Cyber Readiness: 5 Critical Steps for Your Organization

(SPEECH)
[MUSIC PLAYING] 

(DESCRIPTION)
Text, Wednesdays with Woodward (registered trademark) Webinar Series. 

A laptop sits on a desk, surrounded by a coffee cup and a small plant. Text on the laptop screen, Wednesdays with Woodward (registered trademark) Webinar Series. Text, Travelers Institute (registered trademark). Travelers. Joan Woodward appears on a video call.

(SPEECH)
JOAN WOODWARD: Good afternoon, everyone. And thank you so much for joining us. I'm Joan Woodward. I'm honored to lead the Travelers Institute, which is the public policy division and educational arm of Travelers. Welcome to Wednesdays with Woodward. You know this series. It's a webinar series. We started it during the pandemic, and it's been amazing to have you all here. 

(DESCRIPTION)
Slide, About Travelers Institute (registered trademark) Webinars. The Wednesdays with Woodward (registered trademark) educational webinar series is presented by the Travelers Institute, the public policy division of Travelers. This program is offered for informational and educational purposes only. You should consult with your financial, legal, insurance or other advisors about any practices suggested by this program. Please note that this session is being recorded and may be used as Travelers deems appropriate. Travelers Institute (registered trademark). Travelers.

(SPEECH)
So, before we get started, I want to share our disclaimer about today's program. 

(DESCRIPTION)
Slide, Wednesdays with Woodward (registered trademark) Webinar Series. Cyber Readiness: 5 Critical Steps for Your Organization. Logos, Travelers Institute (registered trademark). Travelers. Trusted Choice (registered trademark). I.A.C., Insurance Association of Connecticut. Risk and Uncertainty Management Center at the University of South Carolina’s Darla Moore School of Business. Metro Hartford Alliance. Master's in Financial Technology (FinTech) Program at the University of Connecticut School of Business. C.B.I.A., Connecticut Business & Industry Association.

(SPEECH)
I also want to thank our terrific webinar partners. You're going to see them on the screen now. So as many of you know, the U.S. Department of Homeland Security has designated October as Cybersecurity Awareness Month. 

So today's webinar is just one portion of the educational programming that we got planned for you all this month under our Cyber: Prepare, Prevent, Mitigate, Restore Program, which we launched in 2016.

(DESCRIPTION)
A picture of a group of people standing on a balcony, smiling and clapping. A large metal bell is affixed to the front of the balcony below the words New York Stock Exchange. Text on the wall behind the group, T.R.V. Listed N.Y.S.E.. Travelers. 

(SPEECH)
We've held over 50-- 5-0, 50 live events and virtual events under the series. As you can see us here, the National Cybersecurity Education Tour took us to the New York Stock Exchange. 

We rang the opening bell in 2020. 

(DESCRIPTION)
A picture of five people sitting in chairs on a stage in front of an audience. Text, Celebrating our 50th Cyber Symposium. 

(SPEECH)
And then a few months ago, we went back and we held our 50th cyber awareness program. This fall, we're headed to six different cities. We're going to be in Worcester, Massachusetts, and Kansas City. So check out the chat for more details on those programs. 

(DESCRIPTION)
Slide, 5 Cyber Readiness Practices. To help protect your organization, Travelers' cyber experts recommend five practices that, used collectively, can provide a strong defense from an ever-changing range of cyber threats - before, during and after an event. A bullet list with five items. Multifactor Authentication (M.F.A.). Endpoint Detection and Response (E.D.R.). Back up Data. Update Your Systems. Incident Response (I.R.) Plan.

(SPEECH)
Last week, we also were thrilled to release a series of articles highlighting five must-do steps that organizations, large and small, can take to become more cyber secure. On today's program, we're going to take a deep dive into these five key practices, and also ask what's at stake for your organization with making cybersecurity a priority. 

(DESCRIPTION)
Slide, Speakers. Pictures, names, and titles of Joan and two other people. Text, Joan Woodward. E.V.P., Public Policy; President, Travelers Institute, Travelers. Carolyn Purwin Ryan. Partner, Mullen Coughlin. Tim Francis. Vice President, Enterprise Cyber Lead, Travelers. 

(SPEECH)
So joining me for today's webinar are two of my favorite cybersecurity experts, who also happen to be seasoned veterans of our cyber series. Tim Francis, my friend and colleague, is Vice President here and Enterprise Cyber Lead at Travelers. He has oversight over the company's cyber product management, including underwriting strategies, products for businesses of all sizes, public entities, and technology firms. 

He's also been recognized as one of the industry's foremost experts on cyber issues. So Tim, thanks so much for joining me. Also joined today by Carolyn Purwin Ryan. Carolyn is a Partner at the law firm Mullen Coughlin. She serves as a breach coach to health care institutions, construction companies, municipalities, retail, finance, and so many more. She's also served as a national counsel for several state and federal mass tort litigations, representing clients in the medical and pharmaceutical industries.

So, really thrilled to have these two experts here today to mark October Cybersecurity Awareness Month.

(DESCRIPTION)
The slideshow disappears. The two other speakers join the video call. Text, Joan Woodward. Tim Francis. Carolyn Purwin Ryan. 

(SPEECH)
So, before we get into the five steps, let's set the stage a little bit with Tim. Let's talk about how do cyberattacks occur? What does a threat actor do to gain access to someone's system? So especially for someone who's not prepared. 

TIM FRANCIS: Sure. And I'll start with actually something that happens all the time, which doesn't require threat actors to have access to the system. And that would typically fall into the category of what we might call social engineering. And I'm sure we've all heard that term. Maybe unfortunately experienced events that deal with social engineering.

But just as one example, we see frequently with our customers where some business partner of theirs, some vendors that they do business with, for example, might suffer their own cyberattack. And as a result of that, threat actors can gain information that that vendor has and be able to perpetrate fraud against our customers. So in other words, they might hack into one system and understand that our insured or our company owes that particular vendor money. And they might know how much money they owe, they might actually be inside the system, be able to send an email that is legitimately coming from that company, or purports to be, from the right person at that company with the right invoice.

And they may simply just say, but our banking and routing information has changed. So instead of wiring that million dollars here, wire it there. And that is very sophisticated. And all you need to do is hack into one. You don't need to access the other insured’s systems to do that. And so that happens all the time. And our customers need to be diligent about that. But back to the question at hand, we certainly see, particularly ransomware, which does require access to the system.

And really what it requires is access to the system. And there's a variety of different ways in which threat actors can gain access. We'll talk a little bit more. But at the very simplest, once they have access, they come in through a virtual door or window as it were, upon doing that, now they're able to deploy malware.

And so once they deploy malware, if that is successfully deployed, that will allow them to potentially encrypt all the data and the network, it will allow them to even, if they gain administrative access, essentially gain command and control of the network. Right? They are in control. They are in charge. And they can, essentially, do what-- with that what they will. Right?

And so that's really the most disruptive and financially costly types of events that we see. And we see them all the time because customers haven't done usually one or more of the five basic steps that we're going to talk about more.

JOAN WOODWARD: OK. Great. Thank you, Tim. So Carolyn, for people in our audience who may really have a hard time thinking about cybersecurity issues or haven't looked at it recently or haven't made it a priority, what's at stake here? So why does cyber readiness matter for people and organizations today?

CAROLYN PURWIN RYAN: Absolutely, Joan. Well, No. 1, which I always say, the ultimate goal is never having to call everybody on this call. But what's really important about that is really what do you think about is your business. Everything is at stake is what it comes down to it. So thinking about it from a cyber-- like, why would I be worried about it? I'm a small organization. I'm a medium-sized organization. Why me? Well, I will tell you, one of the largest-- single largest ones and attack, the ones that are always part of those attack vectors are those small- and medium-sized businesses.

Because what a lot of threat actors out there do is they say, you know what? What's low-hanging fruit? What are some things that I could do? Some of the things that Tim is talking about in order to get in the door. So to me, it's not the ones that land in the news all the time, right? It's the ones-- the small, the medium organizations, the ones that maybe have the doors open. Some of the things that we're going to be talking about. They don't have those implementations.

Or you know what? They don't have the funds in order to put those more robust programs and things like that in place. So when it comes to your organization, I always say to everybody, what's the first question I ask is, what kind of data do you have, right? So that’s-- because these threat actors, I love that, Tim, the first thing that he talked about was wire transfer fraud and business email compromise, because those are the single largest things that we're seeing that is out there.

Sure, the ransomwares are the ones that get you in the news, but you know what? Business email compromise can sometimes be just as costly to an organization. So think about as an organization, what kind of data that you have and what kind of things that a threat actor might want in order to extort you.

JOAN WOODWARD: OK. Wow. All right. So let's get into it. Before-- first of all, we're going to take each one of these five steps and really do a deep dive. So we're going to ask our audience the question first. And we love to do audience question polling to get a sense of what you're seeing in your businesses.

So the one question-- we only have one question today. Which one of these steps do you feel least prepared to take? So these are the five we're going to talk about. We're going to go in depth on each. But which one of these steps do you feel least prepared to take in your organization? Give it a couple of seconds here, and we're going to get the results to talk about.

All right. It is looking like having an incident response plan and implementing endpoint detection and response are coming in as the top two organizations are least prepared to take. So having that incident response plan, we're going to talk about this in a minute, would seem to be something every organization should have. Implementing your endpoint detection response is also up there. People are least prepared to take that.

But it does look like multifactor authentication, updating your systems or regular backups. People are-- seem to be interested in taking. So let's talk about that. So we're going to go one by one, as I said. First, multifactor authentication. First of all, should I ask Tim and Carolyn, what do you think about these results of our folks feeling least prepared to have an incident response plan?

Carolyn, I'm going to go to you on that. And then, maybe, Tim talk for a second about implementing the endpoint detection there that people are worried about taking.

TIM FRANCIS: Sure.

CAROLYN PURWIN RYAN: Yeah. You could see me smiling and probably Tim smiling and nodding as well. Because when it comes to incident response plan, one of the first things I'll go in front of people and talk about, I'll say, do you know what an incident response plan-- what actually is it? And people will do the-- like the half-- you know, I want to say hands up or people will nod along, and they might not know what it actually is.

And really what it is is a plan. And we're going to talk what those things are. And that there are some even just simple ways organizations can put themselves in a better light. Love to see this about the multifactor authentication being one of the last ones that are on there, because-- and I know that's one of the things that we're going to talk about. But certainly, the incident response planning and endpoint protection solution being the top is not surprising to me. What about you, Tim?

TIM FRANCIS: Well, I think you're exactly right. And I think for any of these, whether it's one of the things you feel most confident about or least confident about. There are resources available. And we can help you identify those resources. We're going to touch on those things today. We're going to go deep, but it's an hour's worth of information.

So take advantage of the resources that are available because they're helpful. And I'm very always interested in what the responses are to multifactor authentication. I think it’s phenomenal that people feel confident with that. But I'm glad it's the first thing we're going to talk about, Joan, because what we find is, as much as people are confident, in our experience, often, many of our customers face threats, even though they thought they had MFA or did have MFA.

But it wasn't quite configured as well as it could have been. It wasn't in all of the areas of the network that it should have been. And so I think while that's phenomenal to see that score low here, I think the reality is is that people may be overconfident in how well they deployed MFA. Because we see time and time again, that being the case.

CAROLYN PURWIN RYAN: Yeah, absolutely.

JOAN WOODWARD: So let's get into it. So is using it for an organization's email system enough, for example, Tim? Let's just talk about that right now. So MFA just on your email system, or are there other places we should be protecting?

TIM FRANCIS: Well, certainly there's other places. Having it on your email systems, particularly as email more and more is cloud-based, right? And so because email is cloud-based largely, that invites some threats. So I don't want to discount the importance of having MFA on email. But it's certainly not enough. Because there's other ways into the system. And so particularly, we talk about remote access. Right?

As many of us worked from home more and more when the pandemic first happened, we saw companies that-- some better-- adapted better than others. Some struggled with the ability to allow employees into the networks remotely. And even when we're largely coming back to the offices, everybody still has people that work remote for necessary reasons and need to and access systems.

So having the ability, for example, when you're accessing the VPN remotely, making sure that you have that protected with multifactor authentication. And particularly important is the administrative access. Right? Those individuals that are allowed, and necessarily so, to have access to, essentially, the command-and-control operational parts of the organization.

Those systems have to be protected by MFA. Because if they're not, should a bad guy get in through some open doorway, it no longer is just isolated to a particular silo, if you will, within the system. They're going to be able to maintain control over the entire network if they can get into the administrative access.

JOAN WOODWARD: OK. Thank you for that. So Carolyn, is it hard to set up MFA? What is MFA? Give us literally the ABCs of MFA.

CAROLYN PURWIN RYAN: Absolutely, Joan. So really when you're talking about multifactor authentication, you're talking about a multi-step account login process, right? That's the fundamental, really. And everybody on there will-- they'll have-- some people say, they get it in like a text message that allows them to log in, that gives them a code in order to log in.

Some people, whether or not they have a Microsoft Authenticator or a Duo or something, like a secondary step to authenticate that that is you who's going to be logging in, that's really what you want to be thinking about. So is it easy? Is it flipping a switch? No. Not really. Unfortunately, because it is that next step of the process where you need to have that secondary. You need to have your cell phone near you or you need to have something where you have that login code in order to enter that in.

And a lot of-- and this actually goes to Tim's point, which is, a lot-- it's not necessarily something easy to deploy across all things, across all organizations. Because sometimes, like, for instance, in the educational systems. Is Chromebooks-- is it easy to deploy multifactor authentication on Chromebooks? The answer is, no, it's not. What about those legacy-- some of those older systems that are out there like the construction and manufacturing industry?

One of the single largest targets that we're seeing now is those kind of issues. Those operational issues. Implementing multifactor authentication on those is very difficult for those organizations. And sometimes can't even be done, right? But knowing that as a potential avenue in which they could be a vulnerability, those are one of the first steps that you want to have with an organization is what are my vulnerabilities? And having a threshold level of multifactor authentication is just that first step in making sure that your organization is protected.

JOAN WOODWARD: OK. Thank you for that. One last question for Tim on this topic, then we're going to move on to the next step. What about those small mom-and-pop organizations out there? Maybe a small agency. They're going have limited resources, their IT expertise. What do they do to try to get MFA on their systems immediately?

TIM FRANCIS: Again, there's resources available. Right? And we'll share some of that information. We've talked on many of these webinars about partnerships that we have with CISA, for example, which is largely designed for critical infrastructure. But many people are shocked to realize that they are part of critical infrastructure. And many organizations are. Even if they're not, that information is largely publicly available, which gives some guidance.

But there's other resources available. And I would encourage people to take example. Microsoft published a study, which is a couple of years ago, but largely true. Ninety-nine percent of the threats that we see can be protected by MFA that's adequately deployed. Right? So when you talk about return on investment, the ability-- MFA is-- even if it's a little complicated to do, very inexpensive to do. And the protection is tremendous.

And I think when you look at it from that perspective, if you're still confused about how to do it appropriately, please reach out and get the right resources because it's critically important to do it.

JOAN WOODWARD: OK. Perfect. Moving on, practice 2 is update your system. So Carolyn, we get messages all the time on our apps, on our phone or personal devices about software updates and upgrades. Talk about updating your systems, why it's important. What if you don't update? And what does that leave you vulnerable for?

CAROLYN PURWIN RYAN: It's what the threat actors take advantage of. You see those updates that are out there, it is not something like a phone update, it is something that, especially when you have those-- you have an internal-- I want to say, a person who's taking a look at your systems. And what they want to do, these threat actors that are out there, they are looking to take advantage of all of those.

They know that there is those vulnerabilities that are out there. And what they do is they try to find ways around it or they take advantage of people, parties, companies that don't implement it quick enough. So they are looking out there for those-- I always say, don't make yourself one of those easy targets that are out there.

So update quickly. When those vulnerabilities, you see them come out, update your systems quickly. There's a reason behind it, because they're there to protect your systems to avoid these threat actors that are coming out there for you.

JOAN WOODWARD: And can you give us some real-world examples maybe, Carolyn, of people who have exploited, outdated? Yeah?

CAROLYN PURWIN RYAN: Yeah. Microsoft Exchange. Microsoft Exchange was a very large one. You'll see a lot of those vulnerabilities that's out there. You'll see information in the news about what's called zero-day vulnerabilities. Those are ones in which an organization-- like, there wasn't a patch that was available, right? But we're more talking about the patches that are available, right?

So you want to be-- you want to try to be prepared for both. I know that sounds like a lot to put onto an organization. But if you're waiting-- for instance, if you have a procedure or a policy in place within your organization that says, you know what? You patch it and we get those patches and we do it in 30 days. Well, I'll tell you, most of the threat actors know that that's something that's within organizations that are out there.

So they take advantage of it within those first 30 days. So Microsoft Exchange, there's so many different ones that are out there. I mean, unfortunately, it's something that happens on a daily basis. They're the ones that you see out there. Like for instance, there's a lot of software vulnerabilities. You see a lot of third-party incidences now that are happening. And those are particularly the reasons why they're happening, unfortunately.

JOAN WOODWARD: OK. And Tim, talk about-- some people just don't get around to doing it within the 30 days. I know a lot of people wait till the 29th day. What are the risks, though, of running systems that are out of date?

TIM FRANCIS: Well, I mean, it's exactly that, particularly on software, right? So if you're running software that's out of date, it's entirely possible that the manufacturer of that software may not come up with a patch. Because that system is discontinued, right? And even if they do come up with a patch, they may not push that patch out.

So oftentimes, when you're running systems that are up to date and software that's up to date, you're going to get that notification, right? You're going to actually, sometimes, have to almost deliberately ignore plenty of warnings that are coming your way. And we still see that, right? And as Carolyn said and as we say in our industry, it's zero-day only at Day 0, right? Once the patch is available, it's no longer zero-day.

And we see time and again, customers where there's a patch that exists. They have not done so. And sometimes, it's not on the 29th day, it's on the 49th day and the 59th day. And the threat actors are-- they're going after low-hanging fruit. They can go out and scan networks and see whose vulnerabilities exist and where they exist and take advantage of them. And if you're in their shoes, why wouldn't you do it that way? It's just easy. Let's not make it easy for them.

JOAN WOODWARD: OK. Great. All right. Moving on, this is practice 3. And this is the one, as a non-tech person, I don't really understand. So I'm looking forward to your responses. Implement endpoint detection and response. Or otherwise known as EDR. So Tim, what is endpoint detection and response? And how does it differ from other antiviral solutions?

TIM FRANCIS: Sure. And I'll give you at a high level. If we think about antivirus, right? Think about that as the wall that protects the system. And so it's keeping out things that it's designed to keep out. And does a good job at keeping things out that it's designed to keep out. Endpoint detection and response is a little differently.

It's not designed to keep it out, but it also is able to then see things that you got through the wall, right? And identify them, encapsulate them, that allow the organization to know that it exists. And it's really looking at behavioral issues as much as things it's programmed to keep out, right? So both are necessary layers. Think about endpoint detection and response as antivirus on steroids, for lack of a better term, because it allows you not just to keep out the things you want to keep out, but really a tool that's useful when things happen to get through.

JOAN WOODWARD: OK. Good. That was a good explanation. Thank you. Carolyn, so what types of threats and attacks are EDR solutions really designed then to detect or even respond to?

CAROLYN PURWIN RYAN: Yeah. They're really designed-- yeah. And Joan, they're really designed to take a look and look around for malware, which I think one of the things I always say that is coming out there right now, you hear a lot about artificial intelligence and machine learning and stuff like that and the negative side of it. But one of the things that a lot of the great endpoint protection solutions are doing now, as a positive thing, they are learning from the different malware and they're evolving./

So they're watching those kinds of things and they're evolving and making sure to destroy those attacks from a malware standpoint as well. So all the more important, if you're going to invest in something, because we talk a lot about practical tips, but if you're going to make the investment, we talk about-- one of the things that we're going to be talking about is backups.

But the next thing that you want to be talking about is those endpoint protection solutions. Tim is exactly correct. It's the wall, right? It's putting up that fence around to protect your information that's out there. And you're getting alerts that are out there. I think one of the more difficult things that we're seeing a lot of clients deal with now is you're seeing an abundance of alerts. But would you rather the abundance of alerts than letting the doors all the way open, right?

JOAN WOODWARD: OK. Good. So I always go back to the smaller organizations, right? Those out there that have maybe less than 20 employees. What kind of solutions can smaller organizations-- I mean, what is out there in terms of EDR solutions? So maybe, Tim, can you talk about that?

TIM FRANCIS: Yeah. So I would think this one is probably is a little bit different than when we talked about MFA. This one may be harder for a small organization just to go to, say, CISA or somewhere else and really understand what to do, right? So if we think about EDR as the tool, right? It's a tool that can be deployed.

You got to know how to use the tool. And so often, what is associated with EDR is what we would call MDR. So that is managed detection and response. So if we think about EDR as the tool, an MDR is a service that can run the tool for you. And so while it may cost more money, there's no sense really, spending the money on EDR solution, if you don't know how to operate it or don't have the bandwidth.

So I would encourage small organizations to think about, do they have the ability to run an EDR solution? And if not, have an MDR, which is a service that can run the tool, because that's going to maximize your capability, and it's going to maximize your ability for that tool to do all of the things that it can do, and all of the machine learning and AI that goes into it is only as good as the human beings that are understanding what that means for them.

And so that's a worthy investment for small companies that may not have the internal cybersecurity team to run those tools on their own.

CAROLYN PURWIN RYAN: Yeah.

JOAN WOODWARD: OK. So--

CAROLYN PURWIN RYAN: It's an excellent point. Sorry, Joan. I just wanted-- because that's one of the single largest things that we're seeing right now. Is that because of the abundance of alerts that are out there, people are getting-- it's almost like multifactor authentication fatigue, right? So then they're clicking and allowing people in.

Same thing with endpoint protection solutions. They're doing the same thing, where they're seeing all these alerts, and then they're saying, you know what? We're allowing them in. All the more important, for someone who's able to decipher what's real and what's not, what's important and what's not, those are the kinds of things that if you were to talk about the most important things to invest money in, those are one of the top things. It would be your backup solutions and your endpoint protection MDR solutions.

JOAN WOODWARD: OK. Terrific. And we're dropping in the chat, for everyone to know, some links that you can learn a lot more about all of these five steps. But this one in particular, because I know it can be confusing. All right. We're going on to practice 4. And this is the one that I think is really low-hanging fruit for anyone out there, which is to have an incident response plan.

So we're going to talk about what's in an incident response plan, but one of the, I think, the beauties of even talking about cyber insurance for a client, for a customer out there, is to talk about whether they have an incident response plan. And that is part of the conversation, I'm sure Tim, you're going to talk about. When we talk to our insureds about what they have in place currently to protect against a cyberattack, do they have this incident response plan?

So Tim, explain what it is, why it's so critically important, where someone should keep their incident response plan, because that's another thing to think about. And is there some sort of template out there for a generic one people should look for?

TIM FRANCIS: Well, let's start with the second part of that question first. And I'm sure we've put up links which will get you to some access to incident response plans. And this is where the incident response plan for a small company may necessarily look different than a large company. And those in between in certain industries will have different incident response plans or different people play different roles during the incident response plan.

But to get to the first part of your question, many of our customers don't have an incident response plan or they do but it's old and it's outdated. They don't know where it is, they haven't practiced it. So it's like anything else that we would have plans for. But here, maybe importantly, it's having a plan is a good first step. But understanding what that plan is, updating it, practicing it, which I can't stress enough.

When an incident happens, it's entirely likely-- I think it's almost inevitable that the plan is not going to work exactly the way that you thought it might. You're going to learn from that. But having the plan and having prepared for it is also inevitably going to make the experience much better than it would have been if you had had no plan and you hadn't prepared for it.

And there's some basics, right? You can see in some of these. There might be four basics or five or six depending on which, if you go to NIST or MITRE and some other sources. But preparing first. Understanding-- we've seen, for example, the emails are compromised, and the threat actors are seeing emails back and forth between folks on what to do, right?

Having a backup that is not the company email. Preparing for it, having part of detection is part of the incident response plan containment. And then probably as importantly, having a post-event triage best practices learned. So there's some basic steps. But again, avail yourselves to the resources that are out there for the plan that's right for your organization.

JOAN WOODWARD: OK. Great. Carolyn, to you, I imagine you've been involved in developing these incident response plans for lots of people. Who should be at the table for that? Who should be involved in developing it for a company?

CAROLYN PURWIN RYAN: So usually what you want to talk about, you want to really bring your C-suite to the table. The real decision-makers to the table. But one of the first things I always say to everybody when we're talking about an incident response plan is, if you have one key takeaway, if you don't have the time to really sit down, first thing I want to tell everybody is, know the phone number to call.

Use the resources that you have, right? Travelers has a 24/7 hotline, right? Mullen Coughlin has a 24/7 hotline in the event that any sort of incident occurs. Somebody will call you back in less than half an hour, usually, I will tell you, within minutes, to give you the resources that you need.

But you know what? If you don't know the phone number or if it's this wonderful incident response plan that you develop is stuck up in the cloud, print it out. Please, print it out-- going backwards in technology. But print it out. That way, you have that lucky phone number. You have your broker's phone number. You have the Travelers phone number. Print out that 24/7 hotline that gives you the resources you need in order to get going in the right direction, right?

But Joan, one of the most critical pieces to this and who you bring to the table and talking about it and getting involved in those conversations goes exactly to what Tim was talking about earlier, which is, how can you develop something? It is something that's usually developed per organization. But what you do is you think about, OK, let's just say, in the event that my whole system goes down, what do I do first?

Who do I call first? One of the other critical pieces, you can call-- what's my role as a breach coach? Right? I'm here to advise you as to any sort of state and federal and contractual obligations that you would have, guide you through the entire process. But really I say to everybody, I'm here to take things off of your plate and put them onto mine. Right? Let me be the person who's going to be guiding you through this entire process.

But I always get the question, do I need to have bitcoin? Do I need a forensics company? Those are the kinds of questions where we have those answers to those questions for you. The answers are, no. Right? Through insurance, they vetted all of those different wonderful forensics companies that do this day in and day out and have those 24/7 hotline numbers.

You don't need to have those. You need that one phone number in order to get the process going. And I think that's critical to organizations. It goes to the point of, know the resources that you have. Talk to your brokers who are going to say to you, you know what? Take advantage of all those proactive wonderful services, including an incident response plan.

One of the things I always do is do what they're called “meet the breach coach” calls. Right? I know this sounds a little salesmanshipy and it's not meant to be. I always say, take away the mystery. Look behind the Wizard of Oz, the big curtain that's there, and walk through what an actual incident would be to you and to your organization.

Know the process. Know that in the event of a wire transfer fraud, time is of the essence to call right away, because we can put you in touch with-- and we have wonderful relationships with CISA, with the FBI, with Homeland Security, with Secret Service, who are there to help you try to get this money back from the banks.

Take advantage of those particular services, because if you don't, you don't want to be costing more to your organization than need be. You're already going through enough. You're already a victim as itself. You don't want to be re-victimizing yourself.

JOAN WOODWARD: Yeah. I think it's really important-- and Tim, I'll let you speak to this-- that over the last almost 10 years, we at Travelers, and you certainly in your role, Carolyn, have developed these partnerships with government entities who have free resources, complimentary resources. You're all taxpaying folks out there; you pay your taxes. And these are available to you.

So Tim, let's talk about this for a second. So you've developed an incident response plan. How effective do you think that is when you actually need it? Other than having the number to call Carolyn or to call Travelers or your broker, have you seen incident response plans really guide a client and a customer through the whole process? Are they effective? Do they know who to notify or is there--

TIM FRANCIS: They're tremendously effective. And my comment before about the plan may not survive initial contact, as the phrase may go, right? And it probably won't. But that's not really the point, right? Let's take the other part of that. Do we see-- have we seen customers that have no incident response plan?

And let's take that customer that not only has no incident response plan but doesn't have cyber insurance. Has never heard of Mullen Coughlin. Wouldn't know what to do. And by the way, even if they decided that they might Google “breach coach” while their systems are down, and they might have to do that on a private phone, right?

So when we see customers, and less and less do we see this, because it's part of our process to make sure customers that don't have incident response plans do. But when we see customers that don't, they are in a really, really bad way. And particularly, those customers that might not have insurance and might not know how to get in touch with Mullen Coughlin.

They're essentially on their own in what is a situation which where minutes and hours matter. So when you have that incident response plan, when you practiced it, the No. 1 thing is the anxiety factor is lowered, right? Your ability to then know what to do and to have practiced it, and people know what their role is it, it makes them more effective in those roles, because the anxiety is so much less.

I mean, this is a mission-critical thing, often happens over the weekends, middle of the night, right? And you can imagine the stress levels. And reducing the stress levels makes the process more effective. And if for no other reason other than that, that's a good enough reason to have the incident response plans in the first place.

CAROLYN PURWIN RYAN: Yeah, Tim, and think that means-- that's so important on so many levels, right? No. 1-- when you have such a high level of stress, and that could be wire transfer fraud, business email compromise, ransomware, whatever it may be, any type of incident, you need to be thinking about, No. 1, are you preserving any and all evidence when an incident occurs?

Because organizations-- sometimes before they call, what they'll do, they'll wipe things clean. Right? And what do you do-- what happens when you wipe things clean? You're wiping away the evidence to see what actually happened, right? But we would walk you through all of that. The reasons why the importance behind calling right away.

So we talked about wire transfer fraud. The preservation of evidence so we can see what—how this happened, especially with ransomware incidents. What, you know, what kind of information was taken from a particular system? What these threat actors actually did within a system. But the other piece I always think about it, is also the business aspect. The communications aspect.

You send out an email into the oblivion, yeah. Everybody has this inclination. We live in a society where everybody is on emails. We're always on systems. But you know what? Memories fade, pieces of paper do not. Emails do not. So is it easier to be able to step away from the computer and put your hands up and say, you know what? Let's think about the communication that's going to go out the door instead of having to walk things back.

Those are the critical pieces. That's where we all can help all of you. And that first call, I always say that to everybody, the first call is at no cost to you. Always good to run ideas by people. Run it by Travelers, run it by the forensics team, run it by a breach coach. Those are the kinds of things-- that's what we’re here to  do  is to help you, right? And all the more reason that you don't want to put yourself in a worse situation.

TIM FRANCIS: And I would add. And just, again, on the effectiveness of the plan. Just having the plan and having go through it. Think about the event taking place. Do you want to be in a position where you actually might have to tell regulators, depending on your industry, that we had no plan. We didn't think of that. Right?

Or your customers know you had no plan, right? The plan may not work exactly as you anticipated. But there is no excuse for not having the plan. And more and more, there's requirements to notify various law enforcement regulatory bodies, right? And so the faster that you're able to comply with that and the more professionalism and expertise that you can bring to bear on that will not only reduce the actual event, but it's going to reduce the impact that that event has on your reputation and on your business. How customers perceive you and how regulators perceive you.

CAROLYN PURWIN RYAN: Absolutely, Tim. And I think one of the other things, you mentioned the regulators that are out there. I mentioned also the contractual obligations. We're seeing more and more organizations, especially contracts that have been entered into in the past two to three years, that have an obligation to notify in the event of any sort of cyber incident, and you don't want to be in breach of contract.

So all the more important-- proactively, to take a look at those contractual obligations. But also know what regulatory obligations that you're going to have and who you need to contact. Because some of those obligations are 24 hours, 48 hours, but good to know so then you're not violating them right away.

JOAN WOODWARD: OK. Very quickly on this. Because we have to go to our fifth category. How often should an organization update their incident response plan? Is this an annual exercise or is it every five years? What do you advise clients, Carolyn, on that one? How often?

CAROLYN PURWIN RYAN: So I usually-- at a minimum, at least once a year. I usually prefer it twice a year because things unfortunately in this landscape change very quickly. But just test it. Because you know what? People leave. People go on vacation. Make sure to have people cell phone numbers out-of-band emails that Tim was talking about earlier. Those are the kinds of things that you're going to want to think about at least once to twice a year.

JOAN WOODWARD: OK. Very good. Now we're going to move on. This is practice 5, everyone. Regularly back up your data. So Carolyn, why should you be backing up your data? What does it mean by regularly backing this up?

CAROLYN PURWIN RYAN: Well, you know what? Think about to yourself, you want to give yourself options in the event of anything happening. So what is backing up your data meaning, right? So in the event that your systems go down, everything gets encrypted, you want to be able to take a look into the stuff you put in the system yesterday, right?

So you want-- if you have invested-- and we talked about really good investments. Endpoint protection solutions are one of them. Backups are the critical one. I would put that as like a No. 1-- if you want to invest in really good backups, because these threat actors, what do they want to do? Their ultimate goal, most of the time, I mean, some of it's-- they're thinking about intellectual property.

But the other piece to it is money, right? So what do you think that they're going to do and go for first? They're going to go for your backups first. They're going to try to wipe your backups clean, because they want to leave you in a position where you're going to have no choice but to pay them, right? So if you invest in good backups, backups that are separated, backups that are secure and separated from your organization, one that was from yesterday. One of the single largest costs that we're seeing right now are business interruption costs, right?

Not being able to get back up and running from your-- getting your options in terms of the data itself, getting those back up. You just want to be in the best position in order to make sure that you wouldn't have to make any sort of payment to these threat actors.

JOAN WOODWARD: OK. Good. So Tim, talk to us about what types of data should be backed up on a regular basis.

TIM FRANCIS: Well, certainly as Carolyn said, the data that's changed, right? Doing a full backup of all your data and systems is critical. But really, it's also backing up the data and systems that have changed since the last time you did a full backup. And so part of that is an assessment that's necessary. And really, it's maybe easy to say everything. But it's that those data and systems that are necessary for the core mission of the organization to run their business.

And just to put that into some perspective and to maybe go back in time a little bit, when the ransomware threat first came upon us in the cyber insurance industry, ransom demands were $300, $400, right? And the reason that they were so small is because the threat actors weren't into the backups, right?

And so somebody would have this threat on their-- and might not even really care because their business wasn't disrupted. As the threat actors got more sophisticated, and they were able to encrypt the backups, right? And that's when we saw ransom demands go from $300, $400 to tens of thousands, hundreds of thousands, and millions of dollars.

And over the last year or so or a couple of years, we've seen a lot of really good due diligence about backups being better. And despite the threat actor community increasingly deploying ransomware, some of the actual-- the frequency in which customers have to pay ransom is down. The amount of disruption in terms of time is down. And ultimately, the amount of ransom is down for many of our customers too.

Because they've gotten better at backing up their systems. So understand what data is mission critical. And that may be different for each organization. But your databases, your active directory and domains are the types of things that you want to be thinking about. And then do it.

JOAN WOODWARD: OK. So now we understand why it's so important to back up. So Carolyn, talk to us about how organizations go about doing it. Is there a magic to it? Is it part of the system that they're-- again, is this a yearly thing, is it daily, is it hourly when you talk about a backup.

CAROLYN PURWIN RYAN: Sure. It’s usually-- it really depends on the organization and the amount of data that they have incoming every day. Because it's all about the change from Day 0 to Day 1 to Day 2, right? But it usually is a separate and apart system. Now, the best systems, I hate to say it, have multiple backups.

Because if one backup goes down, you need to have another backup just in case. One that's separate and apart, meaning that if you're having a particular-- like an air gaped one is one that in which you're making sure that your organization is-- I want to say, if your organization gets encrypted, then the secondary-- it doesn't go directly to your backups and then the encryption goes directly to your backups.

You want to have something that's separate and apart. So it is a separate system, Joan. But it is one in which that you want to have those regular backups. For instance, if it's something where you're getting client or customer input every day, all the more reason that you would need a daily one. Versus, for instance, if it's something where if it's-- you're not getting that much data per day and you could do it monthly, then that's something that an organization would need to decide.

JOAN WOODWARD: OK. Great. We're going to get to your questions now. Because there's a whole lot coming in through the Q&A feature here. So first one is coming in from Kerry Wakely. Kerry asks-- and I think this is probably for you, Tim. "Can you clarify the differences and gaps between a crime policy and a cyber policy?"

TIM FRANCIS: Sure. And there may be less gaps than potential overlaps. And this may be one area where that's probably a good thing as opposed to a bad thing. But if we think about a crime policy generally speaking as an insurance policy that's going to protect and cover expenses related to companies that have money stolen, and there's lots of ways that have nothing to do with cyber or systems that money can be stolen.

Whether it's a petty cash drawer, whether it's inventory leaving, whether it's embezzlement in some other forms of way. Fraudulent checks, right? But that kind of thing can happen, and it has nothing to do with cyber. And crime policies can deal with some of those things that way. But there is some overlap because more and more people use technology to steal money, right?

And not just steal money, not just in the extortion stuff that we've been spending a lot of time talking about, but what we might call computer fraud. So actually, manipulating the keys, if you will, or the inputs so that money is wired out of an organization or what we might call funds transfer fraud, which is a coverage that can exist in both cyber and crime policies where a threat actor has enough information to essentially pretend to be you.

Maybe they got that information through a hack, and they go to your bank, right? And they have enough credentials to be able to get access to the bank fund and move money out. And so a good cyber insurance product may protect against all of those things. And it may overlap with a crime policy. I think it's a good strategy to have those coverages with one insurer. So you can see where those overlaps and the gaps are more easily. But it's important to have both because both do-- while they do some overlap, they do different things too.

JOAN WOODWARD: OK. Thank you, Tim. Another question coming in from Mark Connelly. Mark, good to have you on the program today. "Are backup programs getting smart enough to identify a potential threat from getting back up?" So Carolyn, how about to you?

CAROLYN PURWIN RYAN: So most of the times, I will tell you, it really depends on what you have in terms of your protections to your backup systems. We were talking about those endpoint protections and those air gaps associated with it, because if you have a backup that's completely connected to your systems and your systems get infected with any sort of malware, it could go right through to your backups.

And that's a reason-- one of the attack vectors that the threat actors count on. There's a lot of options that are out there. So when you're looking into a good backup system, make sure to ask those questions about whether or not it could be air gaped or even just ones that it could be separate and apart, where you can even have it as separate data center. So then it would be separate to your system, that's something that I know people talk about. Going up into the cloud and having on a daily or even just every other day basis.

JOAN WOODWARD: OK. Follow up from Mark Connelly. He's got a couple today. “What percentage of ransom claims result in a ransom being paid?” So I know, Carolyn, in some of our live sessions, you talk about the pre-pandemic ransom demands and maybe post-pandemic, how that's changed. What is the average ransomware demand, as Tim talked about the small dollars when this was starting. Now these are very big dollars that you're seeing.

So give us a sense-- a peek behind the scenes of what's happening at your law firm with regard to ransomware. What percent are being paid? Who makes that decision? Is it the insured? Are you coaching them on whether they should pay the ransom or not? Is the insurer have a view on that? Who makes that decision? So I'm going to go to Carolyn first about what they're seeing and then Tim talk about the process of deciding on ransomware.

CAROLYN PURWIN RYAN: Sure. And it's an excellent question, right? So we're seeing probably on averages in terms of demands of about 2 million. But the payouts are really much significantly lower because you-- and when I say that we're talking about 180,000 just really on median in terms taking a look at that on an average.

Now, obviously, there are some that are going to skew upwards and lower based on incidences. But in terms of actual people paying them, we're seeing maybe anywhere between 15 and 18%. Definitely under that 20% marker of actual people paying these threat actors. But really who it ultimately is the decision-maker is the business themselves. I take a look at it from both perspectives, right?

Because really, you want to be thinking about it. No one ever wants to make a payment to a threat actor, right? No one ever wants to have that. That's the reason why we talk about these five things, right? You want to be in a best position not to have to make payments to these threat actors. That's a reason why we're here to talk about all these things.

But one of the things-- and one of the increases that we are seeing are individuals who are making payment. And the reasons why they're making payment, it’s-- we're still seeing that highest number being to get that key because the backups themselves are infected. But we're still seeing that those lower numbers in terms of people actually making payment, but you do that balance of, hey, look.

The threat actor, it's a criminal, right? So you never know whether or not they're going to sell the information to the buddy down the street. They don't know whether or not it's going to be a situation. Hey, look. They give it to somebody else or they post it. They're criminals. So you don't know what they're actually going to be doing with the data. And it doesn't negate your obligation to notify the individuals if there’s sensitive information that was taken.

But you need to think about it from a business perspective, right? Is it going to cost me more to get back up and running? Is it going to be a situation where it's-- is it going to be a very big detrimental harm to my business? That's all the conversations we have from moment one with the business. And I'm sure, Tim, I know you guys have had that conversation as well, right?

TIM FRANCIS: Sure. Yeah. And I think the point you made is that we don't make the decision for the customers, we allow them to make it. Obviously, we expect and hope that they take into consideration the expert counsel of Mullen Coughlin or other breach coaches. The breach coaches don't work for us. They work for the customer. Right?

And so if the customer makes a decision to pay, we'll be there. If they make a decision not to pay, we'll be there. And that's an individual decision for that customer. But almost always our interests are mutually aligned. No one wants to pay, and when it's paid, it's really very much the last resort. And it's what is necessary for that particular event.

CAROLYN PURWIN RYAN: Exactly. The only exception would be is whether or not that they be a sanctioned entity, whether or not that they would be on the OFAC list-- the Office of Foreign Assets and Control list. That would ever be a reason not to-- that you absolutely cannot pay. And that would be a reason why we would say, absolutely not. That would be something that we would never counsel as to.

JOAN WOODWARD: OK. Carolyn, quickly, do you have a average payout? I mean, when clients do pay ransomware, where is that number today? Tim mentioned hundreds of dollars when this all started. But where are we at today?

CAROLYN PURWIN RYAN: Yeah. So probably on average right now, it's about anywhere between 150,000 to 180,000 range is really the payouts that we're seeing. We are seeing definitely an increase in the demands up to that $2.2 million on a median. But then, of course, you just always have those outliers unfortunately.

JOAN WOODWARD: Yeah. OK. Tim, this question is coming in from Adam Adler at MJ Insurance. And he's asking you, "What does the future hold for cyber insurance underwriting?" So what are some of the challenges and opportunities in today's marketplace? Because obviously, this has been an evolution. We didn't have cyber insurance 50 years ago, 20 years ago.

So what are you seeing now? You're our Chief Underwriting Officer for cyber at the company. And it's a big challenge in today's marketplace.

TIM FRANCIS: Yeah. It's a huge challenge. It's a great question. And it's an ever-evolving and necessarily ever-evolving process. And a phrase sometimes, technology and threat actors move at a different pace than insurance does. So from an insurance underwriting, really to stay on top of that, we got to move at a different pace than many other coverage lines, which are also evolving, necessarily of course.

But I think probably the biggest change that we've seen. A lot of the threat actors, we touched on this. They're able to scan networks and look at vulnerabilities. And they're often exploiting a vulnerability. And oftentimes, doing it without knowing who that customer actually is. They don't know who the customer is until they've exploited the vulnerability and they're inside the network, in many cases.

So what we're doing is to do some of that scanning ourselves. We're understanding where those vulnerabilities are. So certainly, we're getting information from our customers in terms of an application in what I'll say is traditional underwriting. But more and more, we're relying on third-party data for us to understand what vulnerabilities our customers have used as part of our underwriting, sure.

Maybe more importantly or certainly more importantly, be able to reach out to a customer and say, hey, we see something on your network that maybe you're unaware of. Here's what it is. Here's an issue. Here's access to resources that can help you remediate that vulnerability. That helps them not have the claim, which obviously, helps us financially. And it's really to borrow a phrase, a win-win for everybody.

JOAN WOODWARD: Wonderful. OK. Last question here coming in from Heidi Springer. And there's a couple of questions on this. "VPN. You all did not mention VPN once. For remote workers, is it necessary to have VPN in today's world?"

CAROLYN PURWIN RYAN: Yeah. And I think actually, Tim did mention the virtual private network, otherwise it is VPN, as part of the multifactor authentication. One of the things that you want to have as a threshold. But absolutely, it's something that you want to have. It's, again, talking about walls that you put up before your remote desktop protocols. Things along the lines of that. And you're just thinking about how you funnel people to get into your organization. All the more critical to have multifactor on those particular VPN.

JOAN WOODWARD: OK. Great. Well, listen, the hour has just flown by. I want to thank you so much, Tim and Carolyn. A wealth of knowledge. We'll have the replay out for this session very shortly. Check out our resources on the web. Take our survey about today's program. We love to hear-- it's in the chat-- so we'd love to hear from you and what other topics you want to understand on cyber and anything else related to insurance. So do that as well.

(DESCRIPTION)
Slide, Cyber: Prepare, Prevent, Mitigate, Restore (registered trademark). Travelers Institute (registered trademark). Travelers. A map of the United States with six locations highlighted. Text, National Cybersecurity Education Tour. A bullet list. September 12 - Atlanta, Georgia. September 19 - San Ramon, California. October 17 - Worcester, Massachusetts. October 20 - Kansas City, Missouri. November 7 - Bellevue, Washington. November 29 - Dallas, Texas. Register: travelersinstitute.org.

(SPEECH)
Tim and Carolyn, thank you so much. 

I also want to let my viewers know that we are doing lots of live events in cybersecurity this fall, throughout the fall. We're going to be in Worcester, Massachusetts, next week. We're going to be in Kansas City also coming up. So if you're in either of those locations, please join us.

(DESCRIPTION)
Slide, Wednesdays with Woodward (registered trademark) Webinar Series. Upcoming Webinars: October 25 - 100th Webinar Episode! A Conversation with Travelers Chairman and CEO Alan Schnitzer. October 30 - Evolution of the Supreme Court with The Gilder Lehrman Institute of American History. November 8 - An Insurance Agent's Field Guide to Gen Z. November 15 - Retirement Playbook: Your Guide to Life After Insurance. Register: travelersinstitute.org. 

(SPEECH)
And then I have a very, very special guest to celebrate our 100th episode on October 25, Alan Schnitzer-- our Travelers Chairman and CEO will join me for a sit-down about his last many years leading this company.

And so, we're really excited he's going to talk about leadership. And leading through the pandemic, leading through change, innovation, he's done it all. So please join us then. We have a number of other webinars coming up. One, with our Citizen Travelers Program-- October 30, talking about the Supreme Court and understanding what that court is about and what it does.

After that, we're going to look at Gen Z on November the 8th with our colleague Jacqui Heidelberger coming back with new research, specifically to insurance and Gen Z. You're not going to miss that on November 8. Then on November 15, we're going to talk about-- we're going from Gen Z to retirement.

Mark and Judy Rollins-- two of my friends in the insurance industry recently retired, and they have figured it out, folks. We're not going to talk about finances, we're going to talk about a successful retirement plan for you and your loved ones. So everything's on our website, travelersinstitute.org. Thanks again for joining me as always on Wednesdays. 

[MUSIC PLAYING] 

(DESCRIPTION)
Slide, Wednesdays with Woodward (registered trademark) Webinar Series. Watch Replays: travelersinstitute.org. Connect: LinkedIn, Joan Kois Woodward. Take Our Survey: Link in chat. #WednesdayswithWoodward.

Text, Travelers Institute (registered trademark). Travelers. travelersinstitute.org.