UK Information Commissioner John Edwards explains how the ICO is working to provide clarity around the lawful use of AI
Daily Archives: February 28, 2024
A Cyber Insurance Backstop
In the first week of January, the pharmaceutical giant Merck quietly settled its years-long lawsuit over whether or not its property and casualty insurers would cover a $700 million claim filed after the devastating NotPetya cyberattack in 2017. The malware ultimately infected more than 40,000 of Merck’s computers, which significantly disrupted the company’s drug and vaccine production. After Merck filed its $700 million claim, the pharmaceutical giant’s insurers argued that they were not required to cover the malware’s damage because the cyberattack was widely attributed to the Russian government and therefore was excluded from standard property and casualty insurance coverage as a “hostile or warlike act.”
At the heart of the lawsuit was a crucial question: Who should pay for massive, state-sponsored cyberattacks that cause billions of dollars’ worth of damage?
One possible solution, touted by former Department of Homeland Security Secretary Michael Chertoff on a recent podcast, would be for the federal government to step in and help pay for these sorts of attacks by providing a cyber insurance backstop. A cyber insurance backstop would provide a means for insurers to receive financial support from the federal government in the event that there was a catastrophic cyberattack that caused so much financial damage that the insurers could not afford to cover all of it.
In his discussion of a potential backstop, Chertoff specifically references the Terrorism Risk Insurance Act (TRIA) as a model. TRIA was passed in 2002 to provide financial assistance to the insurers who were reeling from covering the costs of the Sept. 11, 2001, terrorist attacks. It also created the Terrorism Risk Insurance Program (TRIP), a public-private system of compensation for some terrorism insurance claims. The 9/11 attacks cost insurers and reinsurers $47 billion. It was one of the most expensive insured events in history and prompted many insurers to stop offering terrorism coverage, while others raised the premiums for such policies significantly, making them prohibitively expensive for many businesses. The government passed TRIA to provide support for insurers in the event of another terrorist attack, so that they would be willing to offer terrorism coverage again at reasonable rates. President Biden’s 2023 National Cybersecurity Strategy tasked the Treasury and Homeland Security Departments with investigating possible ways of implementing something similar for large cyberattacks.
There is a growing (and unsurprising) consensus among insurers in favor of the creation and implementation of a federal cyber insurance backstop. Like terrorist attacks, catastrophic cyberattacks are difficult for insurers to predict or model because there is not very good historical data about them—and even if there were, it’s not clear that past patterns of cyberattacks will dictate future ones. What’s more, cyberattacks could cost insurers astronomic sums of money, especially if all of their policyholders were simultaneously affected by the same attack. However, despite this consensus and the fact that this idea of the government acting as the “insurer of last resort” was first floated more than a decade ago, actually developing a sound, thorough proposal for a backstop has proved to be much more challenging than many insurers and policymakers anticipated.
One major point of contention is determining a threshold for what types of cyberattacks should trigger a backstop. Specific characteristics of cyberattacks—such as who perpetrated the attack, the motive behind it, and the total damage it has caused—are often exceedingly difficult to determine. Therefore, even if policymakers could agree on what types of attacks they think the government should pay for based on these characteristics, they likely won’t be able to calculate which incursions actually qualify for assistance.
For instance, NotPetya is estimated to have caused more than $10 billion in damage worldwide, but the quantifiable amount of damage it actually did is unknown. The attack caused such a wide variety of disruptions in so many different industries, many of which likely went unreported since many companies had no incentive to publicize their security failings and were not required to do so. Observers do, however, have a pretty good idea who was behind the NotPetya attack because several governments, including the United States and the United Kingdom, issued coordinated statements blaming the Russian military. As for the motive behind NotPetya, the program was initially transmitted through Ukrainian accounting software, which suggests that it was intended to target Ukrainian critical infrastructure. But notably, this type of coordinated, consensus-based attribution to a specific government is relatively rare when it comes to cyberattacks. Future attacks are not likely to receive the same determination.
In the absence of a government backstop, the insurance industry has begun to carve out larger and larger exceptions to their standard cyber coverage. For example, in a pair of rulings against Merck’s insurers, judges in New Jersey ruled that the insurance exclusions for “hostile or warlike acts” (such as the one in Merck’s property policy that excluded coverage for “loss or damage caused by hostile or warlike action in time of peace or war by any government or sovereign power”) were not sufficiently specific to encompass a cyberattack such as NotPetya that did not involve the use of traditional force.
Accordingly, insurers such as Lloyd’s have begun to change their policy language to explicitly exclude broad swaths of cyberattacks that are perpetrated by nation-states. In an August 2022 bulletin, Lloyd’s instructed its underwriters to exclude from all cyber insurance policies not just losses arising from war but also “losses arising from state backed cyber-attacks that (a) significantly impair the ability of a state to function or (b) that significantly impair the security capabilities of a state.” Other insurers, such as Chubb, have tried to avoid tricky questions about attribution by suggesting exclusions for cyberattacks that pose a “systemic risk” or impact multiple entities simultaneously. But most of this language has not yet been tested by insurers trying to deny claims. No one, including the companies buying the policies with these exclusions written into them, really knows exactly which types of cyberattacks they exclude. It’s not clear what types of cyberattacks courts will recognize as being state-sponsored, or posing systemic risks, or significantly impairing the ability of a state to function. And for the policyholders whose insurance exclusions feature this sort of language, it matters a great deal how that language will be parsed and understood by courts adjudicating claim disputes.
These types of recent exclusions leave a large hole in companies’ coverage for cyber risks, placing even more pressure on the government to help. One of the reasons Chertoff gives for why the backstop is important is to help clarify for organizations what cyber risk-related costs they are and are not responsible for. That clarity will require very specific definitions of what types of cyberattacks the government will and will not pay for. And as the insurers know, it can be quite difficult to anticipate what the next catastrophic cyberattack will look like or how to craft a policy that will enable the government to pay only for a narrow slice of cyberattacks in a varied and unpredictable threat landscape. Get this wrong, and the government will end up writing some very large checks.
And in comparison to insurers’ coverage of terrorist attacks, large-scale cyberattacks are much more common and affect far more organizations, which makes it a far more costly risk that no one wants to take on. Organizations don’t want to—that’s why they buy insurance. Insurance companies don’t want to—that’s why they look to the government for assistance. But, so far, the U.S. government doesn’t want to take on the risk, either.
It is safe to assume, however, that regardless of whether a formal backstop is established, the federal government would step in and help pay for a sufficiently catastrophic cyberattack. If the electric grid went down nationwide, for instance, the U.S. government would certainly help cover the resulting costs. It’s possible to imagine any number of catastrophic scenarios in which an ad hoc backstop would be implemented hastily to help address massive costs and catastrophic damage, but that’s not primarily what insurers and their policyholders are looking for. They want some reassurance and clarity up front about what types of incidents the government will help pay for. But to provide that kind of promise in advance, the government likely would have to pair it with some security requirements, such as implementing multifactor authentication, strong encryption, or intrusion detection systems. Otherwise, it creates a moral hazard problem, where companies may decide they can invest less in security knowing that the government will bail them out if they are the victims of a really expensive attack.
The U.S. government has been looking into the issue for a while, though, even before the 2023 National Cybersecurity Strategy was released. In 2022, for instance, the Federal Insurance Office in the Treasury Department published a Request for Comment on a “Potential Federal Insurance Response to Catastrophic Cyber Incidents.” The responses recommended a variety of different possible backstop models, ranging from expanding TRIP to encompass certain catastrophic cyber incidents, to creating a new structure similar to the National Flood Insurance Program that helps underwrite flood insurance, to trying a public-private partnership backstop model similar to the United Kingdom’s Pool Re program.
Many of these responses rightly noted that while it might eventually make sense to have some federal backstop, implementing such a program immediately might be premature. University of Edinburgh Professor Daniel Woods, for example, made a compelling case for why it was too soon to institute a backstop in Lawfare last year. Woods wrote,
One might argue similarly that a cyber insurance backstop would subsidize those companies whose security posture creates the potential for cyber catastrophe, such as the NotPetya attack that caused $10 billion in damage. Infection in this instance could have been prevented by basic cyber hygiene. Why should companies that do not employ basic cyber hygiene be subsidized by industry peers? The argument is even less clear for a taxpayer-funded subsidy.
The answer is to ensure that a backstop applies only to companies that follow basic cyber hygiene guidelines, or to insurers who require those hygiene measures of their policyholders. These are the types of controls many are familiar with: complicated passwords, app-based two-factor authentication, antivirus programs, and warning labels on emails. But this is easier said than done. To a surprising extent, it is difficult to know which security controls really work to improve companies’ cybersecurity. Scholars know what they think works: strong encryption, multifactor authentication, regular software updates, and automated backups. But there is not anywhere near as much empirical evidence as there ought to be about how effective these measures are in different implementations, or how much they reduce a company’s exposure to cyber risk.
This is largely due to companies’ reluctance to share detailed, quantitative information about cybersecurity incidents because any such information may be used to criticize their security posture or, even worse, as evidence for a government investigation or class-action lawsuit. And when insurers and regulators alike try to gather that data, they often run into legal roadblocks because these investigations are often run by lawyers who claim that the results are shielded by attorney-client privilege or the work product doctrine. In some cases, companies don’t write down their findings at all, to avoid the possibility of their being used against them in court. Without this data, it’s difficult for insurers to be confident that what they’re requiring of their policyholders will really work to improve those policyholders’ security and decrease their claims for cybersecurity-related incidents under their policies. Similarly, it’s hard for the federal government to be confident that it can impose requirements for a backstop that will actually raise the level of cybersecurity hygiene nationwide.
The key to managing cyber risks—both large and small—and designing a cyber backstop is determining what security practices can effectively mitigate the impact of these attacks. If there were data showing which controls work, insurers could then require that their policyholders use them, in the same way they require policyholders to install smoke detectors or burglar alarms. Similarly, if the government had better data about which security tools actually work, it could establish a backstop that applied only to victims who have used those tools as safeguards. The goal of this effort, of course, is to improve organizations’ overall cybersecurity in addition to providing financial assistance.
There are a number of ways this data could be collected. Insurers could do it through their claims databases, aggregate that data across carriers, and share it with policymakers. They did this for car safety measures starting in the 1950s, when a group of insurance associations founded the Insurance Institute for Highway Safety. The government could use its increasing reporting authorities, for instance under the Cyber Incident Reporting for Critical Infrastructure Act of 2022, to require that companies report data about cybersecurity incidents, including which countermeasures were in place and the root causes of the incidents. Or the government could establish an entirely new entity in the form of a Bureau for Cyber Statistics that would be devoted to collecting and analyzing this type of data.
Scholars and policymakers can’t design a cyber backstop until this data is collected and studied to determine what works best for cybersecurity. More broadly, organizations’ cybersecurity cannot improve until more is known about the threat landscape and the most effective tools for managing cyber risk.
If the cybersecurity community doesn’t pause to gather that data first, then it will never be able to meaningfully strengthen companies’ security postures against large-scale cyberattacks, and insurers and government officials will just keep passing the buck back and forth, while the victims are left to pay for those attacks themselves.
Lawfare.
AT&T Cybersecurity announces 2024 ‘Partner of the Year Award’ winners
We’re pleased to announce our 2024 Partner of the Year awards. These annual awards recognize AT&T Cybersecurity partners that demonstrate excellence in growth, innovation, and implementation of customer solutions based on our AT&T USM Anywhere platform.
AT&T Cybersecurity’s 2024 Global Partner of the Year award goes to Cybersafe Solutions for the second year in a row! Cybersafe Solutions experienced incredible growth in 2023 and we’re thrilled to be partnering with their team to help customers orchestrate and automate their security.
In addition to Cybersafe Solutions as our Global Partner of the Year, we’re proud to recognize six other partners who demonstrated excellence in 2023. See below for the full list of winners and their feedback regarding their partnership with AT&T Cybersecurity.
Global Awards:
Global Partner of the Year: Cybersafe Solutions
“I am honored that Cybersafe Solutions has been named as AT&T Cybersecurity’s Global Partner of the Year for the second year in a row. Our continued partnership with AT&T allows us to continue to deliver managed detections and response services at the expert level that our customers have come to expect. Thank you to everyone on the AT&T team who contributed to this success and I look forward to the continued growth of our partnership.” – Ben Filingeri, CEO
Growth Partner of the Year: Artilus, Inc
“Artilus is honored to be AT&T Cybersecurity’s Growth Partner of the Year. This recognition is a testament to the hard work of our team, who consistently goes beyond to deliver exceptional cybersecurity solutions to our customers, exemplifying the Artilus principle of ‘service over sales.’ We are proud to partner with AT&T and look forward to continuing our successful collaboration.” – Richard Cintorino, Vice President of Security and Network Operations
New Partner of the Year: ThinkGard/VC3
Regional Awards
These awards recognize partners that had the highest sales bookings in each of the four regions during the past year:
APAC Partner of the Year: Scientific Software and Systems (SSS)
“Our managed security operations center is a critical cybersecurity service. We’re proud to partner with AT&T in the delivery of this service, and to be awarded APAC partner of the year is testimony to our collaborative approach to designing a world-leading managed SOAR service that secures trust for businesses across NZ and Australia.” – Luke Taylor, CEO
EMEA Partner of the Year: Exponential – E
“We are honoured and delighted to be chosen as EMEA Cyber Security Partner of the Year by AT&T. The threat landscape has evolved – and continues to evolve – in ways that would have been inconceivable just a few years ago. It’s partnerships like this, and the innovations they drive, that ensure cyber security continues to evolve in response. We thank everyone at AT&T and look forward to continuing working (and innovating!) together in the future.” – Mukesh Bavisi, Managing Director
Latin American Partner of the Year: GMS
“GMS is greatly honored to be recognized as AT&T Cybersecurity’s 2024 Latin American Partner of the Year. This marks the third time we have received this award, a testament to the commitment our partnership is built on. We look forward to continued growth and innovation alongside AT&T to further strengthen the cybersecurity posture of our clients in the Andean region.” – Esteban Lubensky, Executive President
North American Partner of the Year: Abacode
“We’re thrilled to be named the AT&T Cybersecurity North American Partner of the Year for 2024. This award reinforces our dedication to revolutionizing cybersecurity and compliance. It’s also a testament to our expertise, innovation, and the trust our clients place in our people, technology, and services. Huge thanks to AT&T for their vital role in our success—we’re excited for the journey ahead!” – Michael Ferris, CEO
Over Half of UK Firms Concerned About Insider Threats
Cifas claims that most business decision makers are worried about fraudsters targeting employees
Ads for Zero-Day Exploit Sales Surge 70% Annually
Group-IB research warns of rising use of zero-day threats in targeted attacks
ghc-base64-0.4.2.4-28.fc41 ghc-hakyll-4.16.2.0-4.fc41 ghc-isocline-1.0.9-28.fc41 gitit-0.15.1.1-6.fc41 pandoc-3.1.3-28.fc41 pandoc-cli-0.1.1.1-28.fc41 patat-0.11.0.0-1.fc41
FEDORA-2024-d62088b505
Packages in this update:
ghc-base64-0.4.2.4-28.fc41
ghc-hakyll-4.16.2.0-4.fc41
ghc-isocline-1.0.9-28.fc41
gitit-0.15.1.1-6.fc41
pandoc-3.1.3-28.fc41
pandoc-cli-0.1.1.1-28.fc41
patat-0.11.0.0-1.fc41
Update description:
pandoc-cli replaces pandoc binary package
Security fix for CVE-2023-35936 and CVE-2023-35936
newly packaged ghc-base64 and ghc-isocline
From Military Kid to Product Marketing: My McAfee Journey
Employee Spotlight: Meet Jovohn!
From military beginnings to mobile security champion, meet Jovohn, our passionate Product Marketer and MAHC President. Discover how his unique path led him to advocate for customer safety and drive innovation in McAfee’s mobile business.
Can you tell us a bit about yourself and your role at McAfee?
“Absolutely! I’m a proud graduate of Indiana University, and my journey to the Product Marketing team at McAfee has been my own personal adventure. Growing up as a military kid, I thrived on change, adapting to new environments every few years. From Alaskan frostbite to New Mexico sand dunes, those experiences shaped my adaptability and perspective. I loved team sports and dabbled in music, even engineering for a Sony artist before my 15+ year marketing career!
Recently, I transitioned from McAfee’s Retention Marketing team to my new role in Product Marketing, where I’m navigating the dynamic world of McAfee’s mobile business. Developing strategic marketing initiatives is not just a job for me; it’s a creative adventure, and I’m excited to bring that energy to the team!
But my role goes beyond crafting campaigns. I play a part in ensuring our customers receive top-notch mobile security solutions, directly contributing to McAfee’s mission of protecting our connected world. Every day, I’m involved in understanding the competitive landscape, gathering feedback from our customers, and using those insights to help shape products that truly address their needs. It’s more than marketing; it’s advocating for our customers and giving them the tools to stay safe online, which is core to our work at McAfee.”
What sparked your passion for marketing?
“Believe it or not, it all started with Eddie Murphy’s “Boomerang!” This captivating movie offered a glimpse into the advertising world, igniting my passion for marketing. It started in high school with direct marketing, where I was the youngest voice in a call center where we provided direct marketing sales for telecom companies. After college, I built a foundation in market research, fascinated by the power of data and its impact on marketing decisions. This fueled my drive to become a well-rounded, data-driven marketer.”
What’s your favorite thing about working at McAfee?
“After six years at McAfee, I cherish the collaborative and innovative atmosphere. Working with talented colleagues who become friends makes it even better. Our dynamic environment, fueled by teamwork, respect, and a constant pursuit of excellence, drives collective success. Plus, contributing to McAfee’s mobile business growth is incredibly rewarding! Seeing the impact our work has on safeguarding millions of people worldwide fuels a deep sense of purpose and accomplishment. I’m excited to collaborate with my team, developing and executing strategies that drive meaningful results while enhancing the security and digital well-being of our mobile experiences. It’s an opportunity to not only push the boundaries of innovation but also make a tangible difference in the lives of millions.”
Tell us about MAHC and your role as president!
“Leading MAHC (McAfee African Heritage Community) is an honor, aligning with my passion for fostering diverse communities. I’ve been involved for five years, taking a more active leadership role in 2022 to truly make a difference.
MAHC is more than just a professional hub; it’s a space for engaging conversations that go beyond work, fostering a culture of respect and understanding that McAfee values. We host talks with individuals from all walks of life, making it a cathartic platform not just for professional growth but also for personal connection and understanding. It’s a unique blend of networking and genuine camaraderie.”
Life outside of McAfee?
“My greatest joy comes from being a husband and dad. Our family is always on the go, from after-school activities to sports! Weekends are all about fellowship, connecting with grandparents, and staying grounded in what truly matters. Personally, I love finding a good show to binge, gaming, and soaking up the outdoors in open spaces. It’s all about balance and bringing a fresh perspective to both my personal and professional life.”
And finally, what advice would you give for anyone considering a career in product marketing?
“Despite my non-traditional product marketing background, I bring a diverse skill set from market research and advertising. For those considering a product marketing career, I would embrace a multidisciplinary approach. This allows for a well-rounded understanding of consumer behavior, market dynamics, and effective communication strategies. Success for today’s marketers often lies in the ability to draw insights from various experiences and apply them creatively in today’s dynamic market landscape.”
If you’re interested in the work Jovohn does or want to learn more about our career opportunities at McAfee, please visit our jobs page or join our talent network to receive updates on career opportunities from McAfee.
The post From Military Kid to Product Marketing: My McAfee Journey appeared first on McAfee Blog.
ZDI-24-209: NI FlexLogger ServiceRegistry Missing Authorization Local Privilege Escalation Vulnerability
This vulnerability allows local attackers to escalate privileges on affected installations of NI FlexLogger. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-1155.
ZDI-24-210: NI FlexLogger SkylineService Missing Authorization Local Privilege Escalation Vulnerability
This vulnerability allows local attackers to escalate privileges on affected installations of NI FlexLogger. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-1155.
ZDI-24-211: NI FlexLogger DocumentManager Missing Authorization Local Privilege Escalation Vulnerability
This vulnerability allows local attackers to escalate privileges on affected installations of NI FlexLogger. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-1155.