Specialty Podcast: What Happens When a Cyber-Attack Goes Beyond Ransomware?

Intro (00:00):
You are listening to the Alliant Specialty Podcast, dedicated to insurance and risk management solutions and trends shaping the market today.

CJ Dietzman (00:08):
Welcome everyone to another Alliant Specialty podcast. You've got CJ Dietzman here. I'm here today with my colleague, Bobby Horn, from Alliant Cyber, and today Bobby and I really wanted to talk about cyber business disruption and the implications and impact to an organization from a potential cyber-attack that doesn't manifest itself solely as ransomware or a malicious insider or business email compromise. What we really want to talk about today, and something that probably doesn't get talked about enough in our experience, is the risk that an organization can experience from a significant cyber attack, either directly, or on one of its key service providers that causes a significant disruption to critical business processes and functions. What we might be talking about here is a scenario where, for example, an organization relies on a key ERP system, enterprise resource planning, for all of its business processes - customer management, order management, purchase order processing, warehouse ops, sales orders, customer communications, accounting and settlement, supplier and vendor payments.

When and if that ERP system was compromised, subject to a cyber attack, either as an internal system or as a system that's hosted by a cloud or other outside service provider, what would the organization do? No doubt there are some common things across these cyber attacks from a digital forensics and incident response standpoint, but when it's an attack at this level, that directly impacts critical business processing, that has an impact on the organization's revenue and can potentially impact the organization, that’s a growing concern. What do you do? So, one of the things that we've been working with clients on very closely in recent months is to take a bit of a rotational approach, mix it up a bit when looking at incident response readiness and resilience. And as we jump in and perform exercises like tabletops with our clients, we're looking at some of these types of challenges.

For example, how will a client deal with offline supplier purchase orders? What about sales order processing? How are we going to enter in new orders? What if we get a new client? What if there's a new customer? How are we going to collect the customer's information in a secure manner, process it, place an order, book an order, and ensure that we've got the right mechanisms in place for accounting and settlement for that order while our ERP is down? And what we found in working with clients is that unfortunately, far too often they're ill-prepared. Now the good news is we jump in, we help our clients identify those blind spots and address the remediation. So, what we're talking about here, the concept is the intersection of cyber incident readiness with business continuance and disaster recovery. We're bringing them together, Bobby. I wanted to pick your brain a bit. You and I have been chatting quite a bit about this. What are the cyber insurance and broader insurance implications of a cyber attack that actually disrupts the business, including key functions and revenue streams?

Bobby Horn (03:33):
Yeah, it's a great question and definitely an interesting topic. I think so many times, so often we get inundated with talking about ransomware and extortion payments, and disruptions to network and of course business interruption are concerns as well. But rarely do we really focus on such a specific topic as business process disruption. And I think the good thing is for those of our clients that have insurance, cyber insurance, the policy does cover these types of losses. Again, we talk about ransomware payments being covered and of course there is business interruption, loss of revenue as a result of being down from a malicious attack or even something as, or not as a system failure, which is really any unplanned outage. It doesn't necessarily have to be a malicious attack against your network, but the policy does cover you for those that lost income and extra expenses that you incur to get back online.

So, whether it's normal operating expenses, payroll cost to hire additional staff or find new workspace or servers, the cyber insurance policy is going to cover that, in addition to the data restoration costs associated with getting whatever systems are down or corrupted or deleted, built back up from backups. But the good thing is the policy does cover these types of losses, but the broader issue is making sure that our clients know what that exposure is to them. So, not just looking at the impact to IT systems, but the broader loss of customer service type of applications and how you fulfill orders. I think many times that gets overlooked. When doing some of these table type exercises, what does the actual loss look like?

How resilient can you be and what can you be doing to get yourself back online quicker and understanding all the different wheels that are in motion so that if and when you are dealing with this, you have a playbook at hand so that you can understand, we need to number one, engage, whether it's legal counsel or computer forensics or just having a playbook so that we can't use our online systems. We have a manual process in place to process orders. Understanding what that exposure is and what it could look like from a loss perspective if you were to be down for weeks or months at a time.

CJ Dietzman (05:35):
Fantastic points, Bobby. One question that's come up a lot in these discussions with clients as we assist in harmonizing and bringing together cyber incident readiness and resiliency together with business continuity. Several times recently I've been asked, and I think you have been asked as well and maybe you could talk about it: When and how during a potential catastrophe or an incident, do they engage their insurance broker? When should the carrier be notified? What does that process typically look like, Bobby?

Bobby Horn (06:08):
Our recommendation, especially if there's a cyber policy in place, is to always contact that breach hotline. There's typically a 1-800 number where you can reach out to your carrier directly to engage their breach coach or breach counsel immediately. Once that phone call is made and you're engaging with your carrier, that breach coach will quarterback the process as far as getting all the other panel vendors engaged. So, whether that's computer forensics, public relations, that's going to all be handled by the breach coach, breach counsel. As your broker, we of course want to be involved as well. So I would say, after contacting the carrier, certainly let your broker know so we can work on our end to make sure that all the services are being brought together in a clear and cohesive way so that you're not, frantically trying to do that on your own.

But I think one of the key aspects of this and something one of our colleagues mentioned before, and something I like to talk about as well is making sure you have the team picked before the day of the game. What that means is basically having those vendors lined up prior to any sort of breach or network attack so that you're not scrambling the day of to get those contracts in place, whether it's NDAs or with legal counsel and forensics, making sure you had that team ready to go. So that if and when you're faced with an attack, you pick up the phone and you can say, Hey, look, we've been attacked. We need to engage our counsel. Please go ahead and reach out to our forensics team. I think that is a crucial aspect that many times gets overlooked by our clients. They don't think it's going to happen to them, and it's always a much more difficult process when you're doing it the day of, rather than having that team ready to go.

CJ Dietzman (07:38):
So true. When I think about that scenario that we started today's podcast talking about, the organization that relies heavily on, let's say a cloud-based ERP system to run its business, all critical functions, its enterprise resource planning system, and software is hosted by a provider in the cloud, it's outside of their direct control, if you will. Let's say that outsource service provider is compromised and obviously downstream, we start thinking about all the things that happened to the organization on that really bad day, and their business processes are disrupted, the revenue takes a hit, their sales order processing slows to a crawl, supplier orders get jammed up, customer communications, accounting, settlement, warehouse operations are sideways all due to that third party's incident and cyber attack that's caused this significant outage. It would seem to me, Bobby, that it's more critical than ever for our clients to not only know their vendor, but to be intimately familiar with the cyber coverage and the insurance coverage that those key vendors have. Any thoughts on that?

Bobby Horn (08:51):
Yeah, it's something that we are talking more with our clients about, that kind of vendor risk management and something certainly the carriers are focused on as well. The point at hand, so whether we're talking about a direct attack against our insured or against one of their vendors, regardless of who it's against, if it impacts our client, the policy will cover it as a direct business interruption loss or a contingent or dependent in interruption loss. So, if you're relying on third-party vendors to conduct your business, if they're down and it impacts you, you're covered under the policy. So yeah, that's a critical distinction, but also, not always clear to some folks who are maybe non-buyers of cyber insurance,

CJ Dietzman (09:25):
You know, it's an important question and not all tabletops are created equal, so to speak. And if the tabletop is specifically focused addressing specific technology gaps or within a security function, sometimes we see, dare I say, more narrowly focused tabletop, but in this situation when we're considering organizational business process disruption risk, something at that scale, having the right stakeholders participate and to be around the table is absolutely critical. And one that we recently did, for example, where we drilled in on business continuity, disaster recovery in the context of a significant cyber attack: We had representation, the executive level up to and including leaders of the organization, and we conduct these tabletops, we truly take a multifaceted, integrated approach where not only do we ask our clients to bring the best of leaders from across their organization, but we as Alliant will bring the best of our cyber insurance brokerage team, coupled with our cyber consulting team, coupled with our claims team so that the cyber incident tabletop exercise that we tailor and develop is really dialed in to what matters most for the client, and it enables us to smoke out some of those blind spots and those areas that really require some care and feeding to put them in the best possible position.

Bobby Horn (10:45):
Yeah, that's great. I'll add one final note just because I think it's really important too because we're talking about certainly risk management, but I also want to tie it back to insurance. You asked the question before you know about vendor risk management. It's certainly something we're focused on, definitely something that the carriers are more focused on when we go out to market on behalf of our clients and we can say, Hey, look, we did a tabletop exercise and we engaged all these important stakeholders. Certainly ransomware is an issue, but talking about business process improvements and resiliency, that goes a long way with the carriers and certainly reflects well when they're underwriting your risk. And you definitely get credit on your premium and retention and coverages when you can say you've gone through that process because you're taking it more seriously than some of your peers and the carriers love to see that type of proactive exercise being done.

CJ Dietzman (11:28):
Great points, Bobby, thank you so much for that. Well, that concludes our podcast today. Thank you so much for joining Bobby and I for the Alliant Specialty Podcast. And if you have any questions, reach out to Bobby or myself. Again, it's Bobby Horn at Alliant Cyber and CJ Dietzman here with Alliant signing off and wishing you all well, speak to you next time.