[00:00:00] Speaker A: Escalating cyber attacks are reflecting the increasing volatility of the global environment. And according to the World Economic Forum, AI is anticipated to be the most significant driver of change in cybersecurity in 2026.
An entity operating online is at risk of a malicious attack, and constant vigilance is required to mitigate that risk in 2026. What does that look like? I'm Janet Eastman, and today on TradeSecurely, my guest is Sophia Kudlick. She is Senior Vice President, Cyber and Technology at Hub International, and she's going to help us understand the current risk landscape and navigate through it. Sophia, great to have you on the show.
Thanks for joining us and give us a little bit of background on yourself.
[00:00:47] Speaker B: Thank you, Janet. It's a pleasure to be here. I am currently at Hub, sitting in the broker seat, liaising between businesses and insurance companies. However, over the past 10 years, my career has spanned from incident response and forensics to insurtechs as well, too. So I'm excited to bring that full circle here to my client advisory at Hub.
[00:01:10] Speaker A: Okay, perfect. So let's kick things off with the evolution of the cyber risk. How has the cybersecurity risk evolved over the last five years?
[00:01:21] Speaker B: This is a great question, and I think it speaks more credibly to my experience, especially since I'm returning back into the cyber insurance world after five years being really solely focused on cyber attacks and cyber claims. What I've noticed is that, of course, the cyber risk has evolved and there's a growing sophistication in attacks. Not only that, the frequency and severity of these attacks are also growing. So it's not getting any simpler for businesses to combat these digital risks. If anything, they're increasing at enormous speeds. And this really is changing the conversation in terms of what businesses need to do in order to stay vigilant. Overall, I'd say in the past two to three years, the insurance market specifically has gone through a change where there's a lot of competition flooding the market.
It's easier than in the past for businesses to procure cyber coverage. They're getting broader terms at cheaper prices. So overall, it's a great buyer's market to consider how to effectively transfer risk.
However, not long ago, during the pandemic, this was a very different story.
Going remote overnight really meant that threat actors really had frontline access, access to businesses, their personal data, which weren't secured. That gave rise to, you know, the, the biggest spike in cyber attacks that we've seen ever.
So the market is, an insurance market is coming out of that a little bit now, which is positive to see. But I am hopeful but not optimistic that it'll continue to be that way for much longer, considering the evolution of cyber attacks, how crafty cyber criminals are getting these days.
[00:03:10] Speaker A: I think it's interesting that you said the speed of them has really, really increased, because I have personally noticed that myself. But anyway, let's talk about the current impact and what key risks are challenging business now and what could evolve in 2026.
[00:03:27] Speaker B: Absolutely. So I like to anchor the conversation into the risks that we have always seen and the risks that we will continue to see. That being social engineering fraud or funds transfer fraud. This is when businesses are tricked or duped into transferring money to an unknowing party. Business email compromise: this is when, either with lost and stolen credentials, there is a threat actor that gains access into your emails and your system and is planning their attack. The most severe is the third type of attack, and this is ransomware. Ransomware has always been, you know, the front liner and synonymous with cyber risk as well too. This is where, you know, data is encrypted, businesses are shut down, there's potential business interruption effects, and cybercriminals are really extorting an organization in order to get back up and running or to retrieve their data.
So these are sort of steady and true and have always been in the cyber risk landscape. However, where we're seeing the conversation change is around how businesses interact with others.
So this whole concept of third party risk is now becoming front and center because it's not just about how you protect your own business.
Your security is reliant on how other vendors or other companies that you rely on as a partner conduct their cybersecurity as well. Those challenges can lead to business interruption, which is really something that we're seeing quite concerning. So through this third party risk angle, we are expanding our conversation about cybersecurity risk to encompass not just the company itself, but who are you doing business with, how are they protecting their systems and what does that mean for you if they go down? So this is something that's changed a lot more in the last five years that we've seen, this reliance on external parties as well. So apart from those steady and true cyber risks, this is where we're seeing the conversation change.
[00:05:32] Speaker A: Wow. Okay.
I may. Can we just expand a little bit on that third party risk part of it? Just very briefly, I'm looking at it kind of like as the supply chain, right? You, you can't, you can't. You know what you're doing, but you don't know what either side is doing besides you in your. Yeah, so it's, it's very much the same way, right?
[00:05:56] Speaker B: Absolutely. And the way we like to advise our clients is, you know, a lot of this third party risk management comes in the form of contracts. So what standards you set for the businesses that you rely on or that rely on you, how do you set that baseline cyber security standard and how do you hold those other companies accountable to what you believe is good risk management?
I think the misconception a lot of the times is, you know, we own this data, but because we're transferring out to a third party, whether that's your payroll or any other type of software as a service, you think that you're, the company thinks that they're ridding themselves of that risk or transferring it out. Ultimately this is a misconception because that data still belongs to that company and there is still inherent risk that if that data was breached by, not by any fault of your own by that third party, that still falls back on the company to address those breach response matters and potential litigation that could arise out of that.
So the conversation doesn't stop at transferring out that risk or transferring out your data or relying on other parties. If anything, it expands the net and expands the footprint of where your risk sits today.
[00:07:15] Speaker A: Okay, that is a great explanation. Thank you. Okay, let's talk about the role that AI is playing in cyber attacks and cybersecurity.
[00:07:24] Speaker B: Absolutely. So I think that this is the biggest and most concerning shift and change.
Before I think five, 10 years ago, we could rely on spelling errors or something that seems a little funky or off in emails or you know, threat actors really trying to get creative in terms of how they're gaining access to your credentials, your email, trying to get you to part with funds.
However, now AI has really grown, grown in sophistication and the accessibility to not just the top line threat actors who know this business and have been doing it for years, but it really introduces those less sophisticated amateur threat actors to enter into the criminal ring.
Because of these standards that are now lowered due to AI, those attacks, that attack surface is broadening. So if, if there is a situation where a company is compromised, the time, the dwell time.
So when a threat actor is sitting in a system studying it, deciding how best to proliferate their attack, that time is shortening by a lot because of AI. So cybercriminals are able to really scan this, scan the environment, target different types of documents, consolidate in, in minutes if not seconds.
That is different than the types of tactics that were used in the past.
They were studied, they, they took a longer time. Now we're seeing that shift in sophistication really, really increase.
So just like we're using AI in our day to day lives, becoming more efficient and transferring some of tasks, cyber criminals are doing exactly the same thing, except at quicker speeds as well too. So that's from the attack surface standpoint where we're seeing the most concerning evolution with, with AI and how these attacks are, are growing in severity as well.
[00:09:34] Speaker A: Wow. Okay, so what should businesses be watching for and guarding against? Like the landscape seems pretty scary out there. What, what, and what else should they be telling their staff about mitigating these risks are there to be watching for?
[00:09:48] Speaker B: Absolutely. And I think that this is one of the positive tales. Over the last five years, we've seen cybersecurity risk sort of gain more importance, more headlines and more airtime when it comes to businesses up from the, you know, starting from the boardroom all the way down to frontline staff. I think the key takeaway is that cybersecurity risk is no longer an IT problem that was siloed for so long that now it's becoming a lot more of an organizational issue.
So every single employee is a steward of that organization, of that data, of protecting that data, of flagging something if something feels off.
So because we are all gatekeepers of this risk, we are the first line of defense in that defense-in-depth, really, network. And what I mean by that is the more layers of defense that are added by an organization, the better and quicker they can detect when someone is trying to gain access or something feels off.
So these layers, they coexist. But your employees are certainly the first line of sight into when something is off, should that fail that first firewall.
There's a sequence of different types of risk management tactics that could be used by businesses and that we have seen proven through claims that work. They minimize the severity of losses, they stop the bleeding, and they stop the damage before it gets out of control.
Certain examples of this are backups. So testing and keeping backups offline and testing them frequently.
Really, it's your best line of defense in a ransomware scenario. If that data is locked away, extorted, you don't have access to it.
This gives an organization a fighting chance to recover without relying on those cybercriminals.
Another example is really monitoring that overall attack surface. So really here we've evolved the conversation from firewalls to Endpoint Detection and Response, or EDR for short. But what good is a security system if you have no one watching it, right? So this is where the conversation is changing from EDR into MDR, which is called Managed Detection and Response.
So this is where a security team is actually managing and monitoring the behavioral changes of an external network before, you know, someone can breach those digital walls.
So those are just two examples of what we see not only in the insurance landscape, but in the security world being, you know, top line items for defense. But I overall focusing on security proactive measures as well too. Training your staff, making cyber become a cultural shift. Cyber risk is a cultural shift of an organization where we're not shaming employees and potentially clicking a link, we're empowering them to know what to do next.
So when we gravitate away from that type of culture and invest in more of a proactive culture, the more focused we can be to oh, there's a claim, what do we do next? Who do we call? How do we move forward?
[00:13:20] Speaker A: Okay, let's talk about the role of insurance in cybersecurity. How can you effectively insure against a cyber incident?
[00:13:28] Speaker B: Absolutely. So I like to describe insurance as a really effective risk transfer mechanism that has gotten organizations a lot of leverage when it comes to cyber cybersecurity and cyber budgets.
Effectively, cyber insurance is a risk transfer mechanism. So this is how organizations, as the last resort, can transfer out some of that risk when it comes to dealing with a cyber incident. However, baked into it, cyber insurance has so many benefits that have become more proactive in nature rather than reactive and just sitting and waiting for a claim to happen.
So first and foremost, I'd just like to delineate that why cyber insurance is different is because it has not only the third party traditional liability component that we see in a lot of insurance policies, this is protecting companies against litigation and lawsuits as a result of a privacy or data breach. But they have this first party component as well too, which provides boots on the ground, out of pocket, immediate support when there is a cyber incident.
Not a lot of organizations have this roster of digital forensics breach coaches sitting and waiting to jump in and happen to help with an incident. So I think that this is one of the things that differentiates the cyber policy the most.
Moreover, what we find is that insurance companies today are baking in a lot of proactive measures to help organizations build up their risk management, help provide more defenses in that defense in depth system, and really advise organizations on what to look out for when it comes to overall cyber risk management.
[00:15:12] Speaker A: Okay, quick question in there. We were talking earlier that, you know, when you're worried about AI and the other risks, you're looking at your own business, but you're looking at the businesses that you deal with and you know, transfer off some of your components like payroll and things like that. Does this cybersecurity insurance protect that?
[00:15:35] Speaker B: Yes, great question. So there are elements that do. Yep. They're called things to look out for on your cyber insurance policy are contingent business interruption or dependent business interruption. So this isn't only in the interruption that you face, it's, you know, as a downstream effect from those supply chain or third parties as well too.
[00:15:53] Speaker A: Perfect. Okay, so what's your key takeaway from everything that we've talked about today? And this is a huge subject and we, you know, we've, we've scratched the surface, but what's your key takeaway for listeners today?
[00:16:05] Speaker B: Yeah, I think there's, we sit in a really unique point in time right now where with the softening market conditions, it's making cyber insurance a lot more accessible for organizations than it's ever been before. The market has evolved, the cyber insurance landscape has become incredibly innovative and broadened. And this is really positive takeaway for businesses who are looking to ask the right questions.
If you work with the right experts, you are able to take advantage and leverage this time. So that when the pendulum comes swinging back around because of the scary AI landscape that we briefly discussed, it's only a matter of time that we start to see the growing attacks become more of a problem for businesses. And the cyber insurance market will, in my opinion, eventually catch up, increasing prices and being a little bit more scrutinous on terms of.
So I think that this is, this is a moment in time to really take a look at your risk management, ask the questions, bolster your policy, really see what needs to be done proactively so that down the line, when we start to see the growing sophistication and severity of these types of attacks, businesses are well prepared to ride the storm and really understand that this is a long term play. And despite the volatility, how can organizations put themselves in the best spot right now, today, given where we are to protect themselves against this type of volatility. So that would be my takeaway. And I know we talked a lot about a lot of scary things with AI, but as always, I think that there is, I'm a die hard optimist and I think that there's a lot of opportunity in the market today for more sophistication more collaboration, and more of a proactive stance on how we manage cyber risk.
[00:18:01] Speaker A: Okay, one final quick question.
You know, people may say, oh well, nothing like this is going to happen to me. I'm a small company, I'm whatever. I think from my standpoint, I'm looking at it and going, sure, they're going to want to attack the bigger companies where maybe there's more money to be pulled out, more data or whatever, but they're also looking for an easy entrance. Right. So it, this is, this is something that applies to every company.
[00:18:26] Speaker B: Absolutely. And you said it right. I think that, you know, a phrase that gets overused in the cyber insurance industry is it's not if, but when.
I think that small businesses have historically thought that because they don't have valuable data, they're not on the radar, they are somewhat sheltered. However, we saw a really stark shift in that mentality, especially when it came to the pandemic where it's because small businesses are under resourced in the IT and cybersecurity budget side.
They are low hanging fruit to the cybercriminals. And if you put on your threat actor hat, you can see that those guys are just trying to make a quick buck and they're really going after. Why spend weeks, if not months trying to go after the big fish when in a few minutes they can really do some damage and extort a small business?
So we see the spray and pray method being used a lot and it still continues to hold true, which is a really unfortunate reality that small businesses are the most exposed, but the most underprotected from a cybersecurity angle.
[00:19:38] Speaker A: Okay, Sophia, thank you so much. This has been really, really helpful.
[00:19:42] Speaker B: Thank you for having me.
[00:19:44] Speaker A: Yeah, my pleasure. Sophia Kudlich is Senior Vice President, Cyber and Technology at Hub International.
I'm Janet Eastman. Thank you so much for listening to the TradeSecurely podcast and please, with your friends and colleagues, you need to get yourself protected. You can find business news tools to help you trade and grow securely at TradeSecure CA or get a stronger understanding of how trade credit insurance can support your [email protected]. You can also follow us on LinkedIn @Receivables Insurance Association of Canada or subscribe to our YouTube channel @tradesecurely. I'm Janet Eastman. Thanks for listening.