Caveat 12.4.25
Ep 287 | 12.4.25

Jumping into a time machine.

Transcript

Dave Bittner: Hello, everyone, and welcome to Caveat, N2K CyberWire's privacy, surveillance, law and policy podcast. I'm Dave Bittner, and joining me is my co-host Ben Yelin from the University of Maryland Center for Cyber Health and Hazard Strategies. Hey there, Ben.

Ben Yelin: Hello, Dave.

Dave Bittner: On today's show, Ben has the story of how a new California law might impact web browsers nationwide. I look at the Supreme Court's case involving ISP providers and copyright liability. And later in the show, my conversation with Daniel Woods, Principal Security Researcher at Coalition. We're discussing the rise of cyber insurance exclusions and the consequences of that trend. While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. All right, Ben, let's jump into our stories here. Why don't you start things off for us?

Ben Yelin: So the state of California is at it again. We've talked about this in a bunch of contexts, but they tend to set the national standard in the tech world just because of how large of a state it is. It has the highest population in the country, but also, it's where Silicon Valley is located. So we've talked about that in the context of CCPA, data privacy, cybersecurity, etcetera. The newest law, which was signed by Governor Gavin Newsom last month, relates to web browsers. So the bill that passed builds on CCPA, which granted California residents the right to send opt-out signals. But instead of the past, where browsers were not obligated to make this process any simpler -- you'd have to press that opt-out button every time you went to an individual website. Now, under this law, browsers have to have a clear setting that allows users to opt-out with a single click one time rather than repeatedly going to an individual website and opting out when you're there.

Dave Bittner: So is this a universal setting? Is it set it and forget it? Or is this something -- is it once per website visited? How's it work?

Ben Yelin: Set it and forget it, my friend. So you get that new device, you get your new operating system, you open up your browser, there has to be a very clear, universal opt-out something, usually a button that you have to click.

Dave Bittner: Right.

Ben Yelin: So the fancy term for that, for those of you who are smarter about this than I am, is a "global privacy control signal."

Dave Bittner: Okay.

Ben Yelin: So once you enable this setting, it communicates your opt-out preference to every single website you visit. And this applies to California residents, interestingly, not just when they are in California, but when, A, they are out of state -- which is something that's going to present perhaps some interesting territorial problems -- and also if they're using a VPN and pretending to be out of state. So this has a pretty broad impact. And this is something that privacy advocates have been fighting for a long time, for decades. And it's going to have a big impact in the industry. Obviously, for now, it only impacts the state of California, but web browsers have until January 1, 2027, to comply with the law. And by that time, they will have gone through this process of creating these universal opt-out keys. And now that they're there, I think users in other states are going to want to have them and use them. And so this could potentially become the de facto national standard. And as a result, you might not need some of those third-party extensions or specialized browsers that can perform this function for you. So that's kind of the downstream impact that we could see from this bill. And it's part of a wide array of tech-related privacy legislation. This is just kind of the next frontier. But I never thought, you know, when I first logged on to the internet in the 1990s, eventually we'd be talking about browsers again. Doesn't it feel a little bit antiquated?

Dave Bittner: Yeah, I guess. I mean, okay, a couple of interesting things come to mind. First of all, I guess we should not be surprised that California is leading the way here. At the same time, California is where most of these tech companies are, right? So you would imagine they have a lot of influence, lobbying influence, to get what they want. And yet we have this kind of adversarial position here.

Ben Yelin: Yeah, I mean, it's a really complicated, dynamic relationship. Usually the big tech companies try to pick their battles. So Governor Newsom had said that he supported a broader bill that didn't just apply to browsers but also applied to mobile settings. Which would have gone far further than the bill that was actually signed. So I think sometimes they're responding to the threat for more stringent regulation, and they're willing to agree on a compromise.

Dave Bittner: I see.

Ben Yelin: Sometimes they're not, and they're just against it. And the California State Legislature just goes against their wishes. And it does happen. I mean, they don't have universal pull in the California State Legislature. I think there are a lot of legislators, particularly those who have been elected in the past few cycles, who legitimately care about data privacy. And it's not like, you know, one donation of $200,000 to somebody's campaign committee means they're automatically going to be anti-new privacy settings. Like, I think we're not in that era where it's such an obscure field that the industry has a lot of disproportionate sway on legislative outcomes.

Dave Bittner: So the notion here is that once both California and the browser makers go through the exercise of making this tech work, then that will make it really easy for other states to piggyback on top of it.

Ben Yelin: Yeah, it's kind of a freebie. I mean, states can pass legislation that's equivalent to what California has done. And I'd expect to see that in bluer states, your New England states, Colorado, etcetera. Because the browsers are going to conform to the California law anyway, so you might as well get your name, Legislator X, on a law that protects people's data privacy. Like, look, now it's mandated in this state. Even though browsers in that state were going to be complying with the California law anyway, you get to hold a nice little signing ceremony. So I think that's what the medium-term impact is going to be for the next couple of years as we look to some of those other states. I think this could end up becoming a de facto national standard, even for states that aren't inclined to pass this as a regulation, just because it's really hard to maintain 50 separate compliance standards. And, you know, we've been down this road before with GDPR and CCPA. I think a lot of these companies would prefer to have one federal standard, to have the federal government pass a standard and preempt state laws on this. But they're not doing that. And so states are coming in and are taking advantage of this vacuum and passing their own legislation on their own terms. And it has the impact of creating potentially a new national standard without the consent of legislators from the other 49 states.

Dave Bittner: Is your sense that there are legislators who are just, they're fed up with this? Their constituents are saying, we're fed up with this, enough is enough?

Ben Yelin: Yeah, I mean, it is very frustrating as a consumer to have to jump through hoops to protect your information. And I think the spirit of the CCPA law is giving people that opt-out power. And I think you can't fully effectuate it. I mean, most people use the same five or six web browsers, and if they are not creating this easy, boomer-proof, one-stop shop [laughter].

Dave Bittner: You're getting awfully close to Gen X there, Ben, so be careful.

Ben Yelin: I know, I know. And no offense to our boomer listeners, wonderful generation. But yeah, it's one of those things where it makes things easy on the part of the consumer. And sometimes you just need that little nudge to compel companies to institute these privacy practices. And I think this does come from consumer frustration and that being reflected onto legislators who know a lot about the industry because it's right there in their home state.

Dave Bittner: It's interesting to me reading through this article that they were talking to Tom Kemp, who's the Executive Director of the California Privacy Protection Agency.

Ben Yelin: Yeah, he's taking a victory lap on this one.

Dave Bittner: But he says they don't expect any pushback from the browser makers or from the tech companies. Like there's this -- it seems as though this has been accepted and it's going to be a real thing.

Ben Yelin: Yeah, I think so. I think it's one of those things that like it's easy for a web browser to implement. So if you're going to save your lobbying resources and your best lawyers for some of the other high-stakes battles, like it's just worth sitting this one out. What I'm interested in is what some of these third-party advertisers do. Because third-party cookies, cross-site tracking, all of that stuff is going to become far less profitable once this goes into effect. So how are they going to try to stay afloat with those types of revenue challenges?

Dave Bittner: Right.

Ben Yelin: And there are ways they can do that in terms of how they're producing advertisements for people. And there are a lot of models that already take into consideration CCPA generally and people's ability to opt-out website by website. But yeah, I don't see there -- it's interesting that he said that. I agree that I don't see the industry really fighting on this. I think to the extent that they would have been against this, it's just not something that's worth them investing their time, resources, etcetera, into stopping.

Dave Bittner: So what's your understanding of, if someone does not comply here, would they be looking at fines, that sort of thing? California would be sending them a hefty bill?

Ben Yelin: Yes, we would have civil penalties, so up to $2,500 per violation. And then there's a separate threshold for intentional violation, which is $7,500. Those are the numbers that already exist under the CCPA, so it would just be extended to browsers in setting up this feature. Those seem like small numbers, but then if you multiply that by the potential number of violations for non-compliance.

Dave Bittner: Right.

Ben Yelin: Assuming a lot of people use your browser, like that ends up being real money.

Dave Bittner: Yeah.

Ben Yelin: We also already have a regulatory agency set up by CCPA. So the California Privacy Protection Agency can do things like audits, inspections, fines, all that sort of thing. And then there is a shield from liability, which I think is going to make the tech companies happy if they include the required opt-out feature. So they have kind of the carrot and the stick to comply with this law. It would be a defense in a civil proceeding that they included the state-mandated opt-out features if somebody were to try to argue that their data was stolen.

Dave Bittner: I see. Well, at first glance, I like this [laughter]. I guess the cynical part of me wonders how will the advertising companies figure out a way around it?

Ben Yelin: Yeah, I mean, that's what I keep thinking about here too, is like, there's no free lunch. And now that third-party advertisers, like their entire business model might be ruined, like how are they going to attack us next? Are we going to be seeing ads on our eyelids? Like I just.

Dave Bittner: I just saw this past week that was Stellantis was putting ads in people's dashboard displays and people were freaking out about it. Rightfully so.

Ben Yelin: Right.

Dave Bittner: Yeah.

Ben Yelin: I get it, like the personalized ad model is very lucrative, but companies existed without having those algorithmic tools for a long time. And it's going to be frustrating for them, but I do think there are probably ways they can figure out how to maintain a revenue model without running afoul of this law. And I think there are tools that already exist. They're probably not happy that they're going to have to use them, but I don't think this is going to drive that entire industry out of business.

Dave Bittner: Yeah, absolutely. All right, well, we will have a link to that story in the Show Notes. My story this week comes from the folks over at Ars Technica. This is written by John Brodkin. And this is about the Supreme Court here in the US who are hearing a case that could trigger a big crackdown on internet piracy. I feel as though we jumped in a time machine, Ben, and we're jumping back to the Napster days and, you know, fighting old battles.

Ben Yelin: Metallica and standing up for the industry and saying, you know, don't give my stuff out for free on Napster, yeah.

Dave Bittner: So this is a case that could determine whether internet service providers would be obligated to terminate accounts that have been accused of repeated copyright infringement. And this is coming from a case involving Cox Communications and some record labels, notably Sony. And they're arguing based on the Digital Millennium Copyright Act. There's a lot of quotes from some of the justices here in this article, Ben. Should we go through this and get a little of your inside analysis of it?

Ben Yelin: Sure. I can be the -- you can be the play-by-play man. I'll be the, add my color commentary.

Dave Bittner: Yeah. So they say some of the justices here have questioned Cox Communications' past enforcement efforts. Some of the justices are worried about requiring ISPs to basically be a police force to police these large institutions. They specifically called out universities.

Ben Yelin: Right, because it's much easier if it's individual accounts in a household.

Dave Bittner: Right.

Ben Yelin: That's far more practical. Like, okay, I've purchased Cox Communications. I'm clearly downloading pirated material. There's only two of us in the house. So you have pretty good odds of finding the right person. Think about like a large public university dorm with 500 people who really don't care about pirating music.

Dave Bittner: Right, right.

Ben Yelin: And didn't live through the Napster era and are just happy to get things for free and not have to, you know, pay for the new hot album.

Dave Bittner: Right.

Ben Yelin: And that's, I think, the big issue here. It's not just that these big accounts create significant legal problems, but also just compliance problems. Like it's much more difficult for the cable companies and, frankly, the universities to go in and figure out which one of these 500 students is the one that's pirating the material. And then as Justice Alito said at one point in the oral argument, okay, you've busted the 20 students who've cribbed music illegally off of the internet. They're just going to get 20 more who are doing it. Like there's no end to the process. And there's no -- like shutting down somebody's access or account might not be a sufficient disincentive if people think they're not going to get caught.

Dave Bittner: It strikes me that some types of copyright protection, specifically downloading music, is a horse that's left the barn. And that the music industry is clinging to this notion that their product has more value in their customers' minds than it does, you know.

Ben Yelin: Interesting. So you think the music industry is overreaching here?

Dave Bittner: I do. Well, in that, for example, right, when compact discs came out and I was a teenager and me and my friends ran out and we repurchased all of our favorite albums at $18 a pop, right? Because we must have the pure, crisp, amazing sound of compact discs, right? So there's that sort of running joke of how many times are they going to make me buy the White Album by the Beatles, you know, like over and over and over again. And -- but what I think is that your average kid growing up today doesn't -- who probably has a Spotify subscription, who probably has an Apple Music subscription, one of those major providers, they don't really see there being any value in an individual song, right? If I say to you, what's it worth to download a song? They'll say, I don't know, a couple cents, I mean.

Ben Yelin: In the Spotify context, yeah. I mean, you are paying -- and I guess every circumstance is different. It depends on how prolific a Spotify user you are. Yeah, you're paying a very minimal marginal cost per song.

Dave Bittner: Right. So the record companies in the industry are -- again, I'm using the word "clinging," which is my bias placed upon it. But clinging to this notion that a downloaded song is worth like a $7,500 penalty or something. I don't see that lining up with reality anymore. So I guess I'm happy to see some skepticism from the justices here. You know, the Supreme Court not famously known for being on the cutting edge of what the kids are thinking these days.

Ben Yelin: Certainly not.

Dave Bittner: Right?

Ben Yelin: Yeah.

Dave Bittner: So anyway, that's my own little soapbox editorial here.

Ben Yelin: No, I mean, I think that's a very interesting perspective. Like if you had asked me three years ago, what do you think is the potential risk for liability of Cox Communications to the threat of pirated music, like how vulnerable are they? I would have been like, like it wouldn't have been one of my top concerns. They were ordered to pay $1 billion in damages based on a federal case that they lost. And apparently the music industry was very compelling to a civil jury in thinking that their intellectual property was threatened by Cox's inability or alleged unwillingness to throttle this type of content. That $1 billion in damages was overturned on appeal, but they did maintain a finding of willful contributory infringements, which can carry its own monetary penalties. So Cox is not in the position they were in before the Court of Appeals overturned that extremely high damages bar. But, you know, they're still facing this threat. And I kind of agree with you that it's surprising to see Sony and the rest of the music industry fighting so hard on this. Now, they have a statute behind them. And that's where -- that's kind of their strongest point of emphasis. Piracy is illegal on the internet due to the Digital Millennium Copyright Act.

Dave Bittner: Which is from when, what year?

Ben Yelin: I think it was the late 1990s.

Dave Bittner: Yeah, yeah.

Ben Yelin: So, you know, we're going back a few decades here. And there are processes outlined in that statute for any victim of a copyright to request to get that content taken down. The request, you know, usually that goes to an individual who has pirated the material or has recycled somebody else's content through video. You can use the mechanisms available through the DMCA. It's harder when you're talking about a large cable internet company like Cox Communications. It just seems to me to be a different animal entirely. A lot of it relating to how you prove intent or whether this has been done purposefully. Because Cox would just say like, we're trying, like we're trying to comply with the DMCA, but we're not like actively reviewing every online transaction from our billions of users and putting all of our personnel on preventing the piracy of the latest Taylor Swift song or whatever.

Dave Bittner: Right. And nor would their consumers want them to be. There's privacy issues here, right?

Ben Yelin: Absolutely.

Dave Bittner: And I would also, I mean, a lot of the online communications are encrypted by default, so they don't have a view into it. There's just a lot of -- I don't know, again, I keep harping on this, but it seems to me like the music industry keeps bellying up to the bar about this notion. And, you know, spend your efforts somewhere else. You know, if somebody wants to buy a subscription to Spotify or Apple Music, they will do so, and the music industry gets their cut of that. But if somebody wants to download an illegal copy of, you know, Purple Rain, you kind of have a hard time stopping them.

Ben Yelin: Yeah, and if you throw the figurative army behind stopping this piracy, then that does raise First Amendment fairness concerns. I mean, you might inadvertently stop people from sharing things that don't violate copyright laws. Or people at colleges are going to get busted for false allegations of piracy because Cox Communications is so concerned about this liability. Like it's just a very significant practical challenge and I'm actually happy that the justices recognize this. That, for one, it's unclear from the original DMCA statute whether secondary liability should extend to these internet service providers. And two, even if the intent of that legislation was clear, like, how does this actually work in practice? And I think there was a lot of skepticism from the justices on that. Having said that, though, like, I don't think we have any clear indication exactly where this case is going to land. Like, they're kind of skeptical of everybody's arguments, both Sony's and their co-plaintiffs demand for strict termination and also Cox for not doing enough to curb infringement. So when you have skeptical questions in both directions, it is a bit of a crapshoot.

Dave Bittner: I just, you know, again, getting up on my soapbox, I think the answer here is that we are long overdue for reform of our copyright regime. You know, my personal opinion, copyrights last too long and they just don't reflect the reality that we live in in the digital world where -- the copyright laws are written for a world with physical media. And I feel as though they have not kept up or reflected where we are in the digital world. And so that leads to these positions where these behemoths are going at each other and they have to -- and then they get in front of the Supreme Court and the Supreme Court is.

Ben Yelin: They're sitting there like, all right, guys, like, what are we supposed to do about this?

Dave Bittner: But also applying a set of laws that were envisioned and were effective under the physical media age. So the Supreme Court has to deal with the laws that they have, but the laws that we have, in my view, don't reflect the reality of the world we live in. And that's frustrating [laughter].

Ben Yelin: I agree. And I also agree with the first point that you made, which is probably the most salient to me. Which is like, I kind of thought we had this all figured out, at least as it related to music. Like there was a model that was making everybody happy. I can purchase a service for an extremely reasonable price, considering the amount of music I can then listen to and download. And the companies that own that intellectual property get a nice cut of that. Spotify has a billion users, as does Apple Music. It's like I did kind of think this is a problem that had been solved, which is why, yeah, I'm surprised to see this as an active case at the Supreme Court.

Dave Bittner: I'll share, this is anecdotal and a fuzzy memory of something that I recall from the past. So forgive me if this isn't entirely accurate, but my recollection is that there was a -- back in the late '90s or early 2000s, I remember reading some reporting that the amount of jail time an individual could get for illegally videotaping a movie in a movie theater and sharing it online was longer than the average time served for murder.

Ben Yelin: I'll just ignore the question of whether that's true, because it would be really funny if it were.

Dave Bittner: Yeah, yeah.

Ben Yelin: I mean, we all remember the horror stories from the early 2000s of like, they were going to pick on that one guy who downloaded a bunch of songs off of LimeWire.

Dave Bittner: Or grandma, you know.

Ben Yelin: Yeah, they were going to make an example out of somebody.

Dave Bittner: Right, right. Yeah, you downloaded some songs, and now you owe us a quarter million dollars. Like, I thought cooler heads had prevailed and would come to our senses, but evidently not.

Ben Yelin: We have not. Yeah, we have definitely not.

Dave Bittner: All right, we'll have a link to this story in the Show Notes. I tell you what, let's take a quick break to hear from our show's sponsor. We'll be right back after this. [ Music ] Ben, I recently had the pleasure of speaking with Daniel Woods. He is a Principal Security Researcher at an organization called Coalition. We're talking about the rise of cyber insurance exclusions and the consequences that that trend may have. Here's my conversation with Daniel Woods.

Daniel Woods: So I'd love to start actually in the 1990s when the internet was just starting to be adopted by consumers and companies, and there was this big question, what kind of losses will this generate? And it wasn't actually clear at the time what the main loss drivers would be. So there were companies, some of now the biggest cyber insurance companies, who thought the biggest loss driver would actually be media liability because companies can now, you know, publish blogs, and that essentially means that they are publishers. And they thought that most of the liability would result from that. There were others who thought it would be about fraud, others who thought it would be about security. And the industry wrote pretty broad third-party liability coverage to basically cover a range of scenarios. And that's where I think wrongful collection claims emerged from. Because when they first started to hit the market, insurers were already offering coverage, they just weren't underwriting to it.

Dave Bittner: Well, help me understand that. I mean, is it a matter that different insurance companies kind of place different bets on the things that they thought were going to likely be the real issues here?

Daniel Woods: Yeah, so I guess insurers have theses about what will be the big claims driver, but brokers sit in between the consumer and the insurer. And what those brokers essentially did was they argued for the broadest policy they could. So over time, cyber insurance picked up all these different triggers. It might be a data breach, it might be ransomware, it might be funds transfer fraud where you're tricked into sending money. It might be the media liability I mentioned at the start, when you publish something on your blog and generate liability that way. And then another potential trigger could be wrongfully collecting data about consumers.

Dave Bittner: So where do we stand today in terms of the type of coverage that's available?

Daniel Woods: Yeah, so because -- and this will sound crazy. Cyber insurance never drove that many losses. Insurers always made money. So they just, over time, offered more and more coverage. We've been in a soft market since around 2021, and that means there's an oversupply of insurance. So most cyber insurance policies now will pick up all of the coverages I just mentioned.

Dave Bittner: Well, explain that to me. I mean, I guess I see all these stories in the news, particularly about ransomware attacks and companies suffering big losses. How does that reconcile with the insurance companies still turning a profit?

Daniel Woods: Yeah, I mean, it's a good question. I guess insurers take in however much in premium, and what they aim for is to pay out around 70% in claims. So before ransomware even came around, they were paying out more like 10 to 30, at most 40% in claims. So they were making a lot of profit. Because the gap between 70% and 40% is essentially profit. And then the ransomware wave hit, and when it hit in around 2019 and 2020, it really rocked the market. And there were some insurers paying out more in claims than they'd collected in premiums. So they're definitely losing, you know, they're not making a profit. And those insurers and pretty much the whole market around 2021, 2022 started to hike prices to basically cover the ransomware incidents we were seeing in the news.

Dave Bittner: And so these days, my understanding is there are a lot of exclusions that people will find in their policies. Can you take us through the spectrum of the types of things that have been disallowed?

Daniel Woods: Yeah, so I will say, you know, if you read the news -- these, of course, make very interesting news stories, so you see news reports about them. They're not very frequent in the market. One of the reasons for that is, like I said before, brokers sit between the insurer and the customer, and they have so much market power at the moment that they're negotiating out some of these exclusions. That being said, I think there are some kinds of exclusions related to very specific insurance wording about like the definition of business interruption, how you prove there has been a loss of profit, whether they cover certain contractual disputes. And there are, you know, disputes that are in any line of insurance. I think the interesting one for cyber insurance is disputes over the insured's security posture at the time they made a claim. Because we have seen, for instance, there was a big case in Canada with Hamilton, I think, City Council, and they had on their insurance application said that they enforced MFA. Only when they made the insurance claim, or I guess more importantly, when the threat actor tried to get into the system, they discovered that MFA wasn't being enforced, and that was material to the claim. So that is an example of what you have in mind where insurers exclude claims because of security issues, but they are relatively rare.

Dave Bittner: One of the things I've seen mentioned is this notion of patch windows, where the insurer gives the insured a certain amount of time to apply patches. How does that play out?

Daniel Woods: I mean, the idea here is essentially -- and it all relates to who holds responsibility for a loss. Insurers, you know, could say blanket will cover everything. The problem there is you get moral hazard where the customer doesn't take measures to reduce their risk. So the idea behind what I call "CVE" exclusions is that as the insured takes more and more time to patch, you know, a system, then potentially their coverage reduces. And it's typically the times I've seen it, been on a sliding scale where it takes a year for it to reduce to zero.

Dave Bittner: So if I am a CISO and I'm looking over my coverage, are there certain things I should be looking out for? Are there any red flags or potential pitfalls here?

Daniel Woods: Yeah, so I would say, you know, if you're a CISO, you don't really know much about insurance. The industry has developed this, you know, distribution model where the broker sits in between the insurer and the customer. And I think the main thing is make sure you have a specialist cyber broker. Because if your broker is used to selling property insurance, commercial insurance, they probably don't know the ins and outs of a cyber insurance policy. They might not be able to spot exclusions. So I actually think it's not the role of the CISO to really, you know, understand coverage language. They should have a partnership with a broker. And part of that partnership from the CISO perspective is accurately representing their security posture to get the best terms possible.

Dave Bittner: It strikes me that we've seen cyber insurance maturing into almost a risk enforcement mechanism. Is that an accurate perception?

Daniel Woods: So I think there's different ways of seeing this. A lot of people expected that insurance would do exactly what you say, that they would enforce exclusions when the customer didn't follow security procedures, they would offer discounts for security controls. I think what we've seen, especially at Coalition, is that that model just creates kind of distrust between the customer and the insurer. And actually, a better model is where the insurer is helping the customer to try and reduce risk. So that's where Coalition does things like scan the external perimeter of a customer. And tell them, like, hey, we've seen this security issue which has caused claims in a bunch of other scenarios. You should probably fix this. And in fact, you can speak to our security support center to help you fix it. So rather than say the cyber insurer is an enforcer, I would say that, you know, the best cyber insurers are actually a partner with their customers.

Dave Bittner: And a bit of a motivator, I suppose, right? Because you know, if you want the best rates, it's in your best interest to take care of the basics.

Daniel Woods: Exactly. And I also think what insurers can do is they have this much broader perspective -- like Coalition has about 100,000 customers. We can observe what causes losses at the other customers and share that information with a customer, so they know that certain security issues are associated with an elevated rate of compromise. Like there's one example we published in our claims report. Cisco ASA devices are associated with a five times increase in the kind of likelihood of reporting a claim. So we have very -- you know, we're sending out zero-day alerts when vulnerabilities are released in those products. We're helping customers make sure that MFA is enforced. Because we just see so much attention directed at those products. And I guess the net of that is one customer makes a mistake, but the other 99,000 can learn from that mistake.

Dave Bittner: What's your advice to those security professionals who are thinking, you know, it's time for my renewal, maybe I'm taking a fresh look, shopping around some. How should I approach that?

Daniel Woods: Yeah, so I would make sure you have an insurer who's actually supporting you. So some insurers will just collect a questionnaire. The questionnaire gets filed away in a drawer. And your big anxiety is, you know, what happens if a breach happens and what I reported isn't accurate? I would say that CISOs and security practitioners should look to work with an insurer who's actively supporting them in their role. So, for instance, you know, one challenge that security practitioners face is they struggle to get the resources to invest in security. An insurer as an external party can help drive that conversation. They can use claims data to kind of speak, I guess, the language of business leaders and help them get the resources to secure their organization.

Dave Bittner: I see. So they can provide you with the resources that you need as a security professional to present to, say, your board of directors, to get the funding you need to properly offset that risk.

Daniel Woods: Potentially in saying, you know, our insurance requires this, is a pretty compelling message. [ Music ]

Dave Bittner: Ben, what do you think?

Ben Yelin: Yeah, this is really a fascinating area for me, just because the industry of cyber insurance is still evolving, it's still at a relatively young age, and they're trying to come up with a sustainable model. I know you and I have talked before about comparisons to flood insurance, where it's just like, eventually the flood and its damages are going to swamp the ability of companies to insure it. And so when we're talking about these large systemic risks, attacks from nation states, etcetera, it's just hard to understand how this market is going to work. So it was a really interesting conversation.

Dave Bittner: Yeah, just this week, I had a story on the CyberWire Daily about Beazley, which is one of the world's largest cyber insurers. They're pulling back from the market because ransomware and hacking claims are driving higher losses; that's from a report in the Financial Times. So some volatility in that industry, if some of the biggest providers are thinking twice about whether or not this is even something they're going to offer.

Ben Yelin: Yeah, and I think that's a scary proposition. Because when you're not insured, whether you're a private business or a local government, like the downstream impact of the inevitable ransomware attack is going to be catastrophic for everybody.

Dave Bittner: Yeah. All right, well, again, our thanks to Daniel Woods from Coalition for joining us. We do appreciate him taking the time. [ Music ] And that is Caveat, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the Show Notes or send an email to caveat@n2k.com. Our producer is Liz Stokes. Our executive producer is Jennifer Eiben. The show is mixed by Tre Hester. Peter Kilpe is our publisher. I'm Dave Bittner.

Ben Yelin: And I'm Ben Yelin.

Dave Bittner: Thanks for listening. [ Music ]