What To Do When Ransomware Hits: Simulation for CEOs, CISOs and Directors

Posted on in Presentations

A current CISO, board members, and former top federal cyber officials "role play" a board of directors meeting, with real examples and specific options, including dealing with the FBI, CISA, insurers, customers, and the news media, negotiating the ransom, directors' responsibilities, and repairing the company's reputation.

Video Transcript

   >> Please welcome Glenn Gerstell.

(Music playing)

   >> GLENN GERSTELL: Good morning, and thank you for joining us today at a simulation of a meeting of the board of directors of a fictional midsized American company, Respectable Plastics, that has just suffered a ransomware attack.

   I'll set the stage for our presentation this morning, introduce the cast, and then I'll join them myself. 

Much like you do when attending a show or seeing a film, please suspend your disbelief just a little.  For the next 50 minutes, we're going to compress what would probably take a series of weeks or perhaps months of board meetings into just a very short period of time.  And just pretend that you are the members of the board of directors itself participating in a meeting at which we're considering this ransomware attack.  So we're going to be taking lots of liberties with how things get discovered, presented, discussed, and resolved.

   Our cast of characters is only going to be played by four people.  It's fictional, of course.  And we're not really representing any real people or companies.  None of our experts here are representing their actual employers.  And speaking of experts, let me introduce our cast. 

Suzanne Spaulding is a former undersecretary of the Department of Homeland Security, where she was responsible for the organization that was the predecessor of CISA.  She serves on several corporate and advisory boards and is the director of the defending democracy project at the Center for Strategic and International Studies.

   Preston Golson is a principal director at the Brunswick Group, where he counsels companies on cyber incidents.

   And Bob Huber is the chief security officer and director of research at Tenable.

   My background is that I've served from 2015 to 2020 as the general counsel of the National Security Agency, and I was a lawyer in private practice before that, serving on and advising a number of corporate boards.

   So let's join the first board meeting, which I see is already underway.

   >> SUZANNE SPAULDING: Oh, Glenn, you're late, but glad you could make time to join us.

   >> GLENN GERSTELL: Sorry.

   >> SUZANNE SPAULDING: I want to thank all of our board members for coming together on such short notice and our team for taking a break from what I know is a very busy incident response effort to be with us as well and bring us up to speed.  We count on our board members, of course, all along we have, for providing us guidance with risk management, and this is very much an effort at risk management here.

   So to bring us up to speed, you all know that we've been hit with a ransomware incident, and Bob is going to bring us up to speed.  Bob, I have your report, but I want you to brief the board. 

Bob, of course, is our CISO.  You all are very familiar with Bob because he has briefed the board on numerous occasions and was a key player in the development of our playbooks, which you're familiar with, and the exercise that we all participated in last year.  Bob, tell us where we are.

   >> ROBERT HUBER: Absolutely.  Thank you, Suzanne.  So she's correct, we did suffer a ransomware attack that's compromised a significant portion of our users' workstations and laptops.  So the first notice we had of this was from folks in the billing department when they got a message on their screen, which I'll share a screenshot of what that looks like.  We're still in the throes of determining the scope of the problem across the enterprise, but it's clearly a double extortion attack.  It's twofold. 

So what this means, most folks are familiar with a ransomware attack, encrypt your files, render the system inoperable.  That affects our operations.  The double component to that is collecting our sensitive data and potentially making that public, sensitive data to our operations.

   So in addition, they've obviously done some homework on the organization, as the person they initially targeted was our vice president of operations in charge of plant operations.  And here is a screenshot of what they sent John as well.

   So we have a limited time window that we're operating within.  They're already operating freely in the environment.  We have to figure out very quickly what we want to do with the ransomware guy, as they claim we only have three days to pay the ransom.  Right now, though, I do need more time to assess things even if we are proceeding according to our plans. 

So the security team is executing on the incident response plans, and we've engaged our enterprise crisis management team with the leads across the business.  So that's not just security, that includes legal and communications as a part of that team.

   As you mentioned, prior to this incident, we did exercise for such a scenario using CISA's tabletop exercise packages.  I do feel confident in our ability to contain the activity and mitigate further damage, although it's going to take time. 

We've already identified how they gained their foothold, which is via a targeted phishing attack, where they appeared to be a customer who reached out to an employee with the organization with an order change.  And the employee clicked on the document.  That launched the malware.  They elevated their privileges, gained additional access through the network.  Now we have lateral movement within the enterprise, which means they're freely moving about the enterprise. 

So what we've done is we've taken from the initial attack all the indicators of compromise and artifacts.  We've deployed them to our security controls across the environment, so we have detections in place for the initial attack.  So if we see additional attempts, we feel confident that we can contain and mitigate that.  Where we have some gaps would be on the lateral movement.  We still need to identify how they're moving across the organization.

   So our previous exercises, just to point out a few things, if you recall correctly, we did have a few gaps when we conducted these exercises previously.  One of our gaps was business continuity and disaster recovery.  And those gaps essentially are the fact that while we did identify the most critical components of the organization, not every component had a business continuity or disaster recovery plan.  That's our gap.  We've not tested them fully.  They've not been developed for all areas of the program.

   Another area that had some difficulty is we had an acquisition that became a new division part of the company.  They were not included in the exercises.  I have no visibility or very limited visibility to get into their environments. And we're not certain of their business continuity and disaster recovery procedures. 

So we're going to continue to focus on the most critical assets, functions, and processes we identified as part of our own business impact analysis.  And if you recall, what we do is we poll the business to understand what areas of the organization must continue to operate for continuity operations.  Like I said, we've identified those areas.  That's where the focus of our investigation is at.

We also have an incident response firm on retainer for just such an event.  Lesson learned for myself, we did not budget for this last year, so it is a zero‑dollar incident retainer.  What that simply means is we're the end of the line when we call, so I can't guarantee a response time.  But I must say we also have cyber insurance.  We have a $20 million policy.  If we choose to exercise that policy, we must engage the approved incident response firm by the provider to work with us to resolve the issue.

  >> SUZANNE SPAULDING: All right.  Well, Bob, thank you.  That's sobering but very helpful.  Really appreciate it.  You know, we have our playbooks.  We did our exercises.  But as your report reveals and confirms, no good plan survives contact with the enemy, and we are in contact with the enemy.

   >> ROBERT HUBER: Absolutely.

   >> SUZANNE SPAULDING: And so we are going to have to adapt, and we are going to have to make some decisions, and that's why I'm so grateful for all of you being here, because we are going to have to make some decisions about notifications, who we notify when.  We're going to have to make decisions about ransom payment.  And I know we've had discussions about this in the abstract, but now we're facing a very real situation.

   Glenn, one point of Bob's summary, on the acquisition that we recently made, I know that you had a network with an outside counsel on doing the due diligence around their cybersecurity posture as part of that acquisition.  So I might ask you to circle back with them.


   >> SUZANNE SPAULDING: And let's figure out why Bob doesn't have greater visibility into that and what in hindsight might have been missed.  But first, Glenn, I'd like you to bring us ‑‑ you know, talk to us as our general counsel about this notification process.  What are some of the legal concerns that we may face?

   >> GLENN GERSTELL: Sure.  Well, after that sobering report from Bob, I'm not sure I'm going to add a lot more good news to this.  But you won't be surprised, of course, to know that a ransomware attack really triggers a whole series of legal issues.  And, fortunately, as you've said, we've already worked through most of them in our exercise last year, but let me just remind you of some of them and talk about a couple of new things.

   So really the first question I think for us from a legal point of view is: What are we required to do by law and by contract?  And then we need to think about how we should go about minimizing legal liability to third parties like our customers and suppliers.

   In that regard, since we always have to be worried about litigation and since we want to really investigate this incident thoroughly, we're already going to go -- have to spend time doing that.  I'm going to send a formal memorandum around right after this meeting.  And, Bob, I'll work with you on this in coordinating it.  And we're going to direct all of our staff to preserve logbooks, emails, other possible relevant evidence about the cause and nature of this incident.  I think that's an important first step. 

You know, and, look, fortunately, our company is not in a heavily regulated industry, and so unlike my friends who are general counsels at some really financial services and other heavily regulated companies, who have very specific requirements about notifying their regulators, we don't have to tell any regulator in our industry about this incident as just a pure legal requirement.

   I do want to get to our separate public disclosure requirements with the SEC in a minute.  Let's consider that separately. 

So we're not really required to notify anyone in that sense, but, you know, we might as well be since I think there are a lot of people we want to notify.  But I think the question is really:  But how and in what order?  Those are the big questions.

   So, first, I know we had some interactions with the manufacturing ISAC, the Information Sharing and Analysis Center, that CISA helps coordinate.  And we all sort of implicitly agreed to notify each other in that organization. 

And then you recall we had a couple of visits and meetings with the FBI office downtown, but it turns out that the agent who was actually handling cyber has been promoted, and he's now moved, so I don't know that we have a contact anymore.  I guess we can just call the local office of the bureau.  They're certainly very helpful, and they'll transfer us to the right person, but that's something we're going to have to get on right away. 

And the Department of Homeland Security was supposed to appoint a state coordinator for CISA, but I don't think they actually got around to doing it.  Or at least if they did, I'm not aware of it.  So we're just going to have to probably call the head office in Washington.

   >> SUZANNE SPAULDING: Yeah.  Didn't our plan say we were going to stay on top of this and make sure we had current contact info for the people (Inaudible) [00:12:01].

   >> GLENN GERSTELL: Yes, it did say that.  And I know ‑‑ thank you, thank you, Madam Chair.  I know you're going to tell me that we should keep all these numbers and phone numbers and contacts up to date.  And we do.  I mean, we have a process for every month looking at this stuff, but it's ‑‑ frankly, it's hard to keep up with all the government moves.  And what with everyone on our side focused for the last couple of months on the acquisition that Bob was talking about and then we had our executive retreat after that, I just think, sorry, some of this housekeeping stuff got pushed back further.  And I know ‑‑ I know I'm going to have to look into why we weren't on top of this.  I get it.  So I'll take care of it.

   But more to the point, you know, I really don't see any downside to notifying CISA.  There's a chance that they can at least tell us what other companies are doing, or if they know if anyone else got hit by the same gang, too, that's going to be useful. 

I know, Bob, I know you already talked to some of our outside cybersecurity vendor, and they said that was definitely the right thing to do, to talk to CISA.

   And on the FBI side, I'd vote for telling them too.  You know, look, since I'm the lawyer, I'm supposed to point out the counterargument, so I'll do that.  There's no question it does have some possible downsides, and we can think about it, because it's not just telling the FBI.  I mean, the bureau is going to want, understandably, to see the ransomware software, to know how it got into our system, whether it jumped from here to other corporate victims, what other corrupted servers it communicated with. 

In other words, they're going to need to really get into all of our systems.  And that's their job, and that's why we want them investigating every big cyber incident in America, as long as it's the other guy.  But, look, seriously, I think there's an upside here because they may know a lot more about this ransomware gang that we'll just never find out.  We don't have anything to hide, but I don't like the idea of them getting to see every stupid email that some employee wrote.  And by the way, based on the number of emails I get, I think the majority of them would probably qualify in that category.


   >> GLENN GERSTELL: All right.  Look, I'm just trying to lighten things up here.  But what if some employee had been mailing about, I don't know, price fixing or something or who knows what?  I mean, I think we're okay, and I feel pretty comfortable about it.  And I understand -- look, the bottom line is I understand the FBI doesn't come in treating us as a crime scene.  They genuinely want to help on the cyber side, and I know that from my prior interactions with them.

   >> PRESTON GOLSON: Glenn, doesn't CISA have new rules requiring 72‑hour notice of material cyber incidents under the new law?

   >> GLENN GERSTELL: Yeah, Preston, as always, you're right on top of things.  But ‑‑ you're right, there is a requirement, but that requirement under the Cyber Incident Reporting for Critical Infrastructure Act, which was passed this March ‑‑ enacted this past March ‑‑ hasn't yet become effective in the sense that CISA hasn't yet adopted the rules.  Now, I'm sure as soon as they roll that out, we're probably going to have to do some regulations, but technically that rule is not yet in effect.

   >> SUZANNE SPAULDING: And is that the same with regard to our subsidiary in France in terms of the EU directive, not yet implemented?

   >> GLENN GERSTELL: Yes, Suzanne, you're right.  I mean, that's a good point.  Same thing there.  So the EU, as -- for the other board members, has just agreed on a new set of rules called the NIS2 Directive that when it becomes effective, probably later this year, each nation state will have to implement its own rules, and that will ‑‑ that will affect our French subsidiary, and it will in all probability require notifying them of major cybersecurity incidents.  So that's something we're going to have to keep in mind if we have to go through this again in the future, but it doesn't technically apply right now.

   But to the point, I think even though we don't have a current specific duty to notify regulators, it's still something we should discuss.  And that's, I think, important for the board here.  I know our plan said that was the intent.  And, indeed, we even -- Bob, I think we even empowered you in the plan as the CISO --

   >> ROBERT HUBER: Correct.

   >> GLENN GERSTELL: -- to do so if you had to.  I mean, you had that authority.  And I think that's the right thing for the plan.  But it was all subject to review at the time, and, well, now is the time.

   And let me add one more thing, which is, you know, if we don't notify regulators or law enforcement, I'm worried that it looks like either we have something to hide or that we didn't take this seriously or both.  And we just don't want to be in that position if we get hit with some lawsuit over this.

   >> SUZANNE SPAULDING: Yeah.  This is a good point for me to remind you what you all have heard me say time and time again.  The shelf life of secrets is vanishingly short.  This is going to become public.  Even if we wanted to try to keep it secret, I think given our profile, we are unlikely to succeed.  Our employees are finding out, and, if nothing else, they're likely to talk to friends and family.  So we should assume it's going to come out. 

And more importantly, as I've also mentioned quite frequently, our touchstone in this company is trust.  I mean, our name is Respectable Plastics.  Right?  The people need to trust that we are ‑‑ that our products are safe, that we are a reliable supplier.  Right?  And so that's really important.  We need to get out ahead of this story with accurate information. 

We can learn from others' mistakes; right?  We look at Colonial Pipeline.  There was no actual serious shortage of gas, but because of poor communication, as much as anything else, there was a run on gas stations, long lines, and gas stations ran out. 

We are the largest manufacturer of baby bottles.  Right?  We are not in danger in the near term of running out of baby bottles, but we're in the midst of a baby formula shortage.  It wouldn't surprise me a bit if we don't communicate this properly if there is a run and empty shelves at grocery stores.  And that's a hit to our reputation and to the trust the public puts in us. 

Nobody talks about the Kaseya breach.  They communicated that to their customers.  They got ahead of that.  That's where I want us to be.  You know, we've got to think about sequencing and timing of notification, but, to my mind, there's no question that we are going to proceed along that path.

   >> GLENN GERSTELL: Yeah.  You know, I think ‑‑ I completely agree.  The timing of this, to your point, Suzanne, I think really needs to be thought through very carefully.  Clearly it's going ‑‑ you're absolutely right, clearly it's going to look bad if we sit on the news or if we tell, you know, some big customers first but not others and then we subsequently tell the regulators and the law enforcement.  So we've got to get the sequence right.

   So I think for me, I think the sequence is that we first notify CISA and the FBI, probably as close to simultaneously as possible.  They're each going to want to know about the other, of course.  And then right after that, we need to do our public SEC disclosure in which we can state in that disclosure that we have notified the authorities.  So I think that's going to look good.  That will be reassuring to our investors and potential investors.  And then subsequently we can at least tell some key customers in one‑on‑one conversations a little bit of the details.  Now, we can't --

  >> ROBERT HUBER: Glenn, if I might interject here.


   >> ROBERT HUBER: I just want to be clear so we understand this.  So customers are going to come fast and furious.  As Log4j would prove, I immediately got hundreds of inbound requests from customers asking us the status and posture of the organization in response to Log4j.  So I would expect that to be extremely amplified.

   >> GLENN GERSTELL: You're all right.  We're definitely ‑‑ this is going to get out.  Customers are going to find out about it one way or the other.  Our employees know.

   >> PRESTON GOLSON: Yeah.  I think they're, like, what we're seeing, you know, the bad guys have a vote.  And oftentimes how it comes out is that the ransomware takers will maybe start leaking data.

   >> GLENN GERSTELL: Correct.

   >> PRESTON GOLSON: And they go directly to our customers to sort of, like, get them to let them know to ratchet the pressure up on us to pay their ransom.  And, also, just the disruptions.  You know, as our people aren't being able to file orders, they're going to figure out something is going on.

   >> GLENN GERSTELL: But, you know, let me just ‑‑

   >> SUZANNE SPAULDING: And, Bob, don't we have contracts that require some notification?

   >> ROBERT HUBER: We absolutely do.

   >> GLENN GERSTELL: We do.  But let me just make one point before, which is, you know, we can't ‑‑ I just want to be very clear that we can't really tell customers about the full nature of this before we do the public disclosure, because then we're going to be wrongfully passing along what might well be material inside information about our company.  So there's a balance here that we have to be careful about. 

But on the contracts point, yes, you know, look, we do have some contracts with big customers that we've previously categorized.  We've gone through them.  I've worked with Bob on this when we were doing our plan.  And, yes, we do have to tell them under the terms of the contract something that would interfere with our ability to perform the contract in a timely way.  No surprise there. 

In fact, actually, one of our contracts with the Department of Defense has much stricter requirements, which I'm going to have to double‑check tomorrow, as I think about it, but that is typical for DOD contracts.  Again, we need to be careful in what we disclose to customers before we've made this broader public disclosure.


   >> ROBERT HUBER: Agreed.  And since I happen to be the lucky stuckee who reviews most of the security addendums for lengthy contracts, I know with certainty that many of them require us to notify them within 48 hours once we confirm there's been a breach.  So we do have that requirement with most of the large enterprise contracts, and that timer has started.

   >> SUZANNE SPAULDING: Yeah.  Great.  So, Preston, what's our comms plan here?

   >> PRESTON GOLSON: Yeah.  So I agree with you 100%, Madam Chairman.  From a communications perspective, as we develop our key messaging to stakeholders, we want to show that we're handling this issue as responsibly as possible, also, to limit misconceptions or perceptions about inaccurate information about our operations. 

So saying that we work with law enforcement, I agree with Glenn and Bob, it shows that we're being a responsible party.  It also implicitly reminds people that we are the victims of a crime.  And, lastly, it reminds people this is a matter that's under investigation. 

I can go forward and talk a little bit more about our best practices that we've talked about before from our planning.  It's best practice, we believe, to develop a core set of key messages, which I kind of call the Rosetta Stone of our messaging.  It's the basis for all of our stakeholder communications, whether it be to customers, employees, regulators, to react to the media, if necessary.  We need to get these right. 

A few objectives of these key messages, they need to accomplish our -- they need to be as transparent as possible, to be the North Star you've laid out for us, to provide the right amount of information without getting too out and far in front of the investigation.  We need to provide some element of -- a general element of who, what, when, where happened.  But we have to be cautious, though, about providing timelines that may get ahead of the details.  We don't want to say things that we have to take back later, because that will bring down the trust you mentioned. 

We also don't want to promise timelines we don't end up meeting.  We should be thoroughly vetted by Glenn's team, obviously, to make sure that we are sequenced appropriately and that we are not putting ourselves in legal jeopardy with what we're saying. 

And once we have these key set of messages, we're able to take those messages and then flow them through a whole series of specific messaging, whether it be holding statements.  If the issue leaks out, how do we go to the media before we have more things to say just to hold them in a certain space so we can buy ourselves some more time.  We need a full Q&A document, where we go through the most likely questions we're going to receive from ‑‑ and with defensible and accurate answers that are approved by legal. 

We need to have employee communications.  Because, as you said, our employees are finding out, the rumor mill is heating up.  We need to lessen their anxiety.  But, also, we should assume that anything we give our employees will make it out publicly.  So we have to make sure that's something we're comfortable being out in the public domain. 

Our customers are critically important.  So this key message is we're going to inform our talking points for customers.  We probably want to begin with our biggest customers first as well as our customer CISOs, because, as Bob mentioned, his phone will be ringing off the hook, as well as talking points for our investors to make sure they're confident in the company.

   So ‑‑ and last thing, of course, we need media talking points, because, as you said, this could go out.  Somebody could have a misconception about this affecting the baby bottles shortage or something like that.  We need to be ready for that so we can respond to them and make sure they understand the accurate information.  And, of course, we'll have to draft some notifications in conjunction with the legal team.

   >> SUZANNE SPAULDING: So, Preston, that's an awful lot of work for your tiny staff.

   >> PRESTON GOLSON: Yes.  And as we discussed in our plan, we believe that ‑‑ we do marketing; right?  We don't do crisis all the time.  So we believe we should bring in an outside communication adviser team who does this sort of thing on a regular basis to help us support creating those documents and helping us think through what we should be doing from a communications perspective, because there's lots of trends that are changing every day, and my little team is not able to do that.  We need some assistance with that.

   >> SUZANNE SPAULDING: Yeah.  Absolutely work with Glenn to make that happen.  Glenn ‑‑


   >> SUZANNE SPAULDING: ‑‑ so it sounds like one of the first things we need to do so that we can move forward with our customer notifications is just a notification to the SEC.

   >> GLENN GERSTELL: Yes, you're right, Suzanne.  That's really a gating item here.  So, look, I mean, the board is already familiar, of course, with the risk factors portion of our SEC report, our annual SEC report, the 10‑K form that describes our vulnerability to malicious cyber activity and how it might affect our company.  And we've also set out our policies and procedures in this area as part of our description of board oversight.  So I think we're okay on the disclosure we've had this far.  And we've occasionally updated our quarterly reports or so‑called 10‑Q reports. 

But I think the question now is: Do we need to make a special current disclosure?  It's on something called form 10‑8Q ‑‑ 8‑K, rather ‑‑ if we think this incident is material.

   In the same sense that we judge any disclosure to be material to an investor's decision to buy, this cyber thing is no different.  It's the same kind of materiality standard, whether an investor would consider it important in buying, selling, or holding our stock.

  This is all based on a February 2018 disclosure, interpretive release by the SEC Commission.  But, you know, based on what I'm hearing from Bob earlier about the projected revenue impact and, also, just taking into account the fact that we still don't have total certainty about just where this is going and just how ‑‑ if we're going to have further downstream consequences, I think we should err on the side of considering this as material. 

And the regulations in the SEC ‑‑ the SEC has some proposed regulations that we know where this is going, which is ‑‑ the regulations haven't been adopted yet, but they are going to require a formal amendment to 8‑K.  So I think we need to go ahead and do that.

   And then just one last obvious point, which is, as I said before, our directors, our officers, and other corporate insiders cannot trade a public company's securities while in possession of material nonpublic information, and that could well include a cyber security incident like the one we've got right now. 

And, in fact, from an appearance point of view, it might not even be prudent to trade right after the ‑‑ if we make the public disclosure.  So I think we need to be real careful.  I want all of our officers and directors to coordinate with the lawyers in my shop to make sure we're doing this correctly in this area of public trading. 

So I think the bottom line is I recommend we file an 8‑K disclosure as soon as possible even if we don't have all the facts and we're still investigating.  There has to be some balance.  I think we should notify the FBI and CISA first, as I said, tell them we're going to do a public disclosure.  We don't want to be in a position where we're sitting on the news and some shareholder could complain and sue us.

   >> SUZANNE SPAULDING: Yeah.  Well, you know, all of this sounded very reasonable when we were developing the playbook and even when we did the exercise.  Now it seems overwhelming.  We've got a week's worth of work to do, and the extortionists have given us three days.  So we're going to wrap this meeting up.  We're going to adjourn.  And you're all going to get back to work.  We're all going to get back to work.  Thank you for coming.  Oh, not over.


   >> SUZANNE SPAULDING: That's just the first board meeting.


   >> SUZANNE SPAULDING: All right, everybody, welcome back for our second board meeting.  A lot has happened in just two days.  First, yeah, that was supposed to signal the end of the board meeting, the next board meeting. 

All right.  On to board meeting two.  Thank you very much for coming back.  First, I'm going to ask our general counsel to report to us on the extortion services firm that we have hired.  Glenn.

   >> GLENN GERSTELL: Yep.  So, well, look, based on what we had at the last board meeting and further discussions I had with Bob's team, so we've gone ahead and hired an extortion services firm.  We actually had a recommendation from our cybersecurity vendors to who to use, because this wasn't part of our plan originally that we were going to hire them, but I think it makes sense.  Bob, I know you checked them out with some of your counterparts, so that's good.

   You know, over the past few years, some really good specialized firms have arisen that focus just on this problem, interestingly enough, and they now have experience in negotiating with the ransomware gangs.  They know how to communicate with them on the dark web, something we don't do.  We don't even have to get involved.  And, of course, look, it always helps in any negotiation to have an agent in the middle, who can sort of buy more time and say he has to check with the principal, and that sort of gets us one step removed directly from dealing with these criminal people whom we don't want to do.

   So, you know, my sense -- Bob, I think we really should hear more from you, but my sense is we have a little bit of breathing room, but, you know, I think you said you had told them to try to buy some more time.

   >> ROBERT HUBER: Yeah, that's correct.  I think we don't share the common definition of "breathing room," but we did bring the extortion services firm in.  They do think they can buy us more time.  Whether that's enough, we'll find out.  But let me pull up the latest from the team.  My phone's been buzzing the entire time I've been in here.  Messages rolling in. 

So our approved incident response firm, they're on the ground, engaged and working with the internal team.  So we're making good progress there.  Still not completely contained from the lateral movement perspective.

   And I will note more critically our plant operations, they are functioning.  There's no issues there, but our logistics system is impacted and offline.  What does that mean for us as an organization?  No shipments go out the door.  We do have offline tape backups, but we need to engage with the logistics vendor to rebuild the system.  It's a legacy unsupported system.  We can't do that ourselves. 

So as a ‑‑ out of an abundance of caution, we're actually going to ‑‑ we're recommending shutting down plant operations for safety reasons and ensuring that we have no issues within the plant itself, even though we don't believe it's affected at this point.

   Suzanne, I know one of the questions that's been on your mind:  Is there a financial impact to employees?  Those systems are still functioning properly, and employees should be paid as usual. 

And, lastly, it's very obvious, the elephant in the room, the real challenge for us is going to be restoring from backups within the time we have allotted.

   >> GLENN GERSTELL: So I think ‑‑ I'll just interject.  I think that removes any question about materiality here.  I mean, there's just no question about that.

   >> ROBERT HUBER: Absolutely.

   >> SUZANNE SPAULDING: And, Bob, are we hearing from any of our customers yet?

   >> ROBERT HUBER: Yes.  So I have some messages on the phone here and on the screen.  It looks like the proverbial cat is out of the bag.  I have a few emails from CISO counterparts.  I believe Glenn, our general counsel, got some too.


   >> ROBERT HUBER: So I have a sample of what we're getting inbound.  So, Preston, my question to you is: What's the message back to these (Inaudible) [00:31:00] ‑‑

   >> PRESTON GOLSON: Yeah.  So we're updating the key messages in the Q&A to reflect the latest state of play that you've given us.  What we're going to do is we're going to take those in terms of talking points for you, Bob, and we're going to actually sit down with you for 15, 20 minutes, do a mock interview with you with our outside advisers to make sure that you are ready and prepared to answer any questions you receive from your CISOs.  So our advisers will play the role of the CISOs, and we'll run you through that, and we'll get those talking points approved right after this meeting with Glenn's team. 

We -- just as a general matter here, we shouldn't be surprised that this is happening.  This is what we expect.  As a rule of thumb, we should consider what we would want them to do for us if the shoe were on the other foot.  If our clients had a ransomware breach, what would we want to hear from them to make ourselves feel comfortable about our situation?  So you want to take that sort of knowledge and reflect that back to your counterparts.  We'll give you language to help them sort of understand where we are and help them understand kind of how they can feel comfortable that we're handling the matter responsibly.

   >> ROBERT HUBER: Yeah, I appreciate that.  I'll look for those talking points, and we'll do dry runs.  Appreciate it.

   >> PRESTON GOLSON: All right.  Thank you.

   >> SUZANNE SPAULDING: All right.  So, Preston, are we hearing from the press?

   >> PRESTON GOLSON: Yeah.  We're receiving inquiries, again, from customers and from a local news reporter about what's going on.  The word is, as you've mentioned before, that it wasn't going to stay secret.  Thankfully, for customers we've turned our key messages into talking points and interim messages for the customers, which we've been getting out to them.  We're backing that up with talking points for key customers that our relationship managers can use when they talk to them about what's going on, and we're updating the master Q&A document with the latest information. 

So so far what we've told them is that as soon as we discovered the incident, we moved quickly to take steps to mitigate it.  We've enlisted a top outside forensics firm to help us work through the matter, investigate the matter.  We've told them that the security of our systems is of paramount importance to us to help to, again, rebuild that trust.  And we also committed to let them know if they've been affected down the road, we'll contact them. 

So it's kind of, like, not everyone is happy about that per se, but they appreciate that we're talking to them.

   >> SUZANNE SPAULDING: Great.  So I understand we ‑‑ you have heard from a local ‑‑

  >> PRESTON GOLSON: Yes.  Yes, we do have a question that hackers are starting to leak out information to try to drive the pressure up on us.  So we've seen a question from the media.  And here's how I'd recommend we respond to that question.  We don't feel obligated to answer every question that they give us, but what we do need to do is we need to sort of give them a rough idea of the incident, how it occurred.  I called it an incident and not an attack.  That's just a little, small wording there ‑‑ choice there. 

We shouldn't feel obligated to explain all the gory details about how the incident occurred.  It's not advisable to tell the world about your security vulnerabilities, and most reporters won't expect us to do that anyways because a lot of companies don't do that. 

We shouldn't also discuss how the ransomware negotiation is going.  We shouldn't say anything about a pay or pay/no pay decision.  And oftentimes we can explain this that we don't want to give the bad guys any additional publicity.  But we also –- but we definitely want to focus our attention on the points we mentioned before about that we're handling it responsibly, managing the investigation, and so forth.  So we'll address those questions that we want to answer, and we're not going to dive into the questions that we think we shouldn't deal with at this time.

   >> ROBERT HUBER: I do think at some point, given past experience -- we can table this for later -- they will ‑‑ customers ‑‑ their CISOs will come to us asking for technical details ‑‑


   >> ROBERT HUBER: ‑‑ to help prevent this themselves.

   >> PRESTON GOLSON: Yes.  Instances of compromise are essential (Inaudible) [00:34:16].

   >> ROBERT HUBER: Absolutely.

   >> PRESTON GOLSON: We should share those as we're able to.

   >> GLENN GERSTELL: Yeah.  Well, you know, look, I agree with all this.  I just want to underscore again that I ‑‑ and I'm glad our plan required this, that the three of us in particular really stay tightly connected, because issues on the press side and operations side and legal side all need to be very closely coordinated really in a realtime basis.  So I'm glad our plan says that.


   >> GLENN GERSTELL: And, in fact ‑‑

   >> PRESTON GOLSON: Totally agree.  And we have a rollout plan that really sequences, almost minute by minute or day by day, kind of what the sequencing of things is.  And we'll keep everyone apprised of that to make sure we're keeping everything in order.


   >> SUZANNE SPAULDING: Glenn, we've done the SEC notification?

   >> GLENN GERSTELL: Yes.  So just right before this meeting, we filed the 8‑K.  I just got notice from our outside counsel that it was filed minutes ago.  So I think, Preston, if that's the case, since we can ‑‑ we've got that, we can go ahead with your news release. 

And you recall we also have that ‑‑ the group in the sales team that we had rehearsed before -- they did a rehearsal of this, actually, just two months ago, I think.  And so they're going to go ahead with the calls to the key customers ‑‑

   >> PRESTON GOLSON: That's great.  Awesome.

   >> GLENN GERSTELL: ‑‑ with your talking points.

   >> PRESTON GOLSON: We'll get moving right on it.


   >> SUZANNE SPAULDING: Great.  All right.  We're going to adjourn this meeting, and we'll have a ‑‑ our next board meeting will be on June 13th.  Thank you.

   All right.  Thanks, everybody, for coming together again.  Thanks for all the hard work.


   >> SUZANNE SPAULDING: We are in for a very heavy meeting today.  We need to find out where we are, and we're going to have to make some big decisions, particularly about whether to pay this ransom.  Our negotiations firm has bought us some time, but we are bumping up against a deadline again. 

So, Bob, as always, why don't you start by bringing us up to date.  How are we doing on our resilience?

   >> ROBERT HUBER: Sure.  So far so good.  We've been able to restore most user workstations.  We're about 80% complete.  We feel we've contained the incident.  We're not identifying any additional lateral movement.  So it doesn't seem to be growing. 

For safety reasons, we still recommend to keep the plant offline just in case.  And we're coordinating with the logistics provider.  And it will take about 72 hours to restore the shipping system.  So we'll likely lose any orders submitted during that time frame.

   >> SUZANNE SPAULDING: All right.  Glenn, you filed with the SEC.  I understand we've heard back from the SEC already.

   >> GLENN GERSTELL: Yes.  Our friends at the SEC.  Well, look, the reality is, you know, not surprisingly, the staff at the SEC, which monitors us very closely, they're -- an important area for them, so they've jumped on our somewhat skimpy 8‑K filing.  And we got a note from them.  I'm going to put it up on the screen here, if I can. 

And you recall that when we ‑‑ what we put out the other day was just a simple statement saying that we're evaluating the extent of the incident.  And that was right.  We didn't have more details at the time.  We didn't want to speculate.  And we indicated some of the basics.  But that was the right call.  And the alternative was saying nothing, and that ‑‑ we all agreed that was the wrong approach. 

But not surprisingly, the SEC staff wants more information.  And so I think we have to think about filing supplemental 8‑Ks as material news develops.  And Bob just gave us some more updates here on the nature of how long the shutdown may persist, et cetera.  So I'm going to sit down with him after this and get into the details and make sure we understand if that's really material enough to warrant another disclosure or whether we're already covered. 

But this just illustrates ‑‑ I think, Suzanne, we just have to be prepared for really a day‑by‑day evaluation.  We have to be on top of developments here.  If the market thinks that based on our disclosure even though it is material, it really isn't a big deal, for some reason that's how it's treated in the press, at the end of the day if it looks like we're going to have a major hit to revenue, that's not going to look ‑‑ that's not going to look good.  So, Bob, I'm just going to count on you to work very closely with me and make sure we really understand the details and make minute‑by‑minute decisions as to whether further disclosure is needed.

   >> ROBERT HUBER: Absolutely.

   >> SUZANNE SPAULDING: Yeah.  Thank you.  We're going to have to decide whether we're going to pay this ransom.  And there are lots of issues we're going to have to take into consideration as we contemplate that.  I know we have talked about this and we've made some preliminary decisions about that, but, again, we're now in a very real situation. 

And, Glenn, one of the things we've talked about, of course, in our planning on this is the potential legal liability, the legal concerns with paying.  Why don't you walk us through that again so it's fresh in our mind.

   >> GLENN GERSTELL: Yeah.  Well, you're right, that is a key issue for us, even if we do ‑‑ even if we do decide we want to pay the ransom, which is there's a logistics piece to this and a legal piece.  So the first part is having a cryptocurrency account in the first place and a facility available to us, because the ransom is to be paid in a cryptocurrency. 

You recall we decided to hold off actually setting up that account, because that was part of our board decision several months ago.  So now we're going to have to move really quickly, and maybe we can get the ransomware services company to help us set that up. 

But more importantly, from a legal viewpoint, we need to make sure, as we all know, that neither the cryptocurrency exchange we use, if, indeed, we are using one, nor the ultimate recipients are sanctioned by the U.S. Treasury.  There's a detailed guide, and it was issued in September 2021 from the Treasury's Office of Foreign Assets Control that basically says you have to make sure your ransom payments do not go through a person or a company on OFAC's Specially Designated Nationals and Blocked Persons List, the so‑called SDN list.  But the problem is that we're almost surely not going to know for sure the real identity of who we're paying.  They're not going to tell us their real names and give us their driver's license, for gosh sakes. 

So the OFAC rules impose strict liability regardless of whether you know you're dealing with a good guy or bad guy, someone on the list or not.  So you could be stuck.  So in theory, we could get fined or worse if it turns out we paid someone who is, in fact, on the sanctions list and we didn't know it.  And, frankly, I think many of the ransomware gangs are on it.

   So, fortunately, on the other hand, there are enforcement guidelines.  OFAC's enforcement guidelines say that they will take into account the existence, the nature, the adequacy of a company's sanctions compliance program ‑‑ we have one, as you know ‑‑ and along with whether a ransomware victim such as us promptly notifies the authorities, which we're doing. 

So if you've made a good faith effort to comply with the sanctions prohibitions and you've made a prompt disclosure to the federal government, then, you know, my feeling is that probably OFAC isn't necessarily going to take serious enforcement action against you.  But, look, that's a case‑by‑case decision by the government. 

In any event, we have asked the ransomware services firm, because we've been worried about this, to specifically do due diligence on this ransomware gang to the extent they can.  They've apparently worked with this gang before, and so we're going to try to find out exactly how the funds are going to get to them, whether it goes through a sanctioned exchange or not and who the actual recipients are, and we're going to ask for a written report from the firm showing their due diligence because that's going to be important.

   And the final thing is we've got to talk to our insurance provider, as Bob has alluded to before, because, look, they've got an interest in this, obviously.  And, you know, they're going to be familiar with who else has paid this gang.

   >> SUZANNE SPAULDING: Yeah.  That's really smart, Glenn.  Thank you.

   So, Preston, I see we just made the news.


   >> SUZANNE SPAULDING: Does this change our posture?

   >> PRESTON GOLSON: No, it doesn't.  Thankfully, this is why we pushed so hard to notify our customers so that they would know ‑‑ the news wouldn't come as a shock to them.  So hopefully it took a little bit of sting out of it. 

Our adviser is going to monitor the news, and we're going to make sure that we stand by to correct any inaccuracies that come out for reporting.  So it's a good thing we told people ahead of time so they're not hearing it first when they saw the news.

   >> SUZANNE SPAULDING: Yeah.  Good.  So I've just been handed a note from the staff.  We've got ‑‑ we should be expecting a call from the White House.

   >> GLENN GERSTELL: Oh, good.



   >> SUZANNE SPAULDING: I understand apparently the White House has just made a decision to make an urgent shipment of medical supplies related to the pandemic to countries in need all across the world, and we are a primary supplier for one of those elements of that medical equipment.  And they are going to expect us to ramp up our manufacturing and be able to provide those within a matter of days. 

Normally we would ‑‑ you know, we would respond to a call like that and we would ramp up our manufacturing.  But, Bob, where are we on being able to even begin to restart our manufacturing?

   >> ROBERT HUBER: I wish I had a better answer.  Days, but it could be one to two weeks at this point, according to our supplier.

   >> SUZANNE SPAULDING: Okay.  Well, that's not good news, but I appreciate that, and we're just going to have to figure out how we navigate this. 


   >> PRESTON GOLSON: We've got ‑‑ we're going to develop some talking points around this new development.  I'll talk to the operational team and figure out if there's any sort of work-arounds we have that we could, you know, background to their ‑‑ don't tell the White House, actually.  But we're going to work on that.  That's a difficult issue.  We'll get some talking points on it as quickly as possible.

   >> SUZANNE SPAULDING: So, listen, guys, we've done a lot right.  Right?  We developed our playbooks.  We've talked these issues through.  We exercised it.  We thought we were ready.  I do feel like this is kind of overwhelming us at this point.  And we are running ‑‑ we are simply running out of time.  So I think we're going to have to make a decision here.  And I'm just going to review the bidding based on my notes from our conversations over the last few days, right, when we think about whether we're going to pay this ransom.

   You know, we discussed this in our meetings from a public policy perspective.  Right?  We don't want to pay ransom.  We don't want to ‑‑ and from our own selfish perspective, we don't want to encourage future attacks on us or, frankly, on anyone else. 

As Glenn has pointed out, we have potential legal liability.  We may have, you know, financial implications from that.  We have contained the damage largely so far.  Bob's team has done a terrific job, and the whole team across the board, the entire enterprise, in mitigating the consequences of this attack. We might be back up in a day, right, but it might be weeks. 

The White House is demanding ‑‑ their request for our ramping up raises the stakes for us significantly.  It's a big reputational hit to our ‑‑ to the trust.  We've talked about the potential reputational hit with respect to our customers. 

So this is a really hard decision, and it's not obvious to me which way we go.  And this is why I value the ‑‑ this board, because I really need your input as we have to make a ‑‑ as I as the CEO, in addition to chairman of the board, have to make a decision here. 

So I'm going to put this to a vote.  I'm going to ask all of you on the board.  I want everybody who thinks that we should pay the ransom, to please raise your hand.  And could we bring up the lights so I can see the hands?  All right.  And everybody who thinks we should not pay the ransom, please raise your hand.  Well, that's really interesting.

   >> GLENN GERSTELL: Suzanne, we've got a tough board.



   >> SUZANNE SPAULDING: A courageous board, very courageous.  All right.  Well, that's very important input for me, and I will take that under consideration. 

We have a few minutes left before our ‑‑ the time we said we were going to adjourn this meeting today.  I think ‑‑ listen, we are not out of the woods by any means, but I think it's ‑‑ you know, we got a couple minutes.  Let's do a quick hot wash and capture some of the most important lessons that we've learned so far in this exercise so that we can do this better if something like this ever happens again.  Let's kind of walk through. 

Preston, do you want to start?

   >> PRESTON GOLSON: Yeah.  No, I would say communications are critical.  We're always better off with transparency and accountability.  We want to look back on our decisions we made ‑‑ we want people who are looking at our decisions look back on them and say that we made the right decisions at the right time and under the circumstances. 

And I would just add to that, the coordination between all of our teams is critical.  You know, whatever I say has to be a reflection of operational and legal decisions.  Also working very closely for a consistent voice amongst the team here has been critical for making sure we have the right communications that go out at the right time.

   >> GLENN GERSTELL: You know, for me, as I think about what we've done over the last couple of board meetings, it's always tempting to defer disclosure until you have more facts and more certainty because you don't want to make a mistake.  You don't want to go out too early with something.  But I think for me the lesson I've got is that it's always better to err on the side of prompt disclosure, say what you know and what you don't know, and just manage the uncertainty.  We're uncomfortable with uncertainty, but the reality is, look, nobody gets criticized for disclosing too early.  I haven't seen any criticisms of that.  This is all going to be judged in hindsight.

   >> ROBERT HUBER: Yeah.  So I think from a security perspective, listen, there's always opportunities for improvement across the security program.  So I think probably the most impactful thing we can do is my recommendation is we stand up a full committee of the board to specifically cover cybersecurity, which would be the top risks and the maturity of the program and the progress we're making against the program.

   I have some tactical areas to address.  I think security awareness training, phishing training, vulnerability and remediation patch management, two‑factor authentication, active directory security, some of those components are more tactical.  But I think for the execution they ask for the resources and the evaluation of investments and return on investment.  That's why I'm asking for the full committee of the board.

   >> SUZANNE SPAULDING: Yeah.  That's an excellent suggestion.  And I guess for me it is -- again, it goes back to the value of preparedness, the importance of having these playbooks, of having exercise, of engaging the board in that process, but really remembering that, as I said, no good plan survives contact with the enemy, and make sure that you have processes and institutions in place to adapt to what the facts ‑‑ where the facts drag you.

   >> GLENN GERSTELL: Yeah.  I think that's exactly right.  As you said, you know, building resiliency into the plan itself and having some sort of checkpoints in place, which we had in our plan, where we said we're going to be discussing this and here are some options and how it might go.  So rather than just having a rigid something set in cement, I think that's important. 

And, look, also, we discovered throughout this process that in dealing with CISA and the FBI that having ongoing relations with the regulators and law enforcement is really critical, and I'm so glad we didn't wait until, you know, we had the incident to first start those dialogues.  Having that, being able to pick up the phone and know exactly who you're talking to, has really proved helpful in this particular case.

   >> ROBERT HUBER: I love having the plan, but we need to develop muscle memory.

   >> PRESTON GOLSON: Yeah.  Practice.

   >> ROBERT HUBER: It just has to be, yeah, internalized to include our partners outside of our entity, whether that's law enforcement or other partners.


   >> GLENN GERSTELL: And one more thing just occurred to me, which is, you know, I realized as I worked with Preston on this, that we were really fortunate that we had a library ‑‑ between the communications team and the legal team ‑‑ where we already had copies of other disclosures from other companies and press releases from other companies.  And, fortunately, Preston had already started a draft of a press release when we went through that exercise.  So just the exercise of going through that draft, although it was painful at the time, you know, that really saved us a lot.

   >> PRESTON GOLSON: Yeah.  It's great to work out these things in peace time rather than fire.


   >> PRESTON GOLSON: So if you can kind of write that -- 80% of that draft, then it becomes ‑‑ you can anticipate what you may need it for, and then you make the adjustments at the time of the event.

   >> SUZANNE SPAULDING: Great.  Well, and I think if we ‑‑ we can go back and revisit our policy of having retainers, you know, that aren't zero retainers so that we can command some priority and retainers for outside communications help and as well as legal help.  So I think that'll be important.  Because what we've found is time moves very fast in this situation; right?  I feel like we've been racing here.  So ‑‑

   >> GLENN GERSTELL: It feels like almost 50 minutes, frankly.

   >> SUZANNE SPAULDING: Yeah, it feels like 50 minutes.


   >> SUZANNE SPAULDING: Almost.  With 38 seconds left to go.

   >> GLENN GERSTELL: Yeah.  Exactly.

   >> SUZANNE SPAULDING: So everything you can do to save yourself some time in this incident is really important.  So I just want to thank the team.  You guys I know have been working around‑the‑clock.  And I really, really appreciate it.


   >> SUZANNE SPAULDING: I want to thank the board very much for your help.


   >> GLENN GERSTELL: Thank you.


   >> SUZANNE SPAULDING: And we are truly adjourned.  Thank you.

   >> GLENN GERSTELL: Okay.  Thank you.


(Music playing)

Glenn Gerstell


Senior Adviser, Center for Strategic and International Studies (CSIS)

Preston Golson


Director, Brunswick Group

Robert Huber


CSO, Head of Tenable Research, President Tenable Public, Tenable

Suzanne Spaulding


Former Undersecretary, CSIS
