Seth P. Berman leads Nutter’s Privacy and Data Security practice group and is a member of the firm’s White Collar Defense practice group. As a data privacy attorney, corporations and their boards engage Berman to address the legal, technical and strategic aspects of data privacy laws and cybersecurity risk, and to prepare for and respond to data breaches, cybercrime, and other cyberattacks. In addition to being a cybersecurity attorney, Berman also represents clients in white-collar criminal matters and has particular expertise in conducting cross-border internal investigations and in the data privacy implications of such matters.
In an exclusive interview with Augustin Kurian of CISO MAG, Berman shares his thoughts on several things including the landscape of cyber insurance, cyberattacks on the health care industry, and data protection laws like CCPA.
Tell us a bit about your journey from becoming an Assistant United States Attorney in the District of Massachusetts, where you investigated and prosecuted economic and computer crimes — to now at Nutter.
I have had an atypical career as a lawyer in the years since I left the US Attorney’s office in 2007. At that time, very few firms had lawyers devoted to privacy and cybersecurity issues – there simply wasn’t enough business in the area for firms to hire lawyers who were so specialized. Thus, instead of going to a law firm, I joined a digital forensics consulting company that specialized in helping lawyers and their clients respond to computer crime and hacking incidents. I eventually moved to London with that consulting company and oversaw their expansion into European and Asian markets, advising international corporations on preparing for and responding to hacking and data breaches. After I returned to Boston, I decided to join a law firm – Nutter – once the market had grown to the point that it was possible to practice as a lawyer specializing in cybercrime, privacy, and data security.
In the years since you first started prosecuting computer crimes, how has the industry evolved?
I first started prosecuting computer crime cases more than 20 years ago. In that time, computer crime has gone from a niche concern to one of the most common types of non-violent criminal activity today. When I first entered the private sector in 2007, IT departments were focused on cybersecurity, but CEOs and General Counsels did not view it as a significant concern. Nowadays, not only do CEOs and GCs routinely list cybersecurity among their biggest worries, but the issue is also widely considered one that requires board-level oversight. As a result, a whole industry of technical experts, consultants, and lawyers has grown up to assist corporations in navigating these issues.
The cyber insurance landscape is booming and constantly changing. However, there is a complexity that still makes cyber insurance coverage intimidating to many. What are the key obstacles to writing and issuing cyber insurance?
Cyber insurance is still a relatively new product. As a result, there is an unusually high number of uncertainties for all players in the market. For example, there are well over 100 years of claims history for fire insurance, making it relatively easy to determine the likelihood of loss, the amount of coverage needed and the typical issues that might arise later impacting coverage. By contrast, there is very little history of cyber insurance claims. Thus, it is not clear how much cyber coverage a company needs; how likely it is that a company will suffer a breach; or even whether an as-yet-unthought-of new type of attack will be covered by a cyber insurance policy. The limited claims history is compounded by an even bigger problem – there is little reason to believe that past experience with cyberattacks is predictive of the scope or severity of cyber claims in the future. Given the continued rapid increase in the sophistication and scope of cyberattacks, it is likely that the next few years will see much larger claims than the last few – perhaps even a storm of claims impacting many companies all at the same time.
There seems to be an increasing number of cyberattacks in the health care industry. What is driving this trend?
The health care industry presents a tempting target for at least two reasons. First, health insurance information is currently more valuable on the black market than credit card information, which means that health care companies hold a valuable asset that hackers are trying to steal. Second, because doctors and hospitals are routinely dealing with life-threatening situations, a computer failure that impacts basic patient care can quickly lead to a life-threatening emergency. This real-world urgency makes hospitals and health care entities very tempting targets for attackers, who want to leverage these dire consequences for their extortionate demands.
How do you see the uptick in ransomware, as compared to, say, two years ago?
Ransomware has become a particularly easy way for hackers to quickly make money. Indeed, ransomware doesn’t even require any real hacking expertise anymore. Ransomware can now be purchased on the dark web just like any other software. There are even ransomware-as-a-service providers who will provide the software and technical services and split the proceeds with the individuals who select the targets and send the phishing emails that initiate a ransomware attack. The attackers have also gotten more discerning about their targets and changed their business model. A few years ago, it was common for a vast number of individuals to be targeted at random and asked for small ransoms – often only a few hundred dollars – to recover their personal computers. Now, ransomware attackers are more typically targeting large organizations such as cities, towns, or hospitals – and demanding much greater ransoms, knowing that many of the attacked entities will find it far cheaper to pay hundreds of thousands or even millions of dollars in ransom than to go dark while attempting to recover their data and systems on their own. Until society figures out how to cut off the flow of money to ransomware attackers, this problem is only going to get worse.
From which types of businesses (small, medium, large) do you see the most increase in awareness of the need for improved cybersecurity? (Nearly half of all cyberattacks in the U.S. target SMBs).
The initial wave of well-publicized corporate hacking targeted very large companies. Sometimes hackers sought to steal credit card data, sometimes they sought merely to disrupt a company, and sometimes they were seeking valuable intellectual property. Regardless of their goal, the hacks that became public almost invariably targeted large companies. This led to a popular perception, common until a few years ago, that only large companies had to worry about hackers. That perception has changed dramatically in the last few years. Companies of all sizes now recognize that they are potential targets. As a result, small and medium-sized businesses are now beginning to invest in cybersecurity, and – at least as importantly – starting to establish the governance and management structures necessary to ensure that cybersecurity is taken seriously.
What kinds of policies should companies devise so that they are better prepared for cyberattacks?
Too many people think of cybersecurity as a purely technical problem – one that can be solved with better firewalls, better threat detection, or some other new tool. Though all of those things are in fact crucial to good security, tools alone are not the answer. Governance is at least as important as new tools – after all, if the CISO isn’t getting the budget and attention needed from senior management and the board, the new tools either won’t be bought or won’t be fully implemented for fear of “breaking” IT. In the end, good planning, testing, employee education, as well as a culture of security all the way to the CEO is as important to improving cybersecurity as the latest firewall, SIEM, PAM or DAM.
What do you think is the next trend in the industry?
I fully expect hacking and other cyber threats will continue to grow and evolve, and I expect security rules and regulations to continue to evolve with them. Additionally, I am keeping my eye on another trend – the increasing number of jurisdictions that have privacy laws – laws that limit what companies can do with personal data they hold – in addition to the more traditional security rules and regulations. Europe led the way in this with its General Data Protection Regulation (GDPR), and the baton has now been taken up here in the US by California with its California Consumer Protection Act (CCPA). Several other state legislatures are considering similar legislation, and there are competing proposals in Congress addressing some of the same issues. As a result, I expect that over the next few years those of us in the industry will be spending almost as much time thinking through privacy issues – whether governance and systems are designed to comply with privacy laws – as we do thinking about security – how to prevent others from stealing or corrupting that data.
About the Interviewer
Augustin Kurian is part of the editorial team at CISO MAG and writes interviews and features.