CyberSecurity: Risks and Opportunities for Investors and Managers
Summary: Friday, May 18, 2018 at the Cleveland Racquet Club
This note summarizes our well-attended sixteenth meeting of the Center for Free Enterprise, sponsored by JP Morgan Private Bank, the Calkins Law Firm and Red Hawk Associates.
About our distinguished panelists:
Paul Beckwith is Chief Security Officer for Progressive Insurance (#120 in S&P in 2017). He joined Progressive in 2010 from PNC Financial Services Group. He was at NCB for many years and held many roles in IT and security, including 4 years as the anti-money-laundering director. At Progressive, he is responsible for business continuity planning, physical security and the information security function.
Nick Chmielewski is responsible for managing the central region for Aon’s Cyber Solutions Group, which consists of 25 offices. Nick and his team are tasked with delivering cyber consulting services to current and prospective clients. His clients range from the middle market to some of the largest in the US. His work includes pre-loss cyber security work and assessments, testing cyber profiles and helping his clients manage risks, including in M and A transactions.
Chris Kakish is a Leader with Oswald Companies in the Professional Services Practice Group within the Property & Casualty Department. His current responsibilities include client consultation, stewardship, and oversight of the brokerage team responsible for the placement and negotiation of cyber liability coverage. His clients include financial institutions, private equity firms and professional service providers. Much of his work revolves around M and A transactions, usually in the middle market.
David Brown moderated.
3 Worries of the Panelists
- Security hygiene – lots of firms struggle with IT, keeping OS levels current, training employees in best practices for security, etc. The smaller the company, the more lax and vulnerable companies tend to be.
- Malicious code to mine bitcoin on your machines.
- If you are large enough to use the cloud, they can jump in on your place.
- Malicious intruders spend, on average, 190 days in a target’s systems.
- Risk management planning – vendors gaining access to you – how to qualify – vendors might have a bitcoin wallet – audience sees it as an IT issue – it is much more than that.
- General dos and don’ts of cyber training, prep.
Other Issues of Concern
GDPR – a lot of requirements for lots of people.
- If an EU business does work with you, you must comply
- See game companies not permitting use of their games in EU
- Lots of disclosures needed
- What is tech budget for an acquisition? Is it 5X systems & cybersecurity? Cyber budget is less than 10% normally, in M and A may be close to 20%
- Usually use a 3rd party – usually can’t do it before close
- Want to cover in reps and warranties insurance if possible – underwriters look hard at it.
- New products or services – such as rep and warranty insurance
Other Notes From the Panelists:
1. Have to know where your data is located – is key
2. Audience sees it as an IT issue – it is much more than that – need risk management planning – vendors gaining access to you – how to qualify – vendors might have a bitcoin wallet
3. In M&A, reps and warranties insurance is important.
4. In M&A, average days in a system by a bad actor – may be up to 300 days
- Perfect time for bad guy to mine data from 2 companies
- Biggest example was the $300M cost in past 2 years
1. Phishing piece is big
2. Employee training is key – see in investigations
3. In M&A, see bad actors sit dormant in an environment
- Importance of cyber tools as part of due diligence
- What tools?
4. Integrations roadmap – for best practices
- How to assess?
- How to improve?
5. Cyber products have really changed
6. Reps and warranties
New cybersecurity products identified:
Quote of the Day
“The hope of a secure and livable world lies with disciplined nonconformists who are dedicated to justice, peace and brotherhood.”
– Martin Luther King, Jr.