Caveat 11.9.23
Ep 194 | 11.9.23

Transforming the cyber risk environment.


Scott Stransky: And now cyber risk is even bleeding over to the real physical world. So you can imagine a CAT event where bad actors take over a dam or a power plant and cause physical damage to property and lives by using cyber means. We've seen a few examples of this in the past, but we haven't seen anything at the large scale that would truly be a catastrophe yet. Luckily, those are the types of events that we need to be prepared for in case they were to happen.

Dave Bittner: Hello, everyone, and welcome to "Caveat," the CyberWire's privacy, surveillance, law, and policy podcast. I'm Dave Bittner. And joining me is my cohost, Ben Yelin, from the University of Maryland Center for Health and Homeland Security. Hey, Ben.

Ben Yelin: Hello, Dave.

Dave Bittner: Today, Ben discusses a new antitrust lawsuit against Google. I've got the story of California putting limits on license plate data. And later in the show Scott Stransky of the Marsh McLennan Cyber Risk Analytics Center is here to discuss developments in ransomware, cybersecurity investment, cyber risk analysis, and how artificial intelligence may transform the cyber risk environment. While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. All right, Ben. Let's jump right into our stories here. You want to lead things off for us?

Ben Yelin: Yes. This is one for the gamers out there. Do you play Fortnite, Dave?

Dave Bittner: I do not. But my son is an active gamer, so I kind of -- I absorb these things through osmosis by cohabitating with him.

Ben Yelin: That's right. I'm the same way with a lot of friends. I'm not a gamer myself.

Dave Bittner: Right.

Ben Yelin: But I know how obsessed people are with Fortnite, which was created by Epic Games.

Dave Bittner: Yep.

Ben Yelin: And they have sued Google, and this case is going to federal court in San Francisco. There's going to be a month-long trial. And it is a new antitrust lawsuit against Google. So we've talked a lot about Google's legal troubles. They're kind of being attacked on all fronts. They're currently facing off against the Justice Department in Washington, DC, basically, on another antitrust claim, that they are abusing their dominant position in search engines and advertising to crush their rivals. Previously, Epic, the parent company behind the Fortnite games, had sued Apple. The allegation is that it's an antitrust violation that you have to make purchases through the App Store because Apple in the Apple App Store takes a cut. I think it's like 15%.

Dave Bittner: It's -- yeah. It's -- it -- depending on who you are, it's either 30% or 15%.

Ben Yelin: Right. So for bigger companies with larger assets, I believe, like, it's -- is that how it's determined, based on the level of assets? Yeah.

Dave Bittner: Yeah. But it's still -- I mean, it's a size -- it's not like the couple of percent you pay to the credit card company. It's a sizable chunk.

Ben Yelin: Totally. So Epic Games had sued Apple. They went to federal court. Basically, Apple won on almost every issue. That was a bench trial, a civil trial. So Epic Games is now suing Google, and there are a couple of things that are different about this case. One is that Google on their devices allows for sideloading. So what Epic Games tried to do is they told their users that you could purchase things within the game itself so that you would not have to go to the Apple Store. And Apple -- and Google, I guess, did the same thing, removed Epic Games or Fortnite from the App Store as a punishment. And this is sort of the antitrust charge of the whole thing. It's different with Google because they do allow what's called sideloading. So you can download games, programs, etc., from the internet browser on a phone instead of the App Store. But, to do so, you have to jump through a bunch of procedural steps. I don't know if you know exactly how this works. I don't have a Google device. So I've never done this.

Dave Bittner: No. I don't either. But I think it's along the lines of just the way that you would load something onto your desktop PC where you can just go to the company's website, decide you want to download something, download it, install it, and that's it.

Ben Yelin: My understanding, and this is based on the filings in the lawsuit, is that Google has made this process very difficult. There are a bunch of warnings that come up that are like, Are you sure you want to do this?

Dave Bittner: Right.

Ben Yelin: If you do this, your device might spontaneously combust; and, you know, you'll be sent out into outer space as punishment for your bad deeds.

Dave Bittner: Yeah. Well, and I think it's fair to note that Apple kind of led the way with this with iOS of only allowing things to be installed through the App Store. And that has led to significant security benefits over being able to load things. So there's a -- there's a major reason why they do that, and Apple will argue for that. But the flip side is you've got to look at it and say, Yeah. But Apple is also getting their significant revenue for everything you do.

Ben Yelin: And Google is getting the same cut in the Google Play Store. So, really, the facts on those grounds are similar. But there are two differences in this case. One, as I said, is the sideloading.

Dave Bittner: Right.

Ben Yelin: The other big difference is the fact that this is going to be a jury trial. So the previous Apple trial was a bench trial, meaning the judge was both the finder of fact and the finder of law. In a jury trial, it's the jury that is the finder of fact. So now you have normal people -- I assume it's going to be six jurors, as there are in most civil trials -- making a determination about whether this qualifies as anti-competitive practices. It's largely going to center around the question of what is the market here? Are we just talking about the market for App Stores, the market for video games, the market for online gaming? And are these practices that Google has introduced inhibiting others from joining whatever market is at issue in this case? What's interesting to me is the fact that I think a jury might be more sympathetic than a judge would be. A judge, while looking at precedent, a legal precedent is going to have some degree of knowledge both about the law and is going to understand something like the security features that are present and having Apple and Google require you to download things from their app store. Juries are not experts. They are lay people. Could be your grandma. It could be a tech bro who lives in downtown San Francisco in a, you know, billion dollar apartment.

Dave Bittner: Right.

Ben Yelin: So it's, I think, a risk for the defendants in this case, Google. Both parties have agreed to have this be a jury trial. The other interesting element of this is that Google originally had a consolidated lawsuit against Epic Games, but all of the other parties, and these are -- or, I'm sorry. It was Epic originally had filed this lawsuit against Google with a bunch of other parties. All the other parties settled outside of court with Google Play. So Epic is kind of entering this battle on their own. It's just going to be a really interesting trial, and I'm curious to see if, when you try to explain this to lay people, if it comes off as such an anti-competitive practice that it violates both state and federal antitrust laws. So I'm going to be keeping a close eye on it. I think it has a -- the potential to be very significant in how we use applications on our devices, and our future ability to be able to download anything without going through that sort of Google Play Apple Store gate.

Dave Bittner: Is what Epic Games is after here the taking down of that walled garden, not just for Google but across the industry?

Ben Yelin: Yeah, they are. So their prayer for relief in their civil complaint would be to force Google to alter its Play Store rules, allowing companies to offer competing app stores and making it easier for developers to avoid the cut it collects from these in-app purchases. So that is their prayer for relief here. There's kind of a free rider problem, to be honest, on the part of these other companies that were a part of the lawsuit. They settled with Google. But somehow, if Epic wins here, it's not just going to apply -- the verdict isn't just going to apply to Epic. It's going to apply to everybody who wants to create some type of alternative to the Google Play Store. So I find that aspect of it really interesting. But, yeah. That is the prayer for relief here. It is to start to tear down that wall, in the parlance of Ronald Reagan, and take away this barrier that requires every single purchase to go through the App Store and make it subject to those additional fees.

Dave Bittner: It's interesting to me that they're pursuing this with Google. And is my understanding correct that they already lost when pursuing this against Apple?

Ben Yelin: That's correct. They lost on almost all elements of the case. There were narrow parts of it where they got a judgment. But they lost -- their case in chief they lost, yeah.

Dave Bittner: It seems to me like the stronger case would be against Apple because Apple doesn't allow sideloading. Can't Google just say, hey, look. Sideload.

Ben Yelin: That's what they're trying to say. But Epic in the complaint is saying, well, sideloading actually doesn't really solve the problem of these anti-competitive practices because not only are there a bunch of procedural hoops you have to go through but, for somebody who's not technologically savvy, it can almost be prohibitive to try and download something away from the App Store. I didn't read the briefs carefully, and you'd probably understand the technology more than I would. But it seems like it's not as simple as me or you just going in and sideloading one of these applications. Like, it takes a bit of effort. You have to disable certain settings on your phone. Like, it's a whole -- it's a whole to-do.

Dave Bittner: Yeah.

Ben Yelin: So, in that case, in effect, it is an anti-competitive practice, even though there is this alternative option. Now, Google is going to argue and I think rather persuasively in the court proceeding, because they have sideloading, yeah. Our -- their case against Epic Games is even stronger than Apple's. Apple's won the case.

Dave Bittner: Right.

Ben Yelin: But the variable factors here are the fact that this is a jury trial. And you're going to have people on the jury presumably who use these devices and might not be aware that, for all the applications they download, Google was taking a 15 to 30% cut of the profits. And they might not look favorably on the fact that people have to jump through all these hoops to identify an alternative. So that's really the variable factor here. Juries are unpredictable. There's a reason why you want to take a risk with a jury. If you think your argument is going to be more persuasive to a layperson than it is to a judge with expertise, then you're going to request that jury trial. But it's also risky because juries are fickle. You don't know what the makeup of the jury is going to be. You don't really understand the jurors until you kind of observe them during the trial. I mean, there's a process to strike jurors for cause, and each side has some peremptory strikes. But, really, it's kind of a crapshoot when it comes down to it. And there are also -- I think there's going to be more of a performative element to this trial. Obviously, you want to perform in front of a judge when the judge is the finder of fact. But there's a way, you know, attorneys act around juries to help make them feel more favorable to your side.

Dave Bittner: I've seen LA Law, Ben. I've seen Law and Order.

Ben Yelin: So you understand the legal system better than anybody. Yeah.

Dave Bittner: Well, well, sure.

Ben Yelin: I object, Your Honor.

Dave Bittner: I'm practically an expert. Yes. I've seen A Few Good Men. I'm familiar with a courtroom drama.

Ben Yelin: Oh, yeah. You know, the OJ trial was the best courtroom drama ever.

Dave Bittner: Sure and sure.

Ben Yelin: That was about Johnnie Cochran, in particular, having this connection with the jury where he would look them in the eye, and they would see him favorably, despite the fact that his client was probably guilty. So yeah. I mean, that's just the risk you take with a jury trial here. I find it interesting that that's the path that Epic has chosen to go down.

Dave Bittner: Yeah.

Ben Yelin: They're on this losing streak in court, and they're trying to take a different approach here. And I'm just curious to see whether that makes a difference on the ultimate adjudication with the case. I'll also say, in civil trials, there's something called a judgment notwithstanding the verdict where, if the verdict is something that's just plain wrong as a matter of law, then the judge, in some circumstances, can just reverse that verdict. There's also, of course, the avenue of appeal for each side if they lose. These things don't exist in criminal court. If a defendant is found not guilty in criminal court because of double jeopardy, the state can never appeal. And there is no judgment notwithstanding the verdict in criminal trials. So give you a little Law 101 lesson on the day, just some elements that'll be interesting here.

Dave Bittner: I'm curious too. You know, you mentioned the expertise or the potential, the aspirational expertise of a judge, hearing something like that. This -- is this based on the assumption that a judge taking their job seriously would cram up on knowledge about whatever is being put in front of them in a way that perhaps jurors would not?

Ben Yelin: Yeah, especially federal judges. Sure. I mean, there are certainly exceptions. But they're going to be pretty competent and know how to do research and hire clerks that can make them instant subject matter experts in a way that a jury just can't do. I mean, I think judges want to uphold their reputations as being reasonable as people who study the law, study the facts, and make educated decisions. I think jurors are told that they should do that. But they're also human beings who might, you know, run their own food service business or have some type of service job. Like, they're not familiar at all with this technical field.

Dave Bittner: Right, right.

Ben Yelin: So, yeah. It's just a -- it's certainly a greater risk there really for both parties because you just don't know what to expect from a jury in these circumstances.

Dave Bittner: Right. Interesting. All right. Well, we will have a link to that story in the show notes. My story this week comes from the EFF, the Electronic Frontier Foundation. They put out a little notice highlighting that California's Attorney General Rob Bonta has issued guidance stating that automated license plate reader data is not to be shared with out-of-state or federal agencies, that that is, in fact, illegal. Automated license plate readers are something we've touched on here many times. And I think this is quite interesting.

Ben Yelin: I would just like to say I'd like them outlawed because now the main highway that goes through Baltimore City, 83, has speed cameras. Oh, those are aggressive. For all of you who live in Baltimore, you've probably gotten many notices that are a direct result of these automatic license plate readers. But I digress.

Dave Bittner: That's one of the -- it's one of the value propositions of a -- of a GPS system like Waze where it can tell you, you know, speed camera reported ahead.

Ben Yelin: Right. Exactly. Now, you could just drive slower but --

Dave Bittner: Well, there's time for that. Who has time? But I find this interesting. And one of the -- like, this is some of the trickle down things, how everything is related. A big part of this is abortion --

Ben Yelin: Absolutely.

Dave Bittner: -- and the overturning of Roe versus Wade. And what we've seen from some states to try to ban interstate travel or to try to punish people traveling between states or out of states to seek medical procedures like abortion. And I guess this is California saying to those states, we are not going to share that information from our automated license plate readers. Don't even ask. In fact, we consider that to be illegal. Am I on track here?

Ben Yelin: Yeah. I think a lot of this is motivated by abortion in the wake of Dobbs. You've seen this in a number of blue states. Because abortion has been, for all intents and purposes, outlawed in a bunch of states, there is going to be -- there are going to be people who travel for the purpose of seeking an abortion. And we've already seen some pretty aggressive investigations in red states, including some that are close to California. There was recently a case reported in Idaho where they used a bunch of digital surveillance methods to effectuate an arrest for an illegal abortion.

Dave Bittner: Right.

Ben Yelin: So I think what the red states in these circumstances will try to do is say, hey. We suspect this person of traveling to California for the purpose of getting an abortion, which is illegal in our state. Will you share data that would help us prosecute this in court? And California is saying, in essence, go F yourself.

Dave Bittner: That's the official legal term for it.

Ben Yelin: Yeah. We are not going to share this data outside of California.

Dave Bittner: Yeah.

Ben Yelin: We want to protect people's civil liberties. California also, I think this has to do with the policies around immigration, particularly undocumented immigrants where there's a concern that the federal government is going to come seeking to effectuate arrests or deportations and are going to make use of California's license plate reader data to effectuate those arrests.

Dave Bittner: I see.

Ben Yelin: And the state of California has a policy, and it's a relatively progressive state; it's a progressive Attorney General. I just think they don't want to be involved in that.

Dave Bittner: Yeah.

Ben Yelin: So they're using the powers that they have been granted by statute, this SB34 which passed in California requiring safeguards for the use of these license plate readers. And they're using that to protect California citizens, visitors, residents from the strong arm of both other states and the federal government.

Dave Bittner: Can we go up a level here and explain to me, I feel like up until this moment I have always considered interstate travel to be something that we took for granted here, that there are no -- no border checks between the states in the United States. And, yet, here we have a case where states are saying, if you travel to another state, there could be penalties for that. Is there precedent for that? And, like, am I right in thinking that this is unconstitutional?

Ben Yelin: So there is a constitutional right to travel that's implied in the Ninth Amendment and the Privileges and Immunities Clause of the Fourteenth Amendment. It's not an absolute right, just like any right is not absolute.

Dave Bittner: Yeah.

Ben Yelin: And we have see -- like, states have passed laws that they're not necessarily banning travel for travel sake. But if you go out of state for the purposes of doing something that's illegal in that home state, the State can still prosecute you. So if you go from Idaho to California to obtain illicit drugs, that's still illegal, even though it didn't happen in Idaho, if there's an Idaho law saying you can't travel out of state and bring illicit drugs back into this state, even if there aren't border checks, right.

Dave Bittner: Right. I can't just -- hypothetically, not saying that I ever did this --

Ben Yelin: A friend of yours.

Dave Bittner: I can't travel to Pennsylvania to buy fireworks, bring them back into Maryland, where fireworks are illegal. They could come after me for that.

Ben Yelin: Yeah. Now, I think the equivalent here would be Pennsylvania saying we want to protect our citizens' rights to shoot dangerous fireworks into the sky, so we are not sharing our license plate data with you that shows that Dave Bittner traveled to Pennsylvania on X date and was seen going to a fireworks retailer. I don't think that part of it is unusual, even though there is this implied right to travel.

Dave Bittner: Yeah.

Ben Yelin: Generally, for the purposes of criminal prosecutions, I mean, states want to engage in that type of data sharing because, for most crimes, I think there's a shared interest in prosecution. Right. But we have this major policy disagreement here. The state of California thinks getting an abortion is a protected constitutional right. These other states think it's a crime. So that's what makes this situation unique. And the same is true for things like undocumented immigration, et cetera.

Dave Bittner: Right. I -- because I would -- before I saw this story, I guess I would imagine that this sort of license plate data would be shared as a courtesy, right?

Ben Yelin: Right.

Dave Bittner: The feds come to you and they say, Listen. We're working on something. Would you mind sharing your license plate data? Why not?

Ben Yelin: Yeah.

Dave Bittner: Sure.

Ben Yelin: We'll help. Yeah.

Dave Bittner: We're gathering the data. We're all law enforcement folks here. Have at it. So it's interesting to me that California has put in a bill specifically protecting this information and for reasons I guess I -- personally, I've just never really considered before. But they're -- they seem legit to me.

Ben Yelin: Yeah. I mean, it's well within their rights as a state to do this. And I think this is mostly a statement of policy that California is not going to be a party to prosecutions in other states on the basis of reproductive health. I think that's really the ultimate statement here. This is a story about automatic -- automatic license plate readers, but it's as much a story about California kind of staking out its place as a safe haven for abortion rights and for immigrant rights.

Dave Bittner: Yeah. I'm just imagining it. I wonder to what degree do states have license plate readers at their borders today? I don't know the answer to that. Is that a trend we could see increasing with this sort of thing? In other words, we know when you left; we know when you're coming back, right.

Ben Yelin: Even if California doesn't share, we have video surveillance of when you crossed the border from our state into California is what you're saying.

Dave Bittner: Right, right.

Ben Yelin: Yeah. I mean, I really -- I'm sure our listeners might know. I don't really know the extent to which that already exists. And unlike with countries, like, we don't really closely monitor all state border crossings. Some of them are on really rural roads. Some of them are, like, in -- within residential neighborhoods you can go from state.

Dave Bittner: Right.

Ben Yelin: So I think it's, like, it's just far more difficult to monitor.

Dave Bittner: Yeah. No. It's fascinating. All right. Well, we will have a link to that story as well. And, of course, we would love to hear from you. If there's something you'd like us to consider for the show, you can email us. It's Ben, I recently had the pleasure of speaking with Scott Stransky. He is from the Marsh McLennan Cyber Risk Analytics Center. And we're discussing some of the recent developments in ransomware, cyber investment, and cyber risk analysis. Also some stuff about AI and particularly how all that mixes into the insurance industry. Here's my conversation with Scott Stransky.

Scott Stransky: So my center has three main missions. The first mission is to build models to quantify cyber risk from a financial perspective, meaning, if there's a cyber incident on a certain company or set of companies, how much will that end up costing from an economic perspective and also from an insurance perspective, a cyber insurance perspective. We did this using a lot of proprietary data that we have. For example, we have data on companies' cyber self-assessments. These are things like what cyber controls they may have: Do they have multifactor authentication? How are their passwords, employee training, and other types of things like that? And we joined that with our cyber loss data. Whenever a client does get cyber insurance, we end up finding out if they end up suffering a cyber insurance loss. And we can bring those datasets together to try to find predictive signals. So the first area of focus for our center is on building these types of models. The second area of focus is looking at external datasets, things where we're not going to do it ourselves, either because we don't have the time to do it or because other people are already doing it in a way that we think is quite good. So we go out and evaluate lots of third party datasets to figure out which are the most predictive, again, for estimating financial losses and bring those in to complement the ones that we have ourselves. And, thirdly, we participate in thought leadership activities. This means speaking at conferences and events, writing papers and blogs and articles, and also working with academic institutions to advance the state of cyber analytics.

Dave Bittner: So what is the typical use case here? Who comes to you for this sort of evaluation?

Scott Stransky: We work across our Marsh McLennan enterprise. So on the insurance brokerage side, we're working with corporations all the way from very small mom and pop shops through the largest Fortune 500 companies who are looking to buy cyber insurance to help protect themselves in case they have an incident. And our role is to help them understand what cyber insurance is, how can it help them, how it can be a part of their risk strategy. And then, of course, actually end up going to the insurance carriers on their behalf and getting them the cyber insurance policies. On the Guy Carpenter side, it's a bit different. There, the clients are the insurance companies themselves who are looking to transfer some of their own risk to the reinsurance market. And we act as a broker in that sense. So we look at portfolio risk for an insurance company and try to understand the single points of failure in that portfolio and how those could lead to aggregation risk as we transfer the risk to reinsurers. We also work with our Oliver Wyman colleagues who are doing deep consulting studies with many clients, again, to try to understand cybersecurity from a quantification perspective. Our real mission at the center is to quantify cyber risk for all the folks in the insurance value chain.

Dave Bittner: Let's talk about quantifying cyber risk. I mean, that's an area that I've heard folks talk about quite a bit. Where do we stand when it comes to that? I mean, what is the state of the art there?

Scott Stransky: There are models, and there have been models for almost 10 years to help quantify cyber risk. And they've improved quite a bit. If you think about natural catastrophe modeling, things like hurricanes and earthquakes, we've had models for those for 35, almost 40 years now. So those are quite mature models. Cyber risk models aren't that mature, though they are quite useful for our clients as a decision-making tool. So we have different types of models. For example, there's models for what we call attritional risk. This is risk from your everyday ransom attack, a data breach, maybe a DDoS attack that causes business interruption. And to build these models, there actually is a lot of data available. So we felt quite comfortable in the loss estimates that come out of those types of models. On the other hand, there's another type of model called a CAT model, or catastrophe model. This is for very wide-scale large events. Think about like in the terms of natural disasters, Hurricane Katrina hitting New Orleans, something that's way beyond the scope of a single ransomware attack on a single company. This could be a major cloud provider failing. This could be a power grid failure that takes down a whole lot of companies in a geographic area of the world. It could be a mass ransomware attack. It could be a lot of different types of things. And there are CAT models out there for this type of risk. Since we haven't seen a true major CAT yet for cyber, those models are built with more expert judgment than the models I was mentioning at first for ransomware things. So, while they are very useful, we do have to understand that -- that less data was feeding into them. And we can use them as a tool, as guidance. But, again, we have to understand the limitations of each type of model before we employ them for our clients.

Dave Bittner: Can you give us some examples of types of things that would be considered a catastrophic sort of cyber event?

Scott Stransky: Yeah. I mean, I spend too long thinking about worst-case scenarios. That's a big part of my job. Indeed, a major cloud provider is probably the most common one that people talk about in the cyber insurance industry. If you imagine a cloud provider that has 20, 30, 40% market share failing for some number of days or weeks, that's going to take down a lot of companies that rely upon that cloud. And that can cause a lot of loss, a lot of business interruption in downtime for all of those organizations. A lot of that loss would be insurable. Depends obviously on the exact insurance contract and the exact wordings, but a lot of that loss could be insurable. And, therefore, people want to model that type of risk in advance. But cloud is just one of the things that we can think about. There's a lot of other types of major CAT potentials: mass ransomware. Think about NotPetya from a few years back but just at a larger scale that infected a lot more companies than NotPetya did or WannaCry. You can imagine a case where there's some sort of a wormable virus that just goes from company to company, causing downtime or ransom extortion payments or even data breaches across the board. So there's a lot of that type of risk. And now cyber risk is even bleeding over to the real physical world. So you can imagine a CAT event where bad actors take over a dam or a power plant and cause physical damage to property and lives by using cyber means. We've seen a few examples -- examples of this in the past where people have hacked factories or small dams, but we haven't seen anything at the large scale that would truly be a catastrophe that, yeah; luckily, those are the types of events that we need to be prepared for in case they were to happen.

Dave Bittner: You know, it's my understanding that we've seen quite an evolution of how insurance companies are approaching cyber. I think a big part of it is, as you mentioned, the data is becoming more available. They're getting a better understanding of exactly what they're dealing with. From your perspective, where do we stand right now in terms of the influence that the insurance company have over establishing good cyber policies within these organizations?

Scott Stransky: Yes. So we're getting to a point where insurance companies are going to start to incentivize best cybersecurity practices. If I can take another analogy to the natural catastrophe world, if you live in Oklahoma and you want to buy property insurance on your home, the insurance company may give you a discount if you put hail resistant roofing materials on your home. And that makes sense because then you're less likely to have a hail loss if there is a storm. It may cost more upfront to install those hail-resistant shingles. But, in the end, you do better because you don't have to keep replacing your roof. You don't have contents damaged inside your home. And the insurance company does better, as well, because they don't have to pay out as many claims. So we're getting to the point where this can happen for cyber. For example, today, if a company, say, does not have multifactor authentication, MFA, well, that's a very important thing to have. And insurance companies know that having MFA reduces your risk of suffering a claim. So insurance companies can start to incentivize you to get MFA across your systems. It's not cheap, obviously. But, over time, you can make back that money and lower insurance premiums. And, of course, fewer claims, lower risk to your reputation if there is a cyber incident. And that really does help the whole cyber -- cyber ecosystem become more resilient. And I think insurance is at a great place to play that role because companies biggest -- the big companies in the world are buying cyber insurance policies today. So if the cyber insurers offer incentives for best practices that are known to reduce risk, it really helps everybody, I suppose, except for the bad actors. And that's a good thing.

Dave Bittner: Do you feel as though cyber insurance is at a point, or approaching a point, of equilibrium here where the things balance out, and it's ultimately a long-term, stable ecosystem?

Scott Stransky: So cyber insurance has been around for many years. The first cyber insurance policies, they weren't called cyber insurance, but it was covering the same types of things. They've been around for more than 20 years. So we are at a very stable point. Obviously, the insurance market for any type of risk goes through ups and downs, hard periods, soft periods, etc. But we feel that the insurance market is in a great place for cyber. More and more companies are buying cyber insurance because they see the value. They see that, yeah, companies are getting paid out when it's due. Insurance companies are helping incentivize best practices, which people appreciate. And it's a part of a risk mitigation strategy. It's certainly not the only thing to do. You shouldn't just buy insurance and go to sleep and fire your IT staff. That's definitely not our intention. But insurance is very much a part of a comprehensive risk strategy that you would have.

Dave Bittner: I guess I'm wondering about, you know, we've seen insurance companies who handle traditional risks. And sometimes we'll see them say, We're pulling out of a certain market. You know, there are too many hurricanes in Florida or too many fires in California. And I wonder long-term with cyber, as you say, because we -- we haven't had any of those huge events so far, how will the insurance companies place their bets against those eventualities?

Scott Stransky: Now, I think this is where modeling can be very helpful. If you think back to the natural catastrophe analogy, we had Hurricane Andrew in 1992. Before Hurricane Andrew, there were models for hurricane risk, but the insurance companies did not really rely upon them. And, in fact, 11 insurance companies went out of business during Hurricane Andrew because they couldn't afford to pay out all the claims. So what we don't want to have happen is something like that for cyber, where one day, when we do have the CAT event, the insurance companies are not prepared. Luckily, the models are more advanced than they were back in 1992. As you can imagine, computing power is much better today. The models are much more sophisticated, for cyber and for natural perils. So this is actually a good thing. Insurance companies who are doing proper modeling, building their own models, using models like the ones we've built, using third-party vendor models, we do expect them to be more resilient when a catastrophe event does happen because they're going to be better prepared. They understand what the potential risks are. And they themselves are managing their portfolio better, whether it's transferring the risk to the capital markets, to reinsurers, or just understanding the types of risks that they're taking on in the first place. So it's my view, and maybe I'm coming at it a little from the quantitative perspective, since that's who I am, that cyber quantification actually can help cyber insurance companies be much more resilient when the big one happens.

Dave Bittner: You know, we've certainly seen that artificial intelligence has captured the public's imagination, and I'm curious what effect it's having, if any, on folks in your business. When you're establishing risk profiles, certainly is this something you all have your eye on?

Scott Stransky: Definitely. We have our own version of artificial intelligence within our company. It's walled off from the outside world, so we're allowed to put some of our data into it without it getting exposed to the world. And I think a lot of companies are starting to do that. Of course, there's a risk. If you just go on the public version of some of these AIs and start uploading sensitive data, that's very dangerous because then the bad actors can potentially even ask the AI and get some of that secret information back. So AI has to be done correctly. And our view is that the best way to do that is to, quote, unquote, wall it off from the outside world. That said, AI has a lot of value once it is walled off. You can put in some incident data or logs or historical data and ask it to find things that may be anomalies, or things that a human would have to spend hours looking at to find. The AI may be able to find them very, very quickly. This allows the humans to then do even more important things, better things, improve the cybersecurity in other ways, while letting the AI do the more mundane tasks. So we think AI has a lot of benefits. Of course, there's also some risks. As I said, if you put sensitive data into a public AI, that's a huge risk. Obviously, the bad actors could be doing things with AI to try to get into companies as well. So AI, when used correctly, comes with a lot of opportunity; of course, when used incorrectly, comes with some risk.

Dave Bittner: Do you have any words of wisdom for those practitioners out there who are, you know, shopping around for cyber insurance trying to do analysis of their own cyber risk? Are there any particular questions they should be asking their providers?

Scott Stransky: Definitely. So when we look at cyber insurance risk, we produced a study earlier this year that showed that certain key cyber controls were most correlated with cyber losses. And I can share a few of them here. For example, if you harden your Active Directory structures, you're like 5.58 times less likely to have a cyber insurance loss than if you don't. So that's something that we can now say. Well, here's something you need to do. Similarly, if you patch your systems within seven days of a vulnerability being announced, your risk has a reduction of a factor of over two. You're half as likely to have a cyber insurance loss. There are absolutely things that companies can do. And insurance carriers can start to offer, as I mentioned earlier, incentives for companies doing that, which will improve the cybersecurity of the companies, reduce the chance of a claim for the insurer, and make it a lot harder for the bad actors to get in.

Dave Bittner: Ben, what do you think?

Ben Yelin: AI is really showing up everywhere, in all these places that, I mean, we've been talking about ransomware for years. And I think this is just another area where AI is going to play a really important role, and I thought that aspect of it was really interesting.

Dave Bittner: Yeah. It's fascinating, you know, that we have folks like Scott who -- at places like the McLennan Center who are dedicated to analyzing this and sharing their information, you know, not only with folks in the industry but trying to spread the word, you know, well, through podcasts like ours.

Ben Yelin: Absolutely. We play some productive role in society, Dave.

Dave Bittner: There you go. We'll take it. Take the win. Well, our thanks to Scott Stransky for joining us. We do appreciate him taking the time. That is our show. We want to thank all of you for listening. N2K strategic workforce intelligence optimizes the value of your biggest investment: your people. We make you smarter about your team while making your team smarter. Learn more at Our senior producer is Jennifer Eiben. The show is edited by Elliott Peltzman. Our executive editor is Peter Kilpe. I'm Dave Bittner.

Ben Yelin: And I'm Ben Yelin.

Dave Bittner: Thanks for listening.