
First off, thank you for joining us. Robin Tong, a KPMG partner; I am the Canadian Prairies technology risk and cyber leader, so it is my pleasure today to welcome you to BSides. Today we're going to be discussing ransomware and cyber attacks. We have a little bit of a change of program: I was supposed to be the moderator, but I'm actually going to hand over these important duties to my colleague Ganesh Ramakrishan from our cyber incident response practice in the GTA. Just before that: this is intended to be a panel, we want it to be interactive, so I'm going to be holding this mic here, and at any point in time, if you have any questions for our panelists, please just raise your hands. I'll come over, make sure that you have the mic and everyone can hear you, and make this as interactive as possible. How's that? Okay, awesome, over to you.

Thanks Robin, and good morning everyone. My name is Ganesh, I'm from Toronto, and I lead the incident response team for KPMG Canada. I'm going to quickly hand it over to the panel over here, maybe one round of introductions from everyone. So over to you, Alex.

Thank you, thanks Ganesh. Alexander Rau, I'm a partner at KPMG; together with Ganesh we lead the cyber incident response team for KPMG here in Canada. As we are here, we are the people you don't want to talk to, right, from a cyber security perspective, because we deal with a lot of firefighting when it hits the fan, unfortunately. I've been with KPMG for three years; I was with Mandiant five years prior to that. We've had an interesting couple of years and changes in the threat landscape, and threats and attacks are continuing to happen, and unfortunately clients have to call us, and they call any one of us. And with that, Jason, want to introduce yourself?

Yeah, I'm Jason Kotler, I'm the president and founder of CYPFER; we're a cyber extortion and ransomware emergency response team. I founded the company three and a half years ago just doing ransomware and cyber extortion negotiations and intelligence gathering and responses. We've since grown to over 100 people in the UK, North America and the Caribbean, and we also do incident response, doing recovery and remediation; sometimes that's the alternative to not paying. I've seen exponential growth, unfortunately, in this business, given the types of attack vectors that are changing, the innovation of threat actors, and the fact that they're going after tech companies and others who are targets for a number of reasons we'll talk about today. So our team's role is basically engaging with the threat actors and trying to get the data back and trying to get decryptors, and unfortunately paying them cryptocurrency to do so.

I'm David Krebs, partner with Miller Thomson, a national law firm; we've got offices in Edmonton, Toronto, Vancouver, Calgary. I'm based out of Saskatoon, but I lead the national privacy and cyber group, and I work with these gentlemen and others on these issues, because there are also legal ramifications, oftentimes, of being a victim, unfortunately, which is one of the rare cases where you're a victim and then you're the bad guy all in one swoop, potentially. So I'm a breach coach and I advise on legal notification; sometimes it gets to litigation as well, unfortunately. We can talk a little bit more about that, but nice to be here.

Hey everyone, my name is Nick Hickey, I am cyber services manager for Canada for Beazley. Beazley is a cyber insurer, so we help clients get cyber insurance, get prepared for a cyber attack, and in the event that they do have a cyber attack we'll help you remediate it and get you out of that cyber attack through the use of vendors like KPMG
and CYPFER. Prior to working for Beazley I worked for the Federal Court of Canada; I did IT cyber security engineering work for them in a top secret environment, so plenty of experience from a technical point of view, and happy to be here today.

Thank you, and welcome, all of you. So my first question is for all of you as well, maybe a quick perspective from forensics, ransom negotiation, legal and insurance: what's the current trend around ransomware, what kind of threats are you seeing, and what should everybody be aware of?

I guess I'll start. From a ransomware or from an incident perspective, first of all we've seen a big dip over the summer, from threat actors taking time off, we assume, to enjoy the summer, which usually comes in cycles; I guess you guys can probably validate that. So summers are usually slow, but there are the odd cases, and for us it was sort of 50/50 ransomware or business email compromise, right? Business email compromise, where threat actors try to intercept email communication and misdirect or redirect funds into different accounts. And yes, that happens; we just had a case where $350,000 was sent to another country and the client actually paid, right? And then we're called in to analyze how it happened and what could be done differently the next time. From a ransom perspective we've seen smaller ransom groups, unknown ransom groups, and maybe with that, Jason, you can comment on that.

Yeah, so it has been quiet. One of the largest groups, called LockBit, you may have heard of them, they've been involved in a number of Canadian incidents; they self-professed that they were going on vacation for about six or eight weeks. They weren't answering the phones, they dropped negotiations midway through, you couldn't get tech support, and the operator, when he came back to the office, had an inbox with 150 responses he needed to get to, and he would over time. These guys are the most rapacious, most active group; they went from hundreds a month down to zero in terms of exploits. But in terms of the groups that we're seeing, there's been a resurgence, because this last quarter is usually the biggest, going into Christmas, going into the Orthodox Russian holidays in January. We'll see tons and tons of cases happen, and I'll get into some of the stats in a moment. They're basically going after organizations that are $50 to $100 million in size, but there are also a bunch of small ones. The more organized ransomware-as-a-service groups try to hit these whales all the way up to billion-dollar companies, and there was another recent exploit, called Clop; it was the MOVEit platform, a file share transfer, probably one of the largest thefts of data and number of victims impacted, over 300 at our last count. So that has been happening; we're all getting ready for another wave. In terms of some stats, we see the average ransom cyber extortion demand in US dollars at around 3.16 million. We're negotiating, and we see companies at all different levels, from small and medium enterprise all the way to billion-dollar operations, publicly traded. The average payment that we're paying out is probably around 750,000 to a million dollars; if you'd asked me this about a year ago it would have been around half a million, so it's going up; it's getting to larger percentages of their gross revenues, that's how they equate it. And we're seeing demands that used to be, let's say, in the tens of millions; we've seen 50, 80, 100, 150, $175 million US demands, and that's somewhere between 20 basis points on a billion-dollar company up to 5%. And LockBit, this group that went on holiday, they just refreshed all their rules, so companies are not going to be able to get away with less than half a percent, all the way up to seven or 10% for smaller companies, and they're not going to give as high discounts anymore. They're standardizing across the board; they're only going to give 50%, so when you're faced with a $100 million demand you've got to look at a $50 million US payment. Just a couple more stats: the most attacked country has been the US, but very, very close after that is the UK, Canada, Australia and Europe. The US obviously is the largest, like thousands of cases a year, but we've seen a lot of activity in Australia. And then lastly, in terms of the types of services: professional services, about 23% of businesses that are victims; financial services 12%; tech, tech hardware, the kind of businesses
you guys may be in, about 11%; manufacturing 11%; and then healthcare, unfortunately, 9%.

Wow, yeah, those are interesting stats. I don't know if I have a lot more to add on that front. I think I can echo that we've also seen a little bit of a downturn, and I guess I always think that's a good thing for our clients, because I end up handling a lot of these cases for our existing clients at Miller Thomson. What I have seen is that there's usually a wave of ransomware and then there's a wave of business email compromise sort of after that, and you can wonder why that is; maybe data was taken during a ransomware and then that's used for BEC. But ultimately, I think one thing that I've noticed over the last little while is that clients are becoming a little bit more aware that a ransomware situation is not just an extortion to get your business back up and running, to get the decryptors; it might be a reportable privacy breach as well. A few years ago there was a little bit more of a "no, wait a minute, this isn't a data breach, this is just a ransomware attack and we're going to get the decryptors or recover from backups and that's it." Now I think people are aware that you might have a reportable breach, and we'll get into that a little bit later. Alberta obviously is one of those jurisdictions where you have mandatory breach notification. But other than that I don't have anything else to really add to those.

Could I quickly add something? From the cyber insurance perspective we see thousands of claims a year, and last year I noticed there was a correlation between the ransom demand and the revenue of the company, so the ransom would essentially make up a percentage of the revenue, generally low, 1 to 3%, 3% being on the higher end. Now, as Jason mentioned, with some of these new groups they're a lot more brutal; also, public revenues aren't as noted anymore, so if you're going for a smaller company whose public revenue might not be known, you can see a company making $6 million in revenue hit with a $5 million demand, which, if you don't have cyber insurance, if you don't have insurance to cover that, your backups aren't up and running, everything's encrypted, you might go out of business. So the ransom demands are completely sporadic right now, groups are getting a lot more brutal as well, so I just wanted to touch on that quickly.

Oh yeah, and sorry, one thing that I did want to add, which was a bit peculiar for me this year, is that we saw a few more threat actors just walk away: ransom note and then that's it. And for the client you're in a really odd position, because you don't know what's coming down the pike: are you done, are you not done, what sort of issue do you have? That was something that was a little bit more prevalent. I don't know if you found that, but that
was something that popped up more this year.

That kind of reminds me of a couple of years ago, where we were working on a case where they got taken down and we didn't know if they were ever going to get a decryptor, whether or not the negotiations were going to be successful. Quick question for Jason, just out of curiosity: what's the maximum ransom demand ever, and what's the minimum that somebody ever asked?

Maximum demands we've seen: 150, 175 million dollars US; these are multi-billion-dollar companies. I'd like to say that we're good negotiators, but in those cases the maximum we've paid out is $30 million US, and I've done that a few times. Very interesting: we had an $80 million demand we got down to three, three and a half, four. So it all depends on the situation: do you have immutable backups, is the data they stole that concerning to the business, what's the impact? I'd really like to tell these guys to go stick it, but sometimes you've got to think, and we'll talk a little bit later about the reasons to pay or not to pay, but it's very fact-specific to the organization and their reasons for whether or not they are going to engage, negotiate and ultimately settle.

If you want to continue on pay or not to pay: we have noticed over the last little while clients that are getting hit by ransomware, that their first instinct is "I just want to pay and I just want to move on with my business," so they don't even ask anymore "should I or should I not pay." Obviously, if they think they should pay, there are other repercussions or other decision points they have to take into consideration, but that's what I'm seeing more and more: they just want to get the incident out of the way and just move on with life.

One quick thing to note too about payments: often companies will think "oh, it's simple, we'll make a $3 million payment and we'll be back up and running in two, three days." It's not as simple as that. Technology is getting way more complicated, systems are getting more integrated and connected, and sometimes companies do get the decryptor tool, they go to decrypt, and the data is corrupted too, right? So you're only getting back maybe 50, 60% of what you previously had. So big emphasis on things you can do to prevent this, like backups, immutable backups, and 50 other things that you should have in place as well.

Yeah, that's a big change now, because what you're getting is these ransomware-as-a-service toolkits, and the guy hacking doesn't necessarily have the skills, but they've been given a dashboard and a backend and they can toggle and run these scripts. But they don't know, when they're in proprietary systems, what it is they've done; they don't even necessarily know what's production versus archive versus active or backup. And the problem is that when they break connections to things, or they're in environments where they don't have the best tool, so they have Linux and ESXi but it hasn't been tested or debugged at the level of Microsoft, they break things. We're finding that we've got to get our incident response teams in faster to assess whether the recovery can even happen. Why go and negotiate, then be handed a decryptor that's going to have 10 or 20% data validation on stuff that isn't going to be critical, isn't valuable to the business? The sooner we know if we can do proof of decryption and an assessment to see if there's corruption, the better off I am as a negotiator; we may not want anything at all. And there are times where we've bought things where it's been Swiss cheese and it had no effect and no value.

I was wondering, when somebody in an industry pays a ransom, does that kind of paint a target on everybody? Like you see maybe a big hotel got hacked, that, oh, hotels are going to be really
hot for ransomware groups, better watch out, or is it still kind of random as to wherever?

I think I'll take that. So it is a bit of a crime of opportunity: if you left your door open in your house and someone sees that it's unlocked, they're going to come in. There are groups that want to target sectors because they know, based on the nature of the data or the business that they have, that they're going to have a higher propensity to want to pay or have to pay: if it was medical information, or a critical service, or a casino that's losing billions of dollars potentially. I don't have any direct experience with those cases, but I can say that certain sectors, like I said with the stats, like finance, they have the money; you go where the money is. Does it paint a target? It paints a target if the whole sector doesn't increase their level of protection, so you've got to spend money, you've got to protect. Could they be retargeted? Likely not; they're going to move on. Do we continue to promulgate the "if we pay it's going to fund more crime"? Yes, it's a concern; we always have to think about the larger picture, but the problem is, as was raised early, you've got an existential problem: your business is going to operate today or not recover tomorrow, like what do you do? And you can't necessarily think about the greater good, because you have a lot of people whose jobs and businesses rely on this. So I don't think they're going to necessarily paint a target, but it's a good business and they're going to continue to do it.

There's another question. You guys mentioned the big wave that's coming; is there any correlation between cryptocurrency prices and the rounds of ransomware attacks that are coming out? I know it's a bear market at the moment for cryptocurrencies, and in cyber security I kind of noticed that there were more attacks when Bitcoin was super high versus right now, when it's low.

I've been in all the cycles now, winter, summer, whatever, spring; it doesn't matter. We don't hold crypto, we buy it mark to market, but I do watch what happens with the waterfall of funds after they've been paid. Some of them sit with it, and some of them did very well; it's 30% worth more, deals at Christmas that were then worth more. Some of them don't care; they expect there's going to be a hit, they factor that in, they factor in the washing and laundering that may have a cost of 10 or 20%. They've got to off-ramp this stuff somewhere, and it's getting harder and harder to do. So the answer is demands are getting higher, but the ability to get the funds out into fiat is harder. There are times where we have visibly moved the market with some of the trades we've had to do; like, I did a $30 million deal, we transferred it, and then half an hour later it's worth 2.5% less, an hour later it was worth 4.8% less, that was like a $2 million difference. But they don't care, because the next day it was up, so they're going to play that curve. I think it's more human-driven: bank robbers don't go rob if the gold price is high, right? They need money, they want money, they can make money, they go for it. I think that's more it.

I think there's another question. Great, thanks everyone. Just a question, curious: what would drive an organization, in particular from an education background, like an education organization, what would drive an organization to pay heed to the demand even if the backup is there, a valid backup? Is it just the reputation cost, or something else that they are fearing? And I believe the client may be overruling or may have the final decision, like "do we pay or pay off."

Yeah, right. Yeah, I can take that. So
again, the pay-or-not-to-pay decision: when we're doing incident preparedness for clients, that's one of the things that I always tell CEOs and boards to think about: would you pay? Would you pay? A lot of times, "no, we don't want to support Putin or whatever, we will never do this," and then when you get hit, maybe sometimes there's a change of heart. But it's good to think about these things, to say okay, under what circumstances would we pay, when would we not pay, and what is it worth? When I work, for example, with Jason on some of these cases, it's a constant checking, right? They might say we don't want to pay, or we'll pay; you say okay, for what? For what do you want to pay? Is it manufacturing? A few years ago we had, in my view or my experience, more manufacturers hit, so it was very quantifiable: day one you're down, losing 500 grand; day two you're down 500 grand, right? They'll ask the recovery team how long till we get back to business: 14 days. Okay, 14 times 500, you do the math. Then sometimes you'll say, you know what, we're not going to pay; I'd rather pay KPMG or CYPFER, whoever, than paying these guys. So I'd rather, it's going to take us a few days, but we're okay, it's going to cost us this amount of money, we'd rather pay you. Now, to your question, why would you pay if you can get back up and running? I think it depends on the sector that you're in, it depends on the volume of data, and it depends on what sort of blowback you're going to get, right? Say, okay, let's say you're a victim of this attack and you think, you know what, the information that was taken wasn't great, we're just going to tell everybody about it, we're going to tell our customers. You'll have seen these notices before: your name, email address and last four digits of your credit card number were compromised, we're sorry, if you have any issues call us. Most people... how many of you have gotten a notice like this? Yeah, right, who signed up? Yeah, right, you're not going to be too worried about it. Now, I have seen cases where you are very, very concerned when it comes to health information, sometimes with employees; sometimes there are issues there, and then, working with insurers, you try to tease out: okay, if there is insurance, why are you paying, right? Why do you want to pay? What's the data? Sometimes you do not know the data, because the forensic team is like, well, maybe they have it, maybe they don't, and then you say okay, worst case scenario, that's what I always say, worst case scenario. You might find out there's another issue, like a union, right? Maybe the union members don't care so much, but maybe the union cares, and all of a sudden you say okay, well, we can't have this data leaked. Or it can also happen that you fear a class action lawsuit, so millions and millions of impacted individuals, low-sensitivity data, might still push you to say we want to keep this quiet. Or you might have just a few, but very, very sensitive data, highly sensitive data; you can imagine senior executives with health issues that don't want to come to light. And so there are different reasons, but they're usually related to reputational, class action risk, privacy risk.

And just to add to that: what does the insurance perspective have, like do they support these ransom payments and so on?

So there are a bunch of different ways of looking at this, and it's case by case, right? As you mentioned, there's the financial aspect of it, business interruption: if you're going to be losing $2, $3 million a day, that's one
aspect of it. The second aspect of it is, from a technological point of view, do you have the ability to get back up and running, how are your backups, how long is that process going to take? That's a huge factor as well. I mean, if you have backups and you can recover in a good amount of time, I would always recommend doing that over making or facilitating a payment. Obviously, if we're talking about two, three months of business interruption loss, that's a different story. From an insurance perspective we do help facilitate payments; that's something that is built into our policies. However, there's a long list of things that need to happen before that process goes through. There are also different sanction lists, so depending on the threat actor we might not even be able to negotiate with them; same with Jason's team, they're not able to negotiate with the various sanctioned ones. So the short answer is yes, we can help facilitate payments; the long answer is there's a big process that needs to go on before that point, a huge due diligence process from our point of view, looking at things like your backups, right? You told us you had backups, and now your backups are encrypted, but you told us they were offline, so then it becomes a bit of a claims issue. So it's super complicated, on a case-by-case basis.

Now, just one thing I wanted to add on that is that making a payment and then not having that data released publicly or on the dark web does not get you out of potentially reporting that, if it's a reportable breach, and I think that's a misnomer. I see some people, even in the legal community, sometimes saying that, and that's just not correct; that's not how the Privacy Commissioners look at it. You can read that yourself: you go on the OIPC website, it's very clear that that's not going to get you out of reporting, usually. Okay, now, will a court, maybe, depending on the judge, who knows what a judge is going to do, but will a court potentially say, well, if you made a payment you did something to take additional steps to protect that, and will that show that you weren't negligent or something like that? Maybe. We don't have a lot of those cases out there yet, but it's not a get-out-of-jail-free card; I think it's more of a reputational sort of play. And on the incident preparedness side, I always say, mentioning the OFAC or sanctions lists: what if the worst-case scenario happened because you were not able to pay? Because if you're on a boycotted list or sanctioned list or whatever else, you cannot make that payment, especially if you have to deal with the US; you do not want to deal with that regulator, you just don't, and it's very cut and dried, it's black and white, there is no grey. So what do you do then? Your most valuable assets are thrown up on the internet, and how do you deal with that? Because you can never ultimately say "we will pay to protect you"; you might not be able to, right?

No, there's a question there, so go ahead.

A lot of insight, thank you. So do you have more insight into ransomware
as a service? So before, you mentioned that there are toolkits online that are provided by these APT groups, but how is the service charged? Is it like they take a cut out of it?

Or you're really curious: how do I get into this? I don't know about this. That's a good question, friend, good question. Yeah, I like that. Okay, so, just like your Tim Hortons franchise: you've got a franchisor and you've got a franchisee. The franchisor is the operator; provides all the software, the back end, the infrastructure, the shame site, the leaks blog, the malware you're going to deploy, the reputation they've built that's going to scare people, and they're going to give you some training. I'll use LockBit, just to keep on that one. So they're again one of the most active; they have a hundred different affiliates, we call them franchisees. They pay the LockBit operator 20% of what they demand; they're allowed to set their own prices; they have certain rules, like if they agree to provide a decryptor and to delete the data that they stole, they must honour that, and whatever else they may have said in the chat room. They've got different tools that are available to them that the LockBit operator provides, and they're constantly improving their code and they're still looking for more coders to fix their platform. So you're basically in a franchise model, but these affiliates work on many different ransomware-as-a-service models. You could have a group that one day hits and comes out under the banner of LockBit, but tomorrow they could be Black Basta, they could be BlackCat/ALPHV, you know, names that I'm embarrassed to say on a daily basis, Clop and things like that. Clop's more of a command and control, so mob style. But basically they're setting out the rules; the affiliate rules are posted. They just had a general meeting about their rules; they've set new terms and conditions for the young affiliates who may not have their own arsenal of money, so they're more apt to give bigger discounts. They said, we're not doing this anymore, you're not allowed to discount more than 50%, and here are the pricing terms; you can work within a certain realm, but you can't go off the franchise model.

So I should mention one thing, you might know this, but these actors: in Canada these are Criminal Code offences, right? And so a lot of times law enforcement has their hands tied, because of the location of some of these threat actors, who are in countries that aren't necessarily pursuing these threat actors, but that's not always the case. We've had some prominent cases, actually with the help of, for example, Peel District police and others, where there's an international collaboration, Interpol, FBI, local detachments, and there's a prominent case of a gentleman in Canada, in Newmarket, 20 minutes north of where I live; he was a LockBit affiliate, they caught him in his garage and they seized his computers. So there are serious offences, which I think by now most people understand, but maybe not every 16-year-old.

Just want to add to your question: I think we might also see a little bit more of the script kiddies come back, and the lone wolves, with ChatGPT. I think you guys did some tests with that, right?

Yeah, we wrote some malware; we just asked the AI to develop something that encrypts and decrypts and gives us a code and locks all the data, and boom.

Nicholas, I want to come back to you. We talked about uninsured and insured; do you see a lot of organizations who come to you wanting to reinsure getting denied insurance, or
What are some of the protocols that should maybe be followed?

So we have a pretty standardized process. We have an application that you have to go through, and the application asks some pretty standard questions based on technical things: backups, MFA implementation, do you have a privileged access management tool in place. It's a long list. Generally speaking, if you're a company with a good security posture and you have backups in a good place, you'll likely be in a good place to get cyber insurance. Now, depending on your limits and things like that, that all depends on a bunch of specifics. If you're declined cyber insurance, or you can't be insured by us, I think there are some bigger problems at hand, because in the event that you do get hit with ransomware, you not only don't have the systems in place, you don't have the backups to get back up and running, and now you don't have insurance to help you out of that boat that you're in. So we're seeing a lot more clients come to us for insurance. If they do get denied or they don't get coverage, we see other companies coming in, for instance KPMG, and getting them to a place where they're able to get that insurance, because it's super important. I read a stat a couple of weeks ago that 60% of small businesses in Canada that got hit with ransomware last year that didn't have cyber insurance went out of business six months later. So we're talking heavy importance on getting cyber insurance, whether you're a small mom-and-pop shop with revenues of $1 million or a multi-country company that does $8 billion a year, right?

Yeah, and understand what the policy is giving you. If you're a small or medium enterprise, your demand could be $250,000 to $500,000 of ransom, just the extortion, let alone the cost of all the advisers in the room and the restoration and the downtime. About 60% of our clients have cyber insurance when they come to us. I'd say about 10 or 20% are self-insured, but these are very large companies who have the ability to self-insure, and their limits, that's the amount of money that they have to pay before the cyber coverage they may have kicks in, could be anywhere from $10 to $25 million, and we've hit those limits in some cases.

One thing to note too is that cyber insurance differs from auto insurance. Auto insurance has stayed the same for the past 50 years: there was the invention of the seat belt, there was the invention of ABS brakes, and other than that it has stayed pretty standard for the past 50 or 60 years. With cyber insurance, there are new threat vectors every week, there's new technology every week, so it's a bit more of a dynamic process, right? This year our application might look a little bit different than next year based on the forensic findings that we've had from the year, which I think is important too, because you want to remain standardized with what's happening in the world.

You don't want the standards to go up too, right? Standards go up. A few years ago if you said "oh, MFA," oh... Now if you say you don't have MFA, it's like, come on, right?

Yeah, MFA should be a baseline, 100%. That's pretty simple. But now you're looking at things where you have MFA bypass, so is that as important as we thought it was two years ago? Maybe there's a new aspect that's more important, right? So it's a constantly changing landscape with cyber insurance, but it's incredibly important to have.

And you mentioned forensic results, like investigations. Often times, as investigators, we can't even find any data because there are no logs or the log retention isn't there, right? So make sure that you log, you detect, and you keep the logs more than three months or 30 days, so we can actually go in and find out what happened, because that is valuable data, not only for you and the case but also when it gets aggregated on the insurance
level. So I just wanted quick time. You guys are in demand right there. So some of the answers have gone into this since it came to my mind, but you've touched on a lot through some of the answers, especially on the legal side, about this move to double extortion: not only the ransomware where the environment is encrypted, but take all the data first, or, I think, maybe exclusively take the data sometimes now. I'd be curious to know how that's impacting the insurance perspective. How do you handle that? It's not just about having backups now, it's about this leak of company secrets or privacy breaches, and also how that impacts the negotiation and the IR side as well.

Yeah, great question, thank you. So we offer those services, right? Our services aren't exclusive to technical services. If you get hit with ransomware, we're not coming in solely to do forensic work; we're also there with a breach coach, we're also there with negotiators. We also have various notification services available, so if the breach coach comes to us and says, "listen, 10,000 employee documents have been leaked, we've got to notify," we have those notification services available through Equifax and different companies. We also offer communication services, so if it becomes public media knowledge then we have that ability to offer some PR services as well. So it's not exclusive to just technical. I hope that answered your question.

Yeah, thank you. I just want to ask two questions, one A and one B. One A is: if all the details that the insurance company is looking for are available, what is the time frame or the SLA to get the claim?

So you're speaking specifically, if you have a claim, how long until we end up working on that?

When all the forensic data, logs, everything, are...

Very quickly, very quickly.

So how long is "very quickly," sir?

So if you say your company gets hit with ransomware right now, we would be on the phone with KPMG or another forensic provider basically within the hour to get a scoping call going. From that scoping call we're going to set up the team, figure out where we need to go. The forensics at that point can take weeks, months, but we work quickly; we can work as quick as you do, right? So if you come to us at 5:00 p.m. on a Friday and you say, "hey, we've been hit with ransomware," we'll be on a call at 6:00 or 7:00 p.m. on the Friday, and we'll be working by no later than Saturday.

Yes, that is starting
the work, but that is not reimbursing the company.

Oh, you're talking about getting reimbursed for the cost? Oh, that happens later. That's a claims issue. It's going to go through a whole claims process to figure out what exactly is covered based on your policy. One week, two weeks, one month, one year, it's case by case, right?

If you're talking a small BC, what's the fastest, the fastest, the fastest?

Oh no, now we're getting specific. Weeks, we'll say weeks, how about that?

All right, all right, I won't pressure you further. Question 2A.

Sorry, go ahead.

Question 2A: what exactly am I trying to protect if I'm paying for cyber security insurance?

Oh, hold on, sir.

I'm just painting a question. I'm not painting... if, like, somebody has stolen my car, and the person calls me: "oh, your car is now in the United States, I have your car. The car is worth $70,000. If you can pay me $10,000 I will abandon your car at the grocery store in Edmonton, pick it up, if you can send Bitcoin." But even if I send that money, what's the guarantee? Is it a 100% guarantee that the guy will return the car? Is it guaranteed that the ransomware guy will decrypt things and I'll have my data back? That's the question, sir.

Maybe that's more for Jason.

Yeah, in all the cases where we've negotiated a settlement, 100% of the time we've received the decryptors, but to my colleague's point earlier, they may not be as effective in the data validation and recovery. So your car may be smashed, keyed, the stereo's gone; you've got a car, but is it worthwhile to you? The other question I think you're asking is...

Oh, I forgot, the data leakage.

Oh, data leakage, yeah. So you have to think about it as a business case: is that going to impact you, and what happens if the data gets out if you don't make a deal? And the question really I think you're asking me is credibility and integrity and honor amongst thieves. We are engaging with them based on their past reputations, which I don't always believe, because there are different affiliates on each platform, right? And we're trying to assess whether or not they're going to have the methodology of all the other threat actor groups, and if we think they're going to deliver, and how they're proving it and working through. If we have high risk, we may tell you don't pay at all, that there's a high risk you're going to be re-extorted or the data is going to be leaked anyway. What you're paying for, sorry, your car analogy, it's a little bit like this: your car is gone; let's say it's your mom's car. You might be paying for Mom not to find out you stole her car, you know what I mean? Somebody may have seen you, but at least Mom isn't finding out right away. I've never done that, but I'm just saying.

You've got to turn the odometer backwards.

I know there's one more question, so sorry.

Thank you so much. My last question is, basically, when a payment is made, do you guys track the payment afterwards on crypto exchanges, and when does law enforcement get involved? If you're able to track it and you're able to find the actor and whatnot, do funds get retrieved? Thank
you.

Okay, so we have to run compliance checks on all the indicia available to us: the name of the group, the wallet, the indicators of compromise the forensics teams would have found. We have to get comfort that we've done a risk-based due diligence approach. So prior to a settlement, usually the wallets are clean, there's no activity, it's a fresh wallet, if they're smart. Sometimes we have really dumb criminals that have sanctioned activity; we can't pay. Once it's been paid, our obligation is gone in terms of what's happening on the wallet, but there's another obligation, because I'm a money service business registered under FinCEN in the US and FINTRAC in Canada, that we have to file a suspicious transaction report or a suspicious activity report. So in the US, for example, the SARs will get reported: the nature of the crime, the threat actor group, the wallet, the demand, how much it was settled for, but the client's name is off, because a lot of what we do is under privilege and confidentiality agreements with our counsel. Law enforcement, if there's a cyber policy, will likely be informed at the beginning, because it's really the only defense you had: you went and you talked to the FBI, you asked them if they had any other indicia, anything we should be aware of that could be funding a nation-state threat actor or sanctioned entity, and if everything is cool then you're going to make that payment. But in return they're going to want something like an IC3 report, or the RCMP has their own reports, that we, as literally the guys inside the crime scene collecting the evidence, would give through counsel: our transcripts, the wallet, our OFAC compliance report. Counsel will decide if they want to, and how they're going to, work with law enforcement globally.

Thank you. I know we are almost at time, so just a quick closing thought from everyone: dos and don'ts in the event of a ransomware, if it comes to forensics.

I already said mine: detection, logging, and keeping the logs, good quality logs.

Yeah, one thing too is we often see companies get hit with ransomware, and the first thing they try to do is get backups up and running, and those backups end up being encrypted. Wait. I know you have in-house IT and cyber security teams, but wait for the forensic team to come in with their expertise before you try to start restoring things right away. We've seen it quite often where things go south when that happens.

So yeah, hire a professional. These people in the room have seen it before; you can't just learn it on YouTube. We've done thousands and thousands of engagements with threat actors. There are things that we do and how we start to try and get the best result for clients. Don't go to the Tor link yourself.

Yeah, don't click on that Tor link, because it's going to start a clock, and then I'm trying to beg for time when we didn't need to be that anxious at the beginning. It actually gives us a weaker position when you jump in immediately, too, without having spoken to everybody. You want to make sure that your environment is hardened and protected; you want your forensics teams to make sure that they're not still in there, that they can't do more damage, they can't continue to encrypt or steal data. You want to validate prior to an event where your data was. Make sure you have least permissions, make sure you've got immutable backups, make sure you don't keep your insurance policy on the file server they attack, because they're going to hold that up and go, "oh, you've got $10 million of cyber insurance," and they're going to go, "why are you telling them you have cyber?" And just be vigilant, vigilant, vigilant.

Yeah, generally I think most victims probably have a little bit more time than they think. So there's a risk to trying to brush things under the rug, but there's also a risk in trying to be overly transparent, and by that I mean you're hacked and then you want to go out, and I've had cases where people will post, or the CEO will post to their Facebook or send emails to their key customers, "we've been hacked." That's not what you want to do. You might have to do that, okay, depending on the situation, but you don't have enough information at that point to really make anything more than what people call a holding statement, or something that's quite generic. That is usually the right call, and you might not have to make that call right away. So I think that's another important learning.

Thank you very much, everyone. Thank you. I think we are... thank you very much. Thanks everyone, thank you.