EPISODE 136
Why Cyber Resilience is a Business Advantage


About this episode

July 18, 2023

An $8 billion company was hit by ransomware and then was sued in court by one of its best customers. What’s the connection with cyber resilience? Let’s find out with your hosts Kip Boyle, CISO with Cyber Risk Opportunities, and Jake Bernstein, Partner with K&L Gates.

“Case Study for Cyber as a Material Business Risk” — https://www.cr-map.com/124

Episode Transcript

Speaker 1: Welcome to the Cyber Risk Management Podcast. Our mission is to help executives thrive as cyber risk managers. Your hosts are Kip Boyle, virtual Chief Information Security Officer at Cyber Risk Opportunities, and Jake Bernstein, partner at the law firm of K&L Gates. Visit them at cr-map.com and klgates.com.

Jake Bernstein: So Kip, what are we going to talk about today in episode 136 of the Cyber Risk Management podcast?

Kip Boyle: Hi, Jake. Today I really enjoy this kind of an episode. What we're going to do is we're going to learn why cyber resilience is a business advantage by looking at what happens in the real world to an $8 billion company, after it was hit by ransomware and then it got sued in court by one of its best customers. So we have all this amazing information that has become public and we want to share that with the audience.

Jake Bernstein: So you're saying that we can thank the legal system for this episode?

Kip Boyle: Yes, our litigious society has brought you, the listener, this one.

Jake Bernstein: Interesting. Well, I guess we're going to find out if it was one of those, gosh, you're being overly litigious or if maybe it made sense. I guess we'll withhold opinions on that until the end.

Kip Boyle: Well, it's always based on the facts, isn't it? If I've learned anything from Jake Bernstein, it's that it's fact specific and it's based on a point in time and we need to define terms.

Jake Bernstein: That's right. That's right. So speaking of defined terms, this sounds like another one of those cyber is a material business risk episodes. Is that right?

Kip Boyle: Yeah, it is. And we have to define that little turn of phrase a little bit better by looking at it from a slightly different angle. And it also happens that this is going to be a great time to also do one of those cyber resilience is a business advantage episodes as well. So we're going to do both.

Jake Bernstein: I think we need to do more of those. I think cyber security is seen as a cost center in most businesses still. And I'm not necessarily saying that's inappropriate, rent is a cost, but you have to pay it anyway. But if cyber resilience is something that you can gain from your cybersecurity program and it is a business advantage, then by all means, let's unpack these statements.

Kip Boyle: So we could say that spending on rent is sales enablement. Because if you run a retail location and you need a place for customers to come to, then your rent isn't just an expense. It's actually a way to bring revenue in. And that's really what I'm trying to say when I say that cyber resilience is a business advantage. But we'll get to that. Let's start by unpacking the first statement, which is that cyber is a material business risk. Okay, so most of the people listening to this episode probably work in cybersecurity, work in technology; probably most of our audience is not in finance. So hearing me and you talk about a material business risk may not ring any bells immediately, but a material business risk is one that may have a significant impact on the company's operations or its financial position or its prospects for future success.

We talked a lot about this actually back in episode 124. And in that episode we talked about this Texas company, a hundred million dollar Texas company, it was called United Structures of America. And in 2019 they got struck by ransomware and ultimately they went bankrupt. So this is not the first time we've brought this up, but material business risk is such an important idea that publicly traded companies are required to disclose all of their material business risks when they submit an annual filing to the Securities and Exchange Commission called a 10-K. So even though this is not a common thing that cybersecurity people and tech people talk about, it's becoming important to our work.

Jake Bernstein: And I haven't really talked about this, but since joining the larger firm where I work now, I've had exposure to companies that file 10-Ks. And one of the big questions is if a company has had some manner of cyber incident, cyber attacks, cyber breach, ransomware, how much is required to be disclosed in the 10-K? And we haven't talked about it yet on the podcast, I believe. I know we did an episode in 2022 about the SEC's couple of cybersecurity-related proposed rulemakings.

Kip Boyle: Actually that was our episode of the year. That's how many views it was, like the top most listened to of the year. And that's why [inaudible].

Jake Bernstein: Well, we may have to do another one because the SEC was at it again in the spring of 2023. And believe it or not, not only did they reopen the commenting period on the very same proposed rule that we talked about back in 2022, but they actually passed, or I should say proposed, additional ones. One of which would focus on this idea of cybersecurity disclosure in forms like the 10-K. So it's still proposed, so it's not new, but the SEC clearly recognizes that this is an important issue and I think that it's probably going to be the case that we see the regulator come out and just say this is what material business risk means when we talk about cybersecurity. You just don't have a choice anymore. So this is extremely timely that we're talking about this and the 10-Ks. So I think you're right. I think a lot of cybersecurity folks probably haven't had a lot of exposure to 10-Ks at this point, but I predict within the next 12 months that will be significantly different.

Kip Boyle: Good. So I don't look at 10-Ks very much because we don't work for that many publicly traded companies in my day job, but I am familiar with what a 10-K is and I've read them before. So I'm glad to hear that you agree that this is going to become a bigger topic of conversation. And maybe we should start instigating this a little bit more in our local chapters of ISSA and ISC2. And they probably should start talking about this.

Jake Bernstein: Well, and like I said, the SEC recognizes the issue and something will happen. So this all makes sense, but now what about cyber resilience is a business advantage? I think we've talked about that over the, gosh Kip, years now.

Kip Boyle: Yeah. But we don't talk about it on every episode,

Jake Bernstein: So we certainly do not. So let's go ahead. Oh, I see. I preempted you: many businesses do view cybersecurity as a cost to be managed. But go ahead. Why is it a business advantage, Kip?

Kip Boyle: Well, it's a business advantage because it's starting to really show up in a big way in companies' supply chains and so forth, even though a lot of companies still view it as just a cost that I've got to manage. And also a lot of businesses see it as an annoyance and as an impediment to being agile and nimble and responsive to customers. They tend to think of it as a straitjacket or cement boots.

Jake Bernstein: Wait, are you saying that people think we're annoying?

Kip Boyle: So they've got to get out of that is what I mean when I say cyber resilience is a business advantage because that's really what great cybersecurity programs do is they make you more resilient. And that gives you an edge by having a really robust cybersecurity program. Customers who are looking for safety and security are going to be attracted to you. And we're already seeing this, although I would say it's nascent, but a lot of companies ask potential vendors to complete these detailed questionnaires, these surveys about their internal and their external cybersecurity practices before they agree to purchase from them.

The number of SOC 2 reports is going through the roof because a lot of companies consider that to be a proxy for knowing whether a company is responsible enough to have a good cybersecurity program. And if your customer is demanding certain cybersecurity guarantees or a data security addendum or something like that, if you can't do that, then it's very difficult to close a deal. And your time to close extends; you want to close deals in 30 days, but it's taking you 90 days, 120 days, the cost of due diligence spirals and you lose all the profit you're expecting to make off of that deal. Yeah. So being cyber resilient and having a robust cybersecurity program is a sales enabler as well. And in the end, it could save you money because you're going to realize revenue sooner. And when you get hit by a cybersecurity event, you're not going to get hit as hard.

Jake Bernstein: You bounce back faster.

Kip Boyle: It's not going to cost you as much, you're going to bounce back faster. And that's what I love about what we're going to talk about today is this particular case has both of these elements present.

Jake Bernstein: That's great. And before we get to it, I want to bring up two points about resilience. One is, I don't hear it as often as I did say two or three years ago, but for a while it became in vogue to say CIA plus R. Do you remember that when this was a thing that people were doing? It was like, oh, the CIA triad, confidentiality, integrity plus R. And the R was resilience.

Kip Boyle: I don't see that much anymore.

Jake Bernstein: I don't see it much anymore. It kind of came out of GDPR. There's hints in it that resilience is important. And that's one thing I wanted to add here. But the other thing I wanted to add is I almost disagree that cyber resilience is a business advantage. And you might be thinking, what are you talking about? And what I'm talking about is that it's almost like we've skipped over that phase and it's almost like cyber resilience is a business requirement. And I'm being maybe a little bit hyperbolic on this, but certainly I'm not, if we're talking about certain types of regulated information for example, if you want to work in the healthcare data space, if you want to work with financial companies, financial institutions, then cyber resilience isn't a business advantage. It is a business requirement. You are going to be stuck unless you can demonstrate some level of resilience.

Kip Boyle: Well, so what's interesting about the case that we're going to look at today is that here are two companies that got caught with their pants down, so to speak. Because even though both of them talked a lot about having robust cybersecurity and about resilience, at the end of the day, it was just that, it was talk. And both of these companies made big mistakes in the way that they went about doing it. And I see this happening a lot. There's a lot of assurances, a lot of verbal and contractual assurances about, oh yes, we've got a robust cybersecurity program. But when push comes to shove, many of them actually do not. And they gave false assurances in their contracts and it came back to hurt them. And I think that this is going to happen more and more. And so it's not just saying that you're cyber resilient, it's actually proving that you are when something awful happens.

Jake Bernstein: And we have touched on this in other episodes, I certainly have gone on many rants about how if you're going to make a representation about cybersecurity, it better be defensible. And I think we should just get into it. Because this is a prime example of what happens when maybe the statements that are made, the promises aren't backed up. So go ahead, Kip. Who is this about? What are we talking about? And let's dive into the lessons we can learn from it.

Kip Boyle: So as I do this, I can't help but to think about the Lincoln Law.

Jake Bernstein: The False Claims Act.

Kip Boyle: False Claims Act.

Jake Bernstein: Yes. That actually came up in a conversation with a partner of mine out of our DC office just yesterday. It's a big deal. It always has been.

Kip Boyle: It's getting to be a bigger deal again.

Jake Bernstein: It's getting to be a bigger deal specifically about cybersecurity. And you may recall we did a full episode, I believe, on the-

Kip Boyle: False Claims Act

Jake Bernstein: And it was the Aerojet Rocketdyne case, if I recall.

Kip Boyle: And I'll put the link to that one in our show notes as well.

Jake Bernstein: That's perfect. That's perfect.

Kip Boyle: If people would like to go back to that. But again, there's two companies in this case who learned valuable lessons. I hope. I don't know yet, but they should have because this is a spectacular failure for both of them. So the first company that we're going to look at, this $8 billion company I mentioned at the top of the episode, their name is Expeditors, and they're a global logistics company. And the easy way to think about what they do is they're a travel agent for freight. Somebody calls them up and says, I need this pallet of X, Y, Z to go from here to there, or I need this 40 foot container to go from Hong Kong to Long Beach or whatever.

Jake Bernstein: And I need it expeditiously, hence the name.

Kip Boyle: And so if it can go slowly, it gets loaded onto a boat. If it has to go quickly, it gets loaded onto an airplane and it might get offloaded at the port and put onto a train or put onto a truck. So we can do all this stuff. And that's what they're good at. And they've been around for a long time. They're publicly traded. And the last time I checked in over 30 plus years, they've never had an unprofitable quarter.

Jake Bernstein: That's impressive.

Kip Boyle: It is. They're a very well managed company. And so 300 locations around the world, their workforce is almost 18,000 people. This is a big company. So I want you to think about, when you think about Expeditors, I want you to think about stacks and stacks of 40 foot long steel, rectangular intermodal shipping containers, the ones that stack up on the waterfront and in the truck yards, and that you can lift off a boat and put on the back of a semi-truck or drop onto a train. And that's what they do. Now for some of its customers-

Jake Bernstein: And just to be clear, because I think it does matter, Expeditors doesn't own the containers, they don't own the ships, they don't operate the ships or the trains or the planes. I think it's great the way you said it. They're a travel agent for freight. And I suspect that's going to be an important detail to keep in mind.

Kip Boyle: Yeah, yeah, that's right. So they don't own any of these hard assets. They buy space on these hard assets.

Jake Bernstein: And you might say, Kip, that in a way they're a data company because what is being a travel agent other than exchanging data that happens to be linked to physical objects.

Kip Boyle: That's right. And that is going to come into play here for sure. And that's not just true for Expeditors, it's actually true for all logistics companies everywhere, of any stripe. And we'll talk about that in a moment. So now one of its customers, who I'll talk about a little bit later in the episode, has taken advantage of one particular service that Expeditors offers, which is a very, very tight integration into their supply chain. And we'll explore that in a moment, but just hang on to the fact that Expeditors not only moves freight, but will actually take tremendous responsibility for all aspects of moving the freight, relieving their customers of responsibility for having their own logistics. So it's outsourcing.

Jake Bernstein: And I think that everybody in 2023 appreciates the phrase supply chain.

Kip Boyle: Yeah, exactly. So there's another dimension here. There's a supply chain risk dimension to this. Okay, so here's what happened. It's February 20th, 2022. So it's about 18 months ago by the time you're listening to this episode. And Expeditors made a public announcement because, well, they had to get ahead of something that was already very public. Its entire global computer network went offline.

Jake Bernstein: That's not good?

Kip Boyle: No. And it stayed offline for three weeks. So for three weeks they couldn't move data. And if you can't move data, you can't move freight. All right? That's the bottom line. So even though the ships were there, the trucks were there, the trains were there, the airplanes were there, there was nothing wrong with any of those things. But if you can't tell a carrier what's in a container, if you can't tell the customs officials what's in the container as it leaves the country, as it enters a country, you can't move that container. You're not allowed. And to make matters worse, when you don't move containers, you're taking up valuable space that should be allocated for incoming freight. And so you get fined because you didn't move your freight in a timely way. So it gets really awful, really fast when all of these just-in-time inventory machinations, sand gets thrown into the gears as a monkey wrench or the machine just stops.

Jake Bernstein: And I don't know that we're going to get into the specifics of this end of it, but it's not just the fines that you're facing from that. It's all of the contracts that all had fulfillment requirements and timing that is all thrown out of whack as well.

Kip Boyle: And we're going to get to that.

Jake Bernstein: Yeah, we will. So there we go. It's almost mind-bogglingly terrible.

Kip Boyle: Yeah, it is. It is. Now they were offline for three weeks until they could restart enough functionality to start serving customers again. And they couldn't even do basic bookkeeping and accounting during this three week total shutdown. So think about it, and I've said this before, when you lose your computers, you can't sell, you can't collect the money that you are owed or that you owe, you can't send it. And you can't fulfill the orders that you've taken. And that's what makes cyber material business risk because it chops your legs completely out from under you in one fell swoop. It's not like a hurricane where you get some kind of advanced notice. It's more like an earthquake that strikes completely without warning. And it took weeks and weeks and weeks to restore full functionality to these computer systems. So this was all in its own, it was an extremely traumatic event.

So Expeditors had said in its public notices that a cyber attack could have a material adverse impact on the company's financial results. So they knew that. They knew it before this cyber attack struck that it was a material business risk for them. They didn't have their heads in the sand on that point. Okay. So what did it cost? So far as of the most recent available data, $47 million in lost business and fines for clogging up depots and terminals around the world with shipping containers that should have been moved a long time ago but couldn't. So $47 million for all that. And then another $18 million for investigations into what was the cyber attack? Why did it happen? What was the root cause? How do we contain it? How do we prevent it? How do we recover from it? And $18 million, so they're in for $65 million of cash, either cash foregone, because customers didn't pay it, or cash out of their bank account because they had to write checks fast. And no, they didn't have cyber insurance.

Jake Bernstein: So let me hit on that real fast. Because I think some might be gasping, aghast in horror at the thought that a company like this wouldn't have cyber insurance. But I'm actually going to say that that isn't too surprising because who's going to insure $65 million at any reasonable price? If we think about the policies that companies can buy, first of all, if you can even get a $10 million insurance policy right now, it's going to cost you quite a bit. And I'm not saying that every company should self-insure, but I do think that at a certain scale, self-insurance is probably more efficient. Because even if you had gotten insurance, you weren't going to buy $65 million of insurance. It would've been prohibitively expensive.

Kip Boyle: I don't know. You're probably right. I know that cyber insurance-

Jake Bernstein: I'm pretty sure I'm right.

Kip Boyle: Cyber insurance is a hard market right now. It's difficult for people to get insurance at any cost. We've got customers that we're working with right now that desperately wanted cyber insurance and could not get it. So I'm not saying that Expeditors should have had a cyber insurance policy. I'm just stating-

Jake Bernstein: No, I agree. It's an important fact at issue. And I guess my only point is just that it's a good example. It's a conversation we've had with other clients, Kip, which is even if you did have cyber insurance, you weren't going to have $65 million of it. I pretty much promise you. And I'm not saying it would've been a waste, I'm not saying that at all. I'm just saying that people should appreciate the limits of insurance as a risk management tool. I think that the insurance industry itself has largely come down on companies using them as a proxy, literally investing nothing in cybersecurity. Thinking whatever, we have insurance, and no one here is saying that this is the case here. Clearly it wasn't because they didn't have cyber insurance. But I think that this is one of those situations where it's, in case you forget, cyber insurance is not the end all be all of risk management. It's a component.

Kip Boyle: It's not a substitute for doing your due diligence and minding your due care. It's there for catastrophe. It's when you did your due diligence, but it didn't work because cyber attackers innovated and did something you didn't expect.

Jake Bernstein: And it might be that after this, Expeditors looks at how much it would cost to buy a $50 million plus set of cyber insurance. [inaudible].

Kip Boyle: They might. And I don't know. I don't know.

Jake Bernstein: We don't know.

Kip Boyle: I'm just talking about publicly available information here. So I'm sure there's tons of details we don't possess that could explain things or open up new questions that we'd love to ask, but we don't even know that they should be asked in any event. Okay, so $65 million and counting, I'm sure that's going to go up. Okay, so that's what happened to them standalone. Okay. So now what I want to do is I want to talk about the other company that learned a hard lesson from this about the need for cyber resilience. And so let's talk about them. So Expeditors has a customer, they have many customers, but this one in particular had tightly integrated their supply chain with Expeditors. And I'll talk about what that meant in just a second.

Jake Bernstein: And just to be clear, that's a standard type service that Expeditors offers to customers who want it.

Kip Boyle: And they're not the only one. Other logistics companies will let you do that too, will let you outsource your supply chain management. So this customer filed a $2.1 million lawsuit against Expeditors, and I want to give you some of the excerpts from the lawsuit. So you can understand who this customer is and how they were aggrieved. So the customer is iRobot Corporation and nobody knows that name. What they do know is Roomba, the robot vacuum cleaner. The hockey puck shaped but much bigger than a hockey puck vacuum cleaner that trundles around your house and eats up all the little debris from your floor. I have one of those. Do you have one of those?

Jake Bernstein: I have two of them.

Kip Boyle: You have two of them. There you go. So all about it. So this is who hired Expeditors. They were a customer of Expeditors for 15 years. 15 years. So this was nothing new here. And what they're accusing Expeditors of is breach of contractual promises to ship products and provide real-time data on inventory.

Jake Bernstein: Now let's just pause for one moment to appreciate this. This is how cyber attacks can quickly spiral into major contractual problems. If you look, and we're going to get deeper into it, but the core claim here is a contractual promise that has nothing to do on its face with maintaining effective or resilient cybersecurity controls. They promised to do their core business, which is to ship products and provide real-time data on inventory. It just so happens that one cannot ship products and provide real-time data on inventory when one's global computer network is down, offline and non-functional.

Kip Boyle: For weeks.

Jake Bernstein: For three weeks.

Kip Boyle: Not just for a few hours.

Jake Bernstein: Okay. Keep going. What else did they claim?

Kip Boyle: So they specifically claimed that Expeditors' own inattentiveness and negligence exposed its systems to attack. And I'm quoting out of the lawsuit right now. And that Expeditors lacked and/or failed to implement the necessary business continuity plan to ensure that it could continue providing services to iRobot. Now, before you say anything, and I'm going to invite you to comment, but I want to unpack their contractual obligation here for just a moment. So Expeditors received iRobot's new products from the factory wherever they were being built, probably in the Far East, probably in China. They had to store them, they had to maintain the security of the inventory during the storage, they had to ship the product to iRobot customers within 24 hours of receipt of an order. So this wasn't just bulk move stuff from the Far East to the West Coast [inaudible] or wherever.

Jake Bernstein: Don't we call that dropshipping in a way? Maybe not. I think it is. So what you're saying is I'm a customer, I order an iRobot, I order a Roomba. And assuming I didn't buy it at the store, obviously. What happens is I probably have no idea that it's not being sent by iRobot. But in fact, what's happening behind the scenes is iRobot doesn't have a logistics department or division. It's Expeditors. So from the customer perspective, I buy a robot vacuum and it gets shipped to me within a day. Sweet. All is well.

Kip Boyle: Yeah. And you have no idea what the machinations were that made that happen.

Jake Bernstein: Nope. And it doesn't matter.

Kip Boyle: And it doesn't matter to you.

Jake Bernstein: To me the customer, to the end user.

Kip Boyle: All that matters is the thing shows up in a box, you pull it out and you have clean floors. But Expeditors had to ship products within 24 hours of receiving a retail order through iRobot from a person like myself or like you, and Expeditors had to update its system within four hours of any order or any stock movement. So Expeditors had warehouses in the United States, where they would bring the product in from the Far East, stock it in warehouses in the US. And then they would ship one item at a time if necessary out through United Parcel Service or the US Post Office, whoever. And then the iRobot customer of Expeditors would have at their fingertips data about their inventory levels that were no more than four hours old at any time for their entire supply chain, going all the way back to the factory. They had up to date information about where everything was and where it was coming from and where it was going to. This is what they had from Expeditors.

Jake Bernstein: Well, at least until Expeditors entire computer network went down. I think your explanation speaks for itself. I think we can all see where this is going. In a way, this is just a SLA, service level agreement, for physical world things instead of cloud services. But let's continue. Is there more, Kip?

Kip Boyle: Yeah. So I want to talk about how iRobot was damaged. I want to give you some more quotes from the lawsuit, so you can understand just how much it depended on Expeditors and how cranky it got when Expeditors couldn't fulfill its contractual obligations. But also I think iRobot made a big mistake here too, and I want to talk about that. So let me quote from the lawsuit a little bit more. All of the services that iRobot relied on Expeditors to perform came to a sudden and complete stop when Expeditors shut down its operating systems, products that were in transit sat idle and customer orders were unfulfilled. And so what did iRobot do? Well, they decided to switch logistics providers in the middle of this outage. And so here's what they said. From February to April, 2022, iRobot incurred over $1.2 million in costs and expenses to transfer nearly 12,000 pallets of products in 207 tractor trailers.

Jake Bernstein: That's a lot of robot vacuums, Kip.

Kip Boyle: From Expeditors warehouses in Sumner, Washington and Virginia Beach, Virginia to new facilities, in some cases across the country, iRobot was forced to reimburse retailers over $900,000 for various chargebacks as a result of late deliveries and other violations of the transaction terms. iRobot incurred an additional $80,000 for additional storage and demurrage costs caused by delayed shipments. So that's quote straight out of the lawsuit. So there are hard numbers attached to this.

Jake Bernstein: I'm actually surprised it's that low in some ways. I guess iRobot in a way was lucky.

Kip Boyle: Well, I think they did a good job in terms of response. They responded really well. Look at that. Somehow they physically sent their people to these warehouses, had them count all the Roombas, and then they went and figured out how to get them into different warehouses where they could then reassert control over them. So kudos to iRobot for taking control of the situation. But I think the problem here is that they had no contingency plan for what happens if Expeditors doesn't keep doing what they're contracted to do. So iRobot wasn't that resilient either. They depended on heroics in order to deal with this.

Jake Bernstein: And we could probably spend an additional 20 minutes just talking about whether or not iRobot was acting reasonably by relying on a single provider. And I'm not sure you're even saying that they should have had two providers of logistics. What you're saying is as quick as you acted, you probably could have acted even quicker had there been some kind of contingency plan in place. Now I will say we don't know that there wasn't. I'm guessing that that will be litigated between the parties. Because there's all kinds of, the legal phrase is contributory negligence. What Expeditors is going to do in this case in defense is basically say, okay, fine, but you also didn't do X, Y, Z. In other words, when a party is damaged from breach of contract, there's a duty to mitigate the losses.

And a good example of that is, let's say that iRobot was like, whatever, we're just going to wait until Expeditors figures all of its issues out. And this is a hypothetical, let's say they had done that, and instead of only having to reimburse retailers $900,000, they had to reimburse retailers-

Kip Boyle: $4 million.

Jake Bernstein: $4 million, whatever it might be. If they had done that, then in this lawsuit, what Expeditors would do would be to come back and say, yeah, even if we do owe you some money, we don't owe you all the money because you should have, and could have, mitigated your own losses. This is a common standard legal principle for damage mitigation. And I want to point it out only because even in this case, I will not be surprised if Expeditors says it doesn't want to pay all $900,000 for chargebacks or whatever the costs are. And it's more than that. It's really about $2.1 million. And their argument will be, you could have mitigated even better had you had a resilience plan. So that is a great example because it allows us to talk about underlying Anglo-American legal principles that generally speaking aren't going to come up when we talk about cybersecurity, but are critical in these types of commercial disputes.

Kip Boyle: And this is why cyber has become a material business risk, just as serious as any risk to sales order fulfillment and accounts receivable, because it's threatening the viability of the organization. Look at all the reputation damage that's going on here. Reputation at the end of the day, that's all any of us have. Sure we've got some fixed assets, but those will get auctioned off if we go bankrupt and bankruptcy is not where we want to be. Now, I don't think either of these companies are really at risk for bankruptcy. I see no sign that that's in the cards for them. So unlike United Structures of America, I don't think we're going to see bankruptcy filings in the future. However, what I do see is severe executive distraction for months, they're going to have to fight this out [inaudible].

Jake Bernstein: Or turnover, Kip. And there is a cost to firing executives. Everything good that executive was responsible for or doing will be lost. Whatever institutional knowledge these executives had, and I'm not saying anyone's been fired, but I'm just saying if executives do get fired after something like this, and that is not uncommon.

Kip Boyle: No, it's not.

Jake Bernstein: There is a loss. And it's important to recognize that. It's not just punishing the person, that's part of it, but there is a loss to the business as well.

Kip Boyle: Yeah, there absolutely is. And there's lots of data on what's the impact of turnover for whatever cause, whether somebody retires or whether they get fired. So the point is that if somebody loses their job over this, I think what you're saying is additional costs.

Jake Bernstein: Additional costs. Correct.

Kip Boyle: And that potentially could have been avoided. So I think that's enough quotations from the lawsuit. The thing goes on for pages and pages and pages. I'll just say that what iRobot is asking for is they want a minimum award of 2.1 million, plus they want interest on that amount at 9% per annum from the date of the breach. And of course they want their court costs and their legal fees. And this all traces back to a cyber attack. All of this kicked off because Expeditors' computers got cyber attacked. So it's fascinating. The trail is clear. This all goes back to a cyber attack, a cyber event. And I think that makes this completely fascinating.

Jake Bernstein: And what I like particularly about it is that we didn't actually talk about someone making representations about their own security. The contract was pretty standard, pretty boring from a cybersecurity standpoint. You'll accept inventory, store it and ship it out within 24 hours. We didn't mention cybersecurity, Kip, in that. And this is why it's so important to remember that cybersecurity is really enabling your business because when you don't have the technology that cybersecurity protects, you can't do your business.

Kip Boyle: And we had a whole episode on identity crisis a while ago. And I'll put that into the show notes as well, where we said there's every company out there that's doing business over the internet is in fact a technology company. And to the extent that they don't recognize that and accept it, they are making themselves vulnerable to things like what we're talking about right now. I'll never forget talking to the CFO of a fruit company, as I was describing to them what we were finding in our security work. And this person looked at me with a thousand yard stare in their eyes and said, "I'm a farmer. Why am I talking to you about computers?" And I was like, "You're not just a farmer. You need to be a technology leader who knows a lot about farming."

Jake Bernstein: And every company is a tech company in addition to whatever they actually think their business is. And the only thing you said that I would disagree with was if you're doing business over the internet. I think in 2023 we just say, if you're doing business. Show me a company that isn't using the internet. And the reason I'm harping on that, there is a specific reason, which is doing business on the internet makes it sound like you're an internet company. And I guess what we're saying here is everyone's an internet company. We're not talking about a website. We're talking about the flow of data, the enablement of business being done. And if you know of any company in 2023 that is still doing business using fax machines and plain old telephone service and not the internet, I would love to know who that is. Particularly any kind of multinational company with 300 offices. How are you doing business without the internet?

Kip Boyle: Now, when they were founded, they did it. But I would say the velocity of the world these days, it's not possible.

Jake Bernstein: And here's the thing, is let's just say that this was 50 years ago, and I don't know that Expeditors was around, certainly iRobot wasn't.

Kip Boyle: 1979, I think, is when they were founded.

Jake Bernstein: So not 50 years ago. But even in the mid eighties, you simply wouldn't have a contract that says, no, you're going to update the global systems within four hours because it would've been impossible. Those numbers, those contractual requirements, assume the internet age and computers.

Kip Boyle: That's right. Good point.

Jake Bernstein: That is, that's an important thing to remember is we didn't talk about cybersecurity. We didn't even talk about computers, but those computers are what enabled those contractual terms. You simply wouldn't agree to them without computing technology.

Kip Boyle: Well listen, as we wrap up this episode, I just want to say one other thing about this case, and when we opened up the episode, we talked about 10-K filings with the SEC. Well, it turns out that Expeditors, in a 10-K filing, they did list cyber attack as a foreseeable and potential risk to Expeditors' ability to deliver services. And iRobot actually pointed that out in the lawsuit.

Jake Bernstein: Yeah, that's not going to help Expeditors any when it comes to a defense.

Kip Boyle: No. So that's a case where the right hand didn't know what the left hand was doing. Somebody wisely did admit that that was a material business risk, but the other side of the organization didn't do enough to manage that risk.

Jake Bernstein: Interesting. All right. Well unfortunately, this case is almost certainly going to settle, which means we may never know any more specific details, which is too bad because I would love to be able to dissect a full legal case that really dived into the negligence concept and what did or didn't happen. And maybe we'll see some of it, but I personally doubt it.

Kip Boyle: Well, I don't know either. But I agree with you. I agree with you that I would love to see full depositions, court transcripts, testimonies, allegations, I'd love to see all this stuff unpacked for our benefit. But yeah, who knows. Well anyway, that's all I wanted to say about that. I hope this was helpful to people who are trying to have a productive conversation with their senior decision makers about the value of cyber resilience and the value of robust cybersecurity programs for sales enablement and so on and so forth. So with that, I'll just say that wraps up this episode of the Cyber Risk Management podcast. Today we learned why cyber resilience is a business advantage by looking at what happened to an 8 billion company after it was hit with ransomware and was then sued in court by one of its best customers. We'll see you next time.

Jake Bernstein: See you next time.

Speaker 1: Thanks for joining us today on the Cyber Risk Management Podcast. If you need to overcome a cybersecurity hurdle that's keeping you from growing your business profitably, then please visit us at cr-map.com. Thanks for tuning in. See you next time.

YOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).

YOUR CO-HOST:

Jake Bernstein
K&L Gates LLC

Jake Bernstein is an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.