From Insurance to Crypto – Understanding The Trends in Law with Stephen Palley

In this episode of CHATTINN CYBER, our host Marc Schein interviews Stephen Palley, partner at Anderson Kill. He chairs the Technology, Media and Distributed Systems group of the organization. Stephen is also a regular speaker and prolific writer on insurance, construction, and technology. He is the lead editor and contributing author to the ABA Forum on the Construction Industry’s best-selling treatise on construction insurance.

While in law school, Stephen planned to become a technology lawyer. In a few years, he had learned programming, found a new method for settling cases, and turned it into a software program! He then came across Bitcoin and Ethereum – two branches of crypto assets – and started working for crypto clients on both front-end regulatory compliance and dispute handling. Interestingly, Stephen has thus built a career as a successful crypto lawyer at a firm best known for representing policyholders.

Stephen speaks on regulatory crackdowns within crypto in the U.S. and China. The crackdown in China has impacted Bitcoin miners, and a lot of that impact has moved to the U.S. But Stephen firmly believes that a similar crackdown cannot happen in the U.S. Stephen also comments on recent guidance from OFAC around Bitcoin and the facilitation of ransomware payments. He says the guidance puts victims between a rock and a hard place.

Stephen also gives guidance for millennials and Gen Z’ers who are fascinated by cryptocurrency. He says that no matter what new thing comes up, you need to remember that regulators, law enforcement, and judges will have access to it. Also, this is never quick money without effort – risks exist.

Quotes

“We already have a fairly well-developed regulatory framework and a way of understanding crypto. I think it is too deeply embedded in our business at this point for it to disappear.”

“What we do tell people is that when faced with a conundrum, we definitely want you to be in touch with law enforcement.”

“If you are expressing a favorable opinion publicly about a security and you have a stake or position, and if you are being paid to promote it, under federal law, you have to disclose that.”

“Just because you gave something a new name doesn’t mean that regulators and law enforcement judges won’t be able to deal with it and address it.”

“One of the reasons for the fascination with space is pure and simple: the promise of hope for quick profits with not much work. I’m sorry, but it comes from somewhere, there’s always a risk, and somebody always pays.”

“What people don’t know is what’s happening behind the scenes. Most regulatory enforcement actions are confidential. You have no idea what the competitor is dealing with.”

Time-Stamps:

[01:03] – Stephen reveals his story of getting into insurance law and crypto.

[04:21] – Stephen comments on the regulatory crackdown in crypto in the U.S. and China.

[08:30] – Guidance from OFAC on Bitcoin and the facilitation of ransomware payments.

[12:47] – Advice for the millennials and Gen Z who have a fascination with cryptocurrency.

[14:33] – Risk management and insurance policies.

Connect with Stephen:

Email spalley@andersonkill.com

LinkedIn  https://www.linkedin.com/in/stephendpalley

Cyber Risks and Their Threat to Finance With Omar Refaqat

In this episode of CHATTINN CYBER, Marc Schein interviews Omar Refaqat, Senior Manager of Crowe’s Cyber & Risk Consulting Practice. Omar gained extensive experience working as a Telecom and Networks Engineer at several successful companies before venturing into cybersecurity.

Omar chats about his engineering background, which gave him a solid foundation to understand today’s threats, technologies, and opportunities.

Credit card fraud, email fraud, hybrid attacks, and SIM spoofing are among the types of attacks that are increasing with every passing day. Omar explains that SIM spoofing is a technique used to defeat multi-factor authentication (MFA). In this type of fraud, attackers redirect the messages or data from your phone’s SIM to their phone, so that the authentication code you’re supposed to receive on your phone goes directly to them.

Cryptocurrency and blockchain adoption has exploded. We chat about why there’s so much trust around the two technologies and why people are increasingly drawn to them.

Highlights:

“What we’ve seen over the last decade or so is really a convergence between that and cyber threats and cybercrime.”

“It’s interesting that it’s really a push-pull effect. The banks, central and insurance and credit unions are moving in this direction, but the cloud providers are finally also waking up to the fact that they have this huge industry out there that really wasn’t that excited about their products and services.”

“And that’s the basic technology underlying cryptos. Think of this as a distributed ledger where you don’t need an intermediary to provide that trust. And it’s really that everybody has access to it, you can see what everyone else is doing. And that’s where the trust comes from.”

“What we have seen from our perspective as an accounting firm, we have a risk practice, we have a consulting practice, we have a fairly large audit practice as well. All these things tying together security can no longer be treated as siloed service or applicant application.”

“The way we work with our clients is, as we said, we start with really helping them from the advisory perspective, from a consulting perspective in doing risk assessments, understanding where the technology risks lie in helping them put together those in various programs to help build controls mitigate the risk to the extent that they want to and they need to, and then come in as retirement as an audit practice and make sure that, that ethical framework is compliant and effective.”

Time-Stamps:

[01:17] – Omar shares his life’s story with us

[03:44] – Omar shares about his time in the finance industry and the convergence of finance and cyber crimes

[06:43] – What is SIM spoofing?

[15:15] – What technologies can financial services industries make use of?

[25:38] – Why technology can no longer be seen as a siloed type of service

Connect with Omar:

LinkedIn: https://www.linkedin.com/in/omarrefaqat/

Brian Warszona’s journey through the cyber insurance industry

In this episode of CHATTINN CYBER, Marc Schein interviews Brian Warszona, UK Cyber Deputy Practice Leader at Marsh McLennan. Brian has over a decade’s worth of experience in the cyber insurance space and has, over the years, shifted from the carrier side to the broker side of the industry.

Brian started his career working with Marsh in Chicago for six years. He then worked as an underwriter at Chubb for two years. Later, Brian helped create the Chicago office for another brokerage firm, before landing his current job at Marsh McLennan.

Brian discusses why shifting from the carrier side to the broker side gave him a whole different perspective on the industry. He could talk about risk in a way that would make it more efficient for both the company and the client. He was creating solutions and bespoke policies for the clients.

Brian explains in detail the terms underwriter and syndicate and how they function in cyber insurance. He also distinguishes an underwriter’s role at Lloyd’s from the role in the States and explains his preferences across the geographies. According to Brian, a syndicate has to report back to Lloyd’s about what it is doing from a financial stability standpoint.

We also discuss the impact of COVID on the industry. Brian shares that from a coverage standpoint, nothing has changed in the pandemic. But there have been revolutionary changes elsewhere. COVID has not only affected Lloyd’s but also changed the way clients deal with businesses. They don’t have in-person underwriting meetings with syndicates and underwriters from the syndicates so frequently today.

Towards the close of the episode, we talk about Brian’s article on human-capital management regarding cyber risk and discuss the points to keep in mind while identifying suitable vendors.

Highlights:

“I think it’s [the pandemic] allowing us to be a little bit more connected. In some cases, we probably have too many zoom meetings because of it. But on the flip side, we actually have a lot of communication going back and forth, whether it be through zoom teams, or instant messages or wherever it might be.”

“From an analytic standpoint, to the corporate side of things, I really wanted to be in that room with the client talking about, here’s what we can do here. And here’s all the different solutions.”

“I don’t think we can go through a cyber conversation around the market if we didn’t talk about ransomware.”

Time-Stamps:

[00:58] – Brian discusses his journey in the cyber insurance industry

[02:21] – Brian shares why he decided to shift from the carrier side to the broker side of the business

[03:35] – Discussing the London insurance mentality

[05:30] – Explaining the terms syndicate and underwriting

[06:39] – The influence of the pandemic in revolutionizing work practices

[08:54] – Talking about new requirements at London-based carriers

[10:18] – Human Capital Management with regards to cyber risk

[14:59] – Identifying suitable vendors

 

Connect with Brian:

LinkedIn: https://www.linkedin.com/in/brian-warszona-36891b12/?originalSubdomain=uk

Cyber Insurance And The Pivots In Underwriting – An interview With Meredith Schnur

In this episode of CHATTINN CYBER, Marc Schein interviews Meredith Schnur, Managing Director and US Cyber Brokerage Leader at Marsh USA, Inc. Meredith offers actionable insights.

Meredith talks about progression in the cyber insurance space. Underwriting and brokerage today look a lot different from how they were in the past. In terms of negotiating arrangements with your clients, bigger always means better. Hence, you cannot survive without developing personal relationships with your clients.

We also learn about the challenges that the cyber insurance industry faces – the most substantial challenge being underwriting. It’s not the strategies but the implementation of the strategy that is turning out to be demanding. Also, the amount of information that clients have to supply to the underwriting community has undergone a dramatic shift. Hence, the challenge lies everywhere, from allocating resources, getting the right people to the table, answering their questions, and understanding the cyber risk profile of an organization to communicating that to the underwriting community.

Meredith also talks about the common misconceptions around cyber insurance. Clients are still unaware of the amount of underwriting and required information that needs to be supplied at any time. Hence, price hikes are not as welcome to them as we might require.

Speaking about where the future of cyber insurance is, Meredith says it is undoubtedly in a sustainable and healthy market. For that to take place, stabilization is needed. In the next-generation training program organized by Marsh, building networks and coming out of your comfort zone are vital. Programs like the Track program and Cyber mentorship program help young minds receive adequate mentorship and support.

To part with, Meredith provides advice and guidance to the next generation of insurance professionals who are hoping to get into this field. If risk management truly thrills you, then it is highly recommended that you choose this field!

Quotes:

“From the late 90s to mid-2000s, we called it Network Security and Privacy because that was what it was. We were protecting the network and the overall adoption of this term cyber.”

“If you can’t truly understand the purpose of the policy and the intent of that policy, make sure we understand what the words really mean and what they say.”

“However, if you don’t have the latter, the second part of being able to truly understand the art of relationship building, technical nature, and how to actually work with all different shapes, sizes, and each deal specifically, you can’t have it.”

“I think the largest challenge that we’re having, even with our largest clients, is the very sharp pivot in underwriting.”

“Sustainable healthy market is what I foresee in five years time. A sharp pitch pivot is needed and required in order to do that, along with stabilization.”

“It is completely underestimated how important having mentors in the business is. It is completely underestimated how to build a network and what building a network can do for your career and for your comfort level. It actually teaches you how to be comfortable in the uncomfortable.”

Time-Stamps:

[03:56] – While negotiating with clients, does bigger mean better in terms of leverage?

[06:07] – Challenges in today’s marketplace.

[08:32] – Misconceptions clients have about cyber insurance.

[13:02] – Next-gen training at Marsh to create future leaders in insurance.

[16:14] – Advice to young folks hoping to get into cyber insurance.

Connect with Meredith:

LinkedIn: https://www.linkedin.com/in/meredithschnur

The Future of Cybersecurity: Why There is Scope for Improvement With Josh Gold

In this episode of CHATTINN CYBER, Marc Schein interviews Josh Gold, Cyber Insurance Lead at Anderson Kill, one of the top law firms in the North-East. Josh is a shareholder in Anderson Kill’s New York office. He has represented numerous corporate and non-profit policyholders in various industries. Josh’s practice involves matters ranging from international arbitration, data security, directors and officers insurance, business income/property insurance, commercial crime insurance, admiralty, cargo, and marine insurance disputes. He has been lead trial counsel in multi-party bench and jury trials and has negotiated and crafted scores of settlement agreements including coverage-in-place agreements.

As an individual with extensive experience working around technology, Josh explains that technology is here to stay. Young attorneys can eye many opportunities in this area, counseling and guiding clients in the times to come.

Josh explains the landmark decision during the DFW case. He describes the fraud that happened and why it was a hard-fought case. He further shares that there has been some real traction for policyholders in getting insurance coverage for cyber-related claims today, not just under a cyber policy but also under many other business insurance policies.

Josh also talks about Landry’s case. He explains how they had their payment card information stolen. Landry’s got into a fight with their merchant bank, claiming that their retailer was responsible for the breach of their customers’ payment card information. The legal fight between the merchant bank and Landry’s lasted a while. However, Landry’s was, in the end, able to secure a decent win. Josh further expands on various property insurance cases in 2020 and how insurance coverage works in those cases.

Josh and Marc discuss the threats due to cybersecurity breaches in the future and why it could go beyond money and information to bodily injuries and threats to life. He explains the importance of cyber hygiene and why we need to be more thoughtful about such instances in the future.

Josh ends the conversation on an optimistic note and shares that there is scope for preventing cybersecurity crimes in the future. He shares that sound backup systems and cybersecurity hygiene could help us do so.

Highlights:

“The changes in tech are exponential each year, and sadly, for our clients and for society at large, I don’t think cybercrime is going away, I think we’re going to be living with a lot of problems, a lot of perils. And I think they’re only going to get worse before they get better.”

“It was a hard-fought case [DFW case]; it took years to secure both the district court and the circuit court appellate rulings that we obtained, but a very good day for policyholders and I think we’re starting to see some real traction for policyholders getting insurance coverage for cyber-related claims, not just under a cyber policy, but under lots of other business insurance policies.”

“For really serious breaches, you may need all of that coverage to really fit all of the pieces of the puzzle involving the losses and damages that certainly arise from a breach.”

“If you had 10,000 great employees who were observing good hygiene, it just takes one or five of them to maybe compromise the organization systems.”

“I’m hoping that as we all become more sophisticated users, either as individuals in our personal lives or in our professional lives, when we’re remote, learning, remote working, communicating with our own devices, even if it’s through a web portal, we’re more careful about these things.”

“It’s my hope that between maybe having good backup systems that are insulated from your day to day computing operations, and then having kind of this – if all else fails group that can help you for free, get decryption tools, get your data back without having to pay a hefty ransom. That gives me some hope, that gives me some optimism that there can be an ability to fight back against some of these really strong and sophisticated cyber games that are obviously roaming the world right now, at least virtually causing all kinds of criminal mischief.”

Time-Stamps:

[00:47] – Josh Gold shares his background and about working with Anderson Kill

[04:16] – Learn in detail about the DFW case

[08:47] – About Landry’s case and how Landry’s won in the end

[13:29] – How can policyholders be hopeful about winning in the end?

[15:24] – The importance of maintaining cyber hygiene

 

 

Solving Cyber Disputes Through Arbitration – with Peter Halprin

In this episode of Chattinn Cyber, Marc Schein interviews Peter Halprin. Peter is an insurance lawyer and an arbitrator. He teaches international arbitration at Cardozo. In addition to teaching, he also writes articles and other academic pieces about different areas of arbitration.

In today’s episode, Marc and Peter talk about the challenges faced by cyber insurance, silent cyber, and arbitration. Arbitration is an alternative means of handling disputes. Peter says for sophisticated entities, especially in the cyber context, arbitration can be a really good way to resolve disputes. Apart from choosing the people to resolve the dispute, the main benefit of arbitration is that it is confidential, so you don’t have to talk about the embarrassing cyber breach or security lapse. They also talked about how the insurance coverage and mindsets of businesses changed in recent years.

Peter shares the case of G&G Oil Company, which recently faced a ransomware attack. The company made the payment and looked to their prime carrier for reimbursement. The carrier denied the claim, saying it was a voluntary payment and wasn’t related to the use of computers, as is required under the computer fraud coverage in the prime policy. The trial court agreed with the insurer, saying there was no coverage, but the Supreme Court disagreed, saying the judgment for the insurer was inappropriate on two grounds. One is that they think that the use of a computer could have been implicated here, and there was some measure of fraud that caused the transfer. The interesting thing about this case is that all of this stems from the idea that what enabled the ransomware attack was actually a spear-phishing or other campaign at the outset. This linkage is something to be considered.

Peter suggests that when you face challenges with BI claims, make sure you have the right legal counsel involved, involve forensic accounting, and work with the right broker to support you from the claims perspective. He wraps up the episode by telling us that, because there are so many claims, carriers seem very quick to bring in coverage counsel on their side. So, he calls upon carriers and brokers to work together from the outset.

Time-Stamps:

[00:53] – How did he become an insurance lawyer?

[03:09] – The benefit of cyber arbitration

[05:30] – The challenges people are facing with cyber insurance in 2021

[09:25] – The case of G&G Oil Company

[09:52] – The obligations of cyber laws

[14:33] – Peter’s advice to people facing ransomware challenges

[16:33] – The havoc wreaked by ransomware in the pandemic

[17:37] – How does ransomware affect business income loss?

[20:10] – What do companies need to do at the moment?

[22:30] – What should be the coverage of your insurance?

[23:47] – Closing thoughts

 

Key Quotes:

“Arbitration is a really good place for cyber disputes.” – Peter [04:11]

“The main benefit of cyber arbitration is that it is confidential. And you also get to choose the people who resolve your dispute.” – Peter [03:42]

“The tentacles of cyber issues and where they pop up are unlimited.” – Peter [09:43]

“Just because you paid the ransomware, it doesn’t mean that you are necessarily in the clear. The actor can still remain in your system. Your data can still be corrupted. And dealing with OFAC and other guidance out there, there is a possibility that you may be transferring money to a sanctioned actor. And now you are exposing yourself to additional legal liability.” – Peter [15:50]

“In terms of forensic accounting, clients should always check their policies to see what kind of coverage they have. Those people speak 1010 to each other, and so it’s important to have two people that speak like that to each other to resolve the issues.” – Peter [20:36]

“Having the right team in place both in the underwriting and the claim side is essential.” – Peter [22:18]

“Don’t limit your insurance to risk management.” – Peter [22:30]

“Casting your insured in a defensive position in the midst of a crisis is not the best thing to do for customer relations or otherwise.” – Peter [24:23]

Cybersecurity And Technology – Advancing Through Changes With Stu Panensky

In this episode of CHATTINN CYBER, Marc Schein interviews Stu Panensky, an experienced privacy business attorney and commercial litigator. Stu’s law firm, FisherBroyles, is established in 22 cities today. The world’s first and largest nontraditional law firm, it stands apart from the rest for two reasons: it has neither brick-and-mortar space nor inexperienced associate lawyers.

Today, Stu narrates his story of becoming an expert practitioner in cyber law. He started his cyber journey as a Jersey boy from the Northeast. Stu did not go to law school to master cyber law. He cites two incidents that introduced him to the world of technology –

  • The first was when one of Stu’s senior colleagues decided to do a book on insurance coverage for technology. It allowed Stu to learn about the history of insuring technology assets and the issues that came along with it.
  • Stu worked as an architect and engineer liability lawyer, where he had to handle claims of technology and algorithms. He found this very interesting and challenging. Thus, cyber tech had become his area of focus.

Stu also talks about the changes in cyber and tech in the past decade. Earlier, only a few people knew about the cyber world, and even then, it needed explanation. But now, after ten years, everyone is aware of cyber insurance, thanks to news and media. The concept has become popular and far more sophisticated than how it used to be.

Stu chats about the challenges higher education leadership teams face in understanding cyber risks – data, technology, and the nature of schools being the pain points in the work-from-home scenario today.

A privacy standpoint is necessary at higher levels of education. Schools need to audit and see whether the policies in their student handbook match with what they are delivering.

Tune in to learn from one of the industry’s most sought-after leaders, Stu Panensky, today!

Highlights: 

“The cyber insurance industry has a particular focus on cyber insurance and the issues are well known. And so it’s become a business peril.”

“I think almost every ransomware case we had in 2020 involves data exfiltration. It didn’t used to be like that at all. The extortions themselves are far larger now.”

“We love corporate privacy here at FisherBroyles, we have a really deep bench of corporate privacy lawyers. So we do all the website compliance, the terms and conditions, the privacy policies, we do the employee handbooks, the proactive corporate privacy, governance type of work.”

“Every case is different, and that’s why this is such an awesome practice because it really is sort of a new one every time; even in the business email compromise, which is probably the most routine matter that we get. Every system is different.”

“I think schools need to audit and see whether the policies in their student handbook match with what you are technically and technologically able to deliver.”

“It really has to do with the unique nature of FisherBroyles. FisherBroyles is the world’s first and largest nontraditional law firm. We’re in 22 cities in the US, we’re in London, and we’re growing.”

 

Time-Stamps: 

[00:56] – Stu shares his story of becoming a cyber insurance lawyer

[04:07] – How cyber insurance evolved during the past decade.

[08:26] – The cases cyber insurance deals with.

[11:30] – Challenges faced by higher education around the field of cyber risk.

[18:37] – Stu talks about FisherBroyles

 

Connect with Stu: 

Website: https://www.fisherbroyles.com/

LinkedIn: https://www.linkedin.com/in/stu-panensky-713b149

 

 

How Ransomware Gangs Lead Cyber Attacks: Understanding Cybersecurity with Thomas Brittain

In this episode of CHATTINN CYBER, Marc Schein interviews Thomas Brittain. He is the Associate Managing Director with the Cyber Risk practice of Kroll, a division of Duff & Phelps, based in St. Louis. He has over 14 years of information security experience advising organizations on secure configurations, risk reduction, incident response, and tackling tough security challenges. Thomas’ expertise ranges from incident response and security assessments to building and leading security programs. He is a Certified Information Systems Security Professional (CISSP), Certified Cloud Security Professional (CCSP), and a GIAC Certified Incident Handler.

Thomas shares his story of going from a military professional to holding the Associate Managing Director role in one of the most prestigious IR firms in New York City. The foundation and training in the military certainly influenced Thomas’ drive. In the military, you don’t have an option to fail. You are to find a path forward, no matter what. Thomas shares how he carries this perspective in his career and life.

To those looking forward to joining cybersecurity, Thomas gives away a few tips –

  • Get a home lab setup – If you want to get into cybersecurity, you will have to experiment with different apps and software.
  • Learn – Several sites give free education about these topics. INE and TryHackMe are examples. It would be best if you learned the basics first. There are YouTube videos you can learn from, including videos by Professor Messer.
  • Make sure you really want to work in this field. You’ll need to challenge yourself, think outside the box sometimes, and be ready to adapt to changes.

Thomas then shares his views on an executive order signed by President Joe Biden on implementing new policies to improve national cybersecurity. The biggest concern with the order remains funding.

We also learn about ransomware gangs: where they’re generally located, how they’re funded, and what their ransom demands most often are. Most of these gangs are located in the Eastern European region and are funded by the ransom payments they have received. In 2020, their ransom demands went as high as 60 million dollars. Ransomware gangs today have started becoming more strategic.

Thomas also talks about the possible recruitment strategies for ransomware gangs. He elaborates on the ransomware gang REvil, the one behind the Kaseya attack of 2021, and their attacking strategy. One of the most extensive techniques or tactics with this threat actor group is exploiting internet-connected vulnerable systems and managed security provider platforms like RMM tools (similar to Kaseya). Thomas further details the Kaseya attack, explaining why 1500 globally were put at risk – all simultaneously.

Towards the close of the conversation, Thomas explains the process by which organizations procure cryptocurrency – you first have to establish an account and then transfer funds to the wallet. After that, you procure your cryptocurrency, like Bitcoin.

Thomas has led an extensive discussion on ransomware gangs, cyber-attacks, and bitcoins today. There’s a lot you would take away from this episode!

Quotes:

“I think in this career field of cyber security, everybody has to be the CEO of their own career. Nobody’s going to give it to you on a silver platter.”

“This is not just a career field in which you’re going to come in, you’re going to get a great salary, and you’re going to do the job. If you don’t thoroughly enjoy it, if you don’t have the ability to think outside the box and really try to take on new challenges, this may not be the right career field for you.”

“Learn the basics first; how does a computer work? How does networking work? There are a lot of sites like INE or TryHackMe that provide some level of foundation. There are other avenues like Professor Messer on YouTube that offer free videos to get that background or education.”

“I like to look at this as a chess game. So for every move, we make the advances, and then we make a counter move; constantly adapting to the things that we’re doing. And so we have to be ready to adapt.”

Digital Forensics, Crypto Codes, and Ransomware Attacks: A conversation on cybersecurity with Ondrej Krehel

In this episode of CHATTINN CYBER, Marc Schein interviews Ondrej Krehel. He is a former lecturer at FBI Training Academy and Chief Information Security Officer of IDT911, the nation’s premier identity theft recovery and data breach management service. Ondrej is also the Founder and CEO of LIFARS LLC, a digital forensics and cybersecurity intelligence firm. He authors articles, conducts training, and is a frequent speaker at industry events, such as FBI Academy, RSA, HTCIA, ECTF USSS, and QuBit Prague.

In this episode, Ondrej shares his history, explaining how he went from a mathematical physics student to a cybersecurity expert. His career started in crypto, working with code, and he eventually oversaw nuclear power plants and Industrial Control Systems.

We chat about Eastern European ransomware gangs and the trends noticed in their attack measures. Ondrej discusses the Kaseya attack, in which the hackers used a chained exploit, meaning it was all in one code. Here’s how it happened: the authentication bypass got them into the file upload and let them upload the files they needed. They got the right to deploy, did a command and code injection, and completely interacted with the system. Ondrej describes this as a true military type of tactic on a system. The group that led this attack was formidable and had a clear understanding of the legal system in the U.S.

Quotes:

“I actually exercise a lot and do a lot of specialized training. But I decided that cutting that social life for me, but moving to that career that was very unique, can only shape who I am today.”

“I think that’s what the industrial control system people are saying, that look, the code is so primitive, that it’s easy to do quality assurance. Once you start introducing complexity in integrations, we are not going to be able to control it.”

“These threat actors do diligence very well, they played a card of third party liability. They understand probably also insurance policy of that company not insist they read the policy, but they understand what the premium is, also what the limit of that is, and probably who owns it, and how likely they’re going to get paid.”

“These trackers right now do understand the insurance market completely, they understand how the insurance operates. I was important to this game, they understand the third party liability. And they try companies with a third party liability.”

“What the issue is when it comes to the rebel group is that the rebel group first gets maybe some intelligence. All these exploits, all the tools that we do believe in and debat are somehow connected to intelligence agencies in Russia. And at that level, basically, they truly use a cyber military type of skill set against the commercial enterprises.”

“The challenging piece for that crypto is it has some cell stacks attached to it. There are some fees attached to it, how you’re going to put that on your balance sheet at the end of the day. And also some legal aspects of dealing with the office of the asset controlling involve attorneys.”

Time-Stamps:

[00:51] – Ondrej’s backstory and career in the crypto world

[04:26] – Ondrej shares his experience in the nuclear sector

[08:43] – The debate on whether to upgrade industrial technology or not

Connect with Ondrej:

LinkedIn: https://www.linkedin.com/in/ondrejkrehel/

How the Center for Internet Security Helps Businesses Against Cyber-Threats with Curtis Dukes

In this episode of Chattinn Cyber, host Marc Schein talks with Curtis Dukes, the former director of the National Security Agency (NSA) and the current Executive Vice President of the Center for Internet Security (CIS), a non-profit organization that aims to make the connected world a safer place.

Their conversation begins with a discussion on Curtis’ background, specifically on his experience in the NSA. After spending more than three decades in service to the agency, he learned the following:

  • Computer systems must provide their users with a pleasing experience to ensure that they won’t switch to an alternative way.
  • Technology is so ingrained into who we are as a society that we no longer notice it, even though we’re online all the time.
  • Business owners must allocate sufficient resources for the regular upkeep of their hardware and software programs, so that these won’t be exploited by malicious adversaries.

Curtis also talks about the CIS, giving an in-depth explanation of its goals and current efforts. In addition to providing cyber-threat intelligence and analysis to State, Local, Tribal, and Territorial government entities (SLTTs), the organization has also introduced controls and benchmarks that allow businesses to develop effective strategies against cyber-threats. He further recommends that business owners show the efforts they’ve put into building their defenses when trying to obtain a cyber-insurance policy.

Regarding future trends, Curtis explains that the next few years will see ransomware playing an increasingly crucial role in cyberspace. To address this issue, the CIS has developed a community defense model that is based on genuine attack techniques. Published in August 2020 to much acclaim, this program will help businesses mitigate the risk of cyber-threats, enabling them to protect themselves from malicious agents.

Key Takeaways:

  • Technology has become so powerful and ubiquitous that our reliance on it has become invisible to us.
  • Small and medium-sized enterprises (SMEs) need to have sufficient resources to limit their cybersecurity vulnerabilities.
  • Business owners must thoroughly understand the impact of cyber-threats.
  • The cyber-insurance industry still lacks standardization.
  • Ransomware is evolving, with malicious agents often changing the way they operate.

Key Quotes:

  • “But you can quickly see that computers were going to be a disruption, not only within national security systems, which I was responsible for providing security for, but as an economic enabler for society.” – Curtis (05:07)
  • “Technology is ingrained in the fabric of who we are, and how we communicate as a society.” – Curtis (07:14)
  • “It went from ‘let me just lock up your data, and you need to pay the ransom, or you have to recover your data through some other means’ to they started modifying their operations. Not only did they lock up your data, but they also exfiltrated the data. If you didn’t pay the ransom then they threatened to expose the data, some of which could be harmful to the company or personally problematic, as well.” – Curtis (16:23)
  • “By mapping attack techniques to mitigation, I think that’s one way to raise cybersecurity across the board.” – Curtis (20:16)