Strong passwords for employees. Using multifactor authentication for remote access, administrative access and email access. Avoiding having open ports to the outside that don’t need to be open. Utilizing next-generation antivirus or Endpoint Detection and Response. And understanding whether and how cyber insurance may support all of those things additionally.
As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Tim Francis, Enterprise Cyber Lead at Travelers.
Tim Francis is a Vice President at Travelers and serves as the company’s Enterprise Cyber Lead. In that role, Tim has oversight of the company’s cyber product management, including underwriting strategy and products for businesses of all sizes, public entities, and technology firms. A graduate of the University of Maine, Tim has been with Travelers since 2005, and became the company’s Enterprise Cyber Lead in 2010.
Q: Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
A: I grew up just outside of Hartford, Connecticut. I’m the youngest of six kids and grew up on a small farm. Went to the University of Maine and studied history with the idea that I would go to law school. One thing led to another and law school didn’t seem like the right path for me. After talking to some friends who were working in insurance, I realized that there was a lot more to a career in insurance than I initially thought and decided it might be a good opportunity.
Q: Is there a particular story that inspired you to pursue a career in cybersecurity?
A: I started to become interested in cyber issues and the connection with insurance back in the late 1990s when a lot of the focus in the industry related to cyber and technology issues was on Y2K and the implications that might have on society. That piqued my curiosity and my interest.
Q: Can you share the most interesting story that happened to you since you began this fascinating career?
A: It’s not really one story, but in this area of insurance I’ve had a chance to learn about the world of cybersecurity and an opportunity to meet and speak with professionals who are simply the best at what they do. They might be from the FBI, law enforcement, former NSA, military or the private sector and have fascinating insights into the world of cyber crime. It’s a pretty small universe of people in our part of the industry and many of these individuals have become friends over the years as we’ve shared information and intelligence in our respective areas of trying to work against cyber crime.
Q: None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
A: I began to take on cyber responsibilities at Travelers in 2007 and at that time the cyber industry was really in its infancy. But there were many individuals who had already spent and invested years in developing that industry. I can recall attending various conferences where I would simply begin talking to individuals, and they offered me advice and consultation. What was then a very small group of people was also a very close-knit and welcoming group of people. Those who helped me include Mark Greisiger at NetDiligence; John Mullen from Mullen Coughlin; and Toby Merrill, who was with Ace Insurance.
Q: Are you working on any exciting new projects now? How do you think that will help people?
A: With cyber, we’re almost always working on projects, whether that’s reacting to changes in the marketplace and changes in the threat environment, or trying to be proactive in terms of getting out ahead of where that threat environment may be. We’re discovering and identifying ways to better assess risk, model risk, underwrite risk and price risk, as well as help our customers with their own risk management and offer guidance and best practices to avoid incidents occurring. It’s an ongoing project that changes as fast as the threat actors evolve their tactics and procedures.
Q: What advice would you give to your colleagues to help them to thrive and not “burn out”?
A: To the extent that you can, make sure you have a great support system, both personally and professionally. Expand your resources internally and externally. Also, take advantage of the resources that might be less conventional. That might mean working with and getting expertise from your own corporate security folks, even though they’re on a different side of the same coin.
Q: Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
A: The pace of change in cyber means that there is never a dull moment. You’re always being forced to learn and challenge your own perspectives, challenge what is known versus unknown. To me, that is what’s exciting about the job.
Next, the people I get to work with, not only here at Travelers but the vendors we utilize pre- and post-breach. It’s a great group that is passionate about cyber. Along with the agents and brokers who sell these products, it’s a wonderful group to be associated with.
Lastly, at the end of the day, there is a tangible connection to the insurance coverages that we have and the value that we bring. Time and again, we hear stories about saving companies from going out of business when they have a cyber event because they had coverage with Travelers. Nothing makes you feel better about the value that you bring when you hear those stories.
Q: Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
A: The severity of the ransomware trend that we’re in the midst of is having a tremendous impact on the industry, on our customers, and on the way insurance providers are prepared to assess risk and price risk. There’s no sign that trend is slowing, so the industry really needs to find ways to appropriately address that challenge.
Q: What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
A: We are continually looking at ways in which we can best assess the threat landscape, and ultimately help our customers by identifying vulnerabilities they may have. One of the ways we do that is we utilize cybersecurity scoring data; an example of that is a relationship we have with BitSight that allows us to better assess the cybersecurity posture of many of our customers.
Additionally, we have a variety of partnerships that help our insureds avoid risk. That includes the partnership we have with NetDiligence, which supplies customers access to our Travelers eRiskHub; the partnership we have with Symantec that provides, among other things, a cybersecurity helpline to customers who need information to protect themselves better; and a new partnership we have with SentinelOne to provide a leading Endpoint Detection and Response solution to our cyber customers.
Q: How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
A: I don’t think there is any one-size-fits-all solution. Every company is different and has its own priorities that it needs to balance. But some of the ways that are important and impactful in terms of reducing the cyber security threat don’t need to cost a lot of money. For example, making sure that strong passwords are being utilized; making sure that various controls that might be embedded in software, such as multifactor authentication, are turned on, or closing ports that don’t need to be open. Even things like employee training don’t need to cost a lot of money, and many carriers, Travelers included, offer resources for organizations that may lack the means or may not know where to get started.
Q: After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
A: The ability to address it timely is critically important. One vital piece of information is having an incident response plan in place. No plan is perfect, but almost all plans are better than none. If an organization has a plan — and if it has practiced that plan — then when an event happens in real time, they’re better situated to deal with it.
Waiting until you have an event to think about this is the wrong time to do it. The value of having cyber insurance is not just using the insurance to offset the costs of an event. It’s being able to tap into the network of expert providers that an insurer has at their disposal to address the situation. That can be a breach coach, a forensic provider, a ransom negotiator, a data restoration organization and a public relations firm. Certainly, though, if an organization has cyber insurance, then they should be reaching out to their carrier as soon as they can following an event.
Q: How have recent privacy measures like the California Consumer Privacy Act (CCPA), CPRA, GDPR and other related laws affected your business? How do you think they might affect business in general?
A: They affect business in general because it creates another layer of requirements and obligations that a company may need to follow in order to protect their employees, customers or the public. Those can be confusing and complicated, particularly when an organization needs to run the business on a day-to-day basis. They may lack the ability to focus on and understand those issues and what the requirements mean for them, so to be able to access a network that can help guide them through it is important.
Q: What are the most common data security and cybersecurity mistakes you have seen companies make?
A: I think the most common mistake companies make is assuming that whatever solution they’ve put in place, whether that be software or training, guarantees that they won’t suffer an event. The sad reality is that best practices still aren’t fool-proof.
Q: Since the COVID-19 pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
A: Not necessarily errors, but there are certainly things that companies should be aware of with so many employees working remotely. Chances are that those employees are depending on routers that aren’t as secure as the corporate network. That might create a vulnerability, especially when an employee whose device has become compromised returns to the office. To combat that, stress the importance of strong passwords and employee training so suspect email links aren’t being clicked.
Q: Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
A: My five: Strong passwords for employees. Using multifactor authentication for remote access, administrative access and email access. Avoiding having open ports to the outside that don’t need to be open. Utilizing next-generation antivirus or Endpoint Detection and Response. And understanding whether and how cyber insurance may support all of those things additionally.
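The third of these five, closing ports that don’t need to be open, is the one a small team can check for itself in minutes. The script below is an added illustration, not code from the interview or from Travelers: it reads the output of the Linux `ss -tlnp` command (a constructed sample is embedded so it runs offline) and reports every service listening on all interfaces whose port is not on an allowlist. The allowlist of ports 22 and 443 is an assumption for the example; each organization would substitute the ports it has deliberately decided to expose.

```python
"""Flag listening services exposed on every network interface.

Added example; not part of the interview. It parses `ss -tlnp` output
(a constructed sample is embedded below) and reports listeners bound to
all interfaces that are not on an allowlist of ports the organization
has decided must be reachable from outside.
"""
import re

# Constructed sample in the shape `ss -tlnp` prints; the hosts, pids and
# processes are invented for the example.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=901,fd=5))
LISTEN  0       4096    0.0.0.0:3389         0.0.0.0:*          users:(("xrdp",pid=1150,fd=11))
LISTEN  0       511     *:443                *:*                users:(("nginx",pid=1300,fd=6))
LISTEN  0       128     [::1]:6379           [::]:*             users:(("redis-server",pid=1400,fd=7))
LISTEN  0       128     [::]:9200            [::]:*             users:(("java",pid=1500,fd=210))
"""

# Ports the business has deliberately chosen to expose (assumption for the example).
ALLOWED_EXTERNAL_PORTS = {22, 443}

# Local addresses that mean "every interface" in ss output.
WILDCARD_ADDRS = {"0.0.0.0", "*", "[::]", "::"}

# One LISTEN row: state, queues, local addr:port, peer addr:port, process column.
LINE_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+)\s+\S+\s*(.*)$")
# Process name and pid inside users:(("name",pid=N,fd=M))
PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')


def split_addr_port(local):
    """Split 'addr:port', handling bracketed IPv6 such as '[::]:9200'."""
    addr, _, port = local.rpartition(":")
    return addr, int(port)


def parse_listeners(ss_output):
    """Return one dict per LISTEN row: address, port and owning process."""
    listeners = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or non-LISTEN row
        addr, port = split_addr_port(m.group(1))
        pm = PROC_RE.search(m.group(2))
        proc = pm.group(1) if pm else "unknown"
        listeners.append({"addr": addr, "port": port, "process": proc})
    return listeners


def exposed_listeners(ss_output, allowed=ALLOWED_EXTERNAL_PORTS):
    """Listeners bound to all interfaces whose port is not allowlisted.

    Loopback-only services (127.0.0.1, [::1]) are fine and are skipped;
    anything on a wildcard address outside the allowlist needs a reason
    to exist or a firewall rule in front of it.
    """
    return [l for l in parse_listeners(ss_output)
            if l["addr"] in WILDCARD_ADDRS and l["port"] not in allowed]


if __name__ == "__main__":
    for l in exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"REVIEW: {l['process']} on {l['addr']}:{l['port']} "
              f"is reachable from any interface")
```

On a real host, replace the embedded sample with the output of `ss -tlnp` (or `ss -tulnp` to include UDP) and run it from a scheduled job; a listener that appears on the report and was not expected is exactly the kind of unnecessary open port the answer above refers to.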
Q: You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? (Think simple, fast, effective and something everyone can do!)
A: Be kind, and treat everyone the way you’d want to be treated.
Q: How can our readers further follow your work online?
A: I have a LinkedIn account, and most of the great cyber work we do at Travelers can be found at Travelers.com/cyber.
This was very inspiring and informative. Thank you so much for the time you spent with this interview!