Specialty Podcast: The Massive Red Cross Breach - Proof a Cyber Attack Could Happen to Any Organization

Intro (00:00):
You're listening to the Alliant Specialty Podcast, dedicated to insurance and risk management solutions and trends shaping the market today. Here is your host, Lorraine Lewis.

Lorraine Lewis (00:15):
Hey everybody. This is Lorraine Lewis and welcome to another Alliant Specialty Podcast. Today, I've got with me David Finz, who is our cyber claims and coverage guru. David, I was hoping that you could talk to us a little bit about a recent cyber-attack that impacted the Red Cross. I know that a lot of our healthcare clients and other, non-profit organizations know there's probably a lot that they're going to be able to do from that event.

David Finz (00:42):
Sure. Well, first of all, Lorraine, thanks for having me on. This is a really tragic event that has happened. So, what the Red Cross has announced is that there was an attack, on their network that affected the personal information of over half a million people that they were providing services to. And very often these people were quite vulnerable. Many of them were refugees from war or migrants from, other circumstances, fleeing persecution, and their sensitive information has been compromised as a result of this attack. Additionally, roughly 2000 staff and volunteers at the Red Cross had their login credentials compromised as well. What's not clear at this point is whether reports that this information is being sold on the dark web is to be believed. The Red Cross has been very transparent about the incident. They have a release on their website describing what they know about what has occurred. They are aware of the reports that this information is being exchanged on the dark web and they have engaged cybersecurity professionals to help determine what exactly transpired and to put these individuals on notice that their information has been compromised. And as a result of this, they've had to scale back their operations, helping those most in need.

Lorraine Lewis (02:10):
Wow. I hadn't thought about how vulnerable some of those folks might be, with nefarious individuals, potentially really looking to find out where folks are, as a senior claims guy, you've seen lots of complexity with claims. Talk to me about how you feel the Red Cross has responded to this incident from a claims perspective and in communicating with the public.

David Finz (02:33):
Right. Well, as I mentioned, I mean, Red Cross is not a client of ours. However, they have been very public and very transparent in terms of sharing information with their donors, with their recipients and with the public in general regarding what they have done. They have engaged service providers to help get to the bottom of what has transpired, figuring out what they can do to remediate, to shore up their own network. And they have committed to continuing to provide updates to the public as more information becomes available. So, in terms of the messaging and the crisis management response they've been very forthcoming. And I think that goes a long way towards restoring confidence in the Red Cross for both donors and for recipients of their services.

Lorraine Lewis (03:23):
That's great feedback. So, definitely it sounds like transparency and good communication are really important. What’s striking to me about that breach, is that it is such a large, sophisticated organization, and we've worked on together some really large clients that have set for breaches. So how does that happen and what some of the challenges that you see with managing cyber risk? Generally? Because, like I said, some of our most sophisticated large clients or large organizations, they're struggling with it, right?

David Finz (03:51):
I mean, the fact that this happened to an organization as large and as resourceful as the Red Cross, shows you that it can have happen to any organization, whether they're for profit or not for profit in healthcare or in other industries, no one is immune from, this sort of attack. It's not even clear that the threat actors, whoever they may be aware that the organization they were attacking was engaged in humanitarian work. Typically they're very mercenary and we'll just go after any vulnerability that they see in a network to exploit it. The bottom line is that organizations of all sizes need to be aware of the importance of good cyber hygiene, but it's particularly challenging for not for profits, because their effectiveness is often measured by what percentage of their resources go to providing services directly to those in need. And so, there is an imperative, if you will, to keep overhead low and that sort of runs key counter to the need to devote adequate resources to cybersecurity. Which of course, in this current job market come at a premium because cybersecurity professionals are in high demand.

Lorraine Lewis (05:11):
Yeah, that's a great point. So now, if you are a smaller organization, like you acknowledge, I think the larger institutions are able to devote some resources of their tax status, because of the sheer size of the organization, but for smaller organizations, given the environment that we're in, what should they do to recognize the constraints that they face?

David Finz (05:34):
So, with the understanding that there are plenty of charitable organizations out there, and also healthcare providers that may not have the resources to hire an information security, professional, full time, what they might wish to consider doing is investing in a virtual or fractional chief information security officer, also known as a VCSO. And what that does is to connect them with a professional who will be devoted essentially part-time to their network on a 24/7 basis. If that makes any sense. In other words, they have several clients, that they're responsible for. But at the same time that gives the smaller organization access to top talent, that they might not be able to afford to bring in house.

Lorraine Lewis (06:27):
That's a great suggestion. I honestly really didn't know that that was a thing now, but it makes perfect sense. You handled some claims for me that were fairly high profile, and I know you've operated at very high level with lots of high-profile claims. What are some lessons learned, from your perspective, having had that opportunity to work on so many large claims?

David Finz (06:50):
So, recognizing that no organization is going to be 100% immune to a cyber-attack. I think the great danger is one of overconfidence. If you will, we actually have put together a list of the kinds of good practices that will minimize the possibility that they will be a victim of an attack, or at least minimize the damage that would result. And recognizing also that the types of things that we're talking about, these are the things that move the needle for the underwriters as well. They want to see that cyber hygiene is permeated through an organization's culture. It's not a check the box exercise or a once-a-year audit, but it's really something that is taken to heart. And that really requires a shift in mindset more than the latest, shiny bell and whistle or firewall, to a company's network. It really requires, changing an organizational culture and we can in helping our clients find a more rewarding way to manage risk, help them get on that path towards making that a cultural mindset.

Lorraine Lewis (08:01):
No, I love that. It's funny from a healthcare perspective, of course that sector is so vulnerable to cyber risk, and it's one of the key industries under attack. It is the boardroom issue, and one of the things we've been doing to your point, David, is having our clients and their IT guys directly engage six months in advance of expiration with underwriters, so that underwriters can be engaging and having dialogue with our clients. And so, our clients can know what do they need to fix from a cyber hygiene perspective? So, as we wrap up, I would like to thank everybody for their time. David, how do we contact you?

David Finz (08:40):
So, folks can DM me on LinkedIn, or you can email me at David.Finz@alliant.com, and we'll be happy to get a copy of that list out to you right away.

Lorraine Lewis (08:51):
Awesome. Again, everybody, this is Lorraine Lewis, and until next time, thanks so much for listening. Take care.