How to Defend Your Business Against Cybercrime And Why It’s So Critical to Insurance Carriers

Date: Tuesday, December 7, 2021

Moderator: Tom O’Neill, Management Liability and Cyber Coverage Specialist, toneill@fredcchurch.com

Presenters: Peter Quinlan, Senior Vice President, Client Executive, pquinlan@fredcchurch.com

Doug Lubahn, Vice President, Threat Intelligence, BlackFog, www.blackfog.com

Joseph Schlegel, Underwriting Manager, Evolve MGA, evolvemga.com

Tom O’Neill: Good afternoon, everyone, and thank you for joining our webinar today, “How to Defend Your Business Against Cybercrime,” and why it’s so critical to insurance carriers that you have a solution in place. This is the fourth and final installment of our Risk Management Webinar Series for 2021, so thank you for being here. My name is Tom O’Neill, and I will be your moderator today. I am the management liability and cyber coverage specialist here at Fred C. Church. I have been with the company for a little more than two years now, so I was here just in time to see the cyber insurance market get turned upside down. My role here is to work with our insurance carriers to construct cyber and professional liability programs that fit their specific needs. We have a great group of panelists assembled for today. I’ll introduce them in a moment, but a couple of housekeeping items: The session will be recorded and we do have a chat open, so please put your questions in the chat and we’ll try and answer as many as we can along the way. We’ll certainly have time at the end for questions, as well.

To our presenters and our panelists here today: Peter Quinlan is the senior vice president and client executive here at Fred C. Church. He has been with the organization for 30 years. He heads up our manufacturing industry vertical and has clients in a number of other industry segments, including health and human service and technology. Peter, thanks for being here today.

Next is Doug Lubahn. Doug is the vice president of threat intelligence at BlackFog. Doug is an established insider threat expert and risk management professional with a deep history in law enforcement, cybersecurity investigation, and Virtual CISO. Doug oversees BlackFog’s vCISO [virtual chief information security officer] MSSP [managed security service provider] offering and works with customers on investigations. BlackFog is a leading ransomware and data exfiltration prevention software company.

The third panelist today is Joseph Schlegel. Joseph is the underwriting team lead at Evolve MGA, a cybersecurity insurance specialist with a focus on protecting businesses from hacking attacks. Evolve MGA has won Advisen’s Cyber MGA of the Year for the past two years.

Doug, Joseph, thank you for being with us today. The cyber threat environment is very well publicized. You’ve probably been on other webinars about cyber that talk about the top claims of the year, statistical findings that show cyber claims have gone up. I don’t think we need to talk about that too much. Knowing there’s a little bit of webinar fatigue out there these days, we are going to do it a little differently today and really focus on the question of “what do we do about this?” as we look toward maybe a renewal or just planning for 2022. What do we do, knowing what we know about the cyber insurance market the way it is? And we’re going to talk about security implementations that are recommended by both the security experts like Doug as well as the insurance experts like Joseph.

With that, we’ll get to our first panelist here today, which is going to be Doug. Doug, let’s start with who is a target? The most common responses we hear from a non-buyer of cyber insurance is that they think they’re too small of an organization to be attacked. Or maybe they think that the data that they have isn’t anything that a bad actor might want to gain access to. Is there any truth to that? Who is a target?

Doug Lubahn: That’s a really good question, Tom. And thanks for having us today. But honestly, everyone’s a target. But what we’ve really been seeing in the industry, especially in the last several months, maybe even the last year, is that the bad guys really haven’t discerned between the size of the targets. They’ve actually been doing just the opposite of what most people think: They’re still attacking the whales; they’re still attacking the larger firms. But the frequency of attacks on the smaller businesses has gone up and continues to go up. And what they’re doing is they’re not only just deploying ransomware, but they’re also attacking and then they’re extorting the data. Then they’re attacking individual client by client by client. They get your customer list, and they will literally extort that data and try to get money out of that. We’ve seen ransomware extortions up to five different levels where they’re attacking and extorting people that way. It’s not just customer data, but it’s personal data. Anything from your records—things like that, that are private business matters—to personal matters.

We’ve seen cases where they’ve done sextortion, where they’re going in and trying to extort money out of people and saying, “If you don’t send me money, I’m going to uncover all these photographs from this website. I’m going to let your wife know, I’m going to let your family know.” Then they’ve sent in a letter—I’ve actually seen these letters—where they let you know, “Okay, I will let your wife know; this is her email. Let your family know; these are their emails.” It’s very intimidating, the letters that they send out, and it’s very scary. It truly is. The size of the business really doesn’t matter. The bad guys don’t care.

First off, the most important thing to understand is, the cybercriminals, they’re lazy and they’re greedy. They’re totally motivated by money. And if they would put their energy toward a real job, our world would be a lot better place, but that’s Pollyanna. The reality is the bad guys are the bad guys. I’ve seen this from both careers: 26 years in law enforcement, 14 years in cyber. Let me give you one really good example that most people on the call should be familiar with, but I think most everybody on the call is aware of the Target breach, when the Target company got breached. That breach literally originated at a very small, two-person heating and cooling shop subcontractor in the upper northeast of the United States. That was how the cybercriminals from Russia actually gained access to Target’s point-of-sale network. They waited two years, built their attack, and then deployed it—and it all started at a two-person heating and cooling shop in the upper northeast United States.

The size really doesn’t matter, but one other quick factor on this: The bad guys realize that most smaller shops and schools are severely understaffed and underbudgeted when it comes to cyber, and the bad guys know this. It doesn’t take a rocket scientist to figure out if you have one person defending a 4,000-student school district, that person is going to be overworked and their system is going to be under-protected. That is probably the best advice I can give: There are no thresholds, everybody’s a target, and smaller ones are getting attacked more now.

Tom O’Neill: Great. I think pretty much one of the attacks that you alluded to and described as a ransomware attack, it’s the most prevalent one that we seem to see in the past year or two. Can you talk about the anatomy of a ransomware attack—what that is, how they work, and why the bad actors have been able to be so successful with them?

Doug Lubahn: I would love to. The bad guys have literally turned the internet—and several functionalities of the internet that were originally designed as good things, and good for society, good for people, good for business—they’ve turned those on their head and made them bad things. The two things that I’m really talking about are profiling and advertising. So what profiling is—and we see this every single day in our demonstrations or demo calls and our proof of values with clients—is when you go to a website like CNN.com; you don’t click on anything, you don’t do anything; you go to CNN.com and then you click back out of the website. Just by visiting that website, you will have upwards of 80 to 100 profiling sites attack that connection. What a profiling site does is it captures little bits of information on you. It might capture: What were you searching for? What is your username? What are you entering? What are your likes? What are your dislikes? What it’s trying to capture are your behaviors.

What the bad guys have done is they’ve actually started deploying their own profiling sites and capturing this information. To make it even worse, they’re actually now amalgamating. They’re combining all these profiling sites and putting the information together, and that’s how they end up trying to become you and send you an email that looks like you: the business email compromise deployment. The profiling sites are very, very dangerous. And again, we see it every day where we’ll have a client or a prospective client go to CNN.com, then we’ll have them go to FoxNews.com. Both of those sites—and it’s any site out there, it doesn’t matter if it’s LinkedIn, PayPal, eBay, it really doesn’t matter—every site has profiling or side attachment sites that come on and you can’t stop it other than using BlackFog. We stop all profiling connections. We break that connection. The easiest way to describe it is like a phone call: Someone’s calling you, and in order for the conversation to take place, you have to pick up the phone. We stop that connection. We break the communication at the device. We stop the communication so nothing ever gets in—and nothing gets out, more importantly. We stop the data exfiltration.

The other bad thing that’s really going on is the advertising, the malware or bad ads, which often contain spyware, keystroke loggers, screenshot loggers, all sorts of spyware. Advertising in the mal, which is the bad advertising that comes to attach to websites, is just about the same count. We typically see 40 to 50, maybe even 60, ads per site that’s visited. And these are things that the common user has no idea are even going on. We’ll show them by starting the counter at zero, have them go visit the one site. Then they look at their counter again and say, “Oh my gosh, I didn’t know that.” And all this stuff is being captured on you. Let’s say tonight, sitting at the TV, go online looking at some type of a special tool. Well, then for the next umpteen days, you’re going to be getting ads on that type of tool. And this is what drives all of that. The bad guys have figured out how to monopolize and capitalize on this and use it to their advantage to deploy spyware, deploy ransomware attacks. And often, it’s things that the end user isn’t even doing or aware of; it has no effect. They want to go on and see their Facebook page. Facebook is one that’s notorious for being heavily loaded with both profiling and advertising. That’s one function that we block. We actually have 28 or 29 different layers of prevention built into our service, but two of the key things are blocking the advertising and blocking the profiling. That’s one of the key things we see them doing is attacking through that. They deploy, and they have to in a ransomware attack. Their ransomware attack package has to make a return call back to their server in order to finalize the communication. Again, because we stopped that, we can prevent ransomware from being deployed.

In a normal situation, if you don’t have BlackFog, the communication takes place, the bad guys have downloaded their payload onto your device, and then they can start taking control of your device from the back end without you even knowing it, just like in the Target example. They were in that network for two years and they literally were sitting there deploying, figuring out how to deploy, this massive attack all at once on Target’s point-of-sale system, which ended up netting them, if I can remember, $13 to $15 million, and then almost cost Target their company. But it’s no different than a ransomware attack: They deploy the payload, the payload starts talking back to the bad guys’ server, and they can control your device. That’s where BlackFog comes in. We stop those communications on the outbound flow data. We stop them from getting any of your valuable data, so they have nothing to actually work with; they have no way to hold anything over you because it hasn’t been sent to them. That’s a more technical point of view as far as what the ransomware attack is as far as how they end up effectuating and getting money, like I talked about earlier.

We’re seeing them now doing up to five different levels of extortion. Typically, they’ll lock up your system and you can’t get into your system or your files. They’ve encrypted your files and your whole system. They demand a ransom payment, then you have to start negotiations or make the decision to do that. You work with your insurance company if you have cyber coverage, as far as negotiating the claim. That in and of itself is an entire nightmare. Then there is the recovery. I know we haven’t gotten there yet. The recovery efforts that take place are absolutely intense.

There’s a good example just recently, just before Thanksgiving last year at the Baltimore Public Schools. I think it was actually the day before the kids were supposed to go out on Thanksgiving break. The early arrivals showed up at about 5:00 a.m. to find that their entire network—they have 8,500 employees, and their student count is massive—was locked up. They had a big screen showing, “Your system has been locked. We are demanding X amount of millions of dollars in ransom.” And then they started the process. That was a year ago. There was just an article that came out in the last couple of weeks that Baltimore schools have spent just shy of $10 million recovering from the ransomware attack. I don’t know whether they paid the ransom or not, but it’s all the secondary costs. It’s the recovery, rebuilding the whole process to get back together. They said they’re still having issues with payroll; they have several hundred people whose payroll wasn’t ever corrected because they locked everything up. They couldn’t do anything: their lesson plans, their grades, their payroll, their HR. Every single functionality in Baltimore Public Schools was blocked by ransomware. Ten million dollars is a lot of money for any school district.

Tom O’Neill: Yeah, it sure is. That’s a great example of how all the different costs can really start to add up. I think the other side to that equation is how broad a cyber insurance policy can be even today, where the threat environment is so severe. There is still really good coverage available in the marketplace with the right insurance company. Doug, before we jump over to Joseph and get that insurance company viewpoint on things, you’ve alluded to what BlackFog does. Can you talk a little bit about some of the other ransomware prevention tools that might be available to people or that they should consider? And what are the loss prevention tools that are available in the marketplace, and what makes BlackFog a little different?

Doug Lubahn: A great question, Tom, appreciate it, but we always recommend to our customers—and even our prospects, clients, however you want to frame them—but have a multilayered approach. You should always have some type of firewall protection, some type of an anti-virus; certainly should have cyber insurance coverage because there’s some great benefits to having that. As far as us doing something differently, multifactor authentication is another one that we strongly recommend. And there’s some great products out there on multifactor or two-factor authentication, whatever you want to frame it as. That’s always a really good place to start. Where BlackFog comes in, in a much different sense, is that we truly have become an industry disrupter. As the industry has changed—and I’m talking about the cybercrime industry, and I’ve been in cyber for 14 years—but when I started, it was all about the device; the data really didn’t mean a whole lot.

Around 2010 or 2011, we were seeing a significant change in what the bad guys were doing. I’ve actually conducted over 2,000 felony-level criminal investigations with cyber and arrested people for homicide and all sorts of different crimes tied to cyber, and this was in my private industry role, not as a police officer. But we started seeing the bad guys really focusing on the data. What we’re seeing is on the dark web; the value of a personal record or an ePHI [electronic protected health information] was going up through the roof. The bad guys were able to get $150 to $200 per health care record on the dark web. They could get $1 per record for just a credit card number. If it had a PIN number, it was worth $5. The bad guys really weren’t caring about the devices anymore because, originally, the bad guys were just stealing the computers and then reselling them. That’s back when a laptop was $3,500 to $4,500. That changed, and the criminal element has definitely adapted, too, so now it’s all about the data.

They soon realized that doing ransomware was an easy way to deploy it, and now, sadly, you can go on the dark web and they have ransomware as a service. Let’s say Tom wants to become a cybercriminal. Tom goes into the dark web, where you can buy modules that will help you become a cybercriminal, and step by step they walk you through it. It’s kind of like a Ransomware for Dummies book. Then you either have to pay them up front or you pay them a portion of what you get on your ransomware; it depends on where you get your spyware. That’s how advanced the bad guys have become. It’s almost like multi-level marketing, where they build a team and this guy’s got six people and this guy’s got six people. I spent time in organized crime, and it truly is organized crime because it’s multilayered.

Where BlackFog comes in differently, we are the only on-device, true ransomware and anti-data exfiltration. We stop the data from going back out. It was truly an “aha” moment that our CEO and founder, Deron Williams—he was on our team at another company I was with and doing all these criminal investigations—said, “Why don’t we just stop the outbound flow of data? I can do that.” He has his doctorate in criminology as well as pharmacology. In a nutshell, that’s the simplest form: We stopped the data exfiltration, and there’s no one else out there doing what we do.

We see success stories every day of clients that are getting attacked, and we watch the bad guys attack their devices, and they’ll attack them for a day or two, and then they’ll take a day off; they’ll go back in and they’ll attack another device in that network, and then they’ll do that for a day or two. We had one recently where one of the servers was attacked for two days—several thousand attacks per day, ransomware attacks—and we stopped them all. They took a day off, they attacked the co-owner’s wife’s computer; she got attacked 48,600 times in a 24-hour time. Almost every 7 seconds, she was getting attacked by a ransomware attack, and we stopped them all. They attacked her for about a day and a half and then they went away, they moved on. The bad guys are lazy. They’re going to go find someone who’s not protected because we were making them work. We see this literally every day all over the globe with customers worldwide. That’s where we have really come to shine in the fact that we are creating a whole new industry, the anti–data exfiltration industry.

Tom O’Neill: Great. There are a couple of questions that came in the chat here. The first one goes back to what you were speaking about earlier about paying the ransom, and the question is even if you pay the ransom, you have to rebuild the data? Can you talk about how it comes about that you pay the ransom, but you come back to that second, third, or fourth attack, and you still have to go through the process of rebuilding your data or putting yourself back to what you were before, even if you do pay the ransom?

Doug Lubahn: Right. There’s a couple of components to that question—really good question, by the way—but a couple of components: The decision to pay or not to pay the ransomware is obviously an entire business decision. There has been some legislation proposed; the IRS here in the United States has some legislation on it, and they’ve actually passed a law trying to make the transfer of money for ransomware illegal, but that’s a whole different topic for multiday discussion. The rebuilding is cumbersome enough and very costly to rebuild because of two things: number one, the bad guys often will say, “If you pay your ransom, I’ll give you your decryption key.” A lot of times, the decryption key doesn’t work or the data that you’re getting back after unencrypting it with their decryption key has been altered or it isn’t all there in its original state. Especially if you’re dealing with records: health care records, educational records, etc.—things that are critical. A lot of times, they come back in an altered state or you may not get them at all.

Another quick factor is that because the bad guys have come to realize that they’ve ransomed you once—you’ve paid and they sent you a decryption key, and maybe it was a partial or a bogus decryption key—that they can ransom you again and they know you’re going to pay. We’ve seen this often in the industry. We see it where people are held over a barrel because the bad guys have their data and they’re stopping the access to it. That’s, to me, very, very scary; the additional layers of the ransomware attack, the extortions that take place, can be very, very destructive.

I think stories are very powerful—real-life stories. A friend of mine is a director of a nonprofit up in northern Michigan. He got one of these sextortion letters. Number one, he said he never visited any of the sites that they were claiming, and we had his computer forensically examined and he was telling us the truth; he had never been to any of these sites. They just make it up, and they make it up very powerfully so that you’re thinking, “What if they show this to my board members?” That’s what they were threatening to do—show it to the board members and publish it in the local newspaper or Facebook pages because with social media, so much of it can be put out there. It’s very, very scary and the bad guys have come to learn that there’s just shy of 200 countries in the world and only [approximately] 115 of them have reciprocity with the United States, so there are about 85 countries that you can pick to deploy your spyware from.

It gets me to another quick story. I will be respectful, sorry, but the bad guys have learned where to start deploying these things from: Russia, China, Ukraine. But just recently, we are seeing a lot of attacks coming from a little country called Réunion, and I had never heard of the country. It’s a small island outside of France, and their computer extension is “.re”. The “.re” has a significance because it actually also stands for what the REvil cyber gang or ransomware gang goes by, “RE.” We believed that these attacks were coming from REvil and they just decided to start masking their communications as coming out of the country of Réunion. I’m not saying that the country is bad, it’s that they’re using their country’s extension. Here in the U.S., it’s “.us” or “.com,” but in Réunion it’s “.re”. Maybe in one week, we saw seven countries that were being victimized by ransomware attacks coming out of Réunion—several customers from seven different countries. With global crime, they don’t care; time doesn’t matter, and neither does the size of the organism.

Tom O’Neill: Wow. Yeah, thanks for that. It’s amazing how complex it all really is. For us, as business owners or IT directors, thinking about how we are going to protect our organization’s network from all of that out there, I’m sure it can be a bit daunting. But I want to turn things toward Joseph to talk about some of those key cybersecurity controls that can help you protect your business network and prevent some of this stuff from happening. Joseph, I know with most insurance companies, multifactor authentication is usually number one on the list in terms of security controls. Can you talk quickly about what MFA [multifactor authentication] is and why it’s so important?

Joseph Schlegel: Sure. So multifactor authentication or two-factor authentication—you probably have all used it, whether it’s for your banking app, etc.—but it’s basically asking you to confirm the authenticity of you trying to log in to an account by a secondary means. This is supposed to prevent a situation where your username and password is taken from another website and sold on the dark web. They’re just using it through a program to try to log in to your Office 365 account, and are just trying the password on your banking, etc. Now, even if they have the username and password correct, you still would have to authenticate it by another means, and usually that’s going to be through an app on your phone, where you’ll get notifications asking, “Are you actually trying to log in right now?” If you’re not actually trying to log in right now, don’t click “Yes.” Please let your IT department know that someone’s trying to get in there. As Doug was saying, it’s not like a silver bullet to stop everything, but these hackers are lazy and there are plenty of fish in the sea for them to go after. They’re going to be discouraged and just move on to find someone else who can let them into the network who doesn’t have that initiated.

As Tom said, MFA has been kind of a buzzword, and not just Evolve when we’re looking at a new risk, but I know a lot of our cyber carriers out there, our competitors, are also requiring MFA at different levels. Some won’t even provide an insurance quote, won’t even consider it, if you don’t have it to some degree, while others are taking more of a measured approach. For us, the areas that we look for MFA to be implemented on are all your business email accounts, and for remote access to your network because one of the ways that ransomware was being deployed was they would be able to get through your RDP [Remote Desktop Protocol] port, and then that was their way into your network. Those are the two areas that we look at for it to be turned on.

There are third-party applications, like Duo, out there, which are on a subscription basis, I believe, per user. A lot of these—if you’re using Microsoft Office 365—they do have their own Microsoft authenticator app. Your IT department may know, “We don’t have that setting turned on. Here’s how we can do it and be able to deploy it for you.” The other areas that I know, besides emails and for remote access to a network, that other carriers are looking for are, “Do you have it turned on for privileged accounts?” That’s for your IT administrator. I can’t actually deploy any new software on my computer because I don’t have that access, but if they were able to get access to the IT administrator, who does, that could turn into, “We’re all going to be affected” or “They’re going to deploy that across all the end points for all of our computers.” I think if you have filled out the Travelers’ app, you’ve seen them ask for it in five different areas. We asked for it on our app in two different areas of remote access, and for your email accounts to prevent business email compromises.

The other things that we look for: I’m a cyber insurance underwriter, so basically, you or your brokers are sending me the application, and then I’m reviewing it to see whether your securities on there are enough for me to put forth the recommendation of whether we should provide a cyber quote. I want to be able to give you a quote, so please give me as much ammo as possible so that if I’m getting into a situation where I need to get approval from the higher-ups, I can actually say, “Here are the securities they have, here’s why I think it’s a good risk,” and be able to do so. A mistake that a lot of small businesses, or even larger businesses, make is they will have an office administrator fill out the cyber application but can’t really answer the questions to the degree we need. I have to take all the information that I’m given into consideration, so it becomes difficult if the first application I get is from the office administrator and everything is labeled as “not applicable,” to then go back and say, “Could you please have your head of IT fill it out?” or “Could you please have your third-party IT provider help with these questions?” and be able to take the new information and take it at face value. That’s where I’d say if you’re filling out the application, have an IT professional within your company, or if you’re using a third-party IT provider, try to have them help you answer some of the questions. The more detail you’re able to provide about your backups, how you’re securing your systems, the more ammo that gives me to determine that we can provide an insurance quote. And if you do have a claim, and people look at my file, I can say why I gave the insurance.

The other items we look at are: How are you backing up your data? Are you even cognizant of how you’re backing up your data? I’ll get answers to applications just saying that it’s in the cloud. So have you looked into how they’re securing your data? Have you taken those steps? We do want to see that there is an offline version of your backups. The reason for that is so that even if your network is compromised, hopefully they’re not able to then spread that ransomware to your backups, because they are not actually connected to your network at all. Offline backups, we look for. Patch management procedures: Are you actually cognizant of and have a schedule for how often you are updating your systems, or are you just hoping that, since it’s a Microsoft product, it’s going to be all deployed and we’re going to be all good? We want to actually see that you are aware that there will be new software updates coming out that are to patch your applications, that you are actually doing it on a regular schedule and have that planned into your securities.

The other thing I’d say is, because human error is still such a critical element to how these attacks first are initiated, some form of employee training. There are lots of products; we use NINJIO that sends out a video each month to educate me on a new topic of what’s trending, and how it makes me aware of certain threats that are out there that are pertaining to me as an individual. We also have simulated phishing scams from another vendor, and it makes it interesting because you’re expecting to be tricked by these simulated phishing emails and you don’t want to be the person in the company who actually does get tricked. Then a notification is sent to the CEO, who sees how many people got tricked and these people need extra training on what to look for. It makes you actually even more aware of, and to be on the lookout for, other phishing emails because now you’re just worried that you’re going to be tricked by the simulated phishing emails and everyone in the company is going to know that you’re the one who fell for it.

Employee awareness training helps a lot because we as humans are just very trusting: “We were just corresponding with that other individual the other day; this email looks like it’s from them.” “It seems like an odd request, but I know Tom and he’s telling me that this is a secure, encrypted email that’s for me and I just need to log in, and I should just click on it, and it’s probably okay, right?” I get this all the time, and I even say, “Oh, I just was talking with that person,” but holding yourself to actually making that phone call to verify that it’s okay will help prevent a lot of these attacks from happening. Employee training, it sounds like it doesn’t have anything to do with cyber, but it really helps. It’s one of the things we look for a lot to see whether people are actually being educated on the types of scams that are out there, and that they’re not going to fall for that social engineering attack where they transfer hundreds of thousands of dollars, or millions of dollars, to a fraudster instead of the intended individual.

Tom O’Neill: Right, yeah, I really appreciate that. I think that’s a really good insight for everybody listening: how a cyber insurance underwriter views their application. I think some of the takeaways there are to provide more information. We tell clients all the time to provide an addendum to the cyber application with any additional information you want to include because there’s really good underwriters out there, like Joseph, who are trying to give you cyber insurance, not the opposite. Thank you for that.

Turning toward Peter. We’ve had Doug talk about how they prevent ransomware attacks via data exfiltration prevention. Joseph was talking about MFA, which can keep the bad guys out in the first place. Unfortunately, even with all kinds of good stuff in place, the worst can happen. Just like how having a fire sprinkler system isn’t going to prevent every single fire from happening, and you still need to have property insurance that covers your fire. Peter, in your experience, working with your clients who have gone through claims situations, what are some of the real important things for a client to understand as they think about “How do I need to be prepared for when a ransomware or another claim happens?” What are some best practices and some takeaways that you’ve seen clients learn from?

Peter Quinlan: Thanks, Tom. It’s a great question. I think it’s one that every client should really start to think about. Frankly, in my 30-year career, I’ve been through some pretty significant claims, from major building fires to a roof collapse on a manufacturing facility that had a significant disruption to their business. I’ve dealt with floods, and even some significant work-related injuries or workers’ comp situations. I can tell you, frankly, that there is nothing that compares to a cyber claim and some of the complexities associated with it. Fortunately, or unfortunately, I’ve lived through two claims with clients, and fairly sophisticated clients when it comes to IT, and they were hit. I think Doug mentioned it earlier: Anybody could be hit.

What I like to do is start with the basics, or what I call “inside the eye of the storm,” because once that breach hits, your business comes to a screeching halt. The C-suite or the executives, they’re scrambling around to try to understand what just happened. Your employees can’t get into the system; they’re wondering what’s happening. Customers are calling for their orders, depending on what type of business you’re in. You’ve got orders not being fulfilled; you’ve got angry customers trying to find out what’s going on. Your IT department, they’re in crisis mode, there’s no question about it, because they’re trying to figure out what the heck happened. You know you have this thing called a cyber policy, but you really have no idea what it covers and how it actually works.

I mentioned that your business is shut down and your customers are looking for their orders. That’s the single biggest thing that really gets clients in an uproar. At that point, you’re in the storm. You call your Fred C. Church team, assuming you have a cyber policy, and then you tell them what happened and things start to get engaged. Now that you’re reassured by your Fred C. Church team that the claim has been called in and your carrier is engaging, there’s more chaos that happens at that point, because you need to engage several resources, I’ll call them, to help you with the multiple facets of a cyber claim. Several of them were mentioned earlier. I think Doug had mentioned them.

Number one: You need to get a breach coach, or legal representation. The breach coach is there to try to help you with the ransom situations and negotiating the ransoms, and legal representation is needed in case any data that was stolen needs to be reported. You have to notify everybody that had their information stolen; you have to get some legal representation on that.

Number two: A forensic investigation. You’ve got to engage with forensics teams to help your IT team get inside the networks and figure out exactly what has happened. Doug had mentioned it—restoring systems, like that Baltimore situation. You have to now restore your systems back to where they were prior to the breach. Whether you’re doing that through the payment of a ransom in the decryption of it or not, or trying to rebuild them from scratch, you’re going to have to engage a team to do that for you as well.

Public relations certainly could be in play; you may need a public relations team getting in there. Target probably had one in the example that Doug used. Maybe some smaller firms don’t need to have PR firms, but you may need to engage public relations to let everybody know what’s been taking place.

Finally, some people, if you’ve had data information stolen, then you might have to engage a call center team to have a setup where anybody that’s had their data breached is calling into an 800 number. Small employers don’t have the capacity to do that, so you want to make sure you have that availability as well with the call center team. In terms of lessons and best practices, from what I’ve seen, I guess the lesson for me is don’t panic. You have to be patient in these situations. As you can see from all the varying degrees of activity and how many resources have to be involved, a cyber claim has a lot of moving parts. It really does.

The other thing I would say is to let the professionals do their job. Once you’ve engaged these professional teams, whether it’s forensics or rebuilding, let them do it. They know what they’re doing. They’ve been involved in these before. I really think it’s a matter of trusting that team that’s been brought in. Best practices certainly should be engaged. I go back to my mother, who always used to say, “You should be doing dry runs. Do a dry run.” Drilling, drilling, drilling is probably one of the things that the team should be doing. Maybe it’s a tabletop exercise where we just had a breach. “What are we going to do?” I think that’ll help to relieve some of the stress and some of the panic that can set in early on in a breach situation. It’s not always the premium, and I say that delicately, because I know it’s an expense to many organizations. Kind of like the Fred C. Church tagline: “It’s not just the policy, it’s the people.” No cyber policy is created equal, and you really have to engage in looking inside of them.

I say, if you have the luxury of multiple insurance carriers looking to offer you coverage, and that’s not easy these days because the cyber market is very difficult, but if you have the luxury of multiple carriers—and maybe because of some of the best practices that Doug and Joe talked about, you’ll be able to get that—you really should dig very deeply into the services that they actually provide. Again, every company that we deal with on the cyber side has a different resource level that they provide, so really dig deeply into that and how they provide those services.

I think in both of my cases, they were pretty similar in terms of the service model that the insurance carrier provided. I guess I’ll call it two ways. There’s the one-stop shopping model, where the insurance company gives you a 1-800 number and if there’s a breach, you pick up the phone and you speak to the folks on the other side and they engage their breach response team—a whole team: forensics, breach coach, call centers, restoration center, etc.—they have a whole team, and they engage that 1-800 call and they take care of all of that. Another level of that would be maybe it’s an approved list of vendors where the insurance carrier would say, “Yes, you’ve had a breach. Here are the providers that we use. Pick the one you want, give them a call and get them going.” It’s just two different philosophies. There’s probably a third in there, but I don’t think we see much of this anymore, where you have an insurance policy and you’re completely on your own to go and try to find the service providers for those varying activities we talked about. I don’t think I’ve seen that and I don’t know if they exist anymore, but really look inside the policy and how they provide those services.

Then I would say, what additional resources the insurance carriers can provide. They might have some up-front mitigation services that you can utilize, which could be very powerful. If they do have that, I’d recommend taking advantage of every service you can to try to prevent having the attack because, again, in my 30 years, I’ve never seen anything like going through a cyber claim. Basically, the bottom line is, and Doug said it, it’s not a matter of “if” anymore, it’s really a matter of “when.” And it doesn’t matter the type of industry you’re in; it doesn’t matter your size. You’re most likely going to get hit at some point in time. I would say just do the best you can to be prepared and really know how your cyber team will respond because, as I said, once it happens, there’s going to be a lot of things on your plate and it’s going to be difficult to manage them all. That would be it, Tom, in a nutshell. I don’t know if that answers the question entirely, but those are the experiences I’ve had with the two claims that I’ve been through, specifically.

Tom O’Neill: Yeah, that was great, Peter. I really appreciate it. I think everybody does. Your insight into having been through that process with multiple clients, it’s the key to so many of the things that we’re talking about. It’s a collaboration among those service providers, led by a representative at the insurance company to help you through that process. Having someone to quarterback it almost, I think, is so key. Then back to what Joseph really pushed and recommended in how you handle your insurance renewal process: It requires collaboration with your IT team, your outsourced vendors, your CFOs—whatever the decision-making team is—as well as your insurance agent. It requires collaboration in order to really get the application filled out so that you get the best possible quotes at the best possible price. I think that’s a good key takeaway for today.

Doug Lubahn: Tom, can I add a couple quick points? Great commentary, Joe and Peter, but Peter, to add one more point to yours that you may have touched on, but compliance issues are always a huge thing to concern yourself with in a recovery after an attack because there’s so many different compliance regulations out there, whether it be PCI [Payment Card Industry], HIPAA [Health Insurance Portability and Accountability Act], or even just personal data. It depends on the industry you’re in. That’s always a very cumbersome process, so doing exactly what Peter said—to work with your cyber response team through your agency—is great, but to our partnership and relationship with Evolve, one thing that we’ve had tremendous success with is we’re currently doing a free ransomware assessment, where we will have an onboarding call with the client. We give them up to 25 licenses for a couple of weeks to evaluate the tool and the services we have; we actually end up following up with them on additional calls to show them what they’ve been experiencing. We’ve had clients literally who have been under ransomware attack during our proof of values.

Tom O’Neill: We are approaching time here, but there was actually one question. It’s a question for you, Doug, so I’d love to squeeze it in. The question was how does your product differ from Forcepoint for DLP?

Doug Lubahn: DLP [data loss prevention], in my professional opinion, and I’ve been involved in some massive DLP projects we were trying to build out, and this was with a former company—I worked 10 years with LoJack for Laptops and helped grow that company from 90 employees to almost 700. We started off on a DLP project and actually ended up walking away from it because it was so cumbersome. The human load and the human effort is just immense to make any DLP product work properly. There’s an alert and then you have to react to it. That’s the key thing to understand with DLP: You get alerted and then you have to react to it, and what’s happened in the interim is the bad guys have deployed their spyware.

The key differentiator is, with BlackFog, everything we do is automatic. All the blockings are automatic. You don’t have to do anything; you don’t have to react. You go into your console as often as you want. We tell most people to go in once a week, to see what kind of attacks you’ve been under and adjust accordingly. The human effort for our product for BlackFog is absolutely minimal, where a DLP effort is extremely substantial, and that’s a key differentiator. DLP served its purpose at its point in time in the whole continuum of cybersecurity, but with data exfiltration prevention, that’s what’s here now. It’s not just a sales pitch. I’m not a sales guy; I’m a cop and an investigator. Those are the key differences: Ours is done automatically; everything’s done automatically. We’ve truly subscribed to the KISS theory, the “keep it simple, stupid” theory.

Tom O’Neill: That sounds good to me, and I think that’s a great way to wrap it up. Doug, Joseph, Peter, thank you for being on our panel today. Thanks to everybody who took time out of their day to listen in. If you have any questions, please definitely reach out. Emails are up there on the screen. We’d be happy to answer your questions. With that, thanks again. Have a great day. Thank you, all.

END OF WEBINAR