Cybersecurity Playbook: Creating Your Checklist
Wednesdays with Woodward® webinar series
December 1, 2021
Wednesday 1:00 p.m.-2:00 p.m. ET
This cybersecurity education program is proudly presented as part of the Travelers Institute’s Cyber: Prepare, Prevent, Mitigate, Restore® initiative, which promotes dialogue and education to help leaders prepare for and respond to cyber incidents.
![Wednesdays With Woodward webinar series logo](https://asset.trvstatic.com/images/assets/WWW_Swoop-institute-Hero_v2.jpg/873ad468a27c11efa56c96b2b5f8c459)
![Cyber: Prepare, Prevent, Mitigate, Restore](https://asset.trvstatic.com/images/assets/cyber-series-logo-cropped.jpg/Zz0wYmYzM2RkZWJlMjYxMWVmOWU4YTQ2ZDJmZThmZTMzYQ==)
After a record-breaking turnout for our cybersecurity webinar in October, Travelers’ Jeff Klenk returned to Wednesdays with Woodward to continue responding to your pressing questions. The 2021 Travelers Risk Index showed that cyber threats are again the number one business concern, outpacing medical cost inflation, economic uncertainty and attracting and retaining talent. Still, less than half of business leaders have adopted basic preventive measures, such as multifactor authentication. Jeff joined host Joan Woodward and leading cyber breach coach Jennifer Coughlin for an hour of actionable insights regarding the top things businesses can do today to boost their cybersecurity.
Did you miss our October 6th cybersecurity webinar? Watch the replay here.
(DESCRIPTION)
Joan Woodward in a video window in the upper right corner. Text, Wednesdays with Woodward (registered trademark), Webinar Series. Travelers Institute, Travelers
(SPEECH)
Good afternoon and thank you for joining us today. I'm Joan Woodward and honored to lead the Travelers Institute, our public policy and educational arm of Travelers. Welcome to Wednesdays with Woodward, coming to you today from Scottsdale, Arizona. I have a different background than my normal home so welcome. Today we're going to tackle a critical topic for all businesses, small or large, the growing risk of a cyber attack on your organization.
(SPEECH)
So before we get started, I'd like to share our disclaimer about today's program.
(DESCRIPTION)
About Travelers Institute Webinars. The Wednesdays with Woodward educational webinar series is presented by the Travelers Institute, the public policy division of Travelers. This program is offered for informational and educational purposes only. You should consult with your financial, legal, insurance or other advisers about any practices suggested by this program. Please note that this session is being recorded and may be used as Travelers deems appropriate.
(DESCRIPTION)
Wednesdays with Woodward webinar series. Cybersecurity Playbook: Creating Your Checklist. Logos for American Property Casualty Insurance Association, University of South Carolina Darla Moore School of Business, Travelers Institute, Travelers, UConn School of Business
(SPEECH)
Check out the chat feature now for ways to ask our experts a question during today's session and for a full list of our partners for this program. Now let's get started.
Just a few weeks ago at the beginning of October, we hosted a webinar on the battle against cyber crime discussing efforts from the insurance industry and the government to investigate, prosecute, and deter cyber criminals. Well folks, it broke records over here at Wednesdays with Woodward. We had thousands of guests dial in and watch the replay. So we generated so many audience questions during that session, we had no choice but to schedule round two to keep the conversation going today.
If you joined it, welcome back. And if you missed it, we're going to put a link in the chat right now so you will be able to watch that replay. We had a representative from the Department of Justice on that call. And he was very, very interesting in terms of what he was telling us about how DOJ handles cyber crime.
(DESCRIPTION)
Photos and text, Speakers. Joan Woodward, Executive Vice President, Public Policy; President, Travelers Institute, Travelers. Jennifer Coughlin. Founding Partner Mullen Coughlin. Jeff Klenk, Executive Vice President and President, Bond & Specialty Insurance, Travelers
(SPEECH)
So I'm thrilled to welcome my friend Jeff Klenk back. He's Executive Vice President here at Travelers and President of Bond and Specialty Insurance. Jeff manages Travelers’ worldwide surety, management liability offerings, which includes every cyber insurance product we sell. And prior to that, he was Executive Vice President responsible for Travelers' management liability businesses.
Joining him today is one of the leading cyber breach coaches in the world, Jennifer Coughlin, who is founding partner of the cybersecurity and data privacy law practice Mullen Coughlin. Jennifer counsels clients of all sizes across all industries in investigating and responding to data breaches and assists them with legal, compliance, and disclosures. So in a word, she's seen it all when it comes to cyber breaches.
Jeff and Jennifer, welcome to the Woodward platform.
(DESCRIPTION)
Coughlin in a video window in the upper right corner.
(SPEECH)
We're thrilled you're here. And I'm hoping that, Jeff, you could kick us off today.
(DESCRIPTION)
Klenk replaces Coughlin in the video window.
(SPEECH)
You were here on this virtual stage two months ago. There was a lot of engagement. The chat was blowing up, lots of questions. What were your key takeaways from that audience during that session, and why did you want to continue this conversation today?
Thanks, Joan. It's great to be back. It's wonderful to actually get invited back here to one of these. That's a good sign. And you and the Institute have been great partners. As we're going to talk about today, education and awareness is one of the most important things that we need to do on this front from an industry perspective and a national perspective.
So I appreciate your partnership. And, Jennifer, it's wonderful, our cyber experts have been singing your praises for a long time. It's wonderful to get to be here with you today. Thanks for coming. I'm looking forward to your comments.
Joan, to your question, the last session was great, a couple of thousand people asking lots of questions, to your point. Eddie Chang, an assistant US attorney, really, I described him as a cyber guru, but somebody who gave us the prosecutors' and the federal government's view on the current threat landscape.
And I noted specifically to your question the breadth and the depth of the questions that we got. And as you know, we had more than we could get to. You and I spoke right afterwards. And the question was should we do another one soon to try and get to them. And we'll try and do a better job today in getting to them.
(DESCRIPTION)
Text, Ransomware Is Increasing Rapidly. 304 million ransomware attacks worldwide in 2020. A ransomware attack is expected every 11 seconds. Cyber is the #1 concern across all businesses.
(SPEECH)
I had a huge takeaway in the context of the need for partnerships was something that we needed to get at in order to face this dynamic threat.
And when I say partnerships, I'm talking inside the insurance industry, certainly like we talked about our participation in cyber activity during that session but also partnerships with the federal government. And so that was one of my big takeaways. And so from sharing data to improving cyber hygiene and threat security positioning, there's a host of things that we can actually do together to improve the overall outcomes. And so, I think, as I talked about this with Tim Francis our enterprise cyber lead, you know, we really hope that we capitalize on the moment that we make sure that we're seizing the opportunity and the energy that exists inside both the government and in the private sector to move things forward.
And so let's talk first and foremost, maybe, about ransomware. And while it's but one of a host of cyber threats that companies face, it is increasingly becoming the leading exposure, rapidly growing in frequency, with attacks now happening every couple of seconds. And it's the predominant exposure, and when you look at how we're trying to educate our insureds and respond from an underwriting perspective, it's a main focus for us right now.
And related to that-- and I'll talk more about it in a few minutes-- the Travelers Risk index, which is a survey of really a wide swath of our insurance companies' risk managers, has again identified cyber as the number one concern across. And so there's no question. I understand the demand and the number of questions.
(DESCRIPTION)
Why Ransomware Is Driving Claim Trend. More variants with more sophistication. Easier to monetize compared to traditional data breach. Threat actors' data & patience = larger ransom demand success. Greater decryption complexity resulting in higher exposure in restoration and business interruption loss. Evolving variants with exfiltration capabilities. Minimal risk for threat actor groups.
(SPEECH)
So moving on, why is it that ransomware is really becoming this leading exposure? And I guess if I were to sum it up pretty quickly, I'd say that the bad guys are getting smarter. They're deploying more sophisticated malware variants. They're realizing that it's easier to extort money from someone in the form of a ransom than it might be to, say, extract the data and then find some way to monetize that.
It's an easier and a more efficient mechanism for them to steal money. There's no question that they're sitting in systems longer. They're learning more about their targets. They're leveraging that data to make more significant and effective demands on those companies. Encryption technology is getting better. So the bad guys are able to be more effective in getting in there, getting the data, and locking those systems down, driving up business interruption and recovery costs and making it more expensive for us to partner with our insureds to decrypt and restore that data.
And we talked a little bit about that last time. There's not a host of successful prosecutions here. No disrespect to the government. I know that they've publicized some. They've even been effective in getting some of the money back.
But you're not seeing a lot of perp walks on national TV here. It's been a good criminal enterprise. And so one of the things that's definitely needed-- and it's crying out for more affirmative government intervention in prosecutions. And so those are some of the dynamics that are causing the proliferation of ransomware.
(DESCRIPTION)
Potential Impact of a Cyber Event. Costs. Photo depicts scales of justice with text, Forensics, Legal Consultants. Photo depicts computer servers with text, Network damages and cost to repair. Photo depicts a sign which reads, Closed Please Call Again, with text, Business Interruption. Photo depicts cash with text, Ransom payments, fraudulent transfers. Photo depicts a handshake with text, Reputational harm.
(SPEECH)
So moving on, and I think Jennifer will touch a little bit on this in her presentation too. What's the potential impact? And I've put just some of the leading dollar costs here on this page.
But from the forensics and legal consultant related costs in the event of one of these events, to the actual damage to the systems that it caused or the cost to repair it, to the dollars in business interruption as companies can't conduct their business, to the ransom payments themselves or if it was used in some way to get somebody to transfer money that they wouldn't have otherwise done, and to the always difficult to quantify reputational harm, which-- when you have a brand and you're a company out in a marketplace, there's no question that trust and security is an important part of a brand, which can really be rattled. There are a host of things that can really come in terms of cost that ransomware and cyber incidents can hit you on.
(DESCRIPTION)
2021 Travelers Risk Index. Cyber is once again leading the business concern. Despite the heightened concerns, many businesses report not implementing even basic prevention practices. Still only 56% of businesses have purchased a cyber insurance policy.
(SPEECH)
Moving on, just a little more specifics on our cyber risk index, I mentioned that earlier. And while cyber is the leading concern of businesses and risk managers, we still have uncovered a shocking or surprising lack of follow up on that either in terms of implementing even the most basic risk management practices or that barely half of them are using insurance as a means to mitigate the exposure.
And I think it's important to highlight here too-- the insurance is not just about the dollar payments in the event you've had the hacker. You have to pay a ransom. There are a lot of services both in terms of preparedness beforehand or quality folks like Jennifer, who will talk in a few minutes, that can help you when that thing occurs that come with the purchase of it. And so we have a long way to go as an industry to continue to educate on the need for the insurance and the services and a lot of room to actually penetrate more customers out there in the broader economy.
(DESCRIPTION)
Top 5 Basic Prevention Steps. 1. Have an incident response plan. 2. Securely back-up your data. 3. Implement Multifactor Authentication (MFA). 4. Patch and update regularly. 5. Use Endpoint Detection & Response (EDR) software.
(SPEECH)
I think Joan mentioned it a little bit. And moving on to the next page, when we think about preparedness, which is the subject of today's conversation, we keep it fairly simple. And these are five big buckets that we would bring to the table. Number one--have an incident response plan.
And I think whether it was before cyber or the old disaster recovery plans or crisis management plans--if it's a dusty book that you've never read, or God forbid it's actually on the system that's now been encrypted and you have no access to it--if it's not a living, breathing document that you actually understand and that your team understands how you're going to respond, then you're in trouble when the event happens. So a living, breathing incident response plan is an important part of the equation.
The backing up of your data is also an important thing. And it's a lack of leverage that the bad guy will have on you at the time they're demanding money, right. And so effective backups are an important part of the equation.
We're going to talk more about MFA. So let's put a pin in that one because we're big believers in it. I'm going to show you why. But that's an important part of the response. Regularly updated patching and updates to your software, critical. If you bought something 24 or 36 months ago and haven't taken the updates, there's a lot of threat vectors that are open on that and easy for the bad guys to get in.
And then an effective endpoint detection and response system, a software package out there that will help you see when somebody is pinging your system or looking and finding ways to get in, another good protection for companies. And so it's not just one thing. And, yes, while it varies depending on the size and sophistication of a company-- and certainly the largest companies will have CISOs and spend a lot of dough on this. Even small and mid-sized companies can effectively do what's on this page in a cost-effective way relative to the cost of potentially not having those things in place.
(DESCRIPTION)
What's the Big Deal with MFA? Per Microsoft: 99.9% of account compromise attacks can be blocked by MFA. Per Arete: 94% of ransomware victims they investigated did not use MFA.
(SPEECH)
So, talking about MFA, moving on to the next page, I would share with you these stats, which we talked about a month or two ago as well. Microsoft shares that 99.9% of account compromise attacks could have been blocked by MFA. Arete says 94% of the ransomware victims that they investigated didn't have MFA in place.
Now I don't know about you, but if I had a 100% or roughly 100% chance of stopping this type of thing-- if I were to take a particular pill or do a particular thing, that would be quite convincing to me, which is why we're seeing this data-- this is not fresh data, by the way. This is not a-- this is not a this-month news release. This is information that's a year plus old. And so that's why early in 2021 we started to pilot and play with this.
And in the middle of the summer of this year, we got more directive. And on our new business accounts and on our renewal accounts, we were really looking for MFA to be in place in order for us to feel comfortable with the risk. That's not just for us, that's also for the insurers. Whatever we can all be doing to educate and raise the level of understanding of these issues is going to put us all in a better position from a managing of the risk perspective.
And so moving to the next page,
(DESCRIPTION)
MFA Implementation & Adoption. A bar chart of Multifactor Authentication Familiarity indicates 63% Extremely/very familiar, 25% Somewhat familiar, 12% Not too/not at all familiar. The percentage Extremely/very familiar in 2019 was 49% compared to 55% in 2020.
(SPEECH)
our Travelers Risk index actually went a little further this last time-- and I really appreciate them doing that-- and started to probe MFA. Have you heard of it? Are you going to do anything about it? If you haven't done anything about it, what are the reasons behind that?
So the good news here is that the number of folks familiar with MFA has gone up, still a lot of people who aren't. So we still have a ways to go.
(DESCRIPTION)
A pie chart indicates the percentage of Multifactor Authentication Implementation. Company has done this, 57%. Company has not done this, but considering doing it, 35%, Company is not likely to do this, 8%.
(SPEECH)
And, yes, there's a decent jump where people reported that they'd actually done something on MFA, more than half. So that's good. But we still have a way to go.
(DESCRIPTION)
Reasons do/will NOT use Multifactor Authentication. I don't know what options exist, 29%. The cost is too high, 22%. We have other controls in place, 21%. It is incompatible with the current system infrastructure, 11%. It is too inconvenient for users, 10%. Other, 6%.
(SPEECH)
But if you look at the why I wouldn't do it on the right-hand side of the page, lack of education, concern that it's going to cost more money than it likely would cost. There's a real opportunity for us together to get the message out that this is something that is available, is probably already available in the software packages that these companies are buying. And they may just need to turn it on. Education is a big part of this conversation.
And I thank you all for tuning in. And that's one part of what we've got to do is talking about it together.
(DESCRIPTION)
Travelers Cyber Pre & Post Breach Services. Travelers, eRisk Hub (registered trademark) Powered By NetDiligence. SentinelOne (registered trademark) Endpoint Detection & Response (EDR). Symantec (registered trademark) Cyber Resilience Readiness Assessment & Cybersecurity Professional Consultation. Symantec (registered trademark) Security Coach Help Line. Symantec (registered trademark) Cyber Security Awareness Training Videos. Cyber, Breach Coach (registered trademark). Travelers Claim Services. Additional Consultation Available Through Travelers Cyber Risk Control. All third party trademarks are the property of their respective owners.
(SPEECH)
And then moving on again, while we think MFA is absolutely a big deal, it's not the only answer. And I won't drain everything on this page, but I will share with you that we believe pre and post breach services are also critically important.
We have partnerships with companies like Symantec. We've got other partnerships for post breach services. We actually have an entire platform that our insureds can use to access these systems to get videos to learn to calculate the costs of what a potential breach might mean to them and to access additional consultation with us and our claim professionals and our dedicated cyber risk control professionals in order to put them in a better position.
And so in a brief 11 minute whirlwind, that's the story. And the partnerships are important. And I think that speaking of an excellent partner now is an excellent time for me to turn it over to Jennifer to go a little bit deeper.
Great. Thank you, Jeff.
(DESCRIPTION)
The (Potential) Incident Response Roadmap. Detection, Notification of Carrier and Engagement of Breach Coach, Engagement of Forensic Investigation Firm, Restoration, Engagement of Mailing, Call Center and Credit Monitoring Providers, Disclosures, As Required (Law, Contract, Courtesy): Internal, External; Law Enforcement; Individuals; Regulators; Consumer Reporting Agencies; Media; Business Partners. Mobilization of Internal Incident Response Team, Notification To Law Enforcement, Engagement of Negotiation And Payment Firm, Engagement of PR Firm, Data Mining, Litigation / Claims: Single Plaintiff; Class Action; Regulatory.
(SPEECH)
Thank you everybody for joining us today. And again thank you to the Travelers team for including me in this presentation.
(DESCRIPTION)
Coughlin now in the video window.
(SPEECH)
What I'm going to cover today is education on some key points, including the Incident Response Roadmap, trends that we've seen over the past few years, and regulatory developments that we've seen in about the past 14 months.
So on the screen now is a slide that shows the potential incident response roadmap. Why do I say potential? Because no two incidents are alike and no two incident roadmaps will be the same. So on this screen you're going to see how it starts from the point of detection. And the detection of a ransomware event may be like what you hear on the news, which is somebody turns on their computer screen and sees a skull and crossbones and a note saying, give me your money. I've encrypted your systems.
But detection is what will kick off the incident response roadmap. And after detection, you're going to see the mobilization of the internal incident response team. Who is the internal incident response team? These are stakeholders within your organization that are trained and tapped to conduct the evidence preservation and investigation into any type of event impacting the security of your data or your systems.
Then you're going to see the notification of the carrier, Travelers, and also the engagement of the breach coach, us. And the role of the breach coach is interesting. We are an attorney. We are providing data privacy counsel to the organization and the investigation in response to the data privacy incident. But we're called the breach coach because we quarterback the entire incident response process.
And you'll see other stakeholders and players in the incident response process on this roadmap. We're the ones engaging them. We're the ones directing them so that we can best protect to the extent possible what they're doing, what they're finding, and what they're telling us and what they're preparing in attorney-client privilege.
So we are engaged directly by the victim organization and we kick off the investigation process. Now in a ransomware matter-- and I'm going to touch on this in a few minutes-- again, after we are engaged we notify law enforcement. And we think that is a key step in the incident response process for a ransomware incident. We want to make sure that law enforcement knows of the incident, of the impact to the victim organization, and that we are responding to the incident.
And again I'll talk a few minutes from now on more details on why that's important. We're going to be engaging a forensic investigation firm. And this firm is responsible for assisting us in identifying the nature and scope of the incident, what happened, how it happened, is it ongoing, what information may be at risk as a result of the incident, what steps should be taken to better prevent something like this from happening again in the future. And we're going to rely upon the findings of the forensic investigation firm to determine legally and contractually what obligations to disclose or document or otherwise the victim organization may have as a result of the incident.
Now in a ransomware event, we may find the need to engage with the threat actor and possibly pay the threat actor. And there are some forensic investigation firms that do the negotiation and payment in-house. Other times we are bringing in a different party to do the negotiation and payment with the threat actor. I will say that you can engage in communications with the threat actor without committing to payment of any monies to the threat actor. And there's some positive strategy behind doing that because we might want to buy some time to really understand exactly what happened.
We're also going to be working with the firm that's going to assist in the restoration. And sometimes this is something that's offered by the forensic investigation firm. Other times it's another firm that we need to bring in to assist the organization in recovering from the incident either via restoration from backups or utilization of the decryption key or both. Sometimes we need a public relations firm to assist in the response process. And this firm would be assisting us in crafting, messaging, and holding statements for internal and external audiences related to the incident.
And there are certain times that you experience a ransomware event where it is a reportable event. So taking one step back, you can have a ransomware incident that is not reportable under law, it is not reportable under contract. You can have a ransomware incident where there are a lot of reporting obligations as a result of the event.
And that's why it's important to work with the forensic investigation firm to understand exactly what was accessed if anything at all, what was exfiltrated if anything at all so that we can conduct our legal analysis and provide counsel to the organization on what disclosure and documentation obligations they may have. But to the extent there is any disclosure that may be due, we would be working with a vendor that would provide mailing services, call center services, and also credit and identity monitoring and restoration services.
Data mining is something that you sometimes see necessary in a ransomware incident. And it's going to be contingent upon the findings of the forensic investigation firm. If there is a set of data that is at risk as a result of the incident, we need to understand is there any information protected by law or contract within that set of data and if so, what that data is and to whom it relates and to whom it belongs so that we can provide guidance to the client on exactly what disclosure and, again, documentation obligations the event may have caused the organization to have to undertake.
And then if there are any disclosures, we are supporting that disclosure process and it can be to individuals, to regulators, to consumer reporting agencies, to business partners, to the media. It's going to depend upon the type of incident, the attention that the event has attracted, and also the legal and contractual obligations as a result of the incident. And sometimes you see litigation and claims arising from the incident.
I will say, you see these milestones on the road map on this screen, they don't always happen in this order. Detection will always be the first thing. But you may have-- some of these milestones happen in an order different than the roadmap because, again, no two response processes are going to be similar. It's going to be nuanced to the organization and the event that they are experiencing.
Moving on to the next slide,
(DESCRIPTION)
2019, 2020 & 2021 (as of 10/19/21) Claims Data – Type of Incident.

| Type of Incident | 2019 | 2020 | 2021 (as of 10/19/21) |
|---|---|---|---|
| Ransomware | 644 | 1,024 | 933 |
| Business Email Compromise | 488 | 805 | 810 |
| Third-Party Breach | 69 | 654 | 504 |
| Other | 1,150 | 1,075 | 1,075 |
| Total | 2,349 | 3,558 | 3,558 |

Other includes "Inadvertent Disclosure," "Network Intrusion" and Other / Unknown.
(SPEECH)
so this data is super interesting. So like Joan said, we are a firm of attorneys that do nothing but counsel organizations in the context of data privacy. So what that means is we are seeing lots of matters all related to incidents where there's data being subject to unauthorized access or unauthorized acquisition.
So just some background information, we started the firm in October of 2016 with 13 attorneys. We are now in December of 2021. And we have over 90 attorneys. And the growth is really directly related to the increase in cybercrime. The criminals have figured out that this is a great way to monetize their efforts and make a lot of quick money.
Like Jeff said, they don't need to exfiltrate the data and then perform identity theft or sell the data on the dark web to make money. They are now able to monetize their efforts much easier via ransomware events. So in 2019 we had 644 ransomware matters, 488 business email compromise matters, and 69 third party events. These are the top three types of incidents that we've seen over the past three years.
In 2020 we had 3,558 matters come into the firm, 1,024 of which were ransomware. 805 were business email compromise. And 654 were third party events. And then in 2021 as of October 19-- so this is a few weeks old-- we are at 3,558 matters into the firm, 933 ransomware matters, 810 business email compromise, and 504 third party events. So you can see that ransomware and business email compromise and third party events are the top three types of incidents that we're seeing, but ransomware continues to be the flavor of choice and the attack that is launched most often against US organizations.
(DESCRIPTION)
2020 & 2021 (as of 10/19/21) Claims Data – Ransomware.

| | 2020 | 2021 (as of 10/19/21) |
|---|---|---|
| Ransomware Incidents | 1,024 | 929 |
| Average Ransom Demand | $3,800,000 | $2,495,315 |
| Average Ransom Payment | $580,000 (255 payments) | $644,853 (185 payments) |
| Median Ransom Payment | $154,000 (255 payments) | $210,052 (185 payments) |
(SPEECH)
Moving on to the next slide, so this slide is super interesting because it dives deeper into ransomware. So, again, in 2020 we saw 1,024 ransomware matters. In 2021 as of a few weeks ago, it's 929. The average ransom demand in 2020 was $3.8 million. The average ransom payment in 2021 is about $2.5 million.
I'm sorry the average ransom demand in 2021 is $2.5 million. The average ransom payment in 2020 was $580,000. We had 255 payments made which works out to be about 25% of the ransomware matters. And in 2021 we are at about $645,000 with 185 payments being made which works out to be about 20 or so percent. And the median ransom payments, 154 in 2020 and 210 in 2021.
(DESCRIPTION)
Ransomware incidents by industry sector, shown on two pie charts (count and percentage).

| Industry Sector | 2020 | 2021 |
|---|---|---|
| Hospitality and Entertainment | 85 (8%) | 71 (8%) |
| Manufacturing and Distribution | 227 (22%) | 196 (21%) |
| Non-Profit | 31 (3%) | 35 (4%) |
| Other | 3 (0%) | 2 (0%) |
| Technology | 122 (12%) | 101 (11%) |
| Education | 64 (6%) | 42 (4%) |
| Energy | 24 (3%) | 17 (2%) |
| Financial and Professional Services | 278 (27%) | 334 (36%) |
| Government | 79 (8%) | 37 (4%) |
| Healthcare and Life Sciences | 111 (11%) | 94 (10%) |
(SPEECH)
And you'll see the industry sectors that we note up here. So are there any industry sectors that are immune to ransomware or better secured? The short answer is no. You can see from this slide that we have organizations from all different industry sectors being victimized and experiencing ransomware attacks.
And we do not believe that the threat actors are going to be targeting some organizations more than others. We think that they first target vulnerabilities that they can identify. But once they get into organizations' systems, they are looking at data in the systems.
And in the negotiations that we conduct with them, they tell us they pull data from the data on the organization system and say, we know that we can assess a demand of $10 million because you made $10 million in profit last year. Or your CEO just got a $5 million bonus. Tell them to give it back and pay it to us instead.
Do organizations from all industry sectors respond to a ransomware attack in the same fashion? No. There are some organizations in certain industry sectors where you see payment more likely and payment less likely. And that is most often attributable to the preparation efforts the organization has undertaken.
You do see a lot of organizations in certain industry sectors being less likely to pay because they do have backups from which they can restore. Sometimes they are able to detect the incident earlier and they are able to stop the incident before it gets too widespread throughout the system.
(DESCRIPTION)
2020 & 2021 Claims Data – Ransomware, Continued. Two pie charts (as of 10/19/2021; some matters are ongoing, and a ransom payment / reason has not been determined).

| 2020 Ransom Paid vs. Not Paid | |
|---|---|
| Paid | 255 (25%) |
| Not Paid | 770 (75%) |

| 2020 Ransom Payment Reason | |
|---|---|
| Key Only | 177 (69%) |
| Key & Delete | 66 (26%) |
| Delete Only | 12 (5%) |
(SPEECH)
But the big question I'm sure everybody is asking is does everybody just pay the ransom? And the short answer is no.
So you can see on this slide-- and we're going to go to the next slide as well-- that in 2020 we had 25% of our ransomware clients pay the ransom. 75% chose not to pay the ransom. And the reason for the payment in 2020, 69% of the time it was for the key only. So they didn't have backups from which they could restore, and there was no data exfiltration. But they needed the key in order to regain access to their data.
66 of those matters, or 26% of those matters, it was for key and delete. So there was data that was exfiltrated from the system. And they also needed the key because they did not have backups from which they could restore. So they were paying for the decryptor as well as a promise from the threat actor. So I use, air quote, "promise", from the threat actor to delete the data and not publish it on the dark web or circulate it or use it in any other way.
And then 5% of the clients it was delete only. So they did not need the key. They had backups from which they could restore. But they made the business decision that they were going to pay for the promise of deletion from the threat actor.
(DESCRIPTION)
2020 & 2021 Claims Data – Ransomware, Continued. Two pie charts.

| 2021 Ransom Paid vs. Not Paid | |
|---|---|
| Paid | 185 (20%) |
| Not Paid | 744 (80%) |

| 2021 Ransom Payment Reason | |
|---|---|
| Key Only | 76 (41%) |
| Key & Delete | 79 (43%) |
| Delete Only | 30 (16%) |
(SPEECH)
And moving on to the next slide, this includes stats for 2021. About 20% of the matters thus far have paid the threat actor. 80% of the time our clients have said, we are not the threat actor. We do not need to pay the threat actor. And we choose not to pay the threat actor. And the payment reason, 41% key only.
So, again, they didn't have backups from which they could restore. 43%, it was key and delete. And 16% it was delete only. And we're seeing a direct correlation to organizations choosing not to pay with their preparation efforts, including the things that Jeff mentioned earlier, including having backups, including having EDR on the system, which will detect and quarantine the nefarious activity before it becomes too widespread in the system. But all of that being said, even though more often than not our clients are not paying the ransoms, ransomware is still a very big problem for the US. And the government is very much invested and interested in how we are responding to the ransomware events and how victim organizations are responding.
Next slide, please.
(DESCRIPTION)
Ransomware Regulatory Developments.
- October 1, 2020: OFAC’s Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments.
- October 1, 2020: FinCEN’s Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments.
- October 8, 2020: DOJ’s Cryptocurrency: An Enforcement Framework.
- September 21, 2021: OFAC’s Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments.
- October 2021: FinCEN’s Financial Trend Analysis - Ransomware Trends in Bank Secrecy Act Data Between January 2021 and June 2021.
- October 2021: OFAC’s Sanctions Compliance Guidance for the Virtual Currency Industry.
- Several pending bills.
(SPEECH)
And some of this is duplicative of what Eddie and Jeff spoke about in October. So I won't go into too much detail. But you'll see on this screen that we've had several guidances issued over the past 14 months that relate to ransomware events and how organizations should respond to ransomware events from the perspective of government, the first being the October 1, 2020 advisory from OFAC.
And this was noteworthy because from their perspective, they said on paper on that date what they've been saying to us all along. But the OFAC advisory talks about the importance of doing due diligence prior to payment being made. It states that payment is discouraged. It also discusses significant mitigating factors that would be considered if there were to be some type of payment made in violation of law and an enforcement action pursued by OFAC at a later time under the theory of strict liability.
And the significant mitigating factors include reporting to law enforcement, which is why that is one of our first steps when we are engaged in a ransomware incident response process. We want to make sure that if an organization that we counsel is somehow subject to an enforcement action in the future they have the ability to argue several significant mitigating factors, including reporting to law enforcement.
On October 1, 2020, the same day as the advisory, FinCEN issued an advisory on ransomware and the use of the financial system to facilitate ransom payments, and this discusses the need to file suspicious activity reports in connection with ransomware events. On October 8, 2020, the Department of Justice issued a framework. And the takeaway from that framework was that payment should be made in Bitcoin. Payments should not be made in truly anonymized cryptocurrency.
In September of this year, OFAC issued an updated advisory on the potential sanctions risk for facilitating ransomware payments. And this was noteworthy because, one, it shows OFAC continues to be interested in this. But it also introduces the Office of Cybersecurity and Critical Infrastructure Protection and certain reporting that should occur to that office if there are any certain payments made.
It also provides additional detail on enforcement actions, including that enforcement actions may occur and the public may never be made aware of the enforcement action occurring. So I can tell you that publicly we are unaware of any enforcement actions being pursued by OFAC in connection with a ransomware payment in response to a ransomware event. It also notes the sanctioning of Suex, a certain cryptocurrency exchange.
Then in October of 2021 FinCEN issued a financial trend analysis. And this is super interesting. It says, "for ransomware-related suspicious activity reports filed between January 1 and June 30 of 2021, there was $590 million in suspicious activity reported to FinCEN." 635 SARs were filed, 458 transactions reported. That is a lot of money just in the first half of this year in connection with ransom payments. And it also notes the most commonly reported variants and virtual currency wallets that were utilized for the top 10 types of variants.
And in October of 2021, OFAC also issued a sanctions compliance guidance for the virtual currency industry, which talks about certain organizations needing to evaluate risk and build certain sanctions compliance programs. There's also several pending bills that all in some way, shape, or form require reporting by certain organizations to certain offices of certain information within a certain period of time. And I utilize certain because it's still being ironed out.
But you've got some deadlines of 24 hours, some deadlines of 72 hours. Sometimes it's being proposed as only applying to organizations involved in critical infrastructure or being a federal contractor. So there are some bills. There are some that have some great traction. And they may pass in the coming few months.
So what does this all mean? What is the takeaway? The takeaway is that cybercrime is at an all-time high. The cyber criminals are extremely financially motivated now more than ever in attacking US organizations.
Businesses need to be as prepared as possible to detect and defend against these attacks. And I think organizations have made great progress in that given the stats that we have on payment. And businesses need to be as prepared as possible to respond to these attacks after they detect them.
(DESCRIPTION)
Woodward returns to the video window in the upper right corner. She then shares the screen with Coughlin and Klenk.
(SPEECH)
Jennifer, that was just really rapid-fire amazing data, great slides, great content and context for all of our guests on the phone today. And I'm going to bring back Jeff now to the conversation. And we have reached another record here. We have over 60 questions coming in from the 3,000--
I read through them too, Joan. I want to give credit to everybody. There's several good ones in there. And so if you fire through them, great. If not, I've written some that rapid fire need to be addressed.
We'll do that. OK. But first a couple of things. One, a couple of questions coming in, are these seminars open to your customers and your clients? The answer is yes. Every time you get a Wednesday invitation, pass it on to your entire list of clients and customers. We're happy to have them on these calls.
And two, we're going to turn the tables on the audience just for a minute, Jennifer and Jeff, and ask you two questions. And we're going to get the pulse of the audience with these questions. So first, let me read it so everyone can kind of take a look. What are the two biggest hurdles for cybersecurity at your organization or those you advise?
Lack of leadership commitment, complacency. It's not going to happen to me, of course not. We're good. Underestimating the business impact of a breach, cost of implementation, or competing business priorities, which is always a big one for people trying to figure out where to put their investments-- so what are the two-- you can choose two here on this list, biggest hurdles for addressing cybersecurity.
OK. We're going to call it now. The two largest, complacency, it's not going to happen to me. I'm good. I'm very, very cyber hygiene up. Underestimating the business impact, so those are the two largest kind of categories here. And then obviously the cost of implementation. Everything has a cost.
But the question is, is the cost of implementation going to be greater than the cost of hiring Jennifer and her firm and having to pay ransom and having to pay legal bills and forensic look at all the data? So interesting, let's hold that thought for a minute. I'm going to go to the next question. This is our last question for the audience. So let's try to pull that up.
Of the cybersecurity steps below, which need more attention from your organization or the clients you counsel? So having that incident response plan like Jeff talked about, securely backing up your data, implementing MFA, which Jeff talked about a lot, regularly patching and updating software or using endpoint detection and response software. So which one of those would you say your organization needs more attention?
OK. So it looks like 60% of you talk about the MFA. So, Jeff, we still have folks out there that don't do this. And as Jennifer showed in her slides, if you don't do it, you're really at risk for a breach. And then having an incident response plan-- So, Jeff, why don't I turn to you first to just comment on these audience results, maybe this one first and then the other one next.
So I guess my comment-- I have to minimize the polling question. My comment on that would be, please do all five and that the most immediate thing equated to wildfires in the West-- multifactor authentication right now will be the most effective thing in the short run to stop the fire as it's coming through your house. But all of them because there's some great questions in there about, well, what about phishing.
Absolutely. All of those things require other training, other understanding. Back to the first question, I would have picked other on what the barriers were because frankly getting employees engaged in the training to spot in the first line of defense-- please, God, don't click on that link or button in the email that you just got because you've just turned over the entire company to somebody in whatever country, right.
And, I guess, also relative to that first question, Joan, that's not a surprise to me that there's still complacency. Maybe the insurance costs too much money. I don't understand. Almost every new coverage we've had-- and maybe employment practices is the best example. Nobody was buying that coverage until they had a large claim. It costs $400,000.
And then they realized, wow, a couple thousand dollars policy and better risk control that came with it would help prevent it. With cyber I know it varies depending on size of company. But a small mid-sized company can spend a couple thousand dollars.
Maybe it's getting more expensive now. But for $1 million limit, get services. If they actually suffered one of these events, it's catastrophic. And so it doesn't surprise me. The trend is similar.
Joan, if I could just add to that a little bit. Travelers has figured it out. If you go back to the road map slide that I had on the screen earlier-- and I talk about all the different players in the response process and everything that needs to happen. And while the timeline may be different, the milestones may fall different on the timeline for certain organizations and certain events.
Organizations, all they have to do is call Travelers and they have the ability to set that into motion. And the organization isn't vetting who to use. If you're experiencing a Conti ransomware event-- I have at least 10 other Conti ransomware matters in my firm right now-- I'm going to work with somebody who's doing those.
We're going to build on the efficiencies. We're going to be able to build the threat intelligence. And we're going to be able to best counsel and best position the organization to respond. So the it's not going to happen to me, I strongly disagree with anybody who thinks it will not happen to them because it definitely will. And you look at the stats, those are a lot of organizations that have said the same exact thing. And they ended up picking up the phone and calling us.
And just to follow up, Jennifer, because this was asked several times in the Q&A. It's not only going to happen; it's going to happen Friday night at 7:30 or on Saturday morning or in the middle of the night. One of the questions is, well, what happens? We've got 24/7 coverage. It's not if it happens, it's likely to happen in a terribly inopportune time. And you need to have the resources ready to go during that time.
Yeah. I mean, even just over Thanksgiving, there was lots of warnings. While you're relaxing and having your dinner, people around the world don't have Thanksgiving. So these actors in these different countries are very actively preying on us who think we have our guard down. So the holidays, again, are a really important time to make sure you have that coverage before the holidays.
OK, Jeff, you mentioned risk control. And I want to dig deep a little bit because we have a lot of questions about-- so you're a Travelers customer, what risk control advice or services do we provide because that checklist was really fantastic? And everyone's asking for the slides on the Zoom chat. But talk about risk control because that's really a key element. Even before you get to buying the coverage, you want to have that process in place.
So it's a big bucket. We've got fantastic dedicated claim professionals. But we've also got several people who are dedicated forensic, government employed, FBI, Homeland Security, folks like Eddie from the last session--he worked with us for a five, six year period of time--who are focused on what's the latest, what's going on. They're plugged into the active intelligence that's going on right now. And so we've got internal resources.
But in addition to that, we've got external resources. And I know one of the questions that's going to get asked--at some point it has to do with MFA. Let's use that as an example. How do I turn it on? Or what do I do with this? I don't understand it. Well, we offer access to Symantec through our pre-breach services.
A year ago, they were maybe getting 20 phone calls a month. I mean, that's not a lot. We have a lot of insureds. A year later they're now averaging about 500 calls a month, right. So think about the increase there relative to the noise and the threat that everybody's under. And the lion's share of them are, talk to me about MFA. How do I turn it on? Where is it? Right.
And so I think, Joan, the demand for help and sort of the tech support, we’ve absolutely built into some of the services that we provide. And it's so important to think about the insurance not just in terms of the payment or the crisis but the hygiene, the risk control on the front end. Yeah. Good question.
Yep. Tim Francis, who works with all of us in your organization, and I were at the Plus conference just a few weeks ago. And we asked for a show of hands. And a surprising number of people in the audience did not already have the MFA. So good point. All right, Jennifer, we're going to do some rapid fire with you. So if you're breached, does that make you more or less of a target for it to happen again and especially if you pay the ransomware?
I think it depends on how you respond because if you just pay the ransom and you don't take the time to understand how the event happened, how they were able to gain access to your system, and really, really confirm and understand the nature and scope of the incident and take the steps necessary to further secure your system, I think you are more likely to be a victim again because you're leaving yourself open. I think experiencing an incident, it can absolutely be an end of life event for organizations. But it will always be an educational opportunity on what they can do better. And organizations that go through the process of doing the right incident response and making sure they understand what happened, buttoning up their systems are going to be better prepared to detect and defend against future attacks.
Great. OK. Another question with regard to the Colonial Pipeline ransomware case. We saw that the government was able actually to recover a portion of that ransom that actually got paid. How often does that happen?
I will tell you in my experience, I have had that happen on one matter. It was a partial recovery. This is interesting, though. On this matter, we were working closely with the FBI throughout the negotiation process.
Before we made payment, we obtained the Bitcoin wallet from the threat actor. And we gave it to law enforcement. And law enforcement was able to watch the money flow and watch it continue and continue. And it may have just been the stars aligned because it ultimately ended up-- part of the payment ended up in the wallet of somebody who was on the radar for carding.
So we were able to identify who had that wallet. And we were able to get that money back. But if you look at some of the proposed pending bills, there's one that says report the payment 24 hours after the payment is made. So I think if you report the payment earlier and you provide the Bitcoin wallet, the government's going to be able to watch it and track it and possibly recover. But this is something that organizations should not expect to happen in every case.
OK. Jeff, to you, so a lot of recent articles we're reading suggest that cyber insurance policy prices are rising, yet coverage is shrinking. So this is an industry phenomenon. So comment on that for us. Give us your view.
Sure. There will be no pricing predictions in any way, shape or form coming out of my mouth. But we've talked about the trends, right, both frequency and severity, a fairly straight line, rapidly in the last, call it, 18 to 24 months going up. No surprise that there's reports of increased pricing. We too have been seeking to address price issues.
Also absolutely some insurers are out in the marketplace doing some things by way of endorsement to limit the coverage and to try and attack it that way. Probably the most common thing is there's really a shrinking in the amount of limit, the limits that companies are looking to provide. So that makes it difficult to place the coverage and get what you're looking for.
While we've been certainly going after appropriate rate increases to match up to the exposure, you heard what our focus is. We're not really talking about the wording of the coverage or the cutting of the limits, we're much more focused on what's the security in place, has the organization gone after it, and where something like MFA is going to be darn near 100% effective.
Let's talk about how we get that in place. And when the bad guys pivot-- I know another question I always get is what's next after MFA? Great news, I have no idea. But whatever it is, we're going to partner with the Jennifers and the Symantecs and everybody else to figure out how do we stay ahead of that. Maybe it's EDR. Maybe that's got to really be more effectively in place. Whatever the next thing is, we've got to stay nimble because the bad guys are.
Exactly. So just, Jennifer, a lot of questions about how long do cyber insurance claims take to be resolved from kind of start to finish. When you get that call, how long does it take your firm and doing the forensic investigation, working with Travelers or others? How long from start to finish?
I hate to give the lawyerly answer of it depends, but it really depends. It's going to depend upon the type of incident. It's going to depend upon how quickly the forensic investigation firm can get their hands on the artifacts. It's going to depend upon how quickly we become involved.
We've had plenty of organizations come to us and say, we tried to do this on our own. We did it wrong. Can you help us so we actually can take a few steps back before we move forward again? But it's also going to depend upon do you have any disclosures.
And if so, what's the tale after you do those disclosures? What type of regulatory investigations are you going to be subject to, any claims or litigation that you may be subject to? So it absolutely depends. And there's no one answer for that question.
OK. So getting to your questions, audience members, thank you for putting 70-something questions in the chat feature here. So Lisa Jensen of Woolverton Insurance in Colorado, "are there industries where cyber insurance might not be essential, such as contractors who don't do a lot of work online?" Good question.
So I'll go first, Jennifer, and just say, if you rely on data or computers at all, then you're exposed here. And so while I understand that some industries may be more exposed, we've gotten to a point--if you can't talk to your customers, if you can't talk to your employees, your business is in trouble. And so contractors is one that comes up a lot like, well, contractors, right, they're out moving the Earth around or doing whatever.
They are also dependent. We're a big writer of contractors on the surety and the P&C side. They are actively asking these questions. So everybody has this exposure in my opinion. Jennifer, I don't know if you--
I agree. I do agree. And, Jeff and Tim, I don't know if you remember a few years ago when manufacturers were really not interested in buying cyber insurance because they said, we have no protected information. We don't really need it.
So just some fun stats on manufacturing clients, in 2020 we had 227 manufacturing clients that experienced ransomware and 120 with a business email compromise. 2021 as of October, 196 ransomware events, 129 business email compromises. The average ransom demand in 2020 was $1.5 million. The average ransom payment was $540,000.
In 2021 the average ransom demand was $3.8 million. The average ransom payment was $553,000. So those numbers I give them to you to show that a few years ago manufacturing said we had absolutely no need for cyber insurance. And if they don't have cyber insurance, they are looking at these costs as being out of pocket.
Yeah.
All right. Good question. Another one coming in from Craig Kutchmanich at Price Insurance Agency in Pennsylvania. Should small agencies encrypt their email? Do you suggest a password manager to manage and generate passwords?
Good question.
Jennifer?
Yeah. So the encrypted email is a tricky subject because if you send something encrypted, so long as a nefarious actor cannot gain access to the encrypted email, then all they're going to get when they gain access to the business email account is something saying you have a virtual email, whatever it may be. So I think it does go a long way in ensuring that the information is protected. But if you aren't maintaining security around the usernames and passwords that are utilized to gain access to the platform on which the encrypted email is posted and accessing that email, then it's not going to help you.
OK. Thank you. Another one coming in from Greg Magnus in Munro Insurance. If you put a customer's info in the cloud, does that absolve you from any liability?
Yeah. That's one we see a lot. So no, the cloud is not a magic shield, right. So a couple of things real quick. Just remember, when you sign a contract with a service provider, oftentimes they will also limit their liability to the amount of money that you paid them. So if you paid $400 bucks for that cloud service, they probably have something in the contract that says when Armageddon hits, they may give you $400 if you go after them.
But in addition to that, you still are liable for that data as it respects to the people who you took it from. You still have the costs associated with whatever interruption you had. You still have the reputational harm. And so do not believe or counsel folks that use of the cloud is some kind of shield in my opinion, Jennifer. I don't know if you would--
Absolutely agree. Absolutely agree.
OK. Next question from John Campos, Diversified Insurance in Utah, my friends out there. Many cyber insurers will not even quote coverage without some minimum-security protocols in place. Which are those must haves in today's world?
Yeah. I guess that one goes to me. I think it really depends on size and scope of insured. The one that's really hardcore for us right now-- size is not dependent as MFA. We expect the larger the organization that the more sophisticated they will be. So I think that's something to consider.
And I would also throw one other thing out there. When I'm speaking, for the most part we're talking about dedicated cyber policies where the limits are probably starting at a million dollars and up. There are for smaller organizations that maybe are less sophisticated options oftentimes to endorse lower limits, maybe a lower version of coverage but primarily lower limits on to, say, a BOP. We do that through our small commercial team as well.
It's a good starter coverage. It may not have as robust a breadth of coverage and certainly doesn't have the size limit protection that is routinely being used in these events. But that's how I would go after it. I mean, we just need to see a further uptake in order to help protect the companies out there.
OK. Great. So, Jeff, you noticed some questions coming out in the Q&A feature, and I know you wanted to kind of speak to a couple. So I just wanted to give you some time if there was a few out there that you want to address specifically.
There were some beauties. And I'll just go really fast. And, Jennifer, you stop me if you want to add anything to it. Did remote work drive the trends? There was a lot of noise around that. And we were concerned about it as was everybody else. Just inside our data, Tim and I were talking about this actually. We haven't really seen that be a driver.
And in fact, Tim made a comment I want to give him credit for. He's like, you know, the bad guys had so many other vulnerabilities they could exploit. It might also just be that they didn't really kind of need it. But no, remote work has not been something that we've seen as a huge driver of the trends.
Are you OK with Jennifer?
Agreed.
Yeah.
Yeah, I agree.
We touched on the cloud. Somebody asked the question; would ransomware even exist without cryptocurrency? That's a fantastic question. And I want to let you know as we've engaged with the government and with other constituents, that's a valid thing that people have brought up, right like, should we get rid of that, right, and just would that make this problem go away.
There are other issues around that. Certainly, Treasury and the government has a way to enhance the regulation of cryptocurrency to make it look a little bit closer to maybe the way even cash is regulated today. So I think you'll see more of that. And that's part of the discussion and some of the legislation that Jennifer was going through. So I thought that was an excellent question.
Somebody asked are the incident response plans just--can we make them available? I can share with you that on our eRisk Hub, which we give access to our agents and brokers and to our customers, yes, we do have draft incident response plans, structures out there and available.
Like a template, right, a template for a small or medium sized business?
Yeah, it's an example of what it would look like. Yep.
OK.
And then the only other one I got, and I thought--Lisa, you responded to the comment about the promises from the bad guys to give the data back or turn things on. And you're just like, promises from a bad guy, right.
I just want to give you this context, the bad guys want to continue their bad acting. And so believe it or not, for the most part they have an incentive to give the data back or turn the systems back on because they want you to pay the next time. They want to have, believe it or not, a good net promoter score. Some of them even have concierge level desk services, help lines that you can call to get your computers turned back on.
As disgusting as that sounds, the folks who negotiate these things do their best to quote, unquote, "get proof of life," to use a kidnapping and ransom example and then to sort of manage that you get some return when you're actually paying the money. And one other comment, we don't as the insurance company decide whether to pay or not. In fact, we're really very careful. That is completely and entirely in the hands of the insured. They work with their breach coach. They work with whatever other lawyers, forensics folks. They come up with a determination.
As Jennifer so aptly said, some people refuse on principle. I am not going to negotiate with terrorists. And you can see that in some of the numbers, right. And so I just want to make clear that's not something that the insurance company is driving.
There was a related question to that that I found interesting from Terrance Tracy. He says, are you successful in ever-- Jennifer, this is to you-- are you successful in ever negotiating down the ransom payment? And if yes, what percentage reduction from what their ask was to what you actually gave them?
So that's a great question. We do typically see the threat actors be willing to negotiate. However, there are certain threat actor groups that are notorious for not being willing to negotiate or only being willing to drop the price maybe 5% or 10%.
We have other threat actors where we've seen reductions up to 80% off of the demand. So it's going to depend upon the threat actor group that you're dealing with. But this is another reason why you want to work with the people that do this all the time. Because if I have 10 Conti ransomware matters right now, and I have 10 Conti negotiations going on right now-- if I'm working with the same firm to do the negotiations, I'm not going to know any information for organizations that aren't clients of Mullen Coughlin. But having insight into the 10 that I have and then anonymously, without names, the status of other negotiations that firm has going on, that's amazing threat intelligence that we can utilize to determine how we're going to negotiate with the threat actor and what we might ultimately get as a final demand if we do decide payment is going to be made.
OK, great. Another good question coming in from Dale Everson. So this is to Jennifer. Have you encountered clients that have appropriate system backups, but they have found restoring their systems from the backups would take way too long, so they just paid the ransom? If you've seen that, what do you counsel clients on testing how long it would be to restore from their backup systems?
Yeah. Fantastic question. This does come up. So we have organizations that say, Jen, we get it, your 3-2-1 rule, three copies of backups in two different locations, one of which is offline. We have backups from which we can restore. However, we think it's going to take about three months for us to be fully restored if we restore from backups.
And they learn it in the moment of crisis when they're completely locked up. So we tell organizations all the time, to the extent you can before you experience a ransomware event, number one, test to make sure your backups are actually backing up your data. And then two, test to see how long it's going to take, how much it's going to cost and what energy and resources will be necessary to restore from those backups. You will be able to make an informed decision in the middle of a crisis when you're experiencing a ransomware event on if we go this route, it's going to be this amount of money and this amount of time. If we go that route, it will be this amount of money in this amount of time.
Great. Great. Jeff, to you, we have a number of Canadian agents and brokers on the line. And they're asking what program specifically does Travelers offer in Canada. So we have a pretty big cyber practice as well there. Do you want to speak to that just for a quick moment?
Sure. It's a little bit of a different situation. Not all vendors have the same access. But we do actually have cyber coverage up in Canada and also have associated services offered there too. So I would just encourage them-- feel free to contact our local partner Steve Smith up there. He and his team do a marvelous job. And fair question, it does vary by geography as do the regulations, requirements, notifications, et cetera.
Certainly. And then at the travelersinstitute.org, we wrote a paper about cyber breaches. Go on our website travelersinstitute.org and download the Canadian version. And we also have a US version. So,
(DESCRIPTION)
Wednesdays with Woodward Webinar Series. Upcoming Webinars: December 8, Economic Outlook 2022 with Goldman Sachs’ Chief US Economist. December 15, Ensuring the Rebuilding of America: What's in the $1.2 Trillion Law? What Will It Mean For The US Economy? January 12, How to Negotiate Without Fear with Expert Strategist Victoria Medvec. February 2, Hit Me with your Best Shot: A Conversation with Johnson & Johnson's Joe Wolk. Register: travelersinstitute.org
(SPEECH)
listen, we have run out of time. But I want to talk to our audience about four upcoming programs we have over the next month to get you through the holidays and into January.
But first, Jeff and Jennifer, I will invite you back because we had over 120 questions put in the Q&A. We had over 3,000 people register for this webinar. And so clearly there is a demand and a need to do this every quarter. So if we can schedule you, we would love to schedule a cyber event at the Wednesday sessions next year.
So please, thank you so much for your intelligence, your advice. We really appreciate it. There will be a replay of this session. We will send it out to everyone who registered. So you will be able to see the entire replay. Ship it to your clients or your customers. It's free and open to the public. We're here to educate and inform. OK. So thank you, Jeff and Jennifer.
Thank you.
Thank you.
Onto our upcoming programs. I'm going to interview the chief economist at Goldman Sachs, where I used to work, on December 8. December 15, we're going to talk about the new infrastructure bill that just passed and was signed into law. What does it mean for insurance? What does it mean for surety? A lot of dollars, federal dollars coming into the insurance space to insure those projects. That's December 15.
January 12, I'm going to interview Vicky Medvec, a renowned book author of "How to Negotiate Without Fear Expert Strategist," negotiating with your kids to go to bed or negotiating with the cyber criminals over whether or not you pay the ransom. Lots of advice there. And then on February 2, I'm going to interview the Chief Financial Officer of Johnson & Johnson, the world's largest pharmaceutical company. Joe Wolk is going to be here to answer your questions about the next shots coming out, tax policy, how a pharmaceutical company goes through a pandemic. I'm really grateful for him joining us.
So register for any of these programs at travelersinstitute.org. Connect
(DESCRIPTION)
Watch Replays: travelersinstitute.org. LinkedIn Connect: Joan Kois Woodward. Take Our Survey: Link in chat. #WednesdayswithWoodward
(SPEECH)
with me directly on LinkedIn. I'd love to have you in my network. And again, Jennifer and Jeff, thank you so very much. Happy holidays to everyone. And we'll see you next week.
Summary
What did we learn? Here are the top takeaways from Cybersecurity Playbook: Creating Your Checklist.
Being prepared is (still) the best defense against cybersecurity threats. “It’s not just one thing, and even small and midsize companies can effectively do this in a cost-effective way,” said Jeff Klenk, President, Bond & Specialty Insurance, at Travelers. Five basic steps are:
- Have an incident response plan that’s easy to implement – “If it’s not a living, breathing document that you actually understand and that your team understands, then you’re in trouble,” Klenk cautioned.
- Securely back up your data – Jennifer Coughlin, Founding Partner at Mullen Coughlin, advised following the 3-2-1 rule: “Three copies of backups, in two different locations, one of which is offline.” This strategy, Klenk added, helps ensure “a lack of leverage the bad guys will have on you at the time they’re demanding money.”
- Implement multifactor authentication (MFA) – Klenk emphasized this as a key step, and an underwriting area to which Travelers has turned much attention. “We’re big believers in it,” he said, citing Microsoft data that MFA blocks more than 99.9% of automated account-compromise attacks. “We’re really looking for MFA to be in place in order for us to feel comfortable with the risk,” he said.
- Patch and update software regularly – “If you haven’t taken the updates, there’re a lot of threat vectors that are open,” noted Klenk.
- Use Endpoint Detection & Response (EDR) software – “This will help you see when somebody is pinging your system or looking and finding ways to get in,” Klenk explained. In practice, an EDR agent records process, file and network activity on each endpoint and alerts on attacker behaviour such as credential dumping or mass file encryption, which is what turns an intrusion in progress into something the response team can see and stop early.
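Coughlin's advice during the Q&A, to test that backups actually contain your data and to measure how long a restore takes before you need one, as an added example that is not from the webinar, Travelers or Mullen Coughlin: a restore drill in Python that restores a backup into a scratch directory, verifies every file by SHA-256 against what production currently holds, times the restore and extrapolates that throughput to the full estate. The sample files, the tar-based backup job and the 2 TiB estate size are constructed stand-ins for whatever backup product and data volume an organization really has.

```python
"""Backup restore drill: prove a backup restores intact, and measure how long it takes."""
import hashlib
import os
import tarfile
import tempfile
import time
from pathlib import Path


def manifest(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its SHA-256, so a restore is
    checked byte-for-byte rather than by 'the file names are there'."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def make_backup(source: Path, archive: Path) -> None:
    """Write one backup copy as a gzip'd tar (stand-in for whatever backup job is in use)."""
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                tar.add(p, arcname=p.relative_to(source).as_posix())


def restore_drill(archive: Path, expected: dict, target: Path) -> dict:
    """Restore the archive into an empty scratch directory, compare it against the
    manifest of what production currently holds, and time the restore."""
    # Python >= 3.12 (and patched 3.8-3.11) ships extraction filters; 'data' refuses
    # members with absolute paths or '..' so a tampered archive cannot write outside target.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    started = time.perf_counter()
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(target, **extract_opts)
    elapsed = time.perf_counter() - started
    restored = manifest(target)
    missing = sorted(set(expected) - set(restored))
    corrupt = sorted(k for k in expected if k in restored and restored[k] != expected[k])
    return {
        "ok": not missing and not corrupt,
        "missing": missing,  # in production now, not in the backup
        "corrupt": corrupt,  # restored, but contents differ from production
        "bytes": sum(p.stat().st_size for p in target.rglob("*") if p.is_file()),
        "seconds": elapsed,
    }


def estimate_full_restore_seconds(drill: dict, estate_bytes: int) -> float:
    """Extrapolate the drill's measured throughput to the whole estate. Crude, but it
    turns 'we have backups' into 'restoring everything takes N hours/days'."""
    if drill["bytes"] == 0 or drill["seconds"] <= 0:
        raise ValueError("drill restored nothing; no throughput to extrapolate from")
    return estate_bytes * drill["seconds"] / drill["bytes"]


def run_drills(estate_bytes: int = 2 * 1024 ** 4) -> dict:
    """Constructed sample data (not from any real system): back up three files, then
    create a fourth after the backup job ran. The first drill must pass; the second must
    report the new file as missing, the gap the drill exists to surface before an incident."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source, archive = root / "source", root / "backup.tar.gz"
        (source / "db").mkdir(parents=True)
        (source / "db" / "orders.sql").write_bytes(os.urandom(64 * 1024))
        (source / "config.yaml").write_text("retention_days: 30\n")
        (source / "notes.txt").write_text("backup drill sample\n")
        make_backup(source, archive)

        clean = restore_drill(archive, manifest(source), root / "restore1")
        # Hypothetical drift: a file created after the backup job ran.
        (source / "db" / "customers.sql").write_bytes(os.urandom(16 * 1024))
        drifted = restore_drill(archive, manifest(source), root / "restore2")

        hours = estimate_full_restore_seconds(clean, estate_bytes) / 3600
        return {"clean": clean, "drifted": drifted, "estimated_full_restore_hours": hours}


if __name__ == "__main__":
    result = run_drills()
    for name in ("clean", "drifted"):
        d = result[name]
        print(f"{name}: ok={d['ok']} missing={d['missing']} corrupt={d['corrupt']} "
              f"{d['bytes']} bytes in {d['seconds']:.4f}s")
    print(f"estimated full restore of 2 TiB: {result['estimated_full_restore_hours']:.1f} h")
```

Run the drill against a real backup copy, including the offline one, on a schedule rather than once: the "missing" list is what tells you the backup job stopped covering a share or database, and the extrapolated restore time is the number to compare against the ransom demand and the business-interruption cost when deciding whether to restore or to pay.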
Businesses are underinsured against cybercrime. According to the Travelers Risk Index, only 56% of businesses polled have cyber insurance policies. Klenk noted that “insurance is not just about the dollar payments in the event you have to pay a ransom,” but rather it is the expert services provided in the event of an attack that are most valuable.
“Education and awareness are the most important things that we need to do,” said Klenk. He urged the insurance industry to take a more active role in helping businesses better understand cybercrime risk -- including demonstrating why it is critical to abandon the “It won’t happen to me” mindset, as well as how investments in systems and services that protect against cyber threats far outweigh the costs associated with an actual attack. Coughlin outlined how understanding the incident response process is also key. And if an incident does occur, she emphasized the need to see it as a learning opportunity. “If you just pay the ransom and don’t take the time to understand how the event happened, how they were able to gain access to your system, to understand the nature and scope of the incident and take the steps necessary to further secure your system, you are more likely to be a victim again.”
Cybercrime is a “dynamic threat” that demands a dynamic, cross-sector response. “The government is very much invested and interested in ransomware events and in how victim organizations are responding,” noted Coughlin, before highlighting the latest federal regulatory guidance. Klenk championed cooperation between the insurance industry and the federal government, too. Optimistic about momentum in the fight against cybercrime, he concluded: “We really hope we can capitalize on the moment. That we’re seizing the opportunity and the energy that exist inside both the government and in the private sector to move things forward.”
Presented by the Travelers Institute, the American Property Casualty Insurance Association (APCIA), the Risk and Uncertainty Management Center at the University of South Carolina’s Darla Moore School of Business and the Master’s in Financial Technology (FinTech) Program at the University of Connecticut School of Business.
Speakers
Jennifer Coughlin
Partner, Mullen Coughlin
Jeff Klenk
President, Bond & Specialty Insurance, Travelers
Host
Joan Woodward
President, Travelers Institute; Executive Vice President, Public Policy, Travelers