STAFFAN TRUVÉ: Thank you. Nice to be here.
ELISABETH BRAW: And Tom Srail, my second guest, is WTW's executive vice president in charge of cyber risk, and he's also a member of the US Department of Treasury's Advisory Committee on Risk-Sharing Mechanisms, a committee that is very busy and is about to become even busier. And Tom is a long-standing executive at WTW, looking after cyber risk. And welcome to you, Tom.
TOM SRAIL: Thank you. My pleasure to be here.
ELISABETH BRAW: Staffan, I'll start with you. You've been monitoring cyberthreats for decades, but the better educated we ordinary citizens and companies have become about cyberthreats, the more advanced the threats have become. And so today, the threats that face us are just miles away from those scam emails long ago, when the internet first became popular.
Now, we also have the scourge of ransomware attacks that even bring down large companies. And so, Stefan, I want to hear from you, what I want to understand from you is, are we stuck in this cycle of better defense, which then leads to better offense from the cyber perpetrators and aggressors out there?
I tend to think of this as a market like anything else. And as a threat actor, if your current repertoire doesn't make you any money anymore, you need to invest in new tools or in new methods. And ransomware, as you mentioned, is a great example of that.
That's a prime example of a business development in the criminal world where they did some innovation, you could say, on the technical side, but mostly what they did was innovate on how to get money out of people. They figured out new means of getting you to pay, but they also figured out a model where they could scale their business more efficiently by having accomplices in which they could recruit, which, today, provides them access. And then they share the loot afterwards.
So again, it's a market like anything else. People evolve, and we have to continue evolving the defenses. And I can definitely, unfortunately, not see any near end to this.
ELISABETH BRAW: Just like traditional arms races, we are in an arms race in cyber, clearly. And, Staffan, I love this idea of business development in the criminal world. Or rather, I don't love it, but I love the label that you put on it.
And, Tom, that brings me to you. Underwriters have been saying for some time that companies need to get better at protecting themselves. But yet, we are in this arms race, and we are in a situation where perpetrators are very good at business development. So is that happening? Are companies getting good enough at defending themselves?
Ransom attacks and cyber extortion has been around for a long, long time, but Bitcoin allowed it to, all of a sudden, become able to be paid very quickly. And then they found the-- they innovated enough to figure out how to do that. And so for last 3 to 4 years, we saw a lot of large organizations, well-defended companies fall victim, because the resilience wasn't there.
Their backups were online and immediately available. Well, when your backup's online and immediately available, it's immediately available to the bad guys as well and so having to rethink how we do some of that, how we rethink our recovery and resilience aspect. And today, fewer companies are actually falling victim to some of that, and we see the bad guys start to innovate again and look more at stealing embarrassing data, rather than just shutting companies down, because again, we've increased the defenses.
ELISABETH BRAW: Now, Tom, you mentioned resilience and recovery, and part of that is having non-digital backups to your digital operations systems, and it seems to me that the companies just don't have that. They went from manual to digital, and then they didn't keep their manual operations or the option to switch to manual operations, because why should you? Digital-based operations are much easier and cheaper and more efficient.
But I remember one large company that was attacked a couple of years ago and this company managed to switch to manual operations because it had a few older employees on its workforce still, and they knew how to essentially operate the systems, the machinery, using pen and paper.
And on the other hand, I recall another company that was recently attacked that had to shut down its operations with disastrous consequences for a number of days because the workers who knew how to run things manually had either retired or died. So should we expect from companies that they should be able to switch to manual? Should they have that sort of backup function, or is that not realistic?
TOM SRAIL: No, it's a great question, and I think it will depend based on industry. When you're talking about critical infrastructure and financial transactions, some of those things, credit card networks, we can't really go back to what I like to call the old chunk-chunk machines underneath the counter, where they run the carbon copies. And we'll explain to our younger listeners what carbon copies are later.
But in some instances, we can go back to manual or offline processing and operations. In other situations and other business and industry sectors, that's not even possible. So, again, I think you hit it on the head there. I can recall a hundred years ago, when I got first out of computer science classes and started in IT, backing up was putting a cartridge, a tape, or some sort of media into a device and pulling it out and sending it on a shelf and, once a week, sending partial backups to another site.
And we did it with the cloud, with the internet, with the speed of hot sites and multiple data centers and failovers. We got to a point a few years back that we didn't need to go through any of those manual processes, and that's what the innovative bad guys took advantage of-- when all of our backups were real-time online sitting on the machine next to my main machine or even sitting in a data center halfway across the country, but they replicate immediately to each other.
You infect or damage this data. It instantly gets damaged over on the other side. So yeah, I think it's a multi-pronged approach. I think it's, obviously, more than just an IT approach too, or a security approach. Operations is involved, definitely board level. It's really a business problem and more, even a society problem that just we need to stay diligent on.
STAFFAN TRUVÉ: And just to add here, I think you're quite right. And I mean-- so companies need to take exactly the same approach as you do to other risks and decide, what's my risk-to-reward ratio? What do I need to invest in? In addition, of course, some businesses will have regulatory requirements as well on what they need to do with their data and backups and things like that. But in the end, you need to decide how many levels of protection you need against this kind of problems.
ELISABETH BRAW: Indeed. And I want to come back to you, Staffan, with a rather sweeping question. But Tom, first, I have a very technical one for you. Do insurance companies cover ransomware payments? And do they cover ransomware payments? And how is that developing? Are they beginning to say, no, this is unsustainable, or is it just seen as an operational expense?
TOM SRAIL: Great question. Cyber insurance, which, of course, most companies buy these days-- majority of companies do buy cyber insurance to protect and recover and financially enable the recovery after a cyber event happens. Cyber extortion, very interesting. That coverage, insurance coverage for an extortion payment, it's been available for over 20 years and up until 4 years ago or so, it was a free throw in. We routinely have clients saying, oh, we're never going to pay a ransom, just take that coverage out. It saves you 0% or 0.5% of your premium. So just leave it in there. Just leave it.
So that was one of the other interesting things when the ransomware scourge turned. When that kind of-- when Bitcoin enabled it, and it started going gangbusters about 4 years ago, every insurance policy was having to pay all these claims. Some insurers have tried to restrict that or limit the coverage. Of course, that's not a good thing from the insurance buyer standpoint. It might be a good thing from the financial institution and insurance company standpoint.
But the short answer-- sorry to give you a long answer-- yes, cyber insurance definitely covers extortion payments, typically, and covers ransomware issues. Again, there's been more restrictions in recent years, especially companies who have fallen victim to that, it's no surprise there.
ELISABETH BRAW: Because that is the case, I wonder, Staffan, if there is a case to be made for some companies, especially large famous ones, if they were to be attacked, if they were to say, we are just not going to pay, somebody has to take a position here, we will take a position and, yes, even though it is the case, that it may be covered by insurance, this is just a silly arms race, it has to end somewhere, we will lead the pack, so to speak, and not pay? Do you think-- would that stop the attackers, or would they just innovate and continue their criminal business development, take it into a different area?
STAFFAN TRUVÉ: Well, I mean, we have definitely seen cases of very big companies under successful attacks who have decided not to pay. There is examples of companies who had to replace thousands of PCs because they were all infected. So clearly, there are a few of those.
Unfortunately, I think many companies make the business decision that it's overall cheaper for them, at least, short-term, to pay the ransomware and carry on their business, rather than having to go through the very hard procedure of actually rebuilding your whole infrastructure. And, of course, if enough companies decide to pay the ransomware, the business is there, and, thus, encouraging and providing means to the attackers not only to continue but also to invest in more advanced methods.
ELISABETH BRAW: It certainly feels like the nuclear arms race during the Cold War where-- and indeed, today, again, when everybody knows what the right thing to do is, but everybody has to do it at the same time. And if that doesn't happen, the arms race won't slow down, let alone-- and, Tom, I just have a quick question on this subject and then want to move on to AI.
But still on the subject of cyber aggression and the expenses associated with it, Lloyd's said last year that it won't cover state-backed cyber aggression. And that's maybe not that surprising considering the expense that that cyber aggression incurs these days. And the question I have for you is, Lloyd's said they won't cover state-backed-- within its system or within its markets, a state-backed cyber aggression won't be covered.
But that raises a question of who will determine what is a state-backed act of cyber aggression, and especially because not every act of cyber aggression is attributed by a Western government to another state. So who is supposed to do the attribution, and how would such a thing work in reality?
TOM SRAIL: It's a great question, and this is a geopolitical podcast. So we can make fun of politicians a little bit here. That is something for years has been an issue across the insurance industry, definitely in cyber insurance. War exclusions have always been a part of insurance policies.
When a war, when-- how you define that, of course, is very, very important. But when that breaks out or occurs and causes losses, insurance companies tend to not want to pay for that, because governments, and things like that, can get involved. So for all the obvious reasons.
Well, now, when we start saying, well, war, it's not our grandparents' wars anymore. The conflicts we see today, there are definitely kinetic physical wars going on around the world. But there's also a lot of cyber wars, and Cold War-ish type of activities, nation states attacking one another, and so on.
And so every time a politician gets up and says, we consider this an act of war, all of us in the insurance industry just get really nervous about it, because that can have implications. So that's a very important part. Ultimately, I think the answer is kind of a nerdy one-- you got to read your insurance policy.
You got to work with your insurance professionals and really understand what is clearly covered, what's clearly not covered, and then what is maybe not completely clear. In some cases, that can work to an insured's advantage. But in some cases, that can work to the insurers' advantage as well.
So that's a big process going on around the world the last year in the cyber insurance world, with Lloyds and other insurance companies and reinsurance companies coming out with new exclusions, new wordings, new red lines that they won't cross, and they will and won't do. But, again, as the market softens, we have competition, thank heavens. And so we do see other insurance companies willing to take some of these war or state-backed issues or even systemic events. Again, cloud outages and big systemic events can even cause more damage than a physical bomb going off or two countries warring against each other. Yeah.
ELISABETH BRAW: That's the thing. We think we know a war when we see it. But war is changing so much that the old definition no longer applies. But we don't have a new definition either. And the way in which aggression is changing involves AI, which is something I want to ask you about, Staffan.
STAFFAN TRUVÉ: Can I actually just say one more thing, since you talked about the arms race? I think it's worth remembering-- I mean, if you look at maybe one single, successful case where actually a nation won an arms race, I mean, if you look at the US versus the Soviet Union, essentially, what they managed to do was, essentially, US managed to outspend the Russians, if you like.
And I think there's absolutely an analogy here. If we're willing to spend enough on cyber defense, that we raise the cost, the complexity of the attackers to enough high of a level, it's going to stop being a profitable business. So I think, unfortunately, of course, it's going to be expensive.
That's the only way we have a chance of really stopping it. It is to really raise the bar of the defenses to where it's just not interesting anymore to do that. And, of course, that requires enough coverage across all companies and organizations and states and so on so that there aren't any cheap targets left around.
ELISABETH BRAW: That's an excellent point and also requires, I would think, more investment in education of cyber experts so that we have a standing force of very highly trained cyber professionals who can defend at the level that then convinces the aggressors that it's just not worth the effort.
STAFFAN TRUVÉ: And it's also going to require collaboration both between different companies and between companies and the public sector.
ELISABETH BRAW: Yeah, Staffan, on the issue of AI, everybody's talking about AI, everybody's asking ChatGPT about themselves and much else. And as we know, AI, I think, it's safe to say, enormous productivity gains and other good things. But it's also something that could become extremely dangerous, and it's a Pandora's box.
And I think one threat that companies should be concerned about is the use of generative AI to harm their reputation. And we can imagine, for example, that criminals and others could pose deepfakes showing a Western CEO saying that his or her company is planning to invest in country X that has a terrible reputation, and then the stock price would plummet, even if for a short period of time. Because then, that company's communication's department would leap into action and deny that such a thing had ever been said.
And that's just one scenario that came to my mind but what other uses of generative AI and other types of AI do you think companies should worry about?
STAFFAN TRUVÉ: Well, I mean, first of all, I mean, it's a similar story here, really. The fact that-- I mean, generative AI and other technologies as well are a tremendous new tool we have for increasing productivity automating and so on. And, again, it's, of course-- since it's available to everyone, it's going to be used both by the good guys to automate business as well as defenses against attacks. But, of course, the bad guys have access to these things as well.
So as you mentioned, the very current example or what we're starting to see now, how generative AI can be used to launch much more targeted, micro-focused phishing campaigns, for example, great example, or deepfakes, as you say, just going after reputation or companies or politicians, for example. That's maybe the biggest threat that people are talking about.
And technology-wise, this is also an arms race. Because just as new AI models allow you to make more sophisticated deepfakes, there's a lot of work going on on building other models to detect just these kinds of fakes.
But, again, it's very, very hard for the good side to take the leading position here. Because I think at the moment, it's fair to say that the volume and the quality of fake generation, which systems are capable of today, are not matched by the corresponding means for identifying them-- at least, not identifying them with AI technologies. I think this is a case where we have to look at other things like adding digital signatures on, essentially, any kind of media.
I think we don't necessarily need to see every time fight AI with AI. There are other means for providing authentication of genuine media, for example. It's a big rewiring of the internet to really take the step over to saying that you should only trust something which is watermarked as being authentic.
ELISABETH BRAW: But I suspect that would become necessary. Just a few days ago, I saw a politician in a country, that shall remain nameless, had tweeted a deepfake of the prime minister in an unflattering pose. And then somebody called him out on it, in fact, quite a few people called this MP out on it. And he said, well, how was I supposed to know? And this is where we are today.
If not even a member of parliament, a generally enlightened person and aware of deepfakes and other risks associated with AI, if even he doesn't manage to identify an obvious deepfake, then how is the rest of society expected to do that? So that's where we are today.
But on the upside, Staffan, defenders should be able to use AI. And you have already outlined how you think we can-- the defenders can outspend the aggressors in the longer run. But in the shorter term, where are we now, and how does AI-aided defense look like? Or how should it look like?
STAFFAN TRUVÉ: So I think there are many ways to answer that. I think, essentially, all-- again, AI is a pretty general mechanism for improving your defenses. What we're working on, for example, is, of course, to help the cyber defenders themselves become more efficient by automating as much as the collection and analysis of intelligence as possible. Essentially, having the machine take over everything that can be automated so that the scarce resource we have here, the cyberthreat analysts, for example, can focus their precious attention on the most important tasks. That's one good example.
But I think in terms of automating other things, like the monitoring of your systems, anomaly detection in your networks to automatically see if there are strange things happening, there's lots of ways in which AI can actually help defending. I'm sure Tom can pith in here as well.
TOM SRAIL: I totally agree. I go back and look at mechanisms and processes we've seen previously. Financial institutions, credit card networks, they've been doing that for years in understanding patterns and behaviors of individual cardholders and when there's those anomalies in there. Again, there's not someone sitting there, a human being watching every transaction, oh, so-and-so never shops here or never travels here.
Those kind of automated-- and I think those can really be-- that concept is what you're talking about, Staffan, is really leveraging those types. But, again, just multiply that not by a 10 million transactions today but billions of data points every second, if you will, and really utilizing really advanced systems to be able to help predict trends and see those types of things and help the defenders get better at what they need to do.
ELISABETH BRAW: And, Tom, I was going to ask you about that, actually. How should the company set itself up to use AI to detect whatever may happen or may come its way that would be harmful to it, be it, for example, suspicious transactions on a customer's bank accounts or suspicious movements on the stock market, suspicious purchases or developments in the purchases of, for example, rare metals that a company may depend on? All of that, obviously, that's something that goes far beyond what human analysts within a company can track. So how can companies set themselves up to use AI to monitor, essentially, an unknown world of threats? Is that even possible?
TOM SRAIL: I think we can move toward it. I don't know-- just like all the other risks we've discussed, we can't eliminate them fully. But we can get better at it. I think the sophisticated clients that I work with more and more are partnering with and leveraging threat intelligence companies who can supply that, partnering with industry associations and others in their sector; working with even law enforcement in various countries, partnering with them, again, to collect that data and see what's going on, more so an individual company. Even very large broad companies only have so much data directly, only see so many attacks.
And that's helpful. But, again, partnering beyond working together and sharing that information, collecting that threat intelligence, I think, can really enable all of us to do a global community watch, if you will, and get better information and protect ourselves more efficiently.
ELISABETH BRAW: Global community watch, I love that, a little bit of collective action and helping one another that, I think, will go a long way in this arms race or at least help slow it down. And now, I have to ask you, Staffan-- we all work from home a lot these days. And so are your devices at home, are they safe?
STAFFAN TRUVÉ: That's always a hard question. I hope so. No, I mean, I think that was interesting. I mean, that's what we saw at the beginning of COVID, for example, that companies who were unprepared say, for example, did not use VPN protection, which opens up for a lot of things like listening in on video conferences, for example.
And what happened then was that companies quickly escalated their defenses. So everyone introduced VPNs. One of the good-- sorry, not good. One of the interesting things you then saw was that we saw an explosion in attacks on VPN servers.
So essentially, what the attackers did was they noticed that they had a hard time by attacking the VPN servers. So they actually efficiently forced people to move away from VPNs, again, being vulnerable. So, again, my wife hates me to say, but the creativity of the bad guys, you have to admire that sometimes.
ELISABETH BRAW: That is I think the lesson learned that criminals operate like traditional businesses just in the realm of illegal action. Tom, are your devices safe?
TOM SRAIL: 100%. I'm just teasing.
ELISABETH BRAW: Oh, excellent.
TOM SRAIL: No, no.
STAFFAN TRUVÉ: Famous last words.
TOM SRAIL: Yeah. No, I'm-- as you might expect, I'm the anti-social media IT security person in my house that drives my family crazy. My favorite T-shirt simply says, change your password, across the front, definitely something that not only companies need to do. We as individuals need to do.
And, again, beyond these nation states, beyond these ransomware, a lot of this starts with simple social engineering, tricking people on their home on clicking on links. There's some great folks fighting against this. Some of those, the folks who pay back these scammers on YouTube channels and things like this, record it.
It's highly encouraged, folks, to go watch those things because they're on the ground level taking it back to these bad guys who steal our data and then sell that and then enable these corporate larger organizations to get in there. Because, again, yeah, Staffan, you mentioned, as we switch to a work from home, folks found ways to get beyond slow or on working VPN connections back to the office.
Very ingenious. We figured out how to work effectively as much as possible. But in some cases, we're sidestepping, and we're allowing those bad actors to gain information that they need and start their scams and start their damage to the organization. So yeah, nobody is completely safe.
I like to say when I'm talking to CISOs and other folks, especially when I'm talking to non-technical folks about the IT security world, I like to have them think of a Homeland Security or national defense. We can triple, quadruple, multiply our expenses. We can't stop every bad thing from happening. So it's all about risk management. It's all about understanding it.
And all pieces are really important even sometimes the pieces that are a little frustrating like waiting in line at the airport or changing our password and making it a little bit more complex, more often than we want to. But those are all very crucial pieces of keeping your home safe and, thereby, keeping our companies and society in general more safe.
STAFFAN TRUVÉ: I think I have to say, one thing I feel I need to do is print a new T-shirt for Tom here saying, don't rely on passwords. So I think that's--
TOM SRAIL: Well, that's very true too.
STAFFAN TRUVÉ: I think one of the big things. We worked on completely, in my company is that everything now requires multi-factor authentication and not only, for example, text message based but actually based on physical tokens. So there are involvements in authentication and authorization technology, which is definitely helping to protect. And it's still the case. The most common attack vector is still someone has stolen an identity and uses that not to break into a system but to unlock the door and just walk in.
ELISABETH BRAW: Indeed, everybody can do their part, whether it's changing their password or whether it's training to become a cybersecurity expert. But we'll have to return to the subject. Because it is an arms race. And there are new developments all the time. So Staffan and Tom, get prepared for another invitation in the near future. But in the meantime, thank you, Staffan Truvé. Thank you, Tom Srail. And thank you to our producer Robin Pegg. And above, thank you all for listening to Geopolcast.
In the upcoming episodes coming your way very soon, we'll examine supply chain risks, sanctions, and much else. To get the episodes as soon as they are released, make sure to subscribe to Geopolcast. You can find us via your usual podcast players. And please recommend us to your friends and colleagues. And remember, update your password.
SPEAKER: Thank you for joining us for this WTW podcast featuring the latest perspectives on the intersection of people, capital, and risk. For more information, visit the Insights section of wtwco.com.
Willis Towers Watson offers insurance-related services through its appropriately licensed and authorized companies in each country in which Willis Towers Watson operates. For further authorization and regulatory details about our Willis Towers Watson legal entities operating in your country, please refer to our Willis Towers Watson website.
It is a regulatory requirement for us to consider our local licensing requirements. The information given in this podcast is believed to be accurate at the date of publication. This information may have subsequently changed or have been superseded and should not be relied upon to be accurate or suitable after this date.
This podcast offers a general overview of its subject matter. It does not necessarily address every aspect of its subject or every product available in the market. And we disclaimer all liability to the fullest extent permitted by law. It is not intended to be and should not be used to replace specific advice relating to individual situations.
And we do not offer, and this should not be seen as legal, accounting, or tax advice. If you intend to take any action or make any decision on the basis of the content of this podcast, you should first seek specific advice from an appropriate professional. Some of the information in this podcast may be compiled from third-party sources we consider to be reliable. However, we do not guarantee and are not responsible for the accuracy of such.
The views expressed are not necessarily those of Willis Towers Watson. Copyright Willis Towers Watson 2023. All rights reserved.
