ITSPmagazine Podcasts

First of its Kind Cyber Insurance Product Exclusively Available to HITRUST-Certified Customers | A Brand Story Conversation From HITRUST Collaborate 2024 | A HITRUST Story with Blake Sutherland and Robert Booker

Episode Summary

Discover how HITRUST's R2 certification is revolutionizing cyber insurance by providing a quantifiable measure of cybersecurity maturity, easing the insurance acquisition process, and potentially lowering premiums. Join Sean Martin as he speaks with Robert Booker and Blake Sutherland to explore this groundbreaking approach and its benefits for organizations and underwriters alike.

Episode Notes

In this Brand Story episode, Sean Martin brings together the team from HITRUST, Robert Booker and Blake Sutherland, to discuss the topic of cyber insurance and its current state in the industry. Both guests bring a wealth of experience and insight, with Robert Booker overseeing strategy, research, and innovation at HITRUST, and Blake Sutherland serving as the EVP of Market Engagement.

A significant portion of the discussion centers around the role of cyber insurance in today's business environment. Cyber insurance is not just a safety net but a critical aspect of a complete risk management strategy. As Robert Booker points out, it’s an essential service, historically used to cover residual risk after companies have applied their own security measures. However, the market has changed considerably, with new capabilities and approaches evolving over the past several years, making it a dynamic area.

Blake Sutherland further elaborates on the issues that organizations face in acquiring cyber insurance today. The process is often cumbersome, involving extensive questionnaires and varied requirements from different underwriters. This can be particularly challenging for mid-market companies that may lack the internal resources to manage these complexities.

The episode highlights that HITRUST is addressing these challenges with their R2 certification, which provides an objective, quantifiable measure of an organization’s cybersecurity posture. This certification helps companies not only in fortifying their own security but also in streamlining the insurance acquisition process by offering a standardized measure that underwriters can rely on. According to Robert Booker, this quantified approach can make a significant difference, offering confidence to both the insured and the insurer.

Another important aspect discussed is the role of brokerage in this process. Brokers traditionally guide companies through the insurance process, and an R2 certification from HITRUST can greatly assist them in securing better terms and conditions, as it is recognized as a testament to a company's robust security posture. This can also translate into potentially lower premiums and more reliable coverage, addressing one of the largest pain points in securing cyber insurance.

The HITRUST Shared Risk Facility is made available exclusively through licensed brokers and can be accessed by any company holding an R2 certification, with plans to extend to I1 and E1 levels in the future. This facility aims to simplify the process, reduce the administrative burden on companies, and provide greater reliability in the insurance coverage.

The episode wraps up with an invitation for organizations, brokers, and underwriters to engage with HITRUST to explore these innovative solutions. It’s a call to improve the overall confidence in the insurance landscape through verified, independent measures of cybersecurity maturity, ultimately benefiting all parties involved in the cyber insurance ecosystem.

Explore how HITRUST’s R2 certification can enhance your organization's cybersecurity posture and streamline your cyber insurance process.

Learn more about HITRUST: https://itspm.ag/itsphitweb

Note: This story contains promotional content. Learn more.

Guests: 

Blake Sutherland, EVP Market Adoption, HITRUST [@HITRUST]

On LinkedIn | https://www.linkedin.com/in/blake-sutherland-38854a/

Robert Booker, Chief Strategy Officer, HITRUST [@HITRUST]

On LinkedIn | https://www.linkedin.com/in/robertbooker/

Resources

HITRUST 2024 Trust Report: https://itspm.ag/hitrusi2it

Learn more and catch more stories from HITRUST: https://www.itspmagazine.com/directory/hitrust

View all of our HITRUST Collaborate 2024 coverage: https://www.itspmagazine.com/hitrust-collaborate-2024-information-risk-management-and-compliance-event-coverage-frisco-texas

Are you interested in telling your story?
https://www.itspmagazine.com/telling-your-story

Episode Transcription

First of its Kind Cyber Insurance Product Exclusively Available to HITRUST-Certified Customers | A Brand Story Conversation From HITRUST Collaborate 2024 | A HITRUST Story with Blake Sutherland and Robert Booker

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

[00:00:00]  
 

Sean Martin: And hello everybody. You're very welcome to a new brand story here on ITSP Magazine. I'm thrilled to have the team from HITRUST back with me to talk to me about some, some new cool stuff that it's not necessarily hot off the press, but there's been a lot of work taking place to, uh, to build this new product around cyber insurance and, uh, Robert Booker and Blake Sutherland. 
 

It's great to have you back on the show. 
 

Blake Sutherland: Thanks for 
 

Robert Booker: Thanks, Sean. Great to be here. 
 

Sean Martin: And, uh, wonderful seeing in person that the, uh, collaborate 2024 events, uh, where there's a lot of conversation on this topic from, uh, partners and customers alike. And, and, uh, I know some folks that I had a chance to talk to also were very intrigued by, uh, what, what the team's pulled together, uh, before we get into the conversation, a few words from each of you about your role at high trust. 
 

And, uh, then we'll get into the new product, Robert, 
 

Robert Booker: Yeah. Hi. Uh, hi everyone. Uh, Robert Ker here. I have, uh, I have strategy, research and [00:01:00] innovation for hitrust. And, uh, before coming over to hitrust, uh, as an employee, I worked for, uh, many years as A-C-I-S-O in the industry and, uh, retired and then unretired and here we are doing all this great work, 
 

Sean Martin: the unretiring 
 

Robert Booker: the Unretiring. 
 

Sean Martin: it's fantastic. Well, I'm glad you're there, Robert. You're doing some amazing things. Um, Blake, 
 

Blake Sutherland: Blake Sutherland, uh, EVP market engagement, which involves customer success, sales, business development, and really trying to formulate some of the ideas that Robert comes up with and bring them to market. 
 

Sean Martin: yeah, and this isn't your first rodeo either. You've done a lot of things in this, in this space. Uh, people can look at your profile and see some of the cool things you've worked on. 
 

Blake Sutherland: True enough. In fact, I started with HITRUST way back when it launched. So I was part of the first CSF launch way back in San Francisco, what, 16 years ago now, Robert? And, uh, in working, working in the industry, uh, In [00:02:00] software security for a long time. 
 

Sean Martin: I love it. All right. So cyber insurance, just those two words might, uh, put pictures in people's minds. They might cringe a little bit. They might, they might cry a little bit. Um, there may be some that, that I don't know, maybe the, the brokers and the, and the insurers might be happy. I don't know. Um, but I, We'll start with you, Robert. 
 

Can you, can you paint the, the picture of the world of cyber insurance as it kind of sits today, maybe, maybe a peek back in the past to kind of give us a view into how we ended up where we are at the moment 
 

Robert Booker: Yeah, I think it's a, it's a great question, Sean, and a good start. You know, it's a, it's an essential service. I mean, uh, insurance has been something we, we use to mitigate all kinds of risk. And those of us that are security leaders have always talked about, you know, manage risk and then potentially insure that. 
 

The balance of residual risk. So it's always been the concept we talk about as a, as a security, [00:03:00] uh, security professionals. And, uh, but it's, it's a little bit, uh, it's a little bit of a space that's been mysterious for many. And, um, and I think it's a space that's changed really dramatically over the last year. 
 

Thank you. Uh, I'll say five to six years. Um, you know, there's a, you know, a series of, you know, new and interesting capabilities that are being looked at in terms of how to think about the risk and what the coverage of cyber insurance could be for companies. But, uh, there's also a lot of companies that have been in the insurance industry for well over a century. 
 

And I truly mean that, I mean, ensuring all kinds of risk for hundreds of years now, and, uh, they're also the big players in this space. So you've got. You've got the companies that are looking at the future and thinking about how to disrupt the market in a positive way, create a better experience for the people that are covered through the underwriting process. 
 

And then you've got people that are sort of looking at it as, you know, this is sort of the questionnaire. Let's ask you a bunch of bunch of things about yourselves and we'll decide how much you're going to pay for cyber insurance in this cycle. And I think Sean, the thing that's really [00:04:00] fascinating about it is it literally is different every time. 
 

So if I look at the policies I purchased, um, six, seven years ago in my tenure with a fortune 10 company, uh, every year, the process looked differently. You know, it was always based on interviews. We, we had some questionnaires eventually, uh, and it always felt quite subjective. So I think, I think anything we can do to, to make it objective is valuable for the industry and for the people that, um, are underwriting these risks. 
 

Blake Sutherland: I know I had a opportunity to host a panel at collaborate on this topic. And one of the things they pointed out is. Cyber insurance among insurance types of insurances is relatively young and part of the problem and why we're seeing different mechanisms and them changing year to year is because there isn't a long history of data and that they're looking to make better decisions. 
 

risk decisions, and they're looking for ways to get that information. 
 

Sean Martin: and my, my experience over the years, and maybe you [00:05:00] can confirm this, uh, from your own, own interactions with folks over the years as well. Is that it, You kind of alluded to it a little bit, Robert, that a lot of organizations would put in policies and controls to help, uh, mitigate some of the risks that they have, and then there's some residual, um, my experiences that a lot of people led with, well, we'll get cyber insurance and whatever they say we need to do, we'll, we'll put those. 
 

Things in place and not really focus on the posture or focus on the getting the policy. Um, is that something you've recognized and is it still true if it has been something you've seen? 
 

Robert Booker: Yeah, I think, um, I think it's less true than the past, Sean, but it has been true in the past. And I think cyber security as a discipline has evolved so dramatically. Even without regard to the insurance side of things. So, uh, the, the capabilities that organizations need to have to defend themselves from the types of threats that are out there in the world [00:06:00] today, you know, change very dramatically and they change on a regular basis based upon new attacks and new vulnerabilities and new exposures. 
 

And so, uh, sometimes the challenge is to know what is good enough and what is necessary to actually do something. You know, manage that risk. And I think, I think, uh, companies, especially mid market companies, uh, often look at their cyber insurance carrier as an expert or a resource that they could lean to or look to, excuse me, the, to help them define the space. 
 

And I think actually, if you talk to the underwriters, Uh, they would, they would probably not want to be characterized that way. I think they would view the space as, um, requiring the leadership the company brings forward to understand their scope of their systems, where their data lies, what kind of information they have at risk, and then to decide what level of management and control is needed to. 
 

you know, manage that risk. And, uh, so I think, uh, I think inherent in the question is just maybe a little bit of a challenge in understanding and [00:07:00] clarifying the role of the underwriter, the broker as part of that process, and then the role of the company that's being insured. And, um, I think my most successful, um, encounters with the insurance industry were Encounters where I had the opportunity to have a relationship with them to talk about the philosophy of our program in my prior life and how we thought about the risk management that we invested in for the company and, uh, I think that kind of engagement provides great respect. 
 

And, you know, that's, that's the kind of thing we're trying to formalize, you know, in a way for, you know, maybe people that don't, uh, have the, the pleasure of, uh, the benefit of working for a very large company, they're working for a, uh, a smaller market company that, uh, still wants to be able to distinguish themselves to the underwriters. 
 

So, you know, I've done the right things the right way in order to manage the risk I have. 
 

Sean Martin: And Blake, um, to you for this one or Robert as well, um, the other thing that I've, that I've seen maybe [00:08:00] shift over time is I think early on that policies were being written as fast as they could. And because. They wanted, they offer the product and, and, uh, and the companies needed the product, right? They needed the insurance. 
 

And actually about 15 years ago, maybe even longer, I pressed some of the, the folks in the industry saying, are there clauses and other things in the, in the policies that give you the, get out of jail free card. So you don't actually have to pay a claim. And they said, no, no, no, we're really, we want to provide a service here that helps our customers get out of the trouble that they're in. 
 

So there aren't any weird things there, but, so I think. Some of that now has shifted to a lot of claims being made and certainly around ransomware and with that perhaps fewer policies and maybe a closer look at posture and things like that. So Blake, some of your thoughts on where we stand in terms of being able to get policies, being able to get good, good terms in those [00:09:00] policies. 
 

Blake Sutherland: Well, certainly with the rise of ransomware and the cost that's imposed on the industry, uh, certainly, uh, it made underwriting insurance, uh, a bigger challenge. Uh, a desire to know, uh, who you're underwriting much better, which has caused some of the things that Robert was alluding to longer and longer. 
 

Questionnaires, uh, different questionnaires every year. These sorts of things. And certainly it's caused frustration among those that are looking to get insured our customers, right? In that, um, rates could vary massively year to year. You might not be able to get the same insurer in a subsequent year. 
 

because of what they've experienced within their risk pool. And of course, certainly customer of ours who feel they're doing the right thing and can demonstrate it, feel they're part of a, uh, sort of a high quality risk pool, meaning one that should perform well. Uh, you know, you can take a look at our trust report. 
 

Um, and so they're gonna have to go through a lot of research and a lot of support to see what we see in terms of, you know, the level of breach for those who are getting [00:10:00] our highest certification. The art too. Um, so they should be a good risk pool. And as a, as a result, they should be rewarded. So, um, yeah, no, definitely seeing that pain in the market. 
 

And, uh, it's, uh, our excitement about bringing this with our partners to market was, you know, they understand, uh, what are risk, uh, management capabilities and maturity that someone who is certified. For high trust have achieved and therefore can make the whole process a lot easier. 
 

Sean Martin: Yeah, with reliability and provability and a bunch of other stuff we'll get into here. So you said this, let's take, let's take this moment to. Define what, what you've brought to market and maybe with that, what was the driver behind that? Was it customer request? Was it a broker request? Was it how the, how the product come, come to be? 
 

Blake Sutherland: I actually think all parties on the creation of the product, we're seeing the same [00:11:00] need in the market in that, you know, uh, organizations were frustrated with the process. It can be very time consuming. Robert's been through it many times. He shared some stories about how time consuming it can be. Um, and, you know, frankly, the outcome, whether they get the amount of coverage they needed, whether they could get coverage at all, uh, you know, how, um, steep the premium would be and how it would change over time or be predictable from a budgeting perspective. 
 

So there absolutely was a need. We could see from the mutual customer, if you will, I think if I try to put the insurer's hat on and in high trust is not an insurance organization. So we should probably make that very clear. Our partners are and, um, you know, from their perspective, they were having to. 
 

Basically ensure a very general level of risk, not the residual risk, because without the right data to understand what the residual risk was, it was hard [00:12:00] to know how much there was there. So they had to sort of pull it sort of the lowest common denominator for many, and, um, you know, they wanted to improve that because insurance companies want to work with good risk schools and can offer. 
 

better insurance coverage and premiums as a result. 
 

Sean Martin: And Robert, talk to me about the, kind of the, you've been through it a few times, kind of the process of getting coverage, um, what you have to provide, how do you prove what you provide is accurate, how long does that take, how much back and forth you talked about having, having interviews and things like that, how, how does what you provide with your insurance partners, um, Help in that regard and other things perhaps that I haven't even touched on. 
 

Robert Booker: Yeah, I think, um, you know, You know, I think, I think, uh, it's traditionally began with, uh, you know, a, a questionnaire or a series of a series of, um, [00:13:00] uh, insights that the underwriter is seeking to, uh, understand how you manage your security system. And so, um, what's fascinating about that is you may actually have a different questionnaire for different underwriters. 
 

The brokers have tried to normalize that somewhat, but, uh, if I want to be competitive, uh, or seek a competitive. bid in the process. You know, I want to talk to different underwriters. I ended up having to do multiple questionnaires because one company may view specific controls as more essential than another company may. 
 

Um, that is getting better, I think, but in general, it's, it's pretty much, uh, I'll ask you a lot of questions about your, your system, about the controls you have, about how much data you have, what's the, what's the What's the sensitivity of the data, you know, all the things that sort of, you know, uh, quantify a risk, a number that they can actually say, okay, this is the potential exposure that we're seeing for your business. 
 

And then, uh, and then it goes, that goes to an underwriting analyst, uh, you know, some, usually a, an expert in the sort of cybersecurity considerations that each [00:14:00] underwriter has, or, or a team of, uh, experts in some cases. And, um, You know, there, there will likely be some conversation. They might come back and ask you some clarifying questions about some of your responses, but there's really not a lot of validation. 
 

And, uh, even, even now in the last, uh, the last year or two, um, you know, you'll, you'll get challenges on it. Like, well, you know, You say you have two factor authentication, like explain to me how you know you've got two factor authentication enabled at every point of entry into your company. Um, but there's no, there's no consistency with how you would actually validate that data. 
 

So I think, I think in thinking about, um, the challenge the underwriter has, it's like, well, I'm going to do my best. I'm going to ask smart questions and get good responses, then try to make sure I, I, um, My Tesla's responses, but it ultimately kind of comes down to looking in the eyes of the of the customer saying, Do I believe that they really have confidence in their program? 
 

And I think there could be a better way. I mean, if we can actually, if we can actually look at not only the control, the control specificity, but, um, you [00:15:00] know, how the controls are implemented their policies that, that, uh, you know, create an, uh, Um, incentive in the company to have that control, the procedures that make sure the control stays in place. 
 

And then we, we score it. Like we score many things at HITRUST with regard to, you know, security and risk management, and you can earn a, earn a level of maturity. Then, you know, the underwriters should know, um, with, uh, with confidence in how that process works, that if you score a 71. 3 in this area, you know, you're You're a pretty darn good organization from a cybersecurity perspective. 
 

And I think that's to Blake's earlier point. That's, that's the real, uh, if I may, holy grail around this is to say, if I know you've earned a certain level of objective and quantifiable maturity, I can know that I can underwrite your risk at a level that's, that's, uh, lower from a, from a premium perspective, because I'm much less likely as an underwriter to pay a claim. 
 

And so I think that really is the future of the space. And I think it's, it's like many things in technology. Let's use the data. [00:16:00] Let's validate ourselves and validate the data. And let's, let's make sound database decisions and the underwriters that are smart about this are getting there. 
 

Blake Sutherland: And if I might add, um, just touching on two things both of you have said is, you know, a denied claim is considered a failure by the insurance industry as well. They don't want to deny claims at all. And this concept of independent verification of the information you're getting to make risk based decisions. 
 

is hugely important to the insurance industry because it's, you know, whether someone, um, knowingly or unknowingly positioned a level of maturity or capability that they have in a questionnaire, the fact that in a high trust certification has been independently verified provides a level of trust in the data. 
 

That they can make decisions at and know that they won't be stuck in a situation where they'd have to deny a claim because of, you know, the data not being independently verified.[00:17:00]  
 

Sean Martin: So talk to me about the, the, uh, the, the process of, uh, an existing high trust customer that has a certification on, is it all three levels? Um, does it apply? Um, and if so, what, what do they do once they have that certification to obtain, uh, the insurance? 
 

Blake Sutherland: Okay, so the high trust shared risk facility is only available for the R2 level. Now, today, uh, we, it will, the plan is to expand it to our I1 and E1 levels. And in fact, Even investigate our new A. I. Certification as something that may be insurable in the future, but those are still to come. Um, the offering is broker agnostic. 
 

So if a high trust organization is interested in seeing what sort of offer they can get. For insurance through this facility, the all they need to do is reach out to the broker and mention it, and they, the broker [00:18:00] will be able to contact the underwriter for a quote the way the, you know, it's been simplified is within our system. 
 

You can just share your assessment, your results. Uh, electronically with the underwriter and as a result, they will have all the information they need. No need for 500 question questionnaires or those sorts of things in order to demonstrate sort of their level of maturity. There, of course, will be a few extra questions that will have to be verified and, and things that are not captured like claim history and other things that may be relevant to issuing insurance. 
 

But that's the general process and it, it certainly streamlines. You know, all this exchange of information as it relates to security controls and maturity. 
 

Sean Martin: That's through the results distribution system, RDS. It's 
 

Blake Sutherland: Yeah, that's the capability we have in our platform for sharing information and allowing an organization who's been assessed to say, I do want to share this with this. Other organization [00:19:00] and in this case for cyber insurance, 
 

Sean Martin: fantastic. And obviously it's all the work that they've done. To hopefully first and foremost, have a, have a good security program and then, and then following that, uh, having the proof that, that, that they've done that so that they can meet regulatory requirements, policy requirements, internal or otherwise, and now cyber insurance, which is really cool. 
 

Robert Booker: Yeah, Sean. I think to that point, um, you know, we have quantifiable data that, um, well below 1 percent of our R2 certified customers, about 0. 64 percent over a two year period. So. 0. 32 percent per year, kind of rough math of people actually experience a reportable breach. And, um, that's very exciting to the cyber insurance underwriting community because while they're careful about guarding the actual number, their claim history would be significantly above that level of performance. 
 

So they, they like seeing the data because it helps them underwrite it. But I think [00:20:00] they're also having a high level of confidence that, you know, they're, uh, they're getting to a very high quality applicant, somebody that does a good job at their cybersecurity program has earned something that proves that and, uh, to, to Blake's earlier point, which I can't, I can't overstate enough is a high quality risk pool. 
 

It drives both premium costs down and it drives performance of the overall product up. So, uh, you know, insurance companies want safe drivers for auto insurance and they want well secured, uh, companies for cybersecurity, uh, coverage. And, you know, so this is an important tool to help, help them, uh, find, you'll find those entities, the people they really do want to do business with. 
 

Blake Sutherland: I trust your safe driving app. I think you're getting at Robert, 
 

Robert Booker: think the lawyers would say that's not a good use of a term, but I'll take it. I'll take it. 
 

Sean Martin: think it paints a picture anyway, whether we don't want to, um, So I spoke to Ryan Patrick the other day. We did a nice recap [00:21:00] around collaborating. Cyber insurance is one of the points we touched on and he, he made another statement on the cost, so I don't want to misrepresent that. So I don't know if you, it's one thing to. Actually get a look at so you can potentially get a, get a policy, right? That's another to actually get a policy with good terms, good coverage. That's all for not, if it costs an exorbitant amount of money, right. Uh, or too much. So I know that there's some progress in that front too, uh, in terms of the cost of cost of coverage. 
 

Any, anything you want to share there? 
 

Blake Sutherland: Well, I'd love to point you back to the recording from collaborate because the underwriter lead for the consortium was the one that made the comment. And I think I caveat it first with every underwriter has a different model for assessing risk. And, uh, so in their case, if they in their models, if you had. 
 

[00:22:00] You know, uh, sort of a weak attestation like a SOC 2 and then on the other side you had a high trust R2, they would, uh, discount the difference in the insurance by, uh, 25 percent per year. 
 

Sean Martin: That's what I heard there. And that's what I heard again. So I'm glad, 
 

Blake Sutherland: Hopefully I caught all the caveats. He made a few others. 
 

Robert Booker: Yeah. 
 

Sean Martin: sure you I'm sure there are many in it and there's no no one size fits all. Of course, that's 
 

Robert Booker: well, the other thing that's quite fascinating is that because it is a syndicate and it's, it's a syndicate through Lloyd's of London, um, companies can actually gain access to even a higher level of coverage. So if I, if I go to a single underwriter as a company with a certain level of risk and I say, I'd like to buy a policy, you know, they might give me, I don't know, 5 billion of coverage. 
 

That might be all the exposure they'll take for any one client. But through a syndicate, they might have two or three companies that are all. comfortable with this underwriting process we've described today. And, uh, they would, they would pull that coverage. So you would have [00:23:00] 5 million plus 5 million if there were two of them, for example, and that that actually opens the market up for companies that, uh, have a higher level of need because their customers or their products really need higher levels of coverage and it allows everybody in that. 
 

in that consortium that Blake described to, to know with consistency that they're all looking at the same data when they underwrite that risk as a team. And so that, that just makes for good, good, uh, clarity and good transparency around the whole process. 
 

Sean Martin: fantastic. And I I want to as we're coming coming up to the end here in a moment. Um, Another thing I heard in Collaborate and leading up to, leading up to the conference, uh, and maybe Robert, you can speak to this, uh, first is the, the idea that it's not necessarily the CISO's role to acquire coverage. Now the CISO has a lot of responsibility in terms of what is my program, how do I prove it? 
 

What regulations have I met and what, what controls [00:24:00] can I show that I've put in place and what have you and I do, I have a high trust R two that I can share. To, to help with this, but there are other folks involved, the financial team, third party, vendor management teams, perhaps are involved. So can you speak to how, how this potentially helps bring the right stakeholders together and bring them all together on the same page? 
 

Such that they're aware that good programs with high trust certification can result in in good things, 
 

Robert Booker: Yeah. Well, the process has traditionally been that the corporate risk or the treasury risk functions and companies are the ones that actually buy insurance and not universally the case, but, but mostly the case. So oftentimes it's the security. Team and the security leader that's being impacted by the underwriting questions that we've just been describing today. 
 

And, uh, so it's kind of a silo, you know, there's somebody buying the product, there's somebody that has to prove that the system is good so they can, they can qualify to buy the product. [00:25:00] And what these kinds of, uh, capabilities do is they actually, they allow those two, business leadership functions to collaborate on this problem. 
 

And I think it, it does a couple of things. It, um, it gives the security team the opportunity to demonstrate with objectivity to their corporate partners. You know, we've got a good, well managed security program and, you know, that might actually result in a, you know, a decision to maybe buy a little less insurance, for example. 
 

I mean, it might very well be that I feel, I feel like we've got some, Some good maturity in our program. And, you know, we don't need so much insurance, but the other thing is, is I think it, um, oftentimes it's those corporate risk leaders that are communicating to the board and others along with the CISO about this different problem. 
 

I just think the more that we have enterprise leaders, all understanding the problems we, each other saw that we solve for each other and solve with each other, the better our companies are from a governance and from a overall management point of view. So just bringing people together with a common understanding is a great value in my mind.[00:26:00]  
 

Sean Martin: and I don't know if you had anything to add there, Blake, but I'd like to wrap with is perhaps a message to the folks listening. How I think we described, if you're an existing high trust customer, you reach out to your broker and, and they can present this information. Um, is there a message to the, the, the brokers out there or perhaps to some of the other stakeholders that we want to share? 
 

Robert Booker: I can, I can start, I'll, I'll start Blake. So I think, I think the question, you know, the, the message to the industry is it can be better. Uh, you can have higher levels of confidence that the people you're underwriting risk for have been truly and objectively validated. And, uh, I think, um, The desire to an earlier point Blake made to ensure that when you write a policy, your policy provides the protections your [00:27:00] customer is seeking, uh, requires a high level of confidence. 
 

So I think any underwriter that's a, that's out there that wants to participate in this process. I mean, it's a, it's a facility for a reason and, uh, it's available for others. And, um, You know, that that's certainly an opportunity, uh, for people to get involved and get engaged. And it's, it's pretty, it's pretty, um, it's pretty low intensity. 
 

I mean, there's no, you know, you don't have to true up your questionnaires and stuff. You just literally have to understand how it works and you can gain access to the information. And I think we would invite others in the market to participate, um, especially as they, they, uh, They get there. Um, one last message for the customer though, is if you are, uh, if you have a cyber insurance policy today, you're seeking renewal. 
 

It is, uh, this facility is available through any, through any licensed broker. Um, they can gain a quote. Uh, I would test yourself. If you have an R2 certification, I would, I would say, you know, I want to just see what I would get. And, uh, you know, it's not a bad thing. It's not a heavy process because you already have earned [00:28:00] the certification and you can use that data to qualify. 
 

And, um, you know, I think people will be pleasantly surprised to find that there is higher quality insurance available at potentially a lower cost. And, um, you know, it doesn't take a lot to sort of try that out as a, as a consuming organization. So, you know, maybe curiosity would be a good thing, um, to, to look at whether it can be done differently. 
 

Sean Martin: Maybe a message to organizations that have solid programs, but maybe not an R2 yet, like, because I think the whole trust factor, um, internally and externally with your, your partners and your customers and now with cyber insurance carriers, um, Just the, the fact that it's independently assessed right and certified by high trusts is a huge thing in my mind. 
 

So, I don't know. Can you, can you speak to the value of getting the R two with the, the value then leading to perhaps better insurance as well? 
 

Blake Sutherland: yeah, I actually started [00:29:00] back to your comment about what might I say to the brokers, right? Like, brokers are there to guide folks to better quality, uh, you know, risk transference through insurance products, right? So knowing that an R2 could help your. Customer achieve better rates, better coverage, better quality of insurance is something that you can provide as guidance to them. 
 

I think, um, we're excited in that as we mentioned at the top of the show, you know, E one and I one are stepping stones to an R two. R two is our highest certification and we have a traversable portfolio as you know. As we, uh, tailor the product for the E1 and the I1, if someone isn't high trust certified, but wants to mature or feels they're mature already, that first step may not be as hard as they think it is, and they can start there and then see the benefit as they move, you know, up the maturity, uh, ladder, if you will, [00:30:00] thanks 
 

Sean Martin: Yeah, it's such a cool thing, and this is a space that I've been following for a while now, and I think it was a few years back, there were some inklings that this was going to start to take place and then take form, and I'm super excited to see it happen here, and it was great to get the feedback and see the energy of folks at Collaborate. Really embrace what you've done here and what the underwriters have pulled together. And I had a chance to chat with a few folks. Um, so folks can, can stay tuned for those episodes coming out soon. Uh, and, uh, yeah, so a lot, lots, lots coming here. Any final words, uh, Robert or Blake? 
 

Robert Booker: Oh, I think I appreciate the time, Sean. It's great to explore something that's important for people. 
 

Sean Martin: Absolutely. I encourage everybody to, uh, Take that spark of curiosity that's coming from this conversation, hopefully, and, uh, engage with your broker and engage with [00:31:00] high trust. And, uh, let's raise the tide for everybody. It's all, it's a good thing for everybody involved here. So thanks everybody for listening and watching. 
 

And, uh, Robert Blake, it's fantastic to see you guys. And, uh, more and more conversations coming. 
 

Blake Sutherland: a lot, Sean. 
 

Robert Booker: Good day.