This week’s podcast episode featured Founding Partner and Managing Member of Mullen Coughlin, Jennifer Coughlin. This firm is unique as it is “solely dedicated to counseling organizations regarding data privacy.” Mullen Coughlin provides three types of services: advisory compliance counsel, incident response services, and defense services. Jennifer has seen the advisory compliance counsel services booming recently. This includes risk assessments, incident response plan creation, and vendor management programs. Cowbell can also help support these efforts, through our dedicated Risk Engineering team and the risk engineering services they provide.
Jennifer has her finger on the pulse of how cyber claims have evolved over the past few years. She also draws a useful distinction between first- and third-party claims: first-party claims involve an organization’s investigation of and response to a potential data privacy event, with no claim or lawsuit attached. Third-party claims, by contrast, involve the defense against claims (i.e., claims coming in from outside regulators and/or individuals).
When it comes to first-party claims, bad actors are always financially motivated. Organizations are being attacked more frequently, and as a result, there are more laws mandating that these organizations take certain steps and file certain reports if an incident occurs. Looking at specific types of attacks, Jennifer says, “over the past few years, ransomware has really been the attack du jour. We see the bad actors becoming more sophisticated in their attacks and ransomware became an effective tool for the threat actors to utilize to cripple organizations and put pressure on them to pay a ransom instead of trying to restore from backups.” Although ransomware surged recently, in 2022 specifically, Business Email Compromise was the most common type of attack, ahead of ransomware.
On the other hand, third-party vendor events are increasing in volume, according to Jennifer. The Microsoft Exchange hack is a prime example of this. In 2022, the number of incident response matters is not as high as it has been over the last few years. Jennifer attributes this to organizations being better prepared and having cyber insurance policies. She highlights the evolution of cyber underwriting, which imposes more requirements on organizations seeking cyber insurance coverage. In other words, organizations are motivated to get this coverage, so they are motivated to check all the security boxes. Another example of how cyber underwriting has evolved can be seen in Cowbell’s continuous underwriting approach. At the same time, law enforcement and government have become more inclined to extradite bad actors and assist organizations in checking these security boxes because it is in the interest of the U.S. to better combat cybercrime. When it comes to third-party claims, regulators are more active, more agencies are launching investigations, and litigation is on the rise. As a result, there is an uptick in third-party claims.
We asked Jennifer whether certain industry sectors are more at risk of cyber events than others: “Yes and no. The honest answer is that all industry sectors are at risk of data privacy events.” Though not all organizations necessarily have access to Personally Identifiable Information like Social Security numbers, business interruption of any kind can be time-consuming and costly. “Cyber crime is a crime of opportunity, where if you have a vulnerability and that vulnerability is detected, the chances are a threat actor is going to try to weaponize that vulnerability to get access to your systems and see what they can do, see what kind of harm they can do.”
Jennifer offers several suggestions that organizations can implement to reduce their risk:
- Purchase cyber insurance. This shifts the risk and provides you with resources and 24/7/365 support.
- Back up your data. Jennifer recommends the “3-2-1 approach”: 3 locations, 2 copies, 1 of which is offline.
- Identify what and where your crown jewels (i.e., most sensitive data) are.
- Deploy Endpoint Detection and Response (EDR).
- Adopt MFA.
- Develop and test an Incident Response Plan (IRP). Equally important is printing your IRP so it is accessible even if your network is unavailable.
- Conduct tabletop exercises and identify areas of improvement in the form of lessons learned.
- Understand applicable legal and regulatory frameworks.
In conclusion, if you are a policyholder, talk to your agent. And if you are an agent, talk to Cowbell to understand what is expected of you under your insurance policy. Jennifer underscores the importance of communication with Cowbell to be prepared and fully understand the process and regulatory/legal frameworks, especially as it relates to third-party claims.
To hear the full conversation with Jennifer, listen to the podcast episode.