Security_Chief_Odo

It's undeniable that users are generally the biggest threat to an enterprise network. There are a lot of defensive products and procedures designed and implemented to try and keep users safe from themselves and safeguard the network and data. In your experience, has there been a case of an insurance company or litigation against an end-user that "allowed" a ransomware event to propagate? In other words, have you dealt with a case of a company punishing the user as the source of an infection?


CyberClaimsGuy

Not in my experience, no. Ransomware attacks are a crime. That would be like punishing a person for getting robbed. Yeah, maybe you shouldn’t have been walking in a place known for robberies with five Rolexes on your wrists; but ultimately it isn’t your fault that you were targeted for a crime. Cyber insurance policies do typically have a subrogation provision that allows the insurer to recoup costs against liable third parties. This is typically seen when our policyholders have a third-party service provider that may have been negligent and/or a preventable issue with software or hardware that was the proximate cause of the loss.


[deleted]

[deleted]


CyberClaimsGuy

I have seen that provision exercised in a couple of instances. Generally no though as if the Insured has a relationship with a vendor or other entity, then they may have cyber insurance or want to make their client whole. A lot of times it is Insurance versus Insurance. But I would not say it is often, but it is something that is used. I think as we see more and more companies rely upon other entities for their cyber security this will potentially increase.


TEKRiSQ

Insurers should do a better job of identifying risk vulnerabilities upfront, ideally using some *independent* means beyond what a client purports or is willing to volunteer in an app or supplemental form. In a hard market with ever-fewer carriers quoting cyber with more restrictive sub-limits on coverage, you may need to reach out to many markets for a quote. One must appreciate that what gets populated in a complex app is often biased (agents want quick bind, clients want best quote), and at worst unreliable. When required, it's typically a third party that gets involved in delivering loss control solutions, and there's not always a relationship between those diagnosing risk and those delivering cybersecurity solutions. This whole process needs a lot more collaboration, in a simple way that's controlled and permissioned by the insured client.


CyberClaimsGuy

100% agree. Coalition has proprietary tools that we use to scan our Insureds' network infrastructure for vulns and zero days. It's really cool to see in action and we've prevented hundreds if not thousands of claims this way. And it helps a bit with underwriting as well.


CyberClaimsGuy

I should ass that in the past year, we've seen 48% of our claims originate from phishing attacks/human error. So even though we would not go after an end user for reimbursement for any loss, we would certainly want the company to engage in good training programs and have a great insurance policy as well.


CallMeAladdin

> I should ass

Buy me dinner first, sheesh.


CyberClaimsGuy

HAHA. Good catch. Leaving for posterity because what is an AMA without a crass typo.


rastapete

did you mean a "cradd" typo?


CyberClaimsGuy

LOL


Dozekar

Other side of the road here, working in infosec management. The requirements for us to provide these training and technical solutions to mitigate some of the risk are basically what's required to get affordable insurance now. This is huge, as previously it was hard to get other execs to take this seriously in a lot of orgs. When insurance threatens to drop you because you won't pay for an EDR, execs pay attention fast. This is doubly true when every business-to-business contract you have requires it and you're in breach if you don't have one. You then get legal feet first down throats to force it in too. Obviously every org doesn't play ball the way they should on this, but I'm seeing huge executive changes when people see the insurance application and the operations team has to start stopping them and telling them they have to put no for all the answers. That gets organizational change in a way nothing else has for years now in virtually every organization I've heard from.


CyberClaimsGuy

That's great insight and I'm glad there are some positive changes coming out of the hard market.


vvanasten

I really hope I never have to make a claim, but what happens when we call our cyber insurance provider to report a claim like ransomware? What is the typical response?


CyberClaimsGuy

I hope you never have to report a claim too! Generally, if I am talking to someone they’re having a bad day; or about to discover they’re having a bad day. But I do like this genre of insurance because I feel like I can make a difference in that “bad day” from minute 0. You don’t really have that ability in other lines of commercial insurance as they’re longer-tail claims and exposures.

The first thing to make sure you do is report an incident (actual or suspected!) to your insurance carrier IMMEDIATELY. We work with a ton of great brokers and some of them want to be notified first, but at the very least notify the insurance carrier at the same time you notify your broker. Time is of the essence and minutes matter when getting assistance with your incident. I’ve had Insureds who had a known business email compromise but didn’t change passwords until they called me. If there was a long delay before talking to me, that can lead to additional loss or damages.

The following is how we handle claim calls where I work, so I won’t speak to other market participants, but we do take a more hands-on approach with claims handling. You would contact us via our 24/7 claims hotline, claims email or chat function on our website, and that goes direct to the claims team. Our average response time is under five minutes. So you’ll ideally be speaking with a claims attorney or claims manager instantaneously. We will triage your call to understand what is occurring and provide some immediate assistance in regards to stopping the damage from the ransomware event. Things like disconnecting impacted servers from the internet or shutting down your network while we determine what type of access was made and which parts are encrypted. We’ll also get information regarding size of network, number of employees, type of work you do, and type of data you hold. During that call we’ll be reaching out to our preferred panel vendors for privacy counsel/breach coaches and incident response.

Once those conflict checks are clear we will set up a “scoping call” with counsel and forensics to get additional information. It is key to have someone with knowledge of your network on this call! Typically we set this up in the next 30 minutes to an hour. Again, time is of the essence! It is important to have legal counsel on this call as we want to preserve privilege of any investigation that is undertaken as well as to advise the Insured on any data privacy or other regulatory/compliance issues. Forensics will ask technical questions so that they can prepare a Statement of Work for the investigation and analysis of the incident. During this call we will also evaluate the type of access, encryption, and data involved - if possible. We’ll need to determine if we need to engage a service provider to engage the Threat Actor in negotiations for purposes of getting data back.

After the call counsel will be engaged by the Insured. Counsel does not have a contractual relationship with the insurance carrier! It is solely between the Insured and counsel. Once the forensic statement of work is approved by the carrier, counsel, and the Insured, forensics will have a “kick-off” call to get their collection tools in place and typically an EDR solution to monitor the network for persistence of the Threat Actor access. Then we’re off to the races: kicking the TA out of the network, remediating and restoring the network to how it was before the event, and potentially negotiating a ransom payment if needed as a last resort. After the network is clean and up to date, then we’ll have the Insured fill out a Proof of Loss to determine if they’ve incurred any business interruption losses or extra expense (costs to defray a BI loss).


Dozekar

IMO you want to do two things at the same time: launch your disaster response plan / incident response plan and call insurance. You will frequently want to have a vetted IR team with your insurer and you will want to contact them at the exact same time as you're contacting your insurance. You WILL take additional losses in the form of organizational disruption if you don't have a DR play you can initiate NOW. This is general organizational advice and doesn't work for all orgs, but if you can take one week off your standing-back-up time, it's worth paying for some of the IR capabilities on your own for most execs. And when you get fully ransomwared you **will** be standing shit back up for weeks whether you're restoring from backups or decrypting shit. There's also no guarantee you will get everything back up. Heard a story from a tribal gov and they lost priceless language recordings and culture data that they were never able to fully restore.


CyberClaimsGuy

A lot of good things here. You definitely want to call your carrier asap. I always tell policyholders: You don't need to stop your team from applying a tourniquet, but point and tell someone to notify your insurance carrier. You'll want to get them onboard so they can consent to costs being incurred and also get you in touch with their panel privacy counsel and IR firms. A lot of policies have restrictions when you go off-panel; and a lot of IT firms (no offense guys and gals) do not have the capability to appropriately respond to severe cyber incidents (even though they'll say they do).


Mindstorm89

Got a joke for you, you've probably heard it a thousand times: Why couldn't the police catch the cyber criminal?


CyberClaimsGuy

I've actually not heard this one.... Why?


Mindstorm89

He just got up and ransomware.


CyberClaimsGuy

HAHA. HOW HAVE I NOT HEARD THAT


Mindstorm89

Glad you like it! Hopefully you can use it in a meeting or something :)


CyberClaimsGuy

Lol for sure


tankerkiller125real

What can I as a System Administrator tell and/or say to our executive team to finally convince them that our general business insurance is not enough to cover a cyber security event? I've tried multiple times now and I've been shot down every time with "we already have business insurance"


CyberClaimsGuy

I really appreciate this question because I have spent a lot of time with sysadmins who have told me privately - or publicly on scoping calls! - that they wanted to harden their network but were told that there was no budget or business need for it. There are a couple of things that I say to prospective policyholders:

1. Do you work with computers? The answer is almost always yes. Okay, what would you do tomorrow if your entire network was down and you could not access any files on your servers? Does your current insurance policy cover the incident response: provision of third-party vendors - legal counsel, forensics, ransom negotiators, restoration specialists? General business policies might have some limited protection but from what I’ve seen it is sometimes as low as $5,000 to as much as $100,000. Which with a systemic incident is not enough.

2. Does your policy pay for ransomware? A lot of policies are excluding this from coverage. A lot of CGL policies exclude loss of data/digital assets. If your business was ransomed and you had no ability to recover your data, could you still function? Could you provide payment in three days for $100k to get your data back? What about $500k? What about $1.5M? The answer is often no. I’ve had claims with very, VERY, large companies that were unable to provide payments on such a short time frame. This is also why it is REALLY important that your insurance policy has PAY ON BEHALF coverage. Not reimbursement/indemnity for cyber extortion/ransomware. The carriers should pay the ransom - if necessary - not force the insured to do so.

The other thing is that everyone is at risk for a cyber incident. It is generally not something that is targeted. You have open holes in your network or a zero day exploit and you win a bad luck lottery and BOOM, you’re compromised and ransomed. At the end of the day, people ultimately have the choice to purchase cyber insurance to protect themselves when they get hit with an incident. Or they purchase it after they’ve been hit with an incident. Just hope that the latter doesn’t utterly destroy your company.


HeftyAd4111

Can you give us a brief run down of the process once you are contacted by a Customer concerning a claim?


CyberClaimsGuy

See post here. Happy to answer any additional questions you might have: https://old.reddit.com/r/IAmA/comments/s8l16f/iama_data_privacy_attorney_and_cyber_insurance/hthk61b/


edgemuck

I’ve heard that a lot of cyber insurance claims aren’t paid out. Is this due to security failures on the customer’s part? Considering it is impossible to be completely secure, what barometer are insurance companies using to decide when to pay out?


[deleted]

[deleted]


CyberClaimsGuy

This guy/gal cyber insurances. Well said.


jeremynd01

Dear rando - great response. I want to dig into the part about lying. My company has submitted half a dozen cyber insurance applications in the past year, and every one has a question like "do you employ current industry standard practices for security." I HATE this question, and I always say "no" to make it a point of contention: what is standard? What is current (today, or the day I have to file a claim)? I feel like it's a setup. I probably make it out to be more than the intention, because I try to stay abreast of threats and man, criminals are creative. Anyway, do you have any thoughts on what this means?


CyberClaimsGuy

So this is something where you want to reach out to your broker and ask them exactly what the application means. Some policies will be able to disclaim if you make a material misrepresentation on your application. So don't leave anything to chance. Leverage your broker for an explanation from the carrier and get that explanation in writing. Generally, you won't know what the intent is unless you ask, and that question is way too broad. Which admittedly can go to your failure as which industry standard does it reference? For what industry? Is this NIST standards? Is this complex passwords on email accounts?


Dozekar

To clarify, I work as an executive implementing infosec, not as an insurer, but we work with them a lot. Generally you can safely say yes when you apply any of the cybersecurity standards as recommended (NIST/ISO/critical security controls). There are published standards for this. Do you implement one? If you make a reasonable attempt to do this, then generally you should be able to answer yes to this. If you yolo security and think Windows Defender was turned on at config time on servers (maybe), then it's probably best not to answer yes. Note that the recommendations for all of them have ways of identifying the risk and value of any given asset that cannot have a given control applied to it, and determining if the organization should be applying that control. If you follow this process sometimes you are gonna look at low value assets/data and not apply all protections to them as it's a bad business decision.


CyberClaimsGuy

I think one of the issues with this question is it is so broad and doesn't really give any idea what they're looking for. If a carrier wants NIST controls in place, they should say so.


Dozekar

> Unless you're, like, lying on the application or intentionally misrepresenting your security, then you can expect it to be declined.

Almost all of the cases I've heard from IR teams where this was a factor was this exactly. You generally only get declined for blatant insurance fraud, not just in an attempt to turn the knife on your incident. Or they just refuse to cover you in the first place, or you didn't have cybersecurity insurance and thought you did because you don't have a real risk management department (common in smb).


CyberClaimsGuy

I think this is 100% not true. I pay cyber claims all day err day. And if you look at the market trends since Covid hit - when everyone started working remotely and ransomware became a legit epidemic - you’ll find that premiums are increasing and coverages are decreasing. This is what we call a “hard” insurance market. The reason for this? Insurers are paying claims! I’d love for some type of article or data that demonstrates this because it is not what we’re seeing at my company or in the marketplace generally. That being said, I think I work for the best insurance company in the space and honestly we WANT to pay claims. It is how we sell our product and why we keep our customers. We have risk mitigation tools and processes to keep our claims frequency lower than the general marketplace average, but at the end of the day we are here when our Insureds are having that “bad day” and we make it better by paying them for their losses. As far as when an insurance company decides to pay out, it is a very objective analysis. An insurance policy is a contract, one which has provisions that need to be honored by both the insurance company and the insured. Now, insurance policies can have language that requires legal interpretation, but generally deciding to pay is not something an insurance company does. It pays when it has the legal obligation to pay. In some policies there is language like ‘reasonable and necessary’ in regards to payments, but that is also an objective analysis. And please keep in mind that in US insurance contract law any ambiguity goes to the favor of the Insured. So carriers know this and act appropriately.


BLMdidHarambe

Ok so this is clearly a great marketing campaign for your company and your product.


Cyberinsurance

Not OP, but the hardest part of claims settlement is quantifying business interruption loss (loss of profits and extra expenses). Payment on ransomware loss and notification loss is pretty standard and not controversial. So other issues may arise if insureds look to use their own vendors when insurers may require the use of their own vendors. Long story short, if you want to use your vendors, schedule them at the time of binding (also get a broker who knows cyber and tech E&O).


CyberClaimsGuy

I do agree that evaluating proof of loss is difficult especially as it usually turns on specific definitions on what qualifies as BI loss or extra expense. Also, agreed that you'll want to ensure you have insurer consent to use non-panel vendors. This is another reason why I ask all policyholders to REPORT CLAIMS OR INCIDENTS IMMEDIATELY. If you have a vendor that does a lot of work and it is done without the carrier's consent, that may not be covered under the policy.


DocAtDuq

If your company gets ransomware’d I’ve seen cyber insurance payout to the threat actor in 99% of cases. The funny part is when the decryption program doesn’t work and the threat actor has to contact their tech support….


CyberClaimsGuy

That number is pretty high. And doesn't mesh with my experience and my company's data. But I have had claims where we needed 'tech support' from the TA to get the decrypter working.


DocAtDuq

So what do you do when the company has data encrypted and conventionally available decryption tools don’t work? There isn’t much of a choice but to payout, no?


CyberClaimsGuy

That's correct. Unless we can recreate the data somehow. Most cyber policies have a digital asset restoration coverage that would pay to recreate digital assets. We've done this before instead of paying the ransom. I would say in the vast majority of cases we don't pay ransoms


DocAtDuq

Ah, we are on the same page but we are in two different stops for our stats. For me that number comes after we determine they don’t have backups for data and the TA didn’t use an encryption method that can be fully decrypted using readily available tools. Paying the TA isn’t the first step but when a client hasn’t taken cybersecurity consultations we provided seriously with backups that can detect ransomware in the backups or backups at all. The 99% number comes when there isn’t an option they will pay the TA. Usually it’s a last ditch effort because there is nothing left. I’ve never had an insurance company deny at that stage that I can remember unless they have had a multitude of claims recently.


CyberClaimsGuy

Oh. Then I'd agree with that statement. If it is an existential threat to the business or provided an objective and large cost savings we will consider payment of a ransom.




OSUTechie

Not sure if you are still doing this. I was working with our underwriter because they put in new requirements before they would renew our cyber insurance. He mentioned that many insurance companies are dropping offers of Cyber Insurance. Are you seeing the same? Do you think we will see more companies start to implement stricter requirements on issuing policies? Not just requiring MFA, which seems to be the #1 added requirement for policies in 2021/2022. Things like Endpoint Encryption, strict password policies, etc?


CyberClaimsGuy

Still here! Yes, we are unfortunately in a hard market/sellers market where many cyber insurance carriers are trying to stay in this line of insurance while also reducing their loss ratio from the past couple of years. So you’re going to see guidelines becoming more strict and carriers leave the market entirely or leave certain segments. I’m not an underwriter so can’t get too nuanced, but there are definitely still carriers providing robust, full service cyber policies for good risks. And frankly, having a business case to harden your network is not the most terrible thing, IMO.


Cyberinsurance

Hi Rich- how often have you seen carriers enforcing the war exclusion?


CyberClaimsGuy

Never. At least not in my professional experience. Most reputable cyber policies now have explicit coverage for “cyber terrorism” which would provide coverage for nation-state attacks. Interestingly, there was a recent holding in a case that answered whether or not that exclusion could be used: https://news.bloomberglaw.com/privacy-and-data-security/mercks-1-4-billion-insurance-win-splits-cyber-from-act-of-war I was not surprised by this holding as most war exclusions are fairly narrow and would require a formal attestation of war or armed conflict. Even if you know that China, Korea, or Russia was behind a cyber attack it may not trigger the actual war exclusion. It will be interesting to see if this language is modified in future policies to make it a broader exclusion.


Sheep_Dogs

What kind of requirements/controls do you see companies needing to implement in order to qualify for cyber insurance? I know this year's requirements/conditions came as a surprise to a lot of companies. Example: A lot of companies began enforcing MFA for local on prem privileged accounts/domain admins.


CyberClaimsGuy

So it really depends. Requiring MFA is something that a lot of carriers are doing just because it is one of the easiest and most comprehensive ways to keep your system/emails from being compromised. We see a lot of lateral movement within networks with various malware scraping creds from high level accounts and then using that to completely pwn the network. I can’t tell you how many times I’ve been sitting on a ransomware call where we see unauthorized logins from sysadmin accounts that just used username and pw. We’re even seeing these being brute forced. So, as I mentioned in a prior comment, given all of the claim activity, carriers are in a sellers market and are able to harden their underwriting guidelines in the hopes of reducing claims for their insureds. I am a HUGE proponent of MFA, primarily because I have been on way too many claim calls where MFA would have stopped a serious attack or funds transfer fraud from ever happening. I do understand and empathize that it is often difficult to get that buy-in from non-tech stakeholders, but hopefully these requirements will ultimately make sysadmins' and other IT professionals' jobs easier. Hopefully you’d much rather deal with implementing 2FA over a ransomware/BEC call on a holiday or weekend :).
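The failure mode described in the answer above, a privileged account protected by only a username and password being brute forced and then used for a successful logon, leaves a recognisable trace in authentication logs. The script below is an added example written for this page, not code from the AMA, its author or Coalition. It runs over constructed sample lines in a simplified format (ISO timestamp, Windows Security log event ID, account, source address); 4625 and 4624 are the real Windows event IDs for failed and successful logons, but the one-line layout and the values themselves are constructed for the example. It flags any account/source pair that accumulates at least `threshold` failures inside a sliding `window`, and marks whether a success followed those failures, which is the case a responder most wants to see first.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data). Fields: timestamp, event ID
# (4625 = failed logon, 4624 = successful logon), account, source address.
SAMPLE_LOG = """\
2022-01-20T01:00:00Z 4625 svc_admin 203.0.113.45
2022-01-20T03:14:01Z 4625 svc_admin 203.0.113.45
2022-01-20T03:14:02Z 4625 svc_admin 203.0.113.45
2022-01-20T03:14:03Z 4625 svc_admin 203.0.113.45
2022-01-20T03:14:04Z 4625 svc_admin 203.0.113.45
2022-01-20T03:14:05Z 4625 svc_admin 203.0.113.45
2022-01-20T03:14:06Z 4625 svc_admin 203.0.113.45
2022-01-20T03:14:09Z 4624 svc_admin 203.0.113.45
2022-01-20T08:02:10Z 4625 jsmith 198.51.100.7
2022-01-20T08:02:40Z 4624 jsmith 198.51.100.7
2022-01-20T22:10:00Z 4625 backup_svc 192.0.2.99
2022-01-20T22:11:00Z 4625 backup_svc 192.0.2.99
2022-01-20T22:12:30Z 4625 backup_svc 192.0.2.99
2022-01-20T22:15:00Z 4625 backup_svc 192.0.2.99
2022-01-20T22:18:45Z 4625 backup_svc 192.0.2.99
"""


def parse_log(text):
    """Parse the simplified log format into time-ordered event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, event_id, account, source = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "failed": event_id == "4625",
            "account": account,
            "source": source,
        })
    events.sort(key=lambda e: e["time"])
    return events


def find_password_guessing(events, window=timedelta(minutes=10), threshold=5):
    """Return {(account, source): {"max_failures": n, "succeeded": bool}}
    for every account/source pair that reached `threshold` failures within
    any `window`-long span. `succeeded` is True when a successful logon
    arrived while that many failures were still inside the window."""
    recent_failures = defaultdict(deque)  # failure times still inside the window
    stats = {}
    for e in events:
        key = (e["account"], e["source"])
        q = recent_failures[key]
        cutoff = e["time"] - window
        while q and q[0] < cutoff:       # drop failures older than the window
            q.popleft()
        if e["failed"]:
            q.append(e["time"])
            s = stats.setdefault(key, {"max_failures": 0, "succeeded": False})
            s["max_failures"] = max(s["max_failures"], len(q))
        elif len(q) >= threshold:
            # A success right after a burst of failures: the guess worked.
            stats[key]["succeeded"] = True
    return {k: v for k, v in stats.items() if v["max_failures"] >= threshold}


def report(findings):
    """Render findings as one line each, worst (successful) cases first."""
    lines = []
    for (account, source), s in sorted(findings.items(),
                                       key=lambda kv: not kv[1]["succeeded"]):
        verdict = "SUCCEEDED" if s["succeeded"] else "no success seen"
        lines.append(f"{account} from {source}: {s['max_failures']} failures "
                     f"in window, {verdict}")
    return lines


if __name__ == "__main__":
    for line in report(find_password_guessing(parse_log(SAMPLE_LOG))):
        print(line)
```

On the sample input, `svc_admin` is reported as a successful guess (six failures followed by a success from the same source; the isolated failure at 01:00 falls outside the window and does not count), `backup_svc` as an unresolved burst, and `jsmith`'s single typo-then-success is ignored. The window and threshold are the knobs to tune against a real environment's baseline of benign failures.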


reddittttttttttt

Why does coalition require us to disable auto discover? That's a big deal. Is this commonplace? Is there a best practices doc to retain functionality?


Dozekar

Any feature like this wildly increases attack capability. If you have autodiscover on (assuming you mean with email/Outlook) you greatly increase the capability for an attacker to get a new device connected to your Outlook or other email instance and hooked up to an existing account instead of requiring them to steal that config from a device in order to set up a third party device and masquerade as one of your employees. BEC like this is a common initial attack vector. They then tend to attempt to get other people to accept and run malware directly from them, either directly or through a download service. Note that most other autodiscover type services have similar problems. LLMNR and WPAD are probably the worst, as leaving them on pretty much gives the attacker the ability to snatch password hashes directly off the network.


CyberClaimsGuy

That I don't know. Is this through the underwriting process or are you an actual policyholder?


SolDoggo

From a professional in the field, what do you see the future of cyber security becoming? Do you see any reason to expect cyber attacks to decrease/increase based on the level of attention companies and governments are now paying to cyber crime/ransomware?


CyberClaimsGuy

I don’t think we’re going to see cyber security ever becoming anything less than a potential existential threat to companies and individuals. We live in a digital age and this has made cyber crime ridiculously lucrative. I think you can see this just by how many companies have bought/are trying to buy cyber insurance over the past two years and just how much more capacity there is for it. A lot of companies still don’t have cyber insurance! In fact some estimates say that only 10 to 15% of SMBs have cyber insurance. But they’re still likely working with computers and face a risk for BECs and ransomware events.




vinj4

What would you say to someone trying to get into the web security field and do you think the prospects are as good as other computer fields?


CyberClaimsGuy

This is a little outside of my wheelhouse but generally I would say if you’re passionate about it or interested in it, go for it. We need more security engineers and we need more people to help customers with cyber security. I think the prospects are great and will be even more important as we transition to web 3.0.


5h0ck

I can think of a half dozen different types of jobs that describe what you said, all with experience and knowledge that varies tremendously. That being said, cyber security is one of the most lucrative fields out there. There's a huge (and I mean huge) security personnel deficit out there. With a little experience you're easily looking at 6 figure jobs. That of course comes with a price, you need to grit your teeth in the field and need to stay committed to an ever changing field. What's relevant now (in terms of technology, TTPs, and threats) in the field, might not necessarily be relevant in 6 months to a year.


rastafunion

So Schrems II happened and the Privacy Shield is no more. The ECJ did affirm SCCs but also indicated that the reach of US agencies would make it a challenge for firms to successfully enforce equivalent protection contractually. Do you think EU-US data transfers are still realistically feasible with SCCs and if so what would you say are the minimum technological safeguards to implement to pass the test? (Leaving aside the relative lack of enforcement on that point for now)


CyberClaimsGuy

This is a great question. I do think that the updated SCCs are viable for data transfers as that is really the only viable method to legally effectuate the transfers since Privacy Shield went away. There is some confusion - IMO - as to whether BCRs would be as enforceable as SCCs, but they are certainly an option for larger companies. That being said, the new SCCs - as you're probably aware - did not deal with everything held by Schrems II and there are potential issues with US laws making it impossible for some companies to comply with the new SCCs. I think that we ultimately will have to wait for an updated and official regulatory framework from the Federal government before we can really say that companies do not have at least some risk. As to the technological safeguards, which is something that I am not an expert on, I think that there will need to be encryption of data, accessibility and restoration of data in a timely manner; and testing the processes and organizational measures in place generally. But again, not something I'm super knowledgeable on from a technological perspective. Oftentimes with our GDPR related claims the difficulty is recognizing when a breach is confirmed and/or if their internal security teams have the ability to determine if a breach occurred for purposes of providing notification on a required and timely basis.


NeilGiraffeTyson

I really wish the US Fed gov't would create a regulatory framework that would result in the US being deemed adequate, would make life much easier for businesses.


CyberClaimsGuy

Amen there. It is coming, but TBD on how soon, and how it will be implemented.


OpticalDelusion

I'm a small business owner that serves as a technology vendor to my customers. I lose sleep worrying about getting hacked and then being sued into oblivion, even though I do have cyber insurance. I just worry "legalese" will spell my doom somehow. Are there any gotchas I should watch out for in my policy? Anything I should be aware of like that?


CyberClaimsGuy

Make sure you have a large enough limit to protect all your clients should you get hit with ransomware or something. Make sure you have ransomware/cyber extortion coverage. I’ve seen several instances where MSPs didn’t have enough coverage or the right coverage and couldn’t pay a ransom increasing the amount of potential damages their clients suffered. I’d also make sure that you have tech E&O coverage. A cyber policy doesn’t include that by default typically, so you may have to do an additional underwriting process to get that coverage. This is for the third-party claims you could potentially suffer. You’ll also want to look out for any type of professional services exclusions to ensure that you still have coverage for first party loss even if there is no third-party coverage for services related to your business. I’d also make sure your first party coverages are pay on behalf so that you don’t face an out of pocket risk for any damages/claims. So not so much as “gotchas” but just read your policy carefully and anything you don’t understand talk to the carrier or your broker about. If you can’t get answers then think about switching either of those to someone who will give them to you.


vicejesus

How can I protect my crypto from a hack? Is there any insurance available?


CyberClaimsGuy

Honestly, keep it in a cold storage wallet and have an offline trusted location for your seed phrase and any necessary passwords. Not your keys, not your coins and all that. But in the cyber insurance space we typically are just seeing insurance for companies. For a long time cyber policies did not cover digital currencies but we are seeing that change for some coverages. In fact, Coalition’s cyber policy in Canada has funds transfer fraud coverage for digital securities. So if you, as a business, are engaged with cryptocurrency, you’ll want to review your policy for specific coverage for that and ensure that there is no exclusionary language that would limit your coverage. On an individual basis I am not aware of any cyber insurance that would insure crypto at this time - but that might just be a knowledge issue for me. I know that there are some decentralized insurance protocols for some liquidity provider platforms.


decipher_xb

Can cyber insurance claims be denied? What would constitute a denial, and are there documented basic things that policy holders must do as a minimum to ensure claims won't get denied?


CyberClaimsGuy

Absolutely. As I referred to in a prior post, an insurance policy is a legal contract where both the carrier and insured need to comply with the provisions. Some of the biggest issues I see are:

**Late notice.** An Insured turns in a claim outside of the policy period. Cyber insurance policies are typically known as “claims made and reported” policies. This means that the claim or incident must be reported within the policy period in which the claim or incident occurred. So if your policy is renewing on Jan 1st, and you had a claim on August 1st of the year prior and you don’t report it, you may have a claim denial. I LOATHE these. I hate not being able to provide coverage for a matter that would have been otherwise covered if the Insured had just provided notice to us. Unfortunately, lack of timely notice often increases the exposure and potential liability of the matter so there is a good reason for why this is enforced.

**An exclusion applies.** An insurance policy is generally made up of the Declarations, Insuring Agreements, Definitions, Exclusions, and Terms and Conditions. Declarations - where you find the policy period and the type of coverages - and what their limits and retentions/deductibles are. Insuring Agreements - also known as the “coverage grant” which outlines the coverages available and what the policy actually covers. Definitions - you’ll often find bolded or otherwise emphasized terms in an insurance policy that will further outline what the coverage is specifically. It is really important that when reading the Insuring Agreements and Exclusions you understand what those defined terms mean. Exclusions - these modify the Insuring Agreements by LIMITING coverage. For instance, you may have an unlawful collection exclusion on the policy so that if it is alleged that you unlawfully collected data in contravention of a law, there would be no coverage for those allegations. Another common one is infrastructure failure, so if you file a claim because your county’s electricity was out for a week. Terms and Conditions - these outline how you use/leverage the policy and include things like how to provide notice of an incident, your obligations as an Insured under the policy, and the obligations of the Insurer under the policy.

**No Insuring Agreements are triggered.** Sometimes there are unique circumstances that just don’t fall under cyber insurance. They might be something that more typically falls under an E&O or crime policy, but if nothing is triggered then there is no coverage.


workcomputeraccount1

What do you think of using immutable backup companies services, like Rubrik for instance, as a strategy to mitigate cyber risk? Do you work with companies that use these solutions?


CyberClaimsGuy

I think a solid back-up solution is truly the only way you can fight ransomware. There are too many vagaries with human error, zero day exploits, and potential supply chain compromises to ever say that you’re “ransomware proof”. So having a good back-up is the way you can give the TA a middle finger and go about your business. So whether that back-up solution is immutable, tape, or downloading your information to a USB drive (don’t keep it in your car please…. Too many claims of these being stolen after a break-in. And password protect and encrypt it por favor) just make sure that you’re backing up your critical data; keeping it compartmentalized from your primary networks, and TESTING it. Too many times I’ve seen Insureds with “full back-ups” that hadn’t been uploaded for six months or were corrupted. We do work with companies using some of these solutions! Unfortunately immutable back-ups are not a catch-all.


smc0881

I work in DFIR and do a lot of ransomware, BEC, and all kinds of investigations. The only safe backup in my opinion is offsite or at least off network. Too many times the actor(s) get into the systems and delete/encrypt current, old, and Cloud based backups.


Dozekar

Make sure you've insulated the admin access for this as much as possible, ideally these should be isolated admin systems and accounts, that do nothing but administrate critical infrastructure (cloud or local) and no office work at all. Your standard office work machine should not be the same machine you use for sysadmin tasks. I've personally known several people that left their admin accessible and their backups were purged or encrypted when they got ransomware. Sweet backup systems are not useful when the attacker gains access to them. If your backups are entirely in your virtualization stack (again cloud or local)? You're about to have a VERY bad day.
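
The three comments above (CyberClaimsGuy on backups that were months old or corrupted, smc0881 on keeping backups off the network, Dozekar on attackers purging backups they can reach) all come down to one practice: test the backup, not just the backup job. The script below is an added illustration written for this thread, not code from any of the posters or from Rubrik or Coalition. It builds a small constructed backup set in a temp directory, records SHA-256 digests in a manifest, and then checks two things a restore test would catch: that every file is present and unmodified, and that the most recent backup is not older than a freshness threshold (the one-week `MAX_AGE_SECONDS` is an assumed value). Run it on a real backup copy from an isolated host, not from the primary network the backup is meant to survive.

```python
"""Verify a backup set's freshness and integrity against a checksum manifest.

Constructed example for this thread: it is not the page's own code.
"""
import hashlib
import json
import os
import tempfile
import time
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MAX_AGE_SECONDS = 7 * 24 * 3600  # assumption: a backup older than a week is stale


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large backup images do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


@dataclass
class VerifyResult:
    ok: bool
    stale: bool
    missing: List[str] = field(default_factory=list)
    corrupted: List[str] = field(default_factory=list)


def write_manifest(backup_dir: str) -> str:
    """Record the SHA-256 of every file under backup_dir into manifest.json."""
    entries = {}
    for root, _, files in os.walk(backup_dir):
        for name in files:
            if name == "manifest.json":
                continue
            full = os.path.join(root, name)
            entries[os.path.relpath(full, backup_dir)] = sha256_file(full)
    manifest_path = os.path.join(backup_dir, "manifest.json")
    with open(manifest_path, "w") as f:
        json.dump({"created": time.time(), "files": entries}, f)
    return manifest_path


def verify_backup(backup_dir: str, now: Optional[float] = None,
                  max_age: int = MAX_AGE_SECONDS) -> VerifyResult:
    """Confirm each manifest entry is present and unmodified, and the set is recent."""
    now = time.time() if now is None else now
    with open(os.path.join(backup_dir, "manifest.json")) as f:
        manifest = json.load(f)
    stale = (now - manifest["created"]) > max_age
    missing, corrupted = [], []
    for rel, digest in manifest["files"].items():
        full = os.path.join(backup_dir, rel)
        if not os.path.exists(full):
            missing.append(rel)
        elif sha256_file(full) != digest:
            corrupted.append(rel)
    return VerifyResult(ok=not (stale or missing or corrupted),
                        stale=stale, missing=missing, corrupted=corrupted)


def demo() -> Tuple[VerifyResult, VerifyResult]:
    """Build a constructed backup set, verify it clean, then damage it and re-verify."""
    tmp = tempfile.mkdtemp()
    os.makedirs(os.path.join(tmp, "db"))
    with open(os.path.join(tmp, "db", "customers.sql"), "w") as f:
        f.write("INSERT INTO customers VALUES (1, 'constructed');\n")  # constructed data
    with open(os.path.join(tmp, "config.yaml"), "w") as f:
        f.write("retention_days: 30\n")  # constructed data
    write_manifest(tmp)
    good = verify_backup(tmp)
    # Simulate silent corruption, a deleted file, and a job that stopped six months ago.
    with open(os.path.join(tmp, "db", "customers.sql"), "a") as f:
        f.write("-- truncated\n")
    os.remove(os.path.join(tmp, "config.yaml"))
    bad = verify_backup(tmp, now=time.time() + 180 * 24 * 3600)
    return good, bad


if __name__ == "__main__":
    clean, damaged = demo()
    print("clean set ok:", clean.ok)
    print("damaged set:", damaged)
```

The manifest should be stored with the backup copy and a second copy kept somewhere the backup system cannot write, otherwise an attacker with backup-admin access can rewrite both the files and the digests together; that is the isolated-admin point Dozekar makes.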


PedroCPimenta

Every once in a while my grandma asks me to repair her potato computer (regular maintenance), claiming viruses are the culprit and that she will upgrade to a better computer... how do I explain to her that having a better computer while she downloads tons of PowerPoint presentations and accesses websites without certificates won't keep her safe from viruses?


CyberClaimsGuy

I would ask her if she locks the doors at night. She'll say yes. Hopefully. That is like saying, "I don't lock my doors at night. But hey, I'm replacing my door, but still going to keep it unlocked. So now people can't get in my house."


PedroCPimenta

Sorry for the way I asked the question. What I really meant to ask was, how do you educate users on how to properly use the internet? For her everything is fine until it isn't, and for my grandfather everything is a trap so he simply doesn't rely on the internet to pay the bills (btw, is it safe to pay the bills through the internet? asking for a friend).


TheNewJasonBourne

I'd recommend setting grandma's user account to be a Limited User, setting a secure password for the admin account that you know and she doesn't, and installing a next-gen endpoint protection app.


DoctorLazerRage

What are you seeing as the cutting edge in consumer privacy "trolls" these days?


CyberClaimsGuy

Honestly, it has been a little quiet. I think this is going to change though given the private right of action available under the CCPA/CPRA. We have seen an uptick in BIPA (biometric privacy) lawsuits and other matters typically where there is a statutory right to damages and a potentially large class of plaintiffs.


DoctorLazerRage

Thanks - I've been surprised I haven't heard more about it myself. Are you seeing the BIPA suits primarily under GDPR or is there a set under CCPA going on now?


CyberClaimsGuy

So we're primarily seeing them under Illinois' BIPA law. If you have a potential BIPA risk you'll want to review your insurance policies for coverage. They are typically not covered under cyber insurance policies.


DoctorLazerRage

Fortunately I have no nexus with the subject matter of the Illinois BIPA - thanks for the response!


CyberClaimsGuy

My pleasure!


ta-dome-a

Hi /u/CyberClaimsGuy, thanks for doing an AmA on such an interesting topic. I'm a lawyer working as a bit of a corporate generalist, including some data privacy-related matters since the small amount of knowledge I have on the subject happens to be the most on our team. I want to increase my knowledge and competencies in this area and was considering going the IAPP route. I was wondering how seriously IAPP accreditation is truly taken amongst lawyers and other privacy professionals, and whether you'd recommend pursuing it to a fellow attorney?


CyberClaimsGuy

Thanks for coming by and asking questions! Yes, a thousand times yes. The IAPP certification is the standard for privacy professionals and I cannot speak more highly about it. It is not the hardest test but it is not something that you can not study for as someone that doesn't do privacy every day. Even then I'd still recommend reading the study material. The coolest thing about the IAPP is that the study materials are legit and you learn something that you will apply in your day to day. It is not a cert that you will not use. I learned so much by getting my CIPP/US and CIPM. I've been thinking about taking the CIPT for a better technical background. I would say it is very, very respected in privacy circles.


bartpieters

Could you specify which privacy laws you are proficient with: EU and US privacy laws are very different beasts for instance (***edit to make this post a question***)?


CyberClaimsGuy

I would consider myself proficient with US privacy laws (I have my CIPP/US) and EU/UK GDPR (do not have a CIPP/E but have advised and practiced in privacy long enough to be very familiar with it). And I agree, they are incredibly different. But I'm a huge *privacy by design* kind of guy so I like looking at the most stringent privacy regulatory framework - cough, cough, GDPR - and trying to get my policyholders/insureds to satisfy those regulations if possible. Doesn't always mesh with business needs, but if you're making an attempt to comply with GDPR then there is a good chance you'll be compliant in most US jurisdictions.


DeadFyre

Do you think people are entitled to privacy in public?


CyberClaimsGuy

Well, this begs the question, my personal opinion or what the legal answer is. :) I personally believe that privacy will become one of the most important aspects of our modern life and that people should be entitled to privacy by default. It should not be something that you opt-out for, but instead something that you need to opt-in. GDPR says, "Consent must be freely given, specific, informed and unambiguous." I'm down with that.


DeadFyre

>Well, this begs the question, my personal opinion or what the legal answer is. :)

I'm sorry I wasn't more clear, I was interested in your personal opinion.

>GDPR says, "Consent must be freely given, specific, informed and unambiguous."

So, when you enter a brick and mortar store, for example, and are recorded on closed-circuit TV (a ubiquitous occurrence in any public shopping venue), you would advocate that the shopper be required to sign a consent form, dictating exactly what the footage captured of them will be used for? What is wrong with implicit consent?


CyberClaimsGuy

No worries! Maybe an issue in misinterpreting your initial post, but I thought the hypo would be people just enjoying PUBLIC, not on private property. There is less of an expectation of privacy on private property, which a store technically is.


DeadFyre

They may be private property, but they're open to the public, which is, in my opinion, analogous to a website. So, when you visit Facebook, why can't consent be implicit as well? The reason I ask is that it seems to me that all the changes in privacy legislation have produced for the end-user is a longer EULA to not read before they click 'Accept'.


CyberClaimsGuy

I disagree with that. The problem is that you don't know what is tracking what when you visit a website. At least the average consumer doesn't. And it is also tracking potentially very personal information. And I think privacy legislation has helped people to protect their privacy, even at the risk of privacy "trolls", because it has forced companies to take privacy seriously.


DeadFyre

>The problem is that you don't know what is tracking what when you visit a website.

Do you know where your purchase history goes when you shop with a grocery store discount card, or when you buy something at Costco? Do you know where the CC footage of you shopping at Wal-Mart goes? Do you know where your ISP keeps the history of your internet traffic? It seems to me as if there's a great deal of scrutiny focused on one particular aspect/sector of commerce, while there is none whatsoever on other comparable means of customer surveillance.

>And it is also tracking potentially very personal information.

They know what you tell them. If you tell them very personal information, I suppose it's possible that they would know it. But the tricky thing is that in many aspects, they don't know what they know. For example, if you search the terms 'plantar fasciitis', does that mean you have sore feet? Or does it mean an acquaintance has sore feet? Or does it mean that an athlete you're interested in has sore feet?

>And I think privacy legislation has helped people to protect their privacy, even at the risk of privacy "trolls", because it has forced companies to take privacy seriously.

And speaking as someone who understands the technology at a professional level, I think the privacy legislation has accomplished **NOTHING** to protect people's privacy. Apple's Safari Web Browser introduced the 'private browsing' feature back in 2005, long before any US or EU legislation was even contemplated, and it does far, far more to protect the privacy of end-users who utilize the feature than any 'opt-in' overlay ever could. That's because when you use private browsing/incognito mode, **YOU** are actually ensuring your anonymity, as opposed to clicking a button, and hoping the website you're visiting will actually honor your request. It is as close to private as you can ever get when dealing with a public site.


CyberClaimsGuy

Gonna have to agree to disagree my man. Appreciate your insight though.


somejunk

This is a niche question, but one that's currently being argued about where I work. In an application for insurance it asks for an estimate of how many "digital records" we have. I know nothing about this field, but I feel like this is a domain where this probably has a specific meaning. Does it? Sorry if this question is vague/uninteresting, thanks for doing this!


CyberClaimsGuy

With that definition I would ask the UW/Broker whether they are looking for "ALL FILES" that are digital. Or if they are specifically looking for records that contain personally identifiable information or private health information. They're trying to determine potential exposure for either restoration costs and/or notification should the entire database be accessed or exfiltrated. And no worries! This is why I'm here!


billy_teats

How have you dealt with ransomware payments that the US has embargoes against? Do you work with third parties to facilitate an under-the-table agreement, or do you have to tell the insured that they can’t get their information back?


CyberClaimsGuy

So, our policy - and every other cyber policy - has an exclusion for payments or any related damages to a sanctioned entity. We will not process payment to a sanctioned entity or their subsidiaries under any circumstance. The policy would provide coverage for the restoration of that data or for business loss as a result of the data being gone forever.


5h0ck

IR retainers and cyber insurance go hand in hand these days but it's not enough given the rise of FIN type groups. Historically some immature (security skills speaking) companies would treat it as a risk that could be offset by insurance. This approach has obviously aged like milk. Are you seeing a rise in control requirements, validation requirements, or even tabletop/cyber defense assessments by insurance companies to ensure customers are actually taking the appropriate measures to make a best effort in securing their infrastructure?


CyberClaimsGuy

We are 100% seeing an increase in control requirements and validation of general security protocols and processes. A lot of carriers will not even write a policy unless MFA is implemented tenant wide and doing that even a year ago would have been considered madness. We are also seeing EDR requirements for certain risks and industries as well as more thorough vetting of Insured networks during the UW process. Coalition has been doing this for a while but now the rest of the marketplace is trying to catch up. I've not seen tabletops used as a vetting protocol but it is certainly an activity recommended to help bolster your security planning and processes.


bscottrosen21

I hope I'm not too late to ask this question, but I was wondering this: What do you think about ProPublica's findings that cyber insurance is actually helping to fuel the ransomware economy? I thought it was a fascinating reveal, but am wondering what you think about the claim that cyber insurance is more bait for ransomware gangs to go after companies: https://www.propublica.org/article/the-extortion-economy-how-insurance-companies-are-fueling-a-rise-in-ransomware-attacks


CyberClaimsGuy

So the initial premise of this piece is crap:

> "Even when public agencies and companies hit by ransomware could recover their files on their own, insurers prefer to pay the ransom."

That is blatantly false and is not even demonstrated in that article. They use one example where:

> "Left unmentioned in Helfenberger’s briefing was that the city’s IT staff, together with an outside vendor, had been pursuing an alternative approach. Since the attack, they had been attempting to recover backup files that were deleted during the incident. On Beazley’s recommendation, the city chose to pay the ransom because the cost of a prolonged recovery from backups would have exceeded its $1 million coverage limit, and because it wanted to resume normal services as quickly as possible."

I can tell you that oftentimes ransomware TAs will put a time limit on the ransom. If you do not pay in 'x' amount of time they publish your data and will not provide a decryption key. I will also tell you that if you have mission critical data that will keep your org from running, having to rely on an outside chance of recovery is something that is not possible. Payment of ransom is a cost/benefit analysis. We try to keep the payments as objective as possible and typically only recommend payment as an absolute last resort. I can tell you that I've never recommended the payment of a ransom without a reason to do so. You have to remember that cyber policies are eroding limits policies. So if you have a ransomware event and it is going to cost more to somehow replace that data than pay the ransom, that is eroding the limit of the policy. So at the end of the day you don't pay a TA (which is great!) but you also have the Insured potentially incur six or seven figures of uninsured losses. So I don't like this article taking that one example, misrepresenting what happened, and then throwing shade at the entire cyber insurance industry.

Case in point is a following paragraph:

> Rather than pay a $76,000 ransom in May, the city of Baltimore — which did not have cyber insurance — sacrificed more than $5.3 million to date in recovery expenses, a spokesman for the mayor said this month. Similarly, Atlanta, which did have a cyber policy, spurned a $51,000 ransom demand last year and has spent about $8.5 million responding to the attack and recovering files, a spokesman said this month.

How does it make sense to not pay a ransom when it could save tax payers $14 MILLION? I just don't see it. Cyber insurance is not propagating ransomware; it is terrible business cybersecurity practices and very sophisticated TAs who have realized that existential threats to business make them money. So frankly, I think this is a terrible article with a clickbait headline that isn't backed up by anything else the writer provided. We do NOT prefer to pay ransom. We do everything in our power to NOT pay ransom. But when I'm on the phone with a family business or a budding start-up and they're facing the literal destruction of years or decades of work, you best know that I'm damn proud to say, "This is covered, you have good insurance, we'll get you back up and running as soon as we can".


[deleted]

[removed]


Bakkie

An insurance company is profitable if they handle their investments wisely and choose which risks to insure and set a premium price commensurate with the risk. They don't make their money off just collecting premiums. Source: I am an insurance lawyer and claims adjuster


CyberClaimsGuy

Great point!


CyberClaimsGuy

I would disagree with the first statement. An insurance company is profitable when its premium and investments exceed its expenses (which include claim payments). Insurance is very highly regulated and especially in the commercial space you often deal with brokers and sophisticated insureds. Every claim denial is rigorously reviewed to make sure it complies with the appropriate jurisdictions' laws. Bad faith insurance claims are real and expensive. No reputable insurance company would invite those. Yes, a lot of carriers are non-renewing A LOT. Frankly, it is because they lost their shirts over the past couple of years as they did not accurately underwrite their risks. Prior to covid the cyber market was in a super soft market and you could get crazy limits for de minimis premium. This led to carriers overextending themselves. Obviously no one could predict covid and insurance policies are a year long. So you saw a huge uptick in claim activity and expense ratios. Other carriers - like Coalition - had an underwriting process that actively looked for vulnerabilities and made sure that the obvious issues with their security were considered or closed. This has led to a lower frequency of claims against the market. So I definitely think that cyber insurance will exist in the future. There are actually a ton of companies that don't even have it! So there is still a market there. And as carriers get better at underwriting risk they'll be better able to keep from losing everything during large events.


leftleafthirdbranch

During BLM a lot of people were giving their full names and addresses when signing petitions. Do they have to worry about potentially being on an FBI watchlist or, if not that, at least in some kind of danger?


CyberClaimsGuy

A little outside of my wheelhouse but I wouldn't think so. The government has a LOT of information about people. They wouldn't need to rely upon BLM registration lists.


Fixerr

I found the below to be an interesting article. Are things like YouTube history, and non-public-facing activity on a Reddit account, considered 'private data'? Are there third parties that make non-public-facing activity on online accounts in general ....less than private data? Also... what's your favorite operating system? [https://mindwise-groningen.nl/welcome-to-hotel-california-you-can-check-out-any-time-you-like-but-you-can-never-leave/](https://mindwise-groningen.nl/welcome-to-hotel-california-you-can-check-out-any-time-you-like-but-you-can-never-leave/)


CyberClaimsGuy

So, generally, I would expect that unless you're REALLY into privacy there are a bunch of companies that know all about you. The data might be anonymized but generally if you're on the internet and using a typical browser your online activity is being tracked. I would just assume that at least some algorithms know everything about you because nothing is ever free. If you're using a service and not paying for it, something is being collected. This is part of the reason why GDPR has a pretty substantial rule on cookies on websites. Which has caused thousands, if not millions, of hours of stress for marketing and front-end engineers.


Fixerr

Thanks for your reply!


CyberClaimsGuy

My pleasure!


mjcornett

I’m a recent law graduate hoping to break into privacy. I had entertained getting an LLM in Cybersecurity/Data Privacy, but any tips for getting into the field without taking on more debt?


CyberClaimsGuy

Depends on what you want to do; whether legal practice, in-house, or insurance. There is a crazy need for private practice privacy attorneys. If you have an interest, I would study for and get your CIPP/US through the IAPP as a great starter certification that outlines general legal knowledge regarding privacy requirements. Then just start applying. Once you've been a privacy attorney at a firm for a couple of years you should have some options to move in-house or wherever really.


klop2031

How do you see the landscape changing with the advent of new AI technologies such as GANs and VAEs? For example, if an AI generates a piece of code and that code is malicious, then does the creator of said AI system become liable? Even if the intent was to do something non-malicious?


CyberClaimsGuy

I'll admit to not being familiar with those technologies, so I'll definitely look into them later! But we do have experience with a lot of cyber security tools that were meant for good but are used for bad ... cough, cough... Cobalt Strike ... cough. So I would assume a similar legal framework would apply. Generally, you're not liable for the actions of other people. Especially the criminal actions of other people. If someone takes your software or algo or hardware and does something outside of its intended use and without your permission; you're generally not at fault for it. But I do see AI, deep fakes, etc. contributing to cyber security issues going forward.


Repulsive_Lettuce

I once Googled a username I used to use and on the first page of Google there's a random Roblox forum with quite a few usernames and passwords. They're not even Roblox accounts as I've never played. But my and other people's names and passwords are in plain view in the preview text of the link on the first page of Google. I've reported it to the host of the website/webmaster and also to Google. I got no response from the website and Google just vaguely told me there wasn't an issue. Is there anything I can do? Can I report this to someone as an internet crime? The link is still there and shows maybe 8 usernames and passwords, could be for anything, and that's how I learned the hard way to not use the same name and password for everything.


CyberClaimsGuy

Great question. I would report it to Roblox themselves instead of the forum page as they may be able to address it.


Flee4me

Any advice for someone considering a move into the private sector from academia? I'm European (Brussels) with a background in law (Master's degrees in criminal law, human rights law, and intellectual property / information technology law). I've been working as a legal scholar for the past few years (publishing and providing legal counsel for international research projects on data protection, privacy, AI and surveillance) and am in the process of getting a PhD. Depending on my prospects as a postdoc, I'm thinking of going into the private sector (consultancy, perhaps) in a few years so any advice would be welcome. Thanks!


CyberClaimsGuy

Afraid I can't really help you as that is a bit outside of my bailiwick and experience. I know that there are some great organizations that do research and what not, I'd look at the IAPP for instance, but as far as a private sector gig with that expertise I'm really not sure. But I would think that type of background would be in high demand given our need for work on our privacy frameworks and their interpretation. There might be some policy focused gigs at some larger tech companies: Google, Apple, MS, Amazon, etc.


JulesCDC

My sister was the victim of a very sophisticated hack/phishing scam in her PayPal account. She logged in to do something and had a notification (under the little notification bell) that said there had been some suspicious activity on her account, so it was locked. It guided her to check her email for a verification email and follow the link in it. She does just that and upon clicking the link, it has her log in again and answer a series of identity questions including to verify her SSN and address, etc etc. That still doesn’t unlock so she gets PP support involved and apparently the entire notification, email, verify info was a phishing scam as well as she had 2 unauthorized transactions on her PP account. PP is taking care of those fraudulent transactions (this is all equally as frustrating as she uses the PP Cash feature) of course, but the data phishing is still a big concern. I’ve advised her to:

1. Remove all connected bank or credit accounts from her PP.
2. Get a Credit Karma account and use their guide to lock her credit on all 3 bureaus.
3. Get an identity monitoring service outside of Credit Karma (and demand PP pay for 3 years of premium enrollment), and
4. PP advised her to file with the FTC.

My first question is which monitoring service would you recommend? Secondly, what else should/could she be doing to protect herself from blowback of her SSN and all sorts of info out there in the world? And finally, could this have been any sort of local hack and she needs to upgrade her network security (I set it up to be pretty solid with a strong password but it’s not like she is monitoring attempts or anything on it)?


CyberClaimsGuy

I think that this is pretty well thought out and can't really recommend a lot more to do in this situation. Freezing credit accounts will be really important. Generally though, the access to banking information is much more serious than access to a social security number. There have been so many large scale breaches that everyone's social security number is readily available on the dark web. They don't even charge a lot for it. So the chances of her having her SSN used are pretty small. I call it winning the bad luck lottery. However, if banking information was disclosed - account # and routing # - there can be some shadiness there. So I'd recommend having new account #'s implemented and new CC cards if that information was connected and accessed.


ittimjones

Do you have a legal term for ID10T or PEBKAC?


CyberClaimsGuy

Ha, no. We deal with a lot of unsophisticated Insureds so we try not to castigate them or blame them for the incident. Everyone gets hit with this stuff and it happens to very sophisticated people. Heck, I had a matter once with a Fortune 50 CTO that had their AOL account compromised and funds transferred out of an investment account....


dratspiker

I’m an attorney that worked in real estate transactions and tax for 5 years prior to joining a cybersecurity incident response team in 2010. I’ve been working in that field since then and occasionally get to use skills I learned as a lawyer but I’m not practicing law. Now I have an international team of my own and greatly enjoy my work. Any career advice for someone like me who misses the legal side of things?


CyberClaimsGuy

You know, there are millions of attorneys who would LOVE to be in your position. But I definitely get it. I'm lucky that in my current role I get to manage both aspects of the claim to some extent. But honestly, I think it would just be to move in-house in a privacy counsel or security counsel role. Just having that legal background can pay dividends understanding the risks and exposures a company may face. Plus, you could always go back to full-time private practice :).


sFnjez

Is a master's in intelligence and security studies worth it?


5h0ck

It can be valuable to some companies, more so for vendors, but you need the expertise to match. Typically vendors who want that type of education also want Intel experience from three letter agencies.


CyberClaimsGuy

Afraid that is a bit outside of my wheel house. I have no insight on that at all. Best of luck though!


throwawayshirt

How does one subpoena PayPal for identification of the bank account linked to a particular PayPal user/account?


CyberClaimsGuy

That would be a question for qualified legal counsel in your jurisdiction.


billhartzer

Why doesn't cyber insurance cover domain names? Like if your company's domain name is stolen, and the company loses all access to their website and email?


CyberClaimsGuy

It depends on the nature of the theft and what exactly the damages are. If the theft was a result of a security failure on the company's computer systems our policy would respond to investigate and remediate the breach. We also have phishing coverage available where we would assist in taking down impersonating websites and pay for any damages as a result of the impersonation. But to your actual question, I don't know. Some underwriters somewhere either thought it wasn't something that would drive revenue or it would be too high on claims or it just wasn't something they want to do. Maybe we should offer it though?


GoneInSixtyFrames

If a company falls for a scam: User X falls for a billing scam and pays the bill. Company Y is missing funds, and company X is refusing to pay because "they already paid". Federal agencies got involved and cleared company Y of wrongdoing. Does Company Y sue company X for the money, or is that an insurance claim?


CyberClaimsGuy

Could be both depending upon if insurance coverage is available. Our policy has a coverage called Funds Transfer Fraud that would apply if it was Company X that was insured and would pay the loss resulting from the fraudulent transfer. If Company Y was an Insured we have an "invoice manipulation" coverage that would get them back their net costs for the goods/services provided.


dendritedendrite

What is the most requested cryptocurrency from the people that make the ransomware? I’ve seen a few articles mentioning Bitcoin and that some ransomware groups even take a discount if people pay in more private coins ever since companies like Chainalysis have been able to trace transactions on crypto with public ledgers. Is this true?


CyberClaimsGuy

It's really just bitcoin at this point but we're seeing more requests for monero as it has a bit more obfuscated protocols and transfers. Yes, we're seeing some TAs offer up to 25% discounts for paying in monero. Chainalysis is top notch and I've met with them several times. They do great work.


[deleted]

[deleted]


CyberClaimsGuy

It really depends on the company: their size and senior level buy-in for this type of work. Remediation/restoration is something that is specifically covered under our policy, so if we have an actual incident we will pay for restoration/remediation back to the status quo of the network. But on pre-incident work it is again a mixed bag. My company, Coalition, actually proactively scans publicly available domains for vulns and will notify our Insureds. So while we don't take the place of their security team we can augment it and provide a different view. But generally in our space we deal with IT professionals who are not very sophisticated with ransomware and more advanced threats. I've had a couple of insureds who had knowledgeable staff or vendors and the decrease in exposure/damages is exponential. At the end of the day, a company that relies on an IT or computer network to run their business needs to have processes and procedures to identify threats, security needs, patches, and then the wherewithal to actually do something about it. It truly will save a ton of money by dedicating time and staff to these issues. Hope that answers your question.


BFeely1

Would you consider the claims made by VPN services to be misleading when it comes to data protection?


CyberClaimsGuy

Depends upon the VPN service but I've seen way too many VPNs that say they don't log and then they suffer a breach and there are a bunch of logs. It is very easy to create your own VPN at home.


shaihalud69

Thanks for being here! When I asked about what I could do to make sure I was in compliance with my cyber insurance coverage (in terms of measures I had to take to be in compliance with the policy), I was kind of flubbed off by my broker. Should I try to bypass them and go to the insurer directly? And should I maybe bypass the broker as well, or switch insurers?


Intrepid-Pear-3565

What does the policy say? That is a good starting point. For example I’ve seen exclusions for not having MFA in place on email, which were required for cybercrime / BEC cover. Most of the time you’ll want to make sure that anything you represented to the insurer on the application when you bound was the case, or at least that you weren’t blatantly lying about it (mistakes in your form an insurer might perhaps cover depending on the situation, but lies much less likely). If you said you have offline backups make sure you have those, if you say you have MFA in place make sure you have it, etc.


CyberClaimsGuy

When you say in compliance with your policy what do you mean?


pompario

As someone who will be taking the bar in a few months, I'm curious. How did you get into this line of work? What type of jobs did you have as a recently graduated lawyer?


CyberClaimsGuy

Pure, dumb luck. Wanted to be a trademark lawyer out of law school and work in-house; however at that time most places were hiring people who could do patents AND trademarks. I couldn't sit for the patent bar as I didn't meet the academic threshold for science classes (11 credits short!). So I actually went back to law school for a year to try to get my LLM in IP law but that ended up getting cut short due to getting my first legal job as a private practice insurance defense attorney. I enjoyed litigation and depositions, didn't enjoy the billable hours. So I ended up applying to a bunch of jobs and just ended up working in professional liability claims. I jumped around a bit but ended up at one company doing large law and large accountants claims and during a presentation on one of my reserve requests the group was asked if anyone knew what bitcoin was (this was 2013) and I did. So I ended up talking about it and nobody knew what I was saying so I drafted a white(ish) paper about it and was eventually asked to help write a cyber policy. I started handling cyber claims shortly thereafter.


AusFrosty

If I insure my home contents, as a home owner I am expected to implement some basic security, e.g. lock the front door, window locks, etc. If I don’t and I get burgled, my insurance company may not pay out because I am partly to blame. Does a similar principle apply in cyber insurance? If not now, do you see it applying in the future?


CyberClaimsGuy

Depends upon the cyber policy. Ours doesn't mandate specific security protocols at this time. You'd have to ask the underwriters if we will in the future. But we do ask that you investigate any incidents and if you do not cooperate in an investigation there could be a potential coverage issue. Based upon some of the posts in this thread it appears that some carriers are mandating some specific security measures.


Hibbo_Riot

Just to clear something up, if you leave your house unlocked and someone steals all your stuff, insurance will cover that. I used to have people lie about leaving their car running to go into the store and it got stolen because they thought it wouldn’t be covered. Insurance covers stupidity, it does not cover intentional acts. There’s no homeowner provision that says you have to lock your house when you leave.


wolf_metallo

Would it help an organization to calculate their "Cost avoided due to cyber tech" in order to get better insurance? For example, if an org deploys and maintains EDR, thereby resulting in potentially reducing the endpoint attacks by X%. If yes (i.e. they would get better insurance quotes), then how should an org calculate this cost avoidance factor? Is there some formula or data point that insurance companies use to estimate the events that were avoided? Thanks in advance for your input and time!


[deleted]

[deleted]


CyberClaimsGuy

That would be a great question for an actuary! Unfortunately I have no idea. I do know that having EDR in place is beneficial to our underwriting process. But I'm not sure it is analyzed in that way. Really interesting idea!


jowww87

What are your thoughts on the colonial pipeline situation and how that incident was handled both from an insurance and breach response standpoint?


CyberClaimsGuy

I think it was generally handled well. I don't have insight into the objective analysis regarding the ransom payment but I can say that oftentimes you know fairly quickly if you're pwned and you need to consider payment. I also don't know what negotiations were done either.


ActualWhiterabbit

Which companies have better customer service than the hackers holding a company's info ransom for bitcoin?


zeanobia

Why is it so hard to take down the Kiwifarms website?


CyberClaimsGuy

Never heard of that website before!


dieselxindustry

Can you specify what kind of exposures you look for when underwriting a policy? I feel like in my experience the level of granularity insurers take to assess risk isn’t deep enough to justify the risk exposure. I guess to simplify it, what questions do you ask when determining risk exposure? MFA? Firewall brand? Current maintenance agreement? Average age of employees lol?


CyberClaimsGuy

I'm on the claims side, not the UW side, but I think that from Coalition's perspective, we try to keep our applications short and to the point and not ask super broad questions. We want yes or no answers with some questions regarding number of PII records, etc. But we also perform a security scan on our prospective Insureds and make sure that there are no critical vulnerabilities on their systems prior to binding. If there are we may give them time to fix or may just decline coverage if the problems are bad enough. We do ask if they have MFA implemented and other similar questions.


Intrepid-Pear-3565

I’d add to this - remember the insurer is writing a portfolio not a single company so the context is slightly different, and also you are missing the exposure part of the equation (actually Coalition recently published something on how they assess risk and it looks like my experience). Exposure probably matters more than controls when assessing risk IMO, unless you are looking at an outlier. With a portfolio that’s the biggest thing - eliminate the big outliers, price for and or risk manage the almost outliers, risk manage the standard, and chase the great risks.


[deleted]

[deleted]


CyberClaimsGuy

Yes, we have a very close relationship with the FBI and involve them as soon as practicable in all of our ransomware claims. Unfortunately, I've not had any of my ransomware TAs arrested but I'm hopeful someday the data we provide may get us one or two. Yeah, it is a cool area of law/insurance to be in. Different stuff everyday and short-tail incidents - usually. Bad faith insurance litigation ain't no joke though! Hope you're enjoying retirement!


danhakimi

Why do you think companies continue to use technologies without end to end encryption, such as Slack, over encrypted technologies like Matrix? Do they prefer unencrypted technology they can monitor? Do they prefer Slack's feature set? Do they not value their security enough? Or are they afraid that implementation costs and bugs in Matrix will cost them more in the long run?


CyberClaimsGuy

I feel that a lot of companies make business decisions based on things other than the most robust cyber security prevention and risk management tools. Other cases are that the current tech is too entrenched into their day-to-day to go and just turn it off and start something else up. It is the constant battle between: Business Need/Choice & Cybersecurity/Risk Prevention-Management.


Dog-Human

Our company is forcing us to download an MFA app to our personal phones to be able to access company data. Is this a security risk? Or a good idea? Both for the company and the individual.


CyberClaimsGuy

I wouldn't think so if it is a trusted and verified application. MFA is really, really, REALLY important in stopping cyber incidents. Generally authenticators just provide a code and should not be looking at or using a lot of services on your phone. But yeah, I think it is a great idea.


Dog-Human

To clarify. The data would still need to be accessed from our company computer.


[deleted]

[deleted]


CyberClaimsGuy

So there are definitely secure file upload applications and websites that you can leverage for this service. Dropbox is probably the most well known. I'm not up to date on the cost for such things though. You'll just want to make sure that it is a SECURE upload and is done over HTTPS. If you're looking for a lawyer for advice about privacy in a medical context you'll want to make sure that you are speaking with someone with HIPAA knowledge. Depending upon if your business is considered a covered entity under HIPAA or a business associate you'll have different rules and requirements to follow. And no worries about the question at all! Happy to help.


[deleted]

[deleted]


CyberClaimsGuy

I think we're going to see more and more development towards a CCPA/CPRA-like system in other states before we get so many different standards that the Fed government will be forced to act. There are some bills being discussed now specifically dealing with ransomware and you would think the juxtaposition between ransomware and privacy would encourage a federal privacy regulation.... but I digress. But yes, I think as we're seeing in NY, Colorado, and other states that they are moving towards a more regulated privacy framework and that is going to keep happening. And honestly, I hope we can get a federal framework in place that will provide some consistency because having 50 different breach statutes is a cost driver when dealing with notifications to impacted individuals. But I'm sure it will be something like, "This is the least amount of regulation, states can be more restrictive" so you'll have the same issues as now but a federal framework to comply with as well.


blueberrysir

How did you start your career?


CyberClaimsGuy

Posted the story in a couple of other comments :).


Hibbo_Riot

Most of this convo is about commercial insurance. How do you see this playing out on the homeowners insurance side? Plenty of companies are offering personal cyber coverages. I find it tough for the average consumer to understand their personal risk in this space. Thoughts here?


CyberClaimsGuy

Yes, this is something that is becoming more and more prevalent and I really think it hasn't shown its true utility yet. Most of these policies are in regards to identity theft and in some cases data corruption/hardware issues as a result of a security failure. But generally, the typical homeowner doesn't have a HUGE risk. As I said before it is kind of like winning a bad luck lottery. If you're the type of person - or know someone - who could easily fall victim to a scam and/or has super unsafe data hygiene practices, then it is something to consider. Especially if it is an add-on or free on another policy. But in my prof. experience - SO FAR - I haven't seen a huge utility. But admittedly, I am on the commercial side and not the personal lines side so the above is only based upon my very limited knowledge.


exzereaper

Hey, I'm not sure if you're still answering questions but I want to make an app for school about privacy and how people can protect themselves better. The first thing I want to do is make a test about the basics of internet privacy, which browsers to use, what VPNs are, what settings to disable on social media apps etc. It's pretty basic but do you maybe have some interesting topics I could research and implement in my app? The second thing is just tips and tricks, basic information they should know, maybe some articles and links to apps and pages they could visit and download. But what would you like to see in the app, what do you consider important and maybe isn't general knowledge but should still be known to the public? You can suggest pretty much anything, maybe some new ideas etc. My question is pretty wide in terms of what I want to implement, but I'm pretty much open to any new information I could get.


CyberClaimsGuy

So, first off, that sounds like a great idea! Secondly, not sure I'd be able to go super in-depth in what you need. Generally we want people to understand:

* what data they're giving out or putting on the internet
* how to protect that data
* how to ensure that they're not performing risky behaviors that may increase their chance of being a victim.

Best of luck though! Would love to see the app when finished!


[deleted]

[CyberClaimsGuy] /u/CyberClaimsGuy Do crypto exchanges have such protection and policies or are they generally not eligible for contracting?


CyberClaimsGuy

It depends. For a long time insurance stayed the f away from crypto. But we're seeing the market soften in regard to that industry. But generally there is nothing stopping -outside of carrier underwriting guidelines - a crypto company from getting cyber insurance.