Decoding Cyber Risks: Cyber Threat Trends of 2020
About this webinar - Part 1
In this two-part episode of our Decoding Cyber Risk advisory series, McGriff’s Taylor McLean sits down with Clay Blankenship, a Managing Director of Ankura's Cyber Incident Response Team, and Jason Cables, a Managing Director of Ankura's Forensic Accounting and Claims Consulting Practice, to discuss cyber threat trends seen throughout 2020.
In Part 1, Clay and Taylor discuss cybersecurity incident trends through 2020 and the impact COVID-19 has had on the type and amount of incidents seen. Clay provides a few examples of real-life threat scenarios, discusses Ankura's involvement, and identifies how you should respond.
Cyber Threat Trends of 2020 - Part 1
Clay B.: [00:00:00] They'll have offsite backups, they'll have multiple types of backups so that if the threat actor gets one, then they're able to recover from another. Threat actors are smart to that now. So now they're taking the data and they're holding it and saying, pay us for the decrypter, or we're going to release your data on the dark web, which forces their hand to pay them, regardless of whether they have backups or not.
Taylor M.: [00:00:29] Welcome to McGriff's Decoding Cyber Advisory series. I'm Taylor McLean a member of McGriff's Executive Risk Advisors team in Houston, Texas, in this two-part episode, we will be discussing cyber threat trends of 2020 with Clay Blakenship and Jason Cables of Ankura. In part one, we will hear from Clay Blankenship, who is the managing director of Ankura's incident response team.
Clay has investigated hundreds of cases involving breaches worldwide. Clay, do you mind telling us a little bit more about Ankura and the incident response team?
Clay B.: [00:01:01] Sure. Thank you very much. A little bit about Ankura. We're a global consulting firm and our tagline is collaboration creates success.
And that is true. We've seen it time and time again, over and over within our different divisions. We have expertise in all these different industries and primarily what we're focusing on today with my presentation is cyber security. So, about the Incident Response team, we have team members that are spread out across the United States.
We have team members in every time, every time zone, and we are 24 seven three 65. We have a 1-800-HOTLINE number that if you call it, one of the consultants or one of the managers will pick up. If it doesn't, you can leave a message and then we'll call you right back. You can also reach out to us through the incident email address, email@example.com. Much of our initial work, if not, all of it can be done remotely, and we've proven that, and especially with the COVID situation, all of our cases have been, worked one hundred percent remotely since this started. Ankura is on multiple insurance panels. These are just some of the, the main ones here, but there are others as well.
2020 the year of uncertainty, that's to say the least, we started out with tensions with Iran, we quickly went into COVID-19, and now we're facing the presidential election, which the cyber threat actors are using as a stepping stone and playground to conduct their nefarious operations.
So, here's some historic examples of when you have certain things happening in the world. 2009, we had the swine flu and there was an uptick in phishing emails and fraudulent counterfeit vaccines, 2014 to 2016, Ebola. Remember that was a scary time. We saw an uptick in spam and phish emails as well. The 2016 presidential election, which nobody can forget, there's a series of spam, phishing emails, as well as many other things in social media that went along. A little-known thing with the plague in Madagascar, you know, we saw some donation and phishing fraud, but 2020 has been its own own beast in its own right. We've just seen a number of different things, that we'll talk about here in just a little bit, but definitely an uptick in spam and phishing emails, malicious links, payloads in emails, and even on some social media and social engineering happening.
So, some of the observations that we're seeing, you know, this first bullet we talk about COVID-19 alerts and tracking maps. So, we've seen threat actors actually embed their malware into a phish, that it's trying to send you a COVID-19 alert or tracking map, and, you know, the unsuspecting users going to click on that and sends them out.
Our ransomware research shows, that there's just been a huge window of opportunity for threat actors. We've even seen the COVID-19, malware being deployed and where it's actually called COVID-19. We've also seen, seen a heightened situational awareness from, from corporations and companies.
They've had to find a new way to work and having to work remote. So, they've had to, you know, be more secure, aware of what's going on. Right. Disruptive and destructive attacks continue to be prevalent. The focus on critical services. You see an uptick in not just the disruptive, typical ransomware, where it stops your business, for just a short period of time.
And then you have to recover, you decrypt, and you're back up and running, but we've seen in a lot more destructive processes where the malware will actually destroy the master boot record, which will stop the systems from booting up. This is all just more time or downtime for the companies. And then one thing we're going to talk about more in depth here a little bit later is the extortion activity. That has been on the rise. System vulnerabilities - you may be familiar with sometimes you'll get an email from a bad guy or a threat actor who says, Hey, I've breached your system, pay me 50 Bitcoin, and I'll tell you how and how to fix it. So, we've seen a lot of those here lately as well. Incident response threat trends across the United States.
As always, we're seeing email compromise. These are usually related to phishing and it's not just isolated to office three 65. We've seen across the board with on-premise exchange Gmail as well as other platforms. There's various other platforms that we've seen companies use and, and they're not immune to it.
Ransomware, we see multiple variants out within this first quarter, you know, the typical RYUK, that's kind of on a die down right now DoppelPaymer we've seen. But MAZE has really been on the uptick and Sodinokibi has just remained you know, in the forefront for a while. And then there's others.
The asterisk that you see on this notes that, that these variants have now been associated with data exfiltration. So, if you, if one of these variants are at play, then you can almost count on there being data that has been exfil from the environment. Here's a graphical representation of the trends that we're seeing here at Ankura in Q1 47% of the incidents that we take in, are were ransomware 40% were email compromised.
And then we also have, you know, a series of other types of incidents that come in whether it be an intrusion malware or some type of other unknown threat that they want us to investigate.
Taylor M.: [00:06:40] Clay, do you mind elaborating, even though it's the smallest percentage on the graph view, do you mind elaborating what kind of other malware you guys are seeing in 2020?
Clay B.: [00:06:52] Most of the time when we get a report for malware, most of the time, what we're seeing is either what is going to be a precursor to ransomware, which is either Emotet, Trickbot, or, or even Dridex. The occasional backdoor that's beaconing now. But, but that’s primarily the one, with intrusions, the client has, has seen, an authorized login to the environment and they want us to investigate that and usually it'll turn out to be, you know, had been going on for a little bit longer than they thought. With the other types of incidents, we're talking insider threats, rogue employees, data theft, things like that. So, a new form of extortion. This is what we're seeing a real uptick in with. Before they used to be just ransomware.
They'd hit you with ransomware, encrypt your files. Make you pay for, make you pay for the decrypter, and decrypt it, but that's not what's happening anymore. What we've seen is we've seen a lot of more corporations get smarter with their backups. They'll have offsite backups, they'll have multiple types of backups so that if the threat actor gets one, then they're able to you know, recover from another.
Threat actors are smart to that now. So now they're taking the data and they're holding it and saying, pay us for the decrypter, or we're going to release your data on the dark web. Which forces their hand to pay them, regardless of whether they have backups or not. Typically, we're seeing this now with Maze and Sodinokibi, and Nemty which is, it's kind of interesting that Sodinokibi went this way because we saw Sodinokibi before was just strictly ransomware.
They encrypted your files and you had to pay when they first started, you could buy one key. So, if you only have one system, then. It would allow you to buy that one key and not the rest of them, but they found out that everybody was buying the one key for their backup servers and decrypting their backup servers.
So, then they decided, okay, well now we're going to take your data and make you pay for everything. So, here's some real-life examples. Here's one for ransomware. You know, a company had been experiencing anomalous logins. They weren't successful, but they've been going on for several months. And then they got hit with DoppelPaymer, and then they discovered that they actually had successful logins to some of these VPN accounts.
Once they got in and deployed the malware, they found the ransom note where they said, Hey, you're going to pay us this money. And by the way, here's a list of your files that we took. So, they threatened to leak that information on the dark web, if you didn't pay the ransom. So, what did Ankura do at this point?
Ankura was engaged and we began a forensic investigation. The evidence found, we found evidence of Dridex, which is a credential harvesting malware, which would totally explain why all of a sudden they're able to get valid VPN credentials because it's probably harvesting through that Dridex. There were some other Trojans also mixed in there with it.
Or which the Dridex usually will result from the, from a phishing attack. The threat actor will create a phish, embed their malware. The unsuspecting user clicks on it, opens up a PowerShell empire back door that, that downloads the Dridex. The Dridex then propagates on the system and spreads throughout the environment and begins harvesting credentials.
The Ankura, the threat Intel team they were able to search the dark web and leverage accounts, leverage backstop personas, and confirm that the data was out there,
Taylor M.: [00:10:31] Clay. For, for the folks listening in who are in a risk management role or a broker role like myself that are looking at this from the insurance perspective, can you elaborate on what role, the breach response team from the insurance carriers play in tandem with, with Ankura?
Clay B.: [00:10:53] Yeah, so, so the first thing that happens is when the client understands that they they've, they've had some type of an incident, they don't know how serious it is.
They, they don't know really what's happening at the moment. They contact your insurance company and, and advise, Hey, we think we've had a breach. The insurance company will then immediately put them in contact with a breach coach and a forensic investigation firm, such as Ankura. Then a scoping call is held, you know, we'll.
Get details of, of what they've seen. We're going to ask some questions to try to get a better understanding of it or environment. And then at that point, you know, we'll issue, the paperwork is the statement of work and engagement letter that will go to the council and then the insurance company approval.
And then as it's like with the incident with the, with ransomware the role becomes very critical at certain points, especially when once contact is made with the threat actor. If the client. Chooses to pay the ransom in order to conduct business operations, then we're going to get, or, or whoever we have doing the negotiations is going to get a number of, of Bitcoin from the threat actor.
And we're going to provide that to the insurance company. And the insurance company will have to authorize payment so that the bad guy can be paid. And then we can get the decryption key and get the business back up and running.
Taylor M.: [00:12:17] Interesting. Thank You
Clay B.: [00:12:20] So here's a real-life example of an email compromise. So, this technology company got a notice from one of their clients says, Hey, we're receiving emails that look like they're scam, and they're asking us to make ACH payments that just don't look right. So, you know, they began doing their own investigation.
They've noticed they've had an uptick in phishing emails. They thought that they had it all our control. But then they found that a, an unknown threat actor, had set up a fake domain and is rerouting responses from particular email accounts. In their own investigation. They identified that they had five accounts compromised so they asked us to, to do the analysis, confirm and make sure that nothing else was happening out there. So Ankura, we conducted our forensic analysis. We found that, 31 additional accounts. So, there were 36 total that were compromised. We found that there was potential data exfiltration by forwarding rules set up.
So, some of the accounts had 40 rules that all the emails in and out were being forwarded. To a particular threat actors address, and we found a possible data exfiltration by way of synced accounts. So, what synced accounts means is that the threat actor was using clients such as outlook or Thunderbird or something that would sync the entire mailbox.
And then we were actually able to find the, the Initial users, that the initial compromised user, on their system, we found the actual phishing email that started the whole thing. And, you know, right here on the right is a screenshot that shows an example of that original email
Taylor M.: [00:14:02] Clay, before you change slides in, in today's world.
Now that during coronavirus pandemic more and more companies are having their employees work remotely from their homes. Has there been an uptick in this email compromise activity?
Clay B.: [00:14:21] Yeah, that's a, that's a great question. And we have, we've seen, we've seen, as you saw the slides earlier with the 47% being ransomware and 40% being email compromise, that has been almost a flip-flop since COVID. We've seen more email compromise cases than ransomware cases, but they're both still very prevalent. Here's a real-life example of an intrusion. The FBI contacted this high-profile law firm and said that access to their environment was being sold on the dark web. The law firm provided us a screenshot which showed this, the list of servers that were available.
They conducted their own internal investigation with, with their crack IT team. And they narrowed down the focus to a group of, of systems. They called us and asked us to do conduct a thorough investigation to make sure that the whole universe of known compromise was there. We did we determined the entry point was a particular server where we saw multiple log-ins from Russia dating back about two months prior to when they were notified. We identified potential data exfiltration artifacts on the machine, and then the threat Intel team also found on the dark web credentials from this company and all the users from that company posted out for sale on the dark web.
Taylor M.: [00:15:43] Thank you, Clay. I know that a lot of the trends are at the forefront of our client's concerns. And I know there was a lot of good takeaways for both us at McGriff and our clients so we appreciate your time informing us on these trends.
About this webinar - Part 2
In Part 2, Jason and Taylor discuss how to prepare for and respond to business interruption losses resulting from a cybersecurity claim. You will learn:
- Why cyber is the leading global risk
- Best practices to put into place to prepare for a cyber-claim
- How to quantify and prepare a business interruption loss when submitting a claim to the carriers
- How Ankura has helped clients manage different loss scenarios by reviewing case studies
Cyber Threat Trends of 2020 - Part 2
Jason C.: [00:00:00] If you do have a cyber event or any claim, the first thing you want to do is activate that team that we just talked about on the prior slide. You want to activate those folks and you want to appoint a centralized person to represent the company both in terms of dealing with the insurance company, as well as to get all the information and talk to all the different departments or locations that might be impacted by that loss.
So cyber can.
Taylor M.: [00:00:26] Welcome everyone to McGriff's Decoding Cyber Advisory series. I'm Taylor McLean, a member of McGriff's Executive Risk Advisors team in Houston, Texas. In this two-part episode, we will be discussing cyber threat trends of 2020 with Clay Blankenship and Jason Cables of Ankura. Jason Cables, he will provide us an update on what Ankara has been seeing in the business interruption world, and how to prepare and respond for a cyber claim.
Jason is a managing director, as I mentioned of Ankura's forensic accounting and claims consulting practice. Jason has over 20 years of experience measuring business interruption, property damage, and extra expense claims stemming from cyber breaches, catastrophic events, product recalls, product liability, and fidelity claims for corporate policy holders.
Jason has prepared approximately 300 insurance claims. Most of which settled in the normal adjustment processes. Jason is active in the Dallas, Fort Worth, Houston, San Antonio, Tulsa, and Oklahoma City risk and insurance management society chapters. He is also currently a board member on the Houston RIMS Chapter.
Also, in exciting news for McGriff, Jason has had a recent success with our McGriff colleague, Ernie and a McGriff policy holder, which we are always happy to hear success stories for our team. So, with that, Jason, I will turn it over to you.
Jason C.: [00:02:08] Excellent. Thank you, Taylor. I appreciate it. And thanks Clay.
A lot of great information in that first session. I am a CPA, so a lot of the terms used by Claire, kind of over my head and my specialty really lies in the measurement of the insurance claims and preparing for them as well and some keys you can do or you can recommend for your clients that they do an advance of a claim that'll make it go much smoother.
So, with that, I will, I think we just had the introduction. I'll skip past that. I'll talk about the business or option risk perspective, and then really again, preparing for, and responding to insurance claims in general with a specific focus on cyber. So why is this important? As of 2019, cyber joined business interruption as the leading global risk, according to the Allianz Risk Barometer. We find that with increasingly connected global economy and just in time production that our clients are utilizing, business interruption claims are seemingly more complex and more frequent than otherwise in history. They don't have the inventory. They don't have the overrun to deal with issues. So, one, one hiccup in one place is sending a chain reaction down that's resulting in business interruption. Also, the rising costs of cyber incidents are causing them to be the most feared trigger of insurance policies at this point in time.
Other concerns include threats from nations and affiliated hacker groups. You know, again, what we're talking about here, as well as the likelihood of litigation, following a cyber breach. All that to say, as we all know, business interruptions and cyber are on the forefront of risk managers' minds, and it's really important so that's kind of sets the stage for why we're going to talk about this.
A lot what I talk about here is not specific to, to cyber losses. They're generally good practices for preparing for any loss you might have, but there are definitely, they definitely apply to cyber events. So, activities to do before a loss include establishing your risk claims team. That starts with the risk manager.
Who's the quarterback of the process typically, because they're the liaison between the businesses like accounting and finance operations, your placement broker, or claims advocate, your claims preparer someone like myself. And by the way, for those that don't know, a lot of policies actually cover independent, forensic accounting fees.
So, our fees simply become part of the claim. Whether it's a cyber event or traditional property loss. And then of course your recovery or remediation resource. So again, the quarterback of the claim’s management process is risk management, generally speaking. Sometimes with cyber, it gets elevated to legal, et cetera, but we definitely recommend involving risk management.
Next, it's really important to read and understand your policy language. I say this about every policy, but here with cyber events, we actually see where sometimes multiple policies might respond, including a traditional cyber policy. As well as a property policy or even a kidnap and ransom policy. If it's, if it's a ransomware that's requesting money, sometimes that is enough to trigger a kidnap and ransom policy.
And all of these policies might cover different things, have different sub limits, but knowing where you have coverage can help you maximize the recovery. And I would also add that it's really important to understand the definition of how your policy is triggered, because that can vary as well. So just again, understanding your policy, understanding what it covers and what it doesn't. And again, if multiple policies are enforced, so you can be strategic in where you claim certain items.
Next, it's important that you ensure your reportable values, your business disruption values, and your replacement cost valuation are up to date because if they're not up to date, big problems can ensue.
Taylor M.: [00:06:09] Do you mind expanding on, on why it's so important to have the accurate business interruption values?
Jason C.: [00:06:17] Great. Thank you for asking that. This is something I'm pretty passionate about and something that I can also help your clients with an advance of a loss. And we do that for a lot of McGriff clients.
It's a, it's a pretty speedy. It's a pretty speedy analysis for us, but making sure that they're done right is really important. For one, policies can have co-insurance penalty. So, if they're not recorded right, even if the loss that triggers everyone's eyes on this particular policy is underneath your deductibles or underneath your limits of insurance, you can still face a co-insurance penalty.
So, we of course don't want that. The other thing, and this is really important, post loss is that often the first thing the insurance company does when there is a loss, is they look back at the reported values to develop the reserve, the reserve for the insurance claim. And so, if the numbers are not correct, then obviously the reserve could be inaccurate and I've never seen claims go more poorly when they were under reserve, they get all the attention of executives and the insurance company.
And so, every time the claim values go up, as you might imagine, there's a lot of pushback against that, as opposed to if they were accurate in the first place. And then the last thing, and it's also equally as important is it helps you with your purchasing decisions and your recommendations of what your limits of insurance should be.
What kind of additional coverages you might need, like ordinary payroll or extended period of indemnity, these extra bells and whistles. If you fully understand what losses might look like, you would make sure you had in place. You know, for the future. So, great question. Business disruption values are more often than not wrong.
When, when someone hasn't that does this for a living, hasn't looked at them. The forms are confusing. And so, if anyone ever had any questions, feel free to reach out to me and I can give you my 2 cents. Also, it's important to prepare a business continuity plan. You know, having a plan is one thing.
And sometimes a company might take this on as a one-time task, but as we have a business continuity group, as they'll say, it's a process and not a one-time activity, it needs to be tested and refreshed as time goes on to make sure that it's still meeting the needs of your, of your company. Now that if you do have a cyber events or any claim, the first thing you want to do is activate that team that we just talked about on the prior slide, you want to activate those folks and you want to appoint a centralized person to represent the company both in terms of dealing with the insurance company, as well as to get all the information and talk to all the different departments or locations that might be impacted by that loss. So cyber can sometimes, you know, cross borders, multiple locations. We'll talk about that in the case study a little bit, but having that centralized person, which in my experience again, is risk managers, risk management to make sure that a- all the messaging is proper to the insurance company is consistent and make sure that we're, you know, getting the information we need and really that facilitator is really important. The other thing that you want to do is maintain a log of your business impacts on a daily basis that this cyber event has caused. And this is easier done in a real time than to try to recreate it at some later point in time. And one illustration of that isn't related to a cyber event.
But with hurricane Harvey, a lot of our clients suffered from multiple things like ingress egress, service interruption, civil authority, and some of these insurance companies wanted to know day by day, which was it that was causing which, you know, that, that heart, that pain that our companies were suffering.
And if they hadn't captured it in real time, it was very difficult to go back and recreate it. And so similarly capturing what's happening to your business on a daily basis is going to be very helpful in explaining the overall loss in particular with business interruptions. Next you want to maintain a general ledger, set up a special account to capture these direct expenses, to recover and maintain your operations.
Following the cyber event, you know, you're going to need things like detailed invoices and work orders, basically everything that you, your company would require to reimburse or to write a check for a particular contractor, the insurance company is going to require the same thing. So, you want to make sure you get all that information, consolidate it and keep it in a safe place that you have it.
Along those lines, you'll want to capture the labor. Any internal labor utilized often was cyber events, internal labor utilized to recover, to restore, to recreate backups or recreate data. To the extent you utilize your own people. It's really important to track those costs by person by day, with the description, their hourly rate, all of that, I will highlight you know, I don't recommend you actually move this out of your accounting records, your standard labor.
To the extent you can add a field to track it within that same labor count. That's fine. I don't like moving it out to a special account, however, but just to make sure that we're tracking it. Ultimately, if it's not tracked, you're not going to be able to get reimbursement for it.
Taylor M.: [00:11:35] Jason, what would you tell your clients who are asking about the recoverability of salary labor expense?
Jason C.: [00:11:44] That's an interesting one. So traditionally salaried labor is not compensable because the insurance company makes the argument. That it is not incremental, right? If you're supposed to make $50,000 a year, you still made $50,000 a year and it doesn't represent an incremental expense. I have seen my clients make the argument that I could have paid a third party.
It would have cost a lot more. Our people know our systems better. We mitigated a business corruption. So, you will see those, those kind of equity arguments made. I've also seen where following a very, very big cyber event, these folks were working nights, weekends, et cetera. And at the end of that, they were offered effectively a reward or a bonus payment because they were salaried, but yet they had put forth these extraordinary pay-, efforts. And so, in that circumstance, we didn't make a claim for the actual salary. We made a claim for the incremental portion, which in this case was the bonus. So, it is a tough sell. Don't get me wrong, but to the extent it's occurring and it doesn't, you know, it makes sense for you to capture it.
It's not going to cost more money to capture than what we're talking about. I would go ahead and capture it and make those arguments if you can. Business interruption. So now we're talking about tracking the status of all open customer orders or backlogs or, or whatever metric your business or your client's business may have had.
We want to secure it as of the day, prior to the incident, the cyber-attack, and this is going to provide the most recent view of the company's expected performance pre cyber incident. Sometimes the systems are overwritten with time. And so that's why I say it's important to preserve it so that, you know, we have a snapshot in time before the cyber event.
The other thing is you want to begin tracking all your customer inquiries. Log the cancellations or the rejected orders things that would indicate that there have been a loss of sales or revenues on the customer side, anything you can, and again, I would highlight, this is one of those things that if you don't have a system for capturing it as those phone calls come in, or as you're emailing customers to, you know, tell them that you can't fulfill an order, if you don't have a metric to capture it, it's often very difficult to get later.
And then you want to preserve again pre-loss production schedules, sales planning documents, again, prior to the cyber event. And we also need to be mindful of any changes that occurred in the loss, the pre-loss period to your business or expected changes that we wouldn't know about if we simply looked at your financial statements.
So, if you had a planned expansion or you were in negotiations for a big, big, new customer, things like that, that would have changed the way that I would view your forecast. We would need to know that, or let's just say you had a big plant shut down to do your annual maintenance. Well, we would have to consider that too.
So, I need to know not only what your view was before the loss, but also need to know what planned expansions or changes to the business were anticipated. There was one of the things I wanted to highlight about the middle paragraph, about tracking the customer inquiries. Oftentimes an insurance company will think or ask to say, show me all your canceled orders.
That should be the law and practice as a practical matter. That's not usually the case. And the reason is, is because once a customer found out that you couldn't fulfill order one, he didn't, he or she didn't call for order two, three, and four. So, there's no record of it. In other words, or sometimes I've heard, I've seen where word gets out.
And so. Even though, you know, the rumor mill is fired up again. You don't get the purchase order to then cancel, or you don't, you never get called about that opportunity. So, capturing this data, isn't generally a good metric for measuring your entire loss. But what it does do is provide that anecdotal evidence that you can then provide insurers to help them understand the numbers that we're later calculating. Again, the top bullet we need to forecast pace reports, market demand, you know, all those things that. Any particular client would utilize in their normal course of business. As of the day of the, before the cyber that, you know, preserving. We also need to identify and track any outsourcing expenses or opportunities.
So, for example, if you make widgets and you went to a competitor to get those widgets, to meet current demand for your customer, because you knew if you didn't you might ultimately lose that customer. We need to know about that, and then we need to value it. So that becomes a little bit different than a business interruption.
Now we're looking at what you purchased it for versus what you could have made it for. So, it's still a claim related item it's just different. So, we need to know about those opportunities. When we're forecasting business interruption there's really three things that we're trying to do. One is to look at the actual experience of the business prior to the loss and we do that utilizing pre-loss trending year over year, monthly averages, budget accuracy, kind of again, looking at a historical view. We also have to consider what would happen during the loss and that's for businesses like oil and gas, which are like subject and market trends. We would need to understand the trends that were going on during the loss period and adjust our forecast accordingly.
You know, if the market takes off, we would improve our forecast. If the market goes down, we would have to adjust downward because if a business is tied to the market. We need to know what's going to happen during the loss period and we would consider those factors. And then the third piece is the actual experience of the business during the loss.
So again, considering were they able to sell anything? Were they able to mitigate or outsource, you know, how, what actually happened from a financial perspective and that's how we measure business interruption? So, some key takeaways to business interruption, cyber matters, or I guess cyber matters in general.
Is just to be proactive in measuring and submitting your claim. Well, it's simply provide the data to the insurance company and ask them to measure it because in my experience, first of all, insurers are incentivized to pay as little as possible. Right. So, they're not going to look under every rock. They're going to review what's provided to them, but they're not going to go making sure that that was the totality of the claim. And in fact, the matter I helped Ernie with, I came in very late in the game because the policy holder tried to prepare their own claim. Got stuck, realized it wasn't going well and brought me in and we were able to, you know, unblock the road and get all of the financial recovery that the client was-, was deserving of.
So, make sure and just proactively. Calculate and submit your claim.
Taylor M.: [00:18:43] Jason, that was, I'm going to piggyback off that point a little. I had a question. Do you feel A, you feel like the process runs smoother, the easier you get involved and B how, how often are you jumping in, in the middle of these claims and having to provide more detail after a portion of the information has been submitted to the carriers?
Jason C.: [00:19:11] That's a great question. The short answer is the earlier we can be involved, the smoother it goes, and that happens for two reasons I would say. One is we're making sure we're preserving all the documents that we're going to need. We're measuring the claim in accordance to the policy, in accordance to how we know they're going to require and, and need to understand the claim. And the third thing is directly corresponding with the client to manage their expectations. If they think that they're going to get paid for all their salary labor, I'm telling them, Hey, hold on that is a bit of a gray area, right? I'm pumping the brakes and managing that, their expectations.
I'm telling them where I see that there's differences in interpretations, in the policy language, I'm not licensed in insurance, but I can tell you what I've seen and where, how I've seen things play out historically. And then again, we're going to put forth, not a pie in the sky claim.
When I say you know, we've uncovered every rock, we've maximized the clamp. We're going to put four with a claim where we've supported the entire claim amount with source documents and a clean claim package that they can then send them through the auditors and the adjusters and, and review. And so that becomes very important too.
That's not to say we won't have areas of difference because as you might imagine, every time we submit a claim, almost always the insurance company comes up with something less. That's the nature of the game. But at the same time, it's a well-supported claim that we can stand behind. And now, hopefully we're both in the fairway, so to speak.
And we're talking about small areas of difference rather than bigger is a difference. We do get involved in claims that that have started down a bad path. And in fact, I was, I've been hired twice now from losses stemming from January. That because of COVID-19 complications. The insurance company simply didn't want to pay.
And didn't, didn't agree with the financial numbers. And so, I've been hired to come in and say, okay, we have, it's just, like I said, you know that the expectations of the business during the loss we have to take on COVID-19 we can't say that we were in a bubble and it wouldn't have impacted our business either positively or negatively.
But now the question is how are we going to get around that? And that's what I've been able to help with. So, we do get involved late in the game from time to time. I can tell you that most of the time, once we get involved, things go much smoother. Sometimes we get involved and they get escalated because it just shows you that the insurance company wasn't going to pay that claim no matter who submitted it.
But oftentimes just our involvement because the insurers and the auditors have worked with us a number of times, it's going to go smoother generally. So, I, did I answer your question in enough detail?
Taylor M.: [00:21:58] Yeah, that was perfect. Thank you.
Jason C.: [00:22:02] Excellent. The, the common theme that I would say is managing expectations.
So, the next one is assist in the reserve setting process, and it really dovetails into the next item, which is preparing loss, estimates, incurred and estimates. Soon as soon as you can stomach it because you want to get on one page, all of the known areas of loss, even if they are to be determined. And we want to communicate that regularly.
Updating it to the insurance company. As I highlighted on the business interruption values comment, whenever a claim is miss reserved it's challenging. And so, anything we can do to open up those lines of communication is really important. And so, there's a couple of reasons it's important to issue interim claims one, it starts the audit process.
The insurance company can provide their feedback. We can take their feedback and either address it with why they're wrong and, you know, the claim is right, or we can agree and we can make accommodation. So, in theory, we're going to be narrowing areas of difference throughout this whole period of interruption.
And then B we're going to set the stage for periodic payments. Usually initially after a big claim, partial payments are pretty easy to get, but at some point, you have to start issuing documents, right? You have to give calculations and documents, and this becomes a cadence for that. And so again, if you're waiting until the end of the period of interruption into the claim to start your claims process, you're doing it all wrong because for one, it could be mis reserved for two.
You're now going to start the dialogue of, I don't understand your calculation, explain it to me, provide these documents. Whereas you could have started that, you know, months earlier, so really recommend issuing interim claims, updating them. The other thing is it really helps to have your client, in my case, my client, and you know, your client, McGriff's clients help participate in presenting the claim, explaining it.
It shows the insurance company that they believe in their claim. They understand their claim. They didn't just have some forensic accountant come in here and do something in a backroom. And here's the number. Cause I worked with them to help them understand it. I, you know, and they should believe in it at the end of the day, it's their claim and complex claims, I see a lot of people email them to the insurance adjuster. No, you should at a minimum, have a web meeting now that we're in COVID-19, but you should have a meeting to roll out the logic and conclusions within that model, because not only will it lead you to lead them to your conclusions and how you got there, but hopefully you can pre, proactively derail any misunderstandings or, or false conclusions that they may have. And so again, you're trying to start the process by showing I believe in this claim, here's the claim and derail any misconceptions they have in that process. And that can be really useful. And then along those lines to set feedback, or seek feedback and establish completion date.
So, hey insurance company, I'm recommending, we issue a claim once a month. Within that period of time, I would love it. If you could have reviewed it within two weeks and provided your feedback and within a week of that issue to partial payment, if you agree that one is warranted and now we're keeping the pressure on, right, we're keeping the process moving.
And so again, my whole aim and where I add probably the most value in terms of we're going to maximize the claim, we're going to measure it all. We're going to submit it. And we're going to shorten the period of time because whole process takes by having that open dialogue. And so, it's really important.
In the end business interruption claims are very complicated and they do take time. So, if your client thinks that this should have been done last week, we have to manage our expectations that this does take time. There's certain things and activities we can take on to expedite it. But at the end of the day, complicated claims absolutely take time.
So, we just have to be patient and diligent and we have to be responsive to the insurance company. We have to play hot potato with their requests for information and get them back over the wall as quickly as possible. And really just keep the, keep the pressure on the claims process. Again, we're looking to maximize the claim and get it done as quickly as we can, so our clients can go back to work.
Are we doing okay on time, Taylor?
Taylor M.: [00:26:27] Yeah, let's, let's go into the case study.
Jason C.: [00:26:31] Perfect. The first case study has to do with a global company that on June 27th was impacted by NotPetya. And for them, this was the big one. This was every location they operate in. All shut down, all came in the same day with the same message on their computer saying ransomware, which I'm not, again, this isn't my expertise.
I understand that they couldn't have even paid the money and unlocked it. Like it, it asks for money, but it didn't really want the money. So, every aspect of their business was shut down. In terms of shipping sales, even things like entering a building, you think about key fobs, et cetera. Also, anything that was running on non-PCs, Windows I should say, often was drawing from databases that were Windows.
So even though you may have had an Apple computer, all of the underlying databases were not Apple, and so every aspect was shut down. So, when we think about the business interruption values, this is the maximum foreseeable loss that you're reporting. Generally. It's not for a year, but it is the big one.
And so, for, for this particular client, they had a lot of claim components. They had to do an investigation to determine the source. Also identified any third parties that would need to be notified through the data breach. In this case there wasn't actually a data breach. It simply was you know, harden, or the securing of their networks so they couldn't use it.
They had to hire a lot of third-party vendors and internal labor. This is actually my example where they paid their salary people a bonus. A lot of, lot of work to do, to restore all of these worldwide computers, servers, networks, and bring them back. They had to harden the network because two things, one the same virus could go right through it.
But two. I understand that post cyber event, everyone of their, you know, everyone tries to re attack them until the vulnerability is closed. And so, they had to harden their networks. In doing so, sometimes the computer systems you have no longer can function. If you think about an older PC now you've encrypted it.
Sometimes they don't perform. So, it required a lot of updates and upgrades and things like that. And then of course business interruption was, was substantial. You could imagine, you know, step-by-step adding back all of these computers and PCs and servers and just because maybe you got back 50% doesn't necessarily mean that you're 50% efficient because there's a lot of integrated system that until, all of them are up, none of them are useful. You know, so it was, it was a very complicated matter. This didn't impact my client, but for those of you that have seen in the newsroom relating to this particular loss event an insurer has, an insurer has alleged, this is an act of war and said, they've enacted that exclusion.
And so that's in litigation right now because as I understand it, it had to do with, you know, I think Russia and the Ukraine or something in a tax software company or something. I'm the accountant guy, I'm not the cyber guy, but in any event, it was a substantial matter. There were many, many very large companies impacted by it that were equally impacted as my client was so.
Taylor M.: [00:30:12] Jason. In, in an event like this as large as this one for, for a global company, like you've mentioned, how long would you say on average, would it take to quantify and, and organize all the documents before you submit the business interruption loss to the carrier?
Jason C.: [00:30:33] Yeah. So, we did, we, we actually measured and submitted all areas of the claim so when it came time for the hard costs, we were communicating those as fast as we could. Right. Accumulating, not only the incurred, but the estimates to complete, we had work orders, POs, things like that. So, we're communicating the hard costs. We want to start that review the business interruption, you know, Oftentimes, we have to wait several months, right, to get actually to figure out what's happening and develop the methodologies, et cetera. So, we also issued multiple business interruption claims. So, we're again, that same process. We had a long loss period from beginning to end. I mean, granted, again, things start coming online and it's progressive. It's not a full interruption for the full cream, but we wanted to start that process early.
So, it gets to the hard cost. That's more straightforward. We're going to issue a claim, you know, within probably six to eight weeks. I mean, first you have to start getting invoices. That's what part of what the delay is for the business interruption. We're definitely trying to submit an estimate within, within six to eight weeks, if it's an estimate and then we really refine it and we might issue like a formal business interruption claim within the first couple months. And then we again, update it with the passage of time again, going through the audit process. So, if we have agreements, we'll incorporate that into the next round.
And again, it's all about managing the expectations, especially on a big, big loss like this, so that we're all on the same page, that this is a big loss.
Taylor M.: [00:32:10] Great. Thank you.
Jason C.: [00:32:11] Great. The other case study I have we've actually, this is not specific because we've done this probably three or four times, and it's the regional hospital ransomware.
Regional hospitals, I think generally don't have the IT budget. I think that they're probably easier targets. Some of them have very dated IT systems, again I'm the CPA so I'm- I'm just telling you what I understand. But they are regularly targeted and so we've had several where they had ransomware put into their hardware, their network, and they were unable to do patient charting, access prior charts, create new ones, perhaps operating MRI machine. I mean, everything is networked now. And so, for this, for these clients, they have to, generally they have to evacuate their critical care patients. They have to go on what's called emergency room diversion, which basically means they put a note out to all the ambulances.
That say, Hey, don't come here unless it's like a nosebleed, you know, if it's anything serious, you have to go somewhere else, which obviously causes business interruption also. And so, the costs generally, I think, every time I've dealt with this, they have paid for the decryption tool. So, they have those costs, of course, similarly to the last, they have to figure out how it got in and how to prevent it.
So, they have all of those costs. They might have notification costs that they had me, you know, patient files compromised. But the big point also of course, is the business interruption and here, with several that I've worked on, they actually had, what's called an extended period of interruptions. So, after all of their systems were recovered and tested and all that, well, it took a while for those ambulances to start coming back.
Right. They may have heard that they might be back, but they're not positive. And if I have a critical patient, I don't want to risk it. So, I went to the hospital that I knew could handle it. You know, maybe it was on the news, sometimes it is. And so, patients. You know, potential patients might just choose to go to a different hospital.
So, in each case they had a little bit of a, a ramp up once they were able to operate until they were fully back to normal in terms of the cost and revenue side of things. So those ones are typically not nearly as large, obviously as a big global shutdown. But they can be significant. They can be significant for a pretty small company.
And so, we do, we have seen probably again three or four of these relatively recently that are specific to community hospitals. So those are kind of the two examples of cyber breaches claims that I've worked on. I know that we've touched on a lot. I don't know if you have any other questions related to those examples or if we've hit our limit, but I really do appreciate being part of this.
Taylor M.: [00:35:09] No, I think that was all the questions that I had today. I will open it up for those listening. If anyone has any questions that they would like to ask Clay or Jason about the topics that they covered, let someone from McGriff know and we will be happy to connect you with either one of them or get your questions answered.
On behalf of all of McGriff - Jason, Clay, thank you very much for your time and thank you for this valuable information. Obviously, there is a lot going on in, in 2020 in the cyber world, and we really appreciate your time enlightening us at McGriff and our clients on what the trends are in the business interruption preparedness space so thank you both for everything today.
No problem. Thank you.
Insurance products and services offered through McGriff Insurance Services, LLC, a subsidiary of Truist Insurance Holdings, LLC, are not a deposit, not FDIC insured, not guaranteed by a bank, not insured by any federal government agency and may go down in value.
McGriff Insurance Services, LLC. CA License #0C64544