
Intro 0:01

Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.

Jodi Daniels 0:21

Hi, Jodi Daniels here. I’m the Founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and Certified Information Privacy Professional, providing practical privacy advice to overwhelmed companies.

Justin Daniels 0:37

Hello, I’m Justin Daniels. I am a shareholder and corporate M&A and tech transaction lawyer at the law firm Baker Donelson, advising companies in the deployment and scaling of technology. Since data is critical to every transaction, I help clients make informed business decisions while managing data privacy and cybersecurity risk, and when needed, I lead the legal cyber data breach response brigade.

Jodi Daniels 0:59

And this episode is brought to you by Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, e-commerce, professional services, and digital media. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there’s greater trust between companies and consumers. To learn more and to check out our best-selling book Data Reimagined: Building Trust One Byte at a Time, visit redcloveradvisors.com. Well, hello.

Justin Daniels 1:37

Yes, I think the pollen count in Atlanta is only, what, 40,000.

Jodi Daniels 1:41

That’s why my car is a bumblebee because I drive a black car and then it looks like a bumblebee with all the yellow on.

Justin Daniels 1:46

As it should, considering you have a Steeler license plate.

Jodi Daniels 1:50

That’s your fault. And then when we walk outside on the deck, there’s a little pathway that hasn’t. Anyone, if you don’t like pollen, don’t come to Atlanta in the spring.

Justin Daniels 2:01

Indeed. But speaking about our guest today, I think it’s interesting how our community works, because both of us are friends with Keith Novak, who introduced us to Jeff Mastalski. And then Jeff introduced me to our guest today. And we are joined by Svetlana Braunscheidel, who is the General Counsel and VP of Operations for PNG Cyber. Her experience spans executive operations, business development, legal, and national security fields. Svetlana, welcome. How are you today?

Svetlana Braunscheidel 2:38

Hi, thank you for having me. Thank you for making me do something that is extremely outside my comfort zone. So we’ll see how I feel after this podcast is done. I know what gave us far. And yeah, I love your little trajectory of who we met when. And obviously Jeff was my first major hire for PNG last year. And I think we, you know, we got really lucky with that hire. And we’ve done really well since so check it out, Jeff.

Jodi Daniels 3:04

Well, we’re excited that you’re here and what a great example of okay to try something new, we all have to push ourselves and challenge and we are excited to talk to you. And we always start with understanding how you got to where you are today. So tell us a little bit about your career evolution.

Svetlana Braunscheidel 3:24

So this is going to be slightly long, whenever you need me to — but so basically, I always wanted to be a lawyer. So I came to the United States a month before I turned 10. And initially, I loved this country. I thought I was going to be the president. Somebody rudely told me that I couldn’t be because the Constitution said so. So I came home crying. I said, What’s the Constitution? So I read it and I said, Who wrote this? And my dad said a bunch of blipping attorneys, and I said, Okay, great, I’ll be a flippin’ attorney. So at a very young age, I always knew I was going to be an attorney. Initially, I really wanted to go into banking, finance. I really love personal finance and reading credit card terms and conditions. At some point, I graduated high school early, I graduated undergrad early, and to get into law school, obviously, is very expensive, and I didn’t have that because I was still kind of young and I didn’t have the support. I ended up joining the military. So I enlisted at 20 as a cryptologic linguist analyst. Russian didn’t come in until they assigned me that language a little bit later. So I ended up doing Russian language training despite the fact that I am Russian. So that kind of worked out, at the Defense Language Institute Foreign Language Center in Monterey, California. And then I did cryptology training in San Angelo, and thank God my orders changed from Anchorage, Alaska to San Antonio, Texas, which would have really impacted my life because Alaska does not have a law school and the mission was very different there than in San Antonio. So anyway, I guess they shouldn’t — San Antonio, thankfully, I got accepted to the one law school in San Antonio, and as I had a really supportive command and branch chief, they allowed me to do both law school and my military component at the same time. And I guess I should have mentioned this, but when you’re a linguist, the military farms you out to the National Security Agency.
So I was in a billet for NSA, started out working Russian organized crime, and at some point transitioned to Russian cybercrime. So I was doing that and law school and clerking at NSA, thinking I was still going to be banking and finance. Along the journey, a lot of things happened, and this job really made me realize how much I loved the national security space, and cybersecurity specifically. So I ended up getting out of the military, finishing my JD, got an LLM in national security from Georgetown. I really wasn’t sure if I was going to do illicit finance and cyber, and ended up getting an opportunity to start out in the private sector and law firms as a dedicated cybersecurity and data privacy attorney. So I did that for a few years, at a couple of law firms, and I really loved it. And in the middle of a transition to another law firm, had a lunch with our current SVP. And he said, Why don’t you come and be our general counsel? And so that was almost two and a half years ago. And here we are.

Jodi Daniels 6:15

What a cool and fascinating story, do we actually have to talk about all these other things today?

Justin Daniels 6:20

I told you, she was really cool. So I didn’t realize this would be cool.

Svetlana Braunscheidel 6:26

So I can recite it in Russian, and then time can be called and then we’ll be done.

Jodi Daniels 6:33

You know, for anyone listening who would like that, you can reach out directly. Well, I’ll translate for you. Yeah.

Justin Daniels 6:39

But anyway, given your role at your current firm, PNG, can you talk to us a little bit about any kind of specific trends you’re seeing as it relates to cyber attacks in the last 12 to 18 months, given the variety of use cases that come across your desk?

Svetlana Braunscheidel 6:57

So I’m going to be honest, I did what I think a lot of vice presidents do: I delegated this down to my team, who does all the work and is way smarter and knows way more than I’ll ever know. So I do obviously oversee a lot of the high-level engagements, but they’re doing all of the core work and seeing this on a daily basis. So a lot of the commentary was, you know, the last year specifically seemed to be the year of critical vulnerabilities. So they were seeing a lot of unpatched network appliances being exploited at alarming rates. Also, the time between the vulnerability’s, you know, discovery and exploitation thereof has significantly shortened. So it’s becoming obviously more imperative for companies to really focus on their programs. There was also SIM swapping and search engine optimization, which we’ve seen. Obviously, SIM swapping is a lot more targeted. Essentially, that means somebody has to go to a, you know, cellular provider, or pretend to be you, and then if appropriate checks are not followed, a clone of that phone is then provided to this individual. So obviously, that is usually being targeted at kind of like the technology and research sectors, because they’re really trying to obtain a lot of that, you know, IP information. And then search engine optimization. I think we all know we type in whatever we want to search, and the first few things that pop up are usually what we’re on. Oftentimes, those could be the alternate websites that are being created by threat actors that are obtaining your information. So, you know, all of this being, you know, in mind, clearly there’s still a lot of intelligence being used by threat actors to try to continue manipulating, you know, companies and individuals.

Jodi Daniels 8:41

Justin, does any of that surprise you?

Justin Daniels 8:44

No, considering I’ve seen a few SIM swaps myself. Not at all. I think what’s more, from what Svetlana was saying, is the time between the reconnaissance and the infiltration to the time when they start engaging in the mayhem has shortened. So you have less time to figure it out before the threat actor’s in and now they’re actually going to actively engage in some type of cyber mayhem.

Jodi Daniels 9:12

Well, that’s comforting. Now, as the “she said privacy” of our podcast, I always like to ask my privacy-related questions. And as an organization that works with a lot of CISOs, are you seeing CISOs having more responsibilities for privacy in their organizations?

Svetlana Braunscheidel 9:32

So I’m going to say, at a very high level, yes, caveat, right? Because, you know, I think that whether it’s a CISO, a CIO, or whatever role that’s still being occupied by an individual that assists with this component of compliance within an organization, I think there’s still a little bit of departure of accountability. And the reason I say that is, despite the fact that we talk about this regularly and almost ad nauseam, and so therefore, I think, you know, cyber and privacy is a constant in our space, I still think that it is very new to some companies, especially smaller companies. And that is not the focus until something blows up in their face. And so I think the reality of the situation is, unless you are in a regulated industry and something is being essentially force-fed to you by the SEC, or whomever it is, yes, top of mind, but maybe not on a, you know, sufficiently day-to-day basis until there’s an issue. And then we have, you know, these conversations.

Jodi Daniels 10:37

Are you hearing any of them talk about any of the privacy laws? I’m just curious, because we have, as of this recording, five effective privacy laws right now, several more states coming. And they’ve been on a flurry of passing new legislation. And I’m just interested to know, are these security professionals speaking about the privacy laws? And that they, you know, when they’re going to actually implement or tackle and do something might be different. But I’m just interested to know, are they even aware of the plethora of privacy laws that we have?

Svetlana Braunscheidel 11:12

I think, I want to say no, to be honest. I think the majority of the internal stakeholders that are playing a role in an incident, either, you know, pre, during, even post, they feel like that is being outsourced or being taken care of by somebody else. Right, which is why we often have tri-party agreements and outside counsel, and outside counsel is leading that discussion: Hey, be aware. And this is where you’re headquartered, and this is how you may be impacted by, you know, the current legislation that has been passed. You know, there’s a high-level overview of understanding that that is important, but especially again, midsize to smaller businesses, I think they just, you know, that is something they’re either outsourcing or they expect somebody else to lead the discussion. Obviously, with larger corporations, I think that is very different. That is not the majority of our client base.

Jodi Daniels 12:02

We appreciate your sharing.

Justin Daniels 12:04

So Svetlana, kind of getting a little bit more tactical, because our audience may have never been through the start of an investigation when you have a cyber event. And I was wondering if you could talk our audience through a little bit. So if I get a call about a cyber incident, and I need to have a forensic investigation done yesterday, walk me through the steps that I would need to take to engage with firms such as yours, and what are some of the real important things that you have to get right in the contract, or you could have real problems down the line?

Svetlana Braunscheidel 12:36

Yes, thank you for that question. And obviously, it will vary depending on how you are finding out about the incident and the initial reporting mechanism you’re using. And the reason I say that is because oftentimes, if you have a cybersecurity insurance policy, there is already kind of an outline of what you need to do, right, whether you report it directly to your adjuster, and then the adjuster calls you and obtains the necessary information and tells you, Hey, thanks, we already have panel providers, which essentially means we have created partnerships in place where we’ve negotiated rates, you know, how we want things done, you know, speed of response, all of that stuff. And so we’re gonna either tell you, Here, you know, panel providers, and you can select, or we will select for you, and we’ll schedule an initial call with the relevant parties. The relevant parties is always, you know, at least PNG or, you know, one of our competitors, outside counsel, sometimes they use another party if you need threat actor negotiations, despite the fact that PNG does that. Sometimes, you know, the adjusters or other relevant parties want to use a different party associated with that. And then sometimes you also have MSSPs involved, right? So they say, We’ll schedule a call with all the relevant parties. We all get on, there’s, you know, a lot of people, and then we ask the client to walk us through the incident. Once we have an understanding of what the incident looks like, we present a scope of work, an SOW, and an MSA, a master services agreement. These documents have already usually been pre-negotiated and vetted by the relevant parties on the call, aka the outside counsel and the adjuster. So they’ve already looked at these documents, they’re good with it, they’re good with the rates, they’re good with the terms. And so usually, as long as they think that the budget is within their perception of fairness for the scope of work, it’s all very quick.
We usually send those engagement materials within 30 minutes post initial call, usually vetted and approved within 30 minutes to an hour, you know, so everything is being executed within two hours. And then we obtain the necessary credentials to start assisting the insured with restoration, recovery, collecting the necessary artifacts to really know what happened within the network.

Justin Daniels 14:51

So Svetlana, is it fair to say that when you get people who call you who’ve never dealt with your firm before, who have not ever had an incident before and practiced, they can lose a lot of time in having to negotiate agreements, as opposed to having them pre-vetted? And one of the advantages of working with someone like your firm and you is, you kind of take care of that for them, because you already have the tri-party agreement, you already have the language, because if we don’t have privilege from the outset with outside counsel, any kind of investigative report that you do would not be privileged in litigation and would be subject to disclosure. Would you mind talking a little bit about that?

Svetlana Braunscheidel 15:31

Yeah, absolutely. And, you know, I’ll talk about that. But also, I think the contract aspect of it aside, even if you don’t, you know, have pre-negotiated panel vendor agreements kind of in place, I think, generally speaking, reaching out to a vendor who already has a working relationship with all the relevant parties speeds all of this up significantly, right. But as far as the actual contracts go, yes, you know, we’ve been in positions where we were not considered, you know, a panel vendor, or we did not have a relationship, either with the insurance company or the outside counsel. And, you know, obviously, I’m on the receiving end of all of the redlines. Sometimes that can take days, because if you have not already put something in place and you’ve agreed to the damages clause, and you’re working with a, you know, larger company that has its own in-house counsel team, so the outside counsel’s review then gets sent to in-house counsel, that gets kicked back. And all at this point in time you’re losing artifacts, logs are being cleared, the company is, you know, if it’s a ransomware attack or whatever, basically at a standstill. That being said, usually if it is an urgent situation, that has been negotiated while the work is being done, right, we very rarely wait. You know, sometimes if a client says, I’m going to sign this, but I just need to get access to DocuSign, or whatever, right? We add that, right, with the understanding, so we’re not going to be at a standstill for 72 hours just because somebody, for example, can’t access their email and provide a signature. But, you know, obviously, having all of this in place significantly shortens the amount of time and, yes, puts everything in a tri-party agreement under privilege. And all of the parties have previously worked together before on, you know, dozens of occasions, and therefore they understand expectations.
They know how to set expectations, and they understand, you know, the tone to carry with relevant clients.

Jodi Daniels 17:26

The theme here I hear is preparation. Having everything in line is always better than waiting to the last minute. This is true in all parts of our life. One of the other big areas that people might be influenced to start preparing is companies who have to deal with the SEC rules, and I’m interested to know, are you seeing any behavior shifts, like “I should really get my cyber hygiene in a row,” because of the influence of these new rules?

Svetlana Braunscheidel 18:01

Justin, I said pass on this question, no. So what I will say is, personally for us, and I did ask my team as well, we are not necessarily seeing a push in that space. And the reason for that is, again, I just don’t think we’re predominantly working with the regulated industry that obviously needs to focus on this. I think the new SEC rules are encouraging and inspiring additional discussions around the fact that we are still nowhere where we need to be in regards to our cyber hygiene and just basic requirements across the board for our risk compliance programs. I think that is going to, in time, probably make people, you know, focus more, but from, like, my perspective, my team’s perspective, we haven’t necessarily seen that be the driving factor.

Jodi Daniels 18:51

Justin, I know you have some thoughts on where you think the market is going, your crystal ball predictions.

Justin Daniels 18:58

So my crystal ball prediction, and don’t play the lottery on it, is this. If you’re a smaller privately held company with a publicly traded customer, and you go to renew your contract, and you get a big fat security addendum that says, Hey, vendor, if you have a breach, this is what we want, this is how quickly we want it, and we’re basically going to hijack your whole incident response process, because we might have to make a materiality disclosure to the SEC. I think that’s where these smaller companies are going to run into it. Because they may not get a renewal of the deal if their hygiene isn’t up to speed. And so they may get a very onerous security addendum that may require them to have to revisit some of these terms, because what I’m seeing is a company will say, Well, we need to have all this information and whatnot. And my response is, Well, if I give that to you, I’ve breached my customer contract with about 20 other customers. We simply can’t let you have approval over how we handle an incident. That has to be us.

Svetlana Braunscheidel 19:58

I mean, that absolutely makes sense. So we all know money talks. And I think that in this industry, you know, especially whether it’s the insurance market that really pushed a lot of the hygiene components, or right now you’re not getting work unless you’re SOC 2 compliant, or you’re not getting work unless you can provide your latest vendor incident response plan and you can walk your potential partners through your BCDR. So, you know, these things are going to end up being pushed down. And obviously having that in place preemptively is going to save a lot of headaches. Whether companies do that or not, I guess we’ll find out.

Justin Daniels 20:33

That’s my take. And mark, I’m still well.

Jodi Daniels 20:35

That’s your crystal ball. Yes, it’s, it’s back to you. It’s back.

Svetlana Braunscheidel 20:39

And so in your magic numbers for the next MakerBot lottery is-

Justin Daniels 20:42

My Bitcoin. Having it in four days, two days. Anyway. I guess another thing I wanted to ask you about, Svetlana. So I had an IR I handled last year. I’m sorry. And snapshots are acronyms.

Svetlana Braunscheidel 21:02

Yes, I know, see an event it’s fine.

Justin Daniels 21:04

Our listeners don’t see the post-it notes. I get no acronyms. Maybe, well, anyway, Svetlana, I handled an incident last year where, for whatever reason, the insurance company didn’t know which policy to use. And it took them three to four weeks to get back to us as to what the rates are. And when they came back, we got into it. I told the client, I was like, this is kind of crazy. And so what I wanted to get from your perspective a little bit is how are you seeing the insurance market, and their sensitivity to pricing for the good vendors, like PNG, is impacting how companies access good incident responders to help them take care of responding to events when they have insurance? Because they expect that’s why they bought it.

Svetlana Braunscheidel 21:53

Yes, um, so what I will say is, and this goes back to, you know, some of your earlier questions about just obtaining a vendor recording, I think that the partnerships that we have in place with not only outside counsel but the insurance companies are really valuable, and brokers as well, right, because they have the ultimate relationship with the insured, and they can kind of direct the conversation and expectations. And, you know, especially if you sometimes have difficult parties, including MSSPs, SonicWALL, they can kind of manage all of that. So I think those are relationships that we need to have, and we need to manage appropriately. I think that the bottoming out of rates for the insurance market is not sustainable. This industry specifically is a lot of hands-on work. It is extremely time-consuming. It requires a lot of expertise, a lot of education, a lot of training, a lot of very expensive individuals, because they have all of that, right. And so if you want that level of hands-on experience with really competent, qualified individuals who can treat your insured appropriately, I think you have to pay for that value. And so I think there is a pretty egregious discrepancy in the work that is being performed by some of the larger vendors that have Super Bowl commercials that support Fortune 500 companies versus the midsize to smaller businesses that, you know, may only be focused on kind of the rate component, and vendors are making panel specifically because of kind of the negotiated cheaper rates.

Jodi Daniels 23:32

Well, that makes a lot of sense. With all the knowledge and all the nuances and incidents that you see, what is your best and favorite cyber tip?

Svetlana Braunscheidel 23:44

So I’m actually, and I have a lot of tips, but I also asked my team this, because I think I probably would have said something along these lines, but not as well. And I had my directors give me three tips. And I think they all ultimately mean the same thing. But the first one was trust, but verify. The second one, know when to ask for help. And the third one is question everything. And I think ultimately it’s the same thing, which is, you know, the trust but verify aspect of it. And ultimately what that means is just because it’s deployed does not mean it’s been properly configured, right? Just because it’s been rolled out does not mean it’s been properly enabled. And so words matter. And Jodi, thank you for correcting us on our acronyms, because this is, you know, our day in, day out, out of our mouths, and a lot of people don’t necessarily know what it means. But words matter, because the terminology actually does not mean sometimes what even the client thinks it means, right? So yes, you deployed your endpoint detection and response solution, but did you properly configure it to ensure that it is actually doing what it’s supposed to do? Yes, you rolled out your MFA, your multi-factor authentication, but did you actually enable it? So now your employees are forced to set it up on every single relevant account, whether it’s email or, you know, whatever. So having the appropriate parties in place, not only your internal IT or your outsourced MSSP provider, to be able to vet that and ensure that they enabled log collection, so when you do have a potential incident, we have the necessary artifacts to really be able to ascertain what happened, right, or their, you know, EDR solution has been properly enabled to ensure that it actually stops the next ransomware attack instead of just sitting on your legacy systems not doing anything. Having a third party like PNG, or, you know, anybody else, to be able to go in and confirm these things.
And if they, you know, if they hadn’t done it, just say, Hey, we took care of it. It’s been done going forward. Make sure your, you know, service providers do this going forward. I think that is extremely beneficial.

Jodi Daniels 25:49

Excellent tips. I even wrote them down.

Justin Daniels 25:51

We’re very pithy in the configuration but not I like it. That is good. So Svetlana, when you’re not doing all this cool cyber stuff, what do you like to do for fun?

Svetlana Braunscheidel 26:03

My favorite hobby is proving people wrong. And that takes a lot of my time, believe it or not, but I love doing that. I also love cooking, spending a lot of time with my furbaby, going on leisurely walks with my early morning coffee. I live in downtown Washington, DC. I’m very lucky to be here. So now the really nice weather is coming out. I love riding the National Mall, going to the Lincoln Memorial, enjoying the sights, and spending time with my hubby.

Jodi Daniels 26:34

Well, we’re so grateful that you came and shared all of this great information with us. If people would like to learn more, where should they go?

Svetlana Braunscheidel 26:42

PNG-Cyber, I will say there’s a dash, and the reason there’s a dash is because somebody else bought it, just regular PNG Cyber without a dash. So PNG-cyber.com is our website. I am on LinkedIn. I respond to every single LinkedIn message, which is a problem, but feel free to find me, Svetlana Braunscheidel, on LinkedIn and send me a message, and we can swap information and I can share all the information with the very smart people on my team that actually do the work as well.

Jodi Daniels 27:13

Well, thank you again for joining us today.

Svetlana Braunscheidel 27:17

Thanks guys really appreciate your time.

Outro 27:24

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.
