EPISODE 90
How to Buy Cyber Insurance in this Turbulent Market

EP 90: How to Buy Cyber Insurance in this Turbulent Market

Our bi-weekly Inflection Point bulletin will help you keep up with the fast-paced evolution of cyber risk management.

Sign Up Now!

About this episode

October 12, 2021

Cyber insurance coverages are going down and prices are going up. Not everyone who wants to buy a policy will be able to get one. Why? Our guest Chris Brumfield, cyber insurance expert from brokerage Alliant, will explain. And if you’re an attorney, Jake Bernstein, Partner with K&L Gates explains why this matters to your firm and your clients (and you’ll get an ethics CLE if you listen to the end). This episode was originally broadcast as “The Ethics of Cybersecurity: How to Buy Cyber Insurance for Your Law Practice”.

Tags:

Episode Transcript

Speaker 1: Welcome to the Cyber Risk Management podcast. Our mission is to help executives thrive as cyber risk managers. Your host are Kip Boyle, virtual chief information security officer at Cyber Risk Opportunities and Jake Bernstein partner at the law firm of K&L Gates. Visit them at cr-map.com and klgates.com.

Kip: What we're going to talk about today is cyber insurance. We're going to focus primarily on how to buy cyber insurance for your law practice, but some of you had said after we invited you to attend, I got a couple emails. And folks are like, okay, but what if my client asks me, do I need cyber insurance? What do I tell them? So, we're going to add that as well. We're going to cover that in addition to. So, feel free to ask us any questions about that. So, who's here on the panel today. There's myself. I'm a virtual chief information security officer. I'm also the co-host of the Cyber Risk Management podcast. So, if you have any interest in cybersecurity from a management perspective, I would invite you to listen if you don't already. My co-host is Jake Bernstein. So, Jake, why don't you go ahead and introduce yourself, please.

Jake: Thanks, Kip. And to clarify everyone, Kip is a real human. He is virtual insofar as he provides services to multitude of different companies. So, I love that. You're virtual CSO. He's a machine, a robot. I am a practicing attorney. I'm a partner at K&L Gates in the Seattle office. And most of my practice these days focuses on data protection, privacy, and cybersecurity.

Kip: Great. And Jake's going to really, really cover for us thoroughly, the aspects of cyber insurance for your law practice. We can all talk about the topic of what do you tell a client when they ask you if they need cyber insurance. But the real expert here on cyber insurance today is Chris Brumfield, who's our guest. Chris, please introduce yourself.

Chris Brumfield: Thanks Kip and Jake. Well, my name's Chris Brumfield, so I work with Alliant Insurance Services or for them. I'm a professional liability advisor in cyber insurance specialist. And I'm looking forward to helping folks. I've been doing this for, gosh, insurance 13 years now with a little bit of background in the reinsurance world. So, I got to work with the really complex and interesting world of reinsurance, which actually is sort of the hidden underpinning of the insurance that you all will be purchasing.

Kip: Great. Chris, I really appreciate you being here and one of the reasons why Jake and I invited Chris to come to join us is because this is a topic that is shifting fast. What's interesting is, is that as Chris observed, when we were kind of chatting before we started today, insurance dominantly is a very slow moving industry. Very, very slow to change industry. But cyber insurance is actually the opposite right now. It's moving fast and furious and people are scrambling to try to figure out what exactly should they be offering in terms of coverages and so forth and pricing and all that stuff. And I don't want to steal Chris's thunder, but we're really glad you're here, Chris. So, I'm just going to turn it over to you. And if you could just please give us a primer on what is cyber insurance? And how do you even begin to buy a policy?

Chris Brumfield: Yeah, absolutely. And I think it's important, like you said before, Kip, that this really, while this is applicable for your firms, this is actually really applicable for your clients as well. Because we've heard from our clients as well as Kip has and Jake has. Well, what do I talk with about my clients and do I have a requirement? Do I have a duty to bring this up with my clients? And I would say, it's not a bad idea. But so what is cyber insurance? Well, you're going to hear cyber breach, insurance for hacks, data insurance. You're going to hear all sorts of terms, but really cyber insurance is meant to cover you in the event that you have a breach. So, if you are hacked, or you are extorted, or you're a victim of social engineering, all of that is meant to be covered by cyber insurance. And that can mean both the benign breach, where someone has access to your system and nothing happens. Or where you are completely locked out and your computers and servers are turned to paper weights.

And it's meant to indemnification, I won't use a lot of insurance terms. I'll try to keep it pretty tame, but it's meant to indemnify you and literally as the slide says, it makes you whole again. So, it brings you back to where you were before you had the breach. And there are a few different forms. You might find that some insurers will throw this cyber insurance law, add it onto an existing policy you already have. And we see that in the form of whether it's a professional liability policy, or it's a crime policy. They'll add some throw in coverage. And I jokingly say oftentimes, that's better than nothing, but it can be throwaway coverage. Because what they do is they'll sublimate that. And so they're either going to put a real small number on that, that isn't usually adequate if you have a breach. Or it's going to erode your practice policy.

And the problem with that is you have typically, law firms are going to have what's called claims made, and that's called a wasting policy. And the reason it's called a wasting policy is as soon the attorneys are involved, as well as the cyber specialist in there, that all goes against that annual aggregate. So, you're pulling, you're effectively taking the protection app from malpractice, and you're depleting that with a cyber claim with an, probably inadequate supplement.

Kip: I didn't even know that was a thing I did not pick that up from prior conversations, Chris. That's great.

Chris Brumfield: We've had so many conversations on this. But it's a fascinating world. At least I get excited about it.

Kip: Well, I'm glad you do because somebody has to. And why not just give it to somebody who really enjoys it.

Chris Brumfield: Yeah. Well, and one of the questions as we are frequently asked is what does it actually cover? And it's actually really broad. So, it covers everything from the moment ... I almost joke that it's prepaid assistance, having a prepaid SWAT team, if you have the right insurer, because not every insurer is equal. They're not all created equal. And if you have the right insurer, they have a SWAT team on standby. It's going to respond. So, you have your cyber attorney, you have your IT specialist and you have your cyber forensic specialist. So, if you have a suspected breach, even you just think there's a breach, you effectively have prepaid with your insurance premium to have those folks on a retainer, I would say.

So, they'll spring in action, help you identify with your IT folks, if you've had a breach. And then they help you patch that breach and they help you figure how to get to where you were. And what's really important with this is the notification requirements for different states are all different. Every state has its own notification requirements. You have to meet those requirements if you have a breach or a suspected breach. You have to meet those. So, the nice thing about cyber insurance is they help you meet all of those on your behalf.

Kip: Yeah. Oh, I just want to make a comment about, where you said how you've sort of prepaid for some highly technical services. And I think that's really cool because if you need a digital forensics team on a no notice basis, that's difficult. That's very difficult.

Chris Brumfield: It is.

Kip: Right Jake? I mean, you've seen that, I've seen that.

Jake: It's hard.

Kip: Yeah. Yeah. There's potential issue too, though, right? Because we just saw this with an incident that Jake and I are responding to right now where the insurance company offered digital forensics, but it was kind of like compromised a little bit. Right Jake? Do you want to like, just give a little thumbnail sketch of what sometimes can be a downside to that approach?

Jake: I mean, in this particular incident, the insurance company, I fully owned the incident response firm and it was, I think it was a situation where we might have had some adversity with the insurance provider. And because of that, the idea of only being able to use their captured forensics firm was not well received.

Kip: Right. Right. So, and not every insurance company operates like that. This one happened to. So, anyway. So, Chris, as you were talk, I realize that this is stuff that's coming up in the real world as Jake and I practice our trade here. So, I wanted to put it out there. And what do you think about it, Chris?

Chris Brumfield: I think you're right on that. That goes back to having the right insurer and understanding how they handle their claims and having maybe perhaps pre-selection of inaudible before you have a breach. You say, hey, I'd like to use Jake. He understands this world. And I would like to have him preauthorized. And you're not always going to get it. But if you don't ask, you're not going to get it.

Kip: And this-

Chris Brumfield: And that is important.

Kip: Yeah. And I think Jake, if I remember right in the incident that I just mentioned to you, that's what happened. Is that the insured ended up going with people who are not on the pre-approved list and there was a little, like a negotiation process to make that happen, right?

Jake: Yeah. That's right. And I mean, Chris is correct. In a way the client's lucky that the insurance provider was even willing to do that because many are not.

Kip: Okay. Well, cool. So, right. So, Chris, are you ready to talk about how to buy an appropriate policy?

Chris Brumfield: Yeah, absolutely. And something that's ... So, the marketplace, we already talked about finding qualified validated insurers. And something that's underpinning this as well, that you probably should be aware of inaudible if Kip doesn't get to what Jake would, there's a cyber breach epidemic or pandemic happening right now. And really it's just, the proportions are inaudible. The last couple years, there have been an increase of two to 300% in claims. And this is only the reported claims. You know someone, you are working or know of someone who has been affected by a breach or their firm has, and they might not have coverage and they are not talking about it. It is absolutely not talked about. And behind this, you also need to know there's reinsurance. So, insurers by reinsurance to, just like you by insurance to transfer that risk.

So, in the event, they have a big, large losses. They get reimbursed. The reinsurers, many have lost their interest, or they're pulling back, or limiting their capacity, is what it's called. So, that makes the primary insurers who you buy your insurance from, it makes them even more nervous when they go, wait a minute, we can't even get coverage. Or the coverage is increasing by 50 to a 100% in cost. Wow, you need to really be concerned with this. That's underpinning it. If the reinsurers are nervous, then their primary insurers get really nervous.

Kip: Now this is kind of like coming into an inside baseball thing now, right Chris. Because most people, they don't understand what reinsurance is and generally they don't need to. They don't need to know or care about it. But I think this is a really interesting peel back the cover comment that you're making about the fact that this is really uncertain ground that everyone's standing on right now.

Jake: And how far does this kind of go. Does reinsurance get re reinsurance and re re reinsurance? I mean, I assume it stops somewhere. But the practical question, I think Chris, for you to maybe talk about it a little is, do you see a situation where there's going to be clients or even small law firms who can't get cyber insurance? Is that a risk right now?

Chris Brumfield: I would say in some ways effectively we are facing that. And that's because the-

Jake: Oh, wow.

Chris Brumfield: The insurance industry as a whole is slow moving, like Kip said. But in cyber, they've been very quick to identify that they are just getting hammered. And I'm not here to be in an apologist for them. They chose to write those policies. They've been absolutely brutalized. And what they've all adopted just about, there are few that will offer now, but you have to have certain requirements like MFA in place. crosstalk.

Kip: Multifactor authentication.

Chris Brumfield: Yeah. Multifactor authentication. They won't write it. And the few that will, they're also requiring that you have it in place within the next year. So, that's inside and outside MFA or multifactor authentication. So, they're-

Jake: crosstalk.

Chris Brumfield: Oh, go ahead.

Jake: If only someone had said this three or four years ago.

Chris Brumfield: I feel like if we go back in the archives of your podcast this probably is going to be addressed. inaudible twice.

Kip: Yeah.

Jake: Oh yeah. Just a few times.

Kip: Yeah. And this is fascinating because this is very reflective of what we see in the cybersecurity space, which is it's an arms race. And so, remember, I'm sure everybody on this ... I know every on this panel and probably many attendees remember a time when you could just walk up to a computer touch the space bar, it would wake up and you could use it like. No password required. Then we needed passwords. But we could put ABC123. And then, oh, no, that's not good enough now either we need to also use our username.

And just over time, things just got more and more locked down. Well that's because the cyber attackers got better and better and better at stealing our stuff. And so now here comes the insurance companies and they're going to figure out what really works, which I love that. And they're going to tell us. And I think that's fantastic because that's what we really need to know. Just like firewalls in row apartment buildings, just like airbags and daytime run lights on passenger cars, right? Like our-

Jake: Sprinklers.

Kip: Sprinklers. So, our buildings and our cars are safer today than they were 40 years ago because insurance drove standards to decrease the risk of a claim. Would you say that's right, Chris?

Chris Brumfield: Yeah, absolutely. And there a long ... That could be a whole podcast, a whole session on how the improvements in auto safety have been driven by the insurance industry, and fire safety. And I mean, there's a myriad of ways it's underpinned and improved the world we live in.

Kip: Yeah. And I think that's happening here with cyber. I absolutely believe that the same thing is going to happen to the best of their ability. I just saw a news story the other day that said that in the lack of, in the leadership vacuum on the national level, with respect to the press office, the presidency, Congress and so forth. Insurance companies are now having to take a leading role on the national stage because nobody else will do it and they desperately need it.

Jake: Yeah. And in the cyber space, it's really very similar to, we use the term cyber hygiene. It's very similar to life insurance. You can buy life insurance, but they're going to come, and they check your blood pressure, your cholesterol, they check your medical history. And if you're a smoker and you report five drinks a day and never exercising, if they decide to cover you at all, it's going to cost you a lot more. And as was alluded to Kip and I have been wondering for years now, even when we first met Chris and his partner, Jay Soroka. When is cyber insurance going to wake up and start doing this? And apparently the answer is not that long from when we asked the question, at least in the scheme of things.

Kip: Yeah.

Chris Brumfield: Well, we feel it's maybe a few years behind. And it was already felt like at times the pricing was throwing a dart at a dart board. But they've changed. And that's part of the insurance requirements or insure requirements. The underwriters are using a lot more scrutiny. They've adopted much more high tech than previously, their methods where they do passive scans before they'll ensure you, and they identify potential weak points. And part of that, and we were talking about coverage and availability, and this is partly in bundling. I don't want to get too far off the agenda, but I know few folks probably want to know about bundling. You can bundle certain insurers and that works really well. And others probably not the best route. So, you'd want to ask, go ahead and talk with your broker.

And I'm always happy to help if you have questions. But effectively, they're either underwriting out bad risks. So, you're saying we can't offer this, or they're limiting coverages. So, we're seeing that with limiting social engineering. If you have a million dollar policy or $5 million policy, whatever it is, there is going to be a supplement for social engineering. And maybe that's a 100,000 or 200,000, but they've tamped that down. And what that tells me when the insurance industry is requiring multifactor authentication as a prerequisite to get a policy, and they're also limiting in certain segments, like social engineering, that's where they're getting hit. And they're getting hit hard. So, they're responding in that way by limiting the coverage. And there are some insurers that have, they've also sought to differentiate themselves by having betterment. So, they'll help you upgrade your system if it's sorely in need of that, so that they can help you block breaches. Or they'll cover, like one insurer I can think of, I won't say their name.

But they don't have a deductible for computer forensics or legal experts. So, if you have a claim, and that's where most your costs are going to pull up in for first party coverage for your firm. So, that's a pretty important distinction you're going to want to take a notice of. And, oh, one other exclusions, one exclusion from one policy, they defined devices that are covered. So, what your cyber insurance will cover, and everyone's working from home, or at least partially at this point. As any device that is not, it's not considered a covered device if it's not owned or leased by the firm. So, effectively ... Yeah. Kip gets it. Effectively they were excluding any personal devices. And I would make the case if I'm inaudible, well, gosh, you had a breach, but it actually came through one of your employees home router. It literally had to get to them through that router. So, because of that, it's not a covered loss.

Kip: Well, not only that, Chris, but this whole B-Y-O-D, right? Bring your own device. None of that's corporate owned.

Jake: That's brutal.

Kip: So, there could be large swaths of incidents that won't get covered because people have a B-Y-O-D. That might actually fuel the shift back to corporate owned devices.

Chris Brumfield: Yep. And there's creative ways to get out, but you have to know what the policies say. It's really important to actually read them. And other exclusions that you can find are the CCPA, which I know you've talked about before. California Consumer Protection Act. There are statutory damages there where you're going to end up being on the hook if a California resident, I believe, Jake you might know the exact amount. It's either 700 or $750.

Jake: crosstalk. Yeah. It's the $750 statutory damages provision of the California Consumer Privacy Act.

Chris Brumfield: And not all insurers cover that. So, some insurers will cover the CCPA, some won't. And so what happens is you have a potentially very expensive loop or missing portion of coverage, if your insurer isn't going to cover that because you're on the hook for that. And that's not proving they had any damages. That's just saying I live in California and I was a member of a breach.

Jake: Yeah.

Chris Brumfield: You have a real big opening there, especially if you have a number of clients that are California residents or considered themselves to be.

Kip: So, I want to move along to an aspect, an angle of this that I want to make sure people understand, which is making sure that you have the right coverages. And then we're going to hand it off to Jake. And Jake's going to talk about the specific legal aspects, right? The specific obligations that attorneys have and why cyber liability insurance may be a good thing to purchase for their practice. But this a really old a case here that I'm bringing up and this has to do obviously with a restaurant and not a law firm. But I just think it's a really good way to illustrate this point that you need to make sure that you have the right coverages. You just absolutely have to.

In 2014 PF Chang's had a credit card data breach. And one of the consequences of that is that bank of America charged them 1.9 million to cover the cost of reissuing all the credit cards that had been breached. So, PF Changs filed that as a claim. So, Chubb was their carrier. They had paid $135,000 premium for their cyber policy. And Chubb denied the claim. And so Changs took them to court and they lost. And so the upshot, and Chris, this is where I'm going to hand it off to you, is that it seems that they didn't have the right coverages in place, right? Yeah. I think they had first party coverages, but they didn't have third party coverage.

Chris Brumfield: Yeah. And that gets into knowing what you're buying and having, an educational approach. You need to understand what you're purchasing and why. And you need to have, frankly, you need to have a broker that understands or inaudible to explain why. Because I mean, I would not want to be a part of that claim or a claim similar to that, because I think the first step that PF Changs or a client would take would be, why didn't you tell me about this?

Kip: Yeah, for sure. And that's a big lesson. That's a huge tuition payment, right there. $1.9 million to get to learn that lesson. But anyway, so folks, I mean, that's just another thing that we want to make sure that you understand is that have to know what your coverages are, and you need to know what your exclusions are too, because as a risk manager for your firm, you've got to manage to your exclusions. You've got to know where you don't have coverage so you can add additional protection. As your chief information security officer for this hour that we are together, that's how I think about that. So, any last words, Chris, before we turn it over to Jake?

Chris Brumfield: No, last words would be, and I don't care who you talk to inaudible, but if you don't have cyber insurance already, you're sort of flying uncovered out there. So, just consider to think about it, because it's relatively, the amount of risk you get to transfer over is pretty big for what you actually pay.

Kip: Even though coverages are going down and costs are going up, you still think it's worth it.

Chris Brumfield: I still think it's worth it. I wouldn't be comfortable if I was operating a business without it.

Kip: And as a broker, you could always choose not to offer it if you didn't think it was worth it, right?

Chris Brumfield: Oh yeah. And there's some clients where they're, I just was in a discussion yesterday with a very small firm. They're just getting their feet off the ground and it didn't make sense for them at that point because they would easily recreate anything they had. But if you're in a situation where downtime, you have to figure out how much is this downtime going to cost, if we're down because of a breach because some ... And all it takes is someone clicking on the wrong link. And we have a firm that that actually happened. They clicked on the wrong link and I mean, bam, $11,000 in losses right away.

Kip: Yeah. It's breathtakingly easy to fall into something like this. It shouldn't be, but it is. So, on that note though, let's turn it over to Jake because he wants to talk about rules of professional conduct. And this is the very, very lawyerly part of the conversation now that we've sort of introduced cyber liability insurance, kind of what it is and what's going on. So, Jake, you just let me know when you want to see a next slide and I'll go ahead and drive slides for you.

Jake: Great. We'll go ahead and advance by one. And while you're doing that, I'll just answer this question in the chat. Is this something that even small businesses need? I would say yes, because I think there's affordable policies. I mean, look, if you're really small, the exposure to the insurance company is significantly lower. So, I think everyone needs it, yes. I think a solo lawyer office needs to pay attention to this.

Kip: At least consider it.

Jake: At least consider it. And let's dig into why. But go ahead, Chris, before you, crosstalk.

Chris Brumfield: I was just going to say, if you're looking at a non or benign breach, those can be anywhere from 7,000 to $10,000, depending on how many ... I mean, the forensic specialists are billing at attorney rates in some cases. So, yeah, if you can afford just to throw seven or 10,000 hours out for a claim and you have one or two of those a year, which we had a client have. Small. Then that's fine. Or maybe you spend 3,000 on an insurance policy.

Jake: Yeah. And what we're going to talk about here is the ABA 2012 technology amendments. And the reality is, is that even though these were originally proposed, gosh, what is that? Almost 10 years ago.

Kip: Nine years. Yeah.

Jake: Yeah. Nine years. Is that, I want to say it last count, 39 or 40 of the 50 states and territories have adopted these amendments in one form or another. I would encourage the individual lawyers who are outside of ... So, Washington state did in 2016, I can just say that right out front. Everyone else, if you're not a Washington state lawyer, I would go check status of this. There's sites that track it. But basically what the ABA did was said, okay, we're going to provide these amendments. Some of them are just comments.

So, model rule 1.1, which we'll get to in a moment is the straightforward competency rule. And then they added actual model rule 1.6 C, which we'll talk about more. And then they have got some formal opinions. So, go ahead and advance slide deck. So, this is comment eight and what it did was it really just added that one clause starting with including the benefits and risks associated with relevant technology. So, small change, big impact. Lawyers need to know what their technology does for them. And if we have any older lawyers on the call you might remember that there was debate about whether or not lawyers could use email. And it took time before the Bar associations decided that you, yes, it was ethical to use email. There were questions about the privacy. There were questions about the attorney client privilege. Don't make fun of us, Kip.

Kip: It just seems so quaint. I'm sorry.

Jake: It does, right. It does. It certainly does now.

Kip: Yeah. Now it does.

Jake: But when it first existed, it was not so much. And there is actually, there's a whole ABA formal opinion specifically about that from the early 90s or maybe it was even mid 90s. But go ahead and move forward. But-

Kip: Sure.

Jake: And so what it says is that now competency includes the understanding of the technology that you used to deliver legal services. And that has really changed immensely. And fortunately the competency requirement can be satisfied either by your own individual study or through the association with qualified lawyer or non-lawyer assistance. So, you can have an IT department, you can hire a virtual CISO. That's all acceptable in terms of being competent. Go ahead, please.

1.6 C on the other hand is a much bigger deal. And the text of the model version is a lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to information relating to the representation of a client. So, this is obviously 1.6 is the confidentiality rule. And this adds this whole idea of what ultimately becomes reasonable cybersecurity. And what we see is that comment 18 says that a lawyer has to act competently to safeguard information, and you have supervise folks. You have to, it's not just a lawyer, but it's also anyone who's subject to the lawyer supervision. And then go ahead and advance, please.

Kip: There you go.

Jake: And then here's this other really, really important one, which is what it boils down to is, and I'll let people read it. But what it really says is if you've taken reasonable efforts to prevent the access or disclosure in inadvertent or unauthorized, then it's not a violation of paragraph C. In other words, it is only a violation if you have not taken reasonable efforts to prevent the breach of information. So, go ahead. So, for the first of the two formal opinions I want to talk about is 477 May 11th, 2017. Now the ABA rules state that we cannot provide copies. However, you can Google it and download it. So, I highly recommend that you do that. And this one, this 477, really one, it actually kind of cites back to the email opinion. And it really focuses on 1.6 C and the reasonable efforts.

And of course, because lawyers wrote this, it is a factor based examination. It's not susceptible to hard and fast rules. And you see immediately that the ABA rejected requirements such as firewalls, specific types of passwords. And instead went with a ... Yes, Chris, it means it's a constantly moving target, which is important. Because as Kip mentioned earlier, the innovation from the attacker side is nonstop. And what you see here is that, what's crucial is the process that you follow, the process to assess risks, to identify and implement appropriate security measures that respond to those risks. You have to verify that they are and then ensure that they are continually updated. And absolutely having cybersecurity insurance is a component of this risk analysis and the types of measures. So, advance, please.

Kip: Mm-hmm (affirmative). There you go.

Jake: This formal opinion is full of guidance. One of the things that says is, hey, determine how electronic communications regarding client matters ought to be protected. It's always a good idea, label when it's confidential, have some kind of information classification policy, make sure that you've trained, not only the lawyers, but the non-lawyer assistance. And this is a big one, due diligence on vendors providing communication technology. Particularly if you're not using a super well known one. It's really, really important that you can be responsible for hiring a company to help you that itself is not secured well.

Kip: So, Jake, can I ask a question real quick about minimum viable? Because I talk to my customers all the time about, don't try to write huge thick tomes of how to do stuff. Just make it the least that you can make it and still get the job done, take a minimum viable approach. Does that work here in terms of 477?

Jake: I think it does, because I think you're going to be iterating on that. Now, if you take a minimum viable approach and then you stop, I think you might have trouble. But I think the opposite it's actually true. I think if you start with a minimum viable approach, you can at least say you've done something. Imagine a situation where someone has let perfection be the enemy of good. And they're just like, we don't have anything in place until we get it perfect. And then something happens to them. That's not the greatest position to be in. I don't know that that's particularly reasonable to expect. So, yes. It's a good point.

Kip: Okay. I just know a lot of people are put off because they think that these policies have to be, like you said, perfect, or they have to have thought in advance about everything. And if you can't do that, then you might as well not do at all. And I just wanted to be clear that even for the attorney trying to follow these rules of professional conduct, don't let that stop you.

Jake: Well, and the irony of the situation is that all of this trouble is caused by digital technology. A very binary reality. But cyber-security and compliance are anything but binary. There is analog, if you can get, they're a spectrum. One is not simply compliant or not compliant, or secure or not secure. It's a constant evolving situation. Okay. So, the next one is the slightly newer one, October 17th, 2018, 483. This one is specifically about what you have to do after experiencing a data breach. And I'm going to go relatively quickly here to leave time for questions, but basically this particular publication talks about, well, what is a data breach? How do you know if you've been breached? What do you have to do after a breach is discovered, et cetera, et cetera. So, let's go ahead and dive in.

So, this is really fascinating. A data breach for purposes of formal opinion, 483 is a data event where material client confidential information is either misappropriated, destroyed or otherwise compromised. Or where a lawyer's ability to perform the legal services for which the lawyer is hired is significantly impaired by the episode. And that last one is fascinating. And it'll show up a few times and we'll talk about it. So, a few hypotheticals, because it wouldn't be a inaudible without a hypothetical. If there's no actual compromise of material client confidential information or MCCI, then it's not a data breach. If there's ex filtration or theft of MCCI, then clearly it is a data breach. Now, interestingly enough, ransomware that didn't access any material client confidential information, but blocked the ability to use the information still would be considered a breach.

And then this is the most fascinating, let's say that there's no MCCI involved at all. The only thing that happened is that your IT infrastructure has been hosted. That is still considered a breach if you can't perform legal work, because particularly in court, I would actually wonder if it has happened where someone stands up a hearing and says you're or honor I was not able to submit the brief or prepare for this hearing because ransomware destroyed my computer. I don't know. I honestly have no idea how that would go over. I think some judges might be understanding, I think others might be not so much. So, I think it's an interesting question.

Chris Brumfield: I think it's worthwhile to point out that all four of those items would be covered by cyber insurance.

Kip: Wow. Well done.

Jake: Yep. That's very good. Okay. Let's go to the next one. So, how do you know you've been breached? Well, I have news for you. You have to pay attention. There was a brief discussion in the ABA formal opinion about, well, do these responsibilities ever get triggered if we don't check? And if we don't know? And they decided, I think pretty quickly that ignorance is not bliss. You cannot stick your head in the sand. You can't be the ostrich. So, you have to employ reasonable efforts to monitor your technology and office resources connected to the internet. So, really that I think is- crosstalk straightforward.

Kip: And this can be hard to do, right, Jake? But I mean, it's straightforward to understand and to say. But actually it can be very difficult to do because most malicious codes these days install silently, right?

Jake: Well, it is hard. And in fact, detect is one of the three primary functions of the NIST Cyber Security Framework. And so it is not at all a trivial component, this is a major, detection is a major, major deal.

Kip: Yeah. It can be very hard to do.

Jake: And it can be very hard. But what the ABA says is that's too bad lawyers, you have to do it. And this is, I mean, really this is the only reasonable conclusion. So, other implications are that law firms, you do have to know whether your employees are following the firm's cybersecurity policies and procedures. And then there are other regulatory and legal provisions. CCPA might still apply to you. For employees, again, this harkens back to model rule 5.1 and 5.3. You have a duty to supervise and train.

It applies associates, other lawyers, non-attorney staff, and even third party vendors. So, it extends. Are hackers really smart? They certainly can be. And yes, sometimes they have nation state resources. The point of this question was basically, look, is it fair to that I have to prevent attacks if the Chinese military or Russian mafia wants to come after me for whatever reason? And what the ABA said was, okay, the legal standard in the broader marketplace is not perfection, because perfection is impossible. Instead, what they said is that ethical violations will occur primarily through inaction. So, the requirements for reasonable efforts to avoid beta loss, detect cyber intrusion. It's not for thou shall not get hacked or breached. So, what they really focus on is, it's the lack of reasonable effort plus a breach that will lead to an ethical violation.

So, advance. Okay. So, you've been breached. Now what? So, really the first thing you got to do is stop the bleeding. Patch the hole. What that means is, ensure that, one, you know where all the holes are and that information isn't leaking out of your digital corpus. That may make no sense, but I went with it. So, how do you do that? Well, be prepared. You have an ethical duty to act reasonably and promptly to stop the breach and mitigate damage resulting from the breach. How do you do that? Well, the best way is to proactively develop an incident response plan and practice it. Again, this is a huge component of where cyber insurance can help you. As Chris mentioned earlier, an incident response plan is going to involve resources. It's going to involve forensics, counsel, et cetera. All of that will be covered. And not only is it covered monetarily, but it's right there. It's like right there at the fingertips. You don't have to go and find it. You don't have to go and figure out who to call. It's all in your policy. Super helpful.

Kip: I love the concept of a data breach coach, which I don't think we've mentioned so far in the session. So-

Chris Brumfield: No, we haven't.

Kip: Chris, would you just give like a very quick thumbnail sketch of what a data breach coach is when you have a policy?

Chris Brumfield: They are your point person. And usually depending on the insurer, you're going to hear from them within 30 to 60 minutes and literally that quickly. And they walk you through the entire process. So, you don't have to know who to contact. You don't have to have your Rolodex. You call in inaudible coach walks you through and connects you with everyone you need to be connected with.

Jake: Real quick. I noticed that the, we got a question. I think it was sent just to me. So, I'll read it. We work a hundred percent onsite. Does the underwriter look at less exposure, for example, because you're a city that does not work remotely and blocks all overseas connections? Or is that entity going to get lumped into the rest of the market with other remote work situations? And Chris, please answer. But my guess is that no, one of the things we're seeing is that insurance are taking a, okay, let's actually look and analyze the risk posed by every individual customer.

Chris Brumfield: Yeah. Yeah. The underwriters are scrutinizing that more, and that would be something we would actually highlight to the insurer as well to the underwriter. And they do passive inaudible as well. So, they're much more involved and it's not just, here's your policy. Thanks for completing a one page application. It's-

Kip: Like they used to be.

Chris Brumfield: Some of the applications are five ... Yeah. It used to be that way. Now some of them are five to seven with lots of follow up questions. And you have to anticipate some of those. But that's a good point. And you can point that out to your cyber insurer.

Jake: Yeah. Yeah. Cyber insurance questionnaires probably always should have looked more like the due diligence work that I do on M&A, the reality is until reasonably, they-

Kip: They didn't know what to ask.

Jake: They didn't know what to ask. They just did not. A one page form-

Kip: Yeah. They just didn't know.

Chris Brumfield: Yeah, they didn't.

Jake: Okay. So, crosstalk specific information about what your incident response process should look like. This is straight out of the ABA opinion. You can also to find information at the NIST Cyber Security Framework, that's nist.gov. And basically the incident response process, these are the things you got to do. I want to kind of move it along, so I'm not going to read them all. But this is the goal. Who do you call? So, again, we've just talked about this. You have the added problem as a lawyer of respecting duties of confidentiality, but you can call your own lawyer, definitely the insurance company. Generally I recommend law enforcement. You do have to do some additional analysis about whether the client would object, if it would harm the client, would it benefit the client. And then yes, don't forget your actual client. Next slide.

Kip: Hold on, Jake. I'm I know we're time pressed, but here's a lot of choices when you call law enforcement, are we calling the beat cop down the street? Are we calling the city PD? Who are we calling?

Jake: So, if nothing else, you do, you can call the city police department, ultimately though it's the FBI and secret service.

Kip: Yeah. And you can find them on the internet pretty easily. There's a cyber crime task force in every major metropolitan area. So, think FBI first.

Jake: Yeah, FBI first. Must you call your client? So, this is an interesting question. Look, we wouldn't want, no one would want to call their clients and admit that we got breached. It would be a horrible thing to do. Generally speaking though, the ethical duty is to, yeah, you're going to have to keep your client informed. If MCCI was actually, or reasonably suspected of being accessed to closed or lost. Yes, you do. Former clients, it's less clear. I recommend that you agree on a records return or destruction policy. So, you simply don't have that information to be breached. And then if you don't have any MCCI, you don't have to worry about notifying former clients. So, go ahead and next slide.

Kip: Yep.

Jake: This is interesting. What do you have to tell the client? So, I'm sure at this point I would be shocked if there was anyone, any adult living in the US right now who has not received at least one breached notification, email, or letter from someone. Most of the time, they don't say much. What the ABA considered is are those really good enough for lawyers? And I think that they've come down to the side of no. You really need to be a little bit more specific. You need to provide enough information so the client can decide what to do next. You have to tell them the extent of the access or disclosure. And if you don't know that what reasonable steps were taken and weren't successful, or if they're still in progress, what you're going to do next. And then to keep that going. So, it's more than just the statutory data breach notification laws puts on the average business. Lawyers have to go farther. So, go ahead and next slide.

Kip: Sure. And that brings us to the end actually. So, Jake, before we transition into Q&A, is there any last thoughts?

Jake: I just cannot emphasize enough the need to take this kind of stuff super seriously. I don't know of any Bar associations taking ethical action against a law firm or a lawyer yet. However, there have been class action lawsuits filed against law firms for basically failing to adequately protect client information. So, I would bet though, that as this is kind of percolated in the industry, that there will be moments, there will be disciplinary proceedings regarding this.

Kip: Okay. Okay.

Chris Brumfield: And I'd also add that if you haven't seen it yet, either yourself, your firms or your clients are going to start being required actually to cover cyber insurance or to carry it. Because we have seen that happening where we've had requests for folks who haven't had it in say probably 80 to 90% of our clients have cyber at the point. That was probably 50%, a few years ago. So, it is being required. Because we've had clients come to us and say, we need cyber insurance tomorrow, because we have a client that is requiring it.

Kip: Yeah. So, that's what, in my line of work, I would call that supply chain pressure. I can't do a deal unless I have it. And so I'm just, it's the cost of getting this deal closed. And so Jake, when a law firm is advising a non-law firm ... I remember that there's, doesn't the inside council issues some kind of like requirements to the outside council?

Jake: Yeah.

Kip: What is that?

Jake: OGC. OGCs is outside ... or OCGs, Outside Council Guidelines. Yeah. And what it is, is it's basically the equivalent of your kind of typical security or policy or something, or set of requirements that non-lawyers, that businesses pass between themselves all the time. It's what the law firm is expected to do in order to actually provide services. So, it's particularly common with regulated industries. You can't represent a bank or anything like that without kind of dealing with the OCGs.

Kip: Right. Okay. Okay. Right. Thanks. I thought there was a legal equivalent of that. So, all right. So, we've reached the end of the prepared material, the things we absolutely wanted to share with you so that you could be well informed on this topic. And if anybody has questions, we'd love to take them now. So, let me pass it back to Melinda to coordinate questions.

Melinda: Thank you, Kip. So, it looks like we did a fabulous job at answering a lot of the questions throughout the presentation, but if anyone has any other questions, feel free to put them in the chat or in the open Q&A. Whichever is easiest for you. And we'd love to answer them. And I'll give you guys a few minutes to get them in.

Kip: And if you don't have a question, maybe you've just got a comment, like I'm overwhelmed, or you've got to be kidding me, or who are these jerks that are making our lives so miserable anyway?

Jake: Criminals.

Kip: Anything like that. Yeah. It is. It really is. It's criminals. And so I'll just share this statistic. This year the global loss for cyber crime and cyber failures is approximately six trillion dollars. And if you aggregate all that up the way I just did and put it, compared to other national economies, it's actually the third largest economy on planet earth behind the US and China. And it's expected by 2025, that number will increase to 10 trillion dollars. And in 2015, I think it was less than a trillion. To just give you an idea of how fast this has accelerated and the hockey stick shaped curve that it's become. And there's really no end in sight. There's just no end in sight. Our governments have no idea really what to do about this. They're frantically trying to figure it out, but they haven't. And there's just nothing on the horizon that's going to suggest that we're going to see this fall off or even level off.

Jake: Other than starting to ... look, part of the reason is that no one was prepared. We have a long way to go. This is another situation where we really are looking for cyber herd immunity. But that requires everybody to play a part. And we're not there yet.

Kip: Yeah, that's true. I mean, this is not unlike what we're wrestling with as a nation with-

Jake: And I say that because we don't want people to think it's hopeless. I think that's a dangerous impression to give is that, oh, we can't stop it. Individually, there's not much we can do about the overall trends. But the more that people individually take action, like these practices will work. They will reduce risk. Activating MFA, using concepts like the essential ade from the Australian Signals Directorate. Really, there are things that work. So-

Kip: Yeah. Well, let's talk about that because we just got a great question on that point.

Chris Brumfield: Exactly. And the question is, are you facing a CIO that was trying to create a loss prevention strategy instead of using cyber insurance? And I'd say the first part of that is great. So, the fact that there's a loss prevention strategy being used, critical. I'd say that is the first step. But what needs to be understood is that cyber insurance doesn't mean that the CIO is going be put under the microscope and told they're doing a bad job. It's meant to work alongside with, and to make the CIO look even better because they're looking at the risk from a holistic standpoint. It's not meant to take over their job or inaudible them doing something wrong. It's really meant to partner with them and to help them in that because they see this day in and day out.

So, unless your CIO specializes in cyber breaches and that's all that he sees or she sees every day, then they are not going to be able to handle it or understand it the way that either, Jake, you deal with this all the time or the cyber insurers, that's all they do for a living. Quite literally. And yeah, refusal to uses inaudible. That's going to be hard. There are some insurers you can place with. But it's 98 ... The insurance industry as a whole is said, well, gosh, 98% of breaches could be avoided with MFA.

Jake: Well, and I mean, I would say that if that city official was my client, I would tell him or her that refusal to use MFA is essentially per se, unreasonable. And that if that person was an officer or director of a corporation and owed fiduciary duties to the corporation, he or she would be in breach of those duties by taking that attitude. It's a tremendous liability that would create instantaneous problems. So, that I think ... And no, I don't see a trend of organizations going rogue on cyber insurance. I think cyber insurance is harder to get, but these days, really the act of getting it and doing what's required to get it, it is protective.

The insurance companies aren't coming up with these things. Well, I guess that's the beauty of the insurance model, right? Is that their interest, which is to not pay out claims actually does meet with the, it's the same interest that the insureds have to not be injured. Everything, whether it's fire or automobile safety, we don't want to get seriously injured in a car accident. We don't want our houses or buildings to burn down. What the insurance industry is doing to ... what they require to make those things less likely is good for both parties. And the same is true of the cyber insurance industry.

Kip: Now, from a crosstalk-

Jake: It just took them a little longer to get there.

Kip: Yeah. Now, from an operational perspective, I want to also say that a loss prevention strategy, fantastic. Applause. If I had a button that would make applause happen on this webcast, I would do that. But to say you have a loss prevention strategy, but not use MFA. That's like saying we're going to have lifeguards, but we're not going to give them the safety gear that they need to pull swimmers out of the water. I mean, it just doesn't compute for me. These things go together. We know they go together. So, why would you tie one wrist to one ankle? I don't get it.

Jake: Everyone I have to run. But maybe Chris and Kip will stick on for a few more questions, but please feel free to reach out if you've got additional questions.

Kip: Thanks Jake.

Chris Brumfield: crosstalk along without you, Jake.

Jake: Bye. Bye.

Kip: Bye.

Chris Brumfield: Thanks.

Kip: So, Chris, what do you think about what I said, or anything else about organizations going rogue on cyber insurance?

Chris Brumfield: I think I would not want to have to stand in front of a board and explain why I didn't think it was worth. And oftentimes these policies ... And I'm not quick to spend anyone's money. And I, at one point had my own consulting contracting business. So, I'm very quick to look at everything with a critical lens. But I don't want to stand in front of a board and explain why I thought I could say 0.001% of the annual revenue of the firm or even 1% of the firm's income and then suffer a breach that then is multiple percentages of the firm's annual revenue. And that's not including all the additional headache that happens. Because these are not ...

You'll get made whole, and they'll bring you back to where you were, they'll pay the extra expenses. They'll pay for your replacement of software, hardware and, or repairing or recreating work you've done. But that doesn't account for all the time that is invested in that. So, you are having to effectively shift your focus off your clients and customers, and you're having to focus internally and not nothing revenue generating. And that ends up having a large cost and you can and say, yeah, some of it's going to be covered because of loss of income, which is covered by cyber policies. But if you're having to shift internal staff off of other matters, it's going to be really hard to document that inaudible.

Kip: I want to make a comment about the fact that this is a city is another thing that I think is important, is cities have a different dynamic. It's not so much about revenue generation. It's about tax collection. And they have a reputation. But when their reputation gets trashed because citizens' personal information was compromised because they had a data breach. But I mean, citizens can't just decide, well, I'm not going to buy water and police services from the city anymore. It's a little different. The dynamic is a little different. And cities are also used to kind of self-insuring. Very large cities, kind of self-insure to a lot of risks that they're facing, either because they can't get any insurance for it and it's the only way that they can deal with that risk, besides putting some controls in place.

So, I acknowledge that the dynamics are a little bit different there. But let's say this, how would the mayor feel if they were going to lose the next election because of a cyber breach that caused tremendous reputational damage to their administration? Because a lot of citizens had their sensitive information leaked onto the internet. And I think perhaps that might be a good business case to present to the CIO. Anyway, that's a thought.

Chris Brumfield: And there is coverage on these, these policies have coverage for PR. So, if you find yourself squarely in the crosshairs of the media or the local media usually, because they will pick that up very quickly. Then not in addition to the CIO and or the mayor or anyone else brought in, they will actually launch a PR campaign to help explain what happened and how it's being addressed. And that even makes the CIO look smarter, because, hey, not all only did I take these steps to prevent this from happening, but I also was prepared in the event that it didn't go, and it only cost X percent to do so.

Kip: So, I think we're out of time. I know folks need to get onto other things. We really appreciate the fact that you were here today. Please feel free to reach out to us afterwards if you have some additional questions or thoughts, if you'd like some clarifications, we'd be pleased to hear from you. So, contact information is here on the slides. You can hit reply on the emails that we've sent out, letting you know and hey, don't miss the session. And yeah, we're here to help. So, thanks for being here.

Speaker 1: Thanks for joining us today on the Cyber Risk Management podcast. If you need to overcome a cyber security hurdle that's keeping you from growing your business profitably, then please visit us at cr-map.com. Thanks for tuning in. See you next time.

Headshot of Kip BoyleYOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).

YOUR CO-HOST:

Jake Bernstein
K&L Gates LLC

Jake Bernstein, an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.