Cyber Savvy
A successful cyber-attack has taken your company off-line. The FBI and CISA have been contacted. What now? As you know, if this hasn’t already impacted your business (either directly or indirectly), it will.
How can you make yourself a harder target, mitigating against cyber-attacks? What does all the terminology mean and why does it matter? What happens if an attack is successful?
Join DTC, Inc. as we outline, in a straight-forward manner, many of the issues surrounding cyber security which directly impact business owners. Our Cyber Savvy podcast episodes feature Mike Shelah as he brings in a new guest each month.
New episodes will be posted twice a month on the first and last Thursday, make sure to follow and subscribe wherever you listen to your podcasts, so you don't miss new content!
We would love to hear from you! Please send us your comments and questions to: AskUs@DTCtoday.com
Season 1 Recap and Season 2 Preview
Welcome back Cyber Savvy fans! This first episode of the season recaps what was discussed in season 1 as well as what is to come for season 2, including the Henry Schein attack of October 2023.
Special guest Andrew Rose is an award-winning CISO, Speaker, Brand Evangelist, Industry Analyst, NED & Board Advisor, CISO Mentor, Ultra runner - passionate about driving information & cyber security through a people-centric focus. He is also a board-level Advisor with recognized expertise in information security and risk management, ISO27001, information security strategy; security organization and budgeting, security awareness, EU Data Protection, business engagement; information security policy development; and governance, risk, and compliance (GRC) initiatives.
Andrew Rose began a cybersecurity awareness program in 2016 while at a major agricultural bank after recognizing that the ag sector wasn’t getting the attention it needed about the risks posed by cybercriminals and other adversaries. He helped coordinate several symposiums and events focusing on the topic. He is now an independent contractor and volunteers his time to bringing cybersecurity awareness, education, mitigation, and response to the ag and food supply chain (and other special projects). His focus is on mitigating emerging threats. In addition to his experience in cybersecurity, he has a deep understanding of banking/finance, risk management, and other professional service sectors related to food, agriculture, and climate.
Michael Urbanik is an Account Executive with R.K Tongue Co., Inc. and is licensed in both Life & Health and Property & Casualty Insurance. He has experience working with both large and middle market commercial clients. He enjoys helping his clients understand the risks they face and develop cost effective plans to successfully mitigate and transfer these risks.
Did you enjoy today’s episode? Think we missed an important sector that should have been discussed? We here at DTC, Inc. would love your feedback on today’s episode! Please email us your comments and questions at AskUs@DTCtoday.com.
Want to hear more? Past episodes are all posted, including on YouTube! Follow and subscribe on your favorite podcast app to ensure you don’t miss out on the conversation!
[Intro Music]
[00:00:00 Andrew Rose]
Welcome to Cyber Savvy. This podcast was created by DTC to bring awareness, mitigation and response to cybersecurity threats companies and organizations face daily. Be prepared. Be cyber savvy.
Well, Mike, it's good to see you again. It's been a- we've had a wonderful little Christmas break here, and I'm excited to get back into our podcast. And for those in the audience who don't recognize my voice, my name is Andrew Rose.
I'm a cybersecurity specialist and I’m helping out DTC here with their cybersecurity posture, and I am so excited to have my good friend Mike Urbanik here. Mike is the risk management specialist for cyber security, insurance liability and really a lot of other things that he brings to the table. One of the reasons I enjoy having him on these podcasts is his thoughtful as well as in-depth knowledge of these areas.
And then he and I shall engage in friendly banter about multiple points that he is making during his presentation. But before I get into that, Mike, who are you and who is R.K. Tongue?
[00:01:11 Mike Urbanik]
Thank you for that lovely introduction, Andrew. Again, as you said, my name is Mike Urbanik. I'm an insurance agent with R.K. Tongue. R.K. Tongue is an over-100-year-old independent broker based in Maryland, but we service mostly the mid-Atlantic with capabilities elsewhere as well.
But that's our predominant region. We touch a large variety of business sectors, mostly, I'll say, white collar style businesses with an emphasis on health care and dentistry. But with that being said, cyber liability and cyber risk and cybercrime is an industry-agnostic threat. No matter what you do, if you use computers and conduct business via computers, you are at risk.
Some businesses more than others. But it's a growing concern for many of our clients and we're just happy to be involved in the conversation, share the things we are seeing and talk about with the world at large, what you can be doing to protect yourself and your business better.
[00:02:15 Andrew Rose]
Yeah, and I'm going to add one thing too, just for those of you who did not review what DTC is on our website when you came to this blog or this podcast: DTC is a high-end outsourced I.T. company that specializes in dentists and other high-end medical practices that have sophisticated needs.
So, we're very happy to have R.K. Tongue, also a white glove provider of the same services to a similar community as well. And Mike, I am going to push back on one thing there. You said that the cybercrime is a growing threat and a growing bit of awareness. I would venture to say it is the top threat right now to businesses.
It has become so ubiquitous that the old statement was, it's not if, it's when; the new statement is, not when, it's again. This is just becoming such a recurring threat to all businesses. And again, that's why I'm so excited to have you here and discuss the state of risk management. You know, we have certain assumptions. We built certain plans and policies and protocols going into 2023.
Now that 2023 is over and moving to 2024, a lot has changed. We've learned a lot of lessons and I'm going to sit back and let you walk us through kind of the where we were, where we are and what your predictions are, where we're going.
[00:03:28 Mike Urbanik]
Yes, thank you. 2023 was certainly another strong year when it comes to cyber-crime.
One of the challenges I think any industry faces with dealing with crimes is getting an accurate understanding of how much is going on, what types of crimes are being committed, because ultimately a large number of them go unreported.
Now, cybercrime is infamous for that. Our best benchmark is going to be something that the FBI produces called the IC3 report, and the 2023 report came out just a month or so ago, and it estimated there were 880,000...
Well, these are what was reported: 880,000 Internet crimes were reported. I've seen statistics that 90% of Internet-based crimes or cyber-crimes go unreported. So, this is a fraction of what is happening out there. There's a much larger amount of crimes than what we have access to. But we can take this maybe as an indicator as to what was reported, meaning what's on the rise, what's on the decrease, what's going on out there.
It's some sort of information. It's certainly not the end all, be all perfect source. So, we have to take everything we see here with a grain of salt, but it's still a great tool. So, okay, we have this report. What did it say? Because like I said, this is probably the most authoritative or informative report we have out.
[00:05:01 Andrew Rose]
Hey, Mike, I just want to interject real quick. Go ahead. First, for the audience who doesn't know what IC3 is, this is the Internet complaint center that the FBI and the Center for Critical Infrastructure Security Administration run.
And they use that as a portal that you can report an Internet crime that's occurred to you. You can report anonymously on behalf of a parent or someone else or someone in the neighborhood.
They use this as a compendium so they can track trends, they can triage, and they can respond to things as well as put together reports as well. So, Mike, I'll turn the mic back over to you.
[00:05:33 Mike Urbanik]
No, great explanation. I often forget the forest through the trees and just launch into this. Exactly that. It is a great source of information.
It's actually not an unfriendly report to read. I encourage people who are interested in this to go out and find it. You can just Google 2023 FBI IC3, it'll come right up. And in that report they highlighted a couple of things. One was Internet investment fraud. This was up significantly. They said 38% year over year.
What is Internet investment fraud? This is typically fake cryptocurrency investment scams. These often target individual investors who are speculating on, you know, making profit. There's bad actors out there. So, anyone who likes to do that type of investing, use your due diligence, work within reputable sources. This isn't a big, you know, threat to passive businesses. This is someone who's out there engaging in this space.
But obviously an area of concern and we'll talk about cryptocurrencies and what that might mean for other events later on. The second biggest one they talked about was email compromise. And we'll talk about this later and how it plays in. But overall, you cannot have access to another person's email. To gain access is a crime, plain and simple.
And this is really dangerous because for all the websites we use, if you forgot your password, what do they do? They email you a link to reset your password. So once your email is compromised, that is typically the cash, the treasure trove. The bad guys need to go in and change all your accounts, reset your passwords, and really take ownership of what was your digital persona or digital platform.
So very, very dangerous. They had about 21,000 complaints. They estimated this was 2.9 billion in losses. So again, we estimate maybe 90% of that is reported. So very significant number we're talking about there. Another concerning trend we saw was increase in ransomware complaints. This was up 20% year over year. They have a really nice segment here where they break it down into which industries were targeted the most.
No surprise, health care and financial industries were the primary targets. We've talked about this in our previous podcast, but what does ransomware do? It locks down your computers. You cannot access your digital infrastructure. You can't log nodes; you can't access records. Most businesses have all their records digital these days. If you don't have computers, you cannot work. And when people's lives or money is on the line, you're more likely to pay a ransom for the ransomware.
So, it's no surprise these industries who rely heavily on their digital infrastructures were targeted. Some of the names they referenced out there: LockBit, BlackCat, Akira, Royal, Black Basta. These are some of the predominant viruses or mediums that the bad guys are using. It's interesting to see where these attacks come from as well. They said about 60% of all these attacks originate overseas.
So, these are state actors. It could be Russian, North Korea, Indian, anywhere else. Those are several of the large ones and they're referenced in the report. But we see international bad actors attacking U.S. businesses, and that makes it incredibly difficult for any sort of US based law enforcement to pursue them.
So really, again, the dynamic, interconnected world we live in poses new challenges all the time. And then the last one they talked about was tech customer support and government impersonation. This was pretty interesting to me. This one was up for the government impersonation, 63%. In tech support, 15%. Most of these types of crimes, they target individuals. So, this is someone calling an elderly person saying, hey, you know, you owe back taxes or Medicare type fraud.
If you want to get enrolled, please call here. Pay this amount. It... they really prey on a naive grouping of people. The most- the majority of the losses came from people aged 60 years and older. I know that's not the predominant topic of our podcast here. We try to focus on businesses, but there might be individuals in your business who are 60 and older and certainly younger people were impacted, but they could be ones who could be targeted for phishing scams, etc. and that could impact your business.
So just take a look around, understand who you surround yourself with. Maybe you have friends and family in that age group and just help them be aware of what type of attacks are attacking them. So overall, the amount of crimes went up year over year and we saw some interesting swings in certain segments that are saying, hey, the bad guys are favoring these types of attacks or targeting these types of businesses.
[00:10:41 Andrew Rose]
And I do want to chime in a little bit there, too, about the personal side of some of these attacks. I spoke to a very large company that was the victim of a persistent cyber-attack. And the first attack happened to their personal home. And then somehow, they plugged in to their first business and then it went laterally to the second business.
And unfortunately for this example, I won't name their name, they paid the ransom. And then that just opened the door to multiple attacks, follow along attacks as well. So, you got to be careful. And in the age of social engineering, a lot of these attacks don't originate through your work, through your company computer. They figured out who you are and they're going to have that social engineering attack.
And Mike, you touched on a few of those: the financial, the relationship building, academic credentialing, the press. They will pretend they're press and they'll contact you, whatever it takes to get inside your machine so they can move laterally into your organization's machine. But good, good, good job bringing that up. So, looking at 2023, I mean, what were some of the big takeaways?
I mean, you went into 2023 with certain assumptions. We thought the industry’d be certain ways and respond in certain ways. But it's been a sea change from January 2023 to January 2024.
[00:11:52 Mike Urbanik]
In some ways, yes. And in some ways no. There were things that we expected. We expected this risk area to continue to grow, which it has.
We knew who were going to be targets. We see some of the analytics here that say, yes, these were the targets. And I would speculate that we're going to see more of it going into 2024. A couple of things I think will fuel the fire. There's been a resurgence in the value of cryptocurrency. During the lockdown and COVID, cryptocurrency had kind of its moment and a number of these businesses fell apart.
The valuation was down significantly. Currently, as of today, I believe Bitcoin is trading at $72,000 for one Bitcoin. It has gone up, I don't know, 40% within the past year. And because of that, other cryptocurrencies are trending in that direction as well. And when cryptocurrency trends well, we see an influx in crime because this is the perfect medium for currency to change hands.
It is the medium in which bad guys will commit the crime. You pay them money, or they withdraw money transferred into the cryptocurrency and then it's gone forever.
So, when there's a lot of activity there, I would expect to see more crime because that means the money can be flowing. So, I wouldn't be surprised. I think there'll ultimately be some surprises when it comes to what is the medium or what type of attacks we'll see: more artificial intelligence-engineered attacks.
We've talked about AI in the past and what its role could be and how scary it is if someone could put one of these AI's tools to work for them to commit crimes or solicit. Come up with phishing emails, you know, will it be a return to more efficient and smishing? What avenues will the bad guys take? I think that that is always subject to change, you know, as the industry responds and we build defenses around one area, obviously they pivot and go somewhere else.
So that's where we saw certain types of crimes increase this past year. But the overall message is for businesses, you need to prepare because the bad guys are not stopping. We've not figured out any sort of monumental way to decrease crime. It's only going up and these crimes pay, and bad actors get into business where it pays.
[00:14:16 Andrew Rose]
You know, you raise a really important point.
In a meeting prior to this we were discussing the ‘Right of Boom’ conference. It's just preparing for the inevitable. And I really can't hammer this point home enough. You will... I won't say guaranteed, but you're highly likely that you will be the victim of a ransomware attack if you're a business owner. What do you do? And if you tabletop that game, plan it, make sure you've got contingency plans in place.
You can minimize the amount of damages done as well as build muscle memory amongst yourself and your staff on how to respond to something like this. And Mike, you and I have talked about this many times. It's an emotional thing. You know, this is not a rational event. This is your life's... Everything you've worked for is now held in ransom, is held in an extortion scheme.
So, knowing what steps and protocols that most companies should take at this point in time is important. And, you know, we can talk about it now in the safety of our offices here, but when you're under stress and that situation's unfolding and you've got bills that are due and you've got invoices coming in, you can't track anything at payroll to make, that can be a scary situation.
So, I just want to put a fine point on what you said.
[00:15:19 Mike Urbanik]
Yeah, absolutely. We all do it every day. We use our computers. We see how much of our businesses are tied to computers, even our individual lives. And if they disappear, you lose that connection point to all your records, all your ability to communicate, your way, to communicate to clients.
It's devastating. And, you know, every year we get several phone calls where people call us and say, hey, I've had an incident. You know, I need to use my policy, or do I have coverage in place? And depending on where they are, we could give some good news or some bad news. But it'll shut businesses down for weeks at a time.
I've seen reports from major corporations where they're attributing flat sales or negative numbers to cyber incidents and it can really devastate a whole year of production. And like you said, you feel exposed and it's not like a fire where you can go in and visually see the damage. It's very hard to see this digital landscape with your own eyes if you're not a very well-informed person in the industry and say, Hey, you know, did I do the right thing, is it all be gone?
Am I still vulnerable for the future? So, it is a major threat out there. It can tank a business. There can be a lot of negative repercussions. And I think business owners are really starting to wake up to this fact now. And if you don't have a plan, it's 2024. If you're listening to this and you don't have a plan, you really need to stop what you're doing and put something in place.
[00:16:48 Andrew Rose]
You know, that's obviously critically important. A couple of things. I recently ran a field exercise with a large company in Pennsylvania that was the victim of a persistent cyber-attack. And when the attack occurred, to reinforce what you just said, they didn't report it because they just felt it was something like the weather, you know, it was just a bad event.
They had to go through it, take care of it. They didn't pay the ransom. They had to replace all their equipment. And then the total cost was around $600,000 just for the hardware itself to replace that. So, it is an inevitable. Let me go back to something you said before. When someone calls you up and they say, hey, we've been the victim of a cyber-attack, thank God they get your phone number first of all, to call you.
They knew where to get that. What information are you going to need from them? Right at that point in time? What should a business at least have handy? You know, whether it's a printed copy of something when they start communicating with you?
[00:17:39 Mike Urbanik]
Well, luckily, when they call us, hopefully they're a client with us already. If they are not a client and they're in the midst of a cyber-attack, it's going to be pretty challenging for us to do anything at that point.
But when they call us and they are a client, luckily we are able to then pull up their policy. We have data and information on their account. We don't expect them to have a printed copy. You just don't need to do that anymore. And then we're going to contact the carrier and let them know, Hey, we need to file a claim for X, Y, and Z client.
Here's their policy number, here's what's happening, here's what's going on. And that's where we get to outsource the solution and the remedy here to the carrier. And we've talked about this in the past. What do cyber liability policies do? But the carriers are going to come and indemnify you. They're going to make you whole. And that can mean a lot of different things.
Certainly, it's going to mean addressing the threat, you know, replacing the computers that need to be replaced, paying for I.T. staff to come in, install that free download, do the backups. Maybe they're able to put in some antivirus and remove it, whatever the indemnification needs to be. That's what the policy is going to come in for. There can be components of, if you have a data breach and patient records are compromised or client information is compromised, you're required by the state most likely to notify these individuals.
That takes time, that takes manpower. There's cost there. These policies can pay for that. There's a component to these policies as well for business interruption. Let's say you were closed for a week and you lost several thousand dollars in income that you would have made had you been open, because you had to send those patients elsewhere or you had to default on a contract because you couldn't hit the time.
These policies can help come in and pay for some of that lost income. So there's a lot that these policies can bring to the table because there's a lot of different moving pieces that can be impacted to a business when it comes to cybercrime.
[00:19:36 Andrew Rose]
Just a side note, one of the things I really enjoy about our relationship is when I see different pieces of legislation or technical jargon, I send it your way and you've got this ability to go and read through these and pluck out the little gems.
And not too long ago I sent you some proposed legislation in the state of Florida where you were astute enough to pull out that one sentence that mattered the most, at least in my reading of that, is that if a business in Florida, according to this legislation, followed everything and had a checklist done, then they were indemnified against any kind of cyber-attack.
When you were reading that, you thought, boy, if at least again, my interpretation of your response was, boy, if the state of Florida puts something like this into effect, that would give them a business competitive advantage, economic advantage, of why a business would want to locate to Florida, because they follow this checklist, and every box was checked.
Now they are no longer going to be paying for any kind of cyber-attack that may occur to them.
[00:20:30 Mike Urbanik]
My thing is they're probably not liable for damages is what you're thinking. If they had all these measures in place, they were legitimate measures, an attack occurred. They are not liable for the damages to other people. So, what that would do is it would help mitigate and lower insurance costs, because then insurance companies can take that into effect that people aren't liable for damages to their patients or clients.
That's huge, right? Like any sort of limitation on that helps control costs and payouts. Indemnity is making someone whole. So, you know, the state of Florida would not be paying someone to make them whole. Yeah, we can talk about this in another podcast. We could do like a whole like what is government doing to help?
[00:21:13 Andrew Rose]
Depending upon where that conversation goes with the state of Florida, I'm sure other states will follow suit and then we can start tracking what that looks like, which is a mishmash of different types of policies when it should be a national policy, in my opinion.
[00:21:25 Mike Urbanik]
Yeah, I think to try to track what all 50 states are doing, they're all probably doing completely different things to varying levels of effect.
And just because something gets proposed nowadays, we know that doesn't mean anything in today's political climate. So, if I were to tell a business owner, you can rely on the state to get your back, I would not hold my breath on that for one second because no faith that the bureaucracy will act quickly enough to help the business owners.
You have to manage this on your own and get your hands around it, plain and simple.
[00:21:58 Andrew Rose]
Amen to that. So, we've touched on a few things here. Some of the trends that we're looking forward to. Obviously, social engineering is going to be a big one going forward. What are some of the things that our business owners should keep an eye on moving to 2024, now that we're seeing the maturation of our adversaries?
[00:22:13 Mike Urbanik]
Sure. I think there's going to be a continued trend towards malware attacks. There's a pretty interesting economies of scale when it comes to these types of attacks and how bad guys can get a hold of these malware products and deploy them. There is a whole economy where people develop the products, they sell them to people. Those people purchase these and then they use them to commit crimes.
When we see an IC3 report like this, it's saying, Hey, the number of malware attacks is going up and ransomware attacks are going up. They're going up because they're being effective. That's the simple truth. Or they're being able to deploy them far more often and more reaching. So, I don't think there's going to be any decline there.
These are very challenging to deal with. It's very effective when it comes to getting money out of a business. You lock everything down; you request funds to pay. You know, they can be millions of dollars, or they can be tens of thousands of dollars, or in the hundreds of dollars. It really just depends on whoever the bad actor is and what they want the ransom to be.
You know, if they get a hold of a corporation like Target or a medical hospital, they're going to request millions. If they get individual dentist's office, they might request thousands. But that doesn't mean it doesn't still have a significant impact. So, I think we're going to see a continued trend increase here. And I think, one, it's because it's effective.
And to again, I said the rise of cryptocurrencies and the resurgence here, it's just the perfect medium for the financial transactions of cybercrime to take place.
[00:23:50 Andrew Rose]
One thing I'll add to that too, and this is just Andrew, seeing it from kind of the trend lines, it appears that the threat actors are defining where that Goldilocks number is too.
When the ransomware attacks first began, they were asking for certain amounts of money. Sometimes those asks decrease and even though they're not getting the larger amounts on, on average they're getting an amount that the business is viewing as a cost of doing business as an operational cost. And this is Andrew getting way out there on the prediction side of things.
But if you extrapolate and watch where this is going, as any business is being held for extortion, and if you're the receiver of those extortion fees, you want to protect what it is you have, your income source. I can see a world where one cybercriminal gang will use this as a protection racket: that, you know, if we catch another cyber gang trying to get in here, we'll thwart them.
You keep on paying us your money, almost like a dark firewall, I would imagine. You know, and again, I hope that we don't get that dystopian, but I can almost see that sort of criminal underground operating in that instance.
[00:24:51 Mike Urbanik]
I think that the landscape for cyber-crime and cyber criminals is wide open. From what I've seen, they're infinitely crafty and creative when it comes to engineering these types of attacks and who knows what the landscape will become.
But there could be cyber-criminal on cyber-criminal attacks. I would not be surprised, just as more and more people enter this space because it pays out plain and simple.
[00:25:15 Andrew Rose]
The other piece, too, and you touched on it briefly, was the impersonation piece, the cybercriminals doing the social engineering, calling up clients, pretending to be their I.T. company, pretending to be their insurance company.
To glean that information, they need to have additional access. What are some things, at least in the back of your mind, that people on the receiving end of these phone calls can think about? I mean, personally, I'm always suspicious. I'm just hyper paranoid by nature. So it's, you know, prove to me you are who you are.
I'm going to call you back or send you a text. Give me some idea. Is there... I mean, I don't want to share if this has happened to you guys or not. But what are some things that you can counsel your clients on to be aware of this?
[00:25:54 Mike Urbanik]
That's a great question. I think the biggest part is a very healthy level of skepticism.
Be very cautious on calling phone numbers off the Internet unless you are 100% sure it is from a legitimate source. If you get an email with a customer support number, take that phone number and Google it and make sure it takes you to the legitimate website. Is it taking you to Verizon? Is it taking you somewhere else? And just verify phone numbers, be cautious of any emails.
Look at the email. You can inspect it, if you're savvy enough, to see where any web links might be taking you. You will get a lot of emails, and spam filters do a good job, but again, the bad guys are infinitely crafty, and you think this is from Verizon, but it's not. So just do some due diligence on the front end.
If you do speak with someone, ask for an employee number, ask them to give you a call back. Most companies will have kind of boilerplate language. They'll ask for a phone number; they'll ask for an email. If you get disconnected, there'll be a notification that this call could be recorded for customer service and training purposes. You know, those are good signs.
You're talking with a reputable person to do your due diligence because they are certainly out there. They're impersonating I.T. companies, tech services, whether it's Microsoft, Windows, Apple, anyone like that. But to me, the big one that's concerning is government. You know, they might be impersonating your local utility corporation, they might be impersonating Medicare, Medicaid, the IRS tax fraud one is huge.
We've seen people will be dressing up as a local utility company and they'll come to your door with a clipboard and a vest on saying, Hey, you're behind on your utility payment. They can take your check right now. So, if that's happening in the real world, it's happening in the digital world as well. And that's concerning.
And they're certainly targeting a very vulnerable population, ages 60 or older. I think they've identified that this population struggles to do the proofing, do the vetting of who they're working with. They might be a little more trusting than someone younger who is more of an Internet veteran. So, you know, help your friends and loved ones who are in that age group to develop that healthy level of skepticism.
And if someone calls you and they want something immediately, that's also a red flag. Typically, you can say, hey, let me digest the information and give you a call back. And where is that callback number going to? Is it suspicious? Is it a 1-800 number? How legitimate is it? Any reputable business will have a reasonable callback number. Any bad actor will have something that's potentially a red flag.
[00:28:40 Andrew Rose]
Indeed. And a recent story of something that happened to me. I got an invoice from a very large, reputable association after hours that came in about 6:00 at night for an event that I didn't register for. And I found that to be highly suspicious. And also, they didn't have my right employment information.
So, I called the number and of course, it went to voicemail because it was after hours, and I was worried that it was a business email compromise, that they somehow got into their system and sent fake invoices with fake routing numbers to all 50,000 people in their database. I was able to reach their I.T. department after hours through some intermediaries and found out that it was a test email that was supposed to go to just the CEO.
But for some inexplicable reason they also picked me, one of 50,000 people, to send it to, and it was fortunate that it happened that way. But that got me to thinking: with business email compromise being so common, it wouldn't be hard for a threat actor to sit inside your billing systems and send invoices out with a different routing number for the payment information on the back end.
And for those businesses that don't have after-hours support, there's no way to reach somebody to ask, is this legitimate? That could have an enormous impact on the business. And then where does that liability fall?
[00:29:52 Mike Urbanik]
Yeah, those types of attacks, the invoice manipulation, are very frustrating. You can get it on both sides of the coin. So, if you're a business owner, someone emails you a fake invoice, you think, this is my monthly mortgage statement.
And they're letting you know the account number has changed. Please send your payment to this account number. People fall for stuff like that. You're busy. You've got things going on. A supplier is impersonated. That's devastating. They've taken money from you. The flip side is, if they get into your email and they get into your patient records or your client records, they understand who you're working with, and they can send out something impersonating you.
They know what your bill looks like. They put the letterhead on it. Everything. Dentistry is a perfect example of where this can be really prevalent, because how many times do we go to a dentist? Insurance is supposed to pay for X, Y, and Z. Well, we found out it only paid for X and Y and you know, it was $63.
I get that fairly often. I pay that $63 because I trust my dental practice. Well, what happens if a bad actor gets in there, realizes who's been to the practice recently, manipulates the invoice and sends off several hundred of these emails saying, Hey, insurance only picked up X, Y, and Z, please send us 25, 30, $100, what have you.
And now all of a sudden, your patients are sending money to someone else, whether that was real money owed or not. And what do you do now? Your reputation is damaged as a business owner, so those type of attacks are very devastating. They typically develop once someone is inside your system, they could get access to your email or engineer or something very similar.
So, once you have a data breach or you are breached, the number of crimes that can take place, whether they impact you or impact people you work with, are pretty numerous.
[00:31:51 Andrew Rose]
Well, and additionally, the other companies that you might be affiliated with, related to, or connected to. I mean, I know you talked in the past about ensuring that your vendors have appropriate certificates of insurance that follow certain protocols.
I mean, yeah, that was stuff we talked about, but now it's something urgent that all businesses need to know: where their connections are, how protected everyone is. Can you talk about that a little bit?
[00:32:15 Mike Urbanik]
Yeah, absolutely. So, we talked about the cyber-crime trends, but there's also going to be a business trend. It was pretty common practice for each business, when they signed agreements, whether it's with your landlord or maybe a business agreement, they're going to want to see general liability insurance, business hazard insurance, for banks, landlords.
But it's becoming more and more requested to see a certificate or proof of cyber liability insurance. I think the world is changing, and this is a part of it: businesses only want to do business with other businesses who are protected. And how do they prove that they are protected? Well, this is one of the ways they can prove it.
So, if you provide proof that you have cyber liability, that also proves in today's world that you have firewalls, that you have multi-factor authentication, that you have backups, that you have antivirus, because you cannot get cyber liability insurance nowadays without having all of those other things. So that's basically the indicator that says, hey, we want to do business with you, but we only want to do business with you if you have your act together and you're not going to compromise our systems.
So, prove it by sending us a certificate of insurance, which is a document produced in the insurance world that shows someone else what lines of coverage you have and the amounts, verifying you have cyber liability insurance. And then once they see that, they take that as the indicator: okay, this person is trustworthy. They have their act together, we can engage.
So, I see it from a contractor compliance side. A big one is anyone who wants to do digital work for the federal government. They're typically required to have $1,000,000 of cyber liability coverage, first- and third-party limits. I've seen as high as 5 million. I've seen clients in the private sector have limits of $50 million with $5 million retention, which means that's their deductible.
So, it's a wild landscape as to how much you need, and I'd say you need to talk with your insurance agent to determine the right amount. But we see the world take this as the trend moving towards if we're going to do business together, we need to have cyber liability coverage to protect one another. So it's becoming a business component here more and more.
[00:34:40 Andrew Rose]
One of the things you mentioned there, when these companies attest that they have firewalls and all the other protections in place, who checks that? I mean, is it just taking their word for it? They're signing a legal document, so if there's something not accurate in there, you know, that falls on them? Or do you guys, I should say, does the insurance industry do secondary checks to ensure that these things are accurate?
[00:35:00 Mike Urbanik]
Yeah, that's a great question. So right now, I guess we would talk about how you get cyber liability coverage, because that plays into this. And let me give you a quick anecdotal history lesson. So about five years ago, cybercrime was certainly relevant. Then you could approach your insurance agent or multiple carriers and say, hey, I want $1,000,000 of cyber liability coverage.
And they would say, Great, you have a pulse, you have a federal ID that was the minimum required and here you go. Now, that was for the basic businesses, of course, more complicated businesses. There was always more underwriting involved. But you could get this coverage very inexpensively and very easily. Well, fast forward a couple of years and the landscape has dynamically changed.
You know, the amount of crime has skyrocketed. Carriers are paying out on these policies because attacks are happening. So how do they mitigate that? They ask for more premium, and they underwrite better. So, they are now no longer accepting simple applications. You're going to have to disclose on these applications: do you have these measures, yes or no? And some of the questions are going to ask, do you have a firewall?
Do you partner with a third-party I.T. vendor? If so, what is the name of this product? What is the name of the IT company you work with? Do you have multi-factor authentication? Do you have it on phones? Do you have it on emails? And they're not necessarily asking for proof beyond an insurance application, because an insurance application is the proof. You are putting your signature on it.
You are dating it, you are attesting that you have these things, and if you don't, you know that's borderline insurance fraud, and you certainly do not want to be committing that. And also, if you say you have these things, you have an attack, and they go to help you with the claim, well, they might deny your claim if you don't have the measures you attested that you did. So, we work with a lot of clients when they get this application to help them answer these questions correctly.
A lot of times it's a combination of myself and the IT vendor that they work with, because most laypeople don't know what these things are. So, anyone who is going into this space, feel free to ask the person you're working with some of these questions, and even more so. Sometimes they get the answers to these questions. They submit the application back to me.
I work with the carrier to come up with a proposal, and we have to limit the coverage they're getting because they don't have multi-factor authentication, they don't have some of these measures, and it's not uncommon for the client to go in and buy these services or implement these services so we can get a better, stronger insurance policy. So that's where the landscape of getting this coverage is trending.
It's certainly being underwritten far more than it ever was. And I don't doubt that the underwriting questions will only get longer, and five-page applications will become ten in another five years.
[00:38:03 Andrew Rose]
You know, there is a risk in the intelligence community that businesses are going to continue to see these required protocols, procedures that need to be implemented before these insurance policies can be written, and then the deductibles get so large, and the policies become so expensive that they start going without coverage.
What do you think? I mean, that's a big question. Is this the time when the government steps in as a backstop? Is it just that people then will set aside a certain amount of money every year to pay their ongoing ransom notes as insurance while insurance companies recap and recalibrate? What are your thoughts?
[00:38:38 Mike Urbanik]
Great question.
I don't know where that will trend and if the government will step in, but I'll say the premiums have trended up, and I'll give you just anecdotal information. Every business is different. The limits play in, the security features you have play in. No two businesses' pricing is identical. And that's just true for most insurance in general. But I will say about three years ago an individual dentist, a solo practitioner, could achieve or purchase a $1,000,000 cyber liability policy for about, I'll say, $400 to $500.
Now, that same policy is about $850 to $900, so almost doubled in price, but it's not unachievable. And I'm very sympathetic to my clients. You know, I see inflation eating away at everyone's profit margins. Everyone wants more. You need to buy more services. I'm not naive to that, but I really want to emphasize you cannot neglect this anymore.
The risk factors are too high. You need to just understand this is a component of doing business in the 21st century and you need to have policies like this in place. What used to be optional is quickly becoming mandatory from a protection standpoint, but also, it's becoming mandatory from an industry standpoint that you will not be able to work with certain vendors if you do not have this coverage in place.
So, jump on that bus sooner rather than later.
[00:40:09 Andrew Rose]
Agreed. And, you know, obviously, R.K. Tongue should be your first call for any kind of risk management insurance policies, and contact DTC for oversight of your I.T. networks and other affiliated programs and what have you. Mike, do you have anything else that you'd like to cover for 2023 and 2024?
Because I do want to mention recent 10-K filing as well to set up our next podcast.
[00:40:32 Mike Urbanik]
You know, I think we've covered the topic pretty well. I don't have anything to add other than just a reminder this is not going away. Business owners and individuals need to be very mindful. I think there's also fatigue in the industry when it comes to businesses just helping clients out.
When it comes to absorbing these costs, people are less likely to do that. They want everyone to carry their own insurance, carry their own coverage, protect themselves better. So adopt this strategy. If this is not part of your business plan, you need to change that immediately because this problem in this challenge is not going away.
[00:41:12 Andrew Rose]
I completely agree with you on that one.
So, we are obviously well ensconced in the dental community. So, anything that happens in the dental community, regardless if it's cyber or not, sends reverberations throughout the industry. And there was a major dental supplier that was the victim of a significant cyber-attack last fall. And we all watched things unfold from what we could. It's kind of like trying to discern what is happening from the outside.
But with the new law for publicly traded companies, there's a new law that requires them to file an FCC report outlining what happened during their cyber event. And this company, Henry Schein, did file that report on the 28th of February. And you and I have had a chance to go through and read it. And it was very revealing in the information that it shared with us.
And you picked out a few interesting pieces. I think, based on our conversations, that we're going to have a podcast dedicated to dissecting this step by step. But there is one piece towards the end there, I believe it was a $5 million deductible, a $60 million policy, am I reading that correctly? I remember you extrapolated that thought. That was an interesting point.
But overall, I think this is a fantastic case study on how a ransomware attack unfolds, how different people handle this and the ongoing implications, because this is not done yet. This is still having significant drag on their overall revenues.
[00:42:36 Mike Urbanik]
I mean, they in that report, they don't go into the specifics of how the attack took place, exactly what the remedy and the response was.
You kind of have to read between the lines. If you go into the earnings reports, in almost every section they reference the cyber incident as a major reason as to why their earnings were impacted. And we know that this attack shut down their ability to receive funds for weeks at a time. And it hamstrung employees, and sales personnel couldn't do their jobs.
So, it crippled an entire company for weeks, if not months. But they did give some explicit statements about what they are doing. A company like this has a chief security officer as well as, I imagine, a full staff to accompany him to implement patches, services, to work with their I.T. vendors. In that section, it did say they maintain a cyber liability policy with respect to the incident.
They have a $60 million insurance policy with a $5 million retention. So, I don't know if this was purchased prior to the incident or after. My guess is most likely after, due to that retention amount. A retention is a deductible. So, if they want to file a claim with their insurance carrier, they need to believe that the damage is going to be over $5 million, because they're responsible for the first $5 million of that claim.
So that's a huge deterrent put on the company by the carrier, meaning like, hey, we will step in, but only if this is significant. And I bet the premium for that policy is very significant. So that's a repercussion that can happen to businesses. Let's say you are a victim of an attack. You then say, Hey, I want to do the right thing, I'm going to work with I.T. companies.
I want to fill out an application and get liability insurance. But on that application, they're going to ask, hey, do you have anything currently going on or has anything occurred in the past? And you can't lie on these applications because then that's insurance fraud and then you might get declined. You might not be able to purchase coverage, or they might put significant limitations on the coverage like a high deductible or increased premium.
And it makes getting this coverage more difficult in the future if you're a victim of it, which is a challenge. And I work with my clients to get over that. But again, that's one more reason why you should be proactive, because if you're reactive, you're going to get hit over the head even harder when it comes to coverage and premium.
[00:45:30 Andrew Rose]
Wow. You know, that's sobering. You know, it almost feels like you're going to be the inevitable victim of a cyber-attack, and then now you're at the mercy of understanding: was that attack caused by negligence on your part, or is it a nation-state actor who got in anyway? And would that even be a determinant of whether they get renewed or not, or get another policy? Do those come into play?
Or is it more just, you know, here was the attack, here was the result, it was a dollar decision, and we're moving forward?
[00:45:55 Mike Urbanik]
Yeah, I'm going to say it's typically a dollar decision. I don't think they're going to ping you if it was a state actor versus just an individual criminal. I don't think that weighs into their decision making. It may in the sense that if you are a business who is operating on an international scale and you might be saying things in the media to put up like a target on you, they might not want your business.
But if you're just a normal, I'm going to say 99.9% of the businesses out there who are just there to conduct business, you're not making political statements, things like that. You're not Raytheon or one of the defense contractors. I don't think that's going to play into the calculation. I think what's going to play into whether you can be renewed or not after an attack is how big the attack was, how much did we have to pay out?
As the carrier, maybe, how many attacks did you receive? High frequency, low dollar amount is another reason to get dropped by a carrier, because if you're consistently filing claims, that means, well, there are big ones coming down the line. Even if you have three small ones, three strikes, you're out, because that means the fourth one is going to be a big one.
So those are factors as to why you might not get coverage or why you might not get renewed after an attack.
[00:47:14 Andrew Rose]
Boy, that drives it home as well. I mentioned that field exercise I ended up at in Pennsylvania. The company that hosted it didn't pay the ransom and had significant cost to replace all the hardware simultaneously. And a company in the exact same sector got hit by the exact same gang with the exact same techniques.
They paid the ransom and now they're the victim of a persistent attack. So their ransom was not a high one. But that goes right back to your point. The high frequency, low dollar, that is a red flag, too. So, I mean, for me, that's indicative that they didn't do the right thing. So, Mike, I appreciate you're sitting here with me.
And, you know, this has certainly been not an uplifting and cheerful conversation about the state of the world that it's in. And any of those business centers sitting out there right now questioning whether you have an adequate cyber liability policy or whether your risk management is where it needs to be, this is a fantastic time to reach out to Mike and his team at R.K. Tongue to review your policy to ensure that you have what you need going into 2024.
Because if you listened closely, things have changed quite a bit in the past year, and in the past five years, since cyber liability insurance policies have become available. And additionally, if you need to have a steady set of eyes on your I.T. networks, making sure that you're always updated, that your patches are always coming through when they should be, that your servers are being replaced in a timely fashion, and that you're secure to the best of your abilities.
That is where DTC comes in. DTCtoday.com is our website. And Mike, if somebody wanted to reach you and have a review of their policies, or even approach you about getting a new policy, how would they get in touch with you?
[00:48:55 Mike Urbanik]
Yeah, you can go to the R.K. Tongue website, that's R.K. Tongue, T-O-N-G-U-E.
You can find my contact information there. Again, Mike or Michael Urbanik. That's the best way to get a hold of me. You can call or email the company, and I'm more than happy to talk to anyone, in any industry, about this type of risk, because it is a growing topic on all my renewal meetings, all my new business proposals.
We are talking about this, and more and more I'm seeing businesses have something in place. But equally, there are a number of people who have just not addressed this, and it is a major risk factor. If my job is to help you protect your business when it comes to insurance, it is my due diligence in my role to talk about this with you.
[00:49:43 Andrew Rose]
Indeed. And I so appreciate your voice on this and your insights as well. And here's a bonus piece for our listeners out there. Even though this is mostly focused on the specialty medical industry, warm weather is around the corner. People will be getting on the water in their boats. And if you're at a marina somewhere in this region and you're curious about what kind of insurance policies you might need for your marina, Mike, would you talk a bit about some of the other ancillary service lines that you guys have to ensure that everyone's boats stay safe while they're docked?
[00:50:16 Mike Urbanik]
Yeah, we are a full-service broker. We can offer insurance to, I'm going to say, almost every industry out there; unless you're a dynamite manufacturer, I probably can't help you. So, we would love to talk with you there. We also offer benefits programs, 401k planning, personal lines insurance; anything that has the word insurance in it, R.K. Tongue can typically help with.
So, I'd love to have a conversation with anyone who needs help.
[00:50:43 Andrew Rose]
Fantastic, and thank you again, listeners, loyal listeners for tuning in to this. And next month we should have a very exciting dissection of the Henry Schein 10-K filing.
[Outro Music]
We would love to hear from you. Please email us your questions or comments to askus@DTCtoday.com
New episodes of Cyber Savvy are posted the second Tuesday of every month. For more detailed information, visit our Web site at DTCtoday.com. Be prepared. Be cyber savvy.