Evolving Landscape of Cyber Insurance

December 5, 2022

James Turgal, Optiv’s Vice President of Cyber Risk, Strategy and Board Relations, joins the hosts of Cyber Security Matters to talk about the cyber threatscape, nation-state actors and the potential impacts to the cyber insurance industry.

 

Dominic Vogel: Hello everyone. Welcome to a brand new edition of the Cyber Security Matters Podcast. I'm your host, Dominic Vogel, and joining me as always is the man who's out of this world, Christian Redshaw. Christian, how you doing today?

 

Christian Redshaw: Always so complimentary, I am awesome.

 

Dominic Vogel: That's good.

 

Christian Redshaw: How are you doing, sir?

 

Dominic Vogel: I'm doing fantastic, and I'm really, really excited for today's guest. It's James Turgal. He is a Vice President at Optiv. I think we're just gonna be blown away by this conversation, so I will stop mumbling and we're gonna bring James aboard.

 

Christian Redshaw: Please do.

 

Dominic Vogel: James, thank you so much for joining us on the Cyber Security Matters Podcast. How are you doing today?

 

James Turgal: Doing great, thank you.

 

Dominic Vogel: Fantastic, Christian and I are really looking forward to having you on the show today. And you know, we've read your bio with great interest and you're very well traveled, very interesting person. We're really looking forward to this conversation, but thought maybe we could start off with you sharing a little bit about your personal and career narrative and sharing a little bit about yourself so our listeners and viewers can get to learn a little bit more about you.

 

James Turgal: Yeah, absolutely. And thank you for having me on. So yeah, I have a well traveled past, you know, grew up in Scottsdale, Arizona. I have an Undergraduate Degree from Northern Arizona University in Economics. Always wanted to go to law school, always wanted to be a litigating attorney. Went to law school, Western Michigan University, actually I have a Master's of Law in Corporations and Securities Regulations from Georgetown. Practiced law for probably almost four years, hated it. Absolutely hated it. So I'm a recovering lawyer for all of you out there who are in the same boat. But I ran off and joined the FBI. Worked Colombian, Mexican cartel, hardcore, southwest border drug cases for years. Moved throughout my career, was the special agent in charge of our Arizona field office. So I actually got to go home as the SAC, to be the head of the FBI in my hometown, which was very cool by the way. Went through my career, was also the head of HR, so I was the Chief Human Capital Officer and then ended my career as the Executive Assistant Director for Global IT and the FBI CIO. So one of those rare guys that was able to actually be, you know, the cyber agent on the street working cases, the head of HR and the head of IT.

 

Dominic Vogel: Wow, that's a heck of a story for an ex-lawyer. That's absolutely incredible.

 

Christian Redshaw: And you still seem like a nice guy. So we're enjoying the conversation. We're at ease. So in terms of talking about cyber crime, I mean, there's a business to it, there's a corporate structure a lot of the time, I would say there's nation-states and you have the individuals, but can you tell us what, you can tell us what you know about cyber criminals? How do they organize themselves? What are they after? And how are they going after organizations to get what they're looking for?

 

James Turgal: Yeah, that's a great question. It is, so it is big business. You're actually, I've investigated hundreds and hundreds of cyber cases. Been the guy that actually, you know, interviewed these guys, interrogated them, put handcuffs on them. So I mean, they are, they run this as a business. The more organized, both nation-state and organized crime types of proxy organizations actually have call centers. They have HR groups that are connected to the actual threat actor group, you know, in a word, they're after data. You know, I meet with boards every day in my day job with Optiv as the Vice President of Board Relations. And, you know, three different areas that I can tell you, it's really critical to understand the whole cyber world. And that's data, ecosystems and attack surface. And so these guys are after data, whether they ransom it, steal it, suppress it, or delete it, or, you know, wanna take it and then, you know, broadcast it out on the dark web, data is everything. And that's exactly what they're after. And as far as preferred attack methods, I've seen it all, right? Whether it's, you know, script kiddies, whether it's the guy, you know, the 14-year-old sitting in grandma's basement in Belarus with, you know, a bunch of Monster energy drinks, you know, hacking away at night--

 

Christian Redshaw: In a hoodie.

 

James Turgal: This is, you know, the actual like nation-states where you have, you know, hundreds sitting in rooms with laptops just sitting there coding, banging away at IP addresses. So I really have seen the benefit of all of those different areas, but they're after the data.

 

Christian Redshaw: That's pretty hard hitting, but very succinct. Can you bring it home even further, James, and give us maybe a quick story or two about some of those things you alluded to with arresting, handcuffing people or even, you know, some of the crazy cyberattacks that you've seen.

 

James Turgal: Yeah, no, absolutely. There, unfortunately, you know, with a history of 22 years of experience doing this, there's no lack of stories. I think a couple of the ones, there's some classified stuff out there that I couldn't talk about, but certainly the, you know, a couple of them come to mind. I've actually, one of the very first botnets and botnets are a huge problem today, right? The little zombie computers out there that have been taken over by malware and certainly the bot farms that are run by threat actors. Well, when I was the supervisory special agent running the Cyber Taskforce in Cincinnati, we actually took down one of the Bureau's very first botnet cases. And so it was a guy who was an enterprising Ohio State University student who had about a 2000, 2200-square foot house, north of Columbus. And we had all these IP addresses that were coming back, you know, to one house and one place. And there was just a ton of illegal activity going on, on all of these different computers that were coming back to one place. And so we, right, we do what we do, right? We did surveillance, we, you know, investigated everything. And again, it all came back to the one house. And so imagine, right, we roll up for the search warrant and we show up to this house that we've been doing surveillance on, and it's just a real single family house in a nice neighborhood, but there are air conditioning units hanging off of every window. And even some of, like the back door that was converted into an air conditioning unit as well, right? In my world, I call that a clue, right? So we roll into this place, we execute the search warrant thinking we're gonna have like 20, 30 computers? There were 468 computers, I think, in this house. They were on the counters, they were on the floor, they were in the bed, you name it, they were, and that was the first, you know, bot farm. It was 468 computers, all coming back to that same IP address.
And it was the middle of winter when we executed the search warrant. All the air conditioning units are running. It's like 30 degrees outside, but it was like 90 degrees inside.

 

Dominic Vogel: Wow.

 

James Turgal: I mean, just crazy. And we interviewed the neighbors and said, "You know, hey, did you see anything weird, right? Did anything strike you as odd?" And they were like, "No, he's a really nice kid. He was always nice to us." And like, it didn't matter that there were air conditioning units on every window.

 

Christian Redshaw: In the wintertime.

 

James Turgal: And every door. No, we just thought he was a nice guy.

 

Dominic Vogel: What a great story.

 

Christian Redshaw: Believe the best of people, I guess--

 

James Turgal: You can't make that stuff up, right? Truth is stranger than fiction.

 

Dominic Vogel: The people of Columbus are too kind to one another.

 

James Turgal: Yeah, clearly.

 

Dominic Vogel: The question I wanted to ask you, James, is, I guess focus around, you know, you mentioned how you speak to boards every day, right? And for boards, they need to be able to understand ultimately in the organization, you know, what's worth protecting? You know, the old security adage, "If you try to protect everything, you end up protecting nothing." Very well, so how do you guide boards through the process of identifying what needs to be protected, even establishing their cyber risk tolerances?

 

James Turgal: So it's really that, it is, that is the critical question, right? So, and I ask that question to both the C-suite, the CISO, the CIO and the board as well, because not necessarily all the time are they actually on the, you know, the same page. And when I sit with boards, I talk in terms of, you know, talk to me about, do you understand what the, let's say I call it, my top 10 list. What are the top 10 critical business applications that run your business, right? So when I'm the CIO of the FBI, I can tell you what my top, you know, 10 or 20 applications that we ran every day, that ran the business of the FBI. So I look at the board and say, "Do you know what those top 10 applications are? Do you know where the data goes for those top 10 applications?" If you build something, if you're a manufacturer, if you're financial services, whatever. You can easily identify what are those top areas. And then you gotta drill down to, what do you do with that data? Where do you store it? Do you encrypt it? Do you back it up? How often? All of those really critical conversations. And I usually hearken back to another case that I ran where it really kind of drives the point home. I ran a case where there was a pharmaceutical company that was breached, and we're sitting there, I interviewed a bunch of people, I interviewed the CEO and the CIO. So interview the CIO and ask him, "What are their crown jewels? What are you trying to protect?" He's like, "We're a pharmaceutical company. It's formularies. We spend billions of dollars every year on these formularies. They're locked away in that data center over there. It's all segmented, air gap, we're good to go." I'm like, all right, ten-four. So I ask the CEO that question, he pauses for about 20 seconds, and then he looks at me and says, "Look, I know we're a pharmaceutical company." He said, "But turn around and look out that window. You see that building right there?"
I said, "Yeah," he's like, "There's a nuclear reactor in that building, so we make nuclear medicines." He said, "If the data gets out about how that nuclear reactor works, if someone, if that gets in the wind and threat actors are actually, or our competitors are actually able to change just the most minute aspects of the radiation as it applies to that particular, you know, medicine." He said, "That's a business killer. Or if someone gets the information and access to it, blows it up? That's a business killer." He said, "We would never survive that." He said, "Look, I know we're a pharmaceutical, we spend billions on formularies, but I can, we can survive the monetary aspect of the, you know, of losing the formularies." And I tell that story to boards because two very amazing individuals, lots of experience, well traveled, great educations, they didn't answer that question the same way. And so you really need to be on that same page to be able to understand really what are the crown jewels from your individual standpoint. And then you need to put your heads together because you need to protect the same thing.

 

Dominic Vogel: You illustrate that so well with that story there, James, I mean, that's extremely profound. And so my follow up to that it's, somewhat related is, with boards that may view cybersecurity as a tech issue or IT issue or say, "Well, can't we just buy a, you know, a tech tool to deal with this?" How do you get them past that and have them see it more as a business issue? I mean, much of what you said earlier would apply, but how do you get them past, at least with some boards who just see it purely as an IT issue?

 

James Turgal: Yeah, I mean, it's really difficult with some boards. Some boards are, you know, individuals that, let me just say are more, looking at this more as a profit and loss, right? They're looking at strictly the P&L, what is the shareholder value of whatever company is and whatever it is that they do. Most of the time when I get those really directed questions, I'm able to provide from some examples of, you know what? There were this case, this case and that case, here are actual FBI cases, actual cyberattacks, that there was actual P&L loss. There was such an absolute attack on both the critical infrastructure of that company, and the actual value. So there's some big examples out there. You know, Marriott SPG, from a merger acquisition. There's a number of different cases where I can actually show the loss of shareholder value and certainly the loss of P&L because of a cyberattack. When you start to have those conversations at that level, when you start to relate it to IT is not a cost center anymore. Gone are those days where you can look at IT and cyber and think that it's just a cost center. And right now, it's a business enabler. 'Cause if you don't do these things, you're not gonna be in business.

 

Christian Redshaw: Very well said. I wanna switch gears, James, a little bit over to insurance if that's okay with you and just dive into a couple of aspects there. And I think about managing cyber risk and I think about what cyber insurance does. I tend to think that not all cyber risks are insurable risks. And so for those organizations that are just looking kind of as a one-size-fits-all or insurance solves the cyber risk equation. I think of things like, your reputation or loss of customers as examples of things where, you know, the insurance is designed to make you whole until your customers come back, but it can't actually enforce that reality and make the clients or customers or business partners come back. What are your thoughts on that subject?

 

James Turgal: Yeah, so I've spoken a lot and I've written a number of articles and been interviewed a lot by the media on the whole concept of insurance and as a recovering lawyer, as I described earlier, I've had a tremendous amount of, both my legal practice experience with insurance and insurance aspects like the underwriting, all of those issues. And when you put that in the context of cyber, so cyber insurance was this novel thing, eight, nine, 10 years ago when everybody thought, "Well, you know, cyber's becoming a thing. And for those who got it, like, okay, you know, we should probably have cyber insurance." The unfortunate part is that most of the actual carriers had very little understanding of what cyber really was. They had no idea. What the really downside was, they didn't understand the threat actors, they didn't understand their motivations. And so they're writing these policies and then all of a sudden we have situations where you're actually hit by a nation-state or otherwise, and you are, you're down, right? You're down hard and it is, you know, hundreds of thousands of millions, tens of millions of dollars in actual damages. Not just your reputation, but, and it's also the piece of not just you. There may be loss of customers, but now you've gotta, now you have to talk about third parties, both upstream and downstream from your organization. Vendors, customers, clients, partners. Your impact and impact of a cyberattack on you has a ripple effect out to steps three, four, and five to these other organizations. And unfortunately, cyber insurance carriers found out very quickly, especially in the last three years, that this is not necessarily the best business proposition out there because they're losing, they're paying out tons and tons of money. So they started, in the last couple of years to really start to understand the basics. What kind of cyber hygiene does a company have?
How do you make certain that it's one of those, they're making certain that their underwriters are asking questions and verifying that you have some, you know, doing at least the basics. But now that's gotten even more complicated. Lloyd's of London came out three weeks ago, or a month ago and basically made a statement to their affiliates that, you will not underwrite any further insurance claims or pay out any claims where a nation-state is attributable as the actual, you know, victimization here. So if a company that is insured has been victimized by a nation-state actor, they're not gonna cover it. And I have a really hard time with that 'cause having worked this at the grassroots level, attribution to an actual nation-state, to an actual person behind a keyboard that's actually sitting in the politburo or you know, sitting in the SVR in Russia is really, really difficult. And sometimes it takes not just months, but it takes years to actually, attribute that to those particular nation-states. Now, yeah, there are forensics, there's a number of classified ways to do that. But those sources or methods are not gonna be utilized in a civil, commercial area in order to determine attribution. So I think there's gonna be kind of a reckoning coming with these insurance companies because you, one, they can't show that it was, or it wasn't attributed to a nation-state, and it really puts them in a quandary, but it really now hurts the insured. So the companies themselves who are trying to use insurance as that, let's buy down risk in the following areas. And that's what, from a company standpoint, that's really what this is. And cyber insurance is not the end-all be-all. And I hope that they understand that it lessens the risk in certain areas. It buys down or spreads that risk along a certain continuum, but it is, unfortunately, changing at an alarming rate, especially with what Lloyd's put out.

 

Christian Redshaw: So nation-states, if they can, it can get attribution is no longer an insured peril according to Lloyd's of London. It's kind of an interesting thing. It's way more nuanced than what I'm sure that they had originally thought. I also think too, you know, one other just kind of side note here is, if something is attested to on an insurance application, but it isn't actually a reality, then it's possible that the insurance claim, or I should say, almost certain that the insurance claim will not get paid out. So that is something to think about from the actual company, from the insured's standpoint as well.

 

James Turgal: Oh, absolutely. And you even have threat actors out there, I work cases where threat actors get the whole conversation about insurance. And they'll, as they go through your system and they go through your ecosystem and they start to dive into your files, actually looking for whether or not you are insured. I've actually had cases where they go and they find the declarations page for your cyber insurance policy, and when they send you, and when they lock down your system and execute the ransomware, they actually put the ransomware banner up there with a picture of your declarations page. That says, "Hey, we know you're insured, we know you're insured for this much, so let's just cut to the chase and pay it."

 

Christian Redshaw: Wow, very crazy. So just to wrap up then, the insurance discussion here. When I think about cyber insurance, where, in your opinion, does that fit into the picture? Because you're talking about, it's a way to buy down and spread your risks. To me, it's risk transfer. Would that be something that organizations should start with when they're managing their cyber risk or there're maybe other things that they should do before transferring the residual risk?

 

James Turgal: Yeah, no, that's a great point. The whole concept of insurance spreading risk, transferring risk. So if you're able to have a good, what I consider when I talk to boards, I balance the conversation of cyber insurance and transferring or spreading that risk with their internal response and resilience capability. So if you are an organization that actually has, you have, you know, you back up your files, you encrypt your data, both in transit and at rest, you back it up often and you back it up and then you actually save it in offline backups. You actually have sat down and mapped out where, what are those top 10 applications? Where does that data go? What is the, what are those business critical applications? So if you map that all out, it's not a question of, you know, so when you get hit, it's not a question of if, it's when, so when you get hit and when you're attacked, your response is so practiced and it's, okay, right? You get the checklist out, you know, the threat actors hit these systems and these applications are down, boom. They're, we pull those server blades, we move or recalibrate those, re-baseline those. We reload everything back on, and then you're back online. And so it's your ability to have, not only built in that muscle memory with either cyber wargaming and looking and practicing this so that it's not a crisis, right? You don't wanna learn how to build the wings on an airplane while you're trying to fly it. Same concept here with, you know, with cyber. Don't talk about, try to figure out resilience after your, after you're already attacked. So you spread that conversation out between resilience and response and then that whole conversation about how much cyber insurance you need to spread the remaining risk is a much easier conversation to have. It's a much directed conversation and certainly, a much cheaper one as well.

 

Dominic Vogel: James, I can say with 100% confidence that you're the best ex-lawyer we've ever had on the show. This has been an absolutely brilliant conversation. The insight, the stories, the narratives you shared, I mean, this is one that I think Christian and I are gonna be listening to again and again. This was an awesome conversation. Thank you so much for joining us on the Cyber Security Matters Podcast today.

 

James Turgal: Oh, it's been my pleasure, love to do it again.

 

Dominic Vogel: Absolutely, James. You're welcome back anytime. And Christian and I will be right back to wrap up today's episode.

 

Narrator: Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy, and operate complete cybersecurity programs. From strategy and managed security services, to risk, integration and technology solutions. At Optiv, we manage cyber risk, so you can secure your full potential. For more information, visit optiv.com.

 

Dominic Vogel: This week's episode of Cyber Security Matters is brought to you by TELUS Business. The 2022 TELUS Canadian Ransomware Study highlights and busts some common myths about ransomware. One of the more common myths is that robust backups are a reliable way to recover from an incident. The study data shares a different story. Threat actors are increasingly using multiple extortion with 63% of ransomware victims experiencing a multiple extortion attack. Meaning their data was encrypted, exfiltrated, and held for ransom. In this new reality, backups can only solve half the problem, restoring your systems, but that cannot help recover any exfiltrated data. So while backups can be a useful tool within your overall recovery plan, proactively investing in ransomware controls to prevent and minimize the impact of an incident is a much more effective way to manage your risk. To learn more about how ransomware is impacting organizations like yours, visit telus.com/ransomwarestudy to get your free copy today. TELUS Business, cybersecurity that works for you.

 

Dominic Vogel: That was an incredible conversation. I mean, just the stories that James shared, like the, just the visceral reactions I got to those stories were incredible. I can only imagine the countless stories he must have over the course of his career. But I'm curious to what one of your key takeaways were.

 

Christian Redshaw: Yeah, for sure. The young man with the air conditioners in Ohio and the pharmaceutical company, very cool. And I know he's got more, so we're definitely gonna do a part two there. I think what is, what I kind of, the bottom line outcome for me is that, the insurance industry is still really trying to figure out cyber insurance. They don't have all the answers, but they're starting to realize that, and they're looking for how do you actually manage and reduce risk.

 

Dominic Vogel: Absolutely and we wanna extend a special thank you to James for joining us on the podcast today. And as always, we wanted to send a special thank you to our sponsors, Optiv, and TELUS for sponsoring today's episode of the Cyber Security Matters Podcast. And to our loyal listeners and viewers, thank you for joining us each and every week. If you did happen to miss a previous episode, do check out the Cyber Security Matters YouTube page, and/or listen on your favorite podcasting platform. Until next time, be well, be safe, and we'll see you again once again on the Cyber Security Matters Podcast.