From supply chains to the boardroom, cybersecurity is impacting our economy. It’s no longer a question of ‘if’ your company will be targeted, but “when” will it happen. In Episode 4, Barry Hensley, Chief Threat Intelligence Officer at Secureworks and Souwei Ford, Atlantic/SE Cyber Team Leader at Willis Towers Watson talk to Roy Hadley and Chris Kane about cyber crimes, how it’s become an invisible economic threat, the questions businesses should be asking, and the actions that need to happen now.
Listen online and find us wherever you subscribe to podcasts on Anchor.fm
Transcript and Show Notes
Host: This is Boom! The Southeastern Commerce Podcast brought to you by the law firm of Adams and Reese. We talk with regional leaders in trade, economic development, government, and business as we explore what’s new and what’s shaking from Texas to Washington, DC.
Christopher Kane: Welcome to this episode of Boom!, a podcast sponsored by Adams and Reese. I am your host, Chris Kane. We’ve got a really important topic today, and, you know, on this podcast, we spend a lot of time really talking about economic development areas and projects and where we see commerce opportunities particularly on the horizon or, you know, in the process of really blooming. Today we’re going to take a little bit different approach, and it’s one that’s really important to commerce, and it’s cybersecurity. Anybody who’s been paying attention to the business world now for probably the last, you know, three to five years, it is in headlines upon headlines upon headlines. And it’s a really critical and important topic to discuss, understand, and appreciate in terms of how it can be a threat to your business, how it can be a threat to you, your customers, your employees, and we really want to do a deep dive in this arena today.
And doing research for this—and I’m going to introduce a few folks here in a second—I’ve learned a little, and I’ve got some folks here who know a lot. But in 2020, based on some research I did, I understand that over $1 trillion in global losses occurred from cybercrimes. It just blew my mind. In 2020, in large part or at least a credit to what we’ve seen with COVID, we’ve seen four – a fourfold increase in cybersecurity complaints. Again, a lot of people going home, working remotely, and how the pandemic has impacted, of course, every – yet another area of our lives.
So to understand these issues better and to bring some information to you, we have reached out to a couple folks. First is Roy Hadley, who is special counsel here at Adams and Reese and is on our Privacy, Cybersecurity, and Data Management team. And we also have Sou Ford. Sou is with Willis Towers and Watson, where Sou runs the cyber team for Willis Towers and Wilson. And we also have retired colonel Barry Hensley, who leads Secureworks’ Counter Threat Unit and Cyber Threat Analysis Center.
As I mentioned, I’ve got folks here who are a lot, lot smarter than me on cybersecurity. And to get us kind of rolling, Roy, why don’t you help me introduce our guests today and talk a little bit about what the three of you do on a regular basis in cybersecurity and explain that to our audience?
Roy Hadley: Fantastic. Thanks, Chris. It is a pleasure to be here today, and it’s a pleasure to really have couple of people that I consider to be friends and good buddies and partners in crime—no pun intended—with respect to cybersecurity. Both Sou and the Colonel – and I call Barry the Colonel because I feel like we’ve been through war together. But both – I’ve had the pleasure of working with both of them, in particular with the City of Atlanta when the City of Atlanta had its ransomware attack back in 2018. Sou was in charge of the insurance program, and we worked with Sou to help kind of get us back and get insurance going and renewals and those sorts of things on the cyber front. And then the Colonel and I spent many a day in the bowels of city hall really kind of working through the ransomware attack and getting things back in order and getting the city set up. So I feel very close to both.
And I’ll start with Sou. Sou, I know, again, you’re in charge of cyber over at Willis Towers Watson, and what do that mean? What are you doing over there with respect to cyber insurance?
Souwei Ford: Thanks, Roy, and thanks for having me on today. So I fit out of the Atlanta office for Willis Towers Watson, where I head up the cyber team responsible for the mid-Atlantic southeast region. I’m also the national resource for public entity cybersecurity. So in my role, we consult with clients on issues relating to the procurement of cyber insurance, which these days is quite complex and involved because the underwriters have such a heightened scrutiny these days with regards to cybersecurity and specifically policies, procedures, and controls and the security posture and architecture of the organization. So we find that we’re often helping the risk managers connect with their IT professionals internally to ensure that there’s a good story to tell and/or providing some best practices for consideration to the IT team so that when it comes to the procurement of cyber insurance that we’re able to get the best terms and conditions available in the marketplace.
Roy Hadley: Good stuff. And, you know, you mentioned something that we’re going to really – I think Chris is going to kind of pull out of you a little bit more, and that’s how cyber ultimately affects – business cyber insurance affects the risk management profile of a business and how that affects the economic development of that business in, quite frankly, their operations. So great stuff. Look forward to talking about that.
Colonel, I’m a big movie buff, and one of my favorite movies is Pulp Fiction. And anybody that has seen the movie, you know, they know an incident happens, and they’re worried about it, Samuel L. Jackson. And he finally calls somebody, and they say, “Well, I’m sending the Wolf. The Wolf is on his way.” And he said, “That’s all you had to say: the Wolf is coming.” And I look at you as the Wolf. You know, when Colonel is coming, then you’re in good shape. May not be a good thing that he’s coming because that means you had a problem, but he is definitely one that can help solve that problem. So if you don’t mind telling us, what do you do at Secureworks? What’s your role other than being the Wolf?
Barry Hensley: Roy, I appreciate, one, the opportunity to come talk about a very important topic but also a tremendous partner that you specifically has been through so many incident response engagements that we’ve done over the years, as you’ve been a great mentor and advisor through this journey because any time an organization is in – having an incident or a breach, obviously that’s a very critical, emotional event for that leadership team, and how they respond is ultimately going to determine how that business is going to be resilient and recover.
And so I’m – and I appreciate the compliment, but honestly, I’m blessed to be surrounded by, you know, an organization, Secureworks, a managed security service provider who supports 5,000 customers in 63 countries. And based upon that, I’m able to leverage the tremendous insights of threat researchers, incident responders, individuals that know how to emulate the threat, but also people that are in what I call the daily fight of the security operation center. And through their various insights, it lets us make the right informed recommendations of how the organization should not only prepare – hopefully, prepare your organization to defend your network, but if you are breached, how you’re going to rapidly respond and recover from that as well. And so the day in the life of Barry Hensley is somewhat complex but also very inspiring as well because we do believe we’re making a difference in the security industry.
Roy Hadley: Absolutely. And for both of you – and then I’ll kind of turn it back over to Chris to follow up on this. He mentioned a $1 trillion number for cybercrime and the impact of it. Do you all think and have you seen that number’s right, or is it more or less?
Souwei Ford: Well, I would guess that we’re probably in that area, but if anything, we’re probably underreporting or underestimating because there are a lot of incidents that are not reported, and we’ve certainly seen some small to midsize companies who have gone out of business because of a cyber event. So not sure how you quantify that, but certainly, I think we’re in the right realm. But if anything, we’ve underreported that number.
Roy Hadley: Colonel, your thoughts?
Barry Hensley: Yes. I totally agree. I think – if you look into probably the top three cybercrime-related activity that we see, it’s actually – you know, we’re going to talk a lot about ransomware today. It’s actually continued to be business email compromise. And if you look at the FBI reporting over the last couple of years, there’s been close to – in 2020, I think it was about 20,000 business email compromise complaints that were actually reported to the tune of about, I think, 1.8 billion or something. But we – just the amount of business email compromise that we see just across our sample of the industry at large, when you start to do the math of what that looks like across the globe, it’s got to be ten times that. It’s just back to the soundbite of who made a complaint or who reported it versus the true insight of the magnitude of the impact, both in financial laws but also individual organizations’ impact.
Now, if you then go with the – to the ransomware discussion – you know, if you go back and look at Colonial Pipeline, which was impacted by a DarkSide threat actor, you know, we were doing multiple engagements with the threat actor DarkSide around that same timeframe dating back as early as the Thanksgiving period. Well, those never made the press, and so while there were a lot of emotional concern around that specific threat actor and the impact it had to critical infrastructure, we solved just as much impact in the areas that organizations never thought about. And so I do believe that those numbers are probably underestimated only for the fact that if you start to multiply what we actually see with what’s reported, it’s probably truly a larger number.
But in the end, I think it’s all about the impact to everything, of the businesses, to the economy that we need to assess when this is all said and done. I am concerned about the critical infrastructure of the nation, but who would have ever thought that a meat packing company would all of a sudden become critical to the food supply of the nation from a cybercrime perspective?
Christopher Kane: Well, I love how right out the gate Roy does a little fact check on me, and had the research come back incorrect, I would’ve told everybody that Roy is the one who gave me research. But since it comes back that it – it sounds like it’s about right, if anything a little bit underreported. I’ll take credit for it, Roy.
Roy Hadley: There you go.
Christopher Kane: Well, Barry, you know, let’s stay along this line for a second. You were mentioning business email issues and ransomware and social engineering and how these different ways and modes of attacks are occurring. We – here at the farm – and it just – anecdotally of our own business, we’ve gone through a number of improvements and practices and testing our own folks and ourselves to be more aware and understanding of threats, right? And so the appreciation I have from it, since this isn’t my area of the law, is my own experience in terms of what we’re being taught and what threats we see coming our way. It’s critical to all businesses, right? And it’d be helpful maybe if you could talk about some of those threats and what – and how they’re different from each other and what folks should be really on the lookout for and why it’s important, the why in terms of evaluating your operations, evaluating your hard business structure in terms of day-to-day operations.
Barry Hensley: Wow. That’s more of a dissertation, I think, is what you’ve asked for.
Christopher Kane: {Laughs}
Barry Hensley: I will attempt to provide some brevity of an answer. First of all, I think it’s important to know that much of what we initially see – if you look at our incident response engagements we did last year—you know, let’s just say it was about 1,500 breaches that we were involved in—83% of those were cybercrime related, you know, an adversary trying to monetize their access. And it was about, you know, 10% that was traditional nation state looking for intellectual property or something from a – that enabled their – a national interest. We saw insider threat, probably another 7 or 8%, and then, you know, a small degree of hacktivism was out there.
But if you peel back the cybercrime perspective, people don’t realize just how much of that is opportunistic. I think a lot of people, going back to Roy’s point, think this is some Tom Clancy movie, and somebody woke up today and said, “I’m going to build a targeting plan against some specific manufacturing company, and all of a sudden, I’m going to go make $40 million.”
A lot of that’s very opportunistic, that these adversaries were scanning the Internet, looking for known vulnerabilities. And based upon those known vulnerabilities, they stumbled into some organization, and they did a Google lookup inside of a host machine and says, you know, “Oh, believe it or not, I just got, you know, access to a $30 billion, you know, biotech organization.” And all of a sudden, they then turn that into more of a focused, targeted I’m going to go build a campaign to now monetize the access that’s out there today. And so one thing I would tell you is don’t be the opportunistic success of a threat actor.
And so what does that really mean? How well do you know your attack surface? How would you know your environment from an adversary perspective? And so if an adversary is sitting outside in and they’re looking for avenues of approach in your environment, what does your parameter security controls look like? What does your supply chain look like? How potentially could an adversary take advantage of a supplier that’s supporting you, has the backdoor into your environment? You make some changes associated with moving people to remote. Who hasn’t implemented multifactor authentication? How can they take advantage of the places you took risk and exceptions that ultimately give them a small crack in a window that allows them to pry their way in?
And so I think about it all the time as it’s – you need to assess – do an ongoing assessment in the organization—notice I said ongoing—where you’re emulating a threat. You’re testing your ability to respond to – your ability to detect the emulation of the threat. And you’re challenging yourself that if the bad day happens, have you rehearsed? How do you minimize the impact of the adversarial success into your environment?
Roy Hadley: And…
Christopher Kane: Yes, it is…
Roy Hadley: Chris, I’m going to jump in one second, if you don’t mind, because one thing that Barry said that – multifactor authentication, you know, is key, and that’s one of those kind of basics that you have to have now. And I know I’ve had conversations around the insurance market and companies trying to get insurance and what – the multifactor being one of those things that if you don’t have in place, you almost can’t get cyber insurance. Is that – I’ve heard of that. Sou, is that true? And if so, what other things that you have to have that some of the things that the Colonel mentioned, but there may be others, that you really have to have from a cyber hygiene perspective to one, make sure your enterprise is as safe as it can be but then two, to be insurable, let’s just say? Okay.
Souwei Ford: So, Roy, absolutely. Underwriters these days have heightened their scrutiny of potential insured clients, and they are keen to see some specific policies, controls, and security measures in place. And these tend to be, I think, fairly basic security measures. So the first and most important really is multifactor authentication, or MFA. Underwriters would love to see organizations fully deploy MFA. However, I think minimally they want to see MFA deployed for remote access, email access, and privileged access so that they can ensure that that minimum requirement can alleviate in many cases, according to the underwriters, somewhere between 60 and 95% of the claims that they are seeing.
The second item that most underwriters will want to see a client or an organization have is an incident response plan. So we’ve seen many companies deploy and test over the years their disaster recovery and business continuity plans. However, so many of them still lack the components if they were to suffer some sort of cyber event. So I think some of the more recent examples that we’ve read about in the news, these companies have had plans. Unfortunately, none of them took into account or did they practice issues stemming from a cyber event.
And the third item really are backups. So even if you should have a hacker come into a network, if you have segregated and/or encrypted or some sort of immutable backups that you can have access to, then you’re more likely to be up and running a lot sooner than companies who have trouble getting access to their backups as well as mitigating any perceived need to pay the ransom demand. So we are seeing now with the capacity in the marketplace being so restrictive that for many clients seeking either new coverage or additional coverage, that not having all three results in an automatic declination to propose any sort of coverage by the carriers.
Roy Hadley: Wow. That’s impactful because I know a lot of companies depend upon cyber, unfortunately, as their main cyber risk reduction strategy.
Souwei Ford: Oh, absolutely. The cyber policy is at its core a balance sheet protector, so it absolutely will provide coverage for the expenses related to responding to an incident. But we also find that the resources that these underwriters have put in place to be at the disposal of these insurers is very valuable as well, as are the pre-negotiated rates with these vendors. So there’s a lot of benefit to these policies these days, but certainly for some either public entities and/or private organizations, you know, this could be the difference between staying in business and not staying in business. When there is a cyber event, the expenses are pretty much loaded up front, not like typical litigation where you can spread the cost from quarter to quarter. So having the correct cyber insurance and having enough limit is absolutely critical these days.
Christopher Kane: Sou, let me ask this question, and it may not – I may not be as artful as I would like in asking it. I’m familiar with a lot of disaster recovery work and, unfortunately – we’ve talked about on the podcast before. Unfortunately, in our footprint, we’ve had a lot of experience particularly with natural disasters and the BP oil spill, and now, of course, we all have enough experience dealing with a pandemic. But this – you know, those instances that – how you go about being able to evaluate, you know, an actuarial of the losses and historical occurrences – cybersecurity, to me, is – it’s just a different – completely different animal to attack from an insurance perspective. I mean, as I appreciate literally anywhere in the world one can be sitting there, planning and/or acting upon an attack and doing the damage, right? And the technology is increasing day by day on all fronts, including the ability to conduct attacks. So how does the insurance market go about pricing this sort of protection and risk mitigating product?
Souwei Ford: That is – that really is the question. I think, you know, previous to this year, 2021 and 2020 and the pandemic and the massive boost to remote work, there was a lot of carriers jumping into the cyber insurance space. And so with any product, right, there’s that supply and demand. And because there was so much supply, the coverages got really broad, and the prices got really competitive.
And then when ransomware really started to accelerate and more and more companies felt that they had to pay the ransom, that’s when the profitability really turned for many, many carriers. And for some carriers, they were starting to see that they were going to be profitable very shortly. So I think we’re at a place in the market where we are looking at significant increases to premium because I think that the underwriters are seeing that the frequency has gone up as well as the severity for these claims, and so they’re now having to price into the product both frequency and severity.
And then also terms and conditions. So for clients that don’t have all of what they deem to be minimum standard of security measures, right, they’re not only going to increase your retention or deductible, maybe provide lower limits, but they’re going to start to take away certain coverage. So for clients that really don’t have, you know, at least MFA and separate encrypted backups, et cetera, they don’t have EDR, they have open ports when they’re doing the external scans, we may find that ransomware as a coverage is excluded from the policy.
And so a lot of clients are left thinking, “Well, what am I buying if I’m not getting ransomware coverage?” I mean, we still do have traditional hacks. We still do have loss of personally identifiable information, and there is that privacy component of the cyber policy. But you’re absolutely right; there’s a significant coverage that is being taken away. And some carriers are allowing a midterm review so that if the insured does adopt some of these controls and security measures, they can regain the coverage back.
So I think we’re actually in a time when we’re all trying to figure it out, and you have some winners and you have some losers. And the winners are going to be the ones that have been really proactive in making sure that they do have the proper controls in place, and they do have an incident response and business continuity plan that does include cyber events. And for those that don’t, you know, they’re really paying the cost right now and potentially getting very restrictive coverage.
Barry Hensley: Yeah. And, you know, it’s interesting because I think on a broader scale too – in my practice and I think as our firm is seeing this evolve with our variety of clients, we’re seeing – it’s not just pushback. It is requirements in contracts now to have certain standards met and to basically satisfy—and it makes sense what you describe as the why—satisfy a hardening of the cyber systems being used when you are working with certain vendors. And I know even our firm has seen that with a number of our clients where we’ve got to take a look on how, you know, we improve and protect, you know, our clients’ information, our information. And it’s an ongoing, everyday, evolving process.
And, Roy, you know, I know you obviously are front and center with a number of clients, not just government, as you mentioned earlier, but also on the private side. You know, talk a little bit about what you’re seeing in this regard and some of the requirements and conditions and mandates that are being put on vendors through contracts and, as you go in and help evaluate a client, what you’re seeing in terms of what proactively they should be doing on the front end.
Roy Hadley: Right. Thanks, Barry. That is a great question because one of the things that we really are seeing a lot of in the marketplace is companies really starting to look at their vendors. Vendor vulnerability is – has always been huge. You know, it’s almost like a chain that you’re trying to build, and if you have a weak link from your vendor, then your chain is weak. And so we really are starting to see a lot in the marketplace of contractual requirements with respect to the cybersecurity posture of vendors.
That said, we’re also starting to see and I think we’re going to see a lot more of just actually making sure that what the vendor says is actually true. You’re going to start, in my opinion, see more companies making vendors hire firms like Secureworks to do an assessment of that vendor’s policies and procedures and posture that they’re saying they’re doing to make sure that they’re doing because, you know, you’re only – you know, a piece of paper is just that, a piece of paper. And if you’re not actually doing it, then, you know, nothing has been gained. So I think you’re going to see more of that independent certification of adherence to those contractual requirements.
You know, you’ve always had in contracts performance metrics and those sorts of things, and I look at cybersecurity and privacy as performance metrics. And so you’re going to see more of those because, as you and Sou both said, the market has changed. The market is morphing and will continue to morph because the threats are constantly evolving. So it’s a dynamic thing, and I think for companies to be as secure as they can, they’re going to have to be dynamic in how they approach this thing called cybersecurity.
Christopher Kane: Yes. You know, Roy, we – you know, this – on our podcast, we spend a lot of time talking about economic development and the direction of commerce and things we’re seeing. And as I mentioned at the beginning of the podcast, this area is – it is so important, and it’s something that we really need to talk more about, right, talking about what threatens really our basic fundamental economy. We saw not just a couple months ago a major supply chain debacle. And being involved in the global trade, transportation, logistics team, that woke up a whole lot of folks. I don’t know why they weren’t woken up before. They should have been, but, you know, we really – it – this topic is front and center of everybody’s mind, and it directly impacted the economy for a significant period of time.
I’d like – we’re getting close towards the end of our time today. I’d like to go to each of you and talk about in your mind – and I’ll – Barry, I’ll try not to make this a – such a broad question that requires a dissertation. But really if you could – maybe one or two things that you could tell our audience from a trend standpoint that concerns you and/or that they should really be aware of as it relates to being prepared and/or on how to address if a cybersecurity attack occurs. Barry, we’ll start with you.
Barry Hensley: Yes. I think it’s important to know that this is somewhat a chess game, and so many people are reacting to the last thing that happened. And so all of a sudden, we think about how do we defend the parameter? And then we said, “How do we defend the endpoint?” And in many cases – there was a recent paper that we had did around identity is the new parameter. And so when you start to think about your security program – you know, initially we saw a ransomware like the City of Atlanta where the adversary tried to encrypt a bunch of systems to include paid backups to bring a degree of pain to you that would inspire you to go pay.
And then everybody went and worked hard about building disaster recovery program, and so the adversaries – and then people stopped paying the ransom for a period of time. And then the adversary said, “Well, I’m going to do extortion. I’m going to steal data, and I’m going to name and shame you.” And then people, you know, didn’t pay that, and all of a sudden, they said, “Well, I’m going to notify your customers.”
And so my point is as we think through – I’m going to use the term the defensive measures that organizations put in place to reduce their risk. You ought to be thinking about what is the adversary thinking about their counter to that? So when the insurance companies say, “I won’t cover ransomware,” well, maybe the adversary pivots to, you know, a different type of extortion. And would that still be covered within the policies as well? And so I think for every action there’s a reaction, and how are you thinking through an ongoing living cybersecurity program, not one that was built to yesterday’s threats?
Christopher Kane: Yes. That – you know, that’s critical, and I think that’s exactly one of the concerns that I have in talking kind of – probably at a lower level than you guys are dealing with but from an economic development standpoint is really trying to get this across and make sure people have this as a priority and a focus. And I know the three of you each are dealing with that on a daily basis, sometimes on a front end but all to often on a back end. Sou, what are your thoughts?
Souwei Ford: Yeah. So I think, Chris, you actually write about why have companies not woken up to the issues, and it still surprises me somewhat when we speak with companies and organizations where there’s so much pushback against things such as encryption. “Well, it slows down, you know, the speed of my laptop. It’s one more step to encrypt,” or, “MFA is another step,” where that convenience outweighs the security. And it’s that mindset that really is problematic. And so what we’re finding now is because so many companies don’t want to layer on security measures, that they slow down the system or add steps to employees’ day of having to get privileged access or part of getting into the network remotely, et cetera, that what we’re seeing now is that insurance is pushing to have those security measures in place.
So this is absolutely an example of when insurance ends up driving business decisions rather than businesses coming to those decisions because it’s the right thing to do. And so what we get a lot is, “Well, why are the insurance carriers, why are the underwriting mandating all this?” And I think on the flip side, underwriters are saying, “Well, we’re kind of surprised that you haven’t already done this,” right? MFA – and correct me if I’m wrong here, but it’s been available for at least the last ten years, so it’s not new technology. It’s – you know, in some instances, it may take some effort to deploy, but it’s what the companies should do to protect themselves, their customers, their employees, and just the business itself. But it’s unfortunate that we’re finding that insurance sometimes drives those decisions.
And we’ve actually had conversations where the IT professionals are thanking us because they have been sounding the alarm for years, and they’ve never been able to get funding from senior management. So I think, you know, it’s the good and the bad, but hopefully, we’re all driving to more secure environments.
Christopher Kane: You’re telling me it comes down to the – to what every other decision comes down to, right? Money, money, money.
Roy Hadley: Money, money, money.
Souwei Ford: Right.
Christopher Kane: That’s right. That’s right. Well, Roy, what’s your thoughts?
Roy Hadley: You know, I think I’m going to echo what Barry and Sou both said but just in a slightly different way. And that is if I had to leave one piece of advice with everyone, it would be to think of cybersecurity as a dynamic thing and not as a static thing. Too often you’ll get someone that’ll say, “Hey, look, we have an incident response plan, and it’s two years old, but we have one.”
And the problem is that your business has changed, the threats have changed, the bad actors have changed, as Barry said. You know, they’re going to go where the money is, and if in, ransomware, they’ll go there as long as they can. If it’s in ransomware plus stealing data and trying to extort you that way, they’ll go there and whatever it is. And the thing is they’re very smart. They’re very creative. And so I would say to anybody think of cyber as a dynamic, ongoing business operation in and of itself, and be dynamic in your thoughts because your adversary is being dynamic in their thoughts. It’s not static. It’s ongoing.
Christopher Kane: Well, guys, this has been very educational. And candidly, as you guys all know and provide tons of information on a regular basis through webinars and preaching about the importance of this issue, it really could have like a two-hour program in order to try to begin to digest all the critical components. Unfortunately, for our podcast, we don’t have the format to do that, but I do appreciate it.
And before we go, I do want to ask one more question, and it’s a much more lighter question than cybersecurity and the much more important things we’ve been talking about. When we got on before the podcast, we all were talking about and lamenting on the hot southern conditions we have decided to live in, and we, I think, all are yearning for the fall. And so instead of talking about like we did during COVID and asking, “Hey, when X, Y, and Z restaurant opens up, where do you want to be and where do you want to go back to?” I want you to envision the fall. And you guys are in Atlanta. I don’t want to talk about football because y’all probably got some Falcons fans, and I’ll upset the Saints fans. But non-sports. This fall in Atlanta, what are you looking forward to doing when the temperature changes? Barry, we’ll start with you.
Barry Hensley: You know, I’m an avid bass fisherman, and right now the fish have went deep on me, so they’re pretty hard to catch. The fall, the waters cool off, and the fish start prepping for the winter, so I’m looking forward to getting back on the water.
Christopher Kane: Nice, nice. All right, Sou.
Souwei Ford: Wow. Non-sports. Well, I’m looking forward to maybe hitting the road and traveling. Oh, the fall is perfect because all the college students are back in school, and, you know, wherever you might go, it seems like it’s a little bit less crowded. So I would love to be able to hit the road.
Christopher Kane: Yes. And we all have cabin fever, I know, so I’m sure wherever you go will be fun. All right, Roy, what you got? What you looking forward to this fall?
Roy Hadley: Okay. So I – you know, you said non-sports, but mine is kind of pseudo-sports. I have twin 16-year-old daughters that play softball, and so they’ve been playing all summer. We were in a – we were at a tournament in Chattanooga, Tennessee, last week. It was 98 degrees. Humidity was high. I’m looking forward to being out on the softball field watching my daughters when it’s 80 degrees and the humidity is low and the breeze is blowing.
{Laughter}
So that’s my fall. {Laughs}
Christopher Kane: Yes, yes. Nice. Well, see, I was going to brag about Jazz Fest. We have fall Jazz Fest this year, and festival season is going to be in October. But you just made me change my whole tune, Roy, because my daughter is an avid golfer, and I’ve been trucking around golf courses all summerlong at 2:00 in the afternoon when it’s 110-degree heat index. So I’m with you. I’m looking forward to walking around a golf course when it’s in the 70s, and I don’t have to have 84 layers of sunscreen and sweat all over me. So that’ll be…
{Crosstalk}
That’ll be good. Well, look, in all seriousness, Sou, Barry, Roy, thank you so much. We’re going to continue this conversation, guys. And I know, Roy, your team is – continues to put out a lot of content. To our listeners, please look for that. You can find it at Adams and Reese’s web page arlaw.com. Please check us out on social media. If you like this podcast, I ask you to please, you know, share it, send it out. Invite your colleagues to listen with these important tidbits and information to help bring some awareness and critical thought to this topic. So thank you to you. And to our listeners, thanks for listening, and look forward to our next podcast.
Roy Hadley: Thank you all. Enjoyed it.
{Music}
Host: Thanks for listening. And if you like this episode, tell a friend. You can also find transcripts, links, and more on our website, adamsandreese.com