Hacked! What’s Your Plan?
June 8, 2022
Webinar
This cybersecurity education program is proudly presented as part of the Travelers Institute’s Cyber: Prepare, Prevent, Mitigate, Restore® initiative, which promotes dialogue and education to help leaders prepare for and respond to cyber incidents.
If your organization suffers a cybersecurity incident, will you know how to respond? Who will you notify? How will you contain the breach? Putting an incident response plan in place, and testing it before you need it, is one of the basic tenets of good cyber hygiene. Yet many businesses report failing to do so, according to the Travelers Risk Index. Travelers’ Enterprise Cyber Lead Tim Francis and Arete’s Charlie Platt provided practical tips and an overview of key considerations when putting an incident response plan together.
Summary
What did we learn? Here are the top takeaways from “Hacked! What’s Your Plan?”
Cyberattacks can happen to any business — any way, anywhere, anytime. “It’s not if, but when,” warned Charlie Platt, Arete’s Senior Director of Forensics. “But I like to take it one step further and say; it’s not just when, it’s how bad is it going to be?” According to Tim Francis, Travelers’ Enterprise Cyber Lead, many take the risk seriously. “Despite all other things [going on in the world], cyber remains the number one concern across the businesses we survey,” Francis said.
Ransomware attacks have increased over 150% — but typically only account for a third of claims. “It’s the main issue that’s making headlines. But it’s just one of many attacks that might occur,” noted Francis. Acknowledging other common cybercrimes, like social engineering fraud and business email compromise, he stressed that “there’s a host of other things that an incident response plan can help you address.”
Prevention is the best defense. According to Francis, multifactor authentication (MFA) — which requires a combination of something you know (like a username and password), something you have (like a specific device) and something you are (like a thumbprint) to verify the legitimacy of account access attempts — can prevent 99.9% of attacks. “It's usually cheap, it's often easy and it's very effective,” he noted, recommending that every company deploy MFA as their first line of defense.
Having an incident response plan in place to mitigate the risk associated with an attack or breach is important, too. “Your incident response plan is really a business continuity plan or a disaster recovery plan. It just happens to be a disaster that happened within your information systems,” remarked Platt. He and Francis offered these tips for creating the cyber portion of your business’ continuity plan:
- Make good cyber hygiene part of your plan. Maintaining organization and control of your IT assets is key. To that end, Francis recommends your incident response plan include strategies for keeping systems up-to-date, backing up data regularly and using endpoint detection and response (EDR) technology.
- Identify and prioritize your business risks. “Understand which systems actually control and run the business and are critical, and which ones are secondary so that, when you do have an incident, you know which ones to prioritize,” said Platt.
- Have a communication strategy that includes multiple means of contact. Know who you need to contact, and in what order you need to contact them – including critical internal personnel, as well as insurance, law enforcement, supplier, client and media partners. Store multi-channel contact information for each resource (personal and work emails; mobile, office and home phone numbers) both within and outside of your company’s systems, which may be compromised.
- Determine how and who will be responsible for collecting evidence. While containing the situation as soon as possible is crucial, so is gathering evidence. “These two are usually competing interests,” noted Platt. “Preserving evidence is going to take time, and it needs to have a system that is active and live.” It’s a balancing act, so knowing how evidence will be collected in advance helps maximize the effort while minimizing the risk.
- Know who will get back-ups ready to come back online. “Ultimately, the goal is to get everything back up and running,” said Platt. “Have all this in place… who’s getting backups ready to come back online, so that you can restore to a known good state.”
- Develop and document a practical plan that meets your business’ specific needs – then practice and update it regularly. “It’s a project. It’s not just a single document,” said Platt. “The problem with using a template is it seems to imply that incident response planning is a single document, and really incident response planning is a process.”
- Have a paper copy of your plan at the ready. “If you’ve got ransomware, that document on your computer may be encrypted. You may not have access to it,” noted Platt. “You’ve got to have a physical document that you can reach up and put your hands on.”
Getting back to business with limited impact after an attack is only one benefit of having a plan. “Your incident response is your checklist… to make sure you’ve covered all your bases,” noted Platt. “But it also shows your partners, your suppliers and your clients that you took this seriously, that you had a plan, that you’ve done your due diligence.”
Presented by the Travelers Institute, the MetroHartford Alliance, the American Property Casualty Insurance Association and the Master's in Financial Technology (FinTech) Program at the University of Connecticut School of Business
(SPEECH)
[MUSIC PLAYING]
(DESCRIPTION)
Text, Wednesdays with Woodward (registered trademark) Webinar Series, Travelers Institute (registered trademark). Joan Woodward's video feed appears in the upper right corner of the screen. She is seated in her office speaking to camera.
(SPEECH)
JOAN WOODWARD: Hi, good afternoon, and thank you for joining us today. I'm Joan Woodward, President of the Travelers Institute, which is the public policy division and educational arm of Travelers. So welcome to Wednesdays with Woodward, our webinar series where we convene leading experts for conversations that we all care about, for today's biggest challenges in your personal life and your professional life and at work.
So today is our 60th program. That is right, 60th program over the last two years. Thank you all for joining us and making this such a great success. We're so thrilled to be able to deliver relevant content to you almost every Wednesday.
(DESCRIPTION)
New slide titled About Travelers Institute (registered trademark) Webinars. The Wednesdays with Woodward (registered trademark) educational webinar series is presented by the Travelers Institute, the public policy division of Travelers. This program is offered for informational and educational purposes only. You should consult with your financial, legal, insurance and other advisors about any practices suggested by this program. Please note that this session is being recorded and may be used as Travelers deems appropriate. New slide. Text, Hacked! What's your Plan? Logos, Arete, Metro Hartford Alliance, Travelers Institute, Travelers, UConn School of Business, Master’s in Financial Technology, American Property Casualty Insurance Association.
(SPEECH)
So before we get started, I'd like to share our disclaimer about today's program and a big thanks to our webinar partners, the MetroHartford Alliance, the American Property Casualty Insurance Association, the Master's in Fintech program at UConn, and Arete, one of our guests today. So the Wednesdays with Woodward cybersecurity programming is now part of the Travelers Institute Cyber, Prepare, Prevent, Mitigate and Restore initiative that we launched about seven years ago, when cybersecurity became, as you know, a really big thing to worry about. So this initiative really does promote dialogue and education.
And we had our last webinar around cyber last October. We're getting back on the road. We were recently in Chicago and Denver, and so we will be coming to a city near you. We'll let you know when those in-person events will start this fall.
So, today we're going to really be talking about preparing for a cyber breach-- what steps an organization can take so they're not caught off-guard if a cyber breach happens to them. So this incident response plan and putting it in place is one of the really basic tenets of good cyber hygiene for businesses. So here today to help us understand the steps we can take to better protect ourselves, our businesses and our clients are two world-renowned cyber experts. And I don't say that lightly.
(DESCRIPTION)
New slide titled Speakers. Headshots of speakers. Text, Joan Woodward, Executive Vice President, Public Policy; President, Travelers Institute, Travelers. Tim Francis, Vice President, Enterprise Cybersecurity Lead, Travelers. Charlie Platt, Senior Director, Forensics-- Incident Response-- Solutions, Arete.
(SPEECH)
Charlie Platt of Arete Incident Response and my colleague and friend, Tim Francis, at Travelers really are recognized throughout the industry and throughout the financial services industry, not just in insurance, for being true experts in this field. So Charlie is the Senior Director with Arete Incident Response, where he works with the Incident Response and Digital Forensics teams. Arete is a global cyber risk company that helps organizations prepare for, respond to, and prevent cybercrime. Charlie has over three decades of experience working in information security, digital forensics, incident response, software development and litigation.
And then we have Tim Francis. He's Vice President and Enterprise Cyber Lead for all of Travelers. He has oversight of the company's cyber product management, including underwriting strategy and products for businesses of all sizes, public entities, and technology firms. Again, he's one of the industry's foremost experts. Charlie and Tim, thank you so much for being with us today.
So to begin this conversation I'm going to ask each of our speakers to provide a bit of an overview of what they do in their daily jobs, the state of cybercrime, what they're seeing. As we all know, during the pandemic, cybercrime has skyrocketed. So we want to talk about that. And then we're going to have a moderated discussion, as you know.
We're going to bring in lots of your questions, so please make sure to put some questions in the Q&A feature there. We'll get to as many as we can. We know this is a really hot topic. We've had thousands of people register for today's event. So we’ll also have a replay available to those of you who registered. So Tim, why don't you go ahead and take it away.
(DESCRIPTION)
New slide. A graphic of a computer monitor with a red padlock on the screen and a screen full of binary numbers in the background. Text, Cyber is the #1 concern across all businesses.
(SPEECH)
TIM FRANCIS: Thanks, Joan, always a pleasure to be with you, and looking forward to another great presentation. So, we're going to spend most of this conversation talking about what to do if, unfortunately, a cyber event should happen to you. But, I think it's important to start out with just a little bit of why we should be concerned in the first place and at least some steps that you might take from preventing these events from taking place in the first place.
No one wants to have to use their incident response plan. We do what we call the Cyber Business Risk Survey every year. And cyber is the number one concern. And in fact, it's been the number one concern every year, with the exception of 2019 when we were really in the height of the pandemic.
So, there's a lot of stuff going on in the world, right? And despite all of the other things, cyber remains the number one concern across all of the businesses that we survey in the U.S. And the demographics are virtually any industry and really any size customer.
(DESCRIPTION)
New slide. Line graph titled Ransomware Frequency and Severity Increase. Dates from 2016 to 2020 appear along the x-axis. The blue line, representing ransomware amount starts at $25,000 in 2016 and steadily increases to $247,000 in 2020. The black line, representing incident costs, starts at $98,000 in 2016 and steadily increases to $352,000 in 2020. Text, Ransomware attacks have increased by over 150% in the last year.
(SPEECH)
Let's dig into a little bit about what's going on and what those numbers really represent. So, ransomware is something that I'm sure you've all heard of. And it's the main issue that's making headlines and certainly causing concern.
I can't stress enough, though, that ransomware is just one of many cyberattacks that might occur. And we'll spend a little bit of time on ransomware. But ransomware in any given year is really only maybe a third of the number of claims that we see in our customer space.
There's social engineering fraud. There's business email compromise. And there's a host of other things that, again, an incident response plan can help you address. But for ransomware, attacks are up over 150% from last year. And last year, they were up from the year before that, and not just the frequency of events, but how much these things cost.
On average, we're seeing costs multiple six figures, $350,000. It is not at all unusual to have even small companies have ransom demands alone that are seven figures. Sometimes those are paid. And sometimes, hopefully, they're not.
But the reality is, even if a ransom is paid, often there's other costs associated with it. Or if a ransom can be avoided from paying, there's still costs. And they can be really crippling to any organization.
(DESCRIPTION)
New slide. Text, Why Ransomware is Driving Claim Trends.
(SPEECH)
So, let's talk a little bit about why ransomware is the trend. It's a host of issues. Fundamentally, ransomware is a trend because threat actors can, with relatively minor consequences or risk to them, make a lot of money. And it's very successful, unfortunately.
And over time, it's become more and more sophisticated as more sophisticated actors have entered into this space and that they're developing better software. Back just a few years ago, it was pretty easy if a ransomware threat hit your computer systems that you could just simply back up and get your systems back online pretty quickly and pretty painlessly and with not much money. As that software has gotten better, it's allowed not only sophisticated threat actors to use it, but sometimes that software is sold, and less sophisticated threat actors can perpetrate the same crimes. And so it's really created this snowball effect with, frankly, not much end in sight.
So what are some things that we can do to prevent it from happening? Let's spend a little bit of time on that.
(DESCRIPTION)
New slide. Text, Cybersecurity and Infrastructure Security Agency, (CISA), Bad Practices. 1. Use of unsupported (or end-of-life) software. 2. Use of known/fixed/default passwords and credentials. 3. The use of single-factor authentication for remote or administrative access to systems.
(SPEECH)
So, one of the things that we refer customers to, if nothing else, is some resources that are at CISA. Now, this is not best practices.
This is literally-- and CISA says right there-- simply what you should not do. And so don't take this as a guideline of, if I only don't do these things, I'm perfect, but at a minimum, don't do these things, right? Which is pretty simple. Don't use unsupported software.
Every software manufacturer is going to push out a patch if a vulnerability is discovered. But if they no longer support that software, even if a patch could be made, it's not going to end up getting to the software. So don't use it. Don't use default passwords and credentials, and don't just set them.
It is still the case, unfortunately, that "password" is a password used, or 1234. Don't use those. And don't, when you take some new software out of a package, just use the default password. Change it. Most importantly, probably, is don't use single-factor authentication. Or in our parlance, make sure you do use multifactor authentication.
(DESCRIPTION)
New slide. Text, Why is Multifactor Authentication, (MFA), so critical? Per Microsoft, 99.9% of account compromise attacks can be blocked by MFA.
(SPEECH)
And so let's talk a little bit about multifactor authentication. So why should you use multifactor authentication? Well, you can see the stat from Microsoft. And you could Google or look up other stats from other organizations.
And they'd all say essentially the same thing, that most cyberattacks that we see that are those attacks that are threat actors looking to monetize the attack-- not necessarily sophisticated nation-states attack, which has a different purpose, but the bread-and-butter criminal organizations that are trying to make money-- 99.9% of those attacks can be avoided simply by using multifactor authentication. It's usually cheap. It's often easy. And it's very effective.
(DESCRIPTION)
New slide. What is MFA? A graphic of a login screen with username and password fields. Text, 1. Something you know. A graphic of a gray bullseye in the background with a flash drive, iPad, credit card, and phone overlaid on top. Text, 2. Something you have. A graphic of a fingerprint with a checkmark in the corner. Text, 3. Something you are.
(SPEECH)
So what is multifactor authentication? It's simply something you know. And for the record, username and password is not two forms of authentication. That's still something you know. A username and a password is one form of authentication.
Something you have, like a device-- so when you connect your device to a corporate network, the corporate network knows that device belongs there. It's got a token on it. It's got a certificate. Combine that with a password, now we're into a little bit better security. Or something you are-- a thumbprint, as you're all probably familiar with when you get into, at least, your phones. So some combination of one or more of those things will be-- MFA, there is some complexity to how it's deployed, whether it's on administrative controls, email access, et cetera. We won't get into that now, but I just wanted to give you the basics because, again, it's-- as much as we want to talk about the incident response, here are some things you can do to avoid it.
(DESCRIPTION)
New slide. Text, 5 Cyber Readiness Practices. 1. Implement multifactor authentication. 2. Keep systems up-to-date. 3. Use endpoint Detection and Response, (EDR). 4. Back up your data. 5. Have an Incident Response (IR) Plan.
(SPEECH)
Now, moving beyond, very quickly, this list of bad practices, let's talk about still some other basic things. Multifactor authentication, keep your systems up to date-- so patch regularly, have a process, have a cadence in which you patch-- use endpoint detection and response, and very simply think of that as next generation antivirus software. And back up your data, right? Not only back up your data in a way that you have access to it, but if your systems were brought down, could you bring them back up online? And what is that process? And make sure that you understand that process.
And last, and not last in importance, but last on the list, have an incident response plan. So all of those other things are more how to avoid or how to mitigate. Now we're going to get into-- and Charlie is going to talk about-- what do you do when all of those things don't work?
And no plan is foolproof and bulletproof. Eventually, it's almost not a question of if, but when there's going to be an event. So what do you do? So Charlie, why don't you take it away.
(DESCRIPTION)
New slide show. Text, Hacked! What's your Plan? Charlie Platt, Senior Director, Forensics, Incident Response, and Solutions, June 8, 2022. Arete logo.
(SPEECH)
CHARLIE PLATT: Great, thank you, Tim. That was fantastic. I think there's a lot of good information in there. And I want to dig into that number five a little bit here and talk about the incident response plan and really what is it and why do you need it. And Joan, thank you for having me today. This is an honor for me to be here and an opportunity for me to talk about something that I'm really passionate about, which is information security.
(DESCRIPTION)
New slide. An image of a digital line-drawing of a lock with a photo of a hand holding it up. Text, What is Information Security? InfoSec (or Cybersecurity) is the practice of controlling the risks associated with our organization's use of Information Technology. One of the most effective ways to control risk is to make decisions prior to the need to make decisions.
(SPEECH)
And one of the things that whenever I talk about information security I'm reminded about, especially when I'm talking about incident response planning, is a situation that arose when I was in my graduate study program for cybersecurity. And I was in there with a bunch of guys. We're in the D.C. area, so we've got guys from three-letter acronym government agencies who'd rather not tell you where they work, all the way up to people like me who are consulting with a background in forensics.
You've got people who are just coming out of undergrad that are highly technical. And you've got a big, broad range of all these different experiences. And day 1 in this class, the professor sits us down, and he says, all right, guys, here's the scenario.
It's 2:00 a.m. You're in the security operations center, and all of a sudden, the alerts start going off. What do you do? And we've got 30 people here with this broad array of background. We're coming up with ideas left and right.
We're throwing out everything you can think of. Pull the plug. Take a forensic image. Track the attacker down. See if you can find out where he's coming from. See if you can find out where he first got in. How did he get in?
All these great ideas are coming up. And after he lets us go on for maybe about 30 minutes, he goes, now, this is great information, these are all great ideas, but you're all wrong. The only thing you should do at this point is stop, take a breath, pull out your incident response plan and follow it.
And at that moment, the light bulb goes off. And you realize exactly what he was trying to teach us is, if you're making that decision at the time that things are falling apart, it's not going to be as good a decision as if you made it previously, when things were calm, when the world was normal and you had time. You had a group together. You can sit down and discuss it.
You can throw out all these great ideas. You can go through them and prioritize them. You can choose which ones you want to do, which ones you don't think you can do. And you can come up with a solid plan that allows you to, in that moment of chaos, take a breath and follow your plan. And I think that's the biggest benefit to planning this ahead of time, is that you take that decision-making away from the chaos, and you put it into a period of calm and quiet so that you have a chance to actually make the best decisions that you and the organization can make.
And so, when we look at information security, what we're really talking about is controlling those risks. And to summarize that, the best way to control those risks is to make the decisions before you need to make the decisions because once you need to make that decision, you're under a very tight time frame. And you're under a lot of pressure.
And there's a lot of chaos going on. People are calling, and you need to make a quick decision. If you've already made it, it's easy. If you haven't already made it, then that's when the trouble starts.
(DESCRIPTION)
New slide. A photo of a man and woman in business attire speaking together in an office hallway while looking at a tablet. Text, What is an Incident Response Plan, (IRP).
(SPEECH)
So if we go a little bit further on this and dig into-- and Tim, you set me up perfectly for this because you've used this in your presentation. It's not if, but it's when. And every cybersecurity professional you talk to will say that. It's not a question of if this happens to you, it's just a question of when it will happen to you.
But I like to take it one step further and say, it's not just when, it's how bad is it going to be. Is this going to be something that's terrible, the worst event that your company's ever had to live through? Or, is it something that you're prepared for, you understand and you know how to act? And that's what the incident response plan is here for.
It's to help you limit that damage arising from an incident and help you get your business back up and running again as soon as possible. If you think about it, your incident response plan is really a business continuity plan or a disaster recovery plan. It just happens to be that the disaster happened within your information systems, not a storm or a hurricane or something like that that came and destroyed one of your plants. It's a bad actor trying to destroy your information systems.
And our incident response plan is going to help us stop them as fast as we can and get ourselves back up in business. And one of the ways I like to illustrate this idea is, if you think about a pilot, and a pilot’s going to get in a plane and fly that plane. They're going to take hundreds of people from D.C. to LA.
And every single time that pilot gets in that plane, they pull out their pre-flight checklist and they go through it. It could be the first time he's flying the plane. It could be the thousandth time he's flying that plane. He is going to go through that pre-flight checklist.
And you ask yourself, why? If he's flown this plane 1,000 times, he's got to know that checklist in and out back and forth. But the human brain works in a way that, if you don't have that checklist, it's very possible that you might overlook something. You could be stressed. There could be something going on. Maybe there's a call that just came in that had you upset.
You stop, you take a breath and you use your checklist. And knowing you've gone through that checklist, you know you've covered everything you need. Your incident response plan is your checklist. Just like that pilot has the checklist before he takes off in that plane, you've got your checklist to know that, at this time, I'm doing the things I need to do.
And that does a couple of things for you. It makes sure that you've covered all your bases. You've said, these are the things that are important to me during an incident, and now I've done them. But it also shows to all of your partners, your suppliers, your clients, that you took this seriously and that you had a plan, and you followed it. And while, as Tim said, all plans aren't perfect, and things always kind of go a little bit sideways, you had actually thought about this ahead of time, you've done your due diligence, and now you're doing your due care to make sure that you follow that plan.
(DESCRIPTION)
New slide. Text, Who do you notify?
(SPEECH)
So, what does a plan really look like? If we go and take a look a little deeper here, it starts out with, who needs to know? I'm in the operation center. It's 2:00 a.m. Something's going on. I have to start thinking about, who do I have to tell about this, and how am I going to tell them about this?
You might have an information security response team that you want to stand up. How do I get in touch with them? Who's on it? Who's the first person to contact? You might want to contact your insurance partner and let them know this is going on. They can provide all kinds of resources for you.
They can get someone to come in and help with forensics. They can get a breach coach to come in and help you with the legal aspects of it. They're really a great contact for you to help navigate this situation. Maybe you need to contact law enforcement or if you have in-house counsel. There's a list of individuals that you probably need to contact. And it's probably a little bit different for every organization.
One of the things as you're building this list that you really need to think about also is, today, while things are great, all my systems are up. I can pick the phone up, and I can call anyone. I can email people. But during an incident, it's very possible that maybe your email is offline. If you use VoIP phone systems, maybe those are offline.
So you want to think about multiple different ways to contact these individuals. You want to have, hey, here's personal cellphones for these people. Here's their personal email addresses. We have a way to communicate that's outside of the company systems.
Another thing to consider, too, is that your company systems may be compromised. The threat actor may be in there viewing communications. So if you're emailing about the incident as it's going on, they may be reading those emails as well. So you want to have a way to communicate that doesn't rely on a system that's already been compromised.
(DESCRIPTION)
New slide. Text, 3rd Parties and Incident Response Notifications. Where do we, as an organization, sit within our supply chain? Who are upstream and downstream from us? Suppliers, partners, clients. What do our contracts say about incidents and notification? Both as notifiers (if we have an incident) but also as recipients if a third party has an incident? What actions does our IRP say we should undertake when we are notified that a third party has had, or is having, an incident? What legal and regulatory obligations do we have? Notification Windows. Vary by jurisdiction: state, federal, international.
(SPEECH)
And so what do we do after we've notified someone? What other steps do we need to think about? Well, we also need to think about, we've now notified our internal teams, our internal individuals, our partners, like insurance or law enforcement, but we also have, as a company, business partners, people who sit upstream from us, our suppliers who we get products from that supplies us. Who's downstream from us? Who are our clients? Who are we giving things to?
And who are our partners who sit side by side with us and help us? Those individuals may also now have cause for concern. If we're suffering an incident, it's possible that we have ties into these different individuals, these different corporations, partners and clients, that would allow an attacker to move laterally out of our organization into theirs.
And really, again, this is something we should think about before the incident happens. And look at our contracts, the contracts that we originate and ones that come to us, and say, is there any language in here that talks about how do we notify, what are we supposed to do if an incident-- if we identify an incident, who do we have to tell? Who do we contact? And at what point do we need to contact them?
And you, also, as an organization, probably want to think about your contracts, and say, hey, if one of my partners has an incident, I want you to tell me. And this is when I want you to tell me. So that we're all sharing information, and we all have each other's backs. And you also have several things, like regulatory and legal obligations, that counsel can help you with, state, federal, international, even GDPR.
We're here. I'm in D.C. I'm in the U.S. But organizations still have to concern themselves with the laws of other countries, especially if they operate in the EU, Australia, China. There are very different laws and obligations in different countries that may not seem natural to us here in the U.S. but are perfectly normal somewhere else in the world. And we have to be aware of those and make sure that we're complying with those in places that we're doing business.
(DESCRIPTION)
New slide. A photo of a hand in between a line of dominoes. The dominoes on one side of the hand have all fallen, but the ones on the other side are still standing. Text, What should you do?
(SPEECH)
And so now that we've gone through and we've identified our internal contacts and our external contacts, what is it that we're actually going to do on the ground to get ourselves back up and running? Really, the first steps are, we want to identify the situation and contain it. So we want to stop it from growing.
We want to see where is it. What's going on? Where is the attacker? What do they have access to? And let's stop them from going anywhere else. This could be as simple as taking systems offline, turning off the network, cutting off our internet connection, isolating things.
Then we want to start working on eradicating and cleansing and preserving evidence. So these two are usually at competing interests. Preserving evidence is going to take time, and it needs to have a system that is active and live. Eradicating and cleansing is going to want to destroy that evidence because, basically, we want to get rid of everything that the attacker has done and get back to a known good state.
And so you have to balance the idea of, what evidence do I need to preserve, how can I get it quickly, how can I get it offline and saved so that I can then get my systems back up and running? And this is all part of your planning. So you should have all of this in place and know exactly what our steps are, who's going to be preserving evidence, who's going to be getting backups ready to come back online and wiping out systems so that we can restore to a known good state. And ultimately, our goal is to get everything back up and running and get our business operating.
And so once we've done this, what else do we need?
(DESCRIPTION)
New slide. Text, What should you document?
(SPEECH)
We've got our business back up and running. Well, unfortunately, in the world today, if you've gone through an incident, it's also possible that you will be facing litigation downstream, that someone may say, hey, you went through this incident, you didn't do your due diligence. You weren't prepared, and now I have harm that I've undergone because of you having an incident.
And you may find yourself in litigation. Documentation of what you did during that incident is going to be critical in defending yourself in that litigation. And so your incident response plan should also talk about things like chain of custody.
That evidence we preserved in the previous slide, how do we know it's legitimate? How do we know it's the right evidence? Chain of custody is going to help us preserve that in a way that we can present it as evidence if we need to.
What steps did we take? Did we do our checklist? Did we write it down? Who did it? Who took what action, and when was it taken? And then even just, who first identified the incident? Where were they? When did it happen?
What was the timeline from the first identification and towards restoration and complete restoration of the business? Were there any ransom notes? Did we pay any ransom, anything like that? Was data exfiltrated? Did anybody take anything away from us that they're now using to potentially harm our clients or customers?
(DESCRIPTION)
New slide. Text, Other Steps/Actions.
(SPEECH)
And then we can look at, what should we have done prior to the incident? What things can we do before we actually have an incident that can get us prepared for it? So things like tabletops and testing. A tabletop is basically just sitting down and role-playing, pretending that an incident is going on and making sure that everyone knows what their roles are and how they're supposed to react.
Making sure that your call lists are up to date, that you've got the right people-- it might be, oh, Bill was Head of Operations, but he retired, and now Susan is Head of Operations. Well, is she in our incident response plan now? Do we have the right contact information, do we have the right people? Just making sure that we're staying up to date. It might be that previously we had on-site, on-prem Microsoft Exchange for email, and we've now moved to Office 365. Is that updated? Do we now know, from an incident response perspective, that we're talking about a different system?
All of these things being updated and current at the time of an incident will make it go much smoother and make you be able to recover much faster. And then after the incident, what do we do? What lessons did we learn? Where did our incident response plan not hold up?
What do we need to update? Is there new training that we need to go through? Verify our documentation. Go back and make sure, did we get chain of custody?
We have all of our documentation complete and put aside so that, in case we need it, we have it and it's ready to go. And then any of that evidence that we preserve, let's take that and set it aside and keep it somewhere safe so that when we do need it, if we need it, we have it and we know where to go.
(DESCRIPTION)
New slide. Text, Additional Incident Planning Resources. NIST SP 800-61: Specific guidance from NIST on how organizations should handle information security incidents. Link: SP 800-61 Rev. 2, Computer Security Incident Handling Guide, CSRC (nist.gov). NIST CSF: General guidance from NIST on how organizations should approach information security. Link: Cybersecurity Framework, NIST. Link: Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1 (nist.gov).
(SPEECH)
And then just a couple of documents for you-- I'm a big fan of NIST. NIST does some great work around cyber. And the first one is the NIST SP 800-61. This is basically their guide on how to prepare for incident response. It's really great. I think it's a fantastic guide to get you to an incident response plan.
And then the NIST CSF, which is NIST's approach to cybersecurity as a whole. It covers everything from proactive, getting set up, making sure you're doing the right things from a hygiene perspective, all the way through responding and recovering to an incident and getting the business back up and running.
(DESCRIPTION)
New slide. Text, Questions? Arete logo.
(SPEECH)
And I think, with that, I will turn it back over to Joan. And we can go to the questions and answers, I think.
(DESCRIPTION)
The slide presentation closes and the screen now shows the web feeds of Joan, Tim and Charlie.
(SPEECH)
JOAN WOODWARD: All right, terrific. Well, Tim, great setup on the macro level. And Charlie, that was just really, really just completely useful day-1 information that people can take back to their offices and start implementing right away. So we really appreciate that practical advice and plan.
So we have a number of questions coming in. And feel free to put more in the Q&A. Also, in the chat right now, my colleague Ginny just put all those links to the NIST site and other resources. So go check out the chat.
But first, I'm going to ask our audience a few questions. And we like to do this because we like to see what they're thinking, what environment they're operating in. So let's go to our first question.
This is an audience polling. So everyone out there, take a look, and then let us know your answers. This is an easy one. Would you know what to do if your organization suffered a cyber breach? What would you do? What would be your first, second and third thing to do? Do you have that mapped out in an incident response plan? So do you know what you would do? Be honest.
All right, let's see what our results are here. I'm pretty encouraged by the preliminary results. We have about over 1,000 people answering this question, and 55% of them say they know what they're going to do, 55%. 45% say they do not know what they're going to do. Charlie, is that about what you thought, or you think our audience is more sophisticated here and know what they're going to do?
CHARLIE PLATT: I think this is a little more sophisticated than I had anticipated. That's fantastic.
JOAN WOODWARD: Really good. Tim, how about you? Did you expect this?
TIM FRANCIS: No, honestly, it's a little higher than I thought,
JOAN WOODWARD: Yeah.
TIM FRANCIS: so that's good. And, but it's interesting. I would just add, because you asked what's the first, second and third thing you would do? Well, the first thing is as Charlie said, you pull out the incident response plan. So the second thing is the first thing on the incident response plan. But just know the first thing.
JOAN WOODWARD: Good, good. All right, excellent. Well, maybe some of our audience members have listened to some of our other cyber webinars. And if you haven't listened to our other cyber webinars-- I think we've had five or six over the last year or so-- go back to the travelersinstitute.org website. And you can look at all those replays that we've done on previous cyber.
OK, second question and last question for our audience. So let's see what this is-- this is for our agents and brokers. So our agents and brokers who are signed in today, do you have clients who have suffered a cyber breach, yes or no? Do any of your clients that you currently have in your book suffered a cyber breach, yes or no?
And we'll see if we're going to be surprised by these numbers or not. But over 1,000 or so people are answering this right now, I can see. And it looks like, I'm going to say 67% say, yes, their clients have suffered a cyber breach. And about 34% say no. All right, Charlie, what are your thoughts on this?
CHARLIE PLATT: I think, Joan, my first thought is that there's 10% there that don't know what they're going to do when they suffer the second breach. And I think that's a great opportunity for people to stop and sit back for a second and think, now, I suffered one, that doesn't mean I'm not going to get a second one. What can I do now to make sure that I don't have that happen to me again?
And I also-- I have had clients who have suffered the first breach and gotten lucky and nothing really bad happened. And that gave them a false sense of, oh, this isn't as bad as what everybody else has told me it's like, therefore they did not take the actions that were recommended, suffered a second breach. And the second breach was devastating.
JOAN WOODWARD: Mm, wow.
CHARLIE PLATT: I hope there's nothing-- yeah, that's a worry.
JOAN WOODWARD: Yeah, for sure. So Charlie, why don't you walk us through exactly what happens when you get a call from a client or an organization, they just had a breach. So walk us through your day when you get that call, whatever time of day or middle of the night that is.
CHARLIE PLATT: Well, we get a team together fairly quickly to get on a call. And our call really has, I think, two goals to it. The first goal is to understand the breach, understand what's going on, the organization, how they're architected. Have they started doing anything?
Do they have an incident response plan? Have they started working through that? Where are they with the breach? What size organization are they? Do they know who the threat actors-- all of that sort of detailed minutia-- to find out, OK, this is what we're dealing with here, this is the situation on the ground.
The second aspect that we try to focus on is to let them know that we're here to get them through this, that they're now-- they have their insurance partner. Hopefully, I think, they'll have a breach coach with us. And they have us as a forensics team. And together, the three of us are going to get them through this.
There is light at the end of the tunnel now, and they can take a breath. There's still a lot of hard work to do, but we're going to solve this. And I think that's one of the big things.
Because at this time you've got a lot of people in the organization who may be doing this, suffering this the first time they've ever had to, and they're seeing a lot of their hard work potentially being put at risk. And there's a lot of fear and concern. And so we try to help settle that down, calm them, convince them that they've got the right team in place, and let's get at it.
JOAN WOODWARD: OK, great. So we have a lot of questions coming in that are very similar to this. This is the question. Is there a template for a business that they can use? And is that template different for different industries? So just talk us-- walk right through an incident response plan template, if you would, Charlie.
CHARLIE PLATT: Yeah, so I-- a template-- and I understand and I know why everybody wants a template because we all want to have, this is what you have to do. And that is sort of what we're saying here. The incident response plan is your checklist. This is what you have to do during an incident.
The problem I have with a template is it seems to imply that incident response planning is a single document. And really, incident response planning is a process. It's a whole-- it's a project. It's not just a single document. While that document will come out of the process, there's a lot more to it.
There's understanding what systems you have, identifying and organizing your IT assets. There's identifying business risk, understanding which systems in your business actually control and run the business and are critical, and which ones are secondary, so that when you do have an incident, you know which ones to prioritize. And they're speaking to the business owners and the business leaders to understand what their perspective is on how the business runs and what the most important aspects are to get back up and running.
I've had some clients who getting the phone systems back up and running was the utmost priority because they wanted their clients to be able to call them and communicate. Whereas other ones say, we've got payroll coming up, we've got to get payroll systems back up and running immediately, or we're not going to make payroll. So there's various different aspects.
Every organization is slightly different. And that process of going through planning, actually, is what is important. The document that comes out of it that you follow during the incident is an output, but it's the process that really gets you in place, I think.
JOAN WOODWARD: OK--
CHARLIE PLATT: And so in a short answer-- sorry, Joan. The short answer is, I don't have a template that fits everybody, but everybody should go through that process of planning.
JOAN WOODWARD: Got it, got it, so those key elements, right? You have all the different elements, as you say. Get a list of phone numbers and personal cellphones, and maybe somebody's spouse or husband or wife or someone else to contact if that person is out of the IOP, the Skype system or the team system. So, I assume, also, you're advising people to print these things out, actually print them, right, and have them? Everything is on my computer, and my computer has been hacked.
CHARLIE PLATT: Exactly, a notebook on the shelf, the old three-ring binder that's up on the shelf that you pull out because-- you're absolutely right. If you've got ransomware, that document on your computer very well may be encrypted, and you may not have access to it. So you've got to actually have a physical document that you can reach up and put your hands on.
JOAN WOODWARD: OK, good. So Tim, I want to get to you. So from an insurance perspective, we obviously require a lot of different things for companies to do in their cyber hygiene before, in fact, we even would insure them or underwrite them. So, from an insurance perspective, what are the key goals or ingredients that we look for in an incident response plan?
TIM FRANCIS: Well, first and foremost, we're going to look to see if you have one, right? And as Charlie said, it's harder to know from an insurance-- just telling me that you have an incident response plan frankly doesn't tell me much, right? We do want to understand, do you practice it? Do you have the process? What does that look like?
And I would say in terms of access, one of the things that we provide because it's ultimately beneficial is, for all of our customers, they get access to what we call the Travelers eRiskHub, which has a lot of incident response plan material, not just templates. And I couldn't agree more with Charlie. It should be a living, working, breathing thing, not just a document that sits there.
But in addition, we're going to make sure that our customers realize, too, if there's an incident-- Charlie mentioned breach coach in his world during forensics-- we have access to a variety of experts that do that work. So we're not a replacement for an incident response plan but also, as your insurer, can make sure all those pieces behind the scenes are already lined up, and working with experts that, frankly, if an incident occurred, particularly to a small-to-medium company at 3 o'clock in the morning on a Saturday, which they often do, you might say, well, my incident response plan says I should call a breach coach. But you've never called the breach coach.
And you don't know who they are, and they don't know who you are. As you're an insured, that call is going to happen. And that person, that breach coach who is going to be on the line within hours. And we're going to have that team that we can assemble, even if you have not done that pre-work. But we're looking to make sure that you've done some of that pre-work, that you've got at least the things that we can control, that you've organized your internal team, that you know whose role is what, and that you've at least talked about and walked through some of these things in a tabletop kind of exercise.
JOAN WOODWARD: So the process, I guess it's the process that you're involved in. Even before we write the policy and sell the insurance, it is the value of that process that businesses really get-- that's the value proposition, right, of buying insurance?
TIM FRANCIS: Yeah, and really, it's the establishment of a culture that the, first of all, cybersecurity and information security is taken seriously. And at the highest levels of the organization, there's supporting the idea that this is important and that people need to have the authority to run the teams and the communication chains that need to happen.
JOAN WOODWARD: So let's talk about the chain of command and maybe talking to the press. Let's talk about some of those practical steps. This is even for smaller companies, as well, right? We're not just talking about big companies, but small businesses also should have this in their plan.
So talk about chain of command. Talk about who's going to call-- when the press, when the reporter starts calling you, who talks with that person? Not every small company has a chief communications officer, if you will.
TIM FRANCIS: Well, right, and I think it's probably more important in a small company. A lot of big companies have gone through that process even if that process wasn't cyber-related. And they've gone through something where they've had to make decisions about talking to the press or not. Smaller companies, this may be the first time that they've even had to think about that.
And again, the encouragement is to think about that before it happens. But even if you've thought about it before it happens, every incident will be a little different. So it isn't that you've decided ahead of time.
Yes, you should decide ahead of time who's going to talk to the press. But whoever that is needs to be informed. And that information needs to come not only from the internal team to say, OK, what's really happening, what do we know, what don't we know? What pieces of this puzzle are still left to be decided? And should we wait an hour or two because maybe we'll have more information, and that might help the story better?
Of course, the conflict is, well, sometimes the longer you wait, well, it looks like you're stonewalling or you're not being forthcoming. And so there's a challenge there. And so even if you're determining who's going to talk to the press, CEO or whoever has got the right level of authority, it's the information you need to get to that person so what they say is accurate and provides as much information as should be provided, but also is not going to come back to hurt after a series of other facts come to light the next day or in the following weeks.
JOAN WOODWARD: OK. Charlie, did you want to get in on that question?
CHARLIE PLATT: I was going to say, even just going through the process of planning for an incident can help you identify areas where your cyber hygiene may be weak. That as you're going through, you say, oh, we're going to do this, you're like, well, wait a minute. If we're going to capture logs, how much logs do we actually have at any given time?
Maybe we should extend that time period. Maybe we need more. It's just going to actually naturally sort of bring up questions that are going to help you actually put yourself in a better posture. So, the planning helps you with the incident, but it also helps you on the front end of putting yourself into a better position.
JOAN WOODWARD: OK. All right, so let's talk a little bit about-- you've been hit. You've been hit with a ransomware or some other breach. Tim, how do you know, or do you always know that you've been hit? Is it always obvious? Or what can that look like?
TIM FRANCIS: No, it's not always obvious. And it's almost never completely clear, even when you realize something is going on. And so there are plenty of times when a company may find out that there's something going on because a business partner of theirs or some other third party says, hey, we're seeing suspicious activity, and the only thing we can link this back to is you. And then that might set up a series of events in place.
Frequently, whether it's ransomware or other types of attacks, there might be some period of time where a threat actor is in the system doing some reconnaissance. And they're seeing or maybe exfiltrating data information. And then they might hit you with the gotcha.
If it's a ransomware event, for sure, they've been inside your system for some period of time before you know you've got a ransomware event. So it's not just, hey, we've got an event now, but it's, OK, well, how did they get in? How long have they been in? What did they see while they were in?
And depending on all of those things, that might ultimately affect your response. Maybe it's a ransomware event where the threat actors just want a set amount of money. But in the process of doing that exploit, they've got access to personally identifiable information of customers or employees.
Well, that might obligate you to provide notification that perhaps the threat actor doesn't really care about. Sometimes they might hit you with a ransom attack to get your systems back online. Sometimes they'll understand, aha, we've also got information, and that'll be used to leverage and ransom. So it's not just determining-- to answer your question, you might not know you've had an event.
But even when you've had an event, you almost never know for sure the full scope of it. And that's where organizations like Arete come into play. That's what they do. That's what they're going to help you do is to uncover that whole event spectrum, understand what's going on, understand what happened before and then proceed to get you out of it.
JOAN WOODWARD: OK, OK. So Charlie, so how do you contain a breach before it causes more damage? So you've figured out you've been breached. How do you kind of stop the bleeding?
CHARLIE PLATT: I think-- the thing you do is you isolate systems. If you have some sort of an MDR or endpoint detection and response system, you can use those to shut systems down and keep them from infecting other systems. What Tim had said is there's a lot of times, they've been in there for a long time before you even know what's going on.
So they've had a lot of access and the ability to move around within the different systems. And if you're actually responding to ransomware, that means that, likely, they've reached the end of where they want to be, and they've gotten back out. And ransomware is the last thing they've done. They may still stay in to monitor to see if they can see your communications going back and forth.
But they're done looking around and moving through your networks. And they're now ready to, basically, play their endgame. And we actually have a term for it. It's called-- from the day they first started to the day we first recognize that they got in, to the day we identify them, it's called dwell time. And that's how long they were dwelling in your systems without you knowing they were there.
JOAN WOODWARD: And on average, what is the dwell time of a midsized business? When they get hacked, when you go back and look at the forensics of it, how many days or how many hours is that dwell time?
CHARLIE PLATT: Well, it's, I think-- I wish it were measured in hours and days. It's measured in weeks and months. They can be in for several months, especially if you think of-- ransomware is one thing. But if we think of something like a business email compromise, they'll dwell in your email, I've seen six months, a year, before they actually attack.
And what they're doing is they're just basically getting reconnaissance. They're waiting for the right moment. And when they see that right moment come up, that's when they spring into action. And everything happens, all the activity happens within a period of maybe a few weeks or a month where they actually attack. But they've been sitting there watching your communications and seeing how you talk and who you talk to for a long time so that they can naturally slip into it and pretend to be someone that you've been communicating with.
JOAN WOODWARD: Wow.
TIM FRANCIS: And I'll add, too, and the reason, part of the reason-- Charlie is exactly right. It is months, at least, on average. But if you think about it, it's because they're not just in your system. They're doing this multiple times. And so while somebody within that threat-actor group is doing reconnaissance on your system, they're probably in the midst of the ransomware negotiation with somebody else.
And so it isn't like they're just waiting because they've got you and only you. This is just part of the process. And so, A) they can afford to spend the time because they're doing other exploits at the same time, and that feeds their level of information. So, Charlie's right. They're going to figure out a way because it's worth it to them to take more time and to figure out exactly, aha, now I fully understand who this organization is, particularly on ransomware, who they are, what they've got.
I've exfiltrated it so now I can leverage it. That's going to increase the ransom. So if they can demand a ransom of, say, $100,000 now, they'll wait until they can understand, aha, I bet I can get $1 million or $3 million or whatever it is. And so that leads to the dwell time being fairly expensive in most cases.
JOAN WOODWARD: So you used a phrase, Tim, and I'm going to-- you said, when you're negotiating the ransom. So are you actually calling-- do these people give you a number you can call and say, hey, you want $100,000, I could be willing to pay and am able to pay $50,000 right now? You actually negotiate with these people?
TIM FRANCIS: So I'm glad you asked that question. And that's, again, part of the ecosystem in managing this on the exploit side is there's-- everybody has a role. There's forensic providers. There's breach coaches. And there are firms that what they do is they negotiate with the threat actors and, if need be, ultimately pay the ransom.
And that's an area that some of the forensic firms do. And there's some that really just do that negotiation as well. And in doing that, they'll have some degree of familiarity with the threat-actor group, who's able to-- maybe we can negotiate a little bit down, maybe we can get some of that money down. And typically, you can. Because ultimately, these guys now have exploited the ransomware, now they do want to get out. Now they want to get paid.
JOAN WOODWARD: They want to get paid.
TIM FRANCIS: And they want to get paid quickly.
JOAN WOODWARD: And so when they get paid, do they actually deliver? Are they trustworthy thieves? Do they actually give you your data back?
TIM FRANCIS: Yeah, that's part of the process because they don't always. And so rather than if somebody demands $1 million, particularly if it's a threat group that we may not be familiar with, we don't just pay them $1 million. We would say we might pay a small percentage of that to get a-- see if they have what we might call proof of life, in the old kidnap ransom days. Can you give us some of the decryption keys back? And we'll work with them.
I think this was a question in there, and I'll say it, though. Even when a ransom is demanded, nobody wants to pay the ransom. That's not in anybody-- nobody-- even if you could and you-- like it's just-- financially, it's a bad day. And it's just distasteful at best.
We might only pay a ransom maybe 30% of the time that there's a ransom demand. Because the first course of action is, don't pay the threat actor, can we get the systems back online some other way? And sometimes you can. And sometimes it's just a matter of, well, if it's going to take weeks to get the systems back online without paying, sometimes the payment is, unfortunately, a cheaper, faster option.
But there's a lot of decision-making that goes into whether a ransom is paid. It's not just something that's taken lightly by the organization. And ultimately, we don't make that decision. Our customers will make that decision and what's right for them.
JOAN WOODWARD: And Charlie, is the 30% number, approximately what Tim used, is that what you're seeing across all the industry, I'll call it, and your line of work? Is it about 30% that gets paid?
CHARLIE PLATT: Yeah, I would say that it's a decent number. But it's really based upon your upfront planning. Because I think Tim nailed it, is the idea that what you did upfront, did you have backups, are your systems prepared, are you ready to recover, can take a lot of that sting out. And you can really defang the threat actors.
You can say, I got my systems back up and running. I had a disaster recovery plan. I had my incident response plan. I had my backups. I'm back up and running. I don't need your decryption key. So we see several different-- we see some where it's just like, we want the decryption key so that we can get the systems back at work.
We also see things where we just want to have proof that you have our data. Did you actually take something? And again, forensics can help with that because we can look at your systems forensically and say, there's no evidence here that they actually took data, in which case you could even say we're not even going to communicate with the threat actor.
We were able to get our systems back up and running on our own. And we have forensics evidence that says they didn't take any data from us. They didn't exfiltrate anything. And that would be the perfect scenario because then you've basically taken all of their tools away from them.
But I think Tim had a good point, is that data exfiltration is one of the big things. Because if you do get your systems back up and running and they have exfiltrated data, you want to avoid that notice. You want to be able to pay them to delete that data and provide proof that they've destroyed it to you.
JOAN WOODWARD: OK good. We want to get to some audience questions here. So here's one for you, Charlie. So what happens if the breach results in litigation? So how does an organization know that the data that's collected is admissible in court? That's a good question about litigation.
CHARLIE PLATT: Yeah, I think one of the big parts about data being admissible in court is going to be your chain of custody. Can you prove through documentation where the data came from and who's had access to it? Think of it the same way you would think of your CSI, where they've got the murder weapon, and they put it in a bag, and they write on the bag who found it, where it was when they found it, date and time.
And now they basically start to build a trail of, where did the evidence come from, who first collected it, who's had access to it. How can I verify that it hasn't been altered since it was first collected? Those are going to be the big pieces that a court's going to want to look at and say, you can present this evidence because you've, A) proved that it hasn't been changed since it was collected, and you've proven to me where you collected the provenance of it, where it was collected from and why it's part of the incident.
JOAN WOODWARD: OK, Tim, this one's for you from Jeffrey Schmidt, Assured Partners. What can we expect going forward on cyber coverage, underwriting and pricing with our insured? So obviously, this is an evolution of cyber coverage and pricing. The market has certainly changed over the last couple of years-- dramatically, I'd say. What can our agents expect?
TIM FRANCIS: Yeah, it's certainly no secret that prices have gone up in the cyber market. And that's a direct result of the claim activity we're seeing. And again, I said at the outset, ransomware is only about a third of the claims. And those other types of claims haven't gone away or haven't gotten less. It's just that ransomware has gotten more. So all of that's going on at the same time. I think more importantly, in terms of the underwriting, I do think as an industry, prior to ransomware, that we might have gotten a little bit lax in making sure that all customers had-- again, multifactor authentication is a pretty good easy example. That's always been something that's been touted as a best practice.
It wasn't always a full-on mandate that multifactor authentication had to be present. Now, given the importance of it, that is something that we require of all of our customers. So things like that, where what might have been "you should do" is becoming more and more something that a client must do. And therefore, one of the things we're doing is not just making sure that our customers have better standards than maybe they used to, but giving them access to professionals, both within our own risk control group inside of Travelers, as well as some of the external partnerships we have with other companies, to say, OK, if you don't have these minimum things, here are some resources you can go to get them so that you can become a customer and stay a customer. Because ultimately, we want to make sure that we've got customers and that they're increasing their cybersecurity hygiene. And we think we've got an obligation to provide some of that resources to them. And ultimately, that's in both of our best interests.
JOAN WOODWARD: OK, wonderful. Charlie, this is for you from Evan Peterson at Nevin and Witt Insurance. How would you broach the importance of cybersecurity and insurance with management that doesn't get it and doesn't get how important it can be? So this person sounds like they're trying to talk to their bosses and trying to raise the red flag.
But in certain situations, people have done it, done the business for so long in such a way that they don't realize the threat is out there. And how do you deal with that? How do you help, it sounds like a person in an agency that wants to help the boss, and the boss is saying, nah, we don't need to worry about that?
CHARLIE PLATT: Yeah, so I think there's a couple of things that you can do. First is you really need to address it from a business aspect. What's the business risk? You can't just come in and say, I'm here to make things secure, and I'm going to secure it, and not communicate with them in the things that are really important to them.
They want to know, what's the risk to my business? If you tell me that I can't get my email for a day, all right, I'll live with it. You can see someone who's an executive saying I could get away with not having email for a few hours or whatever. The business will still continue to operate. I'll be out of touch, but we'll manage.
So you need to address it to them in a way that really hits home with the business and say, so what if all of our information systems were inaccessible for two weeks? And they say, well, if I can't get email for two weeks, that's going to be a problem. No, I'm not talking about email. I'm talking about systems on the floor that are running manufacturing today.
I'm talking about the systems that our engineers use to write software. I'm talking about actual productivity that's going on that's earning us money. The things that bring in revenue to our organization, today, for almost every organization that I can think of, are tied into information systems. And those information systems are what's at risk.
So when an executive thinks of information systems, they probably think of email, they think of Microsoft Word, Office, Excel, things like that, things that they interact with on a daily basis. They don't necessarily viscerally tie it into the systems that operate their company. And when you tell them those systems are at risk, too, and those are the systems that are going to get taken offline, now you've put it into real terms for them.
Now they see machinery stopping on the floor. They see developers not able to write software. They see projects not getting completed because they didn't take these steps. Now you're starting to talk their language, as opposed to, well, we just need to do this because it's the right thing to do for security. I think that's the right way to broach it, is to kind of come at it from their perspective and sit in their seat.
JOAN WOODWARD: OK, thank you. Another one, Charlie, for you, this is Hannah Smith. What are some things a small agency without a big IT department can do to make sure their cybersecurity is up to snuff and effective?
CHARLIE PLATT: One of the great ways you can do this-- and this is a rapidly growing area in information security-- is the virtual system. So you can't afford yourself to hire a specific person to come in your organization and run your information security systems. But you can hire a consultant to come in and play that role for you on a part-time basis. And those are termed currently vCISO, or virtual CISO for chief information security officer.
And they'll come in and they'll help you assess your systems. They'll help build an incident response plan with you. And they'll basically help you build up cyber hygiene for your organization. And then they can check back in with you periodically to make sure you're doing updates and you're keeping up with it. But that's a great way for a small organization that doesn't have the resources to do that full-time to get the benefits and, basically, share a system among different organizations.
JOAN WOODWARD: OK, good. Tim, this one's for you from Jeff Prillio in California. Does data recovery cover the cost to recreate data and information from scratch when no backups or duplicates are available? Good question.
TIM FRANCIS: Yeah, it depends what that data is, in terms of we're going to cover the cost to try to get the data back. But if the data is 10 years’ worth of clinical trial medical research, we're not going to pay to do 10 years’ worth of medical research as a matter of course, in terms of how the policies work. We're paying to get that data back and whatever the costs are to try to-- if it's encrypted, to try to unencrypt so that you can read it.
But it's not going to be, again, a coverage. It's not covered, in terms of you need 10 years’ worth of medical research to reconstruct that data. That's not how the coverage works.
JOAN WOODWARD: OK, great. This is from Robert Flowers coming in. Can you touch on the importance of engaging with the right vendors, especially given the myriad of cyber exposures that companies face? So we want to talk about vendors for a second. Charlie or Tim?
TIM FRANCIS: Yeah, I'll take that question in the context of not just the vendors that you might deal with as a regular course of doing business. I think-- well, I'll take it both ways. When you are engaging with a vendor, whether it's your laundry supply or your payroll systems, you want to do some due diligence to make sure they're taking their cybersecurity seriously.
And as part of the contractual process, there ought to be something in the contracts about that. And there ought to be some due diligence that's done to determine what their system protocols are. Because if their systems are connecting to your systems, you might invite a vulnerability. And so we ought to do some work.
I'd also take it in the context of vendors that you might call upon when an incident occurs. And again, as an insurer and, frankly, our competitors in this space, we've got long-standing relationships with vendors that do this kind of work, whether it's incident response or forensics or breach coach, that do only that and are the best of the best. And you do not want to go with somebody that thinks they know how to do it, or it's their first time, or you use for something else, and now they're going to get called in. You want to avoid that, and you want to get somebody that does this and has been tried and true and tested.
JOAN WOODWARD: Great. Well, we have come to-- this was just-- the hour flew by. We came to the end of our program today. But Charlie and Tim, I can't thank you enough. I found it extremely practical, which, of course, we always go for the practical so people can implement best practices today in their business.
So I want to thank you again. We'd love to have you back to talk about different aspects of cyber.
(DESCRIPTION)
The slideshow returns with Joan's web feed in the upper right corner. Text, Wednesdays with Woodward Webinar Series. Upcoming Webinars: June 29: The Exponential Rise of Nuclear Verdicts. July 20: Wildfire Mitigation: Cutting-Edge Insights, Tech and Research. Register: travelersinstitute.org
(SPEECH)
But in the fall, we're going to have a number of other cybersecurity webinars. So especially in October, we'll have a number of them for Cybersecurity Awareness Month in October.
But also in the next few weeks, we have a couple of interesting ones coming up on our series. June 29th, as you can see, The Exponential Rise of Nuclear Verdicts. And we've seen a lot of them recently, so we're going to talk about that.
And then on July 20th, we're going to talk about wildfire mitigation and, really, the cutting-edge technology that's happening now. So go ahead and register on our website. This replay will be sent out to all of you in a few weeks.
(DESCRIPTION)
New slide. Text, Watch replays: travelersinstitute.org. LinkedIn Connect: Joan Kois Woodward. Take Our Survey: Link in chat. #WednesdaysWithWoodward.
(SPEECH)
So, I invite you to connect with me on LinkedIn. If we're not connected, let's do that because I post a lot of really interesting content that come out of our webinars. If you may have missed one over the many months, we repost the replays. We repost a quick summary, and again, a lot of practical advice.
So please take a minute to answer our survey. We'd love to hear from you. Let us know who else you want to have on the show and who else you might want to hear from.
So that's in the chat as well. Have a wonderful afternoon, my friends. And we'll see you in a few weeks for another great webinar. Take care.
[MUSIC PLAYING]
(DESCRIPTION)
New screen. Travelers Institute, Travelers logo. travelers institute dot org.
Speakers
Tim Francis
Vice President, Enterprise Cyber Lead, Travelers
Charlie Platt
Senior Director, Forensics – Incident Response – Solutions, Arete
Host
Joan Woodward
President, Travelers Institute; Executive Vice President, Public Policy, Travelers