The adoption of new and emerging technologies to stay relevant, competitive, and high performing have posed major cybersecurity concerns for nonprofits across all industries. The world of cybersecurity is highly complex and dynamic, with the landscape and threats changing daily; and, for nonprofits, contending with cyber and data demands require time, resources, and money. It’s one thing to have the right infrastructure and technology in place but it’s another to ensure that your people, processes, and systems are secure and protected. So, how do you design an effective strategy that’s right for your organization? It starts with a clear understanding of your cyber environment and the options available to you—from proactive planning to security training and proper cyber insurance—to safeguard your organization.
In this expert panel discussion facilitated by SC&H, you will hear from some of the top cyber insurers in the Mid-Atlantic about best practices for prioritizing cybersecurity and protecting constituent data and actionable insights to mitigate the operational effects of cyber threats when they do occur.
- Anthony DiGiulian, Director | SC&H Group
- Justin Felmey, Vice President | M&T Insurance Agency
- Francine Hope-Pressley, CFO | Association for Financial Professionals
- Christopher Dean, President & CEO | B/Net Systems
Anthony DiGiulian: Good morning to everyone. We’re excited about the group that we brought together today. I want to give everyone a quick opportunity to introduce themselves, and then we’ll dive into some of the content. Something I’d like a lot of the folks to keep in mind during today’s conversation as we think about cybersecurity in the current state are some of the impacts on not-for-profits and how much your organization, even your daily life, relies on technology now more so than it has ever in the last several years. Think about how much personal information, of yourself and your organization, is on your computer and your smartphone, your tablet, and for that matter, somebody else’s system. And those are some of the considerations that I think a lot of organizations have to be mindful of as we think about the risks related to cyber security. So just a quick introduction across the group and then we’re going to get into the conversation. Francine, do you want to start?
Francine Hope-Pressley: Certainly, good morning everyone. As I’ve been introduced, my name is Francine Hope-Pressley, I’m the CFO for the Association for Financial Professionals. AFP is a professional membership organization for treasury and financial planning analysis professionals, and we are the certifying body for two certificates a CTP and the FPAC. And we’re located in Bethesda, Maryland.
Anthony DiGiulian: Fantastic, Justin.
Justin Felmey: I’m Justin Felmey, Vice President of M&T Insurance Agency, located in Baltimore. I am a broker. We work with many non-profits and I personally have an interest and a specialization in cyber insurance and working with all my clients to make sure they’re best covered.
Anthony DiGiulian: Great. Thank you. Christopher.
Christopher Dean: Hi, I’m Christopher Dean. I am the President/CEO of B/Net Systems, we are a managed service provider, which for all you non-geeks in the audience, basically means outsourced IT. We handle the needs of our clients, many of which are nonprofits, and cybersecurity has definitely been top of the list for us for the past few years as the threats have increased.
How Have Cyber Threats Evolved?
Anthony DiGiulian: Fantastic, thank you. That’s one of the areas I’d like to start with, talking about how cyber threats have evolved over the last 18 to 24 months is opened up to everyone initially. How has cyber security evolved and what are some of the biggest threats in today’s current landscape that organizations need to be aware of or cognizant of? Justin, you can start from the perspective of what you’re seeing.
Justin Felmey: Yeah, absolutely. We’ve seen an explosion, a large increase in claims and hacking activity affecting companies big and small. You know, it really spreads across the landscape. What we’ve seen is that hackers and bad actors have lost no time due to COVID and exploiting the large increase in attack vectors that came with the remote work environment. We’ve seen companies that quickly adopted to pushing all this technology out to their employees who are working remotely but necessarily didn’t take all of the precautions and the needs to then go behind and secure all those new access points. A lot of companies, I think a recent survey I saw of some materials with 70 percent are still relying on just solely password-centric passwords to gain access to their systems. With the increase in both affordability and usability of some of the tokenizations or the multi factors, that still hasn’t been widely adopted. We’re seeing the threats target those folks who are just using still and relying on passwords to secure their systems.
Anthony DiGiulian: Francine, from your perspective as a CFO, over the last 18 to 24 months have you looked at cybersecurity any differently from a risk standpoint?
Francine Hope-Pressley: Certainly. You know, when we all had to begin working from home, it was certainly a key consideration for our organization. We are based in Bethesda, Maryland, so we didn’t have a remote workforce or regional offices. So this was going to be the first time that we would have so many employees, 100 percent of our employees, working remotely. What we did have in place, however, was an internal control process pre-COVID, which allowed us to begin the process of implementing MFA for certain of our applications. We had also utilized our outsource IT provider to help us with implementing training around cybersecurity and also implementing a system where we simulate phishing attacks so we can challenge and test our employees and get them accustomed to what problematic communication might look like. That’s not to say that we were perfect.
Every once in a while, maybe we get a new employee or maybe we’re busy, right? Because that’s the other thing, you’re working from home, so you maybe let your guard down a bit and you click on something that you’re not supposed to click on. What happens then? If it’s a simulated phishing attack, that employee automatically gets a notification that they’ve got to attend training once again. We were lucky in that we did have some of those processes already in place, but since we began working from home we’ve increased the frequency of those simulated attacks. We’ve changed our training to make it a little bit more involved so that employees are aware and realize that they have to be on alert. It’s not just a matter of being curious and clicking on a link, it’s that email that comes through that looks like it’s from your supervisor that’s instructing you to do something. But when you look at it a little bit more closely, you realize that the bad actor has utilized your supervisor’s name, but the email address isn’t quite right. Basically teaching our employees, it’s been an educational process for all of us, just to become more aware of all the possible ways that someone might try to attack our organization.
Anthony DiGiulian: Interesting, I know we’re going to talk a little bit more detail on some of those areas of focus going forward as well. Christopher, from your standpoint, in terms of where we are in the current landscape, ransomware is an area that’s devastating and costly to organizations looking at Baltimore County most recently and the fees and the cost associated with that attack. What are the biggest threats right now that you’re seeing? I’m sure from your perspective, you have a lot of insight into the current state and the vulnerabilities that organizations should be aware of.
Christopher Dean: Yeah, thank you. Ransomware is definitely top of the list. We’re seeing a great increase in malicious phishing attacks. It’s tough for nonprofits because they’re nonprofits, so they don’t have a big budget. This stuff is not necessarily inexpensive to fix, but it’s the way it is these days. We need to address that. It needs to be fixed. It’s now a baseline security issue. So we’ve seen a lot of chaos recently. I think it’s a combination of the increase in attacks, a lot of that. You’ve seen a lot of high-profile ransomware attacks in the media, but the other thing is COVID.
COVID has really, in a way, taken people’s eye off the ball, it’s a lot more confusing when people are working from home. They’ve got kids they have to deal with. They’re not in their work environment. They’re not as focused as they are at work usually. We found that to be a real challenge because one of the themes I’ll keep coming back to is, obviously you want to configure your hardware and software to be as secure as possible. But actually, that’s the easy part. The hard part is getting the users trained to identify malicious emails and not take action on them. What do they do? That’s the hard part and it needs to be. I think that non-profits need to start making this their basic core training that IT security needs to be part of the basic core training because that’s the world we live in. That’s one of our biggest challenges is getting the association’s leadership in the nonprofit leadership to focus on integrating that type of training into their overall training because it’s not going away. So they need to adapt.
Francine Hope-Pressley: I just want to expand on that. I think the shift that has to occur is that security is everyone’s responsibility. It’s not just IT’s responsibility, right? Because we all have access to data in some form. Quite frankly, there may be some instances where we don’t even have a full inventory of all of the data that’s being accessed and who has access to it within our organization. So just taking that step back to say, what is all of the data, the data inventory of the data, and then who has access to it? That’s almost one of the first steps along with training.
Justin Felmey: I would just echo that as well, especially some of Christopher’s points, that you can secure all your hardware and you can have the greatest outsourced IT vendor available, however, 85% of the breaches in 2020 had a human element to them. This is someone clicking on a phishing email or someone accessing something that they showed from a different device. I think what a lot of the focus from what we’re seeing is making sure that it’s an organizational objective to make sure that everyone’s aware that security begins with you and making sure that you do have those phishing programs. That is a topic of training as far as securing the data and knowing your responsibilities as a user of that data.
Don't Let Uncertainty Lead to InactionTalk 1:1 With a Cyber Expert
How Has Security Training Been Affected?
Anthony DiGiulian: From the polling question, I don’t know if you saw the results, but the results said that 41% of the respondents have not done training in 2021, and almost 37% said it has been over six months. Being that people are your largest concern as an organization when it comes to vulnerability management, how have you seen how this training evolve and what are some of the things that organizations are doing more frequently or otherwise from a training perspective to drive to the organization the associated risks related to cybersecurity?
Christopher Dean: A couple of things. I think Francine mentioned the phishing awareness training, and we do a lot of this. We partner with a company out of Florida where it sends fake phishing emails and you first send it out to everybody and then generate a baseline score. What is the percentage of phishing emails that fool people? It’s about 30 to 35 percent before training. Then as people get to run through the training, it drops to the single digits and percentages. What I always tell our clients is, I’m not worried. I don’t think your staff and your employees are stupid. I think they’re distracted. What worries me is you’re on endless Zoom call after Zoom call, and it’s just human nature to try to multitask and clean up your inbox or something at the same time. They’re just not focusing. And that’s why I think they’ll click on something that they shouldn’t click on. If the network is configured properly and user access is configured for a, we call it least privileged user access, basically, you shouldn’t have access to anything you don’t need. You shouldn’t have administrator rights on your local machine. If you do that, at least if you’re hacked, it limits the damage that can be done, but a lot of that stuff isn’t front of mind. We’ve had to do a lot of reeducation of our clients about, yes, this is important, but you’ve got to start with the fundamentals. Get those right and then we need to be training all of your staff. It’s a multifaceted approach.
Francine Hope-Pressley: I would also add that we certainly need to get those fundamentals in place, without them you could have the greatest plan to create a structure in place, but if those fundamentals aren’t operating and aren’t in place, you’re not going to be very successful. But what I have seen also is that when there is also focus from the top, so whether it’s from a governance perspective, a board perspective, from a senior leadership perspective, when it continues to filter down and everyone realizes that everyone’s got eyes on it, the importance it raises across the organization.
Risk Management and Cyber Insurance Go Hand-In-Hand
Anthony DiGiulian: That’s a great point and we talked a little bit about it before as it relates to risk management. Can you talk a little bit about how your organization does from a cybersecurity risk management standpoint, the assessment process that you guys take in looking at cybersecurity on an ongoing basis.
Francine Hope-Pressley: Putting COVID and remote work aside, one of the things that my organization has done was that we incorporated into our risk management process cyber risk, cybersecurity. I won’t say that ransomware and phishing were at the top of the list when we put that process in place, certainly not to the extent that it’s a focus now, but it was a part of one of our governance committee’s responsibilities to work with management to at least periodically subject the organization to an external cybersecurity audit. That is something that had been occurring every other year for quite a few years within our organization. Of course, as the attacks have become more prevalent, the type of audit that we’re undergoing has changed as more penetration testing is being done.
Certainly, that prepares us for the next step, which is insurance, what is our exposure, what’s covered and what’s not covered, and what is the current status of the organization from a security perspective to determine what type of insurance do we need or are even eligible for? All of this feeds into this whole idea of, should something happen you need to be clear about what your exposure might be. How are you going to respond to it? Who is ultimately within the organization the person who takes the lead on it? Are there multiple people involved? It’s akin to if you think back to like 911 and Y2K, where we used to have all those business continuity planning activities and plans, it’s like that, but sort of taken to the next level because you now have this criminal aspect to it if there’s a ransom being demanded. It’s a very involved process and it needs to include all the way from the top, from governance all the way through to make sure it’s operating effectively because it is so much more involved. Basically, it is business continuity planning at this point. I’ll AFP as a specific example. On the surface, we may not look as though we’ve got data that we’re concerned about getting out, but quite frankly, our biggest concern is the ability to continue operating. That’s the risk for us and I suspect many other organizations such as ours.
Christopher Dean: I’d like to echo what Francine said. One thing that we push, we’ve got five things we try to hit on when we’re talking about cybersecurity with our clients, and one of them is policies. You’ve got to make sure you’ve got the right policies in place, so you know how to handle things when they happen. One of those things, which could be called a policy is disaster recovery plan or a business continuity policy. It’s great to have that, but you have to test it and it has to be tested at least annually or after any kind of major infrastructure change. This is probably not something that nonprofits want to hear because it’s not cheap and it’s another headache that they have to deal with, but it is the way it is these days and we need to address it. Having the policies, having the plans, and doing some testing and some dry runs is hugely helpful to recovering from any kind of attack and possibly even preventing an attack in some cases.
Anthony DiGiulian: Justin, Francine talked about how a lot of that process leads into cyber insurance, so I want to pivot to talk a little bit about how the involvement of cyber security and risk changed the way cyber insurance is issued and managed and some of the considerations that organizations should be aware of when they’re thinking about how much is cyber insurance. How do I get it? Where can I get it as well?
Justin Felmey: The scope of the cyber insurance landscape has really changed over the last eight to 10 months. We started seeing a clampdown from a lot of our carriers in terms of pricing and then also to some of the items that have been previously mentioned. Just what are your processes and procedures? What do you have in place? We’re having those discussions with a lot of our insurers early and prepping them and walking them through some of the information that it’s going to be needed for the upcoming renewals because the upcoming renewals or placing new business is not going to be looking like the same process that it was prior to 12 months ago, six months ago. There were several carriers out there that if you answered five short questions, you could have a viable cyber quote with limits for everything, low deductibles, and fairly cheap. Now in today’s landscape, carriers are requiring MFA to be in place, and are also requiring the phishing training to be in place. We’ve had several carriers that have actually stepped up, and they’re now offering that as part of a dashboard of tools that they’re pushing out to their insurers. If they are a small organization or they don’t have a dedicated IT team to be able to access these tools to make them better and reduce their risks, disaster recovery plans are being looked at and to make sure that is in place to make sure that if there is an event what are the processes and procedures to look at that? We have even had carriers that start asking questions targeting around priority patches. What’s your patching process? Are you waiting zero to 45 days to get them out? Or is it 6 months before the priority patch is utilized?
One of our carriers that we do partner with a lot does almost a passive scan of your system from the outside looking in. They’re not trying to hack your system, but they’re looking at what ports are out there, what’s your system that’s presenting itself on the outside world? They’re making a judgment call based upon whether you have a Microsoft Server, an exchange server in-house. They want to see that it’s been updated and patched against some of the new exploits that have been out there. One of the big things that the carriers are now looking at, especially with some of the larger risks, is end-of-life software and hardware, where there’s no support going forward as far as making sure those patches are updated. Sometimes, if one of those pieces of equipment is identified, carriers are declining those risks. So carriers are taking a proactive stance.
Anthony DiGiulian: I think we lost Justin for just a second there, but while we get Justin back, Christopher, when you work with organizations that need cyber insurance, what are the things you think about as it relates to how much cyber insurance do I need? From a coverage perspective, am I getting the right types of coverage based on my risk?
Christopher Dean: Yeah, there are a couple of things. First, you have to get the insurance and as I’m sure Justin will point out, there’s a long checklist of technical things that need to be in place before you’re issued insurance. Things like, are you using multifactor authentication, and do you have a password policy and things like that. Often for us, we have to get our nonprofit clients up to that level before they can even apply. We’re just we just finished one of these advising a client last week actually about getting cyber insurance and they went with a million dollars, seems to be a nice round number, but we have to take a look at what their assets are and what the risk is and also their budget too. It all feeds into it. We usually let the insurance company work directly with our clients to determine the appropriate amount. That’s not really in our wheelhouse. We focus more on the technical aspect, but we can get them ready for that and get them ready to be able to be accepted by an insurance company so they can issue a policy.
Anthony DiGiulian: Justin, going back to the coverage side, obviously your organization, it’s become more challenging to get cyber insurance. But how about the amounts? Have you seen a fluctuation in terms of coverage and what’s some of the background as to why that may be occurring?
Justin Felmey: We’ve seen that prior to the past 10 to 12 months. If we had a law firm or someone else handling highly sensitive data or had a high reliance on their network being up, there is a business income component to cyber insurance as well, that we could go to a single carrier and get $10 million limits pretty easily and pretty cheap and cost-effective. However, what we’ve seen recently is carriers start to scale back those limits and deploy those limits to different organizations. We’ve had some that we’ve had to go out and, the primary carrier will offer the first five million, and then we’ve had to layer and use different carriers to get to the overall limit that a company may be seeking. Also when we’re evaluating limits and seeking limits, the policies and procedures that they do have in place will determine what limits that insurance carrier is willing to offer if there’s no MFA in place, if there’s no fishing training in place, if you have a loose procedure as far as how you’re deploying those patches, and what your disaster recovery plan looks like, then you’re going to have a hard time finding available limits. For companies that don’t have that MFA in place, we’ll see that carriers are either attaching a super high retention level to it or deductible or they’re supplementing coverage for ransomware business and income that are associated with it. Making sure that you do have these policies and procedures in place and making sure that IT’s security is an objective upfront, will avail yourself to having broader coverage, better access to coverage, and access to limits when benchmarking limits. It comes down to working with your broker or your insurer to understand what their system is, how are they organized as far as what their IT reliance is, and what the situation would look like if that was taken off by ransomware. What’s your data recovery plan? How often are your backups done? Where are those backups stored? Are they on the network, or off-network? And really working with them to tabletop that worst-case scenario and then working into the element from there.
The Importance of Cyber Insurance Contract Management
Anthony DiGiulian: I want to talk a little bit about contract language and maybe real quickly you can respond and can give us some background on how your review processes relate to the contract. I think one of the concerns that organizations fall into is they get cyber insurance and then don’t ever look back at it or they don’t review the contract language. What are some contract language considerations? We talked about the Sony hack before. Justin can touch on that as an example, for contract language considerations? Then how often should organizations be reviewing cyber insurance and making sure that the most recent iteration of attack vectors and vulnerabilities are included? After you give some background, Francine you can weigh in on the review process that you have gone through.
Justin Felmey: Part of the benefit and the problem as well, with cyber insurance is that there is no really standardized policy form out there. With property and general liability and work comp, there are some governing bodies that push out language and state regulators accept it and it’s considered admitted insurance. It’s a standardized form with cyber insurance. Almost every carrier has its own different form. Some of the pushback from carriers trying to file these rates and forms that make it more of a standardized product is exactly as you mentioned, that the landscape is constantly evolving and constantly changing. It’s the due diligence of the broker you work with to make sure that they are reviewing cyber forms and they’re only offering new forms that they reviewed in-house, they’ve done policy form comparisons. I have a library of all the different policy forms from the different carriers and personally and organizationally unless it’s one of those risks that we’re really scrambling and working hard because they don’t have the necessary policies and procedures in place. We try to stick to a select number of carriers that we’ve already vetted their policy forms and dug in and see what the coverages are. And as you mentioned in the Sony hack, an emerging threat is essentially the war and terrorism exclusion. A lot of these new hacks are being driven by nation-states or sponsored by them.
Typically, an insurance policy is going to exclude any hostile act or an act that’s considered more from another hostile country. Some cyber insurance companies have chosen to remain silent on that. We never want to see silent language in an insurance contract regarding that because it’s left up to the courts to decide or who the insurance adjuster is at the time, whether your claim is going to be handled and if it’s small, they may say yes. But if it’s going to be a costly large claim, they may use that ambiguity against you. So we want to see a firm give language. A lot of the top insurance and cyber carriers are making that language affirmative right now. It’s one of the emerging trends, some of the threat vectors change as far as who is behind these attacks. Change is one of them. Make sure that your policy is affirmative on that type of language for war or terrorism.
Anthony DiGiulian: Great. Francine, from a cyber insurance perspective, how often are you looking at coverage and reviewing policy, at least on the organization level?
Francine Hope-Pressley: At least annually we’re looking at our coverage. I do know that the past 12 months, by the time we got to six months of working from home, it was something I was revisiting just to double-check. I was working with our IT team to see if there were any gaps in our old coverage so that when the renewal period came around, I could start having those conversations with our broker around, including making sure the language included certain things that we wanted to be covered if it was even possible. We tried to understand from a broker if we wanted something covered, what did we need to do to ensure it was covered? A new angle has been that some of our customers that we work with have asked us to include in contracts that we signed with them, the specific language around cyber security and if we have access to their data, what does that mean for us in terms of liability and related cyber insurance? It is continually changing. Everyone is trying to make sure they minimize their risk exposure. I would say every two to three months there’s always something new that we’ve got to consider and make sure that either at a minimum we thought about it and we’ve made the decision it’s not something we want to address in our policy or whether this is significant and it will continue to become an increasing risk for us. We do need to consider it seriously and start those conversations with our broker.
Justin Felmey: One of the big common terms in cybersecurity is the question of not if but when, as it relates to being breached as an organization. There are a lot of preventative measures that go into cybersecurity management, but in terms of being able to reduce the impact of a breach, I want to talk about reporting considerations and managing compliance. At this point, all 50 states have some level of legislation requiring organizations to report breaches. Christopher from your perspective what are some considerations around how do organizations prepare, and what are some best practices around managing breach situations?
Christopher Dean: Yeah, there are quite a few things, we’ve discussed multifactor authentication that is an absolute must these days.
Justin Felmey: Can you explain that for everyone? Just explain what is multi-factor? We talked about it a couple of times, but I think it’s very helpful, especially given how much of an impact it’s had in the last 12 months.
Christopher Dean: This is a way to use multiple factors, something you know, something you have to validate your identity when you’re logging into a system. The most common familiar thing for people would be you log into your bank’s website and it sends you a pin code to your cell phone and you need to input that code before you can log in to the site. It’s the same type of thing for other cloud-based services or other systems in general, where it’s more than just a username or a password. You need that alternate form, that alternate factor to get you in, and you can use an app on your phone that generates a new number every 90 seconds or something like that, or it will text you a pin code to your phone. The idea is number one, nobody can get into your account without knowing that code unless they have your cell phone or hack your cell phone, which is unlikely, they’re not going to be able to get in. Number two, it’s a bit of a red flag. If someone else is trying to log in, you’re going to get the notice on your phone saying, here’s the pin code and you’re going to say, wait a minute, I’m not logging into my account. Something fishy is going on here, so it’s a bit of an early warning system to let you know that you’re being probed. That’s that is a huge one. The other things that I mentioned, you want to make sure that your network is set up properly, and I don’t I won’t go off into geek land on this one, but you want to segment your network. You want to make sure that you have role-based permissions. So someone on your network who is in the finance department, for example, obviously should have access to the finance stuff, but maybe not the H.R. stuff. So you want to make sure that permissions on the network are assigned based on the user’s job role.
Anthony DiGiulian: That limited exposure.
Christopher Dean: Yes it limits the exposure, and that’s a good practice anyway. I had mentioned earlier also policies. Security policies are a big one, making sure that you’re prepared for this disaster recovery and business continuity. The phishing awareness and the IT security training, that’s the biggest one for us. The technical stuff is not that hard to set up. The hard thing is getting the users to take it seriously and make sure it’s an ongoing thing, not a one-and-done. The training needs to be wrapped up in all of this. We also will recommend considering cyber insurance, it’ll give the organization some financial resources if they’re hacked to address it. Then another thing we will recommend is considering moving fully to the cloud. The ability to control the cloud environment, the security around the cloud environment is typically going to be much better than what you can do on-premise. For our clients, it gets them out of the server business. We typically try to tie it to the lifecycle of their servers. When their servers are up for renewal and you want to do a hardware refresh and get new servers, we say, why don’t you consider just putting all this stuff in the cloud? You’re going to get better security. Microsoft, on their Office 365 system, is going to have far better security around their systems than you’ll ever have around your on-premise server. It’s true that they’re a bigger target, but they also have many more resources to bring to bear on any kind of security issues. And you can pay for additional threat reporting, and there are lots of bells and whistles that you don’t necessarily have with an on-premise system. It’s a combination of those four or five things that we try to push. It needs to be looked at holistically. It’s not just an IT problem, it’s not just a server problem or a password issue or something like that. It’s everything.
Anthony DiGiulian: Justin from your perspective in breach situations, I know some contract language has a component of risk management, how do you advise organizations that are facing breach situations? How do you ensure that they’re prepared to manage those risks and act quickly once they’re aware of a situation?
Justin Felmey: I think the biggest thing from our side is, once they’re aware of a situation, whether they have a dedicated I.T. team not, maybe reach out first to their dedicated team to make sure that they are indeed looking at what they think is a breach situation. I recommended reaching out to the carrier as one of their first contact points. The carriers have breach teams and they have entire organizations that are dedicated to helping coach insurers and organizations through a potential breach. You mentioned the myriad of different reporting and different statutes that are out there by state level. There’s also federal. There’s the PCI component of it and the breach response teams are going to have all of the lawyers, all of the coaches that can help you navigate when the notification should be sent out, what to do if it is ransomware. They may take over the situation again without having a proper placement and having the proper protocols in place. How do they interact? What takes place in the advent of that unfortunate situation that, as a nonprofit, you definitely don’t know how to respond or to interact with someone that’s demanding ransomware. These insurance carriers and their breach teams have to know how to interact, they’re trained up on those. And rather than you trying to research what notification processes are statue in the different states and federal levels, you can rely on that team and that’s part of the process. Some of the unfortunate claims that we work through, our insurers have relied on those teams and they fared well and they’re not trying to navigate that on their own.
Justin Felmey: Francine, from the organizational standpoint, there’s a lot that we’re unfolding here. How do you manage expectations of compliance and reporting considerations? Is it something that’s forefront in any organization from an awareness standpoint?
Francine Hope-Pressley: Absolutely. As Justin said, it’s a very complex reporting structure. It’s very difficult. Certainly, you’ve got the state and federal reporting requirements, but you could be an average-sized nonprofit and have foreign operations, and that just brings in a whole other layer of complexity because now you have to deal with that country’s requirements, potentially. That is something that we consider whenever we are trying to make a business decision around how we engage with a vendor or a customer. One of the things we look at is, potentially where could this data end up getting to, where is it coming from initially? Which state, or which country could we have to report to eventually? Because that adds a layer of complexity that you may or may not want and you have to make the business decision, and it may be from a business perspective, worth the risk. But it’s another layer of complexity and consideration that you do have to keep in mind. The other thing that we keep in mind or we need to consider is if you’re in the unfortunate situation where there’s been an attack, it’s been validated that it is an attack. Someone has asked for payment. That’s that next step of how has the organization decided how they are going to respond to that request for payment and then if they plan on paying, how much are they willing to pay in any form of payment? Those are all of the types of things that need to be determined ahead of time, but Justin you could speak to this too, but trying to make those types of decisions in the moment on the fly. Challenging.
The Future of Cybersecurity
Anthony DiGiulian: That’s a great point. I don’t think a lot of organizations actually think about that as part of their response, planning or otherwise. Have we had the right discussions internally to know what we’re comfortable with from a ransomware standpoint if we are breached? Having that lined up to act quickly is going to ultimately minimize the impact of that breach on your organization. That’s a great point and something that I think a lot of folks can take away from this thought process. So we have a few more minutes. I want to talk about what’s ahead for cybersecurity, hear some thoughts from the panelists on what organizations should be looking at going forward, and how to position themselves to continue to manage cybersecurity risk going into 2022. Christopher, you got any thoughts to start?
Christopher Dean: I think it starts from the top. I think the organization’s leadership needs to make sure that cybersecurity is on the agenda for planning so they can get their arms around this and their heads around this and then start implementing all the things, the hardware and software configuration portion, the user training portion, the policy portion, all of these things we’ve been talking about, it needs to be on their agenda and they need to be prepared and they need to plan, if God forbid something happened, it’s going to be a lot better if we have some sort of a plan. So we do annual reviews with all of our clients and cybersecurity is always on there, but we try to encourage them to adopt it in their own organization’s planning for the upcoming year. Not only does it have the attention it gets, the attention it desires, but they can liberate some money towards that because it will take a bit of money to try to address this.
Francine Hope-Pressley: That’s exactly right. I’ll speak to it from the budgeting and forecasting perspective. I think having a sense as to the costs to the organization as it relates to planning to prepare for being able to protect the organization, that’s one bucket of money. But then you also need to think through the amount of funds available or what you want to make available for insurance. Those are all the things you need to keep in mind and factor into any budgeting process, any forecasting process because there are a lot of competing priorities. most non-profits, they’ve got their mission and they want to focus their attention and their dollars towards that mission. But we need to understand that if we do become subject to some sort of attack, we’re not able to execute our mission anyway, so we need to have that balance.
Anthony DiGiulian: Absolutely. Justin, any changes from the insurance perspective? Obviously, we’ve seen a lot of changes, but anything specifically that jumps out and we do have a question I want to get to as well.
Justin Felmey: Yeah, I think the biggest thing is what some of the elements and what the insurance carriers are looking for. Chris and Francine mentioned it is the planning and implementation of some of these best practices. A lot of companies don’t think they will be a target, and that’s just a false narrative that people make themselves feel better about. We’ve had small real estate companies that have been the victims of ransomware attacks. Planning and looking at what your use of IT is in your daily life as a nonprofit and realizing that just because you’re not storing tons of personally identifiable information, you can be significantly impacted by a ransomware attack or an attack, and you will be a target. Especially with some of the unfortunate success stories and the proliferation of payments to some of these ransomware attacks, is that they’re not slowing down. So large and small organizations need to focus on IT security because, in today’s world, your IT is the backbone of everything you do. No matter how unsophisticated anyone is, if you don’t have access to your email, if you don’t have access to your internal, you can’t function as a business today. Identifying that you are a potential target and making sure that security is on your mind just as a common business practice and some of the training that’s incorporated into the daily lives of the employees or the volunteers and realizing that you need to take accountability for that and implement a phishing awareness tracking. Some of those things will help you be positioned to be able to function and then also be aware of the security that’s needed in today’s world.
Anthony DiGiulian: Yeah. What you said is really important because I don’t think a lot of businesses understand that in today’s cybersecurity landscape hackers aren’t targeting specific companies or otherwise, they throw a wide net into programs that they run. They don’t often even know who they breached and what information they have until it’s done. Then they collect the information they’ll sell to somebody else. They’ll assess what they can do with it, and how much it’s worth on the market. But it’s not that they’re specifically targeting only Fortune 100 companies or otherwise, often those are the companies, as Christopher said, more protected and they’re more likely to breach your organization that has less control. That’s leading to one of the questions we received, which I want to lean on you for this. They said that an organization has dealt with a lot of denial of service attacks and is curious, as the solution they were advised was just 24-7 monitoring. Any other thoughts as it relates to how organizations can manage risks related to denial of service attacks?
Christopher Dean: Yeah, that can get to be a very technical discussion, but essentially, obviously work with your IT team and work with wherever your stuff is hosted. Denial of service attacks is basically when you’re not able to get into your online assets because of a variety of different techniques that have been attacked. There are somewhat expensive ways to deal with this. You can disaggregate and move things around and present a moving target. It gets kind of expensive that way. A lot of non-profits don’t have those kinds of resources. So it’s a bit of a difficult question to answer in a short time. It’s like a 15 and 20-minute discussion. I’m sorry, but I would say, reach out to your IT professionals and start that discussion because there are two or three ways to skin this cat and it’s going to depend on priorities. It’s going to depend on cost, it’s going to depend on risk tolerance. I’m sorry, I can’t give a very specific answer, but it’s a pretty broad category.