In this episode of Fast Break, Matt Cranney sits down with M3’s Cyber Liability team—Matt Thomson, Megan Peyton, and Alex Friedl—to discuss how the threat landscape has evolved and what every organization can do today to stay ahead.

From AI-driven scams and deepfakes to supply chain breaches and class action lawsuits, the conversation covers what’s really at stake for businesses of all sizes—and the practical steps you can take to protect your people, clients, and reputation.

Whether you lead a small business, manage risk for a large organization, or simply want to better protect your data, this episode will help you turn cybersecurity awareness into everyday action.

Tune in to strengthen your defenses and your peace of mind.

Matt Cranney

Welcome to Fast Break. I’m Matt Cranney, and today’s topic is one that’s no longer just an IT concern. It’s a business imperative: cybersecurity. The average cost of a data breach globally was 4.45 million according to IBM’s 2023 report; 43% of cyber-attacks targeted small and mid-sized businesses, as reported by Verizon; and only 14% of small to medium-sized businesses were considered adequately prepared to defend against cyber threats, based on a 2023 survey by Accenture and the Ponemon Institute.

Cyber threats are growing in frequency, sophistication and impact. So how do you protect your organization, your clients and your reputation? To help us answer that, I’m joined by three experts from M3’s cyber liability team: Matt Thomson, Alex Friedl, and Megan Peyton. Welcome to Fast Break.

00:55 Matt Cranney

Well, let’s just jump right in to start us off. I’m hoping all of you can share a bit about your background and what you do in the field of cybersecurity.

01:04 Matt Thomson

Sure. So, Matt Thomson, I’m the Director of Cyber Liability here at M3. Prior to working within the cyber insurance realm here at M3, I spent a little over 15-16 years as a cyber professional, so I’ve got a background in the Air Force, where I ran the cyber network security for all the Air Force bases in Europe. Spent some time on one of the red teams, so got to legally hack into U.S. government systems, which was pretty cool. And then after I got out of the Air Force, ran a couple of cyber programs, got to, you know, manage that from an incident response planning and tabletop exercises. Seeing what our cyber professionals are doing on a day-to-day basis, it allows me to really interact with our clients in a slightly different manner.

02:00 Matt Cranney

Megan, what about you?

02:01 Megan Peyton

I started at M3 about 7 years ago as an intern and I worked in our Senior Living and Social Service Department for a few years, and then about four years ago our cyber team kind of was born. I had an interest in cyber. I was working with our senior living team to place it, but I found that line of coverage to be extremely interesting. So I moved towards becoming an expert in the cyber space. I partner with our client executives at M3 and I help explain the cyber risk and place the policies.

02:32 Matt Cranney

Awesome. Well, we’re glad to have you today. Alex, what about you? Bring us home on this one.

02:36 Alex Friedl

I’ve been with M3 for eight years, seven of which I’ve specialized in cyber liability, and worked on a large credit union program that we have here, and then we built up the cyber team. I was asked to join that, and right now my role is multifaceted. I help place cyber policies for our clients, I help with the risk management side doing some more proactive services, and also help on the incident response claim side. It’s always hard when you get those calls, but it’s a very important service that we provide to our clients.

03:11 Matt Cranney

It’s funny, team, as I’m listening to all of your backgrounds: when I started at our firm 21 years ago, cyber liability did not exist as we understand it today. I think the best you could get was a line of coverage on the package called valuable papers, that maybe covered your computers. It’s just crazy to think about how quickly, how fast, both the risk has developed, but also the insurance solution and associated industries around it.

So let’s keep it going there, and Matt, I’m going to come to you with this question: what are the most pressing cyber threats businesses of all sizes are facing right now?

03:53 Matt Thomson

That’s always a great question. When we look at the claims and just the coverages from within a cyber insurance policy that we see either most often come in as a claim or where we put the most emphasis on when we’re talking with our clients, social engineering is the most common claim that we see, so whether that’s getting duped by a phishing e-mail or a phone call, as that’s becoming more prevalent. And I think you can never talk too much about AI nowadays and how AI may continue to evolve the capabilities, both in detection of social engineering but also in enabling social engineering.

The other big one that we hear about a lot is ransomware and the impact that has on a business. Whether it’s taking down their systems, the actual ransom payment, the fact that threat actors are stealing that, potentially PII, personal health information, financial data, all of that kind of stuff.

And then finally, as we’re in a very cloud-enabled world, businesses are not housing the large data centers that they had in the past and they’re instead outsourcing some aspects of that by using these third-party vendors in a software-as-a-service model. So those third-party vendors have always had a risk in our organizations, but when we’re contracting with them to run the systems and we’re just buying access to the system, that is kind of a continuously evolving risk in how do you manage when you’re not physically securing or owning the systems yourself?

05:39 Matt Cranney

Fast-moving industry, fast-moving bad actors, fast-moving insurance products. Everything feels like it’s fast moving. So how are those threats evolving? Are we seeing more sophistication, or is it just more volume and therefore we’re hearing about it more?

05:55 Alex Friedl

We’re definitely seeing more sophistication and Matt already mentioned a couple of these, but we can’t have this conversation and not talk about AI.

There’s been a lot of talk about generative AI and deep fakes, and so using publicly available voice files, video files and creating simulated images or audio of people and then using that to trick a victim.

And also we’re seeing threat actors get smart and begin attacking firms in the digital supply chain, and that having downstream effects to many, many firms.

06:35 Matt Cranney

Maybe there are people listening today that still feel like when we talk about cyber breaches or, you know, these kind of things, they’re thinking about the e-mail from the Egyptian Prince asking for $1,000,000. And when you share examples like so, we moved on to a video call. He was seeing deep fakes from their leadership team. That’s sophistication, that’s evolution. And so I’m so glad that we’re talking about this today. Please keep going, yeah.

07:07 Alex Friedl

Yeah. No, I mean the, yeah, the phishing e-mail with all the grammatical errors is a thing of the past when you can put a prompt into ChatGPT and get a beautifully worded, targeted phishing e-mail.

A big threat for our clients right now is actually litigation. And that’s anytime you have a data breach and need to send out notifications, notification letters advising that people’s personally identifiable information, their PII, was accessed.

We’re at the point where we’re basically expecting to get a class action lawsuit in the mail, and that’s actually what’s really driving the claim severity now. It’s not the ransom payments themselves in a ransomware attack, but it’s the litigation that results from the attack, and so that’s something that we’re really thinking about: what can our clients do to mitigate that risk?

07:57 Matt Cranney

Megan, I want to come to you next. Obviously, we talked about evolution and sophistication. We’ve talked about the pressing threats, but maybe not all industries are affected equally. I’m curious, you know, what industries are you seeing being most vulnerable right now? And is there anything, you know, in that data that would surprise our audience?

08:20 Megan Peyton

Yeah, that’s a really good question. And I think you kind of hit it on the head. No industry classes are necessarily like not vulnerable at all like there’s nobody that’s completely immune from an attack.

So starting off, you know, with that caveat, the industry classes that we do see a little bit more vulnerable, this may not be necessarily a surprise, but any sort of industry that houses or contains a lot of sensitive information. Think healthcare, hospitals; those have a lot of PHI or that, you know, health information that you don’t necessarily want released.

And the same thing, you know, you’ve got your financial services. They have a lot of banking information, information that you don’t want out. I’d say that those are the more vulnerable industries.

One that kind of came as a surprise to me was the manufacturing industry. And I think that bad actors have kind of gotten more sophisticated in that they’re no longer attacking that end user. Rather, they’re targeting kind of that core thing, or the higher up the supply chain you go, the more impact you’re going to have on everyone down the line. So if you attack that core industry or that core manufacturing account, that’s not only going to disrupt that specific client, but it’s also going to disrupt dozens around it.

09:34 Matt Cranney

That’s great. Thank you for sharing it. And again, I think the message that we would all probably echo here is if you’re in business and actually if you’re just an individual, there is some risk.

And so how you pay attention to that, we think about it. You know, we talk a lot here about enterprise risk management and thinking holistically around how a business protects itself. It used to be the majority of that was around theft, if you’re a retailer, but now I would say if you’re in business of any size in any industry, if cyber liability issues are not in your top two or three things that you’re thinking about how to address, you probably need to be.

Matt, let’s talk about impact. What impact does a cyber breach actually cost the business? Maybe not just financially, but also reputationally.

10:27 Matt Thomson

Yeah, that’s a great question. And 2nd and 3rd order effects are big and may not be quite understood until they happen. It’s pretty understood that you’re going to have to pay lawyers. You maybe have to pay forensics. Maybe even ultimately pay a ransom payment in the ransomware situation, but things that aren’t thought about, you know, the impact to your own employees.

HR probably has a lot of your own employees’ personal information. What trust do you lose from your own employees if you have something like that happen? Or, God forbid, the attack happens two days before payday and you expect to be down for four or five days. People aren’t getting a paycheck. What impact is that going to have on their lives? That impact just internally to your employees, that is not always considered. You know, it’s not just an IT problem, it is a business problem.

And then you think about the business relationships, business partnerships that you have. You lose that trust. Could you lose customers or vendors? You know, we’re talking supply chain here, anything like that, and you’re in a lot of business-to-business relationships. If you’re not the only player in the game, the other businesses do have choices, you know, depending on how long you’re down or how much of an impact your outage had. And it’s not just business to business. We’ve seen business to consumer, where, you know, here in Wisconsin, I hate to call them out, but you had Cellcom happen earlier in 2025. People couldn’t make calls and receive text messages for days, and once they were back up, I haven’t seen any numbers to say what their client retention is, but it can be imagined that there’s other choices out there in the market. So how many people moved because of that?

12:25 Matt Cranney

Essentially, your call in that is for our audience to think holistically around, first of all, the types of risk, reputational, financial, and then to really play that through in terms of... so let’s go deeper on the financial piece.

Alex, let’s keep going with you on this one. I want to build, like, one of the things we talk about all the time on Fast Break is we want to be really practical. And so I’m wondering if you can share a real-world example of a breach and how that played out for the customer.

12:58 Alex Friedl

Oftentimes, when people think cyber, they think ransomware, and we certainly see those. But in terms of frequency, we see a lot more business e-mail compromise incidents. This is one where, pretty typical, the victim received an e-mail in their inbox. It looked like it was from Microsoft, it had a link, and then the user clicked the link, it took them to a website that asked for their username and password, and they gave up their credentials, and then the threat actor had access to their e-mail inbox.

Unfortunately, for this particular organization, this e-mail inbox had a spreadsheet that had the PII of 75,000 individuals. So, pretty typical, we get on a call with a privacy attorney and a forensics firm.

It’s ultimately determined that this firm needs to send out 75,000 letters for each of these individuals that had their information accessed. And of course, this carries a cost. There’s legal fees, there’s forensics costs, and then ultimately, as we see all too often these days, our client received a class action lawsuit in relation to these incidents, and so there’s a long tail as the litigation is ongoing and it can take years. And so there’s often a sort of a quick upfront initial response involving breach response experts coordinated through the cyber policy, and then a long, expensive tail as it works through the courts and the litigation plays out.

14:35 Matt Cranney

Alex, want to kind of build on that a little, but I’m curious, in the event of, you know, let’s say you’re listening to this and you’re either a small business with a few employees and somebody runs into your office and says, oh gosh, I just put my username and password in, I shouldn’t have, or you’re, you know, working in IT or HR at a large organization and you get notified that, you know, systems are down or there has been a breach. What would you say are the critical things that you would advise somebody to do in that immediate moment where something is wrong?

15:13 Alex Friedl

As I heard one of my colleagues say, a breach is like a fire. So the quicker you can respond, the better the outcome. I think really you need to think about what is going to be your first call. If you determine that it’s a severe incident, you need experts. Do you know who to contact? And often it’s contacting us, the broker, or it’s contacting the insurance company, and then they’ll set up a call with the breach response experts, and then they can immediately mitigate the breach. And so I think it’s really knowing how to get in touch with those experts.

And I will say just another thing. Oftentimes in a data privacy incident like business e-mail compromise or ransomware, law enforcement should not be the first call, simply because it’s not legally necessary; there’s other priorities. But if you’re dealing with a funds transfer loss, your first call would actually be the Secret Service. People think of them in terms of their role protecting the President, but really they have a large mandate, and that includes financial fraud, and they are best equipped to freeze funds and stop funds transfers.

So if it’s a funds transfer loss, which is a very common type of incident that we see, then they should actually be your first call, but otherwise it’s your insurance company so that you can get those breach response experts on the line.

16:44 Matt Thomson

Just to echo Alex’s point, you know, if you have a fire, you know you’re calling the fire department. In a cyber situation, who is your fire department? And besides the value, you know, the financial value that you get back from our cyber insurance policy, the other piece is access to those legal and digital forensics and, you know, down the line, if you have to make notifications or public relations, those experts are already pre-vetted, pre-negotiated rates, all of that, and at the ready to respond to anybody who has a cyber incident.

17:20 Matt Cranney

I think, Alex, as you talked about, we see that our first point of contact would be our insurance broker, and so all of you play roles which decide the liability. So Megan, I’m curious if you can speak to what role cyber liability plays in mitigating those risks. Obviously, it’s not the only piece of the holistic prevention protection suite that we need, but we would advocate that it’s an important piece. And so wondering if you can talk a little bit about that.

17:47 Megan Peyton

Cyber insurance is kind of twofold. You’ve got the prevention side and then you kind of have the remediation side. What I mean by that, the prevention side in order to purchase the cyber insurance policy, you need to fill out an application and this application is going to ask you things like what controls you have in place. Do you have MFA? Do you have EDR? Are your backups secured? Things like that. So that’s kind of that prevention side of it, so you want to make sure that you know who to call in those instances, you have all the controls in place. You’ve got that kind of preventative side of cyber.

And on the flip side, you’ve got the remediation. So Matt hit it right on the head. I think one of the biggest things, obviously outside of the financial component, you know, you’re transferring the risk of your finance goes from your balance sheet to the cyber insurance policy. But I think one of the biggest keys to purchasing a cyber policy is getting access to those professionals. You know, it gets extremely expensive and the fees add up very quickly, and getting these people involved can be a daunting task.

By purchasing the cyber insurance policy, like Matt said, they’re already vetted out. You’ve got the professionals already in mind and you know who to access. So I think that’s one of the biggest ways to mitigate your risk: you know, purchasing the cyber insurance policy. Not only on the remediation side, the prevention side, it kind of all leads together.

19:05 Matt Cranney

With the amount of premium that is in the cyber market now buying this coverage, gosh, when it started 10-15 years ago, maybe it was local people, couple clients out of 10 that might purchase it. Now I think it’s almost everybody. It should be everybody. And so if you’re listening to this and you don’t, please reach out, we’d be happy to help you with that.

What are the things that every business should be doing today, today, today to strengthen their cybersecurity posture? And I know we may have indirectly referenced some things, but, you know, if I’m listening to this and I’ve kind of, you know, been really following along, but now I want to get my pen and paper out and I want to write down, yeah, listen, this is what I’m going to do differently because I spent the time in all of your company today, what should that be? Matt, I’ll come to you first.

19:56 Matt Thomson

Incident response planning and testing. As Alex said before, having an idea of, if I need to contact the Secret Service to stop the payment, don’t wait until that happens. Look up, OK, which office do I need to contact of the Secret Service? What’s their number? You know, have that all vetted out ahead of time.

And your IR plan does not have to be a 30-page, you know, fully formalized policy procedure guide. Start somewhere. Get down those critical internal and, well, maybe your top three to five systems, the key vendors related to those. If you get that together, you’re better than many organizations out there in your preparedness. And then bring somebody in to test you on it, bring in a hypothetical. You know, as kids, we go through fire drills and tornado drills, so that if and when the unfortunate event happens, you’re not trying to figure things out for the first time.

20:59 Matt Cranney

And Matt, before, I should have called it out, you mentioned, and maybe Alex did too, a tabletop exercise. Can you explain for our audience what that is? I think you’re describing it, but I want to make sure we call it out.

21:09 Matt Thomson

Yeah, it’s basically, I like to call it the cyber fire drill. We or another, you know, consulting organization comes in with a hypothetical cyber situation and we walk you through. These are the questions that are going to be thrown at you, or these are maybe a few wild cards that you didn’t expect. Maybe your head of IT blew out their knee and is under the knife when something happens. How are you going to work through that with them unavailable? Having that, you know, documented, again, even if it’s a basic plan, let’s run through it.

21:42 Matt Cranney

Yeah, love that. Megan, what about you? Anything that you would add to that?

21:46 Megan Peyton

This might be low-hanging fruit, and I know it’s a term that’s been thrown around a lot. But really, ensuring that you have multi-factor authentication, or MFA, implemented everywhere, especially focusing on that phishing-resistant MFA. It’s one of those pieces that’s kind of your first line of defense from an intruder. That’s, you know, the dual authentication piece is the idea of you have your username and password, could be authentication 1, and then potentially a push notification via Duo or another application, but it really does help secure the entrances into your network.

Like I said, might be low hanging fruit and it seems like everyone’s got it in place nowadays, but if not that, that’s definitely the one place I would start.

22:28 Matt Cranney

I think that’s a great call to action, Megan. And you know, I can speak to, I remember at M3, 20 years ago when we rolled out the change that we were going to make somebody update their password every 90 days. We faced a lot of pushback on that because people like, oh, I like my password. Why am I doing that?

The good news now is that these kind of things, there’s enough in the press, in our world, that I think our employees want to be protected. Because they don’t want to put their businesses and they don’t want to be the ones that click that link. The more that we can do to protect them from themselves because, as Alex and all of you talked about before, the sophistication is higher, so I see that as a great tool, almost like an employee benefit actually for employees.

So I love that call out. Alex, maybe you can bring us home on this. What about you, anything you’d recommend that people should be doing today?

23:20 Alex Friedl

A really important control, especially with regards to ransomware, is your backup procedure. If you have a ransomware incident and all your files are encrypted, and then your backups are encrypted as well, and you have nothing to restore from, then that’s where making a ransom payment becomes much more likely.

If you can regularly and effectively back up your data, secure those backups so that they are safe from threat actors, that will do wonders if you have the misfortune of going through a ransomware or cyber extortion incident.

24:01 Matt Cranney

I know in a very brief conversation like this, we kind of cover everything and we can’t get into all the depths and the 19 levels of ninja stuff that you all do on a day-to-day basis. But I think the call to action for our audience today is really, be thoughtful. Be holistic. Know that the threats are ever evolving and ever changing. And so I think if anybody’s listening to this and takes some of your advice to heart, that will be time well spent in listening.

So thank you for joining us today for that. So it’s now time for our fastest set of questions. Megan, I’m going to start with you: favorite book you’ve read in the last 12 months?

24:43 Megan Peyton

In an Instant by Suzanne Redfearn.

24:45 Matt Cranney

Alex, what about you?

24:46 Alex Friedl

It’s called Kaput. It’s a great, great title. It’s about why the German economy is struggling right now.

24:52 Matt Cranney

Matt, what about you?

24:54 Matt Thomson

It’s a two-book series from A.G. Riddle called Pandemic and Genome.

24:59 Matt Cranney

OK, we got a wide range of interests on this team and I love it. We should do a book club. Complete the sentence for you: leadership is... Matt, I’ll come to you first.

25:08 Matt Thomson

Having just started my Notre Dame executive MBA, I have to go with tender, strong and true.

25:13 Matt Cranney

I like it. Alex, about you, it’s about.

25:17 Alex Friedl

It’s about caring and advocating for the people that report to you.

25:20 Matt Cranney

Megan.

25:21 Megan Peyton

I think it’s consistency. It’s showing up for your team constantly and leading by example of it.

25:26 Matt Cranney

OK. The most impactful piece of professional advice that you’ve ever received, Alex, I’ll have you go first.

25:33 Alex Friedl

Anything you put in writing is permanent, and I love that this advice is timeless, as it came up in a book I was reading about Abraham Lincoln, where he’d write letters to people and then put them in his desk and never send them.

25:44 Matt Cranney

Just like we talked today, it was as relevant back then. I love it. Megan, what about you?

25:50 Megan Peyton

Lead how you’d want to be led.

25:53 Matt Cranney

Matt.

25:54 Matt Thomson

Take the leap.

25:54 Matt Cranney

Love it. Your favorite podcast, aside from Fast Break obviously, that you would recommend to our audience, Megan?

26:02 Megan Peyton

Fast Break was mine, but I guess a close second would be “Good Hang with Amy Poehler.”

26:06 Matt Cranney

I love that one. We’ll take Fast Break as well, but Good Hang is really good. Alex, what about you?

26:12 Alex Friedl

I’m enjoying Steve Eisman’s investing podcast.

26:18 Matt Thomson

Recently I’ve just been listening to a fair amount of Simon Sinek, I don’t even remember the name of his podcast, but a lot of just Simon Sinek.

26:27 Matt Cranney

Matt, I’m a big Simon Sinek fan; that I can help you out. That’s A Bit of Optimism. Megan, the can’t-live-without-it app on your phone?

26:34 Megan Peyton

Spotify.

26:35 Matt Cranney

Love it, Alex.

26:36 Alex Friedl

For me it’s the stocks app.

26:36 Matt Cranney

Matt.

26:39 Matt Thomson

Email.

26:40 Matt Cranney

Yeah, yeah, we get a lot of emails, maps, all of those kind of things. So last thing you did that truly scared you, Matt.

26:47 Matt Thomson

Taking a leap to start my executive MBA.

26:50 Matt Cranney

Very cool, Alex.

26:52 Alex Friedl

I jumped off a very large rock into water. And so that was a little scary.

26:58 Matt Cranney

Megan.

27:00 Megan Peyton

I ran my very first marathon.

27:02 Matt Cranney

Awesome. Wow, look at you guys being really brave. Love it. OK, last question for today: if you were to give a TED talk, what would be its title, Megan?

27:11 Megan Peyton

Making an impact as an introvert.

27:13 Matt Cranney

Alex.

27:13 Alex Friedl

How to get rich slowly but surely.

27:17 Matt Cranney

It goes back to the investing strategy. Matt?

27:20 Matt Thomson

I would say something to the order of just when you thought you knew everything of it.

27:26 Matt Cranney

OK. Team, thank you so much for being with us today on Fast Break. Before we close, if we have people in our audience who have listened today and would love to connect with M3, I’m hoping you can share with our audience where they can find out more about the best way to do that. Matt, maybe you can share that for the team.

27:47 Matt Thomson

For sure, going to the M3ins.com website, or look Alex, Megan and/or myself up on LinkedIn, engage with us there. Or if you’re already an M3 client, talk to your client executive.

28:01 Matt Cranney

Matt, Alex, Megan, thank you so much for joining us today and sharing your insights around all things cybersecurity. We really appreciate it.

This has been Fast Break, brought to you by M3 Elevate. I’m Matt Cranney, thank you for joining me. Do you want more tips to grow and protect your business? Subscribe now and catch all of our episodes, and we’ll see you next time.

Second- and third-order effects are big and may not be understood until they happen. It’s pretty understood that you’re going to have to pay lawyers, maybe forensics, maybe even a ransom in a ransomware situation. But what’s often not thought about is the impact on your own employees. What trust do you lose from them if something like that happens? That internal impact on employees isn’t always considered. It’s not just an IT problem, it’s a business problem.

— Matt Thomson
Director of Cyber Liability | M3 Insurance


Fast Break is hosted by Matt Cranney, Executive Vice President of M3 Elevate.
