In this special holiday episode, sponsored by SentinelOne, Recorded Future and Travelers Insurance, Aaron Bregg and Jim Kuiphof discuss with Tim Francis about Cyber Insurance and Liabilities with respect to the increasing threat of ransomware attacks.
These are just some of the questions and topics that are covered:
- What is cyber liabilities insurance and why do some think they don’t need it?
- While ransomware attacks are increasing in the public eye, some websites are reporting that ransomware attacks aren’t being reported and that is a problem.
- What trends are being seen in the insurance industry right now?
- Are attacks truly going up, or it is just that there is more ‘visibility’ in to this area of cybersecurity?
- Why are some incidents just not being talked about?
Ransomware Fallout: Talking Cyber Liabilities and Insurance transcript powered by Sonix—easily convert your audio to text with Sonix.
Ransomware Fallout: Talking Cyber Liabilities and Insurance was automatically transcribed by Sonix with the latest audio-to-text algorithms. This transcript may contain errors. Sonix is the best audio automated transcription service in 2020. Our automated transcription algorithms works with many of the popular audio file formats.
Welcome to a very special event, a holiday fundraising episode of hashtag, we’ll talk with Mir host Erin Breg. Today I’m joined with a special co-host, my one of my directors, Mr. Jim Poff. I want to do some special shout outs to Brian the Schneeberger. Don’t call me Steeves or you may call me Steeves Snavely from SentinelOne, one who is one of our gracious sponsors today. And where are we at? There’s Chris. I was going to say Chris and the recorded future gang is also an awesome sponsor today. I very much appreciate their help. We’ll talk about that. We’ll give them a little few minutes at the end to talk about this, but we have a lot to cover. So I want to jump right in. Today’s topic is cyber insurance, cyber liabilities and kind of like what you can do before, during and after a ransomware attack. My special guest today is Tim Francis from Travelers. Tim, I’m going to be quiet for a few minutes. Can you talk about who you are and how you got information got into information security?
Sure. Tim Francis, I’m the enterprise cyber leader for travelers, so that means I’m responsible for the products that we provide to our customers in the cyber arena. And I’ve been in that role for about 10 years now and with travelers for just celebrated my 15th anniversary. So happy to be here, happy to talk to your listeners and always interested in talking about cyber and cyber insurance.
Excellent. All right, I actually did my homework before this event, and I actually going to do a little bit of a prelude because it kind of sets up some of the questions. So those of you may or may not know, on October 28th, this SISA Cyber Information Security Security or SARAY Cybersecurity and Infrastructure Security Agency say that five times real fast, the FBI and the Department of Health and Human Services released a joint advisory on an imminent threat and attacks of health care systems in the United States. Around that same time, we had their release, their Q3 20/20 Ransomware Marketplace Report, and in their report, it showed the top two industries targeted by ransomware in the third quarter where health care number one and automotive, too. I know Brian could talk forever about that automotive attacks. One of the things that was interesting to me is in the report, it also showed by a large margin, small businesses are being attacked or are not attacked, targeted by these ransomware actors to the tune that under 10 employees was eight percent, 11 to 100 employees was thirty one percent. And companies that had one hundred and one to a thousand employees, forty one percent were targeted. So in this episode, we’re going to kind of talk about these things and let’s teed up and get raid in. So, Tim, our first question, what is cyber liability insurance and why do some people think that they don’t need it?
Well, I think people let’s let’s take the second part of that, I think to the extent that people think they don’t need it, it’s because they’re not really aware of the full breadth of what cyber insurance does. Or maybe even worse, they’re not fully aware of the vulnerabilities that they might have and the the consequences of having a cyber event back to the coverage. If if people think about cyber insurance at all. And that’s a big hit, even getting people to think to know that such a such a product exists and it’s relatively new cyber insurance compared to other types of insurance that you might be more familiar with. But it’s been available for years. I think the the the problem becomes as people think about it, they think about that’s insurance that has something to do with helping protect or helping when personally identifiable information is compromised.
And think about the data breaches that used to make the headlines more frequently than maybe they do. And so companies that are either smaller or in industries like auto and manufacturing that might think, jeez, I don’t have health care records, I don’t have financial records, I don’t maybe even take credit cards, maybe I don’t need cyber insurance. They’re missing now. And we’re going to talk a lot about ransomware. You know, the ransomware events that we see sometimes don’t involve a compromise of data and certainly the motivation by the threat actors isn’t to get at data. They just want to corrupt your system, essentially hold it hostage and extort money out of it to get it back. Right. So that means that a whole new universe of potential victims is opened up. So you don’t have to be in health care necessarily. You don’t have to be in finance. You don’t have to be in real retail to suffer. A cyber and cyber insurance can not only kind of pay for the costs associated with the ransomware attack. Maybe even more importantly, we have access to professionals, the whole network of companies that will come in, whether it’s helping pay the ransom, which nobody likes to do but sometimes is necessary, more importantly, doing forensics and back up. And to the extent that you need, you know, reputational damage and marketing, all of that combined is is part of a cyber insurance solution.
So are you seeing that ties in nicely into the next question, why are ransomware attacks increasing in the public eye? Because when when I met with some people from SentinelOne and we did a podcast about a month ago, the speaker that we had, he was like, yeah, this is way more prevalent that the media is letting on. Why? Why is it so in in the news now and why are so many different businesses reporting? Is it because they don’t have to? What do you kind of see? And along those lines?
Yeah, so if we think about what I’ll call the traditional data breach, which is a compromise of personally identifiable information, so Social Security numbers and health care records, the kind of things that people can associate with with their own identity, the most states have rules around the protection of that data. And when that data is compromised, most of the time there’s an obligation to report that there are some exceptions to that rule. But most of the time that has to be reported. Ransomware, on the other hand, doesn’t always involve those pieces of data and there isn’t a requirement that it be reported. So oftentimes it is, but a lot of times it doesn’t make national news unless the victim is a, you know, name brand or doesn’t even make local news, unless it’s an organization that’s key to the community. And sometimes it is. It’s a school or other it maybe even a town. But if it’s a you know, what I call a regular manufacturing type of risk type of account, that doesn’t always make the headlines, even if the event itself is detrimental to that organization.
And it to some extent. Right. These are these are events that people would prefer obviously don’t happen to them. And so when they if they don’t have to report it publicly, they tend not to. But living in my world or dealing with what we deal, these are everyday occurrences that are happening more and more frequently and happening to virtually every industry and every size organization in any industry.
You can name one to pull in gym for help on this one, Jim. He talks about like branding and how some companies like, you know, just don’t want it to be public. Are you seeing with some of the questions, are you that we talked about, are you seeing Piers, you know, secretly asking, like, for advice or input from other things? Because as we’ve had on a previous podcast, our own health care system had a near miss. So are you seeing kind of leeriness when it comes to stuff like this?
Well, from a health care perspective, you have the regulatory environment that you have to be conscientious of, and there’s reporting laws and rules around that. And so the deliberation internally when to declare the legal term breach has significant consequence. So that’s where a company like Spectrum Health or any really any company that has cyber insurance needs to be in communication with their legal department, needs to pull on their liability insurance provider because declaring that formally has significant financial impact to an organization.
Do you sorry I didn’t answer your question.
No, no, no, no, no, no, that’s not what that means, is a lot of companies are tight lipped about when it happens that there’s that internal deliberation to determine were we actually compromised to the extent of declaring something a breach, did we lose control of EPP or PII or PCI data sensitive data that’s in some way regulated? And if that’s the case, then you have to be very conscientious about the way you go about collecting evidence, proving that evidence was or wasn’t compromised, and then ultimately reporting if it was.
So, Tim, how much do you think the recent decision by government to start regulating some of these ransomware payouts? Do you think it’s going to kind of shine a light on more of these incidences? Because people are going to have to be more transparent for fear of like, you know, a penalty from the US government.
Yeah, we don’t necessarily look at that as necessarily new. There is always been protocols around whether or not ransom could be paid and but that tends to be fairly limited.
And and there’s what we would call the Office of Foreign Asset and Control, which is part of the Treasury Department, which simply regulates there are, you know, bad actors. And the easy, easiest ones to think about are terrorist. Right. There are individuals that it’s simply illegal for a U.S. company to pay money to even when it’s a ransom.
So that guideline was to remind individuals of that. And there are protocols in place and we certainly follow protocols where if the ransom can be tied back to one of those actors, it would not be paid. But that’s actually pretty hard to do in a very, very limited likelihood. Most of the activity that we see in that ultimately is affecting our customers. And society doesn’t tie back to one of those actors or it would be. Very difficult to tie it back to one of those actors, and so then the decision whether to pay ransom or not, at least for our customers, rests with our customers. And I don’t think any of our customers that has gone through one of these relishes the idea that they’re going to pay a ransom doesn’t even matter the amount. It just doesn’t feel right to pay somebody who is, you know, essentially got your system locked up. So what happens is, you know, in our case, we will put them in touch with, you know, who said forensic investigators that are helping them do essentially a triage in a ransomware. You know, can you bring the system back up online on your own without paying the ransom? Right. That ought to be the first course of action. And sometimes that’s successful. Ransoms aren’t always paid. In fact, they’re usually not paid for ransom.
And so if you can bring in your system back online, that’s usually in everybody’s best interest. But there are times when that’s hard to do or there’s a decision that has to be made that’s partly financial. It’s partly, you know, depending on the organization that the company is in, if they’re a health care provider, for example, can you deliver patient services if your systems are corrupted or not? And so, you know, it may take longer to bring the system back online kind of organically than to pay the threat actor. And so the in our case, the insured will make that decision with input from experts as to kind of what’s the best course of action or what’s the viable course of action. But it comes down to kind of a financial equation. It comes down to how long is the organization going to be? And sometimes these you know, even when paying the ransom, it may take some time to bring the system back online. So it’s, you know, can you be out for days, weeks? And what’s the economic impact to that? What’s the reputational impact to that? What’s the harm that that might cause customers or employees and so on? So there’s a lot that goes into, you know, whether the ransom is paid or not.
Brian, you had a good question. Yeah, my question is, Jim, you touched on the idea of what the difference between a breach and an incident, as you know, and when certain data is exfiltrate filtrated. So in today’s term, a lot of ransom is targeted not just to encrypt and lock up computers, but first to get some data out. Right, because they understand that people have backups, you know, and now it’s well, we can release this. And that’s where you see some issues. But there’s been a lot more conversation around the idea that if this threat actor is sanctioned, right, if this group that ransom the box or the company is sanctioned, you can’t pay that that ransom. But to be able to solve that equation, to figure out is this really a sanction, you know, you could take one form of ransomware that’s used by multiple different threat actors. Right. And trying to figure out, is this a sanction that time? And I think it affects both the enterprise, the insurance company, everybody, because the longer it takes to figure that out, where maybe it was X amount of money, but to be down for X amount of time cost, even that X plus Delta could be more money. And in the long run, you look at some of these very large fortune, five hundreds, some that have been in the news this year, the longer they’re down, I mean, that’s especially in the third quarter of this year when everyone’s was getting back rolling, you saw some of the best numbers out of manufacturing. If you were hit during that period of time, boom. It just it trickles all the way back to your supply chain. So my question is more. You know, with the amount of time that it takes to investigate, is that rule or when you look at that rule, the obligation to do it and to be able to solve it. Does that does it help or actually not help the companies or the insurance companies to have to prove that out?
And how do you make that call, Jim? Where to put him on the spot behind your ear?
I mean, but you had this situation and you’ve had to make tough decisions based on the information that you have, which may or may not be accurate. How what are you thinking in that situation? Pass the buck up the chain of command?
No, we actually did create guidance for our senior leaders. It’s a framework for making the decision around a lot of different threats. Ransomware is one of them, but it asks a series of questions and attribution is one of those questions. Do we attribute this back to a sanctioned actor? Is it obvious? What’s the timeline around restoration? What’s the likelihood of restoration? All those questions weigh into that decision, Hopper. And ultimately, it’s not my call. We make recommendations and then it’s the business leadership that has to make that call. But ultimately, we want it to be an informed decision. And that’s where we would reach out and have conversations with our insurance provider, potentially law enforcement, depending on the circumstances, internal counsel, external counsel, some of our managed security service provider expertise would weigh in on that. And all of it is really around making that informed and wise business decision. It seems odd, but it is a business transaction at that point. And you’re dealing with somebody who treats it as a business transaction. So removing the emotion of the moment from the the the ultimate decision that sometimes has to be made very quickly. I don’t ever want to be in that situation. I’m thankful that we haven’t done. But I know that a lot of companies have to face that. And it’s pretty when you’re talking about paying the ransom. A whole series of other controls have failed. And there’s going to be a lot of questions that have to be answered around how those failed, why they failed, why you can’t back up or restore from backup and things like that. So all of that has to be set aside for the moment to make that decision around pay or not to pay.
One thing I was going to throw out there and Tim, you look at the different verticals and you had health care in automotive as the two heavily targeted. If if I was a threat actor and really understood what the supply chain is. Right. Not just the supply chain. When you look at technologies such as solar winds, I’m talking supply chain. Get down to the tier two and tier three tier ones in automotive that don’t have great security and have never even had the conversation of, well, what do we do when this happens? Right. If you get down and you could just shut down a tier two, don’t even talk about exfiltration of data. You don’t even have to report it as a breach. If you could just go ahead and shut them down, that it’s not about not having enough steel or enough components. It’s that bolt supplier. It’s this supplier. That’s what would make GM, Ford, Toyota and Honda scream. Right.
And in you’re seeing that across the board, tens of thousands of dollars a minute for downtime if you shut down one of the OEMs and the refactoring lineup if you go ahead.
How do you have that conversation, right, because you have done this with, you know, with multiple partners, how do you calmly explain to someone in that situation to where you have a couple of choices? You can make that business decision to pay the ransom or not pay the ransomware. But it could have, like you and I talked about in the podcast prep meeting, that might be more costly. So can you talk about that? How do you convince them?
Sure. Sure. And I think I just want to make a comment to what Jim said.
Right. You know, best practices to have a plan in place before such an event happens. Right. Have an incident response plan. Practice it like any plan. The actual facts on the ground in the chaos of this never really play out or seldom play out exactly the way you planned. But having had the plan, having put it in place is far better than having no plan and not having thought about it. Who needs to be informed who makes the decisions? Who needs to be at the table to help make those decisions that mapping out beforehand should be done by everybody, regardless of what industry and regardless how big you are. And it’s, you know, cliche to say it’s not if, but when. But you ought to be thinking about it’s not if, but when. Right. You’re going to have one of these events and hopefully you won’t. But better to you know, if we look at, you know, solar winds and then the organizations, that it can be compromised. Right. If it can happen to organizations like that, it can happen to you no matter who you are. Right. No one. But to get back to your question. Right. In terms of that and from an insurance standpoint, it’s interesting and I didn’t really comment on this before, but from just from economics, most cyber insurance policies will fund, you know, the ransom if that becomes, you know, becomes necessary.
But they’re also going to pay for what we would call the Zougam loss. Right. So the amount of downtime and the amount of money that you would have made for this incident is likely to be covered under your cyber insurance policy, whether you pay or not. So to some extent. There’s really not a financial motivation one way or another from an insurance side, right? You could pay the ransom, but you might if you don’t, you might have a greater income loss. So in terms of the decision to the customer, which again, is up to them, it should be an informed decision. And that’s why it’s, you know, having the forensic investigators that we bring to the table. But they work for the customer. They don’t work for us. They work for the customer. So they’re going to make an objective, sober recommendation. They do this every day. Yes, it’s chaotic and stressful and anxiety-ridden for the customer. But these are professionals that do this. And often it’s you hate to say it, but it is a business on the threat actor side. And often it’s the same threat actor or a common group. And the forensic specialist that we bring in actually may have worked on cases with those same threat actors several times over. So they’re actually in a pretty good position to kind of gauge the odds, right? Yeah, these guys are serious.
These guys may be less sophisticated depending penetrate these guys. We can negotiate the ransom down to X instead of why they do this for a living. And unfortunately, there are enough of these events taking place that they’ve got a lot of practice under their belt. So they’re usually able to really do a pretty good job of knowing, hey, here’s here’s the reality. You can try to back up and let’s do that. It might take this amount of time or if you need to be up faster, you might pay. But sometimes paying doesn’t get you up faster. Right. And so you have to do what you have to do. This negotiation, which is, you know, show us that you can actually bring the system back. Right. Because you don’t want to pay a ransom. And then the bad guys, you know, just go away and you’re still stuck. Right. So you have to get what we would call, like a proof of life. Right. Can you give me some of the decryption keys will prove that you’re you know, you’re good. You not only can do it, but you’re honoring your word. And you go through this negotiation and you bring a little bit of the system back online and then and then you go from there.
It’s a good Segway, Alan, I’m going to bug you for a minute from the threat intel perspective, how. Like, how do you hope that, right, because, you know, the scenario that Tim talks about, the more information that you can give him, the better that your ads can be and whether it’s successful or not successful. What are you seeing? Are you changing some of your tactics, so to speak, when it comes a threat until.
So the you know, when you’re looking at a traditional attack, we’re looking at worms or rats or whatever.
Normally we have acronyms, but we’re sorry this. If you’re looking for remote access, Trojan or Worm is just a worm.
You’re generally looking and providing indicators of attacks that have already happened, that people can go on throughout hunting missions and try and find.
Well, that does. You don’t need that with ransomware, because when the ransomware hits, you know, it’s the ransomware. And you know what? Ransomware it is because they advertise it in big, bold letters and they’re in their ransom note.
So there there are a few things that we’re doing a little bit differently. One is we’re certainly trying to help be more proactive. But the other thing that we’re trying to get our clients to do, and in general the Internet in general is engage in more threat hunting. So when you look at how ransomware has evolved from two thousand fifteen sixteen to today, when we look at ransomware in 2015 16, it’s kind of like knocking over a liquor store, right? You’re running a smash, you grab the money out of the register and you leave. Ransomware today is more like Ocean’s Eleven, but with a lot uglier cast. These are not attractive people behind the keyboard. They are just they’re super ugly and but but they it’s a much more complicated attack because you don’t just land in the network, encrypt the first machine you see and get out.
You land in the network. You have to gain the accesses you need because when they encrypt systems and I think a lot of people don’t understand this amount of ransomware attack, they’re not encrypting a single computer, a dozen computers. It’s hundreds, if not thousands of computers at a time. And they order to do that. You need to get the right access. And the network add to that the extortion component of it, where we now are tracking 20 plus ransomware variants that maintain extortion sites takes a while to steal that data and it take that long. We’ve seen attacks as quick as six hours, but we’ve also seen some of the attacks that last for several days to several weeks between initial entry and ransomware. So now what we encourage people to do is look for the indicators of moving around the network. So you’re looking for things like cobalt strike, you’re looking for things like Slive, or you’re looking for things like add, find the tools Mimecast, the things that the ransomware actors are using to move around the network looking for exfiltration of large files because they’re generally not subtle about it. They’re like, oh hey, here’s a whole bunch of files. Let’s just send them all off to our server as quickly as possible, often using FTP. And the fact that there are still companies that allow FTP to leave their network freely annoys the heck out of me.
But that’s a whole other story. So that’s what we’re encouraging, is more of that threat, having more of that proactive looking, because by the time the alert that they’re in, in your network shows up in your SIM and makes it to the SOC, analysts are off late. You want to be on you want to be I don’t want to say on the offensive because that has a completely different connotation. But you want to be proactive in going after and finding those indicators that that that ransomware hackers on your network. And we’ve gotten much better as a company. And I think in general, security companies have gotten much better at freely sharing these indicators. Used to be that, oh, I have ransomware indicators, I’m going to keep those to myself so our customers have them. But now, like SentinelOne has an amazing blog that they publish all kinds of fantastic indicators. Even FireEye is now getting more public with sharing indicators and things like that. But the old guard, Symantec, McAfee, et cetera, have come around and and there’s much more information sharing which helps make everybody better. Yeah, you just have to know where to go look and pull it down. So in some ways, it, unfortunately, becomes information overload, I guess.
Aaron, can I ask him a question? Yeah. So we’ve been talking a lot about technical controls, Tim. Maturity of program. Right. We mentioned having a plan, exercising, rehearsing that plan.
All of those things really are reducing the risk from a cyber liability insurance perspective. Can you know, we can’t maybe talk specifically about the secret sauce for travelers, but what are some of the things that an organization should be looking at to move that risk needle substantially in light of some of the threats that we’re facing?
Well, there’s not a single answer, of course, right, but just if you take the technology for a second, right. You know, not having you know, and it’s you know, we’re talking still in in in covid era. Right. And we saw, you know, many companies just had to shift to more work workers remote. And so not having open remote desktop protocol or RTP. Right. Which doesn’t have to be open. And there’s other ways to configure your network. Right. That’s a that’s a vulnerability that we see get exploited, not having multifactor authentication turned on in your for administrative access and for remote access, which is not necessarily either hard to do or expensive, depending on what you’re already running from a technical standpoint and then having an endpoint protection and a response, having an EDR solution. And, you know, those are the technical the common things that we in this industry kind of shake our head, particularly for companies of any substance, to say, geez, why wasn’t that control in place? Or or what often happens, unfortunately, is they think the control is in place and it just isn’t it across the network. But all of that combined gets to what I would call the soft things right. In terms of employee training. And and and frankly, even before you get to employee training, having a leadership team that takes the management of data security and network security seriously and and resources it and funds it. And that happens when you know, more awareness of the significance of these issues, both in term, you know, from the economic standpoint and just, you know, the reputational happens. But having a culture around cybersecurity and information security is as important, if not more so, than the technical controls. And you don’t get the technical internal controls unless you have that culture around that the place in the first place.
So you implied that the bad guys know your environment better than you do?
I don’t know if I applied it, but I but I will suggest that, you know, and it’s interesting because that’s good if I could talk about that a little bit.
And it’s often and, you know, sometimes I think your listeners may hear or will say, you know, there are certain organizations that are being targeted. And sure, that’s true in the sense of, I think, how we would ordinarily use that term. More frequently, what we see is it’s not so much in a. Company or Noriko’s nations that’s being targeted and frankly, you know, many of these threat actors, if not most of them, are overseas, as Allan described them, right behind the keyboards. They’ve never even heard of some of the year in the organization. Never heard of the state you’re in. Right. And so it’s not a personal thing.
They’re targeting the vulnerability right there, targeting. Can I get in? Once in, then they’re doing more reconnaissance and laying low for longer. They’ve gotten smarter about that, trying to corrupt the data, look at the data, and not just to harness the data, but to try to then say, OK, how much do we think that this organization might pay? Right. And so if they know we’re not right about that, they’re not going to ask you for the same amount of money because they know you can’t pay. Right. Right now, they’d rather be in a bigger organization that has deeper pockets or at least that they perceive as deeper pockets. But if they’re in an organization where they think they might get one hundred thousand two hundred thousand or pick a number. Don’t ask for that because they want to get paid and go about and going to the next target, and it’s it’s a business, right? So they’re their cost of a customer acquisition, which we might you know, it’s not how they talk about it, but that’s really what’s the motivation, right. If they can get a new target, make a quick hit and get out, they’re happy to do that. And so but part of that is not so much targeting the customer. Ahead of time, knowing we’re going to go after X. We’re going after you, it’s they know that there are vulnerabilities, they send out malware, malware corrupts through of the vulnerability. Then they figure out, OK, who do we have? They’re going to do about it. Right. That’s really often what’s the case. So they’re not coming. They’re not looking at a list and saying today we’re going to go after company X, Y, Z, it’s today, Company X, Y, Z got infected. Let’s now take the money out of them.
I think Putin’s point sometimes it’s not even they find the vulnerability, it’s what what what access they can buy on the underground market. So there are all these cottage industries that have sprung up to support ransomware after some one of the big ones is shelling and selling shell access. That’s another one to try and say three times selling you shell access to on underground forums that that that is really revived as an industry. And so for a couple grand, you buy access to a company that’s worth ten million dollars, that a couple of grand turns into one hundred thousand dollars. Again, when you talk about, in effect, customer acquisition, as Tim said, that’s a really good return on your investment. If I can, for two thousand dollars, I can buy access to a company. I get in. I deployed my ransomware and I get a two hundred thousand dollar or more ransom from it. Then it was a really good investment and I didn’t even have to do anything. I just handed over some bitcoin, which unfortunately they have in spades right now.
So I’m going to shift gears a little bit because we talked about some rather depressing stuff, so let’s let’s talk about how we can, like, affect change and some of the things that we can do a little bit differently. That’s what’s nice about having Jim here is Jim. Jim has helped build a program from scratch. So seeing different policies change different negotiations with insurance companies somewhat. Talk a little bit about reputation. Right, because sometimes the insurance companies get like a bad rep. Right. So the example that I often use is a couple of years ago and Jim knows this, I actually think Jim is the one that pointed this one out, is a Catholic health care system in California was breached. And then obviously, as the breach is going on, they’re figuring out what they’re doing. They’re contacting the cyber insurance company to say, hey, we need help paying this. Then all of a sudden the insurance company comes in. They do their investigation. There’s there’s not even due diligence. Right. And obviously, insurance is also a business. So they have that little clause saying, hey, well, you didn’t even, you know, beat the bear meat to the bare minimum. So we’re not paying now that health care system is on the hook. From from the outside looking in, it looks like, oh, my gosh, the insurance companies are a bad guy, they’re they’re not paying they’re not living up to their end of it. But that’s not quite the case. So what are some of the things that insurance companies can do when they’re talking with Jim about like what’s happening before, what you can do to, like, lower your costs? What are some of those hidden things that a lot of people don’t realize? Insurance, so insurance companies do.
Was that question for me? Yeah, that was for you. OK, I thought so, but yeah. Yeah, so, so, so certainly everybody has every carrier has their secret sauce or not.
So secret sauce. Right. In terms of a the standards that have to be met in order to qualify for coverage. Right. And and that may vary depending on the industry and certainly the size of the organization. But, you know, in my experience, it’s very, very, very rare that. Anybody would kind of deliberately misrepresent, right, and short of a deliberate misrepresentation is really the only circumstances where they’re likely to be any kind of argument coverage, right. You in good faith say here’s our controls and we we and our competitors will look at those controls and make a decision as to whether we want to offer you coverage. And then obviously not all coverage is the same. Larger organizations buy more coverage as a general rule, kind of true of any line of insurance. But the better the controls are right. And we can work with those customers not only directly ourselves, but with other business partners, whether it’s whether it’s SentinelOne or we have a relationship with Symantec that also help people understand kind of what are the controls in place, technical and and non-technical kind of her organizations that look like them.
Right. In an industry segment or in a size, the better controls you have kind of like kind of like any other line of insurance. Right. The better. You know, if you’re a good driver, you get better rates than if you’re a bad driver. And in the cyber insurance world, it’s not really any different. Right. You got bad controls. You might pay more or get less coverage. Or if they’re really bad, maybe you’ll be denied coverage. But but that’s kind of true of any insurance. And cyber is no different in that regard.
So, Jim, what advice what advice do you have, because obviously we’ve matured the program over the years, what are some advice you could give the listeners that go along with the things that Tim’s talking about?
What’s worked for us is to have a dialogue, have a conversation, and then the other thing is to be transparent and honest, it seems, and it seems obvious, right? It’s intuitive to say we’re going to be honest and have that conversation, but it’s really important in this particular decision. Framework insurance is just another control of risk at the end of the day.
And if you’re layering your controls, your risk controls properly and making good decisions around which technical controls the extent that those technical controls are deployed and managed, being able to prove that you’ve got a good coverage with the control. Multifactor authentication is a perfect example of that. You don’t have some rogue and point sitting on the Internet directly without MFA. Those are the things you need to be honest with your insurance brokers about to make sure that they understand the liability they’re accepting so that if something were to happen and you have to exercise that policy, you can specifically point to the area of weakness that hopefully you recognize before the compromise even happened, that you made a conscientious decision to say, look, this control isn’t where we want it to be. Here’s our plans to get it there, or maybe we’re OK with it. It’s too expensive to get it to that point. And that’s why we’re we’re engaging our insurance provider. But you have to have that conversation before the bad thing happens. But that’s getting back to knowing yourself, knowing your business, knowing where your areas of weakness are in terms of policy, procedural or technical controls and having that open and honest dialogue. And that’s where a partnership with someone like Tim and travelers are super important to to understand that changing landscape of threat, both from a business operations perspective, but then also from a control perspective and how much insurance you actually do need and what makes you comfortable in terms of that risk reduction benefit.
So if somebody came to you, Tim, and said, I want I’m going to have a layer to firewall between me and the Internet and I’m only going to do antivirus on my endpoints, please provide me cyber liability insurance.
And I’m a 10 million dollar a year manufacturer. What are you going to say to them?
Well, that’s that’s why there is a robust market of providers of cyber insurance.
And they may be a good candidate for for for want of somebody else. But every situation is different. And you make a point. Right, of of you know, and we write we have customers, as I said, in every industry, in every size.
And so so particularly as people listening this. Right. Eight, you know, even though I’ve said it and I’m going to continue to say, you know, all industries are vulnerable or have events and it really doesn’t matter the size it also is in.
The dynamic that we would require a a a company that makes a million dollars a year to have the same controls as somebody that makes 100 million dollars a year or that somebody OK. And so and the type of insurance they might buy is is it different or at least the amount. So so there but there’s within that segment of do you have good controls for who you are and if the answer is no. Right. And if you’re, you know, if you’re a large organization and you don’t have the appropriate controls for large organization, you may have trouble getting insurance. But that doesn’t mean that the you know, somebody who’s listening to this and saying, geez, I make a million dollars a year to make whatever it is right. That you can’t potentially have a cyber insurance solution, it’s just going to look different.
Brian, I know you’ve been holding holding on to that question.
Yeah, actually, I think this is really well, Jim, with where you are going. And then you kind of lobbed over a softball to Tim there and said, let’s take an auto manufacturer, which I love. You just brought it right back to the home state. But let’s let’s dive into that a little bit. When you said putting together, you know, depending on the size of the company, you’re going to have different, you know, purchase spend for your security, different things in place. And there’s so many different tools to buy from. And I think when you talk about the landscape and the number of vendors out there and the number of tools, that also becomes muddied. Right. And you look at the third party organizations that are actually evaluate or don’t evaluate to give their opinion on them. If you looked at automotive in general and I love the Phoenix Project because I I thought it did a great job of explaining how to simplify dev ops in terms of being able to do one piece for what is just in time production.
Right. And why it’s so important when you have Whipp work in progress not to get to the end and realize you have a quality problem. Right. That all goes into PFM. Right. Process failure mode analysis but DFM right design flaws remote in the auto’s. A really, really big on this today because if you’re going to go in and get supplier X to provide you a part, you go in and you first check off their DFM, their design failure, then you go in for their PFM here. Right. And that’s a two year process from sourcing to when you watch. But DOMA reminds me more of the idea of the architecture that you build in from your security program, the things and the equipment and the vendors. Right. And the products you choose PFM is how you’re actually using them and applying them. Right. And as of right now, there is no GM that goes into every different location to figure out at the former premier are being applied from a security perspective. They spend loads of money going in to figure out if you’re doing it from a component production. But security is just starting to be that conversation right now. I think it’s more left to the insurance provider, like, are these guys doing it? A lot of these companies have just said we want to make sure our suppliers have cyber insurance. Fast forward a year to promote. If they don’t change or do something, they may not have it. So that’s like the first level is saying some checks and balances. But how do we and it’s not necessarily a question, but perspective on what you were saying. There really isn’t a standard to measure the security posture of all the different types of verticals out there and the different size of the companies. Right. And there’s so many different products, I think something that’s lost there.
But there are simple things that can be done, you know, like you were referring to from a defense of how you put those products in. But Tim, when you go in and look at that and say, OK, I’m looking at the products, how and then is there anything that says how the products are being used valuation wise? You said size of the company right at the end of the day. Like who? If you say no to someone, it sounds like there’s someone down the line that’s going to say yes to him. Well, let’s I think we can rephrase that question for him. That’s a little simpler.
How do you how do you gauge a company’s maturity? I mean, because all the stuff you’re talking about is maturity rate.
And Brian gets really loud, and I think I can appreciate it. No, no, no, no, no. I can I can answer both of those. I hope. Or at least give it a shot. Right. And and let me kind of start, Brian, with, I think where you were going.
And and it’s a positive development, but nowhere nearly as mature as it should be. But, you know, in terms of kind of who if a company will just it has maybe poor controls just for whatever that means. Right. Where is the motivation in the leverage to if they’re not right, assuming they’re aware of their controls and that’s part of the issue. But where is the leverage in society to get those controls to be better? Right. And there’s only so much insurance providers can do, right. First of all, we need you know, there’s a lot of customers don’t buy a lot of companies that don’t buy cyber insurance in the first place. But we are seeing more of, you know, organizations that fit somewhere in a supply chain or in a chain where they’re relying on other organizations and other organizations are relying on them, whether they’re in the auto industry or anywhere else, that the larger organization that, you know, they rely on is requiring controls to be not only by cyber insurance, but they’re doing more due diligence as part of vendor procurement to determine whether those controls are in place to their satisfaction and even whether so that’s happening. And that’s having a positive impact on lifting, kind of. Everybody’s posture or a lot of posture, but you’re back to your question, right? It’s still the there’s a lot of reliance on tools. For example, there’s third party data that that we use in our competitors use. So we might ask questions about, just as an example, what the PATCHIN cadence is. Right. So how frequently are you patching? And and and we have tools that will help us actually see that. Right. And so our customers actually patching with the frequency that they say or frequency that that we think they have, we can often see and help have a conversation with things like do you have open RTP remote desktop protocol? Right. And sometimes organizations are unaware that that was configured that way. And and we can help before an event takes place to say, look, there’s a controlled it’s important. Here’s why it’s important.
We suggest you do X, Y and Z shut shut that port or have a conversation as to why, if that’s potentially necessary, why it’s necessary, and what other mitigating factors that they have to reduce that exposure. So it’s a conversation that takes place. And again, not everybody has to have the same solution. But we have a lot of vendors that we use and a lot of expertise that we have in-house to help guide people towards the best practices. Right. Not only because they make better insureds for but it’s a good value add service that people can come to their insurance carrier and get access to to how to make their systems better. And sometimes that ends up pointing them in the direction of somebody like a SentinelOne with an EDR solution or or another solution.
Do you let’s let’s let’s as we’re getting towards the end here, I want to I want to talk about the future a little bit with all the things that you’ve talked about in with auditing and protection and all the current trends you’re seeing. And, Jim, chime in in a minute. Are do you really think we’re going to get to the point where insurance companies are going to at least want X, Y and Z and maybe X, Y and Z tools to help with that stuff? Right. Because if you’re if you’re paying out the money and you and I kind of talked about in the podcast a little bit, I mean, I know you can’t give exact numbers, but, you know the B word, right? Are we going to is twenty, twenty one the year that’s going to be well over a billion dollars in ransomware paid again. You don’t have to answer that like yelling at me, but you have to protect yourself as a business also. Right. So are we going to see in twenty, twenty one where you’re going to have to have seatbelts in the car or you use the smoke detector analogy? You’re going to have to have this before we even think about insuring you. So are we going to start seeing changes when it comes to cyber liability insurance?
Yeah, I think I think that’s already baked in. I think you’re already seeing that. And again, it may be it may be a tightening of controls. But but, you know, again, I don’t think cyber insurance is necessarily different than any other line of insurance. Right. There’s kind of minimum standards. And if we go to the property analogy, you know, it may be code to have sprinklers and and and so forth, but it’s partly because over time. Right, you wouldn’t be insurable if you didn’t have some of those controls in place, depending on who you are. So cyber is not different. And and since the since cyber has been in existence or cyber insurance has been in existence, there’s always been some standard that has to be met in order for somebody to qualify for insurance. Now, that said, right prior to the fairly dramatic, very dramatic increase in ransomware trend over the last 18, 24 months and even in the last six months, those standards were probably a little bit looser then than they may be in twenty one. I think that’s that’s a fair statement. But it’s not that standards themselves are new. It’s just it’s just probably becoming a little bit more or more mandatory to enforce the minimum standards being raised undoubtably, particularly for the types of vulnerabilities that correlate directly to ransomware, such as R.S.V.P. and MFA and so forth, which we talked about.
Jim, what are you seeing for 20, 21 on your side to help in regards to stuff like that? Are you going to see that fundamental change? I know a lot of times we have the marketing jargon like EHI and Security 2.0, but is it really that it really feels like it’s that time to wear us in the security industry have to start taking that extra step?
You know, I go back and forth on that and Tim and Alan and Brian can probably weigh in on this one as well. I almost feel like the yes, it’s it’s a tool question, but it isn’t a tool question. It’s a people question. It’s your you can deploy the best EDR, but if there isn’t anybody to respond to the alerts. In a timely manner, you might as well not even have the EDR if you don’t understand your environment well enough to know where that alert just came from, to be able to effect a response, you might as well not even have the EDR. So I. I see. And maybe this is a little bit biased, but in twenty one it’s going to be a shoring up of the fundamentals. Do you have an inventory, do you know when something connects to your environment. Do you have a team that’s capable. Have you trained them. Have you set expectations for them. Do you have a leadership team in place that’s able to make good risk decisions around where you spend the limited amount of capital? You have to lower the risk to the business from a cyber threat? I think that’s those are the basic blocking and tackling pieces that we’ve been pushing on for a long time.
And what I think the threat actors have done is exploited those softer areas to find the weaknesses within our businesses and exploit them and make money off of it. I don’t see it changing from that perspective. The weaknesses are still going to be exploited. There’s still going to be attempts made to find those weaknesses. I think because we’re seeing an increase in the visibility, the news is catching more and more of these government laws and regulations are mandating reporting. All of that is just simply putting pressure on businesses that don’t see this as a high enough risk to actually take action to motivate some form of action. And that’s a good thing, right? That’s raising the tide for all of us. And the more we have from a business perspective looking into these threats, the more conversations we’re having around what effective controls are. How do you build a team? What is leadership within the security program look like? Those are all good things that are going to mature the entire industry as a whole and will get better at responding to these threats.
Excellent, Alan. I’ll save I’ll save Brian to the last just in case we have to dangle the ears and cut them off. All of it.
Alan So along those lines, what do you what do you see in twenty, twenty one look like from the threat intel side?
Well, I think I think you’ve hit on an important point.
We’ve been talking for thirty years about how important the basics are. Good vulnerability management, kaching, don’t click on links that you don’t know, etc. and we still haven’t been able to get that right.
And I don’t know, unfortunately, that that’s going to change. And in twenty, twenty one, I do think we need to do a better job of celebrating people that get it right. Like if you run a really great vulnerability management program and you don’t do all the things that we’ve been telling you that you should do for thirty years, nobody invites you to give a talk at Black Hat. Nobody invites you to give a talk at at RSA because it’s not sexy and it’s not cool. But it’s actually really, really hard to do that, especially in a complex organization. One of the things that I am encouraged by is that we’re seeing more security teams that are have greater involvement in the business in general, like we’re not sitting in a dark corner in a room somewhere. We’re actively engaged with with with the rest of the business. And that helps, you know, that I think we’ve moved on from where the Department of Know, and now we’re getting better at being the the department of. Let me understand what you’re trying to do. And we’ll come up with a solution which is a little bit longer than the Department of Know. But it works better. It becomes more effective if you’re if you’re integrated in business unit. I do think because I think everybody in security is against government regulation, but I do think that the government has a role to play. And this is probably a little controversial. So feel free to edit it out.
But no, you’re right.
I do think the government does have a role to play in going after the bad guys. Like, you know, the ransomware actors don’t meet the legal definition of the definition of terrorist, but they do colloquially we would think of them as as sort of terrorist activities. And they’re certainly making a lot of illegal money. And I’m not saying we need to drop a drone on anybody but or have a consequence today. But but we do need to know. We have whole groups that engage in Sydney and see an activity and we should be trying to do a better job of taking down their infrastructure. And I don’t think businesses should do that because it’s too easy to get it wrong. But I think resources, government agencies have the ability to do that. And I think there should be more of that. We saw a little bit of that, obviously, with the trick. But takedown by both Microsoft and Cyber Command, unfortunately, that didn’t go quite as well as we hoped. But I think more of that activity does need to happen because we’re not. Going to get everybody to agree on or on the steps they need to take, I mean, we can’t even get people to agree not to get cyber insurance. So certainly not the government says, here’s our recommendations, go and do it.
And then the other thing I think is we need to expand our definition of what’s considered critical infrastructure. So I think like schools, which are heavily hit by ransomware, that needs to be because schools are never going to have enough money to have an effective security program or hire the people who are able to maintain and actually keep those people for more than a couple of years before they can go off and make more money, probably sometimes double somewhere else. So having more involvement in in helping protect schools and things like that, I think is also going to be important.
Well, the good news is you and I will be talking next month to go into a little bit deeper dive on threat intel. So that’s a good Segway. Thank you, NIB’s. Bring it. Bring us home. But don’t but don’t go too much on a tangent.
I’m going to try not to, but I’m going to take this back to when you look at insurance, take car insurance, for example. Right. When I was growing up, I got this car, had a seatbelt, had an airbag, had all these tools in it. But there was nobody monitoring the driver. And within about a less than a year, I was uninsurable in the management, stepped in my father and I was no longer allowed to drive. Fast forward to today. And now insurance companies can actually put on tools to monitor how hard you push on the brakes, how often you push on the brakes, how many times you’re going over the speed limit, which if that was back in place, then there would have been a lot more monitoring of what would have been deemed inappropriateness which spiked my insurance and caused me to lose that. And some of what we talked about today, and I say all this for the listeners out there that aren’t in security and this is essentially what we’re talking about is building things with the right tools in place. But then also, Jim, like you mentioned, from a people perspective, are the people actually using the tools? Are they being used properly or are you putting the right systems in place and following those? Right. And then, Tim, you touched on that. Those are the things you’re looking for. And I think collectively, companies and management in those companies should also should also start to respect that even more. Right. Both from the business side for the insurance companies and the business, the Derand and also the other businesses that they support. And I think it’s a collective conversation that you’re hearing more of it talked about and hopefully less finger pointing because you still you still do see a lot of that going on. And for people that don’t understand the infosec world, something gets it in the news and their assumption automatically is that somebody there did something wrong or blame this.
So it’s great to get on and talk with people from both sides of the house, the insurance side, the threat intel side. You know, the guys have feelings to write him and look at. That’s right. He came dressed up. He has a button up shirt on. You know, I felt better.
You could tell I’m the insurance guy right now. I would expect nothing less from an insurance.
And for the final two seconds, I’ll throw on like the the buttoned up sweater just to make him feel more appropriate.
Now, it’s OK.
It’s more or born with these blue blazers on and you know, they don’t come off easy.
So, Allen, do you have the baby yota back there too to hold up? Hold on. I was going to get to that point since we’re winding things down. Let me get to that for a second. I want to say a big, big thanks, Tim. Thanks a lot. Mike and Tracy, you guys were awesome as well. I know that sometimes insurance isn’t sexy or fun, but I really think we had some great conversations today. I really appreciate the donations that you guys did. I want to say thanks to the Snead’s for getting SentinelOne one to help out with this. And actually this idea was a golfing idea. So kudos to him. And then, Alan, thanks a lot to you and the recorded future team. We’ll get a chance to dig in a little deeper in the threat intel and some of the things that you guys do next month. It brings me to the prices that I’ll give away. I’m not going to give them away right now because we’re out of time. But Allen did have a baby Yoda. So recorded future. Besides, you want a generous donation, donated this awesome baby yota, which is now all real goo for the people that don’t want to Mandalorian.
And then we’ve got to give a shout out to actor because we actually have a microphone similar to Gemini’s and a boom stand. And then finally, Active has a gift card in the last of the Christmas presents, and Tim, I’m sorry, you have to wear jackets because otherwise you could wear have a nice hashtag.
I would I might be willing to make an exception, you know. Hey, there. They’re actually next, next, next next time you have me on, I will wear that shirt. Howzat. Excellent.
I think it would look good on your jacket personally.
That’s right. It’s a little bit of, you know, business professional and fun. So I very much appreciate all you guys this time.
It’s been it’s been a crazy year. I thank you for everyone’s support, all the listeners, all of the different sponsors that helped to make this stuff happen. So to everyone, have a safe and fun holiday and we’ll have some exciting stuff for you in twenty, twenty one.
Automatically convert your audio files to text with Sonix. Sonix is the best online, automated transcription service.
Audio to text transcription just got more accurate. Sonix is the best automated transcription service online. Use Sonix to simplify your audio workflow. Sonix converts audio to text in minutes, not hours. Sonix can make your life a whole lot easier. Do you have a lot of background noise in your audio files? Here’s how you can remove background audio noise for free.
Manual audio transcription is tedious and expensive. Sonix’s automated transcription is fast, easy, and accurate. Imagine a world where automated transcription just works. Sometimes you don’t have super fancy audio recording equipment around; here’s how you can record better audio on your phone.