Craig Peterson - Secure Your Business, Your Privacy, and Save Your Sanity
Turns out Bitcoin IS Traceable - Will You Pay By the Hour For Autonomous Driving/

Update: 2021-06-18
Description

[2021-06-19 Week #1118]

The Columbia lawsuit. This is just amazing. I've been telling businesses for a long time that insurance companies just are not paying out on many of these claims. The insurance companies come back to you after you've been hacked, or you had ransomware and you try and file a claim, and say, okay, so no problem.

[00:00:20 ] Now you met all of these qualifications, right? And they have this big checklist. Everything. And I bet you most companies, if you have not seen this list, would be totally surprised by what the insurance companies are requiring of you now. The same thing's true of home users. If you look in your home policy, homeowner's policy, you probably see something in there that says ransomware or computer failures, et cetera.

[00:00:53 ] And they will cover, dependent on your policy, some amount of money. Maybe it's 10 grand, five grand, could be a lot of different things, and it's not terribly expensive. Now you got to ask yourself, why is it so cheap, particularly when there are so many viruses, ransomware, Trojans, phishing, all of these things out there in the wild.

[00:01:15 ] And from a business standpoint, it costs a lot more. I know my business is paying a lot of money for the insurance. But we go through in detail, everything that's right there in the policy. And we even ask for a list of everything kind of separate list, so that we know what exactly they want. So we've got to check the list and I can send it to, if you want, just go ahead and email me.

[00:01:40 ] So if you have a hack, if you have ransomware and you have insurance, you're probably going to file against the insurance, right? Because looking at all of these numbers, a medium, a small, medium business is going to be out of pocket about one and a half million dollars. And that's if they're not paying the ransom. It's really expensive, it's difficult.

[00:02:04 ] And if you're a home user, oh my, you are, will never get your information back. You have maybe a 50% chance if you pay the ransom of getting your stuff back. Think about all the photos you have on your hard disk, all of the letters, all of the emails. Same trick for business and to business. It's not just all of the emails, it's your contracts, it's your plans, your intellectual property, everything that you can think of that's out there.

[00:02:33 ] Getting it back. So this is interesting when we look at this company. It's called Cottage Healthcare Systems. They filed a claim of more than $4 million against a breach. Now that is a fair amount of money, but it is not unreasonable for a medium-sized company. The SBA, the Small Business Administration, says that if you're under 10 million in revenue, then you are a small business, under 200 employees, right?

[00:03:05 ] It has those levels. So think of it that way, right? A small business is not necessarily just some home users. You can have some serious money involved in a small business. So they had claimed here, this again, Cottage Healthcare Systems, that they had been just totally protected. At least not from the cybersecurity standpoint, but from the insurance standpoint.

[00:03:32 ] And for years, software vendors have assumed that they can take that security risk and push it on to their customers. We're seeing this a lot in the medical business with doctors' offices. They've got these HIPAA regulations and they've got all kinds of private information. Plus they have payment card industry regulations that they have to fall under, or agreement, because they have credit card and other billing information.

[00:04:00 ] And of course the billing information that's going to the insurance company has to be protected as well. And these doctors' offices are making a very bad assumption that somehow they don't have to worry about it. And the reason they don't have to worry about it is, it's quite simple, because I'm using a cloud service.

[00:04:20 ] Have you heard that before? Do you know anybody that said that? So I'm using the cloud thing now. Yeah. Yeah. I'm using Salesforce.com for a regular business for your customer relationship management, or all of these patient management systems that are out there. Now there's some, I'm just shocked that.

[00:04:37 ] Won't charge the doctor's office anything. And yet they'll keep all of the client records for the doctor and supposedly keep it safe. Maybe they will, maybe they won't. And then also on top of all of that, they'll do the billing, and that's how they make their money, because they shave a percentage off of every bill that they issue to the health insurance carriers.

[00:05:03 ] So these doctors are sitting there saying, I'm using these online services. I've got Microsoft Office email. I've got whatever it might be. Google has of course their professional emails too. And when those guys get hacked, I'm fine, because they had my data. Reality is no, that is absolutely not true.

[00:05:26 ] And we've seen software companies ship products. We've seen these cloud services deliver services with known vulnerabilities and expect the customer using the service or using the software to absorb all of the risk. And then the vendor of the services or software is protected from loss by its insurer.

[00:05:50 ] So this is called shifting risk, and the software companies can delay fixing vulnerabilities in their code and maintain their release schedules because they're sitting there pretty, thinking, oh, I'm fine. There's no problem here. I got my insurance and it's fine that the customer, that shrink wrap agreement, or maybe even it's a contract that was signed, which is more true for doctors' offices and regular businesses.

[00:06:16 ] Says that the doctor's office has a liability. I'm afraid to have to inform everybody here that you cannot shift that liability. The insurance company is not on the hook for covering the damage. And this is a very big deal. And what I'm talking about is this insurance company called Columbia Casualty. They're a division of this industry giant called CNA, which is of course in the insurance business.

[00:06:47 ] Oh, that's what they do. So they had paid out this four mil, more than four million dollar claim, and their suit that was filed by the insurance company against Cottage Healthcare Systems said that they hadn't kept their security controls up to date. And when a breach occurred, they tried to put the insurance company on the hook to cover all of the damages.

[00:07:15 ] I've got a copy up on my screen right now from healthitsecurity.com talking about this. This is a, an older article, it's in 2015, but even then we knew that you cannot fall back on your insurance. And that's why, again, that's why the rates are so cheap, right? They're just not paying out. So the suit is still underway and it's something we've got to pay close attention to, because the court case documents are saying that Columbia, quote, seeks declaration, that it has no duty to defend our identity and indemnify Cottage in the underlying action.

[00:07:55 ] Or the Department of Justice proceedings. Yeah. Okay. Yeah. The DOJ's in on this as well. So they had to end their practice of what they were doing and frankly, keeping systems up to date, having the minimum required practices, including, yep, replacing just basic stuff. Default settings in their IT environment, checking for vendor supplied security patches, implementing the patches within 30 days, something reasonable.

[00:08:25 ] Most of us delay putting patches in place for at least a week. You guys, you're the best and brightest. If you put a patch in that just came out, it might make things a little unstable, right? So a lot of us wait for, I think, good reason, frankly. So the bottom line is this is again, over the course of seven years here, insurers understand that not all breaches are inevitable.

[00:08:52 ] And that the companies here, the healthcare companies, the software vendors, the cloud vendors have to do more to protect their clients. But from what I'm seeing, it just is not happening. It's not happening at all. We are getting people who are looking at an equation differently than you or I do. Look at what happened with the Colonial Pipeline.

[00:09:17 ] What do you think was happening in the board of directors meetings before the security breach? The same thing with TJX, same thing with Home Depot, same thing with that, that meat packer, all of these guys. What do you think they were saying? They were saying, okay, Mr. IT director, how much is it going to cost us to have good cyber security?

[00:09:37 ] And the IT director is going to say, okay, we need some really great hardware. We need also software. We need it on all of the workstations. We need smart switches so we can trace things when they're inside the network. We need 24 hour manned security operation center with at least one person.

[00:09:57 ] So that means four people, right? Because three people, plus people have to have vacations people go on training. I know my people spend at least a quarter of their time in training. Let me see that, over the course of a year, it's probably going to be five to $10 million minimum. And so the board of directors says five to 10 million.

[00:10:17 ] Oh, okay. How much is it going to cost us? We get breached, oh, maybe 5 million. Forget it then, we're not going to secure our systems. And I'm not saying that this is the conversation Colonial had. I'm saying this is the type of conversations businesses are having and they should not be having, because frankly.

[00:10:37 ] It is not only illegal because you are supporting terrorists by paying these ransoms, but you're hurting yourself and your customers stick around.

[00:10:48 ] Craig Peterson: Tesla has a number of cars out. And these things I think are just totally coo


Craig Peterson