Date(s) - March 3, 2021
12:00 pm - 1:15 pm
Cybersecurity and Cyber Insurance After COVID-19
Welcome to the Santomassimo Davis LLP webinar, where our team of highly experienced Outside General Counsel attorneys provides important information that you and your business can potentially act on. We hope to provide you with valuable information that can be used at work or in your life after listening to our discussion. For this webinar, our topic will cover a broker’s and an attorney’s perspective on cyber insurance and cybersecurity after COVID-19.
Adam Abresch will be joining our host, Alex Anglim, in this discussion to bring in a different perspective on brokers’ cyber risks and cyber coverage. We hope this discussion is insightful and helpful for you and your business as we share our knowledge from a broker’s perspective and an attorney’s perspective. If you would like to check out more of our webinars, you can find upcoming events here, as well as on our YouTube channel.
Alex Anglim 0:10
Hello, everybody, and welcome to the webinar. Thanks for joining us today. We’re going to be getting started with our program talking about cybersecurity and cyber insurance in the COVID-19 environment. And as we get started, I just want to do some introductory material. Again, thank you everybody for joining us. I hope the program will be valuable for everybody. It is our aim to provide all of you, our listeners, with actionable information that you can use when you go back to your desks and back to your offices after you listen in. So thanks for your attention. And as I said, we’ll try to make that pay off for you. To start with, we have a brief agenda, a capsule agenda. We’re going to begin, as I said, with an introduction to my law firm, and also to my co-panelist, Adam Abresch, and his firm, Acrisure. Adam has a presentation for you on the broker’s perspective about cyber risks and cyber coverage, where he’ll go into some detail and provide you with a lot of information you can use from his particular perspective. Then I have a presentation for you from my perspective as an attorney, as policyholder counsel, on some key terms and issues that you should be aware of as you move forward and make your decisions about purchasing cyber policies, renewing cyber policies, and making sure you have the best protection for the money. And then we will wrap up. First, let me tell you a little bit about our firm, Santomassimo Davis Outside General Counsel Solutions. Our firm, we like to think, is organized a little bit differently from other law firms. We focus on providing our outside general counsel service offering, or we serve as an outsourced law department.
So what that means is that we duplicate the resources of an in-house law department that a very large organization might have. A typical Fortune 500 company is large enough to have a team of in-house lawyers that are very well acquainted with their business, very well acquainted with the business environment in which they operate, and how to be strategic about legal problems. The mid-size company, middle-market companies, are not large enough to hire a team of in-house lawyers, but they can outsource that function to us. And we’ll duplicate that in a number of ways. First, by providing experienced, business-minded lawyers that know what they’re doing. That would be very similar to the types of experienced people that would be general counsels for significant-sized companies. Number two, we make available lots of different team members, not just one person. So there’s a broader depth of expertise there. And then number three, if wanted, if desired by the client, we will do that on a fixed-fee basis to replicate the salaried cost or the fixed cost of in-house lawyers, rather than an hourly fee billing model. We think this makes us unique, or very close to it, in that we are willing to take the business risk associated with a fixed-fee arrangement, rather than a retainer agreement that only benefits the law firm and is just a minimum purchase of legal services. With that, I’ll speak briefly about my co-panelist, Adam Abresch, who’s with us here today. Adam is the cyber risk practice leader for Acrisure. He’s responsible for designing custom cybercrime and technology solutions for the firm’s clients. He’s also a guest lecturer at Fordham and Hofstra, and he leads the cyber liability education for over 350 Acrisure partner agencies throughout the country. Acrisure itself is, as it says here on the screen, the industry’s fastest-growing insurance broker.
And it’s a really great firm, and I think you’re going to enjoy listening to Adam give us his perspective and, in particular, his depth of expertise as a broker in this particular area of cyber insurance coverage. I’m going to now switch over and allow Adam to jump in and share his screen. Adam, go ahead, you can jump in anytime.
Speaker 2 4:35
All right, hang on just a second. I’m trying to share my screen right now. Hang on just a second. It looks like the screen sharing is not kicking over to me.
Alex Anglim 4:54
Is that right? All right. Well, we’ll go to the backup plan. It’s always good to have one, right? And we do. So I’m going to put your presentation materials up on the screen. If you want to just begin talking, I’ll get that rolling while we’re chatting.
Speaker 2 5:10
Yeah, absolutely. So first of all, thank you for having me today. Obviously, you know, cyber risk is something that’s near and dear to my heart, something that I do every single day, all day, day in and day out. So I hope to just kind of give everybody on here a little bit of a perspective as to, you know, what we see in the marketplace every day, how things have changed along with COVID, some of the numbers associated with cyber risk, what’s at risk for your company, how some of these breaches occur, the costs associated with a cyber incident, and then finally, some solutions at the end. And as always, we’ll leave time for some questions. So we can kick it over to the next slide.
And next slide.
Unknown Speaker 5:58
So obviously, as everybody here knows, you know, things have changed drastically since the COVID outbreak, right? And, you know, there have been a number of different implications for business communities. And I think, you know, it’s important to think about how this affects cyber risk. So, you know, cyber risk has been affected by COVID in a number of different ways, right? There are a number of different folks now that have been forced into the remote work environment. So now you’re talking about, you know, Wi-Fi networks that maybe aren’t as secure as the corporate networks that they once had. You can also talk about how, you know, there are a number of different applications that everybody’s using today, right? Like today, we’re on Zoom, but I know that I use WebEx and UberConference and Google Meet and Hangouts, right? And all of those different applications all come with different logins. So now we’re talking about different credentials that folks have to remember. And what that does is provide an opportunity for various bad actors to seize on all these new communications and input their take on it, right, and capture those credentials and move from network to network. It’s a scary place to be. So Ginni Rometty, the former CEO of IBM, called cybercrime the greatest threat to every company in the world, right? That’s a pretty powerful statement. Why do we say that? You know, up to 90% of folks in a recent survey say that they had been directly impacted by a cyber incident. And if you look at the numbers behind cybercrime, if you look back to 2018, we’re talking in the billions, right? 600 billion is the overall worldwide cost of cybercrime in 2018. You notice in 2019, that number jumped to over 2 trillion, with a T. 2020 numbers are still pouring in, but are estimated to be over 6 trillion dollars. And that’s the total worldwide cost of cybercrime.
So Cisco Systems recently released a report talking about the fact that they had tracked and monitored over 73 trillion threats over the course of a year, which translates to about 2 billion per day, and that’s just Cisco. The FBI recently came out and said they’ve tracked a 400% increase in cybercrime since the outbreak of COVID. 61% of all cyber-attacks are targeted towards small and mid-sized companies. A ransomware attack happens somewhere in the world every 14 seconds, and these hacking toolkits can be bought online on the dark web for as little as $1. Despite all that, only 30% of all companies currently carry standalone cyber coverage. And if you move to the small and mid-sized space, that number actually goes down slightly. So a couple of questions to keep in the back of your mind as we go through this presentation are: do you have a cyber incident response plan? And will you survive a cyber attack? So I think this frames everything. You know, this is a quote by Don J. Cox, who is the CIO of DLA Piper, a very large international law firm, right? And he talks about how they planned for the loss of certain aspects of their business, but they hadn’t planned for the complete loss of everything. So what happens when everything goes sideways? So let’s start off with what’s at risk for a company, right? It breaks down into three main categories. You have data, disruption, and dollars. Now, I will tell you, data, right, we’ve heard a lot about data breaches for a long time in the past few years. You hear a lot about data breaches, right? So it’s easy a lot of times for folks to say, you know what, I don’t traffic in a lot of data. I’m not a retailer. I’m not a healthcare organization. You know, I’m not a bank. I’m not, yeah, and it seems the list goes on and on. What we’ve seen is, you know, data is still a risk, certainly corporate data; folks have all that information.
You know, whether it’s financial information, or if there’s, you know, different information that’s passing back and forth between you and clients. But also every firm has employees, right? And we’ve seen more and more cases where, yeah, maybe you don’t traffic in a lot of data as part of your everyday business, right, as a manufacturer or a wholesaler, for example, but you still have a lot of employee data, former employee data, prospective employee data, that you’re responsible for protecting: W-2 information, financial information, direct deposit information, the list goes on and on. And so you’re responsible for protecting data on the premises, while it’s in transit (emails, faxes, texts), and then finally, when it resides with a third party, right? A lot of people think that they absolve themselves of liability when they outsource something to a third party. But keep in mind data privacy laws apply to the owner and the collector of that data. And so you can’t transfer that liability, even via contract, right? So if there’s a data breach of that data that you’ve collected and then entrusted to a third party, ultimately, you’re still responsible for responding to that.
Speaker 2 11:01
So there’s been a big shift recently, right, between data breaches, which is the classic cyber breach that we’ve heard a lot about, to disruption, right, which is a disruption in the supply chain. And that’s been brought about by the extreme explosion of ransomware, which we’re going to talk about in a little bit more detail. But ransomware is not solely focused on data; it’s more focused on disrupting a company’s everyday life. And then finally, dollars, right? I think this is something that everybody understands. There’s an explosion of cybercrime, where people are stealing money, people are tricking people into sending money, people are compromising credentials and then using that to impersonate people and make transfers within bank accounts. So that’s what’s at risk. From a high level, let’s take a look at how some of these breaches occur. You can break that down into three main categories: you have your outside attackers, your insider threats, and your third-party incidents. Let’s start with outside attackers, typically characterized by our friend here in a hoodie. All right, so I mentioned before, and part of the significance behind this map that I like to point out to people is that Johns Hopkins put out this map to help folks, you know, kind of get an awareness of COVID, especially early on, when everything was still happening, still fresh. They came out with this map as a resource. The day after this map was launched, you could go online and buy an injection kit for $250 that would allow you to basically inject malware, or malicious software, into the Johns Hopkins map, so that when somebody clicked on something, it would download keylogger software, software that logs the keystrokes that somebody inputs into their computer, so that folks could capture login credentials and could penetrate people’s networks, right? So here’s Johns Hopkins trying to do something good.
There are just as many bad guys, if not more, on the other side, trying to use that for their own purposes. So there’s also been an explosion of fake COVID websites; folks are looking for information. So what do the bad guys do? They set up a whole bunch of traps for people to click on, right? Now, you heard me mention malware, malicious software. That’s what malware is, right? So it’s computer code that is designed to corrupt legitimate computer code. And now, for I think the third year in a row, there has been more malicious software, or malware, created in terms of lines of code than legitimate code. What does that tell us? It tells us that there are a whole bunch of people out there dedicated to designing this malware, and it’s not going away. And one of the most famous types of malware is ransomware. So ransomware is a type of malware that gets into a system and locks down either data or access to the systems. All right, so a famous case of this happening is a company called Colorado Timberline. Colorado Timberline was one of the fastest-growing companies, small businesses, in the US. And they were a printing shop, right? So they’re a printing shop out in Colorado, a small business, growing, and they won the contract for Shutterfly, right? So all those calendars, mugs, holiday stuff you guys got. Imagine being a small business that’s a printer and winning that contract? Pretty cool, right? So they’re growing and they’re hiring more people, and they’re bringing more people on board and they’re getting investors. And one day, they’re hit with a ransomware attack. They thought they had recovered. Turns out they had lost their recovery, got hit with another ransomware attack. And now Colorado Timberline doesn’t exist anymore. So one of the fastest-growing small businesses in the country, growing by leaps and bounds, taking on investor money, and now it doesn’t exist anymore because they didn’t handle a ransomware claim correctly.
Another type of ransomware that you’ll hear about is Maze ransomware. Maze is a new variant of ransomware. It’s a little bit different because the bad actors infiltrate the systems, get in, and start to exfiltrate data. Then they unleash the ransomware, which is kind of that big, red flashing light on your computer screen. But they only release that ransomware after they’ve exfiltrated the data. And then the threat that they make to all the folks that are affected by it is, if you do not pay us this ransom, we will publish all of the information that we’ve taken from your computer systems.
What you see on your screen right here is a type of ransomware called the WannaCry ransomware. Now, I don’t know how many people have seen the ransomware screen, but what you’re looking at is the actual screenshot of what WannaCry ransomware looks like. So if you look closely, what you can see there is the first question: what happened to my computer? All of your files are encrypted. Can I recover my files? Sure, we can get all of that access back to you. All you have to do is pay us. How do I pay you? Pay us with Bitcoin. What’s a Bitcoin? Don’t worry, here’s the link. If you’re listening to what I’m saying, what it’s probably starting to sound like is a help desk. And that’s exactly what it is. So ransomware is a business. These folks are operating as business people. That’s what they do. They come in every day, they punch a clock, and they unleash ransomware all over the world. So they’re trying to get your money in the form of Bitcoin into their wallet. That’s it. It’s transactional for them. It’s not personal. Another type of outside attack is a DDoS attack, a distributed denial of service attack. So this is a firm, Cravath, a large law firm, that was hit with a DDoS attack. And basically, it’s a brute force attack. And so it’s designed to overwhelm the networks of a company, right? So you’re talking about billions or trillions of requests per second, all hitting your network simultaneously. So regardless of who you are, how big you are, that number of requests can shut you down. So it doesn’t matter if you’re a manufacturer or a law firm, or a financial services company or a wholesaler, right? You get hit with this, you’re entirely knocked offline. Business email compromise, right? I didn’t even put the example of a company. Think about your firm, think about your company, right? What would happen if somebody was able to take over access to your emails? Right. Now, we’re not even talking about spoofing.
What if somebody got the logins and now they’re operating as you within your emails? What could they do? What kind of information could they get from your clients, from the businesses you work with, from your bank? So insider threats, right? We talked about outside attackers. Insider threats, what are we talking about? Malicious or disgruntled employees, right? I’m sure there are none of those on this phone call today. But they do exist. And there’s not really much you could do to stop a malicious insider, right? And I like to tell this story, because it can happen at any organization. There’s a company called EnerVest, right? And EnerVest is a financial firm that helps execute trades on behalf of some of the big Wall Street banks. Now, that may not be what you do, but this story could happen to anyone. Basically, EnerVest decided they were going to fire their IT guy. Their IT guy found out about that before they terminated him and terminated his access. So he reset all of their servers to factory settings. And it took them three months before they were fully operational again. Now, another thing we have to think about is not just malicious insiders, but think about insider threats from another perspective, right? You invest in firewalls, you invest in encryption, you invest in anti-virus software. And despite all that, we still have our buddy Dave here in the corner, represented by human error. We make mistakes. And it’s easy to make mistakes when there’s an entire army of people out there that are solely focused on tricking people. So phishing and social engineering, I’m sure you’ve heard these terms, right? Here’s an example. And this is a particularly good one. I mentioned all those logins before, right? Everybody’s got logins. You have Microsoft, you have logins. So this is a really good phishing scam that went out there. Looks pretty legit, right? Got the Microsoft logo and everything. Hey, we just need you to confirm your email password and click here.
And so somebody says, oh, okay, types in the password, they already have the username, and they go about the rest of their day and don’t even know that they’ve been compromised. And now a bad actor has a username and a password. So they can start to use that to jump from your Microsoft account, to your email accounts, to your banking accounts, to your third-party vendor accounts; the list goes on and on. Here’s another example of how folks utilize these phishing schemes. You’ll notice here this one’s focused specifically on COVID, right? People are trying to get information about COVID. And, you know, if they get an email that’s supposedly from the Ministry of Health, right, this is overseas, they’re gonna say, oh, well, you know what, latest update, I see this attachment right here, Coronavirus latest update, I want to learn about that. So now all of a sudden, you click on that, and that attachment is blank. But what you don’t know is in the background, it just downloaded a whole bunch of malware onto the computer. So that’s how these things happen.
And just as, you know, an example, right? How does this turn into money? You get somebody to go to a fake page, somebody enters their credentials. Now all of a sudden, that bad actor takes those credentials, goes in, uses them at a bank to essentially alter instructions or pay to a different account, and the attacker receives the funds. And that’s it. The last part of how breaches occur: third-party incidents, right? What you’re looking at here is not the bottom of a table, it is the idea of a hub and spoke. So if you think of your company as the hub, and all of the other businesses or vendors that you do business with as the spokes, that’s what you need to think about, right? So if my hub, my company, is being well protected, and we’re buying cyber insurance, right, that’s great. What about all the people that plug into your networks? What about your cloud providers? What about your billing services? Credit card processors? Think about all the third parties that your company uses to do business every single day. What kind of protections are they putting in place? What do your contracts look like in terms of indemnification? So now we’ve talked about what’s at risk and how breaches occur. Let’s get into the costs behind these. What do the dollars and cents equal to you, right? These are real-life examples. This is a data breach that occurred to my client. This is actually my personal client. This happened to a small firm, say a professional services firm. One day my client got a call from the FBI. My client promptly hung up because he didn’t believe it was the FBI. It took the FBI agent two or three more calls before he convinced them that he was actually an FBI Special Agent. Also on the phone was the Department of Homeland Security. And the reason that they were calling him is that there was a massive breach that they had tracked back to my client’s firm.
And they said, look, you know, we want to know if you’re aware of this, yes or no, and also what you plan to do about it. That’s a scary call to get from the FBI and the Department of Homeland Security, right? And so at the time, my client had a $250,000 add-on policy to one of their other coverages, their, you know, package or BOP policy. And we had discussed getting higher limits, but they said, you know, I’m a small firm, I don’t think I really have to worry about this. Long story short, the carrier paid out the $250,000. The 783 that you see at the bottom of the screen was the total tab. Ransomware: I just had another ransomware incident the other day. I can use all different kinds of examples. But what I will point out to you here is the actual payment in this case of the ransomware was just over $700,000. But there was another $700,000 involved in the legal and the forensic expenses, along with the data restoration and business interruption costs associated with that ransomware attack. Finally, business email compromise. This was somebody tricking someone into sending payments somewhere; they ended up wiring over $400,000 to the wrong account as a result of that.
So do you have a cyber incident response plan? Will you survive a cyber attack? Depends, right? That’s a lot of scary news. A lot of bad news.
The good news is,
there are solutions. And the best solution that we’ve come up with is the combination of cybersecurity and cyber insurance to make your organization resilient to cyber risk. So cybersecurity and cyber insurance, neither of them is a silver bullet, but the combination of the two will make your organization resilient to cyber risk. So, you know, in terms of cybersecurity, there’s a ton of information out there, and there are a ton of different ways to go. And I just want to bring this up because, from a high level, the 20 Consensus Audit Guideline controls, if you take a look at this, breaking it down very quickly, what it’s saying is you should know what you have in hardware, what you have in software, how it’s configured, right, how it’s defended, who has access to it, how are you testing the security, what are you doing after you test it, what are you doing to test your incident response capability, and then what are you doing to train your employees surrounding everything that you have in terms of hardware and software? That’s what that says in a nutshell. So folks ask me, what can I do? Okay, but what can I do? So, high level, will this stop everything? No, right? But it’ll help. Firewalls and antivirus software. A lot of people say, I don’t need insurance, I’ve got a firewall. Well, I compare that to, you know, if you have a whole bunch of gold bars sitting in your house and you put up a chain-link fence. Yeah. Will that stop a robber? Yeah, maybe one who can’t hop a fence. But, you know, what if they dig under it? What if they just hop it? Right? So it helps make it more difficult, but it’s not going to prevent it. Strong passwords and password management. I know people are rolling their eyes. Talk to a lot of folks at the carriers; they say if we just had stronger password management amongst these clients, we would have been able to prevent these events from occurring. Train your employees.
You heard a lot of my examples; the employees are the last line of defense against some of these attackers. Multi-factor authentication, patching, all these things, backups, and testing and updating all of your controls. So that brings us to cyber insurance, right? The easiest way to think about cyber insurance is that there are first-party coverages and there are third-party coverages. I’m going to turn this over to Alex in just a second. But from a high level, to understand what these coverages are, let’s dive into it super quick. High level, first-party coverage: the key coverage on here is the cyber incident response coverage.
Right? So, that’s going to cover you for the data breach coach, right, who’s a legal expert on handling data breaches. They’re gonna bring in the forensic investigators to figure out what’s happening. Is it still happening? What do we do now? They’re going to ask them to determine, do we have to notify anybody? Do we have to set up a call center? Do we have to provide credit monitoring? From a PR perspective, how are we communicating this incident, not only externally, but within our company? Right? What are we telling our employees about it? Then you also have business interruption, right? So BI, business interruption, is typically covered under other policies. However, any business interruption that’s due to a cyber event is typically excluded on your property coverages. So cyber insurance picks up BI related to a cyber event. Ransomware coverage: we talked about all the expenses that come along with that. Ransomware coverage is included in cyber insurance, one of the key coverages. Digital data recovery, you know, the cost to restore, replace, or recreate data, is also covered. Cybercrime, the theft of funds or securities that we were just talking about. That is technically a crime coverage if it involves theft of funds or securities. However, you will typically find sub-limited cybercrime coverages on a standalone cyber policy. And third-party coverage. What about the lawsuits that arise out of a cyber incident? Right, so if somebody sues you for failing to prevent the unauthorized access to information. Another case that I’ve just seen: my client got hit with lawsuits from a couple of different companies, alleging that my client had hacked those companies. What it turns out was a hacker had gotten into my client’s systems and used my client’s systems as a home base to attack these other companies. And that’s why these companies thought my client was hacking them. Now, after we did an investigation to determine that, no, we weren’t hacking them, this is a bad actor in our system.
Those companies then changed the language in their lawsuits to come back and say, you know what, we’re now suing you, not for hacking us, but we’re suing you for failing to prevent the transmission of malicious computer attacks or computer code onto our systems. So because you weren’t protecting yourself enough, we suffered damages. Regulatory proceedings, right? All kinds of different guidelines relating to data, HIPAA, CCPA, GDPR, fines and penalties associated with that; there’s coverage for that. Payment card industry, right? So if you’re utilizing credit cards as a form of payment, there are all kinds of regulations that come along with and are associated with that. And I know Alex is going to touch on that as well. And then finally, electronic, social, and printed media liability. So in a nutshell, those are your insurance coverages from the first-party and the third-party side. All right, and the bottom line here is to have a plan, right? Benjamin Franklin probably didn’t think this quote was going to be utilized in a cyber presentation today, in the midst of the pandemic, but I think it still holds true. So you can’t control who attacks you and what happens to your company, but you can control how you plan for it and how you respond to it. And so with that, I’ll turn it back over to Alex.
Alex Anglim 29:44
Thanks, Adam. And while we’re switching over here and getting into sharing my presentation, I want to say a couple of quick things. First, thanks for pointing out that IT security and insurance products work together, right, to manage this risk; it’s really two halves of the same coin. And then while I’m putting my presentation up, I wondered if you might want to comment briefly on the insurance policy as a financial product, right, which is to get money to compensate you if something goes wrong, versus cyber insurance, where you’re actually getting a lot of service and expertise as part of this. I thought you might want to chat about that briefly. Sure.
Speaker 2 30:30
Yeah, absolutely. And it’s what separates cyber insurance from other lines of insurance in a large way, right? Like, it’s easy to look at a building and say, okay, if that building burns down, right, it’s gonna cost me this many dollars to, you know, build a new one that’s similar, right? But with a cyber incident, what’s coming along with that is the guarantee that when this happens to you, and you pick up the phone, there’s going to be a dedicated team of experts that are going to jump all over this, right? And it’s different, as you kind of alluded to; it’s different than a third-party claim or, you know, a slip-and-fall claim, right? You get a slip-and-fall claim, and yeah, you need to respond to it in a timely manner. But, you know, nothing terrible is gonna happen if it takes two days to respond to that, right? If you wait two days to respond to a cyber incident, there’s a chance that your company may not be able to recover, right? So it’s crucial that you have those experts on standby. The cyber insurance is funding all their services, but it’s also guaranteeing that when you make that call, those folks are able to come in immediately and help you respond to it. So, great point, though.
Alex Anglim 31:43
I think it’s really important to understand that and just to think about how very much at sea you would be if you didn’t have access to that, particularly for midsize and smaller companies. So with that, let me take over now and give you a little bit more of the legal perspective, what I come out of, you know, from the standpoint of a lawyer, I’ll make a couple quick notes. Some of the things that Adam covered, we talked about first-party coverage and third-party coverage, a little bit of insurance lingo really just means you know, first party coverage, you can think about your property insurance policy that’s going to pay the cost of fixing your own stuff. Third-Party coverage really covers claims that are going to be made against you or against your organization. So this period, we point that out at the beginning.
Really, the multiple forms of coverage here, I’m not going to go into detail, because Adam already thoroughly covered what these different policies are available to cover. But I do want to point out that this is actually two slides, this list of different forms of coverage that are available within cyber policies. There are a lot of different items here. And I think when you’re thinking about your organization, whether or not you need to purchase this coverage, you should probably look through this entire list and realize it might be more than you realize; you may not have thought of all these different risks that you’re facing. And you may not have thought of all the different coverages that you’re facing. So for example, I think there’s a fair amount of companies out there that are thinking, well, we’re not really a technology or communications-oriented company. We’re not heavily web-based, we’re not dealing with a lot of, you know, consumer contact, the payment cards, therefore we really don’t have what we perceive to be a large exposure. Well, if you went through this list, you’d find that you probably do, right? Maybe you don’t have payment card liability, but data recovery, maybe your systems could be compromised, and you’d have a hard time coming back. And those could be systems that are, you know, controlling your production line, for example, business income; you might also have ransomware exposure. So again, if you’re thinking you don’t need it, this list here can help you do a little bit of a reality check as to what the coverage is there for. So with that, let’s talk a little bit about, assuming that you’re making the decision to go into the market or you already have gone into the market for cyber coverage, there are a few initial issues or things that you want to keep in your mind as you think about this coverage. The first and the foremost, and I’m going to come back to this a couple of times, is that cyber policies are still relatively new.
That seems relatively obvious. But let’s point that out. That means that the forms, right, contracts, the language are continuing to evolve as technology develops. And as events develop, like claims incidents, the things that happen are going to have an impact on what insurance companies will write into their forms. And the forms that are out there now are different than forms that were available, you know, maybe five years ago, and are still changing pretty quickly. As a rule, for much the same reason, these policies are much less standardized than your long-standing forms of insurance like property, general liability, auto, etc. Those policies have been around for a very long time, much more standardized, much more commoditized than cyber. Cyber policies will incorporate language, portions of policies that have worked well in other types of insurance, but might become unclear, and, as we’re going to see, have become unclear in the context of cyber insurance. So they have tried-and-true portions of policy language, and once you put that into a new context, it can create some problems. And for that reason, there are some key terms. Obviously, policyholders should read the entire policy, no doubt, but there are some key terms that really require some close focus for the policyholder. One of those is, rather I think, amazingly enough to people and surprisingly enough, the war exclusion. This exclusion is something that is just as old as the hills in terms of insurance. I have described here the old way: the old way, your insurance policy, your property insurance policy, etc. would have war exclusions very broadly written, the policyholder would totally ignore it, and it would rarely be invoked by the insurers, insurance companies, because let’s face it, there are very, very few claims that have arisen out of war.
It is just not something that you think about most likely when you buy insurance. To some extent that’s changed because of terrorism, but still largely true. The new way is that there are several major cyber incidents, very, very expensive, very costly and severe cyber incidents, that were caused by nation-states or state-sponsored actors. And as a result, insurance companies have denied major cyber insurance claims based on war exclusions. So there are some examples of those that are worth pointing out. One of them is NotPetya, which was in the list that Adam pointed out earlier, in some of the major attacks. This was a ransomware attack. The United States and the UK governments both determined that the Russian military launched the NotPetya attack. Their intent was to cripple Ukraine. But United States and United Kingdom companies and other companies throughout the globe became victims, inadvertently, of this attack, and it affected large companies: Maersk, the shipping company, Merck, FedEx, DLA Piper, which is a major, major law firm, Mondelez, the food products company, many, many others. Damages worldwide were over $10 billion; it may have been the worst attack ever up to that point in time. Well, Merck and Mondelez, both very large companies, sophisticated companies, had purchased cyber insurance, and were very disappointed to find out that their insurance companies were not willing to pay the loss. And the reason was the war exclusion. Other. Yeah,
Speaker 2 38:19
So just to pipe in on that, on the Mondelez case specifically, the war exclusion that actually went to court for Mondelez was on a package policy and was specifically related to their geo on their property. And that was the one that they ended up going to court over in Mondelez’s case. So if you look into that case, that case law, and I agree with you, but the Sutton war exclusion is something that’s coming to a much sharper focus over the last few years. I know you’re about to dive into it here. But on that Mondelez case, the one that everybody saw, you know, kind of highly publicized, that went to court with Zurich, that was focused on not their cyber policy, but some of their package policies.
Alex Anglim 39:08
Right, some of the silent cyber that we’re going to hit towards the end here. Yep. The two other examples: WannaCry and SolarWinds. Again, these are major attacks reported in the news. The WannaCry attack was sourced back to North Korea, reportedly on the orders of Kim Jong-Un himself. Some of the victims were hospitals, manufacturers, and universities. So again, a lot of different companies, different types of entities out there that would not perceive their risk to include war-like action by a nation-state like North Korea. SolarWinds, very similar.
This was a sophisticated hack into some very secure systems that stored in through the SolarWinds network monitoring software. It was traced back to Russians, as is being reported in the news just this year, more information coming down, including that it was now being blamed on official state actors in Russia, not just people located in Russia. One of the interesting things about it, I have a quote here from the New York Times, is that a lot of the victims were not aware that they were relying on software maintained in Eastern Europe, and many did not even know that they were using SolarWinds software until after the attack took place. So what’s that mean for you, as the policyholder? Well, what you need to be aware of is that the wording of the war exclusion varies greatly. And in part in response to incidents like NotPetya and WannaCry, you can get, you will see sometimes the broadest type of exclusion, which I’ve excerpted here. This is by no means the only form, but this is an example of a fairly straightforward war exclusion that makes no reference whatsoever to cyber risks. If you see this in a policy or in a proposed policy, you want to resist it, sort of full stop, right? You do not want this in your policy; there are better forms available that are specifically oriented towards cyber insurance. And an example I have on the screen is from a Travelers form that you can find in the public domain, that you can review and read. Their war exclusion has two parts, the first of which is similar to the broad wording that I had on the screen a moment ago. And the second part says, very specifically, that the exclusion does not apply to an attack against a computer system with the intent to cause harm, etc., except when in support of one-A through one-C. So it requires that the cyber attack, in order to be excluded, it’s only going to be excluded when it’s coupled with other war or warlike action.
And that more closely matches, I think, the original intent of the war exclusion. So is this the only way to write this language? It’s not, and there are other insurers that are writing it differently. But you want to make sure that you get something like that, to make sure that the policy protects you against the kinds of risks that have loomed so largely already. The next key term that you really want to think about is the security standards exclusion, which might go by a few different names and have a bunch of different wording. But the purpose and the scope is similar from policy to policy where it appears. The idea or the upshot of this exclusion is that the insurer will not agree to be responsible for certain types of errors and failures by the policyholder. One example of language is in Philadelphia Indemnity’s form, which is that the following is excluded: failure to ensure that the computer system is reasonably protected by security practices and systems maintenance procedures that are equal to or superior to those disclosed in the proposal. And by the proposal, they mean the application materials in connection with your purchase of the insurance. Now in Philadelphia Indemnity’s form it also says that covered causes of loss are negligent act, mistake, error or omission. So I think policyholders would tend to focus on the fact that the policy covers the negligent act, mistake, error or omission, but not realize that deeper down there is this exclusion that’s specific to maintaining the types of practices and procedures you told the insurance company that you had. Another example below is that a loss will be excluded if there is a failure to continuously implement the procedures and risk controls identified in the insurance application. Again, the upshot here is similar: if you don’t continuously do or upgrade from what’s disclosed in the application, the insurance company is not going to cover that.
So why is that such a concern? Maybe at first blush, that might seem fair from the insurance company’s perspective, right? If this is what you tell us we’re covering, we don’t want to cover a greater risk. There are several reasons it actually is a problem, in my view. The first is that nothing about this area is static, right? There are continuing changes due to the COVID-19 pandemic. For example, increased reliance on remote work, mobile device usage, use of new applications and new software packages that were not in use before, as Adam pointed out, use of different Wi-Fi networks, home Wi-Fi, for example. So this is an example of something that changed during the term of a lot of policies. What if one of those changes is inferior or lesser, not as secure, compared to what was disclosed before the pandemic? So that creates a problem. There could be an equivalent change this year; we don’t know what it would be. Another thing is that there’s really tension here between the policyholder’s purpose in buying insurance, which is that they really do expect to buy coverage for their mistakes, right. It’s a major component of why companies, why people, buy insurance. And this exclusion really is at odds with that.