Redefining CyberSecurity

Securing your Business Against The Latest Cyber Threat Trends: Incident Responses and Insurance Essentials | A Conversation with Shawn Tuma | Redefining CyberSecurity Podcast with Sean Martin

Episode Summary

Dive into the evolving cyber threat landscape as cybersecurity data privacy attorney, Shawn Tuma, shares insights from his vast experience in dealing with incident responses. Learn about the indispensable role of insurance in incident response planning, how to negotiate with carriers, and the considerations needed in building an effective incident response plan.

Episode Notes

Guest: Shawn Tuma, Co-Chair, Data Privacy & Cybersecurity Practice at Spencer Fane, LLP [@SpencerFane]

On Linkedin | https://www.linkedin.com/in/shawnetuma/

On Twitter | https://twitter.com/shawnetuma

On Threads | https://www.threads.net/@shawnetuma

____________________________

Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin

____________________________

This Episode’s Sponsors

Imperva | https://itspm.ag/imperva277117988

Devo | https://itspm.ag/itspdvweb

___________________________

In this episode of the Redefining CyberSecurity Podcast, host Sean Martin sits down with cybersecurity data privacy attorney, Shawn Tuma. They delve into a comprehensive discussion on cyber risk, cybersecurity incident response, and cyber insurance. 

During their discussion, Tuma shares a wealth of knowledge stemming from his deep involvement in thousands of cyber incident responses. He discusses the evolving cyber threat landscape, singling out business email compromises as now topping the list and how the evolution of threat actor tactics has exploited the human element in organizations.

The conversation segues into the crucial role of insurance in incident response planning. Tuma goes into detail about the issues that organizations face with insurance, especially when they aren't familiar with the terms stipulated in their policies. He also emphasizes the importance of getting the insurance carrier involved early on and the necessity for businesses to have pre-approved incident response teams.

The episode wraps up with Tuma’s advice on building a robust incident response plan and how insurance plays a key part in the strategy.

___________________________

Watch this and other videos on ITSPmagazine's YouTube Channel

Redefining CyberSecurity Podcast with Sean Martin, CISSP playlist:

📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq

ITSPmagazine YouTube Channel:

📺 https://www.youtube.com/@itspmagazine

Be sure to share and subscribe!

___________________________

Resources

___________________________

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit:

https://www.itspmagazine.com/redefining-cybersecurity-podcast

Are you interested in sponsoring an ITSPmagazine Channel?

👉 https://www.itspmagazine.com/sponsor-the-itspmagazine-podcast-network

Episode Transcription

Securing your Business Against The Latest Cyber Threat Trends: Incident Responses and Insurance Essentials | A Conversation with Shawn Tuma | Redefining CyberSecurity Podcast with Sean Martin

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

Sean Martin: [00:00:00] And hello everybody, this is Sean, the host of Redefining Cybersecurity podcast here on the ITSPmagazine podcast network. And, uh, today I get to talk about a topic that many, many of you might know, many, many might not know actually that, uh, many moons ago I built, uh, built a SIEM for a big yellow company.
 

So, uh, risk management and IR kind of run through my, my veins, if you will. And I, I tend to lead toward more risk management. I, I like that topic as, as a way to prevent the other topic from happening and, and, uh, my guest Shawn Tuma is with me today. And he, he and I, uh, kind of teased that out a little bit before we started recording, Shawn.
 

And it's a pleasure to have you on the show today.  
 

Shawn Tuma: Hey, it's, it's my pleasure as well. Sean, thank you so much for having me.  
 

Sean Martin: Yeah. It's been, been a while. I'm thrilled to reconnect with you and to hear about all the good stuff [00:01:00] you have going and to dig into this topic. Um, I think we have many facets. We'll, uh, spin off into, uh, before we get into that, though, for those who don't know who you are, maybe a few words about some of the things you've been up to working on anything from your past that, uh, will help shape people's minds for why this is an important topic for you. 
 

Shawn Tuma: Sure. Uh, thank you. Yeah, I, uh, so my, my role is I'm a cybersecurity data privacy attorney, and I'm co-chair of the practice group here at Spencer Fane, a primarily U.S.-based law firm, and, um, you know, my daily life, if you will, um, we have a full service team here that works on all of those issues. All business matters, but privacy, compliance, cybersecurity, all that good stuff.
 

Um, my role is more in the lines of incident response. [00:02:00] So, um, um, been practicing in this area since 1999 when I graduated law school. And, um, And, um, handled my first health care data breach in 2001 before we even knew the rules on this stuff. So, so I've had the, the joy, I guess you could say, of learning to fly without a net a lot and making up a lot of this stuff as we go. 
 

Um, and, and these days, most of my practice, I'd say probably 75 percent is devoted to incident response, serving as a breach counsel for companies. Breach quarterback, coach, whatever name you want to use for it. And, um, you know, what I've discovered over the years is there's a lot of repetition. And when we're seeing,
 

you know, what's causing companies to get, to get in this position where they need our incident response services, um, you see patterns develop, you know, [00:03:00] and you know, it's not to say that, that we, we see everything or understand everything. Um, and you know, and as an attorney, um, I've been doing this a long time, but I'm still just an attorney.
 

I'm not a, I'm not qualified to be a CISO. I'm not qualified to be a, you know, network, um, you know, technician or whatnot. I'm, I'm an attorney, but I bring a perspective of someone who's now been involved in thousands of these incidents and, um, And, and the other 25 percent of my practice is risk management. It's trying to take the lessons we learn from the incidents, from the real world things we're happening or we're seeing happen and, and bring that
 

to companies to help them understand what we're seeing in the market, what's happening to their competitors and how they can avoid those. And so, um, that risk management process is [00:04:00] something that I really love as well. And if I had my way, I would do a hundred percent risk management, um, because it's a much easier life.
 

You know, you actually plan things out. You're not on call 24 seven. And, uh, And, and you're helping prevent things, but we're finding that, um, companies are still reluctant to, um, to engage in that kind of risk management process for a number of reasons. Um, and one of those is they, they really, you know, midsize smaller companies, um, they, they really don't know what to do. 
 

There's so much information out there, so many experts, so many best practices that they're, they're suffering from almost what I would call like paralysis by analysis. They have some budget, they have some resources, but they don't know where to put it. And so, um, you know, we try to help, help [00:05:00] guide them in that way, and a lot of times it's not using our services, it's using connections we have and, and professional partners we, we know and work with, um, but a lot of that comes through, um, incident response planning as well, uh, you know, if you start with, with what an incident looks like, and then you start working backwards from there and saying, hey, what will you do when you're in this scenario or that scenario or these other things, it brings a lot of that into focus and it helps them start understanding what vendors, what help they may need along the way. And so, you know, it's all part of a big process really. It's hard to separate one from the other.
 

Sean Martin: Yep. I know that, know that very well, and I'd like to get your perspective, kind of looking back in time a little bit here in terms of building out an IR plan, an incident response plan. I would [00:06:00] venture a guess based on my experience and knowledge that certainly looking at a, at a security information event manager solution before they became SOARs of today, things were driven by events.
 

Some, sometimes they may be risk events, but more often they were attack events, something bad on the network, something bad in an application, something bad with a user that then a team had to kind of consolidate, correlate, translate into, well, what do we do with that? And what you just described kind of paints a different picture of we, we have a lot of information about actual compromises, real incidents, the response to those events and how, how we clean up from them, how we then, as you also described, look at risk management based on that to do [00:07:00] more than just look at events in a SIEM, which is the primary tool, I believe, uh, for incident response.
 

So given that, wherever we come from, yeah, where are we now with respect to IR and incident response, and then we'll kind of dovetail from that into looking at how, how teams plan for better incident response.
 

Shawn Tuma: Yeah, so, you know, I, um, I would say we, um, we're continuing to evolve, obviously, um, in what we're seeing. 
 

And the events that get most of the attention are obviously the outside threat actor attack cyber events that, um, that, that end up being reportable events for whatever reason, whether it's a privacy breach under the breach notice laws, or, um, maybe a [00:08:00] material cyber event under SEC, uh, requirements now, or, um, you know, under contract.
 

You know, many contracts contain legal obligations for reporting and disclosure. Um, and so those are the ones that get the most attention and those tend to be more severe, um, and more, um, kind of James Bond ish like in there, you know, we had a threat actor from a nation state or whatever, that kind of stuff. 
 

And so people focus on that when they think, um, incident response and cybersecurity. But what we see is there's a whole lot more stuff that goes on. And a lot of it is insider, not malicious, but negligence or just, or people make mistakes. You know, we live in a very [00:09:00] complicated world. We're dealing with very complicated systems and little mistakes can have really big consequences.
 

And so a lot of our advisory services are advising over things like that. Like, Hey, we had an employee that took data or we had an, I got a call earlier today. We had an employee that left and we look back at the DLP solution for two months and saw this download of data. And now we have company data that's left. 
 

The company is that a privacy breach and What do we do with the former employee and all of that kind of stuff. And those aren't the kind of things that get attention in the news and make their way out there. But they're very real events because it absolutely, if they took customer data or whatnot or trade secret data or whatever, there, there's certain implications to that. 
 

Um, [00:10:00] you know, and then, and then a lot of what we see, you know, for the last couple of years, we've dealt with a lot of ransomware attack cases, um, and we still do deal with a fair amount, but not as much as we do now business email compromise cases. Um, business email compromise is at the top of our list now, and
 

Part of the reason I think is because security tools have improved over the last few years significantly, and it makes it harder for these threat actors to do some of the technical, um, work that they've been doing, and, and they found the human.  
 

Sean Martin: Can I, can I pause you there on that note? Are they the, the protection tools like the endpoint and, and network? 
 

I think so. Security tools, or is it the other controls like, uh, MFA and encryption and things like that, or a combination? [00:11:00]
 

Shawn Tuma: I, I think all of it. Um, and, and I think part of the reason from at least the world I live in is, I think part of that is. You know, two, three years ago, we heard all this talk about the hardening of the cyber insurance market, how premiums were escalating, coverages were going down, excuse me, and there were these lists of required, uh, you know, um, controls that had to be in place before you can get coverage. 
 

And everything you just mentioned is on that list of, of controls that had to be in place because the insurance carriers know what was causing them to pay money out in premium or in, in coverage. Right. And so that's what they tried to put into their list to reduce their risk. And I think that has helped improve security significantly over the last couple of years. 
 

Um, You know, [00:12:00] we've seen much better backups. So we've seen successful ransomware with attacking the primary network in a server or two here or there or whatnot, but a much better ability to recover from that. We are seeing more data theft as the extortion tool instead of the encryption, but the data is not always sensitive data. 
 

Um, you know, so, so that's evolving, but, but with the MFA, you know, still the vast majority of business email compromise cases we get, there was no MFA. Um, they're, they're reusing the same passwords there. It's really the basic stuff that we've been preaching for years. And so I think, um, that threat actors have, have come back to, it's, it's easier to trick people, um, and if you can get them to wire [00:13:00] money or something like that, you're getting a payday of a couple hundred grand, I mean, even millions sometimes with very little effort.
 

And very little, um, ability to trace their tools or whatnot. Um, and so no backups can help with that. Yeah, no backups can help with that. And, and, and it's still just tricking a human being. It's the old Nigerian prince, but it's just a little different twist in that they got into one party's email system, did the man in the middle, pretended to be someone, spoofed a domain, and someone didn't bother calling to verify that change in banking instructions, you know?
 

Sean Martin: So talk to me a bit about, cause that, that seems like, well, it's a business process, right? Um, some of it in systems, some of it not. It could be a phone call, obviously email compromise says there's email there, [00:14:00] um, but then a disconnected system to actually do, actually do the transfer, right?
 

Shawn Tuma: Yeah. It's a failure of, of a business process of, of,  
 

Sean Martin: so how does that roll into detection and response and how you look at. 
 

Guiding companies to say, here, here's how you hopefully prevent, but look for incidents that signs of a smaller event before the big one hits, or I don't know what, yeah, talk to me about that. 
 

Shawn Tuma: Sure. So what we try to do is, um, the first thing we want to do is gather the facts and understand what's happened and we want to understand the timing because if it was a very recent, uh, let's, usually they're discovered with a wire transfer.
 

Someone says, Hey, you still haven't paid. And then the other party says, I paid you two weeks ago. And then everybody goes, Oh, where'd the money go? Right. And then they pull the email chain and someone starts looking through that and they spot that, that [00:15:00] spoof domain. And then they say, well, it's not my fault. 
 

It's your fault. Your system was hacked. Not mine. Nobody knows whose system was hacked. Then they start saying, well, do, do you have insurance to cover this? Um, what a lot of people don't realize is even if you do have insurance, sometimes that insurance requires that, that, that phone call have been made and documented. And if it wasn't
 

And if it wasn't. Made and documented, then it voids your coverage, right? So you got to know your policy, but then it makes its way to us because they get into a dispute over it and they call and say, well, whose fault is this? And then we look at it and say, well, you know, one party's email was hacked. We don't know which, but somehow they got this email chain to get into the middle of that transaction. 
 

We don't know which party's yet. So we'll want to bring in forensics and we'll want to look at our client's network [00:16:00] and make sure that their email system was not the one compromised, or, if it was the one compromised, make sure we get it secure. Make sure we gather all the forensic evidence from it that we can.
 

Um, depending on what service they're using, if it's Microsoft and they have one of the higher Microsoft licenses, they may be able to get the logging data to show exactly what the threat actor did in the email account, um, to see what, what emails were accessed, which, what were forwarded, what were deleted, all of those kind of things.
 

Um, and part of the problem there is whichever party's email account was accessed may very well have a data breach of that account as well. Because whatever data is in that email account, this threat actor now had access to it. So we want to determine was our client's email [00:17:00] account accessed, were they the culprit? 
 

Um, we want to protect that and we want to know if it wasn't our client, was it one of the other parties? Um, and so one of the things we'll see is if it was our client, and unfortunately many times it is, there the threat actor will get in and they'll set up auto forwarding rules, auto deletion rules and things like that.
 

So that as soon as the email account, the email hits their account, it automatically forwards it, deletes it from their account so they never see it. And now the threat actor is getting it and can use that spoofed email to interact with the other parties. And so, um, gathering the facts is very important then.
 

Opening a dialogue with the other parties. Um, because the way the courts treat these cases is they look at multiple factors in determining who's at fault for the loss. Um, and there's no clear standard out [00:18:00] there right now. The law is really in, um, in, in, in its infancy and how these are being handled. And so they'll look at, you know, some, some fault to the party whose email was hacked.
 

But then there's a question of when did they know, did they know it was hacked and they didn't give notice to the other party? And maybe if they had given notice, could the other party have avoided this right in a timely manner. But then they'll look to the party that wired the money. If you know, whichever party that was and say, well, Hey, you had the best opportunity to avoid this by picking up the phone and calling when you got this email saying, Hey, wiring instructions are changed. 
 

You know, these days, everybody should know this is a risk. You could have avoided it. Had you called, you didn't call, um, you know. So therefore there's fault on you. Then we look at the terms [00:19:00] of the agreement. Was it a, you know, goods that were being transferred? When did ownership transfer? Was it upon transmittal of payment? 
 

Was it upon receipt of payment? Was there a security interest in the goods? All this kind of stuff. We're getting down into the terms of the contract now to determine all these issues. And so it's really a messy situation. And, um, You know, litigation doesn't help any of the parties in this case because the money's gone at that point. 
 

Um, if we get it quickly, obviously we want to try to go to, uh, federal law enforcement, um, FBI or Secret Service, get an IC3.gov report filed, and then make personal contact with law enforcement, because if it's really quick, they might be able to trap those funds, but not very often. So that's all part of the initial phase.
 

Then we've got that. Was it a data breach? You know, and if [00:20:00] it was, if data was taken out of that email account and it was our client, now we're in the full data breach response process. We got to then go in and analyze the inbox or accounts, see what personal data was in there, you know, assemble that list, put together notifications and do all that.
 

And it's really a very time consuming and expensive process that, that people don't understand. Oh, someone just got into my email and sent a spam email. Yeah, that's what it could lead to. So it can be a mess.
 

Sean Martin: So I have a gazillion questions. I'm going to stick with the IR focused one for a moment because I'm sitting here thinking about some incident response. 
 

process, um, and I have no idea that this is happening. Why not? Am I not looking at the right [00:21:00] events? For me, it's, if I see an email config change, change from no forwarding to auto forward and, or no forwarding to auto forward and delete. That sounds like a very important part of this scheme working, and maybe that event could trigger at least an investigation for that account, right, to see if, did that user do it on purpose or, or not. 
 

So I don't know, are there things an IR team should be looking for specific to this type of case?  
 

Shawn Tuma: That is absolutely a critical tool that, that an IR team should be looking for. If you see those kind of rule changes in the environment, um, that's, that's like a big red flag. Another one is to, to use, you know, geolocation, uh, monitoring for, or, or blocking, you know, for accessing these accounts.
 

Um, because a lot of times, you [00:22:00] know, the threat actor is somewhere else and they may, you know, ping pong off a different, um, you know, servers or whatnot to get to you. But a lot of the cases that we investigate, we do find, um, there was activity from IP addresses that, had they been looking for them, would have been flagged.
 

They clearly weren't relevant to the client. So that's a big issue. Um, another, another issue is a lot of times we represent parties in this mess, so to call it, that didn't have their email account touched whatsoever. Um, you know, someone may be spoofing their domain, but they never got into their network. 
 

They never penetrated it at any level. And. They're just, they're kind of a victim of circumstances here. And so, you know, knowing how to, to [00:23:00] have a domain. So tracking domains that are, that are being registered, that spoof yours could be an indication that someone's trying to do this by, by sending spoofed emails. 
 

And they may never make it even into your system. You know, but it could be through different third parties. And so, um, you're really playing whack a mole there. Um, but having your, you know, your accounting team, um, well versed in this type of activity and understanding what takes place here, having them understand, um, not to answer questions on the phone, if someone calls and says, You know, Hey, this is such and such, send me a list of all the AR, you know, for the last month to this email address. 
 

I mean, we had a case where that happened recently. Don't do that, you know, because now someone's going to spoof [00:24:00] your domain and go and try to collect all of that money, you know, and that's what they're doing. They never penetrated your network, but they got someone in your accounting department to do something dumb, you know? 
 

And so teaching people how the threat actors do this and how they're always evolving is a great tool. Um, and then, you know, avoiding using email for, for payments, you know, for transmitting payment, um, information and wiring instructions, to the extent you can have a, a secure portal set up for that kind of stuff and make sure your business partners know, because a lot of times big companies are the ultimate victims of this because they have the deep pockets, but it's their little small vendors whose email account got hacked and who's wiring money and the money [00:25:00] gets lost.
 

And, and yeah, then they're like, well, we don't have it. What do we do? We don't have insurance. We can't pay this. And so, if you're a big company, it's almost like thinking ahead for your small vendors. It's a very simple part of this supply chain risk management. It's understanding this little vendor I'm doing business with, their, the revenue of their whole company is less than our security budget. 
 

We know they're going to make mistakes. How can we help keep them from making such mistakes? That's going to help us in the long run. And so, you know, techniques like that are very helpful.  
 

Sean Martin: Fantastic stuff, Sean. I want to have a few minutes left. I want to broaden this a bit too. Have you paint a picture of IR planning? 
 

I mean, we, we did a nice deep dive there for, for BEC. Um, how, how do you go [00:26:00] about helping teams build out an IR plan? That's I'll say all encompassing. Um, from risk management to compliance to getting insurance and auditing for that. And yeah, compliance with standards and whatnot. How do you help teams kind of build that plan out? 
 

Shawn Tuma: So, um, I'll tell you, Sean, I'm not a big fan of most IR plans, um, and rarely do I ever find myself asking for one when we get hired to serve as breach counsel, because generally speaking, I've found most of them are not helpful. Um, in our typical scenario, we get hired by the company, and the next step is to bring in expert vendors who are going to do, you [00:27:00] know, your DFIR firm.
 

They're going to come in, they're going to deploy their tools in the environment. They're going to do the investigation and the analysis. And they're the experts, so there's not much we can really tell them on how to do their job. Um, where I find the biggest fault comes in is companies don't know they're going to need to hire those DFIR firms.
 

They don't know what DFIR firms they're going to hire. They don't realize that their cyber insurance may preclude them from hiring the top three that they want to work with. And so they, because the policies, well, yes. So, so most of the cyber insurance policies now, and there are hundreds of different carriers out there.
 

They have provisions, [00:28:00] excuse me, in them that say the carrier has the right to either select or, or. You have to select from their list of approved vendors and if not, they don't have to cover that loss. And so if you want your coverage, you've got to select one of their approved vendors. Now, most of these policies, if you have a firm you want to work with, most of these carriers will let you use your own firm, but it takes a day or two or three of negotiating and haggling and doing all that. 
 

To get that approved. And so what we see happen many times is if a company does know who they want to use, they have their team that they've built a plan around. They've, they've practiced through their tabletops, but they haven't gotten them approved under their cyber insurance on game day, they come in [00:29:00] and they. 
 

They, they tell me, Sean, Hey, this is what we want to do. And I say, well, who's your cyber insurance carrier? And they say, well, we'll deal with that tomorrow or next week. I tell them, no, you can't do that. You got to get them involved first and they have to approve these vendors or else they're not going to cover this. 
 

Right. And they go, well, this is crazy. We've been practicing with this team and we've got everybody in place and I show them the language in the policy and then everything stops because now you got to make a choice of do we go with the team we know and and potentially jeopardize our coverage? Or do we now? 
 

Try to negotiate with the carrier, which if it's a Friday, and we know these incidents many times happen on Friday, we want to be working Friday afternoon. We don't want to be haggling with an insurance carrier Friday, Monday, Tuesday, before we get [00:30:00] to work. Right. And so to me the most essential aspect of incident response planning, it comes down to something that an old general said, um, Omar Bradley said, amateurs talk strategy and tactics, professionals study logistics.
 

And, and most of it comes down to logistics. How do we, how do we, Build the team. How do we know how to reach them and have them approved? So we have them ready to go at game time. And so to me, it starts with learning. Well, number one, do we have cyber insurance? I believe most companies should have cyber insurance these days. 
 

Do we understand our policy? Let's lay it out. What does it require for our, does it require pre approval? Does it require selecting from their list of approved vendors? Whatnot. Um, those things can [00:31:00] be negotiated ahead of time, but you don't want to do this in the heat of the. The moment, right? You want to be working. 
 

You don't want to be dealing with insurance. So these are things we can do ahead of time. And then we want to say, okay, here's our approved team. How do we reach them? Who's our point of contact? What's the mobile number? What's the second mobile number or the backup person's mobile number, right? All these logistical questions. 
 

Um, if we're dealing with payment cards, you know, how do we notify our merchant? Our processing bank of this incident, how quickly must we, because many times that's 24 hours or less. Um, and it's very, um, you know, antiquated tools. We have some where they have a requirement to fax them the notice to a fax machine that hadn't been operating for the last 15 years, you know, yet we're going to get penalized at the [00:32:00] end for not complying with that. 
 

These are the kind of logistics we need to. To understand, you know, so we got to understand what are our obligations going to be when this happens and then work backwards from there. Who are we going to need? How are we going to need to reach them? Do they have to be approved? What are their contact? You know, all these types of things. 
 

To me, that's the first step of your IR plan, is knowing what we're going to need, building that backwards like that. And so at my very shallow level of IR planning, right, I'm not competent to come in and, and build the, the IR plan for, for Microsoft or somebody like that, right. But I have a perspective to bring, you know, what are we going to do with this basic level?
 

And then who are we going to trust as the experts to go deeper and deeper and deeper as each of those layers must. So that's where I like to start because [00:33:00] in my practice, that's where I see the biggest deficiency is I get a call on a Friday, we're ready to go. They're ready to go. But I have to tell them you can't go or you got to go, you know,  
 

Sean Martin: That's super insightful, and I want to, rather than continuing down the, the IR planning route, I want to spend maybe the last moment here on the insurance piece.
 

Um, wasn't long ago that I'd heard multiple times that, Carriers weren't offering new coverage, and where maybe 10 years ago, you might, you might have an opportunity to see select from 10, right? The one that you want to work with, or now you might not even get one to respond to you. Um, I don't know the reasons why I didn't hear that part. 
 

So, so [00:34:00] where do we sit now? Because what I'm trying to figure out is our cyber insurance entities, at whatever level. Um, there's reinsurance and all that stuff too. We don't have time to get into all of that, I don't think, but are they an organization's friend here? If, if not, how can they be, just, just in, in putting together how they, how an organization will deal with an event and the relationship with an insurance provider? 
 

Shawn Tuma: Yes. So the answer is they should be an organization's friend. Um, we work with a lot of insurance carriers and, and we have had tremendous, um, experiences with them. We find they do pay claims, um, when, when they should and they pay very quickly because they know that [00:35:00] IR moves at the speed of light, you know, and so they're moving very quickly with that and they have an interest in making sure that incidents are handled properly because they know that a properly handled incident may be a problem 
 

at a fraction of the coverage amount, whereas one that goes sideways will be a full-limits loss for them. Um, and, and how you handle it can mean the difference. So they come in and they want to help in, in the experiences we generally have. Now, there are some carriers we, we steer away from very strongly and, uh, obviously I won't mention them here, but you know, um, it's just, I think an organization has to understand their role and they have to understand how to work with them properly. 
 

And that really starts in how you [00:36:00] procure your policy. You should have a good broker that understands cyber. And there are many, many different forms of policies with many different coverages and a lot of variance between each, and the only way to get the right coverage is you have to understand your risk. 
 

So now we're back to risk management, right? It all starts with the risk assessment. You have to know yourself, you have to know your risk so that you can talk to your broker about your risk so that they can go out and find you the right coverage that's going to cover your risks. Then you should work with the underwriters. 
 

And I know many CISOs, um, you know, whenever they get this list of, of questions from the underwriters, they, uh, they, uh, they don't like it. I'll just put it that way. And, and, and what they need to understand is what these underwriters are [00:37:00] trying to do is the same thing the CISOs are trying to do. They're trying to minimize the risk because they don't want to pay the money if they don't have to. 
 

And so a lot of times what the underwriters are asking for is exactly what the CISOs have been asking management for, for five years, you know, so now they can use this as a tool to help get the security they've been, or the tools they've been wanting to get or services or whatnot. Right. So then the next step is when you get your policy, people need to read it and understand it. 
 

You need to lay that policy out and look at it as you're going through your incident response planning, because the policy will have very granular requirements in there about what is covered, what isn't, how to give notice, how to get approvals, all of those kind of things. If you look at those things ahead of time, 
 

you can build that into your incident response process, and you should, and then this should all work [00:38:00] seamlessly because, you know, a lot of carriers now will offer some level of incident response planning assistance and proactive, um, work before an incident. And so you can, you can start developing your relationship with them before you need them. 
 

That way when the time comes where you do need them, you know who to call, you know how they're going to work with you, you know they've already approved your team, and instead of spending days, you know, fiddling around with them, you got them on board. They're ready to approve the work, get going literally within, you know, an hour. 
 

Um, many times we, we can have everybody on the phone, everything approved, have a scoping call within the first hour of even knowing this happened, have that SOW completed and approved within the second hour and be working with teams, [00:39:00] deploying assets shortly after that. So if you're looking at a Friday afternoon, man, getting that Friday night, Saturday, Sunday built into your work time to start assessing it and understanding it helps you come out Monday morning a lot better off than if Monday, you're still trying to get your team in place to get to work. 
 

You got to look at them as a partner, but you got to play by their terms. You got to know their terms and, and understand that it's part of the process and something you need to work with. 
 

Sean Martin: Those terms. It's very, uh, unlikely you get to set them yourself. 
 

Shawn Tuma: That's right. 
 

Sean Martin: Uh, Shawn, well, I could talk to you for hours. 
 

Um, I, I feel, well, there's so many paths we could take, um, I, I feel we need to get on again simply just for risk management because I, I believe we can, we can have a nice chat, uh, chat about that [00:40:00] for today. I mean, super insightful for me, um, I've not gone through that process of, of connecting insurance and IR teams to an IR plan and, um, and some of the nuances there. 
 

So, uh, very helpful. I presume a lot of, a lot of our listeners and watchers will, uh, will benefit from that. And if somebody has gone through the process, a few tips in there to say, you might want to look at your policy to be sure you're ready for that Friday night, uh, that Friday night event that might just come, come its way. 
 

Shawn Tuma: Um, you know, I realized I didn't answer the other part of your question. It is easier now. There's a greater appetite for new coverage than there was two years ago. Still have pretty high premiums. So 
 

Sean Martin: Very good. Well, thanks for that, Shawn. Um, always a pleasure catching up with you. Uh, it's been too long. I'm grateful, grateful to have you on [00:41:00] today. 
 

Uh, we'll, we'll make this happen again for, for risk management very soon. And, uh, appreciate you spending the time and sharing your stories with us. For everybody listening and watching, thanks for joining. And of course, be sure to subscribe, share, and take heed in some of the tips and advice provided by Shawn today. 
 

And stay tuned. Lots more coming to you here on Redefining CyberSecurity on ITSPmagazine. Thanks, everybody. Thank you.