Right of Boom
January 30, 2025

September 28th, 2020

In this video, industry experts engage in a critical discussion on the challenges of cybersecurity disclosures and breach notifications. They explore the implications of legal and regulatory requirements, providing insights into how companies, especially MSPs, need to navigate these complex issues. The conversation highlights the importance of having a robust incident response plan and the evolving nature of cyber risk management.

- The importance of breach disclosures and the legal implications for companies and MSPs, especially in light of recent high-profile cases.
- The necessity for MSPs to have legal counsel and a clear incident response plan in place to handle potential data breaches and related legal challenges.
- The growing need for MSPs to adapt to increasing cybersecurity risks and ensure adequate insurance coverage, while also managing client expectations regarding security and breach possibilities.

Guests

Andrew Morgan

Video Transcript

All right. Week 20. Can you guys believe week 20 every week goes by. I can't believe it. 20? Yes. Um, and, um, we are closing in on 2200 in the community. Um, and just, uh, to go over a few quick things. Um, joining us today is Lisa Shasti. Lisa is the co-founder of Shasti and Percy, a legal firm here in Tampa, Florida. She's also president of InfraGard. Lisa, thank you for taking my request, uh, at like the 12th hour, not the 11th hour. That's okay. Um, we'll get right to you momentarily.

Just a few quick, um, highlights, uh, on, on what's going on, everybody. So, Chris Sanders, who was supposed to be with us today on, uh, honeypots and the role of, uh, Texan and Deception, unfortunately, became ill this past weekend. So we got that notice first thing this morning. Uh, and then, I don't know, I gotta tell you, since this, this is the healthiest six months of my life, it's like, but I'm afraid if I ever actually, when I eventually leave the house, I'll have no more immune system.

Take zinc. You good? Yeah. I haven't even sneezed in six months. All right. So, um, so then, you know, immediately, you know, I, I reached out to Wes and I'm like, okay, so Wes, what are your thoughts here? And he's like, you know, Andrew, we really need to talk about disclosure. I was reading a little bit about the Uber CISO, and you know, what's going on there.

Now, the Cloudflare CISO, although I'm not sure is he even, you know, employed right now, but, um, but you know, Wes, um, let, let's just kind of start there. Like, why did you feel discussing, you know, something at a public company, you know, as big, you know, SEC type of thing was applicable at a macro level, and then maybe you can kind of bring it down and yeah, your thoughts, where you're thinking.

So, uh, first of all, I feel a little, um, responsible since I'm the one that brought Chris on board and had been hyping him up for so long. And then, uh, he's, you know, not feeling under the weather. So, uh, that's on me. So I figured, Hey, I better, we better, I, I better suggest some kind of content, right? And so, as all good CISOs do, I just think, Hey, what's keeping me up at night right now?

And one thing that has been circling in my head for a few months now, um, I, well, at least a month, is this idea of security disclosures, breach disclosure. Do we handle those things? How do we handle those things? You look at what happened with the Uber CISO being charged, and there's a lot of implications in that we really need to cover it, right? So, first of all, before we go too deep into all of this, just to cover that news story, so I'm not a lawyer, right?

Everything I say is, uh, just my opinions, all that kinda stuff. Lisa, who's over here, is a lawyer and will be able to share a lot more from her perspective as well. It'll be much more insightful. But lemme just say this. So DOJ charged the, the former Uber CSO guy named Joe with obstruction of justice and a couple other things. And what it all came down to is, I think if you guys know the history of Uber, it wasn't just one breach. It was two breaches that they had.

Uh, they did a pretty poor job of disclosing and, and sharing and keeping that data out. And you actually look at what happened in Uber's brand reputation. We just took a nosedive because people weren't happy about it, and we know why they did it. We know why they, they, they wanted to cover it up because, you know, for all of us, it's, it's reputational damage that we don't want to normally take if we can avoid it.

And so you, you see a lot of times from legal, from, uh, CEOs, from the board to keep pressure down and say, Hey, don't share this if we can all avoid this. And so one of the things that I think came outta that article is I think a lot of CISOs nationwide and worldwide are probably shaking in their boots a little bit, because realistically, we've probably had breaches that we just, the consumers have never been party to, don't know anything about it.

Uh, and that's kind of a scary proposition for them, saying, could I be next? I didn't share about a breach that we had. We successfully covered it up and handled it under the table. No one knew about it. All the ev, everything's tucked away. Could charges come back to me on all of this, and then to bring this home for MSPs that are on this call today. What about you? If you have a breach, what happens?

Or you're party to that and involved in it, and your clients say, don't share, don't talk about it. Don't do anything about it. And here you are saying, oh, no, what if I am actually required to do something about this? And my client is saying, no. So these are the things, Angie, we're gonna talk about today.

I just wanted to set that tone for us, because I think there's a lot of implications for MSPs, even though we traditionally serve SMBs more, it's still going to be a growing issue, and we are seeing new legislation clarify around breach notifications while Andrew. Yeah, absolutely. So with that, I'm gonna be sensitive to Lisa's time. And Lisa, you know, you, I, I thank you again for coming on. I've been fortunate enough to have a conversation with you.

You're familiar not only with the vendors, with MSPs, but you're really familiar with the broader scope of the legality of this whole thing. You serve on InfraGard as the president. Is this a real thing for MSPs as third parties? And, and what should they be thinking about? How do you look at this from your lens? Okay. So thank you for, uh, inviting me to join you today. Um, you know, this is enjoyable. I love this group. Um, I'm, I'm sort of a nerd myself, so I really enjoy being around nerds.

Why I chose this area, um, to practice in. It's important, um, because I feel like we're all kind of brothers and sisters around here, and we need to help each other through these things. Um, you know, and I think a lot of times, first of all, I am the CISO's best friend because I'm the one who will com explain to the board, look, it is not the, or the who is responsible for this. Everybody's responsible for it.

And by the way, your oversight and your, your budgeting and your dedication of interest in what they have to say and to protect you has everything to do with whether this is a successful, you know, company and, and managing incidents. And the thing is, everybody's gonna be breached, right? I mean, it's gonna happen. So we've gotta have a plan.

If you are sitting there thinking that you're gonna wrap your head in a towel and not look out at the outside world and not be breached, and then when you are breached, not tell anybody, it's just that it's not gonna work. The thing, uh, the thing about this disclosure, which you've asked me to talk about a little bit, I'm just gonna introduce some of my, my current thoughts. And one is that, um, yeah, it's a thing. It's really too bad that we have to have a law to us to do this.

Um, second of all, my, my countering thought is, um, okay, so we have a law and we can be enforced against, my clients can be enforced against, right? But how dare you enforce against me when OPM gets hacked and, you know, OCR gets hacked and all these things are happening daily, right? And they live in fear, you know, of being hacked.

And I was on a call with a bunch of government agencies just recently, maybe two weeks ago, and it was all their people trying to figure out how to collaborate and not get hacked. And they're, they're trying to figure out systems, right? So it's like, well, wait a minute, you know, they're worried about reputational damage too, and yet they are the enforcers.

So my thought process is, I think just as a matter of courtesy and doing the right thing, you know, it's, it's a good idea to disclose matters related to cybersecurity. Whether you are doing a private placement, you know, that is not a public company, or you are in the public company realm where you're, you're dealing with the, um, SEC, um, just a little word about my background. I used to be general counsel for an international investment bank with 17 offices around the world.

And that's what we did. We, we, we raised money for companies. We also, um, bought companies and sold 'em, and we would take recently declassified technologies and we would build a company around them and then, uh, you know, get the right management in place after we muck it all up and, and then sell them. So, um, you know, I've seen this stuff from the inside out, and most people's, most people's, um, response is, we don't wanna tell our clients about this. We don't wanna disclose this.

We don't wanna disclose that we have any risks that's gonna chill investment in our company. Well, yeah, if you're really egregious, but if you do the basic things, I mean, let's just have a risk assessment every year. I mean, heck, I'd even, I'd even settle for every two years, whereas we're supposed to have 'em every six months, right?

And those of you with larger companies, you'll know, you know, hey, uh, but, but the thing is, you know, if we, if we, if we have these basic things in place, you know, just the basics, right? You're gonna be in a much better place, and then you can disclose the things that you feel are risk and, and writing risk factors isn't hard, by the way. Go ahead. Sorry. Yeah, no, no.

So these are mainly, you know, these MSPs with us are mainly working with, let's just call it companies, 250, you know, employees and under, you know, these are the ones that Gary's been around for years. And, you know, when I was talking to Gary off stage, he's like, you know what, how do we synthesize this? Gary, I don't wanna put words in your mouth, but, you know, for the MSPs on this call, and, you know, you said something to be very funny off stage about cyber insurance.

So let me kind of, Yeah. I said, yeah, we're talking to them about thinking about disclosure. They haven't even have to ask their customers if they have cyber insurance yet. Let's start with, yeah, let's, let's start with little steps, then we're gonna work, we'll work up to the work up to the bigger ones. But, uh, I, I love that I put a little hashtag out there. Everyone, everyone will get breached. I mean, I think that's an awesome statement.

And one thing that, you know, from being around, um, uh, Chris Lore, uh, the time to think about this is not after a breach. Thank you. You know, I'm an emergency room doctor, thank you, Gary. Because I go in and I'm like, look, and I talk to people all the time. I'm like, okay, okay. So I'm gonna tell you, here's how we do it. And I bring in my technical guys, by the way, you need to be on a hosted system. You need to be on a managed system. You can do this.

So the MSPs are my, they're my, my rock solid, you know, groundbreaking, you know, frontline people, right? These are your people. They're gonna protect you as well as they can, but you have to make this, you have to enable them, right? And so, you know, disclosure comes after all this. And I keep saying, look, it'll literally cost one tenth of what it's gonna cost you if I have to handle this during a breach. One tenth.

That is the metric I'm telling you over several breaches, several years nationally, internationally, and everything that we've handled. And I will say, one cost, would you not rather do it now? I mean, pay your insurance bill now. Don't wait for the hurricane to hit you and then go, oh dear, I have to rebuild my, you know, 300,000 home. I mean, that's just not good. So Kyle, um, I know Rita, we're doing this ad hoc, you know, do, it is a, it is a, you know, small business yourself.

Any thoughts on this running? You know, I think you guys are probably just bordering sub 100 right now as you think about this disclosure. And while we have Lisa with us here for these next five minutes, anything come to mind from your side? No, I mean, we, we had six new people start today at the company. I know that, you know, even for us, right? IT, security led organization will be compromised.

And so I think it's, you know, one part of the beauty is us just all having this conversation where even in the chat, where I've been spending most of my time has been people saying like, yeah, I don't even believe when you say like, oh, I've never been hacked, or, I'm not going to be hacked. But you almost lose credibility instead of just being real, right? Uh, you know, real knows real in this situation, or you call a spade a spade.

Uh, Lisa, while we have you, I, I'm curious, you get to see all walks of life. One of the questions that we tend to always ask somebody on here is, where do people start? You talked about managed services. Obviously most of our audience is some form of MSP, MSSP, maybe some type of telco agent as well. There's all kinds of these in there. But do you have any recommendations on where folks like that should start? Yeah, I think you, you start with, with counsel, and I'll tell you why.

Because if you're gonna go do an assessment, this came from, you know, Amazon's general counsel. I'm not the genius that came up with this, but, uh, you know, the, the, the thinking is that you start with counsel because when you are going to do some sort of assessment of your situation, maybe gap analysis or something, uh, let's not call it a risk assessment. Sounds too formal. It's just a gap analysis.

'cause you got stuff in place, but you just need to figure out where you're deficient, right? So to start with somebody outside counsel, not in-house, because if you do it in-house, you do not have attorney client privilege. So when somebody is sending, let's say the CEO is sending, uh, emails to the outside technical assessment firm, guess what? All those things can be discovered by the regulators when you're breached.

However, if you're sending those, those things to me, I am, I am getting that information and the, and the assessor sending that information to me then, and they can be saying, this is all messed up. We've got these liabilities, we've got these concerns, you know, then I am getting that in order to provide legal advice. And it's very clear I'm not inside the company because I'm not an employee. So this is not a business function. This is legal.

And so that way you have attorney client privilege potentially on these, on these, uh, conversations. And all this stuff doesn't go, you know, then you don't have the news reporters later saying, oh, dear God, look, they knew it was all messed up and everything, you know, because it's, it's privilege. And so start there. You know, the, the attorney part of it is the tail wagging the dog. Believe me, you guys can bill better than I can bill every day.

But I mean, the, the assessors are really gonna be the ones that you're gonna wanna put your money into. Legal counsel there is there to just sort of direct and receive information and then make sure your policies are compliant with the law. If you're expecting your technical people to tell you whether something's legally compliant, then you're asking your podiatrist for neurosurgery advice. You know, it's just like, it's, it's mismatched, right?

And I'm not gonna be the person that somebody's gonna ask, you know, well, how do I configure this particular firewall? I don't know. I mean, let's go, let's go talk to the guys that know about that, right? So that's what I would say is start with counsel so that they can just get you started and, and hire the right people. There's a way of doing this. And, and we do it that way to protect our clients. And believe me, just recently it worked really nicely. I'm so glad we did it. Good.

Go ahead, Gary. Yeah, Andrew. So, um, one of the things is we've seen situations where people don't think about this. Um, they put something out, one, as we've said on other things, they use the B word, okay? So they put breach actually, you know, in, in the statement, which is pretty much common, right? That's not, you know, great advice. Um, it turned out it was not a breach, okay?

They felt can, 'cause they weren't planned for it, they saw this anomaly, they put out a communication and, you know, it impacted how their customers viewed them, even though it turned out that it really wasn't, that really wasn't a breach. And so, um, here your communication became the issue, not a, not a security incident. I'd say that's not good, right? Would we agree on that? Yeah. It's clearly one of those things that's not solid.

Um, I, I see some of the audiences, uh, throwing up questions back and forth. Um, I know while we have, Lisa, did you see the one, uh, you know, there, Andrew, that somebody actually said, Hey, between the last couple weeks of cyber calls, they called out the business impact analysis, incident response plan, and business continuity plans. And one of their questions for Lisa, where did, where, where the heck do these three documents fit with outside counsel and cyber insurance?

Um, well, what it, what it is is, I, I will, I explain this in a stepwise fashion, generally, um, you know, outside counsel is the beginning point. So we're, we're sort of the ringmaster. We're not the the main act, right? So we hire the forensics people, we hire the assessment people, we work with the MSP, and we talk a lot, right? We, we, we configure things a lot. We talk a lot, we make notes. We, you know, and we make sure that everybody gets the right information.

Um, we're not standing in the way, but anything that is, um, really operative or opinion based, we wanna have it in our inbox. 'cause we're not getting subpoenaed. The people in the company are, and you do not want that to get the CEO's inbox, you know, so that the people can subpoena.

And, and the other thing is, um, we also, you know, so like first you have to figure out, you know, take your baseline, make sure of where you are and where your gaps are, you know, put together a, we put together a one year plan, because generally there's a lot of things to happen. But we, we try to cram up the, the first 90 days with the most important things. And we do it also budgeting column, because we realize that budgeting, personnel, holidays, all these things matter.

So we take all that into account, we create a year long plan to address it. Then we come back the next year and we say, okay, let's go through this and see how we've done, but we're available, you know, the whole time, you know, hey, you want to consult in the meantime, usually it takes a 10 minute call. It's not that big of a deal, you know, and, and move on. The, the plans, the resilience plans and all that kind of stuff grow out of these things.

They are the sort of the, you know, first you have to bake the cake and figure out where you are, where your data is, you know who you have as data subjects, where are they in the world? Because there's grid, the size of the globe, you know, to, of laws that you have to comply with depending on where they are. We, we had a breach where we had, um, 140 countries affected, including a hundred percent of the GDPR countries.

And in Ghana, did you know that if you did not previously have a certificate signed by the government, knowing that you can export Ghana, uh, data, then you could be jailed there. So I was telling my client, I'm like, uh, you got one data subject there. Don't get it. God, okay, just don't have, that's probably something. Um, but all those things layer on top of that. And frankly, I don't know how anybody buys cyber risk insurance.

I mean, I, I would buy some, you know, policy that at least covered, uh, business email compromise, if that's 85% a problem. But I, I would not, I would wait and enhance that policy and really scrutinize it, um, at the time that I knew what my risks are that I cannot address or otherwise mitigate, because then I know what my open holes are and those I wanna offload to insurance. So I don't have that information until I do all this other work. I mean, I just don't have it.

That's so, yeah, buy some insurance, but, you know, what are you buying? I don't even know if you need it. Really interesting, Lisa. Um, we had a, a one, I think one of the best cyber agent insurance people on that we could have last week. And literally they won't write policies without what you're saying right now. They're one of the few that will not touch without assessment gap analysis. In sensitivity to your time, Wes, I'm going to let you wrap.

If I could put you on the spot, could I, to wrap things up with Lisa, maybe on just one thought, first Thought here, uh, here, and here's how we're gonna do it, Lisa, there's a really good question that Dustin just, um, answered in, and, and I'll read it. Just, I want to that to get, I want this to be covered on air because Dustin is zeroing in on what I think is really important here.

He says he'd be interested to hear when an MSP thinks and knows a breach should be reported, and, um, what their client or counsel says when they should, when they shouldn't, is there thresholds? Is each one handled individually? You know, how do we handle that? And then also, you see the latter part of that question that he's asking too, um, with your clients as well. So Lisa, you see that question that's there in the chat from Dustin.

Could you give us your, unfortunately, I'm kind of unfamiliar with your chat situation here, so lemme see if I can figure it out. Okay. No, no worries. Lemme just look at chat, hang on. Sure. Um, yeah, just, just scroll up and Justin. Okay, I can throw it in. Wes, I can throw it into the question. I got it, got it. Okay. So, so when an MSP thinks or knows the breach, uh, should be reported, uh, and it should not, let's see. Okay, counsel says it should not, don't do it.

Um, okay, so here's what your counsel, first of all, not all counsel is created equal. It's just like not all MSPs are created equal. The people on this, on this, you know, meeting are the top of the game, right? Because they are actually interested in figuring this stuff out. Uh, the rest of 'em, uh, good luck. So, um, I would say that if you believe there was a breach, legal counsel should be aware of how to analyze whether that is, you know, called the B word, breach, right?

It's an incident until it's a breach. I don't know what kind of data was, was exposed. I don't know. And by the way, exposure is the, is the threshold. It's not that somebody accessed it or downloaded it, it's it's exposure. It's the fact that it could be accessed, right? So if it could be accessed, and it is, uh, PII, in whatever jurisdiction the data subject resides. So if they're in Switzerland, it's different than if they're in Michigan.

It's different than Georgia is different than Florida, it's very different than California. Uh, because, you know, you're kind of getting into the realm. You know, cybersecurity may not be the issue, even though in like at least three states, there are security standards, but, um, privacy becomes the issue because now their information's not private. But that's not really something that you guys are used to dealing with, and that's not, it's not really your responsibility.

Your responsibility is security. So an attorney who's knowledgeable says, this is not a breach. You don't need to report it, believe them, because if they're knowledgeable and you trust 'em, that's one thing. If they have experience in this area, if they don't have experience and they're just, you know, winging it, or looking at the Florida Statute 501.171, then don't, I mean, because there's way more analysis for that. You know, you have, you have to give more information.

Like, tell me all the data subjects that were exposed. Tell me where they live. Tell me, you know, tell me about the information that was disclosed. I mean, if we look at the information, let's say you have somebody or last name or something and, and you have maybe, um, the size of hat they wear, okay? That may not be a breach in some jurisdictions where biometric standards are in place. It might be, it depends on the case law. So it just, it just depends on what we're talking about.

I can't just say that's a breach. And that really illustrates, I think the, where the crux of where we're getting, right? I mean, you've gotta understand, if, if you only operate in state, like let's say we saw some chat, you know, Illinois, uh, you've gotta be aware of how you're working with your clients because at the end of the day, I think my video just went out. Let's see if it gets back on.

At the end of the day, you may have, some of your clients are doing business internationally or wherever you may be storing some of that data on their behalf. And so I can tell you as a CISO, you know, even going through Privacy Shield at Perch, uh, was significantly difficult for us in wrapping our heads around what all of this looks like, how the EU treats and handles all this. What is confidential private information may be different from state and US-based regulations.

I mean, we're having CISOs play the jack of all trades and understand all of these different privacy regulations as it applies to us. That's difficult, and it's only going to grow and get more and more difficult. Not fun for any of us to be in, but this is, this is the nature of where we're at because of how I think traditionally technology companies and, and others have handled breach notifications or, or lack thereof of not sharing with them, right?

It's forced regulation down on top of us. So, yep. Uh, Lisa, thank you for your insight today. This has been really good. Thanks, Lisa. A bit of a hornet's nest today. Made everyone worry a lot more, uh, but it's a good thing to start thinking about. Okay, well, thank you for inviting me. It was fun to meet you guys. Lisa, thanks so much. We will have you back. I really appreciate you coming on so quickly. Okay, thank you very much guys. You again, Lisa, have a good one. Thanks, Lisa.

Hey, guys, I was thinking about something, right? So let's say you're an MSP and you have, uh, you know, you're managing five, 600 seats, right? So now think about the perspective, kind of like Lisa has. She's dealing with companies that have five, 600 employees. They probably also have in-house counsel at that point. They do, they have in-house counsel, um, they have a security team, maybe somebody assigned to writing and maintaining their plan, right?

And, and they basically cumulatively have the same exposure as that MSP does. So one of the things people were asking where to start after our conversation, um, when Justin was on, I mean, I think you start with, with, if you talk to your provider and find out like, how is that gonna work if I get a breach? Because many times you'll get some legal representation, you can get access, have your plan reviewed. So that, what do you think? Is that a good place to start?

Yeah, so well, well, I'm gonna make one comment and then maybe it'll go to, to Wes and get, get some thoughts from everybody out there. But it's interesting, Gary, you're like, Hey, 500 employees and they've got all these things, starting to get all these things in place.

I'm gonna throw something in chat, which, um, uh, came from, uh, where your, your daughter went to law school, Harvard, and it was just really interesting, the percentages of companies, and these are the biggest of the big that they did this on, really, like, they were, they were talking about like disclosures and like, for example, tabletops, they mentioned tabletops. Do you know, tabletop disclosure in these large companies increased year over year, it doubled, from 3% to 6%.

So, and, and it goes through all these different metrics. So it's just, it's really interesting that it, it, there's almost like, Wes, there's almost an infancy in this disclosure piece. But I think, like anything, I'm glad we're talking about it because, and, and we could bring lair on. I'd love to get his perspective. Um, yeah, let's see if we can get layer on. Um, and, and, and while we're waiting for the guy, uh, hopefully he's, he's joined today.

Um, you know, this, this is an ever evolving issue, not just, uh, disclosures and breach notifications, but privacy is a big deal inside of all of this. Uh, on top of all of that, um, just rising costs that are mounting around compliance and GRC and having to juggle state, international. I mean, this is big stuff, right? And, and I'm telling you, I, if you're worried about that as an MSP, I am right there with you at Perch.

I mean, we have mountains and mountains and mountains of data because we're a SIEM, right? And so I worry about this, it keeps me up at night of trying my best. I feel like I've, you know, I'm a guy with a snorkel and waves coming over me and I'm barely breathing. You know, it's, it's very, very difficult. And it's, it's certainly something that's stressful for all of us, and it does eat into the margins, and it does eat into, uh, you know, um, uh, our, our ability to be efficient.

But Chris, maybe I'll just start with you on this question. Um, should MSPs be worrying about this? I mean, you, you see this from the front lines more than anybody I know. Are these things that MSPs need to be concerned with and why? So I came on right as you were explaining that. So you might have to say breach Notification. No worries. So breach notification, understanding state laws, uh, international national laws around, um, what is a breach? How do we define it?

Who our customers are, the MSPs need to concern themselves with that they need legal counsel, all of those kinds of things, Chris. Yeah, I think it's important, especially we've seen more MSPs have clients that, that cross those borders, right? And so I think it's very keen to understand how your clients, how they exist, uh, where they exist.

And if there are going to be those situations where at least, you know, for example, GDPR is gonna be in play or some other, you know, something else is gonna be in play. Now, do you need to know all the details and everything? No, that's what attorneys are for. But I think it's important to know when you're gonna pull that lever.

For example, with CCPA in California, I mean, it's pretty, pretty simple what the thresholds are on there for, but the rule is, is like, for example, somebody calls us from California, we're just going to automatically defer to an attorney anyway because it's California. And so those are the types of things you just, you just, you don't, you don't wanna mess with.

Uh, so at least you need to have a working knowledge of where those kind of hotspots are and know when you need to pull that, you know, attorney lever. But you don't need to go out and hire somebody on staff to be a detailed knowledge worker about that. Uh, Mike Beard, uh, he had a good little thing that everyone can do. He said one of the first things he mentioned in their plan was just who not to communicate, that there was one person, right?

That is tasked with communicating, and the whole company is trained that no one else is to communicate. So if you don't do anything else, even if you don't have a great plan, that will be a good step one. Yeah. Right. Good point. Really good point. Yeah, that's a great point. We always tell people you need to keep it close to the vest. You need to know those people that you're actually gonna talk to.

And you need to keep those super tight, because all it takes is one pair of loose lips and it's gone. I mean, it's out the door and you're gonna have a nightmare on your hands, most likely, if it gets out. Chris, what things can happen like that you've seen? An example or two where people say X and they should have never said that. So obviously the big ones are saying stuff like hack, breach, compromise, we got hit with ransomware.

If you've been hit with ransomware, telling them you've already been talking to the attackers, telling them that you've paid the ransom or you are paying the ransom or you're negotiating the ransom. There's actually an article out there today about a situation where somebody talked about their deductible and got into some kind of details about their insurance policy, which isn't necessarily against any rules, but it just doesn't make any sense why you'd wanna talk about those types of things.

So you wanna be clear and you wanna keep things as generic as possible until the attorneys tell you to do something otherwise. Got it. So last week, Andrew, someone told me that my Facebook got hacked, right? So I go look, and it wasn't. So then we do a search and we find out somebody made another Gary Pica account, took my picture, there's a few pictures of me out there, and put it on it. And so I had to report it to Facebook.

And then one of my customers said, oh yeah, that Gary Pica has taken me fishing this weekend. You've had a lot of, it may not be Facebook, but you've had a lot of Gary Pica impersonations over the years in the training business as it is. I mean, yeah, absolutely. Yeah, yeah. I did see something real quick that Jonathan popped up in the chat to Wes about regulated companies. So that's a good point.

So, but what I wanna say is this: when you're a regulated company, whether it's healthcare or banks or whatever, I have yet to come across one where you just have to jump on the phone and tell 'em right away. And so typically, again, breach counsel is gonna advise you on that. So if you're a bank, for example, yes, you do have to call the regulators. There's a reasonable time.

Typically your bank's gonna have an existing relationship with the regulator anyway, so they're gonna have a good idea. Now there are some true deadlines about that, and if you're a bank and closing branches and all that kind of stuff, that's a whole different ballgame. But you're right.

But when it really comes to the event, and if you really aren't aware of what exactly has happened, I don't know of any issue where you just gotta jump on the phone right away and say, hey, something happened to us, we don't know what the hell happened to us, but I'm telling you anyway. It doesn't really do much good at that point. I'm just laughing and smiling because of my days as a banker. Yes, that is correct. And sometimes it'll happen in reverse, Chris.

You'll get a DOJ summons and subpoena, and basically a gag order, in which they say you will not talk about this, you will not share about this, but this is the information we demand. And so you may be party to that as an MSP, right? If you serve a regulated entity, especially in financial services where, let's be honest, that's the stop for where money movement happens.

And ergo, all things money laundering, you may be involved in those kinds of things as well. And you may be brought into something like this, right? And so understanding how to handle that and protect yourself as you go through that process. And that's what I meant way earlier in chat when somebody asked if I've been involved in any breaches: sometimes we get pulled into them in which you are not first party to, but you're second or third party.

That's delicate stuff as well that we've gotta be prepared for. And this is where good incident response planning and, Chris, knowing your customers is really important, right? If I serve banks, I need to know my banks. You need to know your banks, you need to know who the compliance people are, because they're the ones you need to be involved.

So if you have an incident response plan and you don't have anything to talk about, you don't have a contact for the bank compliance person, you're in trouble. But I would tell you another thing, one mistake, Andrew, that I forgot to mention. Yeah, that's really important. In a lot of cases what happens is the first people victims call is software vendors.

Like, whether it's something as simple as Intuit with QuickBooks or something more specific like a line of business application, and they call them for support and they really tell them way more information than they need to. They do, right? So it should be more like, hey, I'm having a technical issue with the software, I need help.

They tell 'em all sorts of stuff about the ransomware attack and all sorts of stuff, on a recorded line that is absolutely discoverable. And you have no idea if that's even the real person's name that you're talking to. So anyway, that's another... Okay, hashtag don't do that. Yeah, exactly. Yeah. It's interesting you say that, Chris, 'cause I was involved recently in a request from an MSP, a big MSP, to a very big vendor because their console had gotten compromised.

It was an inside issue. And they got on the phone with the big vendor, public vendor, started explaining stuff they'd just done, and: we're not gonna, we can't help you. Exactly. Is that kind of the thing, Chris, especially with internal issues? So one thing, I mentioned this before, but if it's an internal issue or suspected internal issue with an employee or a former employee or whatever, that's a whole new ball game.

It's a whole new ball game of how you collect evidence, who can collect evidence. Chain of custody is basically reviewed with a fine-tooth comb in those situations. So yeah, most of the time you're gonna need to really follow the law. So for example, when we get involved, if somebody calls us on something that's involving that, and it's remote, we typically will find somebody local.

'Cause a lot of times you have to have somebody with a PI license, depending on what state you're in, to actually collect that type of evidence and to do all that type of stuff. For the chain of custody kind of thing. Yeah, exactly. 'Cause the idea obviously is a lot of times you want to go for criminal or civil type stuff against that.

And if there's any hole or anything in that, your likelihood of seeing success going after that employee goes way, way down. So yeah, if it's an incident response plan, take the internal stuff in a much different direction, in my opinion, than you would the non-internal stuff. Got it. Got it. Yeah, Kyle can talk to that, 'cause he's growing like leaps and bounds.

So when you're small, it's not as important, but when you start getting bigger, these things start to really make a difference. I actually wanted to share some of that. I've noticed salespeople are always better at telling stories, so I learn a lot from the team. Ironically, sometimes the things I learn the most are the way that you solve problems when you're small. Like, imagine you're just a local reseller, a local service provider, right?

Whether it's a local MSP that supports your couple of counties. Yeah, maybe you're on state lines, so you might have to worry about doing business across or intrastate, but it's not that big of a deal. Like at the end of the day, handling two states is one thing; it's a much bigger deal as you're growing and becoming a multi-state entity.

And so as you move from local to regional, especially if you're in this audience, consider that these are part of your costs. When you ask, why do the big guys have to charge so much? These are some of the undisclosed pieces. And for us, who went from a national provider over the last couple of years to a global provider and actually making sure we could have that type of compliance, I can tell you it is costing me an arm and a leg.

And if we would've messed up our pricing ages ago, I would be paying through the nose right now, either losing the margin where it's just flat out coming out of my profitability, or just not growing as fast because I didn't grow properly. So not everybody gets it right. I sure as heck didn't get it right on my first company. So I just encourage, if you think you're behind that power curve and you have the ambitions of doing something, right?

If you wanna live the smaller, local lifestyle instead of going regional, that's great. But that might also prevent you from maybe passing due diligence if you're getting acquired by a PE-backed thing, because you weren't thinking for the future, which means your valuation on that exit's gonna be a heck of a lot lower.

Well, it's interesting, Gary, this comes back to what you always talk about with MSPs: do you have process in place and what's your price? Like, you ask people a few questions about their business, and I'll kind of hand this to you, you ask people, how many employees do you have? What's your service revenue? Things like that. And you know some things right away. Yeah, but listen, yeah.

And Andrew, this just came up. I was talking to a really great MSP, one of the best. And what he said to me is, I have a question. He wanted me to put it out on my peer office hours, we kind of get all of our peer members together a couple times a month, and ask people: are we getting paid enough based on how much more risk we shoulder today than we did a year or two ago? And this is someone asking that question who's at 175 a seat all day long. And he's saying, I don't think so.

I think the risk is going up faster than where we are right now, with this and looking at the investments that MSPs are gonna have to make in people and process and tools over the next couple years just to close the gap for the things we're talking about. And so I think that's a question every provider should be asking themselves right now: are you getting return on risk? Hmm. Really good question. Really good question.

I had one other thing I was thinking as we were doing this. If I'm a provider and I'm out in front of a prospect right now, everyone's talking about what they're doing to try to keep you secure. How many people in their sales process are talking about what they have done from an IR standpoint to make that a competitive advantage?

And just saying, hey, listen, we'll talk about all that stuff too, but guess what, at some point no one can tell you you're not gonna get breached. No one can tell you that. So what's equally as important is what's the preparation level there? And that's a question that you're gonna knock out most of your competitors on, based on what we've seen here, right?

So again, I think all the time we spend on these different aspects, you can get paid for it, you can use it as a wedge in a sales process. That work pays dividends, but it's work. Well, I think the thing that's coming out a lot, Gary, on these things is, and I really want to talk offline with you guys, to do something around business impact analysis. It's something that we've asked for.

I know since you had me up to you a year and a half ago, when I came up, and I think it's a huge mechanism to differentiate. It's a huge mechanism for MSPs, for the customer to step back and go, what data and what systems are actually worthwhile, and how long, what's our mean time to be operational again?

And all those questions. Wes, is that something that we've gotta start doing to differentiate and to build in the budget that these people are gonna have to spend? Yes, for sure. And something I wanted to come back to that David Powell wisely said, even though he's a Roll Tide guy, we've gotta excuse that, I love what he said. He's like, look, you're making a risk transaction here with your clients, right? They're handing you some risk.

You're taking that. And in the past as we've done that transaction, cyber risk hadn't been that big, 2018 and before. As we know, it's ramped up significantly. We're actually taking on a lot more risk than we've taken before. And I'm not sure that, commensurately, the dollars have come back to us, right? You see what happens as a result of this. And so I'm sure... You are sure. Yeah, yeah, yeah, I'm sure. So are we, and so, I know Chris and Kyle as well would agree. Yeah.

And so here's the deal with this, you guys. I say this a lot, it's a broken record, but this is a risk-based conversation, right? And one thing that you'll hear many security people say is, I can transfer some risk, but I can't outsource it.

And so it is important, Gary, going back to what you were mentioning about your sales teams: make sure that they're enabled when they're having those QBRs, when they're sitting there even in the initial phases of doing the initial introductions for a potential new client, to have those risk conversations and let 'em know, hey, we understand that you are transferring some risk to us. This is why our margins are a little bit higher.

This is why we're a little bit more than the guy down the road that you're unhappy with. But look what you're getting out of this. And you can't completely eliminate that. In some cases, we're transferring some risk to them too. That's right. Yes, that's right. And so we've gotta have these conversations, because again, going back to some of the chat we've had earlier, you should never have a client say, I thought that couldn't happen to us.

I thought that was not supposed to happen. I thought we wouldn't get a breach with your services. If that's the mindset that they have, we're making some mistakes in the process, because we've got to level set. I've always, again, I've said this a lot too with my board. Every time I would share with them, I'd still show them, hey, cyber risk for us is still a very high risk item.

I don't care what we invest in it, because I want you guys to have that expectation that when something happens, it was going to happen at some point, and we should have been prepared for it. That mindset is really important. Yeah, it's interesting, you know, in upcoming events we're doing, Wes, one that I know we're gonna be doing, and I put this out there. So it was first covered by Joe Panettieri, and it was the most recent Umbrella data.

And I had the opportunity to speak to, this is a data scientist, really interesting. I didn't realize Cisco, in their Umbrella team, actually has data scientists. And I got on the phone with him and we were talking, we're gonna do something around how that data is looked at with us, 'cause obviously with your threat intelligence and stuff.

But what was really interesting was he brought up, I can't even tell you what it was, but it was the most detailed amount of data I've ever seen. And then he started to go through the various verticals of various industries and the attack vectors. And he goes, with the MSP, he goes, I can't quite figure it out. 'Cause okay, he's a data scientist, so he doesn't have all of the knowledge that we do in terms of the industry.

And he says, with the MSP Umbrella platform, all we see is one tenant, the MSP; we don't see all of their tenants underneath. But the one thing that was really strange, he goes, is, man, the APT groups focusing on them. He goes, that I find really strange. And maybe you could share some context on that, for what APT groups are and what, you know. 'Cause, well, how about this?

So, Chris Loehr, you got asked an interesting question about Huntress a week or two or three ago from the Sodinokibi guys, right? You wanna share what they had asked you? Yeah, so with the Sodinokibi guys, and I have a case right now, but I have to deal with them quite often, and they're also known as REvil.

And so when I have my conversations with them, the idea is to try to negotiate down and try to understand if they took data and what they took and all that, try to get as much information out of them. So build some rapport, and in this one case, he goes, yeah, you're with Huntress, right? Man, you do not know how hard it was for me not to say, yes, my name is Kyle and I now have you in my sights and I will hunt you down and kill you.

But no, I said, nah, I'm not Huntress. But anyway, it was kind of interesting how they thought I was Huntress for some reason.

So there's notoriety, but the one thing I've always said about Huntress is that they've been relatively unknown and doing their things behind the scenes, but I think now Kyle's dealing with a little bit more; they know 'em pretty well now. And they know you as an MSP, they know your RMM, they know how it works, probably better than you do in many cases. And these are scary things, right?

I mean, think about the RMM for a minute. It's just an exploit kit, completely resident, just waiting for them to get access to it, right? And so, yeah, I mean, the entire model has changed. Andrew, I should have asked him if I could go fishing with them though, if that would be appropriate. Chris, maybe we could close, I know we'll wrap things up here, but there was a question by Dave Mason.

He says, let's say a client is compromised in some manner, like ransomware, for example. Should we work to recover the system or stop and insist that they contact their counsel? Great question. So really it comes down to what is the best situation. So a lot of times you can start working on restoration and figure out, do I have good backups, and do those types of things without disturbing anything. So really, from the get-go, you don't want to mess with anything.

The only time I've seen where someone has a valid argument about powering things off is if they wanted to stop something from spreading. Most of the time, by the time we find out, it's too late. So you want to disconnect the network, but not necessarily turn it off. That's the first thing you want to do. You don't wanna start restoring or re-imaging or wiping or that type of thing.

'Cause you could be destroying a lot of good evidence. Especially, people go, well, their workstations, they're meaningless. No, because the attack could have happened there first. So they're not meaningless. But in today's world, having that attorney as early as possible, from an attorney-client privilege standpoint, is really important, especially if you have an existing relationship with that client.

Because there was the Capital One case that was mentioned in the news just a couple months ago where they had an existing relationship, I believe it was with FireEye. And so FireEye did this work, then when the attorneys came on, typically that's all covered retroactively under attorney-client privilege.

Well, in this particular case, the judge ruled that since Capital One already had an existing relationship with the IR firm, it wasn't covered under attorney-client privilege. So all that work that was done by them was discoverable. So in today's world, and it's moving very quickly, having those attorneys engaged as quickly as possible.

I mean, we've got a few cases lately with law firms that we've never worked with before, and it used to be we could just do a statement of work with some legal language and everybody was happy. Now they're like, we want to see a full MSA, we wanna see statements of work, we want them to have multiple signature lines: one for the law firm, one for you, one for the client. So the world is changing very quickly.

So I would say err on the side of caution and get breach counsel involved as quickly as possible. Chris, would that be cyber insurance first, for Dave's question? Cyber carrier first if there was cyber insurance involved, then you're gonna discuss pulling counsel in. Can you tell us what comes first there?

Yeah, so it would be a good idea to call your cyber insurance first, because they're gonna have their list of legal firms that they've already pre-approved, pre-vetted, have rates with and everything. And they're very capable firms, big firms, not some guy operating out of his garage. I mean, these are usually larger firms with a national and sometimes international presence.

So you definitely want to take their advice. Now, the only thing is, not all insurance carriers are available 24 by 7. So if you get caught on the weekends, sometimes you might have to do your own deal, make your own decisions there, and then deal with the carriers on Monday. And so a lot of times people will just go and say, hey, look, we'll get calls and say, my insurance carrier's not responding, it's Friday evening, can you guys help us?

And we'll go ahead and start helping them through that. And 99, I mean, a hundred percent of the time so far, the carriers will pay our bills. Somebody might take over on Monday, but they'll pay for the work. Okay? But that's the only case. Go with your carrier first. If they make a recommendation, do that. It's gonna be much easier for you, just handling the claim.

The law firms are capable as hell, so they're gonna help you, and then you'll be in much better shape. And it makes your decisioning easier when you get into a situation. Chris, one question if I could, 'cause I get this a lot. We get it on Cyber Nation, I've heard it a lot, we've got it on the incident response planning. Should knowing the cyber carriers dictate the IR firm a lot? Yes. Should they have somebody like you?

Should the MSPs have a relationship with somebody like you, a firm like yours? Are there pros and cons to that? I know I'm putting you on the spot here, but we get asked those questions. Should we have an IR firm on retainer? Right? So I'll give you my view on what's gonna happen in the future. I think that we're gonna see cyber policies, especially for MSPs, change.

And they're probably not going to change in favor of the MSPs. I mean, I don't think I'm saying anything secret there; that's kind of common sense on what's going on. So I do think that there's going to be, and it's gonna occur outside the space too, I mean, people are getting the hell beat out of 'em on cyber claims, right? It's just the fact these ransom amounts keep getting bigger. I mean, I had three cases this weekend and all of them are seven figures.

So we'll just put it that way. So the point is, you have to think about alternative ways, and maybe not filing an insurance claim in the future may be an option. So we've actually had companies approach us and say, look, we may not wanna file a claim every time. We may just want to handle that ourselves. Now that's still gonna mean you're gonna probably need to get attorneys involved and get us involved, but you might say, hey, look, we just don't want to file that claim.

Because once we file that claim, our premiums are gonna jump, for whatever business reason you decide. So having that relationship there, or you may just wanna have that relationship to say, hey, is this even worth filing a claim over? Maybe it's something that we say, hey, this is what's going on, what do you think about this? Is this something that we should be concerned about as an MSP and we might have to file a claim?

Or is this something that probably occurred within our client, the client's responsible, so therefore the client's team's gonna cover it? I mean, maybe having someone like us just to cover those types of questions and answers is a great option. But I think in the future you're going to have to subsidize that; cyber insurance is not going to be there to bail you out a hundred percent. Andrew, I know we're running out of time.

A lot of this obviously is for our audience, our MSP partners, but I'd love to remind them, you're also somebody's customer, and somebody else is holding your data as well. Please, please, please make sure you're holding them. I shared just a second ago in chat a URL of one of the emails I dread sending the most, but I send one of these suckers out probably once a month.

It's just flat out to a vendor that we all are leveraging within the community, saying, hey, here are these issues. It's disclosing information, or code execution, you name it, the worst one that comes to worst. And somebody asked me in chat, how many of these get no response for days? And sadly my response to them is all of 'em.

So just keep in mind, while you're concerned about you being the vendor to your own clients, you have your own vendors that you need to make sure of: how would they respond in this situation? And that's part of you doing due diligence, right? Especially if you're going from a local service provider to a regional service provider. You're gonna have to figure this out, or you're gonna have to make sure that your providers are also covering in this way or know how to respond.

So it goes both directions. Really, really good point, Kyle. Thanks for bringing that up. Alright, so wrapping things up, what we got coming up here on the Cyber Call. So we will have Chris back; Wes and I'll get back with him and schedule that, 'cause that is gonna be a really fun event. We are gonna have Mike Beard and Justin, uh, re rmo back next week. We're gonna, Gary, we're gonna get into sales convo next week with you.

One of the really interesting things that Mike does, you know, they're 1,400 or 1,500 employees, is they do calls with Mike being the CSO, their CFO and CEO. And they call it having the conversation. Different from us being parents, but their conversation is what does the speak look like? We as MSPs are so focused on the technical jargon and things of that nature.

Historically, I'm not saying all, but what do the C-level people in that organization, and again, it could be a 20-employee company, but what are they listening for? What words resonate, what transpires value, et cetera. That's next week. We've got Sounil Yu coming on, which is gonna be phenomenal. If you haven't heard of Sounil Yu, look up the Cyber Defense Matrix and you will know where products live, in identify, detect, et cetera, et cetera.

So we got a lot of great stuff coming up here. Closing out week 20. Wes, closing thoughts? Hey, in the interest of time, no closing thoughts. All right, Chris, thank you for coming. Kyle. No, thank you. I'm looking forward to that honeypot conversation. I just can't wait for it. I think it's gonna be awesome. Be fun. And Gary, all good. Great call. All right guys, take care. Everybody remember, look out for fake Gary Picas. They're everywhere. Yeah. All right, I'll see you guys.

I'll take you fishing.
