Hi everyone! My name is Rich Gatz, a longtime data privacy attorney and cyber claims professional. I am doing an AMA today where I'm going to discuss data privacy, the ransomware epidemic, and cyber insurance.

The genesis of this was several threads in /r/sysadmin and other subs about cyber insurance and ransomware. As a long-time redditor, I thought an AMA would be a great opportunity to clear up any confusion about these complex topics.

Have you been wondering why so many companies are being impacted by ransomware, or the types of consideration taken into whether or not a company pays? Or maybe you just want to know what the heck cyber insurance actually covers? Well, this AMA is for you.

A little bit more about me: I’ve started working in cyber insurance in 2013 as a privacy and technology subject matter expert solely because I was the only person at the company that knew what bitcoin was. I am also a Fellow of Information Privacy with the International Association of Privacy Professionals and a barred/licensed attorney. I currently work for Coalition, Inc., the worlds’ largest “insurtech”, and handle data privacy and cyber incidents every day.

Proof: https://imgur.com/ycohNpl https://imgur.com/a/uhPNnhd

I'll start answering questions today at 10 AM PT/ 1 PM ET sharp. So please feel free to start asking questions now.

I'm here! And ready to answer questions till at least 3 PM ET and potentially after if there is interest! Thanks to everyone that has asked questions already.

Signing off for now - cyber claims pause for no one - but I'll be checking in on this post and this account sporadically, so please feel free to keep asking questions and I'll respond when able.

Thank you again, sincerely, for all of the questions. This was a wonderful experience and I appreciate all of you.

Cheers.

Comments: 223 • Responses: 90  • Date: 

Security_Chief_Odo88 karma

It's undeniable that users are generally the biggest threat to an enterprise network. There is a lot of defensive products and procedures designed and implemented to try and keep users safe from themselves and safeguard the network and data.

In your experience, has there been a case of an insurance company or litigation against an end-user that "allowed" a ransomware event to propagate? In other words, have you dealt with a case of a company punishing the user as the source of an infection?

CyberClaimsGuy116 karma

Not in my experience no. Ransomware attacks are a crime. That would be like punishing a person for getting robbed. Yeah, maybe you shouldn’t have been walking in a place known for robberies with five Rolex’s on your wrists; but ultimately it isn’t your fault that you were targeted for a crime.

Cyber insurance policies do typically have a subrogation provision that allows the insurer to recoup costs against liable third-parties. This is typically seen when our policyholders have a third-party service provider that may have been negligent and/or a preventable issue with software or hardware that was the proximate cause of the loss.

hippopotosauruses11 karma

Have you seen subrogation actually used (e.g. under a network security liability insuring agreement, or against some supplier's E&O) in cyber insurance? And if so, is it used often?

CyberClaimsGuy22 karma

I have seen that provision exercised in a couple of instances. Generally no though as if the Insured has a relationship with a vendor or other entity, then they may have cyber insurance or want to make their client whole.

A lot of times it is Insurance versus Insurance. But I would not say it is often, but it is something that is used. I think as we see more and more companies rely upon other entities for their cyber security this will potentially increase.

CyberClaimsGuy29 karma

I should ass that in the past year, we've seen 48% of our claims originate from phishing attacks/human error. So even though we would not go after an end user for reimbursement for any loss, we would certainly want the company to engage in good training programs and have a great insurance policy as well.

CallMeAladdin49 karma

I should ass

Buy me dinner first, sheesh.

CyberClaimsGuy36 karma

HAHA. Good catch. Leaving for posterity because what is an AMA without a crass typo.

rastapete22 karma

did you mean a "cradd" typo?

CyberClaimsGuy13 karma

LOL

Dozekar13 karma

Other side of the road here, working in infosec management the requirements for us to provide these training and technical solutions to mitigate some of the risk is basically be required to get affordable insurance now. This is huge as previously it was hard to get other execs to take this seriously in a lot of orgs. when insurance threatens to drop you because you won't pay for a EDR, execs pay attention fast. This is doubly true when every business to business contract you have requires it and you're in breach if you don't have one. You then get legal feet first down throats to force it in too.

Obviously ever org doesn't play ball the way they should on this, but I'm seeing huge executive changes when people see the insurance application and the operations team has to start stopping them and telling them they have to put no for all the answers. That gets organizational change in a way nothing else has for years now in virtually every organization I've heard from.

CyberClaimsGuy6 karma

That's great insight and I'm glad there are some positive changes coming out of the hard market.

vvanasten36 karma

I really hope I never have to make a claim, but what happens when we call our cyber insurance provider to report a claim like ransomware? What is the typical response?

CyberClaimsGuy64 karma

I hope you never have to report a claim too! Generally, if I am talking to someone they’re having a bad day; or about to discover they’re having a bad day. But I do like this genre of insurance because I feel like I can make a difference in that “bad day” from minute 0. You don’t really have that ability in other lines of commercial insurance as they’re longer tail claims and exposures.

The first thing to make sure you do is report an incident (actual or suspected!) to your insurance carrier IMMEDIATELY. We work with a ton of great brokers and some of them want to be notified first, but at the very least notify the insurance carrier at the same time you notify your broker. Time is of the essence and minutes matter when getting assistance with your incident. I’ve had Insureds who had a known business email compromise but didn’t change passwords until they called me. If there was a long delay between talking to me that can lead to additional loss or damages.

The following is how we handle claim calls where I work so I won’t speak to other market participants but we do take a more hands on approach with claims handling.

You would contact us via our 24/7 claims hotline, claims email or chat function on our website and that goes direct to the claims team. Our average response time is under five minutes. So you’ll ideally be speaking with a claims attorney or claims manager instantaneously. We will triage your call to understand what is occurring and provide some immediate assistance in regards to stopping the damage from the ransomware event. Things like disconnecting impacted servers from the internet or shutting down your network while we determine what type of access was made and which parts are encrypted.

We’ll also get information regarding size of network, number of employees, type of work you do, and type of data you hold. During that call we’ll be reaching out to our preferred panel vendors for privacy counsel/breach coaches and incident response. Once those conflicts checks are clear we will set-up a “scoping call” with counsel and forensics to get additional information. It is key to have someone with knowledge of your network on this call! Typically we set this up in the next 30 minutes to an hour. Again, time is of the essence!

It is important to have legal counsel on this call as we want to preserve privilege of any investigation that is undertaken as well as to advise the Insured on any data privacy or other regulatory/compliance issues. Forensics will ask technical questions so that they can prepare a Statement of Work for the investigation and analysis of the incident.

During this call we will also evaluate the type of access, encryption, and data involved - if possible. We’ll need to determine if we need to engage a service provider to engage the Threat Actor in negotiations for purposes of getting data back.

After the call counsel will be engaged by the Insured. Counsel does not have a contractual relationship with the insurance carrier! It is solely between the Insured and counsel.

Once the forensic statement of work is approved by the carrier, counsel, and the Insured; forensics will have a “kick-off” call to get their collection tools in place and typically an EDR solution to monitor the network for persistence of the Threat Actor access.

Then we’re off to the races; kicking the TA out of the network, remediating and restoring the network to how it was before the event, and potentially negotiated a ransom payment if needed as a last resort.

After the network is clean and up to date, then we’ll have the Insured fill out a Proof of Loss to determine if they’ve incurred any business interruption losses or extra expense (costs to defray a BI loss).

Dozekar13 karma

IMO you want to do two things at the same time. launch your disaster response plan \ incidence response plan and call insurance. You will frequently want to have a vetted IR team with your insurer and you will want to contact them at the exact same time as you're contacting your insurance. You WILL take additional losses in the form of organizational disruption if you don't have a DR play you can initiate NOW. This is general organizational advice and doesn't work for all orgs, but if you can take one week off your standing back up time, it's worth paying for some of the IR capabilities on your own for most execs.

And when you get fully ransomwared you will be standing shit back up for weeks whether you're restoring from backups or decrypting shit. There's also no guarantee you will get everything back up. Heard a story from a tribal gov and they lost priceless language recordings and culture data that they were never able to fully restore.

CyberClaimsGuy6 karma

A lot of good things here. You definitely want to call your carrier asap. I always tell policyholders:

You don't need to stop your team from applying a tourniquet, but point and tell someone to notify your insurance carrier.

You'll want to get them onboard so they can consent to costs being incurred and also get you in touch with their panel privacy counsel and IR firms. A lot of policies have restrictions when you go off-panel; and a lot of IT firms (no offense guys and gals) do not have the capability to appropriately respond to severe cyber incidents (even though they'll say they do).

Mindstorm8932 karma

Got a joke for you, you've probably heard it a thousand times:

Why couldn't the police catch the cyber criminal?

CyberClaimsGuy19 karma

I've actually not heard this one....

Why?

Mindstorm8948 karma

He just got up and ransomware.

CyberClaimsGuy18 karma

HAHA. HOW HAVE I NOT HEARD THAT

Mindstorm896 karma

Glad you like it!

Hopefully you can use it in a meeting or something :)

CyberClaimsGuy3 karma

Lol for sure

tankerkiller125real27 karma

What can I as a System Administrator tell and/or say to our executive team to finally convince them that our general business insurance is not enough to cover a cyber security event? I've tried multiple times now and I've been shot down every time with "we already have business insurance"

CyberClaimsGuy30 karma

I really appreciate this question because I have spent a lot of time with sysadmins who have told me privately - or publicly on scoping calls! - that they wanted to harden their network but were told that there was no budget or business need for it. There are a couple of things that I say to prospective policyholders:

  1. Do you work with computers? The answer is almost always yes. Okay, what would you do tomorrow if your entire network was done and you could not access any files on your servers. Does your current insurance policy cover the incident response: provision of third-party vendors - legal counsel, forensics, ransom negotiators, restoration specialists?

General business policies might have some limited protection but from what I’ve seen it is sometimes as low as $5,000 to as much as $100,000. Which with a systeminc incident is not enough.

  1. Does your policy pay for ransomware? A lot of policies are excluding this for coverage. A lot of CGL policies exclude loss of data/digital assets. If your business was ransomed and you had no ability to recover your data, could you still function? Could you provide payment in three days for $100k to get your data back? What about $500k? What about $1.5M?

The answer is often no. I’ve had claims with very, VERY, large companies that were unable to provide payments on such a short time frame. This is also why it is REALLY important that your insurance policy have PAY ON BEHALF coverage. Not reimbursement/indemnity for cyber extortion/ransomware. The carriers should pay the ransom - if necessary - not force the insured to do so.

The other thing is that everyone is at risk for a cyber incident. It is generally not something that is targeted. You have open holes in your network or a zero day exploit and you win a bad luck lottery and BOOM, you’re compromised and ransomed.

At the end of the day, people ultimately have the choice to purchase cyber insurance to protect themselves when they get hit with an incident. Or they purchase it after they’ve been hit with an incident. Just hope that the latter doesn’t utterly destroy your company.

HeftyAd411112 karma

Can you give us a brief run down of the process once you are contacted by a Customer concerning a claim?

CyberClaimsGuy9 karma

See post here. Happy to answer any additional questions you might have:

https://old.reddit.com/r/IAmA/comments/s8l16f/iama_data_privacy_attorney_and_cyber_insurance/hthk61b/

edgemuck11 karma

I’ve heard that a lot of cyber insurance claims aren’t paid out. Is this due to security failures on the customer’s part? Considering it is impossible to be completely secure, what barometer are insurance companies using to decide when to pay out?

hippopotosauruses51 karma

Obviously I'm not OP, but I also work in the cyber insurance industry.

I'd need a small novel to address how claims are actually processed, but I think we need to untangle a couple of concepts.

Cyber insurance terms, like other insurance terms, are set at the time of underwriting. And those terms remain in force for the duration of the policy (usually a year). An insurer can't change the terms of coverage once you make a claim.

Insurers are trying to underwrite to an overall picture of cyber security posture. What does your network look like? Who manages it? What security controls do you have, and how do you deploy them? We underwrite knowing full well your security posture isn't akin to an impenetrable fortress. If it was, you wouldn't need us. But we give better terms to good risks, and worse terms to bad risk. If a risk is bad enough - which is common in this market - we won't offer terms at all.

As for cyber insurance claims not paying out, that assertion makes the rounds at security conferences, usually by salty old admins or some guy who heard it from a guy who heard it from a guy. And if you dig into the specific claims (assuming you can even get a name), you'll find it's almost never a cyber insurance policy at issue. It's somebody getting hit with ransomware and trying to get coverage under a property policy, or a general liability policy, or a crime policy. E.g. that Mondelez v. Zurich claim that was all over the news after NotPetya. That was a property insurance policy.

Those policies don't underwrite your cyber risk and generally aren't intended to cover it. And these days most of them have very bright line exclusions for cyber risk. But a few years back, those exclusions weren't always so clear, and sometimes creative lawyers win and find coverage on those policies because courts uniformly resolve language vagaries against the insurer, not the insured.

But if you're buying actual cyber insurance coverage, where your cyber risk posture is underwritten, you'll find those claims get paid. Unless you're, like, lying on the application or intentionally misrepresenting your security, then you can expect it to be declined. Just keep an eye on sublimits. These will be obvious - on a declarations page or summary of coverage from your broker. Cyber insurance policies cover a lot of different things, and not all of them have full limits all the time. And some will have coinsurance. Nobody's being cute or hiding it, but insurance policies are complicated things, and your broker ought to be explaining them to you.

Edit: also, beware the sort of self-fulfilling prophecy of the person who uncritically buys the cheapest thing they can, doesn't spend any time on the details, and then complains that it doesn't work how they wanted it to. It's frustratingly common in insurance and tech, and cyber insurance sits right at the nexus of both. And there are some seriously crappy companies out there selling "cyber insurance."

Edit 2: I'm going to shut up and let OP respond. It's his AMA and I'm just some rando on the Internet.

CyberClaimsGuy32 karma

This guy/gal cyber insurances. Well said.

jeremynd016 karma

Dear rando - greet response. I want to dig into the part about lying. My company has submitted half a dozen cyber insurance applications in the past year, and every one has a question like "do you employ current industry standard practices for security."

I HATE this question, and I always say "no" to make it a point of contention: what is standard? What is current (today, or the day I have to file a claim)? I feel like it's a setup.

I probably make it out to be more than the intention, because I try to stay abreast of threats and man, criminals are creative.

Anyway, do you have any thoughts on what this means?

CyberClaimsGuy7 karma

So this is something where you want to reach out to your broker and ask them exactly what the application means. Some policies will be able to disclaim if you make a material misrepresentation on your application. So don't leave anything to chance. Leverage your broker for an explanation from the carrier and get that explanation in writing.

Generally, you won't know what the intent is unless you ask, and that question is way too broad. Which admittedly can go to your failure as which industry standard does it reference? For what industry? Is this NIST standards? Is this complex passwords on email accounts?

Dozekar2 karma

To clarify I work as an executive implementing infosec, not as an insurer but we work with them a lot.

Generally you can safely say yes when you apply any of the cybersecurity standards as recommended (NIST/ISO/critical security controls). There are published standards for this. Do you implement one? If you make a reasonable attempt to do this, then generally you should be able to answer yes to this. If you yolo security and think windows defender was turned at config time on servers (maybe), then it's probably best not to answer yes. Note that the recommendations for all of them have ways of identifying the risk and value of any given asset that cannot have a given control applied to it, and determining if the organization should be applying that control. If you follow this process sometimes you are gonna look at low value assets\data and not apply all protections to them as it's a bad business decision.

CyberClaimsGuy3 karma

I think one of the issues with this question is it is so broad and doesn't really give any idea what they're looking for. If a carrier wants NIST controls in place, they should say so.

[deleted]1 karma

[deleted]

CyberClaimsGuy1 karma

Oh, a 100% agreed. You'd still have issues of trying to determine which parts of NIST would mean compliance and if you're 30% compliant with NIST can you answer YES on the app or not.

And yes, we've done a lot at Coalition to make our UW process more streamlined and easier for our Insureds and broker partners. But we also have the tech ability to help review risks and are not reliant upon thirty pages of application questions to determine if a risk is appropriate or not.

CyberClaimsGuy12 karma

I think this is 100% not true. I pay cyber claims all day err day. And if you look at the market trends since Covid hit - when everyone started working remotely and ransomware became a legit epidemic - you’ll find that premiums are increasing and coverages are decreasing. This is what we call a “hard” insurance market. The reason for this? Insurers are paying claims!

I’d love for some type of article or data that demonstrates this because it is not what we’re seeing at my company or in the marketplace generally. That being said, I think I work for the best insurance company in the space and honestly we WANT to pay claims. It is how we sell our product and why we keep our customers. We have risk mitigation tools and processes to keep our claims frequency lower than the general marketplace average, but at the end of the day we are here when our Insured’s are having that “bad day” and we make it better by paying them for their losses.

As far as when an Insurance company decides to pay out it is a very objective analysis. An insurance policy is a contract, one which has provisions that need to be honored by both the insurance company and the insured. Now, insurance policies can have language that requires legal interpretation, but generally deciding to pay is not something an insurance company does. It pays when it has the legal obligation to pay.

In some policies there is language like, ‘reasonable and necessary’ in regards to payments, but that is also an objective analysis. And please keep in mind that in the US insurance contract law any ambiguity goes to the favor of the Insured. So carriers know this and act appropriately.

Cyberinsurance4 karma

Not OP but the hardest part of claims settlement is quantifying business interruption loss (loss of profits and extra expenses). Payment on ransomware loss, notification loss is pretty standard and not controversial. So other issues may arise if insureds look to use their own vendors when insurers may require the use of their own vendors. Long story short, if you want to use your vendors, schedule them at the time of binding (also get a broker who knows cyber and tech e&o)

CyberClaimsGuy4 karma

I do agree that evaluating proof of loss is difficult especially as it usually turns on specific definitions on what qualifies as BI loss or extra expense. Also, agreed that you'll want to ensure you have insurer consent to use non-panel vendors.

This is another reason why I ask all policyholders to REPORT CLAIMS OR INCIDENTS IMMEDIATELY. If you have a vendor that does a lot of work and it is done without the carrier's consent, that may not be covered under the policy.

Dozekar1 karma

Yeah, at the same time depending on your insurer they make take an unreasonable time to get back to you and start IR. Sometimes the savings from the business side is worth the cost of some activities not being covered. I've personally seen this. The business needs to determine if they're willing to foot the cost before they engage these third party services though. A good incident response plan covers this as well.

CyberClaimsGuy2 karma

Yes, responsiveness is item no. 1 with cyber claims. It is why we have claims calls go right to the claims team. We usually are speaking with the Insured within 5 minutes, and scope within the hour. Typically, we are more constrained by the Insureds availability.

But to the other end of that, some times the vendors an Insured uses prenotice are not IR or forensics experts. They'll nuke the network without identifying access vector and leads to issues.

Especially when the Insured doesn't report the first incident and then they get pwned worse and there is now a coverage issue.

SolDoggo10 karma

From a professional in the field, what do you see the future of cyber security becoming? Do you see any reason to expect cyber attacks to decrease/increase based on the level of attention companies and governments are now paying to cyber crime/ransomware?

CyberClaimsGuy12 karma

I don’t think we’re going to see cyber security ever becoming anything less than a potential existential threat to companies and individuals. We live in a digital age and this has made cyber crime ridiculously lucrative. I think you can see this just by how many companies have bought/trying to buy cyber insurance over the past two years and just how much more capacity there is for it. A lot of companies still don’t have cyber insurance! In fact some estimates say that only 10 to 15% of SMBs have cyber insurance. But they’re still likely working with computers and face a risk for BECs and ransomware events.

OSUTechie7 karma

Not sure if you are still doing this. I was working with our underwriter because they put in new requirements before they would renew our cyber insurance. He mentioned that many insurance companies are dropping offers of Cyber Insurance. Are you seeing the same?

Do you think we will see more companies start to implement stricter requirements on issuing policies. Not just requiring MFA, which seems to be the #1 added requirement for policies in 2021/2022. Things like Endpoint Encryption, strict password policies, etc?

CyberClaimsGuy9 karma

Still here! Yes, we are unfortunately in a hard market/sellers market where many cyber insurance carriers are trying to stay in this line of insurance while also reducing their loss ratio from the past couple of years. So you’re going to see guidelines becoming more strict and carriers leave the market entirely or leave certain segments.

I’m not an underwriter so can’t get too nuanced but there are definitely still carriers providing robust, full service cyber policies for good risks.

And frankly, have a business case to harden your network is not the most terrible thing, IMO.

Sheep_Dogs6 karma

What kind of requirements/controls do you see companies needing to implement in order to qualify for cyber insurance? I know this year's requirements/conditions came as a surprise to a lot of companies. Example: A lot of companies began enforcing MFA for local on prem privileged accounts/domain admins.

CyberClaimsGuy11 karma

So it really depends. Requiring MFA is something that a lot of carriers are doing just because it is one of the easiest and most comprehensive ways to keep your system/emails from being compromised. We see a lot of lateral movement within networks with various malware scraping creds from high level accounts and then using that to completely pwn the network. I can’t tell you how many times I’ve been sitting on a ransomware call where we see unauthorized logins from sysadmin accounts that just used username and pw. We’re even seeing these being brute forced.

So, as I mentioned in a prior comment, given all of the claim activity, carriers are in a sellers market and are able to harden their underwriting guidelines in the hopes of reducing claims for their insured.

I am a HUGE proponent of MFA, primarily because I have been on way too many claim calls where MFA would have stopped a serious attack or funds transfer fraud from ever happening.

I do understand and empathize that it is often difficult to get that buy-in from non-tech stakeholders, but hopefully these requirements will ultimately make sysadmin and other IT professionals jobs easier. Hopefully you’d much rather deal with implementing 2FA over a ransomware/BEC call on a holiday or weekend :).

reddittttttttttt2 karma

Why does coalition require us to disable auto discover? That's a big deal. Is this commonplace? Is there a best practices doc to retain functionality?

CyberClaimsGuy2 karma

That I don't know. Is this through the underwriting process or are you an actual policyholder?

reddittttttttttt1 karma

Policyholder that received the directive.

CyberClaimsGuy1 karma

Not sure I have the technical expertise to answer. I'd recommend reaching out to [email protected] for clarity.

reddittttttttttt1 karma

I appreciate it. Thanks for doing this!

CyberClaimsGuy1 karma

My pleasure!

Cyberinsurance5 karma

Hi Rich- how often have you seen carriers enforcing the war exclusion?

CyberClaimsGuy10 karma

Never. At least not in my professional experience. Most reputable cyber policies now have explicit coverage for “cyber terrorism” which would provide coverage for nation-state attacks. Interestingly, there was a recent holding in a case that answered whether or not that exclusion could be used:

https://news.bloomberglaw.com/privacy-and-data-security/mercks-1-4-billion-insurance-win-splits-cyber-from-act-of-war

I was not surprised by this holding as most war exclusions are fairly narrow and would require a formal attestation of war or armed conflict. Even if you know that China, Korea, or Russia was behind a cyber attack it may not trigger the actual war exclusion. It will be interesting to see if this language is modified in future policies to make it a broader exclusion.

bartpieters5 karma

Could you specify which privacy laws you are proficient with: EU and US privacy laws are very different beasts for instance (***edit to make this post a question***) ?

CyberClaimsGuy10 karma

I would consider myself proficient with US privacy laws (I have my CIPP/US) and EU/UK GDPR (do not have a CIPP/E but have advised and practiced in privacy long enough to be very familiar with it.

And I agree, they are incredibly different. But I'm a huge privacy by design kind of guy so I like looking at the most stringent privacy regulatory framework - cough, cough, GDPR - and trying to get my policyholders/insureds to satisfy those regulations if possible. Doesn't always mesh with business needs, but if you're making an attempt to comply with GDPR then there is a good chance you'll be compliant in most US jurisdictions.

rastafunion5 karma

So Schrems II happened and the Privacy Shield is no more. The ECJ did affirm SCCs but also indicated that the reach of US agencies would make it a challenge for firms to successfully enforce equivalent protection contractually. Do you think EU-US data transfers are still realistically feasible with SCCs and if so what would you say are the minimum technological safeguards to implement to pass the test? (Leaving aside the relative lack of enforcement on that point for now)

CyberClaimsGuy6 karma

This is a great question. I do think that the updated SCCs are viable for data transfers as that is really the only viable method to legally effectuate the transfers since Privacy Shield went away. There is some confusion - IMO - as to whether BCRs would be as enforceable as SCCs, but they are certainly an option for larger companies.

That being said, the new SCCs - as you're probably aware - did not deal with everything held by Schrems II and there are potential issues with US laws making it impossible for some companies to comply with the new SCCs.

I think that we ultimately will have to wait for an updated and official regulatory framework from the Federal government before we can really say that companies do not have at least some risk.

As to the technological safeguards, which this is something that I am not an expert on, I think that there will need to be encryption of data, accessibility and restoration of data in a timely manner; and testing the processes and organizational measures in place generally. But again, not something I'm super knowledgable on from a technological perspective.

Often times with our GDPR related claims the difficulty is recognizing when a breach is confirmed and/or if their internal security teams have the ability to determine if a breach for purposes of providing notification on a required and timely basis.

NeilGiraffeTyson3 karma

I really wish the US Fed gov't would create a regulatory framework that would result in the US being deemed adequate, would make life much easier for businesses.

CyberClaimsGuy3 karma

Amen there. It is coming, but TBD on how soon, and how it will be implemented.

vinj43 karma

What would you say to someone trying to get into the web security field and do you think the prospects are as good as other computer fields?

CyberClaimsGuy3 karma

This is a little outside of my wheelhouse but generally I would say if you’re passionate about it or interested in it, go for it. We need more security engineers and we need more people to help customers with cyber security. I think the prospects are great and will be even more important as we transition to web 3.0.

vicejesus3 karma

How can I protect my crypto from a hack? Is there any insurance available?

CyberClaimsGuy8 karma

Honestly, keep it in a cold storage wallet and have an offline trusted location for your seedphrase and any necessary passwords. Not your keys, not your coins and all that.

But in the cyber insurance space we typically are just seeing insurance for companies. For a long time cyber policies did not cover digital currencies but we are seeing that change for some coverages. In fact, Coalition’s cyber policy in Canada has funds transfer fraud coverage for digital securities. So if you, as a business, are engaged with cryptocurrency, you’ll want to review your policy for specific coverage for that and ensure that there is no exclusionary language that would limit your coverage.

On an individual basis I am not aware of any cyber insurance that would insure crypto at this time - but that might just be a knowledge issue for me. I know that there is some decentralized insurance protocols for some liquidity provider platforms.

workcomputeraccount13 karma

What do you think of using immutable backup companies services, like Rubrik for instance, as a strategy to mitigate cyber risk? Do you work with companies that use these solutions?

CyberClaimsGuy11 karma

I think a solid back-up solution is truly the only way you can fight ransomware. There are too many vagaries with human error, zero day exploits, and potential supply chain compromises to ever say that you’re “ransomware proof”. So having a good back-up is the way you can give the TA a middle finger and go about your business.

So whether that back-up solution is immutable, tape, or downloading your information to a USB drive (don’t keep it in your car please…. Too many claims of these being stolen after a break-in. And password protect and encrypt it por favor) just make sure that you’re backing up your critical data; keeping it compartmentalized from your primary networks, and TESTING it. Too many times I’ve seen Insureds with “full back-ups” that hadn’t been uploaded for six months or were corrupted. z

We do work with companies using some of these solutions! Unfortunately immutable back-ups is not a catch all.

decipher_xb3 karma

Can cyber insurance claims be denied? What would constitute a denial and is there documented basic things that policy holders must do as a minimum to ensure claims won't get denied?

CyberClaimsGuy6 karma

Absotutely. As I referred to an a prior post, an insurance policy is a legal contract where both the carrier and insured need to comply with the provisions. Some of the biggest issues I see are:

Late notice. An Insured turns in a claim outside of the policy period. Cyber insurance policies are typically known as “claims made and reported” policies. This means that the claim or incident must be reported within the policy period in which the claim or incident occurred. So if you’re policy is renewing on Jan 1st, and you had a claim on August 1st of the year prior and you don’t report it, you may have claim denial.

I LOATHE these. I hate not being able to provide coverage for a matter that would have been otherwise covered if the Insured had just provided notice to us. Unfortunately, lack of timely notice often increases the exposure and potential liability of the matter so there is a good reason for why this is enforced.

An exclusion applies. An insurance policy is generally made up of the Declaration, Insuring Agreements, Definitions, Exclusions, and Terms and Conditions.

Declarations - where you findthe policy period and the type of coverages - and what their limits and retentions/deductibles are.

Insuring Agreements - also known as the “coverage grant” which outlines the coverages available and what the policy actually covers.

Definitions - you’ll often find bolded or otherwise emphasized terms in an insurance policy that will further outline what the coverage is specifically. It is really important that when reading the Insuring Agreements and exclusions that you understand what those defined terms mean.

Exclusions - these modify the Insuring Agreements by LIMITING coverage. For instance, you may have an unlawful collection exclusion on the policy so that if it is alleged that you unlawfully collected data in contravention of a law that there would be no coverage for those allegations. Or another common one is infrastructure failure. So if you file a claim because your county’s electricity was out for a week.

Terms and Conditions - these outline how you use/leverage the policy and include things like how to provide notice of an incident and your obligations as an Insured under the policy and the obligations of the Insurer under the policy.

No Insuring Agreements are triggered. Sometimes there are unique circumstances that just don’t fall under cyber insurance. They might be something that more typically falls under an E&O or crime policy, but if nothing is triggered then there is no coverage.

PedroCPimenta3 karma

Every once in a while my grandma asks me to repair her potato computer (regular maintenance) claiming viruses are the culprit and that she will upgrade to a better computer... how do I explain to her that having a better computer while she downloads tons of power point presentations and accessing websites without certificates won't keep her safe from viruses?

CyberClaimsGuy6 karma

I would ask her if she locks the doors at night. She'll say yes. Hopefully.

That is like saying, "I don't lock my doors at night. But hey, I'm replacing my door, but still going to keep it unlocked. So now people can't get in my house."

DoctorLazerRage3 karma

What are you seeing as the cutting edge in consumer privacy "trolls" these days?

CyberClaimsGuy5 karma

Honestly, it has been a little quiet. I think this is going to change though given the private right of action available under the CCPA/CPRA.

We have seen an uptick in BIPA (biometric privacy) lawsuits and other matters typically where there is a statutory right to damages and a potentially large class of plaintiffs.

DoctorLazerRage1 karma

Thanks - I've been surprised I haven't heard more about it myself. Are you seeing the BIPA suits primarily under GDPR or is there a set under CCPA going on now?

CyberClaimsGuy6 karma

So we're primarily seeing them under Illinois' BIPA law.

If you have a potential BIPA risk you'll want to review your insurance policies for coverage. They are typically not covered under cyber insurance policies.

DoctorLazerRage2 karma

Fortunately I have no nexus with the subject matter of the Illinois BIPA - thanks for the response!

CyberClaimsGuy2 karma

My pleasure!

OpticalDelusion3 karma

I'm a small business owner that serves as a technology vendor to my customers. I lose sleep worrying about getting hacked and then being sued into oblivion, even though I do have cyber insurance. I just worry "legalese" will spell my doom somehow.

Are there any gotchas I should watch out for in my policy? Anything I should be aware of like that?

CyberClaimsGuy6 karma

Make sure you have a large enough limit to protect all your clients should you get hit with ransomware or something. Make sure you have ransomware/cyber extortion coverage. I’ve seen several instances where MSPs didn’t have enough coverage or the right coverage and couldn’t pay a ransom increasing the amount of potential damages their clients suffered.

I’d also make sure that you have tech E&O coverage. A cyber policy doesn’t include that by default typically, so you may have to do an additional underwriting process to get that coverage. This is for the third-party claims you could potentially suffer.

You’ll also want to look out for any type of professional services exclusions to ensure that you still have coverage for first party loss even if there is no third-party coverage for services related to your business.

I’d also make sure your first party coverages are pay on behalf so that you don’t face an out of pocket risk for any damages/claims.

So not so much as “gotchas” but just read your policy carefully and anything you don’t understand talk to the carrier or your broker about. If you can’t get answers then think about switching either of those to someone who will give them to you.

ta-dome-a3 karma

Hi /u/CyberClaimsGuy, thanks for doing an AmA on such an interesting topic.

I'm a lawyer working as a bit of a corporate generalist, including some data privacy-related matters since the small amount of knowledge I have on the subject happens to be the most on our team. I want to increase my knowledge and competencies in this area and was considering going the IAPP route. I was wondering how seriously is IAPP accreditation truly taken amongst lawyers and other privacy professionals, and whether you'd recommend pursuing to a fellow attorney?

CyberClaimsGuy4 karma

Thanks for coming by and asking questions!

Yes, a thousand times yes. The IAPP certification is the standard for privacy professionals and I cannot speak more highly about it. It is not the hardest test but it is not something that you can not study for as someone that doesn't do privacy every day. Even then I'd still recommend reading the study material.

The coolest thing about the IAPP is that the study materials are legit and you learn something that you will apply in your day to day. It is not a cert that you will not use.

I learned so much by getting my CIPP/US and CIPM. I've been thinking about taking the CIPT for a better technical background.

I would say it is very, very respected in privacy circles.

billy_teats2 karma

How have you dealt with ransomware payments that the US has embargo’s against? Do you work with 3rd party’s to facilitate an under the table agreement or do you have to tell the insured that they can’t get their information back?

CyberClaimsGuy3 karma

So, our policy - and every other cyber policy - has an exclusion for payments or any related damages to a sanctioned entity. We will not process payment to a sanctioned entity or their subsidiaries under any circumstance.

The policy would provide coverage for the restoration of that data or for business loss as a result of the data being gone forever.

DeadFyre2 karma

Do you think people are entitled to privacy in public?

CyberClaimsGuy3 karma

Well, this begs the question, my personal opinion or what the legal answer is. :)

I personally believe that privacy will become one of the most important aspects of our modern life and that people should be entitled to privacy by default. It should not be something that you opt-out for, but instead something that you need to opt-in.

GDPR says, "Consent must be freely given, specific, informed and unambiguous."

I'm down with that.

DeadFyre1 karma

Well, this begs the question, my personal opinion or what the legal answer is. :)

I'm sorry I wasn't more clear, I was interested in your personal opinion.

GDPR says, "Consent must be freely given, specific, informed and unambiguous."

So, when you enter a brick and mortar store, for example, and are recorded on closed-circuit TV (a ubiquitous occurrence in any public shopping venue), you would advocate that the shopper be required to sign a consent form, dictating exactly what the footage captured of them will be used for? What is wrong with implicit consent?

CyberClaimsGuy1 karma

No worries!

Maybe an issue in misinterpreting you initial post, but I thought the hypo would people just enjoying PUBLIC not on private property. There is less an expectation of privacy on private property, which a store technically is.

5h0ck2 karma

IR retainers and cyber insurance go hand and hand these days but it's not enough given the rise of FIN type groups. Historically some immature (security skills speaking) companies would treat it as a risk that could be offset by insurance. This approach has obviously aged like milk.

Are you seeing a rise in control requirements, validation requirements, or even tabletop/cyber defense assessments by insurance companies to ensure customers are actually taking the appropriate measures to make a best effort in securing their infrastructure?

CyberClaimsGuy1 karma

We are 100% seeing an increase in control requirements and validation of general security protocols and processes. A lot of carriers will not even write a policy unless MFA is implemented tenant wide and doing that even a year ago would have been considered madness.

We are also seeing EDR requirements for certain risks and industries as well as more thorough vetting of Insured networks during the UW process. Coalition has been doing this for a while but now the rest of the marketplace is trying to catch up.

I've not seen tabletops used as a vetting protocol but it is certainly an activity recommended to help bolster your security planning and processes.

somejunk2 karma

This is a niche question, but one that's currently being argued about where i work. In an application for insurance it asks for an estimate of how many "digital records" we have. I know nothing about this field, but i feel like this is a domain where this probably has a specific meaning. Does it?

sorry if this question is vague/uninteresting, thanks for doing this!

CyberClaimsGuy4 karma

With that definition I would ask the UW/Broker whether they are looking for "ALL FILES" that are digital. Or if they are specifically looking for records that contain personally identifiable information or private health information.

They're trying to determine potential exposure for either restoration costs and/or notification should the entire database be accessed or exfiltrated.

And no worries! This is why I'm here!

idea-questions1 karma

Hello sir. I made this account specifically to ask some questions that I am embarrassed to ask. If you check my profile, you will see my post from last night and the day prior.

Embarrassed to ask this question, but I need help..

I want to modernize my business and Keep up with my competitors but do not know how to approach it.

The patients that I help are often disabled or very poor. I am able to help to get medical assistance with their hospital bills if they provide their documents.

However, they cannot always do so.

Scenario 1: a patient is grieving the loss of their newborn, and and cannot drop off their sensitive documents. They are willing to upload photos of their sensitive documents (drivers license, birth certificate, social security card) .

Or scenario 2: person is disabled and has no vehicle or transportation to our office, but would rather submit their documents electronically. They call, and ask if there are uploading options via their mobile or online.

Is there a way I can have patients upload photos of their sensitive documents via electronic submission from their mobiles?

And can you please tell me what kind of lawyer I might need to speak to about advice, unless you might be able to spare some.

Thank you very much for your time

CyberClaimsGuy1 karma

So there are definitely secure file upload applications and websites that you can leverage for this service. Dropbox is probably the most well known. I'm not up to date on the cost for such things though.

You'll just want to make sure that it is a SECURE upload and is done over HTTPS.

If you're looking for a lawyer for advice about privacy in a medical context you'll want to make sure that you are speaking with someone with HIPAA knowledge. Depending upon if your business is considered a covered entity under HIPAA or a business associate you'll have different rules and requirements to follow.

And no worries about the question at all! Happy to help.

JulesCDC1 karma

My sister was the victim of a very sophisticated hack/phishing scam in her PayPal account. She logged in to do something and had a notification (under the little notification bell) that said there had been some suspicious activity on her account, so it was locked. It guided her to check her email for a verification email and follow the link in it. She does just that and upon clicking the link, it has her login again and answer a serious of identity questions including to verify her SSN and address, etc etc. That still doesn’t unlock so she gets PP support involved and apparently the entire notification, email, verify info was a phishing scam as well as she had 2 unauthorized transactions on her PP account.
PP is taking care of those fraudulent transactions (this is all equally as frustrating as she uses the PP Cash feature) of course, but the data phishing is still a big concern.

I’ve advised her to 1. Remove all connected bank or credit accounts from her PP. 2. Get a Credit Karma account and use their guide to lock her credit on all 3 bureaus. 3. Get an identity monitoring service outside of Credit Karma (and demand PP pay for 3 years of premium enrollment) and 4. PP advised her to file with the FTC

My first question is which monitoring service would you recommend? Secondly, what else should/could she be doing to protect herself from blowback of her SSN and all sorts of info out there in the world? And finally could this have been any sort of local hack and she needs to upgrade her network security (I set it up to be pretty solid with a strong password but it’s not like she is monitoring attempts or anything on it)?

CyberClaimsGuy2 karma

I think that this is pretty well thought out and can't really recommend a lot more to do in this situation. Freezing credit accounts will be really important.

Generally though, the access to banking information is much more serious than access to a social security number. There have been so many large scale breaches that everyone's social security number is readily available on the dark web. They don't even charge a lot for it.

So the chances of her having her SSN used are pretty small. I call it winning the bad luck lottery.

However, if banking information was disclosed - account # and routing # - there can be some shadiness there. So I'd recommend having new account #'s implemented and new CC cards if that information was connected and accessed.

JulesCDC1 karma

First thank you so much for the fast reply. This happened just this morning so the panic is good and fresh.
No banking info was confirmed or shared during the phishing questions thankfully. And she had a debit card linked to the PP account that I’ve advised her to unlink.

I’ve honestly never seen such a sophisticated phish. I work in point of sale, am QIR certified and working on my ETA CPP and speak fluent credit card security and this was unreal to hear the process originated from her actual PP notifications. I’m am so shook that unlinked my own accounts in my own PP.

CyberClaimsGuy3 karma

Yeah, it is crazy how sophisticated these people are. I had a claim similarly where they sent fake texts mimic-ing a Bank of America fraud alert. The Insured spoke to multiple people and on multiple days and was socially engineered to giving up their logins to the bank website.

I had another Insured who was a law firm and they had a several month long relationship with a client who ended up defrauding them of money by sending them a check and requesting a wire before the check cleared.

This is why I don't blame people when they get his with this stuff. It is just so darn hard not to fall victim and things are getting more and more sophisticated as we go.

ittimjones1 karma

Do u have a legal term for ID10T or PEBKAC?

CyberClaimsGuy4 karma

Ha, no. We deal with a lot of unsophisticated Insureds so we try not to castigate them or blame them for the incident. Everyone gets hit with this stuff and it happens to very sophisticated people.

Heck, I had a matter once with a Fortune 50 CTO that had their AOL account compromised and funds transferred out of an investment account....

dratspiker1 karma

I’m an attorney that worked in real estate transactions and tax for 5 years prior to joining a cybersecurity incident response team in 2010. I’ve been working in that field since then and occasionally get to use skills I learned as a lawyer but I’m not practicing law. Now I have an international team of my own and greatly enjoy my work.

Any career advice for someone like me who misses the legal side of things?

CyberClaimsGuy1 karma

You know, there are millions of attorneys who would LOVE to be in your position. But I definitely get it. I'm lucky that in my current role I get to manage both aspects of the claim to some extent.

But honestly, I think it would just be to move in-house in a privacy counsel or security counsel role. Just having that legal background can pay dividends understanding the risks and exposures a company may face.

Plus, you could always go back to full-time private practice :).

Forcasualtalking1 karma

CCPA (+CPRA on the horizon), other states introducing similar legislation, what else can we expect from data protection legislation in the US?

Would this ever become federal?

CyberClaimsGuy2 karma

I think we're going to see more and more development towards a CCPA/CPRA like system in other states before we get so many different standards that the Fed government will be forced to act. There are some bills being discussed now specifically dealing with ransomware and you would think the juxtaposition between ransomware and privacy would encourage a federal privacy regulation.... but I digress.

But yes, I think as we're seeing in NY, Colorado, and other states that they are moving towards a more regulated privacy framework and that is going to keep happening.

And honestly, I hope we can get a federal framework in place that will provide some consistency because have 50 different breach statutes is a cost driver when dealing with notifications to impacted individuals. But I'm sure it will be something like, "This is the least amount of regulation, states can be more restrictive" so you'll have the same issues as now but a federal framework to comply with as well.

Forcasualtalking1 karma

very interesting, thanks for the reply.

working on gdpr over in europe, so am always interested to see how the ol' US is doing.

CyberClaimsGuy1 karma

My pleasure! Hopefully you're not getting too stressed out by the DPAs :).

Forcasualtalking1 karma

Mostly dealing with the ICO (UK) and AEPD (Spain), so not too bad. The German authorities though........haha

CyberClaimsGuy1 karma

HA, yes, those Germans. I've had a couple of matters with their DPAs. Much rather deal with the Spanish, and then a little bit better ICO.

I'm just really glad the UK GDPR is like a carbon copy of EU GDPR. I would have been very upset if I had to try to learn an entirely new framework.

blueberrysir1 karma

How did you start your career?

CyberClaimsGuy1 karma

Posted the story in a couple of other comments :).

Hibbo_Riot1 karma

Most of this convo is about commercial insurance. How do you see this playing out on the homeowners insurance side? Plenty of companies are offering personal cyber coverages. I find it tough for the average consumer to understand their personal risk in this space. Thoughts here?

CyberClaimsGuy1 karma

Yes, this is something that is becoming more and more prevalent and I really think it hasn't shown its true utility yet. Most of these policies are in regards to identity theft and in some cases data corruption/hardware issues as a result of a security failure. But generally, the typical homeowner doesn't have a HUGE risk. As I said before it is kind of like winning a bad luck lottery.

If you're the type of person - or know someone - who could easily fall victim to a scam and/or has super unsafe data hygience practices, then it is something to consider. Especially if it is an add-on or free on another policy. But in my prof. experience - SO FAR - I haven't seen a huge utility.

But admittedly, I am in the commercial side and not the personal lines side so the above is only based upon my very limited knowledge.

Hibbo_Riot1 karma

Full disclosure I’m on the personal side and also have a hard time selling the utility of it other than consultation in the moment via like a cyber scout. It’s a very cheap add on like $4 a month but unless someone’s crypto wallet is stolen or hacked, I don’t see the actual loss sustained. Now as cyber criminals innovate and move from low hanging fruit with high upside (companies), to the personal space, it will only get more crowded with threats. But right now, it’s hard to make it tangible for a customer, where as say a tornado and home damage is obviously tangible and seen as an actual “threat”.

CyberClaimsGuy1 karma

Absolutely. Glad to see that my knee-jerk thoughts are in line with what is going on. LOVE WHEN THAT HAPPENS.

But yes, I think it is something very akin to early commercial cyber policies. There really weren't a lot of claims. The loss ratio for cyber insurance was basically nothing and was just printing money for carriers.

That changed quite a bit so I wonder if personal lines cyber is on the same trajectory.....

sFnjez1 karma

Is a master in intelligence an security studies worth it?

CyberClaimsGuy1 karma

Afraid that is a bit outside of my wheel house. I have no insight on that at all. Best of luck though!

bensport91 karma

Security Engineer here in the vulnerability management space. I was wondering what you've seen in terms of remediation from the companies you've insured. Are they having dedicated teams specific to remediating vulnerabilities identified, or still more the traditional sysadmins being the remediators and security teams more just being the identifier and alarm raisers for vulnerabilities? Not to get into specifics but we run super lean and trying to wrangle all of our server owners to remediate has been a feat. Log4J has brought a spotlight for us but we want to capitalize on that to get the resources we need. Any insight would be greatly appreciated!

CyberClaimsGuy3 karma

It really depends on the company: their size and senior level buy-in for this type of work. Remediation/restoration is something that is specifically covered under our policy, so if we have an actual incident we will pay for restoration/remediation back to the status quo of the network.

But on pre-incident work it is again a mixed bag. My company, Coalition, actually proactively scans publicly available domains for vulns and will notify our Insureds. So while we don't take the place of their security team we can augment it and provide a different view.

But generally in our space we deal with IT professionals who are not very sophisticated with ransomware and more advanced threats. I've had a couple of insureds who had knowledgable staff or vendors and the decrease in exposure/damages is exponential.

At the end of the day, a company that relies on an IT or computer network to run their business needs to have processes and procedures to identify threats, security needs, patches, and then the wherewithal to actually do something about it. It truly will save a ton of money by dedicating time and staff to these issues.

Hope that answers your question.

throwawayshirt1 karma

How does one subpoena PayPal for identification of the bank account linked to a particular PayPal user/account?

CyberClaimsGuy2 karma

That would be a question for qualified legal counsel in your jurisdiction.

billhartzer1 karma

Why doesn't cyber insurance cover domain names? Like if your company's domain name is stolen, and the company loses all access to their website and email?

CyberClaimsGuy2 karma

It depends on the nature of the theft and what exactly the damages are. If the theft was a result of a security failure on the company's computer systems our policy would respond to investigate and remediate the breach. We also having phishing coverage available where we would assist in taking down impersonating websites and pay for any damages as a result of the impersonation.

But to your actual question, I don't know. Some underwriters somewhere either thought it wasn't something that would drive revenue or it would be too high on claims or it just wasn't something they want to do.

Maybe we should offer it though?

billhartzer1 karma

When it comes to stolen domain names, usually the domain name being stolen isn't a result of a security failure on the company's computer systems. Domains are held and configured at domain registrars, so I don't think it would necessarily qualify based on what you're describing (it is a security failure on the company's computer system).

What I suspect is that some underwriters don't necessarily fully understand domain names, and how they can be stolen.

But with many company domain names being stolen (lots of it in the news lately), it definitely would be something that you should offer. Considering that there's only one company right now out there offering Domain Name Protection coverage.

CyberClaimsGuy2 karma

Appreciate the post man. And yeah, domains are tricky and there really isn't a solution for that in the general marketplace.

GoneInSixtyFrames1 karma

If a company falls for a scam, User X falls for billing scam, pays bill. Company Y missing funds, company X is refusing to pay because "they already paid". Federal agencies involved and cleared company Y of wrong doing, does Company Y sue company X for the money or is that an insurance claim?

CyberClaimsGuy1 karma

Could be both depending upon if insurance coverage is available. Our policy has a coverage called Funds Transfer Fraud that would apply if it was Company X that was insured and would pay the loss resulting from the fraudulent transfer.

If Company Y was an Insured we have an "invoice manipulation" coverage that would get them back their net costs for the goods/services provided.

klop20311 karma

How do you see the landscape changing with the advent of new AI technologies such as GANs and VAEs?

For example if an AI generates a piece of code and that code id malicious then does the creator of said AI system become liable? Even if the intent was to do something non malicious?

CyberClaimsGuy2 karma

I'll admit to not being familiar with those technologies, so I'll definitely look into them later!

But we do have experience with a lot of cyber security tools that were meant for good but are used for bad ... cough, cough... Cobalt Strike ... cough. So I would assume a similar legal framework would apply.

Generally, you're not liable for the actions of other people. Especially the criminal actions of other people. If someone takes your software or algo or hardware and does something outside of its intended use and without your permission; you're generally not at fault for it.

But I do see AI, deep fakes, etc. contributing to cyber security issues going forward.

klop20311 karma

Thank you.

CyberClaimsGuy1 karma

My pleasure!

dendritedendrite1 karma

What is the most requested cryptocurrency from the people that make the ransomware? I’ve seen a few articles mentioning Bitcoin and that some ransomware groups even take a discount if people pay in more private coins ever since companies like chainanalysis have been able to trace transactions on crypto with public ledger. Is this true?

CyberClaimsGuy1 karma

It's really just bitcoin at this point but we're seeing more requests for monero as it has a bit more obfuscated protocols and transfers.

Yes, we're seeing some TAs offer up to 25% discounts for paying in monero.

Chainanalysis is top notch and I've met with them several times. They do great work.

BFeely11 karma

Would you consider the claims made by VPN services to be misleading when it comes to data protection?

CyberClaimsGuy1 karma

Depends upon the VPN service but I've seen way too many VPNs that say they don't log and they suffer a breach and there are a bunch of logs.

It is very easy to create your own vpn at home.

BFeely11 karma

I meant in terms of claims that it prevents your bank info from leaking, despite banks being required to use strong encryption anyway.

CyberClaimsGuy1 karma

Yeah, might be a little bit too technical of a question to me. Or maybe I don't understand it. :)

shaihalud691 karma

Thanks for being here! When I asked about what I could do to make sure I was in compliance with my cyber insurance coverage (in terms of measures I had to take to be in compliance with the policy), I was kind of flubbed off by my broker. Should I try to bypass them and go to the insurer directly? And should I maybe bypass the broker as well, or switch insurers?

CyberClaimsGuy1 karma

When you say in compliance with your policy what do you mean?

shaihalud691 karma

Make sure that I'm following all of the proper security measures to maintain my coverage. Very small 3-person business, all working remotely.

CyberClaimsGuy2 karma

I'd be interested in seeing that language.

But yes some carriers are trying to fix their underwriting by narrowing coverage. I personally don't like it. And we don't do that.

pompario1 karma

As someone who will be taking the bar in a few months in curious. How did you get into this line of work? What type of jobs did you have as a recently graduated lawyer?

CyberClaimsGuy2 karma

Pure, dumb, luck.

Wanted to be a trademark lawyer out of law school and work in-house; however at that time most places were hiring people who could do patents AND trademarks. I couldn't sit for the patent bar as I didn't meet the academic threshold for science classes (11 credits short!). So I actually went back to law school for a year to try to get my LLM in IP law but that ended up getting cut short due to getting my first legal job as a private practice insurance defense attorney. I enjoyed litigation and depositions, didn't enjoy the billable hours. So I ended up applying to a bunch of jobs and just ended up working in professional liability claims.

I jumped around a bit but ended up at one company doing large law and large accountants claims and during a presentation on one of my reserve requests the group was asked if anyone knew what bitcoin was (this was 2013) and I did. So I ended up talking about it and nobody knew what I was saying so I drafted a white (ish) paper about it and was eventually asked to help write a cyber policy. I started handling cyber claims shortly thereafter.

AusFrosty1 karma

If I insure my home contents, as a home owner I am expected to implement some basic security- eg lock the front door, window locks etc. if I don’t and I get burgled my insurance company may not pay out because I am partly to blame

Does a similar principle apply in cyber insurance? If not now do you see it applying in the future?

CyberClaimsGuy1 karma

Depends upon the cyber policy. Ours doesn't mandate specific security protocols at this time. You'd have to ask the underwriters if we will in the future.

But we do ask that you investigate any incidents and if you do not cooperate in an investigation there could be a potential coverage issue.

Based upon some of the posts in this thread it appears that some carriers are mandating some specific security measures.

wolf_metallo1 karma

Would it help an organization to calculate their "Cost avoided due to cyber tech" in order to get better insurance? For example, if an org deploys and maintains EDR, thereby resulting in potentially reducing the endpoint attacks by X%.

If yes (i.e. they would get better insurance quotes), then how should an org calculate this cost avoidance factor? Is there some formula or data point that insurance companies use to estimate the events that were avoided?

Thanks in advance for your input and time!

CyberClaimsGuy1 karma

That would be a great question for an actuary! Unfortunately I have no idea. I do know that having EDR in place is beneficial to our underwriting process. But I'm not sure it is analyzed in that way. Really interesting idea!

Repulsive_Lettuce1 karma

I once Googled a username I used to use and on the first page of Google there's a random roblox forum with quite a few usernames and passwords. It's not even roblox accounts as I've never played. But my and other people have names and passwords in plain view on the preview text of the link on the first page of Google. I've reported it to the host of the website/webmaster and also to Google. I got no response from the website and Google just vaguely told me there wasn't an issue. Is there anything I can do? Can I report this to someone as an internet crime? The link is still there and shows maybe 8 usernames and passwords, could be for anything, and that's how I learned the hard way to not use the same name and password for everything.

CyberClaimsGuy2 karma

Great question. I would report it to Roblox themselves instead of the forum page as they may be able to address.

jowww871 karma

What are your thoughts on the colonial pipeline situation and how that incident was handled both from an insurance and breach response standpoint?

CyberClaimsGuy2 karma

I think it was generally handled well. I don't have insight into the objective analysis regarding the ransom payment but I can say that often times you know fairly quickly if you're pwned and you need to consider payment. I also don't know what negotiations were done either.

Fixerr1 karma

I found the below to be an interesting article.

Are things like youtube history, and non-public-facing activity on a reddit account considered 'private data'? Are there 3rd parties that make non-public-facing activity on online accounts in general ....less than private data? Also... what's your favorite operating system?

https://mindwise-groningen.nl/welcome-to-hotel-california-you-can-check-out-any-time-you-like-but-you-can-never-leave/

CyberClaimsGuy3 karma

So, generally, I would expect that unless you're REALLY into privacy that there are a bunch of companies that know all about you. The data might be anonymized but generally if you're on the internet and using a typical browser your online activity is being tracked.

I would just assume that at least some algorithms know everything about you because nothing is ever free. if you're using a service and not paying for it, something is being collected.

This is part of the reason why GDPR has a pretty substantial rule on cookies on websites. Which has caused thousands, if not millions, of hours of stress for marketing and front-end engineers.

Fixerr1 karma

Thanks for your reply!

CyberClaimsGuy1 karma

My pleasure!

TheHeckWithItAll1 karma

When there is an ongoing ransom ware taking place, are you involving/working with the FBI? And how often, if ever, are the ransom ware actors identified / caught?

PS: I’m a retired insurance defense attorney … spent most of my career defending bad faith litigation … would have loved getting involved in cyber liability but never heard of it until your post!

CyberClaimsGuy2 karma

Yes, we have a very close relationship with the FBI and involve them as soon as practicable in all of our ransomware claims.

Unfortunately, I've not had any of my ransomware TAs arrested but I'm hopeful someday the data we provide may get us one or two.

Yeah, it is a cool area of law/insurance to be in. Different stuff everyday and short-tail incidents - usually.

Bad faith insurance litigation ain't no joke though! Hope you're enjoying retirement!

danhakimi1 karma

Why do you think companies continue to use technologies without end to end encryption, such as Slack, over encrypted technologies like Matrix?

Do they prefer unencrypted technology they can monitor? Do they prefer Slack's feature set? Do they not value their security enough? Or are they afraid that implementation costs and bugs in Matrix will cost them more in the long run?

CyberClaimsGuy2 karma

I feel that a lot of companies make business decisions based on things other than the most robust cyber security prevention and risk management tools. Other cases are that the current tech is too entrenched into their day to day to go and just turn it off and start something else up.

It is the constant battle between:

Business Need/Choice & Cybersecurity/Risk Prevention-Management

Dog-Human1 karma

Our company is forcing us to download a mfa app to our personal phones to be able to access company data.

Is this a security risk? Or a good idea? Both for the company and the individual.

CyberClaimsGuy1 karma

I wouldn't think so if it is a trusted and verified application. MFA is really, really, REALLY important in stopping cyber incidents. Generally authenticators just provide a code and should not be looking at or using a lot of services on your phone.

But yeah, I think it is a great idea.

Dog-Human1 karma

But is that not just putting the onus of security on technology owned by the worker? What if a worker likes to download Russian apps and connecting to non-secure systems as a hobby? The company has no right to search your phone, no?

CyberClaimsGuy1 karma

Oh, I see what you're saying. Yes, I mean it does open up the risk profile to access that application if the employee is doing risky things. And obviously you always have the right to say you're not downloading something to your personal phone. I do not think just having an mfa application would entitle a company to search or otherwise mandate controls over a personal device.

Flee4me1 karma

Any advice for someone considering a move into the private sector from academia?

I'm European (Brussels) with a background in law (Master's degrees in criminal law, human rights law, and intellectual property / information technology law). I've been working as a legal scholar for the past few years (publishing and providing legal counsel for international research projects on data protection, privacy, AI and surveillance) and am in the process of getting a PhD.

Depending on my prospects as a postdoc, I'm thinking of going into the private sector (consultancy, perhaps) in a few years so any advice would be welcome. Thanks!

CyberClaimsGuy1 karma

Afraid I can't really help you as that is a bit outside of my bailiwick and experience. I know that there are some great organizations that do research and what not, I'd look at the IAPP for instance, but as far as a private sector gig with that expertise I'm really not sure. But I would think that type of background would be in high demand given our need for work on our privacy frameworks and their interpretation.

There might be some policy focused gigs at some larger tech companies: Google, Apple, MS, Amazon, etc.

mjcornett1 karma

I’m a recent law graduate hoping to break into privacy. I had entertained getting an LLM in Cybersecurity/Data Privacy, but any tips for getting into the field without taking on more debt?

CyberClaimsGuy2 karma

Depends on what you want to do; whether legal practice, in-house, or insurance.

There is a crazy need for private practice privacy attorneys. If you have an interest, I would study for and get your CIPP/US through the IAPP as a great starter certification that outlines general legal knowledge regarding privacy requirements.

Then just start applying. Once you've been a privacy attorney at a firm for a couple of years you should have some options to move in-house or wherever really.

zeanobia1 karma

Why is it so hard to take down the Kiwifarms website?

CyberClaimsGuy1 karma

Never heard of that website before!

CyberClaimsGuy1 karma

Whoa. What terrible people. I'll never understand how doing things like that is fun.

dieselxindustry1 karma

Can you specify what kind of exposures you look for when underwriting a policy? I feel like in my experience the level of granularity insurers take to assess risk isn’t deep enough to justify the risk exposure. I guess to simplify it, what questions do you ask when determining risk exposure? MFA? Firewall brand? Current maintenance agreement? Average age of employees lol?

CyberClaimsGuy1 karma

I'm on the claims side, not the UW side, but I think that from Coalition's perspective, we try to keep our applications short and to the point and not ask super broad questions. We want yes or no answers with some questions regarding number of PII records, etc. But we also perform a security scan on our prospective Insureds and make sure that there are no critical vulnerabilities on their systems prior to binding. If there are we may give them time to fix or may just decline coverage if the problems are bad enough.

We do ask if they have MFA implemented and other similar questions.

failsatfunny0 karma

An insurance company is profitable when it sells coverage and then denies claims. The trend for cyber insurance companies in the last year has been to deny renewals. This does not appear to be a sustainable business model. Do you believe cyber insurance companies will still exist in 2-3 years?

Bakkie3 karma

An insurance company is profitable if they handle their investments wisely and choose which risks to insure and set a premium price commensurate with the risk.. They don't make their money off just collecting premiums.

Source: I am an insurance lawyer and claims adjuster

CyberClaimsGuy1 karma

Great point!

CyberClaimsGuy1 karma

I would disagree with the first statement. An insurance company is profitable when it's premium and investments exceeds its expenses (which include claim payments). Insurance is very highly regulated and especially in the commercial space you often deal with brokers and sophisticated insureds. Every claim denial is rigorously reviewed to make sure it complies with the appropriate jurisdictions' laws.

Bad faith insurance claims are real and expensive. No reputable insurance company would invite those.

Yes, a lot of carriers on non-renewing A LOT. Frankly, it is because they lost their shirts over the past couple of years as they did not accurately underwrite their risks. Prior to covid the cyber market was in a super soft market and you could get crazy limits for de minimus premium. This led to carriers over extending themselves.

Obviously no one could predict covid and insurance policies are a year long. So you saw a huge uptick in claim activity and expense ratios.

Other carriers - like Coalition- had an underwriting process that actively looked for vulnerabilities and made sure that the obvious issues with their security were considered or closed. This has led to a lower frequency of claims against the market.

So I definitely think that cyber insurance will exist in the future. There is actually a ton of companies that don't even have it! So there is market still there. And as carriers get better at underwriting risk they'll be better able to keep from losing everything during large events.

leftleafthirdbranch-1 karma

During BLM a lot of people were giving their full names and addresses when signing petitions. Do they have to worry about potentially being on an FBI watchlist or, if not that, at least in some kind of danger?

CyberClaimsGuy3 karma

A little outside of my wheelhouse but I wouldn't think so. The government has a LOT of information about people. They wouldn't need to rely upon BLM registration lists.