Insuring Cyber Podcast - Insurance Journal - EP. 5: Expecting the Unexpected: Cyber Lessons from 2020

EP. 5: Expecting the Unexpected: Cyber Lessons from 2020

01/13/21 • 20 min

Insuring Cyber Podcast - Insurance Journal

What is the biggest lesson that cyber insurers should carry into 2021 after a year in which the COVID-19 pandemic took center stage?

In the first Insuring Cyber podcast episode of the new year, Tim Zeilman, vice president and global cyber product owner at Hartford Steam Boiler (HSB), discusses how lessons learned from the coronavirus pandemic and from recent significant cyber attacks are more related than insurers may think.

“I think the lesson is pay attention and learn the lessons of the close calls,” he says. “So when you think about the COVID-19 pandemic that we’re in the midst of right now, it’s not the first one. We had inklings that things like this might happen.”

Indeed, over the last decade, disease outbreaks such as Ebola and H5N1, or the avian flu, hit the news, although these outbreaks never amounted to the same global scale as the COVID-19 pandemic, he explains.

“I think you can make an analogy to cyber attacks,” he says. “We haven’t seen the big one yet. We haven’t seen the massive cyber hurricane that everybody worries about and models, but we have seen some smaller events. In particular in 2017, we saw NotPetya and WannaCry.”

He says the message to be taken away from this pandemic as well as the cyber attacks seen in the past few years is don’t ignore the near misses.

“Don’t expect that the future is going to look like that – that we’re always going to have these small, somewhat contained events that might be big but are not the massive big one,” he says. “I think that the bottom line there is really to keep your focus in cyber insurance on accumulation, to plan for that big one that might look like a WannaCry or a NotPetya event but on a much larger scale and much greater impact, and plan for what that would mean to your cyber insurance business.”

Also in this episode, Lauren Winchester, vice president of Smart Breach Response at Corvus – a provider of artificial intelligence driven commercial insurance products – takes a look back at some of the big trends in cyber insurance in 2020 and discusses what cyber insurers should be paying attention to in the new year.

“I think visibility into vulnerabilities is going to be really key – how cyber insurers manage to partner with other vendors or build in-house capabilities in order to get a better sense of their risk pool and the vulnerabilities among their policy holders,” Winchester says.

She adds that going forward into 2021, it will be important for cyber insurers and their clients to establish a greater partnership in order to better understand how they can work together.

“I think insurance buyers in working with their brokers should really be considering what else their cyber insurance company can be doing for them,” she says. “It’s really so much more than just risk transfer at this point, and they should and can ask more of their cyber insurer.”

Thanks for listening and be sure to check back for new episodes every other Wednesday published together with Insurance Journal’s Insuring Cyber newsletter.

The post EP. 5: Expecting the Unexpected: Cyber Lessons from 2020 appeared first on Insurance Journal TV.


Previous Episode

EP. 4: What Cyber Insurers Should Know About the Federal Ransomware Advisories

As the COVID-19 pandemic and the switch to remote work have highlighted cyber risks and drawn attention to the various methods cyber attackers are using, ransomware has continued to steal the spotlight.

Ransomware is a type of malicious software that is designed to block access to a computer system until a ransom is paid, and these attacks have increased in severity and frequency in the past year alone.

Just this October, the U.S. Treasury Department issued a warning that individuals or businesses, including cyber insurers, that help facilitate ransomware payments could be violating anti-money laundering and sanctions regulations.

The warnings came in a pair of advisories, one from the Financial Crimes Enforcement Network (FinCEN) and the other from the Office of Foreign Assets Control (OFAC). The advisories came as the FBI and Homeland Security officials also warned in October that Eastern European criminals are increasingly targeting U.S. hospitals with ransomware and urged healthcare facilities to beef up their preparations.

“[The advisories] are going to create potential exposures and potential costs that arguably were not there before,” said Josh Mooney, chief privacy officer at Philadelphia-headquartered law firm White and Williams LLP, in this episode of the Insuring Cyber Podcast. “Cyber carriers are now going to have to take a look at what are some additional liabilities out there? And are they going to run afoul with U.S. law if they honor the obligations they have under their policies to help pay for a ransom caused by a ransomware attack?”

In particular, he added that these advisories will almost certainly add an additional layer of cost and potential liability with carriers in forensic firms – a layer that only adds to the already increased proliferation and sophistication of these attacks.

“Ransomware attacks that we’re dealing with today are very different than the ransomware attacks that we addressed and saw even as recent as 12, 14 months ago,” he said. “Before, again, as recent as a year, year and a half ago, the typical ransomware demand would be maybe in the five or six figures. Now, many of them start in seven or even eight figures.”

Ransomware has become so common that it’s actually turned into somewhat of a business model, according to Michael Carr, head of underwriting at insurance provider Coalition. He explains in this Insuring Cyber Podcast episode that there are groups – sometimes referred to as Ransomware as a Service, or RaaS – that establish footholds on companies’ networks and periodically sell that access to other groups who will drop malicious software on those networks and seek a ransom.

“So it is a situation where there’s the potential that you can be a victim more than once if you don’t properly recover from the first attack,” Carr said.

With this in mind, Carr urged victims of ransomware attacks to act quickly and work with their cyber insurers to respond.

“This is a situation where the first thing I would say is for Ghostbusters fans, who are you going to call if the incident occurs?” he said. “So is your cyber insurer going to have somebody on the other end of the phone line who can actually quickly engage all of the right resources, legal forensics, etc., to respond to the attack? Because generally speaking, the longer it takes to respond, the more expensive these things can become.”

Check out this latest episode of the Insuring Cyber Podcast to see what else Michael and Josh had to say and be sure to tune in every other Wednesday for new episodes published along with the Insuring Cyber newsletter.

The post EP. 4: What Cyber Insurers Should Know About the Federal Ransomware Advisories appeared first on Insurance Journal TV.

Next Episode

EP. 6: Making Waves: How New York Became a Leader in State Cyber Regulation

New York State Department of Financial Services (DFS) Superintendent Linda Lacewell spoke with Elizabeth Blosfield during the most recent episode of the Insuring Cyber Podcast about how she has always seen New York as a leader in cybersecurity and innovation.

After being confirmed to her post as DFS Superintendent in 2019, this is a legacy she aims to further.

“When I came into DFS...it quickly became apparent to me that the waves of innovation are crashing on the shores of everything that we regulate,” she says, adding that she believes “cybersecurity is the biggest risk for government and industry bar none.”

Lacewell says she saw this as an opportunity to continue elevating cybersecurity and innovation as matters of focus during her time at DFS, establishing its first cybersecurity division in May of 2019, and just two months later, establishing a new office of innovation at DFS.

Even before Lacewell’s time as superintendent, DFS was placing a greater focus on cybersecurity with its implementation of a first-of-its-kind cybersecurity regulation in March 2017 under the leadership of former DFS Superintendent Maria Vullo.

“I think this was a tsunami through the world of financial services,” says Peter Halprin, partner in law firm Pasich’s New York office, earlier in the podcast episode. “What it did, I think most importantly, and this was its design, was kind of forced the issue and forced the notion that companies need to pay attention to privacy and data at the highest levels, expressly senior management.”

In fact, DFS filed its first charges under the regulation in September of last year, serving a notice of charges to First American Title Insurance Company after alleging it exposed millions of documents containing consumers’ personal information. Halprin says this action was important as it demonstrated how New York’s cybersecurity regulation will be enforced moving forward.

“I think that this is an octopus,” he says. “It’s got a lot of arms and a lot of tentacles, and it’s going to go in a lot of different directions in terms of how it implicates coverage. But the First American action gives us all, I think, a moment to pause, reflect and think about what may come and what we should expect in the U.S. and perhaps elsewhere.”

Later in the year, DFS issued a report following its investigation into a cybersecurity incident involving social media company Twitter, in which verified accounts of public figures were hacked to tweet links pushing a bitcoin scam.

Twitter released a public statement on July 15, the day of the attack, saying that it immediately locked down the affected accounts and removed Tweets posted by the attackers when it became aware of the hack. It shared in a September 24, 2020, blog post that it plans to continue to prioritize and accelerate its efforts to increase the security of the platform and its teams.

“Protecting people’s privacy and security is a top priority for Twitter, and it is not a responsibility we take lightly,” a Twitter spokesperson told Insurance Journal in an email. “We have been continuously investing in improvements to our teams and our technology that enable people to use Twitter securely. This work is constant and always evolving.”

However, Lacewell is calling for increased regulation of social media companies in the future.

“The social media companies have become gigantic,” she says. “We as a society allowed it to happen. They got way out ahead of us, without regulation. The digital transformative changes have been happening alongside, generating the risks to cybersecurity. Government did not adapt, and that was a failure of the federal government because these systemically important companies now present, I believe, systemic risks and nobody is addressing them.”

For more insight into how New York is shaking up the world of cybersecurity and state cyber regulation, check out the rest of this episode and be sure to tune in for new episodes of the Insuring Cyber Podcast every other Wednesday. Thanks for listening.

The post EP. 6: Making Waves: How New York Became a Leader in State Cyber Regulation appeared first on Insurance Journal TV.
