Podcast: Data Privacy in a COVID World with John Merchant, John Mullen and Rob Rosenzweig


Cybersecurity is a broad and complex industry, and cyber insurance is an area that a lot of people are still trying to understand. In this episode we talk with breach coach John Mullen of Mullen Coughlin, Rob Rosenzweig of Risk Strategies, and John Merchant of Ascent Underwriting about data privacy and how cyber insurance plays a role in reducing your risk of business interruption and impact.

Transcript

Erin Keating:
Hello, and welcome to our inaugural episode of Cyber Clan’s Incidentally podcast. We are so excited to invite back John Merchant with Ascent Underwriting. John, you joined me on the teaser episode to talk a little bit about what we could expect in the upcoming series of this podcast, and for this first one you were kind enough to bring on two of your friends in the industry to talk shop, so if you wouldn’t mind reintroducing yourself to our audience as well as bringing on your speakers, and then we can go from there.

John Merchant:
Sure, I’d love to. Thanks Erin. Appreciate it. My name is John Merchant and I’m with Ascent Underwriting. I’m the Managing Director of Cyber Insurance for North America and I would like to introduce two colleagues, two gentlemen I’ve known for quite a long time actually. First will be Rob Rosenzweig. Rob is with Risk Strategies. He is Senior Vice President and national cyber risk practice leader. There’s also John Mullen. John Mullen is a co-founder and partner of Mullen Coughlin, a cybersecurity focused law firm with 50 plus lawyers. Again, focused primarily on cyber.

Erin Keating:
Awesome. Well Rob and John, thank you so much for joining us today. We really appreciate your participation in this piece.

John Mullen:
Happy to be here.

Rob Rosenzweig:
Our pleasure.

Erin Keating:
So today we wanted to talk a little bit about data privacy risk in a COVID world. Obviously this is a lot of what everyone’s talking about. It’s relevant, but it doesn’t mean that what we’re experiencing now hasn’t been experienced in the past. It may just be exacerbated or highlighted right now. So I think what we’d love to hear from both of you are what are some of the current cyber threats that you’re facing and how have those changed in the time of COVID?

Rob Rosenzweig:
If I can kick things off. There is certainly some level of uptick in the number of incidents we’re seeing and some of that is specific to COVID-19. I think the threat actors unfortunately are realizing that organizations are vulnerable right now. Obviously there’s a lot of fear around COVID-19 and some of the phishing emails that are being sent out are specifically targeting that and trying to entice individuals to click on those links using some ruse about COVID-19, but I think more of the activity that we’re seeing right now is less specific to COVID directly and more a function of the change in the way that we’re all working. So, as all organizations have to pivot and shift to this work remote environment, you’ve seen an operational strain on companies, you’ve seen a technology strain on companies, you’ve got folks using technologies that they’re less accustomed to.

Rob Rosenzweig:
You also have associates at all of our clients logging on to sensitive company networks and applications using their own personal devices that might’ve already been infected or maybe aren’t quite as secure as company-issued devices. The last piece of that, which I think is probably the most important piece of that, is that even the companies that were sort of best positioned to deal with a lot of cyber threats and had great controls and procedures in place, some of that’s fallen by the wayside with that operational strain, but also just simply because not everybody’s on premises together. So I get an email that looks like it’s coming from John. I no longer have the ability to just walk down the hall and say, “Hey John, did you actually send me this email?” And you’re just trying to move quick. You’ve got your dog barking in the background, your kids running around, you need to get work done, and some of those checks and balances have fallen by the wayside.

John Mullen:
Thanks Rob. This is John. I’m going to add to that. I would say this, the malicious actors are still out there. They’re not giving anybody a break because they’re not on COVID-related home staying, they’re just not. The employee-related matters, I think that’s one way to think of it is you’ve got more stress but not more resources. So the same amount of IT resources and policies and procedures you always have, they’re still there, but you’ve got much more stress on your system. To Rob’s example, in the social engineering world where you know a lot of companies have certain policies when certain payments are requested through an email or something, it’s much easier to pop your head down the hallway and say to the CFO, “Hey, did you authorize this payment?”

John Mullen:
Well, that CFO could be somewhere else and now you’ve got an email sitting in front of you and you’re trying to decide, “What do I do? I just emailed and texted and called the CFO, I’m not getting her. I’ve got a deadline staring in front of me here with this email. What do I do?” That times many, right? Is what we’re seeing here. So it’s not so much that COVID related problems are so unique and so different, it’s just more stress on an already stressed out system in terms of security.

Erin Keating:
I’m curious, with the types of clients that you all see, are bigger companies more at risk here? Smaller companies, midsize companies? I mean, one usually thinks of a large company having their own internal security systems, perhaps even a CISO in charge of their information security, and then you’ve got small to midsize businesses who frankly may not have those types of controls in place, but still may be working with very large companies. We all know of the Target breach, for instance, a couple of years ago; it wasn’t actually Target, it was a vendor that worked with Target. So what are you all seeing in your businesses given the size of the clients that you have? Is anyone at more risk than another?

Rob Rosenzweig:
I think it’s a different risk. The bad guys are fairly agnostic when it comes to the size of the company that they’re targeting. We just have different criminal groups that have different levels of sophistication and some are going to target larger enterprises. Some are going to target smaller enterprises. So we’re seeing incidents across the board and it’s really not discriminatory based on size. But I mean, you’re spot on in your comment that when we do see these incidents specifically targeting small and medium-sized businesses, more often than not, not only are they less prepared to respond, but they obviously don’t have the financial wherewithal that a Fortune 500 company might have in responding to that, particularly right now when we’re dealing with uncertainty in the economic environment that’s putting some strain on companies’ balance sheets anyway, and the last thing they need is a cyber incident taking their eye off the ball and further causing unnecessary expense to their organizations.

John Mullen:
Yeah, I would say that if you think about it, medium and smaller businesses have been struggling just to catch up to all of the data privacy regulations and constraints that they’re supposed to be operating, supposed to be addressing. So as a matter of resources they just didn’t have and don’t have the kind of resources that the big companies have and then you have a disproportionate impact, right? Because as Rob says, somebody in a Fortune 500 or even 2000 company who gets hit, they can weather that storm. Somebody in a smaller company who has a big problem relative to their size because they don’t have the resources and because those are not being strained even more, they’re just not in a position to really fend for themselves too well here. I do think that’s where they’re thankful they have cyber insurance when these events happen.

Erin Keating:
Well, and that leads me to a quick question. As you both keep saying that we’re maybe not under different attacks, but we’re under different stress levels of the attacks once they’re coming in. Is that causing any changes in how you evaluate the risk? And maybe John Merchant, you could speak to this or Rob on when you’re evaluating the risk factors with companies that are now just coming on, perhaps even for the first time evaluating cyber insurance, is it different now because of the stress level of the system and people’s ability to approach the incidents and actually respond to them, remediate them and get it resolved for lack of business interruption, if you will?

John Merchant:
From an underwriting standpoint and this is the other John, call me short John. John Mullen, tall John. John Merchant, short John.

Erin Keating:
I really helped on a podcast you know.

John Merchant:
Well, for those of us who know us, they’ll get a chuckle out of that. So yes, I’d have to say that from an underwriting perspective, any time there is a disruption of this magnitude, it is absolutely a consideration or an additional risk factor that we have to take into consideration. The problem right now is, it’s such a great unknown. We have never seen anything of this scope before. A large company, medium company, small company, all hoarding their work right outside the protected four walls of the network all within a week, quite frankly. My company, for instance, went out a month ago to do a work from home practice day and haven’t been back. It’s been quite a test just like that.

John Merchant:
Similar to mergers and acquisitions or divestitures. Anytime an underwriter sees a seismic shift either within an industry or an individual company of this magnitude, that absolutely has an effect. What we haven’t been able to see just yet, because we’re only six weeks into this, at least in the United States, and in most of Europe, six to eight weeks in, is the tail of potential claims coming in or events happening. We think they’re going to come because of this disruption. We just haven’t seen it yet, so we’ll be able to tell you in a year, hindsight’s 2020, that this did have quite a disruption.

Rob Rosenzweig:
I think you’re starting to see some underwriters ask more questions about it. Just what are you doing in terms of your employees using their own personal devices? How are you managing that process? Are you still focusing on employee training and testing on phishing in the work remote environment? I think what will be interesting too, when you think about overall market penetration in cyber insurance, the small and medium-sized businesses were probably the least penetrated market segments. So depending on who you ask, maybe 10 to 15% of companies under a couple of hundred million in revenues have been buying cyber insurance historically. On one hand you’d say, given the financial uncertainty, maybe they’re not going to be investing in an insurance policy that they hadn’t otherwise been purchasing prior to this, if their businesses are teetering on the edge of bankruptcy. But I think the other perspective here is once the virus is curved, to a certain extent, it’s likely that the way we work is going to be shifted for a while. It’s not forever.

Rob Rosenzweig:
So now the viewpoint is, is cyber insurance a more critical piece of any company’s insurance portfolio than it ever was prior to this, given the strain that we’ve spoken to throughout our conversation thus far? I think it’ll be interesting to see whether you start to see more companies getting their toes in the water and realizing that they need to buy cyber insurance as a result of this.

John Mullen:
Well, my only thought was the market was already hurting and I see that just my exposure to guys like John and Rob. I suspect that this will continue as Rob just said, to raise the need for a little more underwriting in each individual case and at the same time it’s likely to drive buyers who weren’t in the market or were on the edge of being in the market to realize, “Well, if we’re going to exist in this new world, we better have a backstop.” And oftentimes that backstop is going to be cyber insurance.

Erin Keating:
That makes sense. That turns me on to a question around the current regulatory landscape. What does that look like right now?

John Mullen:
I guess I’ll take that one to start. I’m not going to spend 15 minutes boring an audience about regulations. Let’s put it this way. Every state in the union has a rule. Every one of them is a little different from the one next door. That’s one. Many, many different federal industry-specific rules overlaying that, HIPAA and all kinds of other things along those lines. Then you’ve got state regulators, like insurance regulators, also overlaying yet more regulation on top. And we’re not even talking about things like GDPR and overseas things and other industry-specific things. So to say that there is a lot of regulation is an understatement. We’ve been tracking these regulations and statutes for 15, 16 years. On average, of the 50 states, 12 to 14 of them change their statute every single year.

John Mullen:
Not only do you have net new statutes with almost no chance for any courts to interpret what they do or don’t mean in the wording, on top of that, you have constantly changing statutes and the overlay to your regulatory question is contracts. Five, 10 years ago, very, very little in the way of contracts existed between different parties with respect to cyber and data privacy issues. Now, there’s all kinds of things being thrown in contracts that some people read and some people don’t and that also changes the aspects of who reports to whom? Under what circumstances? Under what trigger? So the complexity is continuing. It’s unlikely to ever be simple.

Erin Keating:
I was going to ask about that because supply chain obviously has come up a lot in the newspaper lately, so anyone who wasn’t thinking about supply chain before, even down to basic folks who are going, “Where did my meat come from when I got my hamburger at the store around the corner?” It’s now becoming pretty normal for people to talk about the logistics and supply chain of everything, which to me speaks a little bit to that need for attention to contractual relationships between, well, in government, big prime contractors versus subcontractors, but in the regular commercial world, anyone that is on top of another contractor or relying on another small business or medium business does need to be paying attention to those regulations and, furthermore, to their contractual language based on, if they’re attacked, how does that impact who they’re working for and working with? Is that becoming more of a practice and apparent in the work that you’re doing?

John Mullen:
Well, we’re seeing a lot more of that in the contracts, but think about this. First of all, there are very few attorneys in the country who really understand it. So you have these clauses being thrown into contracts left and right. It says things like, if someone’s data is compromised. What does that mean? I can give you 15 examples [inaudible 00:13:46] John or Rob, about what compromise is or isn’t and how it’s a close call. And so are you supposed to notify the people or the other entity to that contract when something is compromised in your definition or theirs?

John Mullen:
So you can just see one word. There’s many words just like that, that finds their way into these clauses and creates confusion. So when an entity is responding to a data privacy incident, maybe they’ve been quote “breached” maybe they’ve triggered, notice these, maybe they haven’t. Adding the contractual piece to it simply adds to distress and the complexity and the need for expertise in responding to it because it really, you can interpret it a million different ways and frankly the statutes aren’t very well written and they have lots of ambiguity in it and anybody in the insurance world knows one word can change the definition of an entire insurance policy, let alone being in a statute like that.

Rob Rosenzweig:
Apologies, I’m misconstruing the question a little bit, but if I understood you correctly, you bring up a good point. I think there’s often a misconception when we talk to clients, particularly small and middle market businesses that they think that by signing a contract that might have some good protections in there with a vendor about what that vendor is going to do for them in the event that there’s been unauthorized access to data that they’ve shared with that vendor, that they’re sorely mistaken. John Mullen can correct me if I’m wrong, but you can certainly have contractual protections, but ultimately the regulatory obligation, the potential liability and absolutely the reputational impact is going to go back to the business that actually collected that data from the consumer or the employee and then entrusted it to that vendor.

Rob Rosenzweig:
So part of the beauty and the value in having cyber insurance is irrespective of what contractual benefits you might have, whether you’ve gotten some protection in that contractual negotiation, you now have the policy that gives you access to those expert vendors, funds your ability to respond, protect your own interest and ultimately if there is a recovery via that contract that can be pursued, but you don’t have that immediacy because you’ve got that initial backstop through your insurance policy.

John Merchant:
To echo Rob’s point about the level of expertise that is, one, required and, two, procured when a company buys a cyber insurance policy, it is to allow them to continue to run during these events, whereas contractual protections in a vendor contract are just words that don’t do much more than maybe give you a limit of liability of X and then you’re on your own. You’ve got to figure it out by yourself. Whereas cyber insurance, called for a long time cyber liability, I don’t use that term and most folks in the industry don’t use it anymore, because it’s cyber insurance services.

John Merchant:
It’s meant to start prior to an event occurring. Walk you through the events while you can continue to open your doors every day and do business and then close it out. Essentially it’s a cradle to grave. Whereas a cyber liability to me says that if a claim was made against you for some identification because you lost data, that doesn’t solve for the incident responses necessary, the triage services, the ransomware that has to be negotiated, the payments that need to be made, the business income loss that needs to be assessed. All that actually comes along with cyber insurance services. It’s a very holistic 360 product, very dissimilar to what it was 15, 20 years ago, just liability.

Erin Keating:
So going back to talking about the regulatory landscape, are there specific authorities that are particularly active right now and how are they investigating any situations that are arising?

John Mullen:
Yeah, I’d say there’s about six or seven states, Indiana, Vermont, New York State, there’s six or seven of them, and that’s up from two or three, three years ago, who are highly invested in enforcing these laws. They’re very much about protecting their citizens, ensuring that their rights are protected, et cetera. The good news is that at the state level, although they’re asking questions and although they are sending letters and demanding responses and doing follow-up and all that, they tend to be reasonable. They simply want answers to their questions. They want to apply pressure where need be, and if you get far enough down the route, you might end up with a non-litigated agreement on how you’re going to behave with respect to data privacy and their citizens for the next, fill in the blank, two, three year period of time.

John Mullen:
I would describe them as fair enforcement measures that we’re seeing more of. So it does tend to give any one given event a little more of a tail in terms of activity because regulators aren’t necessarily jumping and asking questions within the first week. They could wait three months and you get a letter, you submit a response, you wait another couple of months, et cetera. On the federal level, certainly HIPAA enforcement side, OCR has historically been much more aggressive, although still fair and much more likely to result in large and significant fines. Not always traceable in terms of the logic behind them. I’ve seen fines in the millions for a couple of hundred identities lost. I’ve seen fines in the hundreds of thousands for millions of identities lost. But the net of it is that if you’re being investigated by the Fed, you have a much higher risk of more costs, bigger fines, et cetera.

John Mullen:
Overseas, the GDPR enforcement is really just in its infancy and that does apply to many US entities, depending on if they’re subject to GDPR requirements. Then the other thing I would say on the enforcement side is there are more and more states, California, parts of New York, even in healthcare in New Jersey, where you have proscriptive requirements. In other words, the laws in the United States used to be, if you lose this, then you have to do that. That’s pretty easy to understand. You lose this, you do that. Now it’s more and more, you must have all of this stuff done and in place. And then if you lose this, you have to do that. But you also have to go back and show us that you were compliant in the first place. So those sort of proscriptive laws are out there. They’re proliferating and it’s much, much more difficult to show that you are compliant.

John Mullen:
So as time goes on, we’re seeing more of the sort of… To use John’s term holistic enforcement and statutory coverage. In the law of the United States, as I said it used to always be about the security. That’s the backend of it. Now, it’s getting to be more and more also about the front-end, which is the privacy piece and how you’re protecting, how you’re using, how you’re collecting, how you’re sharing data. So all of that comes under this and I just say we’re likely to see more and the trends already going in that direction in terms of enforcement.

Rob Rosenzweig:
John Mullen brings up a great point about the shift in the regulatory environment and there being more ability for state regulators and international regulators to initiate an investigation, not because there’s been an incident, but simply with an inquiry about how you’re collecting and storing the information of others. That’s an important distinction when thinking about the cyber insurance policy that you do have because there are some cyber insurance policies on the marketplace that can only be triggered if there’s a regulatory inquiry after there’s been a security incident where a well-crafted policy like the Ascent policy form is triggered by there simply being a regulatory inquiry alleging that you are not in compliance with a state, federal or international law or anyone alleging that you as an organization have violated your privacy policy. So to have that coverage is really important because it will allow you to bring in the experts that you need to respond to that regulatory inquiry even if there hasn’t been a security incident.

John Merchant:
I want to add one more thing too from the underwriting side and having experienced this a couple of times and talking to our claims folks, is the importance of having a law firm like Mullen Coughlin on board who knows how to talk to regulators. They are a prickly bunch. Some of them, you don’t bring in any old law firm to speak to a state attorney general or a regulator. You simply don’t, and if you do, it can go sideways pretty quickly and I can tell you it goes sideways because I’ve seen claims go up exponentially in costs because an insured went ahead and called their [inaudible 00:22:13] law firm to talk to the State Attorney General of Missouri and it didn’t go well and that cost money quite a bit and it costs time for the insured to clean that up after the fact. So it goes back again to that, the expertise that you get by going with an insurance policy for cyber that brings along not only the words in the policy itself but all of the expertise, both loss prevention and obviously legal counsel that are specialized in cyber.

John Mullen:
As much as I like hearing John say that, I would also tell you that that same analysis applies to the forensic vendors that we use. For instance in the Ascent environment there will be a group of approved forensic companies that I have at my discretion the ability to use any one of them depending on what kind of case, whether it’s a business email compromise, a large or a small ransomware or something else. Having a suite of experienced forensic vendors is very, very different from what we see when the same company that goes out and hires their employment lawyer, because he went to a cyber class once and convinced them he could handle it.

John Mullen:
That guy then goes out and hires his buddy who has a “forensic expertise” firm and you can see one mistake just leading to the next and it’s the cascade of mistakes and less than it feels, some real experts get busted. It’s not just the lawyers, it’s also the forensics. The beauty here is guys like Rob at Risk Strategies, guys like John at Ascent, they know who those vendors are. They know who the proven ones are, who’ve been at it for a decade, who have dedicated teams, who don’t do anything else. That level of expertise does help quite a bit.

Rob Rosenzweig:
I would just add one comment too. I think as an industry, part of the challenge, right? Is as we covered, there’s only a small percentage of businesses that are buying cyber insurance. But even in addition to that, we need to do a better job of educating even the existing segment of buyers because there are so many clients that we talked to that have spent the money and bought a cyber insurance policy and they have an incident and they’ll call us and go, “Oh well, we reset our password so we’re good to go.” Right? “We don’t need to do anything.” It’s not out of a negligence. It’s not out of them having their head in the sand and not understanding the implications. They just don’t know any better. So to communicate to those businesses that you not only have a financial backstop, but you have access to these expert vendors who can lead to a better outcome for you and the insurer that’s actually paying the bill is imperative and we need to do a better job making sure that everybody understands that value proposition, both buyers and non-buyers.

Erin Keating:
I will say in general, as again a layman in the industry and someone who has to buy insurance for a variety of things on a daily basis, I would like to have a lawyer and a broker and forensic… I would like to be able to consult a team of people to understand when I’m even just buying my airline insurance for my ticket. As a lot of people in COVID just experienced, everyone who planned spring break, did you buy the right insurance? Are you getting reimbursed for your trip? There’s a lot of talk about how insurance has so many levels. And for something like this, it’s not just important that you have the coverage for whatever event affects your business, but truly it can cripple a business.

Erin Keating:
It could take a business out, it could take an entire supply chain out if someone has an incident and does not have the proper team around them to respond to that quickly to remediate it quickly, to have the coverage to be able to afford getting back and restored into business. So I see it as a holistic picture and I appreciate the way that you guys are painting that, because it makes sense to even someone here who has not had to buy cyber insurance before. Thank goodness.

Rob Rosenzweig:
We’ve done a bad job as an industry, right? I think people go into this with the preconception that it’s like auto insurance: you get into an accident, your price is going to go up by 40% next year, whereas, not to speak for John Merchant here, but in talking to most underwriters, they’re more concerned when they don’t hear from a policyholder during a year than when our client contacts them for help with an incident. So, it’s very simple, right? The quick… Unlike any other risk or any other line of insurance, there’s a direct correlation between the quickest possible response with the best vendors and the costs and reputational impact of the outcome. So something that… If they call us, they call us and they call Mullen Coughlin right away, that could be dealt with for, you know, $15,000 to $20,000. That’s great. If that lingers for a week, two weeks, three weeks, a month, that could turn into a million dollar issue, and nobody wants to see that happen in the business that’s facing it and certainly not the insurer that’s footing the bill.

John Mullen:
And if you use those right experts, the likelihood of a repeat is much, much lower. That helps in a couple of ways. No one wants a repeat event. The other thing is I think you can make a decent argument, again, I’m not an underwriter, that the company that had some experience with a relatively minor and well-handled event is a better risk going forward than the company who hasn’t reported one yet. Because the company that had the problem, who responded properly and had the right setup, with the right policy, the right broker, and they sort of went through the normal steps, that company learned its lesson, handled it efficiently, utilized the resources from the well-written policy, but also is much, much less likely to have that reoccur.

John Merchant:
They are, John. I can say that most companies, when they have an event like this, although there’s always going to be some sort of a hole in the roof that needs to be patched because roofs age and weather and it’s going to happen year after year, there’s going to be events. The severity, because we measure things in frequency and severity, we’re always hoping for the frequency to go down post event because this company has learned all the things that they might not have done properly prior to that, but also you can’t fix everything. There’s no such thing as 100% certainty when underwriting these risks, but at a company that’s had an event, the likelihood of a severe event happening again, we’ve seen, does go down quite a bit because you’ve been through it once, you know what to do, you know who to call.

John Merchant:
Again, experience helps in these matters. So the severity will drop quite a bit and that raises the awareness. Then you hope the company that has that at a trade event talks to other companies and said, “This happened to us. You should go ahead and look into cyber insurance and it helped us get through and keep our revenue coming in and our doors open and we didn’t lose any customers because it was handled properly.” And I wish I had known six months ago before this event happened that I should have done A, B, and C and now I’m doing those things and I’m much less likely to have an event.

Erin Keating:
So let’s assume that a company during this time faces a data privacy event. How does cyber insurance apply to this?

Rob Rosenzweig:
So even if the incident turns out to be absolutely nothing, you’ve got access to the [inaudible 00:29:14] team of vendors that can help you make that determination and respond and investigate the incident. So Ascent has on their policy very clearly a toll-free number and an email dropbox that allows their policyholders to contact them 24/7. We similarly as a brokerage firm have that mechanism for our clients to contact us at all hours, as does John Mullen and his team at Mullen Coughlin. However the client ultimately gets to us, we’re going to understand what’s transpired thus far and, assuming we think it warrants reporting as a claim under the policy, we’re going to do that, and assuming we think it warrants some level of investigation and consult with legal counsel, we’re going to set that initial discovery call with an expert law firm like Mullen Coughlin. I’ll stop there and allow John Mullen to kind of pick it up from there as to how his firm typically starts to engage with our clients when they have an incident.

John Mullen:
Yeah, thanks Rob. The way it works is as you just teed it up, right? There’s a call of some sort, whether it goes right to Ascent and feeds over to us, whether it goes to you and you kick it to us, whether it comes directly to us. In any case, once we are aware that there is a potential event evolving somewhere, we typically are able to clear conflicts and be on the phone with that entity within 10, 15, 20 minutes. So, it is a very quick turnaround time. I kiddingly say, “What’s the likelihood in your life that you get an 800 number given to you by the insurance coverage of any kind and you think you’re going to get any help at all? Let alone help within a half hour.” And here it really does work that way. The insurance industry figured this out.

John Mullen:
There is now a way it works and that’s the way it works. You call, you get a call back, you’re on the phone with counsel and the entity that is having the problem. They hear a few very comforting things early on. They hear that we’re their lawyers, not the insurance carrier’s lawyers, that we have attorney-client privilege with them. That we’re not charging them for the first call, we’ll get paid later. That we’re going to have a game plan for them before we hang up call one. Those are all very, very helpful things.

John Mullen:
By the end of that call, we’ve triaged the event, we already know if they need forensics or not and if they do, we’ve already begun to set up that call to happen within the next half hour. So you call that… The first time you called Rob Rosenzweig or Ascent or one of us, it was a Friday night at six o’clock; by 6:30 they were on with us. By the time we got off at 7:00 we’d set up a forensic call at 7:15 and we were off and running, getting that company remote help immediately that night and through the weekend. We give them our cell phones, and so do the forensic guys. And you’ve begun the process of recovery literally within the hour of reaching out.

John Mullen:
That just doesn’t happen in most business contexts. Here it does. And it doesn’t matter for a second that they “didn’t have a law firm or a retainer” or didn’t have forensic companies on retainer. You don’t need it. That’s the whole point of the recovery part of the policy that you just bought. I’ll kick it back to either Robert or John, because there’s a lot more to it, but that’s the initial piece.

Rob Rosenzweig:
Yeah. I would just say, I mean John made… Just to make a couple of things crystal clear there. While the engagement of an expert law firm like Mullen Coughlin is facilitated through the insurance policy and the relationship that the brokers and the insurers have with those expert vendors, that’s a direct relationship between the policy holder that’s dealing with the incident and the law firm. So the guidance that they’re getting is not conflicted in any way. Sure, it’s paid for by the insurance policy, but the law firm is working for the policy holder. They’re not working for the insurance company. Where the insurance sort of comes back into this, right, is behind the scenes: we’re having a dialogue directly with Ascent and keeping them abreast of what’s happened, but doing that at a high level because we don’t want to jeopardize the attorney-client privilege.

Rob Rosenzweig:
John Mullen and his team are retaining all the other vendors as he explained, but they’re doing so in a way that cloaks their work product in attorney-client privilege. So all of the communications that go back and forth between counsel and the forensics firms in the investigation, and the report that they’re ultimately going to issue, we don’t want that to be discoverable in litigation or any regulatory inquiry. So we’re kept abreast at a very high level, but we’re having those conversations behind the scenes with the carrier, making sure that they’re saying, “Yeah, this is covered. It’s okay for Mullen Coughlin to retain X, Y, Z forensics firm. And yes, we agree you should notify these individuals and we’re going to pick up those costs.” And we’re just managing that, really being the quarterback behind the scenes and making sure that our client, the policy holder, understands that everything is going to get paid for and what their obligations are.

Rob Rosenzweig:
Because you have to recognize this is a scary landscape and uncharted territory for any business that’s going through a cyber incident. They’ve never dealt with a cyber incident before. They’ve never dealt with a cyber incident with or without insurance. So oftentimes when they’re talking to John Mullen or someone at his firm, they don’t know where they fit in the food chain, who they’re working for. So we really need to kind of reinforce and explain to them how everybody fits in the food chain and how it’s to their benefit.

Erin Keating:
It’s interesting you say that and it sort of tees up our next episode next week that we hope to have one or all of you back on for. In that particular episode, we’re going to go a little deeper into what incident response looks like and some of, if you will, the emergency services that need to be brought in to attack and understand and resolve the issue. But it makes me think about the fact that you’re right about an education piece. So many people think about insurance as someone you call after your house has burned down and then you’ve got a couple of months to reconstruct it, or you’ve got a car that’s totaled and you need to go figure out how to get the next car and so forth, but a data privacy issue is an immediate danger to the business, to your clients, to again, perhaps an entire supply chain, and cessation of business and so on and so forth.

Erin Keating:
So I imagine it’s just a very different way of thinking of engaging insurance than how you might in your everyday life. And so people really need to understand the benefit of being able to reach out quickly and-

Rob Rosenzweig:
And the speed at which it needs to move is unlike anything else, which is why you need to be with both brokers and insurers that really know this marketplace intimately because it’s… Again, to use the auto insurance analogy: you get in a fender bender, you drop your car off at the shop, they’re not going to do the work until the insurance company says, “Yeah, we approve this estimate.” We can’t wait for that to happen here. So there’s got to be somebody that can really coordinate and connect all the dots and say, “All right, yeah. It’s okay for John and his firm to retain XYZ forensics firm. We know that’s in line with the policy terms and conditions.” Because it’s not as if the carrier is going to get around to issuing a coverage letter that says, “Yeah, each and everything is covered,” by the time you actually need to take steps A, B, and C.

Erin Keating:
I think that’s truly helpful. Well, I think we’ll wrap up episode number one, but I want to make sure I give everyone just a final minute here to… If there’s anything that you feel we left out of this particular conversation and of course we hope you’ll come back and join us for more conversations around this. But feel free to join us with any parting thoughts and then we’ll wrap up.

John Mullen:
I would tell you this, if you’re anybody who owns or runs a business or an entity and has responsibility for risk management, do listen to your broker, do talk to your insurance carrier. When we get these cases, and as I mentioned earlier, we get something along the lines of nine or 10 net new files per day all year long, so there’s a lot of them. They’re always, always stressful situations. We get through; the clients are ultimately well taken care of and they get through that stress point. The ones who do it, the vast majority of the ones we deal with, have insurance policies for cyber in place. Every so often we’ll get one that hadn’t yet bought cyber insurance. That client has a whole different experience. The client with cyber insurance has a difficult, stressful time because of the nature of the beast. The client who has the same problem without insurance has a catastrophically more difficult time. So I would encourage everybody, talk to your brokers, talk to your carrier, really make sure you’ve covered this base.

Rob Rosenzweig:
Yeah, I would just, I guess, echo on top of that the need again to be with a truly specialist broker that’s got that dedicated expertise on cyber insurance, who understands which of the 100 plus insurance carriers that are in the business of offering cyber insurance really are committed to this marketplace and do it well. Because John Mullen’s absolutely right. There’s a tremendous difference between a company going through an incident that has insurance and one that does not, but there’s a further distinction between organizations that go through an incident that are with the right insurer that’s set up the partnerships with the right vendors versus an insurance carrier that’s less committed to this marketplace. So that’s an important process and understanding for every business as well.

John Merchant:
All I can really add is just historically, not even historically, two months ago, we weren’t even talking about this and two months from now, there’s a very good chance we’ll be talking about something completely different when it comes to cyber insurance, cyber insurance services and just the threats and exposures. The one thing about this entire coverage line is that the speed at which it evolves and changes is tremendous compared to some other lines that evolved over literally decades before any actual change is made, and cyber continues to change in the product, but also it is driven by the exposure continually changing. In 2021 and 2022, hopefully we’re still doing these podcasts, it’d be great, and we’re talking about interesting and new exposures that you just have to keep in front of. So that’s my two cents for the end. Thanks again to Rob and John, I appreciate you guys coming aboard.

Erin Keating:
Yes, thank you guys.

Rob Rosenzweig:
Thank you for having us.

Erin Keating:
Yeah, absolutely. This was wonderful. I for one will now promise to go out and be an advocate to anyone I know that’s in business to say, “Go check your policies, because this is helpful again, to just even be aware.” I have to tell you that I started doing cyber security podcasts and marketing communications work just a few months ago. Now I’m looking at my computers going, I swear I have no idea what I have on my computers, if I’m protected. I’m so worried now. So this is good. This is a good worry to have. It means that I’m on my toes and thinking more succinctly about what I’m doing. But I really appreciate all of your time. This was wonderful education for our listeners and we again, hope that we will be speaking with a few of you next week to start talking about what incident response looks like and just further down the chain of how we actually go and resolve these types of issues. So thank you so much for your time and we’ll talk with you soon.

John Mullen:
Right. Thank you.

John Merchant:
Thank you.

Rob Rosenzweig:
Sounds good.

John Mullen:
Bye now. See you guys.

Rob Rosenzweig:
Thank you. Stay safe. Bye-bye.
