From YouTube: Budget Review Subcommittee on General Government, Finance, Personnel, & Public Retirement (8-17-22)
D
We'll start with Commonwealth Office of Technology, Mr. David Carter.
F
There we go, perfect. Again, I'm David Carter. I'm the Chief Information Security Officer with Commonwealth Office of Technology, and I'd like to thank the committee for giving me a few moments this morning to share with you about the security program within the Commonwealth Office of Technology that serves the executive branch of government.
F
We leveraged two frameworks for that foundation. The National Institute of Standards and Technology Special Publication 800-53, also referred to as NIST 800-53, is a comprehensive risk management framework that is a governance framework. That's used by most state governments and originally started as a federal, and is a federal, framework.
F
But it's adopted by state governments for two reasons: one, it's a very comprehensive framework that gives us broad coverage across all the controls that we need. It has 212 foundation controls. The Commonwealth aligns to the moderate baseline, which gives us a control framework of around 283 controls that we leverage in our program.
F
We also use the MITRE ATT&CK framework, and that's less of a conventional framework and more of a catalog of the techniques and processes that the bad actors use when they perpetrate their attacks. That gives us a comprehensive checklist of things that we can compare our security controls against to make sure that we have adequate coverage.
F
We had nine low findings that are pretty much informational and 10 moderate findings that we've worked on since that report in 2020. We currently have a statement of work out for our 2022 report. This is the MITRE ATT&CK framework. The columns in this graph indicate the goals and objectives of a threat actor; each one of those blocks underneath of those indicates a specific tactic that they can use to try to achieve that. An attack is a chain.
F
It is a number of links; each one of these boxes represents a potential link in that chain. If we can break that chain at any point, at any of those links, we stand a chance, a good chance, of stopping the attack. As you can see, when we first picked this up in 2018, we didn't have a lot of coverage here. All of these red blocks are areas that we have opportunity.
F
The items in blue are those tactical initiatives that we plan to implement within the next six to 12 months, and the yellow are those that we are more strategic about, and they're going to take probably throughout our two-year strategic plan, and I'll discuss more about the strategic plan at the end. We take a layered security approach. A lot of times, when a technician like me starts talking about layered security, we start talking about individual technologies in the depths of our technologies.
F
I prefer to look at it at a more higher level. We have four layers that we focus on: employee, network, endpoint, which is your workstations and servers, and your data. Data is obviously the goal. The threat actors know we have really strong defenses in the network and the endpoint realm, as most enterprises do, so we're seeing the trend that they're focusing on our employees, and we're doing the same thing.
F
We have a security awareness program, and we partnered with the Department of Personnel, and they were tremendous partners in this, helping us get an awareness program in place that is part of our employee evaluation system, that ensures that all employees have awareness training every year as part of their evaluations, and they also have it at onboarding. So when they come onto state government, they have the awareness training they need before they start using our systems.
F
In addition to this formal training that we have, that goes through the Personnel Cabinet and through my purpose, we also do other activities throughout the year. Like in October, it's National Cyber Security Awareness Month. We have presentations and do various activities during that month. Just to put some numbers around that, this last October we had four presentations. Out of those four presentations, we had 1,750 participants in those, which was really good numbers.
F
We also do various activities that require interaction and set up mailboxes for those, and we received nearly 16,000 emails during that month, and that equates to about 22, 20, well, whatever, sorry, a little slow in my math this morning, but that's a lot of instances where our employees thought about security that month. That was a great success and we were really proud of that. We also phish our own people. Phishing, I'm sure you all have heard about it. You've probably seen it.
F
Those that click on those emails are directed to a page that lets them know that they've been phished, and it gives them an idea of what to look for. The phishing facts on this slide really kind of explain the importance of that: 93 percent of all attacks involve phishing at some point, usually early on in the attack chain, and depending on which source you go to, between 45 and 75 percent of all emails in motion at any given time on the internet are spam or malicious.
F
We're marked, you know, well below the average, but when we started we were above the average. So, in approximately a year and a half we've had this program in place, it's been usually successful in bringing our numbers down, and where we sit right now, we're in the top three percent of all people globally that use our vendor's solution.
F
This is a snapshot from our email defense system. The state for the last 90 days received 43.2 million emails; out of those, 16.2 actually made it to user mailboxes.
F
We blocked 62.5 percent of all email that came into state government. 18.6 million of that was just because they came from sources of bad reputation. They're known for phishing, they're known for malware, they're known for those bad things. 8.4 million were signature-based. That means we know they're bad, we've seen them, and we have signatures that say they're bad.
F
The next two numbers are the ones that I think really talk about the strength of what the system provides. 112,000 emails made it through all of the other defenses, and the only reason we blocked it is because we were able to quarantine and explode, that is, detonate, that package in a safe sandbox area and determine that it was doing bad things.
F
We call that zero day: you've never seen it before, there's no signatures for it, no real easy way to detect it other than to just see what it does and see how it behaves, and you're going to start seeing a theme of that as I go through this. And then 40, I'm sorry, 47,000 were blocked because of links, and the same methodology was applied there. The system followed the link and looked at what that link tried to do. So those are those behavior, heuristic type defenses that we employ. Our network defense.
F
Obviously, a network of our size produces a lot of information for us to analyze. There can be tens of millions of events generated in a month, and then the incidents that come from that can be in the tens of thousands, but we're really only concerned about the top three percent of those. A lot of that is noise. A lot of that stuff is taken care of by our proactive defenses that get in front of the threat, that keep them from posing a risk to our environment.
F
This slide kind of demonstrates that progression when we first transitioned to the new security incident event management system. As you can see on the left, we had a little over 150,000 events generated, and then we began bringing in all of the infrastructure and we had 788,000 events that can quickly swamp our analysts.
F
These represent our endpoint defenses. These are the defenses that live on all of our servers and all of our workstations. On the left is our endpoint detection and response, and on the right is our malicious code protection. That's also referred to as antivirus, but modern technology is much more advanced than just antivirus. It protects against a lot of other things.
F
The key points on this are: all of the items on the left are behavior-based; they're not necessarily based on signatures. We don't have to know what a threat looks like in order to defend against it. We just have to know how it behaves. We look for things going on in the system that are anomalous, that are not normal day-to-day activity, and flag that as being out of the norm, and we can look at that and determine that it's malicious and block it proactively before it executes on the system.
F
The highest peak on that graph on the left is execution. That's where a threat actor has attempted to execute code, whether that be somebody opened an attachment they shouldn't have, or clicked on a link they shouldn't have, or there's malware executing on a system. We can stop it cold because our endpoint detection and response system detected it and can shut it down. On the right,
F
There's a concept in IT called zero day. Zero day is when nobody's ever seen it. Nobody has a signature for it, and nobody can stop it unless they detect how it behaves, and that's why we've taken security in the Commonwealth in the direction of looking at how something behaves, as opposed to just looking for bad things. We have to look for good things behaving badly.
F
Our plan is tested and validated, and it covers the entire life cycle of an incident, from the time that we detect that, to containment, to recovery, getting the system back on its feet, and then the most important step is the follow-up after that, to make sure that we learn from that incident, to make it an opportunity for us to do better tomorrow than we did today. If an incident occurs, it occurred for a reason, and we have opportunity at that point to stop it. So many times things stop at that stage of "we're back up and running."
F
Now we're not going to sit static, secure. The threat actors are not static, and we're not static either. So we have an ambitious strategic plan to continue to build on our success in our security program. We want to enhance our monitoring, and this is taking it down to the data level. We watch our network very closely. We watch our endpoints very closely. We watch our boundary to the internet very closely.
F
That can be a challenge because of the pervasive use of encryption. If you do a Google search, it sends you to a secure browser page that's secured end to end. Everything across the network now is encrypted; it's hard to get visibility on all of that data. So that's part of our strategic plan, is to put creative ways in place to allow us to have that visibility. Data defense. We have petabytes of data in our environment.
F
The data belongs to the agencies. The infrastructure belongs to us. There has to be a pairing between us and the agencies, and the ability to catalog that data and know where the crown jewels live. There's a reason banks don't build bank vaults big enough to hold their office supplies: because vaults are expensive. You don't want to apply top-tier security to everything, so we have to catalog and categorize all of the data in our environment and have that holistic view of what we have in our possession.
F
So we can build the right walls and build the right protections around it. And then identity protection. We already have enterprise identity management for our internal identities that interfaces with our personnel system, that allows us to do things in very real time with our personnel actions, so we're really in good shape there. But this is focused on the citizens. We want, our vision is to have a citizen have a single identity when they come to the state.
F
Right now, there's multiple ways that they can log into various systems, and we want to make sure that they have that cohesive experience, and that gives us one door to defend as opposed to having multiple doors to defend, the way it is today. Risk management: we want to be able to catalog and have a holistic understanding of all risks in our environment. If you have a security guy that sits in front of you and says, "We have no risk, you're 100% protected," you need a new security guy.
F
We want to make sure that we have a full understanding of all risks in our environment and we're applying our spend and our defenses in the appropriate areas. Staff development. I want to make sure that I'm investing in my staff. As I said earlier, the threat actors are not static. My staff can't remain static.
F
I have to make sure that they're trained on the latest technologies and they're trained on the latest security threats that are out there. This also has a benefit from a recruitment standpoint. State governments, and it's a national thing, not just Kentucky, the state government's pay scale has challenges competing with private sector that pay top dollar for the security resources that are available out there.
F
So I can't afford to reach out and pay the six-figure salaries of the top-tier security folks out there, but I can build my own, and that has two benefits. One, we know how they were trained. We know how well they were trained. Two,
F
I can build a workforce that has the same passion of the folks that I have in my staff today. I'm very blessed in that my staff have servant hearts. They find a lot of value in serving the citizens of the Commonwealth, and that's because they grew up in the environment; their professional growth was in the environment of serving the Commonwealth and serving the citizens, and it means a lot to them.
F
If I can build a workforce like that, with new folks coming in, build their skill sets up and have them have that same passion, there's a tremendous benefit from that. And then we want to do more with what we have. We've made great investments, as you can see in some of the previous slides; those have paid off well for us. We have really good coverage, but we've used 90% of the capabilities that we have simply because we are rebuilding. We are building from the ground up a really secure architecture.
F
The state will receive 20 percent of the funding available, and the local governments, through the state, will receive 80 percent. For the state opportunity, we're going to focus on privileged access management: those keys-to-the-kingdom accounts, the accounts that have the highest level permissions.
F
We also want to implement email fraud defense. We have strong defenses for email in our environment. We saw those slides earlier. We want to expand that to cover things outside of our environment. There are technologies in place that can allow us to sign messages for the Commonwealth, and if messages are sent that appear to be from the Commonwealth that are not signed by us, then email systems will reject them. That will keep somebody, a threat actor on the outside,
F
from attempting to spoof and appear to be official communication. We've seen people attempt to redirect payment for contracts. We've seen people attempt to reach out to our citizens to steal their PII, posing as a state organization or a state entity, and putting these fraud defenses in place will help prevent that.
F
We want to enhance our security monitoring. In our strategic plan, we're looking at the data; this, I'm looking at the depth, because we need to increase our spend in the amount of data that we retain. The amount of time that a threat actor lives in a technology environment before he's detected is typically six to seven months. By that time, a lot of good, valuable forensic information has been overwritten or lost, so we want to increase the amount of data that we retain in our security systems to make sure that we have.
F
This program will allow us to pull all of those together and bring that into a really cohesive security approach, making the most of all IT purchases, not just those for security. And then on the local government opportunity, we're working with the Kentucky Office of Homeland Security, as well as the cyber security and internet security agency, formerly a section of DHS, to establish a cyber grant committee that will allow us to work directly with our local government partners, give them some guidance, some education, some awareness of what they need.
F
We have some counties that do extremely well, but we have smaller counties that don't, that rely on, you know, their local computer guy down the street to help them with their IT needs, and we want to give them the guidance they need to build sound proposals for this money. And then, ultimately, we will score those proposals and look at funding allocation that will probably follow two paths: one which will be managed services that counties can consume, like managed security services, the monitoring and things that they need to
F
let them know when things are going on in an environment, and local services, local resources for them, like the endpoint detection and response capabilities that I talked about, that the state uses, can be applied at a county level, purchasing things like that with this funding. So, I know that was like drinking from a fire hose. That was a lot all at one time, but I certainly am open to any questions.
D
Thank you for your succinct and down-to-earth presentation. Do we have any quick questions from any of the members?
C
Thank you, Mr. Chair. Over here. Thank you for the presentation. I actually found it, you know, very fascinating, and there are lots of little questions based on a lot of the things that you shared with us, but I'm gonna do some real general questions, if I may, Chair. You said that we had an 11 percent, or their open rate is typically 11.
C
I think you mentioned four emails that are potentially not good, and our open rate is 3.2 percent, which sounds great. Can you define who "our"
F
is the executive branch of government. We email all employees within the executive branch of government. What we do is we choose four specific templates that follow current trends that we see, and send those out in a random fashion to all email recipients in the executive branch. And then we track the special links within those emails and the attachments within azimus to know when they're open.
C
All right, great, and we could use some of that in the LRC, some training for us, and I don't know if your office works with here, because we also get these emails and some do get through, so that would be interesting to see what our open rate is for legislators. I'm sure it's not going to be 3.2 percent.
C
I also have a question related to the use of cell phones. I didn't hear anything real other than computer use. So is this anything that your office does related to cell phone usage?
F
Yes, sir. You know, I had a limited amount of time, so I covered the tip of the iceberg, but we do employ Office 365, Microsoft Office 365, and the way that works is we're required to use the Microsoft suite of applications because of the way we manage data on those devices.
F
First, we enforce policies on those devices to make sure that they're secure, to make sure that they're locked down, and then we also containerize any state data on those devices through the Microsoft Office 365 platform. So that's why you have to use Office applications to get to them, because Microsoft can wrap a wrapper around that data and control it. So if a device is lost, one, it is encrypted and protected by passcode, and two, we have the ability to wipe just that state data that is in those containers on those devices.
C
Question, Jared: thank you. We hear in the private sector of some kind of insurance protection if the worst does happen and things are locked out. I imagine we have some kind of protections in that realm, if something really, really bad happens.
F
Yes, sir, we have. The Commonwealth Office of Technology has a cyber liability insurance policy. It provides 60 million dollars in financial coverage, but the real benefit, the real strength from that policy, is that it keeps people on retainer for legal representation, public relations and technical response.
F
Those are highly specialized skills, and they're not skills that you typically can afford to keep on a shelf until you need them. So having that in our pocket, having that ability to reach out and get a go team to hit the ground should an event occur of a decent scale, that's very valuable to have in our pocket. Now we're looking at possible alternatives to that, looking at paying the retainers directly, because the cost of that insurance is going up exponentially because of the level of risk in the insurance space.
F
So we're seeing, we have seen a 200 percent increase in premiums. Other states have seen up to 500 percent increases in their premiums. It's getting bad out there, and we're looking at other states that have taken creative approaches to get the same sort of technical protections without the high-cost premiums.
G
Understand. I've been in that chair before. We're waiting, and I don't know if we have it back yet or not, a payroll study from the Personnel Cabinet.
G
You know, pending the second year increase in pay for state workers, and so what I think I hear you saying in your presentation: if we as a General Assembly were able to put in a different tier for COT, specifically as it pertains to, we'll say, high-level employees, people with specific knowledge and skill in cyber security, I'm assuming, would that be beneficial to the cabinet, to have that extra tier there?
F
Absolutely. I just had a conference through NASCIO with my peers in other states. We had 35 states represented. Of those, there were three states that had specialized rates established for, like, security, the high-skilled workers, and it's been tremendously helpful for them as a recruitment tool, because it is challenging for us to compete. We have to compete with six-figure salaries and the ability to 100% work remote, and that can be a challenge to try to match that with the benefits offered by state government in the salary scale.
D
But LRC is separate from what you're doing? Yes, sir. Okay, now are you all actively recruiting from the four universities? Now many universities teach cyber in Kentucky, but four of them have the top line, the top tier, the military grade. Are you working with them on recruitment?
D
What about, are you familiar with Virginia shutdown a couple of years ago? Yes.
D
Okay, and their main thing, I talked with their IT man that went through that, and he said the biggest thing was backups. How are we on that?
F
We're very fortunate in that we have our own alternate data center, so we have a secondary location for all of our data that synchronizes. Now, of course, if something happens here, it will synchronize that to the other location, but we have multiple layers of backups and multiple opportunities to recover. We have point-in-time backup systems that
D
Because if you don't have a company on retainer, then you're scrambling. Yes.
D
If it's not just us that is affected, then you're in line with everybody else to try to get help. All right, in the extent of the breach, I was going to ask you about that on, you know, how many breaches, but you know, the extent. I liked your sandbox, because sometimes you want to follow what they're doing instead of just stop them. Yes, is that pretty much what you were saying with that?
D
Because volume versus the damage: the damage is more important than your volume. Do you all prosecute? We have the AG on next. Do you all try to find who's doing this and prosecute?
F
I have a good partnership with our local FBI, and they're kind of the enforcement arm. They're the ones that want to take these actions, because they typically cross state lines, if not country lines. So we work closely with them to get them any and all information that may be pertinent to an investigation and allow them to take the enforcement action.
I
Okay, so the first thing to note with data breach notices is that there are two different data breach notice statutes. So the first is KRS 365.7, and generally that statute is going to apply to private businesses. That statute provides a roadmap to private businesses who suffer a data breach on next steps, what to do next. Now, importantly for this presentation, that statute does not include notice to the attorney general or other state agencies.
I
If they suffer a data breach based on this statute, they will provide notice to our office, and there's a form which is called the FAC 001, and that form is what's provided to our office, along with the list of other state agencies, and so again, the statistics we have for you today are based on those KRS 61.933 data breach notices that are provided to our office.
I
Shortly after we began, the subcommittee had asked for four years, so we went back and did find 2018 and 2019 source data, and we've added that. But the specific data that we had tracked was when our administration started in early 2020.
I
What we have found of these total 358: the vast majority of data breach notices we receive are actually accidental breaches or inadvertent breaches, and a quick example: let's say an agency is emailing personal information. They're supposed to be emailing it to recipient one. They accidentally email it to recipient two. Now that is a data breach, and that's going to fall under KRS 61.93, so our office is going to receive notice of that, and that agency is going to tell us what steps they're taking to correct that.
I
So, breaking it down even a little further into a more narrow subset of just ransomware attacks. So from the data breach notices we've received under 61.93, the ransomware attacks are rare. We had two in 2020, two in 2021, one thus far in 2022, but what I'll note in the next slide is that the cost to an agency for a ransomware attack, as opposed to a different data breach, can be substantially different.
I
So one of the things that the subcommittee had asked us to take a look at was the cost to agencies for these data breaches, and the form, the FAC001, that is sent to us in the event of a data breach has a field or a form that allows the agency to add in the costs that they had based on this data breach, and again noting that most of them are accidental or incidental.
I
Most agencies reported to us that they did not incur substantial cost based on the data breach. However, even in those accidental or inadvertent data breaches, the agencies noted that they did have to spend staff time to investigate the breach, to provide notice to the impacted individuals whose information was taken, to provide notice to our office as well as the other state agencies, and to train staff on what happened and to update policies and procedures to try to ensure that what happened doesn't happen again.
I
Hopefully you have a cyber insurance policy, but regardless, either you or through your cyber insurance policy, you're almost always going to have to hire a cyber security firm to come in and investigate forensically what's going on, what data has been locked, can it be unlocked. You're also typically going to have to hire a law firm to deal with the compliance issues with that, and so those two things alone would be substantially more cost than obviously an agency with the other type of data breach.
I
The other thing that potentially could be a cost for that agency, that we've seen rarely, but we have seen it, is if a breach does occur, an agency may choose in its response to provide free credit monitoring services to those impacted individuals, and so, if you had a large ransomware attack and there were a ton of impacted individuals, it could be a substantial cost to pay for credit monitoring for all those individuals.
I
So that's what agencies do through KRS 61.93: they investigate the breach, they notify the proper parties. So what does our office do? So our office, first of all, what we're doing is we are receiving those notices that we just discussed, we're tracking them, we're logging them, and then we are reviewing them to ensure that the agency is following the proper procedures based on the statute.
I
So, just because we're not receiving notice from those private companies doesn't mean we're powerless to act, and so, since 2018 we've entered into 12 multi-state settlement agreements with private companies that are based on data security practices, and in total, with those 12 multi-state settlement agreements, we've recovered a little over five million dollars, and we have instituted lots of injunctive relief to require those companies to update their practices, much like you just heard from COT.
E
Good morning. Just to give kind of a broad briefing about ransomware, where and what it is: ransomware, as its name implies, is software that creates a condition where it ransoms a network away from the users. It's used in completely opportunistic attacks. It can be executed from hundreds or thousands of miles away.
E
If they choose to do so, they don't have to monetize the data on the system, and that's important, because historically in a hack, somebody would get into a system and they would offload the information and that data, and then they would use that to create fake credit cards or passports or some other type of way that they would then monetize that data, but with ransomware, that's not necessary. All the data is there still on the network; it's just encrypted and not accessible by the legitimate user.
E
It can be deployed across numerous platforms. So not just the network servers; it could affect the individual laptops for a company or for a small business, could in fact affect cell phones, particularly, as well. It spreads primarily through clicking of malicious links or through gaining access to systems through weak passwords or unsecured remote desktop protocol.
E
Just a word on the passwords. Sometimes human beings can get kind of lazy and they will use the same password for their work email as they would for their personal email. That personal email might become compromised, and then the bad actors would go out and look for: where does this person work? What access might I have to their email at their business? So that's a way that they may be able to manipulate that.
E
This is just a quick diagram about the typical anatomy of a hack. This is what we've seen historically, where a bad actor would perform reconnaissance, in other words, sort of basically determine if the juice is worth the squeeze. Does that network have enough data and information on it that a user might be willing to pay some type of ransomware? Then comes the initial compromise. That goes back to clicking on a malicious link or some other access.
E
They get a larger hierarchy access to the system, and then they maintain their presence on that system, and they move throughout it to where they can find the most vulnerable and the most profitable sections. And again, this is typically what we see in a hack. Then they exfiltrate that data, and again, this is where a typical hack sort of strays away from ransomware. In this particular case, ransomware does not make that data go off the server; it stays on there. It just prevents a legitimate user from using it.
H
So you mentioned inside jobs, and I think we were talking about private companies, but I'm familiar with, like, ransomware and stuff that's done by actors, let's say within the FBI, for example. So how does your office handle something like that, when you've got ransomware being done by someone who you ordinarily may normally ask for or help with investigation?
E
Well, one of the things about ransomware is that ransomware essentially is just encryption. It's just a program that encrypts a data source. You don't have to be particularly good with computer programming, because that software is available. You can buy it on the dark web if you choose to do so, and just for a few dollars. The way we would handle it is what we've done in the past: we coordinate with the United States Secret Service, as well as the FBI's Internet Crime Center, to investigate those.
E
They do, and I apologize. So the local field office would initiate the investigation for something here in Kentucky. They would then relay that information that they collected to the IC3, and they are the clearinghouse of larger threats, so they could look at it and see a profile that might apply to, you know, "this is something we've seen with this ransom, this particular version of ransomware." So then they would be coordinating with the local field offices here in Kentucky.
D
So when a company pays a hacker for shutting down their system, they have to hope that the bad guy is honest.
E
B
J
Hi, good morning, committee. My name is Brian Cobb and I am the Chief Information Officer for C-Forward Inc. We are a managed service provider serving Northern Kentucky, Cincinnati, Lexington and Louisville.
B
Great, thank you, and Chairman, thank you so much for having us here to talk about this issue today. Great presentations before us, so I think you've got some good general information. This is absolutely something that's impacting businesses, big time. The trends are going in the wrong direction in terms of attacks and in terms of the cost of preventing attacks, as well as the cost of dealing with an attack.
B
If you have to face that, and so it is certainly something we're concerned about in terms of the cost of doing business. Most of the breaches are external attacks, but there are, of course, internal ones that happen as well, as we just heard. Most of the attackers are motivated by money. There could be other reasons here and there, but with the vast majority it's money, and these are some of the hardest hit industries, and you know you see government in there, you see health care in there.
B
That's pretty common when you think about personally identifiable information, but one of the things that we're seeing with ransomware: you don't have to have that kind of information anymore, and so it's changing a little bit who is under attack. And then, of course, small businesses are not immune.
B
In fact, they are often targeted, and this is for very specific reasons that Brian will talk about. And Representative Pratt, we work with you and your committee on these issues; we're very concerned about it. I was looking at some research that was reported on by Forbes recently, a survey that was done that found that small businesses with less than 100 employees were three times more likely to be targeted by social engineering attacks, where you're using a person to gain access.
B
So this is not something that's just hitting the big guys at all. A couple of the numbers I'll just run through, and this was done by a survey by the US Telecom, the Broadband Association, for small, midsize, critical infrastructure businesses, and there's lots of different ways you can split and divide this data to kind of get a sense of how big this problem is, but for this particular one we're honing in on those small and mid-sized. They did a survey.
B
75 percent said that they had had at least one breach in company history, average cost 170 thousand dollars and seven and a half months to resolve it. Doing lots of things in response to those attacks, and industry experts are recommending that you dedicate 10 to 15 of your IT budget towards cyber security, or cyber hygiene as we'll sometimes call it, but we're actually seeing businesses spending even more than that from their IT budget. You can see in that graph on the right, those 50 to 100 and 100 to 500 employee businesses are spending the most, according to the survey that they did, of their IT budget on cyber security, and these are some of the common actions that are being taken by businesses. And I can tell you the chamber, just my personal experience from when I started a few years ago: we do so much more than we did back then, and it's not that we just know more. It's just the risks have gone up; there's so many more attacks. Small businesses and small organizations are getting attacked. We use the multi-factor authentication.
B
If the email doesn't come from the real Kate Shanks, and we see so many fake emails from Ashley Watts, our President and CEO, and they're kind of silly, because they're usually full of errors and they just don't sound like anything she'd ever say, but there are some that come through where you really have to scratch your head and be like, well, this is an Excel sheet my boss wants me to work on, and then all of a sudden you get into trouble. Department of Homeland Security, Cyber Security and Infrastructure Security Agency.
B
So there is this federal body that's working on this, and then we're seeing, of course, businesses spending more and more, whether they're spending on mitigating, in these practices that they're putting in place, liability insurance that we've talked about a little bit, or they're spending on cleaning up the mess when they do get an attack.
B
And then I can't miss an opportunity to complain about COVID, because it had such a significant impact on workplaces. You think of all the people going to work from home during COVID in 2020, and it was about getting people up and running quickly. Were some security measures skipped, and did that create an increase that we're seeing in some of the attacks, the PPP, the UI fraud? We have testified on the UI fraud.
B
These criminals are opportunistic, and so when you had all this government programming, government money, which we needed at the time, flowing to individuals and to businesses, it made them ripe for attacks. And then, as we've already heard today, people are the weakest link. Most of these attacks are coming through people; about 80, 82 percent are coming in through people, and then COVID made us weaker. If you're working from home and you get a suspicious email, perhaps normally you'd be like, oh, that person's two doors down, I'm gonna go ask her why she sent me that. Well, now you have to pick up the phone and send a message. These are things businesses have to think through as you have a workforce that's more and more remote. And then ransomware, which was explained really well just now. This is where we are right now. These attacks are through the roof and, as was pointed out, you don't have to be somebody that has personally identifiable information. You don't have to be a bank or healthcare or government.
B
You can be an engineering firm, a small engineering firm that works with highway contractors or that builds schools, but you've got data that's important, and you could be vulnerable to these ransomware attacks because your data is important. And we're also seeing more manufacturers, because if you think about advanced manufacturing, and you think maybe you have equipment or systems connected to the internet, all of a sudden that ransomware, you don't have people's credit cards, you don't have their social security, but they're taking down a piece of equipment that you need to operate to serve your customers.
B
So that's where we're seeing the situation kind of evolve and become very difficult. And then, additionally, the insurance market, which has been mentioned, is very much a young market compared to some of the other property and casualty coverages that you'll see. It's evolving with the risk, and the loss cost these last few years has been very high, has been increasing because of the risk, and so you're seeing sort of this balancing out and these changes in costs because of that.
J
Yeah, thank you, Kate. I think the slide that's up right now that you're looking at pretty much shows what we're seeing as a trend, not only in Kentucky but across the globe, and you've heard about it already. Ransomware attacks are just on the rise, and I'll talk a little bit about why I think that's happening, which Mr Hedden already alluded to earlier on. The next slide.
J
You'll see two graphs here that I think show a point that Kate brought up: the size of businesses that are being impacted by ransomware are typically in the 10 to 1000 range. Those are the businesses that can't afford to protect themselves the way larger businesses can. They're also, you know, if I'm an attacker and I attack a major corporation and make the news, that's going to be bad, because I'm going to be a major target for law enforcement.
J
But if I hit a mid-size business, now I fly under the radar. I'm still generating income, and without a lot of the risk.
J
In fact, there was an affiliate from one of the ransomware gangs that somebody actually had an opportunity to interview, and he alluded to the fact that I can hit one major business and score really well and really big, but then I'm a huge target and it creates a geopolitical firestorm, and that's when they kind of run and hide.
J
So it's better to hit those mid-sized businesses. And then the graph on the right is just ransom payments by quarter, and you can see back in 2018 ransom payments were relatively small, as criminals determined that this was very successful, and the fact that Kate alluded to earlier about businesses: all you need is a business who cares about their data. You have to have data to operate your business; you have to have financials; you have to have working documents.
J
If you don't have that, you can't operate. So that's why any business, it doesn't matter who you are, doesn't matter how big you are, if you think that your data is important, you're willing to pay for it to get it back. So I've been in the trenches for the past at least eight years. I think my first ransomware case that I was involved in was back in 2017.
J
The ransom demand was eight thousand dollars. That was a relatively small organization, under 20 employees. The last two ransomware cases I was involved in involved businesses in the 40 to 50 employee range. The ransom demands were between 400 and 500 thousand dollars. So those are major costs for a small business. Next slide. So you've heard a lot about ransomware.
J
So, as Mr Hedden said, bad actors are going to get in and they're going to encrypt the data on the network, and that pretty much takes the ability of the company to operate away, so they're kind of dead in the water. But before they encrypt that data, they're gonna steal all the data, and they're gonna pull it all off, and they're gonna... Most businesses now can recover from a ransomware attack just by using backups. You know, as Mr Carter said from COT, they've got good backups. They can recover.
J
I talked a little bit earlier about the rise in ransomware. Mr Hedden touched on this earlier, but it's all about ransomware as a service. You don't have to have technical expertise to pull off a ransomware attack anymore. You can simply buy ransomware on the dark web.
J
If you have issues pulling off your ransomware attack, no worries, you can just buy their 24x7 customer support and they will help you pull off the attack right along with you. So that's kind of what we're dealing with, and, as I said earlier, you know, if you think you're not a target, you're wrong, because it doesn't matter who you are or where you are.
J
One thing that was lightly touched on earlier was business email compromise, and I did want to touch on that. That's when a bad actor will gain access to someone's email. From then they're gonna look through the sent items, they're gonna look through all the email.
J
We need you to change your ACH to redirect payments to another bank. We've had probably four of our own customers fall for the scam and literally wire tens of thousands of dollars to the bad actors.
J
This was talked about a little bit earlier as well: most criminal activity is overseas. It's just really difficult to find them because they're operating on the dark web, and it's even more difficult to prosecute them. This is a statistic from the FBI Criminal Crime Complaint Center, but from 2014 to 2019, business losses jumped from 60 million to 1.8 billion, and that number is a lot higher now.
J
So the other thing I wanted to bring up, because this is something that we deal with almost on a daily basis at this point, is assisting our customers with their cyber liability insurance applications. You know the effect of all this ransomware, and that rise of ransomware and business email compromise.
J
The insurance industry is taking a major hit through no fault of their own. Cyber loss ratios soared from 47 percent in 2019 to 73 in 2020. So that is exactly why we're seeing cyber liability insurance premiums double, triple, quadruple. I think you heard numbers earlier: two, three, four, five hundred percent increases. That is exactly what we're seeing with all of our small to medium-sized business customers. They will either not insure you at all if you don't meet certain criteria, or they will take coverage down, so they will...
J
You know, a five million dollar policy might now be a one million dollar policy, and, oh by the way, we're also going to increase your premiums a modest amount. So the coverage that you're getting is less and you have to pay the same or more for it.
J
So what insurers are doing is they're demanding these high cost, disruptive, but, in my opinion, necessary solutions to even cover small businesses. So, as Kate said earlier, it's multi-factor authentication across the entire organization. It's having policies and procedures in place. There's cyber liability insurance questionnaires that I've seen, you know, 50 questions long and five pages, so they're very in-depth, but this is something that businesses should already be doing, a lot of it.
J
So I think what we're seeing, this shift in the market, is becoming very costly to small businesses. It's not only the cyber liability insurance premiums that are going up. It's the solutions that you have to implement, the cost of those solutions.
J
It's also the cost to the business after implementing the solutions. As Kate alluded to earlier, if our multi-factor authentication doesn't work, if it quits working, she might be completely locked out and can't do her job. Okay. So that's kind of what we're seeing across the small and medium-sized business market.
B
Thank you, Brian, and I'll just have a couple thoughts to end on. Can't get up here and not talk about workforce, or the chamber. Y'all have heard us complaining about workforce challenges now for a couple years, really longer. The talent pipeline for cyber security workforce is huge. It's something to think about. There's a lot of problems I think you heard today that you, as a legislative body, may not be able to tackle. There's not a legislative solution for everything that we talk about, but you just think about the talent pipeline.
B
Some states have looked at cyber security safe harbor statutes, where you put in statute maybe standards that some industries are already doing. You're defining things like what a quick enough response is, and then, if businesses choose to adopt those standards, or perhaps they're already doing it, they have access to the affirmative defense against the liability.
B
Sometimes it's what you don't do, and we're often concerned about any sort of patchwork of regulations across the state. We think a lot of these issues need to be dealt with at the national level, and making sure that we're bringing businesses to the table to develop broad consensus, relying on public-private partnerships, because, at the end of the day, innovation is key. You know, just hearing from COT about how they're trying to study these criminals and how they're getting in so that we can learn how to safeguard ourselves, I think, is important. And, to the extent that we have criminals in our own backyard doing this stuff, making sure that we have support for law enforcement of criminals, I think, is key. You know, obviously, people in other countries attacking us is one thing, but to the extent that there's stuff happening here, we need to make sure we're prosecuting those criminals to the full extent. So with that, Chairman, I'll happily open it up for questions.
D
Yes, there's a multitude that have cyber, but there's four that has to have the top line, and you'll hear this at the one o'clock A&R meeting we're having: a University of Louisville presentation that's going to go over this. Thank you.
D
But you're right, you'll hear that this afternoon: 750,000 jobs now.
B
A
Mr Chairman, when you talk about these criminals and what they're doing to businesses, are most of them coming from outside of the United States, or are they internal?
B
J
A
Well, let me ask you this to further it down. Where are most of these coming from? Is there a tracking area that says that it's in Europe, or coming from Asia, coming from Africa, or coming from South America? Is there an area of the world that is much more into this and successful at it?
J
Yeah, I think what I've seen mentioned is mainly Eastern European countries, Middle Eastern countries, Russia, China, North Korea, your typical, you know, your typical countries that you would expect to be pulling off a lot of these attacks, but that doesn't mean they don't happen from other areas around the world as well.
H
I just want to follow up on that. So if you're a hacker from the United States, are you using multiple VPNs from the obvious people? Are we talking about data as far as where the last point was that came in here, so it looks like it's from Iran, or are we talking about tracking VPNs to their original source, because we're really tracking that much information somehow? I mean, because it seems like to me the obvious way that people do things from inside is make it look like it's from outside.
B
J
Yeah, no, she's correct, but all of the data that we're seeing is based on the actual originating source; it is definitely not the end source through multiple VPNs.
D
If you have someone that's close to you, family, friend, whatever, they can somehow get into your email by knowing you. They, you forgot your password, and they know your answers, and then they go into your 401k, and they might have... Then they say we'll send the, instead of a text, to the email, and they change your codes or your passwords and stuff. And how they get your password is, first of all, they say, if you forget your password, there's simple questions: what's your mother's maiden name? Well, they know that.
D
So what you ought to do is give some phony maiden names, so even your personal people close to you don't know how to get in your stuff. Now we were talking about the cyber workforce in the pipeline. You know I'm very interested in the workforce in Kentucky. Well, you're going to hear about a Kentucky regional center we're going to try to start here in Kentucky at 1 o'clock in the A&R, if anyone's interested.