
Cyber Security's New Silver Bullets - Privacy and Insurance

BSides Toronto · 25:59 · 29 views · Published 2022-11
About this talk
Panel discussion moderated by Chinmayee Paunikar, with panelists Ken Rayner and Alan McDermott. Presented on October 8, 2022 at BSides Toronto 2022. Privacy laws like CCPA, PIPEDA and GDPR are getting teeth. Cyber insurance is getting more expensive and harder to get. Are these just more hurdles for beleaguered security professionals to overcome, or will they become the forcing function that finally gets the attention of the C-suite?
Transcript [en]

Hello everyone, thank you so much for joining us here at BSides Toronto. I'm very excited to be here, and today we're going to be discussing Cyber Security's New Silver Bullets: Privacy and Insurance. I'm Chinmayee Paunikar and I will be moderating this discussion. I'm a cyber security operations manager at Fractional CSO; I help companies kickstart and manage their cyber security programs and also help them achieve their security and compliance goals. I have a wonderful panel here with us, Ken Rayner and Alan McDermott. Ken is an insurance industry veteran. He actually graduated from Ryerson and jumped right into insurance. [Applause] He retired, but cyber security really intrigued him, so he's back in insurance, doing cyber security insurance now. And Alan, can you give us a quick introduction?

Sure. So first off, I just want to acknowledge that cat food, who was supposed to be the privacy expert, was not able to make it. She had a family emergency she had to attend to, so I'll do my best to speak. I've got some privacy background, not her level of expertise, but hopefully I can provide some context. I've been doing security for about 20 years now in various roles. I was in charge of security at Economical Insurance and Equitable Life, I've worked at BlackBerry in security, and a few other places, so I've seen a breadth of things. Yeah, and really excited to be here.

Thank you so much. So I guess I'll start my first question with you, Alan. What are some of the challenges that security teams are facing when it comes to getting funding or resources, or just even approval for their projects?

Absolutely. So this really can be a frustrating thing for most cyber security professionals, because it's so blindingly obvious that something needs to be done. The problem, of course, is that a lot of the people who are not in that world really struggle to understand it; they don't have that depth of knowledge, and they've got different focuses a lot of the time. When you're in front of business leaders, in their mind they're trying to allocate funds, money, to maybe a marketing project or something that's going to bring in money, compared to your project, which is going to cost money and potentially save us... not, you know, if it prevents stuff, but it's very hard to show that. It's kind of like: an asteroid didn't hit me, that's great, but how do we know whether something prevented that or not? So what happens is that there needs to be sort of that connection, and a lot of the time the challenge is how to put that into business terms, things that they care about, quantifying the risk, which is why insurance can be a brilliant thing. It's really about presenting to your audience and making them see the value in what you're doing. So the big challenge really is communication, and changing the terms and saying it in the version that they understand and know.

Honestly, it should be like you ask them if they read the news, and that should be reason enough to invest in these things, right? Well, speaking of cyber insurance, can you give us a brief history? It's a new thing and it's maturing, so let's start with a little history there.

Okay, it'd be my pleasure. Yeah, I did graduate from Ryerson in 1969, when most of you probably weren't even born, and this is all new to me, but the one thing that I was very pleased to see hasn't changed was that my homeroom is still here: the Imperial Pub is still working, is still there. So I'm very happy to see that. Anyway, yes, I think before we get into the changes that are happening inside, where of course everyone knows rates are going up and everything, I'll give you a little history as to why. Of course insurance is based on history and actuarial facts. They gather data as to why claims occur, where they occur. If you take auto, for example, young drivers are more prone to have accidents than older, mature drivers, so they have higher rates and everything like that. So they get all the numbers, they get all the data, they give them to a bunch of actuaries who... oh, by the way, there are no actuaries in the crowd either? Okay, good. So the difference between an actuary and an accountant is the accountant actually looks at your shoes when he's talking to you. Anyway, I just thought I'd throw that in there. So they get all this data, they crunch the numbers and they come up with what they think is the right rate, and then every insurance company massages that: either increases it, decreases it, adds deductibles or different qualifications for insurance. Then cyber came along, and no one knew anything about cyber. Well, how do you really properly underwrite cyber when you have no history as to what you're expecting? Warren Buffett, one of the smartest men in the world, said none of my companies will be insuring cyber, for the simple fact we don't know what we're doing. So you have a bunch of companies kind of dazzled by the dollars, big dollars in cyber insurance and getting bigger all the time because the rates keep going up, and they got into it, and I don't want to say blind, because if there are any cyber underwriters in here I apologize, but really they didn't have historical data to fall back on. We came up through the ranks of insurance; we sat at the knee of the great wise property underwriter who said, you know, this is what you look for, this is what you do, this is how you rate it, this is how you communicate what you're trying to do. Whereas cyber had none of that; cyber was just, let's go get these premiums, let's write as much as we can. So of course the inevitable happened: they had a lot of losses. I mean, you have to remember you're dealing with career criminals whose only purpose in life is to hack your data, capture your data and then use it to ransom you, for ransomware, and to get money back from you. It's like trying to insure a building for fire insurance when there's a whole industry out there dedicated to setting it on fire. It's basically the same thing, and these are not nice people and they're not stupid people, and they really spend 24 hours a day trying to crack into your data and hack the information that you've got and you're holding for your customers. So to insure that is a challenge. One of the largest insurance companies that write cyber has a one-question application. It's like, what is your protection, what is your software to protect you from being hacked by hackers? I mean, that's like asking a property insurer, do you have a fire extinguisher? Well, yeah, I do, but it doesn't mean it works, and it doesn't mean that it's in the right location; it doesn't mean there aren't a lot of other things that can go wrong. So to actually write a lot of business based on not the right questions and not the right answers, I guess, is very difficult. So the premiums started out at this level, and then they suffered a lot of losses, mostly ransomware, and ransomware is a scourge, really. It's putting businesses out of business: 60 percent of small to medium businesses that are hacked go out of business within six months. That's a staggering statistic. 60 percent of businesses that are hacked are out of business in six months. Not the large ones, not Rogers, wink wink; that wasn't a cyber attack, that was a malfunction on some of their equipment, but they'll probably have to put in more stringent defenses against that sort of thing. But your problem basically is your employees. People open up malware without knowing it: they got an email from Walmart saying they've got a hundred dollar gift certificate and just have to go in there and open it, and bang, they're in. So it's an extremely, extremely difficult class of business to underwrite. You can put all the detect-and-defend type of software that you can find in front of the problem, but they always get through. I mean, the Department of Defense in the U.S. was hacked, Target in the U.S., the big ones. I mean, there's nothing you can really... well, there are some things you can do to prevent it, but they're not totally effective; nothing's 100 percent effective. So the rates started out here and then they increased last year, and, sorry, two years ago; they're up between three and four hundred percent from what they were three years ago, cyber insurance, if you can get it. So the trend is, and I think that was the question, and I got a little bit carried away, sorry, but the question was what can you expect next year or in the future for cyber insurance. You can expect it to get much more difficult to get, you can expect it to cost you a lot more money, and you can expect that there'll be a lot of requirements that you'll have to have at your business in order to qualify for it. You're actually going to have to put in multiple-factor authentication. Right now a lot of companies don't have that; they can just use a password to go in. But like all the new phones now, you've got thumbprint, retina identification, password, all that sort of thing, and you're going to need that in your business as well, otherwise you won't get it. The companies are just losing too much money, so they won't insure it unless you have MFA. And we're famous for three-letter acronyms, but multi-factor authentication is going to be mandatory, probably next year. The rates are going to go up again, but probably not to the extent that they were up last year or the year before. I think it's starting to level off. I talked to a few insurance companies before I came here today to find out what their plan was for next year on renewal, and they are looking for rate increases, but they're more concerned about making sure that you've got the protection at your end to make sure you don't get hacked. And there are other... there's a company called New Shield, sorry, a shameless plug, it's a company that I work with, but they have discovered, created, a layer of protection that protects your data. And none of you remember this, but we used to have overhead projectors, we didn't have these things, but it's like you put that acetate on the overhead and write on it, and that's basically what New Shield does. It covers up your data so that the hacker thinks he's got your data, but basically he's got the acetate on top of it, and it's peeled off and your data remains untouched. Something like that is going to be mandatory from insurance companies, to make sure that they can get their data back without having to pay the ransom somewhere. And I think that's probably my five minutes for now.

Maybe legislation would help too.

Sure.

Maybe some legislation on this front would help too.

Yes, for sure. Yeah, absolutely.

Yeah, speaking of legislation actually, what's happening with the privacy legislation? Because we know that California is following the EU with CCPA and they really seem to be serious about it, and we also have PIPEDA, which in theory looks like it has teeth too. So what kind of changes are coming, Alan, and what should Canadian businesses expect?

Absolutely. So, similar to cyber security... so my first question, which I forgot to maybe speak to, was a forcing function, so something to help the cyber security professional say, hey, here's a business reason to do something beyond, you know, some technical mumbo jumbo that they see. The reality is, cyber insurance is going to be a forcing function; the other is privacy legislation. So what's happening is they're really starting to see, basically... companies... there's no money to be made by enforcing privacy, so it's going to be legislated, it's going to be forced, a lot like seat belts or something like that, to protect, you know, the businesses and the people that work with them. So what's happened is the GDPR, so that's the EU's data privacy law, really does have some teeth. Like, they require, if there's a notification, like a breach, you have to notify them within 72 hours. They do hand out fines; Amazon was fined over 800 million dollars, so that's going to make people sit up and take notice. CCPA, which is California's consumer protection act, has actually just handed out a fine to Sephora for 1.2 million. So it's really starting to be much more prescriptive. Historically it was very hand-wavy: hey, you know, you should probably let us know if you think there was something that may have happened. And then what happened is the lawyers got involved and they said no, no, nothing to see here, never really happened. But now they're being prescriptive enough to say, okay, here's the criteria, here's the data, if anything happens you need to tell us when, and if you don't there's going to be repercussions. So to Chinmayee's point about PIPEDA, or "pipita", I never know which one, it was very watered down; like, it was an older one, it was, you know, 20 years old, and it was similar to that. So what's happened is they have now introduced a thing called Bill C-27, which is gonna have two big functions to it: one's a consumer protection side, and another one has to do with AI, which I thought was kind of brilliant. So the consumer protection part is similar to GDPR or CCPA, which says here's the criteria, and if you as a business don't follow this there can be repercussions. On the AI side, what they're saying is, because of the nature of AI, there's the big black box, right? You have data in, magic, data out. So what they're saying is they don't care about the black box, the magic; if at the end of that it can hurt or, you know, be detrimental to an individual in terms of privacy, you can get nailed on that too. So that's already passed first reading, and that's what's coming. From a business standpoint, if you're a cyber security professional, this is something you'll be able to point to and say, okay, you've got your opinions, that may not be business sense, I get it, we're going to have to do this. So this is definitely something to keep an eye on.

That's awesome, thank you.

And sorry, one last one: if you're doing deep business in the US, so the US privacy legislation has been, in my opinion, well, a bit of a disaster. It's very messy state to state. They're about to pass legislation at a federal level that would override that. Well, there are debates on how exactly this could be implemented, but they're thinking big picture, which would then be another very important piece in that puzzle.

Three, so on the fines and stuff, would insurance help cover that? Because...

Well, insurance would pay for the lawyers and stuff, but the fine is something I can see the insurance companies just, it's like, no, we're not going to do this.

And actually that brings me to another important question, which is, do businesses or people who don't work in insurance really even understand how to leverage their cyber insurance? Like, how much coverage do I need, or is it going to be enough, and when to pull in the cyber company, the insurance company?

Well, probably the majority don't, but that's why you really need a good insurance broker who knows his cyber and can put you with the right company that will give you the right coverage for your particular business. And you should probably, and well, you shouldn't, but if you have an IT department, you know, that's great, but if you're too small to have your own IT department, you'd have to go to an MSP, which is a managed service provider, and there are several of those around that would look after all that stuff for you. And they'd make sure you've got the right coverage; they'll monitor it. Like, if you're going to install multi-factor authentication, they'll install that for you, they'll manage it for you, they'll make sure everyone is trained in it properly, that sort of thing. So to do it on your own is a bit of a challenge, unless you're like a two-man office, but even then, I think that, sorry, two-person office, but even then you should probably get an MSP to look after your cyber. It's hugely important. It could ruin your business, it could put you out of business. And remember that a lot of companies say, well, it'll never happen to me, I mean, I'm a small little company, who would really care about me? But they're the kind that they go after, because the software you've got protecting your data is not as robust as the larger companies', so it's an easy mark for them. And the other thing is that 40 percent of businesses that have been hacked and paid the ransom get hacked again within six months. So my recommendation is you don't pay it; you contact your insurance company, let them deal with it. They've got professionals as well that know how to deal with these guys and can negotiate the price. If you pay it on your own and then go to your insurance company, they might deny it, because they're going to say you didn't alert us. You have to tell them as soon as you know that your data has been compromised; you have to let them know. That's part of the contract, so they can take over, they can manage the claim. And nobody wants a claim, trust me. It doesn't matter if you've got insurance or not; nobody wants to go through that. Your business is going to be down for, well, I think the average now is about 12 to 14 days to get your data back, even if you've got backup servers to roll it back. It's still going to take a long time. So you don't want a claim; you want to make sure that you do everything you can to make sure that doesn't happen, and getting a professional broker and a professional MSP is the key to that.

So thank you. So based on the insights that you guys just provided, what are some of the tips that both of you would give to take advantage of these new changes in privacy and insurance?

Well, I think if you get out ahead of the game, like if you show that you're proactive in your cyber defense: a company like New Shield, or others like that, that you can install and put the software into your company ahead of time, so that when you go for insurance the underwriter realizes that you're cognizant of what needs to be done, you're a professional, you've put in these barriers that are going to prevent, or certainly reduce, the number of cyber attacks that you're going to suffer, and hopefully eliminate the ransomware. So I would say that, yeah, just don't wait for them to come back. And it's going to be like, well, I think Alan mentioned, I think the question was, is there going to be government regulation around it? In my humble opinion, I obviously don't know, but I would say yes, that one day it's going to be mandatory to have cyber insurance. It's going to be like automobile insurance: you can't go out there and drive without insurance. Too many businesses are losing their livelihood because of cyber attacks. Joe Biden went on the record to say this has to stop, we can't keep paying at ransomware. And now our friend Mr. Putin is going to attack businesses in countries that are supporting Ukraine, to wreak havoc on them. He can't use weapons against us, but he can use cyber attacks. So in addition to the bad guys out there trying to get money from you, you've got Russia trying to just disrupt the whole economy by cyber attacks. So you've got to get out ahead of it, get a good MSP, make sure that you've done everything you can to mitigate your losses. There was, no, not Comey, it was Mueller, Robert Mueller, when he was head of the FBI, who said there are only two companies out there: those that have been hacked and those that are going to be hacked. So it's just something that we have to live with it, but we can take ste