Navigating 2025: Cybersecurity and AI Challenges for Manufacturing and Distribution Companies
Published: Apr 2, 2025
Manufacturing and distribution (M&D) entities are striving to optimize production and distribution despite various labor force challenges. As a result, entities are investing in automation and technology to enhance their operations. Travis Epp (EisnerAmper M&D leader), Rahul Mahna (EisnerAmper IT leader) and representatives from Marsh McLennan and Gibbons explore the cybersecurity and AI trends of 2025 in M&D and how legal, insurance, and technology industries are reacting.
Transcript
Travis Epp: Good afternoon from New Jersey, and good morning to everyone on the West Coast. Thank you for attending today's presentation on cybersecurity and AI challenges for the manufacturing and distribution industry. My name is Travis Epp and I'm EisnerAmper's practice leader for our manufacturing and distribution industry group. To begin, I'd just quickly like to highlight the objectives of today's panel discussion. First, we want to create an understanding as to how the internal IT team of M&D entities can use AI to enhance processes, reduce errors, and improve productivity throughout the supply chain. Second, to create a comprehensive legal strategy to address incident response as well as disaster recovery planning. Third, to assist you in assessing and managing your risk profile and how insurance can balance a risk-reward profile. And finally, to discuss the importance of legal, insurance, and technology colleagues working together on a collaborative basis to work against cyber hackers. Today's format will be a panel discussion that I will moderate. If you have any questions during the presentation, please enter them in the Q&A slide. Our plan is to address any questions at the end of the presentation. I'm very excited about the very distinguished panel that we have put together today. Our panelists include Mr. John Wolak, the chair of the privacy and data security team at the Gibbons law firm; Margaux Weinraub, the cybersecurity practice leader at Marsh & McLennan; and Rahul Mahna, a partner at EisnerAmper who leads our outsourced IT services team. I would now like to ask each of the panelists to briefly introduce themselves, starting with John.
John Wolak: Sure. Thanks, Travis. Again, John Wolak. I am a director at the law firm of Gibbons, located in Newark, New Jersey. That's where my office is. Our firm, Gibbons, is a full-service firm representing corporations and individuals, both regionally as well as across the country and internationally, in a variety of different practice disciplines: litigation, real estate, corporate transactions, tax issues, bankruptcy and environmental. So really a full-service firm for businesses and individuals across the country and internationally. I happen to lead the data privacy and security practice at the firm, and our team provides a schedule of services to both individuals and corporations with respect to compliance obligations under the ever-increasing regime of data privacy and security requirements, with respect to best practices for data minimization and data risk, with respect to cyber insurance, and with regard to incident response activities and appropriate ways to limit your exposure. And then, if an incident does happen, in connection with the litigation that invariably results (Margaux's smiling and laughing, but it invariably results) because of the disclosure of confidential information and the disclosure of personal data. Margaux?
Margaux Weinraub: Thanks, John, and good morning and good afternoon to everyone here today. So as shared, my name is Margaux Weinraub. I am the cyber practice leader for Marsh McLennan, which is the largest global insurance brokerage in the world. We provide business insurance as well as employee health and benefits insurance coverage, and also provide risk management consulting services. I noted that I am the cyber practice leader, so while our organization can provide all lines of coverage, my focus is all things cyber, and in today's world, that keeps me and my team very busy. So think about cyber insurance placements, think about education on the changing landscape for our clients and for my colleagues, as well as advisory services to ensure that they have a strong cyber risk management posture. And then ultimately, in the event of a cyber incident, partnering with organizations like John's, partners like EisnerAmper, and others across the entire incident response process.
Rahul Mahna: Great, thank you, Margaux. By way of background and introduction, my name is Rahul and I'm the national practice leader of outsourced IT and cybersecurity at EisnerAmper. And I've seen the registration list. Some of you are our clients, and we welcome those that are our clients, and you do have access to me; and some of you are newer, and I welcome you to this conversation. Travis and I have been thinking for a while about how we provide more technology information to our M&D clients, and I think the world of M&D has expanded a lot in this conversation. We'll hear why we think it's expanded, and I think there's a cross section of legal, insurance and IT that's impacting us, and that's why I think this panel is going to be really interesting for all of you. And I hope you all get something very positive out of this. Travis?
Travis Epp: Thanks, Rahul. So why are we having today's discussion, as Rahul alluded to? Companies are always looking for opportunities to improve both efficiencies and profits. And in M&D, in today's global world, the supply chain and the manufacturing processes are constantly evaluated. Given the constraints and the challenges in the labor force, companies are striving to increase their automation through the use of AI and other technologies throughout both procurement and the entire production process. These changes to the internal processes highlight that cybersecurity is no longer just an IT issue. It is also an operational, legal, financial, and reputational risk. Surveys have indicated that the manufacturing and distribution industry is the most targeted for cyber attacks, with most of these attacks being ransomware. These bad actors recognize that a company's revenue stream and operating results will be negatively impacted by any sort of disruption to the production process. And as companies have a very low tolerance for downtime, this will impact the company's decision-making process when impacted by a cyber attack. And now here's our first polling question. As you can see: has your company updated or performed an IT risk assessment in the last year? While you're answering that question, I'll throw this one out: what is an IT risk assessment, and why is it valuable to have, especially for M&D clients?
Rahul Mahna: Yeah, great question. And we lead all of our IT consulting engagements with an IT risk assessment. So let's make it very simple. We are supposed to go every year for a health checkup. And why do we do that? We want to know what's going on in our bodies, and holistically, we have two arms, two legs; it's kind of manageable. The thing that is getting unmanageable for M&D clients is the size of the business and how big it is getting. So it's no longer just that you have something to manufacture, a piece of equipment. There's logistics involved, there are different MSAs and legal and compliance standards. There's different insurance that you have to carry to work with some of your clients. The whole process of running a business, we believe, in M&D has gotten very large, and with that comes a bit of chaos. And with that, you need somebody to come in from time to time to take a look at where the holes are, where the gaps are, how you can think about improving your IT risk, your posture, your cyber hygiene. And so we do this very often. We come in independently. If you have an IT department, or you have a third-party outsourcing firm, or you're thinking of outsourcing it, we provide a holistic view of where the risk currently lies.
Travis Epp: John, what are the primary vulnerabilities and challenges that give rise to potential security and privacy incidents in the M&D sector?
John Wolak: I think there's a number of different challenges and vulnerabilities, but before I get there, I just want to reference that privacy and security in this area, in the M&D area, is more than just personal data and personal data of your employees or your customers. It involves operational data, it involves IP, it involves financial data, a broad range of data that is vital to your company and your company's operations, which if lost or compromised or locked up would dramatically impact your ability to operate in one way or another. And so this isn't just about social security numbers, it's about a lot, a lot more. Some of the vulnerabilities, then, when you're looking at that broad scope of data: perhaps most significantly, IP theft. Where are the crown jewels of the company, and are they subject to compromise, whether it's R&D information, CAD files, designs of vendors, contractors, clients, customers, supply chain issues with respect to shippers and vendors?
Where are your goods coming from? Where are they going? Operational sabotage. The manufacturing process has a lot of machinery involved in it. And as that becomes more and more automated, the risk of sabotage, whether from internal or external attackers, becomes significantly increased. Ransomware, as Travis mentioned earlier, is probably the biggest threat, and ransomware is particularly problematic because if your operations are shut down, so goes the business. Phishing is another attack vector which is particularly problematic. And that manifests itself in a way that, in manufacturing and distribution, there is typically a range of skill levels, a range of different types of employees. And so the vulnerability to phishing attacks becomes a little bit increased. And then finally, interconnected networks. We talked about operational sabotage, networks that operate manufacturing machinery and the like. If they're interconnected, that increases those attack vectors and the vulnerability, because once somebody gets into your network, where can they go from there? Oh, Travis.
Travis Epp: John, what are the primary pre-incident considerations that a business in the M&D sector needs to evaluate?
John Wolak: Well, so in terms of pre-incident considerations, you always want to be tuned into planning, right? Planning is your best defense in these types of areas. And so when you're thinking about your operations and the potential vulnerabilities, what is the range of threats? Is it threats from email phishing? Is it threats from fraudulent transfer of funds? Is it threats to R&D files or IP? So what is the range of threats that may lead to a compromise or impact your operations? What kind of containment strategy are you going to implement? A lost camera that has employee files on it is different than the loss of confidential files from a customer or a vendor. So what are your containment strategies given the potential compromises that your business faces? How are you going to restore operations? No question about it, the most important thing in the event of an incident is getting back up and running.
How are you going to restore operations, and how are you going to do that efficiently and quickly? And one last point in this kind of pre-incident consideration is: who is the decision maker? When you're in the heat of an incident, the last thing you need is fighting factions about what we're going to do. Somebody has to make the call, and that decision about who that somebody is should be made in advance, so that there's no question, when the rubber meets the road and a decision has to be made, who has the authority to make that ultimate call. It could be by consensus after consultation, but one person makes that call.
Travis Epp: I think, John, you addressed this a little bit, but are there any risk mitigation strategies that can be implemented to reduce the company's exposure or liability in the event of an incident?
John Wolak: Yeah, lots of risk mitigation strategies. I'll just reference a couple. My pet peeve, and I think the single best risk mitigation strategy that any company that does anything can implement, is data minimization. Make sure that your retention of data is based upon a legitimate business purpose. I cannot tell you how many incidents I've been involved in where the scope and complexity and the problems created by the incident have been dramatically, exponentially, geometrically increased because there is data involved in the compromise that has no legitimate business purpose. It dates back 25 years. Why do we have it? You ask anybody why we have it and they have no response. Data minimization is probably the single most effective mitigation strategy that can be implemented. In terms of other risk mitigation, and I defer to Margaux on this: insurance coverage, right? That's what risk mitigation is. So passing the risk and the costs for a data incident and the related and associated claims, passing that off to somebody else in exchange for a premium.
Travis Epp: John, that's a good segue to Margaux. So Margaux, what are some of the key controls an insurer looks at when assessing the cyber risk of a company? Maybe while we're... Margaux, my...
Margaux Weinraub: Apologies. Can you hear me now? I'm sorry. Of course, the cyber person is having technology challenges, right? So I did hear the question. It looks like this sounds on my end. But what are the key controls? Over the last five years, where we've really seen the market evolve the most, we've identified 12 key controls that an organization must have. I'm not going to go through all 12, because that could be its own hour in itself, but I did want to hit on a few. So the first one that we all hear about is multifactor authentication. The reason being is we see how easy it is for user credentials to be compromised. So when we have that additional form of authentication, it does minimize cyber attacks. And what we saw was Microsoft released that nearly 90% of all cyber incidents could be thwarted, or could be stopped, if multifactor authentication was in place.
So that's a key one. Specifically for manufacturing and distribution, the end-of-life systems, software, applications, because we understand manufacturers have a lot of important machinery. They have a lot of important equipment that oftentimes isn't updated every year when the newest one comes out. So making sure that there is support, but also a plan of action for how to ensure these pieces of equipment and technology are able to understand what the potential vulnerabilities are that can happen. The next one I would say is the vendor supply chain. So who are the partners that you're working with? In manufacturing and distribution, we understand, right, that there can be a bottleneck if one key supplier is unable to perform because they had a cyber incident. Do you understand the processes in place? Do you ensure that the partners you have, the customers that you work with, maintain the same hygiene standards that you set for your own organization?
Extremely important. We'll also want to look into the incident response planning, as John said. And I think it's so importantly true. I use the Mike Tyson quote, right? Everyone has a plan until they're punched in the face. We don't want to be deciding in the chaos whether to pay or not to pay. Do we have an incident response plan or not? Who makes the final call? Being able to perform tabletop exercises is something carriers are really looking to see, so that they understand, in the event of an incident, that the impact won't linger on because of a lack of preparation. And with that as well, it's not just senior leadership, but all employees, especially those maybe in the finance department who are having to wire funds to customers or request goods, send goods, all of that. That employee training makes all of us stronger as organizations, because oftentimes we'll say employees are that first line of defense.
Travis Epp: Rahul, I'd just like to get your input from an IT perspective. Where do you see M&D clients going off track when analyzing and addressing the risks?
Rahul Mahna: Yeah, first, I love that John and Margaux sound like they're on my team. This is really fantastic. Everybody's talking the same talk in this conversation. Your question is where do M&D clients go off track? I would say the first thing is M&D clients feel like nobody's going to hack them. Why should somebody bother with them? It's a strange mindset that I've seen for years, and it happens in other sectors too. But I think in this sector in particular, I see a lot of, well, we make widgets and we have machinery and nobody's going to bother with our widgets, or nobody would want to get access to this stuff. Why do we need it? And it is just so far from the truth. If you think about a burglar who breaks into a house, they'll break into the basement, but they're not trying to steal things from the basement.
They want to go upstairs to the bedrooms and find things. And so if there is machinery, if you are in that type of business and manufacturing, I would say that is the biggest area. Updating computers, keeping things up to speed with the latest and greatest security patches and things of that nature. There are so many manufacturing clients we have that have equipment that's running on a Windows 10 computer now. Windows 10 is end of life, for everyone on this call. It is end of life, no longer supported by Microsoft, in October of this year, which means if you have equipment running on Windows 10, you're going to be compromised. It is going to happen. Inevitably, it'll happen. And if you think that the manufacturer of that machinery will not upgrade, they will. You just have to inquire and ask and work with them. And everybody knows this is a problem that you have to get to. I think it's really important. Another analogy: going back 10 years ago, around 2014 or '15, Target was breached, one of the largest distribution companies in the world, and they were breached because someone broke in through their HVAC system. So someone broke into their heating control systems and penetrated the entire network of Target and brought it to its knees. So I think there are a lot of gaps and holes that M&D folks don't think about.
Travis Epp: Is there one technical item that M&D clients can do to improve their cyber hygiene?
Rahul Mahna: I would say it is really to realize their risk is getting very real. And I can draw some analogies that perhaps John could even speak to, but I'm very curious about the legal side. So there's a sample client called Drizly. They were delivering alcohol. It was a known operations logistics company, and they got bought by Uber, but in the meantime, their data got breached at Drizly, the people they were dropping off and delivering alcohol to. Well, the FTC got involved and said, not only did you not show the proper duty of care to your customers and their data got breached, we're going to fine the company and personally fine the CEO. So we are starting to see a trend in this that the legal entities are taking a very keen eye on how savvy you are in implementing a data program, a risk program. Are you really trying to show the right duty of care to your clients? Are you taking responsibility? And if you're not, we're going to come after you personally. And I think that is a big, big shift, and something that M&D clients in particular really need to realize is coming.
John Wolak: Yeah, and it is interesting, this personal liability concept. It has been a big shift, and we saw it also in the SolarWinds context, where the CFO of SolarWinds was held individually liable. There are some very interesting, I'm a lawyer so it's interesting to me, court cases and court decisions, a 95-page opinion from the Southern District of New York about the liability of the individual. But that is an increasing and growing trend, not only from the litigation perspective, but from the regulatory perspective. And it really emphasizes that this is no longer just an IT issue. This is no longer just an ops issue. This is a board of directors issue. This is a directors' issue. It requires disclosure in the public statements. It requires disclosures to your customer base. And even the FTC, in terms of misleading advertising, is going to follow up on that, and the SEC rule in terms of incident response reporting within three days if there's a material impact. So it's just an increasing, increasing obligation going all the way up to the top. Absolutely.
Travis Epp: Margaux, just bringing you back in, sometimes companies have some tighter budgets. How can organizations with tighter budgets afford protection against cyber attacks?
Margaux Weinraub: That's a great question and one we get asked often. There are only so many funds that an organization has available, and deciding where those funds go can be challenging to meet all of the needs. What we often say to our clients is utilize all of the partners that you have. So think about CISA, right? The Cybersecurity and Infrastructure Security Agency. They have a wealth of resources online that you can access for free. Utilize your insurance policy. So nearly every insurance carrier that provides cyber insurance offers not only the incident response when a cyber incident happens, but they offer pre-breach services. Find out what those services are. Oftentimes they're free, and that can make a big difference. It could be phishing testing, it could be vulnerability scanning with monthly reports being provided, varying different things. And also talk to your broker, just like us; we all have services that we're providing. We include vendor discounts for employee training that you can access. We provide advisory services. We have tabletop exercises. So all of us work with some great organizations, and ask our partners. That's a great way to take advantage and learn from each other with that information sharing when we might not have the financial resources to tick off every single item we have on our wishlist for improving hygiene.
Travis Epp: John referred to third-party vendor management earlier. So what steps should a business consider to improve supply chain or third-party vendor risk management?
John Wolak: Just one point before I answer that, if you will, Travis, to supplement what Margaux said. There's a great resource out of the state of New Jersey. It's called NJ Kick (NJCCIC), and they offer threat response tips. They offer a current window into what the recent threats are. It's really an excellent resource. I think it's unmatched in the United States. NJCCIC, New Jersey Kick, great resource in terms of threat intelligence and the like. I recommend it to everybody in that regard. With respect to improving supply chain and third-party vendor risk, this is a huge area of potential exposure. As Rahul mentioned on the Target breach, they got in through the HVAC vendor, and so many of the incidents that we see are facilitated through some type of third-party access, either because the third party has your data or the third party has a window into your servers and your data.
The first thing I think that you need to do with respect to third-party access, and Margaux mentioned this before: one, identify what your own company's privacy and security requirements are, what your tolerance level is in terms of risk. And then implement that level, that standard, all the way through your contracting. Make sure your vendors can meet you where you are in terms of privacy and security measures and in terms of responsiveness and compliance. Because if they can't meet your standard, then you've increased your risk dramatically by including them in your third-party vendor network, right? And that is a particular vulnerability that I think you can easily mitigate, easily address. A couple of other things. Do a due diligence review. Get down into the weeds; make sure that privacy and security terms are in the contract and that they are enforceable terms of the contract.
Monitor the performance, monitor your vendor's performance under the terms of the contract. Make sure that they are continuing to meet whatever standards you've set. Ask the question: are they going to subcontract services? Is all of a sudden another party coming in to provide services, a party you don't have direct privity with, you don't have a contractual relationship with, but they're going to have access to your data? That's a risk. Know whether that's going to happen beforehand, and if you can negotiate a right of refusal, absolutely do it. Certainly negotiate, push down all the requirements, that goes without saying; make sure your vendor's able to comply with the requirements, and upon termination, going back to my point earlier about data minimization, make sure you get your data back or make sure there's a representation that your data has been destroyed. Time after time, the FTC, the Comptroller of the Currency, big banks were penalized millions and millions of dollars because they failed to delete data that was no longer relevant to their operations, whether it was from a third-party vendor or it was their own data. That is an essential term in minimizing your risk, particularly in the third-party contracting area.
Travis Epp: John, thank you. We're going to go to the second, or the next, polling question now. And while that's up, we're all up. Where are the breaches coming from in 2025?
Rahul Mahna: I look everywhere right now, because they're coming from all over. But to bring it into just one, I would say, what's the word everybody's saying these days? It's AI. And so that's everyone's focus, for the good guys and the bad guys. It's on both sides of the fence, as everyone should know. But I would say that the breaches, my concern these days, all fall around a particular type of AI called deepfaking. And so we are seeing an increase in, let's call it the bad guys, fraudulently representing themselves as an employee of a company and trying to get access to systems by pretending to be that employee. And they can pretend to be that employee because of all this AI technology that has enabled the bad guys to read your social media, understand how you speak, understand what you talk about, understand who your pet is, and represent themselves in a way, whether it's an email or now it's even gone to voice, where if you have your voice out in the public a lot, they can capture your voice fields and they can represent your voice and speak in your voice.
And so this is the area that I'm getting more and more concerned about. We're starting to see certain breaches happen this way. And to give one tip, if I may: when you have a help desk, and I assume many clients have help desks of some sort, an area where we're seeing an increase is the bad guys representing themselves as an employee, calling the help desk claiming they're an employee, and resetting things like the MFA that Margaux talked about, but resetting it to the bad guys' devices and letting the bad guys get access to things they should not. I'm making that sound very generic and very simple for purposes of illustration, but one great example last year was, I think it was Caesar's Resort. I'm not sure exactly, maybe one of my colleagues on this call would know better, but basically one of the bad guys went to LinkedIn, saw the credentials of an employee of Caesar's on LinkedIn, called their help desk, represented that they were that employee, and the help desk did not verify whether it was really that employee. They just took it for granted and allowed access to sensitive systems.
So creating an authentic way to make sure that's the right person who's calling is one of my tips, I would say, for this year, with the prevalence of AI coming in.
Travis Epp: From an AI perspective, is that your biggest concern, or are there others?
Rahul Mahna: That's the biggest concern: it's really getting harder to distinguish who is a real person, I would say, from a technology point of view. And so trying to find mechanisms. We have one M&D client that had a breach that came in some fashion like the way I described, and now for any highly sensitive ticket that's put in, they're asking for video or phone call verification to make sure, face to face, it's the right person, and they've instituted a double check with the manager of that person before they will process certain categories of tickets. And so that's something that happened to one of our M&D clients in the last six months, and that is one solution they put in place. I'm sure there are others, but I just want to give some heightened illustration of AI getting very, very smart about things.
Travis Epp: John, I'll give you a couple quick questions. So first, what are the overarching objectives in the event of a security incident?
John Wolak: Sure, and as I said before, the paramount objective is to get back up and running, right? Restore business operations. That might look very different than it did, but you have to be able to adapt, and that's where the planning component comes in. I've had clients that had to go back to paper and pen in taking orders, in recording medical records. They knew ahead of time that that's what they would have to do, but that's that planning component. Restore regular business operations, that's the overarching concern. In line with that, isolate and potentially terminate the problem, right? Make sure that the ransomware, the infection, the compromise doesn't spread beyond where it is when it's detected. So isolate and terminate, and then look to do a forensic investigation to understand how that happened. And there's a variety of different vendors that can assist you in that regard. I will take a moment here to say, and no disrespect, Margaux, but your first call is to your lawyer.
Your second call is to your insurance company. So that's kind of the process, and the importance of the lawyer concept, frankly, is to make sure that your communications, those that can be privileged, that can be protected, that relate to legal advice and compliance obligations and the like, are protected under the concept of the attorney-client privilege. So isolate, do the investigation, preserve evidence, because the likelihood, depending on the scope and nature of the breach, the likelihood that you will be sued by somebody is becoming increasingly more realistic, whether that's in class actions or under contracts with vendors in terms of the performance obligations that you may have agreed to. Comply with your regulatory requirements. Very important, obviously, again in that planning phase: know what regulatory requirements you need to meet. Are you a public company that needs to consider the SEC reporting requirements? Are you a defense contractor that needs to deal with the Department of Defense? Who is behind the ransomware note, or who is on the other side of the ransomware? Are they on an OFAC (Office of Foreign Assets Control) list? Are they an OFAC person listed on the SDN list, the Specially Designated Nationals list, right? And then implement proactive remedial measures so that you can get back up and running again and your business can continue on, and then do the kind of postmortem, if you will.
Travis Epp: John, any other incident response activities, or is that a pretty complete summary?
John Wolak: I think that's a good summary. Contain, investigate, remediate, comply. The last point, and I don't want to minimize the post-incident activities, the lessons-learned component is really very important, because you want to know, number one, how effective was our plan? Does our plan need to be modified, whether that be with respect to our response activities or our detection controls? How did this happen? Does our patching have to be updated? How about decision-making? How was communication? So that lessons-learned exercise doesn't have to take very long. Usually it's a two- or three-hour exercise with the parties involved being prepared to participate, but it is really essential, and I've seen it make dramatic differences for clients on a going-forward basis.
Travis Epp:Thanks John. We'll go to our next polling question and throw a question over. Margaux, I think we'll go back to the beginning. So rather than after there's sort of an incident, maybe Margaux, can you give an overview of the types of cyber insurance coverages and why a company should buy cyber insurance?
Margaux Weinraub:Sure. So a standalone cyber insurance policy is actually meant to be quite broad. And I say that because I think cyber can get a bad rap, right? We've seen multiple headlines where it says a cyber incident was denied, somebody didn't have coverage. And those headlines are true. But oftentimes that is when an insured or an organization doesn't have a standalone cyber insurance policy and they're trying to access cyber insurance coverages, which might be sublimited or quite narrow on a property policy we'll say, or on a business owner's policy. So when you buy a standalone cyber policy, you're buying coverages that separate two different sides. First you have the first party coverages. These are the coverages that are going to immediately impact your organization. So it will always include incident response. That is the first step, the who, what, when, where, how. That is getting John, that is getting your forensics, that's getting your notification, your credit and ID monitoring.
That's getting your crisis communications, all of those steps involved. Once you have that under control, you're then going to recognize, okay, well we figured out what's going on. What are our next steps? Do we have to pay a ransom demand? First item, right? If this is a ransomware event, if so, the cyber insurance policy has a cyber extortion insuring agreement which helps you with accessing a threat actor negotiator who's going to help you to interact with the potential threat actor to understand do they actually have our information? Can they prove with a file tree that they have accessed our data? How can I get potentially a decryption key back or am I just going to negotiate with them to actually remove information from the dark web? All of that would be available. And then as well, most organizations don't have a cryptocurrency wallet readily available. So having a partner who can assist you with that process is also part of the cyber extortion coverage section.
The next one is the data restoration. So we identified something happened, we're in the process of figuring out how to get back up and running, but how do we restore, recreate, recollect, all of that really important data that John mentioned earlier, financial information about your customers, IP information, employee information, healthcare information, all of that process, right? How do we get that information back quick and timely, restoring all of that process, and then the business interruption. And that is what I think is one of the most important coverages for manufacturers and distribution. What we saw is what really drove why these organizations were buying it: if a manufacturer can't produce and a distributor can't transport, what really can they do as part of their operations? And what we saw, a cyber incident is going to go after the most vulnerable parts of a network and these threat actors are going to find a way to monetize the cyber attack to cause the largest harm.
And business interruption is that big important reason as to why you should be purchasing cyber insurance, for if your organization has a cyber incident. But again, we brought up third party risk management earlier. So what happens if one of the partners that you utilize to create that widget, that you maybe get the screws from or that you utilize later on for transport, they have a cyber incident? That's what we call contingent business interruption. And that's to ensure that if you have lost income or you have additional expenses to find another supplier, to find another partner, that you are able to still operate your business and you're not suffering from that cyber incident. So all of that is the first party coverages and hopefully if you handle all of that well, you might not see the third party incidents, but John's smiling because he understands what we're seeing is it's no longer if you do a great job, you won't see it.
Unfortunately, we understand we're in a very litigious society. We have plaintiffs looking to find opportunities for class action lawsuits to identify breaches of contract and failure to protect information. But as well, we're now starting to see more and more privacy regulation within the United States. So while we have 50 breach notification laws, meaning you have to notify for each of the affected individuals, we currently have 19 comprehensive privacy laws based on states. So following those privacy laws about wrongful collections. So how are you collecting information? Are you disclosing that you're collecting this information? Are you selling this information? Do you have consent to collect this information? That is something big that we're seeing. And you think about manufacturing distribution, if you were using a fingerprint or a retina scan to clock in and clock out and that information is shared with a third party who authorizes and authenticates that, yes, it is Margaret Weiner clocking in at the start of the day, she's clocking out to go to lunch, she's clocked back in for lunch, she's clocked back out at the end of the day, that would be potentially four violations in specific states across the United States.
So understanding the compliance aspect, what could be that impact and potentially knowing there is cyber insurance coverage to address that need. And then we see, as I said, regulatory, class action lawsuits, all of that as well as really part of the process. And when you're thinking about your cyber insurance, the one thing I always bring up, because we talked about it earlier, right? What do you do if you might not have enough financial resources? Understand how your policy works. Is this on a pay on behalf basis or are you on a reimbursement basis? Pay on behalf means when there is a cyber incident and you are utilizing all these great vendors that you're partnering with, like John, like Rahul's team, are you able to submit that invoice back to the carrier and have them pay that for you? Or do you need to pay the invoice yourself, make sure that your organization has the funds and then submit to the carrier for reimbursement? Really important distinction to understand and make sure that your organization is prepared to utilize your policy appropriately.
Travis Epp:So Margaux, I think we addressed the current trends in cyber insurance. From your experience, do companies have a thorough understanding of what risks their cyber insurance policy actually covers? Is there sort of a mismatch of reality and expectations?
Margaux Weinraub:I do think it can be mixed and it really depends on individuals who may have seen a cyber incident before and can understand the value and those maybe that have yet to really maximize a policy to see that value. Before we saw much of the manufacturing distribution industry purchasing cyber insurance coverage, a lot of times we would talk to clients and they would say, I don't need a cyber insurance policy. I have a great MSP or I have a really robust team and they are super strong. We have all the best controls. And understanding a cyber insurance policy isn't to say, I don't trust the leadership or I don't trust the systems, but really it is, as we discussed, it's a risk transfer mechanism because organizations need that balance sheet protection and a cyber insurance policy is to help you with the defenses. We talk about cybersecurity defenses of all of the different controls. These threat actors are proactively looking for zero day vulnerabilities. They're looking for opportunities to basically stalk, prey on organizations, and insurance is a way to support organizations that are doing all the right things but still have a business operations exposure.
Travis Epp:Thanks Margaux. We're going to go to the next polling question and I hope I never have to answer it, but here we go. So John, what are the essential components of an effective incident response plan?
John Wolak:A couple of things I think here are worth highlighting. As I mentioned before, you really need to sit down and think about what are the potential risks of compromise? How is it that your data might be subject to compromise or subject to acquisition by the bad actors and where does that fit on the scale of impact on your business? As I said before, a camera with an employee video of an employee may be a compromise of data that is not necessarily rising to the level of the compromise of all your HR files and your 401k enrollments. Alright, so what are the risks? Where does that fall on the scale of incident levels? Who's going to be the response team for each of those levels? And it doesn't have to be as granular, maybe two or three different types of classifications, right? There's a green, yellow, red almost in terms of levels and response teams for each incident level. One thing that I really emphasize repeatedly is communications, and communications in a couple of different ways.
Communications number one, internally, who's on the communications team internally, know that ahead of time and make sure that you have all the appropriate stakeholders and players depending on the incident response requirement on the communication plan. How are you going to do that? If you have a ransomware event, you're probably not going to be able to communicate by email. What are you going to do, right? If your cell phones are compromised, you can't use your cell phones. What are you going to do if your manufacturing is compromised? People are going to have to be sent home. What are you going to do? So these are all the types of things that you need to think about and detail in terms of your response activities. I want to go back to communications for a moment. I mentioned internal communications. External communications are equally if not more important, control the narrative, control the narrative.
Margaux mentioned before crisis communications. You are in a crisis. If you suffer an incident, you are in a crisis no matter what the scale is. And it's very important to control the narrative. What are the internal communications going to say? Who's going to be privy to all the gory details or maybe just some of the gory details and what is the messaging that's going out to your customers, to your vendors, to the press, to law enforcement? Because all of those individuals likely will at one point get wind of the fact that you have a security compromise, whether it's because you're not able to fulfill your orders or you're not able to issue invoices or you're not able to issue payments. So control the narrative, know what it is your communications are going to be to all the different impacted parties. And that requires some thoughtful, thoughtful work with not only your internal team but also your lawyer. Because I tell clients all the time, take the communication and precede it with "ladies and gentlemen of the jury." And if it wouldn't play in that context, don't issue it. Words matter. Words matter in this type of situation.
Margaux Weinraub:John, can I add something real quick as well? Sure, absolutely. So what I noticed in the tabletop exercises and in our briefing conversations after a cyber incident is an organization saying, we had an incident response plan and we were so prepared to use it, but the threat actor encrypted all of our files and I couldn't access the file from my computer. And you're like, well, so another big important thing, save John's phone number in your cell phone so you know who to reach. Save your carrier hotline as well in your phone number, in your cell phone and have that documented and printed incident response plan for when you need it because we don't want to do all of the great work of preparing for a cyber incident to then be not able to follow the plan.
Travis Epp:We'll do a couple of rapid fire questions as we're getting close to the end. So John, if there's an incident, when and under what circumstances would you contact law enforcement or regulators?
John Wolak:Real quickly, I think generally speaking, and in my experience, law enforcement and regulators are your friend. They are not your enemy. They are not trying to gotcha, they're trying to be helpful. The FBI, the Department of Defense, the Office of the Treasury, the Comptroller of the Currency, they are all really important resources that can help you through this incident and navigate it, whatever the scope is. Now, I'm not saying you just run to 'em right away. It's a thoughtful type of approach, but more often than not, contacting law enforcement or regulators is either going to be required and then you have to decide when you're going to do it, or it's going to be helpful and you can decide. For example, just very quickly, in a wire fraud event where you've mistakenly or one of your employees has transferred money to a fraudulent account, you better notify the FBI immediately because after 24 hours, the likelihood of you getting those funds back is diminished considerably. Within the first 24 hours,
they can pretty much trace it. You might have a good high success rate, but in a ransomware event that escalates the contact to the FBI and the IC3. So my advice to clients typically is they're your friend, they're not your foe. They can be extremely helpful even with respect to decryption keys and ransomware. I mean we're getting a little more sophisticated than that recently in terms of AI and the like, but there's a lot of resources that exist in those law enforcement agencies and in those regulators that can be helpful. A thoughtful approach to notifying them is the best course of action.
Travis Epp:And Margaux, quick question. Does an organization need to have a cryptocurrency wallet to make a ransom payment?
Margaux Weinraub:No. So I think the important thing to note is having the right vendor partners. Your insurance policy is going to connect you with the threat actor negotiator and that cryptocurrency wallet to ensure that you don't need to save funds in an account, knowing the volatility of the cryptocurrency market right now anyway, but that you are able to make that transfer. What's important, and John alluded to that earlier, is making sure you can make that payment is the more important aspect. So is this entity on an OFAC sanction list? And typically before you'll be able to either make that payment or get that payment reimbursed, there's going to be three checks. It'll be from the law firm, it'll be from the insurance carrier, and it'll be from the organization that's going to help you make that transfer. And if all three say you're clean, it's good to go. It allows your organization to make that business decision quite easily if we need to continue with that payment. But if one of those organizations of those three says we're not sure, we think they might be listed, we think they're going to potentially be listed, it makes a very different conversation for your organization of what that business need truly is.
Travis Epp:Rahul, a last question for you. So the cost of addressing IT risks can be significant. What are the benefits of outsourcing some aspects of an IT budget? Rahul, you're on mute.
Rahul Mahna:We had more time. I feel like we could talk for another hour, but I know there's a couple of questions also that were posed. We'll make sure to get back to everybody on those questions. And in terms of what are the two things that I would suggest? One is scalability. An internal IT team just cannot scale. When something bad happens, as my colleagues have just mentioned, you need a team to come in and help. And so an outsource provider can definitely help, whether it's forensics, whether it's day-to-day. I think that's somebody that should be in your pocket, on your speed dial, as Margaux said, on your phone. And then secondly is skills. There are so many skills needed that a typical IT department these days cannot keep up, and so outsourcing with the right partner will give you the ability to lean on those extra skills and how to handle it.
Especially with AI coming up now, really people don't know how to handle it. There's so much still. I know there's a question. Can AI be hacked? I think this is going to be a gold rush of hacking happening in AI in the next year. I think John is going to be super busy. So is Margaux, that nobody knows. People are uploading their financials into AI tools these days. They have no idea. All of this data is going up and it is being used by some entity. You can manipulate AI, you can change things. And so be very careful how you use these tools is my final word.
Travis Epp:And Margaux, does the company need a cyber insurance policy if they outsource the cybersecurity to vendors?
Margaux Weinraub:Quick and easy, yes. If you have any information, you're connected to the internet and you have anyone that you work with, yes, you need a cyber insurance policy.
Travis Epp:John, any quick final comment you'd like to make?
John Wolak:Just on, well, actually on ransomware, it's not presumed that you have to make the ransomware payment, right? Proper planning, and that's a pre-incident consideration. Decide if you're going to make a ransomware payment or not. I've represented a lot of companies that are not paying ransomware, whether it's insured or not. That's their policy and they've planned accordingly with respect to backups and the like to not have to do that when they're in those situations. Just with respect to AI, lots of benefits, lots of risks, and it's going to be an interesting road ahead.
Travis Epp:John, Margaux, Rahul, thank you very much. I know we went through a lot today. Thank you everybody for listening. And now I'll pass it back to Bella.
Transcribed by Rev.com AI