So, good afternoon everyone. My name is Mirko Speretta. I am the director of the cybersecurity programs at Fairfield University, and I want to welcome you to this webinar, focused on building a cybersecurity safe harbor. This is a topic, a discussion actually, that started with the bill that was voted on in July in the state of Connecticut, and with a discussion I had with William Roberts, who is going to be our first speaker today. William and I decided to create this webinar to talk about this new bill and about cybersecurity in general. The event is organized by Fairfield University and by Shipman & Goodwin. Let me tell you a little more about how the webinar is going to be laid out. We will have a first presentation from William Roberts, between three and about 3:30. Then I will give a presentation specifically about the NIST Cybersecurity Framework. And at four, we will have a discussion with a panel of experts in cybersecurity: Greg Krishenko, who is the CISO at Garden Life; Eric Monda, who is the senior IT security analyst at AdNet; Justin Hickey, who is the CISO at Fairfield University; and William himself. One more thing about the webinar in general: we definitely want to provide as much information as we can about this bill and about cybersecurity, and about how to apply and adopt cybersecurity guidance in your organization. But we also would like to hear from you. This is very informal. If you have any questions, please type them using the Q&A feature in Zoom and we will address them immediately. So, this is the schedule, just a reminder of how the webinar is going to run. And now I'll turn it over to Bill to start his presentation.

Great. Thank you, Mirko, and thank you all for joining us this afternoon. I've been reviewing the list of attendees, and I think there are actually a few of you who I've worked with in the past on various matters, so it's nice to see your names again.
So, I'm going to share my screen now. What we're going to do in the first part is get the boring part out of the way: the law, all the bad things that could be happening, all of the legal requirements that are applicable to local businesses. Then we're going to move on to the what-to-do-about-it phase with Mirko and Eric, to talk about how to take some of the legal requirements and some of the legal risks and put that into practice to safeguard your organization. So, with that, let's get this presentation started. The first thing we're going to talk about is what I call the legal landscape: what is the law, what is the state of the law, and what is the state of legal risk regarding cybersecurity. For most of you, barely a day goes by without something in the news regarding a breach or a hack or some other cybersecurity-related incident. But what I wanted to talk about is what the law is on this topic: what is the legal landscape, what are the legal risks that these organizations face? And then, as Mirko mentioned, we're going to look at two recent changes to state law, regarding breaches and regarding a new cybersecurity safe harbor. So let's get right into the legal landscape. The most important thing for a business to keep in mind is that everyone has sensitive data. Everyone. There is a mindset we see very often with clients that if they're not in education, or defense, or healthcare, or insurance, or banking, maybe they don't really have much to be worried about. They may say, I make sewing machines, I make shovels, I don't really have much exposure here in terms of data privacy or cybersecurity. That's a myth that I think is slowly rotting away, but one that we certainly want to put to rest now.
Every organization, every business, has some data that someone else wants, and that, if it falls into the wrong hands, may cause real harm to your organization. So we need to get beyond things like healthcare records or student records. We want to think about employee data. We want to think about contractor data: the part-time employees, the temp workers. Your vendor data, which could be tax ID numbers or social security numbers for individual solo vendors. We're talking about customer data, patient data, student or plan member data, as in the insurance context. And things that aren't personal data, things like trade secrets or proprietary corporate data like financials or strategy. While there is, for good reason, a lot of legal focus and a lot of industry focus on protecting personally identifiable data, we can't forget that in a breach or other cybersecurity context, sometimes it's the trade secret data, sometimes it's the strategy data, that can be just as damaging to your business. So the reality we live in today is that pretty much all the data you hold is going to be sensitive to someone. Someone is going to want it, and someone could misuse it. And all of that data is at risk of a breach. So when a business has this employee data, health plan data, trade secrets, customer data, any of that, what could go wrong? When we're talking about cybersecurity risks, when we're talking about the legal landscape in cybersecurity, what are we talking about? What, as an attorney, do I get called in for when things go wrong? What do we see in our practice as the things that go wrong for a business in terms of cybersecurity? The easiest one, and the one that gets the most press, is a data breach: things like ransomware, hacking, phishing. As I mentioned a few moments ago, barely a day goes by without something like that in the news. You're seeing it a lot now with schools.
You're seeing it a lot now with attacks on government agencies, etc. But there's more to it. There's a lot more to cybersecurity than just preventing the data breach, and there's a lot more to your business's legal risk than merely the ransomware from Russia, for example. The second is company misuse of data. This could be one of your business teams misusing data, selling it inappropriately, or using it in violation of your own policies, which becomes a Federal Trade Commission matter, or a state attorney general matter under unfair trade practices. So if you have a business that is collecting data from a customer, like a direct-to-consumer business, and you have a privacy policy that your lawyer wrote, it sounds great, and it says you're not going to do X, Y, and Z, and one of your team members goes out and does X, Y, or Z, there's going to be cybersecurity and privacy law risk there. The third is employee misconduct or vendor misconduct. We see this a lot, and it gets to both the privacy side of legal risk and the cybersecurity side: what safeguards do you have to prevent these types of things from happening? Employee theft is very common. Very often, when you have a disgruntled employee leaving for a competitor or some other business, they take data with them. Spying on your competitors, or having your competitor spy on you, is quite common. Blackmail is something we actually see quite often as well. With this employee misconduct, what I want you to be thinking about later, when we're talking about NIST and some of these other cybersecurity frameworks, is: what data do I have? What are the risks to that data? And how could a cybersecurity framework, or a cybersecurity safe harbor, like Mirko and Eric will be talking about, reduce the likelihood of some of this conduct happening? And if it does happen, how could it help us identify it and stop it quickly? Loss of trade secrets.
This is very common in the defense sector or in manufacturing. Employee whistleblowers. What I mean by that: if you're collecting data, especially personal data, and you're not treating that data appropriately, not using it as you said you would, disclosing it for inappropriate reasons, like selling it to someone when you said you wouldn't, or not safeguarding that data, you run the risk of a disgruntled employee, particularly one you're just about to lay off or fire, going to an attorney to allege improper conduct. It's a great defense against getting fired, and it is a risk for a business. And then lastly, customer complaints. A customer may complain regarding a privacy practice to an attorney general or someone similar. So all of these things are some of the risks that brought us to this presentation. These are the risks that a business has, and the discussion later will be about how to address these. Some of the legal implications of these things going wrong: we have lawsuits, lawsuits from customers, from patients; those could be breach of contract claims in a business-to-business context. There could also be a government investigation; attorneys general and others are very active in this space. Some additional risks. When we talk about a breach or a whistleblower, I'm primarily worried about the legal risk, obviously, being an attorney, but there's more to it for your business. There are shutdowns and lost productivity. We've had clients who are, for example, producing shovels, and they're shut down for three days due to ransomware. Remediation costs, bringing in cybersecurity folks to clean up the mess. Dealing with angry customers, dealing with angry employees or patients or students. Loss of a contract. That's kind of rare, because everyone has breaches.
So it's really unusual to see, but if you don't respond to the breach appropriately, your customers may just be gone. They really may. Marketing and business development headaches: it's really tough to win new business when your name is associated with a very damaging investigation, for example. And then your insurance costs as well. The more breaches you have, and the less cybersecurity you have, the higher your rates are going to go. So with that, and I want to make sure I'm also checking for questions, so feel free to put those into the chat box as well. Part two: we're going to look at some recent changes to the law. As I mentioned at the top of this session, we're going to be starting off with changes to the breach law. All of you hopefully have breach policies. If you haven't already, now is the time to be updating those to make the changes that I'll be talking about shortly. And then we're going to end this session with a look at the cybersecurity framework in the state and the safe harbor for that. So, like every state, we have here a breach notification law that requires businesses to report data breaches. I have some of the technical language on the screen here. When a business has a breach, and I'm talking about business in a very broad sense, it includes schools and other non-profits, for example, it requires you to provide notice to the affected individuals and also to the attorney general. Since 2006, the law has been pretty narrow. You only have a data breach when you're talking about data in electronic form, so not paper records. I've never quite understood why, but if you leave a stack of social security numbers on the CTfastrak bus in Hartford, that's not a breach. But if you email it to someone, it is a breach. I imagine the AG would like that changed at some point, but that remains to be seen.
So it's only electronic form, and traditionally, up until recently, it's only been personal data as defined here on the screen: social security numbers, driver's license or ID card numbers, credit card or account numbers with an access code, for example. So very, very narrow. That's changing, and it has changed as of October 1, when a new law took effect, which we'll go through. It really brought the state's data breach law a little further into modern times, because what happened here is that the state had one of the first laws in the country. It was very groundbreaking when it came out in 2006, but up until recently it had really been left in the dust as one of the weakest laws in the country. So this brings it a little more into the norm. The first thing is that it broadens the application. You no longer have to actually do business here. What the AG is looking for: if you have the personal data of a Connecticut resident, but you're a New Mexico company, they want to be hearing about it. The law also shortens the notification period from 90 days to 60. It's still a really long time. For those of you who may do business in the European Union and are dealing with GDPR, which is 72 hours, 60 days is still pretty long. Now, while Eric and the others can certainly attest that sometimes it's hard to know everything that happened within 60 days of a breach, it still is one of the more generous time frames. The next key change here is the expanded definition of personal information. As I mentioned just now, the definition of a breach only involved the inappropriate use or disclosure of a really narrow set of data, very, very narrow. This law changes that. So this is probably the most important thing, aside from the 90-day to 60-day change, for your own breach policies and your own breach response program.
Here's on the screen, I'm not going to go through all of it, but there are certain things you really want to keep in mind. Medical records, for example: anyone who's an employer has medical data in some capacity, whether it's for the Americans with Disabilities Act, an employee's medical leave, or an absence from work, for example. In those HR files, you have a lot more than just someone's review and tax documents. So you see that you have a lot more here than you may think. This is the new, broader definition. Oops, sorry about that. Another thing, and I put a lot here just in case it's relevant for someone: if you have a breach of login credentials, particularly if you're the entity that furnishes the email account. Because we're being sponsored here by Fairfield, I'll pick on them. Fairfield, just like most businesses, furnishes an email account to employees and staff and faculty, and probably students as well. If you furnish that account and you have a breach of login credentials for that account, the state now has very special rules for you to be following. So if you're that type of business, like Fairfield University or Shipman & Goodwin, for example, that furnishes an account, you do want to look at this new requirement, see if it applies, and also bake that into your breach notification policies. The next topic here is the safe harbor, and that's really the meat of what we're going to be talking about. To summarize: we started out with some of the legal risks, all the things that could happen to your data, all those terrible things, typical lawyer stories, things that we deal with. Then we moved on to changes in the breach law. And I wanted to mention that again, because it's important for you to be aware of that, so you can keep your policies current and continue to respond to any sort of breach in a compliant manner.
But all of that comes back to having a good cybersecurity program in the first place, because having a good program will reduce the likelihood of any of those bad things happening. It's not going to stop them. Bad breaches happen to good companies, and no company is breach-proof, no matter what you do. So even if we do everything we're going to be talking about, there's still a risk, of course, of a breach, of a complaint, of employee misconduct, but at least you're putting safeguards in place to reduce that risk. And most importantly, from a legal perspective, from a customer relations perspective, from a marketing perspective, having a cybersecurity program in place means that when something bad does happen, you're prepared to respond to it in an appropriate and prompt manner. There's really nothing better for your attorneys, when you're being investigated by a government agency or you have a disgruntled customer suing you over a cybersecurity matter, than to be able to say: you know what, bad breaches sometimes happen to good companies, here's everything we had done beforehand, and here's everything we did during the response. That is invaluable, because it really shows a plaintiff, it really shows the government, that you're taking cybersecurity seriously, that there's really nothing to be seen here, and it helps make those people go away. And there's been a lot of confusion about this. Okay, great, Bill, you're saying I need to go adopt a cybersecurity framework. You go online, you Google a cybersecurity company, they start throwing some policies around, they start saying things like NIST or HITECH, all this kind of stuff, and your head is spinning. So what the state wanted to do, to be helpful for businesses, is to set forth in the law some standards that your business should think about following, and also give an incentive for following those standards.
And that's really where we come to now with the safe harbor. This law came into effect on October 1st. All the details are here. But really what it means is that if you have a cybersecurity program that meets the framework standards that we're going to cover in a moment, then unless you act grossly negligently, which basically means you just don't care at all, you don't even try, a court cannot impose punitive damages on your business. So that's really what the safe harbor does. It gives you some direction for how to implement your cybersecurity program, and it gives you a bit of a carrot for doing so. I don't think it's much of a carrot, and it could be a lot stronger, but it's something. The next two slides are what we mean by the cybersecurity frameworks. These are the frameworks written into the law. Mirko is going to spend some time talking about what you see now in the second and third bullet points, the NIST standards. These are very technical standards that you need a cybersecurity expert to help you with, not an attorney. And this is the second slide here as well. You'll see some of these, the PCI standards for credit cards. You see more familiar ones like HIPAA, Gramm-Leach-Bliley, HITECH. So these are the standards you want to see. Not all of these make sense for every business, certainly, but at least one of them will cover a few. So then, if you want the safe harbor, you go ahead and call up Eric and say, you know what, I need a cybersecurity program, I really want to take advantage of the safe harbor, which one of these frameworks works for me? You figure it out together. Let's say it's NIST. Okay, great, we're going to be NIST compliant. So what does that mean? The first thing I mentioned is no punitive damages, which is really a minor thing. A punitive damage is a damage a court imposes to punish really bad behavior.
I don't exactly know why the safe harbor relates to punitive damages, since punitive damages are incredibly rare in cybersecurity. So, honestly, there really isn't a whole lot of practical benefit to it. But I don't want to focus too much on that. There's actually a lot more benefit to one of these cybersecurity programs than the safe harbor's punitive damages provision. The first one here is giving some direction. Like I said, so many clients struggle with where to even start. This really gives you, under the law, a direction to follow. The next is marketing. It is so important to keep in mind that cybersecurity is not just about protecting your business, and it's not just about reducing your legal risk. It's also really valuable for marketing and customer relations. People are very nervous about doing business with someone when it involves the transfer of data, particularly on the B2B side. So what you really want to do is think: if I'm NIST compliant, okay, great, there's a cybersecurity reason to do it and there's a legal reason, but you could sell that as well. There are a lot of clients who are very successful in selling their cybersecurity program. There's business resilience: you don't have to be shut down for days should something happen. Even if something like a breach does occur, there is less exposure to government fines or penalties. And when you are sued for something else, like breach of contract or a negligence matter, it's much, much easier to defend yourself. And you may also have lower insurance costs. So there are a lot of benefits to this aside from the punitive damages. Now, a really quick note, though, on what it doesn't do. The safe harbor doesn't protect you from everything. It doesn't mean that the AG can't come after you. It doesn't mean that people can't sue you, for example. But it is extremely valuable.
So with that, I finished a minute early, so I apologize for going a little quick, but I do want to keep us on schedule. And again, feel free to jump in with any questions, either now or later in the program. And with that, I'm going to turn things back over to Mirko.

Okay, so for my presentation I will talk about reasons to use a cybersecurity framework. From Bill we heard about the legal aspect and also the business aspect. From my point of view, I'm more biased towards the technical aspect of cybersecurity and how that fits into your business. So we're going to look at some reasons for that. We're going to look specifically at the NIST Cybersecurity Framework, among the many frameworks that are available out there; I believe this is the one that businesses should actually start with. And then I will give you a brief outline of the programs at Fairfield U that are related to cybersecurity, and the collaboration we have with businesses in the area, between Fairfield University and the organizations around us. So why, as a business in general, do we want to worry about cybersecurity, and specifically, why do we want to worry about structuring and having guidelines to handle security internally? Again, from my point of view, which is very technical, technology has a big part to play in it. The reason is that technology changes, and it changes fast, and those kinds of changes make a big impact on any business. Think about it at a personal level; think about the evolution of mobile devices. This is a visual representation of the memory of the first-generation iPhone, and this is a visual representation of the latest version of the iPhone. This happened over a span of about 13 years. So there are important changes at the technical level that should be considered.
For this reason, we always need to maintain a perspective on cybersecurity that is up to date. That means always thinking in terms of: what is the most secure way to store your data today? Should you use a technology that is based on premises? Should you use a technology that is based in the cloud, one that you don't have to manage and maintain directly? Or, for example, how do you exchange information today? Do you do that through email, or do you exchange information using online services? It's important to be open to new technologies, to try to understand how they fit your business, and to think about how they should be used, or exploited, to maintain the security of your data. There are many tasks here: there is the task of identifying the technologies, and there is the task of seeing how the technology fits in the business, what impact it has, and so on. So it makes sense, most of the time, to have a business unit, a business function, that is dedicated to that. I want to give a specific example of technology and how technology impacts the business and cybersecurity. Nowadays we hear the expression digital transformation a lot. The idea is that a business can adopt new technology and adopt new processes based on technologies that will improve their business. The key point here is adopting a new technology, and this has an impact on your organization. It can have a small impact, or a smaller impact, I should say.
If we think about transformations where you're moving your email servers online, or you're actually using a cloud-based service like Office 365 or Google Workspace, in those kinds of situations you are effectively moving some of these cybersecurity tasks, to the point that you are allowing a third party to take care of them. But there might be more comprehensive transformations. They can involve inventory tracking in your office; they can involve a new customer relationship management software, something that can impact not just your company internally but your clients as well. Or, if your business is in IT, you might completely change the way you are handling the back end of your application, and maybe you are going to use a new middleware based on APIs. So there is a variety of transformations here, and with each type of transformation and each new technology that is used, there are implications related to cybersecurity. It makes sense that these implications are managed and handled with a cybersecurity framework. I see this idea of the framework as actually a potential for the growth of the business, especially when you develop an internal culture of cybersecurity among everyone, all the people working in the organization. I've seen this be very effective, especially when we foster productivity towards detecting threats, responding to threats, and monitoring threats. The idea here is that cybersecurity awareness and productivity can really drive the processes within the organization to develop your business effectively. And if that was a little bit of a theoretical discussion, of course there are many statistics that really make you think about the importance of cybersecurity from the point of view of securing your data.
We know that in 2020, 43% of attacks were targeted at small businesses. We see this happening as something that hackers try to do, maybe not because they really want to do any real damage, but because they want to test out some hacking techniques, and a small business or an organization that does not use guidelines for cybersecurity might be very vulnerable. Other data that we're seeing is related to human error. This is actually one of the main threats within our organizations, and the majority of security breaches involve it: some mistake that was made, maybe unintentionally, it doesn't need to be intentional, but it actually created a big problem for the business or the organization. And if we look in general at other problems that we see, there's phishing, which seems to have impacted 75% of organizations worldwide. Another one that is on the news pretty much every week is ransomware, and we see the impact of that in the cyber insurance claims that were filed in 2020. So again, these are all other, more concrete reasons to adopt a cybersecurity framework. Bill mentioned the different frameworks that are actually listed in the bill we're discussing today. I would like to start with the NIST Cybersecurity Framework. NIST is the National Institute of Standards and Technology. It is under the Department of Commerce. I just want to make the distinction between NIST and NIST CSF, because NIST is the Institute and the NIST CSF is the actual framework. This work started with the collaboration between the government and industry. Back in 2014, they published the first version of the framework.
There was a major update in 2018 with version 1.1, and this is the current version that is actually being used. What is a cybersecurity framework? I would summarize it by saying that it is pretty much a list of activities, a set of tasks that everyone should follow within the organization in order to protect the business. A little more detail and information about NIST, and how NIST places itself alongside other frameworks. The NIST Cybersecurity Framework is sort of a self-assessment that can be done by anyone, and it's sort of the foundation of other frameworks. The bill that was passed in July mentions NIST 800-53, which is a much more comprehensive framework; much more, because it's probably five to eight times longer than the NIST Cybersecurity Framework, because it includes more activities, more guidelines to follow. And if you are compliant with this framework, you are pretty much compliant with FISMA and FedRAMP. I wanted to highlight this one, the Federal Risk and Authorization Management Program, because this is another framework that was suggested in the bill. Another important framework that you will see out there is ISO 27000. This is more for organizations that have an international outreach, and it is actually a subset of NIST 800-53. So if you are compliant with NIST 800-53, you can actually become ISO compliant as well. Okay, but let's focus on the NIST Cybersecurity Framework. As I mentioned, we are at version 1.1. This is the one you should look at if you want to start implementing this in your organization. As I mentioned, there are many activities related to this. They are grouped into five main areas, called Identify, Protect, Detect, Respond, and Recover. To give you a practical example of what this means, let's focus on Identify.
I would actually like to ask you to participate in a poll that I'm going to launch now. Okay, so I've just launched a poll in Zoom. These are five questions related to either devices that you use, or services, or email accounts that you have. It basically gives you an idea of the type of question that you might need to answer when going through the exercise of applying NIST. So if you can, please go ahead and answer those questions. Those questions are anonymous. I would like to see what kind of statistics we get from the audience. I can see some answers coming in. I'm going to give it 10 more seconds, and then I will close the poll. Okay, so I'm going to close the poll now and share the results with you. The questions were related to the hardware that you use, how many devices you use. The majority of the audience own more than three devices that they use on a regular basis, either all of them or most of them. I think the interesting answer is to question number three: how many applications do you have on your phone? The majority responded between 20 and 40, but quite a few of you answered, I'm not sure. And also operating systems: how many of you use the latest version or not the latest version? And then email addresses. I wanted to do this exercise because, as you can see, there is a variety of answers. And this is basically related to your personal data. Maybe you are including devices that you use for work, but it's basically everything that you use on a daily basis. Imagine that this kind of inventory, this kind of question, should be done for your business, for your organization.
This is the first goal of the NIST cybersecurity framework: to identify all, you know, devices, all services that are used within the organization and then basically make sure that, you know, they are used properly. They have the latest software. There's no misuse of applications, etc. Okay, so I'm going to close the poll and this is what the area of, you know, identify means. Let's take a look at the next area, protect. And this one has to do with both people, so controlling who can access a specific network. It has to do with software like antivirus that is installed on the computers of everyone that works in the organization. It has to do with encrypting data, and by encrypting, I mean, you know, both data that you store, either locally or in the cloud, but also data that is transmitted. So, you know, if you are sending sensitive data using an email or using other services, you want that data to be encrypted. It also has to deal with backups, backups of data, not just for the organization overall or for the services that are provided in the organization, but also for the employees. And it has to do with training as well. So, you know, making sure that everyone has the basic skills, the fundamental skills to think about, you know, protecting the data, protecting the assets of the business, of the organization, the intellectual property of the organization. And so this covered the second area of the NIST framework. So, I'm not going to go over all the areas, but I did want to, you know, I did want to show you what it means, what kind of tasks, activities are required in order to comply with this kind of framework. So, it is, you know, an exercise that is comprehensive. It involves everyone within the organization. But it is a very important exercise that will help all the internal processes.
There are many resources out there that will, you know, try to help you to apply these frameworks in your organization. But I wanted to highlight three of them, because I think these are the most important ones, and they actually have very well curated guidelines on how to answer and address all the questions that I was showing earlier. So, the first one, of course, is the website of NIST itself. They have a very comprehensive description on how to use the framework. The second one is the website of the Federal Trade Commission. They actually have a section dedicated to the NIST framework for small businesses. And the third one is the National Cybersecurity Alliance, which is a non-profit organization, you know, that partners with government and industry. And they actually have on their website a program that is called Cyber Secure My Business. And this one will help you to, you know, again, go through all the tasks that are required for the NIST framework. Okay, so, you know, so far I talked about the NIST framework. And I really wanted to give you the context and, you know, some main points to start working with it. If you want to create a safe harbor in your organization and you don't know where to start, this is a great starting point. I also wanted to mention, you know, as the last topic of my presentation, a couple of programs that we offer at Fairfield. We have a Master in Cybersecurity. We also offer a Certificate in Cybersecurity. Next, starting next year, we will offer an MBA with a concentration in cybersecurity. This is a program that is coordinated between the school of business, the Dolan School of Business at Fairfield University, and the School of Engineering. But I also wanted to mention, you know, potential collaboration that we would like to have with the organizations in the area.
Many of our students go through special courses where they have to basically work on a real project, a real life project. And as an example, some of our students are actually working with the diocese of Bridgeport to implement a cybersecurity framework for them. So, you know, keep in mind that there is this opportunity open. And also keep in mind that, you know, if you can, I mean, we are open to work with you on specific tasks like a vulnerability scan or to do special experiments on software that you either create or you use, because we have a cybersecurity lab that is dedicated to these sorts of tasks. Okay, so this concludes my presentation. And if you have questions, please write them in the chat. And now, you know, this brings us to the last portion of our seminar, which is a panel. So for the panel this afternoon, we have Greg Krishenko, Eric Monda, Justin Hickey, and William Roberts. I will let them introduce themselves. So maybe we can start with Eric, just because he's the next one in my gallery here. I'd say that's a reasonable starting point. Hi, my name is Eric Monda. It's nice to meet everyone. I work with AdNet Technologies. I've been there for almost 16 years. I've been in the security field in different capacities for the past 10 years. I focus on numerous areas in the security space, primarily though, in reference to incident response. So post a malware outbreak or something to that extent, along with different types of audits and assessments. I've been around the NIST framework and similar frameworks for quite some time. It's nice to meet you all. Thank you, Eric. And then I have Greg, might this. Hey, Mirko, thanks. Greg Krishenko, I'm the head of security services at Guardian Life, and also I'm an adjunct faculty member at Fairfield University and a couple other universities. I've been in the security field for over 20 years now. I've been working in different capacities.
I currently head a whole lot of different functions at my company, meaning security operations, incident response, threat and vulnerability management, also identity and access management, and also governance and controls. So nice to meet everybody. Thank you, Greg. Next is Justin. Hi, everybody. My name is Justin Hickey. I'm the Chief Information Security Officer here at Fairfield University. We work closely with the School of Engineering and with Mirko. And Mirko, this is a great event you've put on. I appreciate these types of talks. I think it's very important. I've been in IT security for about 20 years doing a variety of different things. But right now, we're focused on keeping Fairfield University safe. And glad to be here. Thank you. Thank you, Justin. And I guess by now, everyone knows Bill, right? Okay, so in the panel we're going to go through some general questions related to cyber security, cyber security frameworks. But please, if you have specific questions, put them on the Q&A list and we're happy to address them. I would actually like to start with that. I see there is a first question from Chris. And he's asking, to what extent do you have to go in order to prove you have adopted a framework? Do you need an audit? So is there anyone who would like to start with that? Yeah, certainly. I could jump in. So, and I'm not here to sell anything, but there's always value in an outside third party audit of your cyber security framework. I think for good reason, there is often some skepticism when an internal IT staff claim that they have met a particular standard or a particular framework. Sometimes for good reason, of course, a business may not be as self-critical as a third party auditor. So therefore, their determinations and their statements may not be as credible in the eyes of a third party, such as an attorney general, for example, or a plaintiff.
So I do think you probably would want, if you're going to go through the effort and the expense of complying with, for example, the NIST standards, I think having that third party audit, not so much like a certification in any way, but in terms of a statement that you do have the policies and procedures and the processes in place to satisfy each of the, you know, let's say 400 standards of the HIPAA security rule. To serve as a useful defense, I do think you do want that third party to be coming in for that purpose. Otherwise, you may have difficulty demonstrating in fact that you have a safe harbor, especially more so than on just paper. Thank you, Bill. Eric? I agree wholeheartedly with Bill. To me, a big component is also your organization. And not all organizations are created equally. Some are much more complex, some are much more simple. Some have advanced technical staff, others don't, and they have outsourced everything. And because of that, it could be kind of challenging at times, which I think we'll go into in some components throughout the different questions that we go through. Just even interpreting what certain questions are being asked as part of that framework can be challenging. Like, NIST has over 100 controls. So to be able to know what that actually is asking and how to implement it can be difficult. So we've seen a lot of organizations kind of do like a best effort on their own, and then maybe have like a gap analysis performed where someone will come in and help give guidance along with that type of audit, as Bill mentioned, to help give them the guidance needed to get them through to the end. And I think it's one more thing on that. I think it's important to note too that there's different levels of maturity on the NIST scale. And we do audits regularly, and it's not necessarily pass-fail. This is the level of maturity you're at today. 
So what CISOs and people in the security profession strive to do is not that it's impossible to think you're going to check every single one of those boxes, but progress, right? Progress over time. Show that you're growing in maturity. To have a perfect CMMI score isn't sustainable or practical, nor does it make business sense. So it's important to keep that in mind. Yeah. And also, to what Justin was saying, it is a journey. And you have to go ahead and kind of take a baseline of where you are and then build upon it. So every year, if you're truly focused on cybersecurity and managing risk, you're going to keep chipping away at the key areas where you need to go ahead and be comfortable with. Each organization, as Eric mentioned, has its own risk tolerance, and no organization is created equal. In this case, risk tolerance may mean different things at different companies. So when it comes down to it, you have to understand what your senior leadership wants. You have to go ahead and actually achieve. And then you work towards that to go ahead and achieve it. And then focus on there's only so many resources, there's only so many dollars that go around. So you have to want to make sure you're getting the good wins when it comes to what you're going to be putting those funds in to go ahead and actually boost your cybersecurity maturity level. Perfect. Thank you. And I mean, to elaborate on that, do you think that there is a difference between companies who need to be, for example, PCI compliant or HIPAA compliant versus organizations that really don't have, like, transactions of money, etc.? I mean, can those organizations get away without an audit, a formal audit, third party audit? I think each industry is different. So depending on what industry you're operating in, you want to make sure that you're meeting the actual regulatory requirements you have for your organization.
So if you do have payment cards, you know, payment cards, you got to make sure you're meeting that. If you have HIPAA data, you want to make sure you're covering that. If you have GLBA, you want to make sure you're covering that. Also, you have New York DFS, which is the New York Department of Financial Services, which also has certain regulations and certain requirements. But then this framework is a good framework to be able to, the cybersecurity framework is a good framework to have as a baseline to see where you are. You're not going to be able to know what improvements you're able to make if you don't go ahead and actually do your own self-audit. So self-assessing is never, you're never going to be counted poorly on doing a self-assessment. It's really, you know, you're taking that action to go ahead and determine how good you're doing or where you need to improve on your security controls and your security organization as a whole. And even when there is no explicit legal requirement to be doing so, there's a couple, you know, reasons you'd want to be doing that. First is what I mentioned in my prior comments that there is value in any sort of legal proceeding. That's first. Second, there's also the importance for guidance to guide your internal IT staff, both in the short-term and long-term budgeting. The third, it actually can be in a way, you know, it's, you know, spending a small amount of money can save you money long, long term because a competent third-party cybersecurity auditor will come in and tell you what you need to spend money on and what you don't need to spend money on. They're going to help you direct your limited dollars to the most high value changes that you can be making. So I think in terms of selling anything to senior leadership, it's a short-term expense with potentially long-term value. And I think you could actually save money by bringing in a third party. We've seen that many times. 
Yeah, and additionally to Bill's point is, you know, organizations can only take on so much change at once. So a lot of these security transformations with these maturity things need to make sure that your organization can actually take on the change. You know, I've seen companies that over time have tried to go ahead and meet certain criteria and they failed because they tried to put in too much at once and, you know, they don't do anything kind of really right. So they have to go back and actually redo it. So the big thing is making sure, to Bill's point, finding the value add items and really focusing on those. And then, you know, again, it's more of a journey rather than just a destination that you're trying to get to. Makes sense. Thank you. And since we're talking about that, the implementation of this framework, what do you see, what is the main benefit that you have seen in either your organization or other organizations after a cybersecurity framework was implemented? Eric, yeah, go ahead. So there's a lot, especially with NIST, but one in particular, not to derail the conversation to another framework, but passing to our neighbors to the north in Massachusetts. It was CMR 17 back in, I think it was in March of 2010. And that regulation was put in practice in order to protect PI, personal information of residents of that state. We were working with organizations at the time who were frantically trying to get in compliance. So it's our development encryption, desktop encryption, a big list of things to do, similar to NIST and some of these other frameworks we discussed. And along that way, as you probably expect, the organization wasn't too happy about it. It was work, time, costs, things like that. We were slowing them down. But shortly after, they got fully compliant, realizing that the state of Massachusetts started hammering down on organizations not being compliant, pretty large fines. Someone actually broke into their facility.
And talking about what Bill mentioned earlier, and this is not like a financial institution, this was not something that on paper you would think would have a lot of PI, but they had their share of customer data, driver's licenses, social security numbers and whatnot. Because of the situation, someone broke in, stole probably around 10 or 15 laptops, other pieces of electronic data. When they made their report to the attorney general's office, nothing happened. They actually got commendation for their efforts of putting that policy, that framework into practice. And as an organization, they felt good about it too, like, oh, this is why compliance exists, to help protect us. We know all of our data on our laptops was encrypted, anything sensitive from a file perspective was encrypted. So it was work to get there. But when that bad thing happened, they immediately saw the benefit of their hard work because their data was safe. One thing I'll throw out there that I've seen is, it seems to loosen up budgets a little bit, right? When you bring somebody in from the outside, it's not just you saying again and again, hey, we need to do X, Y and Z. When somebody from KPMG or somebody else comes in and reinforces that, management understands that we're not just asking for this to do it and put it on our resumes. We're doing it because it's the best way to protect the company. And that's really the frameworks to me. They're just great guidelines. If you go through that entire framework, it may be costly, but you're going to have a much more secure environment when you're done. And you're never done, unfortunately, I should say. Yeah. In terms of picking up on your comment here about being never done, one of the concerns sometimes a senior leader will have is kind of like, you don't want to look beneath the hood type of an argument, being like, I think everything's fine. We have two and a half IT people. One of them knows a little bit about cybersecurity. I really just don't want to know.
And they often will ask us, is it worse to create this paper trail of negative findings? And that's a valid question. I completely get it, particularly because lawyers so often tell people, don't put bad things in writing. So why do I want to have a third party come in and just tear us apart? So when addressing that issue, and I think, again, it's completely valid, I think it's important to recognize, to pick up on Justin's comment, that it's an ongoing process, that in some ways the worst thing you could have other than no audit is a perfect one. Out of all of the incidents we've handled, we had one in California where the chain of medical practices said, oh, we have this HIPAA certification, like this little sticker they got, and it said they're 100% HIPAA compliant in every single way. Not a single risk management plan based upon their audit was nothing. It was blank because they were absolutely perfect. This third party said, perfect. I was like, really? I didn't know. That was impossible. That raised more questions with the regulators than it solved, honestly. It really did. It's not about being perfect. It's absolutely not about having this gold star, getting the A plus rating. It's about identifying your weaknesses, identifying your room for improvement, and coming up with a plan to address those. You can't, as has been mentioned, you're not going to be able to address all of them unless you are the most profitable company ever, and you're not going to be able to do it quickly. It's about knowing what your issues are and how to address those. That is not seen, with the exception of some plaintiffs' lawyers, but it's not seen by the regulators, and I know some are on here, so I don't want to speak for them too much, but in my experience, knowledge is not seen as a bad thing. Transparency is not seen as a bad thing. Yes, plaintiffs' lawyers will go off, but it doesn't really go anywhere.
Plaintiffs' lawyers complain about everything, so it is important to recognize that you're not going again for this gold star A plus plus 4.0. You're going for transparency and knowledge. Thank you. Thank you for that. The bill that we discussed today is focused on creating a safe harbor, but the starting point is to basically avoid breaches of personal data and restricted information. What are the minimum best practices that your organization applies for protecting this information? Are there some guidelines that you guys would like to share with the audience about this? Eric? I feel like this is a really important topic. A lot of consideration can be given to it. I'll just mention one thing that I find to be really critical that I've seen in the field. You have to know where your data is. I've been involved in so many incidents, compromises, breaches over the years. It's like, well, I don't have that data. As you begin investigating, like, no, you have 400 social security numbers here. You have this there. You have that there. We see that quite often where organizations don't have a good grasp on what type of data they have, or even if they do know. Like, hey, we know we have social security numbers somewhere, or we have driver's licenses somewhere. It's scattered in so many different locations that they have a hard time keeping a grasp on it and knowing where it is, who's accessing it. So for me, one of the most basic, simple things that you could do is try to have a good understanding of the data you have and where it's stored. Definitely agree with that. Anybody else that has some tips to share? Yeah, sure. I'll go. Very similar to Eric's comment is once you know what data you have and where it is located, you want to understand what requirements apply to it. It's amazing how many times we get a call from a random car dealership and they say, we need a HIPAA compliance program. I say, why? Do you have a self-funded benefit plan?
No, we get our insurance from Cigna. Then you don't need, that's not what you need. It's not what you need to be spending money on. We saw that a lot with GDPR, the European Union privacy law. A lot of companies wanted a GDPR plan, even though they had absolutely zero exposure to GDPR. So you want to really focus your IT spend on the requirements applicable to your business and the requirements applicable to your data. So by understanding, as Eric mentioned, what you have, then you could look to be more narrow. We saw one of my slides where I listed all of the frameworks under the State Safe Harbor Law. You need to know which one of those makes sense. If you don't have any card data, who cares about PCI? If you're not a covered entity or business associate under HIPAA, who cares about the HITECH Act? And pressing the pause button to do some of this preliminary work will allow for the cybersecurity work to be much more focused and much more appropriate. Okay. So staying on the topic of protecting the data, but also using different services. Today, all organizations basically use some sort of cloud-based service. And maybe one of the reasons is that they think that the main benefit of this approach is that it's a third party's responsibility to protect the data. So in that kind of scenario, does this mean that the organization does not need to worry about cybersecurity anymore? Or are there any best practices that should be followed in that situation as well? Eric? To me, this was a really excellent question because it happens often. You see these massive organizations that are really leaders in the cloud space like Amazon, AWS, Microsoft with their Azure and Office 365 platforms. And they kind of build this false sense of security. You're spending this money, you're on their backbone. You think you're receiving this top tier level of security, but most of these services are a la carte. You get what you pay for.
So what happens is this, organizations invest and move the data to the cloud, which I'm not discouraging. Pretty much every organization needs to have a good cloud strategy these days. But part of that strategy has to be assessing the security and the risk associated with it. And what we've typically seen is that any compliance, any regulatory components, any frameworks equally apply to what is in AWS as to what's in Azure. And there's tons of articles out there that could help organizations to secure them. So there's NIST frameworks that can be implemented for your Azure or AWS workspace. There's CIS frameworks that could be implemented for those spaces. You'll find that all of them will talk about, hey, you need to have multi-factor. This is not a day and age where you can get away with single authentication. You need to have that out of the box though. They're not enforced. They're not required. You have to go out of your way to do that sometimes. It requires additional spending. But those are things that need to be considered. So I would just mention that as one. I'm sure others will want to add on to that. Yeah, I'll just add on that. And one of the biggest risks today, and this is somewhat new, is misconfigured cloud. And just as Eric said, out of the box, we have a cloud set up. And when you get in, you start looking at the settings, they do kind of default to rather insecure settings. So you can never, by outsourcing, I don't think you can ever be free of the risk and the work that needs to be done. You do have to become an expert on managing whoever is managing that for you though. So the risk doesn't go away by any means. Also, with going to the cloud, it is what's called a shared responsibility model, where the cloud provides you with the service. It's like the power company. How you want to go ahead and actually use it is on you as a customer. So you need to go in with what your expectations are to get out of it. 
It's just this point, definitely there are more less secure setups or less than optimal setups that are actually there today. But there are technologies out there that you can use that can kind of do some double checking to make sure that you've configured it correctly. So those would be solutions that you have to go ahead and purchase as an additional add-on. But if you're going to the cloud, misconfiguration and multi-factor authentication are probably your two major things that you want to make sure you're covering, as well as also logging, because something will go wrong and you want to be able to track back what's going on. And then make sure that the access is appropriate for whoever is doing access within your cloud or set of clouds or SaaS providers. Make sure that the access is tied correctly, because one misconfiguration on the access side and somebody can actually really do some pretty extensive damage on your environment. Yeah, and this, oh, go ahead, Eric. I was just going to add, I'm glad Greg mentioned that. I'm a huge advocate for auditing and logging. Most organizations have very minimal auditing and logging enabled out of the box. Windows, by its nature, has minimal out of the box. That's one of the huge benefits I personally find with the cloud, is that there's much more advanced levels of auditing. Granted, to truly get the most out of it, you need to go out of your way and configure it appropriately. But Bill mentioned this during his initial presentation, is that so much with these incidents, you can't prevent a breach, you can't prevent some type of incident from happening, they will happen. There's no question behind it. But it also comes back to how quickly can you confirm that it happened, how quickly can you then investigate and respond. And you can't really do that clearly if you don't have the appropriate levels of logging. You might have sensitive data like we talked about earlier. You know where it is.
If you have detailed logging and you could prove with absolute certainty that the threat actor or attacker didn't get it, that's a huge win for you from a breach perspective. If you don't have that, if you don't have good auditing, you don't have good logging, then it becomes very subjective. Legal counsel is going to have to make a guess on the likelihoods and all those other things that need to be considered. So when it comes to the cloud, especially, same with internal though, having a very strong audit policy and log retention policy is super helpful. Yeah, logs and forensics, absolutely. You got to have that. Accountability is crucial. I'm glad to hear we're talking about logs. We all love logs on this board, right? Yeah, it's never exciting stuff, but it definitely helps you when you're in a pinch. The most important thing we do is logging. And I think one of them, for sure. And then making sure you're monitoring it for what things could go wrong as well. Because even if you're logging, if you're not monitoring, you open yourself up, because bad things can be happening if you're not looking at the logs. Yeah, so another point that I think we can explore from Greg's comment earlier is the human error. Because I think it's one of the main threats in cybersecurity, as I mentioned in my presentation as well. So how does your organization help employees improve their skills in recognizing things like phishing, scams, social engineering, fake websites? Yeah, I'll take that one if that's okay. Just about every company out there, I hope, does some kind of annual compliance training for their employees. I think that's kind of table stakes nowadays. But above and beyond that, you have to test your employees. They're not going to love you for it. But you have to set up a fake phishing system. You have to phish them regularly.
You have to be able to kind of pull up a report card on each of the users, on each of the employees, showing how they've done over the years. And I think most importantly, though, you have to take kind of a kinder, gentler approach to training. When some of these people fail a couple of phishing tests or they pick up the USB drive that you planted and plug it into their computer, they're going to be a bit defensive. And that's understandable. We try to have like a kinder, gentler approach. Look, you're not in trouble. We're glad that we've helped identify this weakness. Let's work on it. The days of getting angry or shaming people for failing these things are over. And I'd say the biggest reason is because these people can become your biggest strength. We've had people, and it's people you would never think would fall for things. Some of the most intelligent people you know, they can be tricked. They're busy. What we try to teach them is slow down, examine each of these messages, each of these threats, and just think about it. Everyone is so busy, they're ripping through things. And that's why phishing is so successful, because people have so much mail, they're trying to get through it all. So we've successfully turned some of our biggest offenders into our biggest heroes. They're out there spreading our word now, which is good. So you really have to take that into account. You have to consistently test your employees to make sure they're up to the job. And if they're not, you have to give them the training to get them where they need to be. Yeah. And on top of that, what Justin has mentioned is also find your internal champions. You know, the people that, to Justin's point, you would never think would be an actual champion really can go ahead and help really cascade the message down of how important security truly is. Another big thing that we've also seen over time is making sure people are aware.
So having things like, you know, a security champions program, or for things where you're starting things that are grassroots, get people talking about it, really goes in and helps. Social media has been a great thing I've seen in cases where we might do a USB stick drop or a phishing test. And some of our early career folks or even some of our security champions might actually alert the entire organization of it. And it's a great thing to actually see that, you know, the human factor of crowdsourcing information and finding things that may, you know, seem a little bit off and getting people's guard up really goes in and actually helps benefit in that scenario. So I think as you can find that the personal aspects of it, you can really make sure that it actually helps benefit your organization. Yeah. And then to just add to Justin and Greg's comments, I'm a huge fan of that. I love how you mentioned that, Justin, about the commends. We've seen many organizations where they shame their employees. And because of that, they hide doing what they shouldn't, not purposely, but they click that link and they feel bad, but they're not going to report it because they don't want to be in trouble for doing something accidentally. That leads to a lot of bad situations. But that to me is really helpful for like the end users, the security awareness training, the phishing, all those recurring PSAs: Hey, there's this type of event going on. There's this new type of threat that's emerging. Please be careful about these types of emails. But even on the technical side, there's a lot of benefits that can be done. Be as human if you think of depending on the size of your organization, if you do have like an IT team, maybe it's even small, implementing simple things like change control where before a change is made, a request has to be submitted, has to be reviewed by a peer to make sure like, well, why are we making this change? Is it really needed?
What are the potential impacts by implementing such a change? And then if you have even the possibility of auditing such changes after the fact. NIST and these other frameworks recommend regular risk assessments. And that's great. But there's a lot that could happen between your annual risk assessments, so if you're able to implement controls internally to kind of help spot check human error, that can go a long way as well. Great. So are these also guidelines to sort of prevent or prepare your organization for new threats? And do you have other suggestions to do that? How can an organization prepare themselves for new threats, new malicious attacks or ransomware, for example? Is the safe harbor a tool that can help companies with that? I'll start on that. So in most instances, the cybersecurity frameworks mentioned by the safe harbor law will include some component of incident management and incident response. And that's really where I would start on the non cybersecurity safe side, the non technical side. Because your employees, they need to know what to do quickly when they click, when they inevitably click on, when they fall for a phishing scam. When that happens, they need to know what to do. You want something on your desk, on their desktop or something to say, should something happen, you contact security at so and so, you call this number. And you want people to feel safe doing that. There sometimes can be a tendency among HR departments to enforce rules very strictly. And in my mind, very counterproductively. We don't want to punish people for clicking on a phishing link. We don't want to punish someone for falling for, for inadvertently allowing ransomware to occur. There are times and places for punishment. There's plenty of bad actors out there. There's plenty of insider threats, but falling for a sophisticated phishing link is not one of them. We want people to feel safe that when they report this, HR won't be knocking on their door. 
We want to make it as seamless as possible. We want to make sure that they can do it when they're at work. We want to make sure they can do it when they're at home, when they're on vacation in a foreign country, when they're on vacation in Finland in a very different time zone, that someone back at the company will be checking those reports, that it will go to a distribution list. We know people aren't on leave. We know people aren't sleeping, for example. That is the first step of it. And then the second step, again, which these frameworks will help you with, but so much of it is your internal business, is taking the framework and applying it: who's in charge. Knowing your team is vital, knowing who at your company is going to be in charge of an incident, knowing who to be calling, knowing who your attorney is, knowing, if you have cyber security insurance, who to contact there and when. Having a relationship with an outside IT or forensic firm is very important as well. This isn't the time to start interviews, for example. So encourage people to be open about these things, give them the tools to report them quickly, ensure that the reports are taken in promptly and ensure that there's a team on standby ready to go and knowing who your support is. And those are key points that carry through any of these frameworks and that will allow you to start on day zero to have a timely and appropriate response to even the most devastating of events. One thing I'd add to what was just mentioned is looking at testing your plan and testing it regularly. So you might look at things like a tabletop or war game where you're bringing up a certain scenario or attack scenario and you're exercising your plan to see how you would respond. And the best way to go ahead and actually test out your plan is when you're not under crisis. 
So if you have the ability to go ahead and actually test yourself out in advance by bringing in another third party or just having people sit down around the table and kind of say, this happens, what would you do next, to just test out how that plan would operate? You can find potential gaps in your plan by just doing a walkthrough and having that done in a more non-threatening type of way, making sure that people don't feel like they're on the defensive if something gets missed. You'd rather go ahead and be putting your plan together and actually execute your plan to perfection when the actual event does go ahead and actually occur, because it's not more of if, it's more when it's going to be there. You want to make sure you're prepared for that. Yeah, exactly. And the thing I would like to add, Mirko, you asked a question about ransomware. That's a huge buzzword. Everyone's concerned about getting ransomware. To me, a huge advocate, we've highlighted it numerous times throughout this panel and even the presentations beforehand, there's no way to be 100% void of any type of malicious attack. At some point, an incident will occur. It's inevitable. There's a lot of good things you could do to help prepare response times, your detection times, things like that. But just speaking from experience from incident situations I've been involved with, talking about the benefit of implementing a framework like NIST. Over the past three months, there's probably been five or six incidents associated with ransomware I've been involved with. Every single one was associated with a vulnerability in a system for which patches were released back in March and April. If you and your network followed a framework like NIST that talks about having regular patching, regular vulnerability management, trying your best to stay on top of it. We're not talking about these nation-state attackers trying to break in through your front doors. That happens. 
We heard about SolarWinds and some other things where those big supply chain attacks do occur. That happens. Sorry, there's nothing anyone can do about it. But a lot of the things you hear about in the news about these schools and local municipalities and businesses, a lot of times when they get these ransomware events, it's like low-hanging fruit. If they just performed a reasonable framework like NIST, in many situations the possibility of that attack happening would be greatly mitigated. Again, the past five or six that I've been involved with during the past two months, if they followed NIST to a reasonable degree, again, as Justin mentioned, not perfect, but we're on that journey, odds are they never would have experienced these ransomware events. These frameworks do help in many ways of mitigating your risk and impact from these types of attacks. And a lot of it, like you're saying, Eric, is foundational stuff. You have to be able to patch all of your systems quickly. And if everybody had all their systems patched quickly, there'd be a lot less ransomware. I think you're right on. The municipalities and small businesses that are getting hit, they're low-hanging fruit. They just don't have the resources to build a cybersecurity framework or they just haven't had the time. But yeah, so much of this would be a non-issue if everyone patched their machines in a timely manner, had a plan and a deployment system that could push out patches in a matter of minutes, not hours or days. I think great insights about what each organization should do. So let me ask, I'm going to switch gears, but I want to ask one last question about cybersecurity insurance. I think organizations would be interested to know about having cybersecurity liability insurance. Should all organizations have that or not? I'll start with that. I think you need to have a really good reason not to have it, honestly. But the important, just as equally important, is ensuring the type of policy you have. 
I look at a lot of these policies and we always say, Swiss is bliss, but Cheddar is best. And it's amazing how poor some cybersecurity policies are. I mean, the holes are just enormous. I mean, we had one recently where an insurer denied coverage because our client purchased a cybersecurity policy that excluded criminal acts. And it's like, well, what kind of breach would there be that's not a criminal act? What are you talking about? But it was a really cheap policy. It was very, very basic. And we see things like that. Eric mentioned the SolarWinds and nation state actors. Sometimes policies exclude breaches carried out by a nation state. So the short answer to this is yes, but really spend the time finding the appropriate broker and don't just buy an off the shelf policy. The market for cyber insurance, in my view, is not nearly as mature as what you would have for auto or home or life. The insurers simply don't have a great grasp on the metrics, which is completely understandable given the incredible variation in cost, given the constantly evolving threat environment. It's very difficult to price out policies and produce policies with data that you just don't have consistent figures for. So finding the right broker, spend some time finding the right policy. Don't be afraid to review the policy. Don't be afraid to negotiate the policy. Really not. I know you probably are thinking, negotiate insurance? I would never call State Farm to negotiate, you know, the fine print in my auto insurance. I'm just looking for the cheapest one or something. But with cyber it's really different. Again, it's not like life insurance or homeowner's insurance. It's much more customized. It varies much more in quality and coverage. So you want to spend some time looking through the exclusions and negotiate it. Really, you want to negotiate. 
If you're a large enough organization, the insurer will work with you because they're out to sell the policy and they want to sell a policy that's going to be appropriate. So it's a long-winded answer of yes, but be careful. Yeah, I would just add on there. Cyber insurance has not been very profitable for the past five years for cyber insurance holders or for businesses. And it's becoming almost difficult to get. If you have cyber insurance, ask yourself, do you have enough? And, you know, another point I'd like to make is another benefit of cyber insurance is if you ask for enough, they're going to ask you to meet certain standards. So it's almost like a framework amongst itself. They will check you. Make sure you have the components of a NIST framework in place before they will insure you. I think that's kind of the future. They're going to start assessing you as you do this. And one last thing I'll say, test your cyber insurance, call them, file a claim, and see if they're living up to their SLAs and their agreements, because you might be surprised. How often are you going to actually file a claim? It's important to file a claim and make sure you're comfortable with that process. I'll just chime in. It's not unheard of in my world for a client to call their cyber insurance about ransomware and not hear back for three or four days. And by that point, the insurance is pretty much worthless because you can't wait that long. You need to go out and get things started. So you want to be looking at that. And also, to the point about cost, in one of my slides I mentioned the value of the frameworks aside from the Safe Harbor is exactly what was just mentioned by Justin. These frameworks can lead to cheaper insurance costs. They want to insure. It's like, think back to auto. They want to insure the safe driver. They want to insure the person who drives the speed limit. These companies want to insure the companies that are NIST compliant. 
So your premiums will be better. Your retention particularly will be better. And so you want to watch that as well. Some of these policies come in with really high retentions, almost making them useless except for the company kind of event. So a lot of those things, but the framework here is valuable to lower your costs and actually get coverage. Just one thing to add. It's in harmony with what was just previously mentioned. We've seen two organizations within the past few months that did experience ransomware events, did not follow any framework, did not have really strong security practices prior, and when their coverage lapsed, the insurance provider would not renew it unless they provided evidence that they performed a level of security work like a risk assessment. There was a big list of things that they needed to do, and not to mention the premium kind of skyrocketed after that, but it highlights the point. All of these are standardized components of these frameworks like NIST, CIS, ISO. So if you're doing those already and you're looking to renew insurance, costs are going up, you're already going to be ahead of the game from that perspective. Hopefully a lower premium and better coverage. So that's, you know, a win-win. Yeah. And then to the point of cyber insurance getting more mature than what they've been in the past, they're definitely doing more of a deep dive into what your organization is capable of doing. Yeah, where are you from a maturity standpoint? What controls do you have in place? How are you doing there? They'll also go ahead and look to see, you know, what capabilities you have that can potentially help withstand kind of something like a ransomware or a denial of service attack. And one of the other things that we've seen, you know, is just that it continues to increase from a cost perspective. 
I think what I've seen, and speaking with some of the brokers, is, you know, the costs, if you already have an existing policy, have doubled year over year because of all the losses that have ensued from a cyber insurance perspective. And if you do actually experience an incident like those mentioned, you may also think about having a broker who contacts the bad actor. They will actually do kind of conversations with the bad actor, try to negotiate that while you're working on getting paid by the cyber insurance company to have the money later. But there are companies out there that can go ahead and actually help, you know, negotiate with the bad actor when something does go ahead and happen. If you're looking to do that, there's also things that are happening from a government standpoint that say if you pay a bad actor and it's in an OFAC country, you may actually be subject to sanctions or financial penalties. So you have to be careful of who you're dealing with. And some of these brokers, from a bad actor perspective negotiating on ransomware, they can sense some of those things. And that's where sometimes you may get the authorities involved to help you make the right decision. Okay. Thank you, everyone. I think that we are done with the panel. And so I would like to thank the audience for joining the webinar. I am going to start a quick three-question survey to, you know, get your feedback about the webinar. I would also like to thank very much all the panelists and their really valuable insights, not just about the, you know, safe harbor and the bill, but about a lot of the tips related to cyber security. So thank you, everyone, and enjoy the rest of your night.