EPISODE 53

Webinar Replay: The Ethics of Cybersecurity: How to Buy Cyber Insurance for Your Law Practice

About this episode

In this episode, special guests Chris Brumfield, Melinda Miller, and Jake Bernstein join our own Kip Boyle to discuss the importance of cyber insurance. The discussion focuses specifically on law practices, since this was recorded live for a group of law firms, but much of the content is just as useful to other industries outside the law, too.

First, Chris discusses what cyber insurance is and what it covers. There are different forms of cyber insurance, and there are different premiums offered based on the different types of breaches or suspected breaches that are covered by the policy. We also mention that it is necessary to identify a qualified and validated insurer, since there are lots of challenges that insurers are facing right now in terms of insuring against cyber threats.

During the discussion, a step-by-step process on what to do when a security breach happens is also laid out. Who do you contact? Who will scrutinize the incident report, and what will they look into? What is the relevance of insurance questionnaires?

If you plan to be a consultant, this episode contains a lot of great nuggets of wisdom you can use during your marketing and contracting phases, too.

What you’ll learn

  • What ABA Opinion is
  • What the NIST Security Framework is
  • How MFA, CISO, CLE, and MCCI are associated with cyber insurance

Episode Transcript

Jake Bernstein: 

I think a lot of people are like, “Oh, I’ll just watch it later.”

Kip Boyle: 

Oh, I do that all the time. Because everybody’s busy, double, triple booked. So, yeah. No, and I’m totally fine with that. Yeah. There’s going to be plenty of opportunity to see this later.

Jake Bernstein: 

Yeah. If nobody’s here, we’ll just treat it as a podcast recording.

Chris Brumfield: 

Sure.

Kip Boyle:

Yeah. Exactly. Yeah. Two podcast episodes in one day then. Thank you, Jake. This is great.

Chris Brumfield: 

Productive. It’s a productive day.

Jake Bernstein: 

Yeah. 

Kip Boyle: 

Chris, I can’t wait to hear the latest and greatest experiences you’ve been having trying to get coverage for people. Things are just moving so fast. I just feel like I have to talk to you all the time to see it.

Chris Brumfield: 

Yeah, it’s crazy. It really is. There’s very few insurers that will… There are a few left that will still allow you to have the… not have MFA in place. But one of them is requiring it has to be by the next renewal. It has to be in. So it’s just, it’s really interesting to watch how quickly… Insurance doesn’t move quickly. I mean, it’s a slow moving-

Kip Boyle:

Typically, yeah.

Chris Brumfield: 

Typically. But it’s pivoted very quickly. But it’s very interesting.

Kip Boyle: 

Yeah. I think I’ve shared with you before that, to me, this is like the emergence of fire insurance, right? Like the very, very, very beginning of the invention of fire insurance where Seattle and San Francisco had just burnt to the ground and we were like, “Let’s insure that.” Nobody knew… How do you build a city that’s fire resistant? Right? They had to figure it all out. I just feel like that’s what we’re going through here, right? Is how do you insure an organization and make it cyber attack resistant? 

I think this is fabulous because I think everybody’s always struggled for years. What works? Right? What actually works? I just think insurance companies are going to… They’re going to figure that out and they’re going to tell us. Right? Because they’re betting big that they’re right.

Chris Brumfield: 

They are. Your analogy is actually really spot on because it is this… It does work sometimes like a fire because you’ll have one infected party, someone clicks on the wrong link, and it just goes right through and then they spam a whole bunch of other folks, and they’re trusted. Then they click on a link. Well, before you know it, the houses are burning all around.

Kip Boyle:

Chris, you know where the term firewall came from, don’t you? That’s not a cyber security-made term.

Chris Brumfield: 

Yeah, that’s physical construction of a building because they had to have… They had these row homes or town homes and you actually had to create a fire wall that was thick enough to stop wire from… not water or wire, but fire from spreading from one unit to the next.

Kip Boyle: 

Yeah, exactly. We borrowed that term when we realized that we needed to compartmentalize our data networks. So I think that goes… It’s all tying back to fire insurance. 

Chris Brumfield: 

This is great because you’re actually… It’s nice to be speaking with a fellow nerd like myself because I also am a reformed contractor in a completely different life. So now, we’re talking to both insurance, fire insurance as well as construction at the same time. Just [inaudible]. And cyber. So, I mean, it’s best of all worlds.

Kip Boyle: 

What a great mashup, right?

Chris Brumfield:

Yeah. Yeah, best Wednesday ever.

Kip Boyle: 

All right. It looks like it’s top of the hour. So Melinda, you’re here, right? 

Melinda Miller:

Yes, I’m here. 

Kip Boyle:

Great. Do you think we should probably get this thing going? 

Melinda Miller:

I think so. 

Jake Bernstein:

We certainly can. We have two attendees. I usually would give people a couple of minutes just because almost everyone is probably hitting the join button now. So maybe, I say… I vote for a two minute delay, which is standard.

Kip Boyle: 

It may be standard in your line of work, professor counselor. 

Jake Bernstein: 

That’s right. I really should have gotten my professor [crosstalk]-

Kip Boyle: 

This is show business. This is show business.

Jake Bernstein:

Yeah.

Kip Boyle:

This is a different business.

Jake Bernstein: 

This is the pre-show banter you said you wanted.

Kip Boyle:

It is the… See? And I said it’s the show. I said it was a show, right? And the show must go on.

Jake Bernstein:

It is ultimately a CLE, but yeah. 

Kip Boyle: 

Okay, okay. Fine. It’s a mashup. That’s great. It’s a CLE, it’s a show. I’m happy to wait another minute so that we can get as many people from the top as possible. So yeah. So listen, for those of you who have joined, love the fact that you’re here. I’m not going to call you out by name because this is going to get recorded, this is going to get posted on YouTube and elsewhere. But when it comes to Q&A, if you’d like to share your name at the end, just know that we’re totally fine with that as long as you are. But we’re glad you’re here. Thank you so much. 

No, the audio didn’t go dead. I just took a sip. But I will say I’m seeing some names that I recognize and I’m taking notes to thank you later. 

Chris Brumfield: 

Glad you clarified so it wasn’t that I didn’t have such a menacing undertone. 

Kip Boyle: 

I’m all about menace.

Jake Bernstein: 

Well, we now have more than double the number of attendees as panelists, so I think we can start.

Kip Boyle: 

Well done. Well done.

Chris Brumfield: 

That’s the criteria. 

Jake Bernstein: 

That is definitely the criteria.

Kip Boyle: 

All right. Okay, Melinda. Let’s get it kicked off. Everybody, this is Melinda Miller. Go ahead, Melinda.

Melinda Miller: 

Hi, everyone. Welcome. I am really excited to be here with you today. I am here as an extra support, so if you have any questions, please put them in our Q&A section or you can reach out directly to me through the chat. I will answer all the questions that I can and then for all the other questions that are directed at Kip, Jake, or Chris, I will make sure that they answer them in our open Q&A section. If you’re having any trouble at all or something’s not working right or maybe you’re having trouble hearing one of us, please reach out to me. I will help you in any way that I can. Then the last part I wanted to share is we would love to hear from you guys, so if you have any comments or thoughts throughout the presentation, put them in the chat. Talk with us. It makes us more fun for us as well to get to know you. So with that said, I’m going to have Kip introduce today’s topic. 

Kip Boyle: 

Right. So everybody, this is a continuing legal education. You’re going to get one ethics credit. I’m not an attorney, but Jake says that’s super cool to get an ethics credit. For whatever reason, those things are rare and often boring. We’re going to try to make this not boring for you. But what we’re going to talk about today is cyber insurance. We’re going to focus primarily on how to buy cyber insurance for your law practice, but some of you had said… After we invited you to attend, I got a couple emails and folks were like, “Okay, but what if my client asks me, ‘Do I need cyber insurance?’ What do I tell them?” So we’re going to add that as well. We’re going to cover that in addition too. So feel free to ask us any questions about that. 

So who’s here on the panel today? There’s myself. I’m a virtual Chief Information Security Officer. I’m also the cohost of the Cyber Risk Management Podcast. So if you have any interest in cyber security from a management perspective, I would invite you to listen if you don’t already. My cohost is Jake Bernstein. So Jake, why don’t you go ahead and introduce yourself please?

Jake Bernstein: 

Thanks, Kip. To clarify, everyone, Kip is a real human. He is virtual in so far as he provides services to a multitude of different companies. Right?

Kip Boyle:

Yup.

Jake Bernstein: 

So I love that. Virtual. You’re a virtual CISO. He’s a machine, a robot. I am a practicing attorney. I’m a partner at K&L Gates in the Seattle office. Most of my practice these days focuses on data protection, privacy, and cyber security.

Kip Boyle: 

Great. Jake’s going to really, really cover for us thoroughly the aspects of cyber insurance for your law practice. We can all talk about the topic of what do you tell a client when they ask you if they need cyber insurance, but the real expert here on cyber insurance today is Chris Brumfield, who is our guest. Chris, please introduce yourself.

Chris Brumfield: 

Thanks, Kip and Jake. Well, my name’s Chris Brumfield. So I work with Alliant Insurance Services, or for them. I’m a professional liability advisor and cyber insurance specialist. I’m looking forward to helping folks. I’ve been doing this for, gosh, insurance, 13 years now with a little bit of background in the reinsurance world. So I got to work with the really complex and interesting world of reinsurance which actually is the hidden underpinning of the insurance that you all will be purchasing. 

Kip Boyle: 

Great. Chris, I really appreciate you being here. One of the reasons why Jake and I invited Chris to come join us is because this is a topic that is shifting fast. What’s interesting is that, as Chris observed when we were chatting before we started today, insurance dominantly is a very slow moving industry, very slow to change industry. But cyber insurance is actually the opposite right now. It’s moving fast and furious and people are scrambling to try to figure out what exactly should they be offering in terms of coverages and so forth and pricing and all that stuff. I don’t want to steal Chris’s thunder, but we’re really glad you’re here, Chris. So I’m just going to turn it over to you and if you could just please give us a primer on what is cyber insurance and how do you even begin to buy a policy?

Chris Brumfield:

Yeah, absolutely. I think it’s important, like you said before, Kip, that this really, while this is applicable for your firms, this is actually really applicable for your clients as well because we’ve heard from our clients as well as Kip has and Jake has, what do I talk with about clients? Do I have a requirement? Do I have a duty to bring this up with my clients? I would say it’s not a bad idea.

So what is cyber insurance? Well, you’re going to hear cyber breach, insurance for hacks, data insurance. You’re going to hear all sorts of terms, but really, cyber insurance is meant to cover you in the event that you have a breach. So if you are hacked or you are extorted or you’re a victim of social engineering, all of that is meant to be covered by cyber insurance. That can mean both the benign breach where someone has access to your system and nothing happens or where you are completely locked out and your computers and servers are turned to paperweights [inaudible]. 

It’s meant to… Indemnification. I won’t use a lot of insurance terms. I’ll try to keep it pretty tame. But it’s meant to indemnify you. Literally as the slide says, it makes you whole again. So it brings you back to where you were before you had the breach.

There are a few different forms. You might find that some insurers will throw this cyber insurance. They’ll add it onto an existing policy you already have. We see that in the form of whether it’s a professional liability policy or it’s a crime policy. They’ll add some throw-in coverage. I jokingly say oftentimes that’s better than nothing, but it can be throwaway coverage because what they do is they’ll sublimit that and so they’re either going to put a real small number on that that isn’t usually adequate if you have a breach or it’s going to erode your practice policy. The problem with that is you have… Typically, law firms are going to have what’s called claims made and that’s called a wasting policy. The reason it’s called a wasting policy is as soon as the attorneys are involved as well as the cyber specialist in there, that that all goes against that annual aggregate. So you’re effectively taking the protection out for malpractice and you’re depleting that with the cyber claim with a probably inadequate sublimit.

Kip Boyle:

I didn’t even know that was a thing. I did not pick that up from prior conversations, Chris. That’s great. 

Chris Brumfield: 

We’ve had so many conversations on this, but yeah, it’s a fascinating world. At least, I get excited about it. 

Kip Boyle: 

Well, I’m glad you do because somebody has to. Why not just give it to somebody who really enjoys it? 

Chris Brumfield: 

Yeah. One of the questions we are frequently asked is what does it actually cover, and it’s actually really broad. So it covers everything from the moment… I almost joke that it’s prepaid assistance, having a prepaid SWAT team if you have the right insurer, because not every insurer is equal. They’re not all created equal. If you have the right insurer, they have a SWAT team on standby that is going to respond. So you have your cyber attorney, you have your IT specialist, and you have your cyber forensics specialist. So if you have a suspected breach, even just you just think there’s a breach, you effectively have prepaid with your insurance premium to have those folks on your retainer, I would say. So they’ll spring into action, help you identify with your IT folks if you’ve had a breach, and then they help you patch that breach and they help you figure out how to get to where you were.

What’s really important to this is the notification requirements for different states are all different. Every state has its own notification requirements. You have to meet those requirements if you have a breach or a suspected breach. You have to meet those. So the nice thing about cyber insurance is they help you meet all of those on your behalf. 

Kip Boyle:

Yeah. Then I just want to make a comment about… Well, you said how you’ve sort of prepaid for some highly technical services. I think that’s really cool because if you need a digital forensics team on a no notice basis, that’s difficult. That’s very difficult.

Jake Bernstein:

It is.

Kip Boyle: 

Right, Jake? I mean, you’ve seen that. I’ve seen that.

Jake Bernstein: 

It’s hard. 

Kip Boyle: 

Yeah. 

Jake Bernstein: 

Yeah.

Kip Boyle: 

Now, there’s a potential issue too though, right? Because we just saw this with an incident that Jake and I are responding to right now where the insurance company offered digital forensics, but it was kind of compromised a little bit, right? Jake, do you want to just give a little thumbnail sketch of what sometimes can be a downside to that approach?

Jake Bernstein:

I mean, in this particular incident, the insurance company fully owned the incident response firm and it was… I think it was a situation where we might have had some adversity with the insurance provider and because of that, the idea of only being able to use their kind of captured forensics firm was not well received.

Kip Boyle: 

Right, right. Not every insurance company operates like that. This one happened to. Anyway, so it was just, Chris, as you were talking, I realized that this is stuff that’s coming up in the real world as Jake and I practice our trade here, so I wanted to put it out there. What do you think about that, Chris?

Chris Brumfield:

I think you’re right on. That goes back to having the right insurer and understanding how to handle their claims and having maybe, perhaps, preselection of counsel before you have a breach. You say, “Hey, I’d like to use Jake. He understands this world and I would like to have him pre-authorized.” You’re not always going to get it, but if you don’t ask, you’re not going to get it-

Kip Boyle: 

And in this-

Chris Brumfield:

and that is important. 

Kip Boyle: 

Yeah, and I think, Jake, if I remember right, in the incident that I just mentioned to you, that’s what happened, right? Is that the insured ended up going with people who were not on the pre-approved list and there was a little… like a negotiation process to make that happen, right? 

Jake Bernstein: 

Yeah, that’s right. I mean, Chris is correct. In a way, the client’s lucky that the insurance provider was even willing to do that because many are not.

Kip Boyle: 

Okay. Well, cool. So right. So Chris, are you ready to talk about how to buy an appropriate policy?

Chris Brumfield: 

Yeah, absolutely. So the marketplace, we already talked about finding qualified validated insurers. Something that’s underpinning this as well that you probably should be aware of that [inaudible], if Kip doesn’t get it to, Jake would, there’s a cyber breach epidemic or pandemic happening right now. It really, it’s just the proportions are staggering. The last couple of years, there has been an increase of 200 to 300% in claims. This is only the reported claims. You know someone. You are working or know of someone who has been affected by a breach or their firm has and they might not have coverage and they are not talking about it. It is absolutely not talked about.

Behind this, you also need to know there’s reinsurance. So insurers buy reinsurance to, just like you buy insurance, to transfer that risk. So in the event they have large losses, they get reimbursed. The reinsurers, many have lost their [inaudible] or they are pulling back or limited their capacity, is what it’s called. So that makes the primary insurers, who you buy your insurance from, it makes them even more nervous when they go, “Wait a minute, we can’t even get coverage,” or the coverage is increasing by 50 to 100% in costs. “Wow, we need to really be concerned with this.” So that’s underpinning. If the reinsurers are nervous, then their primary insurers get really nervous.

Kip Boyle: 

Now, this is kind of like coming into an inside baseball thing now. Right, Chris? Because most people, they don’t understand what reinsurance is and generally they don’t need to. They don’t need to know or care about it. But I think this is a really interesting sort of peel back the cover comment that you’re making about the fact that this is really uncertain ground that everyone’s standing on right now. 

Jake Bernstein:

How far does this go, right? Does reinsurance get re-reinsurance and re-re-reinsurance? I mean, I assume it stops somewhere. But the practical question, I think, Chris, for you to maybe talk about a little is do you see a situation where there’s going to be clients or even small law firms who can’t get cyber insurance? Is that a risk right now?

Chris Brumfield: 

I would say in some ways, effectively we are facing that. That’s because the-

Jake Bernstein: 

Oh, wow.

Chris Brumfield:

the insurance industry as a whole is slow moving, like Kip said, but in cyber, they’ve been very quick to identify that they are just getting hammered. I’m not here to be an apologist for them. They chose to write those policies. But they have been absolutely brutalized. They have all adopted just about… There are a few that will offer it now, but you have to have certain requirements like MFA in place and the underwriting-

Kip Boyle: 

Multifactor authentication.

Chris Brumfield:

Yeah, multifactor authentication. They won’t write it. The few that will, they’re also requiring that you have it in place within the next year. So that’s inside and outside MFA or multifactor authentication. So what they’re doing-

Jake Bernstein: 

Weird.

Chris Brumfield: 

Oh, go ahead.

Jake Bernstein:

If only someone had said this three or four years ago. 

Chris Brumfield: 

I feel like if we go back in the archives of your podcast, it probably is going to be addressed [inaudible] twice.

Kip Boyle: 

Yeah.

Jake Bernstein: 

Oh, yeah. Just a few times.

Kip Boyle: 

Yeah. Well, and this is fascinating because this is very reflective of what we see in the cyber security space, which is it’s an arms race, right? So remember, I’m sure everybody on this… I know everybody on this panel and probably many attendees remember a time when you could just walk up to a computer, touch the space bar, it would wake up and you could use it. No password required. Then we needed passwords, but we could put ABC123. Then, oh, no, that’s not good enough now either. We need to also use our username. Just over time, I think, just got more and more locked down. Well, that’s because the cyber attackers got better and better and better at stealing our stuff. 

So now, here comes the insurance companies and they’re going to figure out what really works, which I love that, and they’re going to tell us. I think that’s fantastic because that’s what we really need to know. Just like firewalls in row apartment buildings, just like airbags and daytime run lights on passenger cars. Right? Like our cars-

Jake Bernstein: 

Sprinklers.

Kip Boyle:

Sprinklers. So our buildings and our cars are safer today than they were 40 years ago because insurance drove standards to decrease the risk of a claim. Would you say that’s right, Chris?

Chris Brumfield: 

No pun intended. Yeah. Absolutely. There is a long… That could be a whole podcast, a whole session on how the improvements in auto safety have been driven by the insurance industry and fire safety. I mean, there’s a myriad of ways it’s underpinned and improved the world we live in.

Kip Boyle: 

Yeah, and I think that’s happening here with cyber, right? I absolutely believe that the same thing is going to happen to the best of their ability. I just saw a news story the other day that said that in the leadership vacuum on the national level with respect to the Office of the Presidency, Congress, and so forth, insurance companies are now having to take a leading role on the national stage because nobody else will do it and they desperately need it.

Jake Bernstein: 

Yeah, and in the cyber space, it’s really very similar to, we use the term cyber hygiene, it’s very similar to life insurance. Right? You can buy life insurance, but they’re going to come and they check your blood pressure, your cholesterol. They check your medical history. If you’re a smoker and you report five drinks a day and never exercising, if they decide to cover you at all, it’s going to cost you a lot more. As was alluded to, Kip and I have been wondering for years now, even when we first met Chris and his partner, Jay Soroka, when is cyber insurance going to wake up and start doing this? Apparently the answer is not that long from when we asked the question, at least in the scheme of things.

Kip Boyle: 

Yeah.

Chris Brumfield: 

We feel it’s maybe a few years behind. It was already felt like at times, the pricing was throwing a dart at a dart board. But they’ve changed. That’s part of the insurance requirements, or insurer requirements. The underwriter is using a lot more scrutiny. They have adopted much more high tech than previously, their methods where they do passive scans before they’ll insure you and they identify potential weak points. Part of that, and we were talking about coverage and availability, and this is partly in bundling, I don’t want to get too far off the agenda because I know you folks probably want to know about bundling, you can bundle certain insurers and that works pretty well. Others, probably not the best route. So you’d want to ask, go ahead and talk with your broker. I’m always happy to help if you have questions. But effectively, they’re either underwriting out bad risks, so they’re saying, “We can’t offer this,” or they’re limiting coverages. 

So we’re seeing that with limiting social engineering. If you have a $1 million policy or $5 million policy or whatever it is, there is going to be a sublimit for social engineering. Maybe that’s 100,000 or 200,000, but they’ve tamped that down. What that tells me when the insurance industry’s requiring multifactor authentication as a prerequisite to get a policy and they’re also limiting in certain segments like social engineering, that’s where they’re getting hit, and they’re getting hit hard. So they’re responding in that way by limiting the coverage.

There are some insurers that have… they have also sought to differentiate themselves by having betterment, so they’ll help you upgrade your system if it’s sorely in need of that so that they can help you block breaches. Or they’ll cover… Like one insurer I can think of, I won’t say their name, but they don’t have a deductible for computer forensics or legal experts. So if you have a claim, and that’s where most of your costs are going to pull up for first party coverage for your firm. So that’s a pretty important distinction you’re going to want to take a notice of.

One other, exclusions. One exclusion from one policy, they defined devices that are covered, so what your cyber insurance will cover, and everyone’s working from home, or at least partially at this point, as any device that is not… It’s not considered a covered device if it’s not owned or leased by the firm. So it’s effectively… Yeah. Kip gets it. Effectively, they were excluding any personal devices. I would make the case, if I’m that manager, “Well, gosh, you had a breach, but it actually came through one of your employee’s home router. It literally had to get to them through that router. So because of that, it’s not a covered loss.”

Kip Boyle: 

Well, not only that, Chris, but this whole BYOD. Right? Bring your own device. None of that’s corporate-owned.

Jake Bernstein: 

That’s brutal.

Kip Boyle: 

So there can be large swaths of incidents that won’t get covered because people have a BYOD. That might actually fuel the shift back to corporate-owned devices.

Chris Brumfield: 

Yeah, and there’s creative ways to get around it, but you have to know what the policies say. It’s really important to actually read them. Other exclusions that you can find are the CCPA, which I know you’ve talked about before. California Consumer Protection Act. There are statutory damages where you are going to end up being on the hook if a California resident, and I believe, Jake, you might know the exact amount, it’s either $750-

Kip Boyle:

It’s the private right of action, right?

Jake Bernstein: 

700… Yeah. It’s the $750 statutory damages provision of the California Consumer Privacy Act.

Chris Brumfield: 

Not all insurers cover that. So some insurers will cover the CCPA, some won’t. So what happens is you have a potentially very expensive loop or missing portion of coverage if your insurer isn’t going to cover that. Because you’re on the hook for that and that’s not proving they had any damages. That’s just saying, “I live in California and I was a member of the breach.” You can have a real big opening there, especially if you have a number of clients that are California residents or consider themselves to be. 

Kip Boyle: 

So I want to move along to an aspect, an angle of this that I want to make sure people understand, which is making sure that you have the right coverages. Then we’re going to hand it off to Jake and Jake is going to talk about the specific legal aspects, right? The specific obligations that attorneys have and why cyber liability insurance may be a good thing to purchase for their practice.

But this is a really old case here that I’m bringing up. This has to do, obviously, with a restaurant and not a law firm, but I just think it’s a really good way to illustrate this point that you need to make sure that you have the right coverages. You just absolutely have to. In 2014, P.F. Chang’s had a credit card data breach and one of the consequences of that is that Bank of America charged them $1.9 million to cover the costs of reissuing all of the credit cards that had been breached. So P.F. Chang’s filed that as a claim. So Chubb was their carrier. They had paid a $130,000 premium for their cyber policy and Chubb denied the claim, and so Chang’s took them to court and they lost. So the upshot, and Chris, this is where I’m going to hand it off to you, is that it seems that they didn’t have the right coverages in place, right?

Chris Brumfield: 

Mm-hmm (affirmative). Yeah.

Kip Boyle:

I think they had first party coverages, but they didn’t have third party coverages.

Chris Brumfield: 

Yeah. That gets into knowing what you’re buying and educational approach. You need to understand what you’re purchasing and why, and frankly, you need to have a broker that understands or will explain why. I mean, I would not want to be a part of that claim or a claim similar to that because I think the first step that P.F. Chang’s or a client would take would be, “Well, why didn’t you tell me about this?”

Kip Boyle: 

Yeah. For sure. That’s a big lesson, right? That’s a huge tuition payment right there, $1.9 million, to get to learn that lesson. But anyway, so folks, I mean, that’s just another thing that we want to make sure that you understand, is that you have to know what your coverages are and you need to know what your exclusions are too because as a risk manager for your firm, you have got to manage to your exclusions, right? You have got to know where you don’t have coverage so you can add additional protection. As your chief information security officer for this hour that we’re together, that’s how I think about that. Any last words, Chris, before we turn it over to Jake?

Chris Brumfield:

Well, last words would be, and I don’t care who you talk to or purchase from, but if you don’t have cyber insurance already, you’re sort of flying uncovered out there, so just consider it or think about it because it’s relatively… The amount of risk you get to transfer over is pretty big for what you actually pay.

Kip Boyle: 

Even though coverages are going down and costs are going up, you still think it’s worth it?

Chris Brumfield:

I still think it’s worth it. I wouldn’t be comfortable if I was operating a business without it. 

Kip Boyle: 

As a broker, you could always choose not to offer it if you didn’t think it was worth it, right?

Chris Brumfield: 

Oh, yeah. And there’s some clients where… I just was in a discussion yesterday with a very small firm. They’re just getting their feet off the ground. It didn’t make sense for them at that point because they would easily recreate anything they had. But if you’re in a situation where downtime, you have to figure out how much is this downtime going to cost if we’re down because of a breach because some… All it takes is someone clicking on the wrong link. We have a firm actually that that actually happened. They clicked on the wrong link and bam, $11,000 in losses right away.

Kip Boyle: 

Yeah, it’s breathtakingly easy to fall into something like this. It shouldn’t be, but it is. So on that note though, let’s turn it over to Jake because he wants to talk about rules of professional conduct. This is the very, very lawyerly part of the conversation now that we’ve introduced cyber liability insurance, what it is, and what’s going on. So Jake, you just let me know when you want to see a next slide. I’ll go ahead and drive slides for you.

Jake Bernstein: 

Great. Well, go ahead and advance by one. While you’re doing that, I’ll just answer this question in the chat. Is this something that even small businesses need? I would say yes because I think there’s affordable policies because you’re… I mean, look, if you’re really small, the exposure to the insurance companies is significantly lower. So I think everyone needs it, yes. I think a solo lawyer office needs to pay attention to this.

Kip Boyle: 

At least consider it.

Jake Bernstein:

At least consider it. Let’s dig into why, but go ahead, Chris, before I start.

Chris Brumfield: 

I was just going to say, if you’re looking at a benign breach, those can be anywhere from $7,000 to $10,000 depending on how many… I mean, the forensic specialists are billing at attorney rates in some cases. So yeah, if you can afford just to throw $7,000 or $10,000 out for a claim and you have one or two of those a year, which we had a client have, a small one, then that’s fine. Or maybe you spend 3,000 on an insurance policy.

Jake Bernstein: 

Yeah. What we’re going to talk about here is the ABA 2012 Technology Amendments. The reality is that even though these were originally proposed, gosh, what is that, almost-

Kip Boyle: 

Nine years?

Jake Bernstein: 

almost 10 years ago.

Kip Boyle: 

Yeah.

Jake Bernstein: 

Yeah, nine years. Is that, I want to say, at last count 39 or 40 of the 50 states and territories have adopted these amendments in one form or another. I would encourage the individual lawyers who are outside of… So Washington State did in 2016. I can just say that right out front. Everyone else, if you’re not a Washington State lawyer, I would go check the status of this. There’s sites that track it. But basically what the ABA did was said, “Okay, we’re going to provide these amendments.” Some of them are just comments, so Model Rule 1.1, which we’ll get to in a moment, is the straightforward competency rule. Then they added actual Model Rule 1.6(c), which we’ll talk about more. Then they have got some formal opinions. So go ahead and advance slide deck.

So this is Comment [8]. What it did was it really just added that one clause starting with including the benefits and risks associated with relevant technology. So small change, big impact. Lawyers need to know what their technology does for them. If we have any older lawyers on the call, you might remember that there was debate about whether or not lawyers could use email. It took time before the bar associations decided that, yes, it was ethical to use email. There were questions about the privacy, you had questions about the attorney-client privilege. Don’t make fun of us, Kip.

Kip Boyle: 

It just seems so quaint. I’m sorry. 

Jake Bernstein:

It does, right? It does. It certainly does now.

Kip Boyle: 

Yeah, now. Now, it does.

Jake Bernstein: 

But when it first existed, it was not so much. There is a whole ABA formal opinion specifically about that from the early ’90s or maybe it was even mid-’90s. But go ahead and move forward.

Kip Boyle: 

Sure.

Jake Bernstein: 

So what it says is that now, competency includes the understanding of the technology that you use to deliver legal services. That has really changed immensely. Fortunately, fortunately, the competency requirement can be satisfied either by your own individual study or through the association with a qualified lawyer or non-lawyer assistance. So you could have an IT department. You could hire a virtual CISO. That’s all acceptable in terms of being competent. Go ahead, please.

1.6(c) on the other hand is a much bigger deal. The text of the model version is a lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client. So this is obviously, 1.6, is the confidentiality rule. This adds this whole idea of what ultimately becomes reasonable cyber security. What we see is that Comment [18] says that a lawyer has to act competently to safeguard information and you have to supervise folks, right? It’s not just the lawyer, but it’s also anyone who is subject to the lawyer’s supervision. Then go ahead and advance, please.

Kip Boyle:

Here you go.

Jake Bernstein: 

Then here is this other really, really important one, which what it boils down to is, and I’ll let people read it, but what it really says is if you’ve taken reasonable efforts to prevent the access or disclosure, inadvertent or unauthorized, then it’s not a violation of paragraph (c). In other words, it is only a violation if you have not taken reasonable efforts to prevent the breach of information. So go ahead.

So the first of the two formal opinions I want to talk about is 477, May 11th, 2017. Now, the ABA rules state that I cannot provide copies. However, you can google it and download it. So I highly recommend that you do that. This one, 477, really, one, it actually cites back to the email opinion and it really focuses on 1.6(c) and the reasonable efforts. Of course, because lawyers wrote this, it is a factor-based examination. It is not susceptible to hard and fast rules. You see immediately that the ABA rejected requirements such as firewalls, specific types of passwords, and instead went with a, yes, Chris, it means it’s a constantly moving target, which is important, right? Because as Kip mentioned earlier, the innovation from the attackers’ side is nonstop. 

What you see here is that what’s crucial is the process that you follow, the process to assess risks, to identify and implement appropriate security measures that respond to those risks. You have to verify that they were implemented and then ensure that they are continually updated. Absolutely having cyber security insurance is a component of this risk analysis and the types of measures. So advance, please.

Kip Boyle: 

Here you go.

Jake Bernstein: 

This formal opinion is full of guidance. One of the things it says is, hey, determine how electronic communications regarding client matters ought to be protected. It’s always a good idea, label what is confidential, have some kind of information classification policy. Make sure that you’ve trained not only the lawyers, but the non-lawyer assistants. This is a big one. Do due diligence on vendors providing communication technology, particularly if you’re not using a super well-known one. It’s really, really important that you can be responsible for hiring a company to help you that itself is not secured well. Next slide.

Kip Boyle:

So Jake, can I ask a question real quick about minimum viable? Because I talk to my customers all the time about don’t try to write huge, thick tomes of how to do stuff. Right? Just make it the least that you can make it and still get the job done. Right? Take a minimum viable approach. Does that work here in terms of 477?

Jake Bernstein: 

I think it does because I think you’re going to be iterating on that, right? If you take a minimum viable approach and then you stop, I think you might have trouble. But I think if you… I think the opposite is actually true. I think if you start with a minimum viable approach, you can at least say you’ve done something. Imagine a situation where someone has let perfection be the enemy of good and they’re just like, “We don’t have anything in place until we get it perfect,” and then something happens to them. That’s not the greatest position to be in, right? I don’t know that that’s particularly reasonable to expect. Yeah, that’s a good point.

Kip Boyle: 

Okay. Because I just know a lot of people are put off because they think that these policies have to be, like you said, perfect or they have to have thought in advance about everything, and if you can’t do that, then you might as well not do anything at all. I just wanted to be clear that even for the attorney, trying to follow these rules of professional conduct, don’t let that stop you. 

Jake Bernstein: 

Well, the irony of the situation is that all of this trouble is caused by digital technology, a very binary reality. But cyber security and compliance are anything but binary, right? They’re as analog as you can get. They’re a spectrum. One is not simply compliant or not compliant, or secure or not secure. It is a constant evolving situation. 

Okay. So the next one is the slightly newer one, October 17th, 2018, 483. This one is specifically about what you have to do after experiencing a data breach. I’m going to go relatively quickly here to leave time for questions. But basically this particular publication talks about, well, what is a data breach, how do you know if you’ve been breached, what do you have to do after a breach is discovered, et cetera, et cetera. So let’s go ahead and dive in.

So this is really fascinating. A data breach, for purposes of Formal Opinion 483, is a data event where material client confidential information is either misappropriated, destroyed or otherwise compromised, or where a lawyer’s ability to perform the legal services for which the lawyer is hired is significantly impaired by the episode. That last one is fascinating. It’ll show up a few times and we’ll talk about it.

So a few hypotheticals, because it wouldn’t be a CLE without a hypothetical. If there’s no actual compromise of material client confidential information or MCCI, then it’s not a data breach. If there’s exfiltration or theft of MCCI, then clearly it is a data breach. Now, interestingly enough, ransomware that didn’t access any material client confidential information, but blocked the ability to use the information, still would be considered a breach. 

Then this is the most fascinating. Let’s say there is no MCCI involved at all. The only thing that happened is that your IT infrastructure has been hosed. That is still considered a breach if you can’t perform legal work because, particularly in court, I would actually wonder if it has happened where someone stands up in a hearing and says, “Your Honor, I was not able to submit the brief or prepare for this hearing because ransomware destroyed my computer.” I don’t know. I honestly have no idea how that would go over. I think some judges might be understanding. I think others might be not so much. So I think it’s an interesting question.

Kip Boyle: 

Chris?

Chris Brumfield:

I think it’s worthwhile to point out that all four of those items would be covered by cyber insurance. 

Kip Boyle:

Wow. Well done.

Jake Bernstein: 

Yeah, that’s very good. Okay. Let’s go to the next one.

So how do you know you’ve been breached? Well, I have news for you. You have to pay attention. There was a brief discussion in the ABA Formal Opinion about, well, do these responsibilities ever get triggered if we don’t check and if we don’t know? They decided, I think, pretty quickly that ignorance is not bliss. You cannot stick your head in the sand. You can’t be the ostrich. So you have to employ reasonable efforts to monitor your technology and office resources connected to the internet. So really, that, I think, is fairly straightforward.

Kip Boyle: 

This can be hard to do. Right, Jake? But, I mean, it’s straightforward to understand and to say, but actually, it can be very difficult to do because most malicious code these days installs silently. Right?

Jake Bernstein: 

Well, it is hard. In fact, detect is one of the three primary functions of the NIST Cybersecurity Framework. So it is not at all a trivial component. This is a major… Detection is a major, major deal. 

Kip Boyle: 

Yeah, and it can be very hard to do.

Jake Bernstein:

And it can be very hard. But what the ABA says is that’s too bad, lawyers, you have to do it. I mean, really, this is the only reasonable conclusion. Other implications are that law firms, you do have to know whether your employees are following the firm’s cyber security policies and procedures. Then there are other regulatory and legal provisions, right? CCPA might still apply to you. 

For employees, again, this hearkens back to Model Rule 5.1 and 5.3. You have a duty to supervise and train. It applies to associates, other lawyers, non-attorney staff, and even third-party vendors. So it extends. 

Are hackers really smart? They certainly can be and yes, sometimes they have nation-state resources. The point of this question was basically, look, is it fair to say that I have to prevent attacks if the Chinese military or Russian mafia wants to come after me for whatever reason? What the ABA said was, okay, the legal standard in the broader marketplace is not perfection because perfection is impossible. Instead, what they said was that ethical violations will occur primarily through inaction, right? So the requirement is for reasonable efforts to avoid data loss, detect cyber intrusion. It’s not for thou shalt not get hacked or breached. So what they really focus on is the lack of reasonable effort plus a breach that will lead to an ethical violation. Advance.

Okay. So you’ve been breached. Now what? So really, the first thing you got to do is stop the bleeding, right? Patch the hole. What that means is ensure that, one, you know where all the holes are and that information isn’t leaking out of your digital corpus. That may make no sense, but I went with it. So how do you do that? Well, be prepared. You have an ethical duty to act reasonably and promptly to stop the breach and mitigate damage resulting from the breach. How do you do that? Well, the best way is to proactively develop an incident response plan and practice it.

Again, this is a huge component of where cyber insurance can help you. As Chris mentioned earlier, an incident response plan is going to involve resources. It’s going to involve forensics, counsel, et cetera. All of that will be covered. And not only is it covered monetarily, but it’s right there. It’s like right there at the fingertips. You don’t have to go and find it. You don’t have to go and figure out who to call. It’s all on your policy. It’s super helpful.

Kip Boyle: 

Yeah. I love the concept of a data breach coach, which I don’t think we’ve mentioned so far in this session.

Chris Brumfield:

No, we haven’t.

Kip Boyle: 

So Chris, would you just give a very quick thumbnail sketch of what a data breach coach is when you have a policy?

Chris Brumfield: 

They are your point person and usually, depending on the insurer, you’re going to hear from them within 30 to 60 minutes. Literally that quickly. They walk you through the entire process. You don’t have to know who to contact, you don’t have to have your Rolodex. You call the insurer, the data breach coach walks you through and connects you with everyone you need to be connected with.

Jake Bernstein: 

Real quick, I noticed that we got a question. I think it was sent just to me, so I’ll read it. We work 100% onsite. Does the underwriter look at less exposure, for example, because you’re a city that does not work remotely and blocks all overseas connections or is that entity going to get lumped into the rest of the market with other remote work situations? Chris, please answer, but my guess is that no, one of the things we’re seeing is that insurance companies are taking a, okay, let’s actually look and analyze the risk posed by every individual customer.

Chris Brumfield: 

Yeah. Yeah, the underwriters are scrutinizing that more. That would be something we would actually highlight to the insurer as well, to the underwriter. They do passive scans as well. So they’re much more involved and it’s not just here’s your policy. Thanks for completing a one-page application.

Kip Boyle:

Like they used to be.

Chris Brumfield: 

Some of the applications are five… Yeah, it used to be that way. Now, some of them are five to seven with lots of follow-up questions and you have to anticipate some of those. But that’s a good point and you can point that out to your cyber insurer. 

Jake Bernstein: 

Yeah. Yeah, cyber insurance questionnaires probably always should have looked like the due diligence work that I do on M&A. The reality is until recently, they-

Kip Boyle: 

They didn’t know what to ask.

Jake Bernstein: 

They didn’t know what to ask, but… They just did not. Right? A one-page form-

Kip Boyle:

Yeah, they just didn’t know.

Chris Brumfield: 

No, they didn’t.

Kip Boyle: 

Now, they do.

Jake Bernstein: 

Yeah. Okay, so specific information about what your incident response process should look like. This is straight out of the ABA opinion. You can also find information at the NIST Cybersecurity Framework. That’s nist.gov. Basically, the incident response process, these are the things you got to do. I want to move it along, so I’m not going to read them all. But this is the goal.

Who do you call? So again, we just talked about this. You have the added problem as a lawyer of respecting duties of confidentiality, but you can call your own lawyer, definitely the insurance company. Generally I recommend law enforcement. You do have to do some additional analysis about whether the client would object, if it would harm the client, would it benefit the client. Then, yes, don’t forget your actual client. Next slide.

Kip Boyle: 

Hold on, Jake. I know we’re time pressed, but there’s a lot of choices when you call law enforcement. Are you calling the beat cop down the street or are we calling the city PD? Who are we calling?

Jake Bernstein:

So if nothing else, you can call the city police department. Ultimately though, it’s the FBI and the Secret Service.

Kip Boyle: 

Yeah. You can find them on the internet pretty easily. There’s a cyber crime task force in every major metropolitan area. So think FBI first. 

Jake Bernstein: 

Yeah. FBI first. Must you call your client? So this is an interesting question, right? Look, we wouldn’t want… No one would want to call their clients and admit that we got breached. It would be a horrible thing to do. Generally speaking though, the ethical duty is to, yeah, you’re going to have to keep your client informed. If MCCI was actually or reasonably suspected of being accessed, disclosed, or lost, yes, you do. Former clients, it’s less clear. I recommend that you agree on a records return or destruction policy so you simply don’t have that information to be breached. Then if you don’t have any MCCI, you don’t have to worry about notifying former clients. So go ahead and next slide.

Kip Boyle: 

Yeah.

Jake Bernstein: 

This is interesting. What do you have to tell the client, right? So I’m sure at this point, I would be shocked if there was any adult living in the US right now who has not received at least one breach notification email or letter from someone. Most of the time, they don’t say much. What the ABA considered is are those really good enough for lawyers? I think that they’ve come down on the side of no. You really need to be a little bit more specific. You need to provide enough information so the client can decide what to do next. You have to tell them the extent of the access or disclosure. If you don’t know that, what reasonable steps were taken and weren’t successful or, if they’re still in progress, what you’re going to do next, and then to keep that going.

So it’s more than just the statutory data breach notification laws puts on the average business. Lawyers have to go further. So go ahead and next slide.

Kip Boyle: 

Sure, and that brings us to the end actually. So Jake, before we transition into Q&A, is there any last thoughts?

Jake Bernstein:

I just cannot emphasize enough the need to take this kind of stuff super seriously. I don’t know of any bar associations taking ethical action against a law firm or a lawyer yet. However, there have been class action lawsuits filed against law firms for basically failing to adequately protect client information. So I would bet though that as this is percolated in the industry that there will be moments, there will be disciplinary proceedings regarding this. 

Kip Boyle: 

Okay.

Chris Brumfield: 

I’d also add that if you haven’t seen it yet, either yourself, your firms, or your clients, it’s going to start being required to actually cover cyber insurance or to carry it. Because we have seen that happening where we’ve had requests for folks to have it and, say, probably 80 to 90% of our clients have cyber at this point. That was probably 50% a few years ago. But it is being required because we’ve had clients come to us and say, “We need cyber insurance tomorrow because we have a client that is requiring it.”

Kip Boyle: 

Yeah. So that’s what, in my line of work, I would call that supply chain pressure. Right? I can’t do a deal unless I have it. So it’s the cost of getting this deal closed, right? So Jake, when a law firm is advising a non-law firm, I remember that there’s… Doesn’t the inside counsel issue some kind of requirements to the outside counsel? What is that?

Jake Bernstein:

Yeah. OCGs, outside counsel guidelines. Yeah. What it is is it’s basically the equivalent of your typical security policy or set of requirements that non-lawyers, that businesses pass between themselves all the time. It’s what the law firm is expected to do in order to actually provide services. So particularly common with regulated industries. You can’t represent a bank or anything like that without dealing with the OCGs.

Kip Boyle: 

Right. Okay, okay. All right. Thanks. I thought there was a legal equivalent of that. All right. So we’ve reached the end of the prepared material, the things we absolutely wanted to share with you so that you could be well-informed on this topic. If anybody has questions, we’d love to take them now. So let me pass it back to Melinda to coordinate questions.

Melinda Miller: 

Thank you, Kip. So it looks like we did a fabulous job of answering a lot of the questions throughout the presentation, but if anyone has any other questions, feel free to put them in the chat or in the open Q&A, whichever’s easiest for you. We’d love to answer them. I’ll give you guys a few minutes to get them in.

Kip Boyle:

If you don’t have a question, maybe you’ve just got a comment like, “I’m overwhelmed,” or, “You have got to be kidding me,” or, “Who are these jerks that are making our lives so miserable anyway?” Anything like that.

Jake Bernstein: 

Criminals.

Kip Boyle: 

Yeah. It is. It really is. It’s criminals. So I’ll just share this statistic. This year, the global loss for cyber crime and cyber failures is approximately $6 trillion. If you aggregate all that up the way I just did and compare it to other national economies, it’s actually the third largest economy on planet Earth behind the US and China. It’s expected by 2025 that number will increase to $10 trillion. In 2015, I think it was less than a trillion. To just give you an idea of how fast this has accelerated and the hockey stick-shaped curve that it’s become. There’s really no end in sight.

Chris Brumfield: 

No.

Kip Boyle: 

There’s no end in sight. Our governments have no idea, really, what to do about this. They’re frantically trying to figure it out, but they haven’t. There’s just nothing on the horizon that is going to suggest that we’re going to see this fall off or even level off. It’s awful.

Jake Bernstein: 

Other than starting to… Look, part of the reason is that no one was prepared, right? We have a long way to go. This is another situation where we really are all looking for cyber herd immunity, but that requires everybody to play a part and we’re not there yet.

Kip Boyle: 

Yeah, that’s true. I mean, this is not unlike what we’re wrestling with as a nation with-

Jake Bernstein: 

And I say that because we don’t want people to think it’s hopeless, right? I think that’s a dangerous impression to give, is that, oh, we can’t stop it. Individually, there’s not that much that we can do about the overall trends, but the more the people individually take action, like these practices will work. They will reduce risk. Activating MFA, using these concepts like the Essential Eight from the Australian Signals Directorate, really, there are things that work. Let’s see-

Kip Boyle: 

Yeah. Well, let’s talk about that because we just got a great question on that point. 

Chris Brumfield:

Exactly. Exactly. The question is that are you facing a CIO that was trying to create a loss prevention strategy instead of using cyber insurance. I’d say the first part of that is great. So the fact that there’s a loss prevention strategy being used, critical. I’d say that is the first step. But what needs to be understood is that cyber insurance doesn’t mean the CIO is going to be put under the microscope and told they’re doing a bad job. It’s meant to work alongside with and to make the CIO look even better because they’re looking at the risk from a holistic standpoint. It’s not meant to take over their job or tell them they’re doing something wrong. It’s really meant to partner with them and to help them in that, because they see this day in and day out. 

So unless your CIO specializes in cyber breaches, and that’s all that he sees or she sees every day, then they are not going to be able to handle it or understand it the way that either… Jake, you deal with this all the time. Or the cyber insurers, that’s all they do for a living. Quite literally. Yeah, refusal to use MFA, that’s going to be hard. There are some insurers you can place with. The insurance industry as a whole has said, “Well, gosh, 98% of breaches could be avoided with MFA.”

Jake Bernstein: 

Well, I mean, I would say that if that city official was my client, I would tell him or her that refusal to use MFA is essentially per se unreasonable and that if that person was an officer or a director of a corporation and owed fiduciary duties to the corporation, he or she would be in breach of those duties by taking that attitude. It’s a tremendous liability that would create instantaneous problems. So that, I think… No, I don’t see a trend of organizations going rogue on cyber insurance. I think cyber insurance is harder to get, but these days, really, the act of getting it and doing what’s required to get it is protective. 

The insurance companies aren’t coming up with these things… Well, I guess that’s the beauty of the insurance model, right? Is that their interest, which is to not pay out claims, actually does meet with the… It’s the same interest that the insured have to not be injured. Right? Whether it’s fire or automobile safety, right? We don’t want to get seriously injured in a car accident. We don’t want our houses or buildings to burn down. What the insurance industry is doing to… what they require to make those things less likely is good for both parties, and the same is true for the cyber insurance industry.

Kip Boyle: 

Now, from an-

Jake Bernstein:

It just took them a little longer to get there.

Kip Boyle: 

Yeah. Now, from an operational perspective, I want to also say that a loss prevention strategy, fantastic. Applause. Right? If I had a button that would make applause happen on this webcast, I would do that. But to say you have a loss prevention strategy, but not use MFA, that’s like saying we’re going to have lifeguards, but we’re not going to give them the safety gear that they need to pull swimmers out of the water. I mean, it just doesn’t compute for me. These things go together. We know they go together. So why would you tie one wrist to one ankle? I don’t get it. 

Jake Bernstein:

Everyone, I have to run, but maybe Chris and Kip will stick on for a few more questions. But please feel free to reach out if you’ve got additional questions.

Kip Boyle: 

Thanks, Jake.

Chris Brumfield: 

We’ll try to limp along without Jake.

Jake Bernstein: 

Bye-bye.

Kip Boyle:

Bye.

Chris Brumfield: 

Thanks. 

Kip Boyle: 

So Chris, what do you think about what I said or anything else about organizations going rogue on cyber insurance?

Chris Brumfield:

I think I would not want to have to stand in front of a board and explain why I didn’t think it was worth… Oftentimes, these policies, and I’m not quick to spend anyone’s money and I at one point had my own consulting contracting business so I’m very quick to look at everything with a critical lens, but I don’t want to stand in front of a board and explain why I thought I could save 0.001% of the annual revenue of the firm or even 1% of the firm’s income and then suffer a breach that then is multiple percentages of the firm’s annual revenue. That’s not including all of the additional headache that happens. Because these are not… 

Yeah, you’ll get made whole and they’ll bring you back to where you were. They’ll pay the extra expenses, but pay for your replacement of software, hardware, and/or repairing or recreating work you’ve done. But that doesn’t account for all the time that is invested in that. So you are having to effectively shift your focus off your clients and customers and you’re having to focus internally and nothing revenue generating. So that ends up having a large cost. You can say, yes, some of it’s going to be covered because of loss of income, which is covered. Right? Cyber policies. But if you’re having to shift internal staff off of other matters, it’s going to be really hard to document that [inaudible]. 

Kip Boyle:

I want to make a comment about the fact that this is a city, is another thing that I think is important, is cities have a different dynamic, right? It’s not so much about revenue generation. It’s about tax collection. They have a reputation, right? But when their reputation gets trashed because citizens’ personal information was compromised because they had a data breach, I mean, citizens can’t just decide, well, I’m not going to buy water and police services from the city anymore. It’s a little different. The dynamic is a little different. Cities are also used to self-insuring, right? Very large cities self-insure to a lot of risks that they’re facing either because they can’t get any insurance for it and it’s the only way that they can deal with that risk besides putting some controls in place. So I acknowledge that the dynamics are a little bit different there.

But let’s say this. How would the mayor feel if they were going to lose the next election because of a cyber breach that caused tremendous reputational damage to their administration because a lot of citizens had their sensitive information leaked onto the internet? I think perhaps that might be a good business case to present to the CIO. Anyway, that’s a thought.

Chris Brumfield: 

There is coverage on… These policies have coverage for PR. So if you find yourself squarely in the crosshairs of the media or the local media usually, because they will pick that up very quickly, then in addition to the CIO and/or the mayor or anyone else who is brought in, they will actually launch a PR campaign to help explain what happened and how it’s being addressed. That even makes the CIO look smarter because, hey, not only did I take these steps to prevent this from happening, but I also was prepared in the event that it didn’t go and it only cost X% to do so. 

Kip Boyle: 

So I think we’re out of time. I know folks need to get on to other things. We really appreciate the fact that you were here today. Please feel free to reach out to us afterwards if you have some additional questions or thoughts, if you’d like some clarifications. We’d be pleased to hear from you. So contact information is here on the slides. You can hit reply on the emails that we’ve sent out letting you know, hey, don’t miss the session. Yeah, we’re here to help. So thanks for being here. Melinda, what else do we need to say or do in order to wrap up?

Melinda Miller: 

Yeah, so we will send a recording out shortly after tomorrow just sharing the same recording with you if you would like to see it again. For all of the reporting, I saw that question come in. You can either report it yourself or if you would like us to do it, we just need your number and your first and last name, your WSBA number and your first and last name, and I will be able to report it for you.

Kip Boyle: 

Yeah. Oh, and one more thing. We do these free CLEs once a quarter. The next one is going to be December 15th at noon. Is that right, Melinda?

Melinda Miller: 

Yeah, that’s correct.

Kip Boyle: 

Great. So we’ll let you folks know what that’s going to look like content-wise and we’ll give you a heads up. We hope you will come back. I think that’s a wrap, right? 

Melinda Miller:

Yeah. Thank you so much, everyone, for being here.

Kip Boyle:

All right, everybody. Take care.

Chris Brumfield: 

Thank you.

Melinda Miller:

Bye. Thank you. 

YOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle serves as virtual chief information security officer for many customers, including a professional sports team and fast-growing FinTech and AdTech companies. Over the years, Kip has built teams by interviewing hundreds of cybersecurity professionals. And now, he’s sharing his insider’s perspective with you!

YOUR CO-HOST:

Jason Dion
Dion Training Solutions

Jason Dion is the lead instructor at Dion Training Solutions. Jason has been the Director of a Network and Security Operations Center and an Information Systems Officer for large organizations around the globe. He is an experienced hiring manager in the government and defense sectors.
