John Smith from ExtraHop on the aftermath of an insurance claim.
Dave Bittner: My guest today is John Smith. He's a principal sales engineer at ExtraHop. Our conversation was sparked by the recent news that Mondelez, a company that owns the Oreo and Cadbury brands, is suing its insurance company for refusing to pay out damages caused by the NotPetya attack. The insurance company Zurich refuses to pay out the policy, stating that there's an exclusion for a hostile or warlike action by a government.
John Smith: It's interesting. I first got interested in cyber insurance back in 2014, when a company called Schnucks was actually sued by their umbrella policy. And I kind of saw early on that there was going to be some friction with the insurance company when they started offering, you know, cyber insurance. They wanted to kind of move that out of the umbrella policy and offer that as a separate rider.
John Smith: Obviously, the Cadbury lawsuit that stemmed from that is part of where I saw maybe there being some friction where they weren't quite fully underwriting this in the same way; they were underwriting it more as a hazard insurance, right? Like flood insurance or hurricane insurance - I live in Florida, so both of those are relevant - versus something that is inevitable, right? I mean, I have life insurance, and, you know, it is inevitable that I won't be on this earth forever, and sooner or later, they're going to have to pay. But part of that underwriting was I had to get on a scale, a nurse came, and I had to take a physical. We don't really do that with cyber insurance.
John Smith: So they're sort of - I think what I saw was an issue where maybe the industry didn't have a full understanding of the risks that they were undertaking, really, as not something that is a hazard; it is more something that is an inevitability. And maybe there were going to be some changes. And, obviously, the pending friction with the myriad of both the Merck and the Cadbury lawsuits - both of those have a lot of friction and will be settled in the courts. And so I kind of saw that there were some opportunities there to maybe reassess, you know, how you talk to customers, basically kind of have an understanding of where underwriting is maybe not fully understanding what they're getting themselves into.
Dave Bittner: So where do you suppose we find ourselves today? If I'm an organization that wants to go out and buy an insurance policy as part of the spectrum of tools I want to use to protect myself, what am I going to encounter?
John Smith: You need to have an understanding of at least one of the outcomes you need in order for them to pay out. But if you look at the - where they're basically saying the recent breach was an act of war, an act of war is becoming a common tool that insurance companies are using to basically - to limit their risk and liability for a breach.
John Smith: You have to assume that there will be collateral damage in any state-sponsored cyberwarfare campaign, right? If you look at the U.S. military, they sort of cordon off or they organize their theaters by coms. There's Northcom, Africom, Southcom. Cybercom is a global command, if that makes sense, right? So while - if you look at the U.S. and the Ukraine, we are - I Googled it - we are 5,687 miles away from the Ukraine. And while you might be 5,000-plus miles away from a conflict, if it's a cyber conflict, in most cases, you are digitally fractions of a second away from that conflict. If you have a public IP address, you are basically in theater. So you have to understand exactly what risks you're going to take in terms of what Get Out of Jail Free cards are there for the insurance company. I don't know if I'm using the right term, but...
Dave Bittner: Yeah.
John Smith: You have to understand, like, what are the things that could nullify your policy, right? And you need to understand that we live in this world where if it's a digital conflict, if you have a public IP address, you are in theater, and you definitely run the risk of collateral damage in the way that physical confrontations don't.
Dave Bittner: Yeah, it's an interesting thing to think about. I'll admit I hadn't thought about it that way. I mean, it's - in my mind, I'm imagining that the unlikely happened and Canada found themselves at war with Mexico, and, you know, Mexico is flying a plane over the U.S. heading towards Canada and accidentally dropped a bomb on someone in the U.S. Well, I suppose the insurance company could say you're not covered by that because that was an act of war even though the U.S. wasn't an active member of that war.
John Smith: Absolutely. And in the world of TCP/IP - right? - in the digital cyberspace, everyone is in theater. That's why - again, that's why the U.S. sort of isolates that as a single command because it is a global conflict. Like I said, in general, you are faster than you can blink in terms of how fast it takes for communications to get to you. So you're always in the blast zone when you're on the public internet, and so you have to have that understanding when you negotiate your policy with your insurance company.
Dave Bittner: It also strikes me that it seems as though some organizations - they kind of try to have their cake and eat it, too. And what I mean is this - that they will say - perhaps just from a PR point of view, they'll say, well, we got attacked and the data was breached, and we believe this was a nation-state, and so, goodness, gracious, there's nothing we could've done about that because it was a nation-state. But I suppose that opens them up with their insurance company for the insurance company to say, well, OK, if that was a nation-state, then, you know, act of war. We're not covering you.
John Smith: I agree. In fact, we're probably going to have to wait for the courts to settle this and determine at least how that's liable either way, right? One of two things I think will happen, and I'm not a legal expert or an insurance expert. But what I will say is that if the insured prevail, then you're going to see tougher policies and you're going to see something a little more consistent with the underwriting of health care. You know, if - you know, for me, take, for instance, I was a little heavy and my blood pressure was a little high, and I paid a little bit more. Now I made some lifestyle changes, and now I'm paying less.
John Smith: And I think you're going to see the act and the practice of underwriting cyber policies evolve drastically to one that accommodates - both incentivizes the insured but at the same time also gives some assurances for the company that's on the hook, basically, that they're doing all they can to prevent the breach, right? If I'm a race car driver or I like skydiving or if I build my house on the beach in the Caribbean, my homeowner's insurance is going to be much more expensive and, obviously, my health and life insurance runs the risk of being more expensive. So I think what's going to happen is both to the insured and the insurers - how they work with one another is going to evolve over time.
Dave Bittner: That's John Smith from ExtraHop.