Caveat 12.16.21
Ep 105 | 12.16.21

The rapidly changing landscape of cyber insurance.

Transcript

Tiago Henriques: So we find ourselves in a market that is having a lot of demand. We have seen a lot of customer growth and companies that are just finding having cyber insurance either, one, extremely useful for them because of the protection and coverage that they get, but also because of all the tooling that we provide when it comes to the policy or, No. 2, we're also starting to see that a lot of companies are dependent on having cyber insurance to be able to close some contracts with other customers that they have as well.

Dave Bittner: Hello, everyone, and welcome to "Caveat," the CyberWire's privacy, surveillance, law and policy podcast. I'm Dave Bittner, and joining me is my co-host, Ben Yelin from the University of Maryland Center for Health and Homeland Security. Hello, Ben. 

Ben Yelin: Hello, Dave. 

Dave Bittner: Today, Ben discusses a recent ruling from the 10th Circuit Court of Appeals that deals with warrantless wiretapping. I look at attempts to hold AI more accountable. And later in the show, Tiago Henriques from cyber insurance provider Coalition. He's here to discuss the rapidly changing landscape of cyber insurance. 

Dave Bittner: While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. 

Dave Bittner: All right, Ben. Before we jump into our stories this week, we've got some feedback from a listener named Chris (ph). And Chris writes in and says, hi, Dave. Hi, Ben. Listening to the maximizing good online episode and Ben's comment about the constitutional right to privacy caught my ear. Is there an actual right? When I did my undergrad in information assurance, the law and privacy class both stated we don't have a constitutional right to privacy. The closest we had was Chief Justice Louis Brandeis' opinion on the right to be let alone. The last law class I took in 2017 was for grad school, but I don't recall a change to the right of privacy. Yes, GDPR and COPPA came out, as well as a few other states, but I don't recall a right to privacy. Did I miss something? 

Dave Bittner: Ben, did Chris miss something? 

Ben Yelin: Great question, Chris. 

Dave Bittner: (Laughter). 

Ben Yelin: You did not miss anything. You are absolutely right to ask this very important question. There is not an explicit right to privacy in the Constitution. It's not in there. There are a couple of ways in which Supreme Court justices have found an implicit right to privacy within the Constitution. 

Ben Yelin: The most commonly cited way comes from a 1960s opinion, Griswold v. Connecticut, which was about birth control among married couples. And in that case, Justice Douglas said that you can infer a right to privacy in the Constitution from a penumbra of various constitutional amendments. So the First Amendment right - freedom of association. He even mentions the Third Amendment. No one ever talks about that, but that's about not having soldiers quartered in your house. 

Dave Bittner: (Laughter) OK. 

Ben Yelin: Fourth Amendment - obviously, your right against unreasonable searches and seizures; Fifth Amendment - right against self-incrimination; and the Ninth Amendment, which says that just because a right isn't listed in the Constitution doesn't mean that it doesn't exist. So if you take what he referred to as a penumbra, you know, the variety of lights of indications from those amendments, you can infer a constitutional right to privacy. That's how he justified it in that case. 

Ben Yelin: And that case was the precedent case for Roe v. Wade, where the court said that because of that right to privacy, people have a right to an abortion, at least during the first trimester, pre-viability. 

Ben Yelin: The other way in which the Supreme Court has recognized the right to privacy is something called substantive due process. So the 14th Amendment says the state can't take away your liberty without due process of law. Most scholars think that that due process clause was more about procedural protections. You know, you can't put somebody in prison without giving them a fair trial. 

Ben Yelin: But some justices have interpreted that as granting substantive rights. So as part of due process, you can't deprive people of liberty if you are depriving them of something that's so fundamental to our system, fundamental to our system of ordered liberty. And some justices have imputed the right to privacy as one of those core liberties that can't be taken away by the state. There are a lot of scholars both on the right and the left who are very critical of this notion of substantive due process. Justice Thomas on the court - his reason for waking up in the morning is to attack substantive due process. He hates it. 

Dave Bittner: (Laughter) OK. 

Ben Yelin: So I realize this is a very long answer to the question. The Supreme Court has recognized that there is not an explicit right of privacy in the Constitution, but there is - they've recognized an implicit right to privacy that you can deduct from other constitutional provisions. And that's where it lies today. 

Dave Bittner: OK. So as we record this, what's going on with the Supreme Court and Roe v. Wade is not having it explicitly laid out in the Constitution. Does that potentially put it in peril? Does that mean it's at the whims of the current set of Supreme Court justices? 

Ben Yelin: Absolutely. 

Dave Bittner: Yeah. 

Ben Yelin: I mean, they - it is well within their purview to define the right of privacy as they think it should be defined or to have it not exist in the Constitution at all. There is now a majority that certainly disfavors substantive due process. 

Ben Yelin: But, you know, it's very possible they also disfavor the implicit right of privacy from the Griswold case. I think Supreme Court justices would be very reluctant to overturn Griswold, which gives people the right to purchase birth control. I don't see that happening in the short term. 

Ben Yelin: But, you know, I think what critics of the court's, you know, current thinking on abortion rights - and I think most legal scholars think that they're going to significantly curtail abortion rights next year. The thinking is that that's going to start a slippery slope. If the right of privacy isn't protected in that case, that same logic could apply to other cases that don't have to do with abortion. It could cut against this Griswold precedent. 

Ben Yelin: So to answer your question, absolutely, the right is in jeopardy due to the majority on the Supreme Court right now. 

Dave Bittner: All right. Well, to our listener, Chris, thank you for sending in that thoughtful question. 

Dave Bittner: We would love to hear from you. If you have a question for us - and by us, I mean mostly Ben (laughter) - you can send it to caveat@thecyberwire.com. 

Dave Bittner: All right, Ben, let's jump into our stories here. Why don't you kick things off for us? 

Ben Yelin: Sure. So this message comes from a Dave Bittner in my Twitter DMs - alerted me to this case. I also saw it on the news. 

Dave Bittner: (Laughter) Sounds like a handsome guy. 

Ben Yelin: He's a wonderful, handsome fellow. And he alerted me to an ACLU article about a recent 10th Circuit opinion - the United States v. Muhtorov. And this has to do with foreign intelligence surveillance, a topic near and dear to my heart. 

Ben Yelin: So prior to this case, two other circuits had examined Section 702 of the FISA Amendments Act. That section allows the government to compel internet service providers or companies that control the internet backbone to turn over the electronic communications of non-U.S. persons reasonably believed to be outside of the United States. 

Ben Yelin: But one thing that happens under that program is what's called incidental collection. So if you, a U.S. person, U.S. citizen, somebody who's here legally, is talking to a terrorist target overseas and that information happens to be collected, the government doesn't need to secure a warrant in order to obtain that communication and could, therefore, you know, charge you criminally if they find something incriminating. 

Ben Yelin: Two courts, the 2nd Circuit Court of Appeals and the 9th Circuit Court of Appeals, in separate cases have held that Section 702 does not violate the Fourth Amendment as it relates to incidental collection. So in both of those cases, you had people who were charged with crimes. The evidence that led to them being charged came from incidental collection under Section 702. They were talking to the wrong bad guys, and their communications were being monitored. And in both cases, those courts held that a person doesn't have a reasonable expectation of privacy in those communications, largely because of what's called the incidental overhear doctrine. 

Ben Yelin: And this comes from a long line of cases where if law enforcement is, you know, trying to surveil a suspected criminal and that criminal is conversing with somebody else and that other person incriminates themselves, that's fair game for a future criminal proceeding, if that makes sense. 

Dave Bittner: Now, in this case, where we're talking about international surveillance, let's say I'm the person who's communicating with the overseas person of interest. 

Ben Yelin: Right. 

Dave Bittner: Right. Is the information that the feds are gathering - is that only from my conversations with that person? Or is it that - the fact that I've communicated with that person at all, does that now make me a person of interest? 

Ben Yelin: It's both. 

Dave Bittner: OK. 

Ben Yelin: So they both - they can listen and read the content of those communications. But certainly, just the fact that you were talking to that target... 

Dave Bittner: Yeah. 

Ben Yelin: ...Could be suspicious. And what they do is then they go secure a traditional FISA warrant, which you can get for U.S. persons, that allows the government to surveil the communications of a U.S. person. 

Dave Bittner: I see. 

Ben Yelin: So it no longer has to be incidental. 

Ben Yelin: In this case, this guy, Muhtorov, was communicating with an overseas terrorist target, somebody who was part of an organization that our State Department had determined is a terrorist organization, the Islamic Jihad Union. They caught him talking to somebody involved with that conversation. They got a traditional FISA warrant, realized he was providing material support to terrorist groups. He was charged. 

Ben Yelin: Muhtorov says that he should have a reasonable expectation of privacy in this information. He challenges Section 702 as it applies in his case, but also what's called a facial challenge, meaning he thinks that this law is per se unconstitutional because it allows for the warrantless collection of U.S. persons' communications. 

Ben Yelin: What the court decided here is that Section 702 is constitutional for a couple of reasons. First, they mention, like those other courts, the incidental overhear doctrine. If the government has a legal reason to be surveilling somebody overseas as they do here - Section 702 allows them to surveil overseas targets - and they happen to pick up a U.S. person, that counts as incidental overhear. Generally, you don't have an expectation of privacy when you're talking to somebody else. You have to accept the risk that the government could be listening in on that person's conversations. 

Ben Yelin: They also brought up a really interesting point, saying that this invokes what's called the plain view doctrine. So let's say the cops suspect you of dealing drugs in your house. They get a warrant to search your house. 

Dave Bittner: Right. 

Ben Yelin: When they're searching your house, they happen to find illegal firearms. Even though they weren't looking for those illegal firearms, if those firearms were within plain view, that's fair game under the Fourth Amendment. They don't need to obtain a separate warrant. 

Ben Yelin: What the court is saying here is this is sort of like a plain view search. You know, the government had a legal reason to be surveilling this overseas target. And what presented itself in plain view was this U.S. person communicating with the overseas target. And so that information can be collected. 

Ben Yelin: I think that's, like, kind of a stretch, in my opinion. I would have just stuck to the incidental overhear doctrine. But it is certainly an interesting argument. 

Dave Bittner: So the ACLU and others take issue with this. 

Ben Yelin: Absolutely. 

Dave Bittner: What are their concerns? 

Ben Yelin: So there are a couple of significant concerns. One is after these communications are collected, they do go into a database. This database is searchable. If you are searching it for noncriminal purposes, then a warrant is not required. So there could be warrantless searches of this database, of these communications that have been collected. 

Ben Yelin: They're also concerned that this is a backdoor search method. Even though the law explicitly says you can't target an overseas person in order to collect the communications of a U.S. person, the ACLU and other groups are suspicious that the government is using Section 702 as an end-around. 

Ben Yelin: Let's say you have a hunch that a U.S. person is communicating with terrorists, but you don't have any proof. Go overseas, try and find a terrorist that they're communicating with. Listen to that person's communications. And then you might be able to intercept the U.S. person's communications. So that's certainly the nature of their concern. 

Ben Yelin: And then, you know, generally, once you allow programs like this, they see it as a slippery slope where we're just accepting this vast electronic surveillance state for national security purposes. Generally, in order for a search to be reasonable, courts do a reasonableness analysis where they weigh the government's interests against the private individual's interests. And previous case law has said that, you know, countering terrorism is the utmost interest that the government has. You know, if you picture a scale, you're putting a giant bag of pennies on that security side. 

Dave Bittner: (Laughter) Right. 

Ben Yelin: On the other side is the individual's interest here. And what these court cases seem to indicate is that the individual interests here aren't that particularly strong because they are talking with terrorists and because, you know, Section 702 has a bunch of procedural protections. The program itself and the so-called minimization procedures have to be approved every year by the FISA Court. 

Ben Yelin: I think groups like the ACLU and others see that as very unsatisfactory, the fact that you can kind of invoke national security and then have this advantage in a reasonableness inquiry in our court system. So I think that's deeply concerning to them. 

Dave Bittner: What's your take? 

Ben Yelin: I'm concerned about it, too. I mean, I do think there's the potential for abuse under Section 702, especially when you know these communications go into a database. 

Ben Yelin: In terms of the legal analysis, I mean, I agree that incidental overhear applies here. If you're going to apply incidental overhear when, you know, you're trying to surveil a mob boss and that mob guy talks to some underling, they didn't realize that guy was actually part of the mafia and you don't need a separate search warrant to get evidence on that new guy, I think that makes sense. And I think that makes sense in this context. But I can also understand why people are concerned that, you know, this could be a method for backdoor searches and an end-around on Fourth Amendment protections. 

Ben Yelin: The other, you know, concern here, just from a practical level, is we now have three separate circuits who have upheld the constitutionality of Section 702. There has been no circuit split. So if you're the Supreme Court, you're looking at what's happening, you know, at the circuit level and saying, well, it doesn't really seem that there's any real dispute here. All these lower judges, you know, seem to agree that Section 702, as applied, is constitutional. So, you know, what interest would it be for us to take it up? 

Dave Bittner: Right. 

Ben Yelin: So I think that means that the Supreme Court probably doesn't have interest in adjudicating Section 702. And, you know, this program is going to be upheld for the foreseeable future as constitutional. 

Dave Bittner: All right. Well, interesting for sure. We'll have a link to stories on that in the show notes. 

Dave Bittner: My story this week comes from Ars Technica. This is written by Khari Johnson over at wired.com. And it's titled "The Movement to Hold AI Accountable Gains More Steam." And this article starts off with New York City's council, who evidently last month adopted a law that requires audits of algorithms used by employers in hiring or promotion, says this law is the first of its kind in the nation, and it requires employers to bring in outsiders to assess whether an algorithm exhibits bias based on sex, race or ethnicity. And employers must also tell job applicants who live in New York when artificial intelligence plays a role in deciding who gets hired or promoted. 

Dave Bittner: Ben, you and I have spoken multiple times about issues with algorithms unfairly - or being unable to recognize people of color, for example, with facial recognition things. 

Ben Yelin: Sure. 

Dave Bittner: We've heard stories of people being unfairly judged when trying to buy a home or rent an apartment or things like that. So seems as though some municipalities are taking notice, and they want to get some outsiders to take a look. What do you think of this? 

Ben Yelin: Yeah, I mean, it's encouraging what New York City is doing. I think the key thing is they're looking for independent, non-biased auditors. So maybe those are people in the tech industry who aren't directly connected to the companies involved here or, you know, people who work for civil liberties organizations. You know, maybe, for my sake, throw in a few academics in there. We always love to get our perspective. I think that's very promising. 

Ben Yelin: You know, the issue is there really hasn't been oversight for these algorithms, their use. And then we do post hoc research and realize that they have these biases, these racial biases, bias, you know, on the basis of sex as well. So it is promising that, at least in this city, there's an effort to put a spotlight on these algorithms to see if they're living up to their promise and if they're discriminatory. And we're seeing that in Washington as well with various proposals coming out of Congress. 

Ben Yelin: You know, the issue right now is this is narrowly confined to New York City. You know, it's not going to help the rest of the 330 million people living across the country and in other jurisdictions. I think we might see similar legislation in big cities across the country... 

Dave Bittner: Yeah. 

Ben Yelin: ...Big progressive cities where there is this backlash to the use of artificial intelligence. So I think that New York City could be a model, but it's certainly not going to be widely applied so that it, you know, applies in every single jurisdiction. 

Dave Bittner: Yeah. 

Ben Yelin: I think the endgame is really the Bittner proposal... 

Dave Bittner: (Laughter). 

Ben Yelin: ...Which is to have a federal agency like the FDA or, you know, like the National Transportation Safety Board or something that has the authority to review these algorithms before they go, you know, on the market. So they have to be approved. 

Dave Bittner: Ahead of time rather than reactively. 

Ben Yelin: Exactly. Now, do I think that's going to happen in the short term? No. But that's what this movement, I think, is building up to. And the more we hear about biases among these algorithms, maybe that will inspire legislators, lawmakers at all levels of government to take a second look at this. So... 

Dave Bittner: Yeah. 

Ben Yelin: I think that's the goal here. 

Dave Bittner: This article does point out that there are some members of Congress who are working on a bill that would require this sort of evaluation at a national level when dealing with things like health care or housing or education and report back to the FTC. They also point out that three of the FTC's five members support stronger regulations of algorithms and that the White House actually put out an AI bill of rights recently. So it seems like there's some momentum here. 

Dave Bittner: Also in this article, they spoke with Julia Stoyanovich, who's an associate professor at NYU and served on the New York City Automated Decision Systems Task Force. And she points out that this auditing, in her opinion, is flawed because it only applies to gender or race. 

Ben Yelin: Right. 

Dave Bittner: And they've pointed out that, like, some of these hiring things have had sort of nonsensical judgments. Like, they'll score you on what software program you created your resume in or what font you use or... 

Ben Yelin: Comic Sans, negative 1,000 - yeah. 

Dave Bittner: (Laughter) Well, you know - but as I was reading this, I was actually thinking about that. Like, if I was just hiring someone, you know, no algorithms involved - a resume lands on my desk, and they formatted their resume in Comic Sans or, you know, they've formatted the resume in, like, one of those ransom note fonts (laughter)... 

Ben Yelin: Yeah, exactly. 

Dave Bittner: ...You know? - or like - or some spooky Halloween font or something like that, well, I'm going to pass some judgment on that, I think. 

Ben Yelin: Right. 

Dave Bittner: And is that unreasonable for me to do? I don't know. 

Ben Yelin: Yeah. I mean, for things like that, I'm kind of OK with it. I do think that this person makes a good point that it shouldn't only be limited to race and sex. I mean, they talk about things like people's sexual orientation, gender identity also being an area of potential bias. And I think that's true. Certainly, there could be biases introduced as part of artificial intelligence that relates to socioeconomic factors, and that isn't fair as well. You know, if we're talking about the font or the program that's used, I don't have an enormous problem except that it indicates that some nonhuman is reviewing these applications. 

Dave Bittner: Yeah. And I suppose, like, if I'm using the - if I'm - so let's just play out a nutty hypothetical here. If I'm using the most expensive word processor in the world, does that mean I get bonus points as opposed to the person who's using the free open-source tool that's available to anybody? Right? Should I be able to buy my way into a better rating when my resume is being evaluated by an algorithm? 

Ben Yelin: Yeah. And then to further game this out, what happens when people start trying to game the system? So you get information on how the algorithm works, and you pay to use the elite word processing service to... 

Dave Bittner: Right, right (laughter). 

Ben Yelin: ...Bump yourself up a few points. 

Dave Bittner: Right. So there's a business opportunity here (laughter). 

Ben Yelin: Yeah. 

Dave Bittner: Yeah. 

Ben Yelin: I mean, these are things that you do have to think about. 

Dave Bittner: Yeah. 

Ben Yelin: You know, if we're going to be using artificial intelligence, I think there are biases that could be problematic in the right circumstance. 

Dave Bittner: Yeah. 

Ben Yelin: On first glance, you know, I'm fine having a robot judge that Comic Sans sucks... 

Dave Bittner: (Laughter). 

Ben Yelin: ...Rather than the actual, you know, hiring - person in HR. 

Dave Bittner: Yeah, that's... 

Ben Yelin: But in the abstract. 

Dave Bittner: Yeah, yeah. I suppose there's no downside to having someone from the outside have a look at this. I mean, I - you know, people are always - I mean, it does introduce friction, and it can slow things down, and it adds cost. And all those things are legitimate concerns. But it seems to me like it's such early days with algorithms still that having an outside look on this sort of thing is probably a good thing. 

Dave Bittner: I will point out also that - another thing that caught my eye in this article - they're talking about a forthcoming report by a private nonprofit who call themselves the Algorithmic Justice League. 

Ben Yelin: Oh, that is brilliant. 

Dave Bittner: We got to get somebody on the show from the Algorithmic Justice League (laughter). 

Ben Yelin: I know. And then I can't wait to see the movie when it comes out. 

Dave Bittner: Right, right (laughter). 

Ben Yelin: Yeah. 

Dave Bittner: Right, the movie. Yeah, exactly. But evidently, the - I mean, they are players in this space. They had an influential audit back in 2018 that found that facial recognition algorithms work best on white men and worst on women with dark skin. So... 

Ben Yelin: Shocker. 

Dave Bittner: There you go. 

Ben Yelin: Yeah, exactly. 

Dave Bittner: There you go. So cool name, but it sounds like they are actually doing some pretty important work there. 

Ben Yelin: Absolutely. 

Dave Bittner: So we'll have to ask our producer Jen to see if we can get someone from the AJL on the show, find out more about what they're doing. 

Dave Bittner: All right, that is my story this week. Of course, we will have a link to that in the show notes as well. 

Dave Bittner: Ben, I recently had the pleasure of speaking with Tiago Henriques. He is from cyber insurance provider Coalition. And we discussed some of the rapidly changing elements of cyber insurance. Here's my conversation with Tiago Henriques. 

Tiago Henriques: So we find ourselves in a market that is having a lot of demand. We have seen a lot of customer growth and companies that are just finding having cyber insurance either, one, extremely useful for them because of the protection and coverage that they get, but also because of all the tooling that we provide when it comes to the policy or, No. 2, we're also starting to see that a lot of companies are dependent on having cyber insurance to be able to close some contracts with other customers that they have as well. 

Dave Bittner: Yeah, it seems to me - and correct me if I'm wrong here - that there's really been a bit of recalibration over the past year or so. A lot of the insurance providers have a better idea of exactly what they're signing up for. And so rates and coverages have shifted quite a bit over the past year or so. Is that accurate? 

Tiago Henriques: That is very accurate. And I think it's still something you're going to see over the next couple of months because, whether we like it or not, cyber insurance is still a very young product. And we're still learning the realities. We're still learning. We're learning how to price for risks, what sort of risks we want to cover and can cover, and also how we can best help our customers actively reduce those risks because it's not just - that's a big difference between cyber insurance and other types of insurance. 

Tiago Henriques: You know, typically, you buy a policy. You put it on the shelf and you hope you don't have to touch it again because if you do, it means you have a claim. But for cyber insurance to work, we need to be in constant communication with our policyholders. We need to be actively scanning them and telling them about issues we're finding, telling them how to protect themselves. It's not just a one-off, as other policies for car insurance or health insurance typically are. 

Dave Bittner: You know, I think about something like insurance for a building or even a homeowners policy where, you know, if I have fire extinguishers, if I have sprinklers, those sorts of things, that might lead to some sort of discount in my coverage because my home is well-equipped. Do we have similar sorts of things where if I can, you know, check some boxes for the insurance providers that we're putting certain best practices in place, that that may lead to a better rate? 

Tiago Henriques: We can, and we do. But it's not just check boxes. We are a data-driven company. And that's a little bit of what's different about Coalition, is that we definitely ask the customer to fill out the form. But our objective as a company is - and this is my team's responsibility at Coalition - is when we get policy requests from the underwriting platform - so blah.com is asking us for a policy. In three minutes, my team is going to go out and try and find absolutely everything we can about blah.com. What are their IP addresses? What are their domains, subdomains? Which technologies are you running? Which hosting (ph) providers are you using? Can we find any documents or pieces of news about this company? And we're going to build an entire payload with all of this data and try and understand how risky or not risky this company is to try and understand if we want to sell you policy and then price it based on all of these millions of data points that we collect as well. So the checkbox part is just one piece of the puzzle. 

Dave Bittner: Right. So, I mean, does that kick off kind of a collaborative process where you come back to them and say, listen; you may not be even aware that you have some of these underlying issues here; let's engage? 

Tiago Henriques: A hundred percent. This is our daily conversations with policyholders. 

Tiago Henriques: So one of the issues that we've seen in cybersecurity is, of course, shadow IT, or IT that the customer doesn't even know they have but that they have a dependency on. So 100%, when we find critical issues, we'll either make them contingent - and we have a team of security analysts that essentially literally jump on the phone, and they will work with the customer, with the potential policyholder, on trying to get those issues fixed, on trying to get the right firewall rules in place. Whatever it is, the contingencies or issues we found that would stop us from selling a policy or that would even raise the price based on those contingencies, we will work with them. 

Tiago Henriques: And, of course, there is a certain point sometimes where the collaboration stops, where the customer goes, doing this change would be too big for us; we'd rather just pay the extra premium on the policy for it. But it is indeed a collaboration that goes on between us, the customer and the broker as well. The broker is a critical piece for this work. 

Dave Bittner: Yeah. Well, let's talk a little bit about ransomware, which is certainly grabbing the headlines these days. I mean, I think a lot of folks think about their cyber insurance policy as being a bit of a backstop against ransomware. On the provider side of things, how do you approach that? 

Tiago Henriques: So we are absolutely not a replacement for any best practices against ransomware. We, actually, on our underwriting process, always give recommendations for people to improve their security. So if you have something to remotely manage your computers, like RDP, Kaseya, ConnectWise, we always tell you to put them behind the VPN with MFA, with the right protection in place. So we are definitely the last milestone. When everything else fails, that's what the insurance piece is there for. 

Tiago Henriques: Specifically around ransomware, we've seen a decline on frequency and, you know, the amount of payments we've had to do with ransomware, especially around the way we're approaching insurance where we're trying to underwrite using data. So we're writing, say, for businesses. And the businesses that we're not writing, we're still helping them to go to a safer place than they were before they contacted us. So we've seen a decrease in severity and frequency as well. 

Tiago Henriques: And generally, you know, we as an insurance provider, we don't like to pay for ransomware. We always - of course, in the end, it's a policyholder decision, and this is actually something, I think, you know, many in the InfoSec industry don't understand - is that it is not the insurer's decision. We are there to pay if the policyholder decides that they want to pay. 

Tiago Henriques: But we can merely advise. And we always advise on having really good backup practices. Let's make sure that we can do that restoration. Let's make sure that, you know, we can get it back up and running without paying the ransomware. But the final decision comes down to the policyholder and their counsel - if they decide to pay, we have to pay. But for us, as an insurance company, we always prefer not to pay. 

Dave Bittner: Are there things that people often overlook when they're putting together an insurance policy or when they're coming - you're starting that process? Are there parts of it that people don't always consider? 

Tiago Henriques: We've seen a couple. One, remote management software - what sort of software they are using to do remote management of their laptops, their machines. We saw an increase in remote management software exposures when COVID started. So that's definitely one of the factors. 

Tiago Henriques: The other one would be backups. We've seen a couple of situations where policyholders will attest that they have backups, even offline backups, but they haven't tested restoration. And then when that ransomware hits and they're going to try and restore, the backups are corrupt, or something happened, and the backups aren't actually working. 

Tiago Henriques: So those would be the two most common factors we've seen as "failures" - air quotes - that people, you know, have a misstep sometimes. 

Dave Bittner: Yeah. You know, I know that your boss, Coalition CEO, recently had a meeting at the White House with President Biden. Can you give us a little insight into that? What sort of policy things were discussed there? 

Tiago Henriques: Ransomware was the big topic. You know, the government wants to understand how they - we can help stop ransomware. And, you know, we believe that it has to be a collaboration between public and private sector. And we're certainly doing our part to try and help as much as possible. 

Tiago Henriques: One of the things that we're trying to do is - because we make money selling insurance, it means all the technology that we can build as a technology company we can give away for free. And we're going to continue to give away for free. 

Tiago Henriques: We - you know, as I mentioned to you before, one of the problems we see constantly is customers not knowing which assets they have exposed. Same thing applies to their vendors. You'll work with an MSP or an IT vendor that has privileged access to your computers. We look at your company. Your company's secure. But in reality, your IT vendor is not, and you don't know about that. IT vendor gets hacked, and hackers then pivot into your machines. 

Tiago Henriques: So what we - we're trying to do to stop that is, essentially, we are giving away our attack surface monitoring tool, and that's just one of many tools we'll be making available for free to any organization. They don't even need to be a policyholder. Even - it was a commitment we made at the White House, that we are going to build security tools and give them away for free for every organization to protect themselves. Specifically, this attack surface monitoring tool is available for free on control.coalitioninc.com. And any organization can use it. 

Dave Bittner: I can see organizations being a little reticent to have someone like you take a look, you know, behind the curtain, right? But at the same time, it strikes me that as much as they may be hesitant about that, on a certain level, that's an opportunity as well because you have sort of an independent third party coming in to take a second look at things. And I would imagine, for most organizations, that can be a bit of an eye-opener. 

Tiago Henriques: For sure. And the other part is for free. Like, this is actually something that people don't take into account, and it's quite important. We would do this for free. We help customers for free because lots of organizations, especially in our SME revenue band, don't even have an IT team, don't have a security budget. So that we're able to offer these services, including calls with our security analysts for free to help them step up their security, is really, really important. 

Tiago Henriques: And one of the things I always advise our customers is don't lie on your insurance policy. Don't tell us that you have some security controls in place that you don't because, one, when a claim happens, we're going to find out about it because we'll do a forensic investigation and we'll see it, and, No. 2, we're not here to fight you. We're here to literally help you level up. It benefits you. It benefits us. So, yeah. 

Dave Bittner: Yeah, it's interesting that - I think the collaborative approach is innovative. And I can't help thinking that, you know, this is the future of how this space is going to have to function. 

Tiago Henriques: A hundred percent. Again, everything that we're trying to do, it's not going to work if it's not a collaboration between us, the customers and the broker. All three parties are extremely important in making this work, be it because - you know, we scan all of our policyholders multiple times per month. So when a new vulnerability comes out, we send you a notification of it. When you're the customer, you need to make sure that you read that notification and you address the issues we found on the notification. If the person that was responsible for security leaves the company, the broker needs to make sure he's aware of it and updates our records so that we can contact the new person. So everyone plays a part in this triangle, essentially, of trying to solve cyber risk. 

Dave Bittner: All right, Ben, what do you think? 

Ben Yelin: That was really interesting. I mean, it's still such a new field that there really is space for emerging organizations to offer novel advice on cyber insurance just because I think we're not quite sure how to price it yet. 

Ben Yelin: And we're still, you know, in the early stage of other contractors, businesses looking at an organization to see whether they have cyber insurance. 

Ben Yelin: So you know, I just think the - this entire field of study is in its infancy. And so, you know, we're - I think we're going to learn a lot over the next few years. 

Dave Bittner: Yeah, I think it's tough on both sides. The folks who want to provide this - things are changing so quickly. But also, for the folks who have to buy it, who are obligated to buy it, you know, regulated to buy it, it's hard to plan out what your costs are going to be 'cause it's all in a state of flux right now. 

Ben Yelin: Absolutely. Yeah. 

Dave Bittner: All right, well, again, our thanks to Tiago Henriques from Coalition for joining us. We do appreciate him taking the time. 

Dave Bittner: That is our show. We want to thank all of you for listening. 

Dave Bittner: The "Caveat" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Ben Yelin: And I'm Ben Yelin. 

Dave Bittner: Thanks for listening.