EPISODE 124
Case Study for Cyber as a Material Business Risk



About this episode

January 31, 2023

A $100 million Texas company called “United Structures of America” got struck by ransomware in 2019. You’ll be surprised at what happened next. Your hosts are Kip Boyle, CISO with Cyber Risk Opportunities, and Jake Bernstein, Partner with K&L Gates.

“Cyber Extortion of Patients”–https://cr-map.com/podcast/51/
“Quick Look at the ‘Essential Eight’ mitigations”–https://cr-map.com/podcast/63/
“How to Really Make Sure that Cybersecurity is Everyone’s Job” (pt 1 & 2)
https://cr-map.com/podcast/88/
https://cr-map.com/podcast/89/


Episode Transcript

Speaker 1: Welcome to the Cyber Risk Management Podcast. Our mission is to help executives thrive as cyber risk managers. Your hosts are Kip Boyle, Virtual Chief Information Security Officer at Cyber Risk Opportunities and Jake Bernstein, partner at the law firm of K&L Gates. Visit them at cr-map.com and klgates.com.

Jake Bernstein: So Kip, what are we going to talk about today in episode 124 of the Cyber Risk Management Podcast?

Kip Boyle: This is a cool episode. I've actually had this in the queue for a while. What we're going to do today is we're going to learn about what happened to this $100 million Texas company. They were called, and I just gave it away, United Structures of America, and they got struck by ransomware in 2019. And I want to unpack this. This is a really interesting case.

Jake Bernstein: Well, Kip, as you know, a lot of companies get struck by ransomware. So why focus an entire episode on this one particular incident?

Kip Boyle: This one's really unique. I think it's a rare chance to know some of the details we typically don't find out. And is also, this case also has a very unfortunate outcome. And because of the outcome or because of the details, I think this is worth spending an entire episode on. There is a remarkable amount of transparency on this ransomware attack, and I want to tell you how that came about. The first reason why it came about is because they had to file for bankruptcy as a result of this ransomware attack. And their bankruptcy filing was made public shortly after they filed the paperwork on January 11th, 2022. So about a year ago. And most interestingly, and in combination with the bankruptcy filing was that the former president of the company gave an interview to the Wall Street Journal about the cyber attack, the resulting bankruptcy. And I think he was very candid and I think he shared some really insightful experiences he had going through that, and I think our listeners would find his perspective helpful.

Jake Bernstein: Well, and that is fascinating and I think it's definitely going to be worth this episode. Let's go ahead and give a profile of USA, United Structures of America, then review the timeline of the ransomware attack, and then we can discuss the aftermath. How's that work?

Kip Boyle: Yep, yep. You're a mind reader. Either that or you read the script before we start, because that's exactly how I want to do it.

Jake Bernstein: Possibly both.

Kip Boyle: Yeah, possibly both. I also want to try to stay consistent with the Data Breach Investigations report because we cover that report every year and every time we cover it, we always say there's a difference between a breach and an incident. And I'm alleging that this was a breach, not just an incident. So what do you think about that?

Jake Bernstein: Well, I think it's a great example of how you can't always just take definitions and easily apply them to any particular situation. This is what makes the law so challenging at times, because here it is. The DBIR defines incident as a security event that compromises the integrity, confidentiality, or availability of an information asset. So any successful ransomware attack by definition is an incident. No question. A breach is an incident. So here we are, it's a subset, we've talked about this before, that results in the confirmed disclosure, not just potential exposure, of data to an unauthorized party. In other words, a data breach compromises the confidentiality attribute. And we've gotten to the point with ransomware that we have to assume breach, which is an interesting way of putting it because it is... Yes, I think we don't know for sure that this particular ransomware event resulted in the theft of the data, what we call double extortion. And you'll talk about that in a second.

But I think, and I'm just going to go off script briefly and complain slightly about the DBIR's definitions here because let's just say for a second that this isn't a breach because we don't know if the data has been, there's been confirmed disclosure. A ransomware attack that results in a bankruptcy doesn't feel like merely an incident, does it? And I think there's a little bit of that going on here as well. But I think, I'm glad you brought this up because it just illustrates, I was having a conversation not too long ago with someone who wanted or thought that why can't we just program a bunch of algorithms to apply the law? Why is it so hard? And this is just a perfect example of why we just don't have computing technology yet that's able to handle the nuance of life. So putting that aside for the moment, double extortion ransomware, the timing seems right. Is that correct?

Kip Boyle: Well, yeah. So there's a couple other things I need to add in here in order to round this out. So first of all, this breach, as I would like to refer to it, this breach happened in 2019. Well, 2019 was the time when this double extortion ransomware technique started to become public. So the Maze gang was operating a ransomware as a service, and they're not in business anymore, but they double extorted, I know business loosely.

Jake Bernstein: Well, and I was going to say, it's also, we don't know if the same exact people are just, oh, have reopened under a new name.

Kip Boyle: Well, how many times does a restaurant fail? And-.

Jake Bernstein: I believe quite a few.

Kip Boyle: And it reopens under a new name, but the same people are working with.

Jake Bernstein: Yeah. Fairly often.

Kip Boyle: So I'm assuming that that's probably going on here as well. It is a safe bet, but Maze double extorted an American company called Allied Universal in 2019. And the United Structures ransomware attack happened about the same time. Now, the reason why that data didn't become public, the reason it wasn't released is because as you're going to find out, United Structures paid the ransom. So there was no incentive, or there was a much lower incentive for their data to be publicly exposed as a result. Anyway, so this is my thinking about the time period that this happened, but certainly today in 2023, we're talking about multi-level extortion. We're talking about assumed breach. And so I think this is a reasonable way to think about it today.

Jake Bernstein: Okay, I totally agree.

Kip Boyle: Okay. So yeah, let's unpack that a little bit. Multi-level extortion, it's not just double extortion anymore, is it?

Jake Bernstein: Is not, it is not at all. And we see multi-level extortion. The encryption of the files, of course is just the beginning and how pedestrian only encrypting all your files. The second step, as you said, is threaten to release those files in cleartext to the open internet. The next one is followed by denial of service attacks and then moving on to direct communications between the cyber attackers and the victims, the victim's customers, and other stakeholders. So what is that? At least four levels of extortion there.

Kip Boyle: At least. Yeah.

Jake Bernstein: At least. But you know what? That is an episode for another time. We have covered direct communication with customers, extortion technique back in episode 51. That was the cyber extortion of patients. And since we have show notes now, we'll put a link to that episode in the show notes.

Kip Boyle: And that's an example of where just because you read off the multi-level extortion in certain order doesn't mean that it's always going to go like that.

Jake Bernstein: Yeah, yeah, yeah. A ransomware, multi-level extortion almost always does start with encryption, but the rest of it is more flexible.

Kip Boyle: That's right. That's right. It's like a floor routine in gymnastics. Who knows how they're going to go next. Okay. Let's get back to United Structures and see what we can learn from this case. And so let's learn a little bit more about who United Structures actually was. So what do we know about them?

Jake Bernstein: Okay. Well, so we know that they were a Houston based steel manufacturing and design company. They were founded in 1980 and were privately held. They purchased raw steel from suppliers, processed the steel to the specifications of their customers, as well as designed steel based buildings. They had 450 employees at the height of their business. The president was a guy named Dane Drake, who according to his LinkedIn profile, had worked there for 24 years. And then outside of the bankruptcy filing, the United Structures attributed its closure to crippling, this is a quote, "crippling business circumstances that were not foreseeable," specifically the company cited the lingering effects of all those steel tariffs, financing issues, and "a recent cyber attack."

And you and I were talking about this before we started recording, yes, there were other factors in play. And no, we cannot predict what the future would've held for this company without the cyber attack. But I think on their own, none of those things I think would've necessarily led to the bankruptcy of this company. But I think that the ransomware attack, particularly after we talk about what happened with it, I think it was just particularly brutal.

Kip Boyle: Yeah, it was definitely a piling on. Probably no one of these things would've liquidated them, but this cyber attack definitely pushed them over the edge. So, all right, let's now get into the timeline of the attack itself. So again, I love this because we're getting a really good transparent view into what actually happened. So the first thing we need to know is when did they get exploited? And based on the forensics and what was released in those two sources that I mentioned at the top of the episode, there was an IT administrator and that person had a laptop, which was breached on May 25th, 2019. And why was that laptop breached? Well, because the password to the IT admin's account was the address of the business. And that had been their password for at least six years, maybe even longer. And so that's how the attackers came in as administrators and that's how they were able to set up the ransomware attack.

Jake Bernstein: That is very, very unfortunate. What are some other details of the attack here? What other timeline data do you have? Because I know you've got a bunch.

Kip Boyle: There's a bunch. But I want to make a comment about the entry point, okay. Now I don't want to disparage this individual, but I do want to reemphasize something we talked about recently, which is your IT people are not your cybersecurity people.

Jake Bernstein: Oh my goodness. No.

Kip Boyle: This is a big mistake that I see senior decision makers making all the time, especially in the mid-market, where they think that their IT people are going to be able to handle all that. And this is another example of many where that just was not true. Okay. So the president, Dane Drake, said that the attack became visible at about 6:00 AM on May 29th. So it's about four days after the breach and right after the Memorial Day weekend. And that's consistent with this idea that these cyber attackers love to mess with us around holiday times and when we are at our least capable of responding. And so there's a lot of authenticity there. They had 400 computers altogether, desktop computers and servers, and every one of them became inoperable and by noon that day, so within six hours of discovering, all production had ceased, none of the steel's getting processed, none of the orders were being fulfilled.

And I found some quotes from Dane Drake, the president, which I thought were just, again so insightful. So he says, "At first I was optimistic, this was another unfortunate event. I was under the impression that we had a fully operational backup system. It was installed. And so I wasn't terribly concerned until around the noon hour. But I realized that the backup system was installed but never initiated and not properly ready. And one of the many lessons I learned is to always have fire drills and dry runs to make sure the backup systems are operational and working properly." Ouch. What an awful way to learn that lesson.

Jake Bernstein: Yeah, and you're right. I think this is such one of those, the transparency here makes it a very useful learning exercise for folks, for our listeners.

Kip Boyle: Yeah. Because-.

Jake Bernstein: Even though it's really... And it gets very sad as we will see.

Kip Boyle: Yeah. It gets even more sad. And we're recording this in between Christmas and New Year, so it's a bit of a blue Christmas thing as we-.

Jake Bernstein: Yeah.

Kip Boyle: ... this, but... Okay, so the ransomware, how much did they want? Two bitcoin per IP address? And that meant at the time to unlock all 400 machines was $11 million, just over $11 million. And the president of the company, he paid it. He paid it. But here's another interesting wrinkle that the transparency brings. He paid it on June 1st and it was late. And he said the reason why he had to pay it late is because, "he was not familiar with how to get a hold of Bitcoin. And it was not as easy as I expected." And I think, that's a quote that sums up a lot of what we're going to hear.

Jake Bernstein: It does. Although, keep in mind that this was back in 2019, also known as pre-FTX, literally it may have just started. And you know what? Honestly, I don't know how easy it is to get Bitcoin these days.

Kip Boyle: It's not.

Jake Bernstein: I still don't think it's very easy.

Kip Boyle: Well, and as easy as it may or may not be procedurally, what I know is that there are waiting periods.

Jake Bernstein: Yes.

Kip Boyle: There's actually holding periods where, so you can't just rapidly acquire and move Bitcoin. So if you as an organization think that you might pay a ransom, then it behooves you to purchase Bitcoin in advance so that it's available when you need to move it or have some arrangement with a financial institution who has a reserve of cryptocurrency that can move it for you however you do it. But here is an example where the president had to scramble and probably had to sweet talk the attackers into being patient. And just extra stress.

Jake Bernstein: Yep, exactly. And I'm sure the attackers were patient because they have nothing to lose by waiting if they can get their money.

Kip Boyle: But he doesn't know that.

Jake Bernstein: He does not know.

Kip Boyle: Because he's never faced this before.

Jake Bernstein: Yeah, exactly.

Kip Boyle: He has no clue about this. He's learning as he goes. Unfortunately-.

Jake Bernstein: Yeah. I was just going to ask you. So how much did they get back?

Kip Boyle: Well, so they paid the ransom, this $11 million, but they got a key, but it didn't really work. And so they only got a limited amount of their data back. And then the hackers demanded even more ransom to unlock the rest. So they had a knife, they plunged it in this company's back, and they were just twisting it slowly.

Jake Bernstein: Then they twisted it, yeah.

Kip Boyle: And just kept doing that. And, yeah. So it's awful.

Jake Bernstein: It is awful. And out of curiosity, when did this company tell their customers that they'd suffered a pretty serious attack?

Kip Boyle: It wasn't until the second week, and we've talked about this before, public relations for the preservation of your number one asset, which is your reputation. I don't know, because I can't tell from the sources. I don't know if that was based on a fear that they like, oh my gosh, we can't tell anybody. I don't know if that was based on a coverup attempt or, and I think this is just as likely, they were so distracted with dealing with the attack they just didn't even think about.

Jake Bernstein: And I suspect there was at least one other factor, which is they also didn't know how big of a deal it would be. I think all three of those-.

Kip Boyle: Good point.

Jake Bernstein: ... things point is over the course of this time, like the guy said, he didn't think it was that bad at first, and then you're trying to deal with it and it's like, yeah, I can understand why. Again, this was 2019, I think that was really just the very beginning of the somewhat now historical ransomware surge over the pandemic. But it's interesting. So anyway, here's what ultimately happened to United Structures. So the ransomware attack wiped out United Structures data relating to accounts receivable, accounts payable, current orders, customer information, the current CNC machinery files, along with essentially all of its business data. Ouch.

Kip Boyle: And everybody knows what CNC is, right?

Jake Bernstein: Yeah. What is that? Oh, I know. I always say I... Kip, do we know what CNC stands for?

Kip Boyle: We do know.

Jake Bernstein: It's not CAD, which is computer aided design.

Kip Boyle: No, it's not. It's Computer Numerical Control.

Jake Bernstein: That's right.

Kip Boyle: And what this means is that these days when you are machining parts, you've got a chunk of aluminum and you want to shape it into a certain shape or whatever used to be that a person would stand at a lathe or whatever, and they would do that by hand. These days they actually have machines that automate all that. And these CNC files are like the program that tells the machine what to cut, how deep to cut, how long to cut, all that stuff. So without those programs, those CNC files, the machines have no idea how to manufacture parts.

Jake Bernstein: So unsurprisingly, it had to shut down its Houston facility and laid off all of those approximately 450 employees by late 2019. The company struggled for years to reconstruct its data and was eventually forced into bankruptcy and ended up filing its declaration, like you said, at the beginning on January 11th, 2022.

Kip Boyle: Yeah. Gosh. So what was that? Two years of wallowing in the mire of downstream from this attack? This is so wrong and awful just on every level. Why is it that companies that are doing their best out there, they have these payrolls, people have careers, so on and so forth, meaningful work serving customers, and then they just get wiped out by a tsunami of digital awfulness. It's just wrong. And, yeah. That's why we're in business, because we don't-.

Jake Bernstein: It is to some degree, we don't like this at all. And just to go back to the causes of the bankruptcy and the destruction of the company. If you think about just logically, and we don't know, this is a little bit of speculation, but the tariffs, just any macroeconomic situation, any company can weather, I don't want to say any, most companies can weather that kind of stuff. It's cyclical. It happens. But when you look at what this company lost, they literally couldn't operate. It was bad enough to lose your accounts receivable and accounts payable. But if we just play some what if games, if all they'd lost was their AR and their accounts payable and even their current orders, that would've been so obnoxious. But they probably could have reconstructed that over time and gotten things going.

The problem was, is that they couldn't produce anything. At least this is my argument, my supposition here is that without those CNC machinery files, and we often talk about protect the crown jewels. And I think this is really a helpful, just a quick thing to mention is that when you think about what are our crown jewels? Well, first of all, it a hundred percent depends on your business. It totally does. But I can tell you right now, accounts receivable and accounts payable, your CRM, those are important to all businesses. I get that. I agree. I'm not certain, and I'm not going to say this categorically, but I'm not certain that for a majority of industries, those should be considered the crown jewels. If your entire business is based off of marketing, maybe then the CRM is your crown jewel. Maybe it's.

Kip Boyle: Well, we know some companies get acquired because of their customer list. Not all, but some.

Jake Bernstein: Yeah. And sometimes that's not just the list, but it's the contracts and the existing relationships and that kind of stuff.

Kip Boyle: It's the book of business.

Jake Bernstein: It's the book of business, which is much more complex than just the digital data.

Kip Boyle: Yeah. It's the contracts and everything.

Jake Bernstein: Yeah. Anyway, just a good example is a company that got ransomwared like this, someone could still buy them for their book of business because that book of business still exists. The problem here though is that what I argue is I would argue that their CNC machinery files, whatever allows you to convert your labor and time into money is really, should be considered the crown jewel of any given business.

Kip Boyle: And raw materials.

Jake Bernstein: And raw material. Yeah. Well, and yes.

Kip Boyle: In this case, because they had steel coming in one door, finished product going out another.

Jake Bernstein: And that's a better way of saying it. It's that black box that lets you, whatever operates within the black box that lets you take some input, whatever that is, whether it's only time and energy, or whether it's time, energy and raw materials and produce something that you can sell. I think people should think of that as their crown jewels.

Kip Boyle: Yeah, I agree. And in a non-manufacturing sense, where we're just knowledge workers, we're selling software or advice or whatever it is, you have the equivalent of CNC files, whether it's-.

Jake Bernstein: Absolutely.

Kip Boyle: ... programs or document templates or working papers, whatever it is you draw on in order to be able to deliver services to customers or digital deliverables or whatever. So it's not just manufacturing, it really is flippable across the board.

Jake Bernstein: Oh, no, it really is. It definitely is.

Kip Boyle: I'm glad you took a moment to make this point. Okay. Let's keep going.

Jake Bernstein: Yeah. And to finish my thoughts on this is, okay, so obviously they didn't ask to be attacked, but they were. But also I think it's important to recognize that they weren't ready.

Kip Boyle: Not at all.

Jake Bernstein: And I think our listeners can learn a lot from this breach/ incident/ definitions are challenging/ there will always be a job for lawyers. Let's continue to do that by reviewing some quotes from the president of the steelmaker and design firm who's Dane Drake that he gave in the June 2022 Wall Street Journal article.

Kip Boyle: And think about it. That was three years after he first stumbled into this. So he had a lot of time to think about it.

Jake Bernstein: All right, so here we go. These are all quotes. If I vary, I will make it clear. So first one, "My normal concerns were overtime and production and supply chain. And now all of that was taken away." That's an interesting quote. And what do we say Kip? We say that cybersecurity really needs to always, it needs to become just another business risk. This guy is saying, my normal business risks are overtime, which always costs more money. Production, supply chain-.

Kip Boyle: What he's saying is, I'm so distracted by this event and this event has taken away from me, my normal concerns through the distraction and the fact that he has no capability to manage his business, because all of his levers and knobs that he's used to having to pay attention to don't work anymore. There's no way for him to manage his business. Plus he's got these crazy people breathing down his neck. And so I think we've said this before where cyber risk is the ultimate business risk because in one fell swoop, it can decimate you, it can eclipse all other business risks. And completely fill your field of vision.

Jake Bernstein: It certainly can. Here's another quote. "We did not have an incident response team, but I was able to obtain that by noon the day of the attack, and they helped me. It was amazing how much information they found so quickly of how porous and naked I was to the world, if you will, from a cybersecurity standpoint." This is a common sentiment that I hear is once an incident happens and the forensic team, whoever it is, gets in there, almost always, it's like, Hey, did you know this, this and this? And we've both had clients-.

Kip Boyle: That's right.

Jake Bernstein: ... who are shocked about it.

Kip Boyle: They can't see it until somebody shows it to them and they're in a receptive mind.

Jake Bernstein: Yeah. Yes. Okay, next one. "I had no idea who I'd invoiced the month or two months before. I rebuilt my accounting system with bank statements. Not the way I recommend anybody to do that." Yeah, that's definitely no fun at all.

Kip Boyle: Oh, well, we know what he did for some of those three years following the attack.

Jake Bernstein: Yep. Yep.

Kip Boyle: Is he tried to rebuild his finances.

Jake Bernstein: "We also had tax liabilities. And if I need to pay or if I'm audited, we're in a situation where we don't have records to support us." That's a really interesting point because I think it's one that gets forgotten a lot of the time when we're talking about this stuff. So often we look at the short-term consequences of a ransomware attack. And this is a really good example of a longer term one.

Kip Boyle: Yeah. And on a related note, there was a payroll automation company that people had outsourced to, a lot of people, who, I think it was in early 22 or late 21, and I can't remember that part, but there was a payroll outage and a lot of companies got in trouble because they didn't meet payroll on time. And so their states got involved and penalized them because they didn't pay workers on time. They didn't-.

Jake Bernstein: Wage and hour claims.

Kip Boyle: ... they didn't remit payroll taxes on time. It was a complete and utter failure in the HR world because of a ransomware attack. So these second order effects are really interesting.

Jake Bernstein: They really are. Next quote. "I did not have cyber insurance."

Kip Boyle: Well-.

Jake Bernstein: Just as the quotes continue here, and that is something that I would recommend today with any business. Our caveat, if you can get it. In 2019-.

Kip Boyle: You could-.

Jake Bernstein: ... this is almost an unforgivable sin. Anyone could have gotten it for not much money, for pretty darn good coverage.

Kip Boyle: Yep.

Jake Bernstein: Here's a great quote, "because the enemy, if you will, is always adapting and I was not." That's just such a concise way of summarizing everything we say. And then, oh, another, I like this one too. "Arrogance is not welcome in this environment." It is not.

Kip Boyle: Yeah.

Jake Bernstein: We've seen this-.

Kip Boyle: I got to tell you. Yeah. Dane Drake, I love the candor of his comments. His willingness to be vulnerable in this interview with the Wall Street Journal, his willingness to admit after having reflected on it, after having lived in the pain of it, to be able to say these things out loud and on record is stunningly refreshing.

Jake Bernstein: It is. And what the thing is, is this is true of so many people. This individual has the guts to say it out loud, but all of these things are, so many people could have given these quotes.

Kip Boyle: Oh, absolutely. And that's the other thing about them is that they're so broadly applicable to anybody in his situation.

Jake Bernstein: Well, here's one that makes me sad.

Kip Boyle: I thought you'd enjoy this one.

Jake Bernstein: "I did not." Sorry, I'll start over. "I did not have any legal assistance." Well, okay. So that really does flow from the previous quote, which was, "I did not have cyber insurance." So it's not surprising. And a lot of law firms, the breach response work is still pretty specialized. There's a handful of law firms out there, a relative handful that do it a lot because they're on an insurance panel. And then there's an even smaller thimble full that isn't on a panel, but that still has incident response capabilities. Most of your standard business lawyer, business law firms, particularly small ones, just aren't going to have that kind of ability. So that's totally predictable. And then last, let's end with, there's two questions here from the Wall Street Journal in this interview.

What do you think about cybersecurity training for employees, is the first one, and what are your thoughts about that having gone through this particularly damaging attack? And this is his response. "I think it's extremely important. You need to have training. You need to test employees to see if they open phishing emails. If the employee fails or does not take their training on time, there should be constructive disciplinary actions as a result, because that person that does not value your security could be a point of breach. Easier said than done. But that's something where security and HR need to be aligned a hundred percent." Well, what do you think about that, Kip?

Kip Boyle: Episode 88 and 89 of the Cyber Risk Management Podcast talked all about that, how to make sure that cybersecurity is everyone's job. And that's what he's saying here in other words, but I love his words because these are the plain spoken words of a senior decision maker who has recognized that this is a business risk that should be treated like other business risks. If you violate company policy, you go through constructive disciplinary process. And that could be like I showed up to work drunk, or I stole company property, or I drove the forklift around in the warehouse in a very unsafe way.

Jake Bernstein: Well, the funny thing is too, is all of those things would be automatic. Nobody would question that. Nobody would ever even push back on discipline for that kind of stuff. You could combine them too. What if you came to work drunk and then drove the forklift while drunk in a crazy fashion? You probably just get fired. And I'm not saying that, no one's ever said that failing one phishing exercise is grounds for termination.

Kip Boyle: I don't think it should be.

Jake Bernstein: And no, and I don't think it should be either.

Kip Boyle: But there should be some consequence. And that's-.

Jake Bernstein: There should be some consequence. But more importantly, it's the repeated, the inability to learn should be concerning.

Kip Boyle: Yeah. Yeah.

Jake Bernstein: The first one, no, the second one, no, but if you... Again, I'm not categorically saying three strikes you're out is correct either. But there needs to be some real heart to heart conversations if you have an employee who three times or more just keeps clicking.

Kip Boyle: That's right. With reckless abandon. So in this quote that you just read off, Mr. Drake talked about something called constructive disciplinary actions. Well, another term for that is a progressive disciplinary system. And these systems are designed specifically to catch and call people and get them back on track. In other words, employers who use these systems are saying, we don't want to fire you. We just want you to follow the rules. And so we're going to start with a verbal warning. And if you do it again, we're going to move that to a written warning. And if you do it again, then double secret, written warning, whatever the system is, and it progresses up to the point where fourth, fifth time, whatever the system is, you are now a person who's demonstrated that you have no interest in complying with the rules. So we're going to say goodbye to you now. So you have every chance to get back on track and you haven't taken it. And so we're going to part ways. And I think that is how companies should be treating violations of cybersecurity policy, including phishing. Yeah.

Jake Bernstein: Yep. And just to play, not devil's advocate, but just to illustrate that there's many ways to skin this particular cat, you could also have a situation where assuming it was possible and compatible with someone's work duties, they could get an increasingly locked down machine.

Kip Boyle: That's right.

Jake Bernstein: And there's all kinds of things that you could do. Eventually though I think what would happen is you get to a point with someone where you can't lock down the machine anymore without preventing them from doing their job, and they're still doing it. This can put you out of business. So I-.

Kip Boyle: That's right.

Jake Bernstein: ... think it's really important to remember that.

Kip Boyle: It's huge. It's such a huge risk these days.

Jake Bernstein: It is.

Kip Boyle: 15, 20 years ago, it was just really, the computer would get a virus on it. You'd have to scrub the virus off and somebody would not be able to work for half a day or something like that, but obviously it's-.

Jake Bernstein: It'd be annoying.

Kip Boyle: Yeah. But it's spiraled completely out of control now.

Jake Bernstein: It really has.

Kip Boyle: So unfortunately, Mr. Drake and everybody who was working with him learned the hard way that cyber is a business risk and has to be treated that way. Now, before we close out the episode, there's another second order effect here that I think we should talk about. We talked about paying taxes, we talked about payroll, all that sort of thing. So let's talk about their bankruptcy filing. So we know that they didn't have financial records because Mr. Drake said that they lost their financial records and he had to redo his best to reconstruct them with bank statements. But bank statements don't contain everything you need.

Jake Bernstein: They don't.

Kip Boyle: That's just cash. It's just a record of-.

Jake Bernstein: It is just cash. Yeah.

Kip Boyle: ... Cash in, cash out.

Jake Bernstein: Cash out.

Kip Boyle: It's not an accrual accounting system. So they are obviously missing a lot. How do you file bankruptcy without disclosing all your assets and all your liabilities? How does that work?

Jake Bernstein: Well, so I will say first that I'm not a bankruptcy lawyer. So this is just high level understanding of how bankruptcy works. But essentially, this company, United Structures of America, qualified to file under sub chapter five of Chapter 11. So that means that it was still required to file schedules and a statement of financial affairs. They were able to avoid the petition date filing requirements by submitting a statement under oath, explaining their lack of financial information, which of course was it's encrypted and we don't have access to it.

And as a debtor filing under sub chapter five, United Structures was able to confirm a plan of liquidation without the approval of any creditors, who I'm sure were quite frustrated with the lack of information regarding their finances. But what are you going to do? This is part of the-.

Kip Boyle: It's gone.

Jake Bernstein: ... reality. And then finally, United Structures avoided the requirement of filing a disclosure statement in which debtors are typically required to provide adequate information for creditors to make an informed decision about the debtor's plan to exit bankruptcy.

Kip Boyle: There was no plan to-.

Jake Bernstein: To disclose.

Kip Boyle: ... bankruptcy.

Jake Bernstein: There was no plan to [inaudible] bankruptcy. This is it. So yeah, again, not a bankruptcy lawyer, but that is a high level overview of what would've happened.

Kip Boyle: Yeah. Yeah. I can't imagine that this type of bankruptcy happens very often where you're allowed to essentially go through this trap door where you don't have to do this, and you don't have to do that. And does it seem like there was a lot of unusualness here? And I got to think the creditors probably at first were like, oh, BS, of course you have all this, you just don't want to give it to us. I got to imagine there was a lot of probably incredulity.

Jake Bernstein: And back in 2019, I imagine yes. I honestly wouldn't be surprised that this has happened much more often in the recent past, simply because of cyber attacks, but I have no personal knowledge of how often this happens.

Kip Boyle: But I just think about the creditors right. Now, there's a new credit risk in the landscape, isn't there?

Jake Bernstein: There is.

Kip Boyle: That an organization would get hit by a ransomware attack, it would be the straw that breaks the camel's back, it goes bankrupt, and they go bankrupt with no records.

Jake Bernstein: Yeah, no, that's brutal.

Kip Boyle: And as a creditor, what are you going to do? You got nothing.

Jake Bernstein: Well, hopefully you're a secured creditor.

Kip Boyle: Hopefully.

Jake Bernstein: And hopefully-.

Kip Boyle: Because there are tangible assets in this case.

Jake Bernstein: Yes, in this case.

Kip Boyle: But in a knowledge-based company, there wouldn't be. There would be no tangible assets. There'd be nothing to sell because everything would be encrypted and unavailable. All your intellectual property would be gone.

Jake Bernstein: Gone. Absolutely.

Kip Boyle: So I just find, again, this case is so worthy of its own podcast episode because it's allowing us to see these second order effects in addition to some of the other things that we're able to look at here. So let's take a moment, and as we wrap up the episode and just ask the question, United Structures wasn't ready for this, and they paid the ultimate price for it. What should they have done to survive this ransomware attack?

Jake Bernstein: Well, obviously we don't have another 40 minutes on this episode. So I will mention episode 63, which is called a quick look at the Essential Eight Mitigations. Those are designed to reduce the risk of malware of all kinds, including ransomware. And we'll put a link to that episode in the show notes. But I would say what's almost extra sad about this is that they at least ostensibly had someone at least thought to buy a backup solution. It wasn't configured, it was never run. So obviously you don't really get any points for that there.

But I think what that makes me think is that, gosh, the dangers of checkbox style, managing cyber risk. It's like-.

Kip Boyle: Yep.

Jake Bernstein: ... someone just asked, well, do we have a backup system? And it's not a lie. It's not false for someone to have answered, yes, we bought one. And this is a perfect illustration of the dangers of checkbox security.

Kip Boyle: Yep.

Jake Bernstein: Yeah. We check the box, we have a backup system, but nobody asked, okay, is it-.

Kip Boyle: Does it work?

Jake Bernstein: ... does it work? Has it been tested?

Kip Boyle: Yeah.

Jake Bernstein: And you just can't stop with the, do we have it?

Kip Boyle: Look at these blinky lights. Isn't that impressive?

Jake Bernstein: Yeah. Yeah.

Kip Boyle: And you know what? This is a great thing for you to talk about, because I know from working with customers who are trying to get cyber insurance policies, that the insurance carriers are actually asking the question, have you tested your backup data system? And how quickly can you restore everything? That's being asked now.

Jake Bernstein: Yeah.

Kip Boyle: So you have to have an answer to that. So that's good.

Jake Bernstein: Well, and that's very good too, because let's be honest, and again, I'm not, as everybody knows by now, having listened to me for a 120-ish episodes, I think I've missed one or two here and there. I'm not a security engineer, but my argument I will make is that if you are prepared, you probably should be able to recover from this kind of attack within a business week, maybe even faster, maybe slower. Again, everything's going to be a little bit different, but the insurance companies here, they need to stop paying ransoms. And one of the ways that they're going to minimize that, is they're just not going to insure you if you haven't tested your backup. And-.

Kip Boyle: That's right.

Jake Bernstein: ... know that you can get back up and running in a reasonable period of time.

Kip Boyle: Or if you lie, if you lie on the application and say, you can do it-.

Jake Bernstein: Don't lie.

Kip Boyle: ... and then you can't-.

Jake Bernstein: Yeah, that's a bad-.

Kip Boyle: ... just to be clear, it's not likely you're going to be referred to prosecution for lying on the application, although you could be, really, what's likely to happen is they're going to refund your premium and say, policy withdrawn and then you're not-.

Jake Bernstein: They may not even refund the premium. That's a breach of-.

Kip Boyle: Okay.

Jake Bernstein: ... That's actually... And-.

Kip Boyle: Breach of contract.

Jake Bernstein: Yeah. So you're correct. You're correct that you're never going to get prosecuted for perjury on that. However, what would be most bad for you is if you go through a claim process, the insurance company spends money defending you, figuring it out, and then discovers afterward that you'd lied about having this, they will sue you for all of that money. And you'll also, I guarantee you'll have sacrificed whatever premiums you've been paying.

Kip Boyle: And most importantly, you've lost the recovery resources-.

Jake Bernstein: Oh, totally.

Kip Boyle: ... that the policy should provide. So again, checkbox security will not help you here.

Jake Bernstein: No.

Kip Boyle: So anyway. Okay. Any final words, Jake?

Jake Bernstein: No, I think we've really hit this one out of the park.

Kip Boyle: Yeah. Yeah. I feel really good about this, and I hope our listeners found this to be useful, insightful, and if you are a cybersecurity professional, you should probably ask your senior decision makers to listen to this episode so that they can more fully appreciate the business aspect of this particular case and talk with them about it and say, what do you think? And try to get that conversation going, enrich your conversation with your senior decision makers about this topic. But, okay. So that wraps up this episode of the Cyber Risk Management Podcast, and today we learned what happened to a $100 million Texas company that was called United Structures of America after it got struck by ransomware in 2019. And we'll see you next time.

Jake Bernstein: See you next time.

Speaker 1: Thanks for joining us today on the Cyber Risk Management Podcast. If you need to overcome a cybersecurity hurdle that's keeping you from growing your business profitably, then please visit us at cr-map.com. Thanks for tuning in. See you next time.

YOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).

YOUR CO-HOST:

Jake Bernstein
K&L Gates LLC

Jake Bernstein is an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.