1
00:00:00,000 --> 00:00:04,840
Welcome everybody to today's CIT Tech for Business podcast.

2
00:00:04,840 --> 00:00:09,880
We are now three podcasts in and you may have gotten an inkling that we are kind of bouncing

3
00:00:09,880 --> 00:00:10,880
all over the place.

4
00:00:10,880 --> 00:00:14,280
Our favorite thing here is to talk about all of the tech tangents.

5
00:00:14,280 --> 00:00:18,180
So do know that at any point if you have an idea, something that you want to have these

6
00:00:18,180 --> 00:00:22,260
guys talk about, a question you want answered, you can always send those on over to info

7
00:00:22,260 --> 00:00:29,000
at CIT-net.com, and we're more than happy to tangent right along with you and answer any of

8
00:00:29,000 --> 00:00:31,800
those questions week to week as we get them.

9
00:00:31,800 --> 00:00:37,000
Today we are going to sit down with Kyle and Todd and talk about SEC compliance.

10
00:00:37,000 --> 00:00:40,000
Kyle, Todd, why don't you guys introduce yourselves and get us kicked off.

11
00:00:40,000 --> 00:00:42,000
Hi everybody, I'm Kyle Leder.

12
00:00:42,000 --> 00:00:44,720
I'm the president and CEO at CIT.

13
00:00:44,720 --> 00:00:47,040
Happy to be with you today.

14
00:00:47,040 --> 00:00:48,040
I'm Todd.

15
00:00:48,040 --> 00:00:49,920
I am CIT's chief operations officer.

16
00:00:49,920 --> 00:00:53,200
I'm also the CISO at the organization.

17
00:00:53,200 --> 00:00:58,880
In case anybody doesn't know, SEC in this particular instance does not stand for the college

18
00:00:58,880 --> 00:00:59,880
division.

19
00:00:59,880 --> 00:01:02,840
This is so it's not the Southeastern Conference.

20
00:01:02,840 --> 00:01:05,400
It's the Securities and Exchange Commission.

21
00:01:05,400 --> 00:01:09,240
For those that are not aware there was a proposal that came out just a couple of weeks ago that

22
00:01:09,240 --> 00:01:13,760
was talking about some new compliance things that potentially were going to go on.

23
00:01:13,760 --> 00:01:19,680
And really largely they're focused heavily on cyber security and the risks that are associated

24
00:01:19,680 --> 00:01:21,520
with it.

25
00:01:21,520 --> 00:01:25,400
We can touch on briefly who potentially is going to be impacted on this in a minute but

26
00:01:25,400 --> 00:01:28,000
just kind of wanted to give you an idea what that is.

27
00:01:28,000 --> 00:01:32,080
So we'll share out some links as we get further along in this process.

28
00:01:32,080 --> 00:01:35,360
So for those that are listening we'll talk to it the best we can.

29
00:01:35,360 --> 00:01:39,160
For those that are watching the links will be added when we go through this at the end.

30
00:01:39,160 --> 00:01:44,480
So just kind of giving a real super high level of what's going on, there are recommendations

31
00:01:44,480 --> 00:01:51,280
from the SEC that when a cyber security incident happens that organizations need to disclose

32
00:01:51,280 --> 00:01:52,280
the incident.

33
00:01:52,280 --> 00:01:56,720
And currently the way it's framed up is it's within four days, which is as soon as they found

34
00:01:56,720 --> 00:02:02,040
out there's something material which is pretty soon or pretty early I mean they need to disclose

35
00:02:02,040 --> 00:02:06,520
their policies their procedures for managing risks and the cyber threats.

36
00:02:06,520 --> 00:02:10,920
They want to make sure that they disclose the board mechanisms for cyber security risk

37
00:02:10,920 --> 00:02:17,680
oversight and they need to disclose cyber expertise on the board of directors.

38
00:02:17,680 --> 00:02:22,160
So I'll start there and then I'm going to ask Kyle a question: Kyle, who does this

39
00:02:22,160 --> 00:02:23,160
impact?

40
00:02:23,160 --> 00:02:28,200
It's going to impact any of your publicly traded companies.

41
00:02:28,200 --> 00:02:33,040
Obviously comes through so your larger companies even some smaller equity based ones that are

42
00:02:33,040 --> 00:02:37,800
looking for public funding side of it's going to add significant cost and operation sides

43
00:02:37,800 --> 00:02:41,840
on to how you are protecting your systems.

44
00:02:41,840 --> 00:02:44,000
So it's pretty far reaching.

45
00:02:44,000 --> 00:02:49,120
I mean there's a lot of controls that they're talking about here.

46
00:02:49,120 --> 00:02:54,120
And the time frames they're talking about are very short, you know, I think that's the part that

47
00:02:54,120 --> 00:03:00,720
really jumped out to me is the how quick they want the notification to come through because

48
00:03:00,720 --> 00:03:03,360
these things are complicated.

49
00:03:03,360 --> 00:03:06,880
There's a lot to those things and I don't know about you, Todd, but I looked at that, I'm like

50
00:03:06,880 --> 00:03:10,400
wow that's that's quick turnaround.

51
00:03:10,400 --> 00:03:15,400
And the bigger you get I think the harder that becomes you know a smaller organization

52
00:03:15,400 --> 00:03:21,440
could be fairly nimble I think to have a pretty good idea of the significance and where the

53
00:03:21,440 --> 00:03:26,800
information's at but you know a large organization to really kind of get a handle on things could

54
00:03:26,800 --> 00:03:32,520
take quite a while, granted they're looking for, you know, getting their

55
00:03:32,520 --> 00:03:37,480
policies out and everything, and not all the full information, but still that's

56
00:03:37,480 --> 00:03:39,920
very quick.

57
00:03:39,920 --> 00:03:45,760
And that's going to require you know I think a lot of them to look at their existing tool

58
00:03:45,760 --> 00:03:51,000
sets and definitely looking at their policies and certainly looking at their controls and

59
00:03:51,000 --> 00:03:59,080
really being able to, you know, disclose things very quickly, which is ultimately

60
00:03:59,080 --> 00:04:00,920
what the SEC is asking for here.

61
00:04:00,920 --> 00:04:06,800
So a couple things I'll add on to that, just to kind of clarify, this is not finalized

62
00:04:06,800 --> 00:04:11,880
so it is certainly possible it will change but I kind of wanted to throw a little background

63
00:04:11,880 --> 00:04:16,560
to kind of give the listeners an idea of what that actually means for most organizations.

64
00:04:16,560 --> 00:04:21,160
So when we work with our customers I would say on average it takes us about two weeks

65
00:04:21,160 --> 00:04:25,960
from the time that there's discovery to the time that we're typically recovered but that's

66
00:04:25,960 --> 00:04:31,200
as Kyle said I would consider that to be pretty nimble if you want to contrast that by what

67
00:04:31,200 --> 00:04:35,960
potentially is quote unquote the normal is you can use the Okta example that came out

68
00:04:35,960 --> 00:04:41,240
in the news just recently, that was discovered at the end of '21 I believe and then

69
00:04:41,240 --> 00:04:45,920
it took, for the most part, the vast majority of three months to say this is what we

70
00:04:45,920 --> 00:04:49,360
think happened and then it continued to evolve for another two to three weeks.

71
00:04:49,360 --> 00:04:55,080
So when you're talking four days you really have very little to no information to work

72
00:04:55,080 --> 00:04:59,000
from and go okay now I have to turn around and explain this to the world.

73
00:04:59,000 --> 00:05:03,240
Wow, that's not a great thing, not a great place to be, I would think.

74
00:05:03,240 --> 00:05:08,120
Yeah yeah that was my thought I mean they probably may have to revisit that time request

75
00:05:08,120 --> 00:05:12,680
stuff or the you know how much has to be disclosed within that four days being a much smaller

76
00:05:12,680 --> 00:05:19,840
subset and then mandating you know different tierings of data side with it but you know

77
00:05:19,840 --> 00:05:23,080
that part jumped out at me right away.

78
00:05:23,080 --> 00:05:31,960
I think the requirement for cybersecurity awareness within the board level of these organizations

79
00:05:31,960 --> 00:05:39,240
I think that's a very pro thing, I'm very much in favor of that, I think awareness

80
00:05:39,240 --> 00:05:44,520
at the board level of companies on cybersecurity if they're not already there this is a good

81
00:05:44,520 --> 00:05:50,560
thing they need to have it I think it's very important for the executive level and that

82
00:05:50,560 --> 00:05:55,120
board level operational sides of any business side to have good insight as to the risks

83
00:05:55,120 --> 00:06:01,000
that are involved in cybersecurity nowadays, regardless of publicly traded or not,

84
00:06:01,000 --> 00:06:08,840
it's just there's you just cannot ignore it in 2022 it's a significant risk to the business

85
00:06:08,840 --> 00:06:14,520
even more so than fire and theft from your traditional aspects of it this is something

86
00:06:14,520 --> 00:06:22,400
that should be considered, and there are certainly costs to the business and there are also certain

87
00:06:22,400 --> 00:06:28,680
approaches that the business needs to take into account of their liabilities when approaching

88
00:06:28,680 --> 00:06:33,840
their customer engagements, because there's so much risk involved there's, you know, there's

89
00:06:33,840 --> 00:06:37,560
that risk hot potato that you're going to have to work through with your customer sides

90
00:06:37,560 --> 00:06:42,360
on cybersecurity incidents and what that looks like so there's just a lot of high level business

91
00:06:42,360 --> 00:06:47,520
discussions that need to be in the fabric of the company in all aspects of it, it's not

92
00:06:47,520 --> 00:06:50,360
just a side conversation.

93
00:06:50,360 --> 00:06:54,720
I agree I mean to me it was quite frankly I don't want to say it was a long time coming

94
00:06:54,720 --> 00:06:59,640
but quite frankly it was a long time coming it really was I'd mentioned this to Kyle a

95
00:06:59,640 --> 00:07:04,200
couple days ago too is the last time the SEC did something like this it was back when they

96
00:07:04,200 --> 00:07:09,920
did Sarbanes-Oxley as kind of a requirement, and I believe that was 2002 or something along

97
00:07:09,920 --> 00:07:15,720
those lines and by comparison that was very transformational for organizations boards

98
00:07:15,720 --> 00:07:16,720
etc.

99
00:07:16,720 --> 00:07:21,640
Yes we love the cat if you're not cat people very sorry.

100
00:07:21,640 --> 00:07:26,400
I'm sorry for those that are just listening there's a cat on screen as I was saying this

101
00:07:26,400 --> 00:07:31,640
is a this is transformational I think to Kyle's point is you're going to see things change

102
00:07:31,640 --> 00:07:36,120
dramatically. Back when Sarbanes-Oxley came out, it's kind of hard to think about it at

103
00:07:36,120 --> 00:07:40,440
this point but there was a dramatic shift where all of a sudden organizations had to

104
00:07:40,440 --> 00:07:45,280
have that level of financial acumen added to the board and now it just seems like a

105
00:07:45,280 --> 00:07:50,280
given right you would absolutely include that well ultimately as a good outcome of this

106
00:07:50,280 --> 00:07:54,240
is I think you're going to see that security becomes a board level concern too, which it

107
00:07:54,240 --> 00:07:58,360
always should have been it's gotten so bad over the last five years that it doesn't really

108
00:07:58,360 --> 00:07:59,920
surprise me.

109
00:07:59,920 --> 00:08:03,720
The one other thing that I would say is kind of a negative at the moment is there really

110
00:08:03,720 --> 00:08:09,160
aren't a lot of quality IT security individuals out there, so if you look at the sheer number

111
00:08:09,160 --> 00:08:14,520
of organizations this will impact that there just may not be a ton of people that you can

112
00:08:14,520 --> 00:08:19,240
lean on and go hey I want you to join my board so a lot of organizations may need to reach

113
00:08:19,240 --> 00:08:23,800
outside and look for some additional help to supplement their board. On the

114
00:08:23,800 --> 00:08:27,720
bright side, the way that this is written, it's currently kind of anybody that has any

115
00:08:27,720 --> 00:08:32,840
kind of security background so it could be a security analyst or a CISO or whatever the

116
00:08:32,840 --> 00:08:38,400
case may be, so you do get to tap into basically any cybersecurity expert's expertise, which

117
00:08:38,400 --> 00:08:42,080
is great but like I said I still think it's going to be a bit of a challenge for a lot

118
00:08:42,080 --> 00:08:43,880
of organizations out there.

119
00:08:43,880 --> 00:08:51,400
Yeah I think having those individuals that you know have the security background to understand

120
00:08:51,400 --> 00:08:59,560
the potential risks and are able to bring that alongside the business aspects

121
00:08:59,560 --> 00:09:04,480
and operations of the business side of it to understand you know beyond the technicalities

122
00:09:04,480 --> 00:09:12,200
of it and really connect those two together and say you know these risks could affect

123
00:09:12,200 --> 00:09:18,760
our business because of this you know because of the way we hold customer data this is where

124
00:09:18,760 --> 00:09:23,960
customers you know they'd be able to correlate that to be able to explain it to their core

125
00:09:23,960 --> 00:09:31,680
board members in a business way is going to be the key there because you can't deal in

126
00:09:31,680 --> 00:09:38,320
technical terms with all members of the board, that's not their main acclimate,

127
00:09:38,320 --> 00:09:46,000
you know, but if you were to put those into the business operational terms and risks,

128
00:09:46,000 --> 00:09:51,120
because it's really to me it always comes back to the risk and you know put into those

129
00:09:51,120 --> 00:09:57,160
terms and how you're mitigating those risks with these new approaches to reduce it because

130
00:09:57,160 --> 00:10:03,280
that's what this game is going to be about, is risk mitigation.

131
00:10:03,280 --> 00:10:08,280
I think it's been proven over and over again that no organization is immune no matter how

132
00:10:08,280 --> 00:10:13,680
good their stand side with it if they are targeted there is a significant risk to the

133
00:10:13,680 --> 00:10:21,320
organization but there are many great practices to be done that will dramatically reduce your

134
00:10:21,320 --> 00:10:26,560
risk footprint and that's you know I know for our approach to our customer sides of

135
00:10:26,560 --> 00:10:33,280
it, Todd speaks very in depth on this side of it, but that's what it's about, I mean putting

136
00:10:33,280 --> 00:10:37,840
in a framework and reducing a lot of the risk, I mean if you're a gambling person

137
00:10:37,840 --> 00:10:44,720
your percentages drop way down, and that's usually what it's about today.

138
00:10:44,720 --> 00:10:46,720
I kind of.

139
00:10:46,720 --> 00:10:47,720
Go ahead.

140
00:10:47,720 --> 00:10:52,000
Sorry I just wanted to pose a question so if I'm an organization that this is going

141
00:10:52,000 --> 00:10:57,680
to be affecting me later down the road right now this communication has gone out what do

142
00:10:57,680 --> 00:11:03,040
I do in order to be proactive so once this thing is finalized then I feel comfortable

143
00:11:03,040 --> 00:11:07,880
that I have X, Y and Z in place so can you give me a little bit of background of like

144
00:11:07,880 --> 00:11:11,720
if there's an organization where do they start from this point?

145
00:11:11,720 --> 00:11:17,640
Sure I mean I'll start and Kyle can fill in the blanks but one of the big takeaways that

146
00:11:17,640 --> 00:11:21,840
I had from the article just in general is that compliance is coming right if anybody's

147
00:11:21,840 --> 00:11:25,280
listened to me talk over the last year and a half I've been kind of saying you can see

148
00:11:25,280 --> 00:11:32,200
it starting to creep up whether that was starting with CMMC that started to impact the manufacturers

149
00:11:32,200 --> 00:11:36,480
or the executive order that came out that anybody working with the government needs to start

150
00:11:36,480 --> 00:11:40,400
to become compliant with things you can see it's continuing to tick up and again it's

151
00:11:40,400 --> 00:11:46,000
ticking up now for anybody that's governed by the SEC, so to me that's kind of

152
00:11:46,000 --> 00:11:51,520
the main takeaway that being said there are a lot of core functionalities and frameworks

153
00:11:51,520 --> 00:11:56,240
and they're all designed to reduce risk to Kyle's point so you know looking at risk you're

154
00:11:56,240 --> 00:12:00,360
looking at a variety of different things whether that's stuff that comes out generally so if

155
00:12:00,360 --> 00:12:04,320
you had a cyber attack you're looking at financial risks you're looking at potentially if you're

156
00:12:04,320 --> 00:12:11,120
a an organization that is traded you're going to have some equity problems and concerns

157
00:12:11,120 --> 00:12:15,360
and then, you know, if we even get into this, some of the down strokes, or the downsides,

158
00:12:15,360 --> 00:12:19,320
could be potentially any litigation that comes from it but all that being said is if you

159
00:12:19,320 --> 00:12:23,840
look at common frameworks that are out there, and you can use NIST or COBIT or a variety

160
00:12:23,840 --> 00:12:28,000
of others they're all designed to start to lower that risk and there's core places that

161
00:12:28,000 --> 00:12:32,800
you should be focusing on, this kind of gives you a little bit of a framework too, right, you

162
00:12:32,800 --> 00:12:37,600
should put in somebody that's got some security wherewithal and start looking at how do you

163
00:12:37,600 --> 00:12:42,080
get that advice if you're going to be under a regulation obviously you're going to look

164
00:12:42,080 --> 00:12:45,760
at trying to add that individual to the board but if you're not and you can see this coming

165
00:12:45,760 --> 00:12:49,640
at some point down the road which I would say it likely will you'd start to work with

166
00:12:49,640 --> 00:12:53,680
those organizations that do have the wherewithal and then they can help you build the framework

167
00:12:53,680 --> 00:12:59,240
where do you start is it cyber security training is it controls or is it security tools that

168
00:12:59,240 --> 00:13:04,160
you can put in place that help you start to reduce the risks that are associated with

169
00:13:04,160 --> 00:13:06,200
various different types of attacks.

170
00:13:06,200 --> 00:13:13,080
Yeah, yeah, no, I would agree with all that I think you take if you are publicly traded

171
00:13:13,080 --> 00:13:20,360
and you're starting to prepare for the likelihood that this does come into law, side with

172
00:13:20,360 --> 00:13:25,200
it that you start taking some steps now that if your board has not incorporated this and

173
00:13:25,200 --> 00:13:29,560
do it now I mean I think starting to take those steps to create the board seat that

174
00:13:29,560 --> 00:13:35,560
brings in that cybersecurity individual at the board level is a good move

175
00:13:35,560 --> 00:13:39,040
regardless of the regulatory requirement.

176
00:13:39,040 --> 00:13:43,360
You know, I know there are many large companies in the United States that have already taken those

177
00:13:43,360 --> 00:13:47,320
steps sides with it you know and I think you know if they haven't they should be doing

178
00:13:47,320 --> 00:13:52,200
it already if you're not publicly traded I think you should consider having somebody

179
00:13:52,200 --> 00:13:58,600
with cyber security awareness on your personal private company board to have those insights

180
00:13:58,600 --> 00:14:03,700
in there if they haven't done that already that individual himself then I think should

181
00:14:03,700 --> 00:14:08,880
align themselves with security framework practice as Todd mentioned some of those I think you

182
00:14:08,880 --> 00:14:15,880
adopt a framework, and that starts to become part of the discussion points for the

183
00:14:15,880 --> 00:14:21,240
board and I start to make them aware of what that framework is and what the risks are and

184
00:14:21,240 --> 00:14:28,000
then have those discussions on how you're remediating those risks because that's if

185
00:14:28,000 --> 00:14:32,000
that becomes part of the normal business practice self on it they're moving in the right direction

186
00:14:32,000 --> 00:14:39,160
on how to approach this side with it, that's a big takeaway for them to do right

187
00:14:39,160 --> 00:14:42,640
now that's why I like so much about this topic because whether you know this topic obviously

188
00:14:42,640 --> 00:14:48,520
is targeted at a publicly traded company, but I think the results for even a private

189
00:14:48,520 --> 00:14:56,280
one to adopt what they're talking about here is strongly recommended, and as Todd alluded

190
00:14:56,280 --> 00:15:01,720
to, we firmly believe too, other regulatory requirements are coming down the pipe even

191
00:15:01,720 --> 00:15:06,800
for private organizations through affiliations and whatnot you're going to be more than likely

192
00:15:06,800 --> 00:15:11,680
associated with some kind of regulatory requirement in the near future.

193
00:15:11,680 --> 00:15:17,640
Just to kind of expand on that, so if you look at how the world has kind of been transforming,

194
00:15:17,640 --> 00:15:22,080
is if you did business with the Department of Defense you kind of had some pieces in

195
00:15:22,080 --> 00:15:26,080
place already and you already know your regulations with DFARS and a variety of other things,

196
00:15:26,080 --> 00:15:31,280
but then they started to say well if I'm doing business with any other partner third party

197
00:15:31,280 --> 00:15:35,280
so you're working with just as an example you're working with an organization like CIT

198
00:15:35,280 --> 00:15:38,960
you're going to be looking to that partner and saying hey what do you do and that's going

199
00:15:38,960 --> 00:15:42,920
to be true of any of these publicly traded organizations as they're going to go okay well

200
00:15:42,920 --> 00:15:48,480
do I work with this other organization downstream a little bit any third party is going to naturally

201
00:15:48,480 --> 00:15:53,160
get pulled into that and saying okay you now need to be compliant on a plus side as you

202
00:15:53,160 --> 00:15:57,320
start to get in front of this that actually becomes a differentiator for you you can go

203
00:15:57,320 --> 00:16:01,800
hey there's quick ROI because I can win business that my competition can't because I put my

204
00:16:01,800 --> 00:16:06,200
ducks in a row, so I mean there are some boons for companies out there too, so

205
00:16:06,200 --> 00:16:10,760
I had to throw that in because it's tech for business, right, so there are good

206
00:16:10,760 --> 00:16:15,760
reasons to do this for your organizations is it does set you apart it does get you in

207
00:16:15,760 --> 00:16:19,880
front of it it gets you going in the right direction and it's good basic hygiene in addition

208
00:16:19,880 --> 00:16:27,440
to... Yeah, yeah, there's a definite win-win component to it, to allow those, you know, take those necessary

209
00:16:27,440 --> 00:16:31,640
steps now or start moving those directions because it's going to pay dividends being

210
00:16:31,640 --> 00:16:37,400
an early adopter, and those businesses that have already done it, you know, commend you for

211
00:16:37,400 --> 00:16:43,160
already taking those steps sides with it and continue to work through it but you know

212
00:16:43,160 --> 00:16:48,240
as we approach many organizations we find that their hygiene is not at that level

213
00:16:48,240 --> 00:16:53,640
where they need to be and it's usually just they don't know what they don't know and

214
00:16:53,640 --> 00:16:59,480
knowledge is definitely power in this subject, so getting that information again at

215
00:16:59,480 --> 00:17:05,880
the board level so leadership can understand the risks, so they can make the necessary investments

216
00:17:05,880 --> 00:17:12,520
into how do they improve it.

217
00:17:12,520 --> 00:17:17,240
You know, I don't know what you've seen, Todd, I mean usually, you know, what

218
00:17:17,240 --> 00:17:22,160
has come from organizations who don't do the preemptive approach side with it it's usually

219
00:17:22,160 --> 00:17:27,200
unfortunately after an incident occurs then all of a sudden you know the spend is done

220
00:17:27,200 --> 00:17:30,960
and that's what we definitely want to avoid, and we hope, you know, this type of

221
00:17:30,960 --> 00:17:36,840
discussion, you know, leads to early steps to, you know, avoid that being the reason

222
00:17:36,840 --> 00:17:41,600
for change in the organizational structure side with it, because that's a painful

223
00:17:41,600 --> 00:17:47,200
process, we witness it, it's not pretty, you know, and the damage is to the business

224
00:17:47,200 --> 00:17:53,360
just from obviously the cost and downtime but then just a long term you know damage

225
00:17:53,360 --> 00:17:58,320
to the reputation of the business side of that and the possibilities for litigation, as

226
00:17:58,320 --> 00:18:03,080
Todd talked about, you know, those are talking points we don't want to

227
00:18:03,080 --> 00:18:09,680
do you know and I think you know you can take some steps now if the business learns to make

228
00:18:09,680 --> 00:18:15,480
some early investments and priorities around it, it's completely avoidable in our mind to

229
00:18:15,480 --> 00:18:16,480
avoid that.

230
00:18:16,480 --> 00:18:22,440
I'd agree I mean I'll use some statistics so one of the latest statistics I saw were

231
00:18:22,440 --> 00:18:26,880
48 percent of all attacks are on small and mid-sized businesses which is where we typically

232
00:18:26,880 --> 00:18:32,480
focus if that's true and then the statistic that followed up with it only about 14 percent

233
00:18:32,480 --> 00:18:35,720
of those organizations were prepared to deal with the attack in any shape manner or form

234
00:18:35,720 --> 00:18:40,360
so that's everything from tools to being able to recover that's a really small number if

235
00:18:40,360 --> 00:18:45,120
you ever look at the whole gist of everything that's a pretty darn small number so to Kyle's

236
00:18:45,120 --> 00:18:49,720
point of what does it look like if you're not prepared the likelihood of something happening

237
00:18:49,720 --> 00:18:54,600
and it being pretty devastating is high and so we got into the risk conversation of whose

238
00:18:54,600 --> 00:18:58,600
hot potato is that when we talk about the third parties and all that type of stuff if

239
00:18:58,600 --> 00:19:03,040
you are working with those businesses and they're going well gee, I'll use the Okta example,

240
00:19:03,040 --> 00:19:07,920
is Okta used a third party to help do some of their support and that's where their particular

241
00:19:07,920 --> 00:19:12,880
incident started, well Okta is quick to go hot potato's yours, good luck, you're the ones

242
00:19:12,880 --> 00:19:17,000
where it all started and so that's the kind of stuff we want to avoid right so starting

243
00:19:17,000 --> 00:19:20,440
to prepare for it, finding the help that you need, is definitely a good place to

244
00:19:20,440 --> 00:19:24,720
go and as Kyle mentioned there's all kinds of things we can do to kind of get you going

245
00:19:24,720 --> 00:19:30,960
on that platform it's just kind of understanding where you are today and like it or not most

246
00:19:30,960 --> 00:19:36,480
organizations have started on this process one way or another I would say a vast majority

247
00:19:36,480 --> 00:19:40,680
of organizations already have cybersecurity insurance as an example if you've got it you've

248
00:19:40,680 --> 00:19:45,640
already decided that there was some risk out there and you want to avoid it at all costs

249
00:19:45,640 --> 00:19:50,320
so you went and got your insurance so you're already on the path it's a good thing you

250
00:19:50,320 --> 00:19:54,080
should be doing those kinds of things one of the natural transitions you're starting

251
00:19:54,080 --> 00:19:58,080
to see is as that starts to happen those insurance companies are starting to ask a lot of the

252
00:19:58,080 --> 00:20:02,480
things that you're going to see from a compliance organization or a regulator saying do you

253
00:20:02,480 --> 00:20:07,840
do MFA do you do EDR you name it they're basically building out that foundation or that base

254
00:20:07,840 --> 00:20:14,000
layer of how do I start to put security around what I do day in and day

255
00:20:14,000 --> 00:20:16,920
out and how do I reduce that risk because that's what an insurance company is doing

256
00:20:16,920 --> 00:20:22,760
right reduce their risk they don't want to pay it no chance yeah yeah I mean that's

257
00:20:22,760 --> 00:20:27,680
exactly right I mean the insurance companies want to reduce their risk exposure that's

258
00:20:27,680 --> 00:20:36,080
what they do and they price it into the policies so those potential clients that they're looking

259
00:20:36,080 --> 00:20:42,080
at that are viewed as high risk they're either going to say we can't afford that risk hence

260
00:20:42,080 --> 00:20:47,960
we can't give you insurance which is going to put the business in a very bad position

261
00:20:47,960 --> 00:20:52,480
given the cost of it, or they're going to want to have proof that they have taken steps

262
00:20:52,480 --> 00:20:57,880
to reduce their risk to make them an insurable entity no different than your health insurance

263
00:20:57,880 --> 00:21:02,880
saying do you exercise do you eat right otherwise I can't afford to give you that life policy

264
00:21:02,880 --> 00:21:09,240
because there's too high a risk you're going to die, you know, that's the same idea here

265
00:21:09,240 --> 00:21:13,400
and it's definitely become in the last few years just so much more prevalent because

266
00:21:13,400 --> 00:21:19,880
they've had to pay out a lot more I think it's interesting and what we've seen happen

267
00:21:19,880 --> 00:21:26,840
is that, you know, the threat actors are aware of these policies as well and they're

268
00:21:26,840 --> 00:21:31,000
you know when you're seeing these ransom I mean they're targeting knowing that there's

269
00:21:31,000 --> 00:21:36,240
a high percent likelihood of payout of these policies so they've been abusing that as well

270
00:21:36,240 --> 00:21:40,400
now to the point that I think you know what they're asking for is ransom is what they

271
00:21:40,400 --> 00:21:44,160
believe the insurance coverage is, not what they believe the company has in cash

272
00:21:44,160 --> 00:21:50,320
on hand, you know, so they're even betting on that, which makes it

273
00:21:50,320 --> 00:21:55,000
even scarier which then means the insurance company is going to put more criteria around

274
00:21:55,000 --> 00:21:59,920
because they don't want to be put into that situational side of it, so you can

275
00:21:59,920 --> 00:22:07,960
see where this is going, and I think it's definitely trending to where, you know, the ease

276
00:22:07,960 --> 00:22:13,520
of being able to get cybersecurity insurance is no longer going to be as easy as it used

277
00:22:13,520 --> 00:22:21,240
to be just because of that trend that we've seen I you know the next few years I know

278
00:22:21,240 --> 00:22:26,440
I would say we fully believe it's going to become much more difficult to get the cybersecurity

279
00:22:26,440 --> 00:22:32,120
insurance and I think the unfortunate side effect that it's had is yeah we've always

280
00:22:32,120 --> 00:22:37,000
praised customers for having the wherewithal to go get it because it we view it's important

281
00:22:37,000 --> 00:22:43,720
to have it they've used it as a as as the check box that we got it ourselves covered

282
00:22:43,720 --> 00:22:47,280
and then they didn't take any other necessary steps to reduce their risk they said well

283
00:22:47,280 --> 00:22:52,600
I got insurance I'm fine you know and that's just unfortunately is not going to be good

284
00:22:52,600 --> 00:22:57,920
enough you know you're going to have to take steps to actually reduce your risk to reduce

285
00:22:57,920 --> 00:23:02,760
the likelihood that you would ever need to use that policy is is really what this is

286
00:23:02,760 --> 00:23:06,480
going to be about no longer can you say we bought the insurance I don't need to do anything

287
00:23:06,480 --> 00:23:10,720
else that's that's definitely where this is going.

288
00:23:10,720 --> 00:23:15,400
I mean I agree you look at it now I'll actually throw the sand and I feel like I may have

289
00:23:15,400 --> 00:23:21,920
said this in a podcast previously and if I didn't I will now but as you're seeing how

290
00:23:21,920 --> 00:23:27,840
the cyber insurance is coming along is they've transformed dramatically and I would say within

291
00:23:27,840 --> 00:23:31,920
the last 12 months if I looked at the beginning of 21 it was pretty benign you were kind of

292
00:23:31,920 --> 00:23:35,680
going yeah I need insurance and I go okay how much do you want here's the bill and it

293
00:23:35,680 --> 00:23:41,080
was it wasn't quite that simple but it was pretty close by the end of the year I was

294
00:23:41,080 --> 00:23:46,880
being pulled into customer sites going okay let's let's answer the questionnaire by the

295
00:23:46,880 --> 00:23:52,440
underwriter and it was nearly a full blown audit from a third party coming in going okay

296
00:23:52,440 --> 00:23:58,200
let's look at your network diagram you know network diagram do I need one yes you do all

297
00:23:58,200 --> 00:24:01,880
of a sudden this became a big thing at the end of the year and so it's just getting more

298
00:24:01,880 --> 00:24:07,680
and more complicated some of the things I guess kind of just circling back to this particular

299
00:24:07,680 --> 00:24:11,320
compliance that's coming I wanted to kind of hit a couple of things just briefly so if

300
00:24:11,320 --> 00:24:15,120
you are under the regulations and you're trying to get informed on it what does that look like

301
00:24:15,120 --> 00:24:18,880
some of the things that I know are coming are number one we talked about it you're going

302
00:24:18,880 --> 00:24:25,120
to have a lot more reporting requirements currently that requirement is really really

303
00:24:25,120 --> 00:24:29,840
fast reporting so you need to have a good plan in place as to what does an incident response

304
00:24:29,840 --> 00:24:35,840
look like you'll you'll absolutely need it you will need some some reporting capabilities

305
00:24:35,840 --> 00:24:41,120
as we mentioned earlier I think you are going to be looking at some exposure there is risk

306
00:24:41,120 --> 00:24:46,440
associated with communicating early and often there are there absolutely is going to be

307
00:24:46,440 --> 00:24:50,440
some unintended consequences what those are I don't know it's still pretty early I think

308
00:24:50,440 --> 00:24:56,080
they're still looking for that kind of feedback coming back there are some specific things

309
00:24:56,080 --> 00:25:00,800
where there is no current or there is no delay in that reporting there's no safe harbor you

310
00:25:00,800 --> 00:25:06,160
need to do it as fast as you possibly can you absolutely are going to see that there

311
00:25:06,160 --> 00:25:10,400
are going to be very difficult these filling those board positions as I said they made it

312
00:25:10,400 --> 00:25:14,480
super broad so you can bring in anybody with experience but still going to be difficult

313
00:25:14,480 --> 00:25:18,080
not everybody's going to be comfortable joining a board you're maybe looking outside your

314
00:25:18,080 --> 00:25:23,840
organization etc so those things are coming and then one last little takeaway is for organizations

315
00:25:23,840 --> 00:25:28,400
and we see I see this a lot in banking and Kyle can expand on this a little bit too as

316
00:25:28,400 --> 00:25:33,280
we're wrapping up here is a lot of times organizations when they do have that compliance

317
00:25:33,280 --> 00:25:37,000
in place they tend to lean on compliance and go compliance you do it with this you figure

318
00:25:37,000 --> 00:25:41,720
it out this requirement is striking it right up to the board as high as you can possibly

319
00:25:41,720 --> 00:25:46,560
go and go you now need to deal with it you're ultimately responsible which is what you've

320
00:25:46,560 --> 00:25:50,480
been seeing from a lot of organizations anyway the frameworks always say that that's where

321
00:25:50,480 --> 00:25:55,000
the ultimate responsibility comes from but this is nailing that that down completely

322
00:25:55,000 --> 00:25:57,520
going this is where it's at.

323
00:25:57,520 --> 00:26:02,320
Yep yep that's correct it's putting it up at the highest level of the organization side

324
00:26:02,320 --> 00:26:07,960
with it which honestly is where I think it needs to be because it is this is you know

325
00:26:07,960 --> 00:26:14,560
there's a business survival side to this aspect of what this threat to the businesses are

326
00:26:14,560 --> 00:26:18,560
and I think for the protection in this case obviously protection of the shareholders that's

327
00:26:18,560 --> 00:26:26,320
what the SEC is saying you owe it to the investors in this organization to make sure that you

328
00:26:26,320 --> 00:26:31,720
are protecting their investment and this is significant risk and the boards that's the

329
00:26:31,720 --> 00:26:37,480
board's responsibility for the shareholders is protect their investment.

330
00:26:37,480 --> 00:26:46,360
So any other parting thoughts before we wrap up the show today.

331
00:26:46,360 --> 00:26:52,720
I don't have any I think this is a great topic though again now he's cyber security is always

332
00:26:52,720 --> 00:26:56,520
so easy to talk about just because there's so many aspects of it I know we talked about

333
00:26:56,520 --> 00:27:02,320
a ton of different areas that you know definitely tie into this particular one but again I think

334
00:27:02,320 --> 00:27:07,320
it's you can take this information and apply it to a private organization very easily and

335
00:27:07,320 --> 00:27:13,480
still still adopt a lot of what they're saying and you know that's that's really ultimately

336
00:27:13,480 --> 00:27:18,280
what what CIT is about here that's where we try to make you know the technology work for

337
00:27:18,280 --> 00:27:24,160
the business side of it is is bringing in that framework helping with that information

338
00:27:24,160 --> 00:27:29,680
you know we're happy to discuss with with our with our customers at the board level

339
00:27:29,680 --> 00:27:35,760
you know these level of issues sides of there and advocate for for change in those organizations

340
00:27:35,760 --> 00:27:39,920
ultimately because it's you know we we want to we don't want our customers to deal with

341
00:27:39,920 --> 00:27:47,080
the bad situation and I don't think anybody anybody wishes that on any organization at

342
00:27:47,080 --> 00:27:51,520
this point but you know so taking these next steps and anything you can do we're happy

343
00:27:51,520 --> 00:27:57,360
to have those discussions my parting thought is reiterating what Kelsey said at

344
00:27:57,360 --> 00:28:02,360
the beginning is Kyle and I we love talking if you've got questions about this so you

345
00:28:02,360 --> 00:28:07,080
got cybersecurity the compliance you name it we're happy to go through it with you so if

346
00:28:07,080 --> 00:28:10,160
it's something that you've got interested in or there's other items that are similar

347
00:28:10,160 --> 00:28:14,120
that you've got a passion about by all means let us know and we're happy to to get on and

348
00:28:14,120 --> 00:28:20,000
chat with you a bit yeah absolutely no we love it and thank you Todd for kind of taking

349
00:28:20,000 --> 00:28:25,680
that mean like yep sure talk to us 100% yes we are always hearing kind of just like Kyle

350
00:28:25,680 --> 00:28:29,800
said right and we're here in Minnesota Western Wisconsin but if you're outside of that and

351
00:28:29,800 --> 00:28:32,720
you happen to be watching the podcast because that would be our dearest hope is that we're

352
00:28:32,720 --> 00:28:38,160
helping anybody across all businesses we are still here to help you find those resources

353
00:28:38,160 --> 00:28:41,240
point you to the right people get you those people because we know it can be one of those

354
00:28:41,240 --> 00:28:45,360
things where you got a lot on your plate every single day and we're just here to help and

355
00:28:45,360 --> 00:28:49,880
help educate you and help you find all of those but if you want to connect with us directly

356
00:28:49,880 --> 00:28:53,720
that's what Tara and I are on here for for the marketing people that are sitting here

357
00:28:53,720 --> 00:28:58,320
and telling you yes emails go to the website and you can always find us you guys know it

358
00:28:58,320 --> 00:29:05,520
info at CIT-net.com or head out to our website it's CIT-net.com same as the end of our email

359
00:29:05,520 --> 00:29:10,160
we are here to answer any and all questions get you connected with Kyle Todd I'm sure

360
00:29:10,160 --> 00:29:14,280
they'd love to sit down have coffee with you guys all the good things we'll work for food

361
00:29:14,280 --> 00:29:17,720
but we are here every single week so send us your thoughts your questions and we look

362
00:29:17,720 --> 00:29:20,040
forward to chatting with you again next week.

