Cybersecurity Awareness Month with Pamela Hans of Anderson Kill

Welcome to RIMScast. Your host is Justin Smulison, Business Content Manager at RIMS, the Risk and Insurance Management Society. In this episode, Justin interviews Pamela Hans of Anderson Kill on the many aspects of Cybersecurity, including who is responsible for it. (If you have a networked device, it’s you!) The discussion covers the effects of the new SEC ruling requiring many companies to report a cybersecurity event within four days of discovering that a material event has occurred, and what that means to you and your organization. Justin and Pamela also review her presentation at the RIMS Canada Conference 2023 and how a potential problem became a fun opportunity.   Lots to cover in today’s episode. Let’s get to it.   Key Takeaways: [:01] About RIMScast. [:14] Register for the RIMS ERM Conference 2023, which will be held in Denver, Colorado on November 2nd–3rd. RIMS will also host an ERM-based tour of Ball Arena in Denver on November 1st. Limited seating is available. Visit RIMS.org/ERM to register and listen to this episode to hear the code for 10% off your registration! [:41] About today’s episode on cybersecurity and presentation skills with Pamela Hans of Anderson Kill. [1:01] All about exciting, upcoming RIMS events! Would you like funding to hire a risk management intern in 2024? If so, take a moment to apply for a Spencer Internship Grant. The application form will close on October 15th. The link is in this episode’s notes. [1:28] If you will be attending RISKWORLD 2024 in San Diego, California, take a moment to sign up as a volunteer judge in the Spencer-RIMS Risk Management Challenge 2024. This is our annual international student competition. Full details can be found on the Spencer website at Spencered.org. Get involved; participate. We want to see you there! [1:52] Head to the RIMS.org/Advocacy page to register for The RIMS Legislative Summit, which is returning to Washington, D.C. on October 25th and 26th. [2:04] The RIMS ERM Conference 2023 will be held November 2nd and 3rd in Denver, Colorado. On November 1st, RIMS is hosting an ERM-based tour of Ball Arena, where the Denver Nuggets and Denver Avalanche play. There is limited seating. Register at RIMS.org/ERM2023. At checkout, type code 2023RIMSCAST for 10% off registration! [2:52] The ERM Conference 2023 will be different than years past. We’ve got some great changes. Book your travel plans now! RIMS will host a Post-conference Workshop for the RIMS CRMP from 9:00 to 4:00 MT on November 4th and 5th. Save $100 when you register for the conference and workshop in one transaction. Links are in the notes. [3:24] It is October; it’s cybersecurity awareness month in the U.S. and several other areas of the world and that’s why I’m so excited to introduce our guest, Pamela Hans, managing shareholder of the Philadelphia office of the law firm Anderson Kill. She focuses on insurance coverage, which includes cyber. [3:45] We’re going to talk about cyber trends. I met Pamela at the RIMS Canada Conference in Ottawa last month where she was delivering a session on “Getting the Deal Done.” We’re also going to hear her tips on how to handle the curveballs that might be thrown at you ahead of a live presentation and how to turn them into opportunities. [4:16] Justin met Pamela Hans of Anderson Kill on the last day of the RIMS Canada Conference 2023 when she was hosting a session. Pamela knows cybersecurity and October is National Cybersecurity Awareness Month in the U.S. [5:57] The trend of the phone calls Pamela gets is all about ransomware. A threat actor freezes up the system, completely takes control, and demands a ransom in return for a description key. But the trend in cybersecurity is data breaches to steal personal data. Recently Topgolf, Freecycle, Forever21, Duolingo, and Discord.io suffered breaches. [6:41] Those are just a few examples of cybersecurity incidents where personal sensitive data has been grabbed by the threat actor, with threats to use the data to do more damage to the individuals whose data was taken. [7:03] Pamela has also seen distributed denial of service attacks. The army of bots seems to be increasing in number while the cost is decreasing to rent a bot to execute a distributed denial of service attack. [7:50] When there is an exfiltration of personal data, that data can be used by the threat actor to do more damage to the individuals by impersonating the user and fraud. [8:29] Pamela addresses the SEC rules on the disclosure of cybersecurity events and the annual obligation imposed on publicly traded and registered companies to disclose their cybersecurity governance. That has an impact on the company and its stock price. The public may then decide which companies to trust by their cybersecurity protocols. [9:30] Justin refers to the RIMScast episode with Hilary Tuttle on the SEC cybersecurity reporting rules. They discussed the four-day reporting rule. Four days after the company finds out they were attacked in a material fashion they have to report the breach. [10:09] Pamela notes that a material breach is one that investors would want to know about before investing in the company, as the breach may affect the value of the stock and the company. This is an important SEC rule on cybersecurity governance. [11:41] Risk professionals should be asking questions about this rule now. Prepare to make these required reports. Run tabletop exercises with your response team. Ascertain now what “material,” in the cyber context, looks like to your company. Getting ready now is important, for when you experience a cybersecurity event. [13:23] Pamela speaks about the need for cybersecurity awareness. Any individual can be the gateway to a cybersecurity event. Everyone who has a device needs to be aware of cybersecurity risks to help prevent infiltration by cybercriminals of our phones, laptops, and businesses. [14:54] Cybersecurity is as simple as multi-factor authentication. Don’t give away your passwords. Be thinking about cybersecurity, Don’t click on the puppy dog. [15:58] Justin presents a special message from Bob Roitblat in case you missed his RIMScast episode. [16:16] Bob Roitblat is excited to be the keynote speaker for the RIMS ERM Conference 2023, in Denver, on November 2nd and 3rd. His keynote is “Elevate, Revolutionize, Maximize: Harnessing Innovation’s Promise.” Bob reveals what to expect and asks you to bring your “A game,” be ready to ask questions and interact to get value. [17:34] Go to RIMS.org/ERM2023 to register. If you enter the code 2023RIMSCAST at checkout, you will get 10% off your registration! It’s value with a discount! Bob looks forward to helping you elevate and evolve your risk management processes and your career! Be there in Denver, November 2nd and 3rd! Links are in the show notes. [18:36] Pamela reviews her career path, with degrees in civil engineering and then law school. She knew she wanted to solve technical problems for companies. Cybersecurity is a natural fit for her background. Cybersecurity is everywhere. [21:07] Pamela foresees two things from these new reporting rules. One will be SEC subpoenas to companies for information about their cybersecurity reporting and governance. Another will be shareholder scrutiny and lawsuits around failure to disclose or poor evaluation of materiality. The rule is self-enforcing through shareholder suits. [22:35] Pamela predicts we’ll see more D&O coverage activity because of this rule. Risk professionals need to be looking at that when renewing or placing new D&O coverage, asking their brokers about the impact of the new SEC requirement around disclosure and materiality. Risk managers will need to explain this if there is a subpoena or claim. [23:52] Risk managers also need to be thinking of looking across the entire insurance program, to see which insurance policies may respond in the event of an SEC subpoena or a claim related to disclosure. Now is the time to prepare for what may be coming. [24:40] Pamela says risk professionals need to ask their insurance broker what is new in their policy since last year. Are there new endorsements or policy language? New policy language or endorsements for 2024 will be enormously important. Risk managers should also run tabletop exercises with the insurance pre-approved response team. [26:53] Risk professionals should look at your policies now to see what policies will respond if you have an SEC claim and what the policy limits are. Your policies need to be on paper, not on your computer network, and not named “Cyber Policy 1,” or “Cyber Policy 2,” where threat actors can find and read them on the network. [27:54] RIMS plug time! Sponsor an episode of RIMScast! Contact us at pd@rims.org. Justin is pleased, humbled, and excited to announce that RIMS and RIMScast have won the 2023 Excellence in MarCom Award on October 24, 2023, from the New York Society of Association Executives (NYSAE)! [28:41] On Friday, November 10th, from 10 to 11, NYSAE is presenting a virtual program called ”Podcasting — A Revenue Stream for Your Association.” Justin is honored to be one of the panelists. A link is in this episode’s notes. [28:57] Upcoming Virtual Workshops: Visit RIMS.org/virtualworkshops to see the full calendar. Our friend Elise Farnham returns on October 24th and 25th to lead the two-day course Fundamentals of Risk Management. [29:20] Our friend Chris Hansen was recently on RIMScast. He will be leading Managing Worker Compensation, Employer's Liability, and Employment Practices in the US on November 7th and 8th. Be sure to register for that course! Information about these sessions and others is on the RIMS Virtual Workshops page. Check it out and register! [29:49] On October 12th, AXA XL returns to present Stand Tall: How to Boost your Cyber Posture Against Creative Cyber Criminals. [30:06] On October 26th, our friends from Zurich return to present a session on PFAS,  Forever Chemicals, and PFAS Litigation. On October 31st, Resolver returns to present Building Your Business Case for GRC Software in 2024. Metrics That Matter has Enhanced Decision-Making Across Your Cybersecurity Program on November 7. [30:36] There is a lot of great educational content for you in the next month. Visit RIMS.org/Webinars to learn more about these webinars and to register! Links are in the show notes. Webinar registration is complimentary for RIMS members. [31:08] About Pamela Hans presenting the last session on the last day of the RIMS Canada Conference 2023. The session was “Do You Want to Get the Deal Done? Obstacles and Opportunities in Contract Negotiation.” She had a packed house for the session. She discussed deal-breakers and opportunities. [33:58] You have tools as a risk professional to deal with risk transfer provisions you might not want. The session talked about how to make insurance work for you in this context and how to indemnify a counterparty that is 10,000 times larger than you. How can your insurance respond to make these provisions opportunities, not deal-breakers? [35:03] People left the session with ideas about what to ask their insurance broker and the business side, to know what they should be ready for. [36:09] Pamela was scheduled to present with two co-presenters but neither of them could attend. For Pamela, it was an opportunity to have fun with the people who were in the room. Presentations are better when they are conversations with the people in the room. It was terrific! [38:34] Justin suggests if you are going to present and your co-presenters back out, look at it as an opportunity. If you need additional materials get them from the organization you represent, but be confident you can do 20 minutes by yourself. Open it up to Q&A and that will take care of a lot of dialog. Pamela went past 60 minutes. [39:18] Justin fell asleep twice in the 17-minute flight back to the U.S. He was disappointed the flight attendant didn’t wake him! [40:54] Special thanks to Pamela Hans of Anderson Kill for joining us on RIMScast for National Cybersecurity Awareness Month coverage. The session handout from her RIMS Canada Conference session, “Do You Want to Get the Deal Done?” is available via the RIMS Canada Conference 2023 Attendees Service Center. See link in show notes. [41:16] Go to the App Store on your phone and download the RIMS App. This is a special members-only benefit. Everybody loves the RIMS app! [41:36] You can sponsor a RIMScast episode for this, our weekly show, or a dedicated episode. Links to sponsored episodes are in our show notes. RIMScast has a global audience of risk professionals, legal professionals, students, business leaders, C-Suite executives, and more. Let’s collaborate! Contact pd@rims.org for more information. [42:17] Become a RIMS member and get access to the tools, thought leadership, and network you need to succeed. Visit RIMS.org/membership or email membershipdept@RIMS.org for more information. The RIMS app is available only for RIMS members! You can find it in the App Store. [42:41] Risk Knowledge is the RIMS searchable content library that provides relevant information for today’s risk professionals. Materials include RIMS executive reports, survey findings, contributed articles, industry research, benchmarking data, and more. [42:56] For the best reporting on the profession of risk management, read Risk Management Magazine at RMMagazine.com and in print, and check out the blog at RiskManagementMonitor.com. Justin Smulison is Business Content Manager at RIMS. You can email Justin at Content@RIMS.org. [43:17] Justin thanks you for your continued support and engagement on social media channels! We appreciate all your kind words. Listen every week! Stay safe!   Mentioned in this Episode: RIMS ERM Conference 2023 | Nov 2–3 in Denver, CO! Enter 2023RIMSCAST at checkout for 10% off registration! NEW FOR MEMBERS! RIMS Mobile App RIMS Legislative Summit — Oct 25 & 26, Washington, D.C. RIMS-Certified Risk Management Professional (RIMS-CRMP) Dan Kugler Risk Manager on Campus Grant Spencer Educational Foundation — Hire A Risk Intern 2024 | Deadline Oct. 15, 2023 Spencer-RIMS Risk Management Challenge 2024 — Be a Case Study or Join Judging Panel! “Do You Want To Get The Deal Done?” — Session handouts still available via the RIMS Canada Conference Attendee Service Center RIMScast to receive the 2023 Excellence in MarCom Award from the New York Society of Association Executives (NYSAE)! “NYSAE Webinar: Podcasting — A Revenue Stream for Your Association” RIMS Webinars: Stand Tall: How to Boost your Cyber Posture Against Creative Cyber Criminals | Sponsored by AXA XL | Oct. 12, 2023 PFAS Forever Chemicals — Regulations, Litigation, New Technologies | Sponsored by Zurich | Oct. 26, 2023 Building Your Business Case for GRC Software in 2024 | Sponsored by Resolver | Oct. 31, 2023 Enhance Decision-Making Across Your Cybersecurity Program | Sponsored by Metrics That Matter | Nov. 7, 2023 RIMS.org/Webinars Upcoming Virtual Workshops: Claims Management | Oct 10–11 Fundamentals of Risk Management | Oct 24–25 Managing Worker Compensation, Employer's Liability and Employment Practices in the US | Nov 7 See the full calendar of RIMS Virtual WorkshopsAll RIMS-CRMP Prep Workshops Related RIMScast Episodes: “Harnessing Innovation’s Promise with ERM Conference Keynote Bob Roitblat” ‘Cybersecurity Reporting Updates with Hilary Tuttle of Risk Management Magazine” “Cybersecurity and Insurance Outlook 2023 with Josephine Wolff” “Genuine Generative AI Talk with Tom Wilde of Indico Data” “Getting to Know Jackware with Dan Healy of Anderson Kill” Sponsored RIMScast Episodes: “Subrogation and the Competitive Advantage” | Sponsored by Fleet Response (New!) “Cyberrisk Outlook 2023” | Sponsored by Alliant (New!) “Chemical Industry: How To Succeed Amid Emerging Risks and a Challenging Market” | Sponsored by TÜV SÜD “Insuring the Future of the Environment” | Sponsored by AXA XL “Insights into the Gig Economy and its Contractors” | Sponsored by Zurich “The Importance of Disaster Planning Relationships” | Sponsored by ServiceMaster “Technology, Media and Telecom Solutions in 2023” | Sponsored by Allianz “Analytics in Action” | Sponsored by Alliant “Captive Market Outlook and Industry Insights” | Sponsored by AXA XL “Using M&A Insurance: The How and Why” | Sponsored by Prudent Insurance Brokers Ltd. “Zurich’s Construction Sustainability Outlook for 2023” “Aon’s 2022 Atlantic Hurricane Season Overview” “ESG Through the Risk Lens” | Sponsored by Riskonnect “A Look at the Cyber Insurance Market” | Sponsored by AXA XL “How to Reduce Lithium-Ion Battery Fire Risks” | Sponsored by TÜV SÜD “Managing Global Geopolitical Risk in 2022 and Beyond” | Sponsored by AXA XL RIMS Publications, Content, and Links: RIMS Membership — Whether you are a new member or need to transition, be a part of the global risk management community! RIMS Virtual Workshops On-Demand Webinars Risk Management Magazine Risk Management Monitor RIMS-Certified Risk Management Professional (RIMS-CRMP) RIMS-CRMP Stories — New interview featuring Roland Teo! Spencer Educational Foundation RIMS DEI Council RIMS Events, Education, and Services: RIMS Risk Maturity Model® RIMS Events App Apple | Google Play RIMS Buyers Guide   Sponsor RIMScast: Contact sales@rims.org or pd@rims.org for more information.   Want to Learn More? Keep up with the podcast on RIMS.org and listen on Apple Podcasts. Have a question or suggestion? Email: Content@rims.org.   Join the Conversation! Follow @RIMSorg on Facebook, Twitter, and LinkedIn   About our guest, Pamela Hans LinkedIn Pamela HansSenior Shareholder, Cyber practice Pennsylvania office of Anderson Kill   Tweetables (Edited For Social Media Use): Consumers are giving their personal information to a company they want to do business with and then that company is attacked and the individual’s information can be used by the threat actor to do more damage to the individual by way of fraud. — Pamela Hans   A material breach is one that investors would want to have information about that might influence their decision to buy or not to buy a stock, because it may impact the value of the stock and the value of the company going forward.— Pamela Hans   Risk professionals should look at your policies now to understand what policies will respond if you have an SEC claim because of the reporting requirement and what the policy limits are. What are the requirements of notice? — Pamela Hans