00:00:00 Speaker 1
This episode of the Energy Pipeline is sponsored by Caterpillar Oil and Gas. Since the 1930s, Caterpillar has manufactured engines for drilling production, well service and gas compression. With more than 2100 dealer locations worldwide, Caterpillar offers customers a dedicated support team to assist with their premier power solutions.
00:00:28 Speaker 2
Welcome to the Energy Pipeline Podcast with your host KC Yost. Tune in each week to learn more about industry issues, tools, and resources to streamline and modernize the future of the industry. Whether you work in oil and gas or bring a unique perspective, this podcast is your knowledge transfer hub. Welcome to the Energy Pipeline.
00:00:51 KC Yost
Hello everyone and welcome to this episode of the Energy Pipeline Podcast. A few months ago we had a great conversation regarding cyber security with our guest Philippe Flichy, Fractional Business Information Security officer at Cykur. One of our listeners noted that during our talk, Philippe mentioned that cyber related incidents are not typically covered by corporate general liability insurance. So that was a surprise to me. I'm an engineer, I don't know corporate insurance or deal with much of that at all. So I have an expert in the family that's in the industry, my favorite niece who works for a very large insurance company. And so I just asked her if that comment was true and she said it was absolutely correct that it is an adder that they will offer to corporations, but it is specifically an adder like I want to add pepperoni to my pizza or whatever, or not have pepperoni. You decide whether you want to have that cyber security or not. So with all of this background, we decided it was important to ask Philippe back to visit about insurance company or the lack of insurance company, if you will, when it comes to cyber attacks. So with all that being said, welcome back to the podcast there, Philippe. Glad to have you here.
00:02:08 Philippe Flichy
Thank you very much KC.
00:02:10 KC Yost
Glad to have you. Okay, so before we start talking about insurance for cyber security, take a few minutes to refresh everyone about your background.
00:02:21 Philippe Flichy
Well, my background is management information systems. I've been 20 years in the oil and gas industry with the major oil and gas service companies, working mostly on what we call the digital transformation. And recently I talked to some of my former colleagues and said, "You know what? It would be great if we could start a company that really helps mid-size companies with the knowledge we have from Fortune 500 companies when it comes to cyber security." Because those companies cannot afford someone like us full-time, but they can greatly benefit from a slice of us. So we decided that we would slice ourselves.
00:03:09 KC Yost
Excellent, excellent. So the next question is the elevator speech for Cykur, and I think maybe you've started into that conversation. Anything else you want to add about Cykur, where you're located and-
00:03:20 Philippe Flichy
So we are located in Houston, Texas, but we can really cover US-Canada easily, and we cater to any type of industries, but mostly middle market companies.
00:03:34 KC Yost
Okay. All right. And our podcast last time covered specifically mid-level companies in the energy industry and their exposure to cybersecurity and that type of thing. So from that perspective, let's get into this issue about general liability insurance not covering cyber-related incidents. Can you go ahead and talk to that and refresh people on what you said last podcast?
00:04:04 Philippe Flichy
Yes. So basically general liability insurance is general liability. And because cybersecurity is so peculiar, most of the time it's going to be excluded. There's going to be some verbiage that says, "No, we're not covering cyber liability when it comes to your general liability." And so it goes with property insurance as well, because property insurance typically insures physical damage to properties. Maybe you could have, in certain cases, if a cyber event actually creates physical damage, maybe it would be in, maybe not. You better check on that.
00:04:57 KC Yost
Yeah, I saw that and I wanted to drill down. So let's say bad character X is over somewhere and they are able to manipulate a compressor that is on pipeline Y to the point where they're able to starve it of fuel, but make it run to the point where it freezes and locks up and creates a great deal of physical damage. So that's cyber attack and physical property insurance, right? Maybe?
00:05:40 Philippe Flichy
If I were the insurance agent, I would certainly make sure it's out.
00:05:45 KC Yost
Yeah, okay. All right. All right. Okay. So that's the best example. I could come up with something like that and you're saying it's not good, so fair enough, fair enough. So what about-
00:05:58 Philippe Flichy
Go ahead.
00:05:58 KC Yost
I'm sorry. I was just going to say, so what about professional liability insurance?
00:06:04 Philippe Flichy
By definition, professional liability covers legal costs and damages related to professional services, errors and omissions. So it could, but same deal. And that's why it's extremely important to have a professional that goes over all your insurance policies to review that.
00:06:31 KC Yost
It's not to say that they're bad people or all but insurance claims adjusters are there to try to minimize the amount of money that they have to pay to their client. And so gray areas would tend to side toward the exclusion area?
00:06:57 Philippe Flichy
Yes, like almost any kind of insurance. When it becomes too big of a different topic, then you want to insure it specifically.
00:07:06 KC Yost
Okay. All right. So with the pepperoni pizza analogy that I did before and what my niece was talking about, you can actually buy cyber liability insurance to make sure that when you're in these gray areas you're covered. So it's not as if you have to worry about my example with the compressor or the professional liability. You've got a level of coverage, right?
00:07:38 Philippe Flichy
A certain level of coverage, and that's why typically we propose to our clients to have an agent we work with that, for free, will review absolutely everything, because as usual, in any contract, the devil is in the details. And typically the way a cyber insurance policy is built, you have a few pages that give the overall coverage and then you have zillions of pages behind that, sometimes nested, where they say yes, but in this case I won't do that, and in this case, in that case I won't do it, and so on.
00:08:22 KC Yost
So you guys, Cykur actually have an insurance expert that will look at the policies and go through it with your clients so that you, with your security protection systems and with this expert can make sure that a client, and again we're talking about if you will, mid-size energy firms can get what they need to have, right?
00:08:53 Philippe Flichy
Correct. And we'll get it later I think, but it's a whole equation and we'll talk about it later I think.
00:08:59 KC Yost
Okay. All right. Okay. So what coverage areas are we talking about when it comes to cyber liability insurance?
00:09:07 Philippe Flichy
So the first one is data breach. So basically you can be insured to pay for notifying your affected parties, the credit monitoring you will have to pay for all the private information that have been stolen and all other type of legal fees.
00:09:29 KC Yost
Okay, I think I understand that.
00:09:33 Philippe Flichy
And then you go to business interruption, that covers the loss of income and extra expenses during the downtime. And that's where the equation we're going to talk about a little bit later is very important, because an insurance company wants to minimize their risk. So what we do is that we help minimize the risk so that the insurance is there, exactly like you have a health insurance. When you're in good health, then you usually have a lower premium than if you are very sick, because you are less inclined to ask for paying for different costs.
00:10:16 KC Yost
Okay. All right, super. So what about extortion?
00:10:20 Philippe Flichy
That is very, very important. So typically bad actor figures that... Remember on our last episode I mentioned that on organized crime you had organized as very important. Well guess what? They figured out that usually the profit of a company is about 10%. So the ransom is going to be 10%.
00:10:52 KC Yost
All right. Okay.
00:10:54 Philippe Flichy
So rather than having all your profit evaporating, it's great to have an insurance company that can say, "Well okay, we're going to help you." And not only are they going to help you in paying, what is even more important is they're going to help you in negotiating. And once again, on organized crime, the guy that is putting the little bad thing into your system is not the guy that is negotiating with you.
00:11:26 KC Yost
Really?
00:11:27 Philippe Flichy
They have a guy that is specialized at negotiation. So guess what? It's great to have a cyber insurance guy who specialized in negotiation as well because then you have two negotiators talking to each other.
00:11:40 KC Yost
So now you understand that you're talking to an engineer who goes out in the field and builds a pipeline here and there and all of that stuff. So this is mind-boggling to me. I just thought when we're talking about extortion, I want $1.2 million. Well, that's what we're going to have to pay you is $1.2 million. But you're saying that there's a negotiation there?
00:12:02 Philippe Flichy
Oh absolutely. Oh yeah. And not only that, but on top of that, remember that you're dealing with a criminal, right?
00:12:09 KC Yost
Right.
00:12:10 Philippe Flichy
Okay. So usually nowadays they tend to do what we call double extortion. So not only are they asking you for a ransom, but then they're saying, "We copied some of the stuff you had before we encrypted everything. If you want us to put it on the dark web, send it to your best competitor, whatever it is that is going to hurt you." They will be more than happy to do that. So that's another incentive to pay the ransom, because some people are saying, "Well..." And we'll go to that equation later, but I'll have the right tools and stuff to prepare for that, and I think I can put everything back in place while the negotiator is going to make sure that they're not going to come up with the plan B.
00:13:01 KC Yost
Okay. All right. Okay. All right. So another bullet point that you have is network security liability. What would you like to talk about that with regard to coverage areas?
00:13:14 Philippe Flichy
Yeah, so that's the legal fees and the damages that are related to failing to prevent an attack. So basically you haven't done everything and no one can do everything perfectly. Right?
00:13:25 KC Yost
Right.
00:13:26 Philippe Flichy
That's why there's still attacks. And so well you have legal fees that are covered in case there's damages related to that.
00:13:40 KC Yost
Are there regulatory fines that you're exposed to?
00:13:43 Philippe Flichy
Yes, especially if you are... So depending on the industry, you have different type of possible regulation that you have to comply to. And when you're a public company, then you have to report to the SEC. Think if I remember correctly, you have three days to report. Don't take me completely on that, but I think that's what it is. And if you don't, you start having penalties and all of that. So yes, it is really important.
00:14:15 KC Yost
Okay, so you sufficiently scared me. I appreciate that very much. I'm glad that I'm on the back nine and trying to retire here. But if I was 30 years younger, had my own company and trying to build things, what actions can I take to try and get the best insurance and what actions can I take to protect myself as best as possible to move ahead? What do I do? Hire you and then what?
00:14:55 Philippe Flichy
So the first thing we're going to look at is review the policies you have, because we want to know where we're starting from. If you don't have any, okay, we're going to start a step later. And the step later is the risk assessment. So what we do is coming and having a holistic view at your risk, overall risks. And that's why actually some companies are even asking us to do their disaster recovery plan, which has... There's some cyber in it, but it can be other things, because it's the whole analysis of your risk. If this department cannot work for so many hours, days, weeks, whatever, how much is it going to cost you? And then you go on, go through all the different things. One thing that some people don't realize is that they can say, well, maybe my payroll is not as important because it's not something that I run all the time. And what I come and I say is, well, if the incident arrives on the 29th or the 30th of the month, how important is that? You face jail time in certain states if you don't pay your employees on time.
00:16:19 KC Yost
Ah yes, yes, yes, yes, yes. So you do the policy review, you do the risk assessment, and at some point in time you're going to take this and quantify all your potential exposures and losses?
00:16:39 Philippe Flichy
Right.
00:16:40 KC Yost
And do you actually set a timeframe for that when you're doing this analysis that the typical cyber attack, ransom delivery, all of that takes four days or 10 days or something to that effect?
00:16:55 Philippe Flichy
So there are statistics on average, a small to mid-size company is blocked for 21 days before getting back in business.
00:17:07 KC Yost
21 days.
00:17:08 Philippe Flichy
21 days. Of course our objective when we are hired is to reduce that to days or hours.
00:17:19 KC Yost
Sure. But at the end of the day, when we're going through this first process and we're trying to quantify this, you start off and basically say, look, the average is you're going to be down three weeks, so we're going to start with that to quantify to put dollar amounts to this and then we'll go from there. Is that what you do?
00:17:38 Philippe Flichy
We go a little bit the other way around. We tell them, "Hey, how vital is this piece of software for you? How many hours or days or what you can live without it?" Because that's really what we're trying to aim, is to figure out what systems do we have to put in place so that it doesn't hurt too much and there's always this 20/80 rule. So you want to get 80% for 20% of the cost and not the 20% that cost 80%.
00:18:15 KC Yost
Gotcha. Gotcha, gotcha. And so when you look at payroll and salaries and that type of thing, yes, you only do it twice a month or if it's every two weeks, maybe three times every six months or something to that effect. Nevertheless, the timing is such that it could be the next day. So that becomes a critical thing. All right. So from that basis then you start looking at the enhanced coverage, you start adding the pepperoni to the pizza, so to speak.
00:18:47 Philippe Flichy
Yes.
00:18:48 KC Yost
Simple analogy, but I grew up in a town with mostly the Italians and I like pizza. So there we go. So what do you do? What is this enhanced coverage look like?
00:19:00 Philippe Flichy
We start looking at how the policy matches some of the things we can do to reduce the risk, so that we reduce and limit the deductibles and make sure that it fits. It's exactly like when you're choosing an insurance for your car, you can decide to have a $500 deductible or you can go for a $5,000 deductible. I don't know if-
00:19:27 KC Yost
Sure. Right. So you look at the different policies and you look at different insurers as well.
00:19:34 Philippe Flichy
Absolutely.
00:19:35 KC Yost
Okay.
00:19:35 Philippe Flichy
And then we go back and we say, "Hey, but if we were to do this, what kind of discount would you give us?"
00:19:44 KC Yost
Oh yes. Okay. All right. Okay, so if we put this action into place, then what do we do? Okay, I've got you there. Now with that being said, some of those, if we do these things are things that are actually required by clients or companies on their own, right?
00:20:07 Philippe Flichy
Oh, absolutely, yes.
00:20:08 KC Yost
And so that's already in place, so you might as well try to take advantage of it from your insurance premium perspective. Right?
00:20:15 Philippe Flichy
Good point.
00:20:16 KC Yost
Yeah. Okay. All right, good, good, good. So you've mentioned it I guess three times. So I'm anxious to get into this cyber insurance equation. Tell me, I'm just going to stop right there and let you talk about the cyber insurance equation.
00:20:32 Philippe Flichy
Okay. [inaudible]-
00:20:33 KC Yost
I'll nod my head. Beg your pardon?
00:20:36 Philippe Flichy
How many hours do we have?
00:20:37 KC Yost
No, you got about 10 or 15 minutes left.
00:20:42 Philippe Flichy
You're good. You're good. So what's happening, actually recently I found out the National Association of Insurance Commissioners, NAIC, which is really the standard for insurance, is now developing AI tools to identify your cyber risk.
00:21:03 KC Yost
Really? Wow. Okay.
00:21:05 Philippe Flichy
So that's exactly what we play with this equation. So what is the equation? The equation is to say it's people first. So just a reminder, on average, small and mid-market companies, so companies under 2 billion revenue, the average incident cost in 2022 was $865,000.
00:21:35 KC Yost
Say that again. Say that again please.
00:21:38 Philippe Flichy
$865,000. That was the cost of remediation, and the average cost of ransom was $555,000.
00:21:49 KC Yost
Geez.
00:21:50 Philippe Flichy
So we are talking, I mean, when people say I don't want to spend the money to talk to you, I'm like, "I don't know, but I think it's a penny on the dollar."
00:22:02 KC Yost
Well, penny wise, pound foolish. Right? Okay. Okay. All right.
00:22:08 Philippe Flichy
For us it's people first, and that's where you were joking about the fact that we are business information security officers, because we are looking really at the business more than the technology. We have companies we can point you at for the technology, but the important thing is the business. Because already when you do all this risk analysis, it's looking at your business overall, and people are key. 85% of all the breaches that happened resulted at some level from social engineering.
00:22:51 KC Yost
So I think we talked about this in the last episode, but I still work part-time for a firm and the IT department and you know them. I mean they were the ones that introduced us, but they actually have spam decoys out there to test us on whether we open up those emails or not. And I mean there's no rush retribution or anything like that, but it's pointed out to you that you screwed up. And they're constantly doing that to make sure that we all are constantly aware that that is out there and that helps them know whether we, that 85% are trying to do our share to protect ourselves, right?
00:23:48 Philippe Flichy
And so the idea is to help enhance that. So there's many things. First of all, of course, that's obvious, it's training, but doing training in short videos or things that are not boring and where people can just have five minutes, they do something, they don't have to spend half an hour, and like I did it: you have the video running on one screen, you're doing your emails during that time. This is not helpful. It's rather to have very short ones, very pointed, and people will remember it. So that's the first thing. Second thing is that you talked about this phishing exercise and whatever. Well, you can reward people because they found the thing, the phish, and if they fell for it, you send them to a very short video that explains to them how the other guys tricked them. So you're trying to make things that are more lively. And at the end of the day, I don't remember if I mentioned that last time, but you want to build muscle memory. Each of us, the first time that we drove a car, we were pretty self-conscious because everything was in the forefront of our brain. And now everything is so much in the back that actually it could even be dangerous now. But you want to have reflexes that are done automatically without people doing huge calculations, just like, "Oh, that's bad. Oh, I'm on my phone. I don't see half of what I see on the screen." I should be doubly cautious, or I take the habit of not answering my emails on the phone. Actually, usually the people that fall for phishing, it's because they've done it on the go, at the airport, on the phone.
00:25:52 KC Yost
I got you. I gotcha. And I suspect complacency has a lot to do with that as well. People just get relaxed and like you said, they're stressed, they're paying attention to something else. But as anything else, humans become more relaxed the further away from a situation that they become. So these little snippets of training and reminders and me knowing that Rocky is out there trying to catch me. I know to be leery of any email sent.
00:26:24 Philippe Flichy
Then you can do the reward as well. You can say, well, you're going to wear badges or figurines that you put on your desk, whatever it is, but something that makes it a little bit more fun.
00:26:39 KC Yost
Okay. Yeah.
00:26:41 Philippe Flichy
And then depending on the company, some still have pretty much in-office type of thing. You come to the office, oh, you have all those little figurines. Like when we were kids and we're going to the gas station and we are often getting those little things to add into the collection. Same thing.
00:27:01 KC Yost
That must have been a French thing. We didn't have that in West Virginia.
00:27:04 Philippe Flichy
Well, it was Exxon in France.
00:27:08 KC Yost
Fair enough, fair enough, fair enough.
00:27:10 Philippe Flichy
Then the next thing is to get what we call champions, employees in each department that are volunteers to be a little bit, quote unquote, a first responder there that helps the other peers, and that way he or she is more considered than others and gets a little bit more training and gets more into testing certain things before we deploy them to others. All those things. The training, you have different training for different people, and especially help desk. Remember the two main attacks on Caesars Palace and MGM in Las Vegas, both of them were social engineering targeting the help desk. So train the help desk to be resistant and know the different ways people are going to try to fool you. Last but not least, it's what we call tabletops. So we rehearse situations like an attack or whatever with people around the table that are going to be the ones participating in the team that responds to whatever matter that we have to attend. And that way, same deal. You build those muscle memories and you know for a fact, oh yeah, that's that person I'm going to talk to. And guess what happens in those things. Typically at some point it's just like staring eyes, everyone, it's not me, it's not me, it's not me. And you're like, okay, we have a problem because that thing fell after the table, and we try to figure out who should be the one doing that and those kind of things, and how to modify and optimize the procedures that we are using.
00:29:21 KC Yost
Okay, cool. So that literally takes care of 85% of the problem, if you will, exposure.
00:29:29 Philippe Flichy
So actually you have a second bit. You're asking to have too much information here. Then you have the process and planning. Actually the tabletop responds very much to the process and planning. So we typically help companies build the plans and the procedures, and then we have people training to maintain them and be aware of them. The big thing is that, for instance, insurance, if they know that you're not reviewing your policies and procedures and response plan every year, they're going to penalize you. And that's the AI thing that we talked about before. That's typically what it does.
00:30:18 KC Yost
I see.
00:30:19 Philippe Flichy
It collects a bunch of bits like this and says, "Oh, well, those guys." It's what we call shelfware. It stays on the shelf, and they say, "Oh, we did a disaster recovery five years ago, it must be good." Well, half of the people are now in a new position.
00:30:34 KC Yost
Gotcha, gotcha. So what about technology? Things that we need to do in technology?
00:30:41 Philippe Flichy
Of course technology remains extremely important, but it needs to be coherent and complementary. We touched on it a little bit last time. The idea is not, I want this shiny object, like a kid that wants that toy in the window display. We want things that fit with each other and we want ways to aggregate all this information together. If we have two very good tools, but they don't talk to each other and I cannot see the superposition of those different pieces of information, then it's almost useless. Because then I'm a rubberneck, I'm going back and forth and trying to compare two things, and often it's not presented the same way.
00:31:34 KC Yost
So with all of this between the people and the technology and the controls and all of that stuff, are there auditors out there that can actually give you some level of certification that you can present to the insurance company to say, "Hey, we're doing a good job here?"
00:31:54 Philippe Flichy
Yeah, one thing... if we're going there on the technology side, unalterable backups are extremely important, and a lot of people think that when they are a client of Microsoft, Google, Amazon, whatever it is, that their data is backed up. Well, indeed, those companies can give you back data that you just erased a few hours ago, and yes, they will put it back. They're not responsible to do that. It's not in the contract, and if it's infected, they don't care.
00:32:28 KC Yost
Well, I sure am glad you mentioned that because I wasn't aware. Okay, well, interesting.
00:32:34 Philippe Flichy
And that's why unalterable backup is very important. Unalterable backup. It's like you remember the old days of the CD-ROM, you can print on it. You cannot retrieve anything out of it. So that means that you always have, at least at some point, a version that was good, because the backup is going to back up things even when the malware is already on it. So once the malware has been exposed, whenever you recover that, boom, it's going to be locked again because the encryption is in the file.
00:33:10 KC Yost
Is in the file. Yes, yes, yes.
00:33:11 Philippe Flichy
But when you have those unalterable backups, A, you can go back to the file that doesn't have the virus, and B, then you know the virus you have. Often after a while we can define the virus, and then we can go through a process that goes through all those more recent files that have been infected and remove the virus.
00:33:35 KC Yost
And what you're saying is unalterable backup, which is backup that cannot be altered.
00:33:42 Philippe Flichy
Correct.
00:33:43 KC Yost
Gotcha, gotcha, gotcha.
00:33:44 Philippe Flichy
Now in terms of certifications.
00:33:47 KC Yost
Yes.
00:33:47 Philippe Flichy
The main one people should consider is one called SOC2. And it basically-
00:33:56 KC Yost
SOC2?
00:33:58 Philippe Flichy
Yeah. And now that I'm saying that, I'm using an abbreviation that I don't remember the-
00:34:07 KC Yost
But it's S-O-C, the number two. S-O-C, the number two. Okay.
00:34:13 Philippe Flichy
The interesting thing is that the certification is given by the Association of Accountants. I don't remember the exact title. So basically it started really from an accounting perspective, but then it really moved into more of a cyber thing.
00:34:38 KC Yost
Gotcha, gotcha. Okay. All right.
00:34:40 Philippe Flichy
And that is an incredible stamp to have, because it tells your clients, you can trust me, I've been audited, and SOC2 means that every six months you're going back and you're reassessed again and again and again.
00:34:57 KC Yost
I see.
00:34:59 Philippe Flichy
And it looks at different technical things that have been put in place, but also, like all that we mentioned, that those policies and procedures have been reviewed, and all of those good things.
00:35:12 KC Yost
I see. I see. And keeping up with technology and I mean, my laptop is three years old and I understand it's already four generations past due what I can buy up at Best Buy right now. So I totally get it. Totally get it. This has been a fantastic conversation. Fascinating. I really appreciate you coming on. Is there anything else you want to pass on to everyone before we start signing off?
00:35:40 Philippe Flichy
I think it's good. Anyone, all your listeners, can reach out to you, and I can send you actually some bullet point lists. A, for the personal hygiene, and also, for small companies, a number of things that they should really be considering.
00:35:59 KC Yost
Perfect. Perfect. Well, they can email me and I'll send them to you. Okay. All right.
00:36:05 Philippe Flichy
Yeah. Or you send them. Yeah, whatever.
00:36:06 KC Yost
Yeah. So Buddy, thanks so very much for taking the time to visit with us today. Great continuation of that topic, and thanks to the listener who sent this in. It's been a great, great conversation. I appreciate it. So if anyone else would like to learn more about Cykur, you can find them on the web at cykur.com. That's cykur.com, cykur.com. Thanks to all of you for tuning into this episode of the Energy Pipeline Podcast sponsored by Caterpillar Oil and Gas. If you have any questions, comments, or ideas for podcast topics like this one, feel free to email me at kc.yost@oggn.com. Also want to thank my producer Anastasia Willison-Duff and everyone at the Oil and Gas Global Network for making this podcast possible. Find out more about other OGGN podcasts at oggn.com. This is KC Yost saying goodbye for now. Have a great week and keep that energy flowing through the pipeline.
00:37:11 Speaker 5
Thanks for listening to OGGN, the world's largest and most listened to podcast network for the oil and energy industry. If you like this show, leave us a review and then go to oggn.com to learn about all our other shows. And don't forget to sign up for our weekly newsletter. This show has been a production of the Oil and Gas Global Network.