Decoding Cyber Risks: Mock Cyber Event – Ransomware Breach

Narrator: [00:00:00] It's 1:00 AM on Sunday morning at a local hospital. Phones are ringing and notifications are pinging on computers throughout the location. It seems like a normal day as nurses and doctors change shifts. One hour later, everything stops.

Phones and computers fall dead silent as an eerie message referencing a shadow of the universe spreads across every network connected monitor. Then without warning, the computers shut off completely. You've been breached and hit with a ransomware attack. This is a real event that happened to a Fortune 500 company and one of the US's largest healthcare providers.

One of the many unforeseen impacts of COVID-19 is how overcrowded hospitals cause healthcare providers to emphasize virtual services for minor health issues, further increasing their risk and exposure to cyber threats. Welcome to another episode of Decoding Cyber Risks with McGriff, an advisory series where McGriff's executive risk advisory team and their business partners sit down to discuss hot topics around cybersecurity and provide insights that help mitigate, respond to, and properly insure against cyber threats and events.

If you have data, you have risk. In this episode, McGriff's Taylor McLean is joined by Jason Trahan from Disaster Recovery Services and, together, they give us an inside look at a cyber-event.

Taylor: [00:01:15] Today on McGriff's Decoding Cyber Risks, we will be walking through an example of a cyber-event, specifically focused on the healthcare industry.

My name is Taylor McLean with McGriff, and I will be talking with Jason Trahan of Disaster Recovery Services this morning. Jason, first of all, we went in to say, thank you for agreeing to come on and talk about this very relevant topic in today's world. If you want to start off and give those listening a brief introduction to yourself and to Disaster Recovery Services, we can go ahead and get started.

Jason: [00:01:56] All right. Well, thank you very much, Taylor. And thanks for having me on today. As Taylor mentioned, I'm Jason Trahan with Disaster Recovery Services. I'm the commercial insurance claims practice leader for DRS and for the last 23 plus years now I have assisted clients to prepare, manage, and settle their claims from a variety of events, including cyber.

So I started my career back in, what is now big four public accounting. I've also worked doing claims within the broker arena as well before leaving to, to work with our team here at Disaster Recovery Services. You know, where we really focus on really being a turnkey solution for our clients after a loss event.

So excited to be with you here today. And thanks for having me, Taylor.

Taylor: [00:02:47] Jason, the first thing I wanted to ask you about was, especially with a lot of attention in the news recently about the Universal Healthcare Services breach, do you feel like the healthcare industry is more vulnerable to a cyber-attack right now as the world has been essentially forced to move more and more virtual during the pandemic.

Jason: [00:03:12] Yes. I mean, I think every industry really is a little bit more susceptible now because you know, when COVID-19 happened, everybody had to find a way to do things more virtually. So whether it's meetings, it went to zoom meetings and WebEx and Go To meetings. You know, we're all interacting in the workplace more virtually.

And healthcare is no different. Healthcare saw a big uptick in telehealth services. As a result of COVID-19 preventing a lot of elective procedures. It prevented patients from being able to go in and see their doctors for more routine type services so they wanted to free up the system to be able to deal with COVID-19 patients. That had a broad impact across the healthcare industry.

And actually even with the passage of the CARES Act, you know, a lot of those funds were encouraged to help healthcare providers develop more telehealth service capabilities, to be able to see patients virtually and in a safer environment. By virtue of all that going online, you know, bad actors have really stepped up opportunities now to get a hold of personal and private information, as well as just disrupt services to the healthcare industry in general. And that's kind of the scenario that we'll, we'll go through here today.

Taylor: [00:04:41] Do you have any advice that you can give to really any size of healthcare company that's trying to manage their IT security exposure while also ramping up their virtual capabilities and tools to continue seeing patients.

Jason: [00:05:00] Yes. I mean healthcare, like any other industry is, is trying to protect their IT infrastructure the best they can. And so they'll, they'll try to set up a, you know, a detailed IT safety plan, but a lot of that it costs money. And so what you'll see is organizations will invest in protecting the infrastructure the best they can, the best they know.

And then for that risk that they don't know about. Then they'll look to mitigate that risk through things like cyber insurance. So for the event that we'll talk about here today, so we've got our fictional organization here, Happy Feet Orthopedic Practice, or HF, that as a result of COVID-19 now sees approximately half of their patients online via telehealth and they've invested in expanding that online capability so that they can continue their business operations through the pandemic.

And then via social engineering email, a bad actor has now gained access and disabled that telehealth platform in a ransomware attack. And so this has now halted their telehealth patient services and potentially compromised patient health records.

So when an event like this happened, what should the organization do? Who do they call for help? How do they restore those business operations? And yes, they have their own plan, but as we'll see, next slide, cyber coverage can come into a big play in helping respond to that event as well.

So here HF notifies their IT forensic consultant services and their breach council, as well as their cyber broker. So whenever you purchase your cyber coverage, yes, you're going to notify your broker to activate these, but in placing that coverage, you're going to be aware of those vendors that are available to you.

And the most important one after a cyber-event is going to be your IT forensic consultant. Those are the IT guys that are going to come in and quickly try to assess what the problem is. What happened after the breach, secure your systems and then determine what scope is needed to help repair those systems.

In conjunction with that, you're going to have breach counsel. This is legal counsel that's going to come in and help the organization determine what's occurred. What is their liability as a result of that breach and help guide them through that process. And these are all vendors that can be activated through that. And your cyber broker can definitely help not only notify your insurer and get these vendors started, but then also help guide you through the process too.

And another one that we've got here is public relations and crisis management. So when a breach comes out, you know, and we all see it in the news organizations need to, to manage that brand reputation, what has happened? How are you responding to it? What parties have been impacted? Those communications are critical and a good PR crisis management firm can help manage you through that process.

And then finally here, the cyber team is not just those up above, but then also your internal points of contact to help restore operations, working to understand what backups are available, how you can get operations restored. And then also on the financial side, helping to quantify what's happened and gather that documentation that will be needed for the subsequent claim so that you may have as a result of that, and that can include both internal and external consultants.

Taylor: [00:08:42] One thing I was thinking about that I thought you've covered that was great. That I wanted to mention from the insurance broker side, you know, we try to stress to our clients, if you do have these relationships in place pre breach, you know, we really encourage that. But we always recommend coordinating with your insurance carrier to make sure your breach counsel, your IT forensic services firms. If you know your PR firm, if you have certain vendors that you, you have either retainers with or great relationships with, let your insurance broker know, and we can work with your primary cyber carrier to make sure that process is streamlined. They're pre-approved by your carrier or you have negotiated rates so that in the event of- of a breach, it's a smoother transition so I think that what you were pointing out is, is great, and getting ahead of it and having these reasons chips before is extremely important.

I also wanted to ask you, when clients come to you and they have these incidents, do you feel like most of your clients have detailed incident response plans in place so that they know who and how they're supposed to be notifying like you just discussed on the slide?

Jason: [00:10:00] What we really see is the larger the organization, the more likely they're going to have a sophisticated risk management department, a more sophisticated IT department, and they'll have a lot of those risk mitigation plans in place. As you get down to more than mid-size and especially the smaller healthcare providers, or maybe even individual physician practices, you know, they may have worked with their broker to purchase a cyber-policy, but they're really going to be dependent on the broker to help guide them through that process because they don't have as sophisticated an infrastructure as some of those larger organization.

Taylor: [00:10:39] Would you say that you noticed significant differences if there is a well-thought-through and organized incident response plan in place that would you recommend to clients listening today if they haven't done so already to, to work on implementing an incident response plan.

Jason: [00:10:58] Absolutely. I mean, it's critical. Pre-planning is key. As you mentioned, you know, just a moment ago about having vendors in place. You know, this is not a team that you put together after a breach occurs. You need to have all these vendors in line before this happens; it's just going to expedite the recovery and it's also going to help the whole claim process go a lot faster as well too, if you've got these teams in place, because there are a variety of different costs that- that you're going to incur after a cyber-event. And so in order to minimize those costs and the impact of your organization, it's really key that you have these teams in place beforehand.

So on this slide here under typical cyber claims expenses, you'll see PR and crisis management that we just talked about, also the investigation and forensics. The real tip of the spear after an event that's going to come in and assess what happened and help define the scope to restore you as normal. But then there's also going to be notifications. So that breach council, you know, based on what's happened is going to help you with those notifications as well as potential credit and protection monitoring from that lost or breached personal and private information.

And there's also the electronic data restoration. So once you've stopped and blocked off the bad actor, you know, how do you restore the data through backups, rebuilding those systems in those environments to restore your, your operations. And that's going to come with a lot of IT related costs. And then for some clients, there could be cyber extortion costs involved.

And you mentioned the Universal Health Services event earlier, and that was deemed to be, you know, ransomware event. And we've worked with a lot of clients who through necessity have had to pay the ransom to get the- the keys, to be able to get ahold of their data again, because either they had compromised backups or are non-functioning backups and there's coverage available for that.

And, and your broker and your insurer can help guide you is to how that process will play out. And then there's also security and privacy privacy liability costs. So as a result of the breach could be subject to fines, other legal costs. There could be settlements as well as even payment card industry assessments, if you're not following the proper protocols for those industries.

So these are all just sort of out of pocket costs that could occur as a result of a cyber-claim. But this hasn't even addressed yet the operational impacts they could have to your- to your organization, which we'll talk about on the next slide.

Taylor: [00:13:46] Interesting, on this slide, when I think about it from the insurance broker perspective and talking with the variety of clients and different industries, you know, when you think about certain classes of business, maybe a manufacturer or a company that does more B2B type work maybe some of these claims expenses are less likely to be triggered under the policy or the client is less likely to rack up large dollar amounts for these expenses.

But, you know, when we- when we really focus on- on the healthcare world, like we're doing today, but it really highlights to me that any of these claims expenses or insuring agreements on the cyber policy could be triggered and probably would be triggered and then would incur large expenses, you know, and as we've mentioned, a couple of times today that universal health services breach that we've all been watching, when you're thinking about it, from that perspective, I'm looking at this slide and I'm looking at, you know, a potentially very large cyber loss. So it- it, I think it's great that you walked through all these and highlighted them as we're specifically focusing today on the healthcare space. So I think that's great.

Jason: [00:15:02] Yeah, no. And, and I think you'll, you'll see that, especially you mentioned oil and gas and a lot of other industries that might say, well, I don't deal in a lot of personal private information, so I really don't need cyber coverage. There's not a lot of exposure there for me, but actually the biggest losses that we've seen in cyber are actually operational impacts.

Shutting down, whether it's shutting down factory operations, shutting down point-of-sale sites. And so it's not just that private information breach that cyber response to, but then also the operational impacts. And unfortunately, within the healthcare industry, they're faced with both.

They're holding a lot of very sensitive. Personal information and healthcare records and medical information that could be breached by bad actor, but then also on the operational side as well. So especially in the wake of COVID-19, whereas we mentioned most providers are having to go more to a tele-health type platform, you've got especially a lot of small and mid-sized healthcare providers that might see anywhere between 40 to 60% of their patients now through a telehealth platform.

So if that platform were to be compromised or taken down as a result of a bad actor event, they could not only see all the costs that we just discussed on the last slide, but then just operational revenue impacts by being unable to see their clients. And so that's what we're going to talk about a little bit on this slide here and some of the extra expenses to try to resume those normal operations.

So what we see with our clients that may have an operations or point of sale taken down, they're having to set up some sort of temporary operation. So they can get back to their patients or clients as quickly as possible. That could be setting up, well purchasing, PC servers to set up a temporary environment, maybe in a third party data center, trying to rebuild that environment, separate cloud services, to be able to operate that or if that external network is totally compromised, they may have to bring things in house.

And I've seen that with clients before having to set up a Wi-Fi network and that ran additional cost of bringing workers in-house to their main location, because they could no longer use VPN and remote connectivity. So they had to cover travel costs and employee expenses to get everybody at their home office to be able to resume operations as normal as possible in a very enclosed environment while the IT infrastructure was recovered, you know, after the cyber event. And, all this drives additional costs as well as potential business interruption or just that loss net income and continuing expenses.

From an operation. So if we transition to the next slide, we can talk a little bit about business interruption,

Taylor: [00:18:01] That is exactly my- what my next question was going to be, how has COVID-19 complicated quantifying a business interruption loss, or, you know, how- how have you had to make changes to- to deal with COVID-19 playing a role in, in lost income?

Jason: [00:18:22] Yeah, it's definitely complicated - the loss calculation. Whether you're a healthcare provider, or any other industry, COVID-19 has likely impacted your business. And so whether you've incurred a fire loss or hurricane or cyber event, as we're talking about here, as you go to establish your business interruption loss, at its basis, business interruption is trying to establish what revenues and-, and business interruption would you have earned had there been no loss of that? So over the last six months, everybody's been compromised to some degree. So there's been some sort of decrease in business and insurers are going to look at that and they're going to want to see how is your business or how is your industry recovering?

So, as we mentioned back in March, you know, all elective procedures were stopped for healthcare providers. So within April and May, they saw a massive impact in revenue generation within those sources. And then even as those elective procedures were allowed back, as we got into the late May time period, there's still a building back of the business.

And a lot of resistance for some patients to want to come in for an appointment. And so, although emergency care, you know, has resumed and restored as normal, a lot of those normal run of the mill checkups and, and patient visits has still been slow to recover and in the COVID-19 era. And if you're incurring a cyber-event in this environment, you-, you will have to find ways to demonstrate what your sales would have been had there been a loss of it.

So a couple of things to consider is you're looking at business interruption coverage within cyber policies is the different offerings. And the two ones that you'll see are gross earnings and gross profit. So gross earnings looks at things from a period of restoration as well as typically an extended period of indemnity.

So what does that mean? So if I have a loss event, the period of restoration is how long does it take me to get those physical systems and operations back to the same condition that existed at the date of loss? So that's, how do I get my website back up? How do I restore all the data? What is that time period that it takes to do that?

And whether that's one week or one month or longer, you know, that period of restoration measures my loss during that period. However, it may take longer than that for me to get my sales or my patient visits back to normal. And that's what, that's what an extended period of indemnity is intended to cover.

And this'll typically be a defined period, whether it's 30 days, 90 days, 180 days, what this allows is a time period for you to restore those business operations back to the condition that existed at the date of loss. So there's one option of coverage there.

The other is gross profits. Where this will be a defined loss period. So this is where you'll say, okay, I want to purchase a 90 day period or 180 day period, maybe even a 365 day period, and what this does is this will measure any of my business interruption losses during that defined period that I purchased under the policy. And where this becomes important as it really depends on the duration of your period of restoration after a cyber-event.

Do you feel that with your it infrastructure and your recovery plan, you wouldn't have a loss that would run much longer than a week or two, or are you susceptible for some of the claims that I've worked on before that or a month or longer before they get their systems back up and running? So if that's the case, you may want to consider the gross earnings versus the gross profit, the option, because if you have a very short duration period of restoration, but it takes you a long period of time to recover, then you may want to look at either purchasing gross earnings with a longer period, extended period of indemnity or just purchasing a gross profits option that takes into account what you feel would be that sort of maximum time period, that would take you to recover.

Choosing either of these options and what fits you best is where you should really work with your cyber broker to figure out what fits your organization.

Taylor: [00:23:00] Well, thank you, Jason so much for your time. And for all of this valuable information, it's clearly very relevant in an already risky cyber class of business. It's obviously even more relevant in today's world with all the continuous changes. On behalf of McGriff and myself, we want to thank you again for providing all of this valuable information.

If anyone listening has any additional questions for Jason or would like to get in contact with them, please reach out to your McGriff broker and we will be happy to put you in touch with him. Other than that. Thank you again, Jason, and looking forward to the next series with you.

Jason: [00:23:42] Thank you very much for having me, Taylor.

Narrator: [00:24:00] Hi, everyone. Thanks again for joining us for another episode of Decoding Cyber Risks. Before we go, our legal team wants to remind you that this podcast provides general information and does not constitute legal advice. McGriff, its representatives, and affiliates do not offer legal advice. Please consult your legal professional regarding your specific situation.

Thank you.