The ever-evolving cybersecurity field.
Kimberly Patlis Walsh: In order to mitigate the costly risk of ransomware and data breaches and malware attacks, you need to understand where you are across the risk continuum on vulnerability. And then you need to be beginning a plan of how do you address those risk?
Dave Bittner: Hello everyone, and welcome to "Caveat," the CyberWire's privacy, surveillance, law and policy podcast. I'm Dave Bittner, and joining me is my co-host Ben Yelin from the University of Maryland Center for Health and Homeland Security. Hello, Ben.
Ben Yelin: Hello, Dave.
Dave Bittner: Today, Ben covers ramifications of legal developments in Texas. I discuss proposed legislation that takes the for-sale sign off the Fourth Amendment. And later in the show, my conversation with Kimberly Patlis Walsh. She's president and managing director at Corporate Risk Solutions. We're discussing cybersecurity and the insurance marketplace. While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney.
Dave Bittner: All right, Ben. I'm going to ask you to kick things off this week. And is it fair to say that your story this week is a doozy?
Ben Yelin: It's a doozy. It actually...
Dave Bittner: (Laughter).
Ben Yelin: ...Comes from the private message of one Dave Bittner, who alerted me to this...
Dave Bittner: (Laughter) Yes.
Ben Yelin: ...On Twitter, although I had been following the story. So it comes - our source we're using is Simple Justice, which is a criminal defense blog.
Dave Bittner: OK.
Ben Yelin: So the great state of Texas passed a law that, to most legal observers, was clearly unconstitutional. And the law was intended to prohibit censorship with - on online platforms. So for any online platform that has a certain number of users - I think they picked 50 million worldwide users - that platform may not censor a user, a user's expression or a user's ability to receive the expression of another person based on the viewpoint of that person, the viewpoint represented in the user's expression or another person's expression or a user's geographic location in this state, Texas, or any part of this state. The reason legal scholars assumed that this was blatantly unconstitutional is that the companies here, the social media companies, have their own First Amendment rights. So we have acknowledged that they can control speech on their own platforms.
Dave Bittner: Right.
Ben Yelin: Some people will say, well, Twitter is a public company. They're traded on the New York Stock Exchange. That doesn't matter. They are a private company that just happens to be traded publicly. So at least our thinking was that they had the right to police their own content moderation.
Dave Bittner: Yeah. And just - I mean, real quick here for the slow people in the room like me. Once again to review, the First Amendment protects us from the government, right?
Ben Yelin: Exactly. It says Congress shall make no law abridging the right of freedom of speech, freedom of religion, etc. So...
Dave Bittner: Yeah.
Ben Yelin: ...Those - that first clause is quite important. Congress shall make no law. It doesn't say your favorite social media platforms should not have content moderation policies.
Dave Bittner: Right. OK.
Ben Yelin: That would have been a very bizarre thing for our Founding Fathers to have said in the 1780s.
Dave Bittner: (Laughter) That's right.
Ben Yelin: But I digress. So this law was challenged by civil liberties groups and the tech companies themselves. They - saying that this abridged their First Amendment rights to police the content on their platform. We know from the Citizens United case that whether you like it or not, corporations are people, my friend, in the word of - in the words of Mitt Romney, and they have constitutional rights. So the district - a federal district court in the state of Texas did what was expected. They enjoined the law, so they prevented it from going into place. They said it was basically an obvious violation of the First Amendment. It was unworkable. Companies weren't really sure exactly how to comply, and that just seemed like the natural course of things. There was even whispers in the Texas state legislature that this wasn't actually a real effort to police the content moderation policies of social media platforms. They expected the courts to step in and put a stop to this.
Dave Bittner: Was this just political posturing by some folks in Texas to, I don't know, get the attention of their constituents?
Ben Yelin: Yes. And, you know, I have to - in their defense, part of being a legislator is doing political posturing. If you want something to be true and you want to will it into existence, the first step is passing some sort of statute and bringing on that constitutional challenge, because even if under settled precedent it's seemingly unconstitutional, you never know if you're going to get a friendly judge. So what happened here is after the district court, which is the trial court level in the federal system, after they enjoined this law, they put a stop to it, the state of Texas appealed the decision to the 5th Circuit Court of Appeals. There's kind of a widely known secret among legal scholars in this country - people who pay attention to appellate courts - that for whatever reason, the 5th Circuit is the most conservative circuit in the country, amenable to more right-leaning pieces of legislation. I think it's mostly just a coincidence of which presidents got to appoint the judges, but it's definitely a conservative circuit. And what the 5th Circuit did is they ordered that the motion to reinstate the law made by the state of Texas be granted. In other words, that law is now in effect.
Ben Yelin: So we don't have any explanation. This is a one-page opinion, as it were. It's not even really an opinion. It's just the result of a petition by the state of Texas. It is per curiam, meaning that there is no single judge that has signed onto this. They are speaking on behalf of the court, and we know that there is a dissenting judge. So as of now, this law is - has gone into place. In the state of Texas, which seemingly now has disproportionate control over our social media companies, it is illegal to instigate any type of viewpoint censorship.
Ben Yelin: This is a major logistical problem for the tech companies. A, they don't really know how the law is going to be interpreted, so they don't know what the state of Texas means in its statute by viewpoint discrimination. What counts as a viewpoint? If you want to prohibit hate speech, which I think most of our social media platforms would prefer to do, to keep their platforms clean, would that be a violation of this Texas statute? - because that is, in a sense, viewpoint discrimination.
Ben Yelin: So I think compliance with this law is just going to be exceedingly difficult. Not to mention our social media companies are going to have to adopt their policies generally in the other 49 states to comply with rules and regulations now in place in Texas, or are internet companies just going to stop doing business in Texas for the time being? I mean, that - if they find this law unworkable and they're actually facing either civil fines or criminal penalties, they may decide to use the stick approach instead of the carrot approach and say, unless you change this law, state of Texas, we are shutting off Twitter. We are shutting off Meta or whatever inside your state. I would say that that is a far-flung possibility, but it is not completely out of the question. So what happens next? I can already sense your question on that, Dave.
Dave Bittner: (Laughter).
Ben Yelin: So the 5th Circuit has stayed the injunction that was put in place by the district court to enjoin the enforcement of this law. There are a couple of things that can happen. The original petitioners, so the civil liberties groups and the companies themselves, could try and take this to the Supreme Court, and the Supreme Court could step in on what's known as the shadow docket. They could ask the Supreme Court to issue its own injunction to put a stop to this law. The Supreme Court could do so if this is blatantly unconstitutional, and they...
Dave Bittner: Which it is.
Ben Yelin: ...Could do so without - right, which at...
Dave Bittner: (Laughter).
Ben Yelin: ...Least it seems to be. So the...
Dave Bittner: Right. I mean, there's - there doesn't - don't seem to be any compelling arguments on the other side, the 5th Circuit Court notwithstanding.
Ben Yelin: Ray, and the 5th Circuit Court - because we don't have an explanation, we don't know why they think this potentially is constitutional. So...
Dave Bittner: Yeah.
Ben Yelin: ...The Supreme Court has nothing to work with. Sometimes they might look at a 5th Circuit opinion and say, oh, OK. That's compelling. The 5th Circuit looked into it. They reviewed the factual findings of the district court. And perhaps, you know, there's a constitutional issue we were overlooking. If Twitter and Instagram, whatever, petitioned to have this law stayed at the Supreme Court, the Supreme Court, without having a factual record before them in the 5th Circuit, could just say, based on our own precedents, this is clearly an unconstitutional violation of these companies' First Amendment rights, and this law is enjoined.
Ben Yelin: So that could happen. The Supreme Court would need to hold an oral argument to do that. They could do that just by granting this motion for an injunction. The other thing that could happen is that the companies could request that the 5th Circuit rehear this case en banc, meaning the entire panel of 5th Circuit judges. That is not an expedited process. They'd have to hold a separate hearing, separate oral arguments. So that could take a while. And also, based on what we know about the 5th Circuit Court of Appeals, I don't know that the result would be any different.
Dave Bittner: Huh.
Ben Yelin: It just has a lot of judges who are amenable to this type of legislation. So the result here is we have what the author of this blog post called a loony law that has been upheld and is going into effect. We don't know what Texas is going to do, how they're going to enforce it. We don't know how the internet companies plan to comply with it. And we are in this sort of bizarre legal limbo because of this very surprising decision from the 5th Circuit.
Dave Bittner: You know, I saw some comments over the weekend in response to the tragic mass shooting that took place in Buffalo, which was livestreamed.
Ben Yelin: Right.
Dave Bittner: And the comment was that the social media company - because of this ruling in Texas, the social media companies could be prohibited from deleting that livestream. They could be required to show it because otherwise it would be censorship in violation of that. Is that - are we being overblown here, or is something like that a possibility?
Ben Yelin: I think that is probably overblown. So if you look at the language of the statute, it is about specifically viewpoint discrimination. Social media companies could still ban certain types of speech as long as they're not discriminating on the basis of viewpoints. So any speech that depicts violence, which that video clearly did or at least depicts the intent to commit violence - that could probably be banned under this legislation.
Ben Yelin: The speech itself, though, like the manifesto, at least as a - you're looking at a plain reading of the statute. That would seemingly be fair game. And it might be illegal for these companies to delete it if Texas law was enforced because that's clearly a viewpoint. This piece of legislation bans discrimination on the basis of viewpoint. It doesn't say which viewpoints are more favored or more disfavored than others. And that's one of the reasons there's so much concern here is theoretically, it's easy to say, we want to represent all viewpoints. We don't want to have any bias in our algorithms or in our content moderation decisions...
Dave Bittner: Right.
Ben Yelin: ...Against any political group, any type of religious organization, etc. But in practice, that becomes difficult when you're dealing with speech that might have the tendency to cause violence. That's why the social media companies want to retain the power to execute their own content moderation practices. And at least for now in the state of Texas, it's unclear that they are able to do so.
Dave Bittner: Yeah. This is just so - it's kind of bonkers. I mean (laughter)...
Ben Yelin: It is. I mean, I think everybody is just very surprised that the 5th Circuit did what it did. It could be that - and they - again, they didn't release any language on the merits of the law. It could be that they thought there wasn't enough preliminary evidence to get the law enjoined. But if they were to rehear the case on the merits after the law has already taken effect, maybe they'd come to a different conclusion and declare the law is likely unconstitutional. Still, the standard for a preliminary injunction is that the petitioner - so in this case, the tech companies - would be extremely likely to prevail on the merits. And at least from my read of the case law and the history and common sense...
Dave Bittner: (Laughter).
Ben Yelin: ...Seems like the petitioners would have a very good chance of succeeding on the merits. So this is bizarre all around. I think it kind of threw everybody in the legal community for a loop. And we don't know exactly how this is going to turn out. Which social media platform is going to be sued first in Texas and for which content moderation policy? And are we going to get case law on what counts as viewpoint discrimination?
Dave Bittner: Wow.
Ben Yelin: Or is the Supreme Court just going to step in and say, even us, the current Supreme Court - this is too far. This is taking things too far. This is an affront to the First Amendment rights of these corporations. And let's just enjoin this before we get ourselves in any additional trouble.
Dave Bittner: Yeah, knock it off (laughter).
Ben Yelin: That very well could happen, too - yeah, exactly, which is basically what an injunction from the Supreme Court is - is, all right, guys. Like...
Dave Bittner: Yeah.
Ben Yelin: You know this is wrong. We know this is wrong. Stop it.
Dave Bittner: Right. Right. Well, time will tell, right (laughter)?
Ben Yelin: Yeah, definitely something we're going to have to keep following because you never know what's going to happen in the crazy state of Texas.
Dave Bittner: Yeah, it's wild. All right. Well, my story this week comes from The Hill. This is an opinion piece written by Alex Deise, and it's titled "Congress Should Pass the 'Fourth Amendment is Not for Sale Act'." Ben, you and I - we're both fans of legislation that has abbreviations. This is the...
Ben Yelin: Yeah, this acronym is not quite up to speed. It's the FANFSA Act.
Dave Bittner: FANFSA, FANFSA. Yes, not...
Ben Yelin: I feel like they could have done better.
Dave Bittner: They could have done better. Yeah. I don't know. What - why have interns if they're going to come up with substandard acronyms like this one? I don't know. But (laughter)...
Ben Yelin: Right.
Dave Bittner: The point of this is there is legislation that's been introduced in the Senate. Again, this is the Fourth Amendment is Not for Sale Act. Evidently, they have 20 co-sponsors from all over the map, including Rand Paul from the right, Bernie Sanders from the left. And in the House...
Ben Yelin: Strange bedfellows for sure.
Dave Bittner: Yeah. In the House, it's sponsored by the Judiciary Chairman, Jerrold Nadler, a Democrat from New York - evidently not making a lot of progress in terms of making its way through Congress. But I guess that's - these days, that's not a surprise for any bit of legislation. What this bill basically does is it keeps federal law enforcement agencies from doing an end-around on the Fourth Amendment by going to data brokers to buy the information that otherwise would require some sort of warrant or judicial oversight. Do I have that right, Ben?
Ben Yelin: Exactly. So the Fourth Amendment protects you against unreasonable searches and seizures by the government. If the government wants to obtain information through a legal process, through a subpoena or through a warrant, they have to go through the Fourth Amendment process, go to a judge, prove that there's probable cause that a crime is being committed or a crime is going to be committed and obtain that judicial authorization. But law enforcement has found this loophole - the fact that they can purchase data from these private companies. They don't need any judicial authorization to do so. They just need money. And we know these law enforcement agencies, whether they be state, federal or local, are generally pretty well-funded, especially these days. So if they want to get their hands on that data, they can purchase it from data brokers. So I think this legislation is relatively sensible and simple. It would just require law enforcement to go through the same process in obtaining this data as they would if they were using a traditional warrant or subpoena process. So it would have to be an application signed off by a judge or a magistrate. It would treat data that came from data brokers the same as data obtained through the normal court approval process. I think this is so sensible that it probably has no chance of passing...
Dave Bittner: (Laughter)...
Ben Yelin: ...And I know that's...
Dave Bittner: We're that cynical. We're that cynical (laughter).
Ben Yelin: Right. That is a common affliction of our members of Congress. I mean...
Dave Bittner: Right.
Ben Yelin: I think there's a belief that - why would we handcuff law enforcement and prevent them access to this extremely valuable tool? We are in a period of elevated crime rates across the country, specifically violent crime. And I think, to some legislators, maybe a majority or maybe a sufficiently sizable minority, they might say, why would we institute this policy now to give more rights to criminal defendants? I don't think that's a good argument because - just because we have, you know, high crime rates right now doesn't mean we should roll back traditional Fourth Amendment protections. So if we can agree that data obtained from data brokers is functionally equivalent to data obtained during normal court approval processes, then it would make sense that there would be the same legal regime for each. It certainly is interesting that you have this bipartisan coalition. There is always a civil liberties cohort in both parties. They team up on bills like this. Frequently, they're not successful because there also is a bipartisan coalition in opposition to these folks. But especially on all matters related to electronic surveillance, you often see these very strange bedfellows. So I know Rand Paul has been there on every single one of these issues, as has Senator Sanders. Chairman Nadler in the House is - has always been very progressive on issues of civil liberties and electronic surveillance as well. It is not moving. The way we know it's not moving is that Jerry Nadler is the chair of the committee - would have to move through in the House. And as far as I know, there have not been any committee hearings on it. So right now, this is just a idea that's out there, but every eventual piece of legislation starts out as a crackpot idea from a couple of enterprising bipartisan senators. So you never know. But it is Congress, so I wouldn't get my hopes up.
Dave Bittner: Yeah. Let me ask you this. Let me put you on the spot and ask you an unfair question to hit you with without any preparation. But that's one of my favorite things to do.
Ben Yelin: It is.
Dave Bittner: Can you think of any other examples where there have been opportunities over time through technology or through just, you know, the changes in day-to-day life, where a constitutionally protected right has found itself the victim of this sort of end-around?
Ben Yelin: Yes. The best example is the Fourth Amendment itself prior to 1967. So the Fourth Amendment says, you are free from unreasonable searches and seizures of your persons, houses, papers and effects. So yourself, your home, your papers - and effects is basically your stuff. That has a very physical connotation. And there was a case in 1928, Olmstead v. the United States, where the Supreme Court held there is no Fourth Amendment protection in something unless there is a physical trespass, a physical intrusion. So in that case, they affixed listening devices on the wires extending out of a defendant's house. And since that wasn't within his house - in his property, it wasn't on his stuff - that didn't qualify as a constitutional search and/or seizure. That was the law for about 40 years. And that became a convenient end-around for law enforcement in this country. Basically, all types of electronic surveillance, with minimal exceptions established by statute, that was all legal because the Fourth Amendment only protected your physical stuff - your physical home, your physical property. It took 40 years for a separate decision called Katz v. United States, where the Supreme Court changed the standard. There no longer had to be a physical intrusion. Now you can have a Fourth Amendment violation if you violated somebody's reasonable expectation of privacy. So we had a 40-year end-around, and it wasn't Congress that stepped in in that case, it was the courts.
Dave Bittner: Interesting.
Ben Yelin: But that was a significant loophole to the Fourth Amendment that wasn't commensurate with the technology at the time. I mean, we knew how to wiretap in the '20s. We knew how to wiretap in the '30s. We had the McCarthy era. There was a lot of surveillance going on then. There was J. Edgar Hoover in the FBI. So certainly electronic surveillance was going on, and it was largely unregulated because of how the courts had interpreted the Fourth Amendment. I think courts these days are far less likely to jump in and be as active in revisiting precedents in this area as they were in the 1960s. So I think it is incumbent upon members of Congress to do what the court did in 1967 in this case and keep the spirit of the Fourth Amendment alive, which is to protect people's reasonable expectation of privacy in their own information. And to do that, I think you have to institute some type of regulations against the government purchasing data from data brokers.
Dave Bittner: Hmm. All right. Well, good answer, Ben. History doesn't repeat itself, but it sure does rhyme, right?
Ben Yelin: It sure does, yes.
Dave Bittner: (Laughter) All right. Well, those are our stories this week. We'll have links to both of those in the show notes. And, of course, we would love to hear from you. If you have something you'd like us to consider for discussion on the show, you can email us. It's caveat@thecyberwire.com.
Dave Bittner: Ben, I recently had the pleasure of speaking with Kimberly Patlis Walsh. She is president and managing director at Corporate Risk Solutions. We talked about a number of things but mainly focused on cybersecurity and some happenings in the insurance marketplace. Here's my conversation with Kimberly Patlis Walsh.
Kimberly Patlis Walsh: The evolution of the insurance marketplace really has come out of the continuous threat of cyber misconduct and sort of the impact globally across the world. It obviously was very much compounded by COVID and the mass amount of people that have been working from home over the past two years. The cyberthreats and the cybercriminal methods have become increasingly sophisticated, and their ability to launch IT-directed attacks with seeming, you know, impunity has continued. The negative repercussions across the board for businesses - from the smallest, you know, startups that may be pre-revenue even to the Fortune 10 - we've seen have a pretty immaterial, precipitous and dramatic impact across the insurance marketplace as well, but more importantly, that - about the businesses and their impact on cyber and network security risks. If you were a financial institution or a health care company five, 10 years ago, you always knew you had a cyberthreat. And there's been a lot of focus around cybersecurity and network security in those industry sectors. I think largely, five years ago, most other companies and businesses said, I don't have personally identifiable information, or I don't have health information, and so I don't really have a cyber risk. And that really has been proven out to be a pretty naive thought process over the past five years.
Dave Bittner: In terms of the products that the insurance providers have been offering, how has that changed over the years? I mean, is it - is my understanding correct that, you know, originally this was, I don't know, practically an afterthought, something that kind of got tacked on a regular, you know, policy?
Kimberly Patlis Walsh: Yeah. I think you're largely correct, David. There has been cyber offering - some portion of cyber offerings within, you know, corporate crime - or fidelity, rather, where there's been some level of social engineering. But those kind of products were really financial products, and they weren't originally intended for this level and sophistication of cybersecurity losses. There have been some level cyber or network security risk protected within professional liability or errors in emissions coverage and, in some part, historically may have been even extended to a combined director and officer program or a D&O, E&O program - a professional liability and management liability program in the past.
Kimberly Patlis Walsh: I think probably maybe within the last five to seven years, there's been a dedicated, standalone cyber network security protocol and program in virtually every insurance carrier out there, especially the global ones, partly driven by regulatory development and requirements on cybersecurity across the board or legislation, penetration - you know, other requirements by either state or local governments or federal governments around the world.
Dave Bittner: Is it fair to say that there's been a bit of a reckoning in the cyber insurance world that, you know, prices have gone up, coverages have gone down in response to the - I don't know - the cold reality that organizations are facing these days?
Kimberly Patlis Walsh: I think largely if you don't have the level of security and protection and you don't understand where you even stand right now on vulnerability, and you haven't taken steps to create enterprise protection across the board on doing a security assessment or having controls and monitoring and penetration testing and helping your employees understand where the threats primarily come from, you are going to either not be able to get insurance for dedicated cyber coverage, or you're going to have a material restriction in your coverage, as you said. And what we've seen in the past - you know, these were probably mispriced five plus years ago in the single-digit, $1- to $5,000 per million to buy cyber insurance coverage on a dedicated basis. But again, largely, most of the - most businesses, unless you were in financial institutions, health care or related businesses, you didn't really buy the insurance because you didn't think you had the risk. And then as boards were requiring it, there was a very significant jump in investment firms buying dedicated cyber because they had to have a plan. Other insurance companies within network security or technology-based businesses or work-from-home businesses, other businesses that may not have originally had health care information or personally identifiable information - they all started buying it because it was the right thing to do at the board level and didn't have the parallel-level protection. And, you know, where those - where the tools that - to mitigate those types of loss really have come from - the same top eight or 10 items where there's been vulnerabilities that have been the same for the past 20 years.
Dave Bittner: To what degree are the insurance companies able to be sort of a positive influence on companies now? You know, I'm thinking of historically, you know, you think about things like sprinklers in buildings and fire escapes, you know, that - being able to get discounts on my insurance for having these sort of mitigations in a building that I built. Are we in a similar place with cyber insurance where, you know, those incentives are there and meaningful as well?
Kimberly Patlis Walsh: I think we are. I think that's a really astute point to make, is the parallel to the engineering and proper risk management protocols that were forced in liability coverages or property have very much paralleled in the cyber and network security. We're watching now evolution in the past three to five years, let's say, but much more so in 2021, especially in coming into 2022, where there have been connections between the legal community cyber response teams and forensic teams partnering, and then dedicated security teams partnering with law firms, partnering with folks like myself in independent risk management positions, the insurance brokers as well as insurance carriers. And everyone is aligned in those areas of having advisory support to businesses that have exposure. And now you not only have business interruption exposure and enterprise risk across the board irrespective of what industry sector you're in, you also have secondary director and officer suits or possible media and advertising challenges or full business interruption where you may not be able to conduct your business. We just saw the record-setting losses that have happened in 2021 create not only the ransom demands but then the post-impact into companies. It has bankrupted many companies. It has cost the creation of massive loss costs that has - in advertising revenue losses, in lack of clients that they may not be able to attract or keep as a result of their security breaches or their security vulnerability.
Kimberly Patlis Walsh: And so it is having a dramatic effect on how do you protect the enterprise. And so any investor, any management team as well as all of the advisors of those enterprises really need to be banding together. And we are watching the insurance carriers give - you know, if it's a credit-debit system that is happening, we're watching that develop in the cyber world as well, where they are giving additional credits if you have, you know, the top eight to 10 threats protected.
Kimberly Patlis Walsh: And if you don't, you are getting significant hits on - whether that is either your ability to achieve ransomware coverage extended on your programs, whether you can get protection for first- and third-party losses - and we can talk a little bit about what that means - or you are just getting full exclusions or you are going to have to ultimately self-insure. And that's a pretty significant change in the past three to five years that we've watched.
Dave Bittner: You know, I've heard people say that boards of directors, you know, speak in the language of risk - like, that's what they understand - and that it's up to the cyber folks to, you know, sort of translate so that they're speaking the board's language. First of all, I mean, is that a correct way to look at it? And do you agree with that approach?
Kimberly Patlis Walsh: Absolutely. I think this is a board-level discussion. It has been, and I think it's taken a while for some of the boards out there for both small companies that are privately held and large companies that are publicly traded, for all of the groups, for any enterprise being run to catch up. It has been a board-level discussion no different than, are you buying director and officer insurance; if so, how much and with whom? - because you - it's just a matter of when you're going to get sued for misconduct or potential financial mismanagement on the D&O side.
Kimberly Patlis Walsh: On the cyber side, you have a real requirement on, how are you keeping customer, employee and third-party information protected? And if you are, now there is also - you overlay that with a pretty significant amount of regulatory requirements, whether that is at the federal level across Europe or the U.S. requirements. You know, in early February - or mid-February, rather, the FBI and Homeland Security came out another warning about Russia coming after and launching not only real attack - physical attacks but also cyberattacks. You also have requirements from the U.S. government on infrastructure enterprises that have to have a different level of protection and a different level of attention on their own cyber vulnerabilities.
Kimberly Patlis Walsh: I think we're watching this. If you don't have a plan at this point at the board level and you are not able to speak intelligently about - you don't have to have a full, dedicated, you know, CISO where you're having a security officer - a designated security officer. Certainly the public company - publicly traded companies are - largely all do, at this point, have designated a CISO or a CTO.
Kimberly Patlis Walsh: Privately held companies are moving in that way to be able to address where those securities are coming from. And any third party that is contracting with those - any of these enterprises are really - it's front of mind across the board on, how are you protecting information, but more importantly, how are you protecting the enterprise? - because a business interruption for especially smaller companies or a publicly traded company has reputational risk. It has compounded director and officer risk. It has a number of other issues that, if you can't get - and we saw this with Colonial Pipeline. We saw it most recently with Sinclair, Capital One, you know, that has massively surpassed the Merck and Marriott losses that happened in 2019.
Kimberly Patlis Walsh: In 2022, this largest single loss that's on record right now is Capital One. That was over $400 million published with both insurers and the company having really, really significant payment out. And they had bought a very large tower of insurance at $400 million, and they expected to be reserved and fully blown.
Dave Bittner: So what are your recommendations then? I mean, in terms of organizations, the approach that they should take in balancing their coverage with their risk and, you know, all of those elements, what are your words of wisdom?
Kimberly Patlis Walsh: Yeah. I think the biggest way to make sure you are at least ready - breach-ready, as we call it - you know, you need to assess where you are on the continuum of protection of your assets. And in order to mitigate the costly risk of ransomware and data breaches and malware attacks, you need to understand where you are across the risk continuum on vulnerability. And then you need to be beginning a plan of how do you address those risk? - developing an incident response plan, understanding internally how to address those and those risks. There's - 95% of the losses are coming from human error, and they still are. That was 20 years ago. And if that hasn't changed - of the top eight to 10, you know, corporate cyber vulnerabilities I talked about before, at the very top of the list is multifactor authentication. And with the work-from-home concentration around the world, this has become the highest value in protecting your assets. It's the No. 1 place where we watch losses come out of in the past two years - that along with remote desktop protocols and protection and remote desktop web connection. And so if you are still using VPN and you're not relying on encryption and you don't have RDP gateway protections and complex passwords and, again, multifactor authentication and restricting access to all the firewalls and doing all of these additional endpoint threat protection, and then actively managing your systems and configuration - this is a 360-around risk. And that - those are just the Top 3 that I just talked about - and getting into a continuous hunt for network intruders and being proactive about that process and making sure your employees are proactive with your internal IT and external IT people to make sure that you are mitigating the risk but, most importantly, mitigating the cost and avoiding a business interruption.
Dave Bittner: Ben, what do you think?
Ben Yelin: It's just interesting how quickly cyber insurance got ingrained in the general field of risk management.
Dave Bittner: Yeah.
Ben Yelin: I mean, based on what she said, this is not something that companies thought about five to 10 years ago. And it took cyberattacks hitting every single sector of our economy - health care institutions, the federal government with OPM, state governments, local governments - where this is another type of risk that has to be managed. So you purchase insurance policies for all of your other types of risk. You have a policy out in case there is a fire in your company's building.
Dave Bittner: Right.
Ben Yelin: And this is just part of a 21st century calculation of risk. I think it's just going to keep expanding as there are more incidents and as this starts to affect different sectors. As you and I have talked about before, we just hope this doesn't turn into a flood insurance spiral...
Dave Bittner: Right.
Ben Yelin: ...Where the coverage becomes prohibitively expensive because paying out damages becomes expensive, so therefore, people can't afford it. And then these companies are extremely vulnerable to cyber incidents.
Dave Bittner: Yeah.
Ben Yelin: In that case, the federal government stepped in and sort of but not really solved the problem. But I...
Dave Bittner: Right.
Ben Yelin: ...Hope we don't get to this point as it relates to cyber insurance.
Dave Bittner: Yeah, I'm with you. I find it fascinating how quickly the insurance companies found themselves having to pivot, you know, to go from something that was sort of a - I don't know - a high-margin tack on that they could put on a regular policy. Like, oh, you want cyber insurance? Yeah, sure. We got that. Here you go. And now...
Ben Yelin: Right.
Dave Bittner: ...It's like, oh, my gosh, we actually have to, like, run the numbers on this (laughter). And it's - and it could be bad. And so, you know, we've just seen it become - it's much more numbers-driven now. It's expensive. It reflects the reality in which we live. And that happened fast.
Ben Yelin: Right. It sure did. I mean, that's something that's really in very recent history.
Dave Bittner: Yeah.
Ben Yelin: Especially it's just - it's become kind of part of the public perception of risk as much as it has among individual companies. I think people are just more aware because their employer has forced them to take trainings on phishing emails, etc. So I think there is a public consciousness around cybersecurity risk that there wasn't - that we didn't see five to 10 years ago.
Dave Bittner: Yeah. All right. Well, our thanks to Kimberly Patlis Walsh for joining us. We appreciate her taking the time and sharing her expertise with us.
Dave Bittner: That is our show. We want to thank all of you for listening. The "Caveat" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner.
Ben Yelin: And I'm Ben Yelin.
Dave Bittner: Thanks for listening.