Why Every Organization Needs A Crisis Communication Wing With Jamie Singer

In this episode of CHATTINN CYBER, Marc Schein interviews Jamie Singer, Managing Director FTI Consulting formerly, Executive Vice President at Resolute Strategic Services and Resolute Public Affairs. She is an ​​experienced strategic communications advisor with deep expertise in crisis communications, and has counseled Fortune 500 companies through some of the biggest reputational crises of the past decade. During the conversation, Jamie and Marc explore the need, process, and tips for effective crisis communication in organizations.

Crisis communicators are partners to legal and breach counsel. The latter engages them in a tri-party agreement to protect privilege, helping them act as an interplay and an ongoing dialogue for risk mitigation.

When must an organization have a crisis or strategic communication with an expert? Jamie Singer explains that strategic communications need to start early when an organization engages with its forensics firm and insurance carrier. This is partly due to the increasing number of ransomware cases organizations face today (both internally and externally), rendering their systems inoperable for operations.

However, communicating a data privacy breach or incident with the clients or media should happen only after careful thought and investigation. Because the cyber world is fluid – information and facts change quickly. It’s possible that in the time you communicated an incident, the positions have changed and the risks mitigated; but by then, the organizational trust would have gotten in jeopardy. Organizations must be careful about the cadence and timing of reporting such incidents.

It’s all easy until the media comes into the picture. With the internet always up-to-date with the recent advancements in any space, cybersecurity traders and bloggers are also the first to break any reports of security breaches in organizations. The nature of the news, however, is often ‘report and move onto the next’, a fact that organizations can leverage. Jamie Singer explains that companies can use media to get their key messages to the key stakeholders through written statements (and not LIVE interviews as they might backfire).

What can organizations do to mitigate cyber risks and reduce cyber incidents? Work on the communications aspect – consider your communications protocol, review and improve messaging. It includes finding a way to communicate even when corporate emails are unavailable.

For more, tune in to today’s episode!


“A common pitfall we see is companies saying too much and too quickly – Crisis Management 101 – you should communicate the minute something went wrong as transparently as possible. The problem with cyber is, investigations are quite fluid, information and facts change frequently. And so the early bird doesn’t always catch the worm in these situations, if you communicate too quickly, before your systems are remediated, or before you have all the facts that can actually erode trust.”

“There’s often a lot of focus on what we say to customers and media and external stakeholders, but we continue to see the employee audience being forgotten, and they shouldn’t, because they wear two hats there, they could be impacted by the incident and they interface with customers. So they need to know what’s going on.”

“We approach media typically as a transaction, how can we use media to make sure we are continuing to reiterate our key messages to our key stakeholders, and often that can be accomplished through written statements.”


[01:55] – When must an organization have crisis communication?

[03:21] – Why you must think before communicating with the rest of the world about a potential (or observed) data security breach

[06:19] – Managing the media in the event of a cybersecurity threat

[08:02] – What can companies do to be better prepared in the event of a cyber incident?

Connect with Jamie:

Website: https://www.linkedin.com/in/jamie-singer-11a3bb13/




Cybersecurity Protection for Cyber Insurance : An interview with Maria T. Vullo

In this episode of CHATTINN CYBER, Marc Schein interviews Maria T. Vullo, Founder, and CEO of Vullo Advisory Services, PLLC, a strategic advisory firm. She serves on several for-profit boards, is Regulator-in-Residence at the Fintech Innovation Lab, and an Adjunct Professor at Fordham Law School. She was formerly the New York’s Superintendent of Financial Services, responsible for managing a 1,400 person regulatory agency that supervises New York’s banking and insurance industries. Maria has extensive banking and insurance regulation expertise, BSA/AML compliance, an understanding of cybersecurity and data privacy, fintech and insurance, and strategic litigation.

In today’s episode, Maria discusses her insightful career in DFS, working in private law and consulting practice later. She shares her experience working with private and public sector institutions and how both have added to her expertise in the law.

Maria talks about finalizing the DFS Proposed Regulations Part 500 (Cybersecurity Requirements for Financial Services Companies) in 2017 and its significance. Not only was it a big deal in cyber, but it was the first in the nation at that time and is still a leading force in cybersecurity regulations. Maria adds that DFS has a huge responsibility in helping manage cybersecurity risks. It is responsible for the safety and soundness of all the banks and insurance companies that are state-chartered. Since any cyber risk could also create a potential financial risk to them, the DFS had to take steps to consider cybersecurity seriously.

The government plays a huge role in combating cyber risk or ransomware. After the ‘SolarWinds hack’, the largest global cybersecurity attack that happened recently, the federal agencies and governments passed a pervasive executive order asking all private and public agencies to bring a unified approach to handling cybersecurity issues.

The New York State Department of Financial Services (NY DFS) recently issued new Ransomware Guidancefor regulated companies to prevent successful ransomware attacks. This happened post realizing that 74 of their regulated institutions had suffered ransomware attacks, 17 of which needed to be paid the ransom.

We also discuss the world of FinTech pre and post COVID and why insurance suffered in these times. Maria explains that in financial services, consumer protection will be a big issue for the Biden administration. Virtual currency is another central area of regulation considering its global reach.

Maria closes the conversation by stating the massive role of cybersecurity protection in enabling cyber insurance. It will continue to grow in importance in the coming years!


“If you have a significant cyber cybersecurity attack, that’s a financial attack and you have a ransomware attack that stops your business, has a huge impact, if not a closing impact on your bottom line.”

“DFS as a regulator is very, very concerned with the financial soundness of banks, insurance companies, because there’s all these people out there that rely on financial services for their banking for their insurance policies.”

“The more that you follow the regulation, the more that you have security and everything else, the less likely it will be that you will suffer one, or if you do, there’ll be mitigation measures that won’t have as serious an impact.”

“Cyber insurance is such a critical issue for all companies. And I think that it goes hand in hand with cybersecurity protection.”

“The stronger your cybersecurity protections, the better able you are to get a good cyber insurance policy.”

“The last thing that I want to see as a former insurance regulator is for insurance companies to not be in the space or for the pricing to be such that people can buy cyber insurance.”


[00:57] – Maria’s experience working with both private and public sectors and how both of them helped her build a strong career in law.

[02:52] – About the DFS Proposed Regulations: Part 500 – Cybersecurity Requirements for Financial Services  Companies

[05:17] – New Ransomware Guidance for regulated companies on preventing successful ransomware attacks by the DFS

[07:43] – The role of government in combating cyber risks

[10:32] – Fintech today

[13:00] – The regulations around virtual currency today

[15:58] – Maria’s parting advice for the listeners

Connect with Maria:

LinkedIn  https://www.linkedin.com/in/maria-t-vullo-b40a7258/






Regulatory Compliance In Cybersecurity And The Practices To Mitigate Cyber Risks With Jennifer Coughlin, part 2

In this episode of CHATTINN CYBER, Marc Schein interviews Jennifer Coughlin, Founding Partner at Mullen Coughlin, a law firm exclusively dedicated to representing organizations facing data privacy events and information security incidents and the need to address these risks before a crisis hits. Jennifer focuses her practice solely on providing organizations of all sizes and from every industry sector with first-party breach response and third-party privacy defense legal services. The second part of the conversation talks about regulatory compliance, investigations and movements, cyber insurance, how to mitigate cyber risks, especially those due to ransomware attacks, and the present and future cyber threats.

On the regulatory front, many new laws and guidelines on cybersecurity are being proposed; regulatory investigations, too, are picking up well. Data shows that while over 30 movements happened in 2021, so far in 2022, 20 have occurred. These indicate:

  1. Increased reliance upon data and information systems
  2. A recognition of the impact of losing access to data and information systems
  3. Uncertainty around what businesses are doing with the massive amounts of data collected
  4. Consumers’ recognition of data privacy
  5. Victim organizations have a ton of data that could help in the fight against cybercrime.

Cyber insurance companies are helping organizations reduce the uncertainty due to cyber risks by setting up a vetted procedure and providing the necessary education to respond to data privacy incidents. With an evolved cyber insurance underwriting, companies can have increased safeguards, better implementation, and response to cyber incidents.

How can your company mitigate cyber incidents? Conduct a data-mapping exercise, considering carefully the data you have on your system, the access controls, cost, loss in the case of security violations, and testing around that. Next, consider Multi-Factor Authentication – it’s a necessity in any company. Mullen Coughlin has a 3-2-1 plan indicative of their practice of keeping 3 backups in 2 different locations, 1 of which is offline.

Before dealing with ransomware attacks, companies need to take the time to understand their contracts, obligations, and responsibilities, so they’re aware of the laws that apply in the case of a cyber incident. Being aware of the timelines and laws could help faster implement the necessary cybersecurity controls and practices.

Additionally, training the employees properly about healthy cyber practices is essential. There needs to be proper learning and reinforcement of cybersecurity practices in organizations.

Towards the close of the episode, Jennifer shares that cybersecurity incidents are not predicted to decrease in a coming couple of years. Job security in the industry appears strong.

Listen to the conversation for more details!


“All these movements (around cybersecurity laws) are indicative of their recognition that victim organizations have a ton of data that would be really helpful in the fight against cybercrime. And they’re not getting their hands on that. So under all of these movements, they’re talking about sharing more information with them. So that when these laws are crafted, when these government meetings are happening, they have additional information that can be really helpful to the conversation.”

“The cyber insurer has already figured out the call you make to set into motion, to ring the bell that is going to set into motion everything that needs to be done to efficiently and compliantly respond to these data privacy incidents; they’ve identified the resources that are needed to do so, they vetted these resources that are needed to do so.”

“Vulnerabilities are being identified all the time, you’ve got zero day exploits being identified, you need to make sure you have a patch management program so that you’re monitoring for patches issued for vulnerabilities, assessing whether or not those patches need to be applied to your system and making sure those patches are being applied to your system. ”


[00:45] – What’s going on in the regulatory front of cybersecurity?

[03:34] – Insight into the plaintiff’s bar

[10:59] – Reducing or mitigating a potential cybersecurity incident

[20:49] – Cyber risk prediction for 2022-23

Connect with Jennifer:

Website: https://www.linkedin.com/in/jennifer-coughlin-59b81425/



Why Accounting, Disaster Recovery and Incident Response Are Critical In Any Organization With Ted Carlson

In this episode of CHATTINN CYBER, Marc Schein interviews Ted Carlson, Co-Founder and President of Marcum Technology, a renowned Information Technology Consulting Firm in the US. During the conversation, Ted and Marc explore the former’s journey into consulting and technology, Marcum’s service and client diversity, and some thoughts on ransomware attacks.

Marcum Technology is essentially an accounting firm, with technology being its core driver. In addition, the firm offers robotic process automation, business continuity, disaster recovery, and incident response through digital forensics. Ted explains how the company helps organizations prevent ransomware incidents by using parallel networks, adequate backups, and strong infrastructure. He adds that depending on the severity of the attack, the recovery process could vary. Firms should practice testing and rehearsal to ensure business continuity during an attack.

Gathering lessons from his entrepreneurial journey, Ted suggests why you shouldn’t be hesitant to chase your passion. Though taking advice from people could help sometimes, it’s essential to do what you enjoy because that’s what would produce better results sometime down the road. He also states why you might not want to wait for years shifting and switching jobs only to choose another path later – it would be challenging to restart your career 20-30 years after. Don’t let people hold you back from living your dreams.

Tune in to the episode to learn what it takes to build a successful career in the rapidly evolving consulting industry.


“Whenever there’s a merger or acquisition, we’re basically stripping off the technology components of those firms. And we’re kind of blending them into the marking technology division.”

“You can take a certain advice from people, but you really, at the end of the day, have to do what you enjoy, and (do) whatever you feel confident, and that will produce better results down the road.”

“Whatever interests you have, and whatever excites you, I would say, don’t wait, because a lot of people end up waiting and switching during career changes 20-30 years later. And, it’s not that easy to do.”


[00:41] – Ted’s entrepreneurial journey

[01:22] – Advice for college students to chase their passion

[04:18] – More about Marcum

[05:19] – How to prevent ransomware incidents in companies

Connect with Ted:

LinkedIn: https://www.linkedin.com/in/ted-carlson-14977a18/
















Understanding the 3 Tiers Of Cybersecurity Regulation With John T. Wolak

In this episode of CHATTINN CYBER, Marc Schein interviews John T. Wolak, chairman of the Privacy & Data Security Team at Gibbons P.C. He has extensive experience handling privacy and security issues, cyber insurance coverage, policies, endorsements, risk mitigation and exposure, and due diligence for regulatory compliance. He has been named an “Insurance Lawyer of the Year” (Newark, NJ) by Best Lawyers® and selected for the New Jersey Super Lawyers list for Insurance Law. During the conversation, John recollects his journey into cybersecurity, his experience working with the Y2K problem, biometric technology, and the regulatory tiers that apply to biometric data handling.

After graduating law school, John clerked for a federal district court judge in New Jersey. He then joined Gibbons, and as a young associate, he was staffed on one of the most massive environmental insurance coverage matters of the late 80s and early 90s, an experience that proved not only challenging but very interesting. It set his trajectory in legal practice. He later got involved in the Y2K bubble, which ironically wrapped up in early January 2000. Over the years, John has counselled, covered and handled various cyber issues, most recently, diving into biometrics.

Drawing parallels between the Y2K problem (or the Year 2000 problem) that “caused” data formatting and storage issues after the year 2000, and the issues surrounding cybersecurity today, John explains how uncertainty is the common ground. We’re now faced with the uncertainty of compliance obligations, risk mitigation, and cyberattacks, especially since biometric data usage has increased.

Biometrics are the physical or behavioral characteristics that are used to measure or identify an individual, including facial recognition and fingerprints. With biometric verifications and data usage on the rise, privacy advocates are increasingly concerned about its risks and possible violations.

Biometric data has three tiers of regulation. The first is the biometrics-specific regulation that addresses only biometric information and its collection, use, processing and storage. The second tier is biometrics within the definition of personal information, and the state-specific regulatory regimes, like the CCPA, the Colorado statute, and the Virginia statute that say any individual’s personal information must be appropriately used, stored and protected to ensure privacy and security. Most states have included biometric information within their Breach Notification statute and require notification of a breach involving an actual fingerprint or algorithmic formulae of a fingerprint – that’s the third tier.

Towards the close of the episode, John shares why individuals need to be aware of the private right of action, and how it can be a pain or a joy for different people. The private right of action is a statutory provision that provides private citizens the ability to enforce compliance with a statute by commencing a lawsuit against an entity violating the statute. It can generate a lot of litigation, and often proves a joy to plaintiff’s lawyers as any failure may allow the plaintiff or plaintiffs in a class action to recover statutory damages. The pain caused is to the business that does not comply with the statute and is the target of the lawsuit and damages.

Listen in to learn more about the cybersecurity regulations in effect today.


“The y2k risk was kind of the fear of the unknown. What was going to happen if my computer system completely goes down? That’s a simple statement, or simplistic statement about the issue, but it was the fear of the unknown.”

“If you’re a cyber person, that’s where you look. But you may have competitive situations where your due diligence opportunities are going to be somewhat limited and targeted, and you’re to get through to next rounds, you may have some more confirmatory due diligence at the end.”

“So you have to do a risk assessment, and you have to allocate resources based on your assessment of the risks.  And obviously, the more sophisticated the risk assessor is, the better off that process can be. So, it is something that needs to be done at the outset. Because unless you do it at the outset, you’re not going to be able to engage in a really fully informed risk assessment process to allocate those resources.”


2947828.4 099999-00169


[01:00] – John’s cybersecurity journey

[02:15] – Cybersecurity and M&A transactions

[09:44] – Front end, Back end, and Due diligence evaluation

[11:58] – Is there an increase in deals engaging reps and warranties coverage?

















The Importance Of Building Good Client Relationships In Cyber Insurance With Joseph Lazzarotti

In this episode of CHATTINN CYBER, Marc Schein interviews Joseph J. Lazzarotti, Principal in the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. He founded and currently co-leads the firm’s Privacy, Data and Cybersecurity practice group, edits their Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals. Trained as an employee benefits lawyer focused on compliance, Joseph also is a member of the firm’s Employee Benefits practice group. During the conversation, Marc and Joseph explore the latter’s insightful cybersecurity journey, Jackson Lewis’s growth and service offerings, and the importance of better client-service provider rapport in cyber insurance.

Joseph started at Jackson Lewis in the early 2000s as an ERISA and tax attorney doing employee benefits work. At the same time, the HIPAA Privacy and Security Rules and the first data breach notification law in California were passed, which piqued Joseph’s interest. It led him to investigate cyber security issues for clients, and he gradually built a growing team around it.

Jackson Lewis stands as a forerunner in insurance panels with a fair advantage of deep experience dealing with carriers. They understand the rate pressures, the need for responsiveness, the process of doing insured work, and encourage meaningful customer relationships.

Over the years, clients have started to become more engaged in buying cyber insurance. Though one could attribute it to a contractual obligation, they’re mainly concerned about dependent business interruption from a cyber incident. To help with that, Joseph advises firms to examine the coverages, risks, retention, coinsurance, and related aspects to better understand the client business and help them achieve their sayings wisely.

Interestingly, people tend to have a good relationship with their brokers on the health plan side. Joseph hints at how the trend is gradually setting in in cyberspace as more cyber firms are working on building better client relationships by assessing and handing policies that genuinely benefit them.

Further in the dialogue, Marc and Joseph discuss cyber compliance and its ever-changing landscape. Though the term has existed for a long time, it has continually evolved with new amendments to cyber laws and acts and varies from institution to institution. It’s necessary to comply with any regulations, for non-compliance can impact your reputation.


“Compliance is a great word, and it means different things to different people. Some people, when they hear compliance, they’re like, well, if we’re 80% of the way there, that’s good enough, that’s compliant.”

“Compliance also means doing all the things that you need to do with respect to the regulatory environment in which you’re in. And for different companies, that means different things.”

“You may not be able to make information available to your customers, you may impact your reputation, all of that also plays into compliance in the sense that if we comply with a reasonable set of safeguards, we can really save our business.”

“What’s interesting there is this personal liability, potentially, right with fiduciary obligations under ERISA for companies that don’t do that, for individuals who don’t meet their fiduciary role, as well as on the other side for advisors and other entities that service plans.”


[00:43] – Joseph’s entrepreneurial journey

[03:43] – Where to contact Joseph

[05:17] – Advice around insurance coverage for clients

[12:33] – Cyber compliance amid the rapidly changing organizational landscape


Connect with Joseph:


Email: joseph.lazzarotti@jacksonlewis.com

















Biometric Information Privacy and Cybersecurity With Peter Halprin

In this episode of CHATTINN CYBER, Marc Schein interviews Peter A. Halprin, partner at Pasich LLP’s New York office, where he assists policyholders with insurance coverage issues. He is also an adjunct professor of law at Cardozo Law with expertise in areas of arbitration, commercial law, dispute resolution, and processes international arbitration. Today’s conversation is centred around privacy laws and explains the Biometric Information Privacy Act (BIPA) in detail.

The BIPA came around in 2008 and had since stood out from other privacy laws for its extensive litigation surrounding its purpose, scope of implementation, and relevant details. It intends to cover protection for biometric risks, including fingerprints, retinal scans, and several other face or body detections that have become commonplace today by regulating the collection, dissemination, storage, consent, and destruction of any associated data from the point of generation.

Any exclusion on the distribution of materials that violates a statute, particularly TCPA, would also apply to PIPA or other similar claims. Moreover, the BIPA also allows a private right to action, which means you can individually sue people for violations. Peter explains this by breaking down Six Flags’ fingerprint scan privacy issue, for which the entertainment corporation was slammed $36 million by the plaintiff as settlement despite having refused any fault or liability.

Bigger privacy violation claims can have a twofold benefit from insurance – helping with the defense of the claim and indemnity or the settlement of a potential class of action. A recent decision by the Eastern District of North Carolina has brought into light the importance of having your risk coverage neatly handled under a cyber policy.

In conclusion, Peter explains why it helps to have a broker to assess your policy – the more expressed the coverage, the better informed you are of the risks. Additionally, having the right policy can reduce the liability and defence costs on your side.


“The interesting thing, I think that we’re seeing, too, is a lot of litigation about whether or not insurance should respond. But I caution that most of those cases involve general liability, or business owners policies, and not cyber insurance.”

“An exclusion based on the distribution of materials in violation of a statute, particularly TCPA, would also apply to PIPA or other similar claims. ”

“I think that the main thing that people need to keep in mind is just when you’re doing policy reviews, and when you’re working with your broker to assess your policy, the more expressed the coverage can be for something like that. I think the better to know exactly what is and what isn’t covered when you’re buying your policy so that you can really understand the risks associated with what you’re doing, then to try to have to figure it out after the fact.”

“If you’re working with your insurer and your insurance providing coverage is that they may see a lot of these claims for a lot of their clients. And so panel counsel or counsel that is pre-approved may have a lot of experience by doing these things. And it may even help reduce liability and perhaps defense costs on that on that side, too. ”


[01:51] – Peter talks about his work and involvement with cyber insurance

[03:03] – Exploring the BIPA in detail

[07:27] – Does the BIPA have a private right to action?

[09:53] – The role of insurance in bigger privacy claims

















Exploring Fraud Resolution, Identity Theft Protection, And Security Incident Notifications With Michael Bruemmer

In this episode of CHATTINN CYBER, Marc Schein interviews Michael Bruemmer, VP of Consumer Protection and Global Data Breach at Experian Consumer Services, CA. Marc and Michael discuss the latter’s education, upbringing, unexpected journey into cyberspace, and unique business model and services.

Michael entered the cyber industry fifteen years ago, after quitting working on the tech side for Dell and Lenovo. After returning to Austin, he joined CSIdentity, leading the sales, data breach, and identity theft departments, and hasn’t looked back since.

Michael attributes Experian’s success in insurance cybersecurity with three things — their Program and Events Manager, their family of forensics experts, privacy attorneys, data analysts, and notification vendors (among many others), and the powerful brand and community they’ve created within the organization. Their notification industry work includes fraud resolution, offline enrollment, and identity theft protection.

Michael explains that the foundation of his work hasn’t altered in the past three years and continues to focus on consistently delivering incident notification services, meeting deadlines, and ensuring customer satisfaction. He discusses Experian’s unique business model that provides an ongoing fraud resolution, using which clients can get a year’s worth of credit monitoring. Michael also touches on Experian’s plans of rolling out crisis management response services soon.

The best practice to mitigate cyber risks at any company is to consult with cybersecurity experts before a potentially harmful incident has already occurred. Even if you haven’t had an event, Michael explains that you should always have a private attorney and a cyber insurance provider at the ready. In the event of a suspected breach, you need to reach out to them quickly.

Towards the close of the episode, Michael also talks about ransomware attacks and the percentage of companies giving in to such threats today. Tune in to this episode to learn in better detail about thriving in the cybersecurity industry.


“We value our relationships with people that refer us, that don’t refer us, because it’s such a small community. If your reputation is good in that community, it goes a long way but it only takes one bad event, one dissatisfied customer and then things don’t go so well after that.”

“What I suggest is that you have a privacy attorney, you’re also able to operate under privilege as you if you so choose to. And we’re always encouraging that with any client.”

“The survey that ZD net said was that, in actuality, 83% (of companies) paid the ransomware, which I found was really interesting, despite the FBI, despite the other regulatory agencies, they don’t pay, you’re probably going to get it dumped on the dark web, let alone your brand is going to be exposed. Let alone you’ll never get the encryption key.”

“About 50% of the events that we get contacted in become never notifiable. So in other words, we don’t even go into action, but we still get a heads up so that we can prepare.”


[00:43] – Michael talks about his upbringing

[04:38] – About the cybersecurity services provided at Experian

[05:58] – The notification practice at Experian

[10:21] – Why you need legal counsel before a potential cybersecurity breach/ threat

Connect with Michael:

Website: www.experian.com/databreach

LinkedIn: https://www.linkedin.com/in/michaelbruemmer/



Driving Innovation Using Simple Secret Management With Brian Vallelunga

In this episode of CHATTINN CYBER, Marc Schein interviews Brian Vallelunga, CEO of Doppler, a San Francisco-based company that provides secrets management software for developers. Brian has been featured in the Forbes 30 under 30 for enterprise technology experts for his outstanding achievements with Doppler. In addition, he has attracted the likes of Sequoia, Google Ventures, Kleiner Perkins, and Peter Thiel to invest in his startup.
Brian worked at Uber which gave him the needed experience and stability to help launch his own business. He founded Doppler to make secrets management easy for developers, which would increase a company’s security further.
A significant challenge Brian and his team faced with their company was fundraising — almost all the investors they came across were a bad fit for their company. It led them to join Y Combinator, a startup accelerator that has helped launch over 3000 companies to date.

From Insurance to Crypto – Understanding The Trends in Law with Stephen Palley

In this episode of CHATTINNCYBER, our host Marc Schein interviews Stephen Palley, partner at Anderson Kill. He chairs the Technology, Media and Distributed Systems group of the organization. Stephen is also a regular speaker and prolific writer on insurance, construction, and technology. He is the lead editor and contributing author to the ABA Forum on the Construction Industry’s best-selling treatise on construction insurance.

When in law school, Stephen had planned on becoming a technology lawyer. In a few years, Stephen had learned programming, found a new method for settling cases, and turned it into a software program! He then came across Bitcoin and Ethereum – two branches of crypto assets, and started working for crypto clients both on the front end regulatory compliance and handling disputes. Hence, interestingly, Stephen had set his career as a successful crypto lawyer at a firm best known for representing policy holders.

Stephen speaks on regulatory crackdowns within crypto in the U.S. and China. The crackdown in China has impacted Bitcoin miners, and a lot of that impact has moved to the U.S. But Stephen firmly believes that a similar crackdown cannot happen in the U.S. Stephen also comments on recent guidance from the OFAC around Bitcoin and the facilitation of ransomware payments. He says the guidance puts victims in between a rock and a hard place.

Stephen also gives guidance for millennials and Gen Z’ers who are fascinated by cryptocurrency. He says no matter what new thing is brought up, you need to remember that regulators and law enforcement judges will have access to it. Also, this is never quick money without effort – risks exist.


“We already have a fairly well-developed regulatory framework and a way of understanding crypto. I think it is too deeply embedded in our business at this point for it to disappear.”

“What we do tell people is that when faced with a conundrum, we definitely want you to be in touch with law enforcement.”

“If you are expressing a favorable opinion publicly about a security and you have a stake or position, and if you are being paid to promote it, under federal law, you have to disclose that.”

“Just because you gave something a new name doesn’t mean that regulators and law enforcement judges won’t be able to deal with it and address it.”

“One of the reasons for the fascination with space is pure and simple: the promise of hope for quick profits with not much work. I’m sorry, but it comes from somewhere, there’s always a risk, and somebody always pays.”

“What people don’t know is what’s happening behind the scenes. Most regulatory enforcement actions are confidential. You have no idea what the competitor is dealing with.”


[01:03] – Stephen reveals his story of getting into insurance law and crypto.

[04:21] – Stephen comments on the regulatory crackdown in crypto in the U.S. and China.

[08:30] – Guidance from OFAC on Bitcoins and facilitation of ransomware payment.

[12:47] – Advice for the millennials and Gen Z who have a fascination with cryptocurrency.

[14:33] – Risk management and insurance policies.

Connect with Stephen:

Email spalley@andersonkill.com

LinkedIn  https://www.linkedin.com/in/stephendpalley