September 28, 2022
Pavese McCormick Cyber Insurance Awareness Webinar Slides
|Input Video File:||Cyber Security Awareness: You Can No Longer Outsource the Risk|
|Raymond:||Good, I guess just to respect everybody’s time that’s here, Tom, you’ll continue to let people in as they come in. So, we’ll get underway. Before I start, I thought I would just make mention that a lot of us have friends and family down in Florida. And I’d be remiss by not acknowledging that and just saying that, you know, if you have friends and family down there, we all wish them the best. It sounds like it’s going to be a nasty storm, and we hope that everyone’s damage is limited and that they remain safe and are in a safe place. So with that, again, I see a lot of friendly faces and people I know and some new ones. So welcome. Good morning, and welcome to our webinar this morning on Cybersecurity Awareness. I am your host; my name is Ray Pavese, CEO and Director of Sales at the Pavese McCormick Insurance Agency. For those who may not know, we’re a third-generation independent insurance agency providing property casualty insurance products to businesses across a multitude of business segments and industries. I wanted to make this webinar as valuable as possible. So, I also invited Doug Roahn, CEO of IND Corp. They are an IT technology service firm. And Doug will add to the content as an industry expert and speak a little bit more about mitigation. Doug, anything you’d like to add before we really move in?|
|Douglas:||No. Thanks, Ray.|
|Douglas:||Great to have you.|
|Raymond:||Just to let everyone know, this is a recorded event. We will use it for those who could not make the event, and we will do some Q&A at the end of today’s segment. We will stop the recording at that point, since some people may not want their questions recorded, and those who have something they’d like to discuss in a more private nature, please feel free to contact me or Doug. Our contact information is posted on the last slide. So, without any further ado, today we’re going to talk about cyber risk, cyber insurance, and mitigation. A lot of businesses are truly unaware of the significant risks they face in terms of financial impact and disruption to their operations. To manage and mitigate risk, every organization needs to be prepared with both an effective security mitigation plan and cyber liability insurance. In terms of mitigation, as we move through this today in our discussion, we’ll touch upon the following items in terms of best practice: MFA, which is known as multifactor authentication; phishing; and employee training. Alright, so it only takes one cyberattack or breach to devastate a company’s financial results. One hacker, virus or system glitch could shut down your entire business, or even put you out of business. And finding and remedying a breach is very complex and expensive. So, I want to share this, imagine this; it’s a Sunday morning, you get a call, and you’re advised your network and systems are under attack. Or worse yet, you walk in Monday morning and find out the same. A threat actor has completely hijacked your network and all your systems. And to boot, there’s a ransom demand. What do you do? You talk about a pit in your stomach. So cyber insurance, it’s your financial backstop, and access to what I call the Special Forces. They’re the people that are going to come in and help you out. People often speak about insurance as providing peace of mind. So, I want to quickly tell you a story about a real client call and experience.|
|Raymond:||So, what I stated in the last slide is true. At 10:45 on a Sunday morning, a client got a call from their IT vendor advising them their network was under attack, and they were shutting down the network and all systems. At 11 o’clock, I received the client call notifying me of the event. I provided the carrier claim hotline and the initial report was filed. Now at 12:15, there was a conference call set up, which was the initial triage. Attending the call were the insurance carrier, their legal team, the professional forensic services team, the client IT vendor, the client management team, and I. So, give or take, about 15 people. And remember, this is on a Sunday morning, 90 minutes post notification. In this scenario, you’re never going to feel good, but do you think the owner was less anxious after the call? I would think so. And to boot, they walked in 7:30 Monday morning, and the IT tech team was already on site. So, why do companies need cyber insurance? As we’re kind of painting the picture already, the costs associated with a single cyberattack can be catastrophic. You’re talking about potential litigation, regulatory defense, mandated notification requirements, public relations to defend your company’s reputation, the need for skilled computer forensic teams to determine the exact extent of a breach. And talk about your time, your staff’s time, how much money is that? How about the employees and their inability to work at all, or significantly struggling to work even semi-efficiently for days or weeks? You may ask, what is the minimum cost of a breach today? Well, there’s a lot of ways that you can go about finding that out and a lot of information on the web. But if we look at a typical cost, even when there’s no notification requirements to clients, take a 20-person office that’s going to have to go through forensics, legal, IT restoration and everything else; you’re talking easily that bill alone could reach $250,000.|
|Raymond:||Now, that doesn’t contemplate any ransom demand or notification requirements to your clients. This slide here kind of breaks down just simply 12 points of potential cost of a security breach. So, you talk about compromised data, business loss, downtime, reputation, time to discovery, legal costs, compliance issues, notification requirements, incident response and recovery, ransom. Alright, it just goes on, and the numbers are staggering. So, what is cyber liability insurance? It provides businesses with a combination of coverage options that help protect the company from data breaches and other cyber security issues. So, what I tell people all the time is it’s no longer a matter of if your company will suffer a breach, but when. Policies are going to reimburse you again for computer forensic experts, potential business loss, extra expenses that may occur during the restoration and costs associated with recovery. Every type of organization, from small businesses to global companies that use technology, faces cyber risks. Technology is becoming more and more complex and sophisticated, and so are the threat actors. So, businesses face a significant increase, and it’s happening at a huge pace. So, you need cyber if you store customer or employee data, you accept credit card payments, your employees use computers or mobile devices in their daily work. And the thing to know is cyber is not a one-size-fits-all solution. It’s important to have coverage that addresses the specific risks to your organization. So, based on my overview of the last slide, I always recommend a standalone policy. A lot of people ask me questions, ‘Well, I have some cyber, it’s included in my business owner’s plan policy or my package policy’. But those usually offer very low limit coverages, and the limits or the coverage itself is usually inadequate. It’s just something that I couldn’t professionally recommend as satisfying a business need.|
|Raymond:||Cyber insurance can be a crucial safeguard against the devastating financial consequences associated with a breach or an attack. Policies offer solutions that include lost business income due to a cyber event, the cost associated with notifying customers, that’s notification of the breach, and that gets expensive, hugely expensive, the cost of recovery for compromised data and the cost for repairing damaged computer systems and more. So, let’s look at the cost of recovering data. How far do you have to go back? When was your last good backup? What about local desktop files? Any idea what your employees keep on their local drives to help them work more efficiently? That’s most likely lost forever. Repairing computer systems, you’re talking about network restoration, desktop restoration. Ease of doing business, what about the customizations that everyone has to help them and feel good about their environment? You’re talking years and years of data and files most likely lost forever. Again, coverage options within the policies are forensic investigations, litigation expenses, regulatory defense and fines, business interruption, the cyber extortion itself, the ransom, and then you have an option for betterment, and that’s the cost to improve your computer systems after an attack. So, what I’ve spent time on is really the first-party portion of this. But if that doesn’t alarm you or concern you, what about you being the source of an attack on a customer? That’s where we talk about third-party liability. Everyone remembers Target years ago? They had the credit card breach. Well, the source of that was through an HVAC vendor gaining access, or that had access, to their network. And they were making adjustments to buildings or some type of software upgrade. Look at the implication of that. How about malware or a link in an email that you send out to a client? You have to ask, ‘Who are your clients, and how much do they have at risk financially’?|
|Raymond:||Now, you’d have to ask yourself, what limits are appropriate for you to protect your business? Alright, applications. I’m going to laugh and smile; how many of you have looked at an application recently? They’re lengthy. They get into a tremendous amount of detail. 3 or 4 years ago, I used to provide an indication to a client in a matter of hours or a day. That’s no longer true. Carriers want to know about controls that you have in place. They want to know about up-to-date active firewalls, up-to-date active antivirus software on all computers, networks and mobile devices. They want to know specifically about multifactor authentication, MFA, on all your network systems, programs, emails, VPN access points. And they also want to know about monitoring and security logs, just to highlight a few. Now, the big point here too is applications are warrantied statements. So, unless you’re an IT professional, I strongly recommend that you review the applications with your IT service provider. And the big thing is that misstatements or misleading statements could lead to a denial of coverage. Carriers also are very interested in your vendor controls, and they want to know about outsourced services, which might include data backup, data center hosting, IT infrastructure, web hosting, payment processing, just to name a few. Policy cost? Well, it’s going to vary depending on your organization’s level of risk. It all depends upon what you do in your business, the type and sensitivity of the information that you hold and retain, oftentimes referred to as PII, which is personal identifiable information. Other considerations to pricing are policy limits and deductibles, and whether it’s built in or standalone. And I also want to talk about contractual requirements.|
|Raymond:||We are seeing a huge increase. Everyone’s usually aware of your contract requirements regarding insurance limits and the types of coverage you have to have; we’re now seeing a big increase regarding the request for cyber liability. That goes back to that third-party liability that I just discussed a few slides back. But we’re seeing significant limits with regards to that. So, let’s look at an office, let’s say they have 20 employees, a $2 million limit, their deductible is $5,000. Now again, with some discount for sensitivity of what that information is, you’re probably around $5,000 or $6,000 in premium. Now, if you take that and go back a couple of years, that same premium probably was $3,800 in 2019. It was probably around $4,600 in ’20, and now it’s around the $5,000 to $6,000 mark. So, the risks are going up, premiums are going up. And remember, it’s not a matter of if, but a matter of when. So compared to the cost of a breach, or a cyber event, cyber insurance is a very worthwhile investment for your company. We’re going to move a little bit into mitigation. Okay, remember, mitigation is the key. The cyber insurance is post event, and Doug’s going to touch on that in a minute, but it’s what you do pre event that is the key here. So, we ask that you work with your IT vendor; you have that security and mitigation plan set up; if you have cyber insurance, work with your insurance carrier. Many of them offer services that a lot of insureds don’t take them up on. They have one-on-one consultation services with a cyber expert, there are risk assessment tools they provide, there’s training. And if you have questions, they have help desks. Alright, so at this point, I’m going to turn it over to Doug, and he’s going to get a little bit more into the mitigation aspect.|
|Douglas:||Thanks, Ray. Good morning, everybody. Just to really talk, and Ray, you hit on this before, that, you know, it’s not a question of if, but when you’ll be breached. At this point, that’s where we are. That’s why premiums are going up. That’s why the applications are getting longer and more complex. So, Ray talked about operating before. And that’s really all mitigation is. The key to mitigation is having a plan. So, thinking about your house, you know, we all have smoke detectors; we didn’t wait for a fire to put in a smoke detector, we didn’t wait for a fire to have a fire extinguisher in our house, we didn’t wait for a car accident to have insurance on our vehicle. You know, these are all the same. Cyber liability is the same, and having a plan before the event is when you have to do it. Because operating, and we call this operating left of boom. So on this timeline, the boom is when you know. When you know there’s been a breach, when you have the impact. So, you have some kind of event. When you’re on the right side of that, it’s not the time to go out and try and find someone to help you and to try and determine what you are going to put in place to minimize the risks. To scramble at that point, if anybody has had, you know, a fire or a flood or an accident, imagine you have to now figure out all these different things. You don’t want to be doing that at the time. And a lot of the time, it’s too late to do some of it. So, you want to operate when there’s no panic, when there’s no chaos, before that happens. You know, get the smoke detector, get the fire extinguisher, and know what the plan is, in order to be able to have a much better time when it does happen. Because today, as Ray said, it’s not a question of if, it’s when. And now, it’s about surviving, letting the business survive after the event, minimizing that risk so that business operations can continue.|
|Douglas:||The chances of companies continuing after a significant event today, without pre-planning or any of these things in place, are in the single digits in the 6 months to 12 months [unsure word 19:23]. The slide I’m showing right now is just a little zoomed in. We’ve seen this additional attestation on some of the applications about multifactor, and Ray talked about that. Multifactor is one of the number one mitigating factors today to reduce your risk. And now, carriers are actually asking you to attest what type of multifactor you have deployed on all your critical systems. So, as he mentioned, if you’re not, and I’m speaking to the principals of organizations, because what I see less today, but in the last couple of years I saw often, is that the principals aren’t even aware that these forms are getting completed sometimes. And they need to be completed accurately so that you can make sure that your policy is going to be in full force. So, as Ray mentioned, if you’re not filling them out accurately, the carrier might come back and say, ‘Hey, you told us you had this security in front of the VPN or the multifactor. And if that’s not the case, you may have a problem getting the full services that you do’. Just to review a couple of things that you can do to mitigate, this is just a quick cheat sheet, and a couple of quick things. I’m not going to talk about every single one. Most frameworks today suggest that every company should designate a security officer in the organization who kind of drives it and is responsible for these things. A security officer would basically set up recurring security meetings where you’re talking about: where is the risk to the organization? What can we do to mitigate that risk? Think about security the same way you think about your website. You don’t design and build a website once and then it’s done forever. Google doesn’t like that. They like to see iterative changes and that it’s alive and fresh. The same thing goes for security.|
|Douglas:||Security is not a product, and it’s not a one-time situation. It is a journey, and it’s a continual iterative process. So, that security officer would just keep that moving. We highly recommend that it is a C-level person in the organization. That doesn’t mean that they have to do everything; they just have to be the responsible party that is making sure things are moving forward. We talked about multifactor. Today, it is probably the number one actual step you can take to make sure that things are secured, by multifactor authentication. We say multifactor everything. If something exists; if your bank has multifactor, well, you should make sure your bank has multifactor. But every system, so every critical business system that stores any kind of client information, communication, or data should be secured. And that’s pretty much every system. A lot of people don’t know that when a breach occurs, you typically don’t know of the breach until it’s been a little while. So, what happens in the background during a breach? Initially, there’s a package that gets deployed. And what happens is, usually the hackers now, today, exfiltrate. Meaning, they copy all of your data off before they raise a flag and say that they’re there, or give you a prompt or ransomware. So, when Ray was talking about notifying clients, there are notification laws in play now that multiple different types of organizations need to notify their clients anytime that there’s been a breach of that data. The reason is that that data could already be copied. You know, sometimes people say, ‘Oh, we had a breach, I think somebody’s email, you know, it was compromised, but we cleaned it up. It’s all taken care of now’. But in the meantime, between the time that that started and you knew about it, they’ve already copied every email in that inbox. And what happens is, they’re going to go out and send copies to other clients. So now, you have reputational damage, as well as data that might have been exposed.|
|Douglas:||So, that’s why the multifactor, protecting every account as much as you can to avoid that, is probably the best thing you can do. The next is security assessments and tabletop exercises, which somewhat go hand in hand. Security assessments, as Ray talked about, have a third party come in and look at it so that you know. Because this stuff is complex, and it is changing day by day; the whole industry is evolving. It’s constantly changing, and we see the industry, we see the insurance industry, responding to those evolutions. So, you need to be working with somebody that works on security full time. Because just like you can’t be the expert in every single thing, bring in experts to work on that and give you an idea. You know, it’s the same with medical professionals today. You go to the doctor, and you have your general, and then there are all these specialties. And even security is starting to be broken up into those specialties. So, tabletop exercises are along the same lines, once you have that assessment. The tabletop exercise is a C-level exercise you can do with your leadership team. Sit down and get in a room, spend some time, and just go through, as Ray talked about earlier, that real-world scenario of a breach that just occurred, or you just became aware of the breach. Now, what happens in the organization? What do you do? Who do you talk to? What is your plan? How do you get out of that burning building? How do you put the fire out? How do you recover? Having that discussion, you know, once or twice a year, and reviewing what you have put in place, is going to make a huge difference for after. Because it’s not about 100% avoiding it; it’s about how you respond, and how you survive the after impact. So one other thing, you know, all of this is really, in a nutshell, building a culture of security. And that’s what it takes today. We’re in a battle right now. And, you know, this is a war. It’s not a static war; this stuff is changing, and it needs to be responded to.|
|Douglas:||But honestly, most companies are far below where they need to be. And unfortunately, they find out when it’s too late. So, save yourself, put the smoke detector in now, have a plan, and build a culture of security that’s going to help you the best. So, I think we’ll jump to the Q&A now, and I think there have been a couple of questions. If you have a question, you can throw it in the chat or send it in to Ray or myself, and we’ll go back and I’ll go through a couple of the questions that we’ve gotten.|
|Raymond:||While we’re waiting for that, so the MFA, that’s statistically proven to be in the high 90 percentile of…|
|Raymond:||So, that is of extreme importance so I just want to drive that home.|
|Raymond:||Because, multifactor everything. Multifactor everything because that’s your biggest line of defense.|
|Raymond:||So we touched on earlier about phishing. Alright, phishing is probably the way that they’re going to get in too. They’re going to test your employees, they’re going to get this email that somebody in your organization clicks on, and allows them to come in. And from there, they’re going to go in and start to embed themselves in there. So employee training, there are programs and vendors that provide training to your employees, and they’re out phishing to catch your employees, but it’s on the safe side. And then you can offer additional training to people who fail the phishing test. But those are some really good things that you can do proactively to avoid an incident.|
|Douglas:||Yeah. And I’ll just speak about the multifactor. I don’t know if people heard about this, but it was a pretty widespread breach. Recently, Uber was hacked. And Uber used multifactor authentication on their internal systems. And a lot of people don’t know that there’s a new level of multifactor out there that has an additional challenge. So, we’ve used it, we’ve used it probably for about a year. Everybody’s used to getting the multifactor, you know, probably getting the SMS or the text code where they have to enter 4 digits, and this is what Uber had in place. But the hackers were able to overcome that multifactor because they were able to intercept that text or that SMS. And the new layer of multifactor that is being recommended by the National Institute of Standards, which is a group that’s worked in concert with the Department of Homeland Security, they have a NIST cybersecurity framework that is pretty much the national standard now that is recommended. They’re pushing that the new level of multifactor is a multifactor with challenge, which is you discreetly get a number, like a 2-digit number, popping up on your phone so that they know that you’re the only one that can see that message, that 2-digit number, and then you can get the actual code only if you can answer that challenge. So, it’s an additional layer, and it’s unfortunate, but things continue to move pretty quickly for those that want to stay secure.|
|Raymond:||I just want to thank everybody today for your time. Hopefully, you found it very enlightening and a beneficial use of your time. Everybody’s busy during the day, and you took time to spend it with us. So, we very much appreciate that. Again, our information is posted there. If anybody has anything they’d like to continue discussing, or to address something specific to your own need, please reach out to us, and we’ll be happy to have that conversation with you. So for now, take care, enjoy your day, and be well. Thanks for joining.|
|Douglas:||Thanks, everybody. Take care.|