By: Paul Ferrillo and Chris Veltsos
Yes, you are probably thinking that it is very presumptuous of us to put cyber security risk and bankruptcy risk in the same caption — let alone in the same article. A few years ago, you might have been right. Even two years ago you might have been right. But as things always seem to change in cybersecurity, our world changed again last week. And forward-thinking boards should be thinking, “here we go again.”
The bankruptcy of the parent company of a large New York-based medical biller that suffered a severe cybersecurity breach (not found until March of 2019 — 8 months after it might first have begun), resulting in the loss of millions of pieces of PII, should be seen as an eye opener not only for boards of directors, but for insurance brokers and carriers alike. There always was a connection between D&O insurance and cybersecurity. Now that connection has been definitively proven. The “worlds” have now definitively collided. There is no turning back. Here are some thoughts about what’s next.
The Post-Breach Bankruptcy of Retrieval-Masters Creditors Bureau
As recently noted by blogger Brian Krebs, “The [bankruptcy] filing… comes from the Retrieval-Masters Creditors Bureau (RMCB), the parent company of the American Medical Collection Agency (AMCA). Earlier this month, medical testing firm Quest Diagnostics said a breach at the AMCA between Aug. 1, 2018 and March 30, 2019 led to the theft of personal and medical information on 11.9 million patients” (see Collections Firm Behind LabCorp, Quest Breaches Files for Bankruptcy). From start to finish, the process here was quick. Brian first reported the breach on June 4, 2019 (a few days after Bloomberg). The bankruptcy filing of RMCB was on or about June 17, 2019, less than two weeks later. How did this happen so quickly?
- Major clients of AMCA terminated their relationship with the firm;
- Data breach cleanup costs were extensive;
- We assume regulators (federal and state) were all over the company from moment one;
- Class action lawsuits were immediately filed not only against AMCA, but also against others that used AMCA for collection matters (e.g. Quest and LabCorp).
The final point is probably the easiest to say but the hardest to quantify:
- AMCA’s customers appear to have lost faith and trust in the company.
Like the case of the major credit rating agency that got hacked in the summer of 2017, we think that the demise of AMCA and the regulatory actions and litigation to follow will be a long, drawn-out, ugly process, with the patients who had their information stolen caught in the middle of a process that might ultimately find their privacy claims to be unsecured in the bankruptcy. Not a great ending for them. A crash-and-burn ending for AMCA and its parent.
The Implications of the Bankruptcy to Directors, Officers and Insurers
With the recent May 17, 2019 downgrade of the big credit rating agency’s rating outlook because of the massive size of its cyberattack (see In a first, Moody’s downgrades Equifax’s rating outlook due to cyberattack), it was pretty clear that the world had changed, as there had never before been such an occurrence. But for that billion-dollar company, long-term viability is probably assured barring unforeseen circumstances, despite the higher interest costs it will likely incur in the forthcoming years.
But not all companies are billion-dollar companies, and not all of them can afford the massive financial consequences that we are seeing today, especially if they did not buy buckets of liability insurance to cover them. Apparently, this was the case for the parent of AMCA. Of course, many will ask, “could this breach have been prevented?” and “what could AMCA have done differently?” These are good and healthy questions that should be asked, and probably will be asked and answered down the road.
But there is no “down the road” for many directors as they are faced with similar cybersecurity and data protection problems — today. Here are some questions and issues that should be given serious consideration by directors and officers as well as D&O and cyber risk insurers:
Key Questions for Directors and Officers
- Am I hearing my advisors correctly on “cyber risk?” This is the most important question. Are you, the director, getting an unvarnished and unfiltered view of the cyber risk facing your organization? An unvarnished view of the company’s risks (both internal and external) and cyber vulnerabilities? Of its resources and staffing? If the answer to these questions is “maybe” or “I don’t know” then ask yourself, “how can I fulfill my fiduciary oversight role over cyber risk without the full answers to these questions?” The answer is, “you probably can’t.”
- How am I protecting my “Crown Jewels” today? This is a basic question that our favorite framework, the NIST Cybersecurity Framework, asks you right off the bat. Ask this question of your CISO and his or her IT staff. If the answer is vague or ill-constructed, ask the question again. If they say, “we have the best firewalls in the world,” then please see bullet point one, above. That would not be a good answer if that’s the only way critical data is protected. How do we know that the controls around the Crown Jewels are effective? How frequently does the company test that theory?
- Am I patching critical vulnerabilities on a timely basis? We learned after Petya/NotPetya in 2017 that many companies still ran ancient versions of Windows. While this might be okay for a company that makes calendars with funny dogs on each month, it is not a great idea for a data-dependent company. Old architectures and old operating systems can mean unpatched vulnerabilities that are easily exploitable. The presence of unpatched vulnerabilities is often one of the root causes of a severe data breach.
- Should I be considering encryption or micro-tokenization? Should I be requiring these solutions of my vendors? The answer is that if you have sensitive PII, PHI, or other sensitive, regulated data, then yes, you should consider encryption and micro-tokenization. Why? If it is valuable, then someone will try to steal it. And if they steal it and it’s not encrypted or tokenized, you will potentially be in for a world of hurt (e.g. AMCA).
- Do I have the right resources to quickly find and deal with anomalous activity in my network? Do I have enough staff in an era where no one can hire enough talented cybersecurity professionals? Do I have an up-to-date architecture and operating system? Do I have machine-learning-based anomaly detection? These are all good questions. Do you have answers?
- Do I, or can I, trust the cybersecurity of the vendors that process my information (e.g. AMCA)? Another great question that should be asked by directors. What sort of vendor due diligence program does the company have? How frequently is the data security of the company’s vendors tested? Annually? Twice a year? Does the company have a vendor due diligence program at all? If the answer is “no,” “I don’t know,” or “maybe,” see bullet point one.
- When was the last time the company practiced its incident response and crisis communications plan? These should be practiced twice a year at least (more is better). Your crisis communications plan should be able to help you deal with a big problem like the ones that have made a splash on the news.
- Do I have enough D&O and cybersecurity insurance in the event my company suffers a big attack (like that suffered by AMCA)? The answer here is, “probably not.” Cyber breaches can be fantastically expensive. Costs can approach the tens if not hundreds of millions. Get as much insurance as you can afford, from carriers that will pay your claim.
Key Questions for D&O and Cybersecurity Insurers
- Am I considering all the factors I need to when underwriting companies like AMCA? There are lots of business judgment questions here, and lots and lots of underwriting questions. Can you underwrite solely off a written application? Or do you also review the technical security posture of the insured? Does the insured also have a sound approach to the people- and process-based aspects of cybersecurity? The more due diligence here the better. The more visibility here the better.
- When it comes to architecture, how old is “too old?” If the network architecture is as old as your family dog, then it is probably too old to be effective in today’s environment.
- How long should insureds take to patch critical vulnerabilities? For critical CVEs it should take no more than two weeks. Two months? No. Two years? Never.
- Should you write both the insured’s cybersecurity insurance AND its directors’ and officers’ liability insurance? Probably the best question of all of these. The answer is “it depends” on the risk you assess and the premiums that you get.
The purpose of our article here is to outline how, in a case like AMCA, the distinctions between cyber risk and cyber claims on the one hand, and D&O risk and D&O claims on the other, have become very blurry. In the case of AMCA, they are probably the same. How can you combat this conundrum? Be prepared. Use peacetime wisely. Ask a lot of questions. And if necessary, employ experts who can help you get the right answers to the more troublesome questions regarding cyber risk. You cannot help yourself if you don’t understand the company’s cyber risk. And the first step in understanding is to ask lots of tough questions.
Paul Ferrillo is a shareholder in the Greenberg Traurig law firm’s Cybersecurity, Privacy, and Crisis Management Practice. Chris Veltsos is a professor in the Department of Computer Information Science at Minnesota State University, Mankato where he regularly teaches Information Security and Information Warfare classes.