Deal management for security
Why choose airSlate SignNow
- Free 7-day trial. Choose the plan you need and try it risk-free.
- Honest pricing for full-featured plans. airSlate SignNow offers subscription plans with no overages or hidden fees at renewal.
- Enterprise-grade security. airSlate SignNow helps you comply with global security standards.
With airSlate SignNow, businesses get a deal management process that prioritizes security without compromising usability. Whether you need to sign contracts, share important documents, or collect signatures from multiple parties, airSlate SignNow covers those workflows.
FAQs: online signature
- What does a deal mean in HubSpot?
  In HubSpot, a deal represents an ongoing transaction that a sales team is pursuing with a contact or company. It is tracked through pipeline stages until it is won or lost. Deals, along with companies, contacts, tickets, line items, products, and quotes, are objects in the HubSpot CRM.
- What is deal management?
  Deal management is the sales operations process of overseeing and coordinating all aspects of a deal from start to finish. This includes identifying and pursuing opportunities, negotiating terms, and ensuring that all parties involved are satisfied with the outcome.
- What is a deal in Zoho CRM?
  The Deals module in Zoho CRM keeps track of all your business opportunities. To ensure a proper lead qualification process with all specifics, it is recommended to first create a lead, convert it into a contact, and at the same time create a deal and associate it with the contact.
- What is deal management in Oracle?
  Oracle's PeopleSoft Deal Management is essential to liquidity management, improving investment returns and reducing interest expense while improving the productivity of your staff. The solution offers streamlined deal initiation, administration, settlement accounting, and position monitoring.
- What is the difference between a lead and a deal?
  One key difference between leads and deals: leads cannot move along a sales pipeline. They need to be converted to deals before they can enter a pipeline. Conversely, if a deal stalls without being lost, it can be returned to lead status so your team can attend to other potential customers.
- What is a deal in sales?
  Deals represent sales opportunities and have a monetary value attached to them. Deals at the various stages of the sales process together form a deal pipeline, also known as a sales pipeline.
- What is the deal governance process?
  A well-defined deal governance process ensures that all potential risks are thoroughly evaluated and addressed before entering into any agreement. This proactive approach safeguards the organization's assets and standing.
- What is a deal in CRM?
  Deals are tracked in pipelines within customer relationship management (CRM) software. Pipelines typically contain custom deal stages, which are used to visualize the sales pipeline and to estimate future revenue. The final deal stage is reached when the deal is won or lost.
hello everyone this is good here all right welcome to acg's featured session on managing cyber risks my name is vicki fox i'm a managing director at eisen fox which is a boutique investment bank in milwaukee and i'm also on the acg wisconsin board of directors today i have the honor of introducing our three panelists on a topic that just keeps growing in importance and in ways that our industry often doesn't think about or expect these expert panelists will offer up some key strategies on how to address cyber security concerns that affect the deal making process directly with us today are justin daniels shareholder with baker donaldson justin's corporate practice consists of representing domestic and international technology businesses and business owners in all aspects of their growth cycle igor rosenblitt partner with iron road partners is also with us igor's unique combination of investing experience due diligence expertise and decades of service as the sec's primary private markets expert allows him to provide insightful and practical guidance to clients grappling with complex regulatory and operational issues and last but not least we have bavesh badani a principal with khon reznik bhavesh has over 20 years of experience in the field of information risk management security consulting and private advisory services the three panelists will be offering their expertise in middle markets legal operational and regulatory issues related to cyber security there will be time for q a afterwards but please help me join me in welcoming our three panelists [Applause] good afternoon everyone and thank you for attending our session and i thought maybe a great way to introduce our topic is i was walking around today and i'm sure a lot of you are trying to juggle your deal work with your networking and i wonder how many of you have stopped to think of hey i had to connect to the public wi-fi here and work on my deals i get better speed with my computer and to just stop to 
think and say hmm how might public wi-fi connected to my phone or my computer make my deal a little bit insecure just want you to ponder that and so i want to turn to our steam panel today and talk a little bit about how are you seeing some of the threats evolve in the cyberspace when we talk about m a transactions and a lot of the deal work that our audience does um sure from our perspective so we uh serve a larger and middle market managers uh uh from a compliance standpoint and when i was at the commission five or six years ago um it would be regular practice for managers to get phishing emails and for managers to get ransomware and the threat landscape has just evolved and the regulator has evolved with a threat landscape the sec now has a unit in the division enforcement focused on investigating cyber security breaches and not just cyber security breaches at managers but also cyber security breaches at portfolio companies and so you run the risk as a manager of not only falling prey to some of the cyber security bad actors but to pour salt in the wound you then run the risk of at the same time being subject to an enforcement investigation by the securities and exchange commission and there are lots of uh kind of hooks and approaches that the commission uses with uh with that um and at the same time i think investors have evolved their view of the threat landscape and i think the important thing to say there is that it's worth noting and i we work a lot with investors it's worth noting that investors are willing to pay for good cybersecurity hygiene at their portfolio companies and occasionally at their managers as well and um i would anticipate as i'm sure all of you would as well that this situation is only going to get you know more intense not less as time moves forward yeah and if i may just step back right i mean why are we talking about cyber security now right i mean it's because we have evolved as a business i mean if you talk about cyber security and 
i started my career in the late 90s and i still joke about it when the only two sectors that cared about back then information security was financial services the large financial institutions and the dod not even our civilian agencies cared about information security why because information was not relevant or as relevant today information is currency in the business world right and the reason for that is because we are a connected economy the word cyber actually means connected that's why information security became cyber security is because we are a connected ecosystem how many of you in this room today to justin's point are trying to make deals on the fly while using your laptops your assets your phones why is because you're connected with applications with software assets with your clients with your prospects which are investors at a speed of light what does that do that has now become a risk to a business so cyber security has evolved it's become a business risk and as businesses are evolving the risk and the threat landscape evolving regulators are paying attention to it and that's why they are coming out with regulations to protect the businesses because frankly right now it's very hard to keep up with the evolving threat landscape and it's not just for the investment advisors the fund advisors the fund managers the pe firms the independent sponsors it's even for the large organizations because systems evolve hence risks evolve threats evolve businesses evolve we need to stay up to date with that and we are far behind so that's why we are where we are today and cyber is a big issue is because we are connected economy we want results right away but we are not upgrading our operations our infrastructure our view or maturing it to a point where we can sustain that growth and success and just to add one more thing about the regulator so i served for 11 years at the commission i think i served under seven different chairs and the obama administration the trump 
administration and then the biden administration uh you know as you would expect the democrats and republicans agree on almost nothing except for one thing and that is that uh cyber security is an important thing to invest in as a regulator and so no matter what happens in the future i would expect that the sec would continue to invest in cyber security expertise and uh by the way both in their own expertise to protect themselves and also to make sure that the registrant population is protected and i think that just will no matter what will ratchet up the pressure on managers so another thing i wanted to talk about is another good question for the audience is it seems one of the challenges you have with cyber security is in a word it's inconvenient so how many in the audience today do you use multi-factor authentication for all your banking websites all your other important websites and i wanted if our panelists could talk a little bit about some of the challenges that you see on deals to really look at cyber security when it impacts roi you might have to spend money on it you have to spend time doing the due diligence a lot of that is inconvenient when the cadence of the business deal is we're getting this done in the next 30 days and that's the way it's going to be well not only is it inconvenient it's amorphous so it's unclear if you invest x amount of dollars in your cyber security it's really unclear whether or not you're going to stop the next cyber security threat on your portfolio company but i don't think that's really the right way to look about it look at it i mean as a private equity manager you have a fiduciary duty to your clients to do what you can to protect their investments and that is a duty that you should take seriously regulators take seriously and i know your investors take seriously and even if you can't stop the next threat you need to do probably something a little bit more than just a minimum to make sure that you you can prevent it and i 
think it's some level that becomes existential for you as a manager doing the right thing even when the result is not always assured i mean i i'll just ask each one of you here how many of you have home security alarms and security system yeah why do you have them aren't you in a a neighborhood that you feel safe anybody yeah why do why do we i'm assuming a lot here have life insurance policies don't you all keep up with your health and and go to doctors and all and the point i'm trying to make is at the end of the day we all view things that are important to us and that's where cyber is going cyber is important to the business community we cannot view it as an expense item it is more of a item that you need to expend dollars to make your business better because your business depends on that right uh i was having a conversation with the ceo of a mid-market company about 550 million dollars in in revenue and the same conversation happened and my basic question to them was okay you you have revenue growth you know you are in a particular industry which which positions yourself to having twenty percent growth over five years let me ask you this question where is that growth coming from and he went along to say about his business model and my one question was do you know what data do you have in your environment today are you 100 confident about that because he was telling me that he feels that they've invested enough on the security of his environment and i asked one question i'm like do you know what data do you have in your environment today with with reasonable assurance and give me the percentage his percentage answer to me was pravesh if i was honest with you i don't have an understanding of even 50 of my data in my environment if you don't have 50 if you don't have an understanding of the data you use for your business in your environment what data protection strategies or cyber security strategies did you even employ that you feel confident is going to protect 
you from a breach and the point of this is and justin you can chime in here from a legal perspective the point of this is we are doing business on a regular basis where information is shared on a regular basis at a speed of light with the transactional uh diligence process that we all go through at the end of the day that information is what allows you to do the business and if you cannot protect that information reasonably with having good adequate controls or protocols in place you're always going to have an uphill battle they're always going to fight it now to igor's point how much is enough and unfortunately that's the point that even the federal agencies and some of the regulators are trying to figure out is there a formula and unfortunately there is none because again cyber is very relatively new if you go to an underwriter for life insurance policy they'll tell you yes i have a i have enough data to say you know what life expectancy is going to be up to 90 years right and in that i'm going to give you an um through my actuarial services i'm going to give you this percentage cyber is relatively new but i can tell you this in the next 10 years you will have that data where you will have an understanding of what percentage should i invest that will give me enough protection i i want to try and answer the how much is enough question and then i have a question for you the way the regulators view it is that they view everything through the lens of hindsight and so if you have uh any sort of breach the regulator will show up and say well you obviously didn't have you didn't do the right thing because you had this breach and whatever counter measures could have been deployed to prevent this breach you didn't deploy them and you will be in a position to defend yourself and explain why what you had was reasonable and so when you're thinking about what you're going to do and this is kind of how we advise our clients on everything think about sitting across the table 
from a regulator and say yes i had an issue but look at all the other things that i did and i guess my question to bavesh and justin is if you had a limited amount of capital and a limited amount of time where's the best bang for your buck to invest in for private equity managers for cyber justin do you want to go first so interestingly enough even though i'm an m a lawyer by trade i've handled multiple ransomware and data breach engagements for different private equity funds so my view of it is is from a more tactical point of view it should be table stakes now that everyone in the organization uses multi-factor authentication while it is not a cure-all the cost to upgrade to a microsoft license that allows it is minimal and you get a lot better protection the other one more on a business strategy end another question for the audience is do you have someone at each of your portfolio companies who is solely responsible for security because when the i.t person is also responsible for security that means you have no security because the last two or three ransomware events that i've handled were basically the root cause of it was somebody was working remotely who had domain administrative level credentials and they didn't have multi-factor authentication why was that because we moved so quickly to the remote workforce and the i.t person was in charge and they had a laundry list of stuff to do to keep things going keep people working keep the revenue coming in and that thing about oh that multi-factor authentication well it got put way down the list until the threat actor got in and they encrypted the whole network so in my view multi-factor is the number one tactical thing but just from an overall security standpoint you need to start with someone who is going to be the owner of security and that's what they do because again i t and security are always going to be at loggerheads because one is concerned about security and other ones concerned about efficiency yeah and 
i'll just add to that right i mean if you i tell my clients don't boil the ocean you don't need to start with the basics of security multi-factor is one of them you know don't allow access to information where it's not allowed yes it's an inconvenient to go to ten different folders or create access spend the time understand where your crown jewels are you know your business best right nobody can tell you your business better than you can so if you know your business best you should know what are your most critical assets or you can call it crown jewel or however you're going to determine and you make sure that you're protecting those assets with everything you've got including you know the term that you'll hear from a security perspective is defense and depth no different than any other terms such as risk management where you're trying to rely upon multiple stages of defense so that you're protecting your assets but the key is that's where you should invest the dollars and in today's day and age technology has actually become much more available and it's become a lot more cost effective so when p you know pe firms or or even actually uh target companies portfolio companies if you're thinking about it there are plenty of options available to you whether it's cloud-based or sas platform that you can take advantage of for a relatively low cost and a lot more protection right including microsoft microsoft is a gigantic firm but microsoft has come out with small business small to mid-size business cloud offerings especially for this so that they can extend the security features and because microsoft has so much buying power you can take advantage of it and say yeah you know what i can i can rely upon the security of of microsoft because if microsoft is doing it which has so many clients across different industry verticals and size i can take comfort in it so there are avenues available it's a matter of thinking about it right so where would you spend dollars make sure 
that you have the right i.t cloud solution right for pe firms that's the way to go make sure you have a security governance structure in place to justin's point somebody who owns security not somebody who's doing part-time and tactically do the basic things multi-factor authentication access control do not give access to everybody and anybody and have a resiliency plan oftentimes pe firms will come to me and say that's just a documented plan no it's not because it's not a matter of if you are it's when you will know you were right and at that point you need to get your operations back up and the only way to do it is with that resiliency plan incident response plan or the recovery plan because people will know exactly what they need to do and i i will add one more and this is you know has to do with how the federal securities laws are structured pretty much every large sec cyber enforcement case had to do with a failure of incident response and just from a regulatory perspective having a good incident response policies especially as they concern uh evaluating whether or not you need to inform your investors um i think it would be money well spent so justin let me ask you this question right i mean one of the things that we were talking about while we're preparing for the panel is you know pe firms care about diligence right you have a certain period of time and you need to get the diligence activities done so that you can go to closing you know what are being an m a lawyer and from your perspective what are some of the steps you would ask a pe firm to do as part of the diligence process so that they at least have some comfort with their cyber security so portfolio companies so when i've worked with pe companies usually after there's been an incident with a portfolio company things tend to change but i look at this process as a three-layer chocolate cake if you do these things you get the cherry on top which is the roi on your investment so what is that three layer 
chocolate cake number one is what are the type of questions that you're asking and for me it starts with three questions i might say hey can you provide me a schematic of your network that shows me the assets that are on your network and hey how does data flow through your network so i know where the data is the second thing i might ask you is what is your information security plan written and then how does cyber security report up to the board so they find out about these things and since what do you think the answer is if i said to all of you hey i would like to bring my third party diligence team and get on your network and we're going to look around what's the answer going to be the answer is not no it's hell no so then what kind of questions are you asking and then what are you building into your reps and warranties because what is the average amount of time that a threat actor is in your network before they engage in their mayhem anybody know about 270 days so think about security being a fundamental rep and some of the other different ways you have to look at cyber and then last but not least and this kind of builds upon the the past session about integration from our opinion from a cyber security point of view resist the temptation to go and integrate your network because once you have the network now you can send your security people in because the moment you as a pe group connect your network to the portco even for financial reporting now you have a connection so what does that mean if there's an undetected intrusion they can simply move across onto your network and if you don't believe me we can ask marriott that's exactly what happened when they merged with starwood so that's my kind of three layer chocolate cake approach to that problem you know i think for the sec it really comes down to um at least from a regulatory perspective uh it comes down to the disclosure um to investors and i guess in terms of the questions you would ask before kind of 
engaging at least the questions the commission is going to ask right now before kind of engaging in any sort of investigation is what did you tell your investors you were going to do from a cyber perspective and a due diligence perspective when you sold them your fund and did you actually do those things and you know with extended fundraising times and with multiple people fundraising it's more difficult than you think to um figure out exactly what your investors were told about cyber connected to what you're actually doing about cyber um right now and uh to take any remedial action i think that that that's a really worthwhile because the delta between what you told your investors and what you did is the primary legal hook that the sec will use to investigate you and if you take a step back and just spend a little bit of time identifying your disclosures and identifying your practices it might actually not take as long as you think i mean one of the things that we do a lot of cyber 90 diligence right and the basic premise of this again goes back to no business today can do business without the backbone of i.t right you need it applications you need i.t systems even for your quality of earnings you rely upon a system that's generating a report so that you can reconcile that or have some assurances on that how do you know that data is accurate and complete to begin with or is reliable because guess what the it system can be fudged with all the back-end numbers all of you remember enron don't you that's how enron came down it's because the cfo and the controller were fudging the numbers they were over s they were they were over reporting the numbers on many cases right why do you think that doesn't happen right now in the portfolio companies yes you have reps warranties yes you have certain disclosures that you put out there and you protect yourself but the point of this is it's very important in the diligence process to ask some of those tough questions and use that 
as part of your assessment whether you want to move forward with the deal and then protect yourself i have two examples i can share with you and i cannot disclose the names but you know we actually helped a very large pe firm go through a transaction that they were they were about to make and we actually found through the diligence activity that the portfolio company was breached three years back and they had no idea the target company that they were acquiring that this company was breached and their data was in the dark web for sale and we were able to go back to three years of record we purchased from the dark web from the perpetrators and we proved it that your data was on this particular platform at this particular time time with the screenshots that basically opened the eyes for the pe firms to say yeah we could have inherited a big liability because there was consumer data in it social security numbers so the company now protects itself by having an escrow account and putting aside dollar a percentage of dollar there to protect themselves in the event if that breach that happened three years back is going to be some kind of a legal liability on them now if we hadn't done that or if they were not prudent enough to say no we want you to do a proper diligence on this we wouldn't have found it that's one example and the other example is very similar to this is not the marriott it's a similar example of marriott where portfolio company uh they acquired the pe firm acquired the target company they had a bolt-on added to that they acquired and they wanted to integrate guess what happened the baltimore was attack was breached 18 months i think if i remember correctly and that just connected a pipeline or reporting into now the target company and eventually into the pe firm and that malware has actually traversed it back into the pe firm just nothing but by an api which is essentially an integration between the three networks hence resist your temptation to quickly 
integrate the network because that is literally your last line of defense because once you have that connection established and they've been in the network now they move laterally onto your network and i've seen cases where you've acquired a company maybe the bolt-on was three million dollars but then the ransomware engagement is 10 to 15 million dollars and going back out against the seller doesn't solve it and then of course you have the reputational issues because all of us in here as well as being with the pe firm or whatnot we're all consumers and so we're all aware of certain companies out there in certain industries now that have gotten really bad reputations over how they treat the data our data as well as the security that surrounds it yeah i mean that's the reason why sec just proposed a a cyber security disclosure rule that if it actually passes it's going to require fund managers to disclose cyber security incidents it's going to require fund managers to actually have board oversight and have a cyber security plan and it's going to require them to follow the five key principles of cyber security and make sure that any funds there the fund managers and any investments they're making that the they're they're doing some due diligence and assessments of those companies before investing the dollars and this is chances are it will pass there's a high likelihood of that and just to be clear when you disclose your cyber security incident the next step is you'll be investigated yep and the disclosure has to be in within 48 hours of you identifying the incident now question we always get is how quickly can i identify this incident well the only way to quickly identify incidents is if you have a good cyber security program and you've invested in tools and technologies that can help you identify those incidents well interestingly enough from your experience for the benefit of the audience what exactly do you know when you're handling a cyber incident in 48 to 72 
hours not much right good and my point is by not knowing much so we're you're all a customer you use a particular app with like a healthcare company to credential and you're a hospital and all of a sudden they're down for three days and they put the sign on their website that's saying we're having a network outage usually when you see someone who's having a network outage that is code for we are having some kind of cyber incident and so when you're what's your reaction if you have silence from this company it's what negative and so my point is when you don't have a program in place and now you're faced with this situation you can handle the event and try to protect yourself from legal liability but technically if you're not providing the service you're in breach of contract and that goes on for several weeks and you start losing customers you're not getting them back and that's kind of another cost that people don't think about because you can't just focus on your legal liability because if you protect that but don't have a business to run because you've lost key customers what have you accomplished you know one one of the things i i've always in the cyber security world we have folks who look at things with a very uh gloom and doom eye because and it's not because they they really care about it from that perspective only it's because that's the way they have to look at it so they can prepare everybody else what potentially can happen right so when i'm talking to pe clients and i'm telling them it's not all gloom and doom it's you can protect yourself by doing some of the basic things the issue runs into is it's going back to the speed at which we want to close transactions or we want to go to the next deal and the next deal and the next deal and in the process we forget that there are basic blocking and tackling things that we just missed right so cyber security is going back to it's a business issue it's not a point in time oh i did it today i forget about it 
that's not how you want to deal with this you want to look at this and say pre-diligence or pre-pre-close and due diligence what did i find to igor's point did we have enough issues and they're identified and again nobody's perfect and i will tell you this you will never get complete security you want reasonable security to a point where you feel comfortable that you have enough control over it as as a fund manager pe as an investor or pe firm so that you can come up with a road map to help your target companies get to a point where they can self-sustain and protect themselves right but you don't stop there it's a continuous cycle and as a pe firm you should be thinking about saying if i've invested x amount of dollars i want to make sure that my investment is protected equally right that i don't get any surprises later on which is what ends up happening majority of the time because the target company has a technical debt and you have no idea what that technology that is or technical that is because you've not done a thorough diligence on it and now you've you know the target company comes to you and say you know what we have a two million dollar software license fine because we were using licenses that were expired how are you going to react to that oh where did this come from the reason you didn't know is because you didn't have continuous monitoring on that right so the point is this is it's a journey you can't stop at one point you have to continuously evolve in the journey keep monitoring and then get better at it right i have clients pe firms over the last two years have become so good at it that they've actually have cost of economics now and bargaining power across our portfolio companies with some of these security solutions you know including master's uh master cyber security insurance providers they're talking to them and they're making sure that they're all on the same foundational security tools they have the same master cyber security insurance 
provider, so they're actually leveraging that on the business side and saving some dollars.

How many of anyone in our audience had to go and renew the firm's cyber security policy? How much fun was that? How much was the increase, what percentage? The percentage increase experienced has been 30 to 50 percent, with increased premiums, significant underwriting, to the point where if you don't use MFA you're uninsurable by 80 percent of the industry. In fact, I was in the middle of a ransomware engagement, the insurance company went off the grid and nobody knew why until we read in the paper they'd been ransomwared and paid 40 million dollars to get their network back. Thank God we got their approval to pay the ransom before they went off the grid. But my point is, a lot of people have thought in the past that insurance was a viable way to transfer the risk, and obviously everybody in this room has probably worked with reps and warranties insurance, but now you have to be very careful about using reps and warranties insurance, because is it going to cover the cyber risk, and if so, technically, what will it cover? A lot of them will carve it out. And then what will the cyber insurance cover? Because I'll give you a good example of this: how many of you have actually read the definition of what "computer network" is in your policy? Would it surprise you to learn that in many of the policies the definition excludes personal devices of the employees? So what happens if you have a breach that results from an employee who got their own computer to work at home, because we had to pivot so quickly? What's the insurance company say? Are they going to be nice and cover you out of the goodness of their heart, or are they going to turn around and say "no coverage, PS, have a nice day," or "you are no longer covered"? And the underwriters will come back and say insurance has lapsed, they'll decline. I mean, we've got situations where, in the recovery stage from an incident, the cyber security insurance company has
come to the client and said, "we're no longer doing business with you, you're no longer covered through our insurance, we've taken it back, we've canceled the insurance." So, you know, you got 30, 20, 40; you guys are lucky. We have clients who are not getting any underwriters to write a policy for them, or any cyber security insurance providers willing to give insurance to them, because of some of the reasons that Justin just mentioned: no MFA, no insurance. You told them you will get MFA in the next six months, but you decided not to spend those dollars. Guess what? No longer eligible for coverage.

I have a question, mainly I'm curious about it: what role does training play in good cyber security hygiene, and who should get trained?

Very good question. Let's ask the audience, including portfolio companies: how often? What's the consequence if you're doing the training and you click on a simulated phish? What do you think the consequences are the first time? The second time? So right there, there should be, but are there, right? That's a basic question, that's a basic premise, right?

Or, right, I was going to say, or conversely, I apologize for interrupting: what incentives can you give to a department to get the phishing rate down really low, or have incentives? So I've worked with some companies on creating not just the stick, because the stick in this doesn't tend to work, but what are some carrots that we can put out there so that people want to get trained? Because, you know, most of the time when there are breaches, you know where you can trace it back to: it's us. And so training is really important, but some of the other questions around it are, well, how do you make it fun, how do you make it interesting, what incentives can you provide people to actually want to do it, and be consistent about it?

So we have a lot of smart people here, right? Everybody answered everybody should get trained. Let me ask you a very difficult question, and actually it's a very simple question with a difficult
answer: how many of you or your firms actually provide security awareness training to every single employee and the portfolio companies? One, two, three. That's it. I heard many saying everybody. So I know there are many of you in there, but that's the point: humans are the weakest link, because we are the most susceptible, and the reason for that is because we have emotions, right? We are not robots. If we were run by robots, trust me, our cyber security incident rates would be much lower, and there's actually a study right now that's happening at Howard and MIT, and they may actually publish it, saying if ever the workforce has humanoids, cyber security incidents will go down, right? It's because we are humans, we have emotions, and depending on what's happening on what particular day in our lives, personally, professionally, that affects the way we think, right? So there are studies right now that are tying neuroscience impact, and how people are thinking, and emotion and empathy, to how people click, right? So our awareness training that we do, some of it is cookie-cutter, but some of it has to be more targeted to the audience, to the folks, to the employees, and make it fun. To Justin's point, it has to be fun, otherwise you're not going to be engaged, right? So the goal here is the one lesson, if ever, you know, to Igor's question, what role training plays: I would say it plays the biggest role. You could have the best process, you could have the best tools and the best technology, but if your people aren't trained, all that investment is not going to make any difference to you, right? And that's one question that everybody keeps asking me: what keeps security professionals, or people like us in the industry, up at night? It's not the next hack, it's the people. It's the inability of the people to understand, or the lack of awareness, situational awareness I should say, at a particular point in time, for folks to use the training that they've been provided, or their reflexes or their thought process, to
say "no, I'm not going to click on that link, no matter how many gift cards I'm going to get out of that," right? That's the point, and that's what keeps us up at night, because I can deploy the best security tools, but I cannot deploy a tool against human; there just isn't any.

I guess one of our goals for our session today is to kind of have another opportunity to educate you about what this is and how it can be different, because I can just watch at the conference: I'm sure there's many of you who are trying to network, you're harried, you're getting a bunch of emails, it's just so easy to click on something that you shouldn't, because you're going in four different directions, because we're all under a lot of stuff to do. And I guess the thing I would suggest to you is, let me ask the audience a question: when you were growing up, did your parents use the seat belt in their car? Or did you? I really didn't. Well, what changed? Nowadays, when I get in the car, what's the first thing you think to do? You don't even think about it, you put your seatbelt on. Well, we had Mothers Against Drunk Driving that put on a big campaign to educate people that seat belts could help save lives, and then we started to pass laws in every state, but we have seat belts; in fact we have regulations that make us ensconced in airbags in our car for safety. And so the question is, what can we do, or how do we educate people, so that cyber security becomes literally the digital seat belt of the 21st century? And we can make it happen. Not tools, not technology; it's humans. We can make it happen. Should we take questions? Yeah. Yes, sir.

I recently ran into an issue, and I don't know if you folks have thought about it or mentioned it, where the client was breached and it turned out that we couldn't pay the ransom because the extortionist was on the Specially Designated Nationals list, meaning it was illegal to make that payment. Have you talked about redundant systems or other ways to address that sort of a
problem where you just can't make the payment and get your systems back?

I'll take that one. So, just so everyone in the audience knows what's being talked about: if you make a business decision to pay the ransom, the Office of Foreign Assets Control is the part of the Department of Treasury that deals with foreign policy, and so there are certain people that we cannot do business with, or you can get prosecuted by the government, and if you're on that list, their wallet or other, that's where the question is coming from: you are legally prohibited from paying it. Your insurance company will not let you pay it. And so, to start to try to answer your question: it used to be that if you had backups and you stress-tested your backups, that would help you, but the latest iteration from a ransomware perspective is what's called double extortion ransomware. So what they do there is they get into your system, they do their reconnaissance, they exfiltrate the data, and then they encrypt your network, and then they basically put you into the Kobayashi Maru type of situation from Star Trek, where if you don't want to pay the ransom they'll just download it on the dark web, and even if you pay the ransom they still have the data. So in that instance it makes the situation incredibly difficult, and it comes down to a business decision. So at least in that instance, if you have a backup, at least you'd have data to run your network and you'll just face the consequences of the release on the dark web. But if you've been in other situations like I've been, where the whole network gets encrypted and the backups get encrypted and you have nothing, that's even worse. But that's kind of where we are, which is why we try to talk so much about taking these preventative measures, because if you're put into that situation and you have no backups, you're in a serious situation, and I can expect what people might do there. It's literally between getting prosecuted and you have no company
and no network. I think we all know what the choice will probably be.

Yeah, and just to add to it, from a technical solution, there's actually a solution, how to prepare for a situation like this. I mean, how many of you remember tapes, backup tapes? All right, quite a few, right? So what if I told you that the industry is actually thinking about introducing the backup tapes again? Why? One of the advantages of backup tapes was it wasn't connected to your network; it was literally a tape library, right? That now is actually what they are calling the off-site backup, right, offline backup. It used to be off-site: you put the tapes, send them to SunGard or Iron Mountain, and they would store them for you in a temperature-controlled place. Now that same concept is happening with the offline backup, where, to Justin's point, cloud systems are all connected, the backups are all connected, but now you're going to go with the technical solution that says I'm going to keep a copy of my backup, my entire environment, offline. Maybe it's a tape, or maybe it's a completely different disconnected solution. So there are systems out there, there are solutions out there, there are ways to mitigate that or prepare for it. But yeah, if you get into a situation where you have none of that, you know, rock and a hard place, right? You're in a really bad place there, and it becomes a business decision.

Was there a question down here, down front? Yes, please. I'm coming with the finger, just go.

Thanks. Hi, so I represent, as outside counsel, private equity funds of different sizes, from emerging to RIAs, and I think the question ultimately is: is there a one-size-fits-all with respect to cyber programming and management, or where do you think the SEC will land on this?

If that's a question for me, I think the SEC has just two kind of different modes: one is you're a registered investment advisor, or you're not. And then the SEC relies on the notion of policies and
procedures and technologies being reasonably designed for your manager, and so if you're a smaller manager your policies will likely be a lot lighter weight than if you're Blackstone, and in that way the commission creates flexibility for itself to regulate as they see fit. It's kind of an uncomfortable place to be if you're a manager, but in fact they do this with every aspect of regulation and every aspect of the law. And that's why I think our recommendation to our clients would be: just imagine yourself sitting across the table from an SEC examiner or an investigator saying, "well, a breach happened." What your response will have to be is: "yes, a breach happened, but look at all these countermeasures we employed, and our policies were reasonably designed to prevent that kind of breach." But in many ways I have a lot of empathy, as someone who was at the commission for 11 years: if an incident happens, by definition there's some failure somewhere, and that's what the SEC will hang their hat on.

Yeah, but it's not a one-size-fits-all, right? So to answer your question, can you apply the same view of a cyber security incident in a large company versus a small to mid-sized company? It's not the same lens, not the same view, right? So it's not going to be the same program either. It should be tied to your business, it should be tied to the objectives of your business and how you are essentially positioning your business, right? That's what you should be thinking about as an organization when you design your cybersecurity program. You know, it's an analogy that once my client used: "you know what, I'm okay with the Honda, I don't need you to design me a Ferrari of a cyber security program," right? So it's the same analogy: you can have cars of all different budgets, all different types. It depends on what you as a business think is going to be the most valuable for you, and it's going to give you the most value for the dollars you're going to spend and give you the risk mitigation, risk
management comfort as a business.

And just to step back a bit, there are actually not a lot of cyber security rules. There's, you know, Regulation S-ID, which is focused on identity theft, and there's Regulation S-P, that's focused on PII, but in the end the commission will always default to: what did you tell your investors you were going to do, and did you actually do it? That's going to be their first kind of investigative thrust. And then on the incident response, their question is going to be like, did you fulfill your fiduciary duty to your clients by informing them that their data was breached? They really have no other hook. And even if these rules are passed, you know, this cyber rule really requires an annual review, but it doesn't really say what your procedures look like, that you even have to have reasonable procedures. But understanding what you've said to your investors and what you're doing is probably kind of the biggest bang for your buck from a regulatory perspective.

Anyone else, any other questions? We'll happily hang out if there's other things you'd rather ask privately instead of publicly. I think that's it. Okay, thank you, everybody.