Financial R&R: The Increasing Focus on Cybersecurity

Intro (00:01):
Welcome to Financial R&R, a show dedicated to financial insurance and risk management solutions and trends shaping the market. Today. Here are your host, Ron Borys and Ryan Farnsworth.

Ryan Farnsworth (00:13):
Well, welcome everyone. This is Ryan Farnsworth with Alliant Financial Institutions and with yet another edition of Financial R&R, where we discuss trends and topics and issues that are impacting financial institutions. And we're actually here to talk about a topic today that impacts more than just financial institutions, which is cyber security, ransomware attacks. And to talk a little bit about what needs to be said that hasn't been said or addressed before, as we all know, ransomware attacks are, nearing an all-time high, according to FBI data, but what's been alarming to all of us has been the losses that have been associated with those ransomware attacks in the last 12 to 18 months. And we're gathered on the heels of the Kaseya attack. And we want to talk a little bit about why that was a big deal, why this was different. And with me, we have our Alliance specialty claims and cyber specialists, Steve Chappelle, David Finz and Matia Marks welcome everyone. So, from a claims perspective and with your expansive knowledge and background, why is Kaseya such a big deal, why is this different? Why should our clients care more, than others that they've heard?

David Finz (01:24):
So, what makes this one of the most noteworthy events that have happened in recent years, and it's not singular in this regard, but it's what makes it distinctive if you will, is apart from the fact that its indiscriminate nature and it's sort of ricochets around the globe once it's been released. And also apart from the fact that these aren't necessarily even the largest service providers out there, it's the fact that the ransomware is emanating from a managed service provider, or even more to the point, a root managed service provider that services others. And the problem with that has to do with remediation. Normally, what happens is your service provider provides a software update its automatically installed on your system and that patches, whatever it is that they are looking to safeguard against. Well, what happens when the provider of those software updates are themselves, the one that is being attacked, you can't remediate the way you normally would because their system is infected. And in fact, what has happened here is that Kaseya’s network was used to push out through these service providers, malware rather than a software update. So the only way to stop that is to essentially shut off connection to Kaseya, and those networks in order to sort of contain this, but that doesn't do anything about the fact that many systems were already infected a patch is not going to help you once. You've actually been infected with the ransomware.

Ryan Farnsworth (02:58):
They poisoned the river, essentially, right? And, everyone downstream had to deal with the after-effects. And there's a lot of layers to these types of discussions. So, Matia from your perspective, what is it that firms should be doing and thinking about when it comes to these types of issues?

Matia Marks (03:14):
I mean, I think that it's very important for clients and companies in general, to be talking about cyber risk management in general, and making sure that they're doing everything that they can do to be prepared and testing out their plans in advance of having to deal with one of these issues and making sure that if there is insurance that the IT department and the legal department is aware, the insurance operates and knows who to notify in the risk management department. Should you need to notify someone so that you're not trying to figure that out in the midst of dealing with a situation,

Steve Shappell (03:53):
Further to preparation, right? Preparation, regulators, SEC, and state regulators like New York's guidance. They gave June 30th on ransomware attacks, right? The theme is you need to prepare, right, and give more and more detailed guidance on not only preventing ransomware but preparing for it. So, it's a great point that we particularly David and some of his people are spending a lot of time on this point.

Ryans Farnsworth (4:22):
Steve, you said it, the regulators are, are becoming more front and center on these issues. David, what's your perspective on, the regulator's and the government's stance in stepping up on these matters?

David Finz (04:32):
So, the New York state department of financial services, which regulates many of the financial institutions operating in New York, or have headquarters in New York, they issued guidance that basically consisted of two components. One had to do with reporting ransomware to the department, which is what they're requiring is for regulated entities to give notice of any cyber incident no later than 72 hours after it has occurred, actually, you know, sooner, if possible. And then the second component that has to do with preventing ransomware. And they've given a lift of several measures, several security controls that they expect regulated entities to have in place in order to minimize their exposure to ransomware, not coincidentally, these are many of the same controls that cyber insurance underwriters are looking for their policyholders to put into place. So, while compliance with a regulation does not in and of itself equates security, and it doesn't guarantee that you will not have an attack, from a standpoint of saying, what did you do to prevent this from a standard of care? It's important to take lead, with respect to these requirements, and make sure that you can at least demonstrate that you've put these minimal controls in place.

Matia Marks (05:51):
To piggyback on what David's saying about the NYDFS. The SEC issued back in February of 2018 guidance regarding cybersecurity disclosures for public companies. And the division of enforcement is now looking at whether companies may have failed to disclose that they were a victim of the recent solar wind attack and violation of the securities laws. In fact, late last week, the division sent out a number of investigative letters, seeking information from companies regarding their exposure to solar winds. And they also said that in exchange for providing that requested information, that they would not forward move forward with an enforcement action against those companies on those grounds. We also learned late last week that the, a SEC levied it first monetary fine against the company stemming from a cybersecurity risk management failure. So, I definitely think that we're going to be seeing more actions from the CC and D regard in your future

Ryan Farnsworth (06:48):
Question for you, David, is it a good thing that regulators and the government in particular are stepping up the way that they are on these types of issues?

David Finz (06:57):
Well, I'm glad to see that there's a tension being devoted to the issue because obviously once these regulations are in place, we expect the vast majority of organizations will comply for purposes of avoiding being in the regulators cross hairs. But again, I don't think that we can rely upon regulations to solve the problem. We cannot regulate our way out of this ransomware crisis. There needs to be a cultural shift on the part of organizations and their employees to be aware of good cyber hygiene. You could have the best controls in place, but if one phishing email manages to get through a filter and an employee clicks on it, it could end up infecting an entire network. So, you’re ever going to be able to regulate a way this exposure, but what you can do is begin to implement the controls that again, both regulators and for that matter insurance underwriters are looking for so that you are in the best position to thwart an attack or minimize the damage, once one has occurred. And in fact, we are advising our clients around those controls, and we have a prioritization list that we can offer to clients so that they can address these in the near medium and long term and better position themselves when they approach the insurance market, when they approach the underwriters to obtain coverage.

Steve Shappell (08:19):
And further to that point, David, right. I think most of our clients really get that regulators standards here are not going to be that helpful. As we've seen over the decades, right. Regulators are always behind in kind of the state of the art, right? You look at financial markets, right? The regulations always lag behind the current need. And so thankfully I can guarantee that our clients are way ahead of regulators and thinking miles ahead of current standards, right? It's great that there are some force standards, but I think regulation is not going to be to David's point a solution here. The commercial marketplace is going to find much more advanced and quicker solutions.

David Finz (09:06):
Well, the problem with regulations is we're fighting the last war, right? The threat environment continually changes. And I would expect underwriters to be more nimble in saying, Hey, these are the claims that were seen and here is how they are being executed. Right? These attacks are being perpetrated by these threat actors in a certain manner. And therefore here are the controls that would've prevented them. And they're able to gather that data and change their underwriting posture because it's their capital at stake in matter of weeks or months, not years.

Ryan Farnsworth (09:37):
So what's next, as we think about helping our clients and what Alliant’s doing David, you referred to various exercises through a submission process that we are working with our clients to help manage their cyber security risk. Of course prepare their policies to have the most state-of-the-art coverage. As we work with the legal in-claims team here within Alliant, what is it that clients can be doing now? So that they're not the next headline in the wall street journal for a ransomware attack.

David Finz (10:08):
So, as I mentioned, many of the controls that the regulators are eyeing reflect, they mirror several of the factors that the underwriters are looking at as well. Multifactor authentication is probably the lowest hanging fruits in terms of controls that companies need to put in place. Patch management is also important, anti-fishing training for employees. And again, we have a prioritization list that we can share with clients to help walk them through this. Additionally, many, if not most primary underwriters of cyber insurance are now requiring something called a ransomware supplemental questionnaire, which provides few dozen questions around the controls that a company has in place. And they are even going as far saying, we can't offer coverage until you address these vulnerabilities, or we will offer coverage subject to your correcting these prior to, or within a certain number of days after binding from our standpoint, the best way to approach the markets is to address those controls beforehand and position you in the best possible way. So again, we use the ransomware supplemental questionnaire as a gut check to see whether in fact, you have the controls in place that will allow us to position you in the best possible light and see what you can do to get many of those implemented as possible before we go to the underwriters. So we can get you more favorable coverage terms.

Matia Marks 11:39):
And then I would also add to that clients should definitely take advantage of all the resources that are available to them in the policy for pre-breach services. So that again, you can undertake a tabletop exercise, have firms endorse onto your policy, that you might use that you're not fighting that fight as you're ransomware event at the same time.

Ryans Farnsworth (12:01):
Steve from a claims perspective, what can firms be doing? We're talking about preparing them through renewal and underwriting processes from a claims perspective. What can we be thinking about?

Steve Shappell (12:12):
Apart from kind of the tabletop exercise and the preparation that David and Matia were talking about right. In the event of a claim, right? People here at Alliant and at the insurance company are really good at this, right? We have people who do this all day, every day, both here and in insurance companies. And so, the thing to do is to reach out early and often, right? And get people engaged that do this for a living and Matia talked about it. And I think David talked about the coaches and the vendors that want to have relationships with having them lined up in advance is critical. And then executing right, reaching out early and executing because it is a fire drum telling you when this happens, it's all hands. And when you have an event like this involving thousands of other companies, it is a fire drill. And we need to be prepared not only with the tabletop exercises, but with appreciation that there's thousands of other companies going through this at the same time, and we need to be nimble and responsive. So, moving fast and having a lot of communication is the key.

David Finz (13:18):
Yeah. One of the things I would add to that is that the good news is cyber insurers are paying on their claims. Right? However, one of the areas where there are coverage disputes or some friction at the outset has to do with the choice of service providers. So, if an organization has a specific vendor that they have a relationship with that they would like to use, that is not on the insurer's preapproved panel, the time to have the conversation about adding them to your policy is with the underwriters as you're approaching renewal, not in the throes of a claim as it is playing out. I'd much rather have that conversation with an underwriter who’s eager to bind the coverage and get the premium on the books than I am to have it with an adjuster in the hours and days following an event, because then we first have to get the firm vetted and the clock is ticking and that is never a good scenario. So it's best to have those conversations upfront.

Steve Shappell (14:14):
We completely agree. Right. And that's, I think Matia was kind of hinting at that when we were talking about the tabletop, right? It's all going through tabletop exercise is incredibly valuable, because you do things like that. It's like who would be my vendor? And to kind of Matia’s point you vet them, right? It's not some vague exercise. You really vet them, and you solve for a lot of these issues early because again, right, it is chaos when this happens and you're going to want people you want and the firms you want advising you and representing you. So, it's really important to make sure that this is resolved again early and often.

Ryan Farnsworth (14:55):
Well, there's no doubt that this is an evolving complex and ever changing risk where talk is cheap action needs to be put into place. And we look forward to working with our clients to help them find a more rewarding way to its risk through this issue, by implementing a lot of these practices and processes and procedures as the hackers and other cybersecurity incidents take place. We'll work to prepare our clients so that they're not on the front page of the wall street journal, David, Steve and Matia thank you for your time, your insights. We look forward to the next opportunity to get together and we look forward to speaking then.