Speaker
Hello and good afternoon, welcome. This is Mishcon’s Digital Session, Turning Words Into Action. What I’d like to do now is just hand to our panellists to introduce themselves. I’ll start with our guest, Vanessa Cathie from Lockton. Over to you, Vanessa.
Vanessa Cathie
I’m Vanessa and a Vice-President at Lockton Insurance Brokers, which is the largest privately-owned insurance broker in the world.
Joe Hancock
I’m Joe Hancock. I’m a Partner in Mishcon de Reya but I’m not a lawyer. I head up our Cyber Security Practice.
Mark Tibbs
My name’s Mark Tibbs. I’m the Cyber Intelligence Director at Mishcon.
Speaker
Okay so, without further ado, let’s move to our first question. This is around cryptocurrencies. Do they create ransomware?
Joe Hancock
There’s no doubt that being able to make anonymous or pseudo-anonymous payments easily has helped cybercrime more broadly. Whether that’s kind of created ransomware or not, I’m not sure. Ransomware, to me, comes from a combination of threat actors that have, you know, historically cyber criminals have not been the most sophisticated, have stepped up in sophistication, a trickle-down of capability from state-sponsored actors to the cybercrime community, for organisations having a higher awareness around the impact of a cyber attack and therefore being able to pay for it and the payment mechanisms themselves. Along with a whole host of other reasons.
Vanessa Cathie
I think that it’s clear that cryptocurrency has definitely facilitated ransomware attacks and allowed them to proliferate. The big advantage you’ve touched on of course, Joe, is the anonymity factor. The tracing of cryptocurrency is certainly far more complicated, for instance, than tracing a bank transfer. So, the criminals are obviously far more likely to get away with it. I think, if Governments regulate to disrupt the flow of digital currencies, this may well reduce the number of ransomware attacks but I also think it’s fair to say that a determined criminal will always find a way to take advantage, cryptocurrency or not.
Speaker
Where does insurance fit into the response?
Vanessa Cathie
The most critical point for the purposes of this discussion is that a typical standalone cyber policy will cover ransom payments. It will also extend to the costs associated with the ransomware, so including the costs of engaging specialist negotiators for instance. They will also cover the first- and third-party costs relating to the data. So, the first-party costs are the victim’s own costs in dealing with the breaches, plus the third-party costs, so the liability for the insured in dealing with third-party claims resulting from a data breach. I think one of the most essential benefits of where a cyber policy fits in and where the insurance fits in is the access to a breach response team. So, this means 24/7 access to experts including a legal team, IT forensics, crisis management and PR consultants.
Speaker
Joe, in a previous life you were an underwriter, so you’ve seen both sides of the fence haven’t you? What are your thoughts on this?
Joe Hancock
I think insurers fit in before the response is triggered. You know, a good broker will be providing you value through the insurance buying process and not just helping you understand what you need to buy but actually what risk you face, where best you can access service that can help you ahead of this being a problem, providing you with good risk management advice from their experience of what the market looks like but also what else is happening out there. So, insurers to me, fit in alongside a cybersecurity team, cybersecurity consultants or the wider kind of response.
Speaker
What we’re witnessing is certainly many insurers being… wanting to take the discussion to before the event to get, again, organisations very much aware of the pro-active measures they do need to be taking. Mark, do you have any thoughts, any additional comments?
Mark Tibbs
There’s been a lot of press and probably sensational media headlines around you know, the role of insurers in a negative way in terms of ransom advice but I think there’s been less focus on the role of insurers in a positive way because they do, in some senses, hold the key to making businesses up their standards. And I also think, reading the Ransomware Taskforce Framework Report, there’s some really innovative ideas for policymakers around how insurers can be more involved. I think there’s some great novel ideas in the way that the insurance industry can actually positively impact the problem that’s been caused by ransomware rather than just being held up as a scapegoat.
Vanessa Cathie
There may be some merit in encouraging businesses that are the victims of ransomware attacks to actually be more open with the details of the actual attack, such that there should not be any stigma in publicising an attack, and a rising tide of disclosure rather than keeping the attack hidden will not only bring these things out of the shadows but will also ensure that the Governments have overall data on these things.
Speaker
The need to share sits at the heart of the solution to much of this. Really, that’s what sits behind the Executive Order that The White House put in place back in May, because really that is all about opening up and really getting to the heart of the problem with organisations sharing more, doing more together. Mark, could I hand to you to explain a little bit more, your thoughts on this, please?
Mark Tibbs
Yeah, my understanding of it is that it applies to Government contractors for the Federal Government. And I think, overall it’s a step in the right direction, it will raise standards. It won’t go far enough because it just addresses those contractors working with Government and Government entities in the US. The Biden Executive Order is going to have a slow impact and it will probably improve standards at a slow rate and it will probably be adopted more widely, I would think.
Speaker
It’s quite an aggressive set of timelines.
Mark Tibbs
Yeah, might be some, you know, problems with overcoming those timelines and the red tape that it introduces might slow things down somewhat.
Speaker
So, it’s a very good initiative, it’s the doing of it that we really need to see some progress and development on.
Joe Hancock
I think that the Executive Order was rushed out as a policy argument to show that something was being done about this ransomware crisis and I think it isn’t going to change a single thing. We know that ransomware’s a problem. We know how ransomware threat actors carry out their operations. We know the TTPs that are being used. We know the problems and we know that organisations still think that cyber is somebody else’s problem or it won’t happen to them. And every initiative I see, always has the core of it, “We should all share more” and it’s one of those statements that you can’t say the opposite of and so everyone sticks it in there and applauds and actually, to me, it’s just rushed kind of policy making. If the Biden Executive Order had a budget associated with it, for any organisation to access, maybe that they match the funding, maybe they said, “If you do any of these things, we’ll provide guidance” that would have made a huge difference. But none of that’s there. The Federal Government needs to get better at doing what it’s doing already - “You need to all share among yourselves. Not really going to say what that is but please share more and I want you to do it to really aggressive timescales,” so everyone will comply with that order and nothing will change.
Speaker
Vanessa, do you have any thoughts on this?
Vanessa Cathie
The attacks on critical infrastructure are increasing and obviously there’s a need to be seen to be doing something to change that. Obviously, the Biden Administration guidelines only really relate to the States and of course, ransomware is not just isolated to the States and it’s important that these measures are replicated for the rest of the world.
Speaker
Is it immoral to pay ransomware operators?
Mark Tibbs
It’s a bit of a blunt thing to say. It’s a bit of a one-size-fits-all to say it’s immoral, as a blanket statement and I suppose people do take that view because it you know, paying a ransom will obviously incentivise other ransomware gangs to do the same sorts of things. In my view, there are drivers that mean that in specific circumstances, the only moral decision would be to actually make a payment. You have to protect your business, protect your customers, protect your employees or even your country. The CEO of Colonial Pipeline which is obviously, and a sort of a seminal kind of attack on infrastructure to some extent, he said that. He said that he didn’t take it lightly but he took it to protect his country because there were so many other businesses in the economy that depended on the pipeline that, okay they hadn’t done everything perhaps they could have done to defend against it but at that point, in that moment, they had no choice, I don’t think and I think it was the moral, the moral thing to do was to try and protect their industry and protect the critical national infrastructures. We should be aiming to be in a position where businesses don’t have to pay. That would be the best position to be in so they don’t have to make those difficult moral choices but yeah, that’s my view on it.
Joe Hancock
There are many things we need to do to solve the cybercrime problem, let’s call it that and not just a ransomware problem but to solve extortion in its widest sense, online and I think that one of those is going to involve stopping the payment of ransoms. But there will need to be a mechanism in place then to support at least the first victims of these crimes who then don’t pay. So, whilst I kind of see this inevitable regulation coming and you’re kind of seeing it through the US Treasury Sanctions where that’s the Government saying, “We’re not really sure we like these payments because we know they’re going to criminal groups. It needs to stop at some point. We’re not quite sure how to stop it.” But you can see how there’s a direction of travel there and I think that is part of the solution but there then does need to be a recognition that if you remove someone’s ability to pay and therefore someone’s ability to recover, somebody else has to step into those shoes.
Mark Tibbs
If it was going to be the case that payments are made illegal tomorrow, there’d be so much pain borne out by so many people and so many countries that it just wouldn’t be practical. Getting to that point would be great and that’s where we should all be aiming, but at the moment that is just not, not viable.
Vanessa Cathie
The FBI has recommended that no payment of ransoms is the way to go but really that’s a rather simplistic approach. There are financial issues here but there are also human safety issues often. To put this in context up here, there were the attacks on the Irish Health System last month and in the US on the Massachusetts Hospital. I think it’s fair to say that when there’s a ransom demand on a health provider, there’s typically a positive response by the patients themselves to the payment of ransom. And I think perhaps as a general comment, ransom payments are potentially more negatively viewed by those not operating in the health spectrum. So, I think you know, to pay or not to pay, it’s obviously a very difficult decision. My thoughts are that if a business can recover quickly then perhaps not paying the demand is the best answer, but I do think that there should be some softening of pressure around whether or not to pay.
Speaker
Any other aspects of this before we move on?
Joe Hancock
I think this year will be the tipping point for some of these attacks. Politicians will be forced into making political responses, once you start attacking healthcare systems, where there is a victim that everyone can agree is not a fair victim. Ransomware groups, I think, have just gone at them, I feel I’m supporting them now but have gone a bit far. They’re not being selective enough in what they’re doing. They’ve really stretched their business model and you might get a ransom from a hospital but you know, you’re not going to be able to do that forever because you’re really going to really turn yourself into a real burning issue that people feel they need to deal with. I expect you’re going to see, as we see, there’s lots of elections coming up in the next few years starting with France not too far away, the UK a couple of years away. Actually there will be some political statements around this and people will take a platform and say, “I’m going to stop this. I’m going to do something about it.” You can see how that then ends up at a military response, which I don’t think is necessarily the right answer but where people could end up.
Speaker
So, what are the pitfalls to some cyber-insurance policies?
Vanessa Cathie
I think two things immediately come to mind. The first involves consent provisions. Sometimes businesses that have cyber policies in place, they don’t realise that when they’ve been the victim of a breach, they can’t necessarily make all the incident response decisions entirely by themselves. They have to be mindful that when they’re engaging service providers post-breach, that they do engage with their insurers as part of the incident response process. I think that’s important to note. Another pitfall I think, is to be very clear on what you think you’ve actually bought or what you have actually bought. We know of businesses that have been caught out because they actually think they have a cyber policy when in fact what they actually have is a limited element of cyber cover under a more traditional policy. To put this a little bit into context, professional indemnity policies have cover for some cyber-related issues.
Speaker
Joe, given some of those potential areas for issues and problems what would you recommend?
Joe Hancock
The fact that not all the decision making is your own anymore is definitely one to consider. The number of times I see incident response policies that don’t reflect the fact that coverage is in place. Often see the insurer put into the same group as Comms, PR, Legal, Data Protection. A bit of an afterthought in there with everybody else. The most mature organisations we deal with, we see the insurer, all of the support that the insurer can provide being taken and also… and being therefore built into the plan as well. I think one of the pitfalls I see is, you are at the mercy of the quality of the provider written into the policy. There are some policies where the response you’re going to get is not necessarily going to help you. I’d say work with your insurer to select an incident response provider that’s acceptable to both parties. Insurers are often agreeable to you having someone else who’s not on their panel, written into the policy. Because the insurer knows that you will get a better response, it will be more cost-effective for them and you’re more likely to have a better kind of claims experience with them.
Speaker
I’ll bring this session to a close. May I first of all thank Vanessa, our guest speaker for joining the panel. Lovely to have you with us today, Vanessa. Thank you for your input. Joe, Mark, thank you again for your views and again, thank you for joining us today. Thank you very much.
The Mishcon Academy Digital Sessions. To access advice for businesses that is regularly updated, please visit mishcon.com.