How will cybersecurity insurance change in the coming years?
Gary Brickhouse: The scrutiny that's being provided by the cyber liability companies is not going to go down.
Dave Bittner: Hello, everyone, and welcome to "Caveat," the CyberWire's privacy, surveillance, law and policy podcast. I'm Dave Bittner, and joining me is my co-host, Ben Yelin, from the University of Maryland Center for Health and Homeland Security. Hello, Ben.
Ben Yelin: Hello, Dave.
Dave Bittner: Today, Ben discusses the Fifth Circuit's controversial take on content moderation. I've got the story of the Pentagon taking a closer look at its covert psychological operations. And later in the show, Gary Brickhouse from GuidePoint Security joins us. We're discussing continued changes when it comes to cybersecurity insurance. While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney.
Dave Bittner: All right, Ben, let's start things off here, and I'm going to let you take the lead. I have to say, this story that you're doing this week - I've seen a lot of discussion on Twitter, and I don't want to, you know, bury the lede or - I don't know - ruin the surprise, but there's - people seem to be taking the point of view that the Fifth Circuit Court has kind of gone bonkers here (laughter)?
Ben Yelin: Yeah, they've really - they've come up with a decision that I think goes against decades' worth of internet law.
Dave Bittner: OK.
Ben Yelin: And is a major threat not only to big tech companies, but could be an inflection point in First Amendment law generally. And it's really a profoundly - I don't want to say disturbing because I'm not sure that the outcome is necessarily going to be disturbing to people. I'll say eye-opening because it certainly contains a lot of legal theories which, if extended to their logical conclusions, would render a lot of what we teach in constitutional law to be relatively moot.
Ben Yelin: So with all that background, I'll get into a little bit of the history here. We've talked about this story in the past. Basically, Texas passed a law, HB20, which said that large tech companies - and they specified which companies qualify - generally, ones that are available to the public and have a certain number of users - are barred from moderating content on their platforms based on viewpoint. So they can moderate for a bunch of other things. The Texas law allows them to moderate for threats of violence, harassment or any speech that might violate federal law. But they are not allowed to moderate based on the viewpoint expressed by the users.
Ben Yelin: Now, again, this doesn't only - this is - the impetus for this law was alleged viewpoint discrimination against conservatives - this idea that users were being deplatformed for their political views. But the law doesn't actually say anything about it being political viewpoints that are being censored here. It could be any viewpoint on any issue. And the law prohibits these platforms from any sort of moderation activity, deleting accounts, suspending accounts based on the viewpoint of the users.
Dave Bittner: So somebody could just come in and make a nuisance of themselves - you know, comment on every post in some platform and say, I love chocolate chip cookies, they're the best, and just take over, right?
Ben Yelin: Yes.
Dave Bittner: And this law would prohibit the platform from deleting or suspending their account.
Ben Yelin: Well, it only addresses viewpoints - it only addresses suspending accounts based on their viewpoints. So it leads to some possibly absurd conclusions. This was mentioned in another article that I read.
Dave Bittner: OK.
Ben Yelin: But let's say somebody is harassing a woman, an individual, by saying something like she's ugly. If you take this Texas law literally, the only way you could suspend that user for harassing this woman and calling her ugly is if you would suspend another user who called her attractive because that's the only way you would not be discriminating based on the viewpoint of the user, if that makes sense.
Dave Bittner: Wow.
Ben Yelin: So that could lead to a possibly absurd conclusion like that.
Dave Bittner: OK.
Ben Yelin: So Texas passed this law. The enforcement mechanism is actually relatively weak. You can - any individual user who feels that they have been wronged under this law, that they've been censored can sue one of these tech companies, or the attorney general of Texas can bring a suit. But the relief is an injunction, basically forcing the platform to put the user back on the platform, to end a suspension, etc. And there wouldn't be any damages awarded. So the punishment is pretty nominal.
Ben Yelin: But obviously, this could have profound effects. Technically, it's limited just to the state of Texas. But as we know, when one state or entity or jurisdiction comes up with a law this sweeping, all of the platforms are going to have to conform their policies to comply with this law because it's really hard to determine which of their users actually live and reside in Texas or are Texas users for the purpose of this law. And then there's another section of the law that's pretty burdensome, that has all these reporting requirements that basically these tech companies have said, we're not going be able to comply with these. They're just too complicated.
Dave Bittner: OK.
Ben Yelin: So the district court - the federal district court held that this law was unconstitutional because it abridged the free speech rights of the platforms. Basically, there's this idea that the First Amendment protects individuals from government interference when it comes to their own speech, but also it protects you from the government compelling you to speak. So the government cannot force you to say something against your will. And that was the general holding of that district court case. There have been some Supreme Court cases that have alluded to this, talking about this idea of editorial control. Basically on a neutral platform, it is the right of a private entity to exercise some degree of editorial control. The 5th Circuit, in a decision that didn't say anything at all, reinstated the law, overturning the district court. The Supreme Court went back to the 5th District, said, not so fast, you can't do that. We're going to take this law back out of effect, so restore the original injunction from the district court. You have to actually go through a full proceeding and hear this case on a - on the merits and draft a decision on the merits. And that's what the 5th Circuit did.
Ben Yelin: So there's a three-judge panel, one Trump appointed judge and two George W. Bush appointees, and in a 2-1 decision authored by an individual, a judge named Andy Oldham, saying that this law is constitutional. It is not an infringement on the First Amendment rights of these platforms. The money quote is that - today we reject the idea that corporations have a freewheeling First Amendment right to censor what people say. Because the district court held otherwise, we reverse its injunction and remand for further proceedings. So in the view of this court, the district court erred because they mistook moderating and censoring content for compelling speech. And that's a distinction that this 5th Circuit panel does not see. They don't believe that this law has the effect of inhibiting free speech. They believe this law has the effect of inhibiting censorship. This is a really surprising conclusion, to say the least.
Dave Bittner: I was going to - I really want to interrupt you, but I want to let you finish because there's some go, go, go, go (laughter).
Ben Yelin: I mean, you can interrupt me at any time. I'm trying to kind of sort through this myself.
Dave Bittner: Yeah.
Ben Yelin: So there are decades' worth of court decisions basically supporting this idea of editorial control for private companies.
Dave Bittner: Right.
Ben Yelin: There was a case back in the '70s when there was a neutrality law in the state of Florida, which basically said if a newspaper prints an op-ed, they have to print an opposing view. And The Miami Herald said, we disagree with the opposing view in this case. I think it was some political statement that they didn't want published in their own newspaper. And the Supreme Court said that a private company, in that case, the newspaper, cannot be compelled to speak. They cannot be compelled to publish something that goes against their wishes and values. What the court is saying here - what the 5th Circuit is saying is that content moderation platforms like Twitter and Facebook are distinct from newspapers. Newspapers have editorial pages. They have a limited number of space in each issue. So you can only write a set number of articles. It's not unlimited the way the broader internet is. And they say, confirmed by Section 230, these platforms are properly viewed as platforms. They're not speakers in and of themselves. They hold themselves out as being available to the public. Anybody can post. So they are just fundamentally different in nature.
Ben Yelin: That view leads to some pretty problematic results. So, for example, if there was Nazi propaganda on one of these platforms, if you read this Texas law literally, that is a viewpoint. And you would not be able to censor or suspend an account based on that viewpoint unless you also suspended an account that expressed the opposite viewpoint. So this was another hypothetical I heard. Let's say there's a Nazi on Twitter posting Nazi propaganda. The only way that Twitter could ban them is if they also banned somebody who said maybe Jewish people shouldn't have been annihilated in the Holocaust 70 years ago. That's...
Dave Bittner: Wow.
Ben Yelin: ...The end result of what this law would do. So that's sort of one of their justifications. They laid out several justifications, just kind of throwing, you know, what at the wall to see what's - what stuck. One of them that they are really flirting with, which is an interesting argument we've seen reflected other places, is that these platforms are, for the purposes of the law, common carriers. So generally, the First Amendment only applies against the government.
Dave Bittner: Right.
Ben Yelin: The first words of the amendment are, Congress shall make no law. It has been incorporated to the states. As far as I know, Twitter and Facebook are not government entities, at least as we speak. But there's this whole area of the common law where private entities can be regulated if they are, quote, "common carriers" - basically, if they have cornered the market and are something that's so in the public sphere that they are the equivalent to a government agency - so things like telephone companies, methods of communication, railroads, transport.
Ben Yelin: Justice Thomas, in a concurrence to a separate case, hinted at the idea that these platforms could be held up as common carriers and thus, state governments or the federal government could potentially regulate them and force them to comply with these types of policies. And the majority in this case basically agrees, saying that for all intents and purposes, these companies should, or at least could, be considered common carriers, which would allow the Texas state Legislature to regulate their activities. In a lot of different ways, these companies are very distinct from a telephone company. I mean, they do Twitter, Facebook. They do have much more of an editorial component to them than just a simple phone company that facilitates phone calls from one place to another. They have a brand to protect, and they also have a market. They - sites like Twitter and Facebook are competing with other social media sites, and they would rather have a platform where there isn't a lot of Nazi propaganda because that might be very unpleasant for the users of that platform and they...
Dave Bittner: Right.
Ben Yelin: ...Might decide to go elsewhere.
Dave Bittner: Right.
Ben Yelin: So the end result of this is a rather convoluted decision that upholds this Texas law. So for the time being, at least in the state of Texas, these companies are barred from discriminating against users on their platforms based on the viewpoints of those users. The tech companies and their trade associations are certainly going to appeal this to the Supreme Court. Based on what the Supreme Court did at an earlier phase of the judicial history here, it seems likely the Supreme Court is going to strike down the 5th Circuit's decision.
Dave Bittner: (Laughter).
Ben Yelin: But we can't be 100% sure.
Dave Bittner: That's the thing - isn't it? - right now. Like, either (laughter)...
Ben Yelin: You do not want to be relying on the Supreme Court to overturn decisions that might have shocked legal observers because it's happened repeatedly over the past several years. And there is a 6-3 conservative majority. Granted, a couple of justices seem disinclined to uphold the Texas law at earlier stages in this proceeding, but we just don't know what's going to happen. I would guess that the Supreme Court is going to hear this case on the merits, but for the time being, the Texas state Legislature has completely changed internet law in this country. And for the first time, there is a ban on these platforms from moderating the content of their users. And that's something that's really profound and groundbreaking.
Dave Bittner: It just seems chaotic to me. I mean, we - you and I, we talk about - all the time about how, you know, every now and then someone has this notion that they're going to have a total, you know, hundred percent free speech platform, and it never works. It just...
Ben Yelin: No, it never works.
Dave Bittner: ...Doesn't work. You can't do it. Stop...
Ben Yelin: We've talked about - and even if these companies, as they have, try to present themselves as beacons of free speech - those are our values; we want to foster a political conversation - it just doesn't work in practice because, ultimately, you're going to get an army of trolls or people with, frankly, patently offensive views, whether political or not...
Dave Bittner: Right.
Ben Yelin: ...That make the platform unusable for everybody else. And that's going to hurt the market share for these platforms. I don't - personally don't want to be on a website where they allow Nazi content...
Dave Bittner: Yeah.
Ben Yelin: ...Or things that are similarly offensive but that could be considered viewpoints. And if you take the Texas law literally and this decision literally, that's exactly what's going to happen because that is - whether you believe in it or not, it is a viewpoint. It's not necessarily harassment or anything else against the law to express a Nazi ideology. It's a viewpoint. And therefore, you can't suspend a user for expressing that viewpoint, even if that viewpoint is the annihilation by genocide of an entire class of people.
Dave Bittner: Right.
Ben Yelin: And that's what this decision does.
Dave Bittner: Do the judges reveal at all what - really what they're after here? Like what - you know, why this - why supporting such a fundamental change - because to me, like - this, to me, was so established that it was a joke, right? Like, every time someone would scream censorship at Twitter or Facebook, you know, folks like you would have to come out - folks who actually know this stuff would say it's not censored. The First Amendment protects people against the government. It doesn't protect people - you know, it - right? Like...
Ben Yelin: I know. I've had to face the fact that maybe I don't know what I'm talking about anymore...
Dave Bittner: Oh (laughter).
Ben Yelin: ...That maybe everything I've ever said is just an illusion...
Dave Bittner: Right. Right.
Ben Yelin: ...Because the 5th Circuit can come along and say, you know, it's actually not, Twitter. Being a private company is actually not the most relevant factor.
Dave Bittner: Right.
Ben Yelin: And they basically say that for a variety of reasons. One, they don't think that this actually counts as speech. Editorial control, in their view, isn't a well-founded principle at the Supreme Court. I disagree with that wholeheartedly. They say that this isn't speech, this is just stopping the censorship of speech. But to me, that is a form of speech. Moderating the content on one's own platform is speaking with an editorial voice. It's making a decision about the values and the practices of the company, which is, in effect, a form of speech. And then they also say that even if it is speech, that these are common carriers that could be subject to federal or state regulation, even though they're private companies. And that creates a bunch of potentially problematic outcomes. The dissenting judge in this case, a guy by the name of Leslie Southwick, is a George W. Bush appointee. He is no squish. He is extremely conservative. He is actually somewhat sympathetic to the majority and is against viewpoint discrimination in all its forms but says you can't really deny that this is constitutionally protected speech on the part of these platforms. If we get to a point where the platforms completely lose control of their own service, that they lose the power of content moderation, then the platforms have lost their voice. They've lost their place in the market.
Dave Bittner: Right.
Ben Yelin: It will destroy their platform, basically.
Dave Bittner: I'm thinking, like, if I had a restaurant and somebody, you know, came to my restaurant every day and caused a disturbance, you know, so where the other diners could not enjoy themselves, it should be within my rights to show that person the door.
Ben Yelin: Right. I mean...
Dave Bittner: Isn't that what we're talking about here?
Ben Yelin: There's a sign in restaurants that says we reserve the right to refuse service to anyone.
Dave Bittner: Right.
Ben Yelin: Now, what this court cites is a case - and you and I have talked about this case - from California probably about 30 years ago now, where a shopping mall tried to stop a group of individuals from distributing leaflets. And the Supreme Court said that for all intents and purposes, that shopping mall is a public forum. It's open to the public. Anybody can go in there. And therefore, as a quasi-public entity, even though the mall was privately owned, they cannot censor speech. There are a bunch of reasons why this case is different from that one. That one wasn't a content-based restriction on speech. That was just a general prohibition against distributing leaflets. As much as the court here insists otherwise, this is a content-based restriction on the speech of Twitter and Facebook and all of the other tech companies. They are forcing them to put particular content on their website. That is, to me, the definition of a content-based restriction. And courts, especially the Supreme Court, look very disfavorably (ph) on any speech restriction based on the content. And I think it is a mistake in this decision for the majority to say, well, this actually isn't a content-based restriction; it's actually a content-neutral restriction. I'm not going to get into the importance of that distinction. It does change the level of scrutiny that the court has to apply to that law. But you can see why it's fundamentally different when we're talking about the generalized right to distribute leaflets in a public mall, regardless of what those leaflets say, versus - you can imagine a hypothetical in that case where the leaflets being distributed were about exterminating the Jews or something.
Dave Bittner: Yeah.
Ben Yelin: And I think it would be much more within the mall's discretion because it would disturb other users, might hurt their business, might dissuade certain customers from shopping in that mall. It would probably certainly be in their discretion to remove those users from their platform, their platform being the private mall. So you can see why I don't think that's a particularly apt comparison in this case.
Dave Bittner: So where do we stand now? I mean, are we in a - like, a - are we in a no man's - in the time between this - so this is in effect and - but as you say, it's going to go to the Supreme Court most likely. What happens now?
Ben Yelin: It's anarchy, man.
Dave Bittner: (Laughter).
Ben Yelin: I mean, the law is in effect. There are a couple of options that the trade associations that represent these companies have. They can appeal to have this court - to have this case reheard en banc, meaning it wouldn't just be a three-court - or a three-judge panel of the 5th Circuit. It would be the whole 5th Circuit.
Dave Bittner: Which is how many?
Ben Yelin: I don't know the exact number, probably something, like, 15 judges.
Dave Bittner: OK.
Ben Yelin: I don't think that's a viable option. If you know anything about the 5th Circuit, it's - your chance of getting a favorable decision from the full 5th Circuit is just as good as getting a favorable decision from a three-judge panel.
Dave Bittner: OK.
Ben Yelin: It is a very conservative circuit. The vast majority of the judges are George W. Bush or Donald Trump appointees.
Dave Bittner: OK.
Ben Yelin: So you wouldn't fare well there.
Dave Bittner: Is this kind of like one of those things in football where, you know, it's - the call on the field has to - it's harder to overturn the call on the field. You have to have overwhelming evidence, that kind of thing.
Ben Yelin: Yeah...
Dave Bittner: Yeah (laughter).
Ben Yelin: ...For the standard of review.
Dave Bittner: Right, right.
Ben Yelin: Well, sort of. I mean, generally, that is how review works in our appellate system. That's why they do it in football.
Dave Bittner: Yeah.
Ben Yelin: It is based on our legal system - that the burden is on the losing party to prove that the decision was egregious. I think these companies are going to take the tack of appealing this to the Supreme Court and urging them to grant certiorari so that the Supreme Court hears it on the merits. They also could request that the Supreme Court issue another separate injunction, which would be an emergency stay of the 5th Circuit decision, saying that this 5th Circuit decision is so egregious that we can't allow it to stand, even while we review the case on the merits. That's a much harder standard to overcome. The Supreme Court would have to see that this type of law would cause irreparable harm to these tech companies. If I'm the tech companies, I could very plausibly allege that type of harm for a number of reasons. One, the nature of these platforms is going to be fundamentally different if they lose their right to do content moderation.
Dave Bittner: Right.
Ben Yelin: I've said this several times in the past. I think it's true for me. I think it's true for you. We would leave those platforms if content moderation was so weak or insufficient that we were confronted with offensive, troll-ish (ph) so-called viewpoints.
Dave Bittner: Yeah.
Ben Yelin: Whether we believe in a robust First Amendment or not, that would just be a very unpleasant experience for us, and we'd leave that platform. If enough of us leave the platform, they're going to lose their advertising dollars, and that's going to be irreparable harm to their business. And I could see that happening. I mean, if our feeds get clogged with a bunch of, quote-unquote "viewpoints" that are so unpleasant and objectionable, and Twitter or Facebook is banned from doing any type of content moderation, I think a lot of people are going to leave the platforms.
Dave Bittner: Yeah.
Ben Yelin: So I think you could certainly argue irreparable harm there. If they don't reach that irreparable harm bar and there isn't an injunction, then this law will stay in place until the Supreme Court hears it on the merits. Like I said, if I had to guess, I think the Supreme Court is going to reverse this decision. But there's no way to be a hundred percent sure. And we could be entering a new era where the teeth of content moderation have been extracted from these websites. And, basically, the Texas state Legislature, or any other state legislature, could determine what type of content is permissible on these private platforms.
Dave Bittner: Well...
Ben Yelin: And that's really a fundamental sea change.
Dave Bittner: Suppose the Supreme Court agrees with the 5th Circuit here and says, yes, you're absolutely right. And after that, you know, chaos ensues, you know? It just - it's clear that it's unworkable. Is it then up to Congress to come in and try to make - you know, make sense of this?
Ben Yelin: Yeah. So Congress could do that. They could preempt Texas state law or any other state law by passing a law, either explicitly preempting it, saying that this is an area of federal concern and our laws will preempt yours, or they could implicitly preempt it by coming up with sort of a nationwide standard. And in that case, courts would likely find that the federal government's rules preempted state rules 'cause the internet is a national thing. You can use it in all 50 states. And therefore, it falls under federal jurisdiction. Federal government has the right to regulate interstate commerce. The internet is pretty clearly interstate commerce. So they could do that.
Ben Yelin: But you kind of just have to question all of these legal precepts. I say things like, oh, well, you know, the Congress could come in and pass a law preempting state law. If we're throwing into question decades' worth of First Amendment law and internet law, what's to say that the courts won't step in and reverse decades' worth of law on preemption? I mean, we're in a whole new world. Everything's changed here, and we have to rethink some of these doctrines that we thought we understood. So the answer is yes, Congress could step in. I think they could pass a law that clearly preempts state law. But I - that's not a hundred percent foolproof. And, as we've mentioned many times, Congress has a really difficult time agreeing on laws that are politically controversial.
Dave Bittner: Yeah.
Ben Yelin: And this would certainly be politically controversial in a polarized Congress. So that would be very difficult, even if the Supreme Court stepped in.
Dave Bittner: All right. Stay tuned. Time will tell (laughter).
Ben Yelin: I'm sure we will talk more about this. And there's so much to this case. I recommend that people read up on it if they can. We'll have more in the show notes. I tried to do it justice.
Dave Bittner: Yeah.
Ben Yelin: But I'm still wrapping my head around it, and I think it'll take a while to digest.
Dave Bittner: Yeah. Yeah. Well, in the interest of time, we're going to make that our only story this week. We would love to hear from you. If there's something you'd like us to consider for the show, you can email us. It's caveat@thecyberwire.com.
Dave Bittner: Ben, I recently had the pleasure of speaking with Gary Brickhouse. He is from GuidePoint Security. And we're discussing, you know, some of the volatility we're seeing in the cybersecurity insurance market, something that touches most organizations these days. Here's my conversation with Gary Brickhouse.
Gary Brickhouse: You know, from a cyber liability insurance perspective, I think companies - obviously, those insurance carriers saw a need - right? - just in the same way that they - you know, if you look back over the history of, you know, needing insurance for your vehicle or for trips or for, you know, natural disasters like hurricanes, there was always a need for it. And if, you know, any time there was an opportunity to protect an organization or help them - you know, protect them financially, you know, to help reduce the amount of losses incurred, great. It's a great fit. And so, you know, over the last few years, you certainly saw this, you know, sort of jump up pretty dramatically, I would say, in terms of helping companies reduce that risk and give organizations - you know, in the same way that we do risk management work for all aspects of our business - right? - this was just one more way to reduce the risk of, you know, the financial hit of having, you know, either the ultimate impact of a ransomware event or operational issues tied to it, you know, whatever those things might be. And I think - and so I think they did a good job of putting offerings out there and allowing companies to, you know, pay into that and cap their, you know, liabilities, you know, as best they could.
Gary Brickhouse: But then what you saw - especially, you know, within the last, I'd say, two years in particular, with the amount of, you know, ransomware, as it continued to rise, as organizations were continuing to sort of cash in, so to speak, on their insurance policies - I think the - you know, the insurance companies found out really quickly that, hey, wait a minute. You know, we're hemorrhaging quite a bit of money on behalf of these companies. And so I think it - you know, really, to bring it up to where we are today - in a really fast, you know, statement - you know, I think they realize that, man, we took on a lot more risk than we had anticipated. And we didn't anticipate that organizations would be, you know, relying on these policies as much as they have needed to. And so whether that's a statement on, you know, sort of the state of our industry - and maybe the insurance carriers didn't quite, you know, anticipate a spike in ransomware, for instance, right? And they sort of got caught.
Gary Brickhouse: The other thing, you know, that I always think about is, you know, they just don't - they haven't historically had the claim data - claims data to really make educated decisions about it as, say, like, hurricanes, for instance, right? I mean, we have decades' and decades' worth of claims data on hurricanes - you know? - how impactful it was and, you know, how many people filed claims and what were the claims - you know, what was the average claim amount and all those sorts of things. And the same, obviously, in the - you know, in the automobile industry. But we don't have that in cyber today, and we're getting it very quickly, obviously. And they're in hints, right? I think that's why you see all the activity today that I'm sure we're going to unpack more around - you know, just sort of rising premiums and all the scrutiny that's going into an organization's ability to get liability coverage.
Dave Bittner: Yeah, it's interesting to me to see how there's been this shift. And cybersecurity companies are, in some ways, you know, driving security practices within organizations - the insurance companies, you know? It's similar to - I think it's similar in the way that, for example, if you're going to insure a building, you have to have sprinklers, you know? You have to have fire - those sorts of things. And we're seeing that in cyber as well.
Gary Brickhouse: Yeah, absolutely. And what I would even say - and again, they have the same sort of standards that you're referring to. You know, those are becoming more and more sort of stated and known. What I would say is - I really make - it makes me think about two things. One is from a controls perspective - like, again, to use the sprinkler analogy. You know, they're really focused on things like multi-factor authentication and endpoint protection. You know, the logging and monitoring that comes with that encryption - right? - is a big deal. So those are all becoming sort of these baseline fundamentals of what's expected, you know, from an organization.
Gary Brickhouse: Now, what I would say is, you know, again, over the past few years, it started with, you know, more or less of a yes-no checkbox. Do you have this? Yes or no. And they sort of took that answer. And so I can tell you, you know, within our own organization of having to go get cyber liability insurance - right? - it - you know, several years ago, it was a, you know, fairly straightforward yes-no checkbox sort of exercise. And that has only grown in complexity. And so now I would say it isn't enough to just say, well, yeah, we have multifactor authentication. They want to see evidence of that, right? They want to see that - your configuration. They want to see how your endpoint devices are being managed to, you know, the - like, the EDR controls, for instance. You know, how are those systems locked down to make sure that they are configured appropriately, and how often are they getting updated? Again, so it isn't just enough that, hey, I have this in place or I'm going to tell you I have this in place. We're seeing a big push from the insurers to really want to validate that. You know, so those validation exercises - and, frankly, the - or, subsequently, the time it takes is just increasing, you know, dramatically to go do all those things.
Dave Bittner: You know, something we've talked about on this show from time to time is the notion that - or the question, I suppose - could cybersecurity insurance go the way of flood insurance, where the private companies say, we can't handle this and the federal government ultimately becomes the backstop? Do you suppose there's a possibility we could be headed in that direction?
Gary Brickhouse: Yeah. I mean, certainly the possibility's there. What's interesting - what I think sort of will play into that discussion is - again, is the scrutiny around policies has - have increased. We're starting to see more and more sort of carve-outs to when they will and will not sort of pay out on those claims. So, for instance, a lot of policies today have a carve-out for nation-state. So, for instance, if the ransomware that you have in your environment is tied to a nation-state attack, they may not pay out that claim. Similar, if it has - like, if it - if you didn't have, say, MFA, multi-factor authentication, deployed fully in your environment and, you know, the attack happened in a particular part that could have been prevented, at least in the carrier's eyes, then they're not going to pay out.
Gary Brickhouse: And so I think as you see sort of more and more of those carve-outs, more and more of those reasons why the insurance companies, you know, will choose not to pay or, you know - I think at some point, could it lead to that? Absolutely. Could I see the government stepping in to some degree and saying, hey, we've got to provide this level of - some base level of coverage here for some of these things? Sure. I think the difference, though, is - you know, again, I think there's a lot of ownership on behalf of the companies to sort of protect themselves and to have the right level of controls. Whereas, you know, in some degree, you know, you can't really prevent a natural disaster, although you can reduce the impact of it. I don't know that that is how everybody feels about malicious activity, right? I mean, I think at the end of the day, people seem to think that, hey, all malicious activity can be prevented. I don't know that I (laughter) agree with that holistically...
Dave Bittner: Right.
Gary Brickhouse: ...But I have a feeling that that will be the pushback, you know, from, say, like, a government side. I think they'll say, well, you know, just do better, right? Do better. You know, improve the controls that you have and reduce your risk, and you won't need the insurance anyway. So I don't know. I see that - it's an interesting question and thought. It seems that if that were to be the case, it seems it would be, you know, more longer-term than near-term for sure.
Dave Bittner: What sort of potential changes do you see on the horizon? If we're headed for hard times financially in the economy, if we're - if we do go into a recession, how is that going to affect the relationship people have with their cyber insurers?
Gary Brickhouse: Yeah. Oh, man, that is such a great question because, you know, what we're seeing right now is a fairly significant increase in the premiums across the board. And so, you know, I don't have a specific number for you, but certainly what we've seen just through our own experience is, you know, usually like a 5X type growth, right? We're not talking, you know, small, incremental, you know, increase. We're talking, you know, significant increase in the premiums. And so I think, you know, that's going to lend organizations - it's going to put them in sort of an interesting perspective, right? Because from an economy standpoint, if revenue's down and economy's down and then now they're having to pay more, to some degree, for less, is it really worth it, right? And the other thing that we're seeing, too, that comes into play is a lot of organizations and carriers now, they're restricting their liability up to about $5 million. And so - and that may not be holistically true. But, again, we are seeing a move of lowering the - sort of that coverage cap to around 5 million.
Gary Brickhouse: Well, OK, so how much am I going to pay out (laughter), and how much am I going to get back? And if I can - the most I can only get back is 5 million anyway, is it worth it? I'll just roll the dice. And so, you know, I think there's going to have to be an interesting conversation. You know, and I think the - you know, history will bear it out over the next year or two of what happens between sort of a - you know, if the economy does continue to go down, we do go into a recession and where companies are looking to invest money. And I will just tell you, like, in this case, I could see people not going down the path - looking for other alternatives, right? They can take that 5 million and invest it in other areas - right? - where they might feel that it better secures them.
Gary Brickhouse: Now, with that being said - just to talk out of the other side of my mouth for a minute - what's interesting is, you know, while that may be happening, we see - especially on, say, like, the service provider side of the house, this is becoming more and more of a non-negotiable, right? This is sort of table stakes. You have - you know, if you're going to do business with me, do you have cyber liability insurance? And let me see it. You know, like, what do you - how much are you covered for? And so, you know, it's going to create an interesting dynamic because, to some degree, some organizations don't have a choice. You know, they're going to have to pay it regardless because if they want to continue to do business, again, that has become table stakes, you know, to continue to offer the services or product that they're doing.
Gary Brickhouse: And again, you can look at some of the data that you see happening out there with, you know, breaches that are tied to service providers and the services that they provide, you know, where - you know, all of a sudden, you have a service provider that has some sort of a breach, and now that breach can impact, you know, thousands of customers. You know, guess what, right? You know, as that attack vector is, you know, right in the spotlight right now, we're only going to see more of that. And that's only going to push requirements for those type of organizations to have, you know, again, some certain level of liability insurance. So to those companies, you know, the economy isn't going to matter, right? They have to do it, you know, just to stay in business.
Dave Bittner: What's your advice for organizations trying to get a handle on this? Any words of wisdom for how to approach things with the rapid changes that we're seeing?
Gary Brickhouse: So what I can guarantee (laughter) - what I guarantee is that at the end of the day, like, the scrutiny that's being provided by the cyber liability companies is not going to go down. It's only going to continue at the pace that it is or continue to grow. And so to that degree - right? - I think companies should start to prepare for that in the sense of, you know, assuring that they have the right level of security controls in place, you know, prior to, certainly, of, you know, either going up - you know, going up for renewal or for getting more - you know, just going for coverage, you know, straight out. Know that you're going to be asked these questions. Know that the organizations are going to do a fair amount of digging and validation of those controls. And frankly, if you don't have these things, you might be in trouble, and you may not get either. You know, you may not get the level of coverage that you want, or you may not get any at all. And I would even say for some organizations who, you know, maybe in years past, you know, they haven't been asked to validate the controls that they have, you can pretty much guarantee that you're going to, you know, on your next renewal.
Gary Brickhouse: So in terms of just sort of advice and preparation, I would tell organizations, you know, just know that that piece is coming, know that they are scanning your environment - right? - from the outside to understand what vulnerabilities you have. You know, they're becoming more savvy in terms of your security posture. And just be prepared to strengthen that as best you can, you know, either - you know, prior to going in and trying to get coverage.
Dave Bittner: Ben, what do you think?
Ben Yelin: I'm worried that we're going to get into the doom loop of federal flood insurance. And this interview didn't do any - didn't do much to assuage those concerns.
Dave Bittner: Yeah.
Ben Yelin: It just feels like the way the threat landscape is now, the cost of insuring companies is increasing. The premiums are increasing. If fewer companies are willing to pay the premiums, that could start an insurance death spiral where there's not enough money in the pool to pay out claims. And I think Mr. Brickhouse talked about that very - in a very compelling way. So I'm worried about how this market is going to develop. Since everyone and their mother is getting hit by ransomware attacks, this is more of a concern. And I think the market is going to have to work itself out where it can properly assess risk and address the needs of customers without going bankrupt as an industry.
Dave Bittner: Yeah. All right, well, our thanks to Gary Brickhouse for joining us. We do appreciate him taking the time.
Dave Bittner: That is our show. We want to thank all of you for listening. The "Caveat" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner.
Ben Yelin: And I'm Ben Yelin.
Dave Bittner: Thanks for listening.