Tech Refactored

S2E36 - Cybersecurity and Insuring Your Everyday Life

April 15, 2022 Season 2 Episode 36

Every day it seems cybersecurity is in the news. From data breaches to ransomware to national security, these incidents have become a feature of everyday life. And they affect everything from individuals and small businesses to nation-state actors. On this episode we're joined by Asaf Lubin to help us understand the challenges of cybersecurity generally and, in particular, the role of cybersecurity insurance in addressing some of these concerns.

Asaf is an Associate Professor of Law at Indiana University Maurer School of Law and a Fellow at IU’s Center for Applied Cybersecurity Research. His research includes the regulation of cybersecurity harms, liabilities, and insurance as well as policy design around governmental and corporate surveillance, data protection, and internet governance.

Disclaimer: This transcript is auto-generated and has not been thoroughly reviewed for completeness or accuracy.

[00:00:00] Gus Herwitz: This is Tech Refactored. I'm your host Gus Herwitz, the Menard Director of the Nebraska Governance and Technology Center at the University of Nebraska. Every day it seems that cybersecurity is in the news, from data breaches to ransomware to national security concerns. These incidents have become a feature of everyday life, and they affect everything and everyone from individuals and small businesses to large multinational corporations and even nation states themselves.

Today we're joined by Asaf Lubin to help us understand the challenges of cybersecurity generally, and in particular to [00:01:00] think about the role that cybersecurity insurance might play in addressing some of these concerns. Asaf is an associate professor of law at Indiana University Maurer School of Law and a fellow at the Center for Applied Cybersecurity Research.

His research includes the regulation of cybersecurity harms, liabilities, and insurance, as well as policy design around governmental and corporate surveillance, data protection, and internet governance. Asaf, welcome to Tech Refactored.

[00:01:30] Asaf Lubin: Thank you so much for having me, I'm delighted to be here. 

[00:01:33] Gus Herwitz: So I'd like to start with a bit of a puzzle of a question, perhaps. When I talk to people about cybersecurity and how to improve cybersecurity, and even the fact that I teach cybersecurity at a law school, very frequently the response is: isn't cybersecurity a technical issue? So I wonder if I could just start by asking, what is cybersecurity law and policy, and aren't [00:02:00] these just purely technological issues?

[00:02:02] Asaf Lubin: Yeah, I think that's a great question. The reality is that the last decade or two have introduced an array of cybersecurity-related regulation.

Those take the form of either administrative regulation through agencies like the FTC or SEC. They might take the form of private litigation, data breach class action suits, or action through contract. And so over time there's now a body of law that we might call cybersecurity law that tries to give a comprehensive answer to some of the same questions that we're seeing across different...

[00:02:41] Gus Herwitz: So let's dive into that a little bit. You started your response there by mentioning administrative agencies like the FTC. What is the role of these agencies, and what are some of the agencies involved in this space?

[00:02:58] Asaf Lubin: Yeah, [00:03:00] take the SEC. The SEC's role is in part to regulate the markets and to ensure that markets are run effectively.

And in the age of cybersecurity, as you just demonstrated in your introduction, companies are subject to all kinds of data breaches and ransomware attacks. And as a result of that, there is an expectation that an agency like the SEC, the Securities and Exchange Commission, will be able to regulate these markets in this area.

So for example, in 2018 they introduced a guidance to these companies on how they effectively disclose cybersecurity incidents to their investors. And we're still seeing all kinds of companies doing a bad job at disclosing these incidents despite the guidance, which leads to enforcement actions by the SEC against them.

[00:03:48] Gus Herwitz: So the idea there is the Securities and Exchange Commission, the SEC, they're really focused on protecting investors. I don't want to invest in a company that [00:04:00] has experienced a material data breach, or that has bad cybersecurity practices. So the SEC is making those companies disclose that information, and more broadly, by doing that, that hopefully will improve the overall investment in cybersecurity that these companies have.

[00:04:19] Asaf Lubin: Yeah, and I actually believe in security by disclosure. That is to say, I think that markets can evolve more effectively, and consumers, regulators, legislators can understand the evolution of cybersecurity threats, liabilities, technologies in a more effective way if we have better information that is flowing across the markets and into the hands of both individual consumers but sophisticated elites as well.

[00:04:48] Gus Herwitz: So why is that sort of disclosure so important? We read the news. This is how I started: every day I open the newspaper or go to my [00:05:00] newspaper.com and read the newspaper online, and I see cybersecurity stories. I know, we all know these are issues. What does it matter if companies are disclosing information about what they're doing or incidents that they experience?

[00:05:15] Asaf Lubin: Think of ransomware attacks as one example. If we are all concerned about the rise, the wave of cybersecurity attacks like ransomware, which have now reached a point that there's one ransomware attack every four seconds across the globe, if that's a concern to us, then the only way for law enforcement to take a role in enforcing against this concern is if they're aware of these cybersecurity breaches when they take place, and they have a better grasp of the magnitude and nature of these attacks.

If companies, for reputational reasons, are not disclosing information when they're attacked, the concern is that lack of information would result in lack of enforcement, and so [00:06:00] that's on the law enforcement side. But the same is also true on the investor's side. So the ability of the markets to self-regulate in order to ensure that those who do a good job at cybersecurity are rewarded for their good cybersecurity practice.

[00:06:14] Gus Herwitz: So there's a mantra out there. I'd like to get your take on this mantra and then ask a follow-up question. The mantra is, there are two types of companies out there: those that have been attacked and those that don't know that they've been attacked, or breached, or whatever cybersecurity incident terminology that you want to put in there.

The idea is that everyone gets attacked, or their servers get compromised, or whatnot nowadays. First, I'd like to ask whether you think that that is still the case; that saying is a couple of years old at this point. And then the second follow-up question is, assuming that it's at least somewhat true, is it a [00:07:00] blameworthy sort of thing?

If someone, if a company's systems are compromised, is it the sort of thing that a company should really feel embarrassed about, or investors should be concerned about, if a company discloses: we suffered a data breach, we had this bad cybersecurity thing happen to us?

[00:07:20] Asaf Lubin: Yeah, so cybersecurity is a risk. It's just like any other risk. That is to say, the risks can materialize. Risks often materialize. But cybersecurity as a broader process is one that merits thinking within the company that goes beyond the likelihood of risk materializing. That is to say, what are you doing to both mitigate losses once the risk actually materializes and to prevent it to the extent that you can?

And where companies should be embarrassed is when they don't employ even the most basic cybersecurity measures, like, say, end-to-end encryption or two-factor authentication, or things that we've [00:08:00] now come to take as basic security controls. If they don't employ that, they should be called out, and enforcement issues...

[00:08:06] Gus Herwitz: So speaking of enforcement, and returning back to the earlier part of the discussion, we've said a little bit about administrative agencies and the administrative state. The FTC enforces something called Gramm-Leach-Bliley, which is a law that deals with financial institutions, and actually several agencies enforce that law.

The Department of Health and Human Services does HIPAA-related enforcement. That is the Health Insurance Portability and Accountability Act. There are two A's, one P, for listeners who might be confused about that. So there are a lot of administrative agencies, but you also had mentioned private law mechanisms or institutions.

What's the role? What are private law institutions here, and what's their role in the cybersecurity landscape? [00:09:00]

[00:09:01] Asaf Lubin: Yeah. And the answer is that to some extent, because of the overt involvement of federal administrative agencies operating through sectoral regulation on the federal level, the role of private common law-based regulation of cybersecurity is one that is kind of growing and subject to an e...

Think tort law: how do we conceptualize cybersecurity negligence? What are duties of care in this space? It is a hard question to answer, in part because of certain restrictions on standing grounds that plaintiffs have when coming before these courts. They need to articulate some form of material, particular harm, in part under Article III of our Constitution, which has been adopted in other state constitutions. So states adopt similar standing requirements, and so many times that there's a data breach, these plaintiffs have a [00:10:00] hard time demonstrating what that particularized harm is that they suffered.

And as a result, many of these cases get dismissed, and there's not as much of an evolution of a common law in state courts as there is a common law of the FTC.

[00:10:14] Gus Herwitz: Mm-hmm. So for listeners who may not be familiar with this idea, the idea of standing means that courts won't hear cases unless there's something that they can actually do about it if the plaintiff wins.

So, Asaf, you look at me funny and it hurts my feelings. I can't sue you and have the court say, Asaf, you are mean to Gus, you need to do something. There needs to be some concrete harm there. And with things like data breaches and a lot of cybersecurity incidents, it's clear that something went wrong, something bad might have happened, but it's unclear frequently what the actual harm is that a court could do something about.

So the courts have [00:11:00] been reluctant to get involved in these cases. Is that basically...

[00:11:07] Asaf Lubin: That's exactly right. And so that's been an area ripe for scholarship in the last few years. Danielle Citron and many of our colleagues have written about privacy harms and tried to provide courts some guidance on how to be able to still treat these evolving harms as something that we can consider as particularized, despite Supreme Court guidance like the one in TransUnion.

[00:11:34] Gus Herwitz: So clearly, if I hack into someone's computer, though, I've done something problematic. So if I hack into Google's systems or NASA's systems and steal information, or I hack into critical infrastructure and cause a generator to overheat and need to be repaired or replaced, have I violated a law when I do that? [00:12:00]

[00:12:02] Asaf Lubin: Yeah, so we have a whole body of criminal statutes that might try and regulate this: the Computer Fraud and Abuse Act, or various kinds of state law, and damage under the CFAA, where in parts the conceptualization of damage is some kind of an impairment over the integrity of the data. So say I only take a copy of the data, but you still have full access.

Is that an impairment on integrity? These are the kinds of debates that we have, even in the criminal context, that are making it difficult for prosecutors, just as much as in the private sector, to be able to bring claims.

[00:12:38] Gus Herwitz: A related topic, especially with the CFAA, is if I hack into someone's systems and one of the things that they claim as damage is that they need to do some investigation to find out if I caused any damage, and they need to upgrade their security to be better. [00:13:00]

Well, is that actually damage, when they had to upgrade their security? That's something they already should have done. So how do we actually attribute their response to an attack in the context of assessing damages there?

[00:13:19] Asaf Lubin: Yeah, and I should say that also manifests in the private litigation under the CFAA.

So for example, a recent complaint that was just filed by the EFF against DarkMatter, a cyber surveillance tech company. One of the allegations there is that that surveillance company assisted the UAE in surveilling a human rights activist. And the activist, one of her claims for damages, is the fact that she had her house... had to change phones. So again, we're kind of coming up against the same definitions here. Is this the kind of damage to see?

[00:13:51] Gus Herwitz: So at some level, one of the questions in this entire area seems to be: who's [00:14:00] responsible when bad things happen? And I guess this goes back to, you said cybersecurity is about risk management. With risk management...

Do we blame the crack in the sidewalk when you trip over it? Or should you have been paying attention and been careful about where you're walking and how you're walking? Well, it was someone's responsibility to maintain the sidewalk. So is it their responsibility for not having maintained the sidewalk? Figuring out how we're going to say, or who we're going to say, should have been there in the first place avoiding these harms, even when there might be a bad actor involved, gets drawn up into the analysis. Yeah.

[00:14:42] Asaf Lubin: I'd say even more broadly that the nature of cybersecurity risks are particularly the kind that merits broader thinking, thinking that really incorporates a public-private partnership.

That is to say that the entities that best [00:15:00] understand certain elements of this risk are the kind that possess information that the general public doesn't have access to. Right? When you think about cybersecurity as a national security risk, can we really expect multi-med businesses to have an understanding of this evolving risk if they don't have the access to resources or capacities to be able to understand it?

And so there's kind of a whole-array or holistic approach, a way of thinking about cybersecurity, which requires us to understand this as a multi-layered risk that merits the involvement of a whole assortment of multi-state... Yeah.

[00:15:37] Gus Herwitz: Can you say a bit more about the national security and even the international law, law of armed conflict level concerns in cybersecurity? We've been talking about cybersecurity kind of as: I'm a company and I get hacked, or I'm a customer of a company and my data has been breached. It turns out that [00:16:00] if I experience a ransomware attack, that might have been caused by a group of hackers from Russia who kind of have some light affiliation with the Russian government, or some affiliations like that.

What... how does the domestic relate to the national and international here?

[00:16:21] Asaf Lubin: I can't help but note the fact that we're having this discussion in the wake of a Russian invasion, a territorial invasion into Ukraine. And what I think cybersecurity risks on the international level demonstrate is that governments now have capacities to engage in a whole array of activity below the obvious threshold of physical manifestations of violence, and still cause significant economic, social, and cultural harms in various societies. It is precisely for that reason that the UN has been involved for many years [00:17:00] now in various efforts to set norms for good cybersecurity behavior. That includes the Group of Governmental Experts, the UN GGE, and the Open-Ended Working Group, the UN OEWG.

All of these bodies are trying to set norms for what would be acceptable, unacceptable behavior. So for example, can you engage in attacks against critical infrastructure? And how do we even define the concept of critical infrastructure to set certain rules of the road? The same is also true for various forms of cyber espionage and the regulation of those.

[00:17:35] Gus Herwitz: So let's come back to really where I started the conversation, noting people are surprised when I say I teach cybersecurity law and policy at a law school. Isn't this a technology issue? You also teach cybersecurity law and policy. What are your views on the pedagogy in this area, the teaching of this field, [00:18:00] the material, and really the direction of, and our role in, the field?

[00:18:07] Asaf Lubin: Yeah, I think that this is a fascinating area for anyone interested in the evolution of pedagogy. Really, the rise in cybersecurity law and policy courses is a recent phenomenon. I'd say that the early courses came out, in various variations of them, kind of in the early 2000s, and courses are taking various shapes, and there's no one-size-fits-all, in part because of the various constituencies that we serve with these courses. Some of these courses are directed solely for a law school audience. Others have a combination through MS programs that include business school audiences, and informatics or computer science audiences, or international affairs and policy students.

And so finding the right balance between the technological elements of the material, the [00:19:00] political science elements of the material, the legal and the business, combining all of them together, is a really hard challenge for all professors.

[00:19:08] Gus Herwitz: Yeah, at the same time, it makes teaching and learning this material both really, really hard, because there's so much of it, and no one can be an expert in more than just a small portion of the subfields that make up the macro field of cybersecurity.

But at the same time, it's just fun and invigorating, because before I started working in this area, I never thought about, or frankly knew anything about, the law of armed conflict and international humanitarian law, and that's a central issue in the field. So for those who are interested really in a very true lifetime learning commitment and opportunity, this is a great field.

[00:19:55] Asaf Lubin: But I now also want to say a word to our colleagues. I still [00:20:00] have conversations with some who wonder whether or not cybersecurity law is a field that merits its own course in law school. And I think that it...

Even if this type of conversation, I think it doesn't, but even if it did have merit, say, 10 years ago, I think we've reached a point in the maturity of the case law and the maturity of the materials. And here I talk about the existence of actual textbooks and casebooks; you yourself are an author of one of them. Those are now justifying the existence of these sorts of courses. And I should say, if you don't offer cybersecurity law and policy courses to your students, you are also doing them a disservice, both because there's tons of jobs out there for cybersecurity lawyers, as the regulation continues to increase, so does the need for lawyers to help support those efforts.

But it's also the case that even if you're not gonna be a cybersecurity lawyer, even if you're just a regular lawyer, you're gonna need to think about cybersecurity in the [00:21:00] context of your practice, because you yourself might be the subject of a hack or cybersecurity breach.

[00:21:04] Gus Herwitz: Yeah. I'll go even a small step further and say, just look at the range of materials we've spoken about in the last 15 minutes.

We have some constitutional law. We have torts, with our contracts in there. There's administrative law, criminal law, international law, national security law. You could almost go so far as to say you could teach an entire two or three years' worth of law school curriculum from the perspective of cybersecurity law.

So that might be taking an even more aggressive position than you're taking as to whether this should be a class. No, this should be the class. And it turns out, Asaf, that I actually invited you on. There's been some recent developments in an area that's near and dear to both of our hearts, cybersecurity insurance.

So we're going to take a brief break, and when we come back, [00:22:00] we will turn to talk about cybersecurity insurance.

[00:22:09] Lysandra Marquez: Hi listeners. I'm Lysandra Marquez.

[00:22:12] Elsbeth Magilton: And I'm Elsbeth Magilton. And we're the producers of Tech Refactored. 

[00:22:16] Lysandra Marquez: We hope you're enjoying this episode of our show. One of our favorite things about being producers of Tech Refactored is coming up with episode ideas and meeting all our amazing guests. We especially love it when we get audience suggestions.

[00:22:28] Elsbeth Magilton: Do you have an idea for Tech Refactored? Is there some thorny tech issue you'd love to hear us break down? Visit our website or tweet us at @UNL_NGTC to submit your ideas to the show.

[00:22:39] Lysandra Marquez: And don't forget: the best way to help us continue making content like this episode is word of mouth. So ask your friends if they have an idea too.

Now back to this episode of Tech Refactored. [00:23:00] 

[00:23:01] Gus Herwitz: And we are coming back, talking with Asaf Lubin, a professor at the Indiana University Maurer School of Law, about cybersecurity, and we are going to turn now to talk about cyber insurance and what it can or cannot do to address the cybersecurity concerns we have been talking about, as well as some recent developments in the field.

Asaf, can you just start by telling us a little bit about the history of cyber insurance policy?

[00:23:33] Asaf Lubin: So before the break, we talked about cybersecurity as a risk, and if cybersecurity is a risk, then obviously we might want to turn to insurance as a way to transfer that risk. So cyber insurance, just like any insurance policy, transfers the risk from the potential victim to an insurance company, say a commercial insurer, in exchange for a premium.

And the history of these types of insurance policies goes quite a long way [00:24:00] back. They start with errors and omissions policies that go back to the 1980s, with the introduction of computers to larger swaths of our production lines and our areas of public activity. But one of the biggest kind of coalescing moments around cyber insurance occurred in 2000 with what I hope most of the audience would remember as Y2K. When I tell it to my students, many of them don't know what I'm talking about, but that was that moment where we were all fearful, when the computers would turn to January 1st, 2000, that planes would fall from the sky, and everyone would buy insurance to protect themselves.

And then the last big development here in the United States occurred with data breach notification laws, which began in 2003 in California and have now spread across all 50 states. Those came with a lot of costs associated with them, because if you had a data breach, you needed to open a notification center and you needed to pay for social security monitoring, and all of that [00:25:00] came at a cost. And so, to this day, cyber insurance policies' number one claim has to do with data breach notification and the whole area of data breach response.

[00:25:11] Gus Herwitz: So when I am buying a cyber insurance policy, first, I'm probably going to be a company buying one of these policies. Individuals, as I understand it, tend not to have these sorts of policies, though I guess that... well, let me rewind a little bit. Though I guess individuals might have coverage through maybe umbrella policies or their homeowner's insurance for some types of cyber coverage.

I guess I want to start by asking, well, first, am I right about individuals? That's kind of a side question, but the type of coverage that you were just describing seems to generally be tied to specific types of claims: the Y2K [00:26:00] bug, data breach notifications, and things like that. Are there umbrella cyber incident policies that companies get nowadays?

[00:26:12] Asaf Lubin: So I'll take each of those questions in turn. Just briefly on the first point, it used to be the case that individual cyber insurance was not really a thing, and that is significantly changing now, both as an add-on to existing property insurance and as a standalone cyber insurance for individuals that is now 25% of the market here in the United States, and it can cover a lot of things that you might not expect cyber insurance policies to cover, like cyberbullying. There's now certain harms from cyberbullying that are covered by individual cyber insurance policies. What used to be an excess line is now becoming a common product, but you're still absolutely correct.

The majority of the policies go to businesses, and in that context the two primary coverage areas, just like in most insurance policies, are first [00:27:00] party harms and third party harms. So in the first party category, we'll find various harms to the company itself. That could be cyber extortion, the paying of the ransom, which is a big controversial thing, or forensic costs incurred in the investigation of a data breach, or various notification costs of the kind that I described before. But then there's the third party liability coverage, and that's the liability to third parties in the context of a class action suit, or various kinds of liability to administrative agencies like the ones we talked about before, say the SEC, if they subject you to a fine.

[00:27:35] Gus Herwitz: So how effective has cyber insurance been at... I guess, is it intended to prevent these harms, or really just cleaning up after bad things happen?

[00:27:50] Asaf Lubin: Yeah, so I'll say that the jury is to some extent still out on this question, in part because cyber insurance policies since the [00:28:00] 2010s are certainly a different kind of product on the market than the early cyber insurance policies that I was describing before, and that one is still evolving.

The recent rise in cyber attacks in the context of the COVID-19 pandemic, which had all of us working from home and therefore working remotely and online, has resulted in increasing claims, which has meant for many insurance companies the need to change their policies to restrict their liability, in part by lower caps or introducing more exclusions. And that also impacts the abilities of some of these insurers to actually effectively regulate the market, as we increase the insurance gap, thereby also limiting the ability of the insurers to effectively regulate. There have been some studies, some of them coming out in a special symposium by the Connecticut Insurance Law Journal in the next few months, that have suggested that [00:29:00] cyber insurance has so far not done what we had hoped it would do, which is to engage in private regulation.

[00:29:05] Gus Herwitz: Yeah. So the rough idea there is that insurance companies don't like paying out on their policies. So what they have an incentive to do, frequently, is make the entities that they are insuring more safe, or reduce their risk. So by having insurance companies come in and look at your cybersecurity policies and how you handle your data and everything, they're going to educate you and help you improve your cybersecurity and stuff like that.

And I know I was a big proponent of that theory several years ago, but as you're suggesting, Asaf, that really doesn't seem to have played out in recent years. Do you have any sense, if that is true that that hasn't been playing out, what the cause for that failure is?

[00:29:57] Asaf Lubin: Yeah, there's a bunch of institutional [00:30:00] limitations on cyber insurers and their ability to do that in the same way that, say, fire insurance is capable of lowering the likelihood of fires.

And I think maybe I'll name two, although we can talk about probably a dozen. But one is the actuarial challenge of cyber insurance. That is, the ability to underwrite and effectively price cyber insurance policies, so as to be able to incentivize better insured entities who are doing a good job in their cybersecurity practices.

That depends on the ability of the insurer to understand what are good cybersecurity measures and to be able to effectively assess those through the use of the primary tool that insurance companies use to underwrite, which is questionnaires. So if the tool we're using is a questionnaire, you are only as good as your ability to ask the right questions and to expect good and detailed responses from your insured.

So [00:31:00] in the wake of that, what insurance companies have tried to rely on is insurtech: various kinds of technologies that are supposed to assist them in engaging in various sorts of monitoring of networks. And in fact, they will incentivize you to work with some of their assessment companies by saying, if you work with my company and get monitored regularly by them, say, we will lower your premiums by a certain amount.

And so now there's a whole market that supports the insurance market, but again, that is still evolving, and it hasn't taken clear shape yet.

[00:31:37] Gus Herwitz: And so much of this goes back to the idea that the entire field, and the entire technology, frankly, of computers and the internet, we're talking something that's literally only 30 to 50 years old.

So we're, we're still figuring out a lot of this stuff. Um, so how do we actually do security is a great question and it's a hard [00:32:00] question. And you, you mentioned, uh, the pandemic and the transition to work from home where suddenly a lot more companies were sending information and dealing with people remotely.

It's a lot easier to pretend to be someone else for identities and things like that. When you're working remotely, you suddenly have employee home computers that are connected to employee home networks. That's much harder to secure. It's much harder to monitor how they're going to be used, and you have employers having to open up their networks, making it easier for folks to get in and doing so very frequently on an ad hoc last minute, uh, sort of basis.

So again, we're just figuring out how to live in this, which makes it really hard to know how to do it securely when we're just trying to figure out how to do it at all. Let, let's turn. Yep, go ahead.

[00:32:51] Asaf Lubin: And I'll say on top of that, there's also an evolving regulatory environment. So it's not only the technological [00:33:00] and threat environment that continues to change. So much of the regulations around cybersecurity are recent. We've talked about some of them, right? The FTC's regulation of cybersecurity through regulations like the JBA that you were citing before. Those are extremely recent additions to the legal risk environment that companies have to deal with.

And as our understanding and interpretations of these laws continue to evolve, insurance companies then need to respond to them in real time, and that poses a new risk. And in addition, I'll say one last thing, which is that we also have a cyber aggregation risk problem. Here the concern is that so much of the risk that the insurance industry has to deal with is kind of centralized around, say, a handful of cloud service providers, or choked through various kinds of supply chain issues, so that if there is a failure at some [00:34:00] point around that chain, it could result in cascading effects across huge swaths of the market, denying insurers the ability to effectively diversify their portfolios, to be able to prevent going under in the case of a major cyber incident.

[00:34:16] Gus Herwitz: Yeah. And this is getting into the weeds of insurance theory, but this is such an important issue. The idea of insurance is that you can insure against rare risks for when they happen.

So you have a hundred people all paying into a pool for the incident that's going to happen to one out of a hundred or two out of a hundred of those individuals. So on net, the pool is ultimately insuring itself. But when you have these correlated risks or single choke points, as I think you referred to them, suddenly when the bad thing happens, it's not one or two of those hundred individuals that are affected, but [00:35:00] it's 80 or 90 of them affected, and insurance just doesn't work in those sorts of circumstances.

I want to throw a hypo at you, a hypothetical question, that will tease out some of the other issues that we should try and touch on. What happens... Let's say I am a large conglomerate shipping company. I don't choose that example for any particular reason. And I experience a significant ransomware attack, and there is evidence to suggest that that ransomware attack was coordinated by a subnational ransomware gang that has loose affiliations or suspected affiliations with a nation state government, let's say Russia. Again, I'm not picking this for any reason whatsoever. And I call up my cyber insurance company and say, we've experienced a ransomware attack, we'd like to [00:36:00] make a claim. Well, what's the response going to be?

[00:36:03] Asaf Lubin: Yeah. Completely random question. Well, the answer would be, let's look at your policy for a second, and the question will be, what policy is it in the first place? In the cyber insurance market, we have a phenomenon called silent cyber. Silent cyber is the situation where you're relying on a general policy, say a property and casualty insurance policy, or an errors and omissions policy, and that policy doesn't explicitly exclude cyber.

That's where most of the claims that came from NotPetya, the example you gave, came from, and that generated a lot of the claims going to court, because those policies were not standalone, unique policies with tailored language for the cyber age. They were old policies with ambiguous language. And so, in the case of Merck, the shipping company, their policy had the following sentence in there: loss or damage caused from hostile or warlike [00:37:00] action in a time of peace or war should be excluded.

And now the question becomes, what is hostile or warlike in cyberspace? And so the reality is that there have now been multiple academic articles that tried to answer this, but what we get from the New Jersey judge who issued the ruling in the Merck decision is very limited. If we hoped for some treatises on peace and war, you didn't get any treatises like that. The judge simply says that we need to interpret the contract in the way that's most favorable to the insured, taking into account their reasonable expectations. And those reasonable expectations should include an understanding of hostile or warlike action as those involving only traditional forms of warfare.

And given that cyber attacks like the one, allegedly Russian, in Ukraine were not traditional, this insurance exclusion did not apply, [00:38:00] and therefore Merck was entitled to compensation. Okay. Now, whether or not that is the right interpretation of that clause may...

[00:38:11] Gus Herwitz: So this is another bit of insurance theory.

I guess we could call it the idea of exclusions, and this is what insurers do when there are things that are very difficult for them to insure, because either, as you discussed before, it's hard to put the actuarial value on certain types of incidents, so it'd be really expensive to, or just unclear what the cost would be to insure them, or they might be the sort of incidents that are highly correlated with other risks.

Insurance companies just exclude them. So they say we're not going to cover that sort of thing. If we can't predict when war is going to break out, and if war breaks out, that is something so far outside of the realm of what we're trying to insure against that it's [00:39:00] excluded from the policy. And it turns out, with a lot of cyber focused policies, another reason they might not have been as effective as many of us had hoped has been that the hard stuff to insure is getting excluded from the policies, and that's exactly the stuff that we were hoping these policies would actually help us to better understand.

[00:39:23] Asaf Lubin: That's exactly right. So now we're moving from this amorphous language of hostile or warlike, which we don't necessarily know how to interpret in the cyber age, to just saying state sponsored attacks.

So now there's a state sponsored attack exclusion, and that's easier for an insurer to prove, subject to intelligence reporting that is founded and admissible in court. Which, by the way, there's a whole evidentiary question here around attribution and how do we know that Russia actually did it? Your words in the hypo were loose ties.

Would loose ties be sufficient under a preponderance of the evidence [00:40:00] test? That too remains to be seen, but the bottom line that I will say is, we have a language problem with these policies, because there's no uniform language being utilized and because regulation of insurance in the United States is done on a state by state basis.

So our ability to mandate certain uniform clauses or language is nonexistent.

[00:40:27] Gus Herwitz: So we should have touched on this before, when I introduced this hypo. Listeners might be thinking, you're talking about a multibillion dollar shipping company getting attacked by Russia. What's the relevance of this to me?

Well, it turns out that ransomware attacks are one of the most common forms of cybersecurity incident out there. And many of them are coordinated by groups that are in other countries, sometimes with some connection to those countries' governments, [00:41:00] and they target people on an opportunistic basis.

They don't target your small business because they think you're strategically valuable. They target your small business very frequently because they sent out a phishing attack, an email attack, to 50,000 email addresses, and one of your employees happened to click on a link in that email, or you're running an outdated piece of software that they randomly detected.

They're not targeting you individually. They're targeting you because through some bit of circumstance they found you and were able to get into your systems.

[00:41:38] Asaf Lubin: Yeah, and even if you did not run a business, you might, just as a citizen in this country, be affected by a ransomware attack, because of the fact that ransomware attacks also target various kinds of public entities: cities, school districts, hospitals.

We've already seen a case where one pregnant woman had a [00:42:00] child die during pregnancy, in part due to certain alleged medical malpractice, which she claims is the result of the fact that the hospital was under a ransomware attack, and which, she claims, again, she was not notified about. And had she been notified, she would've chosen to get medical services elsewhere, which goes to show you that ransomware could hit you even in the most indirect ways.

[00:42:28] Gus Herwitz: So, last question before we start wrapping up, about ransomware. Should people pay ransoms if they are affected by ransomware? Just as a broad matter of policy, should we allow that? Should we encourage it?

[00:42:48] Asaf Lubin: That's really one of the questions hitting at the heart of how we conceptualize the ethical questions around various kinds of cybersecurity decision making.

On the one hand, we [00:43:00] might say that in certain extreme situations, say like the hospital example I was giving, it makes sense to not completely prohibit the payment of ransom. Say the hospital does not have the ability to recover in other ways. It did not have data stored and is not able to quickly come back on its feet.

This could have real economic and social effects on the society, where paying the ransom might result in a quick fix that will be worthwhile if on the other side is potential death to individuals or significant bodily injury. On the other hand, every payment that we pay supports a criminal enterprise that continues to grow, and the result will be more ransomware attacks.

And so the reality has been that while multi-agency guidance and reporting have suggested to individuals that the general recommendation is not to pay, our federal government has yet to completely prohibit the practice, [00:44:00] and insurers have all across the board denied indemnification in the case of payments.

And so we're in a weird in-between space, and the reality is that it's still, to this date, left to the individual decision of each victim.

[00:44:17] Gus Herwitz: Well, Asaf, we've covered a ton of material in the last 40 minutes or so. I'll just hand it to you for any last thoughts or ideas you want to leave us with.

[00:44:30] Asaf Lubin: Yeah, I think that cyber insurance is going to remain one of the most exciting areas of thinking about cybersecurity harms and liabilities. So, going back to Gus's original point, that he wrote about this way back when, I think that the same theoretical questions that Gus posed then still remain relevant here.

And I will also say, in that special symposium of the Connecticut Insurance Law Journal that I mentioned is coming up, I have a piece that talks [00:45:00] about insuring evolving technology more broadly, as we think about other technologies, from artificial intelligence to space-faring technologies. The way insurance plays a role in this evolution could have certain parallels and similarities regardless of the subject matter in question.

And so thinking about the intersectionality between insurance and technology is something that we should all continue to explore and...

[00:45:28] Gus Herwitz: Well, thank you, Asaf, and we will be sure to put a link in the notes to this episode to that forthcoming symposium, because these are just really great issues, and I am sure that we will continue to talk about them for quite a while to come.

And thank you to our listeners for joining us on this episode of Tech Refactored. I've been your host, Gus Herwitz. If you would like to learn more about what we're doing here at the Nebraska Governance and Technology Center, or you'd like to submit an idea for a future episode, you [00:46:00] can go to our website at ngtc.unl.edu, or you can follow us on Twitter at UNL underscore NGTC.

If you enjoyed the show, please don't forget to leave us a rating or review wherever you listen to your podcasts. If you don't do that, we might need to hack into your account and leave the rating for you. Our show is produced by Elsbeth Magilton and Lysandra Marquez, and Colin McCarthy created and recorded our theme music.

This podcast is part of the Menard Governance and Technology Programming Series. Until next time, I'll be here to ensure your security is cyber. [00:47:00]