The Get Cyber Resilient Show Episode #10 Transcript
Garrett O'Hara: [00:00:00] Welcome to the Get Cyber Resilient podcast. I'm Garrett O'Hara.
Today, I'm speaking to someone I met many years ago at a conference in Brisbane. It was one of those ones where you say hello as you're grabbing a coffee and, 30 minutes later, you're still buried in conversation.
Cyber insurance is becoming more popular and, frankly, it's more important given how the world has changed. For me, it was great to finally sit down and record an interview with somebody who has been really in the thick of it for quite some time. Blake Deakin is the director and the principal broker at Cyber Insurance Australia. They actually are a Specialist Broker of the Year finalist in 2020 Insurance Business Awards. They've been around since 2016. And Cyber Insurance Australia worked with both commercial and corporate clients, so they have a broad experience. They work with those clients preparing them for and mitigating, uh, the ongoing cyberattacks that are targeted at Australian businesses.
In today's conversation, uh, we cover a lot. We actually cover the broad picture of cyber insurance, the general information how cyber insurance has been used, what's covered and the extent of that coverage, some of the gotchas, so what are the things that people need to be aware of, and then the current situation with COVID-19 so, you know, how SMEs are struggling, what's the increased risk profile of people working from home in general, and then also what's life like after COVID-19.
So, please sit back and enjoy the conversation.
Hello, everybody, and welcome along to another episode of the Get Cyber Resilient podcast. I'm joined today by Blake Deakin. And Blake is with Cyber Insurance Australia and has been for the last three-and-a-half years. Um, he also has spent time, uh, time at Arthur J. Gallagher, which is one of the world's largest insurance brokers.
Good morning, Blake.
Blake Deakin: [00:01:47] Good morning, Garrett. How are you doing today?
Garrett O'Hara: [00:01:49] I'm doing well. Um, I'm working from home as I think most of Australia is today and- and probably will be for the, uh, foreseeable future. How about you?
Blake Deakin: [00:01:57] Yes, so am I. It's a… it's a fun time at the moment of adjustment for everyone, I think.
Garrett O'Hara: [00:02:02] It- it really is. And I think, uh, some organizations doing, uh… doing that more easily than others. Um, with the… with the… your, uh, your background in- in cyber insurance, I thought that might be a really good place to kind of start and one wondered if you could just give us a broad picture of- of what cyber insurance is?
Blake Deakin: [00:02:18] Yeah, sure. So, cyber insurance has been around for more than 10 years. Uh, it's been around in the industry mostly for corporates. A lot of the SME market hasn't seen this policy or hasn't even heard of it because it just… the relevancy hasn't really hit home until, say, the past five to 10 years when we've seen more attacks coming towards these smaller businesses. So, e- essentially, cyber insurance was designed to look after data breaches, uh, and digital content, uh, for a business. The more we start to see businesses trading online and with a digital footprint, if you will, all of their files are digitized, they don't have anything, uh, physical anymore, if you will, in their offices, uh, they need to protect that the same way they would previously with, uh, say a fire policy for their… for those big old racks of files. Now, we do that digitally. And a cyber insurance policy's best past… uh, place to start there.
So the policies are in place just basically to cover a data breach, someone attacking your business, and how that's going to impact you. Will there be costs involved when that, uh, potentially private data goes out to the world? Could you get extorted, uh, for Bitcoin or other different ransoms? Uh, will there be business interruptions to you where you won't be able to continue trading and you'll have a loss of income? These are some of the standard questions that cyber insurance was designed to take care of as those things weren't explicitly covered under existing, uh, insurance policies.
Garrett O'Hara: [00:03:47] So one of the things that kind of gets, uh, into my mind as you describe that is potentially how hard it is to understand, um, things like premiums, uh, you know, given how complex the technology that is existing in most organizations and how complex their kind of security controls can be, um, how has the insurance industry gone with kind of establishing what good security looks like versus bad so that they can figure out you know, what- what the policy looks like for an individual organization?
Blake Deakin: [00:04:15] Understandably, they take a lot of, uh, points from their existing business models where, for example, a fire insurance policy EO, when they're trying to set that up and figure out those premiums, they would discuss things with the relevant authorities, uh, in those industries, people who were making safety equipment for fires, et cetera. We do the exact same thing in the digital sense. The insurers and underwriters, they start approaching businesses like Mimecast and other cyber security, uh, solutions providers in the industry MSPs around the world. They start speaking with them to understand what they believe is best practice and what the IT experts have said, "This is what you should be looking for. This is why you should be looking for that. This person's data is secure over that person's because of XYZ solution." So they've really relied on the assistance of the IT industry and the professionals that they've found in there who have been making these best practice guides for security for the past, you know, 15-20 years. And so they've relied on that expertise to understand better if, for example, Mimecast is securing their data correctly.
Garrett O'Hara: [00:05:28] Yeah, I get you. And- and the other side of that is if something does go wrong kind of establishing… uh, you mentioned, like the- the costs and the impacts to, uh, an organization and things like reputation damage is obviously a big one. Um, are we at a point, given the number of breaches that we see kind of happen and, you know, get reported, where those costs are understood in a better way because I think that's something in the conversations I've often had, that the cost of the breaches is probably the, uh, I think that people have struggled to really understand, but I'm guessing the insurance industry is probably in a pretty good place to have some numbers to support the- the impact in the course. Is that fair to say?
Blake Deakin: [00:06:04] Yeah, definitely. Uh, understandably, the insurance industry does see behind the curtain for all industries because we're dealing with the claims. So we get to see the real cost of this. We get to deal with the- the small nitty gritty costs that start to pop up, the strange things that people don't expect to have to pay for, uh, the defense costs coming out of nowhere from privacy breaches. There's- there's quite a lot that the general consumer or just the general business wouldn't see because it is all kept behind the scenes, and it is generally private information related to claims. So it's not going to be just thrown out there into the public sphere as quickly as it may need to be to, you know, get knowledge across the country and, uh, get people prepared. But unfortunately, that's the situation there.
But a- as far as these costs are going, the places that we're seeing the costs come from, uh, mostly, uh, the IT repair and response costs haven't been too drastic for small to medium enterprises. We have seen different business interruption cost be an issue though where we're able to get an IT firm to potentially go out to the property and step in, have a look, uh, and either assess the damage, figure out if we can, uh, restore data, we can still access data, what's really been touched. Uh, those costs have started to escalate over the past three to six months as the complexity of the claims is increased. But for small to medium businesses realistically, we were… we're seeing claims between sort of, you know, anywhere between like $20,000 up to sort of million dollars for the small businesses. Uh, and it is… it's so varied because the damages can be very varied as well. So-
Garrett O'Hara: [00:07:50] Yeah, understood.
Blake Deakin: [00:07:51] … it's… yes.
Garrett O'Hara: [00:07:53] And- and you mentioned, uh, strange costs, uh, that- that kind of tweaked my interest. So, like, I- I don't know if you're able to talk about some of the- the more interesting things where you've- you've seen costs associated with a breach that maybe, um, you know, we wouldn't normally think of.
Blake Deakin: [00:08:09] Yeah, definitely. So, uh, just one of them of the top of my head, uh, the new, uh, privacy laws that have come in around, uh, data retention, t- they also apply in other countries of course. In the US, we saw a company who had, um, one of their employees sent an Excel spreadsheet home to their Gmail address to work on at home. They didn't think too much of it. Uh, they opened that, uh, spreadsheet and in one of the other, uh, files within that spreadsheet was, uh, client listing with some very, uh, private information. Because they had sent that out, they had then incurred a technically illegal data breach, which they then had to notify all of the people which were in that spreadsheet even though it- it was opened by their own employee, it was using his home network. So they weren't able to confirm that his home network was secure as-
Garrett O'Hara: [00:09:04] Mm-hmm [affirmative].
Blake Deakin: [00:09:05] … their business network would be. And as a result, they were forced to notify all of their- their customers which were in that spreadsheet. Now, some of these notification costs just to let people know that you have had a data breach, that's one of the unknown costs that people didn't expect. Understandably contacting… you might have 1,000 clients, you might have 50,000 clients, the timeframe to write letters formally to all of them and contact them, either by physically posting them, emailing them, or what have you, is quite time consuming.
Garrett O'Hara: [00:09:40] Mm-hmm [affirmative].
Blake Deakin: [00:09:40] You also do need to give them time to respond to that. So you can expect a lot of phone calls coming back in in response to that data breach, people wanting to know what's happened to their data and if they should worry, et cetera. So, we've seen in some of the, uh, bra- businesses with large client bases when they're doing these notifications, those notification costs are quite substantial. We've seen, uh, small call centers being set up with contracts explicitly for notification costs. So, for example, uh, one of our insureds in America has had a- a cyber breach, they've had to notify a very, very large number of customers. So they've then had to contract a- a call center, uh, a service provider to give them 50 staff members for the next six to 12 months just to take inbound phone calls related to their data breach because they don't understandably have an extra 50 admin staff to be working through this consistently for 12 months. So that's one of the unknown or unforeseen costs that… for businesses is the notification costs which come attached to the privacy legislation.
Uh, there are others. That's just one of the main ones that sticks out off the top of my head.
Garrett O'Hara: [00:10:59] Yeah. Um, and as you talk to that, I mean one of the things that I- I wonder about is like when it comes to cyber insurance, my assumption is the policies can get very complex. Um, and I wonder if you're able to talk about like, what's… by default, what's covered, what's the extent of coverage, um, and do you guys-
Blake Deakin: [00:11:16] Mm-hmm [affirmative].
Garrett O'Hara: [00:11:16] … see like a best practice? You know, there's a- a particular policy type that applies to maybe 90% of SMEs with some customization or are they very bespoke and you kind of have to design them per- per organization? So, yeah, really like what's covered, what's the extent of coverage for, you know, an SME or even, a, you know, full enterprise?
Blake Deakin: [00:11:35] Yeah, definitely. So, some of the typical costs that you'd run into would be business interruption expenses. So if, for example, the business had ransomware, and they've, uh, encrypted their documents, and they're trying to figure out should we pay the ransom, should we call our IT guys? Making that decision could take them a day or two. And if they decide to restore their data instead of pay that ransom could take them another… could take an hour depending on their setup, could take a lot longer depending on who their backups are being done by. Those business interruption, uh, expenses where they've had to stop trading normally deal with this. Uh, that can be quite a substantial cost depending on how much one does in… uh, trade in a single day.
Uh, there's also a cover for response and data restoration costs. So, essentially, to get some experts to- to contact you, advise and help step in and tell you what's happened, how we're going to stop this, clean up the network, make sure there's no, uh, you know, nasty untoward individuals still with access, uh, and then work out the best way to restore any data or if it has been lost or unencrypt data if it's, uh, available to us.
Uh, another important area is legal fines and penalties which I just touched on briefly with the privacy legislation causing a- a bit of a headache for people. Uh, we can see here that, in that scenario, some businesses will go straight to litigation and they will just send you litigation immediately. You may also get fines from the government for privacy breaches which you have been fairly negligent for. Uh, for example, if you weren't securing any of your data, you did have a breach, you notify the government. Technically, you- you would have broken the privacy legislation that came in in recent years, and there is a fine or a penalty, uh, that could be associated with that.
Um, [inaudible 00:13:30] cover for blackmail and extortion costs as well. So people clicking on dodgy emails with, uh, you know, just run of the mill ransomware that could… goes out in a big phishing attack, that sort of stuff for the small businesses is… it's more common than we want it to be. And the interruption to their business or the extortion amount that they're being thrown is it could be $3,000 just to get them to pay. It could be $25,000. So we do have covering a lot of these policies as standard for blackmail and extortion as it is one of the main things we see come up.
There are a- a few other areas which are a bit more niche, but that's when we touch on the more, uh, custom or bespoke policies for, uh, different businesses in strange models in different industries and things like that.
Garrett O'Hara: [00:14:24] Yeah. I get you. W- what's your take on the, you know, pay the ransom versus don't? And there's obviously a little bit of a disparity in terms of, uh, you know, whether you're, uh, in governance, um, and, you know, rightfully so the policy should be, you know, don't negotiate with terrorists, don't pay the ransom. But from an insurance perspective, if there's an opportunity to get data back at a cheaper cost, like do you guys have a stance on that?
Blake Deakin: [00:14:47] [laughs] Yes, you can… you can see the, uh, the underlying dilemma there for an insurer. Uh, they work financially so they don't want to have-
Garrett O'Hara: [00:14:56] Yeah.
Blake Deakin: [00:14:56] … to spend more money than necessary. They do want to help you to the outmost but they don’t wanna have to… uh, unnecessary fees isn't something they're looking for, so, yeah. And then, in those scenarios, they're really trying to work out the costs, uh, involved. And they'll really, I guess you could say that they're- they're being very, very meticulous in picking out those, um, those clients and which ones they want to pay at this stage. But it's- it's a little bit still up in the air.
Garrett O'Hara: [00:15:26] You know, understood. What are the gotchas? So, you know, things that, you know, when people think of cyber insurance, uh, you know, they think it's a, I don't know, a perfect safety net, but I'm assuming that that just can't be realistic. Like, what are the things that you- you maybe in your experience, think… people think they get as part of cyber insurance that they don't or things that they should be doing, so that when they do claim… you know that the claim is successful, can you kind of run us through your experience of, call them, gotchas?
Blake Deakin: [00:15:54] Yeah, sure. So, uh, there's a few things that I've seen in policies, uh, in clauses there surrounding, uh, social engineering cover that's probably one of the biggest ones is social engineering. If people aren't aware is when someone's trying to gain access to your network without, uh, physically breaching that network or doing anything other than talking with your employees in one way or another, trying to get them to provide unnecessary information or just, uh, you know, calling someone, asking for their name or details and calling back to pretend to be [inaudible 00:16:29] to anyone that's relevant. So we're seeing those policies coming up.
20 years ago, if someone walked into, uh, an accountant's firm with a phony mustache and a silly hat and said, "Hi, I'm the director. I want all the petty cash, uh, immediately," they would laugh and say, "We know who the director [laughs] is. You can't come in here." Now that's happening in a digital sense. Very, very similarly, where you're getting this dodgy-looking, uh, email come through from the director, uh, to one of the admin stuff saying quickly pay this invoice of $5,000, and it's… we're seeing that through social engineering that that email address might be slightly different. And it's all orchestrated as a scam through another party. We're seeing that type of, uh, situation happening quite a lot because that would be considered, uh, you know, con artist's trick. It's not technically someone breaching your cyber network or your IT network. All they were doing is using social engineering tactics to then get a password to gain access. They didn't… uh, for lack of a better term, they didn’t hack anything to gain access. There was no protocols breached for them in the software to gain access. They use your password and walk straight through the door because they’ve got… given that password.
So those types of incidents wouldn't be covered under typical cyber insurance policy the same way you shouldn't just give out petty cash to anyone who walks in the door. So, we… those types of things can be covered under cyber insurance. And we do look to cover those under most of the policies we write here at Cyber Insurance Australia. But it is something to look out for because a lot of insurers, uh, and brokers will try and sell you a very cheap insurance policy, which may not actually cover you if someone emails pretending to be someone that they're not and you fall for it. Uh, that's one of the main gotchas, I guess.
Uh, other gotchas that lay hidden in the… in the paperwork are, uh, clauses surrounding the network being used. So if the insured, as I mentioned earlier, took their laptop all their work content home and started using their- their home network, arguably, that home network isn't secure, uh, whereas their business network is. So if they're taking their-their work laptop home using their home network to freely access any of their work files, they could be in breach of their cyber policy as they would only be covered under their secure business network that it's attached to, uh, for the purposes of the policy. So i- it's just a couple of little gotchas there to be… to be mindful of.
Garrett O'Hara: [00:19:11] That's fine. And- and one of the things… um, and I know we- we spoke as we're kind of chatting about what to talk about today on the interview, um, was Mondelez. And you know, that that kind of story hit the news, uh, whenever that was a year ago. Probably my time's wrong there. Um, but I know there were-
Blake Deakin: [00:19:26] Yeah.
Garrett O'Hara: [00:19:27] … some litigation involved because, yeah, there was confusion over what was covered and what wasn't. Um, [inaudible 00:19:32] kind of run us through that story, just from your perspective, given, you know, your insider insurance and this is your area of expertise?
Blake Deakin: [00:19:39] Yeah, absolutely. So, uh, from my understanding in everything that I've read about them, the case is still ongoing, uh, for Mondelez versus Zurich, who was their insurer. But, essentially, NotPetya the attack, uh, the ransomware attack that went around, uh, effected numerous businesses around the world, and stopped their trade in various fashions but, uh, Mondelez, uh, were a candy manufacturer. They weren't able, uh, to logistically start shipping any products. They weren't able to do international orders for a period of time. And so their estimated costs for not only the IT, uh, investigation and data restoration side but also their loss of income, they were estimated at $100 million. Uh, Zurich turned around and said, "This is not covered as this, uh, NotPetya, the attack was deemed to be, uh, warlike or hostile action because it was attributed to Russia. So, because it was deemed as warlike, similarly to a terrorist attack, the insurers have a clause there to say, "We don't want to cover you if there's a war," and they deemed this a warlike action.
So Mondelez then sued Zurich and is currently still trying to sue Zurich over there to say that that's not really fair. Robbed, do we have a security camera that could give us footage to give to the police? In a digital sense, if I've invaded your network has… is there anything to monitor me leaving footprints around? You know, these are the stuff… these are the conversations that we start to have on the back of that a- attribution discussion where if we can figure out exactly who's done this and we can attribute it correctly, we can most likely pay out that policy. But, uh, you know, in this… in this scenario, being a warlike, uh, instance, yeah, i- it's… I think those larger attacks, if we see a global one like that, we will have to wait on government definitions. But for smaller ransomwares and small attacks around the country, they wouldn't define those as a, uh, you know, warlike action just because it's most likely just a, uh, phishing… bulk phishing email that got sent out from someone, uh, in a different country, not exactly a, um, you know, potentially, uh, a Russian war or act of war, if you will, so.
Garrett O'Hara: [00:22:05] Yeah, no-
Blake Deakin: [00:22:05] It's very important.
Garrett O'Hara: [00:22:06] And- and you mentioned earlier on when we were talking with the gotchas, uh, you know, what- what network is somebody working on. And you mentioned the, uh, the example where somebody brought an Excel file home and, you know, that that was not covered because they weren't part of, uh, what was considered a secure network. With COVID-19, that must be huge at the moment. You know, there's so many of us who are now working at home using work machines. Um, if you're lucky, you've already got things like VPNs that are part of your normal kind of BAU operations but, um, like what's… how do you guys see the current situation of COVID-19? And what's the impact in terms of insurance and insurability of organizations?
Blake Deakin: [00:22:47] Yeah, definitely. So it's a… you hit the nail right on the head. It is a big issue at the moment. Uh, as you know, uh, there are a lot of businesses who- who are very, uh, digitally, uh, proficient, if you will. They have a lot of good solutions in place and they appreciate the risk that they've got there. But we also have… I hate to say probably the majority of businesses around the country, especially in the small to medium, uh, group that's just simply aren't as tech savvy or responsive as they- they really need to be. And that's going to be a big problem there. They're thinking it's as simple as just going to buy a laptop, for example, from office works, uh, giving that person… putting all the files on it from their office and sending them home and giving them a mobile phone to call when the reality is that you- they have an unsecure network at home and you've given them a treasure trove of personal information which you really need to secure.
So because the understanding across the board isn't there, I see a lot of the Australian businesses haphazardly struggling to quickly get someone working from home and, at the same time, they're going to leave themselves very vulnerable.
Garrett O'Hara: [00:24:02] And it's particularly risky at the moment. I'm going to say, one of the things I've seen so much coverage of is how many of those social engineering attacks are being sent out through SMS and through email. And, you know, pretending to be from the, you know, the CDC or from Australian governments, you know, with updated COVID information or information around how Centrelink will work for you if you've lost your job. So, just to kind of riff on your points, it- it's interesting because people are now working from home and potentially unsecured environments but, actually, there may be at a higher risk because there's just so much, uh, COVID-related phishing scams that are being sent around. One of our, um… the guy who actually runs our local messaging security operations center, Andrew [Ghazni 00:24:47], uh, is chatting to him and he- he reckon that there's about one in eight of the emails we're seeing at the moment mentioned COVID. That-
Blake Deakin: [00:24:54] Wow.
Garrett O'Hara: [00:24:54] … that's a huge amount of volume… that's not all bad emails or- or malicious emails. But that's just the-
Blake Deakin: [00:25:00] Sure.
Garrett O'Hara: [00:25:00] … the huge, huge volume of COVID-related stuff, uh, that's out there at the moment. So it points to… I mean, it's obviously a unique time of our lives in- in general. But, um, yeah, just in terms of the risk that people are at home, it's, uh, it's even more so, uh, because of-
Blake Deakin: [00:25:15] … what's going on. Um, absolutely.
Garrett O'Hara: [00:25:18] Yeah, like it is. It's just quite bizarre. Um, look, as- as we get kind of close to the end here, I would be keen to get your thoughts on what do you see life after COVID-19 looking at… uh, looking like? What do you… what do you think is gonna be different with… w- well, generally with the world but probably from a cybersecurity and- and cyber insurance perspective, what do you think we'll be different?
Blake Deakin: [00:25:38] Yeah, for sure. So, uh, because as you touched on this- this gigantic work from home initiative that's sweeping across the nation and most nations, any businesses that are able to do are… they're going down that path. Anytime we go head firsts into something without appreciating the risks, we're going to have a lot of people that are get burnt by that, unfortunately. So there are going to be a lot of businesses who go into this and have problems, but there are going to be a lot of businesses that go into this. They see the effectiveness of working from home. They appreciate this cyber risk there because it is greater working from home, of course. Uh. and I think we're going to have a- a more understanding and knowledgeable, um, set of businesses around the country moving forward. We're going to have more people working from home consistently moving forward, and we're going to have more cyber insurance events and policies sold as a result, unfortunately. [laughs] There will be more claims to come. There will be people who get burned but it is a stepping stone in the right direction, in my opinion.
Garrett O'Hara: [00:26:47] Yep, yeah, no, for the… from a few people, you know, hopefully, uh, it was a society and I- I kind of believe in this that it will be a thing that pushes some- some good changes. And, um, you know, obviously it's a horrible situation we find ourselves in at the moment but, yeah, my- my view is three- three to six months from now, we'll come out of it stronger, better, and we'll have learned lessons. Um, it will be, hopefully, a more resilient cyber in… uh, cyber, uh, nation, um, as a result of that.
Um, we have run into, uh, a- a time limit here, I'm afraid. Uh, Blake, this is definitely an area where I- I feel like we could keep on talking for quite some time. Um, I just really wanted to, uh, thank you, uh, really thank you for taking the time for kind of filling us in on, but the broad aspects of cyber insurance, some of the gotchas, um, and obviously how it relates to, uh, the current strange situations that we find ourselves in where… this working from home but, yeah, really, thanks so much for joining us today.
Blake Deakin: [00:27:44] No worries. Thanks a lot for having me. It's been- been good. And as you said, you- you- you… I could talk about this stuff all day. So if anyone's got questions, they wanna have a chat, I'm sure they'll find my details somewhere around the- the podcast.
Garrett O'Hara: [00:28:00] And there you go. As mentioned, we have included Blake's details in the show notes, so please do contact him for any questions out of today's interview.
Over the next couple of months, we have some great guests, so please do stay tuned and watch it for details. Otherwise, stay safe and thank you for listening.