Cyber risk: Avoid, safeguard and mitigate

Cyber and Technology | Podcast | October 11, 2023

Recording date: 09/25/23
Air date: 10/11/23

Cyber risk is a rapidly evolving landscape. Over the past decade, device adoption has increased six-fold and it has doubled over the past three years. Michelle Chia, Head of Professional Liability and Cyber, and David Shluger, Vice President of Cyber Risk Engineering at Zurich North America, note that many businesses are not adequately prepared to deal with cyber threats. As the pace of technological advancements continues to accelerate, they urge businesses to prioritize cybersecurity and take proactive steps to protect themselves.

Guests:

Michelle Chia
Head of Professional Liability and Cyber
Zurich North America

Michelle Chia is the Head of Professional Liability and Cyber at Zurich North America, where she manages profit and loss for the Technology, Manufacturing and Miscellaneous Professional Liability and Cyber portfolios. In addition to industry engagements, she has collaborated with regulatory and defense stakeholders to build awareness and public-private partnerships to encourage cyber resilience.

David Shluger
Vice President of Cyber Risk Engineering
Zurich Insurance North America

David Shluger leads Cyber Risk Engineering within Zurich Resilience Solutions (ZRS) North America. He is responsible for the group’s technical advice internally to Cyber Underwriters, as well as consultative risk improvement strategy externally for customers. He works closely with cyber risk experts within Zurich, as well as leading technology providers to bring solutions to his customers.

Prior to joining the ZRS team, David worked as a Senior Deal Architect with Zurich’s Strategic Risk Solutions underwriting team. Prior to that, he served as Chief of Staff to the CEO for Zurich Global Corporate in North America, where he worked closely with the executive team to develop and deliver the team’s financial and strategic plans.

Host:

Stephani Gordon
Executive Employee Communications Business Partner
Zurich North America

As part of the Zurich North America Communications team, Stephani Gordon finds and shares stories by asking questions that connect people with ideas to pique curiosity, broaden awareness and create communities. Fondly considered a compassionate interrogator, she has coached executive communications for the CEOs of Zurich North America and Zurich Canada, led C-suite video productions and connected employees with corporate strategy through storytelling and engagement. In addition to hosting this podcast, she unabashedly admits to spending too much time on TikTok in the guise of “anthropological study.”

Episode transcript:

STEPHANI GORDON: Hi, welcome to the Zurich North America Future of Risk podcast. My name is Stephani Gordon. I'm your host for this episode on trends in cyber risk and cybersecurity. Is your business keeping up? David Shluger is Vice President of Cyber Risk Services. Michelle Chia is Head of Professional Liability and Cyber at Zurich North America. So first of all, welcome David and Michelle.

MICHELLE CHIA: Thanks so much for having us.

DAVID SHLUGER: Thank you. Great to be back.

GORDON: So, I think we'd agree that cybersecurity isn't really considered an emerging risk anymore because really it's been a thing since before the 1990s and [escalating] with the evolution of the internet, when people started putting personal information online and companies started connecting their computer networks and their manufacturing plants to the internet. But I think you'd also agree that cyber is definitely an evolving risk for corporations, right?

CHIA: I'd like to add another social commentary footnote there. In 1999, “The West Wing,” a TV show that aired in the United States, predicted that this past decade would be all about privacy because of the internet. They have predicted something that has come true, which is so fascinating. Cyber risk is not only evolving, individuals and organizations are adopting the use of devices that are connected to the internet at an accelerated pace. So, it's evolving and it's also getting bigger simultaneously. And so, these statistics out there peg that the rate of adoption is about six times over the past 10 years and has doubled over the past three.

GORDON: Wow.

CHIA: That's a huge pace, right? And for the listeners out there, I wonder at what rate have you, as individuals, and your organizations connected devices to the internet? I can tell you that my rate is way beyond 6X and I think that's part of the reason why we think cyber resilience is critical. Cyber resilience is critical in our personal lives, as I just talked about mine, and for organizations — the ones that we work at, the ones that we buy things at, etc. — cyber resilience helps us avoid, minimize and mitigate business interruptions to our company's operations. So that's, I guess, why we're here today to help demystify and remind all of us about some cybersecurity basics. We're going back to the basics.

SHLUGER: Really well said, Michelle. And you know, I think cyber has really mirrored the evolution we see across business, right? We're seeing businesses more interconnected with global supply chains. We're seeing really rapid innovation and new products to market. Manufacturing is getting more automated. All of this is underpinned by technology. That's what makes it possible. We know and have learned, unfortunately, that technology can be very vulnerable and at the same time, change can leave companies vulnerable regardless of whether that's technology or other types of change. So, as we look at cyber risk and the best way to manage it, I think a lot of organizations are finding that they need to balance the speed at which they're able to change and innovate within the business alongside responsible protection of those revenue drivers.

GORDON: So, as an evolving risk, companies face new cyber issues when they move to cloud services or they start employing new digital technologies, or within the past few years, when people got catapulted into more remote working, right? Do you see an overall increase in the number of cyber incidents that are being reported? Or is it the nature of the threats that are different? Or both?

CHIA: Stephani, I love this question and people can't see how wide my smile is. I'm going to tee this up with another TV fun fact. There is an episode in “The Simpsons” in which Homer Simpson, who is a Nuclear Safety Technician — I looked that up — he works from home in this episode. So, “The Simpsons” predicted that remote working or working from home was possible. This was an episode from 1995.

GORDON: The Writers' Guild is ahead of its time.

CHIA: Honestly, it was so interesting. So, much like Homer Simpson, many of us, many of our employers allow us to work remotely very readily today. It allows us this increased workforce to have this flexible work arrangement. This partially occurred because during the pandemic we all had reasons why working from home occurred at a more accelerated pace and we pivoted from the traditional work in-person every day in the office and the plant. And that’s when the pivot really occurred. This drastic shift over remote work increased reliance — not resilience — reliance on network connection using the internet, which increased the opportunity for bad actors to leverage vulnerabilities in those connections.

GORDON: Sure, that makes sense.

CHIA: So, we're using the internet more, right? There's more opportunity to hack into computer networks. And so, as a result, these bad actors identified and acknowledged that, [then] targeted [and] exploited companies and individuals. So, it was happening on a greater pace during that time period. Furthermore, they were able to identify tens or hundreds of companies with the same vulnerability. So, they basically scaled their commercial enterprise, which is a scary thought, but it's the reality of what happened. Organizations, individuals have the same vulnerabilities … you can impact them at the same time. And so, the headlines of cyberattacks, ransomware events, over the past three years have increased our awareness around the criticality of cyber resilience for us as individuals, for organizations, for many of our customers. And this has created this idea that organizations and individuals need to increase their protections against cyber threats. So that's great. We're better at protecting ourselves, unfortunately, however bad actors have acknowledged that and they continue to mature their capabilities and they continue to shift and evolve their techniques. So, with one upping, the next, one-ups as well, and it's kind of one of these cycles. We'll see what the tipping point is, but we're seeing this evolution over time from a threat and security perspective.

SHLUGER: Michelle, I remember that Homer Simpson episode, and I think he called himself a nuclear safety supervisor. Yeah, I think we can all agree that some roles just shouldn't be performed from home. But that's the new hybrid world we live in. I think, thankfully, like Homer's world, our real world has evolved along with the businesses in which we work. We know that remote work has tremendous benefits to employees. We know that companies benefit in that they can tap into a broader, more geographically diversified pool of candidates. Even the expenses associated with our physical offices have been impacted by this remote work. But as Michelle really pointed out, there are challenges and risks that come with that and we've navigated them as they've come. But one of those is that increased potential for cyber risks that threaten the business. And that's for a variety of reasons. I won't go into every single one of them, but as I work with customers and prospects and other companies, I see a wide variety of ways that they're responding to this level … this risk. The majority of the companies I interact with are at least doing the bare minimum. They're using virtual private networks or VPN, they're using multi-factor authentication or MFA, and these are an absolute must. Now don't mishear me. There are other things that are an absolute must, but those are just a couple of examples. What I would say is each organization really has to look at what it is they're looking to protect and what they need to protect, and then what's the best way to do that. And frankly, that's where experts can really help steer the strategy, because it's very difficult to know how much is enough, how much is too much, and really strike the right balance.

GORDON: So, you're talking about table stakes, right, David?

SHLUGER: Yeah, some of these are the table stakes that a company needs to do just to protect themselves. And I will add, every company is different. So, you don't look at your neighbor and say, “I have to just do what they're doing.” You need to look at your own organization. What it is you need to protect the work you do, the end customer. You support all of that and respond accordingly.

GORDON: So, just a follow up question to that: Where does generative AI fall into this conversation when you talk about evolving risk?

SHLUGER: When we talk about artificial intelligence, let me just set the stage a little bit. This is an incredibly broad topic, and I don't think you can pick up a newspaper, listen to a podcast without [someone] talking about AI. We're seeing the technology itself proliferate every part of our lives, both at work, at home, and oftentimes we're not even aware of where AI is impacting us. Most of the time, that's good but it's also something that we certainly want to be aware of. And don't forget, the theme here is evolution. It is going to evolve. But a lot of these applications are very positive. One of the really positive examples we're seeing over the last number of years is how AI is helping make cybersecurity more efficient and effective. So, I just wanted to set the stage that we're really talking about the cybersecurity application of AI.

CHIA: Yeah, like David said, that's probably another podcast in and of itself, if we talk about anything beyond generative AI for cybersecurity related matters, because it's such a large space and there's so many efficiencies and benefits that can be gained and also challenge. We have to manage risk, you know, from all perspectives more holistically. But yeah, generative AI has its benefits. Machines learn behaviors faster than individuals. On the other hand, machines can only learn what we teach them. And in the case of cybersecurity, what we have learned thus far, in the past 3, 4 decades is that the past does not always predict the future and the space will continue to evolve. So, how can we teach something that machines don't yet know [and] we don't yet know? There may be trends based on prior situations that we can use to inform the models and the technology, but not necessarily teach the technology something that we're not aware of yet, because what I don't know, I don't know. Also, if the wrong behaviors or data is being fed, then the AI won't necessarily be useful. So, we also have to manage towards that challenge. We have to make sure that a holistic perspective, a broad perspective, is fed in to teach this artificial intelligence. And so generative AI, as it relates to cybersecurity and I guess at large, is only as good as the direction it's provided. The potential for generative AI, I believe, is broad, but it can also be manipulated. And we have to be very careful about that latter part. It's not any different than an individual being manipulated on the one hand but we do have the ability to identify and detect when bad things are happening. But do we have the ability to check generative AI at this point when it's being manipulated? Because if we teach it one thing and it knows how to go in a path in one direction, how do we know it's going in the right direction in the first place? 
But I'm going to stop there because this is getting a little bit outside my area of expertise. I think, Dave, you had a couple more things that you wanted to add on this topic.

SHLUGER: Michelle, I think this may be becoming your area of expertise. I'm going to steal your idea and go back to another analogy. The way I view AI is sort of a lot like the suit that Ironman wears, okay? And it allows that human to be stronger, faster, more capable, but alone — without that human operating it — it's really not a useful tool. So, when I view AI within cybersecurity, I see applications where the security operations center can extend their reach. Those analysts can see more of the organization than they can just on their own, with their own time. The red team members have a better and stronger ability to really test the organization's defenses. The “threat hunters” can look further deeper at more modern variants of where malware may be lurking. And even the Chief Information Security Officer, him or herself, they can provide enhanced protection to the organization without drastically increasing their headcount. So, again, I don't think we've seen all of the ways that generative AI will help the cybersecurity function. But I do know that I'm seeing really, really critical ways to extend the reach of that team of watchers. And I know that we will, as Michelle talked about, we'll need to train whatever models, whatever tools we're using, to do what it is we need. They won't train themselves. So, it's always going to be the ideas and the learnings that cybersecurity professionals are coming up with. They're learning from their peers. They may be learning from industry partners they work with and then they're going to take that back and use AI again as a tool or like that Ironman suit to do more than they ever could without it.

GORDON: That's a clever analogy, David. Thank you, I appreciate that. And thank you both for your thoughts on that and we'll make a note that definitely sounds like an episode in and of itself. But I want to come back to when you were talking about companies doing the bare minimum and support, etc., and how that might also be evolving. Do you see any evidence that the companies you talk to might be getting fatigued with constantly having to reevaluate cyber risk and update their coverage or their mitigation strategies as things evolve? Because sometimes I think we like to put something in place and tick the box and say, “Well done. We've done that. We're moving on with the rest of our business now.” But in an area of evolving risk, sitting still is probably not an option.

CHIA: Oh, Stephani, you ask really great, yet tough questions, and this is yet another one of those. Definitely, cybersecurity is not for the faint of heart. There's a lot going on and it is layered. You have to build upon a solid foundation for sure. Cyber risk is rapidly evolving. Cyber resilience is critical for organizations. We already talked about that. Maintaining the baseline, the need to have controls, let alone best-in-class protections … it feels like a moving target. And I think that's part of the challenge. The risk is evolving and therefore the baseline controls are evolving and best-in-class protections are evolving. At the core of it, cyber resilience needs have constant update and upkeep requirements. Here's a bad analogy — unlike the Ironman analogy — it’s kind of like exercise. I need to keep on going and build upon what I've started. I can't just say, “Oh yeah, I went to the gym for a month and not go back to the gym forever and ever.”

GORDON: Wouldn't that be nice.

CHIA: It just doesn't work that way. Ah, it would be lovely, especially during the summertime. But the better question is why is this happening? Companies’ cyber insurance capacity needs to increase for two reasons: One, inflation. The cost of resolving a cyber incident increases periodically because wages increase and people are involved in the remediation process. So, there's that human element component, that human cost component. Also, with more cyber events the number of companies needing the same remediation services and capabilities that are in existence right now … it's basically a supply and demand scenario calculation that supply and demand both increase, which means that the price increases. Basic economics. But we do know that vendors are expanding their capabilities to meet demand, too. Secondly, with increased reliance on the internet, on smart devices like our phones, the scale of network downtime increases. And the good news is that there are methods that companies can employ to dampen this somewhat. And Dave will touch on that and has touched on that. However, the reality is that with a two- to six-times increase of use and reliance on the internet from manufacturing plants to professional services firms — like a law firm … from hospitality to retail — that business interruption … the net income loss increases substantially and can even be staggering for an organization that experiences a cyber event. So, all these things … I just listed like 10 things in like 30 seconds. There's a lot there and it's death by a thousand paper cuts almost.

SHLUGER: I took the question differently. So, Michelle, I think [you’re] really on point when it comes to the organization getting fatigued with how much they have to do and that steps up every year. When I really heard that, I was thinking fatigue sort of from a different angle. The threat actors and our cyber adversaries, they view the human nature of us and the fatigue that we can experience … they view it as a weapon, or something that they can weaponize, and it's really effective. So, what I mean by that is we've seen a lot of attacks out there — varying types, but they all exploit a sheer volume of attempts. So, we can go way back in the archives and look at “brute force” attacks. Those are things where they're essentially trying to break in by cramming a lot of passwords in for lack of a better analogy, just essentially fatiguing the system. Then, we have what is still pretty popular — the mass phishing campaign, and that's them trying to fatigue the organization and assume somebody isn't on their guard and may click on something that hopefully they should have spotted. But again, all of these were made possible through the exploitation of fatigue to the system or the organization or the person. Now we see that same approach really targeting employees. So, one of these is called an MFA fatigue attack and we saw this in some recent breaches. So, this is where a barrage of multifactor authentication requests come into an individual's phone or mobile device or other [device]. And they come in and the employee may inadvertently hit “Yes,” when they meant to hit “No.” Or they may even think, “Well, I must've logged into something in the last couple minutes.” So, they hit “Yes,” but really this was an attempt made by a threat actor, and all they needed was the employee to indicate to the organization that that was them. And so, when they are led in in this way, it's really devastating because MFA works incredibly well, as long as it works.
So, this is a method that we're seeing threat actors use to bypass MFA, which is on its own an incredible roadblock. Now, you could take this fatigue concept even to social engineering. So, if you work the IT help desk and you're taking call after call after call; imagine the fatigue that comes with that. And then someone calls, [it] seems plausible, the information they provide checks out. You may grant them that access, but that could be a threat actor who's calling in under false pretenses. It's getting really, really difficult to tell those apart and think about just how alert you have to be in order to decide [if the call is legitimate], if you're on the other end of that phone. So, kind of coming all the way back here, right? We know that humans are fallible. We know we get tired; fatigue is real. And that's why we can't rely on any single defense. We need the multiple layers of defense to make sure that we don't have any single points of failure that can bring the organization down.

GORDON: Both of you have spoken to how increasingly sophisticated cyberthreats are becoming, and I think it's important, David, that you went back so many years to talk about kind of how the threat has evolved, because again, it's not a one-and-done protection to keep up with that. And also, you talk about how employees need to stay alert. Well, the employees who are answering the phone maybe weren't with your organization a year ago when you did cyber training, for instance. So, [there’s] the need to keep doing it and keep doing it and stay on top of it, right?

SHLUGER: Absolutely. Yeah.

GORDON: Do you see companies … everybody's thinking about finances, as well, and looking for places they can trim. Is anybody cutting back on cyber or resilience protection, or are you seeing different behaviors based on small, medium versus large companies?

SHLUGER: In terms of cutbacks, companies have to always optimize what they're doing, and we always hope that they're optimizing and not cutting. So, we see that from time to time. But as technology's advanced, there may be better ways of doing things than there were in the past. When it comes to small and even medium-sized companies, they have very different needs. If I think about a lot of the small and medium companies I work with, I see that their staff is more limited, their budgets tend to be smaller, their scale of operations is smaller. It may be regional instead of global. And the sad reality is that unfortunately, they're subject to many of the same exact risks that larger companies are faced with. And we know that cyber threat actors generally do not discriminate. They look for the most vulnerable target and then attempt access. And if they're able to get it, they try to extract the maximum value from that target. So, in the end, I think we've been hearing this and have known this for quite some time, and our teams have done a lot of work — both on the underwriting side, on the services side — to make sure that what we provide is proactive and helps companies defend [against threats], that we have adequate post-incident response capabilities and then, ultimately, financial protection that's going to make the organization whole. So, maybe I'll let Michelle touch on some of that.

CHIA: I'm basically going to say the same exact thing as you, David, but probably from a slightly different perspective, but like, the same exact message. Upkeep is tough. I'm going to make this all about me now. When I have a packed day, when my schedule is back-to-back crazy and I wonder what I need to cut out of my schedule, sometimes that's the time at the gym, going back to that other metaphor that I talked about earlier. But the gym is really important. But can I get to the gym today when I have a packed day, a packed schedule? You know, in terms of talking about priorities that Dave touched on earlier, it's the same thing for all organizations. Medium and small organizations just have a more limited access to resources, whether it's time or money or people, it's all a limited resource. Things are finite. And to keep up with the best practices, that are developing at a rapid pace, it's difficult. Just maintaining is difficult enough as it is. And here's a selfless plug: this is why I'm so excited about the launch of our new admitted Cyber Insurance product. It's called the “Zurich Cyber Insurance Policy Concierge Suite.” This is a product that combines an insurance policy with a proactive and reactive risk mitigation service. We launched this product specifically for mid-size and small organizations because we recognize the challenges that they face, and we wanted to take one more thing that they have on their plate, off their plate.

GORDON: I appreciate that. You've both given a lot of great analogies. I wonder if a case study might be helpful if you have an example that might resonate with people in terms of what happens when a company becomes too complacent about their basic cybersecurity.

CHIA: Yeah, there are unfortunately way too many examples that we can point to. Cyber breaches are agnostic to industry, to size, to almost every single criteria except for cyber resilience. That's like the only criteria that has safeguarded organizations.

GORDON: I think David said, “Cyber threats aren't discriminatory.”

CHIA: That's exactly it.

GORDON: If they can get in, they will.

CHIA: That's exactly it. They'll find the weakest link or a scaled vulnerability. We can open up a newspaper and read about the most recent Fortune 500 organization. There are headlines [that] abound unfortunately. What we don't read about as much is the “mom and pop” shops or mid-size organizations that are being impacted. And so, I do want to bring that to light that organizations, regardless of industry, regardless of size are being impacted and cybersecurity teams are there to manage technical protections. On the one hand we have cybersecurity experts. On the other hand, we as individuals, as employees we are also responsible for things as simple as, "Michelle Chia don't use password 1, 2, 3 with a capital P and an exclamation mark at the end." Even that is not strong enough, right? We all need to do our part, and that is part of the whole complacency discussion right now.

SHLUGER: I fully agree. When I talk to smaller businesses that I work with, almost every single one either says, "Oh, I've been a victim," or "I have a peer or a competitor who was a victim of a cyber incident." So, it is absolutely everywhere or rampant in the industry. But as I talk to these individuals — and oftentimes at a smaller company, you're talking to sort of a senior level person because they wear so many hats — I don't attribute it to complacency. If you have ever met an entrepreneur or maybe were raised by two, you know they're not complacent individuals. They just may not have the right priorities or it just is not something that is in their wheelhouse and they really just need to be shown the way and shown how critical it is. And so, in any case, however, they've missed it, what they need are really simple, practical and affordable solutions. So, for that small and medium-sized enterprise, they need guidance from experts that helps them understand what their specific and unique risk is to their business and what is the best way to address that. Unfortunately, when they go out and search for it, oftentimes what comes back is the quickest one to serve them with an ad, right? And so, it's really hard for business operators to figure out which direction to go in. If they have the advantage of having some unbiased support and service that helps them prioritize from a risk-based vantage point, I think that really helps them. Fortunately for those types of individuals, that guidance is available and really all they have to do is ask.

GORDON: But to your point, if it's something that's already not in your wheelhouse, then even finding the right help can be a challenge, right?

SHLUGER: Absolutely. That's where you need to know to trust your partners and work with organizations that do have that expertise.

GORDON: Sure. So just to pivot for a second, ideally, if a company is investing proactively to protect themselves against being a victim of a cyber incident, but then … what happens if something does occur? And this kind of almost goes to, again, those organizations that aren't completely staffed to deal with this issue themselves. I'm assuming part of the strategy is to have a plan about how to respond. Is that the competency that Zurich recently acquired with SpearTip?

CHIA: Yes. From the underwriting side, I can't tell you how excited we are about the acquisition. SpearTip brings additional tools that insurance can tap into under one roof. You have Underwriting, Risk Engineering, SpearTip … it's so exciting. And SpearTip services are not solely reserved for Zurich insureds. SpearTip will continue to work with multiple organizations, whether they are insureds of Zurich or not. And they will be able to provide these additional resources to our customers, which is very exciting for us. Just a quick analogy here: SpearTip is kind of like the firefighters. We can know when events occur, and we can identify them, notify the professionals. SpearTip basically comes in and helps with the remediation process because they are first responders, essentially. But not from a life and limb perspective, thank goodness. But I just wanted to put that out there. Why are these resources and tools needed? It's because we have our day-to-day jobs and SpearTip does the “firefighting” component. If a fire occurs, I'm not going to be suiting up and getting a hose to hose down the building. That's not my area of expertise. I'm not trained for that. But SpearTip is … from a cyber perspective.

GORDON: That's very helpful, Michelle. Thank you. That's a very good analogy. I appreciate that.

SHLUGER: I think that that's a great analogy. I'm going to steal that, Michelle. You know what SpearTip does is … it represents just a huge enhancement in the service that we can bring to our customers. And that's both in that response or “firefighting” capacity Michelle talked about, but also with some of the proactive support and consulting that they provide. So, Zurich has worked with SpearTip for about the last three years, and they've been in business for 18 years. All along the way, they've been helping companies secure their digital environment when things go bad or recover the way that they are used to operating, or recover their data. All of that is critical and it's an incredibly specialized skillset that you really don't need until you do. So, with SpearTip now being part of the Zurich Resilience Solutions team, we're able to address more of our customers' needs. And I think, frankly, the most exciting part of what SpearTip brings to the table is their security operation center, or their “SOC.” This is a service for customers that are enrolled or part of it, they can provide 24/7 monitoring of the customer's environment. So that means that when threat actors really like to attack, which is midnight on a holiday weekend, that attack has a very high probability of being thwarted because it's going to be noticed by the SpearTip analysts who are monitoring that customer's environment by real humans 24/7. And it's an incredibly effective strategy to either prevent or mitigate the impact that threat actors have. And just one last thing: We talked about medium and small enterprises looking to optimize their spend. Oftentimes I see companies like that spending sort of in the wrong direction, right? So, they may invest in personnel or hire cybersecurity people on staff and that may meet their needs.
But oftentimes I see them hiring someone whose job it is to watch all these alerts and see if the organization is having some type of incident that needs to be managed. We have seen that they can achieve cost savings and actually get much better results by outsourcing with a 24/7 provider like SpearTip, because then they don't have to staff that function around the clock every day, including weekends. They're leaning on a provider that has those capabilities continuously.

GORDON: I appreciate that. That makes sense. And I think that's an important point when you talk about using the resources that you have … that you're not overspending in a way you don't need to for the right level of protection that an organization needs.

SHLUGER: Yep.

GORDON: So, I'm going to recap the conversation. You are seeing this increase of cyberattacks. The nature of the attacks is constantly evolving. Companies really need to hold the line and stay diligent in terms of their investment, their maintenance … including the corporate culture that embraces a cyber awareness mentality, right? Any additional thoughts?

CHIA: Final thoughts? Let me see how I can bullet point these. Ransomware is back on the rise. [It] was down for a little bit, but it's back up. Wire-transfer fraud is also on the rise. These are smaller dollars than ransomware, but they are still meaningful from the number of occurrences that are occurring these days. Privacy statute violations are on the rise. We didn't talk so much about the privacy statute regulation component, but that's also increasing over time. The risk is expanding and it's evolving. Those are the cons. I started with the cons. Here's a pro for the other column: “G.I. Joe,” another TV show, taught us that knowing is half the battle, which is great. Now, we know these items. I just listed off a couple of items that we should be aware of, but we still have to use what we've learned for that knowledge to be useful. So, thank you G.I. Joe. Now what am I going to do about it? At Zurich, we realize that businesses have multiple priorities and limited resources. Dave and I talked about that in almost every single response: priorities, resources. How do you achieve everything that you need to achieve, including the highest goal, which is to have a successful business and stay in business in the first place? So, the Zurich Cyber Insurance Policy Concierge Suite and SpearTip are two exciting ventures that we launched in the past year, and we're so excited about these two. We're here to help.

SHLUGER: Yeah, you can say that again. You know, for me, you know, bringing it home, we talked so much about evolution. That's I think how we got to where we are, I mean, both literally and figuratively in the cyber risk world. But I think that has to be the theme going forward. It's going to continue to threaten our businesses. It's going to threaten those businesses in new and different ways. We have to be able to respond, be nimble and change tactics, as threat actors change their tactics. We know that's best addressed by a team and that means using your internal team to deploy risk management efforts, using your capital to secure the company through risk-transfer mechanisms and insurance. I think as we learn more — and I don't mean the experts in cybersecurity, but I mean the broader “we” as a business community — learn what we should be doing, don't forget everyone's going to be learning about that at the same time. And so, I think we're already starting to see that boards, investors, regulators … they're all starting to ask, “What are we doing? Should we be doing more? Are you doing enough?” So, my advice is better to see that coming, be proactive. Start now. We know the evolution is impossible to catch up to overnight. And so, hopefully some of the advice that Michelle and I left you with can help you take some really practical and tangible steps in your business. And again, I'll reiterate, ask for help. This is an area that sometimes you can get to the plan or the starting line a lot faster if you ask people where it is versus really try to study it and become an expert yourself.

GORDON: I think that's great advice. David, Michelle, thank you so much for joining us today. This has been a really interesting conversation about an evolving risk. Obviously, it's a business reality that's not going to go away. So, to share reminders and tips and resources that can help a company be as prepared as possible, and then also you talked a lot about SpearTip to have a resource potentially available in the event that something does happen. So, thank you so much for the conversation.

CHIA: Thanks for having us, Stephani.

SHLUGER: Thank you, Stephani, it's been a pleasure.

GORDON: And thank you to our listeners. We hope you found some takeaways that you can use from the conversation today. We look forward to bringing you another episode of Zurich's Future of Risk podcast soon.

 

The information in this audio recording was compiled from sources believed to be reliable for general information purposes and is intended for Zurich clients and business partners. The information contained here may be useful to you or your enterprise when developing your own policies and procedures. The policies and procedures applicable to your Enterprise should take into account the specific circumstances of your business and business environment, which is beyond the capacity of this podcast. Any and all information provided is not intended to constitute advice of any nature and is specifically not legal advice. And accordingly, you should consult with your own legal counsel. We do not guarantee the accuracy of this information presented or any results and further assume no liability in connection with this recording and the information provided therein. Moreover, Zurich reminds you that the information provided cannot be assumed to contain every acceptable safety and compliance procedure, or that additional procedures might not be appropriate under the circumstances. The subject matter of this recording is not tied to any specific insurance product, nor will adopting these policies and procedures ensure coverage under any insurance policy. We encourage listeners to seek additional information from credible sources. Thank you.
