What’s Required? Understanding the New Cybersecurity Laws Impacting U.S. Critical Infrastructure
October 12, 2022 | Webinar
The Cyber Incident Reporting for Critical Infrastructure Act, a U.S. federal law signed recently by President Biden, mandates entities considered to be “critical infrastructure” to report cybersecurity incidents and associated ransom payments to the federal government. But what is critical infrastructure, and what type of organizations are subject to reporting requirements under the law? What are the downstream impacts on vendors and other third parties they engage with? We had a conversation with an expert panel that discussed these issues as well as the effective strategies businesses can employ to enhance their cybersecurity and protect themselves from experiencing a cyber event.
Summary
What did we learn? Here are the top takeaways from What’s Required? Understanding the New Cybersecurity Laws Impacting U.S. Critical Infrastructure.
Many “known unknowns” regarding CIRCIA still need to be resolved. “When organizations think, ‘Am I critical infrastructure?’ it’s really still unknown,” Eggers said. What constitutes a reportable event – simply stated as “substantial or significant cyber incidents” – also remains unclear. “Substantial is not defined. Significant is,” noted Eggers. “We want to make sure the nature of events reported would be the right amount so businesses aren’t reporting noise.” Clarifications are on the way. “This is still a proposed rule,” Eggers noted. “We won’t go gametime for another two to three years.”
CIRCIA includes key safeguards for businesses and organizations. “We worked very hard to get protected sharing,” Eggers emphasized. For reporting entities that remain in compliance with the law, the government will grant legal liability protection, preserve proprietary data and trade secrets, exempt reported information from disclosure laws, and prohibit the use of submitted data to regulate reporting entities. “These relate very closely to the 2015 Cyber Information Sharing Act,” he assured.
“Bilateral information sharing” is at the heart of the CIRCIA. At its core, CIRCIA is a collaborative effort to ensure timely and actionable reporting of cyber incidents to the U.S. Department of Homeland Security (DHS), so it, in turn, can help prevent and disrupt future attacks. “This legislation is something the Chamber put a lot of time into … so it would be workable for entities reporting, and those on the receiving end at the DHS,” noted Matthew Eggers, Vice President of Cybersecurity Policy at the U.S. Chamber of Commerce. CIRCIA will require covered entities to report covered cyber incidents within 72 hours and ransom payments within 24 hours to the Cybersecurity & Infrastructure Security Agency (CISA), which will anonymize and analyze data, then disseminate threat information back to the private sector. “It’s not enough just to be reporting,” Eggers said. “The name of the game here is getting better situational awareness of threats and taking steps to defend against bad actors.”
What qualifies a company as critical infrastructure? “Essentially, it’s that the systems and security they provide are just so vital to our national security and public health or safety,” offered Ken Morrison, Travelers’ Assistant Vice President Cyber Risk Management for Bond and Specialty Insurance. “Think hospitals, banks, power companies, water treatment facilities, transportation systems and more,” he said.
We’re all in this together. “At the end of the day, all companies are encouraged to voluntarily report any kind of unusual cyber activity or incidents to CISA,” reminded Morrison. “The hope is that by quickly sharing this information, CISA can render assistance and provide early warning to help other companies from falling victim.” Eggers agreed. “There has been a strong effort to have industry reporting, almost like a neighborhood watch, so we can figure out the doors we need to lock,” he said. “I think the big shift with CIRCIA is it’s mandatory for a certain cross-section of industry.”
Failure to report should not result in any fines or penalties. “If a covered entity is believed to have suffered an incident or made a ransomware payment it didn’t report, CISA should conduct outreach. If that isn’t working, CISA is authorized to issue a subpoena, but it should stop there,” said Eggers.
What information will need to be shared? “Basically, it’s the who, what, where, when, how,” Morrison explained. “The name of the organization, when it happened, where the incident occurred, who to reach out to, how severe the incident was, what kind of activity was seen, and a description of what happened.” A simple initial reporting form is under consideration. “When you have a crisis on your hands, you don’t want to be spending a lot of time filling out reports,” said Eggers. However, ongoing reporting is key. Businesses must “keep [DHS] updated, preserve the evidence, preserve all the information and keep providing these reports until the issue is resolved,” added Morrison.
What can you do now to prepare for the coming law? “Make sure you’re shoring up your own cyber hygiene,” advised Morrison. “Make sure you can defend against attacks. Have a plan in place for if and when an incident happens. And start including these reporting requirements and data gathering steps to ensure you’ve got what you need when you need it.”
Presented by the Travelers Institute, the Risk and Uncertainty Management Center at the University of South Carolina’s Darla Moore School of Business, the American Property Casualty Insurance Association, the Master's in Financial Technology (FinTech) Program at the University of Connecticut School of Business and the MetroHartford Alliance
(SPEECH)
[MUSIC PLAYING]
(DESCRIPTION)
A title appears on a laptop: Wednesdays with Woodward (registered trademark) Webinar Series. To the right of the laptop, a red mug features a Travelers umbrella logo.
(SPEECH)
JOAN WOODWARD: Good afternoon. And thank you for joining us. I'm Joan Woodward, and I'm honored to lead the Travelers Institute, which is our public policy division and educational arm of Travelers. Welcome, everyone, back to Wednesdays with Woodward, our webinar series where we convene leading experts, as you know, for conversations about today's biggest challenges. So, thanks for joining us.
Of course, as you know, we also have a disclaimer. So, before we get started, I'd like to share that about today's program.
(DESCRIPTION)
Text, About Travelers Institute (registered trademark) Webinars. The Wednesdays with Woodward (registered trademark) educational webinar series is presented by the Travelers Institute, the public policy division of Travelers. This program is offered for informational and educational purposes only. You should consult with your financial, legal, insurance or other advisors about any practices suggested by this program. Please note that this session is being recorded and may be used as Travelers deems appropriate.
Wednesdays with Woodward Webinar Series, What's Required? Understanding the New Cybersecurity Laws Impacting U.S. Critical Infrastructure. Logos: UCONN School of Business M.S. in Financial Technology, MetroHartford Alliance, Travelers Institute (registered trademark), Travelers, University of South Carolina Darla Moore School of Business, American Property Casualty Insurance Association (service mark), Insuring America, A.P.C.I. dot org.
(SPEECH)
And then a huge thank you for our webinar partners today, the Risk and Uncertainty Management Center at the University of South Carolina's Darla Moore School of Business, the American Property Casualty Insurance Association, the Masters in FinTech Program at the University of Connecticut School of Business, and the MetroHartford Alliance. So, thank you all.
(DESCRIPTION)
Text, What is Critical Infrastructure? “The physical and cyber systems and assets that are so vital to the United States that their incapacity or destruction would have a debilitating impact on our physical or economic security or public health or safety.” Cybersecurity and Infrastructure Security Agency, CISA dot gov.
(SPEECH)
As you may know, the month of October is Cybersecurity Awareness Month. And it’s really designated by the U.S. Department of Homeland Security as such.
Today’s program is part of a month-long educational program series at the Travelers Institute. We call it Cyber: Prepare, Prevent, Mitigate and Restore, which we launched in 2016 for our customers. We’ve hosted more than 50 live events and virtual events in this series. And last week we held an in-person event in Minneapolis. Some of you may have been there.
Tomorrow we’re in Los Angeles. And if you’re in the area, please see our website to register. We have a few seats left, a complimentary luncheon downtown.
So today on this webinar, we’re going to talk about a new law that will enhance our country’s ability to combat cybersecurity threats against critical infrastructure. This is important. This is a new law, and we’re going to tell you all about it. There’s a lot of requirements in this law. And we will break it all down for your business.
But first, exactly what is critical infrastructure? According to CISA, which is the Cybersecurity and Infrastructure Security Agency within the Department of Homeland Security, it is “physical and cyber systems and assets that are so vital to the United States that their incapacity or destruction would have a debilitating impact on our physical or economic security or public health and safety,” end quote. So that’s according to the Department of Homeland Security.
So think about this in terms of banks, power companies, water treatment facilities, transportation systems, hospitals and much more. In fact, CISA says there are 16 critical infrastructure sectors, ranging from agriculture to nuclear reactors, again, to wastewater treatment facilities. So their value to our national security makes them a prime target for cyber hackers and ransomware thieves.
Think about the Colonial Pipeline attack, which shut down more than 5,000 miles of pipeline, leading to gas shortages in communities up and down the East Coast. So that was a serious hack. Or the hack on the nation’s largest beef supplier and meat suppliers that threatened meat supplies across the country, or the SolarWinds hack that exposed the sensitive data of major companies and top government agencies. So with ransomware attacks like these increasing almost exponentially over the past couple of years during the pandemic, we really do need to ensure that our essential networks are secure.
But protecting critical infrastructure is very complicated. So that’s why on today’s webinar we have almost 6,000 people registered because we want to know what’s in this bill, this law. And 80% of this critical infrastructure is really owned by private entities, not the government. And I think that’s a surprise to a lot of people, that critical infrastructure is in private hands.
So, there’s a lot of small businesses also that feed into this critical infrastructure. And that creates a potential entry point for these cyber thieves to exploit. So the small businesses that feed in various parts of our critical infrastructure are some of the biggest targets right now for cybercriminals. They’re considered kind of that low-hanging fruit for cyber thieves because of their vulnerabilities.
So, we want to help all the small-business owners on the call today to understand what’s in this law. And that’s why part of the government’s cyberdefense strategy is really to gain greater insight into the ongoing attacks by these criminals. They require transparency. And this new reporting requirement of this new law is really put out there in front lines of cyberdefenses for CISA. They’re going to be required to report to CISA. And if they’ve experienced a cyberattack or made a ransomware payment, giving CISA that critical and timely insight into the dark world of cyber hacks, and in theory, really, the ability to prevent future attacks.
So, I know this is a lot, but this is important. And what does it mean for your business? And what is going to be required of you? How does a business know if it’s part of the critical infrastructure for society? What needs to be reported and when? And how can businesses prevent this ransomware from even happening to their business?
(DESCRIPTION)
In photos, speakers smile. Text, Speakers. Joan Woodward, Executive Vice President, Public Policy, President, Travelers Institute, Travelers. Matthew Eggers, Vice President, Cybersecurity Policy, Cyber, Space and National Security Policy Division, U.S. Chamber of Commerce.
Ken Morrison, Assistant Vice President, Cyber Risk Management for Bond and Specialty, Travelers.
(SPEECH)
So, we have an expert panel today that’s going to join us to break it all down. Two cybersecurity rock stars, really. First, we have Matthew Eggers. Matthew is the Vice President for Cybersecurity Policy in Cyber, Space and National Security Policy Division at the U.S. Chamber of Commerce in Washington, D.C. He leads the Chamber's Cybersecurity Working Group, which focuses on developing and advocating organizations' cyber policies before Congress and the White House. He frequently testifies before Congress regarding industry's perspective on cyber policy, legislation and regulation.
Then we have my colleague Ken Morrison. Ken is Travelers Assistant Vice President of Cyber Risk Management for Bond and Specialty Insurance. He provides subject matter expertise on cyberthreats, cybersecurity and emerging technology in Underwriting, Claims and other teams across Travelers' enterprise. In this role, Ken also helps Travelers customers understand and mitigate risk.
So, with all of that-- and I know it's a lot-- I'd like to turn the floor over to Matthew to kick us off. Matthew, you're up.
(DESCRIPTION)
The Cyber Incident Reporting for Critical Infrastructure Act of 2022, Some Basics, U.S. Chamber of Commerce.
(SPEECH)
MATTHEW EGGERS: Joan, thank you very much. Thanks for having the Chamber and me with you. I'm going to go through some very basics of the CIRCIA-- I think that's what we're calling it. There's some different ways to pronounce it, but that's what we're going to go with until we're told otherwise.
(DESCRIPTION)
CIRCIA -- P.L. 117 dash 103. March 15th, 2022: President Biden signed CIRCIA into law. September 12th, 2022: Cybersecurity and Infrastructure Security Agency announced request for information (comments due November 14th, 2022), listening sessions: https://www dot cisa dot gov slash CIRCIA.
(SPEECH)
Moving on, so it's-- it’s important to note that this legislation is something that the chamber put a lot of time into, our members in terms of crafting it, working with Hill staff and the administration to make improvements, to make refinements so it would be workable for both industry, those entities that would be reporting, and those that would be on the receiving end, principally CISA at DHS.
There's a couple of things that are happening that I'll just mention. There is a request for information that is out. The Chamber, I would say our Cybersecurity Working Group is something that I lead. And we get together every Wednesday to look at things just like this. We're putting together our thoughts.
There are also listening sessions. And unfortunately, they are just listening sessions. There's not a dialogue format in this period of sessions that I think are going to go toward the end of this month and maybe into early November. So if folks are thinking, hey, how do I learn more about what's being asked as the rule-making process gets underway, how do I offer feedback, that is a means or means to do that. And I've provided a link there, at least something that people can reference.
(DESCRIPTION)
Moving on, Selected Elements of CISA's Final Rule, must be written within 18 months following the publication of the pending proposed rule. The types of entities that constitute "covered entities" (whole or in part?) A frequent question: Will my organization be covered? (still unknown). The types of "substantial" (or significant?) cyber incidents that constitute "covered cyber incidents." Procedures for submitting reports on ransomware payments (24 hours) and covered incidents (72 hours).
(SPEECH)
And I'm going to hit on just some really simple elements of the CISA's final rule. I say "final" because that's going to be the end product. There's still a proposed rule that needs to be put out. We're not there yet. We're going to be kind of getting to that point probably within the next year or two.
That will come pretty quickly. But we're still at the early stages of everything. So let me kind of hit on a couple of things that are probably worth-- worth mentioning and highlighting for the audience.
So, what-- what are the kinds of entities that would be covered? Who or-- would these organizations be covered whole or in part? The act itself has a focus on covered entities, those entities that are part of critical infrastructure. There's a few other kind of criteria that an entity would probably take on or exhibit, if you will, that would maybe label it as covered entities, things related to the attacks that would jeopardize the economic and national security of the U.S.
So when organizations think, hey, am I critical infrastructure, or they ask, am I critical infrastructure? Could I be covered? Just by reason of being critical infrastructure alone would not make you a covered entity. And that gets to the point there.
Will my organization be covered? It's really still unknown. I think on some level if entities were or are what they would consider to be Section 9(a) entities from a 2012 or '13 executive order, that might put you in the zone of potential coverage.
The types of substantial or significant-- there's a big difference. Substantial is not defined in CIRCIA. Significant is. And I think in a lot of ways, the reason we put that there, I want to highlight that, is we want to make sure that A, the number of organizations are scoped, we're not covering too much, and the nature of the events or incidents that would be reported to DHS would be, if you will, the right amount. So businesses aren't reporting noise and DHS is not receiving, quote unquote, noise. And so there is some-- some qualities of covered cyber incidents that are notable, such as key words like "substantial loss," "serious impact on entities." There's a big interplay in the act between covered entities and covered cyber incidents.
There’s some things in there I'd probably mention in terms of procedures, which we can touch on, but 24 hours for the payment of ransomware, meaning you have to report to CISA within 24 hours of making that payment. That is really important. And then in terms of reporting covered incidents, entities have to make those reports into CISA after reasonably believing that they've got a covered cyber incident on their hand.
Moving on.
(DESCRIPTION)
Key Safeguards Tied to Report Submissions. Grants legal liability protections when entities comply with the law and the final rule. Prohibits federal and state governments from using submitted data to regulate reporting entities. Exempts reported information from federal and state disclosure laws. Treats reported information as commercial, financial, and proprietary. Preserves trade secret protections and any related privileges or protections.
(SPEECH)
These key safeguards, one thing I'd really highlight is we worked very hard probably in the 2011 to 2015 time frame to get protected sharing part of information sharing. Two kind of key safeguards that stand out, legal liability related to the submission of reports. Information shouldn't be used to regulate those entities that are reporting. And you want to make sure that when entities are disclosing, they are protected from disclosure. There's some other things here. But in the main, these key safeguards relate very closely to the 2015 Cyber Information Sharing Act.
Moving on.
(DESCRIPTION)
Bilateral Information Sharing (Timely, Actionable, Prevent, Disrupt). Two semicircular arrows flow toward a semicircle that loops back toward the arrows. Text, Covered entity reports incident/ransomware payment. CISA collects, anonymizes, analyzes data. CISA disseminates threat information to private sector.
(SPEECH)
Bilateral information sharing. I think the importance of this can't be stressed. It's not enough just to be doing reporting. Entities are expecting that the data that goes into CISA gets collected, analyzed, anonymized and is reported back out to the private sector.
It's also important that information that goes into the government in some situation-- in some situations is used to prevent future attacks or disrupt bad actors. So the kind of the smart art here that I've got is to really show kind of a sequence and an interplay between the report and then information going back to the private sector. That is really important. The name of the game here is getting better situational awareness of threats and taking steps to defend against and disrupt bad actors. Moving on--
(DESCRIPTION)
Critical Infrastructure Sectors: Chemical, Commercial Facilities, Communications, Critical Manufacturing, Dams, Defense Industrial Base, Emergency Services, Energy, Financial Services, Food and Agriculture, Government Facilities, Healthcare and Public Health, Information Technology, Nuclear Reactors, Materials, and Waste, Transportation Systems, Water and Wastewater Systems. Source: CISA dot gov.
(SPEECH)
KEN MORRISON: Well, thanks, Matt. And thank you, Joan, for having me. And so yes, here are the 16 critical infrastructure sectors. And as Joan said just a moment ago, what makes a company critical infrastructure is essentially the systems or services they provide are just so vital to our national security and public health or safety. So that's kind of the bottom line.
And let's talk about the commercial facilities sector, for example. It has very wide reach and includes the type of facilities that draw large crowds of people for shopping, business, entertainment, motion picture studios or casinos or hotels, theme parks, amusement parks, arenas, stadiums, zoos, museums even, and public accessible real estate, like office buildings and condominiums and actually retail establishments, so stores and shopping malls. So that's quite a broad reach for that one sector.
The energy sector, another one which literally powers the U.S. economy. And it's actually made up of three subsectors of electricity, oil and natural gas. The electricity subsector, for example, has over 6,000 power plants. And all industries in the country and every other critical infrastructure sector is really dependent on the energy sector to provide power and fuel.
So how do you know if your company is considered critical infrastructure? Well, a good place to start would be the CISA.gov website. Look for the Infrastructure Security Link. And here you can dive into it, go into the pages for each sector, and see what might apply to you. But at the end of the day, all companies today are encouraged to voluntarily report any kind of unusual cyber activity or incidents to CISA. The hope is, as Matt was saying, that by quickly sharing this information, CISA can render assistance, provide early warning to help other companies possibly from falling victim to that.
JOAN WOODWARD: Thanks so much for those kind of opening comments. We really appreciate understanding the nature of where the law is today. And I guess, as many of you know, I worked on Capitol Hill for about 12 years.
And writing these laws is not easy. But getting concrete input from the Chamber and other industries really helps make these laws better. And so, the comment period that you just mentioned, Matthew, is really important. We're going to get into that in a minute.
But first, I would like to turn the tables on the audience. And we're going to ask you an audience polling question. So, this is easy. You just kind of click your answer.
So, do you think your business is considered critical infrastructure based on that list that Ken just had up there? And do you think you are critical infrastructure or not? And we're going to get into some of these answers in a second here.
So, about two-thirds of the audience, 60%, say they are. A third say they are not. And about 11% say they don't know.
So, I think our audience answers really get to the crux to some of the confusion, right, over this law. I looked at that list and it seems to cover almost everyone except maybe nail salons or dog groomers. I don't know. But they may be considered as well.
But Ken, you gave us a good rundown. I know our audience really wants to know, how does the business know if they're considered critical infrastructure and might have to report? Because I look at the energy space, just to think about the energy space, and there's so many different areas of energy, right? There's solar. There's wind, as you say, the nat gas and electrical and oil.
But talk about-- break it down for us in terms-- give us an example maybe, too, of a vendor or a third party that these critical infrastructure entities engage with who might have to report.
KEN MORRISON: Sure. Well, from the concept of reporting, just remember that covered entities are probably going to end up being a subset of the critical infrastructure. So not everyone in the critical infrastructure will be considered a covered entity and thereby be bound by the reporting requirements. So DHS is going to decide what the specifics are. But potentially as you can see, the swath can be pretty broad when you consider that it could not only include those companies directly in the infrastructure, like factories and hospitals and water treatment facilities, but their subcontractors and vendors and suppliers and maybe their subcontractors and vendors and suppliers.
And, for example, with the chemical sector, let's take. So chemical manufacturing plants, it's pretty obvious that's going to be critical infrastructure, but the companies that provide transportation for the chemical-- chemicals, right, so the trucking firms and such, and the company that provides warehousing or storage would be considered part of that critical infrastructure. And then take that to the next level. The companies that manufacture the machinery used in the plants or build the trucks, perhaps, or even the tanks or the pipelines-- it goes on and on. You can kind of see how this logically goes from one company to the next in the hierarchy of how we do business in this country today.
JOAN WOODWARD: No, that's an excellent point. And I also think about, we get a lot of questions coming in the chat, too, right now about the financial services sector. So, obviously, banks are on that list. We saw that. And, of course, the financial markets at writ large-- right, the New York Stock Exchange, the NASDAQ, the exchanges out there, Chicago Board of Trade. You think about the financial infrastructure of the country-- well, insurance brokers and agents are also considered finance, correct, writ large.
So the question is, are insurance brokers and agents considered to be critical infrastructure? Ken, I'm going to give that to you.
KEN MORRISON: Well, if you look, again, you go back to that U.S.-- this isn't necessarily a plug for the U.S. search site, but it is terrific. But on their site, they have the different critical infrastructures. And if you look at the profile of the financial services sector, they said it's best described by describing the services offered. And one of the services that they include is risk transfer products.
So yeah, I would say at least for critical infrastructure, insurance companies, brokers, agents are probably considered critical, critical infrastructure. Whether they're going to be considered a covered entity for the reporting, we're going to have to wait to see what CISA says about that.
JOAN WOODWARD: OK. Yeah, Matt?
MATTHEW EGGERS: I was just going to add to that-- I think Ken's right. I think that you look at it from a critical infrastructure kind of envelope and then you work your way down. A couple of provisions in the law that I think help maybe scopes who or what entities may be covered. There's a big emphasis on whether or not that entity is the target of a nation-state or a proxy of that nation-state or a surrogate. Some of the cyberattacks that we've read about in the news over the last couple of years give you a feel for where policymakers, CISA are aiming.
And the other thing is the kind of the nature of disruption to, let's say, an infrastructure sector, parts of the economy. We are talking substantial cyberattacks, significant attacks. So, the bar for at least reporting for many, I think, out there is going to be pretty high. And I think on a lot of levels that's good. We don't want to over-report.
JOAN WOODWARD: OK. So Matt, then tell us how these reporting requirements are going to help CISA prevent future attacks. How does that work? Because are these the same dark web actors, the thieves that are trying to steal your data, are they repeat offenders out there and the thought is CISA might collect data that would help them prevent-- I just, I'm trying to make the leap between reporting and how they prevent future attacks.
MATTHEW EGGERS: A good way to think about it is there has been a strong effort to have industry reporting to government, almost like a neighborhood watch, so we can figure out the doors we need to lock and so forth. I think the big shift with CIRCIA is it's mandatory for a certain cross-section of industry. And the two primary avenues and requirements for reporting or the types of reporting relate to covered cyber incidents, substantial, major episodes. And then if you're a covered entity and you happen to be the victim of a ransomware attack and you make that payment, those are kind of the two things. And under this law, if you're covered, you've got to report it.
JOAN WOODWARD: So, a couple of questions on the word "mandatory." Are there fines or penalties or fees if a covered entity is hacked and doesn't report? Matt, I'll go to you on that.
MATTHEW EGGERS: Yeah, sure, I'll start. No, I'm glad to say that there are no penalties. It just cuts against the nature of public-private collaboration for there to be financial sanctions. Legislation that we did consider early on had them. This legislation does not.
Now, from an enforcement standpoint, if a covered entity is believed to have suffered maybe a covered cyber incident or it made a ransomware payment and it didn't report, the outcome is that CISA should conduct outreach to this entity. If that isn't really working, CISA is authorized to issue a subpoena. And it should stop there. There are other things that can happen. But for the most part, I think on balance with many entities already reporting, I don't think we'll get to that enforcement piece, at least I hope not.
JOAN WOODWARD: OK. Another question for you, Matt. Ken, we'll get right back to you. So are third parties, including insurers, insurers like us, allowed to submit reports for covered entities? So instead of the covered entity reporting on its own, can a third party, again, report that?
MATTHEW EGGERS: Third parties are authorized to report on behalf of a client. One thing I would maybe highlight is third parties don't have to report, let's say, on a client. There's no requirement to do that. So we don't want to spook third parties that are, let's say, having relationships with, let's say, one of your covered parties.
An entity could ask an insurer, let's say, or maybe a law firm or an information-sharing organization, hey, if you don't mind, would you make that report for me? Now, that doesn't absolve the covered entity from doing all that it needs to do because a third party is reporting. But there is that tool.
JOAN WOODWARD: OK. So that's good news, I guess, for folks out there. Back to you, Ken. So what exact information will insurers have to share with CISA when they do have to report a cyber incident? What exactly-- what's the type of information that would have to be shared?
KEN MORRISON: Sure. And so basically it's the who, what, where, when, how, maybe not why, but the basics, so the name of the organization, when it happened, where the incident occurred, who to reach out to, any kind of point of contact, how severe the incident was, what kind of activity was seen, and a description of what happened, maybe the number of people or systems that were impacted. If it was a ransomware event, what were the instructions provided by the ransomware attackers? What type of payment was requested, how much money and/or how much of whatever the payment is, and when the payment was supposed to be made?
And also, there are supplemental reports that they're going to want as the incident continues. So if anything new or different becomes available or known, you're going to want to report that. If you make a ransomware payment after submitting the cyber incident-- so remember, the cyber incident is within 72 hours. The ransomware payment is within 24 hours. The payment might not be made for a week or two after the incident. So you still have to report that.
So, anything like that, you still have to comply with the rules. And then-- and then just keep them updated. And you're supposed to preserve the evidence, preserve all the information, and basically keep providing these reports until the issue is resolved.
JOAN WOODWARD: So, will CISA at some point after collecting this data, do you imagine, when a ransomware attack occurs on my business, can I go to CISA and say, OK, I'm reporting my ransomware attack, and can I tell you who's ransomwared me? And can you give me information back? Can there be kind of a real-time sharing of oh, this bad actor, don't pay this ransom because he has a bad history of giving your encrypted data back? Do you think at some point, Matt and Ken, there would be kind of that advice coming back from CISA to the person who's just been hacked?
MATTHEW EGGERS: I do think that there is-- and CIRCIA calls for it-- a role for parties that report a ransomware payment to try to get a feel for who the threat actors are. Right, I think one of the things we're trying to do is for the government to attribute these kinds of attacks to parties, so we can identify who they are and figure out a way to kind of mitigate their actions. I do think that CISA will also-- in terms of thinking about ransomware payment and ransomware mitigation activities, there is a provision in the bill to kind of look at systems that tend to be susceptible to ransomware payments and work toward notifying owners of that, let's say, IT, OT equipment.
JOAN WOODWARD: So, Matt, back to you just for a minute. What must be included in these reports? Ken gave us an overview of the time frames. But exactly what should the insured, our customer who's considered critical infrastructure, what exactly do they have to include?
MATTHEW EGGERS: I think Ken hit it on the head. I might add a couple of things. One, maybe from a policy-making standpoint, one of the things we're trying to urge CISA to consider is in that initial reporting stage leveraging a very simple form, right? When you've got a crisis on your hand, you don't want to be spending a lot of time filling out reports, certainly when you've got a small window of time to operate with.
A couple other things that I think CISA is interested in, called for in the act, maybe some of the vulnerabilities in a system or a network that might be in play or responsible for what's happening. If you can kind of give CISA a feel for your defensive posture. And then maybe, three, I think we mentioned this, is any sense of threat actors that are in play. And typically, what happens is maybe in a more sophisticated organization that works with third parties that can kind of help identify whether we're talking, let's say, a nation-state actor, something like that, that's the kind of information that is valuable not only to CISA, but then when they push that information out to the rest of industry.
JOAN WOODWARD: OK. And Matt, I'm not sure if you covered this, when does the law take effect? When is all of this-- I know the comment period is kind of ending next month, right? It's November 14, so if anyone's interested in issuing a comment back to CISA. But when do you anticipate this actually becoming effective?
MATTHEW EGGERS: So, the president signed the law in March. We are in what's called an RFI, request for information stage in development of a proposed rule. CISA's got two years from March '22 to develop that. And then 18 months after that, they've got to complete a final rule.
That's when really this program becomes effective. I think they're going to hustle a little bit more, just given the sensitivity and the importance of this. But we won't go game time until probably in about two to three years.
And the other thing I would just say is we've got a pretty good feel for the outlines of what is going to be required of parties. But we won't know with much certainty until the final rule is completed. And I think as we kind of roll through those entities that are likely to get covered, we'll probably have increasing input, we hope, into the final contours of a regime.
JOAN WOODWARD: OK, so two to three years. What about the interim period? If someone is getting hacked or ransomwared, is there a place our insureds and customers should be reporting to the federal government right now? Is that the FBI? Is there a mechanism in place before this law takes place to report? I know it's not mandatory, but the government definitely likes to hear from private businesses when they've been hacked, right? Ken, you might have the answer to that one.
KEN MORRISON: Of course. So yes, so voluntarily-- voluntary reporting is certainly encouraged. And there's a couple of different ways. So, one is the IC3.gov website, which is the Internet Crime Complaint Center. And that's one place you can report.
And I believe CISA also has a reporting mechanism. I believe it's report@cisa.gov is the email address to report any incidents, and on their website they also provide what type of information they want to see. And it's essentially what we just talked about.
And so as I said, as Matt was saying, this information is collected, aggregated. You might not be the only one seeing this kind of incident. They'll take all this information and put it all together and then see what larger threat is evolving and looming and then use that information to keep us informed, tell us what indicators to look for. Maybe we can start putting up our defenses and provide any kind of assistance that they can provide. They do have a pretty substantial cyber, almost a consulting arm, that they provide free of charge to the citizens and the companies in the country.
MATTHEW EGGERS: And I'd just put a fine point on this. This law, CIRCIA, probably wouldn't have been completed as easily if it weren't for the hard work that was put in a number of years ago to develop the Cyber Information Sharing Act. One of the key features is providing a suite of protections for entities that report voluntarily, either on their own or through a third party.
JOAN WOODWARD: So, both your advice is if someone is hacked, they should definitely report because there's a bit of advice coming back to the entity who's been hacked from the government to help you maybe with your cyber hygiene going forward. Is that a good way to think about it, Ken? They can help you?
KEN MORRISON: Absolutely. They can help. They can provide assistance. They can do vulnerability scans for you, for your environment for free. Phishing testing, risk assessments-- it's quite a pretty nifty service.
JOAN WOODWARD: And do the businesses have to be a certain size to get that? Or can you be a sole proprietary person working, you know, in your own business?
KEN MORRISON: I believe it is any-- any organization.
JOAN WOODWARD: All right. So Matt, what have you been hearing from your Chamber members? You have some of the largest industries and companies in the world as your members and some of the small-business owners. So what are you hearing from your membership about this new law?
MATTHEW EGGERS: You're right. We're big. We're diverse. We've got the majority, the vast majority of our members are small businesses.
I think in terms of just to maybe narrow things a bit, I would say in the context of the RFI, we learn a lot about laws that we work on when we kind of consider how we're going to implement them. So one of the questions that I think is interesting, is going to need some work, is the nature of an entity. It’s-- the feedback that we've gotten is are we really focused so much on the entity itself? Is that the bull's-eye? Or is it the nature of the cyber incident? And then you go from there.
And I think, too, is not every organization maybe needs to be covered holistically, meaning you could have very large organizations that make very specialized technical equipment. And they also make home appliances. Do we cover that whole organization?
The other thing, I think, is the furtherance of harmonization. You've got this new federal law that mandates additional reporting on top of what entities already have to report to different agencies. There is existing reporting out there. How do we bring that all together in a way that's coherent? We can maybe touch on that some more.
JOAN WOODWARD: OK. And what do you think, Ken, maybe for you, what should businesses who are considered critical infrastructure, what should they be doing now to kind of prepare for the law when it becomes effective?
KEN MORRISON: Well, in general, just make sure you're shoring up your own cyber hygiene, as it were. You want to be able to defend against attacks. But you-- part of what you want to do is have a plan in place for if and when an incident happens, so an incident response plan, so you're not relying on your memory when bad things happen. So have something written down so that you could refer to who does what when. And certainly, you're going to want to start including these reporting requirements and data gathering steps to make sure that you've got what you need when you need it.
JOAN WOODWARD: OK, and how will businesses know when-- how will businesses know? I know inside the beltway, we're all focused on the regulations coming out. But will there be some sort of communications to let businesses know when it is effective? Because we said two to three years, that's a big difference between two years versus three years. How will businesses know when it's effective?
MATTHEW EGGERS: Maybe just note that there is a provision in the law-- and I think DHS would do this anyways-- there's an outreach campaign that they're going to have to undertake. They'll work with groups like yours, insurance trades, the Chamber, other groups. I think most affected parties will probably have a pretty good feel for when things really kick off in earnest. I don't get the sense this is going to try to play a game of gotcha. It's generally not the approach that they seem to be taking.
And then on the kind of the how do I kind of get ready, a number of critical infrastructure entities are already prepared, reporting and so forth. The one thing I usually try to stress to organizations is think about the things that you need to do to kind of keep yourself, business leaders out of the congressional hearing room chair. You're often not invited there for kind of just a positive outlay of things you're doing.
But do you have a cybersecurity story, meaning if you had to write testimony on an event, do you like what you've got? And so you can think about all kind of the one, two, threes of controls or what have you. But think about that because for some organizations that is really critical.
JOAN WOODWARD: So that gets us in, I think, to cyber hygiene. And is your business really clean when it comes to protecting it from ransomware or a threat? And talk about the best practices that all businesses and organizations should be following. So, I want to get into cyber hygiene as our next kind of category.
But first I want to ask the audience another polling question just to see where they are with their cyber hygiene. Does your business use multifactor authentication? And that's when you're trying to sign into something and they say, we're going to text you a code and you give us that code back and then we're going to let you into your system. That's multifactor authentication. And does your business use it and use it across the board, not just for one thing, but use it for all your systems, because that's another thing we've seen is people say, yes, we have MFA, but they only have it on the right side of their business and not the other side.
So, this is really good news and encouraging news, that over 90%, 92% of our audience say they use MFA. But there's still that 8% that doesn't know or they're not using it. So first I'm going to go to Ken. What do you think of these results?
And, of course, these are a lot of our insureds. And so our insureds are ahead of the game because we keep talking about MFA. But give us your thoughts here.
KEN MORRISON: Those are tremendous numbers. The 92% folks using multifactor is awesome because if you look at the, again, referencing the CISA site, they indicate-- they have a list of the most common security weaknesses taken advantage of by attackers. And the number one, top of the list, is multifactor not being used or enforced. So seeing that number is very reassuring. We're on the right track.
And, as you said, for our policyholders-- hello, everybody-- part of our requirements is a multifactor attestation, that you use multifactor for things like remote access to the environment and for any of those accounts that have the keys to the kingdom, the privilege or administrator account. So that's really good to see.
JOAN WOODWARD: Good. Good. So, do we know yet, Matt, if a covered entity has to report a cyber incident, whether they have to report that they have cyber insurance or not? Or we don't know yet whether they have to report that fact?
MATTHEW EGGERS: No, they don't have to. I haven't seen any provision in that law that suggests that. That may come out in maybe a dialogue with CISA maybe behind the scenes. But no, there's no requirement for that.
JOAN WOODWARD: No requirement to say you have cyber insurance. OK, good to know. Let's go on here because I want to talk about small-business owners. In Minneapolis last week we held a live event with a couple hundred agents, brokers, customers, with CISA and the Small Business Administration talking about best practices. And what came up a lot there was talking about small businesses because a lot of our mom-and-pop insurance agencies that might be out there are considered a small business by the SBA.
How do they up their cyber hygiene, Ken, in terms of risk control that you work on every day with our clients and customers? What are the couple of things besides MFA in terms of best practices?
KEN MORRISON: Well, it's absolutely true, the small businesses are considered a lower-hanging fruit. They might not have the resources to dedicate to cybersecurity. Or they might not have the funds to let them stay afloat for up to weeks to recover from a ransomware attack. So this could make them even more susceptible to an attack or more likely to pay a ransom. So yeah, lower-hanging fruit.
But the good news, perhaps, is that cyberattackers, for the most part, are in it just for the money, right? So if it's too costly to press the attack home, they might go somewhere else. So my kind of mantra is make yourself a higher-hanging fruit. And I just referenced the weaknesses most taken advantage of by the cyber attackers, and multifactor being top of the list. So make sure you have multifactor in place.
Right behind multifactor on the list is not having your software maintained, keeping it patched and up to date. Some of the best-loved vulnerabilities by the cyber hackers out there are over 10 years old, 10 years old. So keep your systems patched all the time. If you can, let Microsoft run the automated patches, the automated updates. Go through your system. Keep things up to date. So that's a big one.
Another one is use of vendor-supplied default configurations, usernames and passwords. And what I mean by that is when you buy a firewall or a router out of the box, it has a username and password. And if you google, what is the username and password to this particular brand of router, you will see it. And bad guys do that every day.
So as soon as you get something like that, change the user ID. Change the password. Change the configurations. And move on from there. And remote access--
JOAN WOODWARD: How does one know how--
KEN MORRISON: Go ahead.
JOAN WOODWARD: Sorry, go ahead.
KEN MORRISON: I was going to say remote access. So, I think we mentioned this already. So remote access to your network, remote access is the front door to your network. You want to use a good, solid door. You want to keep it locked. You want to use a deadbolt and make sure that anybody trying to get in proves who they are.
So solid door, use a secure remote access solution, like a good VPN. Lock the door. Lock down the VPN with tight, secure configurations.
Use a deadbolt. So set up a firewall to detect, or better yet, prevent intrusions. And lastly, use MFA to have them prove who they are. Open ports to the-- OK, I'll keep going, but--
JOAN WOODWARD: No, no, no, well, go ahead. One more. I'll give you one more. Open ports, what is that?
KEN MORRISON: Open ports, so open ports are kind of the windows and back doors to your network. So close all ports and services. Only open the ones that you really need for your business. And then reevaluate them periodically to make sure you still need them. Things like RDP, remote desktop protocol, Telnet-- these are ports, protocols that are kind of on by default and should never be open to the internet. And back to you, Joan.
JOAN WOODWARD: No, and I get this question a lot. And we have a lot of questions coming in. Thank you all for your thoughtful questions. I want to get to a couple of audience questions.
How often should a small business update their cyber incident response plan? So everyone out there should have some sort of plan if you're hit with a ransomware or a phishing attack. You should have an incident response plan.
What should be in that plan, Ken? This is the question. And how often should we test it or update that plan?
KEN MORRISON: Great question. And what should be in the plan is based on what you do for a living, what your business is. You want to kind of have an idea of where the crown jewels are, what your primary business is, what your mission is, and be able to keep that going.
So you want to have steps for what to do, who to call, who does what, who does what when. And it could be as high level as just a single sheet of paper with primary and backups, which is very important, of people to take what actions to notify somebody, things like notify your security internet service provider, notify law enforcement, if necessary, different ways to set up a backup facility. If you have to go to a different location, do you have the equipment ready to do that? So basically, it comes to just having it written down and not leaving it to memory, as I said before.
And then exercise it. Walk through. Take a-- again, CISA, sorry, has terrific tabletop exercise templates. So pick a ransomware template and go through it line by line. This is what happens. What are you going to do? This is what happens. What are you going to do?
And actually, honestly-- that's really key-- is discuss with all the key players, what happens when that happens? And then sometimes the answer is, I don't know. Sometimes the answer is, I can't do it right now. And that's what this whole purpose is.
So figure out what you're going to do. And then at least once a year do that again. Walk through it because the world of cyber, the world of IT is so dynamic. It's constantly changing. So what might be in place today might not be in place in three months. So that's what I would suggest, again, for incident response.
JOAN WOODWARD: All right. And Matt, do you want to add anything to that in terms of what you're seeing around corners coming up with this new law and other things that folks should really focus on with their incident response plan? Should they always make sure to have offsite equipment, right, versus just having it all in their office, so should be holding things offsite?
MATTHEW EGGERS: Yeah, I think one of the good reasons organizations utilize insurance and the expertise of insurers is to get kind of feedback on these kind of suggestions. Hey, do we utilize the cloud? And to what extent? What kind of data do we have there?
It's interesting that the cybersecurity framework that was published, I want to say, in 2014 is being rewritten. And it's going to be version 2.0. It's a tool that businesses of all sizes, particularly critical infrastructures, are urged to use. It's flexible. And it's something that we often like to try to push small businesses to use in partnership with providers to kind of help them walk through it.
The other thing I'll just add quickly is I've seen good use of, let's say, phishing training, nonpunitive training. I think that's good since in addition to MFA you want to make sure folks aren't clicking on links and PDFs that are malicious.
JOAN WOODWARD: OK, a lot more audience questions coming in. This is from Ellie Dodd. Ellie asked, "What about universities with or without a medical school, institutions of higher learning? Would they be considered critical?"
KEN MORRISON: I believe they are part of the government facilities sector. As of fairly recently they were specifically called out as a subsector.
MATTHEW EGGERS: I might put in a plug for my-- where I went to school, Indiana University. They operate the Higher Ed Information Sharing and Analysis Center. So universities should get plugged into things like that to swap indicators and warnings and so forth.
JOAN WOODWARD: OK. This is a broad question. I think it's a really good one. I'll go to you, Matt, on it. Ursuline Foley asked, "How do you see this impacting corporate governance and boards? Because boards of public companies and private companies are increasingly worried about cyberattacks. So do you think this might change corporate governance for companies?"
MATTHEW EGGERS: I think it will kind of help solidify and validate what a number of organizations are already doing smartly. And let me put it this way-- CIRCIA demonstrates the right way to develop policy and conduct reporting to government. It's protected. There are liability protections. This legislation was developed in partnership with industry. There is supposed to be bilateral sharing, among other things.
There are other agencies that have rule makings that would push entities to report publicly before incidents are mitigated. That's not the right way to do it. So I would just say CIRCIA is headed down the right path. And kudos for them.
JOAN WOODWARD: OK. Ken, this is going to be for you, from Jamie James. Jamie asked, "So if the insured has a cyber liability policy in place, wouldn't the carrier report to CISA? Or does the insured still need to do this?"
KEN MORRISON: That's a good question. And right now, for other types of reporting, the carrier does not do the reporting. We might recommend, for example, that the insured, the policyholder, report to law enforcement.
Also, whenever we're involved in a claim there are other teams involved, one of which, a very important teammate is the breach coach team. So these are the attorneys that this is what they do, is they help with breaches. And they would facilitate that communication for current reporting. And I'm sure they would probably do the same for the CIRCIA reporting.
JOAN WOODWARD: OK. Another question coming in, "How will this respond if an entity doesn't report immediately because that's the instruction within the ransom demand itself, not to advise anyone else outside the company until the ransom is paid?" That's a really good one. Who wants to take that? Ken?
KEN MORRISON: That's a great point. Whether that will alleviate the ransomware reporting requirement, I don't know. That may be discussed and factored in at some point. But it probably would not at this point mitigate that responsibility to report.
MATTHEW EGGERS: I would just say by all indications it's that payment that triggers that report.
JOAN WOODWARD: OK. Another question coming in from Misty Babb. "This sounds similar to the suspicious activity report required by FinCEN. So do we know if this is similar to that reporting requirement at 30, 60, 90 days, or 365 days?" And Ken, you're shaking your head. Yeah?
KEN MORRISON: Well, there's FinCEN. There are several existing reporting requirements based on the business segment you're in. So financial has FinCEN. If you're in the defense industrial base, so if you do manufacturing for the Department of Defense, you've had to report for probably at least 10 years now in a similar situation.
So, there are different reporting requirements in place right now. So hopefully they will coalesce at some point. It will be interesting to see if one has precedence over the other.
MATTHEW EGGERS: And maybe just one kind of tidbit to throw in there. We are talking about reporting that's anchored to the disruption, significant impact of critical infrastructure. There's a lot of different reporting out there. But think of certain entities that, if impacted, impact critical infrastructure, triggering certain kinds of reporting. That's one way to think about it.
JOAN WOODWARD: OK. This is a really good one coming in from Rich Carlson. Rich asked, "Will CISA pay entities for cost for covered incidents? Is the government going to help you pay for this if you've been hacked?" Has that been brought up in the discussions, Matt, at all?
MATTHEW EGGERS: It has, yes. Ways to kind of mitigate costs definitely come up, not direct payments. I don't think that is in the cards. One of the things that we are urging is for Congress to develop liability protections in conjunction with preemption, national preemption, for entities that can show conformance with industry-led standards, guidance, best practices. If they are supervised, if they're regulated, that liability protection ought to be higher, almost where suits are dismissed. That's a means of mitigating costs when you're doing the right thing and you can show it.
JOAN WOODWARD: OK. This is another interesting question from Jordan Deleau. "Do these covered entities that have to report the cyber incident within at least 72 hours, is that from the time of the actual cyberattack or when the entity becomes aware of the cyberattack?"
KEN MORRISON: That is a good question. And I believe it is from when they become aware of the cyberattack.
MATTHEW EGGERS: Well, it's a very good question. I think this is one thing that we went round and round on in developing the legislation. Right now it says "once an entity reasonably believes that it has suffered a covered cyber incident," then it has to report within 72 hours.
The problem with that is it benefits those looking back in hindsight. In the heat of the moment, entities may not reasonably believe that they've got a covered cyber incident on their hands. This will be a point of debate.
JOAN WOODWARD: OK. Another question from Jeremy Dickey. "At what point is an incident reportable? If I have an EDR that catches the actor before anything is exported, are we still required to report it?"
KEN MORRISON: That's another good question. And the answer to that will probably be a yes because it's not that you stopped the attack from happening, but that there was an attack, an unauthorized access. But I do believe that actual damage might be one of the key factors in determining whether or not this is a, quote, "substantial and report-worthy incident."
MATTHEW EGGERS: It's going to be up for debate. I think key words like "substantial loss of data," I think, in conjunction with disruption, probably gets you in the zone of reporting. That's my guess.
JOAN WOODWARD: All right, a question coming in from Lee Covington. Lee's a leader in this industry. "So, what are some best practices for vendors with access to your systems, such as website vendors?" So, Ken, I know you advise our clients every day about their systems are just as vulnerable as their weakest link in the vendor chain. So how do we make our vendor contractors be just as cyber clean as we are?
KEN MORRISON: All right, and that's part of the thrust, I think, for CIRCIA in general, is the supply chain third-party vendor vulnerabilities that we've seen exploited. So the fundamental cyber hygiene steps that you would take for your own company, you would want your vendors and suppliers and third parties to follow as well. There's also the contracts that you have with your third parties to ensure that they are using adequate cybersecurity provisions. There's indemnification that your third parties may have to cover you in the event something happens that they might be responsible for.
But at the end of the day, there's nothing that you should not do. So keep the cyber hygiene up. Follow the best practices, multifactor authentication for one thing. So if you've got a third-party service provider that provides support for your environment, they still need to use multifactor to get into your environment. So that's just one of the tactical things that you can do to help manage that risk.
JOAN WOODWARD: Terrific. Well, Matt and Ken, I can't thank you enough. This has really been eye opening, I think, for a lot of our audience members. And we promise our audience that we will be back next year as this law comes into effect. So we'll come back within the next 18 months to talk again with Ken and Matt to see where we are because, as you know, as Matt has told us, things can change when the comment period ends.
So Matt and Ken, thank you so much for your time today. We're truly grateful. And we're going to have you back on without a doubt. So--
MATTHEW EGGERS: Thanks.
JOAN WOODWARD: --thank you. I also want to let our audience know some of our really interesting upcoming programs that we have on the docket. We do have a survey, if you could fill that out, in the chat. I'd love to get your feedback.
(DESCRIPTION)
Wednesdays with Woodward® Webinar Series. Upcoming Webinars: October 19th, Inflation, Interest Rates and the State of the U.S. Economy: A Conversation with Neel Kashkari, President and CEO of the Federal Reserve Bank of Minneapolis. October 26th, Under Pressure: Real Estate Market Update with National Association of Realtors® Chief Economist Lawrence Yun. Register: travelersinstitute.org.
(SPEECH)
And I'm also looking to hear from our audience what you want us to talk about in 2023. We're planning right now. So please let me know what topics you would like us to undertake on our webinar series.
But as I mentioned, tomorrow we're in Los Angeles. So if you live around Los Angeles, we have a terrific program downtown. Go to travelersinstitute.org. You can register and sign up. We have some great guests there.
October 19 on our webinar series we're going to hear from one of the leading voices at the Federal Reserve, the CEO of the Minneapolis branch, Neel Kashkari, is going to be with us to talk all things inflation, interest rates and the economy. And then on October 26, we're going to discuss the outlook for the real estate market, both commercial and residential, with the chief economist of the National Association of Realtors, Lawrence Yun. So I promise it's going to be a great lineup for November and December. We're going to get those to you in the coming weeks.
Take care, my friends. Stay safe. And again, thank you to Ken and Matt.
[MUSIC PLAYING]
(DESCRIPTION)
Wednesdays with Woodward Webinar Series. Watch replays: travelersinstitute.org. LinkedIn logo. Text, Connect: Joan Kois Woodward. Take our survey: link in chat. #WednesdaysWithWoodward. Logo, Travelers Institute, Travelers. travelersinstitute.org.
Speakers
Ken Morrison
Assistant Vice President, Cyber Risk Management for Bond and Specialty, Travelers
Matthew J. Eggers
Vice President, Cybersecurity Policy, Cyber, Space, and National Security Policy Division, U.S. Chamber of Commerce
Host
Joan Woodward
President, Travelers Institute; Executive Vice President, Public Policy, Travelers