an advantage with an integrator saying I use only CISA, you know, I use only products that have been, you know, part of this program. So it's, I could see that as an advantage just for comfort for the end user to know that you're using products that meet security needs. My last question would be, I'm sure you guys recommend password managers, but what about passkeys? Passkeys seem to be a thing that we're moving towards.

80
00:01:03,000 --> 00:01:04,000
What is your position on passkeys? Is that part of the program and being recommended for manufacturers to support and all that stuff too?

81
00:01:04,000 --> 00:01:05,000
Trent Frazier (18:14.234)

82
00:01:04,000 --> 00:01:05,000
So it's interesting, you know, passkeys are what I would call one tool in the toolbox to help with the challenge of user authentication, right? And when we think about passkeys, they are often incredibly valuable for specific types of users, but they can also be cost prohibitive for other types of users. I mentioned I had...

83
00:01:05,000 --> 00:01:06,000
some discussions yesterday with an industry partner who happens to work in what's called a high turnover industry where they have a lot of employees that join and leave at a relatively high rate in part because of the nature of their business model. Keys for them might be cost prohibitive, so they're looking at other ways to employ multi-factor authentication using other ways of authentication. The key though is that you're using multi-factor authentication. Passkeys are certainly a highly capable tool for that purpose.

84
00:01:06,000 --> 00:01:07,000
There are other tools that serve that purpose and it's really a balance of risk to reward in terms of how you're employing those things. We believe passkeys are certainly highly effective. The use of password managers is often very, what we would call, efficacious for the average user. The individual who's maybe logging in two or three times a day to key systems and networks, they may not be efficacious for other types of users and other settings. The real, the value point here is to acknowledge

85
00:01:07,000 --> 00:01:08,000
that you're using these tools to address the vulnerabilities in your networks and you're implementing them in a way that really addresses your key vulnerabilities.

86
00:01:08,000 --> 00:01:09,000
Walt Zerbe (19:41.711)

87
00:01:08,000 --> 00:01:09,000
Gotcha. I know personally I couldn't live without a password manager and if I still had an integration company, I would educate all my customers in the household that they should use it to help to reduce the potential for vulnerability. I love that it lets me know when something's been breached. It generates automatic passwords that I don't even need to know or care about. It just makes life more secure and a lot easier for me personally.

88
00:01:09,000 --> 00:01:10,000
Trent Frazier (20:11.408)

89
00:01:09,000 --> 00:01:10,000
Yeah, absolutely.

90
00:01:10,000 --> 00:01:11,000
Walt Zerbe (20:12.578)

91
00:01:10,000 --> 00:01:11,000
All right, well, let's move to the EU cybersecurity program. I don't know why my voice isn't working today, but, Callum, let's take a look at the other side. As they say, the pond, you guys have a lot of stuff going on over there. You've got US, you have UK cybersecurity programs. You've got the product security and telecommunications infrastructure act. You got all kinds of stuff. So let us know. Let us know what you're doing over there. And also some I hate saying over there, but

92
00:01:11,000 --> 00:01:12,000
That's how I'm going to differentiate US from you. And also any similarities that you've heard that we're kind of doing the same.

93
00:01:12,000 --> 00:01:13,000
Callum Wilson (20:52.44)

94
00:01:12,000 --> 00:01:13,000
Yeah, that's it. So I work for SafeShark. We actually do testing of a lot of the...

95
00:01:13,000 --> 00:01:14,000
IoT that your installers will install and provide and the providers will provide, and there's essentially, over here on this side of the pond, there's two bits of legislation. And what I would say is that the European Union and the UK have chosen a much more legislative, legislative kind, say the word, a much more regulatory point of view. And in fact, there are two main bits of legislation. So if you're absolutely right, in the UK is the PSTI, which is the product security and telecoms

96
00:01:14,000 --> 00:01:15,000
infrastructure act which includes any bit of IoT that will be owned by a consumer and attached to a network. That includes Bluetooth speakers, includes your smart toaster, home cinema, everything. And in the EU in August of 2025, the radio equipment directive will be launched which includes a mandatory

97
00:01:15,000 --> 00:01:16,000
test for anything with a radio connection that links to the internet. So when I say a mandatory test, it means that any testing has to be signed off by a certification body. So it has to be done quite thoroughly. That's going to be a massive change, I think, to the industry. So the PSTI really has three components to it. It talks about the default passwords to make sure that products don't come with

98
00:01:16,000 --> 00:01:17,000
default passwords and I know that in the home IoT installer industry there are still products that are shipped, high-end products that have a default administrative password. These would not pass this bit of legislation and it also requires things like vulnerability disclosure programs for manufacturers so that they can actually take feedback from the public.

99
00:01:17,000 --> 00:01:18,000
Callum Wilson (22:44.889)

100
00:01:17,000 --> 00:01:18,000
at large and security professionals about vulnerabilities in their products. And then the third thing is the requirement to provide security updates to products. So they can't just be given to a consumer and the consumer left to fend for themselves. Now the PSTI is an act of legislation, in other words it's in our law in the UK.

101
00:01:18,000 --> 00:01:19,000
if an organization sells a product that doesn't meet this, they can be fined between 2 and 4% of their global revenues. So there's quite a big stick to that. Now, having said that, that became law last year. And in SafeShark, my company research, we found that still today of high-end products, around 75% don't meet the minimum criteria of PSTIs. So even with an act of regulation,

102
00:01:19,000 --> 00:01:20,000
which has very heavy fines, there still is quite a lot of non-conformance. The EU has a tougher approach that's gonna take a bit longer to come on board, as I said, August 2025. The Radio Equipment Directive has a quite a...

103
00:01:20,000 --> 00:01:21,000
large number of very technical tests that products have to go under. I won't go into massive amounts of detail, but it's far more than just checking your passwords, also looking about the actual security of the product itself and how it can store sensitive data on it in a secure way that hackers can't get into or can't be broken into or mistreated in any way.

104
00:01:21,000 --> 00:01:22,000
Walt Zerbe (24:25.082)

105
00:01:21,000 --> 00:01:22,000
Yeah, they like to do penetration testing and all that stuff on that stuff.

106
00:01:22,000 --> 00:01:23,000
Callum Wilson (24:28.118)

107
00:01:22,000 --> 00:01:23,000
Yeah, so there's going to be a compliance test. The rules are currently yet to be completely formalized, although we have been working on the committee to create those rules. The test is what I would call a compliance test rather than a penetration test, although some of the tests are actually quite... So for example, one of the tests is that you have to be able to brute force...

108
00:01:23,000 --> 00:01:24,000
Walt Zerbe (24:44.194)

109
00:01:23,000 --> 00:01:24,000
Okay.

110
00:01:24,000 --> 00:01:25,000
Callum Wilson (24:51.23)

111
00:01:24,000 --> 00:01:25,000
If it has a system for allowing a password, like an administrative password, we have to brute force the product and we have huge lists of millions of every conceivable password you can think of and it will just carry on for days at a time trying to break into these products. In fact, I'll tell you a story I was doing. I won't mention any names.

112
00:01:25,000 --> 00:01:26,000
Walt Zerbe (25:14.703)

113
00:01:25,000 --> 00:01:26,000
Callum Wilson (25:14.786)

114
00:01:25,000 --> 00:01:26,000
But I know it's, just can't do that. It was a mainstream television and you would think that television wouldn't have an ability to log on. How'd you log on to a television? That doesn't make any sense. Well, exactly. And they actually are just like your computer. They have user accounts on them. Now the user accounts aren't normally presented to consumers. You wouldn't even know they were there. Yeah. Our automatic test platform said, bing, are broken into.

115
00:01:26,000 --> 00:01:27,000
Walt Zerbe (25:26.082)

116
00:01:26,000 --> 00:01:27,000
Yeah, they're all app based now.

117
00:01:27,000 --> 00:01:28,000
Callum Wilson (25:41.848)

118
00:01:27,000 --> 00:01:28,000
this particular television, and in fact it broke into it in about five seconds, so quickly that we thought our system had broken, but it turned out it had a one letter password. What, a single character. So I think that was a big mistake. There were lots of apologies made and promises it would never happen again, although I do see other products that have guessable administrative passwords in there. You just can't have that. Now here's why. So why

119
00:01:28,000 --> 00:01:29,000
Walt Zerbe (26:09.167)

120
00:01:28,000 --> 00:01:29,000
No.

121
00:01:29,000 --> 00:01:30,000
Callum Wilson (26:11.48)

122
00:01:29,000 --> 00:01:30,000
The PSTI legislation all started because in 2016 there was a virus called the Mirai virus. And the Mirai virus targeted IoT, particularly CCTV cameras. And in Germany, in the European Union, the...

123
00:01:30,000 --> 00:01:31,000
they have a major telecoms provider that gave the same router out to about a third of households in Germany. This was affected by Mirai virus. And so that's what really drove the legislation in Europe and the UK. They just didn't want to have a situation where what seems

124
00:01:31,000 --> 00:01:32,000
a reasonably inconsequential hack turns into a nation state attack because you have your communications infrastructure attacked, such as attacking home routers for, or your broadband routers or internet connected routers in people's homes. And when you combine them all together over a population, you can actually cause a lot of damage. So that's really where the root of this legislation came from.

125
00:01:32,000 --> 00:01:33,000
Walt Zerbe (27:10.33)

126
00:01:32,000 --> 00:01:33,000
I have a few questions for you as always. Are they saying that the security updates, you know, the product being able to do security updates, is that automatic? Are you guys saying it's got to be automatic? Because I guarantee you consumers will not remember to check stuff.

127
00:01:33,000 --> 00:01:34,000
Callum Wilson (27:21.976)

128
00:01:33,000 --> 00:01:34,000
So.

129
00:01:34,000 --> 00:01:35,000
Callum Wilson (27:26.082)

130
00:01:34,000 --> 00:01:35,000
Yeah, that's exactly it. So in the PSTI, the UK legislation, this is where it gets difficult because each...

131
00:01:35,000 --> 00:01:36,000
Chris Boots (27:26.092)

132
00:01:35,000 --> 00:01:36,000
.

133
00:01:36,000 --> 00:01:37,000
Callum Wilson (27:33.4)

134
00:01:36,000 --> 00:01:37,000
geographic area has different rules. But in the PSTI, it's more about the ability to tell the consumer when they're buying a product what they're getting into. One of the, actually, I bought one of these doorbells with a camera in it a few years ago, only to find that I got it cheap off an online shop, as you can probably imagine, and it had already passed its sell by date. The servers that it connected to had already been switched off. No wonder it was inexpensive. So what they're trying to do is that when a consumer buys a product,

135
00:01:37,000 --> 00:01:38,000
Walt Zerbe (27:46.138)

136
00:01:37,000 --> 00:01:38,000
Mm-hmm.

137
00:01:38,000 --> 00:01:39,000
Callum Wilson (28:03.674)

138
00:01:38,000 --> 00:01:39,000
The manufacturer or the distributor or the vendor, whoever sold it (that would include an installer, by the way), would have to say you will get security updates up until a certain date in the future. You can't say three years from the point of when you purchased it. Has to be an actual date when that product will have security updates for. So that's how they're doing it there. They're trying to make the consumer

139
00:01:39,000 --> 00:01:40,000
own the experience and have the knowledge and information to be able to use the products. I think Trent said earlier it's about this sort of risk profile. Each of us

140
00:01:40,000 --> 00:01:41,000
listening today has a different risk profile. You might have young children in your home, in which point you've got a different risk profile if you're in your 20s and share an apartment with some of your friends. So it's up to giving the consumer the right information so that they can have, well, at the end of the day, it's a balance of usability against the security. And if you balance that correctly, then for each individual consumer, then you're going to be okay.

141
00:01:41,000 --> 00:01:42,000
Walt Zerbe (28:42.44)

142
00:01:41,000 --> 00:01:42,000
yeah.

143
00:01:42,000 --> 00:01:43,000
Walt Zerbe (28:57.583)

144
00:01:42,000 --> 00:01:43,000
Yeah.

145
00:01:43,000 --> 00:01:44,000
Walt Zerbe (29:04.036)

146
00:01:43,000 --> 00:01:44,000
Was just curious, do you think the EU tests will once those are all finalized, likely potentially increase product costs because if somebody has to do a lot more testing, that's probably the margins are slim on some of these things, they're probably gonna have to pass that on.

147
00:01:44,000 --> 00:01:45,000
Callum Wilson (29:14.594)

148
00:01:44,000 --> 00:01:45,000
Yes, so there is a cost associated.

149
00:01:45,000 --> 00:01:46,000
Well, so far we've been testing PSTI for about a year and a half and we've just started doing our first radio equipment directive test right now. The tests do come with a cost, but actually that's inconsequential to the actual changes that organisations have to make to their products. So we've been, even some of the very large tier one electronics organisations from the Far East have had to implement...

150
00:01:46,000 --> 00:01:47,000
proper vulnerability disclosure policies and potentially some changes to the products. I can name a few examples. We had to change one television where you had to pair an app to the television. It was a four digit, so numeric digits, four digits to, and basically it had no ability to.

151
00:01:47,000 --> 00:01:48,000
to withstand an attack where you just went from zero zero zero to nine nine nine, you could eventually just break into it. And of course, with these types of attacks, you don't actually need to be in someone's property to attack that because you can look for a window or you can be next door. Yeah, yeah, exactly. So yeah, so what you'll find is that the main costs, and I hope that these costs will eventually pay back because with a better security benchmark within the product, then you will have.

152
00:01:48,000 --> 00:01:49,000
Walt Zerbe (30:16.258)

153
00:01:48,000 --> 00:01:49,000
Yeah, just within range of the radio, right?

154
00:01:49,000 --> 00:01:50,000
Callum Wilson (30:34.109)

155
00:01:49,000 --> 00:01:50,000
hopefully lower costs and better sales in the future.

156
00:01:50,000 --> 00:01:51,000
Walt Zerbe (30:37.326)

157
00:01:50,000 --> 00:01:51,000
Yeah, Callum, will there be logos on instruction manuals and products when we know a product meets these things?

158
00:01:51,000 --> 00:01:52,000
Callum Wilson (30:42.862)

159
00:01:51,000 --> 00:01:52,000
Yeah, so within the UK, all companies are meant to have a certificate of compliance available either in the box, printed off alongside various other compliance statements like, you know, electrical safety and all the rest of the things that will be mentioned on there and on their websites. And in the European Union, it will be tested by a nation certification body.

160
00:01:52,000 --> 00:01:53,000
Walt Zerbe (30:56.399)

161
00:01:52,000 --> 00:01:53,000
Yeah, yeah.

162
00:01:53,000 --> 00:01:54,000
Callum Wilson (31:08.336)

163
00:01:53,000 --> 00:01:54,000
and at the moment we're still trying to work out exactly how that's going to work. SafeShark, our company, we're going to do a logo and put it on boxes and so on, which states the actual name of the standard that it passed, and that will also be inside the box as well.

164
00:01:54,000 --> 00:01:55,000
Walt Zerbe (31:23.194)

165
00:01:54,000 --> 00:01:55,000
And products manufactured in the EU or the UK will be required to go through some of this stuff. So when they ship it abroad, that'll be a requirement as well, right? So the reason why I'm bringing this up is this is a global thing that people need to know about, especially integrators in the US installing products. A lot of products come from the EU and the UK.

166
00:01:55,000 --> 00:01:56,000
Callum Wilson (31:44.74)

167
00:01:55,000 --> 00:01:56,000
And the same vice versa, any American home IoT products being installed in the UK will have to meet the local legislation for wherever it is. And you would hope that a product made in the UK sent to the United States would be in the voluntary scheme that Trent was talking about earlier. That's the way it's going to have to work. And what's nice is that the voluntary scheme, the US, the EU Radio Equipment Directive, and the PSTI aren't exactly a million miles away.

168
00:01:56,000 --> 00:01:57,000
Walt Zerbe (31:59.194)

169
00:01:56,000 --> 00:01:57,000
OK.

170
00:01:57,000 --> 00:01:58,000
Yeah.

171
00:01:58,000 --> 00:01:59,000
Callum Wilson (32:14.762)

172
00:01:58,000 --> 00:01:59,000
have the same threads of security. There are some slight differences here and there but they're all headed in the same direction because we've been talking about it behind the scenes for years now to do this.

173
00:01:59,000 --> 00:02:00,000
Walt Zerbe (32:25.626)

174
00:01:59,000 --> 00:02:00,000
Yeah. This is exactly like ERP. I remember when I was in the manufacturing world and we had to meet half watt standby power regulations that came from Europe. Then we then as a manufacturer, we had to make sure all of our products met that. So every product then became ERP compliant no matter where SSL was designed. So this makes a lot of sense.

175
00:02:00,000 --> 00:02:01,000
Darren sounds like we're gonna, we could use education, a class, something over all these marks, what to be aware of, what to look for, and all these things in the future. Because this, you know, we're just bringing up the subject today, but now we're gonna need education on this later on. For sure. One last thing, I wanted to give you a story too, Callum. I'm sure you heard it, but I'm just making sure our membership knows it. I know that there was a major.

176
00:02:01,000 --> 00:02:02,000
Darren (32:52.706)

177
00:02:01,000 --> 00:02:02,000
Hmm.

178
00:02:02,000 --> 00:02:03,000
Walt Zerbe (33:18.798)

179
00:02:02,000 --> 00:02:03,000
breach at a casino in Las Vegas, of which they lost a lot of money. And that was through a fish tank. And that was through a controller of a fish tank that someone was able to break in and access the entire network or portions of the network within this casino. So it wasn't even like on its own, its own, you know, VLAN or anything like that. It was just connected. And once they got into the fish tank, they had access. So this,

180
00:02:03,000 --> 00:02:04,000
Are there any other questions for Darren, or sorry, Callum, from Darren or Chris?

181
00:02:04,000 --> 00:02:05,000
You guys have anything?

182
00:02:05,000 --> 00:02:06,000
Chris Boots (33:56.224)

183
00:02:05,000 --> 00:02:06,000
Great information, is really, really good information.

184
00:02:06,000 --> 00:02:07,000
Walt Zerbe (33:58.98)

185
00:02:06,000 --> 00:02:07,000
Well, the reason why I asked that is this is a perfect segue into insurance because the integrator that did that installation, and I'm going to say technology integrator, right Darren? Because that's our new SOC term. If you didn't listen to last week's podcast, listen to that. Our last podcast we did, it talks all about the SOC campaign. But when are you liable? And I've been saying forever.

186
00:02:07,000 --> 00:02:08,000
Darren (34:10.411)

187
00:02:07,000 --> 00:02:08,000
Correct. Correct.

188
00:02:08,000 --> 00:02:09,000
Walt Zerbe (34:26.252)

189
00:02:08,000 --> 00:02:09,000
Someday someone's going to get sued because somebody broke into somebody's house because they installed Smart Home or whatever and they're going to say you installed it. It's your fault so

190
00:02:09,000 --> 00:02:10,000
Chris Boots (34:38.572)

191
00:02:09,000 --> 00:02:10,000
It's already happened. I'd be glad to jump in here. Perfect. I can start.

192
00:02:10,000 --> 00:02:11,000
Walt Zerbe (34:42.274)

193
00:02:10,000 --> 00:02:11,000
Yeah, you guys want to fight over who's going to start? All right. So Mike, Michael and Chris, Michael, George and Chris from, why don't you guys go ahead and go.

194
00:02:11,000 --> 00:02:12,000
Chris Boots (34:52.416)

195
00:02:11,000 --> 00:02:12,000
Yeah, we've I've been working with Cedia members since 93. So the cyber thing has kind of changed through the years from doing the big large Mitsubishis to flat screens and no more cyber. But yeah, the dip and now with the default passwords we actually had, you just brought that up. We had a guy that had actually installed a Nest into somebody, the business owner, business owner's home.

196
00:02:12,000 --> 00:02:13,000
They did not reset the password. Actually, somebody got into the Nest, got into his work computer, went to his company. And what happened was the company did have cyber insurance. But when you have insurance or something happens, they always look for who is at fault. They determined it. They hired a forensic.

197
00:02:13,000 --> 00:02:14,000
Walt Zerbe (35:46.798)

198
00:02:13,000 --> 00:02:14,000
Yeah.

199
00:02:14,000 --> 00:02:15,000
Chris Boots (35:51.048)

200
00:02:14,000 --> 00:02:15,000
investigation because it was a very large claim because they hacked into all of his clients. So he had to notify people with the US laws. So they went back and said, hey, it was from the Nest that they got into it. Went after our technology integrator. And luckily, we did have he did actually have cyber. So he would and we defended them.

201
00:02:15,000 --> 00:02:16,000
Walt Zerbe (35:52.696)

202
00:02:15,000 --> 00:02:16,000
Wow.

203
00:02:16,000 --> 00:02:17,000
Chris Boots (36:19.6)

204
00:02:16,000 --> 00:02:17,000
There were, there was some payout, but yeah, it's happened. Actually, and Callum's shaking his head probably. Yep. I mean, it's just something simple like that. He installed, you know, he goes, all I did was install the Nest and he did a flat screen was during COVID when the, when the owner of the business wanted to be at home and sit there and have his, you know, inner, you know, talk with his employees and, but yeah, it's happened.

205
00:02:17,000 --> 00:02:18,000
Walt Zerbe (36:23.951)

206
00:02:17,000 --> 00:02:18,000
Wow.

207
00:02:18,000 --> 00:02:19,000
Chris Boots (36:47.82)

208
00:02:18,000 --> 00:02:19,000
problem is we have 3500 plus members. Probably there's only 10% of the members that carry cyber coverage. We try to, when we talk to them about insurance, we try to let them know that where it starts happening is where, the good news is your word's out there, Callum's out there, the government's doing things, which is

209
00:02:19,000 --> 00:02:20,000
Walt Zerbe (37:10.382)

210
00:02:19,000 --> 00:02:20,000
Yeah, Trent. Yep.

211
00:02:20,000 --> 00:02:21,000
Chris Boots (37:11.84)

212
00:02:20,000 --> 00:02:21,000
but also their clients. For example, we have a lot of high-end clients and they use management firms, especially the NFL. The NFL players, when you put that screen in there, they're gonna require you have cyber. So our guy will call us, hey, I need cyber on the certificate of insurance. And that's good news.

213
00:02:21,000 --> 00:02:22,000
Walt Zerbe (37:31.865)

214
00:02:21,000 --> 00:02:22,000
Chris Boots (37:37.034)

215
00:02:21,000 --> 00:02:22,000
The nice part about it is when they do have the insurance to a lot of the things that everyone was talking about here, the safeguards, the company does a lot of that for you and make sure that you have the MFA and all that.

216
00:02:22,000 --> 00:02:23,000
Walt Zerbe (37:49.344)

217
00:02:22,000 --> 00:02:23,000
You know, the bad news is they probably didn't even think about having cyber until they were asked, you need to have cyber, which is I'm hoping people have a realization listening to this cast that they better look into it. If only 10% of members have it, that's not good.

218
00:02:23,000 --> 00:02:24,000
Chris Boots (38:09.376)

219
00:02:23,000 --> 00:02:24,000
You know, nationally, only 17% of businesses have cyber insurance in the country.

220
00:02:24,000 --> 00:02:25,000
Walt Zerbe (38:16.975)

221
00:02:24,000 --> 00:02:25,000
And Chris, is this the same cyber, whether you're an integrator, whether you're a business owner, is it the same policy?

222
00:02:25,000 --> 00:02:26,000
Chris Boots (38:23.564)

223
00:02:25,000 --> 00:02:26,000
Yep, yep, this would be any business and 48% of companies with cyber insurance didn't purchase it until after their first attack, which is incredible. Yeah. And you know, the crazy thing is, businesses of a size of less than 100 people or 100 employees, 30% of the attacks go to those size businesses. You know, so people...

224
00:02:26,000 --> 00:02:27,000
Walt Zerbe (38:33.976)

225
00:02:26,000 --> 00:02:27,000
Yeah.

226
00:02:27,000 --> 00:02:28,000
Walt Zerbe (38:50.17)

227
00:02:27,000 --> 00:02:28,000
Yeah.

228
00:02:28,000 --> 00:02:29,000
Chris Boots (38:50.624)

229
00:02:28,000 --> 00:02:29,000
say, well, it's not going to happen like you started out. Well, this is somebody else's problem. No, it's really our problem now and here. And it's as simple as employee goes to work, or then they leave for lunch, they come back in, they park their car in the parking lot, they look down and there's a USB drive. They pick it up, they go inside and they plug it in and the system is compromised. That actually happened and it still happens to this day.

230
00:02:29,000 --> 00:02:30,000
Walt Zerbe (39:10.266)

231
00:02:29,000 --> 00:02:30,000
Hmm?

232
00:02:30,000 --> 00:02:31,000
Walt Zerbe (39:19.012)

233
00:02:30,000 --> 00:02:31,000
You know what, Chris, that's a really good, I was going to ask you a question about that. So that is an end user error right there. And we like to call also some things wetware problems where it's your brain, like you clicked on a link that you shouldn't have clicked on. Will they still try to go after the integrator because that happened?

234
00:02:31,000 --> 00:02:32,000
Chris Boots (39:25.633)

235
00:02:31,000 --> 00:02:32,000
Yeah.

236
00:02:32,000 --> 00:02:33,000
Chris Boots (39:38.022)

237
00:02:32,000 --> 00:02:33,000
Yes, very much so. You know, just like Michael's example of, you know, somebody got in through his home system and to his business. I mean, it's, it's, we say we're connected. Boy, are we connected. We're connected more than we'll ever know. It's crazy. And a lot of the Cedia guys have, cause you know, we also do work comp for members too. And started noticing a few years ago, a lot of the guys will use programmers.

238
00:02:33,000 --> 00:02:34,000
not at their location. I got an employee now, he may be in New York and he goes, my programmer is now in California. Like, great, we worked from his home. So he's doing all the programming on all the integration work through Crestron, Control4, whatever. Another layer is added there where now you have somebody outside of your organization. Yeah, we've had phishing. Luckily, some of the guys have caught it. Hey, John Smith in his house.

239
00:02:34,000 --> 00:02:35,000
Walt Zerbe (40:08.718)

240
00:02:34,000 --> 00:02:35,000
Mm-hmm.

241
00:02:35,000 --> 00:02:36,000
Chris Boots (40:36.832)

242
00:02:35,000 --> 00:02:36,000
can't get into his clicker. His clicker's not working. Hey, can you give him, you need to give him the password. It actually comes from the owner and they actually had found, he was going on an airplane. They must've hacked into it. They said, hey, I'm getting on the airplane, which he was, but I need you to send the password immediately for John Smith's home. So yeah, it's just amazing some of the stories we've been hearing.

243
00:02:36,000 --> 00:02:37,000
Walt Zerbe (41:01.242)

244
00:02:36,000 --> 00:02:37,000
crazy.

245
00:02:37,000 --> 00:02:38,000
Walt Zerbe (41:05.134)

246
00:02:37,000 --> 00:02:38,000
It really sounds like if you're installing anything connected and you have an integration company, is a no-brainer. You have to have.

247
00:02:38,000 --> 00:02:39,000
Chris Boots (41:12.438)

248
00:02:38,000 --> 00:02:39,000
Well, even, and you're exactly right, well, because the example that Michael talked about, you know, people think, well, I have insurance. Well, if you don't have, in that particular case, it was cyber and it was an errors and omissions. So a lot of our integrators, we're just now getting them on board that you need to have errors in technology, errors and omissions insurance, because if he didn't have that, he wouldn't have been covered.

249
00:02:39,000 --> 00:02:40,000
Walt Zerbe (41:27.95)

250
00:02:39,000 --> 00:02:40,000
Yeah.

251
00:02:40,000 --> 00:02:41,000
Walt Zerbe (41:41.369)

252
00:02:40,000 --> 00:02:41,000
Yeah.

253
00:02:41,000 --> 00:02:42,000
Chris Boots (41:41.824)

254
00:02:41,000 --> 00:02:42,000
That would have been all out of pocket expense. So you not only need the technology errors and omissions, but you also need cyber as well. And they have to be packaged together because you'll say, well, I have general liability. Well, general liability doesn't cover that kind of thing. Yeah. The business owner, the business owner actually, his cyber policy kicked in, went back to us. It wasn't under his cyber policy. It was under his errors and omissions for the password that he actually put out.

255
00:02:42,000 --> 00:02:43,000
Walt Zerbe (41:57.323)

256
00:02:42,000 --> 00:02:43,000
in

257
00:02:43,000 --> 00:02:44,000
Walt Zerbe (42:10.842)

258
00:02:43,000 --> 00:02:44,000
Should consumers also get cyber and errors and omissions policies or is this really just for

259
00:02:44,000 --> 00:02:45,000
Chris Boots (42:18.252)

260
00:02:44,000 --> 00:02:45,000
Lot of the homeowners are now starting to include it as an option. I would take it, you know

261
00:02:45,000 --> 00:02:46,000
Walt Zerbe (42:23.82)

262
00:02:45,000 --> 00:02:46,000
Is it expensive? I don't know if we can't probably talk dollars, relatively, are they affordable?

263
00:02:46,000 --> 00:02:47,000
Chris Boots (42:30.764)

264
00:02:46,000 --> 00:02:47,000
Yeah, I think it's just what they call a rider or whatever to the policy.

265
00:02:47,000 --> 00:02:48,000
Walt Zerbe (42:34.234)

266
00:02:47,000 --> 00:02:48,000
A rider, okay. And then my question, once the gentleman had a breach happen and then, or I don't know if it was a gentleman, but once the person had the breach happen and then sought insurance, is that more expensive because something's happened, then you just better get it right away before an incident happens? I'm thinking like in driving, like let's say I'm a bad driver and I crashed my car a lot and then I decide to get a different insurance, I'm a higher risk, so those rates are gonna be higher. Is that?

267
00:02:48,000 --> 00:02:49,000
Chris Boots (43:02.188)

268
00:02:48,000 --> 00:02:49,000
Well, one thing that the carriers ask now is for any line of insurance, have you had a claim? They wanna know upfront, have you had a claim? And that's gonna make a difference. It's gonna be right away.

269
00:02:49,000 --> 00:02:50,000
Walt Zerbe (43:13.089)

270
00:02:49,000 --> 00:02:50,000
Okay.

271
00:02:50,000 --> 00:02:51,000
Okay. Yeah, my point there was just get it. Don't wait till something happens.

272
00:02:51,000 --> 00:02:52,000
Chris Boots (43:21.164)

273
00:02:51,000 --> 00:02:52,000
Yeah, yeah. And you know, data breaches, you know, there was a manufacturer in Northwest Ohio and he had actually gotten a quote from an insurance carrier for, and his cyber policy was, it was, the quote was $4,500 and he turned it down. Well, six months later, he walks in from lunch and there's two people from the FBI standing in his office. And he said, what can I do for you? And they said, you've had a cyber attack and we are here to fix it.

274
00:02:52,000 --> 00:02:53,000
Walt Zerbe (43:44.045)

275
00:02:52,000 --> 00:02:53,000
What?

276
00:02:53,000 --> 00:02:54,000
Chris Boots (43:50.7)

277
00:02:53,000 --> 00:02:54,000
and you need to know this." And he's like, well, I have had no response whatsoever of having a cyber attack. He says, well, the IRS notified us, and that's why we are here. And so what happened was is that within the spring of the year, his employees start, because he's like, I don't take credit card information. I don't keep personal identifiable information. And they said, well, your employees have filed their taxes, and their taxes are being rejected because it's a second file on their social security number.

278
00:02:54,000 --> 00:02:55,000
and it's all of your employees that are experiencing this. ended up costing, his employees sued him, ended up costing him $225,000 to fix this mess when he could have bought a $4,500 cyber policy. So it's incredible. Yeah, it really is. And the other part of data breach though is what, you know, the first step when you have a data breach is you have to have a forensic review.

279
00:02:55,000 --> 00:02:56,000
Walt Zerbe (44:36.792)

280
00:02:55,000 --> 00:02:56,000
Wow.

281
00:02:56,000 --> 00:02:57,000
Chris Boots (44:48.054)

282
00:02:56,000 --> 00:02:57,000
Well, right off the bat, that's $50,000. that's for, that's nobody fixing it. They're looking at it. And so what there are after the review, then there's a law review and the law review comes in and they say, well, you have, you have contacts in this state and that state and this state and that state. And so every, every state has different laws and how these people and the timeframe that they have to be notified. And so,

283
00:02:57,000 --> 00:02:58,000
Walt Zerbe (44:50.723)

284
00:02:57,000 --> 00:02:58,000
Whoa.

285
00:02:58,000 --> 00:02:59,000
Chris Boots (45:17.42)

286
00:02:58,000 --> 00:02:59,000
That's where the expense for notification comes next, you know, after in the steps of rectifying or mitigating the breach. So these guys, they're like, I have no idea that it's gonna cost this much money to do it. And you know, ransomware, $850,000 is the average ransomware. yeah.

287
00:02:59,000 --> 00:03:00,000
Walt Zerbe (45:37.316)

288
00:02:59,000 --> 00:03:00,000
Wow. Is this stuff retroactive? Like, let's say you installed something 15, 20 years ago. Could somebody and something and they get a breach, could they come after you now?

289
00:03:00,000 --> 00:03:01,000
Chris Boots (45:49.26)

290
00:03:00,000 --> 00:03:01,000
Most of the good companies will have a prior acts. So when you're out there looking at a cyber, ask your agent, it doesn't cover your prior acts. Most of them, the better ones do. Some of the new ones out there don't.

291
00:03:01,000 --> 00:03:02,000
Walt Zerbe (46:05.284)

292
00:03:01,000 --> 00:03:02,000
So my point is if you don't have cybersecurity and insurance and somebody had a breach, a job they did 20 years ago, they could still be liable.

293
00:03:02,000 --> 00:03:03,000
Chris Boots (46:14.868)

294
00:03:02,000 --> 00:03:03,000
Yep, had one. They had bought it later. They installed the water bugs. It was just the water bugs. He goes, install the water bug. The water bug didn't work. I was a programming error. I, you know, the house, was in Vail and the house flooded, you know, and the bugs didn't go off. But he had installed them years ago, but it did pick them up. So, but yeah, you have to have prior acts coverage. So.

295
00:03:03,000 --> 00:03:04,000
Walt Zerbe (46:16.974)

296
00:03:03,000 --> 00:03:04,000
Wow.

297
00:03:04,000 --> 00:03:05,000
Walt Zerbe (46:20.953)

298
00:03:04,000 --> 00:03:05,000
Yeah.

299
00:03:05,000 --> 00:03:06,000
Yeah.

300
00:03:06,000 --> 00:03:07,000
Walt Zerbe (46:43.854)

301
00:03:06,000 --> 00:03:07,000
Well, Michael and Chris, I want to thank you for scaring the bejesus out of me and everybody else.

302
00:03:07,000 --> 00:03:08,000
Chris Boots (46:46.859)

303
00:03:07,000 --> 00:03:08,000
Hahaha

304
00:03:08,000 --> 00:03:09,000
Also, you guys that are installing in conference rooms and businesses expect to be required to have cyber. Most of the larger cities, New York, LA, and typically they want five million. Hey, if you're going to put a flat screen or a projector in our conference room, we need cyber.

305
00:03:09,000 --> 00:03:10,000
Walt Zerbe (47:11.288)

306
00:03:09,000 --> 00:03:10,000
or even if you're not required, you better darn well have it. It's just a giant risk you're taking. Yeah.

307
00:03:10,000 --> 00:03:11,000
Chris Boots (47:13.824)

308
00:03:10,000 --> 00:03:11,000
Yeah, even yeah.

309
00:03:11,000 --> 00:03:12,000
Darren (47:16.866)

310
00:03:11,000 --> 00:03:12,000
Best best practice.

311
00:03:12,000 --> 00:03:13,000
Chris Boots (47:18.666)

312
00:03:12,000 --> 00:03:13,000
Yep. And we're here if anybody has questions. It's a member of benefits. So we try to just offer our advice and give you good advice.

313
00:03:13,000 --> 00:03:14,000
Walt Zerbe (47:27.32)

314
00:03:13,000 --> 00:03:14,000
Are there any checklists that you guys provide or anything, Callum or Chris or Darren, so someone can go through to make sure, right, I checked to change passwords on things, I checked this, I checked that.

315
00:03:14,000 --> 00:03:15,000
Chris Boots (47:41.196)

316
00:03:14,000 --> 00:03:15,000
So you'll let you know when we, the coverages we have, the insurance carriers we use, they will do a scan of you. And maybe Callum knows a little more about that, but they go into it. They'll give you a grade and then they'll give you a suggestion. Hey, do this, this and this. So that's another thing nice about having cyber insurance. The carriers don't want to pay, they're paying out a lot. They want to make sure you're doing all the things and it's constant

317
00:03:15,000 --> 00:03:16,000
Walt Zerbe (48:10.554)

318
00:03:15,000 --> 00:03:16,000
Yeah, low risk. Do you regularly get audited?

319
00:03:16,000 --> 00:03:17,000
Chris Boots (48:10.988)

320
00:03:16,000 --> 00:03:17,000
It all constant. Every day I'll get a, I didn't realize until a few years ago. I'll get an email. Hey, your client may have a possible breach. They're not doing this. We tried to get in, we got in. So they said, hey, notify them. Hey, have their tech person check this out. Mm-hmm. So we'll get

321
00:03:17,000 --> 00:03:18,000
Walt Zerbe (48:18.092)

322
00:03:17,000 --> 00:03:18,000
okay.

323
00:03:18,000 --> 00:03:19,000
Chris Boots (48:37.708)

324
00:03:18,000 --> 00:03:19,000
I used to get maybe one or two a year. Now I'm getting 10 to 15 a year on the cyber policies we have.

325
00:03:19,000 --> 00:03:20,000
Walt Zerbe (48:42.81)

326
00:03:19,000 --> 00:03:20,000
We could have an independent podcast on this. This is pretty deep.

327
00:03:20,000 --> 00:03:21,000
Chris Boots (48:45.526)

328
00:03:20,000 --> 00:03:21,000
Yeah, there's some, and we can have any time you want to have our underwriter involved in it too. We can talk about it.

329
00:03:21,000 --> 00:03:22,000
Walt Zerbe (48:52.098)

330
00:03:21,000 --> 00:03:22,000
All right. Well, we're just at the end of the cast. Darren, Callum, do any of you guys want to add anything to this discussion? Yes.

331
00:03:22,000 --> 00:03:23,000
Callum Wilson (49:02.392)

332
00:03:22,000 --> 00:03:23,000
Yeah, I think if you're an installer and you have high net worth clients,

333
00:03:23,000 --> 00:03:24,000
where you have network or internet connected products that you've sold them potentially up to more than five years ago, try and revisit them and update the core hub of those products to modern products. There's been, I would say over the last five years, a lot of the large manufacturers that sell to Cedia installers have upgraded the performance and the security of their products vastly in the last 12 to 24 months. Anything before that,

334
00:03:24,000 --> 00:03:25,000
just treat with caution. I mean, it's not you necessarily have to go and rip it all out and put something new in, but think about is there a firewall around it or it. Maybe as an installer, to prevent truck rolls, you've got a VPN connected to your clients. Think about yourself, is your office safe? Because if you have 50 clients and you've got VPNs to all of these clients and particularly you could be the target at which they could then target your 50 high net worth clients, so I would say that it's

335
00:03:25,000 --> 00:03:26,000
Walt Zerbe (49:47.556)

336
00:03:25,000 --> 00:03:26,000
Yeah.

337
00:03:26,000 --> 00:03:27,000
Callum Wilson (50:08.356)

338
00:03:26,000 --> 00:03:27,000
It's up to installers to try and use it as a positive way to re-engage with clients to update the technology, get later things and look for those compliance certificates. Look for the voluntary logos and so on for the manufacture of the products, especially hub equipment. Equipment connects lots of things together. I think it's really important and it's a great way to get new sales as well and re-engage with your clients.

339
00:03:27,000 --> 00:03:28,000
Chris Boots (50:29.217)

340
00:03:27,000 --> 00:03:28,000
Hmm.

341
00:03:28,000 --> 00:03:29,000
Walt Zerbe (50:36.12)

342
00:03:28,000 --> 00:03:29,000
percent agree. Darren, any last thoughts?

343
00:03:29,000 --> 00:03:30,000
Darren (50:38.646)

344
00:03:29,000 --> 00:03:30,000
Yeah, last thought here, we opened up by saying, you know, in the US, October is cybersecurity month. But I think from this podcast, you can say, you know, globally, and in the US, we need to not only take it seriously in October, but take steps daily to, to ensure our cybersecurity for our businesses and for our clients and just continue to educate yourself and take steps to protect your the technologies that you're that we're all installing and providing for our customers.

345
00:03:30,000 --> 00:03:31,000
Walt Zerbe (51:08.954)

346
00:03:30,000 --> 00:03:31,000
100% this is should be front and center top of mind and absolutely mandatory to get knowledge on right now if you don't have the knowledge. So all right, I want to thank you all very much for doing the podcast with me and giving me some of your valuable precious time.

347
00:03:31,000 --> 00:03:32,000
Chris Boots (51:27.456)

348
00:03:31,000 --> 00:03:32,000
Thank you so much. Thank you.

349
00:03:32,000 --> 00:03:33,000
Darren (51:27.896)

350
00:03:32,000 --> 00:03:33,000
Thank you.

351
00:03:33,000 --> 00:03:34,000
Callum Wilson (51:29.028)

352
00:03:33,000 --> 00:03:34,000
Thank much.

353
00:03:34,000 --> 00:03:35,000
Walt Zerbe (51:29.834)

354
00:03:34,000 --> 00:03:35,000
Absolutely. And I hope everyone listening is going to do something. If you don't have cyber security insurance or you don't know about the initiatives that are happening in the United States or in the EU, UK, all areas of the world, you better get up to speed on it. Knowing the marks that you need to have. You can differentiate your business by making sure you sell products that meet these new standards as they're coming out. And this is just beginning.

355
00:03:35,000 --> 00:03:36,000
I'm sure there's going to be a lot more stuff and even mandatory stuff as we navigate this and the deep fakes and everything. I don't know. The AI I think is going to take this to another level of being able to break into things and do combinations of things. So this is something you need to have protection against and need to be very educated on as an integrator and a manufacturer because we do have manufacture.

356
00:03:36,000 --> 00:05:00,000
listeners and distributors distributing products that meet these things. So thanks again everybody for being on the cast. I learned a ton. I've got like 10 I don't know, maybe 50 more questions in my brain. So maybe we'll do a follow up on this to maybe dig a little deeper into some things. But thank you so much. Appreciate all the information. I hope you all enjoyed the cast. And as always, I will ask you to please keep an open mind.