
hey everyone how are you doing today great I celebrated my 41st birthday last night and I'm over caffeinated right now so we're going to be having a lot of fun today all right um so uh as you can see I'm wearing my APT costume uh here uh again you can't go to any conventions in Atlanta because we've got Dragon Con and Anime Weekend in Atlanta without being in costume uh you know so uh you know right here all right and yeah and the hacker right bad stereotypes all right so um you know our presentation uh today is going to be entirely Finance based uh you know we're not going to get into uh systems and other things we're going to
talk about companies that have been hacked uh how it's affected their stock prices um you know take a look at the um you know top line revenue and other things to see if customers really are leaving um you know I've dealt a lot with uh investors as well so we're going to talk about how to deal with hostile investors on the board and a little bit of Treasury and cyber Insurance uh you know that's kind of a Hot Topic that's been coming up a lot today so uh you know it should be interesting then finally if we have time we'll get into a hypothetical exercise over defending your information assets using no I.T lawyers accountants
and no technology all right so uh disclaimer first no facts are involved in here these are all opinions so don't try to sue me for uh slander or libel all opinions are mine none of my clients employers or anything like that unless you want to sponsor I'll gladly take your money to say anything you want me to all right no offer to buy or sell Securities we're going to be talking about the stock market so I'm not a licensed financial advisor so you need to go and get personalized advice from someone who's a licensed financial advisor accountant attorney or whatever it happens to be seek sane and qualified advice I've had plenty of people tell me I'm insane uh
if you think I'm insane at the end of this my attorney wants to talk to you you know and if we have enough names I can get away with anything okay so um years ago I was working at Internet Security Systems back pre-IPO uh which was uh really fun yeah go ISS uh but I took a turn out of uh technical infosec and got into compliance oh God it's one of those compliance guys um you know personal reasons uh you know compliance you know from an infosec perspective you think PCI and other garbage like that but you know compliance is an interesting uh field it typically reports to the board of directors so even the CEO has to worry about us
which is cool um you know and we deal with a lot of things like anti-bribery anti-corruption child labor in your factories environmental regulations conflict minerals stuff like that you know it's a topic that's important to me so that's why I made the switch um you know I'm a financial researcher uh kind of a semi-pro I'm also a certified treasury professional something you probably don't see in the infosec world quite a bit uh you know and then I'm also known as a cost cutter and an activist henchman we'll be talking about activist investors and what they can do for your information security budget my email address is up there that also works on Skype or Lync and my Twitter handle is dearest leader it's
easy to remember because Kim Jong-il is dear leader but he's only loved in North Korea I'm loved and respected everywhere so that makes me dearest and that's just how I troll bro Kim I'm laughing at the ridiculous haircut all right so fun stuff I do a lot of volunteer animal rights and environmental work I've been a nightclub promoter uh here in Atlanta booking DJs in the live act since 1998 and used to be a model and I appeared in several role-playing game supplements that's actually me on the far left so back when I had hair so you know what a cool side activities uh you know the Wardrobe also lets me get into stock photography too so you
know that's where I make a lot of my money these days uh so just so the talk is what we've been told is wrong this is like the History Channel uh you know but instead of looking at pre-columbian Viking ruins and civilizations that we've done but we're going to be looking at numbers etched forever into the NASDAQ now there's a lot of bad information out there and uh you know a lot of myths such as North Korea hacking Sony uh the only way that could have happened to get them off of the Abacus and into something modern is if aliens help them so you heard it here before it airs on the History Channel all right so getting into the
presentation uh you know we we hear stories that if you get hacked you're going to have irreparable uh reputation damage your customers are going to leave the board's going to get fired and you'll get hacked out of business uh yes this is FUD that the um you know vendors have been saying for a long time and everyone wonders why this doesn't work on executives well you know it turns out that that's not really correct so we're going to turn your world upside down like this cat cute cats um and what we found by drilling into the numbers is uh you know companies really aren't getting hurt from this uh there's a lot of consumer apathy out
there and uh you know we're going to look at numbers to actually show that uh you know this is the case so let's put on our thinking caps class is in session uh we'll cut straight to the big boom and what we uh have done here is hypothesized that hacked companies are going to go out of business so how would you do that in the market well you know you would use back testing which is putting on hypothetical trades at a previous date and testing to see how they turned out today uh you need to hear um theories like sell in May and go away so you know you should be in the in the market for the first five months of
the year and then get out until the next January so you can look at cyclical things and see if this works or not so what we're going to do hypothetically speaking is short sell 100 shares at the market on the close of uh the market on the day of the breach so short selling for those that aren't familiar with the market you borrow 100 shares from your broker you sell it at the current price you hope the stock drops you buy it back at a lower price pocketing the difference and then you give those shares back to your broker and what we found here is going back to 2011 is that very few companies have
actually gotten hurt and had you actually done this which I don't is that you would be down 55,574 dollars assuming that you shorted 100 shares of each one of these companies every time they ended up in the news so looking at this says that you should be buying the dip hypothetically rather than shorting it so you know you're probably thinking wait a minute you lost how much money by doing this we thought they were going out of business you know this should be a surefire thing well uh turns out that things are different in the market please direct your uh attention to the video screens closest to you because this is a little difficult to read so what we did was we
took a look at Target and XRT XRT is the entire retail sector exchange traded fund uh you know so it's a bucket of retail companies and we're looking at the time frame around the breach and you know we can see that yeah Target performed lower than the rest of the retail industry but there's not a big divergence with a sharp vertical drop in the uh stock price so this kind of says that ah things are flat there's nothing really going on there but you know let's take a look at Target after the breach so this is from Black Friday into uh you know the uh preceding quarter and uh you know you say oh well
look we got hacked look at stock prices it's going down and it hits an all-time low well you know there's several things here when you dig into this chart that stand out number one is that the implied volatility statistic up in the upper left-hand corner and this mouse is not going to work uh it is 25 and what we have here is we have a gap on earnings day so that says that Target beat expectations you have a gap whenever um you know the opening price is significantly higher than the previous day's close so people were buying this thing like crazy and it's just taken off since then so that's not an indication of
something that's really hurting implied volatility is the supply demand for derivative options you know so this is insurance you know put options in the market so people were not buying insurance on their portfolios expecting things to go really south now when we look at Walmart oh my God that looks exactly the same did I have the same chart uh no these are these are two different charts that's interesting um so you know implied volatility is 23 Walmart's a bigger company so you would think that they would do better uh you know not surprising there but look at this we have a gap down so as far as Wall Street is concerned even though Target got hacked they're doing better
than Walmart so here you had the price open lower than the previous day there's a small gap in between here now let's look at the whole market gosh did I get my charts mixed up again because this looks like uh Target and Walmart uh you know let's go back uh yeah they do look a lot alike okay so if we uh follow the hypothesis the whole retail sector must have gotten hacked uh and this here is very interesting the implied volatility statistic is 52 so that is twice the risk of the entire retail sector uh versus either Target or Walmart now if we think back to Christmas shopping season 2013 uh you know we have the
polar vortex going on it was cold people in the Northeast couldn't get out of their houses so okay this is uh probably to be expected that uh things uh you know went south during the uh shopping season now if we look at Target today and we got the breach all the way over here uh you know they are up about 20 bucks uh from their low during the uh bad shopping season in 2013 and uh you know MarketWatch says that their Black Friday sales are up 40 percent okay this does not sound like a company whose customers are going to leave them but you know they're not the only ones uh out there uh you know Home Depot is
in exactly the same situation uh it's uh gone up quite a bit a high of 117 and you know the Wall Street Press is all about you know and who cares about uh you know the uh Home Depot data breach now but we do get into technical analysis of uh Home Depot you know we can draw a couple of trend lines uh here and see that it's in a bullish up channel uh and uh we also have the 50-day simple moving average this Thin Blue Line here and this is where um you know Traders will look and say oh well the Stock's doing well it's going to be above that line and you know we
can see here and here uh the stock has touched that line a lot of people have come in buying you know this next candle is green and it goes up uh from there so you know we're not really uh seeing that there's anything uh wrong with Home Depot thanks okay Anthem on the day of the breach you know we've already got a bullish trend line uh in here and uh you know we can clearly see that the stock bounced off of this didn't really go anywhere for the the rest of the day uh but the interesting thing is this purchase right here uh somebody bought 59,894 shares in a single order and dropped uh you know
roughly eight million dollars on this stock at one time uh you know so again would we expect uh you know this company to be going out of business if the professionals this is obviously not an individual investor but if the professionals are plowing this kind of money into Anthem all right and you know if we look at the correlation index here it's highly correlated to the S&P 500 uh you know so on days the S&P 500 is up Anthem is typically up that's just one of those staple stocks that tends to do well uh here we have a horizontal trend so we have double top uh stock went below that bounced above it and you notice it
bounces off of it here and continues upwards uh so we got a bullish channel 50-day SMA is trending upward uh we have a MACD moving average convergence divergence bullish crossover about to occur again the relative strength indicator is starting to point up now this thing's probably got some legs to run a little further uh it didn't get below this horizontal support uh you know so it unless something really wild happens uh it's going to continue up oh and notice the 50-day SMA suddenly turned sharply upwards after they got breached strange all right uh this one's a little more difficult to to read so I don't like reading PowerPoints but I'll read this one for you this is a press release
from Standard & Poor's the day after Staples got hacked and it says we have seen many instances of payment related data breaches at retailers we rate and in all of these situations so far the costs companies incur because of these breaches end up being manageable and have not had a material impact on credit protection measures or consumer behavior all right so it's not me up here as the crazy guy saying ah this stuff doesn't matter S&P is out there saying that yeah nobody cares about that so you know while you're thinking about uh you know Santa Claus not being real and companies getting hacked out of business no Krampus is though uh you know we we have to think all
right what's what's going on here well first of all uh you know the the truth of the matter is data breaches aren't really hurting companies today okay it's just not happening no matter what we've been told and uh the reason is uh quite clear uh because Honey Badger Don't Care uh in an Experian survey one-third of customers after receiving a breach notification letter said they did nothing okay they didn't proactively call the bank and say cancel my card anything like that well that's not really too surprising because since a lot of people were foreclosed on a few years ago by the same banks that have the credit cards I'm sure a lot of people are actually going to the stores
that were breached and saying oh please steal this number I want to get back at these guys all right um but really one reason consumers don't care aside from the hypothetical breach fatigue that we keep hearing about is the Fair Credit Billing Act uh which limits unauthorized charges to fifty dollars now most all of you have probably gotten a letter from your credit card companies that say oh we cover you down to zero dollars you owe nothing okay so what's the incentive for being careful shopping online or you know caring if the number gets stolen from a retailer not your problem it's the people that foreclosed on your house it's their problem all right
so now what does cause pain well Batman is well known for causing pain but not in this particular case um so again we have to beat up on Aquaman too just because
so if you blow up an oil rig okay that's really going to hurt your your stock and your company's reputation you know if you get a bunch of credit cards stolen or social security numbers stolen that's not something that people are going to be seeing on the news every day and they're not going to be feeling it at the grocery store whenever the price of shrimp doubles or you see Greenpeace on TV with all these oil soaked birds uh you know these real world events are what really uh hurts companies' reputations and from an infosec perspective yeah that is kind of sad because you have other things competing for people's attention and this sort of
bad news sells more news stories than data breaches do another one that came up uh in the past week was Lumber Liquidators so 60 Minutes uh did a coverage on them once some of their factories and found out that they had levels of formaldehyde in their product that exceeded California your EPA levels so put the flooring in your house and now you got all these toxic fumes coming out that exceed uh the the you know appropriate levels stock drops by more than 50 percent you can say that Lumber Liquidators got hammered all right and Tilson Funds who's been shorting them for many years has continued to short them and uh you know they've uh run out
of shares to short there are so many short positions out there that you can't find any stock to borrow to short this thing anymore so this one may go to zero but they didn't have a data breach uh so you know you're probably still thinking uh you know but you know the infosec Press says that CEOs get fired and we have to make fun of Donald Trump while we're at it too uh you know you need to get rid of that Tribble on his head so uh at least I got the card cut going all right so the financial reality of what happened uh you know with Target is that they uh had a pre-tax loss of almost six
billion dollars you know Walmart ran into the same problem uh whenever they moved into Canada as well you know American companies when they move into a different country they tend to underestimate the complexities you know especially if you're in retail supply chains and other things it's more expensive uh so that's one of the things that in the Wall Street press they talked a lot about this uh misguided adventure into Canada uh you know a few stories mentioned like one or two lines about the data breach but when we look at what gets people fired uh you know do you lose uh 5.4 billion or you know the data breach was 0.191 billion with an insurance uh
coverage of 0.46 billion so you had a pre-tax loss of 0.145 billion against top line revenue of 72.618 billion in the finance world we call this a rounding error uh you know that that is uh you know nothing significant and as S&P said that's not material but when we do a fundamental analysis of what's going on you know we look at the Q4 uh earnings call transcript uh earnings per share was 1.50 okay they were guiding 1.43 to 1.47 so they kicked it out of the park on earnings per share Q4 sales were up 3.8 percent okay so it should be negative if customers are leaving full year sales are 1.3
percent in store and online sales are up 30 percent uh you know and Target as they used to call it's kind of lost its panache you know a lot of people aren't really shopping there uh you know compared to what it was 10 years ago big tell for me though is that they increased the dividend 19.8 percent and they paid out 1.2 billion dollars to stockholders yes written on a large number of the target board members get kicked out and they're less uh short-term than likely yeah I haven't kept up with what's going on with the uh with the board uh it's quite possible that an activist investor moved in uh you know to take control uh
you know really interest finding the numbers more interesting but we will get to board replacement in uh just a moment you guys will find that interesting so Home Depot uh according to their earnings call uh they carry 100 million in cyber insurance and their gross breach uh expenses before insurance were 63 million and uh yeah after insurance that's 33 million against 83,000 million in revenue oh gee that looks like another rounding error okay so uh earnings per share up uh 43.8 percent uh for the fiscal year 14 up 25.3 percent uh you know so online business they said that it's 36 versus last year increase of 13 so their online business has doubled uh there and they're also
increasing their dividend by 26 so better than Target and they're initiating an 18 billion dollar share buyback program uh so again you know these guys are apparently doing everything right uh financially uh Anthem is another one that was in the news lately uh we uh have not had an earnings call since that breach but they have 200 million in insurance okay so they got twice as much insurance as everybody else does uh it'll be interesting to see the financial impact especially with all the buying that's going on in their stock so you know we have to ask you know are we spending too much on security the vendors on the back are going to start throwing things at me
in a moment um but you know when we look at what happened Target and Home Depot they didn't really get hurt and you know as an investor my question to Target would be well you have these different teams miscommunicating to each other ships crossed in the night nothing happened better off just reclaiming those synergies and funneling that into a share buyback program and splitting some of it into a cyber insurance program just my opinion all right so with um with uh JP Morgan uh Jamie Dimon's letter to the shareholders uh in 2013 says they have a security budget of 250 million with a thousand employees now the vendors are probably happy about that because you can sell a lot a lot to
JP Morgan uh you know a lot of small companies will be happy to have 250 million in top line revenue let alone just having that for uh you know a security department yeah it's a nice Powerball jackpot there uh you know and in Computer Weekly after the breach okay they said that JP Morgan was going to double their security budget so uh someone some lucky chief security officer somewhere is on his or her way to being a billion dollar CSO now how's that uh it's almost as good as Apple being a trillion dollar company uh you know so we we have to think about uh who else out there is looking at how much is
being spent on security programs and uh we get into the activist investors these are some of my favorite people in in the world I've worked for companies uh with similar people top left we got Jeff Smith of Starboard Value uh top right Dan Loeb of Third Point LLC Carl Icahn bottom left of Icahn Enterprises and Bill Ackman of Pershing Square so you know what activist investors do is they will buy shares of a company try to get control of the board and most of these guys uh you know some of them not all of them so I don't get sued uh are are your stereotypical corporate raiders they go in and gut the company and then sell all
their shares other activist investors out there are you know kind of more compliance oriented they want to get rid of child labor in the factories you know they'll take reduced profits for better environmental policy or getting rid of child labor so you know activist investors it's a whole ecosystem just like everything else but these guys will have a lot of power as you'll see so Starboard Value and that's Jeff Smith they're uh storming the gates of Olive Garden his fund owned 8.8 percent of Darden which is the parent company that owns Olive Garden and Red Lobster and he published a 294 slide on why the company sucks uh just bluntly putting it uh and you know some of the stuff was like
dishwasher safe to go containers well why would you spend extra money on that you know and then other things they were doing they weren't putting salt in the water to cook the pasta because that would void the warranty on their cookware so they were giving everyone crappy tasting food so in addition to some financial stuff in the presentation yeah he said look they could just change the way they run the restaurant so when activists call for replacement of board members that's a campaign so he went out and solicited the other uh investors and said hey I want to wipe out all 12 board members uh you know here's a presentation saying what we can do if we
do it and the shareholders approved this guy didn't own 51 percent of the stock he only owned 8.8 percent and just by getting out there in an activist campaign uh you know he was able to do it you know Business Week had a story on 28 year old guy who started out with fifty thousand dollars and he would team up with guys like this and be the uh propaganda manager and go and talk to other shareholders so you know there's a lot of activism going on everywhere in the market you know to also show how much this can hurt and if you've ever run an infosec program and you see that Relational Investors bought into your company uh yeah you're going to have a
lot of fun uh so Timken is a machine shop they make ball bearings and other gears and parts so this uh company came in bought up a lot of their shares and by the time they were done uh the pension was cut from 33 percent of cash flow down near nothing uh they cut the capex budgets by 50 percent across the board and uh 50 percent of cash flow was then funneled into share buybacks to enrich the shareholders so you know if you're running an infosec program and you suddenly have to do it with half the money the next day uh that's got to be a little painful you're going to have to think of other alternatives so why are
we talking about activist investors well uh after doing a little digging I found that Third Point LLC and according to activists investing review 2014 they have conducted five campaigns uh they're apparently a really good company because the return uh Daniel Loeb's getting for his investors is 73.4 percent so you know what did he go in and start gutting companies and cutting costs uh you know things really work out well it turns out that Third Point was an investor in Sony now if we look at what uh Relational did to Timken you could probably say that there's some serious cost cutting going on at Sony as well and Daniel was seriously going after Sony Entertainment well that was
the subsidiary that we heard of that got hacked back in November December time frame uh you know so and what uh you know Third Point said was they were trying to get the CEO to spin out Sony Entertainment and either IPO it or break it off into a separate company with different management they felt that Sony's management was not that great so what Sony did was they compromised and said yeah we're just going to cut costs a lot and that was enough to get Third Point out of the way they said well we couldn't uh really take over the board we couldn't force this spin out so we're selling our stock and we got out for 20 percent
well that was the quarter before Sony Entertainment got hacked now you hear about how bad it was they couldn't get access to their email and they were faxing stuff to each other well you know Third Point made out with 20 percent well since Sony got hacked uh in November December time frame stock's up 25 percent okay so again it may suck if you're there but you know for the investors this sort of thing works out really well um next area that is uh something that a lot of uh infosec types don't really see that much of is debt covenants so you know you hear about your equity investors but your debt investors are really the ones that you have to uh
really worry about because they wield a lot of power over uh your company you know you have restrictions on your loans that uh say you have to have a certain debt equity ratio or something like that now in terms of debt covenants uh if you violate the covenant immediately it accelerates the maturity of the loan thus the entire balance comes due at one time oops so if you got a two or three billion dollar loan the entire balance comes due they start hitting you with late fees and then they start dinging your company's credit and you know that's just one area you know Radio Shack went bankrupt uh recently because they were not able to sell the company
because they had a debt covenant in place so they had to get the bank's permission to start closing stores and shutting them down uh you know other area is uh preservation of capital covenant this is where the banks can require you to have a certain amount of insurance and in a lot of cases uh you know you're going to have cyber insurance you're going to have uh you know building fire insurance you name it uh you know you can also have restrictions against dividends that you can pay and what sort of equipment you can buy so if you think going to the CEO and saying oh I want to buy this firewall or this UTM device or what have
you and you know they say no we can't afford it there's probably a banker somewhere in the background that said you know unless you've got a regulatory reason to spend money on this we're not going to allow it so a lot of your budgets may actually be going to the banks for their approval not just to the CFO for his approval so you may have your hands tied and and some of these um penalties are immense debt covenants are there to enrich the bankers and not the shareholders so Leucadia Capital uh loans some money to FXCM they're a currency brokerage so again no data breach but a big financial impact so they in the brokerage world if the
customers don't have the money to cover losses the brokerage has to pay so they lost 300 million in one day um and so but Leucadia came along and said hey we'll loan you 300 million two-year term 10 percent interest and it goes up every quarter until it hits 17 percent and then they can't sell equipment buy equipment or do anything without going to Leucadia Capital first and then if they don't pay the loan off in three years Leucadia can force a sale of the company so this is where your debt investors have power over your equity investors and I just absolutely love these loan terms here so let's say they sell the company Leucadia gets 100 percent of
the money to pay off the loan next 350 million uh from the sale they get half of it any money between 350 million and 680 million they get to keep 90 percent of the money and anything after that they keep 60 percent so uh you know this is why I got into Finance because this is uh you know where all the money is and you may think that this is unfair but you know you did click I agree so right so um you know we'll talk about uh another area of the company that you may not deal with a lot of infosec but it's very important you need to get to know who is your head of Treasury uh treasury
normally handles all of your company's insurance your workman's comp uh your uh business continuity disaster insurance they also handle your cyber insurance and one of the interesting things when I first started going to financial conferences years ago was you know you got treasurers and attorneys sitting up on a panel saying we protect the company from data breaches well wait a minute you don't have any uh IT equipment how are you doing that well they say that you know to a financial department impact to a company is shown on the balance sheet well if your insurance is covering you know the consultants to do the forensics you can get insurance to cover lost revenue as an add-on so at the end of the day with
the proper insurance coverage it's like the Servpro commercials it's as if nothing ever happened and you know this is how a lot of executives you know they're familiar with insurance they're not familiar with uh you know technology and things like that you know the treasurer comes to them and says yeah we got some cyber risk but I bought a 200 million dollar insurance policy and we are covered so um what does insurance do well it substitutes a qualified promise for uncertainty a lot of people think it's certain but uh when you look at the the contracts that insurance companies have out there they're going to have a lot of exclusions now unlike homeowners renters or automobile
cyber insurance and general business insurance is very customized it's not because they want to sell you the hole in the donut not the rest of the donut it's that every company has different needs and you know they want you to talk to your broker about you know what you can do uh you know what your needs uh actually are so we'll talk a bit about some of the pitfalls with uh with insurance um you know cyber typically falls under errors and omissions you know also known as professional liability so it's the same class as if someone slips and gets injured uh you know or you know you have a medical malpractice uh suit you know some of the terms to be aware of is know
the difference between first party insurance and third-party insurance your first party insurance is going to cover uh you know what happens to your company uh so if you have to bring in a consulting firm forensics PCI stuff like that uh you know that's covered under first party uh insurance if you're worried about the cost of breach notification letters things like that that's third party that is a third party that you have uh wronged uh in the course of your business there's a lot of exclusions in your standard policy so it says we don't cover terrorism or military uh conflict and things like that so you need you need to take a look at the policy language and this is why
you need your Treasury Department and probably an insurance attorney looking over these things because think about if you have five or six insurance policies a lot of companies will try to save money by getting something with a 20 million dollar deductible that only covers up to 50. then they'll get a different policy that has a 50 million dollar deductible covers up to 70. you know because the risk to that second insurance company because they have 50 million of front-end leeway before they have to pay anything the premium is going to be a lot lower so sometimes you're better off going to a single company other times you're better off stacking different insurances now if there's a clause in there that says oh
yeah our insurance company goes last and you have a different insurance company that also says the same thing you're going to end up in court uh you know suing both of those insurance companies to figure out who is supposed to pay you know waste of time and energy so do your homework up front insurance companies are going to pool you into buckets based on your industry so if you're a retailer you don't want to be getting insurance for an oil drilling company and vice versa so you know talking to your insurance broker is um you know something that everyone should do and if you're not having the discussions with your treasury officer uh you know about about this stuff you
know about your assets what information you have how many customers records could be breached uh you know the treasury Department really does need to know that um common exclusions and gotchas so insurance is there to replace equipment and other things it will not replace any lost Revenue you can buy that as additional coverage so it's just like a Disability Policy uh you know so if you have your data center catch on fire or someone breaks in and deletes your entire database tables while you're restoring you know you can have your Revenue replaced you know it's the same as a business continuity policy typically these Revenue replacement policies will cover your revenue from the previous quarter and pay that until
you know you're back up and running you know I've seen some debt covenants actually require companies to have two years worth of Revenue coverage uh you know because the banks want to get paid back and yeah if you've got two years to get back on your feet you know the banks are more likely going to get paid the other uh gotcha here is if the insurance policy says it covers fines and penalties fines are technically from the government so PCI is not government so you need a separate policy to cover that you know again they're not trying to sell you the hole in the donut they're uh trying to make sure that you don't get too much insurance but there's so
much out there that you probably need all of it uh so um an E&O trigger uh is a wrongful act so someone slips and breaks their leg uh you know you're going to be uh paying for that uh security and privacy policies uh you know the trigger event is a security failure or a privacy event and if you don't look at the fine print more than likely it says it's a legislative only event so you know you see a lot of companies out there who will do a breach notification saying well we're not sure if the data was stolen or we don't believe the data was stolen insurance won't cover that unless you buy the extra coverage because that's what's
called a voluntary notification and unless the law says that you have to do it you really uh have to do that out of pocket unless you bought that extra insurance so another reason why companies don't actually do the notification is they're probably sitting around with their attorneys saying uh yeah we technically haven't uh triggered the breach notification statute so let's uh not preemptively send any emails or anything like that uh you know you can add on a lot of things to your insurance policy as well such as punitive damages uh talk to your insurance attorneys about this one because some states such as New York uh will prohibit insurance from paying punitive damages only compensatory
damages uh so certain jurisdictions uh your insurance may not help you so why pay for it unless you're actually going to get coverage and then also if you do have one of those jurisdictions you may want to talk to your CFO about setting money aside for lawsuits and other things uh you know we see that a lot of the Wall Street Banks set aside money to cover lawsuits from the whole housing uh crash and we'll probably see companies setting aside money to pay damages for cyber incidents as well can you just Reserve that balance sheet and you know hold on to it another interesting area of insurance that's uh going to be controversial to a lot of people in the
room is cyber extortion insurance so you get you know some lockerware that encrypts all your files or someone breaks in doxes you and says hey we're gonna put this stuff out here uh well you can buy additional coverage to cover paying that off now we hear that oh you should never pay a ransom in the insurance world uh paying ransoms is kind of a common thing you know some of my previous clients from years ago had kidnap and Ransom insurance for all of the executives so you know they're traveling in a foreign country they get kidnapped Ransom gets posted insurance company will pay however many millions of dollars of coverage the company has
you know a different client had mercenary and rescue insurance so they would actually cover the cost of hiring mercenaries to go stage a rescue if the um you know Ransom was turned down so really you know you got insurance out there send guys in balaclavas and rifles in but eventually we're going to get to the point where you got guys with these and laptops you know trying to get your data back all right so um you know in the few minutes we have left uh we're going to do a hypothetical exercise um you guys probably be horrified and amused by this one uh you know so we're going to be Consultants who are working
for activist investors to secure data and protect the company's assets so this is the scenario you're a compliance consultant for an activist investment firm a new campaign has replaced the board and c-suite the target company will be transformed into an investment Holdings company and operations will be spun out target company has recently completed an acquisition but has not completed a merger your mission is to protect the IP assets of the company while producing returns for the investors so wait a minute we can't spend money we can only uh you know cut and oh yeah the Chief Information officer the CSO and the chief marketing officer were used to obtain synergies yes bill uh yes and by and by the
and by the okay so um you know my dream team is these groups here um you know whenever uh you know we go into a company I'm going to leverage uh you know compliance and audit both financial and I.T uh you're going to need legal involved in any sort of restructuring process and of course you're going to need Finance because you're going to be loading up on insurance uh so what would you do with your audit compliance group well you need to find where all your assets are so you can buy insurance on them uh you know the financial Auditors will be able to find you know your physical assets IT Auditors will help you with
your information assets uh you know compliance and legal is going to look at your contractual requirements uh one thing that I always do to improve shareholder value is Implement ISO 9001 14001 27001 whether it's a manufacturer data center company uh because number one you find out what your legal and contractual requirements are number two it opens you up to government contracts which causes you to actually spend less money on information security I had a client about two years ago who won a government contract and in the contract it said that the contractor agreed to be subject to State Freedom of Information Act for anything pursuant to that contract so
all of a sudden the entire email form is public okay so now you don't have to spend a lot of money on DLP and other stuff to protect your email because the Little Town Newspaper can just simply say hey government agency send me all of your email and send us all of your contractors email okay well yeah we saved some money there that's awesome legal all right so if you're not going to put a bunch of IPS and encryption uh in uh you know what you can do is you can patent your IP Patent Trademark copyright whatever okay this is where we use lawyers to protect the information um you know to an activist investor uh
you know trade secrets are bad they can get stolen you've got no repercussions except for the party that did the stealing so once it's out it's out uh but if you patent it you can go patent trolling people and sue them for millions of dollars and typically you know in an activist world you're going to start licensing those uh IP patents to the competition you know because it's doing you no good if it's just sitting there and you're not collecting royalties from it uh you know legal's also going to incorporate new subsidiaries and you know they're going to be the ones uh overseeing some of the compliance activities because compliance is just going to say yes or
no you know it appears to be compliant with the law legal is going to really take a look and say okay yeah but even though it ticks the box it does look kind of negligent or hokey so you know we may or may not support uh that um so Finance you know you're going to insure your assets that um you know the Auditors have surfaced and uh the other uh important department that's going to be involved in one of these exercises is your tax department because uh trademarks patents and copyrights are taxed differently in different countries so you know if you have a global company you may uh and I apologize for this one uh you may
have a reason to put some of the stuff offshore which is why you need to talk to some licensed accountants uh you know subsidiary companies are very important this is pulled from Tiffany and Company's 10-K and we're not going to do anything this complex where companies own companies who own companies for this exercise but you know uh in any type of company you can really restructure uh like this so the headquarters becomes the holding company the important thing in this situation is to know that the Holdings company doesn't produce any goods or services so one of the subsidiaries is going to be the operating company and uh you know we're going to have a real estate company a
staffing company equipment Leasing and IP you can stack your different business lines in separate legal entities as well uh you know and the important thing about this is defense against contagion all right uh and uh yeah we're talking Financial contagion not computer viruses but each legal entity is self-contained so the customers have a contract with that one company they can only Sue that one company provided your attorneys have set it up properly uh so you know they have separate accounting uh books and bank accounts so the only money at risk is what's in that bank account for that one company and what a lot of companies do holding companies do is they'll charge management fees down into the
subsidiaries and uh you know they will uh move that money out of those bank accounts so by the time you file your lawsuit there may not be any money in that anyway okay you know this is how you protect the company against this sort of thing intellectual property all right uh trademark patent and copyright if you notice this Dunkin Donuts cup the logo is actually owned by DD IP Holder LLC this is important because uh you know companies license but they'll put the IP for the logos and other things into one company sometimes in a low tax jurisdiction Amsterdam you know has some great coffee houses that's probably why Starbucks went there um and uh their non-tangible is taxed at
5 so you know if you look around online you know the guardian and other newspapers have said hey Starbucks charges uh you know Netherlands charges Starbucks UK like four pounds for the logo so they're only making one pound of profit off of every cup of coffee uh you know and if you're really looking out for the shareholders your tax department is going to be doing this and while you're working with legal to get this stuff under trademark you really need to be talking to your tax department you don't have one I'm sure there you can talk to one of the uh big four Consulting companies uh out there or a mid-tier company uh you know to cover
that uh you know to bring all the value to a company and what we typically do is fire all the employees and hire them by a staffing company uh yes all right Phil Phil knows what I'm talking about uh you know the value here is managers give people busy work and if they're paying by the hour that tends to go away it makes the employees happy plus we don't have to lay people off you know we can actually open a new line of business Contracting these employees out to other companies uh you know so you're uh yeah saving a lot there uh sale and lease of assets uh you know some people may consider this controversial you sell
buildings to get cash you sell your source code license it back uh why you want cash can drive more debt for share BuyBacks that's why you want to go in debt so you can enrich the shareholders and finally the operating company has no real assets there's nothing to sue for and see it's only uh replicable so you know you have a restaurant or something like that someone falls and breaks a leg you just spin up a new Corporation it takes less than five minutes to do online you transfer the business licenses and everything to that new Corporation you bankrupt the old one boom you're done all right so first commission to college all right Perfect all right so at the
end of the day we got revenue per employee up uh We've protected the IP by attorneys so we don't have to spend a lot on I.T and we completed the financial Renovations of the company so at the end of the day you know uh when you leave here FUD doesn't sell well uh people and creativity are your greatest asset okay so don't be afraid of trying something different uh you know years ago whenever I had an activist investor take over and I thought oh my God we're going to get hacked out of existence now I've been at companies as a consultant where we've had no vulnerability patching going on we laid all those people off and put
them in the staffing company for other clients and you know we've uh you know did not have any newsworthy data breaches during that time so again you know if you use bankers and attorneys it's a different way all right we got question here question here
companies nuclear companies and so forth they're going to be a lot more tight-lipped and because uh they're in a regulated environment uh you know an activist investor is going to have to comply with the law so they can't cut it and gut it to the extent that they would be able to in a non-regulated environment
um you know it's definitely going to affect the prices in the short term uh you know how much damage that's going to do in the long term but again they won't be able to cover it up as easy as other companies with these with that's true it's it's a regulated Monopoly so uh you know and we can see with Target and others yeah and Andy okay okay that is awesome well what he's going to do is he's going to stick you in the staffing company and then you're going to be working in some call center so there you go
in the very back with the baseball cap
all right well had a client a few years ago that did this now in China uh one thing that the government will do when you first start doing business there and you always want to do business with China uh not because I'm wearing a Chinese flag pin on my suit or anything like that um but you always want to do business with China because okay they're they're hypothetically could be bad actors you know they could be bad actors in Russia too um you know client I had a few years ago uh you know what they did was they went to the Chinese government and said oh uh you're going to license this IP for 10
years now the standard IP agreement is typically five and uh what the what the Chinese uh will sometimes do is you start doing business there and they say oh by the way you owe us a business tax but you can get out of paying my tax if you license your intellectual property to us well now that now they have your Blueprints and everything so my client went uber aggressive with them and said oh great we'll license everything that you want but you're going to pay us for 10 years and you're going to have Delaware as the court venue so you're not going to get out of it uh you know by breaking the contract you know Elon
Musk said if you're dependent on your patents for more than five years you're doing it wrong so you know by forcing your business partners into a long-term licensing agreement hypothetically they'd be paying for IP licenses after something has lived past its useful lifetime all right thanks very much appreciate it yes [Applause]