ISMG Editors: The Shifting Cyber Insurance Landscape
Also: Global Privacy Trends; Tornado Cash Founders Charged
Anna Delaney (annamadeline) • August 25, 2023
In the latest weekly update, four editors at Information Security Media Group discuss the shifting dynamics of cyber insurance, how APAC is approaching privacy regulations around emerging technologies, and how U.S. authorities charged the co-founders of cryptocurrency mixer Tornado Cash with money laundering.
The panelists - Anna Delaney, director, productions; Suparna Goswami, associate editor, ISMG Asia; Rashmi Ramesh, assistant editor, global news desk; and Tom Field, senior vice president, editorial - discuss:
- Highlights from a conversation with CISO Erik Decker of Intermountain Healthcare at BlackHat 2023 on cyber insurance renewal strategies;
- How the privacy landscape in APAC compares with those in the E.U. and U.S.;
- How U.S. authorities unveiled charges this week against a Russian national and a Washington state man for creating, operating and promoting now-sanctioned cryptomixer Tornado Cash, which they say helped threat actors such as the Lazarus Group launder more than $1 billion.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the Aug. 11 edition on the White House's drive to secure code with AI and the Aug. 18 edition on lessons learned from the Lapsus$ crime group.
Anna Delaney: Hello and welcome to the ISMG Editors' Panel. I'm Anna Delaney, and this is our weekly editorial take on ISMG's top cybersecurity news and interviews. I'm very pleased to be joined by Tom Field, senior vice president of Editorial; Suparna Goswami, associate editor at ISMG Asia; and Rashmi Ramesh, assistant editor, the global news desk. Good to see you all.
Tom Field: Nice to be seen.
Suparna Goswami: Yes. Always a pleasure.
Delaney: So, Suparna, big news this week.
Goswami: Yes, big news! Throughout India, everybody saw that. So India's space agency, ISRO, successfully landed Chandrayaan-3, which is the mission's name, the lander module, on the moon's south polar region. So what makes it special is that India is the first country to land on the moon's South Pole. No other country has been able to do that so far. We even broadcast this event at our recent summit. I thought this was apt for this week.
Delaney: The whole world is watching as well. So great news. And Rashmi, I think you're in the woods?
Rashmi Ramesh: It is a banyan tree that's about 400 years old and spread across three acres of land. And this is in Bangalore.
Delaney: You always keep us guessing, don't you?
Ramesh: From the woods.
Goswami: I don't know where she gets to see such lovely places in Bangalore. I need to go with you and explore Bangalore.
Ramesh: It's closer to where you live than where I live.
Delaney: Well, Tom, it's looking rocky out there. Tell us more.
Field: I was at the South Pole of the moon. I got there first. No, I was traveling with my family a couple of weeks ago. We visited an Indian casino in the state of Connecticut. This is the Mohegan Sun. You can appreciate this, Anna. You get out somewhere, you're doing something different, you sit down for a moment, you look around, you say, hey, that's a virtual background for my next Editors' Panel. That was the situation.
Delaney: That's exactly what I did last week. So I was in East Sussex in the U.K. for a few days. And this is called the Mermaid Inn, in the ancient town of Rye. It's one of England's oldest inns, originating from 1156. And this particular street and its surrounding streets are quintessentially very English, cobbled picturesque roads, and you feel like you're on a film set.
Field: Awesome, it is beautiful.
Delaney: Yes, it is. Well, going to another film set. Now, I know, Tom, you were in Las Vegas the week before with Erik Decker of Intermountain Healthcare at the Black Hat conference. And you were talking about cyber insurance renewal strategy. So tell us more. How are the dynamics shifting in the cyber insurance space?
Field: This is a topic we've followed for years now, since the advent of cyber insurance. In the past few years, the storyline has been how expensive it's become to renew. You're talking about 100% to 300% increases sometimes in how much you pay your underwriters, and how hard it can be to acquire cyber insurance. Erik Decker, the VP and the CISO of Intermountain Healthcare, was telling me that he's seeing questionnaires of up to 500 questions to be filled out to be able to acquire or reacquire cyber insurance. It has become increasingly difficult. Now, why has it? Because there have been so many incidents and insurance companies have had to pay out. And insurance companies don't have the history with incidents like they do with your home, auto and business. Cyber insurance is new to everybody. And everybody's trying to figure it out. He was at Black Hat specifically talking about what you have to do to qualify to reacquire cyber insurance, and how you can get the best potential value. One of the points we discussed was, what are the five critical controls you need to have and demonstrate to be able to qualify for cyber insurance? I want to share a short excerpt of our discussion where he talks about exactly what those five controls are.
Erik Decker: Yeah, so this is based on Marsh. Marsh is one of the biggest brokers in cyber insurance. And they have produced a bunch of very specific requirements on this. So having endpoint detection and response capabilities in place that are monitored 24/7; multifactor authentication on everything that's accessible from the internet, especially your remote access tools, your VPNs and such; backups that are tested and validated with tabletop exercises; having privileged account management over your most sensitive accounts, like your domain admin accounts and such. And then the last one was email protection and web filtering protection. Those are the basic things. If you don't have them, you might not be getting insured.
Field: Those are the basic things. You don't have them, you don't get cyber insurance. It seems easy, but there are so many organizations that struggle just to have those basics covered.
Delaney: And, Tom, do you get a sense from Erik or other security leaders that you speak with around how well-prepared companies are when it comes to understanding the terms and conditions of the cyber insurance policies?
Field: Well, no, because they're shifting as rapidly as the regulatory environment beneath them. It's a moving target. And yet, you can't not have cyber insurance for that major incident. And when the incident does occur, the cyber insurer is the one calling the shots in terms of who you use for remediation, who you use for your immediate breach response, and who are the subcontractors you bring in. We have the privilege, I guess you could say, of watching this industry come together. But as we watch, it's not necessarily a pretty scene.
Delaney: Suparna, I know that you were part of the team that hosted the ISMG Summit in Delhi this week. How do conversations around cyber insurance compare there?
Goswami: Although there was no exclusive session on this particular topic, the topic did come up. In the session where ransomware was discussed, cyber insurance did come up, along with how companies are adapting to it. But the hard fact and truth is that most of the companies, the panelists said, do not understand the nuances of it. Even insurers are selling because there is a lack of understanding of the market. So they are just selling it. But because it's so expensive, not many companies are able to afford it. The bigger ones are going for it. But again, the finer nuances, none of them are able to understand or comprehend completely. But what was accepted was that cyber insurance, to a large extent, goes a long way in tightening the security controls of the organization. But again, the argument was that if the bigger companies are going for cyber insurance, they would anyway be having those basic security controls in place. But yes, they will make that extra effort to put those in place. But not the medium and small companies. They are nowhere there.
Delaney: Thank you, Tom. Suparna, you recently conducted a panel discussion comparing the privacy landscape in APAC to other regions such as the EU and the U.S. What did you learn?
Goswami: I did a panel with panelists from Indonesia and Singapore. The panel included DPOs, CISOs and legal experts. I was very curious because there is so much talk happening around privacy in APAC these days. So I thought, why not ask them about their approach toward privacy, and whether it is different or not. So as you know, in the EU, privacy has always been a fundamental right. In fact, some of the first laws that came around data privacy date back to 1914. So, people understand the context of privacy. Individuals treat the privacy of others with the same respect they desire for their own privacy. On the other hand, privacy is a very new concept in APAC. Because it's a new concept, it is more inclined toward the security side of things. You ask any CISO and he will say that if he has to choose between security of data and users' rights, they will always choose security of data. And talking about security, they'll say, fine, if the data is secured, you are taking care of privacy. But nobody talks about the rights of individuals; that, unfortunately, is missing. And I find that true for India as well. None of them speak about individual rights. Now, that was the EU. I asked them about the privacy culture in the U.S. Now the panelists felt that in the U.S., the right of privacy tends to get associated with commerce. So they say that cases are usually being filed at individual levels by people. People probably will sue companies, but not at a larger government level. You can see that because privacy is managed by the Federal Trade Commission. That is to say, there is no proper or exclusive data protection authority like we have in the EU. Even in APAC, most of the countries are planning to have one now. But the U.S. doesn't have that. And so I asked them about the other differences. Other differences of course lie in how legislation is structured. So in the EU, as we all know, it is entirely governed by GDPR, whereas in APAC, it is pretty fragmented. So each country has its own legislation.
Culturally also, in APAC, each country differs a lot. So if you compare China's privacy law with that of India, despite India and China being neighbors, there's a huge difference. So it's a difference in cultural terms also. There's a huge difference in the two laws. And this also creates, unfortunately, a lot of problems for your CIOs, CISOs or DPOs, because most businesses work in multiple jurisdictions these days. So keeping up with all policies in the region can get tough. And since APAC is probably the hub for BPO companies, you will have companies here following GDPR, you will have companies here following probably the CCPA. There are sectoral laws, and there are individual laws and privacy laws of each country. So it creates a huge problem. So I asked one of the CISOs, what do you do to manage this? He shared that he probably would follow the strictest law that is there in this region. So in APAC, it would probably be South Korea or China. So if a business can comply with the strictest law, then it has just to take into account the minor differences between other jurisdictional requirements. But yes, he probably would follow the law that is there in South Korea or China, at least for APAC, and then he would know that, more or less, that takes care of the laws in the other regions.
Delaney: So how are these regions thinking about regulations around emerging technologies, you've got AI, biometrics, IoT? Are there stark differences in how APAC is approaching these compared to the U.S. and EU?
Goswami: In APAC, it's in the last three or four years that privacy discussions have gained significant momentum. There are talks around regulations around, say, IoT and AI, but most of the governments here have taken a lighter approach. So Singapore, which you would probably expect to have the most mature privacy law in APAC, has taken the light approach, as it does not want to stifle innovation. India, I know, has opted out of regulating AI. The government has said we are not going to regulate AI, let the industry flourish. But China has taken a tough stand. China has published new rules for generative artificial intelligence, and has become one of the first countries in the world to regulate the technology that powers popular services like ChatGPT.
Field: The leadership is going to come from Asia and from Europe on this, Suparna. It's not going to happen in the U.S. Right now, we can't get out of our own way politically to be able to come up with sensible regulation on things such as data privacy, never mind generative AI or any of the other issues that come up. Even though these are supposed to be nonpartisan issues, we can't get over partisan issues to get to those. So the leadership is going to come from Asia-Pacific and Europe.
Goswami: And in fact, in China, I think only from August 15 has the regulation around AI been applicable. So it's just been effective from August 15 - two to three weeks back.
Delaney: Thank you so much, Suparna. Well, Rashmi, Tornado Cash was back in the news this week as the two founders behind the crypto mixer were charged by U.S. federal agencies. Tell us about what's been going on.
Ramesh: Always fun to talk about Tornado Cash. You are right. The U.S. charged Roman Semenov - a Russian national - and Roman Storm - a Washington state man - over creating, operating and promoting Tornado Cash this week. Now, Tornado Cash was a crypto mixer that was extensively used by threat actors like North Korea's Lazarus Group to launder more than $1 billion during its few years of operation. Now, these two are charged with conspiracy to commit money laundering, sanctions violations and operating an unlicensed money transmitting business. Now the indictment says that they created the core features of the service, paid for critical infrastructure to operate it, advertised it as a service that allowed anonymous and untraceable financial transactions, chose not to implement KYC or anti-money laundering programs, and did not put in controls, despite knowing that hackers used their platform to launder illicit money. So they face up to 45 years in prison if convicted on all charges. We don't know when the sentencing is yet, but that is the maximum prison sentence they can face. Now, Storm's lawyer later said in a statement that the case hinged on a novel legal theory, which can have dangerous implications for all software developers. So, he said that Storm, like Alex Pertsev, who was another Tornado Cash developer, who was arrested last year in the Netherlands and is currently awaiting trial, only developed the software. And if software developers are liable for how that software is used, it can have dangerous implications. So this case is so important for the whole of the decentralized finance ecosystem, mainly because of this one hook in a space where no one entity or person is solely responsible for owning anything. Do they become liable when the software or its users violate the law? So we have to also shed light on who's responsible for putting in place these KYC and anti-money laundering measures.
And the fact that a lot of decentralized finance software uses open source also adds another layer of complexity to this question.
Delaney: Fascinating topic. What's the status of Tornado Cash itself? Has it disappeared? What's happening?
Ramesh: Both yes and no. So the designation means that Tornado Cash cannot be used for legitimate purposes anymore in the U.S. But it's not like hackers toe the law enforcement line. So of course, they still use the mixer. The only thing is, it's now used mostly by threat actors. And the whole point of a mixer is that it helps mix different coins of different denominations and makes it harder to be traced. So with all the legitimate transactions stopping, it's so much easier for law enforcement to track illicit activity on it. It's always easier to find a needle in a haystack when it just has a dozen pieces of straw rather than hundreds. And another piece of this puzzle is that Tornado Cash's code is already out there. So you and I can set up our own Tornado Cash if we want to. And Sinbad, which is a shiny new mixer on the block, is believed to be Tornado Cash 2.0. So has Tornado Cash disappeared? Yes and no, at this point.
Delaney: I seem to recall that crypto advocates had strongly criticized the ban on Tornado Cash as it infringes on people's expectations of privacy. Does that sentiment still remain?
Ramesh: Yes. So this is also a question raised in a lawsuit that six plaintiffs filed asking the government to withdraw its sanctions against Tornado Cash. They said that the Treasury exceeded its authority in sanctioning the crypto mixer because it's not a person or a property, it is a piece of software. They said that it violated their First Amendment right to speech because it did not allow them to privately donate to social causes. Like, for example, if a Russian wanted to donate funds to Ukraine and the ongoing war via Tornado Cash, they could not because Treasury had sanctioned it. And this lawsuit was backed by Coinbase, which is the largest crypto exchange in the U.S. But this week, a U.S. judge said that these arguments do not hold any water. He said that Tornado Cash is an entity that is governed by voting members of a DAO, or a decentralized autonomous organization, that works similarly to the stockholders of a corporation and therefore can be designated for sanctions. He also said that the mixer does have a property interest in the smart contracts that are designated. And on the third argument, about the sanction violating First Amendment rights, the judge said that the First Amendment does not protect anyone's right to donate money to social causes through a specific bank or service.
Delaney: Well, it's a storm indeed. Rashmi, that was great analysis. Thank you so much. And finally, just for fun, as we approach the end of August, I think we can still call it summer. I'd like you to come up with a fun title for a summer novel on generative AI. Tom, go for it.
Field: I have a prop in honor of one of my favorite books of all time. It's going to be "Zen and the Art of Generative AI."
Delaney: Very good. I love it. Suparna?
Goswami: I thought of "Jenna in a Bottle: Who Is the Real Master?"
Ramesh: Love that.
Delaney: Love that play on words. That's great. Rashmi?
Ramesh: I would go with, like, scary Jedi stuff that would make Stephen King proud. "Everything You Watched on Black Mirror but Real."
Delaney: Very good. At least one of us is going down that route. What about this: "Sunlight Synthesis - A Summer of Generative Wonders." It's a sizzling novel. Well, Suparna, Rashmi, Tom, this has been great fun, excellent.
Delaney: Thank you so much.
Goswami: Thank you.
Ramesh: Thank you, Anna.
Delaney: Thanks so much for watching, until next time.