Sprinklered Buildings Still Burn

Kurtis Suhs
Founder and Managing Director, Cyber Special Ops, LLC

Mr. Suhs serves as the Founder and Managing Director for Cyber Special Ops, LLC,  a cyber risk company that provides its clients with Concierge Cyber®, a revolutionary new delivery solution for cyber risk services modeled on concierge medicine.

Many insurance professionals have compared cyber insurance to employment practices liability (EPL) insurance which took decades for organizations to adopt; however that is where the comparison ends. Cyber insurance is more analogous to catastrophic commercial property insurance, in which state-sponsored actors and sophisticated crime syndicates target and seek to burn down your building 24/7/365 days per year.

According to FM Global, the three main reasons sprinklered buildings burn are 1) design deficiencies, 2) system impairments before a fire, and 3) system impairments during a fire.  Let’s evaluate how each of these causes compare with cyber loss.

Design Deficiency

Sometimes due to design deficiency or system impairment, an automated  sprinkler system fails to suppress a fire sufficiently and thus a building burns despite the system.

Water supply
Is the water source
—a public water supply?
—a fire pond?

Incident Response
Is the data breach team
—an external third-party service provider?
—an internal legal and infosec team?

System design
Is the system design adequate?
What is the system trying to protect?

Network Design
Is the network architecture adequate?
What is the system trying to protect?

Changes in occupancy

Changes in electronic assets                               

The building (organization) was devastated by fire (a cyberattack). The cause of the devastation was multifaced. The water supply (incident response plan) was limited because a single connection from the public water main (a few data breach firms) supplied the entire sprinkler system (cyber insurance market). However, the water supply (incident response plan) was limited and the water flow (insured’s cyber insurance coverage and limit) to the automatic sprinklered system (network defense) was marginally adequate for the task. The sprinkler system (network defense) was designed for a facility (organization) that processed a specific amount and type of paper (electronic assets). The plant (organization) was changed to process a new and greater amount of  hazardous coated paper (sensitive information). This change was made without reevaluating the sprinkler design (network design) or water supply (incident response plan).

The system (network) simply couldn’t generate enough water (cyber insurance) to mitigate this type of fire (cyberattack) and suppress it because it wasn’t designed for this use and didn’t have enough water (cyber insurance coverage and limit) for this type of fire (cyberattack). Furthermore, the local fire department (cyber insurer) wasn’t aware of the change in the amount and type of paper (the exposure basis) and thus didn’t know they were responding to a hazardous chemical fire (state-sponsored actor), which requires a very different firefighting response (incident response) as compared to a traditional uncoated paper fire (simple malware).

System Impairments Before a Fire

A fire that would normally be adequately controlled or suppressed completely can instead rage out of control and destroy the building.

There are three type of impairments that can occur before a fire (cyberattack) as follows:

  • renovation of building (network)
  • inadequate maintenance of property (network)
  • arson (state-sponsored actors and sophisticated crime syndicates).

Deliberate action by an arsonist (state-sponsored actor or sophisticated crime syndicate) can impair or disable an automatic sprinkler system (computer network) so the arsonist’s (threat actor) fire setting (cyberattack) actions will cause damage.

Arsonists (cyber attackers) learn how sprinkler systems (computer networks) work and find ways to defeat or overtax them. Limited only by their imagination, for example, they may close valves (software applications) or attempt to overtax the system (all computer servers) by setting multiple fires (cyberattacks) designed to circumvent, damage or destroy the building (organization).

System Impairments During a Fire

System impairments that can occur during a fire are often the result of human action that cause a protection breakdown.

The most common system impairment that can occur during a fire (cyberattack) is premature closure of a sprinkler system’s control valve (network defenses).

Another common system impairment is the inadequate monitoring of the sprinkler control valve (network defenses).

Call to Action:

For most businesses, the five most important categories of risk are tied to 1) theft of intellectual property, 2) business interruption, 3) theft or corruption of personally identifiable information, protected healthcare information, 4) credit and debit card data and 5) diminished cash flow. But which of these is a priority, to what degree, and for which organization assets?

If we really want to make cybersecurity better, we first need to ask what do we need to protect within the organization? All of this is highly dependent on the business, the internal network structure, and the other security controls that are in place premised upon the zero-trust information security model.

Organizations will never outpace the sophisticated cyber threat actor. Remember, the cyber adversary only has to be right once while your organization has to be right 100% of the time.

Cyber Perspectives on Coronavirus: Part 2

The second installment of Cyber Perspectives on Coronavirus focuses on the risks associated with the increase in the remote workforce and the role that HR can play in a company’s cyber risk culture. View the white paper written by one of the speakers, Tom Finan, here.

Listen here to the Cyber Perspectives on Coronavirus: Part 2 discussion:

Speakers:

Gail ArkinGail Arkin, SVP, General Counsel at Berkley Cyber Risk Solutions

Gail Arkin is the General Counsel of Berkley Cyber Risk Solutions, located in  Morristown, NJ.  Her responsibilities include the development of cyber insurance products and managing all regulatory, compliance, distribution and corporate legal matters. Gail has over 20 years of insurance experience, including over 15 years developing cyber products, and previously held the positions of senior vice president & general counsel for a financial lines division, general counsel for a wholesale and retail division, and a claims officer for professional and management liability lines of insurance.

T FinanTom Finan, Cyber Growth Leader at Willis Towers Watson

Tom Finan is a Cyber Growth Leader within Willis Towers Watson’s FINEX Cyber/E&O Practice.  In this role, Tom advances the company’s integrated approach to cybersecurity across all aspects of people, capital, and technology risk.  Tom previously worked as the Chief Strategy Officer of Ark Network Security Solutions.  He also served as Senior Cybersecurity Strategist and Counsel with the Department of Homeland Security’s National Protection and Programs Directorate.  While at DHS, Tom established and led the agency’s cybersecurity insurance initiative in support of implementation of Executive Order 13636, “Improving Critical Infrastructure Cybersecurity.”  To advance that effort, he created DHS’ Cyber Incident Data and Analysis Working Group (CIDAWG), a private-public engagement forum that examined how a cyber incident data repository could help meet the information and analysis requirements of the insurance industry and technical cybersecurity professionals.  Tom previously served as the Staff Director and Counsel for the Subcommittee on Intelligence, Information Sharing and Terrorism Risk Assessment with the U.S. House Committee on Homeland Security.

James-J-GiszczakJames Giszczak, Member at McDonald Hopkins

James is a member at the law McDonald Hopkins. He is chair of the litigation department and  co-chair of the data privacy and cybersecurity practice group. He advises clients regarding data security measures and responding to security breaches involving sensitive personal information and protected health information. He works with clients in a myriad of industries to assess and implement appropriate data security safeguards. Jim also litigates matters involving data security and data privacy, including defending single plaintiff and class action lawsuits.

Cyber University and More: PLUS’s Virtual Education

Successful Turnout at PLUS 2020 Cyber University

Last week, over 100 PLUS members attended PLUS’s virtual Cyber University. While this event has been held in-person in previous years, this year’s Cyber University was part of PLUS’s 2020 plan to provide virtual education to broader audience. Attendance for Cyber U doubled this year, and the staff at PLUS is proud to provide quality education in virtual space, especially in light of current circumstances.

This is the third year of PLUS Cyber University and registrants attended six live sessions over three days.  “The program content is incredibly strong, so the focus was on how to take an in-person event and continue to make it meaningful as a virtual one,” said Megan Moore, Director of Education and Professional Development at PLUS. Topics included: legal foundations, evolution of cyber coverage, interplay among lines, underwriting, breach responses, 1st and 3rd party claims, risk management, and breach scenarios. Moore added, “As we transfer this program to virtual, we made sure to include opportunities for attendees to reflect on what they’ve learned and apply it to their own experience as well as connect with each other outside of the session.”

Continuing to Provide Remote Education

PLUS is continuing to expand its virtual education offerings for all members. In May alone there are three top-notch webinars on a variety of professional liability topics, from the Sciabacucchi court case decision, to resolving D&O disputes virtually, to social distancing and telehealth.  Additionally, on-demand presentations from the virtual Healthcare and Medical Professional Liability Symposium are available to view, as well as Online eLearning modules for the RPLU program available to purchase. You can work through module content at your own pace, and even complete the exam entirely online!

“Over the last few years, we have been ramping up our ability to provide online and virtual education,” said Robbie Thompson, CEO of PLUS. “While PLUS will always offer outstanding in-person networking and education events, we knew that focusing on other ways members can also get professional development was critical to PLUS continuing to serve the professional liability industry.” From webinars, to the RPLU online eLearning modules, to webinar, to in-person events moved to virtual like Cyber University, PLUS is working to make education accessible no matter the circumstances.

PLUS Membership for the Win

Membership is an important aspect of PLUS, and PLUS staff has been working tirelessly (and remotely!) to provide new ways to engage members virtually.  If you are a PLUS member, you can register for any or all of the May webinars for free! If you aren’t a member yet, become one now to register for webinars, gain access to an archive of PLUS virtual education, and more. Check out previous posts on this blog to listen to PLUS’s PL Perspectives on Coronavirus podcast, and stay tuned for even more distance education offerings in the future.