Who is Responsible for Securing the Supply Chain? Managing Liability for Supply Chain Attacks

Subscribe on your favorite platform:

About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

Another colossal cyber-attack on the global supply chain took place this month, which saw over 1,500 businesses infected with ransomware via a breach of a third-party vendor, Kaseya. The breach comes on the heels of other large-scale supply chain attacks against SolarWinds, Microsoft, and other major third-party vendors.

This brings critical questions to the forefront for our industry: who is accountable for supply chain breaches and who owns the risk?

In this CyberPHIx episode, we attempt to answer these questions during this engaging podcast interview with Eric Zematis, Chief Information Security Officer for Lehigh University.

Eric discusses approaches for managing liability for supply chain attacks including business accountability and communication, cyber liability insurance, third-party vendor obligations, and government intervention.

Highlights of the discussion include:

  • Managing and communicating third party risk with the business
  • Accountability for the business in oversight and management of vendor risk
  • The history and evolution of cyber liability insurance
  • Cyber liability policies and coverage considerations
  • Supply chain vendor accountability before, during, and after breach events
  • Government accountability and roles in combatting supply chain cyber attacks
  • Standards organizations and resources for managing supply chain risks


Brian Selfridge: [00:00:20] Hello and welcome to the CyberPHIx, your audio resource for information security, privacy, risk, and compliance, specifically for the health care industry. I'm your host, Brian Selfridge. In each episode, we will be bringing you pertinent information from thought leaders and health care, cybersecurity, privacy, and compliance. In this episode, we will be speaking to Eric Zematis. Eric is the Chief Information Security Officer of Lehigh University in Pennsylvania. He'll be speaking with Eric today about managing liability for cybersecurity attacks on the supply chain. And third party vendors will attempt to answer a tricky but important question who is responsible for securing the supply chain? This all occurs amidst the backdrop of massive cyberattacks against Kaseya, solar winds, Microsoft, and other vendors that have led to breaches of tens of thousands of companies inside and outside of healthcare. So let's dive into another great conversation with yet another amazing guest, Eric Zematis.

Brian Selfridge: [00:01:16] Hello and welcome to the CyberPHIx, the leading podcast for information security and privacy, specifically for the health care industry. I would like to welcome my guest, Eric Zematis. Eric is the chief information security officer at Lehigh University in Pennsylvania. Eric is also an adjunct professor in Decision Support and Technology Analytics at Lehigh and a computer science instructor for the University of St. Joseph prior to these roles. Eric served as the CISO for Charter State College and was director of Systems, Infrastructure, and Telecommunications for Western Connecticut State University. I'm excited to be speaking to Eric today about trying to figure out who is responsible for securing the supply chain. It's a big question. We'll discuss approaches for managing liability for supply chain attacks, including business accountability and communication, cyber liability insurance and coverage, third-party vendor obligations and government intervention, and whatever else comes into our heads or mostly Eric's head. So, Eric, I'd like to thank you very much for joining us today. We're really excited to talk to you on the CyberPHIx.

Eric Zematis: [00:02:16] Great. Thank you.

Brian Selfridge: [00:02:18] Well, Eric, it seems like these supply chain attacks keep one-upping one another each week rate. We had solar winds late last year. We thought that was a pretty big deal. Then the Microsoft Exchange breach came along. And now we have the latest Kaseya supply chain attack. And I'm sure by the time anyone listens to this, they'll be like three more of these where we're seeing impacts of fifteen hundred organizations at a time. Eighteen thousand four solar winds. Thirty thousand for Microsoft getting pretty crazy. So we have a pretty tricky question to grapple with today. Who is responsible for fixing all this and securing the supply chain and where is the accountability? So will come at this from a couple of different angles and hopefully will approach at least one or two, two answers to that, those questions. So let's start with the business themselves. So at the end of the day, I mean, it seems to me that the business feels the most pain from these disruptions, right? They've got to deal with the ransomware disruptions, the loss of financial assets, the regulatory impacts and all that. You know, the business has the data. We contract with third parties. We share the information. It seems like there should be some accountability there. So where do you think the lines are drawn around accountability for breaches from the business themselves versus just pointing at vendors and saying, this is your fault, go fix it?

Eric Zematis: [00:03:33] Well, I mean, it's a very difficult task. So you have. Our visibility and defenders are somewhat limited, so you can go to third-party services or some kind of scorecard. There's plenty of them out there that are kind of evaluating externally, evaluating business risk with our partners. We can insist on seeing various external audits. But if you look at two reports or other things that verify the effectiveness of their security controls, we and we can do those things. But. They only give a small picture, and we know internally that we go through very, very many of the same things, and we kind of know where all the weaknesses might lie in our environment. So that only gets to a certain level. But I think it's really every bit of it to be doing that, that baseline type of controls. And then we need to make sure that we're working with our legal teams to make sure that that is independent of an incident that the offender has the appropriate amount of they're taking on the risk and not us as customers. So I think that's an area where we can as an industry if we all push back on vendors and say, hey, if you're breach, you breach by data, that's your problem. And you need to be financially and responsible. And what that does is it doesn't prevent, you know, the solar wind effects from happening. Of course, it's happened again, our part to follow solar up so it doesn't prevent those things that are happening. But it puts the financial motivation to these companies to say, hey, when we deliver a product, they're expecting it to be secure. So, you know, you can't add features. One of the features you have is a secure platform. So I think in this marketplace, we'll see more demand for that type of thing and that they'll invest more in it because it's profitable for them to do that. That's what businesses do. They say they make products that are part of that product be secure.

Brian Selfridge: [00:05:45] Products like the seatbelts in the car, we've been building our own seatbelts for too long. I think maybe we need some more accountability there from the vendors. So how do you communicate with the business around supply chain risk? I mean, I know a lot of what information security is this sort of black box and all these mysterious things happen, people in hoods and, you know, hackers and stuff. How do you take that mystique in that technical jargon that goes with our field and then the complexity of supply chain and third parties in the mix? And how do you communicate about the challenges and the responsibilities that the business has to oversight of this with business-level stakeholders?

Eric Zematis: [00:06:28] So I sit down with folks and we have a conversation that comes up with something like this. You know, I'm going to talk to you for a couple of minutes and determine whether I, as the security person, even care about what you're doing. So what could trigger my interest-sensitive data or valuable data integrations with other systems, connections with other systems? So I have had a couple of questions that I would ask, that the business leaders, as the requirements product first they start off with telling me about it does. And then we get into questions about how is that going to integrate around data or systems. And as we walk through that, I kind of tell them the type of things that would elevate a risk score or make it something riskier. Sometimes I question whether or not they even need to have certain data. So, you know, can you work off of other data elements to get the match or close enough to the match? And a lot of times they really the business leaders really identify with that and say, yeah, we're going to make sure that they don't have access to Social Security numbers or other sensitive data because they really don't need it. It doesn't provide a lot of value for me. So if they have problems matching because they know Social Security, number two, they're not going to happen very often or when it does happen, it's just a little more work for the vendor and that's what we're paying them for.

Eric Zematis: [00:08:14] So we often reduce our risk right up front by reducing the amount of data we provide to the vendor. That being said, when you're dealing with something like solar winds, which doesn't have. The whole reason they're there is to help you run your network in your environment, so there's no way to not have that real tight integration. So at some point it was vendors where you have to take that step, you have to have that share and with their help, the military. But the risks are one big risk actually often talk to stakeholders about is the risk of availability because they often don't think about that. The systems can go down. This was unavailable for an hour or the impact if this is unavailable for eight hours, but the impact would be just 24 hours. Somebody with the impact would be and that helps them kind of think through. And then often they have to think that through they either insist on some kind of contract provisions or the SLA or they come back and say, you know, I'm looking at two equivalent vendors and one seems like I have a lot more availability guarantees. I'm going to go with that vendor. So those are kind of some of the common things that we deal with and talk about to help the business understand the risks involved.

Brian Selfridge: [00:09:32] Now, do you give them suggestions or a playbook and say, look, here are some things we can do? You can look like going to another vendor is not always an option. I understand a lot of cases, but how you say, hey, we need to remediate this or that issue in particular in order to move forward, how much coaching do you have to do in that versus just letting them kind of decide how to take things forward when you present the risk?

Eric Zematis: [00:09:55] So, you know, when we're talking about a brand new vendor, the new service that we haven't used before. Of course, there are some options. But in your situation, it sounds more like you're talking about a renewal or other type of thing where, hey, we've been doing this whether for 10 years and really there's no way we're going to change. They would have to be egregious. And in that situation, we still cannot go over that risk exercise. And if something in our conversation potentially makes them uncomfortable, then one of the steps they often take is that I say, hey, well, you know, get their CISO on the phone with me and we can talk it through. And so if that doesn't happen a lot with these vendors and talk with each other, like, yeah, the only person that's ever asked for me, you know, it helps us kind of create a relationship. And that's the person I want to call if there's a problem. Right. So knowing the direct dial number for their CISO is a useful tool. So that is. You offered a tool to use to say, hey, I'm going to talk it through with them, or there may be some obvious, like mitigations that you're concerned about the loss. Can we talk to them about maybe not giving them that data or be concerned about how they're connected to our systems? I can directly try to address those issues rather than just generically just hope everything's OK now.

Brian Selfridge: [00:11:26] How receptive is the business to these kinds of conversations? So internally, you're just dealing with your application, your business owner, or somebody that you're presenting these risks to? Are they open to it and making the changes that need to get done? Or are they just trying to be like, look, just approve this thing and get off, get this off my plate and let's move on? Or they really sort of vested in the answer not that they don't care about the business, but like how much, how much do they really, you know, got your back, so to speak, versus just trying to move the contract through or whatever.

Eric Zematis: [00:11:57] Well, I think that you know, what you're presenting is a very common thing and say, hey, this is a check box that we need to clear in order to purchase. So how quickly can we get through that check box and the term we used about getting off your back and that type of thing, as the business owner needs to understand? And I make it very clear to people that. I am here to help you prevent breaches of your data and it may not be all your data and maybe other people say this. I represent the interests of other business owners. And when there is a breach, if you chose the vendor, let's say if I recommended something and I said I'm really concerned about this vendor, I tell them that you can pretty much choose whoever you want. You don't need my signoff. But when you choose and you ignore the risks that I present, then, of course, I'm going to tell the board exactly what happened and that puts the onus on them. And then we're on the same side of the table rather than negotiating against each other up there to help them and enable them to do what they need to do. But that's flipped the script on them in a confrontational way, but a way that makes it clear. Oh, yeah, that's right. I am. This is I am like this is better. And the vendor turned out to be evil. Well, then, yes, of course, that makes sense. Of course, they're not dealing with vendors that you're going to be able, but that helps really move the conversation forward. And then I try not to put a lot of I'm trying to make the review as light as possible and appropriate. That's why I do the risk assessment upfront to say how much risk is here. And if it's low, then I might tell them a few things. I'd recommend both of the technologies in the security person, but I. Typically pretty hands-off if it's highly secure data and it's not their data. Well, then I get other people involved as well that own the data that involves so.

Brian Selfridge: [00:14:02] So I want to switch gears a little bit and talk about cyber liability protection, cyber liability insurance, and, you know, it seems like the standard line these days in security circles is it's not a matter of if, it's a matter of when you're going to get breached. And so it seems like a lot more and more organizations are carrying some sort of cyber liability policies and protections. I'd like to get your thoughts on sort of the evolution of cyber liability coverage and get a sense of where we are today and maybe even where it's heading. So let's talk about maybe the history first. Not that you are a professor, but maybe not in the history of cyber liability insurance. But we'll do it. We'll do our best. When did some of this coverage first start popping up in the market and then maybe when did it start to become really the norm from your perspective?

Eric Zematis: [00:14:45] Yeah, I've had a better life insurance policy since about 2011, 2012, It was a pretty new line of business for them, in fact, so knew they didn't know how to underwrite it. So they just were they basically told me that we're just writing these policies and we don't know if they're going to be profitable or not. We're just the business. We're taking advantage of the business, but we don't know what kind of where we are. So I would say probably that the two thousand eight, two thousand seven is when we start to see the origin of some of these policies. And we've seen a lot of development in the policy since then. So, you know, if we fast forward to now, very rarely have real data to actually know that the costs are far higher than they thought they were going to be. So now that we're seeing a lot more underwriting around those policies, but I think there's a lot of in addition to financial losses, a lot of value with these cyber spenders.

Brian Selfridge: [00:16:09] So are there different types of policies out there? I mean, you can go with different carriers and I'm sure that that creates different premiums and, you know, payment amounts and policy coverage and all that. But is there are there different flavors or is it just a matter of choosing your carrier of choice?

Eric Zematis: [00:16:26] Well, I've had three different carriers at this point, and I'd say that they're pretty similar. But I think some of the non-financial offerings that they offer might be could be a differentiator. So, for instance, some of the policies will be the companies will help you do more to internally assess your risk. It's in their interest to do that, but help you identify, maybe help with some doing some risk assessments, even doing some work risk assessment workshops with your I.T. teams and that type of thing. And that's been invaluable as far as they don't use as underwriting, but they use as an educational tool to help identify the pieces in there. Some of them have robust libraries of training materials, things that you could share with employees, or technical types of tools. And then, you know, that's so they do a bunch of been doing more on the story for each type of care offered a service that is valuable is when we go with a new carrier. Typically, I tell them I want to have a simulated breach, so I want to call into their branch manager and have a conversation like we were going to have a breach so I could set up. And it's a half hour conversation, but I want to hear the type of things that that breach manager is going to provide his advice, what type of resources are going to be available, and rather looking at the paper of a policy. It's helpful to have a conversation with a person. And so the two vendors I've done that with in the past were willing to do that. I think it was valuable because then when I talked to general counsel's office or risk management or other senior leaders, I can tell them the service is available. I can tell them what it's like. Do I get a call? And I got a person? Do I leave a message with that phone number? What's on the other side of that phone number?

Brian Selfridge: [00:18:25] Now, can you get a sense either from those conversations or from the policies themselves of what type of events are covered and maybe which ones aren't? I mean, it's always a big question and, you know, to speak to specific carriers. But, you know, I wonder if you make that phone call in there, like, I'm sorry, sir, that's that's not covered by the policy. Nope. That's not covered either. I'm not sure they would answer you right on the spot there. But just from your experience, do you do you know what's in and what's out so we can, you know, help folks prepare for what they'll eventually have to pay for, sort of outside of cyber liability insurance, generally, at least.

Eric Zematis: [00:18:59] Yeah, I mean, obviously, the time for those questions, that's part of why I do that I want to have some indication of what services are available to me initially from a security perspective. I don't want to say I don't care about the money, but it doesn't come out of I don't have a pool of money that draws on my budget  Am I going to have access to forensic support and who's that going to be? So what companies do you work with? And so preferably, you know, your work currently a CrowdStrike shop. And so if CrowdStrike's involved, well, at least then they have all my important data anyway. They could in theory, more easily consume it than someone who could. There may be. Some other conversations that can have for those companies to make sure that they're going to be able to come into my environment and it's quickly make an assessment as possible and then other things like legal services, I might have our communications folks kind of be aware of how that would work.

Eric Zematis: [00:20:40] And the reason I have that perspective, because I came from a state institution and with a state institution, of course, we have rules around purchasing and there's emergency waivers and that type of thing. But really they want to do an hour different. So I have a breach. And the first thing we have to do is go to a four week RFP to get a forensic analysis that, well, that's not a efficient. So really, one of the reasons that we brought on that cyber policy when I was with the state of Connecticut was it allowed us to instantly start to work with the people we needed to work with and not go got their purchasing for a month and then respond. So I think but I think that carried over in a private institution now it's still delivers a lot of value. So a bunch of people on retainer, we can just work with our cyber carrier. And when we do have that bridge or we're able to respond much more effectively.

Brian Selfridge: [00:21:41] How about the application process for cyber liability insurance? Has that changed at all over the years? I mean, remember when I was, you know, in the role that the applications are fairly straightforward? They maybe even like one pagers with a checkbox about do you have a network firewall, yes or no? OK, we'll give you coverage. I presume it's not that anymore. But what are the was the application process look like these days? And maybe how is that changed as carriers become more aware?

Eric Zematis: [00:22:08] Yeah. So the you know, this year, as we looked for renewing our policy, there was multiple pages just on ransomware related type of incidents. They wanted to know what your configuration was as far as things like local administrative access, where you're using every tool antivirus. How widely was that deployed across your environment? They were asking questions around network segmentation, anything that we talk about, how much spread you would have from an incident. So anything that might reduce, spread or the ability for ransomware attack to be carried out. So it was very detailed. You know, I didn't find it very difficult to complete. They were looking for information like we have a 24 by seven SOC. How do we who do we have the responding to incidents? How how quickly are they responded? What do we use for vulnerability management tools and other types of things? What's our policies around response to those type of things? So it was kind of bread and butter things for people working in the security world, but it was very in depth. So it didn't take long to complete the things that we know we're doing or we know we're not doing. But it did take a considerable it was very much more in-depth. And yes, that's great.

Brian Selfridge: [00:23:50] Sounds like they're getting better at it's knowing our wacky space at least enough to make some decisions around.

Eric Zematis: [00:23:57] Yes, then it does present problems around, you know, they asked, you know, if you have a sock. Yes or no? Well, what do you consider a sock? You know, I have people that respond to that, but they're you know, they're not in a fancy room with all the screens. So the screens are looking for that, that you have an incident response or what are they looking for? So if there's still interpretation that can be done on those things.

Brian Selfridge: [00:24:27] Excellent. Well, I'd like to talk a little bit about what we're talking about accountability today. We talked about the business. We talked about cyber liability, which gives us some sort of coverage and helps us out. But let's beat up on the vendors now. We've waited this long talking about supply chain risk and then not talking to the vendors a little bit. So I guess similar to my sort of prior question for the business. But what are some of the obligations that vendors have to secure data? I know that that may be a sort of obvious question, but maybe what's the bare minimum that vendors need to be doing? Is it certifications is like what's what's the bare minimum that may be what some of the above and beyond, you know, things that vendors can do to to to to proactively manage risk for breaches?

Eric Zematis: [00:25:13] Well, I think I think the roadmap is there. I mean, how do you do things securely? Well, it's not an unknown type of function, but as organizations get larger and larger. The complexity of the organization somehow makes it difficult to kind of implement. So I think some of our vendors have always been successful in innovating their products. And sometimes that puts pressure on, you know when the security wants to audit the source code for two months or they're not given the resources because it's really not. The customers are clamoring for security. Two years ago, they just wanted to do a feature. So when. They weren't going to delay launching products, so they were just pushing products, pushing products, pushing products. I think that the market is going to be changing, particularly when you think about maybe governments going after you. So it's one thing to lose businesses. And again, I don't even see you take the example of solar winds. I haven't heard of a mass exodus of people leaving solar winds because they can't really operate without it. Right. So maybe that they're not going to be doing so.

Eric Zematis: [00:26:37] Maybe there will be a big decline in solar winds and other types of when vendors do get hit. But I think that they're understanding that they may have much stiffer fines or they may even have the E.U. or the United States government finding them for insecure practices or legislation that allows that to happen. So there's so many pressure points to say security needs to be done better. But it brings us to the question, too. So that's. They know the right things to do. Those aren't impossible, it's just that all the pressures are against doing things in a secure way, all the best. And now we're starting to flip that around a little bit. So I think we'll see. Naturally, the market will drive some of the improved security and then everything. So if in five years no one's even heard of, went to the company, went out, then the other companies to fill the space know that they, their own only wanted to buy their way from having a problem with that. So so hopefully we'll see some.

Brian Selfridge: [00:27:42] Without naming names, can you think of a vendor went through an assessment and you were like, wow, they really have their act together and, you know, scored well and again, without naming them outright, what are maybe some of the behaviors that you would hold up as sort of the Gold Star for up there? We have a lot of vendors and suppliers that listen to this. What would you say they can do to make sure they sort of pass with flying colors or really get proactive for assessments that you do?

Eric Zematis: [00:28:12] I really can't think of someone that I was like. Impressed with persay, I would generally say when I'm dealing with a small vendor, they have issues and when I'm dealing with larger vendors, they're at least able to present that they do security better. So, you know, if you have a 20 person shop, it's just tough to do all the security things right. So it's you know, you're you're innovating to create this new app or this new service and your whole focus is around. Getting that out the door and selling it, you know, whether you're going to go to venture capitalists or you're already owned by venture capitalists, the security piece is really the last piece in there. So I do see a lot of effort. And I can tell just by looking to use the survey tool called The Hack, that which is to hire a specific kind of security survey tool that standardized across a lot of higher exit comparisons and that type of thing. And I can tell within 20 seconds of looking at a hack back in response. How big the company is, so small company will typically say AWS handles that, AWS handles that, said it's like their answer to everything. Well, it doesn't make it over that you don't even understand what you're saying. So we're largely vendor will have. They've already gone through that process and they feel that in the hiring space, so they have a very much more well defined tool that they turn back. So so that's more of the differentiator. I see. I guess the question that comes back to what do we do when one of our vendors does behave badly and, you know. It's again, I mentioned it's difficult to change vendors, there's relationships internally with our business and business partners.

Eric Zematis: [00:30:20] So how do you handle that? And I guess you really need to assess each situation one at a time and decide, hey, what was the reason for the breach was the nature of the breach, what caused it? So we had a vendor who we really don't purchase from, but we refer to our students. And there was a credit card incident happened this spring and they breach credit card. So I said right off the bat to our eternal business owner, I said we can never do business with this company again. If they're going to handle credit cards, they need to handle credit cards through a third party. They go if they do that, then I think we'll be in good shape. And a week later, they're not, hey, we're not going to use PayPal for all of our payments. So that's that we should unnoticeably because you didn't have that skill. So they're very skilled in what they do. And they made a good business decision. I think they said, hey, you know what? You know, we did. Why would I'm sure the CEO is like what? I don't understand why. If we can have someone else do this, why were we doing internally? You know, the CEO probably got an education as far as you know. You know, again, they can deal with third party vendors that have the resources to kind of protect that credit card data. That's what I toss and turn to see if we can push everything to our third party gateways rather than just in every situation. I think it's better.

Brian Selfridge: [00:31:52] I've become fascinated of late by the the post breech response from vendors and how they how they handle being in the spotlight. And it's look, I don't envy anybody that has to go through it. And it's a difficult situation. But just to give an example like this, a breach that just happened a couple of weeks ago and the CEO came out over the weekend as it was happening over the Fourth of July holiday. And he said something to the effect of, well, we're just in the early stages of the investigation, but I bet you it's going to be a fourth party and a third party to us that's responsible for this and not us. And I was like, oh, man, bad answer. Just don't lead with that. So and, you know, some vendors get secretive and they you know, we don't we tell you what's going on with this breach and others are sort of open the kimono and let you know what's going on is there are they're either good or bad examples you've seen from vendors. You're not necessarily with your own situations or maybe with them, but that is there a better or worse way to handle responding to a breach as it unfolds that that could help or hurt your business down the line, depending on how you behave as a supplier.

Eric Zematis: [00:32:58] Well, I mean, use the open kimono analogy, and it would be great if every time we think about it, we would learn if every breach everyone had to be honest and it was a PR, but it was like this is what happened to Bob, maybe not to another person, but if I, an accountant to someone in accounting did X, Y and Z, they had a phishing attack. We didn't provide this. We didn't provide a segmentation or there was some reason that that that became worse. And it had to be we let Bob be a local admin machine. And then that led to if we had that type of information, then all the security people around could use that as a road map for can that happen here? That's what we think. Right. So when we see one of these incidents happened, we say, is that our better now? OK, what happened? It could it happen here? And it's very easy to get everybody focused on that. And if we had more details that would allow us to do that and it almost continually, we'd be assessing ourselves against these real world threats in a much more easy, easy manner.

Eric Zematis: [00:34:13] I think that when we see these questions, we go back to the cyber liability. When they're asking these questions, it must mean that they know that those things would have made a difference. Right. So they see they're dealing with breach response in an insider type of method. So. So if they're asking those questions, it's because this local admin permission really is a problem in real world. It's created issues. And so therefore they don't want to see it in policies that they hold. So I think that that forthrightness would be great. But what am I looking for from a vendor, since they can't be forthright and I understand they can't. I definitely don't want what you're talking about with Carsia, where the CEO is like I think you'll find it's one of our some third party to us. So it's not our responsibility. Right. So it wasn't me. It was just someone I hired and paid a lot of money. No, no. That's that's still you. You know, you're still the one that did that. So, you know, it's a it doesn't. That's the last thing we want for a response, I guess, to say.

Brian Selfridge: [00:35:25] Well, it's interesting you say that if we if we knew what happened, I agree, I mean, if we could get more visibility into what went on, we'd be so much more able to learn from that as an industry. Do you think? I wonder if that's why these new regulations that are in draft, like there's a bill drafted last week or two weeks ago from the US federal government? It's not it's not you know, it's in its infancy. So whether it will make or not, we don't know. But it's got a provision for breach reporting within 24 hours of the event, which I just find sort of a wild idea of how you would even report anything, having gone through incidents myself, that's of any reasonable intelligence that within twenty four hours don't play that part. There's a little more leeway there. But is that what those breach notification laws are trying to do? Is do we need regulations to help us get to that point, do you think?

Eric Zematis: [00:36:13] Yeah, I mean I think those breach notification laws, I mean, three days is pretty common. I try to remember what the EU mandated. It might be 24 hours there as well. And it sounds good, but of course, if inside baseball is, you know, that's apt to declare a breach, though, and it takes a while to determine you have a breach. Right. So I need to determine if I lost data. Well, guess what? Most of my systems are tuned for lose it for tracking lost data. So I have to prove something. Didn't happen or something happened or proved that something that didn't happen, which is to prove it didn't happen. Is it possible? But the proving something happened and what happened to its heart. So it could be and we know that from rich data that the average breaches discovered something like 270 days after it happened. Now, the good news is ransomware is that the attackers are telling us much earlier that we've been breached because they want their money so they don't wait two or three days. You know, in the ransomware situations, as soon as they own us, they'll let us know. So we know much more quickly now than we used to. But even then, we wouldn't know what data was taken until either we buy it back or we figure out what happened. So I think that those notification laws are well-intended. And certainly, after the clear breach, I should have to tell who was involved. I think that's a good privacy control, but it all comes down that some may be months and months and months after it happens.

Brian Selfridge: [00:37:55] It's funny, I was talking to another appear in the industry that does a lot of these investigations and forensics things, and they said, you know, whenever they always chuckle when they see in the news like we didn't, there's no evidence to say that the data got out. They said what that means translate to is that we don't have logs and we've got no way of figuring it out. So we therefore don't have any, you know, positive evidence that it went out. It's like, well, yeah, that does. Don't don't ever let that make you feel good when you see that in a press release.

Eric Zematis: [00:38:24] I think that's a good point. And unfortunately, that's why we do extensive logging. But. I would always almost say that, you know, how do you feel about our risk against this, huh? Well, I think I feel good, but, you know, I think that we don't have a problem or it's more of that. You know, one of the what's the fear? The the unknown. Unknown. Right. So, you know, the thing we're scared most about it is the things we don't know. We don't know. So it's yeah. That quadrant is a is a scary place because we don't really. Yeah. It's a complex environment that we are involved in and a lot of moving parts of people, a lot of other things. And so, you know, even if we have pretty good controls and we're pretty comfortable, there's still that fear that something could happen. And that's what goes on with these vendors. Right. So they had you know, they didn't think that they would be injecting malware into their clients. But it turns out that's what they should have been thinking. That was that's an example probably of what used to be an unknown. Unknown.

Brian Selfridge: [00:39:32] Well, since we're in the habit of invoking the late Donald Rumsfeld and governmental known knowns and known unknowns quotes, let's let's talk about the government a little bit. What what role do you think they and we can stick to the US government for now. But but more broadly, I guess, what role do you think the government should have or does have in combating supply chain risk? Is it purely regulatory or is it guidance based? We have diplomatic stuff as our primary channel of let's go beat up on Putin for all the ransom. Like what what do you think's the right levers that the government should and could pull to help us out here?

Eric Zematis: [00:40:11] Well, that's a good question. I have kind of two main thoughts about that. One is, you know, we're quoting political figures will go to Reagan. And he said Scary was the hero of the government. And I'm here to help. So the government often isn't very effective at things. So there's a danger of regulation that doesn't really help and in fact, could hurt. So we always have to have that out there. But, you know, one of the things that I'll do a presentation sometimes is, you know, I'll show my security staff and then I'll show the country of Russia or China and then be like, you're really not fair. So in that respect, that's what the government has been more effective at doing is more. So when you have nation states who are attacking that nation states and I think that that. Will demands a response from the government, because you really about just like if we had if Putin was sending troops over here, well, there'd be a different conversation, right. So but you can't just come over and take over our infrastructure and other type of things and not expect some kind of response. So I think that we'll start to see that. I know that a couple of years ago, you know, the Department of Defense started taking more of an offensive strategy. And I'm not privy to what type of things have been done. But certainly the NSA and other organizations have been more aggressive in the past. But I think that the government is seeking to have more offensive capabilities to kind of fight the war, not on our turf, but others. So it's kind of a frightening world to where this can happen. And you know what if it escalates into other things. So, yeah. So we think we have to move forward cautiously and really consider where where government needs to respond and where government may provide more friction than out.

Brian Selfridge: [00:42:29] Well, I wonder if it's any coincidence that the Carsia websites and servers went down this week, just several a week or so following the attacks. You know, it seemed to me that that was very likely government intervention or, you know, maybe there was a configuration error on the on the side of the kissy kissy guys, but I doubt it. So I wonder if this is going to just escalate, you know, as these attacks move forward.

Eric Zematis: [00:42:58] And again, it's the stuff that we're in, a lot of stuff, I'm sure it's happening in the background that we don't we're not going to see or hear about. But yeah, so we'll have to kind of keep keep our eye on that. I think the government is trying to get more. They've been talking about where a research institution. So things like CMC for federal security, defense grants and that type of thing, they want to raise the bar. So I think it's reasonable that the government can use this position as a large consumer and say, hey, if you want to do business with us, you need to be doing durations of your security controls and certification before you can do business. So I think that things like that use market forces in a way that leverages the buying power of the U.S. government. So maybe those things will help.

Brian Selfridge: [00:43:56] How about the standards bodies, so you've got the government, but then you have these sort of private industry, sometimes government funded standards, bodies like like NIST and others that can provide guidance, provide resources, invest in sort of helping the rising tide, floating all boats kind of thing. Are there are there standards bodies that you would recommend to your peers out there that that really work for you and maybe specifically around third party risk if if they if such things exist that you could say, hey, check out their resources, you can save yourself some time. You mentioned that questionnaire. That's that standardized. Might be a good place to start, for example.

Eric Zematis: [00:44:32] Yeah, I mean, the what? We align our security program around NIST hundred seventy one because of federal financial aid and GLBA concerns and CMC. So that's kind of helpful for building a program, but it really doesn't. It's a tough place to start, right? So it's pretty arcane and it's just difficult to kind of understand. So I'm not sure that that's the most useful place to start. You know, something like the know what used to be called the SANS top 20. I think it's just the ..

Brian Selfridge: [00:45:20] Critical security controls ...

Eric Zematis: [00:45:22] That. Yeah.  So I think that that because it is a better roadmap for someone to kind of start with where they can at least say, OK, well, it makes some sense. So the priority risks are the most the things they address, the most risk are kind of at the top of the list. And it kind of is a way to tackle this. So but it starts with some real basic premise. You know, first thing you need to do is know what's in your environment. And we know as security folks that that's a big stumbling block, it seems so basic, like what's running in our environment. Most people are like, oh no, you know, that's hard to figure out because it's dynamic and it's changing. And so, you know, focusing on those type of things, I think it's somewhat a road map to say, you know what? And if I have a small shop, it's a lot easier. Right? So if I have a lot of resources, it might be a tough problem to solve. But I have the resources to solve it. If I'm a small place, you know, then NIST isn't a great place to start, but something like, hey, you know, I need to have understanding everything on my network. I only have a couple hundred devices. I think I can do that. And then you need to know what software is on your machines. And you might say, hey, that's hard because I have local admin people. It's all stuff all the time. Well, maybe I need to remove that. And then I have a pretty static environment. I can figure out what's the software. And as we go down that list, I think that there's some helpful things that can begin to kind of make a lot of sense once to understand if someone is trying to do for two hours and you were a technical person, this makes a lot of sense. I think I can use some of these things here.

Brian Selfridge: [00:47:02] Well, I regret to say I truly regret to say that we're up on time and this has been a fantastic conversation. And, you know, we set out trying to solve who's accountable for third party risk and some things we can do. I think we made some headway today. I think there's some real some real tidbits in there, if not some major guidance to take away. So I want to thank you so much and to thank my guest, Eric Zematis, who is the chief information security officer at Lehigh University for for your insights and really appreciate you taking the time to share this with our with our audience and with your peers.

Eric Zematis: [00:47:35] You're welcome, Brian. Thank you.

Brian Selfridge: [00:50:54] Again, I would like to thank my guest, Eric Zematis, for sharing his insights on managing liability for cyber attacks against the supply chain. I appreciate it. Eric's perspective about ways to get prepared for supply chain incidents, including simulating events with your cyber liability providers, having constructive dialogue with the business and your vendors around managing cyber risks and so much more. A lot of great takeaways from this discussion today, and we're very appreciative of Eric's time. As always, we'd like to have your feedback and hear from you. Our listeners feel free to drop us a note about what topic you'd like to hear about or thought you'd like to hear from. Our email address is [email protected]. Thanks again for joining us for this episode of the CyberPHIx. And we look forward to having you join us for another session coming up soon.