Financial R&R: Everyone is a target. What to do NOW for when, not if, a cyber-attack occurs

Introduction (00:00):
Welcome to Financial R&R, a show dedicated to financial insurance and risk management solutions and trends shaping the market today. Here are your hosts, Ron Borys and Ryan Farnsworth.

Ron Borys (00:11):
Well, welcome everyone. This is Ron Borys and thanks for tuning in to the latest update of our podcast series. Today, I'm joined by Ryan Farnsworth, David Finz, and our special guest, David Kruse from Tetra defense. And we're talking today about cybersecurity and some of the benefits of some of the various service providers. And I think from our perspective, cyber continues to get a tremendous amount of attention. We know it's a top priority for most of our clients. We've talked a lot about cyber this year, but today, different angle, different approach, different guests. So, thanks everyone for joining us.

David Kruse (00:46):
Thanks for having us!

Ryan Farnsworth (00:47):
David and David, we enjoy your banter and your conversations on Clubhouse on LinkedIn. For those who haven't checked that out, please do. So, we really appreciate both of you with the passion that you have for cybersecurity. I mean, but what is it that you're seeing now? What's on your windshield? As you like to say with respect to cyber risks and cyber information these days.

David Kruse (01:07):
I'll take that one. And then Finz, you could maybe follow up with what you're seeing there. I think in the year 2021, it's still ransomware. That is by far and the way, the more common claim that we're seeing. It's the one that can be, I'm not going to say easily prevented, but with fundamental security practices in place, it could be. And that's what we continue to see very frequently. There's this email compromise and fraudulent wire transfers. There are close seconds, but ransomware is absolutely the king of the castle right now.

David Finz (01:34):
Yeah, I would agree with that. I mean, I would say probably at this point, ransomware is the one that grabs the headlines and it probably comprises the single biggest block in terms of claims that we see coming in for our clients, maybe one third to one half of all new incidents; but the other types of cyber events are still going on. They haven't gone away. Data breaches still happen. Business interruption claims still happen. And so, this is sort of adding on to the threat environment that was already there.

Ryan Farnsworth (02:06):
And we've heard so much about ransomware. What I think would be particularly interesting for our listeners today is to get some insider information about maybe a recent claim or recent experience. Of course, we want to protect all confidentiality where possible, but give us an insider's perspective on what our clients are dealing with, especially those that have a ransomware attack.

David Finz (02:29):
I mean, maybe the best way to do that is to take people through the life cycle of what a claim looks like, because that's the best way to, I suppose, anonymize this, right? Typically, it comes to our attention when a client becomes aware that their network or data has been compromised, either they've received some type of notification on their screens, that their files have been encrypted or that they no longer have access to their network. And this is coupled with a demand that make some payments typically in the form of cryptocurrency to provide a decryption key or terminate the threat in some other way. And so, then they will contact us at that point. We will guide them through the incident response process, which includes calling the hotline that the carriers have set up to deal with the event, getting them to engage with the appropriate vendors.

And of course, providing that first notice on behalf of our clients. And then the threat consultant, who is an approved service provider, the carriers will vet in advance, comes in and assesses the situation to determine whether the threat is credible. Do these threat actors actually have the capability of carrying out the threats? Are they going to make good on their promise to terminate the threat? What do we know about their emo and how they behave online? And is there a decryption key available from the government and say the FBI or the secret services. There's some other way to terminate the threat without having to resort to negotiating a ransom payment. So, that's the trajectory that this follows. If at that point, the determination is made to negotiate with the threat actors, they try to get that figure down as low as possible. And the carriers often with the help of outside counsel will conduct sanctions check to ensure that the payment is not being made to a sanctioned entity. In terms of what we're seeing, that's the trajectory that these normally take without getting into specific of client events. Obviously, depending upon the nature of a client's operations, whether they handle a large volume of confidential data or whether their internet presence is really tied to their operations, or say like along the lines of the manufacturer, the type of threat that actually can be perpetrated on them can be very different.

David Kruse (04:43):
One piece I want to dig into there, Finz, is that I think is regrettably still a common misconception that many executives have in their minds. You had mentioned that part of the, the standard DFIR that stands for Digital Forensics and Incidence Response, that's what my firm does among other things, part of that process is to be in regular communication with law enforcement authorities like the FBI to see if there is a publicly available decryption key for a certain type of ransomware. The misconception that we still run into frequently, and I'd say, this is even the highest among the businesses that don't purchase cyber insurance; the misconception is that when something like this happens, that you can call the FBI and you're going to get hands-on keyboard help from them. That's just not the reality that most businesses have, unless you are very, very large organization or a critical infrastructure organization, you might get some hands-on keyboard help from them.

But for the vast majority of businesses, the FBI is not going to swoop in with a cape and save you. That's just not the reality that most businesses have. So, they need to have processes and procedures in place to respond to an event like this. A key piece of that being a cyber-insurance policy, if it's going to cover the event costs and more importantly, connect you with the right service providers that can help you through what is probably going to be the worst event of your professional life, or at least in the top three in most cases. That's something that I think I am consistently impacted by - the emotional hit that executives and leadership teams face during events like this, depending on how much their operations are impacted. This is, this can be a traumatic event in some cases. So, when that's happening, you want to know that you've got repeatable processes and plans in place to deal with that as it's happening so that you're not making what ended up being very consequential decisions based off of gut reactions to a flood of adrenaline, more or less.

David Finz (06:36):
So, that's right. I mean, I think there are certain aspects of this process that people can count on the government to do, one of them is with respect to information sharing. The government agencies have done a very good job in terms of getting the word out there about known vulnerabilities that are being exploited. Again, there's a repository, if you will, at the FBI in terms of known modes of attack. So, if there's a particular type of attack that is linked, that's known to be associated with a particular decryption key. And if that decryption key is available, that may alleviate the need to have to negotiate a ransom payment with the threat actors. But that's a far cry from an expectation that the FBI or some other government agency is going to essentially parachute in to a company's operations and take over their response. That's frankly, where the ecosystem of the DFAR firms like yourself have sprouted out to provide that needed service to private enterprise.

David Kruse (07:36):
Yeah, I'll second that the FBI and those agencies absolutely excel at the information-sharing aspect, which is a critical piece of it. You got to give credit where it's due there and it is due there.

Ryan Farnsworth (07:46):
David Kruse, question for you. It seems as though we've been talking about ransomware all year, virtually in every podcast. Are companies starting to get the message? Are they doing things in advance of an attack to protect themselves? What are you seeing?

David Kruse (07:58):
So, I think it depends on what side of the business we're talking about. On the incident response side, there's a negative selection that occurs there where you're only seeing businesses that maybe didn't take appropriate protections. A big part of Tetra Defense is our proactive services division there. And more and more we've seen clients open to having serious discussions about that. And you can almost tie it back to the week, really when the oil pipeline attack happened in May. In the weeks following that, the conversations became much more fruitful. So, I think that event for executive teams that maybe thought that they didn't really have to worry about this, that they weren't maybe a target - I think that event really did open some eyes. So, it was starting to trend up there. But if you think of it sort of like an exponential curve, that curve really happened in May and more and more folks are open to having discussions about that. And when we're talking about what those discussions sound like, one of the biggest impediments to a good repeatable security program is having appropriate staffing for that. And staffing that is dedicated specifically to information security matters and not necessarily a dual split, half IT, half security type role. I think a lot of folks didn't necessarily realize that cybersecurity should be, in its proper view, an audit function of it. They're not necessarily the same thing. Yeah. They both deal with computers. They both deal with technology, but in an accountant and a finance person, they're dealing with money too, but there are different roles. And that's something that a lot of folks are realizing, that IT and security are different roles and they’re staffing and their resourcing accordingly.

David Finz (09:27):
David, you mentioned something about staffing before. Jog my memory in terms of what we've seen during the pandemic, right? We have a geographically dispersed workforce. We have more folks dialing in over a VPN or not on a VPN and issues with remote desktop protocol. Tell me what your experience is and how that's put a strain on IT departments in terms of their ability to monitor the attack surface and maintain the level of control that they would have had were people in their seats at the office.

David Kruse (10:00):
To say that that's been the challenge of the past year is an understatement. It absolutely has been because it all happens so quickly. I mean, we all remember that we were in the office one day and then a day or two later, we're all at home. And most of us were at home for a year. So, it happened overnight. It was a significant challenge for IT teams to deal with that. So many of them resorted to what is the quickest way to stand up a remote workforce through something called the windows remote desktop protocol. Unfortunately, that's also one of the most insecure ways to stand up a workforce. So that's led to a dramatic increase in those types of attacks over the last year. I think we can broaden this beyond just that one attack vector though, to say that one of the most common avenues for ransomware to infect an organization is through vulnerabilities in however an organization accesses their network remotely.

So, whether that is through RDP, that's that remote desktop protocol RDP that's open to the public internet. That means that anybody in the world can try and access that. And just try to use names, passwords until they're able to get in. Other ways the organizations are being compromised are through a VPN that isn't secured with multi-factor authentication, or it doesn't have the proper updates applied to it. Let's say we had a hundred ransomware attacks last year, more than 50% of those, at least in our experience had a root point of compromise. That was some sort of insecure remote access points. And we've got so many more of those remote access points than we ever did before. So that's absolutely had a direct impact on the level of claims and the level of impact that businesses are seeing.

David Finz (11:31):
It's astounding to me in this day and age. And then people walk into a coffee shop and oh, it's free WIFI, right? They're checking whether it's personal information or trying to log onto a corporate network or using that without the benefit of a virtual private network without two factor authentication. And these are the kinds of exposures that lead to compromise of a company's network or for that matter for one's personal information.

Ryan Farnsworth (11:57):
Well, it happens to all of us, right? We go to a public space and sometimes our WIFI connects automatically, right? Wait, wait, what's where those bars come from. I didn't ask to do this. We always have to be vigilant as to how we connect. So what impact is all this having on the insurance market? Is there anything specific that insureds can take away and cruise, you spoke to the benefits of having an insurance policy, but what are the impacts that they are feeling as a result of all these issues?

David Kruse (12:22):
Finz, why don't you take that one since you're in the closest seat to it. And I've got a specific idea that I want to mention here, but I'm curious what you're going to say here.

David Finz (12:28):
As we've mentioned on previous podcasts, the underwriters are imposing more stringent requirements as part of this mission process. Most cyber insurers now require what is known as a ransomware supplemental questionnaire that goes through several dozen questions that an insured must answer regarding the state of their security controls. We in fact use that and we have our own proprietary form that we use that's accepted by most of the U.S. cyber insurers. We use that as a diagnostic so that we can speak to clients upfront and tell them, here are the vulnerabilities that you need to address. Here are the controls that you need to enhance so that when we go to market, the underwriters will see you in a more favorable light, and in better terms with fewer subjectivities, as we call them. Those are conditions that need to be met by the insured prior to coverage being bound. So, all of that is designed really to put the insured in better shape and the underwriters are being a little more savvy about how they qualify applicants before they're willing to offer terms. I'd be curious to see in terms of your involvement from a pre-incident standpoint, David, in terms of how your firm participates in that process. Yeah, absolutely.

David Kruse (13:41):
You know, I think every point that you've made there really indicates a maturing cyber insurance market from an underwriting perspective. At the very least, we think back to what the market was four or five years ago, you could get a pretty good amount of coverage for not a whole lot of underwriting. I think that's absolutely changing. And one example of that, that we've seen was a client of ours, was applying for cyber insurance and the carrier that was underwriting the policy, they had asked the client to do two basic things. They said before we issue any coverage to you, we want you to rebuild your active directory. And the second thing that we want you to do is to add multifactor authentication on your VPN. Both of those are very good activities to do. Both of those will result in a real security gain for that company.

The problem came when the carrier said, and we need you to do that in the next 30 days. In terms of a security and IT project, those two activities result, it could be anywhere from four to eight months’ worth of work, depending on how quickly the company can throw resources at that problem. So, to ask for those things and then say, you need them in 30 days, I think the market is in that correction state right now, but those are incredibly good questions to ask. Nobody would have asked those questions five years ago, but the fact that they're asking those now means that they're thinking in the right way, but I think the market needs to be a little bit more lenient in terms of saying, okay, instead of getting this before binding, you'd need this within the 60 or 90 days post bind. I think that's a little bit more reasonable, but it's that type of activity that we're seeing on the proactive side, where clients are coming to us saying, hey, we need to do this for insurance. And what the carriers are asking for is good in theory. But sometimes with reasonable in terms of timeline.

David Finz (15:21):
I would agree with that. And as the broker it's incumbent upon us, we have a battle to fight on two fronts. On the one hand, we need to get out in front of our clients, 90 to 120 days in advance of the renewal and help them diagnose what they can achieve in terms of improving those security controls. And then at the same time, negotiate with the underwriters to have reasonable timeframes for completion of any remaining subjectivities. This is why it's important for us when we speak with our clients to prioritize for them near medium and long-term goals and enhancing their security controls and presenting themselves as a better risk.

Ryan Farnsworth (15:59):
All great insights, David and David, thank you so much for sharing. As we look to wrap up this edition of R&R podcast, what is it that you think would be great leave behinds for our listeners? What's the last message that you have to them in the coming months with respect to addressing cyber risks?

David Kruse (16:16):
If somebody is listening to this and is going to take one piece away, I want them to know that organizations aren't being hit with ransomware because they're missing PhD level cybersecurity. They're getting hit with ransomware because they're missing third grade level cyber security. We're talking fundamentals here. We're talking about keeping your software updated, having multifactor authentication really anywhere you possibly can. Having backups that are secured with multifactor and other ways as well. So, this isn't the rocket science of cyber security. This is the bottle rocket of cybersecurity, and it's the fundamentals that are executed repeatedly. That's the best way to protect an organization and more and more organizations are starting to do that. But if you're going to get hit with ransomware, it's probably because of the fundamentals weren't taken care of, not because you didn't have a really expensive blinky flashy box that was protecting you. It's because one of the fundamentals wasn't being addressed.

Yeah. I would just add to that, that this notion of the choice between cybersecurity and cyber insurance is a false one, right? These are really two sides of the same coin. As your risk advisor, we would never tell clients, spend money on insurance at the expense of enhancing their security. The solution is secure your network and implement privacy controls as much as you can, and then transfer the remaining risks through insurance, because you're never going to be able to 100% guarantee that you won't be the target of a ransomware attack or some other type of cyber event. So, we want our clients to implement those controls and present themselves as better risks. Then we can get the more favorable terms and that's really the best spend for an organization.

Ryan Farnsworth (17:57):
Thank you, David and David, I mean, it's great to talk more about cyber risks. Those last bits of wisdom, I think are something we can all think about how we can implement them in, in talking with our clients in implementing cybersecurity protocols. And maybe even going back to third grade, as David Kruse said to address and to help our clients find a more rewarding way to manage risk. Thank you both for joining us. And we look forward to having you again on future podcasts.