Sprinklered Buildings Still Burn

Kurtis Suhs
Founder and Managing Director, Cyber Special Ops, LLC

Mr. Suhs serves as the Founder and Managing Director for Cyber Special Ops, LLC, a cyber risk company that provides its clients with Concierge Cyber®, a revolutionary new delivery solution for cyber risk services modeled on concierge medicine.

Many insurance professionals have compared cyber insurance to employment practices liability (EPL) insurance, which took decades for organizations to adopt; however, that is where the comparison ends. Cyber insurance is more analogous to catastrophic commercial property insurance, in which state-sponsored actors and sophisticated crime syndicates target and seek to burn down your building 24 hours a day, 365 days a year.

According to FM Global, the three main reasons sprinklered buildings burn are 1) design deficiencies, 2) system impairments before a fire, and 3) system impairments during a fire. Let’s evaluate how each of these causes compares with cyber loss.

Design Deficiency

Sometimes, due to a design deficiency or system impairment, an automatic sprinkler system fails to suppress a fire sufficiently, and thus a building burns despite the system.

Water supply (fire) / Incident Response (cyber)
  Is the water source a public water supply or a fire pond?
  Is the data breach team an external third-party service provider or an internal legal and infosec team?

System design (fire) / Network Design (cyber)
  Is the system design adequate? What is the system trying to protect?
  Is the network architecture adequate? What is the system trying to protect?

Changes in occupancy (fire) / Changes in electronic assets (cyber)

The building (organization) was devastated by fire (a cyberattack). The cause of the devastation was multifaceted. The water supply (incident response plan) was limited because a single connection from the public water main (a few data breach firms) supplied the entire sprinkler system (cyber insurance market). Moreover, the water flow (insured’s cyber insurance coverage and limit) to the automatic sprinkler system (network defense) was only marginally adequate for the task. The sprinkler system (network defense) was designed for a facility (organization) that processed a specific amount and type of paper (electronic assets). The plant (organization) was changed to process a new and greater amount of hazardous coated paper (sensitive information). This change was made without reevaluating the sprinkler design (network design) or water supply (incident response plan).

The system (network) simply couldn’t generate enough water (cyber insurance) to mitigate this type of fire (cyberattack) and suppress it because it wasn’t designed for this use and didn’t have enough water (cyber insurance coverage and limit) for this type of fire (cyberattack). Furthermore, the local fire department (cyber insurer) wasn’t aware of the change in the amount and type of paper (the exposure basis) and thus didn’t know they were responding to a hazardous chemical fire (state-sponsored actor), which requires a very different firefighting response (incident response) as compared to a traditional uncoated paper fire (simple malware).

System Impairments Before a Fire

A fire that would normally be adequately controlled or suppressed completely can instead rage out of control and destroy the building.

There are three types of impairments that can occur before a fire (cyberattack):

  • renovation of the building (network)
  • inadequate maintenance of the property (network)
  • arson (state-sponsored actors and sophisticated crime syndicates)

Deliberate action by an arsonist (state-sponsored actor or sophisticated crime syndicate) can impair or disable an automatic sprinkler system (computer network) so that the arsonist’s (threat actor’s) fire-setting actions (cyberattack) will cause damage.

Arsonists (cyber attackers) learn how sprinkler systems (computer networks) work and find ways to defeat or overtax them. Limited only by their imagination, for example, they may close valves (software applications) or attempt to overtax the system (all computer servers) by setting multiple fires (cyberattacks) designed to circumvent, damage or destroy the building (organization).

System Impairments During a Fire

System impairments that occur during a fire are often the result of human actions that cause a protection breakdown.

The most common system impairment that can occur during a fire (cyberattack) is premature closure of a sprinkler system’s control valve (network defenses).

Another common system impairment is the inadequate monitoring of the sprinkler control valve (network defenses).

Call to Action:

For most businesses, the five most important categories of risk are tied to 1) theft of intellectual property, 2) business interruption, 3) theft or corruption of personally identifiable information and protected healthcare information, 4) credit and debit card data, and 5) diminished cash flow. But which of these is a priority, to what degree, and for which organizational assets?

If we really want to make cybersecurity better, we first need to ask what we need to protect within the organization. All of this is highly dependent on the business, the internal network structure, and the other security controls that are in place, premised upon the zero-trust information security model.

Organizations will never outpace the sophisticated cyber threat actor. Remember, the cyber adversary only has to be right once while your organization has to be right 100% of the time.

From Kurtis Suhs: Managing a Company’s Cyber Risk is a Team Effort

In the following guest post, Kurtis Suhs explains how general counsel is crucial in managing cyber risk before a cybersecurity breach occurs. This article was originally published in CyberInsecurity News in October 2019. Thank you to Kurt for his insight on this important topic.

The general counsel’s role in managing cyber risk should start well before a cyber incident. From projects that may range from compliance work, third-party contract reviews and vendor due diligence to employee training and tabletop exercises, in-house counsel can be prime contributors to cyber risk readiness.

As the threats of significant financial loss and reputational damage continue to grow, lawyers can help drive the process to elevate their organization’s cyber risk readiness. In the past three years, the role of in-house counsel has greatly expanded in response to increased civil litigation, regulatory scrutiny and a steady stream of new international, federal and state laws.

General counsel are often well positioned to help coordinate the efforts of their colleagues. That is because cybersecurity is not just an IT issue, but a business strategy that may create legal obligations for the organization. And no one group can build cybersecurity alone. This is definitely a team sport, and it requires a roster that is wide and deep. Let’s review some of the players.

Board of Directors

Boards of directors are ultimately liable for a company’s missteps and responsible for its survival, and in today’s interconnected world, cyber resilience is a big part of that responsibility. General counsel today are seen as trusted board advisers who wield influence over their companies’ legal and business strategy. Instead of reactively analyzing an issue from a purely legal perspective, GCs help remove obstacles and foster business objectives in a proactive manner. Meanwhile, they are expected to ensure that the organization maintains the highest standards of legal and ethical behavior, adroitly balancing the dual imperatives of company performance and corporate integrity.

The importance of the law department is reflected in the second of five principles listed below, which spell out what all corporate boards should consider as they seek to enhance their oversight of cyber risks. These appeared in the Director’s Handbook on Cyber-Risk Oversight, published by the National Association of Corporate Directors (NACD).

  • Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
  • Directors should understand the legal and regulatory implications of cyber risks as they relate to their company’s specific circumstances.
  • Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda.
  • Directors should set the expectation that management will establish an enterprise-wide risk management framework with adequate staffing and budget.
  • Board-management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach.

Outside Counsel

In-house counsel should have a relationship with a law firm that has expertise and experience with data breaches, privacy laws and regulations. One of the most difficult challenges in responding to an incident is deciding whether it triggers statutory or contractual notification obligations that involve employees, customers, vendors, insurers, regulators and law enforcement.

But just as important, outside counsel should be hired by the company that has suffered the potential attack to retain the third-party vendors it will need to work with. This helps ensure that discussions and work product are subject to attorney-client privilege. Without this attorney-client privilege, any third-party work product may be subject to discovery by the plaintiffs’ bar for use against the entity or the organization’s directors and officers.

Information Security

In conjunction with their information security teams and other personnel, the general counsel can help develop key aspects of a cybersecurity program. These should include data inventories, risk assessments, compliance strategies and incident response plan testing through tabletop exercises and breach simulations. With guidance from the information security team, in-house counsel should ensure that the written information security plan is achievable and has buy-in from all stakeholders. Furthermore, general counsel should ensure that it complies with and meets the minimum standards required by the relevant states.

Risk Management

In-house counsel should work closely with their organization’s risk management team to protect the company in the event of an attack. Insurance brokers and outside counsel should also be consulted to best match the types of coverage and policy terms that the organization needs. They can also help risk management evaluate cyber risk within each property and casualty insurance policy, examining for affirmative coverage, excluded coverage, sub-limited coverage or silent coverage (where cyber risk is neither affirmed nor excluded).

Human Resources

Given that a number of cyber incidents emerge due to the actions of an organization’s own workforce, in-house counsel can play a crucial role in managing those risks. The lawyers can assist the human resources department to ensure that an organization’s policies are not only drafted but followed, and that disciplinary measures are taken in the event of a violation. The areas covered should include cybersecurity, physical security, data security, security training and employee conduct.

Facilities Management

Physical security is a vital part of any written information security plan. Getting the right people involved will save valuable time and effort as plans and strategies are developed for new and existing resources. From the initial point of physical entry to the protection of an asset, general counsel can take an active role by offering oversight, marshaling resources and serving as an advocate for key stakeholders.

Law Enforcement

Organizations should also develop relationships with law enforcement before a cyber incident. General counsel can often serve as the initial point of contact and help agents access documents and witnesses. Time is of the essence, particularly with business email compromise through hacking and phishing attacks. If victims contact their local FBI field office within 48 hours of a loss, the FBI’s Recovery Asset Team has a 75 percent chance of recovering those funds.

The Bottom Line

Just as technology, advanced persistent threats, litigation, legislation and the regulatory landscape are rapidly changing, so is counsel’s role within the organization. By actively managing decision-making throughout the risk assessment and compliance process, counsel can help prepare their organizations to detect risk and effectively respond when threats arise.

Kurtis Suhs is the Managing Director of Cyber Special Ops, LLC, a Georgia-based company that he founded to advance cybersecurity by using specialized teams and risk management techniques to prepare for and respond to a cyber event. He has over 33 years of experience in the insurance and financial services sectors, and helped launch the first cyber insurance product in 1997.

Using the concierge medicine model, Cyber Special Ops provides guaranteed access to highly credentialed third-party providers for a modest annual membership fee.

Northwest Chapter Looks at the Latest in Cyber Security

Last Wednesday, August 21, the Northwest Chapter hosted their fifth annual Cyber Liability Symposium in Seattle, Washington. Insurance professionals gathered for a seminar on the legal landscape of cyber security and the emerging threats present in this ever-evolving sector of the industry. After the seminar, attendees continued the discussion and enjoyed networking with colleagues at a happy hour reception.

Thank you to the two co-hosts, the CPCU Society and RIMS, and to the Northwest Chapter annual sponsors for making this event possible!