Friday, December 5, 2025

Inside a Cyber Attack: Real Lessons for Insurance Leaders

[00:00:19] Gia Snape: Welcome, everyone, and thank you for joining us for today’s webinar, Inside a Cyber Attack: Real Lessons for Insurance Leaders. I’m Gia Snape, and I’ll be your host today. In today’s digital-first world, cyber attacks are not a question of if, but when. These events are now boardroom-level risks, with implications that go far beyond IT. And as cyber incidents rise across North America, insurance professionals are being called upon not just to respond, but to lead. During this session, we’ll take you behind the scenes of a real cyber event. You’ll hear directly from industry experts who have navigated high-pressure breaches, managed client expectations, activated response protocols, and seen firsthand the financial, legal, and reputational fallout. Whether your role is in underwriting, broking, claims, risk management, or advising clients at the strategic level, this webinar is designed to equip you with the knowledge to act decisively when it matters most.


[00:01:27] Gia Snape: Let’s meet today’s expert panelists, who will bring unparalleled experience from across the cyber ecosystem. First, we have James Rizzo, product leader, US D&O at Beazley. James has 17 years of underwriting experience and specializes in directors and officers and employment practices liability for both public and large private companies. Since joining Beazley in 2010, he has been deeply engaged in helping organizations navigate executive risk at the board level. We also have Catherine Heaton, focus group leader, Cyber Large Risk and Middle Market Claims at Beazley. Catherine leads Beazley’s Wrongful Collection Working Group, and manages claims related to pixels, privacy breaches, and class actions. Previously a class-action defense attorney at a Top 50 law firm, she brings legal precision to every claim she touches. Francisco Donoso, Chief Product and Technology Officer at Beazley Security. He leads product and technology strategy for Beazley Security. With a career at the forefront of major global cyber incident response, Francisco has deep expertise in threat intelligence and breach mitigation. He is widely recognized for his research into advanced cyber threats, including the Equation Group’s tools, and he has presented at leading cybersecurity conferences, such as DerbyCon, Microsoft BlueHat, and THOTCON. Francisco’s focus is on making cyber defense practical, proactive, and automated. And last but not least, we have Craig Linton, Head of U.S. Underwriting Management for Cyber Risk at Beazley. He leads initiatives to enhance risk management and leverage technology for improved underwriting. With over a decade of experience in the cyber insurance industry, Craig has held various roles in cyber, including at Beazley and The Hartford. He began his career as an attorney, eventually focusing on insurance coverage disputes. So we have an all-star panel today, but before we get started, I want to test everyone’s awareness and knowledge.


[00:03:43] Gia Snape: We have a poll ready for the audience. So, what is the percentage of global executives that felt their business was prepared, very or moderately, for a cyber incident? Is it 67% of global executives, 74%, or 83%? Please make a single choice. And I’m excited to see what the answer is. Right. So, most folks have answered 67% of global executives, followed by 74%, followed by 83%. So, I’m gonna hand it over to our panel. What do you make of these answers?


[00:04:51] James Rizzo: Well, the correct answer was actually 83%, which I personally find to be very ambitious, considering the complexity and number of cyber events we hear about, and how poorly so many are managed. I do find that to be an ambitious number, and maybe indicative of some denial that we see amongst the… those that were polled. I’m curious what our colleagues think about that. Catherine, what are your thoughts on this?


[00:05:23] Katherine Heaton: I think there’s a difference between feeling prepared and actually being prepared when the moment hits. I think you can do prep, and you can feel like you’ve got everything lined up, and then it is… sometimes just feels like pure chaos in the moment, especially when something is large, and it never happens exactly how you think it’s gonna happen. So I think… I think I would put the emphasis here on 83% feeling this way. Luckily, you’ve got insurance to help guide you through the process.


[00:05:51] James Rizzo: What about you, Francisco?


[00:05:54] Francisco Donoso: Yeah, thanks, James. I couldn’t agree with Catherine and you more. The number seems exceedingly high to me, given my experience responding to incidents, both large and small. I think a lot of organizations underestimate the chaos and disruption that a lot of attacks cause, and every part of the business is involved in responding in one way or another, if it’s a large enough incident. So, yeah, I was surprised as well.


[00:06:20] James Rizzo: And Mr. Craig? Linton?


[00:06:22] Craig Linton: I’m curious how the number would break down if we were asking those who have had a large cyber incident and those who have had not. And those who have had a large cyber incident, maybe they might come back from that experience thinking, I’m less prepared than I thought I was. And even having gone through an experience, I know that I have a lot to learn. So, I kind of echo everyone’s belief that, you know, this probably represents a lot of overconfidence. Yeah, I think especially once we get in and talk a little bit about the cyber landscape, that that’ll be more evident to those that are viewing as well. Which comes into our first question, what is the current cyber risk landscape like?


[00:07:03] James Rizzo: And I would describe it as asymmetrical warfare. Global cybercrime is reaching record levels. I saw one number put out by Berenberg Research that $10.5 trillion in cybercrime cost in 2025 is the estimate, which is a 13% CAGR every year since 2015. Some sources are saying greater than a 50% surge in cyber attacks, averaging just under $2,000 per week, as of stats out of Q1 2025. You know, the perpetrators are very sophisticated, and they take advantage of systemic vulnerabilities: the digital supply chain, vendor weaknesses, internal control weaknesses. They have the tools of advanced technology and AI, and, you know, it’s really becoming its… its own industry for organized crime and state actors. And no industry seems to be immune. Certain industries are certainly more exposed if you have a lot of personal data, such as healthcare, but we’re seeing oil and gas, donut manufacturers, chemical manufacturers, logistics companies, power generation companies, banking, financial services, telecom. Like I said, no industry seems to be immune. You know, popular on-site search engines have had mega losses in this regard, as well as credit reporting companies, and dozens of companies are citing third-party vendor system shutdowns that are resulting in financial loss affecting all industries. You know, it’s a complex landscape. It involves regulatory challenges, legal challenges, public scrutiny, operational challenges. You know, from a legal perspective, there’s a cottage industry of plaintiffs that are chasing alleged damages in this area for both corporate and personal liability, spanning from privacy-related matters, employment-related matters, loss of financial opportunity, or other damages that include securities class actions that can come out of these, an alleged breach of fiduciary duty or care. As for public scrutiny, media loves the subject. They enjoy sensationalizing it, and bad news travels faster than ever.
And, you know, from an operational point of view, organizations are globally complex, and, you know, the challenges are going to vary tremendously by industry type, for example. A tech manufacturer’s gonna have a very different posture to stand up their operations versus a software-as-a-service company.


[00:09:36] Katherine Heaton: There’s a lot of personal considerations that organizations need to make when they’re evaluating their cyber posture.


[00:09:42] James Rizzo: Francisco, anything you want to add to this, please?


[00:09:46] Francisco Donoso: Yeah, thanks, James. Look, as the resident nerd, I just want to say that the last few years, and particularly the last year, 2024, late 2024 to 2025, have been a little bit outstanding to me in terms of all of the things that have happened in the threat landscape. For context, here at Beazley Security, we have a team called Beazley Security Labs. Their job is to keep up with what’s happening on the threat landscape and keep Beazley, as well as our clients and my team, informed. And it’s just crazy to see all of the things that have just happened in the last few months. If we look at attackers targeting SaaS applications that are heavily interconnected and stealing the credentials, the identities that these SaaS applications use to break into other SaaS applications, it’s… it’s now becoming insane. If you look at some of the recent Salesforce breaches, it wasn’t because Salesforce themselves had a problem, but applications that plug into the Salesforce ecosystem were being compromised en masse by attackers. So we’re now seeing attackers shift from targeting on-premise technology, like what we saw previously, to targeting SaaS vendors, because the opportunity for downstream incidents is so much greater, and you have the ability to hack one company, compromise thousands or tens of thousands of organizations. What we’re also seeing in the last few months is a lot of attacks against the developer or software engineering ecosystem, and if you’re not a technology person, you may be asking, like, why does that matter? Well, these are the people who build the SaaS software that ultimately hosts all of this critical infrastructure and tooling that these organizations use, and what we’re seeing is attackers launch really intricate, interesting, complex attacks against the people who make the software, in an attempt to infect them and the systems that are running the worldwide ecosystem.
So I think what we’re seeing in the last few months, and throughout the last few years, is just compounding this asymmetrical warfare that you mentioned, James, and making it hard to keep up, to be honest. Even as somebody who’s been doing this my entire professional career, things are accelerating at a rate I’ve never seen before. So, yeah, things are crazy, I would say.


[00:12:13] Katherine Heaton: I would completely agree with you, Fran. I think that the… what we’re seeing on the claims side is, every quarter now, there’s some large-scale downstream events, and then even beyond the large-scale ones, you have smaller shops that lead to smaller downstreams, and then the downstream impact is enormous, right? You can have hundreds, thousands of companies that are all dependent on one vendor, which is why it’s such a rich target for threat actors, right? And we see threat actors, I think, specifically going after these. They can get very large extortion payments because there’s so much data, and it’s having such high impact on the companies. If we think about the Change Healthcare example, I think that impacted most healthcare providers in the country, or at least a large section of them. It was enormously disruptive to these companies. And this is a newer trend. I mean, downstreams have always been there a little bit, but it’s only in the last year that we’ve seen it. I think almost every quarter, there has been one really significant one. I think the other thing to think about with these is, you know, I think companies do a lot of investment in their own infrastructure and trying to protect their assets, and that’s great, but with the rise of the downstreams, you really have to focus, too, on who your vendors are, who has your data, what is the impact, whose systems are intertwined with your own so that it gives access to your systems. It’s just a lot more looking outside and not just at your little closed system. And then the final thing I want to mention is that there’s also been now a rise of class actions falling out of this. So we didn’t used to see very many class actions coming out of the downstream. Usually, if there was a class action, it was only against the entity that was targeted at the outset, and plaintiffs’ counsel have discovered that they can go after everybody.
Sometimes we get classes where it wasn’t even your vendor, it was your vendor’s vendor that had the breach. But if they’ve got your data, you were still a target for a class action, so you have to think a lot more about the long tail, not even just the short-term disruption of it.


[00:14:14] James Rizzo: Any comments from you on this?


[00:14:15] Craig Linton: Yeah, just to kind of piggyback on Catherine’s comments, I think supply chain attacks are just increasingly common, and they’re not all the same. Some of them are manageable with planning, you can avoid them. If there is… if you’re reliant on one data center, if that data center goes down, can you have a backup data center that can fail over? You know, that may be an option. On the other hand, there are some instances where, you know, the failure of a critical supplier is not something you can really manage, because that supplier is someone you depend on, and, like the Change Healthcare example that Catherine gave, in the automotive services space, there was a vendor who had an outage, named CDK, and it was a vendor who, you know, every… not every, but a large portion of auto dealers relied upon, and there’s no, you know, realistic, you know, failover mechanism for… for that type of… of reliance. So, I think there… those are things that are… that have to be investigated and managed on an individual account holder, individual basis. But, yeah, what can companies do to mitigate that? I think, first, it’s plan and investigate. I think a lot of… we’re still seeing a lot of, you know, on the non-supply chain side of things, ransomware remains very common. Policyholders are a lot better equipped nowadays than they were maybe 3, 4, 5 years ago. They have more layered defenses, they have backups, but despite all these improvements, breaches still happen, they still cause major losses that we see on a regular basis, and you know, we… continue to advise our policyholders, you know, what you can do is take a look at our application questions, and you can download them from our website before you even submit an application, and you can use that as a checklist to go through and, you know, see where you… how you stack up. People ask us, you know, how… how does… what are you looking for as an insurance company for us to do?
Well, it’s right there on our application, so I would encourage policyholders and those who are looking for cyber insurance, and actually anyone, to look at our application for a list of things that they can do that we feel are important to avoid and mitigate losses.


[00:16:44] James Rizzo: Very helpful.


[00:16:46] Francisco Donoso: Yeah, thanks, thanks, everybody. I, you know, it’s… it’s funny, we here at Beazley Security are a forensics and incident response provider as well, and that means after somebody calls the… their carrier, and somebody like breach counsel is engaged, often we are brought in to help organizations respond and recover. So I’ve been thinking a lot about the first 24 to 48 hours in incidents that I’ve seen, and what I think a lot about is the unfortunate confusion and panic that I see for a lot of organizations, which goes back to how we all started this, which is 83% is an exceedingly high, overconfident number. What I have seen consistently during the first 24 or 48 hours, regardless of the size of organization, is that there’s a lot of confusion and lack of communication. Often tempers are really flaring because, you know, folks are not aware of, hey, who should be providing updates to an incident response committee? Who should be providing updates to an executive committee? How are we communicating that to our employees? Or how are we communicating that to the public, or our clients, our stakeholders? And what I often see is a lot of this is sometimes prescribed in a really long incident response document that somebody drafted, like, 5 years ago and nobody has looked at or touched. And… and often, those incident response documents are, quite frankly, so long that nobody has time to even look at them during an incident. So, a lot of organizations who feel prepared because they have this 85-page incident response document, when things happen, nobody’s sitting there reading that document to understand exactly how to respond. And often, what we also see is some of the most important parts of how to respond to an incident are often left out from those response documents, and for that, I mean understanding business-critical applications.
Part of our job when we engage with an organization that’s had an incident is not only understand how it happened, not only help kick out an attacker if they’re still in the environment, but help them recover their IT systems. And one of the first questions you need to ask yourself is, what do I recover first? Are there dependencies? Does this system need to come up before this system? What drives most of our revenue? How do we communicate with our clients or vendors? So having a list of the most critical systems in an order that you need to bring them up seems like a no-brainer to a lot of folks who are doing this all day, every day, like myself, but that’s often not included in an incident response plan. So, in the first 24, 48 hours, I just see a lot of confusion and, unfortunately, you know, frustration with organizations, and it often impedes our ability to restore and respond for organizations. I’m curious what you think here, James.


[00:19:57] James Rizzo: Yeah, well, echoing your comments, you know, these are all-hands-on-deck moments where a lot of things can go wrong. An organization is required to govern itself on all fronts, and that includes standing up its operations and its operational recovery, getting back to business as usual, dealing with their cybersecurity posture and remedying the issues that it found, as well as disclosure of the event, whether that’s to those that are immediately impacted or your regulators. If you’re publicly traded, there’s a whole other host of regulatory considerations. The SEC came out with Regulation S-K Item 106, which went effective in December of ’23, and that requires the registrants to explicitly describe their cyber posture, their process, their board oversight, and their ability to assess, identify, manage, and remedy a cyber event. And with that comes, you know, a lot of specific rules on how they need to disclose the recovery. You know, in a very short period of time, which they have 4 days from the time they determine materiality, they have to… they have to disclose the impact, challenges, and risk associated with that, which involves a materiality assessment, which is exceptionally complex to describe, depending on your organization. You have to, you know, fully detail the nature and the scope of the incident, and the impact of the incident on the operation and financial condition. And those… those events are exceptionally complex. The technology that is helping to perpetrate these events is complex, and 4 days isn’t a lot of time to determine. And, you know, it’s a heavy burden, particularly for our smaller insureds or pre-revenue insureds that don’t have, you know, exceptionally robust risk management teams. There’s quite a bit to go in there, and, you know, a firm has to be readied to file their 8-K, as well as get their operations up and running, and it’s an exceptionally complex challenge for our clients.


[00:21:59] Francisco Donoso: James, can I just cut in on that for a brief second? You mentioned this 4-hour, or this 4-day time period. Another thing that we’re starting to see, actually, is a lot of organizations are asking us to notify them within 24 hours of an incident that we have as a third-party provider. We ask that of our third parties, because we just talked about the impact of all these third-party ecosystems. So often, sure, you may have a legal requirement to notify the SEC, but also you have a requirement contractually with some of your clients, at least I know for sure we do, and we keep track of who we have to notify within 24 hours if there is an incident. So I think… you know, being prepared to understand the impact and communicate that clearly to clients, stakeholders, the public is exceedingly important. Sorry, James, I just wanted to mention that.


[00:22:54] James Rizzo: I appreciate that.


[00:23:00] Craig Linton: So what’s the best practice for how we can prepare for operational, for legal, for reputational fallout from a cyber incident? And I guess I’ll offer my… my first thoughts. One thing, I think, is to think like an attacker. You know, most organizations should not be focusing on the nation-state attacker, shouldn’t be focusing on the most sophisticated attack. Instead, they should be focusing on things like, how are attackers going to bypass multi-factor authentication? Maybe because it’s not configured everywhere? Or how am I going to deal with just a phishing incident? You know, we want employees not to click links, but what if they do? What are the layers of security that prevent a phishing attack from actually being successful? And then, other things, like VPN and firewall vulnerabilities. You know, VPNs are the way that remote workers and other people outside of the physical premises of the organization get in. Well, that includes hackers, and so how can we make sure that those defenses are fortified and that there are layers of security there as well? And I think all of those things, all those things that are, like, high on the list of things that can go wrong and allow an attacker inside an organization, they highlight the importance of planning. And really, those who have planned for an attack have much, much better outcomes. And that’s why, getting a little into the insurance side of things, this is why we want policyholders to take advantage of our risk management offerings, the things, the services that we provide, because we realize that insurance, yeah, we want to sell you an insurance policy, but also, we think that these things are important, like, tabletop exercises, going through a plan with your incident response provider, with your chosen choice of counsel. You know, the first time you talk to those folks should not be when you have an incident. It should be in the planning stages.
So, I’m curious, Catherine, what are your thoughts on that?


[00:25:02] Katherine Heaton: Yeah, I think my number one best tip is work with your carrier. We have insureds most of the time that work with us very well, right? They come in, they report early, they’re making sure that they’re talking to us, and that really lets us help steer and guide them. We’re working very closely with their counsel, we’re working with their forensics provider and making sure that they’re maximizing coverage, but also understand all the tools and resources that are available, right? The policy goes beyond just your legal and forensics. We can help if you need PR, crisis management, things like that, but it really helps to integrate with us. We can give you tips, we can give you advice about which people to go with for restoration, for all of that. And so when people work with us, I think they really get a better experience. I think when it doesn’t go well is when somebody decides they want to do it themselves. Usually, it’s with legal counsel guiding things who aren’t as experienced in this space, really don’t know what they’re doing, and lead them astray. I even had some where they were relying on, like, a local IT vendor who’d never handled an incident. They were really there to sell computers, and what the IT vendor told them was, there’s no way to recover, you need to just get rid of everything, lose all your data, and buy this whole new suite of computers, which, you know, then there’s… then you’ve got coverage issues. That cost is not necessarily gonna… gonna come through. So, we’d much rather be in lockstep with you, in sync with you, and, and help you manage this process, so… best advice for you all is, just reach out to us. We’re friendly, we will get on the phone very quickly, we’ll turn things around quickly, and just, just really help you. Jim, what do you… do you have anything to add to that?


[00:26:36] James Rizzo: Well, I fully agree with both of you. I mean, really, the… the forefront of protecting yourself from a best practice perspective is to partner with your carrier. I mean, the reality is, the companies that are covering these exposures have the most experience in dealing with them. You are the tip of the sword, seeing all these events from a broad spectrum of industries and actors, and you have an experience level that nobody else does. That’s exceptionally valuable for our clients in managing these events. You know, it has to be a part of your own cyber resilience strategy, and you have to factor that into your assessment, because these are such complex events that come with a massive administrative burden that will dramatically vary by operation type. You know, and so the better you know thyself, and the better you partner with your carrier, the better your risk management is going to be. And, you know, the one thing to remember is that carriers don’t love spending their money on losses, and all these risk… all these risk management practices are there to save you on your damages, as well as our own, because we are there to transfer risk, but if we can help you mitigate the risk, your posture’s just going to be that much better. And, you know, and it’s not just getting the operations up and running, and getting your IT systems back going. There’s a whole host of regulatory, legal, and compliance things that come along with this. You know, there are, you know, for example, sanctions checks, and, you know, these things involve inside counsel, outside counsel, compliance. You know, if you’re a federal contractor, you’re now involving federal agencies and national security. The FBI and all the three-letter agencies can get involved, as well as state, local, and federal law enforcement.
There’s a lot to navigate, and you can’t just pay anybody a ransom without some potential recourse on a… on a legal level, so having a carrier that’s experienced with dealing with these events, that can navigate the legal landscape and really help you, you know, get back up and running, is essential.


[00:28:49] Francisco Donoso: Yeah, thanks, James. I’ll add to that a little bit. You mentioned the sanctions check, and this is particularly interesting as an incident responder and somebody who just kind of follows along with this threat actor landscape. It’s particularly hard because often, you know, the name of the ransomware group is sanctioned. Sometimes it’s individuals, but most of the time it’s such and such ransomware group has been sanctioned, you cannot pay them. What happens is the ransomware groups obviously know that, so they just rebrand, but you don’t… they’re not putting out a statement that says Group X is now Group Y, because that would make it hard to evade the sanctions. So something that you mentioned is these sanctions checks, and that’s where, like, a lot of that complexity comes in, and there’s organizations like Visa Security or others who are tracking, like, hey, this threat actor group has now rebranded to this threat actor group, so if you pay them, you may run afoul of some sanctions. What also, I think, is super important to me to consider, and I know that it’s hard to look at it in the micro level when you are the company that is involved in the ransomware, right? Is every time we pay these ransomware operators, we are enabling them to reinvest in what is realistically a business. And what we have seen is this ransomware investment life cycle is what has led to these increasingly more and more complex and more and more impactful ransomware attacks. So I like to think about, from a response perspective, here at Beazley Security or other companies, how do we make sure we never have to pay the ransom? What does that mean to us? How do we make sure that we’re able to recover our business and protect our client data in such a way where we don’t have to pay a ransom? Because that just enables the ransomware ecosystem even further.
And I, I always think a little bit about what we’re seeing today from an attacker perspective. You know, a few years ago, they were just encrypting all of our computers, because people didn’t have great backups. We then got pretty okay at backups, and the ransomware actors recognized that, so they started stealing all of the data so that they could, you know, extract money that way. So I think what we’re seeing is every time we get decently okay at responding and thinking about how we would prevent one type of attack, we’re seeing another type of attack pop up, because these financially motivated threat actors treat this like a business and are constantly innovating. So, I’m curious what Craig thinks.


[00:31:27] Craig Linton: You know, I… I do think that the thing you said about the backups, that rings particularly true, you know. I think in the past few years, a lot of organizations have really done a lot better job at doing the basics, like having backups, but that… that exfiltration element, you know, adds another layer of complexity. The attackers are trying to stay ahead of the ball, and, you know, we’ve not… done a great job of data minimization, and of course, every organization needs to hang on to data, just for their operational purposes, so that there’s really no way to, there’s… it’s very difficult to mitigate that, that exposure. So, yeah, I think that, you know, largely comports with my thinking. And, you know, there’s… the other fallout from all of this is, of course, you have an insurance renewal. Hopefully you have insurance, and you have an insurance renewal, and we certainly, our underwriters certainly consider what is… how did this… policyholder respond to the incident? Did they have a good incident response plan? Did they work well with the vendors that they chose? Did they do things with, you know, due dispatch, or did they put in a claim on a Friday and then wait till Monday to start, to start dealing with it? You know, I think those things do come in… come into play, and we do take a look at the policyholders who do the right thing, and there’s also the policyholders who may have dropped the ball, and that all factors into an underwriter’s thinking on, you know, what are the best terms for this renewal.


[00:33:06] Katherine Heaton: One of those Friday night special things is we frequently see when IT has tried to work with, like, their local vendor who doesn’t actually handle these. And they’ve worked all week, and then… the weekend’s coming up, and it’s in total panic, and something that, you know, if it had been reported right away, it was pre-encryption and would have been a lot easier to resolve. By Friday afternoon, when they finally report it, it’s now turned into a much bigger deal. So, we call that the Friday night special; we frequently get notice. It’s almost like clockwork on a Friday.


[00:33:36] James Rizzo: Do you think that actors actually plan attacks around difficult times?


[00:33:41] Francisco Donoso: Absolutely, 100%. There’s literally.


[00:33:43] James Rizzo: Holidays. They love holidays.

 

[00:33:45] Francisco Donoso: Thanksgiving, the 4th of July, at least in the US, any of those, like, country-specific holidays. They absolutely stage attacks on Friday evenings, Saturday mornings, when there are fewer folks watching, or during holidays.

 

[00:34:02] Craig Linton: Yeah.

 

[00:34:02] Francisco Donoso: Another thing… oh, go ahead, Craig, please.

 

[00:34:04] Craig Linton: I was just gonna say, we see it in our data: August is quiet, because they go on vacation, too. They're human, too. So, yeah, they know what they're doing.

 

[00:34:17] Francisco Donoso: Yeah, and just to add to Catherine's point on the Friday night special, something that we often see which is really detrimental to resolving issues is folks who work with their, like, IT managed service providers to recover often don't think about the forensic data that we, as responders, need to understand how did this even happen in the first place. And the reason that that's so important is because it helps us prevent it from happening again in the future. And often, when organizations go in and, like, recover stuff in a panic, maybe they're restoring a system that had critical forensic data that told us, here's how the attacker got in and moved to this system. So I think what's really important is, once again, it goes back to preparation and that incident response plan. Not only are you recovering the system, but how are you keeping the forensically relevant data, which is super important for us to help you figure out how this shouldn't happen again, alive and viable, so that we can give you those answers and make sure that the attacker's still not in the environment? Because that also happens very often.

 

[00:35:23] Katherine Heaton: Yeah. Yeah.

 

[00:35:24] Craig Linton: When the attacker gets in a second time, the same way as the first, that raises a lot of eyebrows when it comes up for renewal.

 

[00:35:34] James Rizzo: Incredible. You know, that takes us to our next topic, which is what lessons can we learn from some of these high-profile cases? And I'll start off with, certainly, chance favors the prepared. You know, if you seek out the appropriate fit-for-purpose protections and certifications for your organization, you're going to be better off. If you partner with experts, you're going to be better off. If you document your business judgment and why you govern the way you do, you're going to be that much more defensible if things go wrong. And if you actually practice tabletop exercises, and you know how to notice your carriers, and you know how to engage your crisis management partners, and you have some procedural resilience through these tabletop drills, you're just gonna be a better actor. And from a liability perspective, the plaintiffs' bar has the benefit of hindsight being 20/20. So you're going to be judged on everything. You're going to be judged on the quality of your disclosures about your cyber posture, you're going to be judged on your ability to deal with the cyber event itself, you're going to be judged on your ability to recover from such a cyber event, you're gonna be judged on any business damages or loss of financial opportunity that came out of that event. And again, hindsight being 20/20, it's really easy to find a flaw, or a chink in the armor, and the plaintiffs' bar eat that up, and sensationalize it, and really prey on a client that is already a victim of a different form of attack.

 

[00:37:13] Francisco Donoso: Thanks, James. I'll also mention the value of those tabletop incidents. Look, again, I'm your resident nerd. I apologize. This is my new entry into insurance. I've been in the cybersecurity space a ton of the time, but what's always been so intriguing to me, participating in some of those tabletop incidents, is, again, as a nerd, all of the non-technology things that I hadn't considered, particularly around, hey, how are you notifying employees and making sure that when it gets leaked to the media, you've notified your employees that there's an incident, that you've got the ability to communicate clearly with the media about the status of the incident? Or how are you engaging not just plaintiff's counsel, but how are you working with that team to make sure that you're filing all the appropriate disclosures at every place where you may have users who were impacted, either employees or those folks? I'll just echo the value of that from my perspective; seeing the non-tech side of the incident has been really eye-opening to me, and I can't highlight the value of those enough. All right. I did want to touch on something that Craig mentioned earlier and that we've been talking about, which is attackers constantly innovating and moving. As, you know, we get okay, and I'm not gonna say anything in cybersecurity is good, but as we get okay at securing stuff in cybersecurity, we see attackers shift once again, and what we've seen recently with AI is particularly interesting to me. I know Craig and I have actually spent a fair amount of time talking and thinking about this AI landscape and how it changes, but, you know, in the last few weeks, we've seen some really interesting announcements from some of these really large vendors. Anthropic, that's a competitor to OpenAI, actually released an interesting report essentially saying, look, Chinese nation-state attackers, so spies, used our Anthropic models, our AI models, to target a bunch of organizations, and in some cases, they were successful.

 

[00:39:25] Francisco Donoso: The thing that's interesting to me about that is we all knew this was coming. I knew this was coming, Craig knew this was coming, the security industry knew this was coming. I personally did not know that it would be this soon. It is way earlier than I expected around orchestrating attacks, leveraging these large language models, these AI platforms, and seeing success. We've started to see a lot of investment in cybersecurity and what we call penetration testing, which is, like, automatically attacking and, you know, kind of working to make organizations better by helping them understand how an attacker could attack. We've seen a lot of AI investment in this area in particular. And that's because there's less penalty for being wrong. If you're wrong in attacking a system, the AI can just try again, and again, and again, and again, and again, until it gets it right. On the defensive side, being wrong can be really detrimental. And the problem that we see with AI right now is that it's got a tendency of being wrong often enough. So attackers have this asymmetrical advantage of, like, yeah, just deploy AI at it, they'll get it right eventually. And defenders have this challenge where it's like, well, we gotta be correct more often than not. So I think we're seeing some really big changes in the AI-specific threat landscape, and right now, we're at an asymmetrical disadvantage, to be very, very honest. And I'm quite curious and a little bit terrified as to what the future holds as these attackers leverage these models and capabilities more and more. What we're seeing also is, you know, organizations on the defensive side are basically saying, look, the only way we're going to keep up, not win, but keep up, is by employing what we call preemptive security. So, using AI tooling to identify issues that could be abused by attackers before they're abused, and then automating the resolution of it before they're abused. Not necessarily automatically responding to AI attacks with AI; it's not going to be robots fighting each other, but a robot trying to prevent another robot from even figuring out how to break in. So I'm curious, Craig, in particular you, what you think about some of the recent developments.

 

[00:41:56] Craig Linton: Well, I think earlier this year, we were discussing this internally, and we were asking ourselves the question, have we seen hackers use AI to accelerate their attacks or make them more efficient? And the answer was no. No, we hadn't seen them do that. Did we suspect that they were? Yes. Because they're nerds like we are. They use computers, they use ChatGPT just like we do. So, the answer was yes, we thought that they were doing it, and now this recent report from Anthropic, I think, just validates that, yeah, of course they're using the tools that we use as well. So I'm concerned for the future, if organizations don't start thinking about, you know, how an attacker thinks. If you think about how an attacker thinks, they use AI to, you know, scan and look for vulnerabilities in your system and pivot quickly. Well, an organization can also do the same thing against itself: you know, employ automated processes to discover vulnerabilities and try to exploit them, and once exploited, report that and patch it. I think there's opportunity there to kind of step into the shoes of a hacker, to identify and remediate vulnerabilities, rather than identify and attack and exploit vulnerabilities. So, kind of optimistic and pessimistic at the same time.

 

[00:43:29] Katherine Heaton: I'll jump in. I think we've been talking a lot about, sort of, the chaos and frenzy of the incident as it's happening right now, but one of the things that we see having huge impact is that long-tail consequence. So there's a lot more than just the initial incident response that happens with these. And so, you know, I wanted to address a little bit what are some of the overlooked consequences months later after the attack that we see. The one that I focus on most is class actions, and data breach class actions in particular. I would say a couple years ago, you would only get a data breach class action if you had something like 500,000 or more people whose data was impacted. We now see data breach class actions arising out of, you know, only a few hundred people. And I think what's really happened is this whole cottage industry for plaintiffs' counsel has emerged. They are making so much money on these class actions; they bring what I perceive as fairly frivolous claims, so it's literally just data was impacted, almost regardless of whether the company actually did anything wrong. Like I said, sometimes it's your vendor's vendor that was impacted, and you'll still get a class action filed against you. So we're seeing a lot more of these, with a lot smaller classes. It's becoming almost guaranteed that if you have an obligation to notify almost anybody, you're going to get a class action. So I think it's good for companies to think proactively about that, because the cost of the class actions and settling them, even when they're small, is surprisingly large. It used to be, and the way it should flow is, that the company notifies people that their data has been impacted, and then somebody gets upset, or is worried about the security, and they reach out to a lawyer, and then they sue the company that had the attack. The way it's working nowadays is it's really plaintiffs' counsel driven, so they are trolling, like, the Attorney General websites or the OCR's websites. There are these regulatory obligations that require you to notify regulators, sometimes very early days, before you've notified anybody else, so sometimes within just a couple days. They troll those websites before anybody's been notified or even knows the size of the class, and then they will go out and solicit for plaintiffs, so they'll put up, like, Facebook ads for people in the area and say, oh, are you a patient at this hospital? If so, I've got, you know, some juicy cash that you can get for no work at all. We'll do all the work and you'll just get the money and, you know, let's not worry about it. And so you get much faster class actions. Often now, they're being filed before we've notified people. It's totally nuts.

 

[00:46:02] Katherine Heaton: And so I think it's good, at the incident response stage, to really be thinking about the fact that that is likely coming down the pike, if it is not already early days. I think one of the most common mistakes I see is companies who think that if they notify everybody that something's happened, without first doing analysis of who they actually have to notify, they'll get a better result. Or people who think, if we just throw credit monitoring at everybody at this incident response stage, that's gonna prevent a claim. That is the opposite. Plaintiffs' counsel see that as blood in the water; it gets them very excited about the amount of money they can get for this class action. And so, when you've notified everybody and not just that select group that actually had data impacted, suddenly the class that you're settling is everybody. And that can be enormously large, even if you're only doing a couple dollars a person because somebody's data wasn't actually impacted. If you've got millions of people that you've notified, that is a very large settlement. Same thing with credit monitoring. If you provide it proactively at the incident response stage, you have to then provide it again at the settlement stage, right? That's going to be the main form of relief that plaintiffs' counsel wants, so you've really just increased your settlement cost. This is why it's really helpful to talk to people like your insurance company, who sees the whole thing, and we can help you navigate some of those things where, you know, your gut instinct is that you're doing the right thing, and what you're actually doing is setting yourself up for a much more expensive class action down the road. Jim, you deal with a lot of class actions on the D&O side. What do you see with this?

 

[00:47:29] James Rizzo: We get the securities class actions that are typically born out of either the business disruption or the value of the disclosures that surrounded the event. You know, when these events happen, there's often work slippage. If you're complex manufacturing that's, you know, sophisticated processing, you can have quality assurance issues, customer acceptance issues; these can lead to long-tail exposures where maybe you had a formulation that wasn't quite right because of the disruption that happened in your factory, and then you have customer acceptance issues. You know, and then this ultimately leads to financial write-downs, your stock takes a dive, which impairs your goodwill, or you miss your financial projections, or even sometimes, you know, if the cyber event results in a factory explosion or some other thing, you deal with potential personal injury and death, pollution events, property destruction, a whole host of things that can come out of this nexus. And then you're dealing with the subsequent securities class action, or environmental litigation, or reputational harm. You know, and all of these allegations, as I mentioned before, come with the benefit of hindsight being 20/20. If you overstated your cyber posture or downplayed the cyber event, you're accused of cyberwashing. Even if it was an honest misjudgment of how severe the event was, you'll be criticized on your initial assessment, and then the actual handling of it, as we mentioned before. There are so many ways that the plaintiffs' bar is gonna allege a breach of fiduciary duty, or an allegation of missed opportunity, and there is, you know, this sort of victim-shaming event that happens. You're held accountable, and you will be held accountable for your actions. Fran, anything to add in here?

 

[00:49:24] Francisco Donoso: Yeah, look, I'll come at it from a technical perspective. Sorry, I'll mention that often what happens is, you know, these attackers stole data that's really critical, and in a lot of these recent third-party breaches that we've seen, as an example, the Salesforce breach, where, again, Salesforce was not breached, but applications that had access to Salesforce data were. We saw attackers look in Salesforce for sensitive data, like support tickets that had credentials, or had usernames, or had insight, and then abuse that data to break into other accounts. So often what I like to think about, from an incident response perspective and the long-tail impact of an attack, is how can the data that was stolen be used against us in the future? And how can we make sure that we're prepared for that and preempting any potential attack? I also would caution: a lot of these ransomware groups, when they steal data, you know, they promise, they really triple-dog promise, that they're gonna delete your data once you pay the ransom. These guys are criminals, you know? The promises don't really mean much. They don't really delete the data. So think about what data they stole, and what's gonna happen with it, even if they promised you they deleted it. Craig?

 

[00:50:45] Craig Linton: Yeah, I'll try to tie a bow on this by kind of going back to something that Catherine was talking about. And basically, the idea is that an ounce of prevention is worth a pound of cure. An ounce of breach response is worth a pound of class action defense, and we really designed our Beazley Breach Response policy, which is our flagship insurance policy, around the idea that you handle the breach well. And you get the services, not just the financial compensation from us, but also the services from our claims managers and our cyber services managers, who can advise you on what's the best course of action, which may be a little bit counterintuitive, like the credit monitoring example. And that will ultimately mitigate the impact of the incident on the organization, you know, months and perhaps years down the road. So, I think that's important to keep in mind. We handle, you know, thousands of incidents, and we're seeing things from, like, a 40,000-foot view, where we see things over the long horizon, and we're not just seeing things from the perspective of, say, an incident response vendor who's in for 30, 60, 90 days, and then leaves. We see things over the long term, so you can really rely on and get some good insight from the experience that we have. So I think now, we are going to go to a poll.

 

[00:52:24] Gia Snape: Some really interesting insights from our panelists today, and we have a second poll for our audience. What percentage of firms plan to invest in improved cybersecurity this year? Do you think it's 55% of firms, 37%, or 26%? We'd love to get your thoughts on how you believe organizations are preparing to be more cyber-ready. It was such an interesting discussion. Thank you so much to everyone who has stayed, and we have the results. So, 54% believe that 55% of firms plan to invest in cybersecurity, followed by 37%, followed by 26%. So, to our panel, what do you think is the correct percentage?

 

[00:53:25] James Rizzo: The results we'd gotten from our risk managers surveyed were 37%, which, you know, dovetailing with the first statistic we threw out there at the beginning of this presentation, seems awfully low. Again, I just think, you know, people tend to be a little bit overconfident in their posture, and maybe live in denial about how vulnerable they are, and I think these statistics certainly support that. Curious what the other panelists think.

 

[00:53:56] Craig Linton: Just one comment on that. I think, you know, we use the word invest, and invest can mean, you know, throwing money at a problem, but I think there are a lot of cybersecurity problems that aren't necessarily money problems; they are process and procedure and policy problems that organizations just need to get their hands around, and they take time and the investment of human capital rather than, you know, dollars to buy an outside vendor's product. So I think there's a need for that human investment in practices, policies, procedures, just as much as there is often to spend money on vendors.

 

[00:54:34] Gia Snape: Alright, and we have time for some questions. I’m curious what the panel thinks about how boards should measure their cyber resilience in practical, non-technical terms.

 

[00:54:53] James Rizzo: Whoa. I'll start off with, like, keeping track: tracking the number of breaches and security incidents that you have, monitoring your critical services, and really what your objectives are, having your objectives set for what a reasonable recovery is. You know, you need to measure these things, you need to quantify your exposures, and you need to have a plan. I mean, really, the best thing a company can do is, you know, and I've said this before, chance favors the prepared. So, engage your experts, use your brokers, your carriers, your information security partners to evaluate, remediate, and fortify your posture. And don't just do that; document your findings. You know, there are protections for business under the business judgment rule that work to your favor, and if you document your diligence, your findings, and you show a deliberate plan of action and protection and remediation, then you're going to be that much more defensible if things go sideways. One is not required to be perfect, but one is required to have a plan that is thoughtful and fit for purpose. Anything fellow panelists want to add?

 

[00:56:15] Francisco Donoso: Yeah, I'll add something briefly. One of the best chief information security officers I've ever worked with in my career used happy face, frowny face, to cover some particular areas. There's a framework in NIST called CSF, which is the Cybersecurity Framework; that is what it stands for. And there are some really easy-to-understand categories, like Protect or Detect, Respond, in that framework. And the CISO literally just did happy face, frowny face, or, like, moderate face for each one of those phases when reporting to the board, and said, look, here's where we are. Here's what we need to do to get to a happy face. And what I see often is a lot of technical people like me love to throw a bunch of technical mumbo-jumbo at board people who frankly don't care. So I think one thing I would consider for security folks or, you know, risk managers is clearly communicate where you are in strengthening your defenses, mapped to a common framework that's supported in the industry, like NIST CSF, and communicate what you need to do to get to that happy face. It's just one of the most successful CISOs I've ever seen in my career, so…

 

[00:57:34] Gia Snape: Great, and we have an interesting question from our participants. Curious about the panel's experiences and impressions on authorities and regulators reacting to these situations. Using a property analogy, e.g. a warehouseman, liability for property being stolen seems to be a straightforward test of reasonableness, i.e. negligence, in terms of the warehouseman's efforts or measures. In the case of cyber, it's seeming more and more like authorities or regulators are aiming towards perfection rather than a reasonableness/negligence test, which, to a degree, starts to feel like victim blaming of a sort. Any thoughts or comments on this, or am I just being uncharitable?

 

[00:58:15] James Rizzo: No, I would agree with that assessment. You know, we've recently seen a phenomenon where regulators are explicitly going after the CISO, or folks in charge of cyber incidents at publicly traded companies. And where it was historically an entity matter, they're now bringing in the individuals and holding them personally accountable. We've seen that in other industries as well, where there seems to be a federal angle to going after individuals and not just corporate entities; the Attorneys General have spoken of that. I think it's easier to hold people accountable, and when you put humans in fear, they tend to act differently, particularly if they can't hide behind that corporate entity. Panelists, any comments on here?

 

[00:59:03] Katherine Heaton: I would say we do see that. We do see a lot of regulatory activity, but a lot of what we're seeing in most instances is just some back-and-forth discourse, and it doesn't often lead to penalties. It sometimes does, but I think most of the time it's just a lot of questioning, and then you can get to a place where there's a comfort level, where regulators don't feel like they need to go further. I think that the real disconnect is that, with the rise of the class actions, plaintiffs' counsel are the ones trying to hold companies to a perfect standard, and that's significantly more costly. I mean, even when we see regulatory penalties, for the most part, with some, you know, notable recent exceptions, it's fairly minimal as compared to the cost of settling a class action, and so I think it's that drive, which is more plaintiffs' counsel trying to get money, less about companies actually falling down on the job and not doing the right thing, that's driving up the cost of these.

 

[01:00:04] Francisco Donoso: I'll maybe buck the trend slightly. I don't know that I agree that some of the proposed regulation or requirements that I've seen are unreasonable or aiming for perfection. I think that this is maybe just my view from a, you know, long-term security professional's perspective. A lot of it seems very reasonable to me, and not necessarily bare minimum, but reasonable requirements and suggestions as to how to defend your organization. I think what we've just seen is chronic underinvestment and chronic underpreparedness. And what a lot of these requirements are aiming to achieve is, like, just do good enough.

 

[01:00:49] Francisco Donoso: At least that’s my perspective.

 

[01:00:52] Gia Snape: Oh, I hope you're right. Right, well, while we're on the subject of compliance: do you think the focus on compliance stifles genuine cyber resilience?

 

[01:01:09] James Rizzo: I could take this. You know, I think compliance frameworks are helpful, in that they give folks a guideline, but I also think that they can potentially limit the assessment to just checking the boxes of what the compliance framework requires. And on top of that, the compliance frameworks are not homogenized. You know, there's a huge variation in state privacy laws, there's a huge level of variation in industry requirements, the federal requirements, multinational requirements, so that is a very tricky path to navigate, because not all of these laws, rules, and frameworks are, you know, without conflict, so good luck. And I worry that, when you go through that check-the-box exercise, you maybe are a little too narrowly focused on the regulatory framework, and you may miss some obvious breach in the donut, whether it's an internal exposure, and these frameworks tend to be more externally focused. It can hurt, you know, and if you're just dealing with the privacy laws, well, then you're dealing with a selection of experts that may be fairly limited in their scope and not understand the full framework. So, while compliance frameworks are there to ensure a minimum standard, I don't think it should be your sole source for fostering a strong cyber posture.

 

[01:02:51] Francisco Donoso: I…

 

[01:02:52] Gia Snape: And with that, we will wrap up today’s webinar.

 

[01:02:56] James Rizzo: Thank you.

 

[01:02:57] Gia Snape: Sorry, Fran. Don’t mean to interrupt you.

 

[01:03:00] Francisco Donoso: No, no, you're fine. I was just gonna add, often I see organizations focus significantly on compliance and under-focus on actual security, and it's detrimental to their security posture. I see that quite often, actually. Sorry. Thanks, Gia.

 

[01:03:18] Gia Snape: Thanks for that final word. I'm sure we could talk about this in so much more depth, but what an incredible session. Thank you to our panelists from Beazley for their expertise, and to all of you for joining today's conversation. We covered the full life cycle of a cyber event, from the initial breach to the boardroom implications. We explored real-world response tactics, emerging threats, and the critical role of insurance professionals in guiding clients through crisis. So now it's time to turn those insights into action. Before you go, a replay of today's webinar and additional resources will be emailed to you. You can also connect with our speakers or your account representatives for deeper guidance. You can use the QR codes on the screen to get more information about Beazley's data and research. Thank you again for your time and engagement. Stay vigilant, stay informed, and we look forward to seeing you at our next session. Thank you, everyone.

 
