Episode Five: Rachel Lavender

FBI Assistant Director Bryan Vorndran: Welcome to episode five of “Ahead of the Threat.” As always, I'm Bryan Vorndran, assistant director of the FBI Cyber Division. And joining me is Jamil Farshchi, the chief technology officer of Equifax. Jumping right into our Top Three for this episode, we're going to discuss reasonably managed encryption. Second, we're going to discuss Scattered Spider. And lastly, we will touch briefly on the SEC cybersecurity disclosure rule.

So reasonably managed encryption, in the recent past, there has been a lot of press reporting on Salt Typhoon. And one of the questions that's always asked to the U.S. government is does the U.S. government support encryption or does the U.S. government not support encryption? And there's been some recent media reporting out there saying that the U.S. government reason– recently changed their position on encryption, and is now recommending it.

Listen, this is all essentially a myth. The U.S. government and the FBI specifically have always supported strong encryption. The addition here is a responsibly managed encryption, right? This encryption should be designed to protect people's privacy, and also managed so U.S. tech companies can provide readable content in response to a lawful court order. So some of this news in the recent cycle is a little bit frustrating, if I'm being honest with you, because it spins some words. The FBI has been really, really consistent about our stance on lawful access encryption. We're actually big, big supporters of it, but it has to be reasonably responsibly managed so that we can get what we need on the other side. Jamil, your thoughts?

FBI Strategic Engagement Advisor Jamil Farshchi: I mean, I completely agree, and you just got to be careful of the headlines that are out there that try to draw your attention and create a lot of ire around folks. Isn't this story some of the stuff that I have heard about it? Isn't it…isn't it…isn't it targe–isn't it referencing you specifically in some of the guidance?

Vorndran: Well, I'm not really ready to go into that. I would just go back to what I just said, which is like the FBI's position is, you know, when it comes to lawful access, when it comes to encryption, it has to be responsibly managed encryption. We're big supporters of strong encryption, but there has to be readable content available in response to a lawful court order. How's that, Jamil? Good?

Farshchi: Amen.

Vorndran: All right. Sounds good. Jumping right over to Scattered Spider. So we're talking Scattered Spider here a little bit today as a precursor, as a seed for what will be our next episode, when we really do a deep dive into Scattered Spider and the resp– the reality is that very few cybercriminal groups have received as much attention over a period of time as Scattered Spider.

Scattered Spider is a group of loose, loosely affiliated individuals that's very, very capable at SIM swapping and social engineering. A lot of the difference between them and some of the others is there is a U.S. presence, right? And that was one of the first times at scale that we've seen a U.S. presence. And so it raises, as a late November press release was issued, really naming four individuals, that ranged from 20 years old to 25 years old, criminal charges tied to Scattered Spider. But again, a very, very prolific group responsible for many of the ransomware incidents and the extortion incidents here in the United States over the past year-and-a-half to two years.

Jamil, within Equifax, within your, you know, industry partners, what are the thoughts on Scattered Spider?

Farshchi: Well, I think that they're really, they've brought to attention some of the weaknesses that some organizations have and quite frankly, how to bypass a lot of the controls that we invest millions and millions of dollars in every year. I mean, if you just go back to last year, I think it was, what, August or September time frame with the MGM and the Caesars breaches, I believe those were, Scattered Spider, as well.

And it … what it brought to bear was the help desk and how it's a weak link oftentimes because you can call, as long as you're able to dupe the help desk agent and tell them that you're, you know, Bryan or Jamil and get them to reset your credentials, then you know you're going to have a pretty bad day. So I think to that end, that in some respects you could argue that it's good in the sense that they made us all aware of this.

And I hear, and talk to folks constantly that are working to solve for this problem. And there's been a whole variety of different solutions that have been put in place to address this. So I think that's good. But I think what's better is that, y'all have been able to identify some of these folks and take them down a path to bring them to justice, which I think is a plus.

The thing I will ask you is, you know, how many more of these guys are out there? And how many copycat organizations are there that are now reusing some of these same tactics that these guys sort of originated?

Vorndran: Yep. So I guess a few thoughts, right? Number one is, this recent press release, I think the date on it is November 20th out of DOJ, it names four, right? But there's been a host of other law enforcement actions, some public, some not public, against this group to try to really, really degrade their capability. The second piece is, and I think this goes without saying, but I'll say it anyway, just because English– people and these criminals are English speaking does not always mean they're U.S.-based. And when individuals are not U.S.-based, it does make our investigation, our ability to generate operational outcomes more difficult. And that's certainly the case here.

Jamil, to your question about how many more? Really hard to say, but what I would say is this: From a trend line perspective, we know that cyber criminals are very, very entrepreneurial. And we would expect that the trend line would increase to where you're going to see more and more activity in countries not just that are Russia, right? And that's what we're seeing here.

Farshchi: Yeah. I think you'll… I think we should expect, I mean, because this is what these guys do, they… someone figures out how to get around some controls and they find some success, I guess, and the bad-actor kind of way. And then everyone else jumps on board and tries to copycat the stuff. So I think that if you're an organization that has not yet addressed help desk authentication and some of these controls around here, you should do it now, because this is– I do not expect this attack vector to go away anytime soon.

Vorndran: Okay, great. And then on to number three, which is the SEC cybersecurity disclosure rule. Jamil, I know you had some things you wanted to raise. Let me just take this one from the top. I think many of those who listened to our… those of you in our audience here understand what the SEC cybersecurity disclosure rule is, what the intent is behind it.

I just remind everybody that if you ever need help from the FBI filing for a request, simply go to fbi.gov/sec. And all the guidance, our internal policy, the rule itself are listed right there as kind of one-stop shopping. But Jamil, I know you said you had an article that you wanted to raise some interesting thoughts on.

Farshchi: Yeah, I ran into it earlier this week and look– so we are now at the one-year anniversary of the SEC cyber rules going into effect. And it has been the talk of the town amongst so many companies over the course of this past year. In fact, just earlier this week, I was asked to go to a tabletop for a large financial institution. And the SEC rules were a meaningful topic of conversation, even at that. I ran into this article. It was in... I saw it in Axios and it was referencing this company called BreachRx. I don’t know who they are, but so they went through and did an analysis over the course of the past year on all of the SEC filings that on… within the 8-Ks that tie back to this, and the findings are kind of crazy to me.

So I'll read off a few of them real quick here. “Only 17% of the 8-Ks specified material impact.” “Less than half of the findings provided specific insights into the organization's incident response procedures.” “Most of the filings describe the company's cyber risks and incident response and disclosure processes in nearly identical generic terms.”

And so when you absorb some of the insights here, it calls into question the effectiveness of these cyber rules. Now clearly there's a few companies out there, when bad things are happening, they are writing these things in a meaningful, thoughtful, useful way for investors. But the majority are not.

And to me, I think–look... I'll mea culpa on this one. I have been a strong advocate for this. I thought that these rules were going to be extraordinarily valuable to the industry, to investors. I thought it would keep organizations more on their toes, but I myself read these regularly. I have the legal team send me the 8-K filings whenever they come in. And so I take a look at them as they come in throughout the year. And I agree with these findings. When I read these things, they're just not substantive at all. And I think one of the most interesting aspects of this is that a ton of companies file these things, despite the fact that they, in the write-up themselves, say it's not material. And the whole point of this is to write it if they believe it is material itself.

So, I don't know. I think there's a lot of work to do here and, and I'm hoping and I know the SEC is working to sort of use this year as, they're going to feel it out and then potentially revisit it, and provide additional guidance later on. But I think if we look at it objectively for 2024, the results just haven't been where one would want them to be.

Vorndran: Yeah. Interesting data for sure. You know, when we look at the SEC’s disclosure rules, it does draw a little bit of a parallel here to IC3, and IC3.gov is really where there's mass filing of fraud and ransomware incidents, etc. It's a site owned by the FBI, but that doesn't really matter. What we're starting to learn is that a lot of companies are using that portal, or counsel is using that portal, simply to document that they filed with law enforcement to meet an insurance requirement, but it doesn't drive substantive engagement, right? And I've had discussion with counsel related to SEC where counsel has said, ‘we will almost never give away materiality, even if we choose to file.’ So some of these trends are starting to show through. That's why I double down all the time, which is, yes, we're in a tech world, but people matter, right? And substantive conversations really matter.

Farshchi: One question for you on this is so you guys play a big part in this whole thing, and you guys are on the front lines as it relates to the exclusionary path for disclosure on these things. And, I don't know, maybe you can answer this question, but, have you seen a meaningful number of companies request deferrals on the disclosure or not?

Vorndran: So I don't want to get into a specific number. I don't think that surprises you, but we have seen companies engage with us to make those requests. And I actually think the process works quite well, right? I mean, what we would recommend always in a scenario is give us a heads up when you're going to make that delay-filing request. Before you submit the form will ask, because there's a lot of conversations that we can have there to just streamline the conversation.

Farshchi: I remember early on you and I chatting about this, and there was some concern that, ‘hey, the volume of these things might be absolutely insane.’

Vorndran: Yeah, we just haven't seen that.

Farshchi: Yeah.

Vorndran: Yep, yep. All right, well, there you have it. The top three for episode five. Again, lawful access and responsibly managed encryption. Second, Scattered Spider, and third, the SEC cybersecurity disclosure rule. We're going to now go to a previously recorded episode with Rachel Lavender of March– Marsh, where we get into a deep discussion about the cybersecurity insurance industry.

***

Vorndran: Welcome back. Joining us today is Rachel Lavender. Rachel, welcome. Thanks for joining Jamil and myself. Do you mind just giving the audience a brief introduction of who you are, your title, your role, and then we're going to jump right into some questions?

Rachel Lavender of Marsh & McLennan Companies: Thanks, Bryan, for having me. Rachel Lavender, I work for Marsh & McLennan Companies. I lead our cyber insurance brokerage practice here in the U.S. and Canada. And I'm really looking forward to the conversation today.

Vorndran: Great. Well, Jamil, I'm going to jump right in if that’s okay with you. So, Rachel, whenever I’m on panels—right?—with lawyers, incident response insurance—there’s only one group of people that says, “Hey, Bryan, can we talk before you go live?” And that’s generally the insurance providers. Can you give me some background about why that may be, and lead into your overall work and what the ecosystem is shaping up to be?

Lavender: Yeah. I mean, I think the ecosystem has evolved over time. You know, there was a time where, as an insurance broker, going out and helping our clients procure insurance was—it was pretty easy right before the threat landscape turned into what we know of it today. I think there was also a tendency of companies not being as operationally reliant upon technology.

So now there’s been a realization by the insurance community that we need all aspects of the business community to be involved and in the management of risk. And that includes law enforcement. And I can imagine having your perspective in some of the work that the FBI does is incredibly important and insightful and helps us all better understand how we can help clients better understand their risk and the threats out there that they face, as well as how to manage that risk.

Vorndran: And, you know, I’m going to go to Jamil here in just a second. I’m fascinated to learn how the industry actually works, right? As things have matured over the last 10, 20 years. But I don’t want to interrupt Jamil, because I know he’s got a whole host of questions he wants to ask you.

Farshchi: No. Go ahead. Go ahead. I think it’d be good for the audience to hear how the industry works, what’re the ins and outs.

Vorndran: I think, you know, we all understand property insurance. We understand automobile insurance, you know? I recently had a tree fall on my house and do massive damage, so I certainly understand that part of the insurance process. But I think it’s a little less clear, from a cyber perspective. What are the things that you think are most important for the audience to know about how the industry works, how you pool risk?

I think it’s super-educational for the folks listening.

Lavender: I think that if you had asked me this question pre-2015, I would have said, well, first of all, a lot of people would have said to me, ‘I don’t have cyber risk. It’s not an issue for me.’ Because there was a perception that cyber insurance was really used for a few key industries that collected a lot of data and, therefore, had a tremendous amount of privacy risk.

So, bad actors getting into the systems to steal information and sell it on the open market: So, it was truly, you know, education, industry, retail, banking, any consumer-facing business. Where we’ve evolved to is now, as I noted earlier, the operational aspect of this and the technology dependency. And so, as a result, the underwriting for this insurance program or process has changed dramatically.

It’s no longer just about, ‘Okay, how do you handle information? How do you protect it?’ But it’s how do you handle all technology. The security of that technology throughout your economic ecosystem, as well as the other aspects of how people engage with that technology. Jamil and I have talked often times about, you know, probably the weakest link, the potential for the weakest link in all of this management, is the employee population.

And so, employee education of their role in protecting the firm from an outside threat is incredibly important. And I know Jamil and his firm spend a lot of time making sure the employees understand how to use the technology in a safe way, as well as how to ‘see it, say something,’ right? If you see a problem, report it up quickly.

I think from the insurance community’s perspective, how that’s evolved is from 2015 to 2018, our insurance market was very immature to a certain degree. We had a lot of capacity, and we were writing a lot of policies for the people who actually thought they had cyber risk. But I don’t know—when I say we were relatively immature, we weren’t really … we didn’t have enough claims data to truly underwrite the risk in an intelligent way. We didn't have the ability to correlate: ‘Will this control … could really help me prevent an attack or someone intruding in my network versus another control?’ We just didn’t have the data to prove that. Now we do. So that’s one of the ways this has changed.

And you know, versus property. Bryan, you mentioned you had a tree fall on your house. I mean, we have 100 … 50 years-plus worth of property issues and wind and hurricanes to sort of correlate and help people better protect their homes. So that’s a big difference, I think, and a fundamental lack of understanding.

Farshchi: I’m curious on that note, of the data that we have now. I know from my vantage point, we have a ton of cyber data that we analyze every single minute of every single day. But what gives you … what has happened to give you more … what data are you looking at, I guess, that helps you feel more confident in measuring the risk?

Lavender: Yeah, I think Jamil, we talk about, in the application process for insurance, most insurance programs require some form of an application, and it looks at … the typical application looks at some critical controls. We call them—Marsh calls them—the 12 controls that we focus on. And that’s after talking to all the underwriters.

But what we’re looking at is the big three being multi-factor authentication, EDR (endpoint detection and response), and privileged access management. Those tend to be the ones that most companies have the ability to outsource and—and bring a tool in to help them manage the security and the information.

But then there’s a series of processes too, right? I mentioned tabletop exercises and incident response planning. I mentioned security awareness and training of the employees. And then there are other aspects around email filtering and email management that go in hand-in-hand with some of those other tools. And then there’s a few other areas that I’ll just talk about: backups, any sort of remoting into systems and how that’s managed, end-of-life systems, and then the digital supply chain, if you will, and overall vendor management.

Those—those last areas that I just mentioned, they can be managed through some of those controls I talked about, but they also require a fair amount of multiple stakeholders throughout the organization, outside of information security, to come together to reach an agreement on what is our risk tolerance for each of these and how are we going to manage them?

Vorndran: So, you go ahead, Jamil. But I was going to … So, Rachel, you’re essentially talking there at the end about the ability to establish the proper culture throughout the entirety of an organization. So, it’s not just somebody in Jamil’s role or somebody in an information security role that has an audit committee that's trying to essentially manage and project risk. It’s organizational culture, which I think is a fascinating part of the conversation.

I’m going to flip the script here a little bit. You mentioned right off the top MFA, endpoint detection, and then privileged access management is the big three, which I think are really helpful for the audience. So, let’s just say I'm a small to medium-sized business and I’m growing and I have revenue of—pick a number—$20 million last year. And I have projected revenue of $25 million next year. I don’t know anything about cyber insurance. Right? Because I probably can’t afford it in a growing environment. What are the questions you’re going to ask me as a business owner in those early conversations? And what would I need to be prepared to answer?

Lavender: I think that that—that’s what we are actually trying to solve for right now in the insurance industry. When you look at that small business, we actually started from $100 million and below; how can we adequately navigate providing those companies with some level of insurance regardless of what risk management tools they have in play?

There are a number of vendors as well that provide sort of a skinnied-down version; a suite of tools to protect your firm. Right? There are strategies that you can use. Many of the insurance companies are providing advice and, and oftentimes have a panel of those vendors that you can review. Here at Marsh, we’ve done the same thing.

We have a security team that we’ve been building relationships with vendors that offer these types of tools to companies. And we help pair those companies together, right? Who are the firms that need the help? Who are the firms that can help them? And we’ll help them … will help the firm that needs the help kind of navigate what are the criteria I need to look at to find the best fit for me?

But then in terms of insurance, what we’ve been doing is partnering with certain insurance companies who realize ... it’s kind of like when you first start up a business and you know, you have aspirational goals. So, there are insurance companies who want to be with you as you grow so they can provide skinnied-down—maybe not as broad of an insurance program as you could get once you reach that $100 million mark.

But start you small and they will give you a roadmap. They will tell you, “Okay, this year you should have a goal of implementing this control. Next year you should have a goal of implementing this control.” So, there’s a realization in the insurance community that we should be invested in helping those companies, in those early stages, so that they can grow, become a safer, better protected firm. And then they become a better risk, which means we can provide them with broader and broader insurance coverages at more affordable rates.

Farshchi: How well—I was there, I was there, I was going there. How accessible is it, though, for these small- to medium-sized players? Because I talked to a lot of them when they have, unfortunately—it’s after they have a breach and they’re asking for advice. And it seems as if it’s difficult for them, especially with the ratcheting up of the control requirements for them to be able to obtain policies. Yet I know that back in the day ... when I say that, I mean, not that long ago.

Lavender: Five years.

Farshchi: Three or four years ago. Yeah, it was—it was many of them did have policies. And one of the things that struck me that I never really appreciated as much as I do today is that they oftentimes—these smaller companies—leverage insurance not just for the insurance aspect to make them whole after the fact, but they use it to your point about partners and things like that.

They use these folks in the event of an incident as well, like the breach coaches and things like that, which turn out to be an invaluable resource to them because they don’t have the expertise to solve a lot of this stuff or have the knowledge to be able to do it on their own. And so, I go back to my question here: Like, how accessible is it for small- to medium-sized businesses to get policies today?

And is that dynamic changing where it’s easier than it was just like last year and the year before?

Lavender: It is easier today than it was 24 months ago. The market has shifted. We have a much healthier market. We have new entrants into the market. We have a number of insurance companies that are targeting that small- to medium-sized business. In fact, many of the major insurers, in cyber—the Beazleys, the Chubbs, and—I don’t want to get into a naming game. So, I want to avoid that. But they are all offering what we call the digital trading platforms. So, what they’re trying to do is make it easier for you to go through the insurance application process. And still collect data themselves to be able to risk, you know, differentiate on risk profile. But provide affordable insurance coverage.

Again, it may not have all the bells and whistles that even a $200 million company has, but it gets you a starter policy. The other thing I will say is that many of the business owner protective policies, what are referred to as BOPs (Business Owner's Policy), that some of these small businesses have, they will have some version of like a cyber coverage extension that you can include. Their agents … they’re probably using an agent, not actually a broker. But many of those BOPs have the option of adding some sort of cyber coverage extension. So, I think that is coming back.

Farshchi: That’s good.

Lavender: A lot of those companies pulled those back or added, you know, exclusions. But I think that that coverage is coming back.

Farshchi: I’m super-happy to hear that. And now I’m going to ask you this question: So, back in the day, I remember as a CISO going through the process and getting interviewed. And I remember back then, yeah, I would walk in there, and I, you know, I’d get just a handful of questions and they would be all over the place. And so basic. I walked out thinking, “How do they know anything more about my program than before I walked in?”

Nowadays, it’s like a Spanish Inquisition going through those things. The amount of data we had to provide and then the number of questions and the number of people on those calls, or in the meetings or whatever, are next level, especially, I mean, at least for a company of my size and stuff like that. How do you see that changing in the future? Is that just the new norm; we should just get used to it and expect that going forward? Or is that going to change?

Lavender: It’s a great question. It’s one I’m asked almost every single day. So, we definitely … the pendulum swung, as you know, you and I experienced it together. We went through that “Spanish Inquisition” or “colonoscopy,” whichever you prefer. I do think we’re coming back to a place where, if you are a company such as yourself, who provides that cohesive, comprehensive application with the underwriting information, where we’re getting to now is, “let’s continue to provide that information.”

In some cases, I have clients who say, “Look, the application hasn’t material ... and my responses to the application have not materially changed in the last 12 months. But I do have updates. It’s not like I’m not doing anything, but I still have MFA, right? Like it’s still the same way it was. But where our roadmap has changed. Maybe we’ve decided to go a different route. Maybe we’ve decided, okay, our new roadmap is moving to the cloud 100%.” So, when we have those types of situations and that requires some planning, right? As your broker, I have to say 120 days out from your renewal date, “Where are you? Where … what journey or adventure do you want to take this year with the insurance inquisition?”

And if we can get ahead of that, we are a … and if we know there haven’t been any material changes in the business … we are able to augment rather than everything on paper, having a call that’s more thoughtful. And you, as the leader of your information security team and technology development team, sort of giving that overarching arc. Which is very similar, by the way, to how directors’ and officers’ insurance is procured for publicly traded companies.

They’re really underwriting to you, Jamil, just as with the D and O (directors and officers), they’re underwriting to the CFO or the CEO or they’re looking to: “What’s your leadership look like? What are you aware of? Are you cognizant of the future and what’s needed by the firm to protect it?” That’s where I think we’re headed is so that we don’t have to do the “Spanish Inquisition” every year. Maybe we just do it every other year. That is actually what was done at one point. There was a time in cyber and professional liability where you only did what we call the “main form application” every three years. Otherwise, it was just a renewal app. And the other two middle years.

Farshchi: Well, I know I’m not speaking just for myself here, but for every CISO out there, we all, we all hope and pray that that reality comes to bear.

Lavender: Now that is only going … I will … I do have to … I want to be careful because I know we have a broad audience, and I don’t want to find out my brokers are starting to hear from them saying, “Well, Rachel said …” What I want to make sure I am clear on is that option is available when companies such as yourself have reached a certain level of maturity with their cyber hygiene. Right?

Farshchi: That’s fair, though.

Lavender: I think you have a very good understanding of your data, where it is, how it’s stored, how it’s protected. You have a journey you’re going through that I’m intimately aware of. That require … It does require a certain level of maturity to get that flexibility. Otherwise, I do think most companies are making so many changes every year that unfortunately, we need that detail to be able to give the underwriters a sense of they’re not sitting stagnant; that they do have a plan.

Vorndran: So, Rachel, from an outsider’s perspective, right? Based on where I work, I obviously don’t have this type of insurance. It would seem that there’s probably three areas of support that insurance provides, right? Number one is traditional remediation cost. Number two is potential litigation risk from loss of data. And number three would be ransom payments, extortion payments.

Just really interested in, perhaps a deeper dive. Your perspective. Are those the three topical areas? Are they wrong or are they right, or are they more expansive than that? And then put you on the spot here: act of war. Right? Is there any clause that if China, Russia, Iran, North Korea caused the problems and caused damages, do the insurance providers look at that differently than a traditional criminal act or set?

Lavender: Oh, I hope you kept track of all that. I’m going to need your help. I’m going to work through it all, though.

Vorndran: No problem there with me. Let’s take the easy ones first: the buckets of support.

Lavender: So, the buckets of support. I think you got it right. The response piece when there is a claim—that’s what in all insurance; it’s supposed to be there to get you through that pain point and make sure you cover those. We call it first-party costs: the costs that you’re incurring in responding to any loss event, that’s covered by that insurance product.

So, incident response: I think you’re spot on. The litigation aspect, which unfortunately is the … can be the piece that makes the severity go through the roof, right? Law firms cost money and their hourly rates continue to be on the rise. The privacy … the people who specialize in privacy are even more costly. I also want to point out that these policies, beyond just the traditional cyber breach, when there’s a regulatory component, it’s a part of this, a part of that privacy exposure that makes it go up even more because defending against a regulatory action related to privacy breach is very difficult. And can take years to work through the discovery because oftentimes there’s a dual component. You have the class action for a publicly traded company that came out of that breach, as well as the regulator that you’re trying to manage. You know, if it’s the CFPB (Consumer Financial Protection Bureau) or, you know, other, similar, or a state attorney general.

And that’s the other part that gets really complicated, is you have jurisdictional issues because you could have multiple states that you're trying to navigate. Yeah.

Vorndran: You know, on that note, really quickly, I was talking to a financial services company, and they have 101 different reporting requirements if there's an intrusion. Right? To your point, I mean, whether that's states, governments, you know, foreign entities; I mean, it’s really, really tough. But sorry, sorry for interrupting.

Farshchi: We’ve really got to harmonize that stuff though. It is …

Lavender: Absolutely.

Farshchi: … It is so hard to manage through that stuff.

Lavender: And that’s why for people like Jamil, getting all of his stakeholders within the firm—legal, HR, compliance, risk management, and finance—needs to be a part of this, right? Because there’s a lot of money that’s involved in this. And oftentimes you’re being asked to front the money and then the insurance indemnifies you back for those, for those costs.

And then finally, you mentioned ransomware or ransom payments, and that is, that is also fraught with regulatory requirements. We all know you got the sanctions list. You’ve got to confirm or at least do your due diligence, that the party you’re paying, to the best of your knowledge, is not on that list. And if it’s … it gets really complicated when the exposure is in another country as well.

So, if one of your subsidiaries is in another country, you have to make sure that ransoms are legal and that ransom payments are legal in that country. Because we do have those issues cropping up—like we even have that issue here in the U.S. in a couple of … like down in Florida with certain types of organizations. So, I think you got the buckets right.

I do want to just say that although those are the main buckets, and we talked about incident response, what I would say the other thing insurance does, and we’ve already touched on this, is giving a business a sense of, we’re helping businesses hone in on, “How do I, how do I think about what my capital expenditures are going to be in the near term, in the long term, with respect to cybersecurity investment?” And that …

Vorndran: Almost give me a growth curve, right?

Lavender: I think that’s a lens. The insurance industry, [you] can say what you want about it. We collect all that data and we have all this claims data, along with all of the underwriting data that people like Jamil and his and his peers have provided. So, being able to bump that against one another of, okay, this company had a claim. This is what they told us were their security controls. Okay, what about this?

And then let’s look at another similar incident. Look at their controls. You can really start to digest in and give Jamil insights into: “We think given what you’ve told us about your cyber hygiene, you should target this as an enhancement.” Right? And then Jamil can take that to the board and say, “Look this is what the insurance industry is seeing. They have more data than anybody else on this stuff. Let’s ... I need your approval to invest in this and add this to my plan.” So, I think that's the only augmentation I would make to your buckets, Bryan.

Farshchi: How about would you ... oh, yeah. Go ahead.

Vorndran: How about this act-of-war conversation? Does the industry differentiate on Russia, China, Iran, versus a traditional criminal actor, etcetera, etcetera, or traditional fraud?

Lavender: Absolutely.

Farshchi: Because wasn’t there … I feel like I read it, Rachel, a little while ago. And maybe we talked about it, I don’t remember. But Lloyd’s of London, didn’t they try to use that clause to get out of fulfilling a policy commitment, or not?

Lavender: So, okay, so I’m so happy I’m getting this question. So, I get to demystify some things. And then I get to clarify and sort of say what is at issue. So, first of all, cyber insurance pays. I want to just say that again: cyber insurance policies pay claims. We pay a lot of claims. If they didn’t, I wouldn’t be on this podcast and I wouldn’t have a job.

So, there was something around NotPetya and WannaCry with respect to a specific company whose property insurer denied coverage under that program because of a business interruption claim that arose out of a ransomware attack. They filed it under their property insurance program, and the property insurer invoked their war exclusion, stating that their property insurance was not going to pay.

So, I’ve said that a lot of times, why am I making that distinction? Because property insurers, although there was some ambiguity in that time period, they have basically moved to a place of saying, “We don’t want to cover physical damage and business interruption that is caused by a cyber event, i.e. ransomware.” Okay, so there’s been all this talk that insurance doesn’t pay for cyber-related events.

It’s not, it’s not every insurance; it’s just the traditional insurances. Cyber insurers will pay for it. Now, I’ve said that. “Now what is this ‘war exclusion’ you talk about? Rachel, why do I have an exclusion on my policy?” Well, candidly, most insurance policies have some form of a war or natural disaster … like they have these sort of catastrophic, systemic exclusions because the insurance industry can’t possibly cover the type of event that we’re talking about.

There’s not enough money out there to cover … because when an event like that happens, it hits everyone. And it would basically make us all insolvent, to try to pay all of those losses. So, what we’ve done in cyber is, the war exclusion has evolved over time to try to account for the types of new losses we’ve seen and the types of … but more importantly, the groups that are sponsored by nation states who are causing these attacks.

Now, what Lloyd’s did in London is they came out and said, “We as an industry, need to do a better job of managing this particular exclusion and how it meant, how it does or does not cover these systemic events, these catastrophic events.” And so, there was a great debate in which Marsh was heavily involved. We respectfully offered alternative wording to them because we felt like some of the wording was too extreme, and that it was inadvertently excluding one-off cases that were not war situations.

So, what we’ve done is we’ve offered a tiered approach where there are criteria now that must be met, multiple criteria that must be met before that war exclusion is triggered. It has to do with things like, can you attribute the group in question to a country? Like, are you able to say, “It’s Russia attacking all American companies,” for example?

I’m oversimplifying, but so what we’ve tried to do is create clarity there, as well as create some exceptions so that … I call it the “innocent bystander clause,” so that okay, yes, it’s a bad actor. And yes, they may have attacked over here in this country, but if there’s spillover and I just get hit by accident, my insurance policy is not going to get caught up in that war discussion.

Right? So, we’ve tried to navigate this exclusion, to ensure that it still has what it needs to prevent that systemic “everyone gets knocked out,” but still preserves the intent of this policy, which is to cover when individual—when an individual company is attacked and has been compromised.

Farshchi: So, the net of it then would be, short of a global catastrophic cyber-attack that takes out basically everybody, we should feel confident that even if it is a nation-state that attacks us, we will most likely be able to make a claim?

Lavender: I think the better way of thinking about it, Jamil, is there are so many hurdles now that have to be met to trigger that war exclusion that … and we’ve—we've been able to put some clarity around that now that … And there are options, right? So, we have some clients who tend to lean towards one option of the war exclusion versus the other because of just the nature of their business.

I think there’s optionality now and I think to … But getting back to your point, our belief is the war exclusion is not going to trigger, which would exclude coverage for the majority of people when it’s just a one-off attack.

Vorndran: That’s a fascinating conversation for somebody in my position, Rachel.

Lavender: It can get really complicated. I have like a whole series of slides that do a very deep dive in terms of comparing the language of the old traditional war exclusion to some of the more modern day—we call them the LMA (Lloyd’s Market Association) versions. And it breaks it down into the different categories of what we need to be focused on.

And that’s how we walk through … walk clients through it, to try to give them examples of, “Okay, this would get triggered if you had these types of events.” We can’t be perfect, right? There’s … we only know what we know, and we can only think up … and we think up lots of harebrained, crazy ways that an attack can happen.

Our biggest fear with tinkering with this language is the unknown, the thing that hasn’t happened yet. And if we over-tinker the language, we could inadvertently exclude something that really is not a warlike event. So that’s our biggest concern is when we start tinkering with language. Until you have an example of what you want to exclude, I don't think we should start just adding language without testing it.

Farshchi: Well, my takeaway here is that it sounds to me like I will have economic protection because of my policy. Unless Bryan and his team are unable to stop the global, massive cyberattack that hits everybody. So, it’s all on you, Bryan. Thank you, my man.

Vorndran: Thanks, Jamil. Yeah, we’re working on that one. Okay, well, listen, we’re getting close to time here. Jamil, I’m just going to go over to you for any last questions you may have for Rachel. And then, I’ll close it out for us.

Farshchi: I have one more. Rachel, I think there’s been a ton of advancement around cyber risk management and the modeling that is done. And you pointed to it earlier in terms of the fact that you have a lot more data today to be able to work from, which I think is great. What I would love to know is there any way, is there any way for organizations or people like myself to be able to engage with you and your partners to be able to get some more insight in terms of how you calculate that or at least some guidance?

Right? Because there seems to be a consistent challenge within CISO ranks and organizations in terms of how do we—how do we effectively measure cyber risk? And I know everyone has their own, you know, ways of doing it. And there’s various standards and stuff on there. I’ve never found any of them to be particularly effective. And so, if you guys have learned some stuff that we don’t know, I would love … I would love to be able to be able to gain some of that insight from you all, because this is your job. You guys are fundamentally experts at doing this. Your livelihood depends on it. And so, I think some collaboration and sharing in that respect would be really useful for the community.

Lavender: Absolutely, I think so. We have a couple of—I’ll call them services or products that we offer our clients. One is there’s some financial modeling we do with all of our clients, and we review this with your risk management team, Jamil. It’s sort of we take some of the basic information from your cyber application. And we run it through a pretty sort of standard modeling tool based on some basic assumptions. And we can review frequency potential, severity potential. And then we can also compare that to your insurance program.

The other thing we do though is a more sophisticated, bespoke level—which I think is where you’re getting at—is engaged with you in a statement of work where we do a deep dive and we can do what we call a stress test, where we really dig in.

We have a couple of consultants that come in and talk to you and your lieutenants to get some very finite information, and then we can stress test what the business could take in terms of a loss and what a loss would look like for you. And then we also just have a good old-fashioned loss modeling where we, we take it outside of our standard modeling and, and make that more specific.

I think the data that we have … what’s great about our data is not only is it Marsh’s data, but we have a sister company called Guy Carpenter that works with the insurance companies for reinsurance. And we get that, we get that data, too, in the aggregate. And so that’s why our data lake is so large and why we’re able to do some of that bespoke modeling for you.

So we can ...

Farshchi: That would be really powerful, because even like when, when I've tried it in the past—and I love this space and I geek out in it all the time—but the problem I always have is I only have data of a population of one: like my organization. And so, it’s, it’s difficult to be able to glean a whole lot.

You know, if you know anything about statistics at all, you’re like, “Okay, that’s probably not going to be that useful.” We have … So, I think, I think that’s really interesting.

Lavender: We have a ton and we can compare your data to other clients as well. And then we’ve got the loss data and then some answers to some key questions from you around how your business operates. Then we can really put together a nice summary for you to give you and give you options and kind of choose your adventure.

Farshchi: Awesome.

Vorndran: So, Rachel, fair to say though, that that pool of data from a statistical perspective does point back to the three top-line items that you mentioned about MFA [multi-factor authentication], EDR [endpoint detection and response], and essentially privilege access management as the three primary controls?

Lavender: Those are definitely ones the underwriters seem to get focused on. But again, I go back to the other controls that I mentioned. I think sometimes insurance companies, because of the way they underwrite, I just I think this is an important caveat: Some insurance companies hone in on certain controls or certain aspects of risk management. So, you know, Insurance Company A may have had a lot of losses in business interruption. So, they’re going to focus on backup, like how do you manage your backups and then incident response planning. So, they’re going to really focus in on that versus other insurance companies may be heavily involved in manufacturing. So, for them, end-of-life systems is a big issue. So, they dig really deep into that. I think it does depend situationally on your industry class as well as the insurance company in question that we're talking to.

And that’s why we always approach multiple insurers. You know, Jamil mentioned it earlier. He’s like, got all these and these people in the room and there’s a lot of people to talk to. We try to differentiate so we get as many options for our clients.

Vorndran: It’s fascinating. I mean, it does speak to the maturity and the precision of the industry on your side.

Farshchi: So, can I ask one more, one more on that, along the same lines: To what degree do the underwriters care or ask about the engagement from senior executives or the board of directors as it relates to cybersecurity?

Lavender: They’re all over it right now. They want to hear how often Jamil is meeting with the board of directors. What are you reporting to them on? Are you reporting to the audit committee as well? They want to hear about capital expenditures. What’s your budget look like each year? Has it gone up? Has it gone down? They also want to hear how the board is supporting you on your staffing needs.

And we both know that’s a big issue right now. Our sister company, Mercer, deals with talent management, and we have a whole group of people who just work with CISOs and trying to find that talent. Those engineers, of which there’s a shortage. So, they were very interested in understanding how the board is involved and engaged in making decisions around this, and helping you manage the risk.

Farshchi: So, my takeaways would be then culture, because you mentioned that at the top, these core controls that you referenced. I think you said you guys have 12 overall, but certainly the three that—that we’ve been talking about here are critically important. And then finally, executive and board engagement, and the appropriate prioritization of cybersecurity would be the things that are going to help you along the way as it relates to cyber insurance.

Lavender: And engaging a good broker.

Farshchi: Of course, of course. Yeah.

Vorndran: Well, Rachel, that brings us to time. Listen, every time Jamil and I have the opportunity to talk to somebody on our short show here, right? I think I'm just astonished with how much I learn, but also the complexity of the environment that we're all operating in. I mean, Jamil did a great job summarizing the three key takeaways. I don’t know that I could have done it in three.

We’ll probably write a treatment for this episode because there’s a lot of fascinating parts of the conversation. But, Rachel, just appreciate you taking time out of your day to help educate Jamil and myself and our audience and wish you nothing but the luck in the future and appreciate you allowing us to get ahead of the threat with you.

Lavender: Great. Thank you so much, guys.

Farshchi: Thank you, Rachel.

***

Vorndran: We'd like to thank Rachel Lavender for her time and her contributions to Ahead of the Threat here. Certainly interesting conversations and deep conversation for the cybersecurity industry. You know, a few thoughts. Number one, I still don't have a good answer about why those in the insurance industry want to talk to me before I speak publicly. Rachel did a good job avoiding that question.

But secondly, the act of war exclusion is a really, really interesting and important part of the conversation relative to the cybersecurity space. I know that's on the minds of a lot of those companies that are insured. Jamil, how about you?

Farshchi: I think look, this is a nuanced topic. But it's one that every company, pretty much every company has to face and every CISO's dealing with on an annual basis, at least. I'm encouraged by the evolution of the marketplace over here. I am–I'm hopeful that some of the things she was talking about in terms of the evolve–the evolution of the risk modeling and some of the data points they have could potentially shed some light and help inform us on the security side to be able to make better, more well-informed decisions around investments and prioritization of remediation and things like that.

But, net-net, I thought it was really valuable and great insights that I think we can all, like, genuinely use right off the bat. And I think the last thing I would say is Rachel herself and Marsh have been great partners to myself and to Equifax for many years. And, you know, having a broker like that is extraordinarily valuable as you go through the process, especially if you, you know, have a complex situation or you have multiple tiers of insurance with a ton of underwriters. It really helps to be able to navigate that stuff. So my recommendation to anyone out there that's in a similar situation is to try to identify trusted partners like that, to be able to help you navigate the evolving landscape of cyber insurance.

Vorndran: Great. Well, that brings us to the end of episode five, Ahead of the Threat. Thank you, as always, everybody, for helping us get ahead of the threat. And we'll look forward to catching up with you next time.

Farshchi: Thank you.