Personal Liability Cyber Breaches
Topics: cyber breaches personal liability, personal liability cyber breaches, Can You Be Personally Liable From A Breach, Cyber Security Land Mines, business leader liability in cyber security, who can be liable for cyber security handling, who can be from cyber security breach, who can be personally liable for cyber security handling, cyber security insurance land mines, can ceo be liable for cyber security handling, landmark lawsuits on cyber security liability, top mistakes in cyber security insurance, top risks in cyber security insurance, cyber insurance done right, how to obtain cyber insurance the right way, best ways to obtain cyber insurance, proper ways to obtain cyber insurance, osint in cyber security insurance, how to choose proper cyber security insurance, traps to avoid when buying cyber security insurance,
Keywords
cybersecurity insurance, liability in data breaches, changes in the insurance industry, AI impact on cyber insurance, accurate application process, personal liability for CEOs, regulatory scrutiny, SolarWinds breach, importance of cybersecurity, cyber insurance, cyber breach, risks, liabilities, cybersecurity measures, exclusions, coverage limitations, subject matter experts, cybersecurity roadmap
Summary
In this episode of Cybercrime Junkies, host David Mauro interviews Joseph Brunsman of the Brunsman Group, a thought leader in cybersecurity insurance. They discuss the liability in data breaches and the changes happening in the cybersecurity insurance industry. They also explore the impact of AI on cyber insurance and the importance of accurate application and underwriting processes. The conversation highlights the increasing scrutiny from regulators and the potential personal liability for CEOs and executives.
The episode concludes with a discussion on the SolarWinds breach and the need for businesses to take cybersecurity seriously. In this conversation, Dino Mauro and Joseph Brunsman discuss the importance of cyber insurance and the potential risks and liabilities that businesses face in the event of a cyber breach. They emphasize the need for businesses to proactively plan and implement cybersecurity measures to mitigate these risks. They also highlight the changing landscape of cyber insurance policies and the need for businesses to stay informed about exclusions and coverage limitations. The conversation concludes with the reminder that businesses should consult with subject matter experts and develop a comprehensive cybersecurity roadmap.
Sound Bites
- "The cyber insurance industry is going through significant changes."
- "Business owners are applying for a legal contract when they seek cybersecurity insurance."
- "CEOs and executives can face personal liability for data breaches."
- "Now you need to start worrying about cyber insurance"
- "You may not know that you have these exclusions until 14 days, seven days prior to your insurance renewal"
- "You're more likely to experience a cyber event. You're more likely to have your coverage denied by cyber insurer"
Chapters
- 00:00 Introduction to Cybersecurity Insurance
- 02:18 Changes in the Insurance Industry
- 06:11 Importance of Accurate Application Process
- 09:34 Personal Liability for CEOs and Executives
- 13:54 Regulatory Scrutiny and Enforcement Actions
- 19:40 Lessons from the SolarWinds Breach
- 26:25 Prioritizing Cybersecurity in Business
- 27:23 Addressing Legacy Hardware and Software Exclusions
- 35:05 Understanding the Limits of Cyber Insurance Coverage
- 43:20 Taking Proactive Steps to Mitigate Cyber Risks
Dino Mauro (00:02.926)
Come join us as we dive deeper behind the scenes of security and cybercrime today, interviewing top leaders from around the world and sharing true cybercrime stories to raise awareness. But first a huge thank you to all of our executive co -producers who subscribed to our Prime membership and fueled our growth. So please help us keep this going by subscribing for free to our YouTube channel and downloading our episodes on Apple or Spotify podcasts so we can continue to bring you more of what matters.
This is Cybercrime Junkies, and now the
Dino Mauro (00:50.666)
All right. Well, welcome everybody to Cybercrime Junkies. I'm your host, David Mauro in the studio today. I have the pleasure of speaking with Joseph Brunsman of the Brunsman Group, a thought leader in cybersecurity, one of the leaders in the cybersecurity insurance industry. And we're going to be discussing some cybersecurity insurance landmines today, some key cases that have been happening in litigation and overall get some great insight. Joseph.
Welcome to the studio again, my friend. Hey, thanks for having me back. Always fun to talk about stuff I nerd out on. absolutely. Yeah. And I absolutely welcome you back. You were with us for listeners and viewers that may not be aware like right in the beginning, like about a year ago when we first started. So we've got some upgrades in our equipment. So that's all good. So I'm really glad to have you here. you know,
One of the things that are top of mind that we hear about all the time are who's liable in some of these big data breaches, right? We see regulations, see investigations, we see fines being issued, there's notices of class action lawsuits, and the cybersecurity insurance industry, just like every industry within
insurance industry, right? Like all of the subsets, they really drive behavior a lot. so first, let's start from the beginning. Tell us what is, what are some of the bigger changes that have been happening in the insurance industry for cybersecurity? Yeah. So the cyber insurance industry, people have to understand is within a few years is going through the changes. What traditionally took probably about 40
for other insurance products to go through. Right. So great point. Great point. Exactly. So, know, if we go back to 10 years ago, 2013, right? What was the big deal? It wasn't not that big of a deal. So, and we've talked about this a lot of that has to do with the dark web, the productization, the formation, the organized crime element that has gotten involved in cyber crime and, just the large scale of
Dino Mauro (03:18.03)
attacks that are going on. Oh yeah. mean, who would have forecasted supply chain attacks 10 years ago? Not a thing. Who would have forecasted a triple extortion events? Exactly. Five years ago. Cyber espionage. Oh my goodness. Yeah. Yeah. It's getting crazy. And so the insurance market
They're not really sure. I think what to do about a lot of this. you know, now we have AI coming down the pike and people are asking me what impact is AI going to have on cyber insurance? And the answer is I have some ideas, but I don't really know. And I don't think anybody really knows until disaster strikes. And then it's going to become a problem. And then the insurance industry is going to start adding additional exclusions to the policy to try
deal somehow with this AI issue. Yeah, right now we're seeing some big changes that really actually make sense in the cyber insurance world. Do you want me get into some of the bigger ones? Well, we were on earlier, we talked about when you were on before we were talking about that, that one case, the ICT case in central Illinois where the manufacturer had
applied for cybersecurity insurance with travelers, hits or ICS, was ICS in travelers and had applied and answered one of the questions of the application that yes, we have multifactor authentication, but they didn't. They only had it on one server and the ransomware attack actually, you know, affected another component in their infrastructure. And then travelers had to rescind, revoke the contract. What, you know,
What changes have happened for business owners in applying for security insurance? So what we're seeing now, just in the pure application process, and I think we're going to see more changes on the policy side, but just on the application side, what we're seeing is really where I thought, guess somewhat naively, that the insurance industry should have been, you know, five, 10 years ago.
Dino Mauro (05:42.096)
and that is they're starting to ask very specific pointed questions. And so for the business owners out there, they have to start realizing, you know, they are applying effectively for a legal contract, which is what insurance is. Right. So if you're a business out there and your nephew is the company's it guy, that's just not going to cut it anymore. Like you have to
legitimate professionals because you know, frankly, say this with love in my heart as a former IT guy, the ability, think for a lay person who is probably world -class in some other industry, being able to accurately and adequately answer the questionnaires we're seeing coming out, the possibility it's just getting smaller and smaller and the odds that they, even in good faith,
answer something incorrectly, I think it's just getting way too high. And the risk there is obvious, right? The risk there is that if you don't answer those questions correctly, the risk isn't underwritten correctly. And therefore then they're going to wind up declining coverage when there's an event. Yeah, if you have a material representation, which would be kind of the official term, but if you just say something and you don't have that thing, all of these
policies, when a claim occurs, you have to assist the insurance company with that investigation. They're going to find that out. Right. And that is even that. that is not the day you want to be finding that out. Right. Like it's better to spend the time in the beginning and doing it right. Because on the day of boom or shortly after boom, when your files are turning white and, you know, clients
calling and things are just, it's all messed up. can't, you know, you've, you're dealing with cyber criminals extorting you. have to deal with that. have to like legal HR, all of the PR is involved, all of this. And that's the time when you have to be like figuring out you didn't fill out the application adequately. Right. That's a tough, it's a tough thing. And, and we have to think too that the travelers ICS case was
Dino Mauro (08:06.902)
a very kind of traditional insurance industry case, right? Where the insurance companies going, Hey, you lied on this application. Now, truthfully, to be fair to ICS, the application and questions that they were presented were pretty asinine. So broad that I think personally, I think the insurance guy had some culpability there that you can't send out questionnaires that contain the word, cetera.
Right. Unless you really know what they're getting at. so the application is just kind of the front end on the back end, right. You already kind of alluded to, we're already seeing, you know, increased activity from bad guys and novel ways that most business owners can't anticipate. Now we're seeing regulatory bodies really start taking a hard look. So we just saw solar winds. they just got slapped with another Wells notice.
So that's going, we could talk about that in a little more detail. Yeah. No, let's, let's, let's jump right in there. So, explain to the listeners what a Wells notices. All right. So Wells notice, and this is under the kind of broad umbrella of business owners can no longer barehead in the sand that goes for the entire C suite, right? It's if you have a hand in this,
you have to start taking this seriously. And I always recommend to business owners, please ask what you feel are stupid questions, right? Because I'm not an expert in your industry. not an expert in my industry. And so it is fair game to say, what does this mean? What are our obligations here? How does this actually play out? We could talk about some of the crazy. if, right? Like what if something like this happens? Would I be covered?
What if something like this happens when I be covered? Right. Yes. And so this Wells notice, the gist of a Wells notice is it's the sec it's a letter that comes from the sec and it says, Hey, our employees thinking we are going to bring an enforcement action against you. have an opportunity to respond. All right. Now notice of intent from the sec. Yeah. It's like a pre
Dino Mauro (10:31.566)
pre -litigation letter. Yes. Not a phone letter to receive, would imagine. No, no. And this is the second Wells notice letter that the SEC has written for listeners of this show. They should be aware that Wells notice got sent to pretty much all the top executives as well as the CISO, as well as the CFO. So not even the CFO is safe. Right? So the SEC is saying,
Hey, if you're an SEC registrant, we're taking this seriously. We're coming after you right now. Maybe the listener of this show is going, ah, we're a private company though. So we don't have anything to do with the sec. Maybe you're correct, but now the FTC is also bringing personal enforcement actions in case of Drizly, like the CEO that follows that guy for 10 years.
That was a really interesting case. The Drizzly case was interesting, right? So for those that don't know, Drizzly is a alcohol delivery service, right? And the FTC told the company that they have to implement all these security changes, right? All these rigorous changes. But also they told the CEO directly that, and I believe the CEO was pushed out of that role at that company.
or maybe still there, but they told the CEO that for the next 10 years or so, no matter where you go, you have all of these restrictions and anywhere you go, you have to have specific security standards implemented. It was a really shocking case, wasn't it? Yeah, it was. I think in the light of FTC Chairwoman Khan's disclosure on
Right. She effectively says, Hey, the days of CEOs failing up in her words are gone. So if you're the CEO of an organization, that organization experiences a breach. We can come after you personally and that consent orders follow you around. And probably the worst part of this for any executive is going. All right. Well, maybe I'm a CEO and I think I'm special, right? Which probably true CEO, right? You're a unique individual.
Dino Mauro (12:57.358)
You're not so unique that you do not compete against other people trying to get CEO jobs. There's only so many of you, but there's more than one. And so the board of directors of these other organizations, do you think that if you have the FTC breathing down your neck for a decade, that's all the reporting requirements. They can come in whenever they want. It doesn't even count the 20 or consent over against the company proper. No board of directors.
in my mind would take that right to say, we'll bring the government into our, into our boardroom. We'll bring them into our company. No business is going to want to do that. And so it was, it's effectively you either have hope you really enjoy your job or you're going to be flipping burgers. Right. So that, that's something that I think was in your words, truly shocking.
It was in that case and that that case was kind of egregious, wasn't it? Because what happened was the CEO was aware as well as other executives there of a data breach about two years before kind of notifying people of it. Was that it? lot of it. Sorry, keep going. No, I was. Please go ahead. Like from what I understand, it said the FTC says.
CEO Drizzly's CEO, James Corey Rellis, was alerted to a potential security incident two years before a data breach was exposed to the public, where it exposed personal information of 2 .5 million customers of the alcohol delivery service. And the FTC said, so egregious were Rellis's actions, according to the agency that
only will his company face a series of data privacy requirements, but Rellis himself will as well. he has to, anywhere that he goes, has to have a data protection program, and, a complete like information security program. And they listed out all of these different things that any company he has an interest in or owns in or serves in management in any capacity and has to serve. So that's unlike other
Dino Mauro (15:21.536)
Yes. I think business owners and executives need to understand that the broad scope of all of this is that the walls are closing in, whether it's the hackers, the regulators, the plaintiffs bar with class action claims. They're all coming for you. And it's something that if you, if you are not taking this threat seriously, if you don't have a plan of implementation, if you're skipping the QBRs with your
If you think this is somebody else's problem, all of these entities are saying, this is your problem and it's your personal problem. And we're going to keep enforcing that. it's, understand like right now the economy is hurting. We don't have unlimited money, right? Executives are sitting there. They're trying to weigh kind of all of these competing interests. And I understand, but the big dogs, the attorneys.
bad guys, they're all saying this has to be something top of mind, right? have all these new laws coming out, the new C disclosure laws. You know, the SEC coming after solar winds again, right? Where all it honestly takes, and this is on the class action claim side, this is a regulatory side, a company has one bad day. And then it turns into what I call the investigation death
documents start getting subpoenaed, right? You have an email from the CISO where it's, say I talked to the board, I talked to the CEO. I told him my security flaws. He told me to pound sand because we don't have money for it. That's going to pop up in court. And then your ship is sunk or you're a business. You sat at a QBR, your MSP said, Hey, you know what? I think these additional security controls are going to be useful for
right for XYZ reason, you told them, no, all right, well, what's the plaintiff's attorney going to say? You knew there was a problem and the plaintiff's attorney is going to say, but you're this greedy businessman and you cared more about your take on pay than the security of your customer's personal information. And so your guys got hit. Now you're going to pay. it's just whether that's right, wrong or otherwise, that's just the way the world's
Dino Mauro (17:47.093)
Right. So it's very similar to other class action suits and product liability, malpractice clay cases. I mean, look at like, you know, scaffolding incidents, you know, construction incidents, things like that. If you don't comply with certain regulations like OSHA or things like that, and you save money by not doing it, you are liable, right? You will be liable. Like there's, there's a, there's not a shortage of attorneys.
Right. And so what'll happen is they, they have power of subpoena. They will uncover everything. And then there's a, the right way and the wrong way of handling a breach, right? Trying to cover it up, doing things. If you're in a public company, like what we saw with Equifax, right? The Equifax breach, the executive team found out about it. And before we all found out about it, they were doing insider trading or allegedly doing insider trading. And so there's a whole host of things
Obviously one should not do, but it's very similar to knowing that a big accident happened, right? Well, before we tell the public that this huge accident happened or defective product, right? Before we tell the public of that, let's do these things in our personal interest against the interests of the customers. Yeah. mean, you know, the SEC, which is now coming after SolarWinds again,
All of this, think, got sparked off yet again because SolarWinds just settled this big class action claim following that event from, what was it, 2020, I think. Anyways, that - Yeah, we've had people on. had Robert Cioffi on who was one of the heads of one of the MSPs who had SolarWinds. And when that compromise occurred,
You know, all of his clients, described what it was like that day and just seeing his files and not being able to help the clients and all of that. was, it was very moving. It was tragic actually. Now, now put that in light of, I have it right here. 10 former employees of SolarWinds stated that SolarWinds did not employ the cybersecurity measures they purported to have, including that no security team, no security information policy.
Dino Mauro (20:09.623)
no password policy, no security awareness training, no network segmentation. And the court held that CEO quote acted with at least severe recklessness when he touted the security measures implemented at SolarWinds. So there was also the stock trading issue at SolarWinds, if you recall, where allegedly, allegedly they didn't know.
but the CEO sold like 20 million and the two, think private equity, venture capital guys sold 260 million. Uh, but a few days before it came out in the press, between the time of the incident, the not the, the general technology awareness of the incident and the public disclosure. Shocking. God, what great timing, right? Like they didn't know who would have known. Um, yeah, you know, all of this just points to businesses.
have to start getting into this, right? Like I see a lot of firms out there where you have the big cheese running the ship. and he goes, I'm really good at engineering or accounting or manufacturing or insert whatever in the blank. I don't know a damn thing about cybersecurity and this field is so complex and it's so overwhelming. I can't even begin to understand it. So I have only got a couple left, a couple of years left.
the next guy's right? The world is saying it's not the next guy's problem. It's still your problem. It's matter of good faith, isn't it? I isn't there a good, mean, there are affirmative defenses that can be raised to some of these class action claims, right? Like if they have real -time detection, they have certain, you know, they look at the NIST standards or the SIS controls, or they look at
rules and guidelines out there and they're doing some of them or most of them, right? I mean, sometimes the threat actors are still going to get in, but a lot of it looks, I mean, I think from what I've seen is the investigations and the class action suits are really looking at egregious behavior, right? Like this was brought to your attention. You said no, because you didn't want to spend the money there, right?
Dino Mauro (22:34.729)
And when that occurs, then you're not even doing best practices, right? But, but for an organization that's doing best practices and then just succumbs to a advanced persistent threat or a, or a threat actor, there may be some liability, but it's, it's not necessarily going to pierce that veil. Is it? mean, is it, what are you saying? Yeah. So I'll tell you a, an illustrative story.
I have the benefit of being the dumb insurance guy in the room at every conference. I'm one of the dumb technology guys. So I just get to sit in the room and go, yeah, we can, we can provide one of these layers and then just listen in as, as people commit complete negligence in the managing of their brands. So one of these conferences that I was speaking at, brought me into speak and I'm sitting in the speaker's room. You know, and I see a guy who was just dressed to the nines.
So I asked him, I'm like, Hey, what do you do? And he goes, I'm an attorney. And I was like, flavor of attorney are you? Exactly. And we were all attorneys, like everybody and their brother is an attorney. So he goes, I bring class action claims after data breaches. And I was like, really? I was like, Hey, I'm just the insurance guy. I was like, what, what is that silver bullet that you look
And he goes, stupid easy. goes every time he goes, we bring a class action claim. We subpoena the internal documentation of whoever's in charge of security. look for a couple of keywords. get right to the email where it says I presented and this happened in the solar winds case. and the guy actually quit in protest, but he goes every time he had presented to the executives, I presented to the
These are the flaws that we have in our cyber security. These are the most egregious things we need to deal with right now. You know, we're not secure. They told me to pound sand because they don't have money for it. We're definitely going to get hit. They know it. They just don't care. Right. Some internal communication. goes every time we get that. Yeah. So then I asked him, I was like, what is it you would hate to see as a plaintiff's bar attorney trying to bring a class action
Dino Mauro (24:57.175)
So he sat there for a second. goes, I've never seen it. And his words, he goes, because they're too dumb and greedy. Once again, those were his words. But he goes, if I got in there and this company goes, yeah, we knew we weren't perfect, but the executive team had sat down right with the say our MSP or sizzle, whoever we worked out a plan of implementation.
Right. Okay. These are the, these are the vulnerabilities we have layers of security, right? Layers of security to kind of detect, defend, et cetera. And then some incident response planning about what happens, a tabletop exercise, something like that in case something happens, they're kind of doing everything they can do. Right. Yeah. Right. So if you're sitting there, you're going, weren't intentionally being negligent or grossly negligent or overly reckless. Like we had budgetary constraints.
So we sat down and we said, all right, how do we start eating this elephant? One bite at a time. Two months from now, we're going to implement this. Six months from now, we'll have the budget for that. Two years from now, we're going to have the budget for this. Right. Obviously you have to keep up to date with that. It's not a one -time deal, but because that would sink the ship right there. Exactly. And, or at a minimum, it would sink it from a hundred million dollar class action case to a $50 million or a 25. Like it would.
it would give you so many defenses that it's reasonably great negotiating leverage. certainly, certainly. that's all of this is within light of, think companies need to start doing that anyway, even if they're not care, if they don't care whatsoever about regulatory bodies, whether it's the state attorneys general or it's federal regulators or it's the bad guys coming after
right? Or the plaintiff's part. The SEC, the SEC fines and the FTC fines are going to be pennies on the dollar to what they're ultimately going to wind up paying. Right. absolutely. Even if they ignore that part, just think of the overall exposure and what defense will you have when it does happen? And you're correct. And I would say, let's say there's a business owner out there and he goes,
Dino Mauro (27:23.845)
I'm not worried about any of that. Right. Well, now you need to start worrying about cyber insurance because as you alluded to previously, cyber insurance is tired of just throwing hundreds of millions, billions of dollars out the door. So those policies, they are a changing, right? So the application is just kind of the front end. What is your, and not so bad in the public eye.
Cause it may not even get litigated like travelers versus ICS did. Well, you add exclusions to the cyber policy. Now who is reading that cyber policy? Well, I'm a nerd. So I read them and it's what I do. But the general rule there is the insurance guy, absent special circumstances, probably doesn't have to read it. Probably doesn't have to explain what's in it. Doesn't have to tell you about any alternatives that are out there. The business owner, they're not reading
maybe the MSP has taken a look, right. In very specific circumstances, but what we're seeing are things that entirely make sense from the perspective that business owners have to plan ahead for because there are exclusions coming. either a already have them on your policy. You just don't know it. Nobody told you and you didn't read it or B they're coming at your next renewal or in the near future.
And you may not know that you have these exclusions until 14 days, seven days prior to your insurance renewal. So some of those that I think business owners really need to start honing in on great example, legacy hardware and software exclusions. Right? So let's say you're a, you're a medical practice. You have some MRI running on windows 2000 or whatever.
Well, is that supported or not? Is it part of your network or not? Are you going to buy a new MRI machine to avoid that exclusion? Those things are crazy expensive. Probably not. So now it's, you can't expect your IT folks, your MSP to suddenly just isolate something from your network in five minutes. Right. It's, just not that simple. So you need the lead time to do it. So is that exclusion going to be in your next policy?
Dino Mauro (29:49.301)
I don't know. don't know your business, but if you just plan for it ahead of time, it won't be a big deal. Another one, like the legacy software, right? How many businesses don't even know what software they're using or at every QBR with their MSP, they're like, Hey, the software is out of date. It's not supported. We don't deal with this. It's in our MSA. It's in our contract. And the business owner goes, well, it's still working. we'll just keep using
Exactly. Right. Or that could potentially expose them to liability should because it's not supported. There's no patching. So once those vulnerabilities are known, there's no fix for it. So threat actors are getting right in. Yeah. So it's, it's a double whammy. You're more likely to experience a cyber event. You're more likely to have your coverage denied by cyber insurer, right? Because a cyber insurer, think about it. If you went, Hey, I have this great expensive
There's no locks on the doors. What insurance company is going to ensure that they're not right. Then you have to worry about, well, if that comes out in a class action claim that you were or regulatory action that you're using knowingly using software that's no longer supported and has, I mean, the business owner wouldn't know it, but just go online. You'll see all of these known vulnerabilities in the software.
how would you sit there as a business owner or as an executive in that organization and say, we promise we weren't being negligent. We just knowingly use this piece of software where there was a readily available alternative that was more secure that would have kept our clients information more secure. We just didn't do it because that costs money, right? That is not going to be a good defense. We're seeing other occlusion.
things that business owners would have literally no insight on critical vulnerability exclusions. So what's that? Well, manufacturers put them out there. MITRE has this giant running list of critical vulnerabilities. The one of these are known, known things, known vulnerabilities that expose an organization to threat actors.
Dino Mauro (32:12.543)
And they're sold by IABs like initial access brokers on the dark web for ransomware gangs and cyber crime gangs to attack. Exactly. Right. So at least as the insurance policy is concerned, the one that comes to mind is they said, Hey, if this is a CVSS of eight or greater for the CVE, which is nonsense to any non -technical person, which should scare the average business owner.
You have 14 days to implement the patch after it comes out. Now that's something where, yeah, the CEO could be held personally responsible for that because if he's on record is saying, let's say it's a large accounting firm and he goes during tax season, you don't change anything on our network. No exceptions. Don't even ask this big critical vulnerability comes
Right. It guys go, the boss man said, nothing gets changed. Then you get your toast. Right. The attorneys are going to crucify you. The insurance company can try coverage. And all of this is this, let's say you get away with all of it, right? You don't get sued. The insurance pays out. You didn't have the exclusion. Well, guess what? Now it's your next renewal. You're going to have to justify.
what you've done to avoid a similar event occurring anyways. So you're going to spend the money one way or another. It's just a matter of, I just tell business owners, go, Hey, my grandfather once told me, he goes, how do you know if someone is being truthful? Like what is the most foundational metric you can use? And the most foundational metric you can use. I think this is true. My grandfather was a wise guy. He goes,
If it's against someone's best interest and they're still telling you, so that's where I'm coming from. Hey, you don't want to update your network. You want to keep having breaches. I'm going to make a ton of money if you can eventually even get insurance. So take it from the guy who goes, Hey, the better your controls are, the lower your premium is going to be both in the future, the less likely you are going to have a breach.
Dino Mauro (34:35.679)
And on and on. then the less exposed, the lower exposure you would have in the event that you do have a breach. Exactly. Exactly. So take it from me. I'm the guy saying. So high level, let's back up just a quick second. High level cybersecurity insurance, a standard plan, the things that it covers, not everybody even understands exactly what it all covers. It covers the duty to defend broader than the duty to indemnify still in those policies. Right? So it means you get a lawyer.
right, to defend you in cases. They'll pay for the lawyer. They'll pay for the judgment, but they won't pay for the full judgment in like a class action suit. Will they? Or will they be on the hook for that? So it depends. And this is where companies have to start being very
economical is maybe the best way to put it, or they have to start thinking about just the, the dollar figures involved. So I wrote an article for journal of accountancy or CPA journal, something like that 2019. I went through every class action claim and I was like, Hey, if you're not a billion dollar company that lost like 200 ,000 records, you're good. Well that's gone. now it's going against, we're seeing class action claims against even much smaller organizations. And so
It's difficult to determine what the metrics are. The best I've heard is about 300, 350 ,000 for defense and about 600 to 650 ,000. This is just for a small business. about 600, 650 ,000 for damages awarded. That's a million bucks out the door. But we also have to think if you're a small medium sized business, well, how big is your cyber policy? Because if you're getting hit with a class action claim, it's not going to be.
It's not going to be 650 grand. It's not going to be 500 grand. Right. But we have to think you already had to pay for the ransomware event or the data breach or whatever that situation was. Yeah, that costs money. Now you got to go to court. And as we're seeing now, right. So you have those big class action claims. That's almost a million bucks right there. Now you have to think, all right, well, now the regulators, as we saw in this SEC Wells notice against solar winds,
Dino Mauro (36:57.781)
Now they're taking the information from those class action claims to bring regulatory issues to your door. Right. So it just like keeps compound compounding and compounding. And the easy answer is sit down with your MSP, sit down with your IT folks. You know, how do you eat an elephant one bite at a time? Right. It's yeah. those QBRs, attend those quarterly business reviews and take, take the advice that
subject matter experts are providing. Yeah. Because you can always use that as an, as a defense to lower that amount. Yes. I think that's going to be material in a defense. I would say, many MSPs have I talked to that go, we never have anybody show up at the QBR or they've pushed that. They've pushed that back for years. It's like, well, are you under the new FTC safeguards rule?
you're going to need to document as a business owner that you were there. Right. So there's, there's, the people that are listening to this, if they go, I don't even know what the FTC safe roads rule is. I've never even heard of a Wells notice. Good. Let's, let's, yeah, let's explain what, is the, so the FTC will have, they're a con they will enforce unfair business practices or consumer protection, right? Against private companies.
Yes. And they've, yep. Big companies, small companies, billion dollar companies, individuals, everybody. And all of that information, while it is not public, that investigation is in public. the findings and the evidence can be used in a civil proceeding. I would imagine. Well, the, so the FTC complaint that's going to become public.
So all your dirty laundry is going they're under investigation is public for sure. Yeah. So I would say, you know, generally they're going to come in when they see something really egregious and this, so the FTC, the new safeguards rule, I mean, there's a bunch of ways this could play out. There's a bunch of regulatory bodies that deal with Grambling, Bliley act that falls under this, but FTC is dealing with, financial institutions with the new safeguard rule, right?
Dino Mauro (39:20.001)
That doesn't just mean if you're a business owner watching this, you're like, I'm not a bank. don't care. No, that's not who it is. They've gone after, blood testing companies. They've gone after, auto dealerships, right? Cause they said, the information you have your financial institution under the law. So it doesn't matter how the business owner classified business or even how somebody else classifies their business. It's how the FTC classifies your business.
And so, you know, whether it's a class action claim and then the FTC gets involved or the FTC gets involved, that opens up avenue for discovery for a class action claim. I mean, it's just bad news all around when the answer is so simple. it's so simple. do reasonable efforts, right? I mean, just, just basic best practices, just kind of, you know, allocate the, because it's,
it's a fraction of what you'll ultimately have to pay, right? Oftentimes these, these standards or these systems of these layers of security are pennies on the dollar to what you're going to be exposed to. And yeah, you know, and breaches are in the news every day. So the odds of it happening are always increasing. Yeah. I think that,
think the metric was something like 60 % of companies increased prices after a cyber event because they have to pay for all these additional controls, et cetera. Plus, if you get hit with an FTC consent order, not even counting the individual craziness that would befall you, but the consent order against the company, that's a 20 year consent order. And it changes the technology. That's not insurable.
Insurance companies aren't going to pay for the next 20 years for all the stuff you got to do. Right. That's just not happened. And then you got to start thinking, all right, well, let's say I need to bring in an MSP. I touch the stove. It's hot. I don't know what this stuff means. I need a subject matter expert. Well, now you got to think what's that guy going to charge you when he Googles your name and he finds out, Oh, this guy's under a consent
Dino Mauro (41:45.793)
Well, if I was an MSP, I'm going to say, I'm charging you minimum three, four times the going rate because now my liability exposure when you have the federal government poking around all the time is astronomical. So, then, then there's the Drizzly case that we were talking about earlier where the CEO personally anywhere that he goes now has, has all these restrictions
And for people listening, the way that that personal consent order was written,
I reasonably believe that could just as easily apply to a CIO, CISO, CFO, if you're a public company and you have to report on the effectiveness of your internal controls, all of that, right? It could very easily befall anybody within the C -suite. So it's something where there's all these moving parts and the easiest answer
Just sit down, figure out where we at, where do we need to go? Have a plan on how to get there, right? Make sure the CFO is there so you can fund it. Right. It's, it's, it's really, I don't want to say it's that simple, but that's, that's how all this begins. Right. As you go, all right. I have to be, I have to put my pride on the shelf and say, this is something I fundamentally don't understand because it's probably too complex.
really for any one person to truly understand. so like any other problem in business, what do you do? And it's a big problem. All right, I'm going to need legal here. I'm going to need IT. I'm going to need finance. I'm going need all these folks sit down together. Yeah. The, the, wisdom always bubbles to the top, right? You're always brighter collectively than any one individual. Yeah. precisely. That's, that's really interesting. So what,
Dino Mauro (43:49.581)
What happens in a scenario when the cybersecurity insurance isn't enough? Let's say somebody gets a million dollar policy, but they get hit with a lawsuit for class action, or even if it's not a class action, it's just a data breach lawsuit. What happens if it's a $3 million lawsuit? Is the business liable for the excess? It starts funny. I was actually just...
I was in Dallas. I was presenting at this big MSP conference and I was sitting down with some attorneys and we were trying to hash this out, right? Like what would actually happen? Yeah. And it's very fact pattern dependent, to sound like an attorney. I'm sorry for a little while, but no, because oftentimes they'll, they'll just settle within the policy limits. And sometimes they're not going to, if the organization is in a position to pay.
Is that a fair statement? I mean, it depends. the insurance company generally I'll say has a legal obligation to settle within limits. But if you start, if you have a data breach and you have regulatory issues at the same time you're dealing with class action claim, you know, I don't, I can't imagine how court to deal with that, but I know that the attorneys I was talking to, right? The insurance company is going to throw their hands up and they're going to say, yo, we had a contract
X million. You blew through that. We're out. Right. End of story. Has that point these attorneys I was speaking to, you know, their point was, you know, piercing the corporate veil could be difficult. but it depends, right? Because if the executives were acting in a, you know, grossly negligent fashion and that's in the documentation,
And that guy's got a summer home or, know, he's got a home and wherever, right? They said, they're like, yeah, you know, if they acted so far outside the bounds, if they were just sitting there with their blinders on and they're like, that's the next guy's problem. I'm not going to deal with this. Then he's like, yeah, they'll go after now the actual mechanics of that. I'm not a litigation attorney. I'm not a plaintiff's bar guy.
Dino Mauro (46:12.191)
I try to sit with the good guys and help everybody out beforehand. but you know, to boil it all down, would say the same thing. I tell all my clients, which is you only want to talk to me once a year when I'm taking your money. Like that, that's a good year. If we're talking twice in a year, you're having a really bad day. And unlike all the other types of claims we deal with, when it comes to suck claims,
It is the wild West. Like I can't forecast with any amount of rational certainty what's actually going to happen because maybe you just had five records that belong and there were residents of some other state you don't belong in and that state attorney general, goes, Hey, you know what? I'm going to run for Congress next year. How am going to do that? protections.
Right. Well, and there's several states that have bolstered privacy laws, right? There's several states and a lot of them are taking you in and you may have clients that you didn't even really were aware of as a leader that those laws there would apply. there's quite a bit of exposure there. That's really good. A great example is Massachusetts.
that breach notification law and the data security requirements built into it, like 18 different administrative, technical and physical safeguards applies to any resident of Commonwealth of Massachusetts. So maybe you're a dental office and you just had someone on vacation, they had a dental emergency. Now you have their record and that gets breached. Well, God bless you. You might have to deal with all that craziness
or you're an accounting firm next to a military base, right? And just on and on and on. And what's, what's the easy answer to all of this? It's sit down, figure out where you are, where you need to go, how you're going to fund it to get there. That's the easy answer. Either way I tell companies, I'm like, Hey, take it from me. You're either going to increase your security the easy way or the hard way, right? The easy way is plan of implementation.
Dino Mauro (48:34.829)
The hard way is class action claims, regulatory issues after a breach, insurance requirements, et cetera, consent orders, right? it's, it's just where the world is going. It's where it's headed. It's probably where we should have been honestly, 10 years ago. Yeah. I would agree. So what, uh, so we'll have links to, uh, to your insurance practice in the show notes. Um, I will tell you people, if you can engage
Joseph Brunsman, there's a wealth of insight and knowledge that you provide and really appreciate you stopping by the studio. I mean, this is just always insightful. There's always going to be great stories to talk about and it is the Wild West right now. So we're going to see a lot of big changes in the year to come. So what if you're going to leave the audience with any
Words of wisdom, Joseph, what would they be? words of wisdom. I thought I would just tee it up. Like, what would you guide a business owner to do? Sit down with the, sit down with the MSP, lean in a little, listen more. Yeah. So I'd say words of wisdom. One, do Brazilian jujitsu. It'll change your life. Yes, I hear. But two, as it pertains to this
You have to start somewhere. Right. And I promise you, if you're sitting out with all the executives, you're the big cheese and you're going, Hey, you know what? I'm the guy in charge. I can't be the guy that looks like I don't know what's going on. You have already failed and you are setting yourself up for disaster. So if you don't, if you don't know what EDR, MDR, XDR, what a firewall does, what NIST CSF or ISO 2700, et cetera, et
None of us except right, but we're going to talk about it and we don't want to insult your intelligence. But if you don't know, just ask. And when they make suggestions on what to do with those, right, take those into consideration because declining those things could result in liability later. Exactly. And it's something where I think all of us are responsible parties. We know, yeah, your business
Dino Mauro (51:01.761)
doesn't have unlimited resources. like, yeah, you need insurance. That's just part of it. Right. need defense in depth. That's going to be part of it. You need, you know, all the internal administrative controls that's going to be part of it too. it's not just even though CEOs are being held responsible. It's, it's really, takes the whole team to get there. And I promise you all the other people on your team know no more than you do about this topic. And
any other issue you would have in your business, bringing the subject matter experts. As you could probably tell, I love this stuff more than I probably want to admit to my wife. I was nerd out on this way before it was cool. And so there's plenty of us out there, right? That are super passionate about this, that want to help you, that will help drive towards that ultimate solution. So just figure out where am I at? Where do I need to go? How do I get
Easy to develop that roadmap with your subject matter experts. Excellent. Well, thank you so much. Really appreciate it, buddy. We will. We will talk to soon again. Thanks. See you. right. Sounds good. Thanks.
Dino Mauro (52:20.973)
Well, that wraps this up. Thanks for joining everybody. Hope you got value out of digging deeper behind the scenes of security and cybercrime today. Please don't forget to help keep this going by subscribing free to our YouTube channel at Cybercrime Junkies podcast and download and enjoy all of our past episodes on Apple and Spotify podcasts so we can continue to bring you more of what matters. This is Cybercrime Junkies and we thank you for joining
