Cybersecurity Video Resources
Enhancing Cybersecurity with the Federal Reserve
(SPEECH)
[UPBEAT MUSIC]
(DESCRIPTION)
Text: How is the Federal Reserve helping businesses and organizations enhance their cybersecurity? A man sits in an event space near a panelist table, wearing a dark suit jacket and purple tie. Text: Matt Davies, Assistant Vice President, Payments Outreach, Federal Reserve Bank of Dallas.
(SPEECH)
MATT DAVIES: We provide financial services to banks and credit unions. And our mission in payments is to ensure the safety, the efficiency, and the accessibility of the payment system. So we look at payments and cyber really are so inextricably linked right now because a lot of the motivation for cyber crime is financial, they're trying to get at the money.
So really, it's in the best interest of the Fed as far as protecting the payment system to be out in front of banks, credit unions, and businesses, talking about some of the issues in cyber right now. [AUDIO LOGO]
(DESCRIPTION)
Text: Travelers Institute (registered trademark). Travelers. TravelersInstitute dot-org.
(SPEECH)
PRESENTER: Learn more at travelersinstitute.org.
Cybersecurity Response Plan
(SPEECH)
[UPBEAT MUSIC]
(DESCRIPTION)
Text: What is the benefit of having a cybersecurity response plan already in place?
(SPEECH)
SIAN SCHAFLE:
(DESCRIPTION)
Sian Schafle -- Partner, Data Privacy and Network Security, Mullen Coughlin LLC.
(SPEECH)
The benefit of having a response plan prior to the breach is that you've already decided who you're going to work with, how you're going to facilitate your team, and what you're going to be doing. So the time that it takes within that first 48 hours after discovering an incident, you don't have to spend identifying which breach codes you'll work with, which forensics vendor you'll work with. And those vendors that you've already selected as part of your response team are going to have familiarity with your company, your business, the type of data you store, the architecture of your network and your technical environment. All of these things will help cut down the time that it will take to respond to the incident.
[AUDIO LOGO]
(DESCRIPTION)
Logos: Travelers Institute (registered trademark), Travelers. Text: TravelersInstitute.org.
(SPEECH)
NARRATOR: Learn more at travelersinstitute.org.
Cyber insurance coverage
(SPEECH)
[SOFT MUSIC]
(DESCRIPTION)
Text: What risks do cyber insurance policies cover? Tim Francis. Vice President, Enterprise Cyber Lead, Travelers. Tim stands facing us in front of a building's columns, wearing a suit.
(SPEECH)
TIM FRANCIS: Cyber policies can cover lots of risks. Most critically, most importantly, they're primarily focused on issues related to data breach or breach and compromise of personally identifiable information. So when that happens, a company not only might face a lawsuit by a claimant, whether that be a group of customers or potentially even employees whose identity information has been compromised, but there's a host of what we call first-party coverages, which is figuring out how bad guys got in the system, what information they've seen. That can be very costly and require experts that need to be brought in by the insurance provider.
[AUDIO LOGO]
(DESCRIPTION)
Text: Travelers Institute (registered trademark). Logo: Travelers. Text: TravelersInstitute.org.
(SPEECH)
PRESENTER: Learn more at travelersinstitute.org.
Preventing cyber attacks
(SPEECH)
[MUSIC PLAYING]
(DESCRIPTION)
Text: What is the role of a data privacy lawyer? A man in a suit sits in an office. Text: David Clark. Senior Claims Counsel, Major Case Unit, Specialty Insurance, Travelers Canada.
(SPEECH)
DAVID CLARK: If there's any possibility that there's been data stolen or compromised in some way, I'm going to recommend that you work with a data privacy lawyer. This is someone who's got specialty training in the area. They understand the laws, the regulations. They have relationships with the regulators. They know how to approach them.
And they're going to start to run the investigation for you. That phone call is immediately after the one we've just had. It can be an hour or two hours sometimes. They're going to dig into all kinds of things. They're going to be asking questions, particularly about things you may not be thinking about. And this is a common theme. People call and they say, we think it's this and it's that, but it's so much more.
[AUDIO LOGO]
(DESCRIPTION)
Logos: Travelers Institute (registered trademark). Travelers. Text: TravelersInstitute.org.
(SPEECH)
ANNOUNCER: Learn more at travelersinstitute.org.
Cyber Extortion
(SPEECH)
[MUSIC PLAYING]
(DESCRIPTION)
Text: What is cyber extortion? A man wearing a suit sits in an office. Text: Ben Hunter. Technology Segment Managing Director, Travelers Canada.
(SPEECH)
BEN HUNTER: You look at something like ransomware, that really didn't play a huge part in cybersecurity or cyber exposures a few years ago, that's become a preeminent exposure. And there you have a type of software that essentially encrypts data and doesn't allow users to get at that data until you utilize an encryption key.
Secondarily, the method of payment is Bitcoin, a peer-to-peer currency that can be virtually untraceable. So there you have something that only a few years ago didn't exist. And now is one of the most preeminent exposures small and medium sized business faces.
[AUDIO LOGO]
(DESCRIPTION)
Logos: Travelers Institute (registered trademark). Travelers. Text: TravelersInstitute.org.
(SPEECH)
ANNOUNCER: Learn more at travelersinstitute.org.
Preparing for a Cyber Event
(SPEECH)
[MUSIC PLAYING]
(DESCRIPTION)
Text: How can organizations prepare for a cyber event? A man wearing a suit sits in an office. Text: Victor Beitner. Founder and CEO, Cyber Security Canada.
(SPEECH)
VICTOR BEITNER: The most important thing is to plan. Plan because it is an eventuality. Go through a potential incident. What's involved in having the legal, if it's large enough, they may need PR in it. They should also know what's critically important is what are they protecting. What do they have to lose? So, it's all their crown jewels, which would be the data today. That's what everyone's after. So you've got to plan. You have to know what you have to protect. And that's all part of planning.
[AUDIO LOGO]
(DESCRIPTION)
Logos: Travelers Institute (registered trademark). Travelers. Text: TravelersInstitute.org.
(SPEECH)
ANNOUNCER: Learn more at travelersinstitute.org.
The Role of a Cyber Breach Coach
(SPEECH)
[MUSIC PLAYING]
(DESCRIPTION)
What is the role of a cybersecurity breach coach? A woman sits in front of a stock exchange backdrop wearing a striped blazer. Text: Jennifer Coughlin, Founding Partner, Mullen Coughlin.
(SPEECH)
JENNIFER COUGHLIN: An organization should engage a cyber breach coach prior to experiencing a cyber event to assist in identifying the risks the organization faces to its information systems and data, to identify what data the organization has, where and how it is stored and collected, and who has access to it, and what the organization will do if it does experience a cyber event.
[AUDIO LOGO]
(DESCRIPTION)
Text: Travelers Institute (registered trademark). Travelers. TravelersInstitute dot-org.
(SPEECH)
ANNOUNCER: Learn more at Travelersinstitute.org.
Cyber Readiness: Prevention & Response
(SPEECH)
[MUSIC PLAYING]
(DESCRIPTION)
Text: How can an organization prepare for and recover from a cyber incident? A man in a suit faces us with computer charts behind him. Text: Art House. Chief Cyber Security Risk Officer, State of Connecticut.
(SPEECH)
ART HOUSE: Prevention and recovery are quite different sports, I must say. So to prevent, you have to have a corporate culture. You have to understand what the threats are. You have to have good cyber habits. And they have to go through the entire organization from the top to the bottom, including everyone. So I would say to prevent, understand what could go wrong, and understand what each individual needs to do to prevent that from happening.
Recovery is an entirely different thing, and we don't ever want to have to recover, but we have to understand what would happen if there were a cyber incident. And then you have to rehearse that plan. You have to absolutely take some time off and say, OK, let's just postulate that today we were attacked, and the following things have happened. What would we all do so that if it does happen, it's not a surprise. We've already thought through the consequences and things we can do to recover.
[AUDIO LOGO]
(DESCRIPTION)
Logos: Travelers Institute (registered trademark). Travelers. Text: TravelersInstitute.org.
(SPEECH)
ANNOUNCER: Learn more at Travelersinstitute.org.
Misperceptions about Cyber Risk
(SPEECH)
[MUSIC PLAYING]
(DESCRIPTION)
Text: What are the biggest misperceptions small businesses have about cyber risks? A man in a suit faces us with computer displays behind him. Text: Jay Vadiveloo. Director, Goldenson Center for Actuarial Research, UConn.
(SPEECH)
JAY VADIVELOO: Small businesses, their perception is that cyber risk is a large business problem. Doesn't really impact them. That's the first misperception. The second misperception is that if they ever get hit with any kind of a cyber breach, they are adequately prepared to face it.
Well, they are wrong on both counts. There's statistics which say that more than 50% of cyber breaches occur with small businesses, and many small businesses are totally inadequate on how to face a major cyber breach.
[AUDIO LOGO]
(DESCRIPTION)
Logos: Travelers Institute (registered trademark). Travelers. Text: TravelersInstitute.org.
(SPEECH)
ANNOUNCER: Learn more at travelersinstitute.org.
U.S. Small Business Administration Resources
(SPEECH)
[MUSIC PLAYING]
(DESCRIPTION)
Text: How does the U.S. Small Business Administration help businesses succeed? A woman wears a red-orange blazer with black trim, standing near an abstract art piece. Text: Anne Hunt, District Director, U.S. Small Business Administration, Connecticut District Office.
(SPEECH)
ANNE HUNT: We are the federal Small Business Administration, a federal agency that can help people with their business, expand their business. If they're having some issues, they can come to us. We have counseling services. We have capital for small businesses. We have contracting opportunities. So sba.gov, the best email address in town for them to be aware of.
[AUDIO LOGO]
(DESCRIPTION)
Anne holds up a piece of literature titled, Resource Guide for Small Business. Text: Travelers Institute (registered trademark). Travelers. TravelersInstitute dot-org.
(SPEECH)
ANNOUNCER: Learn more at Travelersinstitute.org.
Responding to a Cyber Incident
(SPEECH)
[MUSIC PLAYING]
(DESCRIPTION)
Text: How can organizations respond to a cyber incident? A man in a suit faces us in an office. Text: Will Rasmussen. Director, Brunswick Group.
(SPEECH)
WILL RASMUSSEN: What we've found in the 72 hours after a cyber incident, a breach, is uncovered, it's really a fog of war situation. It can be very disorienting for many companies. So, most important thing is to plan in advance, to have a plan that you've developed with all your key internal constituents, and actually test it so that the organization feels comfortable with it.
A cyber incident, you're going to get a lot of people in the room that are often unused to working with each other. So human resources, legal, IT, communications, these people often almost speak different languages. So you want to really define when each person is going to need to take an action and what exactly they're going to do.
[AUDIO LOGO]
(DESCRIPTION)
Logos: Travelers Institute (registered trademark). Travelers. Text: TravelersInstitute.org.
(SPEECH)
ANNOUNCER: Learn more at Travelersinstitute.org.
Engaging a Breach Coach
(SPEECH)
[MUSIC PLAYING]
(DESCRIPTION)
Text: What is a breach coach? A man wearing a suit stands in an office. Text: Dominic Paluzzi. Member and Co-Chair, Data Privacy and Cybersecurity Practice, McDonald Hopkins.
(SPEECH)
DOMINIC PALUZZI: So a breach coach is privacy counsel, attorneys that specialize in incident response and breach response work. We know who to call and when to call. And most important is that an insured puts their carrier and their broker on notice, and then they engage a breach coach, because everything really evolves from the breach coach.
We engage the service providers on that insured's behalf, specifically forensics, so that we can cloak all that with the attorney-client privilege. Breach coaches quarterback the whole response process. So we figure out does that client actually have an incident or does it actually rise to the level of a breach where we have to give notice to affected individuals and regulators. And breach coaches help clients through that process.
[AUDIO LOGO]
(DESCRIPTION)
Logos: Travelers Institute (registered trademark). Travelers. Text: TravelersInstitute.org.
(SPEECH)
ANNOUNCER: Learn more at travelersinstitute.org.
U.S. Department of Justice’s Cyber Resources
(SPEECH)
[MUSIC PLAYING]
(DESCRIPTION)
Text: What cyber resources does the U.S. Department of Justice offer? A man wearing a suit sits in an office. Text: Josh Goldfoot. Principal Deputy Chief (Acting), Computer Crimes and Intellectual Property Section, Criminal Division, U.S. Department of Justice.
(SPEECH)
JOSH GOLDFOOT: Well, through the Justice Department, we've created a couple resources that organizations can access to help themselves improve their own cybersecurity. The biggest of them is a manual that we've published, which is available on our website at cybercrime.gov. That's called the best practices for responding to cyber incident. That talks both through how you would respond to one of these incidents should it occur to you and also some of the steps you can take in advance to protect your business.
[AUDIO LOGO]
(DESCRIPTION)
Logos: Travelers Institute (registered trademark). Travelers. Text: TravelersInstitute.org.
(SPEECH)
ANNOUNCER: Learn more at travelersinstitute.org.
Insurance Carriers and Cybersecurity Education
(SPEECH)
[SOFT MUSIC]
(DESCRIPTION)
Text: How do insurance carriers help educate businesses about cybersecurity? David Lavergne. Regional President, Travelers. David wears a gray suit and stands in front of a panel table in an empty conference room.
(SPEECH)
DAVID LAVERGNE: Insurance companies-- our industry plays an important role in many ways. I think first is helping businesses of all sizes understand the actual risk itself of cyber risk. I think, secondly, it's to help prepare businesses to help value the risk itself. All too often, businesses overestimate what their insurance program will pay in the event of a cyber attack and underestimate the exposure they have to the risk itself. And then lastly, I think as working with independent agents and brokers, we can help provide a plan to help them mitigate those risks and any risk that they face.
[AUDIO LOGO]
(DESCRIPTION)
Logos: Travelers Institute (registered trademark). Travelers. Text: Travelersinstitute.org.
(SPEECH)
PRESENTER: Learn more at travelersinstitute.org.
Cybersecurity and Independent Insurance Agents
(SPEECH)
[MUSIC PLAYING]
(DESCRIPTION)
Text: How do independent insurance agents and insurance carriers help customers manage cybersecurity risks? A man wearing a suit stands in a conference room. Text: Chris Noble. Regional Vice President, Bond and Specialty Insurance, Travelers.
(SPEECH)
CHRIS NOBLE: Independent insurance agent represents a number of companies. And they can match and manage a relationship to get the coverage for the customer that best fits their needs, be it a very sophisticated customer or small customer with just a few computers.
Post breach, we're contracted with a number of what we call breach coaches. And once they're contacted, they will reach out to a customer within 24 hours and allow them to establish an order of priority as far as what they need to do.
[AUDIO LOGO]
(DESCRIPTION)
Logos: Travelers Institute (registered trademark). Travelers. Text: TravelersInstitute.org.
(SPEECH)
ANNOUNCER: Learn more at travelersinstitute.org.
Cybersecurity for the Entrepreneur
(SPEECH)
[MUSIC PLAYING]
(DESCRIPTION)
Text: Why do entrepreneurs need to care about cybersecurity? A woman wears a black blazer in front of a shifting digital blue backdrop. Text: Nicola Corzine, Executive Director, Nasdaq Entrepreneurial Center.
(SPEECH)
NICOLA CORZINE: Cybersecurity has become really a hotbed for every entrepreneur to be concerned about these days. There isn't an industry out there where cybersecurity isn't really a topic of worry, of concern. The issue of trust is questionable on a good day for a lot of startups.
Losing that trust component early on in their period of time coming into market is just a point of no return. If they are not able to succeed in owning this field, then the chances of them being able to be a viable company for the long run really is an issue.
[AUDIO LOGO]
(DESCRIPTION)
Text: Travelers Institute (registered trademark). Travelers. TravelersInstitute dot-org.
(SPEECH)
ANNOUNCER: Learn more at Travelersinstitute.org.
Enhancing Cybersecurity
(SPEECH)
[GENTLE MUSIC]
EDDIE CHANG: The most important thing for businesses to do is know thyself. In fact, it's the first guidepost in the manual, which is to know your data, know your systems, and to know your network. And the reason that's important is because when you know where your data is, where it's being sent, and how it's being used, you'll be able to determine what are the necessary and appropriate cybersecurity controls to put into place.
It's not possible for a business to implement every possible cybersecurity control. And by having an understanding of where your data is and what it's being used for, you can choose which ones to implement.
(DESCRIPTION)
Travelers Institute, Registered.
(SPEECH)
PRESENTER: Learn more at travelersinstitute.org.
(DESCRIPTION)
Logo: Travelers.
Cybersecurity and your Leadership
(SPEECH)
[MUSIC PLAYING]
(DESCRIPTION)
Text: How should an organization's leadership engage on cybersecurity? A man sits in front of a shifting blue backdrop, wearing a tan suit jacket. Text: Joe Voje, Chief Information Security Officer, City and County of San Francisco.
(SPEECH)
JOE VOJE: Educate your leadership, have frequent meetings with your leadership, and articulate the risk in business terms to them. If you can get your leadership on board, you'll find that you'll have easier times when it comes to budget asks. When you have controversial initiatives that the business may not see as serving some of their core deliverables. So having those frequent and meaningful conversations with leadership is the easiest way to get buy-in and advance your program.
[AUDIO LOGO]
(DESCRIPTION)
Text: Travelers Institute (registered trademark). Travelers. TravelersInstitute dot-org.
(SPEECH)
ANNOUNCER: Learn more at Travelersinstitute.org.
Cybersecurity Risk
(SPEECH)
[MUSIC PLAYING]
(DESCRIPTION)
Text: What makes a business more attractive for a cyber attack? A woman in gold hoop earrings sits in front of a shifting blue backdrop that reads, Cyber. Text: Alexa King, Executive Vice President, General Counsel, Corporate Secretary and Chief Compliance Officer, FireEye.
(SPEECH)
ALEXA KING: Cyber attacks vary much more based on industry, based on the type of information that your company has, whether it's its own information or information related to its customers, for example, and what the bad guys want at that moment in time.
It also varies depending on how your vulnerability is perceived by the bad guys. So rather than focus on the size of a company, I focus on what's the industry, what's the vulnerability, what's the information that the bad guys might be seeking and go from there.
[AUDIO LOGO]
(DESCRIPTION)
Text: Travelers Institute (registered trademark). Travelers. TravelersInstitute dot-org.
(SPEECH)
ANNOUNCER: Learn more at Travelersinstitute.org.
Steps for Businesses Post Cyber Attack
(SPEECH)
[UPBEAT MUSIC]
(DESCRIPTION)
Text: What steps should a company take immediately after a cyber attack?
John Mullen, Managing Partner, Mullen Coughlin LLC.
(SPEECH)
JOHN MULLEN: The internal aspect is going to be important for a company. They need to have internal assurances that when an event happens somewhere down low in the company, that it will trickle up to the people who are tasked with figuring out what to do next. Because if you have a problem on a Tuesday and the bosses don't hear about it till the following Friday, a week and a half went by. So first of all, make sure that's the case.
And then you get on the horn with us. Sometimes we're accessed, like I said, through your policy. Sometimes it's the broker who puts us on the phone with you. There's any number of ways, but you get on the phone with the people who do it for a living and then we take you from there.
[AUDIO LOGO]
(DESCRIPTION)
Text: Travelers Institute (registered trademark). Travelers. TravelersInstitute.org.
(SPEECH)
NARRATOR: Learn more at travelersinstitute.org.
Cybersecurity Education Initiative
(SPEECH)
[MUSIC PLAYING]
(DESCRIPTION)
Text: What is the Travelers Institute (registered trademark) cybersecurity education initiative? A woman wearing a suit stands in a foyer. Text: Joan Woodward. President, Travelers Institute, Executive Vice President, Public Policy, Travelers.
(SPEECH)
JOAN WOODWARD: The Travelers Institute new cybersecurity initiative was launched because we saw in the marketplace generally, small businesses, medium-sized businesses really struggling to deal with cybersecurity challenges that they're facing.
And it's a threat that's really unknown by a lot of business owners. And so we've seen a lot of cyber incidents in the national economy. And we want to share our expertise with business owners to try to help them get cyber smart.
[AUDIO LOGO]
(DESCRIPTION)
Logos: Travelers Institute (registered trademark). Travelers. Text: TravelersInstitute.org.
(SPEECH)
ANNOUNCER: Learn more at travelersinstitute.org.
Cyber Incident Communications
(SPEECH)
[MUSIC PLAYING]
(DESCRIPTION)
Text: How should organizations communicate with their employees about cyber incidents?
(SPEECH)
SIOBHAN GORMAN:
(DESCRIPTION)
Siobhan Gorman, Director, Brunswick Group.
(SPEECH)
Most companies actually look for a way to not have to communicate about a cyber attack. And so what's important is to make sure that you are handling it in a way that is consistent with your corporate culture. And so if you have an open corporate culture, then you really need to strongly consider whether or not you should be sharing that with your employees.
If their expectation is that you'd share that information, then that's probably something that you need to do. But you need to do it in a way that is going to put out the most accurate information and isn't going to create misimpressions about what happened, because these are highly technical, highly nuanced situations. And often over time, you may learn a more complete picture. And initially you really only have a fraction of a sense of what's going on.
(DESCRIPTION)
Logos: Travelers Institute (registered trademark), Travelers. Text: TravelersInstitute.org.
(SPEECH)
ANNOUNCER: Learn more at Travelersinstitute.org.
Enhancing Cybersecurity
(SPEECH)
[SOFT MUSIC]
(DESCRIPTION)
Text: What is one thing organizations can do to enhance their cybersecurity?
Brett Leatherman, Assistant Section Chief, Cyber Division, Federal Bureau of Investigation.
(SPEECH)
BRETT LEATHERMAN: One of the largest mistakes organizations make, especially those small to medium and even large organizations, is the lack of focus on detection capability. We focus a lot on prevention and making sure we stop the adversary at our perimeter. But we don't focus enough on looking at what's happening inside our network. What traffic is coming in? And more importantly, many times, what traffic is going out? Is that traffic good traffic, bad traffic? What is the usual behavior on our network? And how do we identify anomalies to the usual behavior on both endpoints and on the network itself? So I think organizations really have to focus more on detection in addition to prevention and not solely focus on prevention.
[AUDIO LOGO]
(DESCRIPTION)
Travelers Institute (Registered Trademark), Travelers. TravelersInstitute.org.
(SPEECH)
PRESENTER: Learn more at travelersinstitute.org.
Steps to Improve Cybersecurity
(SPEECH)
[MUSIC PLAYING]
(DESCRIPTION)
Text: What is one thing a business can do to enhance its cybersecurity?
(SPEECH)
JOHN ESPOSITO:
(DESCRIPTION)
John Esposito, Regional President, Brown & Brown Insurance of Arizona.
(SPEECH)
The one thing that they could do is bring in an outside expert that would come in and test their computer systems and then give them recommendations on what they think they could improve on. But some business owners don't want to spend the resources on that. So some of them might be a little bit more economical. They could pay dividends. Would be to buy an antivirus or anti-spyware system and install it on every computer-- and not just install it, but make sure that it's updated with the latest patches.
(DESCRIPTION)
Text: When it comes to cybersecurity, what is the role of an independent insurance agent?
(SPEECH)
I think our role is twofold. I think one, it's to point out that they actually have an exposure, make them aware of it. And then once they're aware, it's to talk them through how they can mitigate that risk-- but not really just saying that buy an insurance policy or procuring one is the solution. In fact, that should be the last solution. There are many steps they should take before buying the insurance policy. And once they've taken those steps, then buying the policy then covers them if something does break and an accident does occur.
[AUDIO LOGO]
(DESCRIPTION)
Logos: Travelers Institute (registered trademark), Travelers. Text: TravelersInstitute.org.
(SPEECH)
NARRATOR: Learn more at travelersinstitute.org.
Cybersecurity Resources
(SPEECH)
[MUSIC PLAYING]
(DESCRIPTION)
Text: What is the National Institute of Standards and Technology and how does it help businesses with cybersecurity? www.nist.gov. A man in a suit faces us in a foyer. Text: Peter Thomas. Chief Technology Officer, Blue Lance.
(SPEECH)
PETER THOMAS: The National Institute of Standards is a federal agency that provides guidelines on information technology. And they have different frameworks, different publications that help organizations protect information in their networks.
They recently published the Cybersecurity Framework, which provides five steps, identification, protection, detection, recovery, and response, as core elements that any organization can craft to mitigate and limit data breaches.
[AUDIO LOGO]
(DESCRIPTION)
Logos: Travelers Institute (registered trademark). Travelers. Text: TravelersInstitute.org.
(SPEECH)
ANNOUNCER: Learn more at Travelersinstitute.org.
Cybersecurity Resources
(SPEECH)
[MUSIC PLAYING]
(DESCRIPTION)
Text: Where should businesses turn for cybersecurity resources? A man sits in an office building wearing a dark suit and blue tie. Text: www dot infragard dot-org. Jason Ritchie, Assistant Vice President, Bank Administration, Federal Reserve Bank of Dallas, Houston Branch.
(SPEECH)
JASON RITCHIE: I would advise people to go to infragard.org. That is a free tool. All you have to do is apply. They do a background check on each individual, and you have free access to information and access to report cyber crimes and theft. It's a great resource for any organization to tackle, especially because of the low cost.
[AUDIO LOGO]
(DESCRIPTION)
Text: Travelers Institute (registered trademark). Travelers. TravelersInstitute dot-org.
(SPEECH)
ANNOUNCER: Learn more at Travelersinstitute.org.
Creating a Cybersecurity Culture
(SPEECH)
[SOOTHING MUSIC]
(DESCRIPTION)
Text: How do you create a culture of cybersecurity?
Michael Echols, Director, Joint Program Management Office, Office of Cybersecurity and Communications, US Department of Homeland Security. Michael, wearing a suit and tie, is seated outdoors speaking to us.
(SPEECH)
MICHAEL ECHOLS: A cybersecurity culture is created first by having discussions. The lowest of your employees in terms of their level need to understand that they affect the company and that everyone in the company plays a role in assuring that the company exists three months from now, six months from now, nine months from now.
Previously, it was, how many sales do we make? Now it's a matter of, are you leaving the door open for someone to come in and essentially dissolve our business?
[AUDIO LOGO]
(DESCRIPTION)
Logos: Travelers Institute (registered trademark), Travelers. Text: Travelersinstitute.org.
(SPEECH)
ANNOUNCER: Learn more at travelersinstitute.org.
Emerging Cybersecurity Risks for Businesses
(SPEECH)
[UPBEAT MUSIC]
(DESCRIPTION)
Text: What cybersecurity risks do businesses fail to recognize?
Bill Detwiler, Managing Editor, TechRepublic.
(SPEECH)
BILL DETWILER: One of the things that people really are just starting to think about or aren't thinking about is the Internet of Things and the security vulnerabilities that exist in all these devices now that are going to be connected to the network, from your smart toaster, your smart home appliance, your watch, your television. All of these devices are basically connected to the internet in some way, shape, or form. They may have cameras on them. They may have speakers in them.
And those devices can be entry points onto your network. They can also help people exfiltrate data from your executives, from your employees, from your customers, from your clients. And so it's really important that as you think about security, you think about every device that's connected to your network, not just the laptops, not just the smart phones, not just the desktops, but it's everything that could come onto your network.
[AUDIO LOGO]
(DESCRIPTION)
Text: Travelers Institute (registered trademark). Travelers. TravelersInstitute.org.
(SPEECH)
NARRATOR: Learn more at travelersinstitute.org.
The Nature of a Cybersecurity Claim
(SPEECH)
STEVE BROWN: Cyber claims are very complicated claims, and their complications range from the damage to the business itself, the damage financially as well as to its equipment and hardware, and then the damage to their reputation. So what businesses have to focus on is, how do we solve the problems quickly, how do we educate the public, and how do we make it so it isn't our reputation that's at risk, it's just a problem, as in the course of business, that we can solve together.
(DESCRIPTION)
Travelers Institute, Registered, Travelers.
(SPEECH)
SPEAKER 1: Learn more at travelersinstitute.org.
(DESCRIPTION)
Travelersinstitute.org.
The High Stakes of a Cyber Incident
(SPEECH)
[UPBEAT MUSIC]
(DESCRIPTION)
What is at stake for businesses after a cyber incident? A man wears a dark suit in front of a window. Leafy green and purple trees stand outside. Text: Jeffrey Klenk, Executive Vice President, Management Liability, Travelers.
(SPEECH)
JEFFREY KLENK: For companies of all sizes, what's at stake in the event of a cyber breach or incident could potentially be the business itself. Whether it's a small to mid-sized company that maybe can't afford the millions of dollars that these incidents can unfortunately cost an insurer to deal with, all the way up to the largest of organizations, many of which have been in the news with high profile breaches or situations where customer information has been breached.
They take a serious brand hit if they don't effectively manage a situation and protect their client's information and the safety of their systems. The brand hit that they can take can also be a serious hit to their balance sheet. So again, not to put too fine a point on it, the very existence of the company could be at stake. That's why I think cybersecurity and preparation is one of the utmost strategic issues facing companies of all sizes today.
[AUDIO LOGO]
(DESCRIPTION)
Text: Travelers Institute (registered trademark). Travelers. TravelersInstitute dot-org.
(SPEECH)
PRESENTER: Learn more at travelersinstitute.org.
Improving Your Cybersecurity
(SPEECH)
[MUSIC PLAYING]
(DESCRIPTION)
Text: What can businesses do to enhance cybersecurity? A man wearing a suit stands in front of a window. Text: John Bruce. CEO and Co-Founder, IBM Resilient.
(SPEECH)
JOHN BRUCE: Good security is about the combination of three things. It's about the combination of prevention, detection, and response. And there's generally a fair old bit of prevention kicking around, lots of detection, hardly any response. So the one thing I would encourage everybody to do quickly as they can is think about how they're going to respond.
[AUDIO LOGO]
(DESCRIPTION)
Logos: Travelers Institute (registered trademark). Travelers. Text: TravelersInstitute.org.
(SPEECH)
ANNOUNCER: Learn more at travelersinstitute.org.
Preparing for a Cyber Threat
(SPEECH)
[MUSIC PLAYING]
(DESCRIPTION)
Text: What can businesses do to enhance cybersecurity? A man wearing a suit stands in front of a window. Text: Don Anderson. Senior Vice President & Chief Information Officer, Federal Reserve Bank of Boston.
(SPEECH)
DON ANDERSON: The one takeaway that I really hope people have, and it's something that we practice near and dear to our heart is preparedness, is going through and actually exercising that what-if scenario. So assume that the worst case scenario could happen to your organization, do you know what the important artifacts of the business that have to continue to maintain?
Do you know who the decision makers are? Do you know where your backups are? Do you know who your vendors are? Do you know who to call from law enforcement? That's something that we exercise multiple times a year up and down the organization to make sure we're prepared. And irregardless of whether your business is small or large, we hope that they're doing the same as well.
[AUDIO LOGO]
(DESCRIPTION)
Logos: Travelers Institute (registered trademark). Travelers. Text: TravelersInstitute.org.
(SPEECH)
ANNOUNCER: Learn more at travelersinstitute.org.
Cyber: Prepare, Prevent, Mitigate, Restore | Houston, Texas
(SPEECH)
[LIGHT MUSIC]
(DESCRIPTION)
We enter a Federal Reserve Bank Branch, an imposing brick building. Inside a hallway leading to the conference room, attendees mingle. A sign reads: Cyber. Prepare, Prevent, Mitigate, Restore. Travelers Institute (registered trademark). Welcome. Wednesday, May 11, 2016. 11:30 a.m. Registration and Networking. 12:00 p.m. Luncheon program.
(SPEECH)
[MUSIC INTENSIFIES]
(DESCRIPTION)
Staff hand out name tags. Attendees chat in small groups. A sign on a table reads, Cyber. Prepare, Prevent, Mitigate, Restore. Travelers Institute (registered trademark). Join the conversation on Twitter. @DallasFed. @FutureHouston. @Travelers. #HarnessRisk.
Text: Joan Woodward. President, Travelers Institute; Executive Vice President, Public Policy, Travelers.
(SPEECH)
JOAN WOODWARD: We at the Travelers Institute, which is the public policy think tank, again, educational arm of the very large Travelers Insurance company-- and what we talked about a number of times was business continuity planning and what you do after a disaster strikes. We talked about access to capital. And the last few years, we've really been talking more and more about cybersecurity.
JASON RITCHIE:
(DESCRIPTION)
Text: Jason Ritchie. Assistant Vice President, Bank Administration, Federal Reserve Bank of Dallas, Houston Branch.
(SPEECH)
Business email compromise, BEC. What this is someone-- a hacker, a criminal-- is posing as a very important person in the organization and has somehow either hacked that person's email or is spoofing their email and sending urgent emails to someone who might be able to send wire transfers to someone.
(DESCRIPTION)
Text: Edward Schreiber. Houston Region President, BancorpSouth/GEM Insurance Services, Inc.
(SPEECH)
EDWARD SCHREIBER: If you do nothing else, make sure that anyone in your organization who's in charge of sending money electronically does a verbal confirmation of any email change to any bank routing or any address routing.
(DESCRIPTION)
Text: Peter Thomas. Chief Technology Officer, Blue Lance.
(SPEECH)
PETER THOMAS: Think about password phrases. I don't see a lot of folks using phrases. If you use a phrase, it's easier to remember, and it's very hard to crack. So we're getting to situations where you can actually add long passwords and make it easier to remember.
(DESCRIPTION)
Text: Chris Hauser. 2nd Vice President, Travelers Risk Control, Cyber Program, Travelers.
(SPEECH)
CHRIS HAUSER: One of the things from an insurance perspective is we can be a trusted partner, a trusted advisor. Our claim professionals are working with some of the best computer forensic firms out there to help you figure out what happened during a breach. Also, some of the best law firms that are out there in terms of figuring out what legal ramifications could have occurred because of the loss of data or because of this particular cyber crime that impacted your company.
(DESCRIPTION)
Text: Travelers Institute (registered trademark). Logo: Travelers. Text: TravelersInstitute.org.
(SPEECH)
PRESENTER: Learn more at travelersinstitute.org.
Cyber: Prepare, Prevent, Mitigate, Restore | Washington, DC
(SPEECH)
[MUSIC PLAYING]
(DESCRIPTION)
Text: Travelers Institute (registered trademark) Cybersecurity Education Symposium, Washington, D.C.
A white stone office building with steps the width of the entrance.
An American flag flies on top.
A paper sign outside a room. Text: Cyber. Prepare, Prevent, Mitigate, Restore. Logos: Travelers Institute (registered trademark). Travelers. Text: Welcome. Friday, June 17, 2016. 11:30 a.m., Registration & Networking. 12:00 p.m., Luncheon Program. Join the Conversation on Twitter: Hashtag, HarnessRisk.
A domed ceiling in the room, surrounded by columns.
A table banner with the logos, Travelers Institute and Travelers.
People talk at round banquet tables in a meeting room.
A room sign on a wall: 345, Caucus Room.
(SPEECH)
JOAN WOODWARD:
(DESCRIPTION)
Joan Woodward, President, Travelers Institute; Executive Vice President, Public Policy, Travelers.
(SPEECH)
The mission of the Travelers Institute is to try to provide informational tools to small and medium-sized businesses, to the consumer. A really hot topic that we started to focus on significantly at our sessions is cyber security.
BRETT LEATHERMAN:
(DESCRIPTION)
Brett Leatherman, Assistant Section Chief, Cyber Division, Federal Bureau of Investigation.
(SPEECH)
Especially in the small to medium business environment, you can never 100% protect your environment from being compromised by a sophisticated adversary. It won't happen. I don't care how much money you spend.
What organizations have to do is start focusing additional efforts on detection capability. What's happening within your environment?
BEN EDSON:
(DESCRIPTION)
Ben Edson, Founder and CEO, VariQ.
(SPEECH)
The last thing you want to do is spend a lot of money as a business and securing your environment and then inviting all your friends to come collaborate with you to solve problems. And then all of a sudden, you're compromised through very trusted vendors or sometimes vendors that you haven't fully vetted to ensure that they have secure practices within their own organizations.
TIM FRANCIS:
(DESCRIPTION)
Tim Francis, Vice President, Enterprise Cyber Lead, Travelers.
(SPEECH)
We often get the question of, well, why would I be a target of one of these? I'm a small, midsize business. I'm in a fairly innocuous industry. Why are they after me?
Simply because you exist is a good enough reason. It's not a target in the traditional sense. 24,000 some odd ransom attacks a day are just-- they're after money, and they're after the path of least resistance.
JOHN MULLEN:
(DESCRIPTION)
John Mullen, Managing Partner, Mullen Coughlin LLC.
(SPEECH)
Email is where we usually see the social engineering exploitation, right? They trick you to click on the wrong thing. So if you focus on email, how to manage email, how to respond to different things on email-- and that, again, ties in mobile devices, it's all tied together-- that's where I see most entry points into systems are when employees make mistakes using email.
SIOBHAN GORMAN:
(DESCRIPTION)
Siobhan Gorman, Director, Brunswick Group.
(SPEECH)
What we found is that simply going through the process of developing a plan, and particularly a communications plan around cyber, helps everybody in an organization understand what role they would have to play and the fact that they would have a role to play. And it does offer the opportunity to sort that out in advance, in addition to, from a communications perspective, what actually you're going to say.
[MUSIC PLAYING]
(DESCRIPTION)
Logos: Travelers Institute (registered trademark), Travelers. Text: travelers institute dot org.
(SPEECH)
NARRATOR: Learn more at travelersinstitute.org.
Cyber: Prepare, Prevent, Mitigate, Restore | San Francisco, California
(SPEECH)
[LIGHT MUSIC]
(DESCRIPTION)
We enter the Nasdaq Entrepreneurial Center, a building with window walls. Attendees check in and get name tags. They sit at tables and mingle in the conference room. A sign reads, Cyber. Prepare, Prevent, Mitigate, Restore. Travelers Institute (registered trademark). Logo: Travelers. Text: Welcome. Thursday, September 8, 2016. 11:30 a.m. Registration and Networking. 12:00 p.m. Luncheon program. Join the conversation on Twitter. #HarnessRisk.
(SPEECH)
[MUSIC INTENSIFIES]
(DESCRIPTION)
A woman stands at a podium. Text: Joan Woodward. President, Travelers Institute; Executive Vice President, Public Policy, Travelers.
(SPEECH)
JOAN WOODWARD: Today we're releasing-- there's a news release in your packets-- Empowering Organizations to Tackle Cyber Threats. Now, there's about 25 pages in here. All content and information really talk about the threats your businesses face and the solutions, the easy solutions, that you should be really aware of. And then, of course, if you do have a minor or major cyberattack, you'll be prepared.
(DESCRIPTION)
Text: Bill Detwiler. Managing Editor, TechRepublic.
(SPEECH)
BILL DETWILER: Unless you're doing packet analysis, unless you're monitoring your network, unless you have intimate knowledge of how the systems are designed, you don't know that the data that you're-- every document that you scan isn't somehow being exfiltrated from your network with one of these multifunction devices. There's a lot of trust that has to happen, and depending on your situation, you have to make a judgment. It's all about risk management, making a judgment about how much you want to trust these devices.
(DESCRIPTION)
Text: Joe Voje. Chief Information Security Officer, City and County of San Francisco.
(SPEECH)
JOE VOJE: If you're a non-technical organization but you have IT staff, your IT staff is probably around 10% of your organization. And your cybersecurity function should probably be about 10% of your IT organization. That's a general rule of thumb.
You can go back and look at that. You can look at economy scales if you're a very large organization. But always consider that there is a cybersecurity function in everything that you do in IT.
(DESCRIPTION)
Text: Alexa King. Executive Vice President, General Counsel, Corporate Secretary and Chief Compliance Officer, FireEye.
(SPEECH)
ALEXA KING: There is no right answer, I think, for what a board should be doing on this topic. There's one very clear wrong answer, which is to do nothing. Clearly now the courts have said that it's part of a board member's fiduciary duties to include cybersecurity governance in his or her scope.
So, for sure, boards need to be involved. How they do that can vary from company to company.
(DESCRIPTION)
Text: Eddie Chang. Second Vice President, Cyber Risk Management, Travelers.
(SPEECH)
EDDIE CHANG: If a vendor has a vulnerability and they have access to your system, their vulnerabilities become your vulnerabilities. That's where the problem comes in. Because you don't have as much control over the vendors' computers as you have over your own employees' computers, and they have these complicated routes into your system.
(DESCRIPTION)
Text: Travelers Institute (registered trademark). Logo: Travelers. Text: TravelersInstitute.org.
(SPEECH)
PRESENTER: Learn more at travelersinstitute.org.