Cyber: Prepare, Prevent, Mitigate, Restore®
March 21, 2023 | New York, New York
We broadcasted live from the New York Stock Exchange for an impactful discussion on one of the biggest issues facing business today: threats to cybersecurity. This exclusive event was part of the Travelers Institute’s Cyber: Prepare, Prevent, Mitigate, Restore® initiative, a national series of educational symposia helping businesses and organizations tackle evolving cyber threats. Speakers shared insights into the current threat landscape and strategies to help prepare for and respond to a cyber incident.
Presented by the Travelers Institute, the New York Stock Exchange, the Big I New York, the Big I CT and the National Association of Professional Insurance Agents.
Text, Travelers Institute (registered trademark). Logo, Travelers, a red umbrella. Text, Cyber. Prepare. Prevent. Mitigate. Restore. Travelers Institute Cybersecurity Symposium. New York Stock Exchange. A woman steps up to a podium on a stage that contains five empty chairs. Text, Lynn Martin. President, NYSE Group.
LYNN MARTIN: Hello? OK, I think we're going to get started. Hi, everyone. Welcome to the New York Stock Exchange. It's so awesome to see such a full room of folks. From what I understand, last one of these that we had here was February of 2020. So, who was in the room February 2020? All right, so welcome back, and it's nice to see many new faces.
My name is Lynn Martin. I'm President of the New York Stock Exchange. And I know you guys are going to talk about a topic that is near and dear to our hearts. It's near and dear to all of our communities' hearts, which is cyber. Particularly, since you all last convened in the room together, the SEC has come out with some guidance on cyber.
So I can tell you that it is something that is on the mind of almost every one of the 2,400 CEOs that are members of our community. They're looking at how to protect themselves with cyber, since the world's moved so fast, and there's increasing geopolitical uncertainty. And they're looking at how to do it in an efficient fashion, not just because of regulatory mandates. It's just because it's good business practice.
Given who we are at NYSE, we're 230 years old. Cyber is something we take very, very seriously, given our role in the global markets. It's the largest global exchange, the home to the greatest and the largest companies. We represent about $30 trillion of market cap and employ about 43 million people globally. So it is something that we take very seriously as well.
So, you did not come here to our lovely boardroom to hear me talk. So without further ado, I'm going to call up someone who needs no introduction, Joan, to the stage.
Another woman takes her place at the podium. Text, Joan Woodward, President, Travelers Institute, Executive Vice President, Public Policy, Travelers.
JOAN WOODWARD: Thanks so much, Lynn. I really appreciate it. All right, folks. Lynn, thank you so much for kicking us off. It's a real pleasure to be back in this room. I am Joan Woodward. I'm President of the Travelers Institute, which is our public policy educational arm. We're thrilled today marks our 50th cybersecurity symposium.
So we started this back in 2016, saying, we think cyber is going to be an issue for our clients and customers going forward. We'll start this little symposium series and webinar series called Cyber-- Prepare, Prevent, Mitigate, and Restore, and so, again, our 50th live event in person.
Lynn, I want to thank you and Joe Tama and the NYSE staff today, really, really helpful in getting us this room and this beautiful venue. The last time we were here, February 2020, rang the opening bell. Little did we know weeks later that pandemic would hit, and we would not be able to convene for a very long time.
We canceled a lot of our programs, in-person programs, and then we went virtual, like everybody else. Patrick Kinney, former Executive Vice President of Distribution-- how many people knew Patrick Kinney-- for many, many years, right? So he looked at me, and he's like, Joan, why don't you just start a webinar series? I'm like, people are so sick of Zoom. Who's going to tune in, right?
And so he's like, no, no, no. We should do it. We should do it on Wednesdays at 1:00. We're going to call it Wednesdays with Woodward at 1:00. That's what he told me. I was like, hey, Patrick, you're the boss.
So I said, if we build it, hopefully they'll show up. And we showed up in numbers. We have 48,000 people who are invited to our Wednesday sessions. We get between six and 7,000 people joining our sessions on Wednesdays.
So if you haven't done it, we're going to have a QR code for you guys to make sure you sign up. Today, in addition to the 200 or some folks in this room, we have over 3,000 people tuning in to a webinar to watch this livestreaming. So make sure you smile and wipe that little stuff from your face after you have your bite.
When it comes to cybersecurity, we truly believe that this is a critical issue for businesses. Last year, President Biden hosted an event and invited all the tech CEOs in to talk about cybersecurity. And there was one non-tech CEO at that table. Our CEO Alan Schnitzer was invited to represent the insurance industry. And we're very proud that he was-- we were honored to be part of that discussion.
And since then, we have had-- well, we had a partnership for the last seven years with the Small Business Administration, with the Department of Homeland Security, now with CISA-- CISA is the new agency created within the Department of Homeland Security-- and the FBI. We've had those partnerships, and we doubled down, with President Biden saying we are committed to educate and inform our customers and our clients. So we're back at lots of cyber symposiums.
So since we started this-- actually, before we get started, I want to recognize some of the leaders in our room today-- Pete Heard, Executive Vice President of Enterprise Distribution; Ricky Jones, Regional President, Enterprise Distribution Management, Metro Region. Ricky, stand up. People don't know who you are. They've got to know who you are.
Missy Phillips, Regional Vice President, Bond & Specialty Insurance
All right, and then also, a huge shout-out to our partners today, the Big I of New York and the fabulous Lisa Lounsbury.
Yes? Big I of New York and Connecticut, she's taken over another state, so good for you; and the National Association of Professional Insurance Agents, Mike Becker. Mike, are you around?
All right, thank you for being with us. Now a quick overview of our agenda. We're going to have a terrific keynote address. And then we're going to have a panel discussion. And we have experts from government, industry; the QR code on your screen here shows and also, on your tent-- the bios. So I'm not going to read long bios for people, so make sure to take a look at that.
Did we throw up the picture of the New York Stock Exchange, us ringing the opening bell? Want to make sure we saw that. OK. So today, I'm thrilled to kick things off with a keynote address from Valerie Cofield. She's up from Washington, D.C., and she's the Chief Strategy Officer for the Cybersecurity and Infrastructure Security Agency, which is CISA, which is now housed in the Department of Homeland Security. So we're very appreciative of Valerie for making the trip up from Washington.
She serves as the principal strategic adviser at CISA and advises just the leadership integrating strategy across all the organization's mission areas and ensuring policy, strategy and operational consistency throughout the agency. Prior to CISA, Valerie served at the FBI for 22 years in a variety of roles. She was Deputy Assistant Director for Cyber Capabilities within the FBI's Cyber Division, where she led coordination and deployment of the division's technical tools and capabilities and oversaw cyber-related training, recruiting and budgeting.
So she's a clear government expert. And we need lots of government experts on this topic because it is rapidly evolving. So Valerie, please join me. Thank you.
Another woman takes her place at the podium. Text, Valerie Cofield. Chief Strategy Officer, Cybersecurity and Infrastructure Agency.
VALERIE COFIELD: Well, good afternoon, everyone. And thank you so much, Joan, for that introduction. And thank you the Travelers Institute for having me today in this beautiful building. And it was great for me, actually, to learn about the great history that Travelers has with cyber. To be doing this for 50 years is pretty unprecedented, and so it's really an honor and privilege to be here.
As Joan mentioned, my name is Val Cofield. I'm the Chief Strategy Officer of CISA, the Cybersecurity and Infrastructure Security Agency. And it's the newest agency on the block here in the federal government-- or not here, but in D.C. We've been around for four years. We celebrated our fourth birthday this past November.
And as Joan mentioned, it is a part of the Department of Homeland Security, which recently celebrated its 20th year in existence. And so, as we know, the past 20 years since the events of 9/11 that created DHS, much has changed in the threat landscape here. And cyber really is coming to the forefront. I think we all see the proliferation of technology in our lives in everything that we do, let alone in the businesses that we run and even in education.
So I want to talk a little bit about what CISA does and how it does what it does. It's our responsibility to protect the functions of government and the private sector that are so vital for the United States, that their disruption, corruption or dysfunction would have a debilitating effect on security, national economic security, and national public health and safety. These critical services include the water that we drink, the electricity that lights our homes and the gas that we use to fill our pumps. And all of these critical functions, we know, keep our society running.
We also fully recognize that we at CISA can't accomplish this vast and complex mission on our own. Protecting our infrastructure requires deep partnerships across all levels of government, industry and with our international partners. And we work with our partners through a variety of different initiatives.
On the physical side, CISA works across sectors and conducts and facilitates vulnerability and consequence assessments to help our partners understand and address risks to critical infrastructure. When it comes to emergency communications, CISA is the focal point for ensuring that national security and emergency response communications are up and running. And for cybersecurity, we focus on the most significant threat actors.
Gaining visibility and taking action against these threat actors requires daily collaboration with our partners in industry, the intelligence community and law enforcement. I'll be the first to admit that when it comes to these responsibilities in today's complex and evolving threat environment, we face a wide array of risks, but especially when it comes to cyber. Today, there is now, unfortunately, a cyberattack that occurs every 40 seconds, and 1 in 10 of the 1.8 billion websites leads you to malware. Damages from cybercrime amount to trillions.
In this past year especially, we've seen the results of an interconnected world, in which neither government nor industry alone have all the tools, information or authorities to adequately shift the cyber ecosystem in the favor of defenders. We know that our most critical infrastructure continues to be a significant target of interest by diverse group of threat actors, who today, through cyberspace, can initiate attacks from anywhere in the world.
The list of significant incidents in the recent months is long and growing. Cyber intrusions over the past years have been highlighted-- have highlighted that government and private sector entities are being targeted by sophisticated nation-states that have the time, money and capability to find a way even into the most well-hardened networks. As we unfortunately learned from the Colonial Pipeline ransomware attack, a successful attack on the critical infrastructure or functions that can block vital services to entire segments of society.
This highlights-- this incident highlighted that an intrusion affecting a business IT network can result in potentially catastrophic effects to the provision of critical functions. Tackling these threats facing the critical-- our critical infrastructure system is no easy feat. It will take teamwork and a relentless dedication to our mission. It will also take bold action to transform our global security posture.
This bold action will require a new approach to sustainable cybersecurity. This new approach is grounded in five pillars, which include ensuring the technology--ensuring that technology is secure and trusted by design; greater accountability by CEOs and board directors as cybersecurity moves beyond an information technology issue to an era of corporate cyber responsibility; radical transparency in our IT and software and products; and greater investment in raising public awareness of threats and online security choices and a cultural shift that promotes deep and unfettered collaboration between companies and with the federal government to ensure that we collectively move faster than our adversaries.
Slide, Cyber. Prepare. Prevent. Mitigate. Restore. Text, Travelers Institute (registered trademark). Logo, Travelers, a red umbrella. On the right is a QR code. Text, View Today's Agenda and Speaker Bios. Proudly Presented With: Logos, Small Business, Big Opportunity, Travelers Institute (registered trademark), Travelers, Big I New York, Big I Connecticut, Professional Insurance Agents, NYSE, New York Stock Exchange, An I.C.E. Exchange.
I also want to stress that even as the cybersecurity community takes steps to build sustainable approaches to cybersecurity through the widespread adoption of these five pillars, the larger community must also continue to help individuals and small businesses protect themselves. We recognize that everyone has a responsibility to maintain a safe cyber secure environment, just as drivers still bear responsibility for driving safely, even when seat belts and airbags have become standard features.
A great philanthropist by the name of Craig Newmark recently called for a focused investment in civil cyberdefense to raise public awareness of threats and online security choices, in addition to the creation of online tools and digital infrastructure that help secure the country's networks. His efforts-- his recent efforts also include programmings aimed at developing a diverse, inclusive and equitable workforce capable of meeting the technology challenges ahead.
At CISA, we've been working with our partners on similar efforts, including working with target-rich and resource-poor entities, including small businesses, school districts, water facilities, hospitals and local election offices, to ensure that they have the resources and tools needed to improve their cybersecurity, leading a nationwide cyber hygiene campaign to help all Americans, from kindergartners to senior citizens, to stay safe online and building cybersecurity into the K through 12 curriculum across the nation's schools.
Just one example of this partnership is with CISA-- that we have is with CYBER.ORG. Through a grant funded by CISA, the nonprofit organization CYBER.ORG develops and deploys a nationally focused K through 12 cybersecurity education and training model for teachers through various education tools. CYBER.ORG enables teachers to provide students with a cybersecurity educational foundation across all 50 states.
And as we work to increase the cybersecurity talent pipeline of the future, we also want to ensure that simple cyber hygiene steps, like enabling multifactor authentication, using a password manager, conducting phishing awareness training, and keeping software updated, becomes as common as basic physical hygiene practices, like washing your hands. Multifactor Authentication, or MFA, is particularly important.
MFA is a layered approach to securing your online accounts and the data they contain. While this basic security practice may seem elementary to many of those in the tech field, it is an action that is not being deployed by average, everyday technology users and critical infrastructure operators and owners. In today's environment, technology consumers should not have to opt out, but rather opt in to critical basic security, like MFA. And if you would like more information on MFA or other free cybersecurity services and tools, I encourage you to visit our website at cisa.gov. As a part of our continuing mission to reduce risk across the U.S. critical infrastructure, we've partnered and compiled a list of free cybersecurity tools and services on this website to help organizations further advance their cybersecurity capabilities.
I also want to briefly talk about CISA's cybersecurity performance goals. As you might be aware, this past October, CISA released the cross-sector Cybersecurity Performance Goals for critical infrastructures, which we call CPGs. These voluntary practices outline the highest priority baseline businesses and critical infrastructure owners of all sizes can take to protect themselves against cyberthreats.
And while the CPGs were developed with critical infrastructure in mind, they are useful to organizations of all sizes that may not have the expertise, resources or structures to place them-- in place to implement a fully comprehensive cybersecurity program. With this as a clear set of goals, entities, large and small, can be better equipped to prioritize risk in their environments and can enable more prudent decision-making, including how they allocate resources toward cybersecurity practices. More information on these goals can, again, be found at cisa.gov.
That being said, my challenge for all of you today is for you to join us in this effort and take a few simple steps that are aligned to our common baseline goals whenever possible. Specifically, all organizations should-- we ask all organizations to have a mitigated known and exploited vulnerability-- to have mitigated known and exploited vulnerabilities in public-facing systems within 48 hours-- and if you want to know more about those, you can find them on our website; to establish a vulnerability disclosure program and to publish a security.txt file; eliminate all default passwords from administrative accounts and publicly facing systems; eliminate all end-of-life assets supporting essential services or publicly facing systems; using phishing-resistant MFA for all administrative accounts and remote access systems; and review your incident response plan and conduct biannual exercises for your organization's leadership
I also understand that we have several CEOs and executives with us here today. So I have a second challenge for all of you. And I ask that you all be early adopters to corporate cyber responsibility.
Today, many business leaders still think of organization cybersecurity as information technology issues. But in today's evolving digital threat environment, is that how we should be approaching cybersecurity for an enterprise? And the answer is, no.
In the year ahead, CISA is asking for more accountability by CEOs and board directors as cybersecurity moves beyond an IT or a CISA issue to a new era of corporate cyber responsibility. It's vital for CEOs to set an example for their colleagues and to create a culture of cyberdefense. As you all know, CSR, or corporate social responsibility, is a major buzzword today.
But at CISA, we urge you all to spend more time thinking about corporate cyber responsibility, or CCR, as a good part of your governance. From our vantage point, leadership, especially CEOs and board members, need to be a part of the equation when it comes to cybersecurity. Security isn't what IT does, but what the CEO and senior executives of an organization do.
Does the senior leadership read, understand and formally sign off on the company's incident response plan? Do they attend the annual tabletop exercises and mandate it for the senior leadership team? Or do they opt out? Do senior leaders personally talk about cybersecurity to their company-wide emails and at their all-staff meetings? Do they treat cybersecurity as a cultural matter that they own or an IT issue that techies own?
People notice where their top leaders spend their time, regardless of what edicts they issue. When empowered by their leadership, cybersecurity teams at companies across the businesses can take-- across businesses can take meaningful steps to improve the resilience of their systems, so that they have the natural ability to prevent cyber intrusions.
I would be remiss if I didn't take a moment to discuss a growing trend, a growing trend in cybersecurity insurance. As many of you in this room know, the field of cyber insurance is still relatively new, and a lack of historical data on losses and legal uncertainty about what is and is not covered by specific policy language has led to a volatile-- a volatility in the cyber insurance markets.
Currently, companies offering cyber insurance may mandate that their clients take specific cybersecurity actions that they have-- that have the potential to greatly reduce the nation's cybersecurity risk. However, not all cyber insurance companies require robust cybersecurity, and investing in cybersecurity insurance doesn't replace the need for companies to invest in cybersecurity best practices. It is critical that companies continue to make sustained investments in the security of their systems over time.
I also want to highlight that insurance markets may have been playing an outsized role in shaping the financial motivations and targets-- motivations and targets of cybercriminals, who seek to obtain ransoms from insured state, local, tribal and territorial governments and private sector entities as well. The dynamics of this environment present considerable opportunity for the insurance sector and the federal government to collaboratively encourage positive behavioral changes in the private companies and organizations.
For example, by requiring a level of cybersecurity action that will drive down risk, government and industry can help shrink the territory of illicit ransomware activity. The recently released 2013 National Cybersecurity Strategy acknowledges the need to explore how the government can stabilize insurance markets against catastrophic risk to drive better cybersecurity practices and to provide market certainty when catastrophic events do occur.
In the June 2020 report titled "Cyber Insurance-- Actions Needed to Assess Potential Federal Response to Catastrophic Attacks," the Government Accounting Office asked CISA and the Treasury's Federal Insurance Office, or FIO, with producing a joint assessment for Congress on the extent to which the risks to the nation's critical infrastructures form catastrophic cyberattacks, and the potential financial exposure resulting from these risks, and if it warrants a Federal Insurance response. In response to that requirement by GAO, FIO has published a-- or this past fall, they published a Request for Information, or RFI, in the federal registry, requesting comments on the potential Federal Insurance response to catastrophic cyber incidents.
The comment period closed in mid-December. And following that RFI period, FIO engaged in a series of listening sessions with a variety of different stakeholders to hear their perspectives. CISA will support FIO in evaluating what additional data might be needed to consider whether cyber-risk warrants a Federal Insurance response. It is anticipated that FIO will complete its assessment by the end of this coming September.
In all our efforts, our goal at CISA is to raise the collective security of our cyber infrastructure. That being said, we know that we cannot secure our homeland alone. Protecting our homeland requires action from each and every one of us
So we ask you, our industry partners, to help catalyze on the necessary changes needed to move our nation's cybersecurity forward. I look forward to engaging with all of you on how CISA not only can help your organization become better protected, but how we can work better together to defend our country. Thank you again for inviting me here today, and I look forward to partnering with all of you on the cybersecurity challenges that our nation faces.
JOAN WOODWARD: Thank you so much, Valerie. Appreciate it. Valerie, that was terrific to set the stage for us and kick off. So thank you for those comments, and a special thank you for coming up from Washington just for us today.
Slide, Cyber. Prepare. Prevent. Mitigate. Restore. Text, Travelers Institute (registered trademark). Logo, Travelers, a red umbrella. On the right is a QR code. Text, View Today's Agenda and Speaker Bios. Proudly Presented With: Logos, Small Business, Big Opportunity, Travelers Institute (registered trademark), Travelers, Big I New York, Big I Connecticut, Professional Insurance Agents, NYSE, New York Stock Exchange, An I.C.E. Exchange.
So now we're going to have more experts-- a lot of chairs up here. I'm going to introduce our panel to you. And just come on up as I introduce you. Our first panelist is right here at the New York Stock Exchange. Ryan Hebert is joining us from the Exchange. He has served as the Business Information Security Officer at the NYSE and the Fixed Income and Data Services business units. He leads the cybersecurity program for those businesses, securing critical economic infrastructure and managing risk across multiple subsidiaries, geographies and regulatory jurisdictions. Prior to his role, current role, he served as Senior Director of the Information Security Governance, Risk and Compliance team, a group he established and led since joining the company in 2009.
Next, we have my friend and colleague Tim Francis. Tim is Vice President and Enterprise Cyber Lead for Travelers. He has oversight for the company's entire cyber product management, including underwriting strategy, products for the businesses of all sizes, public entities and technology firms. He's one of the industry's foremost experts on cyber issues and was named an “Industry Icon” recently. I love to mention that, just embarrasses him.
Next, we have Jennifer Coughlin of Mullen Coughlin, LLC. Jennifer is a Founding Partner of one of the largest law firms dealing with cybersecurity. She serves as a breach counsel to companies in various areas, including health care, construction companies, managed service providers, municipalities, professional services, retail, technology, and financial institutions. She also counsels clients on development of risk assessment policies, vendor agreement analysis, and implementation of data privacy practices.
And then finally, we have Rich Richard, from Region 2 at CISA. Rich is the Chief of Cybersecurity for CISA, Region 2, which covers New York, New Jersey, Puerto Rico, and the U.S. Virgin Islands-- busy man. He served in the U.S. Navy for 20 years. And after retiring, Rich worked as a Naval Network Warfare Command as a Senior Cybersecurity Engineer, managing a team of cybersecurity analysts and engineers responsible for certification and accreditation of all Navy systems and networks.
He then moved on to become Information Systems Manager with Northrop Grumman, where he was responsible for managing the IT governance and cybersecurity compliance of over 2,000 computers, processing Secret and Top Secret information.
The participants take their seats on the stage.
That's a lot. So this panel is-- we could go on for days.
But I'm going to go first to Ryan because Ryan is in this house, and he knows how to protect all these systems at the New York Stock Exchange. So it's a critically important and massive undertaking. I don't know how you sleep at night. But talk about your role and New York City's-- NYSE's approach to protecting from cyberthreats.
RYAN HEBERT: Well, I also have a three- and a six-year-old, so sleep is always hard to come by. But thank you. It's been great to partner with Travelers and to be representative from NYSE, so us to have this together. So thanks, everyone, for coming, and I appreciate it.
Text, Ryan Hebert. Business Information Security Officer, New York Stock Exchange.
So I've been with the company for quite some time. But we've gotten more horizontal as we've gotten bigger and acquired new things and built new products for our customers. So it made sense for us to have a business information security officer role.
So we now have three, me and two peers. And we are acting as a chief information security officer, but specific to those businesses that we're protecting. So we basically liaise between what the business plans to do and wants to do and is currently doing with what cyber wants to do and is planning to do and is currently doing.
So whenever we have big initiatives that we want to change, if we want to build a new product or create a new tool that we're going to use for security, I'll liaise with the company to make sure that that's the case and that they're ready for it. Likewise, if we're going to be acquiring a new company or looking to do something different in the NYSE space, then we'll make sure that we're protecting that.
But the general process that we use is we've got a first line of defense and a second line of defense. So we've got our incident response team, which would be the people attacking the actual day-to-day things that we're seeing, melded in with an engineering team. And then on the second line of defense, it's more of the let's purposefully do what we can to see what we can find, which would be broken, and get that fixed before a bad actor is able to do so. So that's our application cloud security team and our Governance, Risk and Compliance group.
But what sits on the outside of that is threat intel. And threat intel is so important in this day and age. So we're partnering with some of the folks that are up here and some of our peers in various different spaces. And that's really what drives how we protect the company, right? We really find out from there, based upon what we do for our customers, what makes sense to really put our efforts towards. And we can get into that later.
But with that, threat intel drives those threat objectives. We get those approved by our cyber governance committee. So that's the way the business is understanding that what we're focusing on in terms of what we think the big residual risks are out there. So what we'll do is we'll have our internal red team, or we'll commission penetration tests against what those threat objectives are.
So we'll attack ourselves with those same tactics, and do the same things that we would expect a bad person to do to us on a bad day, and see if our blue team can defend against it. Right? So in more times than not, our blue team is successful with identifying what it was that they were attempting to do and getting it mitigated. But in the events where we do find open items that we need to correct, that goes through that funnel of our Governance, Risk and Compliance team to fix. And then the cycle just continues over and over.
JOAN WOODWARD: Thank you for that. So Tim, I want to talk about when we got the call, when our CEO got the call to come to the White House and talk with all the other tech CEOs sitting there about cyber and how to have this defense as a country, not just for critical infrastructure. Because most of you, I'm sure, are working on things that could be considered critical infrastructure. But that's what the Department of Homeland Security has been focused on recently
But all of us, in terms of being cyber ready, what came out of that White House meeting? And I know we doubled down our commitment to doing these kinds of things. But what else came out?
TIM FRANCIS: Yeah, it was certainly an interesting meeting. And we were humbled to be there. And it was incredible to be a part of that process.
Text, Tim Francis. Vice President, Enterprise Cyber Lead, Travelers.
But it was a recognition, first and foremost, that how the country protects not just critical infrastructure, but the entire private and public sector, takes a village, to borrow a phrase, right? It's not just the solution that is going to come from government. It's not just going to come from law enforcement or technology companies. It involves a broader ecosystem. And one of the pillars of that ecosystem is insurance.
And a lot of what we talked about then and have continued to talk about, in terms of our doubling down, was actually less about how we normally think about insurance, right? Somebody has a cyber event, and we're there to help get them back up and running. And we do a considerable amount of work there. And that has led to lots of our customers and the industry's customers being able to withstand cyber events. That's the traditional role I think people think of insurance.
But we spend a lot of time talking about the other role that we play, which is, how do we help our customers prevent these events from taking place? And Valerie Cofield talked a little bit about it, through just our normal underwriting process, requiring a certain level of standard-- not the same standard for every customer, mom and pop, to Fortune 100, to this place, right? Everybody's got a different place that we can meet them at. But in encouraging increasing standards help reduce the chances that somebody is going to go through one of these events in the first place.
And so when we think about the five pillars that came out of the administration just a little while ago, one of those is shaping market forces towards more cybersecurity and resiliency. That's a role that we play. And whether you're an underwriter and a carrier or an agent that's representing a customer, giving them access to the tools and information that help prevent these events from taking place, or at least reduce the chances, is really a long way to go towards, towards raising the security. And it's really a national security issue.
JOAN WOODWARD: It is. I was talking with one of my favorite-- well, they're all my favorite agents. But one of my favorites, just when he walked in, he's like, look Joan, I had a client that didn't buy the coverage. And they just spent $158,000 just down the drain, versus what it would cost to have a policy. And so still, even though we're all bought in because you came to this event today-- you know how important this is-- it's sometimes very hard to convince a customer or a client that they need that cyber product.
But Jennifer, I want to talk to you because you see it every day. People are coming through your doors. You're a breach coach. Your law firm is exclusively working on this--
JENNIFER COUGHLIN: Correct.
JOAN WOODWARD: --issue. What are you seeing in the threat landscape out there? Has it changed during the pandemic? And give us your daily life. You walk in, and you have to work on all these probably pretty sad cases, right?
Text, Jennifer Coughlin - Founding Partner, Mullen Coughlin.
JENNIFER COUGHLIN: Yeah, oftentimes it's a catastrophic event that may, may be what ruins the business. We've seen clients go out of business because they weren't prepared to investigate these events and respond to these events. But talking about volume, I always talk about volume in how we've grown.
So we started our firm October 1, 2016, with 13 attorneys. And I remember saying to my husband, I'm going to wipe the savings account. I'm going to put the house on the line. I think we're going to be OK. I don't think cyber is going anywhere, but we're going to start this firm and see what happens. And we have 103 hired attorneys today.
JOAN WOODWARD: And what year was that?
JENNIFER COUGHLIN: --higher. 2016
JOAN WOODWARD: 2016, which is when we started our-- this is 50. We started our first one in 2016, partnered with you.
JENNIFER COUGHLIN: Yes.
JOAN WOODWARD: And we did an event on Capitol Hill talking about this issue. So since 2016 till now, you have 100 and--
JENNIFER COUGHLIN: 103 attorneys, 103 attorneys. And all we do is data privacy. We counsel organizations in the advisory compliance realm, which I think is an important growth area. Because we are seeing organizations take preparation more seriously. And that's where we provide preparatory assistance.
Incident response, the volume is just unending. We see more and more attacks happening. The threat actors are more sophisticated. They're figuring out ways to cause pain to organizations.
And then litigation has spiked. We've got lots of plaintiffs' attorneys out there that see the dollar signs and pursue these claims relating to data privacy incidents. But also, we see them attempting to pursue claims against laws that are decades old, that weren't even-- the internet wasn't around when these laws went into effect. And they're focused on wiretapping. They're not focused on technical components that you might see on a website.
But what are we seeing in trends? So, 2018 to 2021, I think everybody here knows ransomware was the biggest focus. Everybody was talking about ransomware. And what did we learn? Organizations weren't prepared to detect these events, to quarantine these events and to respond to these events.
So we saw a big spike in ransomware over 2018 to 2021. But we worked closely with Tim and Travelers and the cyber insurance community to start preaching about what organizations can do to be better prepared, to be more secure, to detect these events before they become truly catastrophic and cripple their entire network. And I think-- I think we made progress. I think people heard it.
And I think organizations said, we can be better prepared. We can respond better. We can have a plan. But the threat actors had a plan as well. So while we were so focused on ransomware, we had business email compromises spike.
So it was always ransomware, number one, business email compromise, number two. And for everybody in this room, I think you know what BECs are. But it's when a threat actor gets into your system, gets into your email account.
And what we saw the threat actors do is realize organizations are better prepared for ransomware. They're paying less. But if we get into email accounts, we might perpetrate wire fraud.
And just some numbers for everybody in here, we had, in 2019, 21% of our BEC matters involved wire fraud. The average amount of money wired fraudulently, $300,000. 2020, we had 24% of our BEC matters involving $392,000 wired.
2021, 34%, 343,000 was the average. 2022, 32%, 376,000; 2023-- this is 1/1 to 2/28-- 27% of our BEC matters involved wire fraud and the average amount of money wired fraudulently, $1.3 million. So there's so much money going out the door.
So while we were so focused on ransomware and being better prepared to detect and respond and not have to reach that point of, do we have to pay the ransom? The threat actors were like, well, that's cool. You can focus on that, and you can pay us less.
Our average ransom payment-- the percentage of clients that paid the ransom-- from 2018 to 2021, the average was 25%. Last year, it was 12%. This year it's 3%. So organizations are better prepared, and they don't have to pay the ransoms.
Except there's so much money still going out there because the threat actors realize, all right, we'll pivot. We'll focus on BECs. But all of that being said, if you asked me last year or the year before or the year before, give me the top five countries that you see ransomware threat actors coming from, Russia would be in there, and Ukraine would be in there.
So they used to be sitting sidecar with the same adversary being us, and now they're fighting each other. So I think there's a geopolitical element to why we're seeing less ransomware. But I think we do need to applaud the organizations and everything they've done over the past few years for being better prepared to detect and respond to those events.
JOAN WOODWARD: Wow, that's a lot. Thank you for sharing all your law firm's data with us. Because the trend is just increasing. OK, Rich, to you, so you're our government panelist. The whole weight of the government is on your shoulders now to talk about this.
No, I mean, in the last year or so, obviously, a lot of activity around critical infrastructure.
RICHARD RICHARD: Certainly.
JOAN WOODWARD: But one of the things I think a lot of people in this audience are saying, oh, I'm not critical infrastructure. I'm not part of the electrical grid or part of the highway system or part of the pipeline system. But in fact, most businesses are somehow, some way connected to critical infrastructure in the U.S. Can you talk about what CISA is doing now around that?
RICHARD RICHARD: Sure, my pleasure.
Text, Richard S. Richard Jr. - Chief of Cybersecurity, Region 2, Cybersecurity and Infrastructure Security Agency.
So most people don't realize, just like Joan said, how expansive critical infrastructure actually is. There are 16 sectors of critical infrastructure. That includes, like was mentioned, power, water, hospitals, financial companies, telecom, dams. The DOD has its vested interest in there. They're all part of critical infrastructure.
In fact, most people don't realize it, but somewhere between 80 and 85% of critical infrastructure in the country is owned by private industry. It's not part of the government. And because CISA is a non-regulatory agency, we don't have the authority to go in and dictate cyber practices, or anything else for that matter, to these companies that own this critical infrastructure
We have a tremendous interest right now. Lifeline sectors, that's where we're focusing. But I don't want to say that to the exclusion of the other sectors.
You might not be involved in power or water or health care or telecom or things like that, but chances are you have a nexus to it, if you're not directly involved in that. And for what it's worth, we also work with folks in-- we work with nonprofits, as well as faith-based institutions. And so they're also part of our portfolio, as well as critical infrastructure.
We are a proactive agency. We want to work, just like you mentioned, we want to work with folks before the bad day. Once the bad day happens, to be honest with you, you're into recovery mode. That's not where we have, have our ability to really help you at that point.
We want to work with you ahead of time, build you up. Resilience, you hear the word resilience. It is our mantra. We want to work with you to build you up to make you stronger to prevent that bad day, in the first place. It's a heck of a lot cheaper in the long run to keep the bad guys out of your network to the best of your ability for as long as you can than it is to deal with them once they get in.
So that’s really-- that's really where we're working right now, is to bring assets and resources, like was mentioned during the keynote. We have a tremendous amount of resources that we can bring to bear in situations like this, proactive resources. And they're all free, completely free. There's no cost.
So if you're a small-- you’re a small outfit, you're a small company, small firm, give us a call. Let's see how we can work together. We have resources, services, assessments, that can help you figure out where you stand, so you can make good decisions, going forward, on how to manage your cyber as a business risk, going forward.
JOAN WOODWARD: So maybe one of my favorite agents over here told me this morning that his client did not buy cyber insurance. So maybe that conversation is, well, if you're not going to buy cyber insurance, at least call CISA, right? And have CISA do a risk assessment on your business.
So, many people don't know this. This is 100% free. The government is offering-- when they say, I'm from the government, I'm here to help you?
This is actually-- I want you to pay attention. Because this is going to help your client who didn't want to buy the insurance. Because when you buy the insurance, you have to go through all these processes before we even insure you. That cyber hygiene happens behind the scenes and with folks like we partner with, with Mullen Coughlin.
But the government actually has these resources. So you can point your client and customer and say, go to CISA, right? And you actually have a live person come in and look at--
RICHARD RICHARD: Absolutely.
JOAN WOODWARD: --even a small business, correct?
RICHARD RICHARD: So we have big CISA, our headquarters down in Arlington. We also have 10 regions where CISA is broken out geographically. My area of responsibility is New York, New Jersey, Puerto Rico, and the Virgin Islands. But we have folks in every state that can come meet with you locally.
In fact, that's what we want to do. We want to get back to sitting down across the conference room table, sharing a cup of coffee, be that belly button that you can poke to get some help and call. And if and when you have that bad day, you have a dedicated person that you've met with from the government, where you're not calling an anonymous number, where you get one person who answers the phone. You call back a half hour later. You get another person that answers the phone. We are dedicated people locally to your organizations.
JOAN WOODWARD: That's great. OK, we're going to mix it up a little bit. Take out your phones. I want you to take out your phones. And if you're online streaming with us, we're going to do a live audience poll question. I have two of them for you.
So first of all, scan the little QR code there on the screen.
Slide, Active poll. The red umbrella Travelers logo. On the bottom left is a QR code. Text, Join at slido.com # 1 0 4 3 space 7 8 8. When hit with a ransomware attack, what percentage of the time do your clients end up paying the ransom? 100%. 75%. 50%. 25%. Never. Each answer begins at 0%.
OK, and livestreaming folks, you can join in as well. First question for you is, when hit with a ransomware attack, what percentage of the time do your clients end up paying the ransom? And so this is for those of you who work with clients that may be experiencing a ransomware attack. So we just heard from Jennifer, how much percentage of time they pay the ransom. Have you been in this situation, and what percent of time have your clients paid? All right.
And these results are both in the room and online with us.
The 75% answer option moves to the top of the list and populates to 100% full.
All right, 100% of the time, we have 75%. There we go. There we go. OK.
The percentages shift. The 75% populates to 67% full. 50% and Never both move up in the list and populate to 17% full.
It's technology, right? Maybe someone's hot cyber interfering here, let's say.
The percentages shift again. The 75% populates to 70%. The 50% populates to 20%. The Never populates to 10%.
All right, looks like it's about 75% of the time, interesting. OK, Never, we had about 6, 7%; 50% of the time. OK.
The percentages shift again. The 75% populates to 65%. The 50% populates to 29%. The Never populates to 6%.
All right, let's move on.
A new question appears. Text, on average over the last year, how much ransom was paid in these cases? Under $25,000. $25,000 to $100,000. $100,000 to $500,000. $500,000 to $1 million. Over $1 million. Each answer begins at 0%.
On average over the last year, how much ransom was paid in these cases, in these cases? We just heard from Jennifer on her experiences.
The answer percentages shift. $100,000 to $500,000 moves to the top and populates to 69%. $25,000 to $100,000 and Over $1 million populate to 13%. $500,000 to $1 million populates to 6%.
JENNIFER COUGHLIN: I intentionally did not give the average amount of ransom payment--
JOAN WOODWARD: Oh, you didn't?
JENNIFER COUGHLIN: --that we've seen. I have it.
JOAN WOODWARD: You're going to do it now. OK, wait, let's wait till the audience-- so on average the last year, how much ransom was paid in these cases?
The percentages shift. $100,000 to $500,000 moves to the top and populates to 68%. $25,000 to $100,000 populates to 16%. Over $1 million populates to 11%. $500,000 to $1 million populates to 5%.
All right, we're going to go with between a hundred and 500,000, which is a lot of money. OK.
Do the threat actors, do they look at the business, and they say, oh, well, Joan's business, she can afford to pay me a $20,000 ransom, versus like hitting me with $1 million ransom that they know I can't pay. Are they that sophisticated?
JENNIFER COUGHLIN: Sometimes. Yeah, we do see them looking. So they're trying to get into anybody's systems. There
The percentages shift. $100,000 to $500,000 moves to the top and populates to 69%. $25,000 to $100,000 populates to 14%. Over $1 million populates to 10%. $500,000 to $1 million populates to 7%.
are certain organizations that are absolutely being targeted. But most of the time, the ransomware victims are victims because they use the internet.
And the threat actor gets into the system. And what we've seen them do is start exfiltrating data and then encrypting the environment. And then they're looking at the exfiltrated data to see what financials do we have in here?
And then they're also Googling how many people do they have employed? What do they report as their revenue online? So we have seen some threat actors where, in their demand, it says, we see you have locations in the U.S. and the U.K. You have X number of employees, and we see you reporting $200 million in revenue. So your demand-- our demand for you is $2 million, $10 million, whatever it may be.
JOAN WOODWARD: And do you want to give us the average ransom?
JENNIFER COUGHLIN: Absolutely. So 100 to 500 is a massive window. So I'll say you guys were right. But we have, in 2019, it was 285,000. 2020, it was 585,000. 2021, it was 490,000. 2022, it was 400,000. 2023, we're at 172,000.
JOAN WOODWARD: So I'm going to ask each of you, so get you back in the conversation. Ryan, in a generic case, do you advise clients to pay the ransom or not? What would you?
RYAN HEBERT: I mean, it really is-- it's signature-based. It's based upon the situation. I can't say yes or no, because I can't say what level of detail do they have encrypted in your data. How pertinent is that data in your infrastructure to supporting your business on a day-to-day basis?
From a general standpoint, I would say work with your FBI agents. Work with the law enforcement. Get with CISA. Get involved first. And obviously, if you have the ability to do so, get her involved, as well, before you make that call. But it really is a case-by-case basis, depending upon what they're asking for, given what they've been able to get to that-- block off at that point from you being able to use.
JOAN WOODWARD: Thank you. So does CISA-- if I came in to you and said, I just got hit with a ransomware attack, would you help me decide whether the government would help me or the FBI?
RICHARD RICHARD: Well, the government's official stance in all circumstances is that no one should ever pay the ransom. You have no idea where that money is going. You could be funding terrorists. You could be funding other cybercriminals, who will turn around and infect hospitals, which have the potential to cause harm, if not death.
So we will never advocate for paying the ransom ever. We will help you ahead of time so hopefully, you don't fall victim to it. But we'll never advocate for paying a ransom.
JOAN WOODWARD: So recently, I read that the government was able to recoup a ransom that had been paid in a case. Can you talk about that case?
RICHARD RICHARD: I can.
JOAN WOODWARD: And how did that happen? How did you recoup that?
RICHARD RICHARD: Well, it’s a-- first of all, I was just asked this question. I was at an event, and it came up. And CISA had no really, no role in that. That was an FBI function. And they said it happens very, very rarely. It was only a portion.
There was a pipeline not too long ago that had an issue. I think we all understand what we're talking about. And a small portion of the ransom that was paid was able to be recovered.
You've got to realize the bad guys are really adept at getting paid. And once they get paid, they don't want to give the money back. And they're really good at bouncing money around, hiding it, being paid anonymously. That's the whole thing, so they can get paid. That's really what it comes down to. They want to get paid.
So don't count on being able to get any of the money back. But if you act quickly and the right set of circumstances, folks like the Secret Service and the FBI, they can help you. They can at least make the attempt. But you have to be really, really fast about getting them the information they need to try to make the attempt.
JOAN WOODWARD: OK. Tim, so if you were hit with a ransomware attack, are you more vulnerable to get attacked again, twice?
TIM FRANCIS: So, yes and no. Let me go back to something Jen was saying and talk about why somebody might be targeted in the first place, let alone for the second time, which is it's easy when we sit here, right? And Ryan's next to us. I think it doesn't take much imagination to think about why bad actors would want to penetrate the Stock Exchange or frankly, any of the companies that are trading beneath us.
But we have a lot of customers or a lot of the folks that maybe don't buy insurance do so because they think they won't be a target. And so they're not in this place. They're not a big company. They're a small company in middle America somewhere that sells something to somebody else and thinks, why would I ever be a target?
But the reality is, for many of those people that are not high profile and not a target in the normal sense of that word, they're just victims of an opportunity. Right? CISA, one of the things CISA does, is they can scan an environment and see vulnerabilities that a customer has. As an insurer, we can do much the same thing. And we help our customers understand where they have vulnerabilities.
The bad guys can do much the same thing, too, right? So they may, as Jen said, they're looking for vulnerabilities, and they're going to the path of least resistance. And oftentimes, when they hit a victim the first time, they don't know who that company is until they're already inside.
They saw a vulnerability through technology. They deployed software. They then spend some time doing a reconnaissance once they're inside. But they don't know who that company is. And frankly, they don't care who that company is. If they think they can leverage some money from that victim, that's what they're going to do.
So whether or not, then, you become a victim the second time is, well, you just were the victim the first time. Did you do something to prevent the thing that just happened to you from happening again? Right? And as an insurer, we're working with those customers. We're paying the claim.
Oftentimes, when a customer has a claim, they actually become a better customer. Because they've now done something that we both mutually identify that can be fixed. And if we fix it, then they're less likely to be a victim. If they don't fix it, then they probably have just as good, if not a better chance, of being a victim the second time around.
JOAN WOODWARD: OK, I want to talk about third-- thank you-- third-party risk. So to you, Ryan, so you could be doing all the right things. And I'm sure you're doing all the right things here at the NYSE. But you have vendors. You have contractors in your business. And we all have vendors and contractors that we have to work with and rely on. So talk about third-party risks.
RYAN HEBERT: So obviously, we've got a pretty stout group that works with vendor management, that works in information security third-party due diligence. So we have the ability. We're afforded the right to be able to go out to those representatives and have a thorough assessment of what it is that they're going to do.
But we choose a path of, what is the actual relationship based upon, right? And that really is what drives what we're going to see a requirement out of them for. In many cases, you'll see larger companies like us do a full-scale approach assessment, say, show me all your detailed controls, cross, bottom, top, et cetera.
But we really like to focus in on what the individual vendor is going to be doing for us in that relationship to drive the information security requirements of them. But in any case, no matter what it is, if they're going to have access to NYSE data or customer data of ours, they're going to be treated just like an employee, in that, I say, their access to anything from us, it's treated exactly as if they were me. They go through the same ticketing process. They go through the same infrastructure laptop ownership, et cetera, et cetera.
So that multifactor authentication that everyone keeps speaking of, that's applicable to them as well. So it really is important to note end-user behavior analytics, vendor management, vendor assessment and third-party risk. If they're going to access your data, you need to treat them as if they're an employee of yours.
Now, if you're a larger-scale company like that, you have the means to do that. If you're a smaller-scale company, start with the little things. Just ensure that they're doing security awareness training. Make sure that they're understanding what a phishing attempt would look like, and make sure that they know how to navigate a day-to-day life as a representative of you in some capacity, if you don't have the means for those sorts of activities.
JOAN WOODWARD: Got it. Did you want to say something, Tim, on the vendor?
TIM FRANCIS: No.
JOAN WOODWARD: OK. So now we're going to go to cyber hygiene, all the things you should be doing or are doing, hopefully, in your business to be cyber clean. We have another audience question for you. This is our last audience question. So again, if you haven't, scan the QR code.
Slide, Active poll. The red umbrella Travelers logo. On the bottom left is a QR code. Text, Join at slido.com # 1 0 4 3 space 7 8 8. Does your business use multifactor authentication? Yes. No. Unsure. Each answer begins at 0%.
Very easy question-- does your business use multifactor authentication, MFA? Does your business use MFA, yes, no?
Hopefully, you're not unsure. But we get some of those sometimes.
The answer Yes populates to 100%.
Yes or no, do you use MFA? All right, I'm going to call this a huge victory. Not one single person in the room is not using MFA
RICHARD RICHARD: I think they're lying.
JOAN WOODWARD: You do? You do? We all know what MFA is. Let me ask you this question. Are you using MFA in every part of your business? Is there any way you can get into your systems without MFA in one of the parts of the business?
So OK, we're going to take you at your word. You don't think they're telling the truth.
Slide, Cyber. Prepare. Prevent. Mitigate. Restore. Text, Travelers Institute (registered trademark). Logo, Travelers, a red umbrella. On the right is a QR code. Text, View Today's Agenda and Speaker Bios. Proudly Presented With: Logos, Small Business, Big Opportunity, Travelers Institute (registered trademark), Travelers, Big I New York, Big I Connecticut Professional Insurance Agents, NYSE, New York Stock Exchange, An I.C.E. Exchange.
Go ahead. Why don't you--
RYAN HEBERT: I'm with Rich on that one.
JOAN WOODWARD: All right, so Rich, let's talk about when you come in to assess organizations' vulnerabilities, what are the most common things that criminals exploit?
RICHARD RICHARD: That's an excellent question. And we try to focus on the basics. Especially with small business, they often contract out for their cybersecurity needs and things like that.
So we sit down with folks. And again, like I said, we're looking at the basic things. Do you patch your systems on a regular basis? Do you have some mechanism to see that your systems are adequately patched? Are you using things like multifactor authentication?
Do you have good backups? Backups will save you if you fall victim to a ransomware, if you have good backups that are kept clean and pristine and air-gapped or at least logically gapped from the rest of your network, so they don't get infected. My personal favorite thing is about developing a culture of awareness in your organization. Do you train your users?
Some people, it's like a dirty little secret sometimes amongst IT folks is they sometimes think that your user community is your worst nightmare, they're your worst enemy. Because those are the folks that are clicking on stuff, that open things that they shouldn't have. They go to websites where they're not supposed to, and they bring in all sorts of badness.
I prefer to think of your users as your first line of defense. You can be technically adept and have the latest, greatest hardware, software, everything protecting your systems. But if something gets through, who's going to be the one that can save your bacon at that point? The person that has that presented to them on their screen.
Educate your users. Make them aware of what they should do. Make sure they understand that if they do see something they think is sketchy, that they're not going to get in trouble for reporting it just because they saw it. It's not a problem
So empower those folks to do the right thing. Educate them so they can keep you out of the badness that is out there. We all know there's a tremendous amount of badness. So that's the baseline conversation we have with folks.
Do you have a security plan that we can take a look at, that we can run some assessments against? A lot of folks do great things. We do a whole bunch of stuff, but I don't know if they're doing the right stuff, enough stuff, the wrong stuff.
Is there ways that we can help them spend their money more cost effectively to help their cybersecurity needs? That's all the stuff that we can do with folks. We can sit down, like I said. We want to sit down across the table from you, talk to you about this stuff. We can save you a lot of money in the long run, a lot of time and effort, and a lot of pain.
JOAN WOODWARD: I hope you brought a lot of business cards with you.
RICHARD RICHARD: I do have some.
JOAN WOODWARD: The stage is going to be rushed. Jennifer, I want to go to you because you hear from clients all the time, right? And what is the biggest regret that CEOs or leadership of the clients you have when they're looking back at assessing what just happened to them with a cyberattack
JENNIFER COUGHLIN: I echo the not enough training, not enough awareness. It has to be something that's on everybody's mind. Even if it's people complaining about how inconvenient it is, you have to be training and talking about it. Because if something does slip through the filter, you want to ensure whoever receives it, doesn’t click the link and knows how to escalate it appropriately.
But some other regrets that we hear from our clients-- not having a plan, which we've seen that change over the past few years. But if you don't have a plan that addresses not only the technical response components, but also the legal components, the risk management components, ensuring the right stakeholders are identified, you're going to be starting at a disadvantage.
And we love the opportunity to help organizations do it because it really makes our lives much easier if they know who to call, when to call and what's going to happen when that event time comes. And not having insurance, it's a great-- I'm not going to do your pitch. But it's not--
It's a great way to--
RICHARD RICHARD: Pitch, pitch.
JENNIFER COUGHLIN: It's a great way to shift the risk. And I think some of the improvements we've seen over the past few years is because of cyber insurance. Because you do have to have MFA. You do need to talk about your backups. You do need to talk about your incident response plan.
You do need to talk about EDR on your systems. And having all of that in play does make you a better risk and more secure. So when we have organizations come to us without cyber insurance, they usually say, we thought the premium was too much, and we never thought this would happen to us. But it's not just the incident that they're facing. It's also the regulatory investigation and the litigation as well that they're paying 100% out of pocket for because they didn't have cyber insurance.
JOAN WOODWARD: And that incident response plan and all of the risk assessment, you don't want to have that on your systems. You want to have it outside or printed somewhere--
JENNIFER COUGHLIN: Yes.
JOAN WOODWARD: --maybe, printed maybe offsite, not on your actual computer that's going to get hacked.
JENNIFER COUGHLIN: Yup, and test it, test it frequently. We love going through the exercise with the clients. We tailor an event to them. We're going to identify the risk appropriate for their organization and create a fact pattern based upon something extremely realistic.
Sometimes, we don't tell everybody on the incident response team that we're doing the tabletop. Because nobody is going to give you a 24-hour notice you're going to have a ransomware event tomorrow. But it's a great way to work out the kinks and develop some muscle memory without being in the middle of an actual crisis
RYAN HEBERT: Yeah, I just wanted to add, and I do harp on size. It doesn't matter. It doesn't matter the scale of the information security group you have or the smallest. We did a CISA DHS penetration test, and it was fantastic. It was a great experience.
We do have cyber insurance on top of our business insurance. And we would most certainly press for security awareness. We do training once a quarter. We gamify it. We make it great.
If you actually find a real phish, as opposed to it being a test, we reward you by mean-- various different means through HR and recruiting. And so there's just a lot of ways that you can do it.
JOAN WOODWARD: Wait, say that again. Say that again. You reward people, gamify it
RYAN HEBERT: That's correct. So we phish test our people, the entire company, once a quarter. And we create the test ourself based upon what we're seeing out there. If you pass the test, you get a success, this is what you did. You don't, you get an immediate lesson.
It comes up on your screen. It says, this is how you failed. This is why you failed it. These are the things you need to look for that were factors within that email.
But on the other side of it, if it's a legitimate phish email that comes past all of our controls, which is rare. And I do like to pat myself on the back sometime.
But when it does get through, if you identify that, we have built tools that will rip it out of every other inbox in the company. So that saves the money infinitesimally. So we give them things of-- I can't remember-- praise.
But in the past, we put them into work notes that go out to the whole group, the communications to the rest of the company, so to make you know, don't be scared of telling us what you think this is. If you think it is, say something. And it's been extremely beneficial for us to have the people in the entire enterprise, as you said, your first line of defense being empowered to know it's OK if I say, I thought that was a phish, and it's really just a spam email for someone trying to sell me insurance.
RICHARD RICHARD: That's not how [INAUDIBLE].
RYAN HEBERT: --it's good to know that those people are empowered to think it's OK if I'm wrong. At least I wasn't wrong for the wrong reason. I was wrong for the right reason.
JOAN WOODWARD: This is great advice, really, really great advice. Tim, you were going to--
TIM FRANCIS: No, I would just add on. And I think what Ryan said is-- the most important thing there, I think, is, of all those things, it's having an organization that culturally, makes information and system security part of the culture. Right? If you don't establish that, you're never going to get anywhere with the training. You're never going to get anywhere with any of the other programs.
And so that's probably the most important. And that culture can be in, again, a large company or a small company. But having a leadership that takes this issue seriously and empowers their entire organization to have some ownership stake in it is a really good thing.
JOAN WOODWARD: Thank you. OK, it's time for questions. So as I said during our 50 symposiums like this, no question is too dumb. OK, so if you're having that question on your mind, somebody else is probably having that question on their mind.
So just raise your hand. We want to make sure you get a microphone. And apologies to our livestream folks. We're not going to take your questions today. We're going to go to the audience.
So any questions? I have a whole another 10 pages. There we go. OK. You don't want to hear me drone on. Just wait for the mic, and Michelle will get it to you. And if you have a specific question to a specific panelist, let us know.
AUDIENCE: So I think this is great what you're doing in terms of education. And I was just thinking. I work for a large company. But for small businesses, is there something that they can just download and then do the checks themselves?
RICHARD RICHARD: Absolutely. Again, we have something called the Cyber Essentials. They're specifically designed for small and medium business, has things like checklists, basic processes and procedures, not real nuts-and-bolts stuff, more like actions you can take at all levels of a company, from the user to the boss and everybody in between, including your technical people. Just use your search engine of choice, CISA Cyber Essentials.
Also, the cybersecurity goals that was mentioned during the keynote, another great tool-- you use those together. You've got the nuts and bolts and the practices. You put them together.
And like I said, there's all kinds of checklists. Everybody loves checklists because you can go through them and check things off. So, yes, and again, completely free. I urge you, go out and take a look. Poke around at our websites. There's more there than you'd ever think, if you've never looked before.
JOAN WOODWARD: And I want to say, it's user-friendly, too. I went on just to see a couple of years ago. And I know it's been updated, but it's also user-friendly. So we have a question here. Yes?
AUDIENCE: We have a client who's a municipality, and they actually had a breach through their email. And so we have two questions. One is breach, versus--
JENNIFER COUGHLIN: Don't say the B work. Don't say the B word.
AUDIENCE: All right. Then the second question is, once the client actually had this matter happen, the police and the FBI get involved. So here we are doing our best to help get everything to the underwriters and the claims folks. But of course, the investigators are saying, say nothing to anybody.
So I started out as an underwriter, and I'm a firm believer in cooperate with the insurance company. What are you recommending? How do we help the client to stay within the constraints that the law officials are establishing for them, but at the same time, be responsive to the company so coverage is not compromised?
JENNIFER COUGHLIN: Yeah, it is a balance. So we take our relationship with law enforcement very seriously. They are absolutely a key stakeholder in the incident response process, and we are going to involve them early on, sometimes not even tell them the client name. But we want to be able to say we reported to law enforcement. And we've also worked out the understanding that we may not give them much, but we want whatever you're willing to give to us.
When you have law enforcement involved, and say they've seized the systems, and they're not even letting you do the investigation, what we've worked out with them is, let us take the artifacts we need for the investigation. We'll make a copy for you. We'll talk to you about what we're finding.
And they, more often than not, completely understand why we need it. Because we need to do our own legal analysis. We need to ensure containment. We need to ensure we understand the nature and scope of the incident.
You need to balance that with consent requirements under the cyber insurance policy. And there needs to be an information flow that happens sooner rather than later so there's no coverage being jeopardized. So what we have done in instances where law enforcement is saying, you can't tell anybody about this incident, we say, let us tell you a little bit about who we want to talk to, why we need to talk to them and what we're going to say. And they've always come around and support us.
But there's a separate component of law enforcement delay for public notification that under the law they can say you're not allowed to tell anybody. And then the time and the clocks that start running under the statutes, they're delayed because we have law enforcement saying, hush, don't say anything. We have a close enough relationship with law enforcement that we can work out why we need to message externally to certain audiences and confirming with them what they're comfortable with us saying to them.
And the carriers are sophisticated. They get it. If I call Tim, and I say, hey, law enforcement is involved, we can tell you the following, he's probably going to say, you've got talking points.
TIM FRANCIS: Well, and I was going to say, I was going to say, if they were to call us first, which happens frequently, we're going to make sure immediately, 24 by 7, they're going to get in touch with somebody like Jen. And we're going to say, call law enforcement. I see three, right?
So we encourage law enforcement to be involved. We expect law enforcement to be involved. We certainly want to get the information that we need. But generally, that's not really a problem, for all the reasons that Jen just said.
JENNIFER COUGHLIN: Yeah, there's a sequence of events that should happen. And sometimes, law enforcement does show up on the client's doorstep and says, we identified your information on the dark web, and we want to take your servers. And in those instances, the organizations that understand the process will say, we are going to cooperate with you. I need to make another phone call.
And then we get involved and say, we get you need to do your own investigation. These are your goals. We've got to do our own investigation. These are our goals. So let's figure out how we work together.
But there are times where law enforcement shows up on the doorstep, says, give me everything, and the client says, OK, what do we do now? Hand it over. And then we're hamstrung in our own investigation. And it's something that we've worked really hard to get right with law enforcement. And they get it.
We're not trying-- we’re being cooperative. We're not going to withhold information from them. We might push back a little bit, but we're not going to withhold information. But when they show up at the doorstep, and they take what you need, and we don't get involved until later, it does impact a lot of things.
RICHARD RICHARD: Yes. So this is not law enforcement, but let me just throw out there, to reiterate a point that was made before. Have something like that as part of your incident response plan. What if law enforcement does show up on your doorstep? Or what do I have to tell law enforcement? What do I have to disclose to a regulator?
That should all be built into your plan. You shouldn't be figuring out, if you have to do that action, in the middle of dealing with an incident of some sort. Game that stuff out ahead of time, like we said before.
RYAN HEBERT: And if you're testing your plan, and you're testing it frequently, you'd be surprised how amenable the external factors of that plan are willing to come to the test with you and work through that, to say, this is the hypothetical. Where do you fit into this? And what time should I invoke this portion of that?
It's quite remarkable how quickly the different factors that are involved in these types of situations would be-- convene themselves for a planned test. Don't even try to not ask. Give the ask, right?
RICHARD RICHARD: And we in government, we're more than happy to show up to your exercise and be the government part of the exercise. When it says, I call government, and what do we want to do? Well, I can be that person that represents the government at your exercise in the conference room. So you can actually get a good response and idea of what would happen. We deal with this stuff all the time.
JOAN WOODWARD: And this is all free, again, right?
RICHARD RICHARD: All free, absolutely.
JOAN WOODWARD: Not charging anybody anything. I got to make sure everybody heard that, complimentary, free, like your bento box.
RICHARD RICHARD: Your tax dollars at work.
TIM FRANCIS: That's right.
RICHARD RICHARD: Honestly.
JOAN WOODWARD: How was your bento box today? Like it, yeah? All right, another question from the audience, yes, right here.
AUDIENCE: So this is probably for Richard, Jen and Tim more, I guess. If you have-- I think you mentioned before, Richard, that the government's never going to say, advocate for the payment of ransom for ransomware. So Jen, you have clients who may want to pay. Maybe they're being extorted, not only because their information is locked up, but maybe because they're going to publish sensitive stuff about the company.
And you have OFAC laws, and then you have insurance. And then the question is, how many times do you counsel your client about being in compliance with OFAC? And are you going to be able to pay that ransom, or is Tim going to be able to pay that ransom because of those laws?
JOAN WOODWARD: So let's explain OFAC first.
JOAN WOODWARD: Either.
JENNIFER COUGHLIN: OK, so OFAC is a regulatory agency that, essentially, says, we're going to make a list of people and people associated with countries, in certain countries, that you can't make payment. And we need to look at that list before any payment is made as part of a ransomware response. And if there is a direct hit, or there is a gray area, you might-- if there's a direct hit you can't pay-- and we've had clients say, we get it. OFAC, schmofac, we're still going to make the payments. Which we say, here's our disengagement letter. Best of luck on your future endeavors, but more often than not--
JOAN WOODWARD: It's against the law, right?
JENNIFER COUGHLIN: It is, yes.
JOAN WOODWARD: These are terrorists. I mean, the OFAC list is basically-- against the law.
JENNIFER COUGHLIN: Yeah, those are the reasons why they're on the list. Because you can't pay. But the pipeline to me was a milestone in cyber because the government had-- love you-- the government had the opportunity to say, no ransom payments. It is official. This is our position. It's the law. You cannot pay ransoms, and that didn't happen.
But I've talked to law enforcement about why that move hasn't been made. Because if you tell a hospital that they're shut down, and the only way they can restore operations is making the ransom payment, you've got blood on your hands. Because people will lose their lives. They will not have the ability to provide lifesaving measures.
So organizations sometimes, for different reasons, decide it is in our best option to make the ransom payment. You still have to confirm you're not paying somebody on the OFAC list. You still need to ensure you understand the process under your insurance policy required relating to consent. And is it direct pay? Is it reimbursement?
TIM FRANCIS: So I was just going to add on, we don't usually disagree on this, though slightly disagree-- not on the OFAC piece. She's 100% right. When we have to go through an OFAC check, and in fact, there's another third party that's actually transferring the payment, that will also do an OFAC check, we compare notes. And so if you're on the list, we can't pay. We won't pay. But--
And it's not our decision to pay, in the first place, by the way. It's ultimately the customer's decision. Even when they can pay, it's the customer working with the breach coach and doing what's right for them. And if they choose to pay, they choose to pay.
But even in a situation where OFAC doesn't allow us to pay, we're still providing a service to the customer, right? They're still getting the advantage of a breach coach, forensics. We're still paying the business interruption costs, which actually may be more now that we can't pay the ransom. But we don't just cut you off and say, best of luck. We just say, we can't pay the ransom
JENNIFER COUGHLIN: And government's position is exactly what was articulated. They don't want you to pay the ransom.
TIM FRANCIS: And we don't want them to pay the ransom either, right? All of our interests--
--it may sound like we're on different sides of the coin--
JOAN WOODWARD: Let's be clear.
TIM FRANCIS: --but we're really not. We're all in this together. Paying the ransom in the best of cases is a really bad place to be. These are not people that are on your Christmas card list that you're sending this money to. Right? And you don't want to. But when it's life and death, then it's a little bit harder to say, well, the government doesn't want me to, so I won't. There's real-life implications that matter a lot.
RYAN HEBERT: And every business has different needs from a network standpoint in terms of what traffic you expect to come into your infrastructure and which you don't. We have the ability to say, there are many to all, depending upon the year and the time, based upon threat intel, able to block all traffic from those countries that are non-extraditious. I know that's not directly related to OFAC, but I'm saying, there are measures in place that you can take that are pretty wide sweeping as long as you have a business that's really in tune with cybersecurity and how important the implications are of having something happening to you from those places.
JOAN WOODWARD: OK, we're going to do another question over here. Yes?
AUDIENCE: One of the most dreaded risks in the marketplace today are municipal governments, as I'm sure our friends from Travelers can speak to. Is there anything, Richard, in your organizations that you're doing to target municipalities, to try and help them create a stronger framework?
RICHARD RICHARD: Yeah, absolutely. SLTT, state, local, tribal, territorial, all that, so tiny county governments, all the way to big cities like we're sitting in right now, we work with everybody. We have an entire branch of folks specifically dedicated to working with municipalities, state and local government, counties and the like, to bring services, again, bring these same services to bear to help them get better.
I live in a county that had a problem not all that long ago. And it's really great to see how things evolve and how we can help work with folks to get out from under these things. But like I said, we really shine in beefing them up ahead of time, working with them ahead of time, so they can avoid this kind of nonsense altogether.
There's this perception that paying the ransom is kind of like that silver bullet. I get a decryption key, one or more, and I'm good to go, right? I type it in somewhere, and I'm magically back in business. It doesn't work that way. So again, trying to avoid that stuff ahead of time is the way to be. Be proactive with us. Work with us.
JOAN WOODWARD: Another question? Thank you. That was a good one. All the way over here-- and if anyone else has another question, can you raise your hand? I just want to pre-position the microphone.
AUDIENCE: I just want to piggyback to the OFAC sanctioned countries. Is it common for a criminal organization group similar to, let's say, Lazarus Group out of Korea, is it common for them to have a ransomware, knowing that they probably are going to have a low success rate of receiving funds?
TIM FRANCIS: Yeah, I mean, so part of the challenge in this space and why we all said is we do an OFAC check, you don't always know, even when you're doing the OFAC check, who's on the other end of that, right? You have to go through a due diligence.
But some of these threat actors are, obviously, not stupid, right? But because of the way the internet works, the blockchain works, and you're sending cryptocurrency, and how it's being laundered, you don't always know who's on the other end. And they'll change different email addresses and IP addresses. But we're making sure that we do the diligence to check.
And there are plenty of cases where we know that-- and because we're often dealing with the same threat actor groups over and over again, when you start to see the same signals, either in the malware that they use, the tactics that they use, the language that they use, literally the language, as well as just how they're phrasing things, you can kind of get a sense of maybe this is a different email address or IP address than before, but it looks and smells like the same threat actors that's on the list. And sometimes, you have to make a subjective call, but oftentimes, it's very difficult to tell for sure.
JENNIFER COUGHLIN: But OFAC is only part of the due diligence that's undertaken.
TIM FRANCIS: Yeah.
JENNIFER COUGHLIN: You reference the malware and signatures and things like that. So we're looking at the totality of the event, the indicators of compromise and other intelligence. And this is why you need to work with the people that are doing this day in and day out. Because it's not just running it against the OFAC check and saying, you can make payment.
There are other things that need to be looked at. And you need access to that intelligence to make those decisions on whether or not it's gray, payment shouldn't be made, payment should absolutely not be made, or payment can be made at this time. But there's the concept of strict liability under OFAC as well.
So if I make a payment to Tim today, to Tim's ransomware group today, and I do--
TIM FRANCIS: I don't have one.
JENNIFER COUGHLIN: --the OFAC check--
TIM FRANCIS: It's all right. It's all right.
JENNIFER COUGHLIN: And I clear the OFAC check and make the payment. But two years from now, Rich knocks on my door. Hey, Tim's been sanctioned, and do you know OFAC can go after you for the payment that you made two years ago?
Because I'm supposed to know, two years from now, he might be sanctioned. That was highlighted in the guidance that came out from OFAC in October of 2020. And I want to tell this story because it's highlighting the importance of working with law enforcement.
So the guidance came out said, strict liability. You make a payment today. You clear the OFAC check process today. But two years from now, we sanction them. We can go after you. Excuse me.
I was working a very large ransomware matter at that point in time. And the FBI was actively involved as a key stakeholder. We were gearing up for payment. We knew payment was going to be made. We had the bitcoin wallet from the threat actor, but payment had not been made yet.
So I call my FBI guy. And I said, hey, this guidance came out. I need to know, what are you telling OFAC that I'm doing right now? What are you telling them about my client? And the FBI said, we will not support revictimizing a victim of cybercrime. We are here to help you.
We have our own file. We are not going to share it. And we understand the business decision that was made here.
And it was a group that was a little questionable on whether or not they were tied to somebody who's on the naughty list or not. And OFAC hasn't done anything about it. Law enforcement supported us. And actually, because we were working so closely with them and gave them the bitcoin, well, we were able to recover $1 million of the ransom payment, which is another reason why you work with law enforcement, because they really are a valuable player in the process.
RICHARD RICHARD: Yep. See, here's the thing, though. For every company or organization that has good counsel, good guidance, to fall back upon, there's that small municipal county hospital or medical center that if I were to go to them and go, hey, you just paid an OFAC company, they'd be like, what's that? They have no idea what we're talking about.
So again, like we said, we don't advocate paying. We certainly do understand why they get paid. We understand the situations and the pressure that are on organizations, especially small, like what was mentioned before. Small businesses, single-owner, small businesses, 70% of them that get hit with malware or a ransomware incident, that's catastrophic. Like we said, they go out of business.
So I get it. They have to pay. Just understand that when you make the payment, like I said, it is not some magic make-me-better kind of a thing.
I don't know what your statistics are, but from what we found, 20% of computers that have been encrypted or infected with malware, and they do get the decryption key, 20% of them never come back. They have to reimage them anyway.
TIM FRANCIS: I would just add on-- and Jen certainly lives this every day, right? That is true. It's not a you flip the switch, and you're good. Right? And it can take days or even weeks, once you get the decryption key, to get back up and running to some semblance.
And again, that's part of what the insurance products are there and the services. Because it's not just about the payment of the ransom. It's about all the other things that go with it, trying to get you back to fully functional.
Slide, Cyber. Prepare. Prevent. Mitigate. Restore. Text, Travelers Institute (registered trademark). Logo, Travelers, a red umbrella. On the right is a QR code. Text, View Today's Agenda and Speaker Bios. Proudly Presented With: Logos, Small Business, Big Opportunity, Travelers Institute (registered trademark), Travelers, Big I New York, Big I Connecticut, Professional Insurance Agents, NYSE, New York Stock Exchange, An I.C.E. Exchange.
JOAN WOODWARD: Well, this hour has flown by. And we really appreciate it. We have to end it. I'm going to ask you, if you don't mind, taking our survey. Because the only way we know how to get better is with you telling us what we could do differently on our events. So spend just a minute and write us a sentence. We read every single comment.
I also want to give you a heads up on a couple of webinars we're having. Tomorrow, I'm going to interview the CEO of Stanley Black & Decker, and he's going to talk to me about supply chain issues and inflation. There's it on the screen.
Slide, Wednesdays with Woodward (registered trademark). Webinar Series. On the right is a QR code labeled, Register. Text, Upcoming Webinars. March 22 - Lessons for Your Business Toolbox: A Conversation with Stanley Black & Decker CEO Donald Allan. March 29 - Total Worker Health (registered trademark): Are You Looking at the Full Picture? April 5 - Navigating the Rapidly Changing World of Professional and Financial Lines Insurance. April 26 - Surety Protects: The Economic Value of Surety Bonds.
March 29th, we're going to talk about workers compensation with the CDC, the head of the CDC, who deals with this all the time.
And then April 5th, we're going to have Jeff Klenk, joined by Marsh, Michelle Sartain, and Aon's Christine Williams, talking about financial lines, the FI product, some in the news these days around financial lines, financial products. And then on April 26th, we're going to talk about surety products and surety bonds. So please join me 1:00 on Wednesdays always. Listen, please join me in thanking this amazing panel and our terrific keynote.
Thank you, all, for coming. Class dismissed.
Text, Travelers Institute (registered trademark). Logo, Travelers, a red umbrella. Text, travelersinstitute.org.
11:30 a.m. EST Registration & Networking
12:00 p.m. EST Welcoming Remarks
12:10 p.m. EST Keynote Address: CISA Chief Strategy Officer Valerie Cofield
12:30 p.m. EST Panel Discussion
1:30 p.m. EST Program Concludes
Richard S. Richard Jr.
CISM, CCISO, Chief of Cybersecurity, Region 2, Cybersecurity and Infrastructure Security Agency
Cybersecurity threats affect businesses and organizations of all sizes. Our Cyber: Prepare, Prevent, Mitigate, Restore® initiative promotes dialogue and education to help leaders prepare for and respond to cyber incidents.LEARN MORE
Join Our Email List
Get on the list to receive program invitations, replays and more.SIGN UP NOW