Martin Hinton (00:05) Welcome to the Cyber Insurance News and Information Podcast. I'm your host and the executive editor of Cyber Insurance News, Martin Hinton. And joining me today is Kelly Miller with FTI Consulting. She is a leader and an expert in communicating in incident response and how to explain and navigate that whole process. I think I've got a lot of that right. Kelly, first of all, thanks so much for joining us. I wonder if you might correct me where I got that wrong and then also tell us a little bit about your background and how you got to this point in your career.

Kelly Miller, FTI (00:33) Yeah, absolutely. I'm super happy to be here. It's always really fun to talk about this. Incident response is just such a wild world. I, you know, being alongside some advisors with really interesting jobs, it's always fun when we can compare notes. And I personally think the communications piece of all of this is fascinating. So I love to talk about it with other folks in the industry. In terms of background, I have always been a communicator interested in technology at the beginning of my career. I'm here in Washington DC and I had more of a kind of typical DC job for the first few years of my career, really focused on tech and telecom policy. And I started to just slowly wade into cybersecurity. I was at a trade association where a lot of the wireless carriers had some certainly interesting cybersecurity issues. And then I moved into the firm side of things where I started working with clients, and a couple of my clients were in the cybersecurity space and I started to get more familiar with these issues. Like I think many of us in the incident response world, I kind of fell into it.
I came to FTI in 2020 and was doing a lot of different things, but, you know, a few months in I got a call from some folks that were, you know, starting to wrap their mind around what is this practice going to be for crisis communication, specifically around cybersecurity incidents. I joined, you know, a huge insurance matter and one that got a ton of press and required a lot of communications diligence. And, you know, it kind of could have been seen as a side project for me, kind of lending a hand with this new cybersecurity communications team, but I never looked back. I fell in love with the practice and I've been doing it for the past five years since then.

Martin Hinton (02:33) Fascinating. So we're going to get into some more detail, but I want to start with that first moment you hear about a breach, that you learned some CEO got a call from the IT department or wherever it might have been. Paint that picture for me. What's the first thing Kelly thinks when, you know, if you will, the fire alarm goes off?

Kelly Miller, FTI (02:52) Yeah, yeah, absolutely. And oftentimes I think it's important to kind of set the scene of who are those first calls that, you know, come in when, you know, those fire alarms start going off internally in an organization. The first couple of calls are usually to, you know, cybersecurity insurance and cybersecurity counsel, their lawyers. And then it's normally us that get that kind of second call from there. And so from the get-go, we need to get up to speed with what information do we know? How can we verify this? And, you know, in those first few hours really we're just looking for information, and we're also looking to start immediately from the get-go to institute process to be able to verify information.
A lot of things are unknown in those first few hours and candidly often in the first few days of a cybersecurity incident. You know, we're coming in and we're trying to figure out what's going on. What can we tell people internally, externally? How can we start to paint a picture in a very chaotic time?

Martin Hinton (03:55) So this sort of gets us into the next topic, which is about how communication can decide outcomes. You know, comms is a risk control, not just PR lipstick, right? There's a real value in clear communications. Because when we hear this, I think a lot of people who may be listening to this or watching this think we're talking about public relations and external comms, but a lot of it's coordinating internal communications. And you just touched on this. And one of the questions we shared in advance was, in the first 24 hours, what's the big mistake that you can make in this field? I think I know the answer, but journalists don't get paid to think they know the answer. So what's important in the first 24 hours that you always have in the back of your mind, or that can lead to bigger problems?

Kelly Miller, FTI (04:36) Yeah, yeah. I mean, yeah, before I get to answering that question, the preface that you said is exactly true. I say all the time that I don't think organizations necessarily get judged that harshly for having cybersecurity incidents anymore. Everyone has had them. Everyone expects them. InfoSec teams, there's a lot of empathy going back and forth. But what is not tolerated is bad communications around a cybersecurity incident. So I think it's a really, really important job for us to figure out how can we thread the needle of being proactive, transparent, but responsible in communications very quickly. To that point, the first 24 hours, the worst thing that an organization can do is over-promise.
Whether that is, you know, with facts of, we have no evidence, you know, saying that no data was touched or, you know, everything's running smoothly when, you know, in reality, you might have to walk that back in a couple of days, then you're immediately losing with the folks that you're communicating with. To the same extent, something else you can over-promise, not about the impact of the incident itself, but I see so many organizations over-promise in the cadence of communications that they're going to give. Sometimes it's the instinct of an organization to say, every hour we're going to blast out communications to all of our stakeholders. And once you get a good handle on the first couple of facts you have, you might not have a lot to update for, you know, certainly a few hours, and sometimes that can lead into days. So if you've set that expectation, if you've over-promised that, you know, we're gonna have these hourly updates, you know, no data was taken, and then a couple hours later you're saying no update or actually maybe one of these systems might have had, you know, the threat actor might have gotten in there, you're setting yourself up for failure. So it's really important to have diligence around getting the facts straight and verifying them very early on.

Martin Hinton (06:38) I mean, it sounds to me, and this is something you obviously, if you've paid attention to how incident response works, you have to find this balance between having a very good plan for when things go bad and having a very good plan that can change with information you didn't expect. I mean, the best plans are all adaptable. If you're building the run book and that sort of way this is all going to unfold, how do you, I mean, again, like the best incident response starts before the incident, right? I mean, that's probably, probably... makes sense, right?
But you don't build the firehouse and buy the fire truck after someone's house catches on fire. These are basic ideas that are maybe a little vapor in this digital world. In that first hour checklist and how you plan all this out, what kinds of things are happening? We know, you said it, that facts are incomplete and you're dealing with little bits of information and there might be real pressure to put out statements that you have to walk back later, which, as you know, is a huge, huge problem. You can't undo a mistake or a misstatement. The lie is halfway around the world before the truth gets its pants on, right? So I think that, I just wondered if you might dive into that sort of, and you used a great word. It's not just steps or a protocol. You used the word cadence, which is this very, very sort of precise way to describe a pattern or a movement through a plan, an incident, a circumstance. So just tell me a little more about that sort of situation.

Kelly Miller, FTI (08:05) Yeah, yeah. Really good question. And I can answer within the first hour, but to your point as well, I mean, it's incredible when we have the luxury of working with clients that we've actually gotten to know ahead of time, that we've done preparedness work for, that we've gotten to know each other, because a lot of what you do in those first few hours, it might not be necessarily getting a concrete statement out if you don't have that ready. It's establishing processes. And so it's not, again, about, when we're working with an organization ahead of time on, say, you know, a crisis preparedness plan that can sit next to your technical crisis plan, we're not necessarily, you know, writing draft statements ahead of time. We're way more focused on establishing processes of, okay, who are the people that we're going to need in the room to get the right information? How can they get that verified? How can we quickly get statements signed off?
You know, my folks that work in comms know how frustrating it can be, when they have a press release to put out, that it can take weeks to, you know, get approval. When you're in moments of crisis, particularly a cyber crisis, you need that approval instantaneously. So in those first few hours, it's actually a lot less about, you know, getting things done. It's about establishing processes, making sure we have a true cross-functional team that knows how to get in touch with each other, that, you know, is able to get together often and share things in real time. And that takes a little bit of work to get to that point.

Martin Hinton (09:45) And just to clarify, we're talking about legal, forensic people, the external security company, maybe the executives, you need the whole C-suite involved, depending on the type of company, the board has to be notified. I mean, we're not even getting into the issues of compliance and, say, you know, like depending on, I mean, that gets really complicated because you can't comply until you actually know something happened that requires some sort of public statement, right? Like it gets really, really muddied. Having everyone, quote unquote, as much as we need to be in the same room anymore, in the same space, or like you said, like you have to be available. You're on call like a doctor or a surgeon. That's the sort of mindset that you wanna have sort of cascading over all the really important decision makers. Is that a fair way to look at it?

Kelly Miller, FTI (10:33) Yeah, absolutely. Just, and making sure, you know, as well that, you know, I'm really conscious when I come into a new engagement that I can be walking into what is sometimes like one of the worst days of these folks' careers. You know, you work so hard at, you know, standing up good cyber programs. No cyber program is immune.
So many folks have all these conflicting priorities and then everything is basically thrown up in the air if systems are locked down, for example, or you think there might be data exposure. And so it's also really important to make sure that all of those external folks that you mentioned are also able to connect very quickly to establish a relationship with internal folks to understand those nuances. I'm sure we're going to get into this later on, but there's a lot of different groups of people that we need to talk to. And that totally varies client to client. So I need to connect very quickly with internal comms or general counsel or other C-suite folks to understand, you know, what are these buckets of audiences that we should be communicating with? Because it's not standard across companies. You know, it varies by industry. Sometimes, you know, we're getting those really good facts early on that, you know, our salespeople will often have back channels to these kinds of customers, or our customers talk to one another a lot on these forums offline. And if we don't know those details, where it's impossible for these outside advisors to know some of that, to have some of that intelligence, if we haven't, you know, established that connection early on, again, we're gonna have to walk things back and we're not gonna have as precise a communication strategy as we might be able to if we're able to get that all established.

Martin Hinton (12:16) You've gotten us into the next topic, but I just want to touch on this because you were discussing the matrix of a situation, the way the flowchart looks. And then with your reference to the way maybe salespeople also know someone, you know, because they do something that's semi-related or they're involved with the same charity. This other idea that there's personality involved and there's the human component of all this involved.
And listen, the truth of the matter is, and I've come from an environment, very high stress, breaking news environments, some people don't manage those situations very well. And the brightest people sometimes get really, really, really hard. And to your point, it's the job of people in that situation, and I've been in that situation myself, I don't know, is it bringing calm to the moment and helping everyone sort of realize, yeah, this is stressful, but what's gonna really help us now is everyone steps back, has that moment of thought before action, and we understand how things work. You touched on personality. I mean, you're dealing with situations where, and again, it's very practical to consider response. We know these attacks happen when people least expect them. The CEO is on a plane, it's the Lunar New Year, it's a holiday weekend, or all these things are used to the advantage of the bad actor to make an attack more likely to succeed. And ideally, people know that in advance so that they kind of expect it. I wonder whether or not you could just touch on that idea a little more, the personality of it all. Like, we know that in business people need to get along to succeed, even if they don't like each other, right? They don't have to like each other to get along and to want to succeed as a business. Tell me a little bit about that idea. Like, I mean, is there any kind of human psychology part of this for you, and like making sure people who are having a panic attack over something like, oh my God, this didn't... tell me about that to the degree you can.

Kelly Miller, FTI (14:00) Yeah. 100%. I mean, sometimes, you know, what we're bringing along with, you know, this structure and discipline that I keep hounding on in terms of just good communication, that also just gives people something to focus on. It can feel so chaotic and overwhelming.
And if you don't even know what the next step is, as someone who's never dealt with a cybersecurity incident before, of course you're going to be overwhelmed. So all of the advisors, ourselves included, you know, we also need to, in those early hours, you know, also provide a "here's what's to come." We're in this period right now where, again, systems might not be working or your customers are really, really worried about what data has been included. But here's what this is going to look like in 24 hours, 72 hours, even a month. A simple thing that we have to establish very quickly with a lot of our clients is that a forensic investigation is not something that takes hours. It takes weeks, not even days. It takes weeks usually. I think I can maybe count on, you know, one hand how many incidents I've been involved in where we had, you know, a true end of investigation at the end of the week. And those are very minor incidents. I mean, this takes a lot of time, and a lot of this is, yeah, I mean, you're talking about psychology. It's uncertainty reduction, is that, you know, even if you don't have all of the facts right now, what can you say? What can you share? How can you preview to audiences what's to come? Like all of that is really, really critical. And I think all of us advisors, we all make jokes at some point that we double as therapists as well because, again, we're talking to people that are super, super stressed out and haven't done this before. And, you know, we're there to help. We have a very niche, specialized role. You know, I'm never, ever competing with, you know, the internal comms folks or existing PR agencies that might be in the mix. I'm there to do something super specialized and help them get back to doing what they're very good at doing. It's collaborative and you really need to establish trust very quickly to make sure that you can work together efficiently.
Martin Hinton (16:10) I think the reducing uncertainty line I'm gonna have to steal. Stand noted. But you're right. I mean, you said it already. For you, this is what you do. For them, it's the worst day, the worst week of their careers. That is, again, like remembering, I mean, our language is littered with things to help us remember this. Walk a mile in their shoes, or whatever it might be. That empathy, everyone thinks that that is a bit soft, but empathy is about understanding your opponent, your adversary, as much as your teammates. And that helps you find the best in them or the weakness in them, depending on what you might be looking for. You touched on this before, the stakeholder map and the message ladder, right? So tell me what those things are. There may be people watching this who know what those mean, but explain those concepts to me.

Kelly Miller, FTI (16:57) Yeah, absolutely. So what we usually do is we have a general idea of the different audiences or stakeholders, I basically use those words interchangeably, that we want to talk to. Everyone, there's always internal employees. There may or may not be a board or shareholders. There's media. There's your customers. There's vendors and partners that you're working with. We know those basic buckets, but again, we want to have conversations very early on to understand the nuances of all of those groups so that when we communicate something, no one's getting left out, that there's no confusion of, you know, employees heard one thing, but, you know, a different audience heard another. We usually like to, in these kind of communications playbooks that we put together, we like to start with key messages of, you know, this is going to go to every single audience regardless of, you know, what else we're telling them or how we're positioning this, but we want this to remain absolutely clear. We are all singing from the same songbook. We all have the same facts.
And this has been established, it gets reviewed by counsel, it gets reviewed by the client. We update those frequently and then those get disseminated to all of those different stakeholder groups, those audiences. But of course, there will be differences in the ways that we're actually talking to different stakeholders. I think a really good example is, for a lot of organizations experiencing ransomware, their employees, it's really important to nail that as one of your first audiences. One, that they hear from you first. You do not want your own employees to read a media article about an incident and they didn't even know that it's happening on their own systems. That's not gonna build trust with the folks that you're really gonna be relying on for a lot of disseminating the messages that you need in the coming weeks. And then two is, the very specific example I use is payroll. When a ransomware attack happens, companies, there's differences in the way that their employees are paid. I don't know any organization that's gotten hit where systems are locked down, they're not able to do business as usual. One of the first questions from their employees is, am I going to get paid on Friday? If you are able to answer that definitively, or provide workarounds if that's not the case, get that information to your employees. It's a really important point to hit, but you definitely don't need to offer that detail proactively to your customers, for example. So you've got those key messages that everyone gets, but there'll be these kind of nuanced differences that you want to make sure that you're hitting with those different audiences. So yeah, a lot of what we do is kind of map out those audiences, make sure that everything is consistent, but tailored and bespoke to the different end readers of the communications that you're sending out. Does that answer your question?

Martin Hinton (19:56) It does.
I think, you know, again, like you say it so elegantly and eloquently, and it is such a fundamental: you've got to know your audience. Like, who am I trying to tell what? And that idea that you don't, again, particularly in a time when people's attention is hard to keep and maintain, never mind, you know, like there is the real need to be precise, direct, on point. Again, I've said it. Our language is full of cliches forever that help us try to remember not to say too much or too little, to make sure we say the right thing to the right people for the purposes of making sure the right people understand the situation. So again, like that idea of having a sense of what they're gonna care about or what they need to know in order for them to continue doing their jobs for the company to navigate these troubles is really interesting. We don't have to spend a lot of time on it, but we were talking a little bit about legal, regulatory and insurance alignment and the sort of way comms can affect that. And obviously for us, things like cyber insurance and compliance and that sort of thing are really interesting. I just wonder if you could discuss a little bit about that space. You mentioned that at the beginning, you might have your cybersecurity incident response team and your cyber insurance people would get called and then you get called. I just wonder whether you might explain more about the cyber insurance realm in this sense.

Kelly Miller, FTI (21:17) Yeah, yeah, absolutely. So it's a really collaborative process between all the advisors that come in. There are very, very few accounts that I'm on where we don't have external counsel. I would say it's a very rare exception where we don't have, you know, the cybersecurity lawyers that do, just like I'm doing cyber comms day in, day out, the same thing. All they do is incident response communication, I mean, legal advisory. And every word that we're writing is reviewed by counsel even before it goes to the client.
So that collaboration is absolutely critical. And that's a huge advantage to having our team being so niche, is that I am by no means a lawyer, but I've certainly learned the kinds of edits that I know a lawyer is going to be inclined to give. And we have an understanding of the legal obligations and regulatory obligations down the line that we're going to need to be conscious of. Also the concept of legal risk, where we closely follow the different kinds of lawsuits that we're seeing out of different states. So if your communication strategy is not led by legal considerations, you're just going to lose in the end. So it has to be a very, very collaborative process between our team and lawyers. And ultimately, we always defer to them, you know, if it comes to, at what time are you going to disclose to this regulator? We also, you know, we've built a lot of muscle memory of what you need to do to get to that point, what these risks are. Of course, there can always be healthy tension, as between, you know, some, I joke sometimes, you know, a lawyer's instinct is to say nothing. Communications is always about saying something. So, you know, we want to make sure that we have a happy medium that includes, you know, business risk alongside legal risk. But, you know, it's really important that we work with people we trust. A lot of the lawyers that, you know, I'm working with, I've now worked with on dozens, hundreds of accounts in the past. So we have a really strong working relationship. I think our clients really benefit from that.

Martin Hinton (23:29) I was at a conference with a cybersecurity company in New York, and one of the panels in the last couple of months was about the legal environment and the long tail of incident response and the class action suits. The classes are getting smaller.
There's a lot more precision, and that part of it touched on the megapixel issue and the data leakage. The legal part of it, as it is with all things anyway, particularly at this level, you have to be incredibly precise, because the law is words that govern our understanding of relationships and business agreements, but because the technology is so new and in flux and there's all kinds of laws in different states and this sort of thing, having that precision and making sure that you craft an elegant, intelligent, wise message. I mean, it's something I guess I thought about, but I didn't think about the idea that you might see a lawsuit 18 months down the road or something like that, but that is something that could come back if you said something wrong in the wake of an incident, that you have a real issue that you could avoid if you just thought about it a little longer. The vice of collaboration is one where there's sometimes a little pressure and a little disagreement, but that often is what creates the most precise message. A little bit of, like, head banging, I always thought was a good thing. A little conflict, a little intensity, a little passion about, we should say it this way, we should say it that way. And I think that that is something that it's often hard to cultivate nowadays because people worry about people getting upset or angry and then... professional environments. I'm probably talking more about my own space now, but this idea that we want to make something, create something of value, whatever the message, sometimes you need a little bit of conflict to sort of wring out the words the right way. So again, it's interesting to hear you say that. Now, one of the things we discussed before this was the messaging externally, you know, the media. And you made the point when we were doing our pre-call that you could do a whole podcast on this period. So we won't go into the detail that we need to to cover this topic.
We'll have to have you back on. So there's too much to note, but I wonder if there might be any particular thing with regard to communicating to, say, the media, particularly if it's a big company or something that people think, I know that company. And the thing that jumps to mind for me, coming to this space from a broad journalism background into a very specific sort of niche coverage space, is that a lot of people don't understand how any of this works. You can't assume knowledge, or if you start to talk about, we're recording all the logs so that we know exactly where the breach occurred and how many, you know, like what, social engineering, people, you know, they think of movies and they think of hacking, and maybe that's not what it is, but that's the one that jumped to mind for me, is you have to, you know, explain it like everyone's a fifth grader, maybe, I don't know.

Kelly Miller, FTI (26:14) Yeah. Absolutely. I was going to go there exactly. I have so much empathy for reporters these days. I know how publications are becoming sparse, newsrooms are shrinking. A lot of really, really good reporters are expected to cover so many things. And so I never walk into a conversation with a reporter who is not on a cyber beat assuming much knowledge of any sort. And I always try to take a minute to make sure I'm getting them up to speed. And then also, I think another thing that you kind of emphasized at the beginning is that media can just be such a small part of an actual communications response as well, is that a lot of times what we're putting together, it's all about consistency. So a written statement is going to look pretty much the same as what we're saying to our customers. And we really want to be transparent with media too. A lot of it is, again, we're singing from the same songbook. A lot of our incidents, it might not require too much of this, you know, old school PR.
Thinking of, like, DC specifically, you know, meeting at the bars and, you know, getting down to the juicy details of a story. I mean, we have to have a lot of verifiable facts, and oftentimes the best way to do that is written statements. But that said, when we're able to work with reporters that, you know, understand this space and can help us tell a story, yeah, you know, I could do an entire different podcast on that, of, you know, what those phone calls look like, how to establish relationships with media ahead of time. That's another huge reason why I recommend that organizations start to think about communications ahead of time, is that you want to have a map in your head of who are the reporters that can actually help us get the information out that we want to get out. Because it's not always just about defending your reputation. I've worked with a lot of health organizations, for example, where a certain hospital has different capabilities, and they want to help get, you know, because, you know, certain systems are shut down and they want to make sure that, you know, patients are being properly rerouted. And sometimes, you know, we're working with reporters to make sure that they're getting that message out. So, yeah, media is very important, but with so much consistency, a lot of, you know, consistency of messages, for most of the incidents I'm working on, it doesn't end up looking too different than some of the other audiences that you're communicating with.

Martin Hinton (28:50) One of the things I said to you when we were discussing how we couldn't discuss all of this was that nowadays every company is a media company, right? They all exist. I was reading something today in the Wall Street Journal that the number one addition to job listings over the course of the last 12 months was the storyteller capacity, right? What's the story of our company?
How do you explain our idea so that people can envision the world with that idea thriving in it, is the way I've often put it. And that gets me to the internal comms and making sure people don't start to complain if you misstep talking to employees early on, or you're not quite sure right away about payroll on Friday like you touched on. It's a huge problem, right? We know that the way we write everything down now, it creates a lot of ability for things to be misinterpreted. You know, we see this with emails, particularly text messages that are abbreviated between two people communicating on a topic that they know. So they leave out a lot of nuance that, for someone who isn't familiar, can make them think, oh, they're up to no good. How do you manage that sort of thing? You know, obviously that comes down to, like, individual managers having a team and sitting them down and being like, listen, you know, we need to let this... we don't know what's happened. How do you deal with all that? Because listen, I'm a journalist, right? People talk, and I would tell them not to, but they do. They want to tell people. We're not very good at keeping secrets. God bless it. Tell me about that.

Kelly Miller, FTI (30:06) Yes, they absolutely do. Yeah, and I think you're absolutely right. And it's a really important point that you're honing in on, is that in the absence of information, again, we're getting back to this, you know, this kind of psychological concept of making sure that uncertainty is eliminated. When you don't have concrete facts, you start to speculate. And oftentimes when employees are talking to folks, they might be talking to your customers, you know, anyone who's externally facing, if they don't have from you an update on what has happened, you know, even if that doesn't say, you know, a ton about data impact and how the threat actor got in.
If you don't have strong talking points to reference back to, it's almost human nature to start to fill in the blank and say, it's like, I don't know, this is that big of a cyber incident. We got this password reset, but I think that it's probably fine. That's legal liability, that's reputation liability if your internal folks are saying those kinds of things externally. Ways to, I think, get that across. Like I said, message discipline is really, really important to making sure that we've established very clear facts and those are communicated in writing very clearly to the workforce. I mentioned password resets. I think a lot of organizations might be a little naive and think that they can sneak in some cybersecurity updates without having to let the broader employee base under the hood. Things look suspicious. If out of the blue, certain systems aren't working and then you're asking people to reset their passwords, they're gonna speculate. And it's so much better to just get your facts straight with them instead of having them start to, again, fill in the blanks. And so again, we always like to start with getting the facts out in writing to an internal audience. But sometimes me and my team, we'll get on the phone with folks that are talking to customers and just field questions. Again, the point of empathy is like, talk to them about how difficult of a position they're in right now. You know, they have customers that are demanding answers, looking to them for information, and they're in this weird gatekeeper position. And so we want to give them all the tools that we can. Sometimes that's talking points to, you know, convey forward. But other times, you know, we also want to give them holding language of, you know, if you are pressed on this, you can escalate to this person internally.
And we'll get back to them with, when we have more information, giving them outs as well and giving them just, yeah, more tools and just ways to vent their frustrations as well. I wanna make sure that we're hearing from them about what are the questions that customers are asking right now. Let's make sure we address that in our next FAQ that we're sending around to folks. Martin Hinton (33:01) Yeah, you make a good point. As you were talking, I could imagine a salesperson talking to a client and then not having a disciplined message. That client has a friend at the Wall Street Journal and suddenly you have a person familiar with the situation in the newspaper. And also you made a good point. Everyone wants to seem like they can fix the problem themselves, but the ability to escalate, the ability to say, you know what, I don't know the answer to that question. Like putting people in a comfortable place where they can say, I don't know. Kelly Miller, FTI (33:16) Yeah. Martin Hinton (33:30) but I know someone who can find out, but you've got to give me some time, right? Again, you've used the phrase message discipline. That's what we're talking about. That's message discipline. Like, you don't let someone talk you into saying more than the message initially said. You stick to the message, which can be very frustrating for journalists, but it's also fair for companies to behave that way because the truth of the matter is being transparent and telling people everything aren't two things that can happen. That's just not possible. There's a lot of privacy requirements, particularly depending on the information situation and that sort of thing. And I think that that's really interesting to think about, the idea of, because so many companies have external points of contact. You think about how many threat actor vectors there are because every employee is on the internet. The same goes for them leaking a Slack message or something like that.
That gets me into the next point, which is sort of the recovery narrative. And one of the things we know is that, you know, if you've had knee surgery, you know rehab starts the day after the surgery or even in the hospital, they get that knee moving on one of those funny little machines. That is the case in this space as well. So talk to me about the way you don't over promise, but you do encourage people to be optimistic. I don't know if that's a fair way to put it, because customers need to be reassured that they can get what we sell them that they need for their business, and they're not gonna miss an order or whatever it is. There's a lot of moving parts here that need to be communicated clearly. Tell me a bit about how that all unfolds for you. Kelly Miller, FTI (34:59) Yeah, absolutely. A couple of things come to mind. One is that oftentimes I find myself distinguishing, when I'm talking to clients, about like restoration versus this kind of broader data investigation. That those can be completely different topics to your clients, including your clients might have, or the other stakeholders that care about an incident. These are different teams within one organization. InfoSec really cares about the data. Everyone else basically cares about like, are you able to do the job that we, you know, rely on you to do. Or same with patients of, you know, they need to know two things. Should I go to my doctor today? Is the doctor open? The doctor's office might be, you know, experiencing a ransomware attack. And then maybe a couple days later, they're thinking, okay, wait, what does that mean about my data? Is my, you know, personal health information out there on the dark web now? So you need to address both of those things and almost kind of handle them as, you know, very different trains of thought. So I think that's an important point and one that we're always kind of keeping in mind as we proceed.
And another point that I kind of want to make about this, what does recovery look like in the long term, is that I... I love that my job has certain limitations. You said at the beginning, PR is not lipstick. It absolutely is not. I cannot control the new cybersecurity, you know, endpoint detection or, you know, if you're evaluating, you know, access controls, like that is not a communications job. If you haven't done that as an organization, then you're going to have a much weaker message than if you can point to concrete things that your organization has done to better understand what happened and then improve your systems for moving forward. So I guess the succinct way to say that is that I like that communications is not the be-all end-all for how an organization ends up faring post-incident. They need to walk the walk too. I can help you talk the talk a lot better if you've backed that up, but organizations really need to walk the walk. I don't want to live in a world where you can just communicate away without underlying facts. You've got to have concrete things to point to. So those are just two points that kind of triggered when you asked that question. Martin Hinton (37:32) Yeah, I know that almost the word concrete gets us onto the next topic. And we touched on this a little bit, but I want to, you know, just have a little standalone moment where we acknowledge the fact that there's nothing like practice. And, you know, I don't know, I've never played any sports at any high level, but you think about how long a team in any sport practices or how many hours of practice exists for a 90 minute soccer game or a 60 minute football game. And we use sports analogies a lot because sports is everywhere and it's a huge part of our media space. We see the game. We maybe read about the practice if we're really interested in it.
But when we read about the great players, the people who spend hours studying film of the opposition and know every variation of what a team might do in any given situation, those sorts of ideas are basic and simple. It's standard to watch game tape and all that sort of thing. It doesn't happen in this space for a lot of companies. And it's not just this sort of thing that doesn't happen with. I come from a media environment where I worked with people, and trying to get TV people to watch themselves on camera so that they could maybe improve their appearance was often like pulling teeth. And I wonder whether you might talk about the value of prep and the way it helps, specifically the ability to move into that space where you can start to communicate in a way that maintains trust or rebuilds trust or encourages people to trust you with the message you're delivering. Kelly Miller, FTI (39:05) Yeah, such a good point. And I think I'm going to steal that analogy about, you know, the number of hours spent behind the scenes to, you know, make something look really good, make a play happen. There's a few ways we could, you know, use that analogy very well. But trust is truly foundational in that it starts with, you know, the incident response team of, you know, even within an organization, you know, how often are you engaging with the privacy, you know, as the general counsel, how often are you engaging with the privacy officer, your communications team outside of crises? How can you really establish that you are seeing, you know, this world from one another's perspective so that when, you know, rubber hits the road, you guys are able to make decisions more quickly and then have kind of more informed decision, like understanding of where you want to get in the next couple of days. It's so, so fundamental.
So, yeah, and again, a lot of times when we're talking to organizations about the importance of preparedness in the early days, they might say, yeah, we wanna have pre-drafted statements ready to go. And to your sports analogy, that could be a play that you have established, but if the defense is, you know, working in a certain way that you're not able to run that exact play, you have to be able to adapt to run another one. So it's just as important to have those reps, to have that practice, to be able to trust each other, to make the right decision that is then presented to you in real time. You know, again, I need to stop with the sports analogies. It's been too long since I've played basketball. I was gonna get into zone versus man-to-man defense and how that can be, you know, those are completely different ways to play offense and you never know what you're gonna get hit with. So you need to be, you can't have a plan for every single situation, but you need to have working relationships with one another so you can adapt and, yeah, build a good strategy in real time. Martin Hinton (41:01) You remind me, I spent a good six years or so doing military history documentaries. And one of the things I fell in love with was the concept in military planning that a plan never survives first contact. So you can have all the plan in the world, but the minute you put it into motion, your enemy, your adversary, the weather, a CEO on a plane, half the board unavailable, there are things you cannot control, and that plans are adaptable. I mean, would you ever, do you think it's wise to have like a, you know, the draft of a statement that, you know, can be adapted depending on what you need to say or what you could say? Or do you always go into things blank? Like, I mean, is there any value in it? Like a, like a run book, if you will, like literally like a, you know, you grab it off the shelf. You see that in military planning where there's like, it's an attack on this.
We've got a plan for where things come from and who we need to call. Is that... too much or is it wise? What do you have to say about that? Kelly Miller, FTI (42:01) It's a really good question. And I'd say potentially, but it's just missing the broader picture, is that, yes, it doesn't hurt to have some things drafted ahead of time. And for some organizations, culturally, that's how they get their reps in. Like that is very important to make sure that, you know, they've got a draft, they've got, you know, certain language in place. But what is just leagues and leagues more important is establishing the working relationships ahead of time and having a structure and a plan so we know, okay, when a cyber incident, we think that this is true go time, what is our out-of-band communications? How are we internally able to get in touch with our cyber insurance, to get in touch with our cyber counsel, to talk to our crisis communicators? And when are we gonna meet? Who's gonna own that Zoom? What is our agenda going to look like for that? And then once we have an idea of the facts, how is this product that we're talking about, how is that gonna get approved and then how is that gonna get disseminated? All of that I think is just... infinitely more important than the words themselves ahead of time. The words become important to make sure that you are reflecting the true reality of all of the facts that you've been able to gather from InfoSec, from customers, from employees, that you're able to get all of the right information together. I just think process is so much more important to establish ahead of time. And that's what we focus our preparedness efforts on with organizations. Tabletops are great. Tabletop exercises are great for kind of giving that true real world feel of what is this gonna be like? But I think most teams walk away from that.
More appreciative of the understanding of how to work with one another, more than the language that they ended up with at the end of the day. Martin Hinton (43:50) So we hear this phrase tabletop. What does that look like? How do they actually unfold? I mean, is it like a day long thing? I mean, tell me about the actual, maybe the literal makeup of a tabletop exercise. Do you bring everyone together or do you put a CEO on a plane with bad internet? I mean, how does that work? Kelly Miller, FTI (44:09) Yeah, absolutely. It totally varies in time. I think a half day is a pretty good timeline, a couple hours to a half day where we get true decision makers, the folks that would be in the war room in real time, and we present them with a make-believe scenario about a certain cybersecurity or data privacy, or increasingly we're doing way more AI infused tabletops because that's gonna be, we're gonna see more in that space. And then we talk about what would we do, who would we alert, what are the steps we're gonna take. And then what the FTI team, what my team does is then we kind of inject new escalations of, okay, first these systems are locked down, what are you gonna do? And then a couple hours later, it's, a reporter got... who was talking to a threat actor and has a couple of questions for you. How are you going to respond to that? So I think it's a really effective way to get that real, like, incident feeling without, you know, without sacrificing, without actually losing the sleep that you're probably going to during a live incident. So I find them really, really helpful. But a lot of our clients do both, where they will actually, you know, put together this full plan where, you know, we're establishing all those processes. You know, my team's also, you know, interviewing executives ahead of time.
We kind of talked about, you know, this fact versus reality of, you know, there's ways that certain things might work in practice, but how is information actually disseminated? We can see an organization, an org chart ahead of time, but it's not until we're talking to select people within that org chart where we really get an understanding of, these are the people that are talking to each other on a day-to-day basis. This is how information actually flows, which means that we should cut this person as a decision maker and it should instead be someone that's informing this person to tell us. So again, it's very bespoke and, yeah, just underlying this whole point, whether it's a tabletop or whether it's putting together a full plan, that, you know, you cannot fully prepare for any specific incident, but you can get that muscle memory going by thinking about this ahead of time and actioning, you know, some key steps. Martin Hinton (46:30) Not to be bad with the sports analogies, but it sounds like a scrimmage. Kelly Miller, FTI (46:33) Absolutely, yes, yes. Tabletop is a scrimmage, period. Martin Hinton (46:39) So I wanna come to some quickfire questions and I've got three of them that I shared with you in advance, for full transparency with the audience. Three avoidable errors you still see in 2025. Kelly Miller, FTI (46:50) I know I've probably beaten this point to death by this point, but it's one that is worth mentioning again, is over promising. Organizations that set the tone wrong in the early hours of an incident, whether that's promising to communicate too often or making really concrete statements about no data impact. It's just impossible to have certain information in such early days. And while I understand the instinct to want to share more and more, you have to have some discipline in verifying information and gaining a true understanding of what happened. Over promising, I think, is the number one.
A very niche one that has come up in just the past couple of months, but I think is a really helpful takeaway for organizations, is when we're talking about these different audiences, these different stakeholders, you need a way to reach them. And you certainly need a way to reach them when your Outlook might be compromised or you're not using certain communications channels as you normally would because they might be involved in the cyber incident. Make sure that you know how you're going to communicate with different customers ahead of time. So make sure that your email lists are up to date. Make sure that, a lot of the time, information is stored in different places. Marketing has one list. Legal might have another list. And so taking the time to make sure that you're really buttoned up in how you can reach different audiences, that's really, really important. And then the third mistake I would say is, it's just not leaning into transparency enough. Again, we talked about this healthy battle between, not battle, but discussion between legal and comms, and talking about legal risk, business risk. It can be a lot of an organization's instinct to just say nothing. And that leads to so many problems, that you're not gaining trust with your audiences, they're going to be more perturbed in the long run and more likely to escalate their situations, whether that's looking into the possibility of a lawsuit or trying to pull the plug on a connection between your two environments. If you're just stonewalling completely, that's just not gonna earn you any trust in the long run. So while you do need to verify facts, it has to be this happy medium. You have to say something and you have to be responsive. So I think those are the three main things. Martin Hinton (49:32) Is there any particular line or phrase you'd ban from a breach statement? Kelly Miller, FTI (49:36) That's a very good question. I think that...
Yeah, you did send this to me ahead of time, so I should have been better prepared. Martin Hinton (49:48) There's a reason I do that, because these are kind of pointed questions, but go on, give it a think. We can move on to the next one and come back to this if you like. Kelly Miller, FTI (49:56) No, no, okay, okay, a line that, you know, breach statements. You know, I really don't like the way that sometimes a lot of organizations will kind of defer to the concept of the dark web and threat actors in ways that make it seem scarier and more, and just kind of add a sense of mystery to, again, audiences that might not be used to the concept of threat actors. If you're naming a threat actor by these sometimes bizarre group names that they have, if that's going out into a media statement for, you know, reporters that might not necessarily be familiar with, you know, cybersecurity specifics, it can just be confusing. So once you get too niche in kind of cyber world, if you're not able to kind of dumb it down and walk things back and provide proper context, I really don't like that. So there's a few lines about, you know, actively monitoring the dark web that I just like to, sometimes it can be hard to avoid certain language because of legal requirements and because we want to make sure that we're opening ourselves up to the possibility of what might change down the line. But you need to contextualize that when you're going to get a little niche. So that's my answer there. Martin Hinton (51:14) Yeah, I mean, one of the things about this space is the, and again, I mentioned military history documentaries, there's a lot of inside baseball talk, right? Like people who have had years of education and experience in a very specific field.
And in order to, amongst each other, demonstrate their expertise and knowledge, they have acronym-laden conversations where you, I mean, I used to have a sort of an Excel spreadsheet where I would enter them and have their, and I just gave up. Now, if I don't know what it means, I just ask again, because there's just too many to keep in mind. And I see a lot of statements, not even in the crisis environment, but just regular statements that are meant to be press releases to the general media. And you're like, I would have to drop this into ChatGPT to have it explain it to me. And again, this is two and a half plus years now in this space, where I think that that idea that, given how much the technology world matters to all of us, the economy relies on these things to work. And when they don't work, even if it's just a technical problem like the AWS outage or the CrowdStrike update or a really comprehensive attack like the CDK automotive one, for people watching who maybe don't know this space, basically, you couldn't buy a car the way you used to. You had to go back to the old fashioned way and use paper for maybe a week or so. I can't remember exactly, but that's very disruptive. And I think that putting this in, again, human terms, taking all these ones and zeros and making people realize why it matters, is something that anyone listening in this space, you need to do a better job of, right? Because it really does matter. Whether it's boomers and retirees being targeted by AI cybercrime because they've got $1.6 trillion in assets, they are ripe for cons already. And it's only going to get worse for them. And you're going to wind up on the phone with your mom trying to work out why she bought 100 grand worth of Bitcoin. And it is a real, real problem. Which brings me to the last question, and you've touched on this. And it reminds me of a line that's one of my favorites.
Mark Twain in a letter wrote that the difference between the right word and the wrong word is no small matter. It's the difference between the lightning and the lightning bug. And I wonder whether there's a small change in wording that you've seen or you would ask people to consider, and maybe you've touched on this, that is one of those, words matter, right? Every little word matters. That's why press releases, it's so hard to get them out, as you touched on. We go back and forth through stakeholders over quotes from people on an agreement. And then if it's two companies, then it's two companies' worth of it. And they're kind of siloed in a way that is normal and helpful in the way companies are organized. So get used to it. Is there a word that sort of harkens back to the lightning and the lightning bug in Mark Twain's phrase? Kelly Miller, FTI (54:02) Yeah, I really like this question. Anytime we're going to bring Mark Twain into an interview is a win for me. But I think there's an easy answer that touches on legalese and a lot of the way that I need to be in lockstep with the lawyers that I'm working with. But then I think a bigger point that I also want to make. So first is that you always want to think ahead, you know, about, you want to make sure that you're taking into account legal risk and that facts can change. Is that an incident can look so different in the first couple of hours than it might in a few days. And so we always want to make sure that we have those proper caveats, you know, at this time, at this point in the investigation. Here's what we know. But I think the broader point on that is to make sure, you know, if you say, you know, it's very easy to say, you know, at this point, we don't believe data was exposed, because maybe you haven't even looked into that at all. That doesn't mean you should be saying it.
You should have a high degree of confidence before you're even going to introduce that concept into the world, that we don't think data was exfiltrated. Technically, sure, at this point, you don't know that, but that doesn't necessarily mean that you want to say that. Words still matter, that even if they have the proper caveats, that might not be a road that you're willing to go down. So I think that's an important point. But just to make sure that we are always anticipating potential lawsuits, potential regulator inquiries as we're putting together language. Some of our discussion really sparked this other idea that I had for this question, is that a small change really matters, in that you could get, a company that's actively experiencing a cyber incident could receive an inbound question. And instead of just responding to say, no answer or no update, which might be true to a degree, how can you escalate that internally? How can you make sure that you're being mindful of this ongoing relationship that you have with this organization? Or is it a moment in time where you might need to get CISO to CISO on a call to have a little bit more of a conversation than lawyers might be comfortable putting something in writing. So I think it's just really important to make sure that you're thinking creatively about, yes, we might be bound by certain facts at this time, but how can we build trust in other ways besides just written communication? So that was another thing that just came to mind for that question, and kind of small changes that, non-updates, there's very different ways to handle those. Martin Hinton (56:36) Yeah. Yeah, I envy you in that I like challenging things, but in a time when people have grown about as cynical as maybe ever in the modern age, trust is easy to lose, hard to gain, hard to maintain, hard to gain back. I am, again, like that idea of the transparency, authenticity. The word I always like is, I don't like the word truth.
I like the word honesty. And I think that we can be straightforward with what we know now. Be clear about that. And moving from Mark Twain to Star Wars, there are no absolutes, right? Only the dark side deals in absolutes. The idea, you don't say anything. You don't put it out there for yourself to be bitten by it later on. It's hard to do though. It's so hard to do. Listen, we've been talking about an hour, Kelly. So I wanna give you the opportunity to touch on anything that maybe we discussed that you wanna bring up again, or maybe there's something that- Kelly Miller, FTI (57:10) Yeah. Martin Hinton (57:39) that was in the rundown that we discussed before this that we didn't get to, that you do want to talk about. Is there anything else you'd like to say before we wrap up and say good night? Kelly Miller, FTI (57:49) Actually, one point that we made ahead of time is not only is preparedness so important, what I often find myself is so important in just, again, building that muscle memory, having a better response in the moment, it truly will save you money in the long term as well. Like a lot of organizations, I think, are resistant to doing too many exercises, and I completely empathize with the point that, like, a lot of cyber can be seen as a cost center if you're not positioning it in the right way. I can just say from experience that the clients that we've worked with ahead of time, ahead of their incidents, we are so much more efficient when it comes to working in times of crisis. And it always pays off to think about these things ahead of time. So that doesn't mean that you need to spend millions of dollars on a communications plan, but starting to think about this even internally is so, so important. It'll give you such a leg up. Martin Hinton (58:50) And there is an enormous amount of resistance. You see it in all the reporting about CISO burnout. I mean, it's the least enviable job in the C-suite ever.
And to your point about planning avoids cost, avoids greater expense. You're starting to see, because there have been incidents where you can do comparatives now where it's clear, we're talking about millions of dollars less in lost sales and that sort of thing. And again, it's so basic, the idea that if you practice for things when they might go wrong, Kelly Miller, FTI (58:57) Absolutely. Martin Hinton (59:18) when they do go wrong, because I've got news for anyone out there, it's going to happen to your company, small, medium or large. You are not immune from this sort of problem. It's like having a warehouse where you store lumber and not having a fire alarm or sprinkler system. It's so very basic. And again, to your point, the number of companies that are like, not this quarter, not next quarter. And it is profoundly. And again, two plus years in this space now as a journalist, I'm stunned by the fact that, to put it bluntly, a lot of cybersecurity really sucks at big companies. It's stunning to me. Again, if you're in the cost center, corporates don't care. It's just a way to, again, we'll get through it, I guess. Well, listen, is there anything else you'd like to touch on? Kelly Miller, FTI (59:54) Totally. No, this was such a good conversation. I look forward to sending this to all my relatives who don't know what I do for a living. Martin Hinton (1:00:17) That sounds fantastic. Well, Kelly Miller with FTI Consulting. So grateful for the time. It's been really, really fascinating. I think that there's a lot to take away for the layman all the way up to the board level. I really do appreciate you taking the time to share your expertise and your experience with us on this topic. Everyone else, thanks so much for watching. If you've got a question or a comment, please drop it wherever you might be listening to this. And if I can't answer it, which is highly likely, I'll get back to Kelly.
Kelly Miller, FTI (1:00:18) You Martin Hinton (1:00:44) You can find her at the links in the show notes, as well as FTI Consulting. So if you're looking for an expert who can explain it in simple terms, I recommend it. So we'll cross the editorial barrier there. Again, thanks for watching. I'm Martin Hinton. This is the Cyber Insurance News and Information Podcast. Enjoy the rest of your