Cyber: Prepare, Prevent, Mitigate, Restore®
April 29, 2022
Denver, CO
This cybersecurity education program is proudly presented as part of the Travelers Institute’s Small Business – Big Opportunity® initiative, helping business owners become better equipped to manage risk.
The Travelers Institute hosted Cyber: Prepare, Prevent, Mitigate, Restore®, an educational symposium helping businesses and organizations tackle evolving cyber threats. As part of a national series, industry leaders from the public and private sectors shared insights into the current threat landscape and strategies to help prepare for and respond to a cyber incident.
For more information and resources on cybersecurity, visit Cyber CYA.
Presented by the Travelers Institute, the Professional Independent Insurance Agents of Colorado and the National African American Insurance Association Colorado Chapter.
(SPEECH)
[MUSIC PLAYING]
(DESCRIPTION)
Text, Travelers Institute (registered trademark). A red umbrella logo, Travelers
Cyber (registered trademark). Prepare, Prevent, Mitigate, Restore
Travelers Institute Cybersecurity Symposium. Lone Tree, Colorado
(SPEECH)
JOAN WOODWARD: Good morning, everyone. Thank you for coming.
(DESCRIPTION)
She looks around as the audience takes their seats.
(SPEECH)
It's great energy in this room. Thank you for grabbing a seat with us this morning. We really, really appreciate you being here. I'm Joan Woodward. I'm President of the Travelers Institute and Executive Vice President for Public Policy at Travelers. We're really thrilled that you're here today. This is one of our very first in-person events in two years.
[CHEERING]
Yes, it's great to be back. It is great to be back. In fact, the last time we held an in-person event was February 10, 2020. And this is where we held it. We rang the opening bell at the New York Stock Exchange, literally three weeks before the pandemic hit. And we celebrated our 10th-year anniversary at the Travelers Institute, which is our public policy kind of think tank. We are a think tank, but we're also a do tank.
And so, on that day, we rang the opening bell. And then we had the opportunity to have a cybersecurity symposium. And this picture shows us in the boardroom at the New York Stock Exchange hosting a cybersecurity symposium. If you haven't been in the boardroom at the New York Stock Exchange, it's very cool, gold-gilded, old, historic, but then very, very modern technology. And so you see in those pictures.
We were humbled, really, to have our CEO invited to a White House summit a few months ago. So Alan Schnitzer, our CEO, was invited by President Biden and the Small Business Administration, and the Department of Homeland Security and the Defense Department. And what they learned was that we need to start a massive education program of our not only small businesses, but medium-sized businesses, large businesses, individuals, everyone needs to be educated about the dangers and, frankly, the opportunities that come with being cyber prepared.
So that's why we're here today. We're here to talk about cyber hygiene, all the things you should be doing in your business and personal life. We're talking about if you get hacked, what you need to do first, second and third. If you get a ransomware demand, what you need to do first, second and third in your business.
So we have an amazing panel. And I also have a keynote speaker-- an opening speaker from the Small Business Administration that I'll introduce formally in a minute. But we're really thrilled to have you here today. And we hope you take away at least three key ideas for your business or your personal life when you walk out the door.
So let me take a moment to thank our partners today. First, the Colorado Chapter of the National African-American Insurance Association.
[APPLAUSE]
Also, our own Regional President, Rich Rogers. Rich also sits on the board of NIA.
[APPLAUSE]
And we also have another partner in the Professional Independent Insurance Agents of Colorado as our partner today. So thank you for being here, and all your members as well. The Travelers team, I want to recognize just off the bat. We just saw Rich, also Genus Dalton, Josh Reel, Tim Bishop and Henry Meintjes. So thank you all for being here and inviting your colleagues.
With that said, I want to get started with our program and introduce our opening speaker. We are going to hear from the District Director of the Colorado Small Business Administration. I'm pleased to welcome Director Frances Padilla. As District Director, she serves as the Chief Executive Officer responsible for directing the expansion and delivery of the SBA's various loan and business training services throughout the state of Colorado. Her career is 24 years long in government relations, project management, strategic planning. So, in an effort-- in an effort to support small businesses, Director Padilla really does play a critical role in educating businesses on the importance of cybersecurity and good cyber hygiene to their businesses.
So, she'll kick off our session today. And then we're going to welcome a really expert panel. But most importantly, we want to hear from you. So, get your questions ready, at the-- at the end of kind of our moderated discussion. And also, take out your phones, just for a minute. Usually, I tell you to put your phones away. Take your phones out for a sec. Because I'm going to have you scan this QR code that we have on our table tents. And this QR code is going to give you access to resources, and ideas and strategic planning ideas for your cyber hygiene. It'll also connect you to the Travelers Institute. And you can see all of our other programming that we put on throughout the year.
This is not a one-and-done thing. We host a Wednesday webinar, almost every Wednesday, to talk about really important things that you can learn in your businesses. So do scan that code for us. And with that, Director Padilla, please join me on the stage. Thank you.
[APPLAUSE]
(DESCRIPTION)
The Director steps up to the podium. A QR code appears on a screen to her left.
(SPEECH)
FRANCES PADILLA: Good morning, everyone. Can you hear me? All right, it's so awesome to see everybody's real faces, not those wonderful Zoom calls with the background behind you where you're like in the Bahamas. But literally, you're sitting in your backyard, and the dog is barking, or there's a rooster crowing, and you're in your yurt or whatever. And everybody's in big-boy and big-girl clothes. That's awesome.
[LAUGHTER]
Little salty that we had to do that. But, yeah, we're all coming back. It's amazing. Thank you, Joan, for the introduction. It's just a privilege to be here today representing the U.S. Small Business Administration. And super kudos to Travelers Institute for hosting this event and for really focusing the spotlight on what is an increasingly critical issue for America's 30-plus million small businesses, innovators, founders and entrepreneurs.
For those of you that aren't overly familiar with our agency, in a sentence, we exist to help power the American dream of business ownership. We are the only go-to resource and the voice for small businesses that's backed by the strength of the federal government. And really, our mission is to empower entrepreneurs and small-business owners with the resources and the support that they need to start, grow, expand and, of course, unfortunately, recover from a disaster. We do that mainly through an extensive network of SBA field offices and with partnerships that are both public and private organizations.
As Joan mentioned, I'm the Director of the Colorado District Office. So, our service area is the entire state of Colorado, where we have approximately 675,000 small businesses. That represents 99.5% of all private business in Colorado. And it employs 1.2 million people. So you can see, even though our universe is working with small businesses, small business is really large business in Colorado. They are our driving force in our economy.
And although we're only 1 of the 70 field offices that deliver SBA programming, if you're not from Colorado, you'll find a district office wherever you're from. It has its own network of resource partners that can provide services. We're a really small team. We're lean and mean. There's about 15 of us, but we're the second seat of government for the SBA.
So, in the event that, let's say, D.C. went down and the SBA had to reconstitute, it would reconstitute here in Denver. So, there's approximately between 115 and 120 different SBA offices. And the financial infrastructure of the SBA, half of it actually exists here in Colorado. So we're a big delegation.
And each of our organizations and each of our district offices has its own network of collaborations. So in Colorado, here, we have 15 Small Business Development Centers, one Women's Business Center, a Veteran Business Outreach Center, and two SCORE chapters. And these are really our partners that are the boots on the ground that can work one on one with all of our small businesses, so whether they need mentoring, consulting, training.
Represented today is our Pikes Peak SBDC and part of our statewide Cyber CYA program, sitting mainly in this area right here. So shoutout to our cyber consultants from the SBDC here in Colorado. We joke with each other that there are so many organizations in Colorado that want to help entrepreneurs that we're tripping over each other, right? But that's actually not a bad problem to have. And we would love to have Travelers Institute as part of that team, ready and willing to assist small businesses.
It's really key to have those partners, as we all experienced over the last two years, when our agency was charged with providing so much significant delivery of disaster assistance. And we know how that crippled so many small businesses, the pandemic. But I think, also, it unearthed some really important truths about cybersecurity. And that is that it's so business critical.
Despite all of the devastating economic impacts of the COVID pandemic on our small businesses, we want to tell you there's been one really significant silver lining. And that's that millions of small businesses have embraced technology like never before. So they've adopted digital sales strategies, if they didn't have them before. They had to use virtual platforms and adopt and use online tools for their operations. And that happened at a really high rate, especially over the last two years.
And interestingly enough, in 2021, the applications for new small-business startups reached record levels. And that continues to climb. Last year alone, in one month, across the nation, there were 430,000 applications to-- for businesses to enter into their market. That was one month alone. And so many of those small businesses, now we know, have an online presence, whether it's e-commerce, or it's online tools for operations, or they save their CRM system and use a CRM system off on the cloud.
So it's clear that using technology, and especially virtual platforms, is basically essential. And that was made clear over the pandemic. And while it's brought new opportunities for small businesses to expand into new markets, we also are concerned because it's become fodder. It's become fodder for cybercriminals that are looking to take advantage of these entrepreneurs who may lack the experience or the resources to effectively protect themselves. And I think the reason small businesses are attractive targets is because, typically, they have this information that cybercriminals want, right? They lack the security infrastructure themselves sometimes that larger businesses have.
I'm going to throw some stats at you. And you're going to hear a lot of stats today. And I think all the stats that we hear should effectively scare, or maybe I should use the word motivate us and a call to action. So the United Nations estimates that cybercrime increased by 600% during the pandemic. In 2021, almost one quarter of small businesses suffered at least one cyberattack. And that came out to an average 12-month financial cost of $25,000 for each small business that was attacked.
So, sadly, small businesses do represent the majority of ransomware victims. Imagine surviving the pandemic, after barely holding on financially. And then you're knocked down by a cyberattack. The sad truth is that some small businesses aren't just imagining that scenario. They actually have experienced it, or they're experiencing it right now. They're living through it. And with small businesses, again, being the driving force of our nation's economy, we really can't afford for any more of those small businesses to experience that.
So at SBA, we know that we need to build awareness to motivate to action. And we need to create simple solutions for cyber health for small business owners. So again, some stats, an overwhelming majority, about 88%, recognize their vulnerability. This is small businesses. But less than half of them actually have a cyber defense plan. And less than 1 in 10 have a dedicated IT staff.
So, many small businesses just can't afford to have professional IT solutions. A lot of the times, they have limited time to devote to cybersecurity. Or they just don't even know where to begin. So, in addition, I think small businesses are also-- and the supply chains are also seeing more demands on their cyber readiness. And this is from buyers. Especially if they're working in the federal contracting space.
So the federal government has a requirement that defense contractors have to be cyber ready by 2025, that with a Cybersecurity Maturity Model Certification. We call that a CMMC. And CMMC applies to any company of any size that's looking to do work on defense contracts. And that's throughout the defense supply chain. So while these standards are important, obviously, for our national security, they can impose undue costs and burdens on small businesses.
We've established that the pandemic has served as a catalyzation for the digitization across small businesses. And we know this has helped them survive. And it's helped them accelerate their modernization. But it also comes with cybersecurity trade-offs, and then, again, an urgent need to pay attention to cyber hygiene.
So, ransomware attacks directly impact Americans' daily lives. We know they impact our economy. We know they impact the security of our nation. Another stat for you, roughly 300 million in ransom was paid to malicious cyber actors in 2020. That's more than a 300% increase from the previous year.
So, what are we doing at SBA to try to provide tools and resources? First, we're working very hard through many of our different cross programs to help our nation's small businesses get the support and the resources that they need to increase their cyber hygiene. In terms of capital, we have 13 different loan programs in lots of different flavors. And almost any of our loan programs could be utilized to provide that working capital that might be necessary to improve cybersecurity, whether that be hiring professionals, amping up their hardware, amping up their software, any antivirus.
Again, going on contract to have somebody kind of work with them with an assessment, that can be done with any of our loan programs. Also, in terms of providing more capital for the innovators that are working in this space, the federal government has a program that's called the Small Business Innovation Research program, or SBIR. This is the world's largest source of early-stage public finance. So we've been using the SBIR program through the various federal agencies that let these programs, or let these offerings out, to power some of the nation's leading cyber innovators.
Does the name NortonLifeLock sound familiar to any of you? Yeah. So, this company is arguably, right now, the leading provider of cybersecurity software and services. But back in 1982, when it was just starting out, it was just a little company called Symantec. And that's what it was known back then. And through an SBIR grant from the National Science Foundation, that's where they did their research on the first natural language understanding programs for microcomputers. So that's how some of these federal programs can support innovators in that space.
On a national level, we're launching a pilot program that will help states actually fund cybersecurity efforts for small businesses. That goes through our Office of Entrepreneurial Development. And, in addition to that, that office will also soon be rolling out several, several different cybersecurity educational initiatives. And it's going to be focused on reaching underserved communities.
We've also been promoting stopransomware.gov, which is a new federal portal that helps provide clear guidance on how to report attacks. And it's going to be the go-to source for the latest ransomware-related alerts from all the different participating federal energy-- agencies. Let me give that to you again, in case you want to write that down. stopransomware.gov.
SBA also has a wide range of cyber info. And that's in our Cyber Online Learning Center. And that's tips, videos, links to federal resources. Also, a little preview. I think we're going to be announcing another National Cyber Security Forum, sometime this summer. So kind of keep your eyes and ears open for that. If you subscribe to sba.gov, it allows you to get on a newsletter. And you'll be able to find all of our announcements that come out as we roll out these programs.
In addition, through our vast network of resource partners, one of them you're going to hear from today, Dr. Shawn Murray. We're helping small-business contractors get cyber ready and achieve that certification. That way, we help to increase their chances of working with the federal government and getting a portion of that federal government spend.
Uncle Sam is the largest buyer of goods and services in the nation. So we want our small businesses to be ready. And we want them to be secure as they open up their markets in working in that federal space.
Also, in terms of preparedness, for all of our team, our Office of Entrepreneurial Development has, for the past several years, required a broad mix of kind of different online cybersecurity training and counseling, required of our 63 different Small Business Development Center networks throughout the country, one that Dr. Murray heads here in Colorado, and members of his team that are here at this table participate in. So each one of our resource partners would offer cybersecurity education tools, and a number of Centers of Excellence in that network.
And I don't want to steal Dr. Murray's thunder, but in Colorado, we actually have a formal statewide program called Cyber CYA, Cover Your Assets.
[LAUGHTER]
So Cyber CYA actually helps small and medium-sized businesses solve their cybersecurity challenges. This includes cloud computing, social media, securing technology to meet those compliance standards. It also offers online resources, free and confidential-- free and confidential, and low-cost workshops. You can also schedule an appointment with any of our cybersecurity consultants. Right now, it's actually housed under the Pikes Peak SBDC, which is located in Colorado Springs. But any client can go to any of the 15 SBDCs in Colorado and ask for a referral to that program.
I think we all know that, especially for small businesses the-- and the limited resources, and sometimes the limited infrastructure, that we have, and time, on top of all of that, that simple solutions are key. And I think we all need to find creative ways to partner to meet those supply chain demands, but then to also deliver cyber health to our increasingly digital Main Street.
Our administration has actually declared cybersecurity a national security issue and an economic security imperative. And we're prioritizing elevating that issue across the federal government. Joan referenced that White House cybersecurity summit last year, where SBA had the privilege to meet and engage with your CEO. And we're really optimistic that that summit set in motion some really key public-private partnerships that are surrounding this topic.
We know that insurance companies like Travelers are increasingly a key tool for organizations to manage cybersecurity risks. And I, again, want to applaud Travelers for taking all these steps, and all the next steps, to providing actionable solutions for our mutual clients, which are America's small businesses.
The work that you are all doing to help our nation's small businesses, and all of our innovative startups, and all of our solopreneurs protect themselves from cybercriminals and feel secure online is so vital, particularly now, when we do see that rise of the American entrepreneurial spirit. And it's stronger than ever.
I'm so especially grateful for all of the work that those of you in Colorado are doing in Colorado. We look forward to hearing more about your efforts to help our nation's small businesses thrive and looking forward to working together in the future to leverage our collective power to drive progress for our nation's cybersecurity. I want to thank you for your time today. Again, it was lovely to see all of your faces. And enjoy the rest of your morning.
[APPLAUSE]
(DESCRIPTION)
The president of the Travelers Institute returns to the podium. A long table stands on the stage to her left that has four chairs behind it.
(SPEECH)
JOAN WOODWARD: Director Padilla, thank you so much for coming today, and your time, and also for inviting your Chapter small-business owners today. So we're thrilled to welcome you all. As I said, we do do these around the country. And we're going to do a lot more in the coming year. So we really appreciate our partnership, and longtime partnership, with the SBA on these issues.
Now we're going to do our panel. And our panel is just amazing. We were in Chicago two days ago. And we had some similar-- a couple of the same speakers. And I'll tell you, it's really excellent information you're going to hear today. So first up is my colleague Tim Francis. Tim is Vice President Enterprise Cyber Lead globally for Travelers. He has oversight over the entire company of cyber product management, including underwriting strategy, products for businesses of all sizes, public entities and technology firms.
Recently, he was named as the insurance industry's foremost expert on cyber and was named an industry icon. Ooh.
[APPLAUSE]
Next up is Carolyn Purwin Ryan. Carolyn is a partner of the cybersecurity and data privacy law firm Mullen Coughlin. She counsels clients of all sizes, across all industries, on investigating, responding to data breaches, assists with legal compliance and disclosure. And she is the gal you want to call if you've been hacked. She's amazing. So thank you, Carolyn, for being here.
[APPLAUSE]
And then rounding out our panel of experts is Director Padilla's suggestion. And we're thrilled that we got the suggestion, Dr. Shawn Murray. Dr. Murray is President and Chief Academic Officer at Murray Security Services and represents the Small Business Development Center for the SBA. He's assigned to the United States Missile Defense Agency as a Senior Cybersecurity Professional. His previous assignments include work with the U.S. Army Cyber Command in Europe, U.S. Air Force, the NSA, the FBI, the CIA, U.S. Defense and State Departments on various cyber initiatives. I imagine you have lots of scary stories for us today.
But thank you all for taking the time to be with us. And, audience, please get your questions ready. Because it's the most important part of our programs is when we hear from you, and what's on your mind, and what you're worried about in the cybersphere. So, we're going to kick off with Dr. Murray. And then I'm going to have a seat. But, Dr. Murray, you have a really remarkable background in cyber at the federal level. And can you give us kind of a high-level overview into what, today, cyber prevention and mitigation looks like at the federal level?
SHAWN MURRAY: So, at the federal level, it keeps evolving, right? A lot of it has to begin with legislation. So without proper legislation, people aren't going to do things unless your arm is twisted to include the federal government. We were just having a conversation earlier this morning with my colleagues over here in the center of the room, and sometimes the government doesn't know what it doesn't know. And it's the experts in our industry that need to educate them first, let them understand what the risk is associated with what they need to do and how they need to do it, the best approaches.
So, the federal government has evolved. We used to do just IT and focus on quality, usability. Then, all of a sudden, we had bad actors doing things, outside of what was expected for our technology. In 2009, during the Obama Administration, a lot of legislation was passed requiring a specific cyber hygiene, and also identified our national critical infrastructure. So that helped start reinforcing the need to secure our national critical infrastructure, in areas like energy, utilities, national defense industrial base.
All of a sudden, we started taking a look at, hey, our national critical infrastructure, those things that we're not allowed to touch, we don't have any cyber hygiene on that stuff. Do you think our adversaries--
JOAN WOODWARD: None?
SHAWN MURRAY: --would want to know that, right?
JOAN WOODWARD: You mean like none?
SHAWN MURRAY: None.
JOAN WOODWARD: And what year was this?
SHAWN MURRAY: 2009-ish time frame. So we did have some, but not to the-- to the level that we were doing for our regular businesses, that includes weapon systems. Weapon systems were always hands off. One of the contracts that I worked on was identifying the critical areas where our adversaries might have an opportunity to disrupt our capabilities for ourselves and our allies.
And we literally spent, probably, the next three years traveling around the globe doing assessments on all that national critical infrastructure. So, again, it evolves over time, right? Usability is usually one of those things that everything is focused on. Does it work and does it work well? But cyber hygiene needs to be considered in that as well.
JOAN WOODWARD: And, just for a minute, tell us about the critical infrastructure in the U.S. So, we have water systems, sewer systems, electrical grid, all the new solar and wind getting to the electrical grid. And those are not owned. They're owned privately, correct?
SHAWN MURRAY: Yeah, a significant portion of our national critical infrastructure is privately owned, either through businesses, corporations, which, then, are publicly traded. And so, a lot of that the government wants to have some influence on because of economic stresses, right? So economic risk, risk associated with lives. The innovation of technology is introducing things that will allow you to have your medical history monitored.
In my family, my dad's side, we have cancer, and diabetes and all kinds of other health-related things that technology exists right now to be able to forecast those things before they become a problem for you. Where 20, 30, 40 years ago, we didn't have that. But what are the cyber-risks associated with that technology if I incorporate that into my lifestyle? What are the privacy issues associated with that? And not everybody wants to participate, everything from conspiracy theories to just telling citizens what they want to do. You've got to balance all of that.
JOAN WOODWARD: OK. So that's kind of the federal level, the national critical infrastructure. I want Carolyn to speak to, which she's expert at, kind of break it down for us. So, let's talk about what are the best practices organizations can do and embrace to prepare for a potential cyber event in their business? So, give us-- give us kind of what should we all be doing now before that ransomware hits us?
CAROLYN PURWIN RYAN: Sure, of course. So, really, the ultimate goal here is to just never have to call me, right? So that’s-- if anything-- anybody learns anything, the old school, nobody on this panel, actually. That's really the goal here. But how can you avoid doing that? So, we could talk about multifactor authentication across the board, right? You're going to hear that, probably, over and over again. We could certainly talk about the importance of backups, right? Because you want to have all the options across the board for yourself.
Endpoint protection solutions, right? Of course, you could have the fanciest ones that are out there. But I also like to talk about, let's talk about practicalities. Let's talk about things that we could be doing on the smaller end, but also ones that are cost-effective and cheap to do, right? Because we want to be thinking about what are the three methods of intrusion of how people do get into systems, hypothetically, ransomware, right?
Number one is phishing emails--
SHAWN MURRAY: Number one.
CAROLYN PURWIN RYAN: --number one that's out there. So education is critical, making sure to take a look at those emails. I mean, I've seen emails that are out there that I would have fallen for, for sure. I mean, just make sure in talking to employees and actually expressing and having them be involved within the security conversation.
Because a lot of people just say, well, you know what, that's not going to be my problem. But it is everybody's problem because if the business itself is shut down, that affects everybody across the board. And involving people within the conversation is always critical when that comes, too.
Open remote desktop protocols to the internet. Now, we just went through the pandemic. It's still ongoing as well. So we have a lot of people who are working remotely. A lot of people and a lot of organizations, especially on the smaller business end, were unfortunately forced into a situation where they had to open all of their ports up to the internet. Shut it down, please do. If there's one thing that you could take away also, besides calling me, is shut that down.
JOAN WOODWARD: So as a nontech person, what does that mean, open-- how many people know what she said?
CAROLYN PURWIN RYAN: OK.
JOAN WOODWARD: OK, so I don't know--
[LAUGHTER]
--what she said. I don't know.
CAROLYN PURWIN RYAN: Wait.
JOAN WOODWARD: So, you have a business, right?
CAROLYN PURWIN RYAN: Yep.
JOAN WOODWARD: And you were normally having people come in the office. And they would log on in the office. So now you've sent them all home with laptops. And then you went open to the internet.
CAROLYN PURWIN RYAN: Right. So how do you actually-- so what it is, actually, is you know when you get on to your computer, and you're sitting at home and your own laptop, whatever it may be, whether or not it's company-owned, or if it's your own. And you actually, there's usually systems that you utilize to go into, right? And you type in your password, and you type in your username. And it actually remotes in to your desktop that's sitting at your office. So that's what I mean when I talk about remote desktop protocols. So in order to compensate for everybody working at home, people opened it up to the internet. So basically, anybody could get themselves into your system, as a result.
JOAN WOODWARD: So you want us to shut that down.
CAROLYN PURWIN RYAN: Shut that down. You could shut it down, please.
JOAN WOODWARD: So you want us in the office five days a week, is that what it means?
CAROLYN PURWIN RYAN: Oh, no--
JOAN WOODWARD: No?
CAROLYN PURWIN RYAN: --you could still work remotely, but just don't have your ports open to the internet. So that's another one, patching. I mean, if I had a dime for the amount of times that patching-- I mean, you see every day, it's really, really hard to keep in touch with. Is it my SonicWALL VPN? Is it the 50 things that are out there that you constantly have to look at? But please do because the threat actors that are out there, they know it too. And they'll know, and they'll take a look. Any patch that's come out there, they'll take a look throughout the entire universe and they'll try to manipulate it.
So, but what can you be doing in terms of other things from a smaller business, or even just, just any business, small, big, medium, large, whatever it is? When somebody quits, remove their credentials. I know that sounds-- I know that sounds crazy. But even as a protocol, you know how many times I've been in cases where they have literally used old credentials. Passwords. I know we talked about multifactor authentication. But also, resetting passwords every 60, 90 days.
But also, even just talking about this a little bit more. That's always what I always have to say is don't be afraid to utilize-- I know some of you-- some people in the room, if you have insurance, there's a lot of things that are out there from an insurance perspective-- and I know, Tim, you could probably speak to this as well-- that there are offerings that are out there that people don't utilize that are preemptive services. And even for the small business end, I know you were-- you were talking about that earlier today. There are so many resources. Use them.
JOAN WOODWARD: OK, we're going to talk about insurance. But I do have one more question for you.
CAROLYN PURWIN RYAN: Sure.
JOAN WOODWARD: So, when our company sends us those phishing emails to see if we're smart enough to click or not click, how often should companies send those out?
CAROLYN PURWIN RYAN: So, I typically recommend them quarterly. But sometimes, that's just not within the budget. Because I always think about what's in the budget, right? I would want the Ferrari of endpoint protection solutions, if I could have it. But sometimes it's just not in the budget, right? If you could do it even just every six months. And also come up with a plan, right?
I always say, one of the first things that you certainly want to have within that plan is the phone number, if you do have insurance. Because I know a lot of people, what they do is they store it on the systems. Well, you know what, ransomware hits and it's shut down.
(DESCRIPTION)
She throws up her hands.
(SPEECH)
Where's that phone number? It's stuck somewhere.
JOAN WOODWARD: All right, thank you for that. So, Tim, we're an insurance audience. There's different levels of understanding of what's in an insurance product here, different levels of understanding of what we do with clients and customers, even before we let them buy the insurance. And I say let them buy because we do deny people insurance if their cyber hygiene is not in place. But we do have risk control people to help. So, tell us the process. Tell us how it's evolved and where we are today.
TIM FRANCIS: Well, yeah, so it is very much an evolving process. And I'll say that as an example we talked about open ports, and also something I know we talked about in Chicago. But people tend to think-- I think particularly in small business, right-- they have some level of awareness of the threat environment. But they tend to, for a variety of reasons, and certainly, coming through the pandemic, a lot of companies were focused on just keeping the lights on and doing the business that they need to do. And the thought of adding to more resources for cybersecurity, understandably why that might take a back seat.
But I think there's still a mentality of my company won't get targeted. And they think I’m a restaurant in Denver somewhere, right? And therefore, why am I going to be a target? And I think we look at things like open ports. The industry has evolved where we have a lot of resources to third-party data, right? There's a lot of companies that will look for externally internet-facing things.
I can tell, right now, all of the customers that I insure whether their ports are open or not, right? And we will tell customers, new business and existing, you have ports that are open. Close them. And if that technology is available to me, I can assure you it's available to threat actors.
So the threat actors, certainly, there are situations where they're targeting a specific entity because they want to get intelligence and intellectual property, or they want to disrupt specifically an organization for a reason. Most of the claims that we see that are ransomware are not that. They are the threat actors that go in through any means that they can, and whether it's an open port or another way, because they target the vulnerability. And then, when they're in, they find out who they've targeted, right, or who they've hit.
So, in terms of underwriting, in terms of risk control, in terms of the things that insurance providers can help with, right, we have the ability to educate our customers, whether they're our customers or somebody applying for business. We have the ability to actually, sometimes, know more about their security hygiene than they might know or might have the resources for. And so it's a partnership to help them raise the bar that they have on any individual account and across a portfolio. And ultimately, that's what helps society ultimately help reduce some of these impacts.
JOAN WOODWARD: And so there's a statistic out there that's something like, the insurance industry has only paid 2% or something of all ransom demands. Why is that? Is it because a lot of companies are paying ransom don't even have cyber insurance? Is it because-- what--
TIM FRANCIS: Well, I have two answers. And I'll have to say because I have to say it.
[LAUGHTER]
Frances cited a statistic, which is a real number. She got the number right of 300 million was paid. And when she said that, Carolyn and I both leaned over at the same time and said, it's a lot more than that, right? And it is. And that's not for, actually, insurance companies’ failure to report. That's a little bit of the government bureaucracy not sharing information with each other, by the way.
So it's happening a lot more. And one of the-- one of the reasons and one of the ways in which insurers can partner with the government is to share some of our statistics and data. But most of the reason that, if there's statistics that 2%, or whatever the number is, of cybercrime not being insured or insurance not paying it, it's because customers don't buy insurance in the first place, right?
And so, we live in a world, still, where outside of a few industry sectors and some contractual requirements, that cyber's not a required purchase covered.
JOAN WOODWARD: It's not required. It's not required.
TIM FRANCIS: And relative to property, and general liability and auto, it's very new. And there's less of an appreciation, less of an understanding. So even in North America, or in the United States, maybe, at best, 50% of customers that would otherwise have insurance products available to them buy-- and that might be a high number.
JOAN WOODWARD: Is that less than 50%?
TIM FRANCIS: And when you get to small business, it's less.
JOAN WOODWARD: Less than 50% of all businesses, and small businesses even more--
TIM FRANCIS: Exactly.
JOAN WOODWARD: --are uninsured.
TIM FRANCIS: Yep.
JOAN WOODWARD: So how do you think-- when I think about insurance, I think, if I have a house in a flood zone, right? My mortgage company is going to make me buy flood insurance, right? And so, do you think, at some point, there will be an evolution of businesses who have, obviously, loans with big banks to get their businesses started, the loan, the banker, would say, you must buy cyber insurance. Do you think, at some point, we might get to that place?
TIM FRANCIS: I think we're in the process of that evolution now. And when we talked about our CEO going to the White House, there was-- and we were there from the insurance sector-- there was cybersecurity, but there was financial institutions too. And that's one of the topics that was discussed, right? It’s, it’s-- and part of what insurance can do in the private sector, I think the government is reluctant to try to regulate cybersecurity practices. And there's limited ways that they would want to be able to do that.
And so, therefore, if financial institutions made it harder to get a loan, or cyber hygiene, and potentially cyber insurance, to qualify for a loan, right? That could go a long way, or at least further than where we are now.
SHAWN MURRAY: I'll add to that. So, I sit on our board of directors as Vice Chair for the Women's Chamber in Colorado Springs, so the Southern Colorado Women's Chamber of Commerce. And one of our other board members is representing the financial industry. And they are, before they underwrite small business loans, cyber hygiene is now starting to become part of that discussion.
If you're dealing with PII, especially, and there's a large breach, again, they want to protect the investment for the small-business owner. They want to be able to get paid back. If they suffer a breach and they don't have a good cyber hygiene, and they go out of business, the risk is they don't get paid back now.
CAROLYN PURWIN RYAN: And also, one of the things-- one of the largest things that I've seen-- and this just goes with all-sized businesses-- is vendor management issues, right? So going along those lines is I've seen, actually, it be a contractual obligation between like if you have a contract with X, Y and Z company in order to supply them with whatever it may be, a lot of the times, you're actually required to have cyber insurance. I've seen that in a lot of contracts now.
JOAN WOODWARD: Very best practices, right? You heard it here first. That's your tip number one. If you have a vendor and you don't have a clause that says you must have a cyber protocol or hygiene in place. OK, let's talk about ransomware. So, it exploded, right, during the pandemic, for all the reasons you cite. People have the open source.
[LAUGHTER]
But anyway, people having lots of different vulnerabilities, right, in their computer systems during the pandemic.
CAROLYN PURWIN RYAN: But on the other end of things, we talk about backups. I always think about what are all the options? If I'm a business, I also have to weigh, how much-- how much downtime can there be, right? Do I even have sufficient backups? What are my choices associated with it? And by the way, if I'm going to be down for X, Y and Z amount of days, what is the cost benefit to if I just made payment to the threat actor, am I going to get back up and running quicker and then get my company up and running?
But one of the things that we keep internally, and also, even with all the resources that we work with, the forensics teams and things like that that we work with across the board, we talk about things like is this a type of threat actor group that will, number one, as soon as you pay them, come back after you for more money? Is this a type of threat actor group where the decrypter tool works fast versus slow? Is this the type of threat actor group that takes data? Which I will tell you, a heavy majority of them actually do. And then is this the typical threat actor group that's going to, is it phone calls, emails, text messages, all of that across the board, to your COs, if I don't make payment to them?
So all of these things are kind of risk factors associated with it. And if you don't make payment, what happens next? Most of these threat actor groups have a-- it's a blog, it's a dark web blog, that will post your name, and then will slowly start posting up your data if you don't make payment. So balancing that out is certainly an issue to be considering.
But if you do make payment, does it necessarily mean that they’re gonna come-- you're a target for the next time? The answer is no to that, not based on what I have seen. However, if you don't remedy what you've done before, there's going to be another threat actor group that's most likely going to come after you.
JOAN WOODWARD: Dr. Murray, I want to pull you in because it's like my head's swirling here. You work with a lot of businesses, right, in the Denver area, talking about cybersecurity and what they could do. What are their most common vulnerabilities? I mean, I know you've worked at the absolute highest levels of the federal government. But when you're helping a small or a medium-sized business here, tell us your kind of process and what you've seen. And what are the vulnerabilities?
SHAWN MURRAY: Yeah. It ties back to the Cyber CYA program that we developed with the Pikes Peak SBDC, that's now available throughout the state. And that is, we take a look at it from very simplistically. We call it the RIP model, RIP. Identify your most significant resources, the most significant information or data and the most significant or critical personnel.
We had a small business with 54 people in a construction industry that nobody else knew how to do payroll. So that's a critical person in your business that was disrupted. And now, so they're asking us, can you hack in? And, well, you have admins, so you could get into it. We suggest, rerun your payroll from the last pay period. Keep track of whoever was on sick leave or vacation. That way, everybody's getting paid while you work through this.
Luckily, she came out of it and was able to help for the next pay period. But personnel, information or data, you know what that is. Is it the recipe to a pharmaceutical, the recipe for Coca-Cola? Is it your whatever it is that's unique that sets you apart from your competitors and your business, intellectual property?
That needs to be protected, that information or that data. It's a no-brainer for privacy or PII information. And then, as far as, we've got big supply chain issues right now. So resources, what are the resources? Are you in food and beverage? I watched a very disgruntled person during COVID at Costco going, I run a restaurant. You can't tell me I can only have one thing of toilet paper, one thing of soap and one thing-- I run a restaurant. I need-- that's going to last me half a day, right? So identify those and prepare for that. So critical resources. And remember, 80% of our processes are automated.
JOAN WOODWARD: So, what do you recommend? What is your top three recommendations when you walk into a small business's office to talk about what they need to know and what's kind of their crisis management plan for a cyber incident?
SHAWN MURRAY: So, a lot of them don't even know where to start. And when we walk into an organization, we do the RIP model. And by the way, RIP, rest in peace, if you don't do it well. That's the outcome if you don't do it well, rest in peace for your business.
But, first thing we do is, hey, what is your most important information? Sometimes they don't even know. And so, like, OK, explain to us what do you do? And then, back to your point, do they have vendors? How do you vet your vendors, right? You may hire a vendor for a specific purpose. Look at Home Depot. They decided several years ago to get into the self-checkout business.
And so, they have a unique point-of-sale system. Well, that vendor didn't understand that point-of-sale system, so hired a third party to write the software so it can communicate with the point-of-sale system. Well, that third-party software company wrote really bad software. It worked, but it had all kinds of vulnerabilities. Cyber actors came in.
So, again, for a small business, take a look at the supply chain. Who's your primary vendor? Do they outsource anything to other vendors? The idea is to understand the risks that you have that you can control within your business, and those that you have control over, like a cyber hygiene, putting antivirus and internet protection, and patching, the simple things.
CAROLYN PURWIN RYAN: Unfortunately.
JOAN WOODWARD: OK, so now that I've cheered you all up--
[LAUGHTER]
--we're going to get to your questions. But aren't you glad you came? I mean, seriously, I've learned so much. All right, questions from the audience.
AUDIENCE: Quick question, this goes to the use case with regard to the F-35 fighter jet that was hacked a few years ago. So a lot of what happened-- and going with Mrs. Padilla's statement this morning that the federal government is one of the largest purchasers of goods and services in the U.S.-- a lot of those were tier 2 and tier 3 suppliers, meaning that they were some of the smaller guys contracting up to the bigs.
Where do you see what can happen to a business, not only because they get hacked because they're smaller businesses, but what can happen to those contracts after the fact with those small businesses? So maybe you want to touch on some of your expertise on the federal side a little bit and how it can impact a small business at that tier.
SHAWN MURRAY: So, I can hit that one. She talked about the CMMC, the Cybersecurity Maturity Model Certification. It’s-- again, as legislation becomes available because we have more attention on specific things, like the supply chain-- I hire Boeing, or Lockheed, or one of the big primes. Well, they have to meet their small business objectives. So they hire small businesses. Small businesses hire other businesses.
Manufacturing, you don’t-- it could go as much as seven layers deep. That aircraft that you're referring to probably has 100 or more different companies that build a part or something specific to that. And so, part of the acquisition process under the Federal Acquisition Regulation is to now ensure that you have a supply chain that understands a cyber rigor so they're not hacking into your environment and stealing, not just the technology, but the design, the plans associated with that technology.
And it goes back to everything we've talked about. And that's your cyber hygiene. How are you protecting that intellectual property? The legislation is going to help. But it takes industry to help define that legislation. Because you can't make it so rigorous that a small business isn't going to want to participate.
JOAN WOODWARD: And that doesn't go into place, though, for a couple more years, right?
SHAWN MURRAY: Well, so version one had a lot of problems with it. I won't go into those details. But I was literally at the-- earlier this week, at the National Security Institute. On Wednesday morning, we had the new director of the CMMC program provide the guidance. Yeah, it's going to be a couple more years before we see that rolled out.
CAROLYN PURWIN RYAN: But one of the other important things to bring up-- because we were talking about contracts a little bit earlier and your vendor management-- one of the things I always talk to people about is one of the things you want to be thinking, does somebody else have my data? Or my response, what are my responsibilities to them? And what are their responsibilities to me?
Especially when it does come to any sort of government contracts and things like that, you're going to have an obligation to report if you have an incident. And cyber incident, by the way, is a very, very large, I would say, definition. Because sometimes, you don't even know if their data, their particular data, has been impacted at all. But it's still going to require you to notify very quickly.
So again, talking about from a proactive standpoint, one of the things that you can be doing, take a look at your contracts between yourselves and your vendors, and especially government contractors because you're going to have reporting requirements, requiring forensic reports to be provided to them. Because if not, then you're going to lose your DOD potential status.
JOAN WOODWARD: And, Carolyn, just give us a sense, and same question to you, Tim, how many cyber cases have you worked on, in the course of your career--
[LAUGHTER]
--either hacked, ransomware, or give us an idea-
CAROLYN PURWIN RYAN: Sure.
JOAN WOODWARD: --of what you've seen.
CAROLYN PURWIN RYAN: Well, Mullen Coughlin alone had 4,000 incidences last year alone.
JOAN WOODWARD: This is your law firm.
CAROLYN PURWIN RYAN: This is just my law firm, just one law firm, 4,000 incidents.
JOAN WOODWARD: 4,000 incidents.
CAROLYN PURWIN RYAN: And that's business email compromise, wire transfer fraud, unauthorized access, and ransomware all in a big pot.
JOAN WOODWARD: 4,000.
CAROLYN PURWIN RYAN: 4,000.
JOAN WOODWARD: And your law firm is how many lawyers?
CAROLYN PURWIN RYAN: Well, close to 100--
JOAN WOODWARD: 100.
CAROLYN PURWIN RYAN: --close to 100.
JOAN WOODWARD: So, 100-person law firm saw 4,000, multiply that, right, by the number of law firms that are involved. Tim, same question to you.
TIM FRANCIS: Well, I would just say it this way, I remember when that law firm had a lot less lawyers in it.
[LAUGHTER]
And that's because, right, we had a lot of claims that end up with their law firm, and other law firms, right? And so, yeah, it's thousands.
JOAN WOODWARD: Thousands, thousands, wow.
TIM FRANCIS: Now, having said that, it's thousands, right? We have a lot of customers. It's still unlikely that a customer is going to have an event. It's not like every customer has a cyber event.
[KNOCKS ON TABLE]
I just jinxed myself, right?
JOAN WOODWARD: Yep.
TIM FRANCIS: But, but, particularly, again, we're talking a lot of small business, right? When you have the event, boy, you really wish you didn't, right, at best.
JOAN WOODWARD: OK. So it's a wake-up call for all of us, right, no matter how big your business is today. And for the insurance agents and brokers in the room, I mean, one of our biggest challenges is educating customers so they actually want to buy the policy, right? Because they don't see the immediate threat. They see the hurricanes, the wildfires here in Colorado, right? They see other general liability issues. So, OK, next question, put your hand up high so we can get our microphone to this sir right here.
(DESCRIPTION)
She points to a man in the center of the audience.
(SPEECH)
AUDIENCE: My question might not be as thoughtful as that. But we were talking about ransomware. And you get the email. Then you instant message a little bit. And I don't know if anyone else is thinking about the last process of that. You send them $5 million and just pray they give you your stuff back? Is there like a criminal agreement between that?
[LAUGHTER]
CAROLYN PURWIN RYAN: Yeah, that's actually a good question, right? Because why would I pay them? And we do keep statistics as to which ones actually do-- like if you do make payment to them, that they're actually going to give you the decrypter tool. So, one of the things, by the way, during this entire process, before you were even making payment to them, there is a benefit associated with communicating with them. I hate to say that, but it is true.
One of the reasons why is we'll say to them, we're going to do a proof of life. Think about any sort of ransom, sort of-- I always think about the movies that are out there. We will give them a file, like a smaller file, and tell them, prove to me that you can actually decrypt it, before I ever make you a payment. Some of the communications are, you know what, give me a file of what you allege to have taken. Which is also helpful because, then, it also directs our forensics perspective too, right? Because then we're like, ooh, this is where to look.
But I will tell you, my experience with it, when you do pay, I want to say almost, 99% of the time, they do give you the decrypter tool. There is such a thing as honor amongst thieves, right? Because you know what, the thing is, word gets out in the street that if you make payment and they don't abide by their word, everybody's going to stop paying. And then that cuts off their arm.
JOAN WOODWARD: OK, they're trustworthy, good--
CAROLYN PURWIN RYAN: Somewhat.
JOAN WOODWARD: --good to know--
[LAUGHTER]
--good to know.
CAROLYN PURWIN RYAN: Right. But it's not a settlement agreement, right? It's not like I could go and, hey, look, go to court. And if they don't abide by their word, it's not like I can go-- again, criminal.
SHAWN MURRAY: Yeah, remember, the criminal is running their own business on the back end, right? So they have to have some level of credibility. We have seen, with a major breach-- I can't go into the specific details-- the breach, the threat actor actually set up a help desk to help people.
CAROLYN PURWIN RYAN: They do. It's convenient.
[INTERPOSING VOICES]
SHAWN MURRAY: Because they were like, what's bitcoin? How do I pay-- this is how to establish a bit-- I mean, their call center. And I listen to this story of this small business. So she was like, oh, they were so nice. And [INAUDIBLE].
[LAUGHTER]
CAROLYN PURWIN RYAN: No, they're helpful. And if the decrypter tool doesn't work, you can go back to them and say, hey, look, this doesn't work. And they'll work with you. They'll communicate back and forth with you--
JOAN WOODWARD: Good, good.
CAROLYN PURWIN RYAN: --100%.
JOAN WOODWARD: Good to know.
CAROLYN PURWIN RYAN: Which is, I know.
JOAN WOODWARD: We started these symposiums on cybersecurity six years ago. And people were like, oh, who's going to come to that? It wasn't even really--
SHAWN MURRAY: I never said that.
[INTERPOSING VOICES]
JOAN WOODWARD: Well, you were on my panel, you had to come. But people were like, oh, I don't know if I can fill a room. But look, here we are today, right? I mean, this is just critically important for all of our businesses. And I really appreciate you coming. We are-- we're out of time. So if you enjoyed today's program, if you learned anything today-- and I actually learned a bunch today-- we do a Wednesday webinar session on different topics related to insurance and other items.
So if you're interested in that, I'm going to talk to you about our lineup coming up. Do we have that on the screen? There we go. So, I have about seven programs coming up for you. We have another cyber program on June 8th, “Hacked! What's Your Plan?” So that's, again, more practical advice. But next week, I'm going to interview President Trump's Surgeon General, Jerome Adams, on the lessons learned from the pandemic.
Then we have some fun things, looking at the PGA golf TOUR. But managing hurricane risk, wildfire risk, these are all in our radar for this year, in terms of our webinar series. So, we won't, probably, be back in Denver for a live event like this in a little while. But we invite you to join our website, travelersinstitute.org. Again, we're the think tank, the do tank of Travelers. And we pull in wonderful experts, always, from federal government agencies and other places to help educate us all.
So join us on our website. Do the little QR code thing on your table. And now is my great honor and pleasure to thank our terrific panelists. And I want to thank Tim and Carolyn in particular. They were with us in Chicago a couple days ago. Dr. Murray, we're going to stay in touch. You're doing great things on the ground here for the business community. And we thank you.
SHAWN MURRAY: Thank you. And I'd like to, for those of you that are local, the Pikes Peak SBDC website, when we talk about the Ukraine-Russia event and how that impacts small businesses, I was asked by SBA to put together a white paper on how that affects small businesses. That resource is available here in your local community. Head out to the Pikes Peak SBDC website and download that white paper.
JOAN WOODWARD: Terrific. Well, thank you for being here. And thank you--
SHAWN MURRAY: Thank you.
JOAN WOODWARD: --for what you're doing. So thank you all for coming. My panelists, let's give them a great round of applause.
[APPLAUSE]
[MUSIC PLAYING]
(DESCRIPTION)
Text, Travelers Institute (registered trademark). A red umbrella logo, Travelers
travelersinstitute.org
Timeline:
8:30 a.m. Networking & Registration
9:00 a.m. Breakfast Program
10:30 a.m. Program Concludes
Location:
Denver Marriott South at Park Meadows
Park Ridge Ballroom
10345 Park Meadows Drive
Lone Tree, CO 80124
Host
Joan Woodward
President, Travelers Institute; Executive Vice President, Public Policy, Travelers
Opening Remarks
Frances Padilla
District Director, Small Business Administration, Colorado District Office
Panel
Tim Francis
Vice President, Enterprise Cyber Lead, Travelers
Carolyn Purwin Ryan
Partner, Mullen Coughlin
Dr. Shawn Murray
President, Chief Academic Officer, Cyber Security Professional, CISO, Murray Security Services & Consulting an Alpine Management & Investments, LLC Company
Cybersecurity threats affect businesses and organizations of all sizes... Our Cyber: Prepare, Prevent, Mitigate, Restore® initiative promotes dialogue and education to help leaders prepare for and respond to cyber incidents.