Cyber Security: Using Insurance to Motivate Technology

Episode Notes

Transcript

In-House Legal: Cyber Security: Using Insurance to Motivate Technology – 4/18/2015

Advertiser: Welcome to In-House Legal, where we cover a variety of the issues pertinent to the general counsel and in-house legal departments of small, mid-sized, and large organizations. Join host Randy Milch each month as he discusses the latest developments, trends and best practices for this very busy and often complicated area of law. You’re listening to Legal Talk Network.

Randy Milch: Hello, my name is Randy Milch and I’m the host of In-House Legal on the Legal Talk Network. I‘m honored and happy to have as a guest today, Peter Beshar, executive vice president and general counsel of Marsh & McLennan. Peter has a wealth of experience as a public servant, a prominent big law firm litigator, and is general counsel of a global enterprise, so I know there’s lots to learn from Peter today. Of particular importance to general counsel who may be in the audience is Peter’s experience with the subject of insuring cyber risks, and we’ll get into that later in the show, which is a very topical and timely subject that Peter’s been very involved with. So, Peter, thank you for coming on the show with me today.

Peter Beshar: Randy, with great pleasure.

Randy Milch: Great. I want to start off so that everyone gets grounded; what is Marsh Mc? What does it do?

Peter Beshar: This is a great company, Randy. We are a professional services firm that tries to solve the most complex issues of our time. So how do you respond to a natural catastrophe like an earthquake, or a hurricane? How do you provide retirement security for an aging workforce? Or how do you structure stress tests for banks across the eurozone? Marsh & McLennan does all of that. It’s half of an insurance broking the operations and half of them are consulting. And the company is really made up of 57 thousand talented professionals. PH Ds and actuaries, consultants and brokers, so it’s just an outstanding company.

Randy Milch: It is, and it sounds like it’s a great place to be the general counsel; a lot of people to keep you on your toes, which is always important. Can you give us an idea, Peter, of how you came to Marsh Mc? You had a background in the public service as an assistant attorney general here in New York, you were a big firm litigator. Lead everyone through your bio just for a little while.

Peter Beshar: Absolutely. So I started my career in government service, principally working on the Yugoslavian peace negotiations. So Cyrus Vance was appointed by the UN Secretary General to try to broker peace in Bosnia and Croatia. And secretary Vance took me as his special assistant to Europe. We were based in Geneva at the Palais des Nations, and spent months trying to travel from Belgrade to Zagreb to Sarajevo and across European capitals trying to fashion a peace agreement in Bosnia. Ultimately we failed, we did not achieve the peace in 1992 and 1993 that we had hoped for, but it was an extraordinary experience. I then came back and served, as you indicated, as an assistant attorney general here in New York for attorney general Oliver Koppell, and then spent a decade at Gibson Dunn & Crutcher; just a fabulous firm where I was the co head of the securities litigation practice, advising boards and management teams about how to work their way through a regulatory crisis for a significant litigation. And then in the Fall of 2004, when former attorney general Spitzer sued Marsh & McLennan, I was contacted by the incoming CEO, a gentleman named Mike Cherkasky. And he asked to see me urgently for breakfast at 7AM the next morning, and I thought I was pitching to take over the representation of Marsh & McLennan as a partner at Gibson Dunn. And instead about a minute into the conversation, he said I’d like you to become the general counsel of the company, but I’m offering it to you on two conditions. First, you have to accept within two days, and second, you have to start within seven days.

Randy Milch: And I take it that the rest is history, you both accepted and started within the requisite timeframes.

Peter Beshar: Yeah, I did. It was crazy, but also my partners and the entire firm at Gibson Dunn were extraordinarily supportive with really two a person saying that you should take this challenge on and see whether you can help Marsh & McLennan navigate its way through a pretty dynamic crisis. And then also the clients that I had been working with very closely were extremely supportive and said that they understood that this was an opportunity that you had to reach for and accept.

Randy Milch: So as an incoming general counsel to a firm in crisis, Peter, what did you find there? What was the morale like, what were the issues that immediately confronted you with an attorney general going after you? It tends to clarify the mind of all the business people quite a bit about legal risks and compliance risks. How did you find the atmosphere and the field for working when you got to Marsh Mc in 2004?

Peter Beshar: That’s a great question, Randy. I thought as an advisor to companies from the platform of Gibson Dunn, that I understood what it was like to really go through a crisis type environment. And when you’re actually inside the hurricane, it’s much worse and harder than outside lawyers appreciate, than certainly I appreciate it. So the company was in utter turmoil. There were criminal charges circulating around. 70 different regulatory authorities were launching investigations against the company, the stock had fallen in half, the ratings of the company had been downgraded by four notches, and just everybody is upset, quite frankly. Clients are upset, banks cut off funding for the company, employees are stunned as to what happened that allowed the solvency in my ability of a proud company with 140 year history to suddenly face this type of an existential threat to its existence.

Randy Milch: And you’ve now bidded Marsh Mc for over a decade. I know the stock’s back, it sounds like the ship has been righted, is that your view of it?

Peter Beshar: It is as a result of the efforts of literally thousands of people who helped navigate this company through the crisis in the first year or two coming out of the Fall of 2004. And two elements or pearls of wisdom that I certainly took away from the crisis environment as a general counselor or as an advisor, is first to be relentlessly positive. It truly is a crisis environment where people are uncertain and dazed, and you have to be something of an avenging angel just trying to really bring in a sense of optimism that we’re going to get through this. You have to say that to groups of employees, over and over, we are going to get through this and we are going to emerge on the other side as an even better and an even stronger company. And then you have to be decisive, and this doesn’t necessarily come early to lawyers because we like more information. We like to make sure that we’re making the right decision, and you don’t have the luxury of that choice when you’re really in a crisis environment. You need to make the decisions as best as you can and then move on, quite frankly. And the company has really done that. And over the last five and six years in particular, the financial performance of the company has been extremely strong and it really is a credit to the resilience of the colleagues and the steadfast ends of clients to stick with the company, even as it went through a difficult period.

Randy Milch: I really appreciate those two points that you made there, Peter. You’re absolutely right, there’s no substitute for leading from the front during a crisis situation. And indeed, throughout, I’m sure that you continued that leadership role there. So tell me, what’s your legal department look like these days? What’s within your bailiwick of Marsh Mc and describe it a little bit for us.

Peter Beshar: The first thing that you learn about working at a big company is that individuals accomplish almost nothing, and it is all about the team that if you build and promote a strong team, then you can begin to articulate a set of strategic priorities for the group and then have a credible shot at having that really be conveyed across the organization. And so I had the great privilege here early on. I hired Rich Sullivan, for example, out of the US attorney’s office. He became the general counsel of our Marsh subsidiary, did an extraordinary job. And he’s now a federal judge here on the Southern District bench. Lucy Fato was a partner at Davis Polk and came in as the deputy general counsel and corporate secretary, and from a governance perspective, really did an extraordinary job of overhauling the company’s corporate governance initiatives and the like. She’s now moved on, I’m thrilled to say, as the general counsel of McGraw Hill, and many other people within the department really stepped up. When you’re at a private firm, sometimes the old conventional wisdom was that people who worked in-house were not as strong as some of the people who worked in the law firms. And I found just the opposite here that the quality of the team, the ability to really understand the business as the financial acumen, the communication skills, project management skills; those are things that in-house lawyers in particular, I think those who can exhibit are really outstanding. So within the role, I had the privilege of managing the legal department, as well as the communications group, the government relations group and the risk management group. And so I’ve tried to brand that set of responsibilities as really legal and public affairs. So both the lawyers within the department think of themselves as responsible for reputational issues, and then business leaders within the organization also think to look to the legal department, not simply for legal matters, but also some of the fournier reputation and communications issues.

Randy Milch: That’s an important point. Do you feel as though it’s vital for you to be able to do your job to have all those arrows in your quiver? To have control over both the public and the private and the legal aspects?

Peter Beshar: It’s not vital, Randy, but boy, it’s helpful. And Ben Heineman, the longtime general counsel of GE, and in many ways the architect of the modern corporate GC. He once said that the most important role that a general counsel can play is to serve as a public advocate for the organization. To identify those policy issues that really are important to the broader community, but also important to the underlying business of the organization. And then figure out how you could play effectively at that intersection of the public sector and the private sector.

Randy Milch: I want to go back for a second to your point about that tremendous people you were able to bring on early in your tenure who have since left. There’s many folks who believe that if you don’t hire someone for life, you’ve made a mistake. But it sounds like you’re more than willing to bring on great talent and then applaud them as they move along. Is that your view of how it should work?

Peter Beshar: It is; I think again GE really set this model. It just became an incredibly training ground for people who wanted to have broad in-house experience and then grow to become a public company general counsel in their own right. And the number of alumni from GE who have been in public sector general counsel roles is pretty extraordinary. And I think it’s terrific for any organization to have a group of people coming in pretty steadily, just as there’s a group of people who also leave the organization. I think that’s really what creates the most favourable dynamic within a law department or perhaps within any organization.

Randy Milch: I want to go back also, Peter, to something you pointed out, comparing your in-house time with your outside role as a partner at a major law firm. And it goes to decisiveness. If you had to give some advice to outside counsel on the question of decisiveness, what would it be? I think you and I share a similar view that an outside counsel who’s giving you on the one hand and on the other hand advice in perpetuity is not really advancing the ball too much. What would you tell them?

Peter Beshar: Decidedly so; that this is a job where you’re trying to make good faith practical decisions that are rarely absolutely clear on one end of the spectrum or the other. And therefore, those outside advisors who come in and essentially bring in their experience, their expertise to say, okay, this is a sensitive FCPA matter, and I’ve dealt with a hundred of those; so I know within the continuum where this set of facts roughly falls. That’s when an outside advisor is really giving you a tough-minded practical advice that I’ve come to value greatly.

Randy Milch: You and I are on the same page on that, Peter. It’s amazing how many highly successful outside counsel can’t seem to reach a conclusion. And they tend to have my business once. We’re now going to take a small break and we will return in a minute.

Randy Milch: This is normally the time in our show where we hear a word from our sponsors, and this could potentially represent an opportunity for you. In-House Legal is seeking sponsorship. If you are interested in participating in our programming or would like more information about our rates, please contact the team at Legal Talk Network, at Info.LegalTalkNetwork.com, or go to their website at www.LegalTalkNetwork.com and click on advertise.

Randy Milch: Welcome back to In-House Legal on Legal Talk Network. We’re here with Peter Beshar, the general counsel of Marsh Mc, who’s been telling us about his background and I want to move along, Peter, to an issue that is of such moment at this time, and that is cyber security. And I know that Marsh Mc has a long history of dealing with technological change and trying to ease the introduction of technology. Could you explain how – to our listeners, a consulting firm and an insurance advisory firm – could possibly play that role?

Peter Beshar: Sure, Randy, with pleasure. I’ll tell you an anecdote, it goes back as far as Benjamin Franklin, how about that?

Randy Milch: That’ll do.

Peter Beshar: So in 1730, there was an enormous fire in the city of Philadelphia. Franklin was living in Philadelphia at the time, and he decided that he would really make it his business to try to mitigate the risk of fire, which had been a significant threat to cities like London and other cities around the world. So this extraordinarily talented man made 3 technological innovations. The first was he created the first all-volunteer fire brigade; something that we all take for granted today, but he was the introducer of that. Second, he designed the Franklin Stove, because people were moving the embers from fires to the kitchen, to the bedroom, and in that process, fires would get sparked. And then of course, he invented the lightning rod to reduce the risk of lightning striking buildings. So as if that wasn’t enough, he then took an unusual step and he set up the first insurance company in the colonies. It was called the Philadelphia Contributionship. And what happened was he understood the power of insurance to drive behavioral change. So in order to become a subscriber to the Philadelphia Contributionship, you had to go through a series of best practices. So for example, a lot of fires were caused when embers would come up out of a chimney, onto a vast roof. A fire would start there and nobody had the ability to put it out. So he said if you want to become a subscriber, you have to build a trapdoor from your attic out to the roof. And so what he was engaged then was really – but he didn’t know it – was ERM, or enterprise risk management. Design technological innovations that are a critical part of it, but then couple it with something that will actually drive and modify people’s behaviors across thousands of individuals. And after all these changes, the city of Philadelphia did not have a significant fire after 1730. So we try to embrace the same context on the, as you say, the critical issue of our time; or certainly one of them, cyber security. How can the tools of technological innovation, things Verizon is so familiar with, sophisticated end to end encryption, two-factor authentication, detonation software. Those types of critical aspects of what good risk management is all about, and then couple those together with cyber insurance. And the reason why that matters is because you’re trying to impact the behaviors of large corporates, like Verizon and Marsh & McLennan. But also thousands of thousands of small and medium sized enterprises. And it is through the vehicle of insurance that we have found that many people modify their behavior, conduct benchmarking against industry standards like the missed framework; and to say to position myself as a better risk, to be underwritten on better terms, I better improve some of the protocols. Make sure that I have an incident response plan, for example, make sure I’m doing some of the training for individuals around spearfishing and how not to embrace the traps of malware and the like. So we spent a ton of time talking about that and had the privilege of testifying before the Senate, before various governmental organizations. Because just as the private sector is trying to solve this issue, the public sector is grappling with it equally. And neither one of us alone can actually solve the challenge of cyber security, it’s going to require a collaborative effort.

Randy Milch: Peter, let’s split that up a little bit, because it sounds like your notion of the importance of cyber insurance takes two forms. One is the classic risks spreading aspect of insurance. That is, you have a loss, you look to your insurance company and your insurance company helps you spread the risk away from you via its balance sheet and what it’s taken on. And the second part is the potential for risk reduction. So I want to sort of take those in two flavors because I think that they’re both important. On the risks spreading front, from your vantage point, I know that Marsh Mc is not itself an insurer, but from your vantage point, are there actually policies out there that will absorb the risk? What kind of policies are being written for folks these days and maybe of interest for firms of all sizes?

Peter Beshar: Sure. So there’s two basic types of coverage that you can get on a cyber insurance policy. The first is so-called first party coverage. So that is damage that you, the insurer, might have. So take Verizon. If Verizon has a network disruption where it can’t meet its customers’ needs for a period of time, first party cyber insurance would protect the organization against it. The second type of coverage is called third party coverage. So here at Marsh & McLennan, we have the data from the clients that we work with. And if we had a bad attack in which that data was damaged, then that would be subject to a third party coverage or a third party policy.

Randy Milch: And so does this include, other than losses, it includes litigation losses, potentially?

Peter Beshar: It could cover legal fees, it could certainly cover the cost of notifying customers, the cost of credit monitoring. But then most important, it can over lost profits on a business interruption claim. If your operations are disabled for 3 days or 7 days, then this type of coverage can kick in. So as you say that’s the kind of risk spreading aspect of it which is very important. The piece that we’re actually most focused on is what is the role of cyber insurance to enhance the resilience of all of us against a cyber attack. And there you have the insured, in order to present itself as a good risk, going through a number of steps that already have advanced the cause by simply an awareness that a company needs to improve aspects of its training or aspect of its incident response. And then once the policy is placed, the insurer suddenly has the incentive to either try to avoid a breach or to mitigate the impact of a breach. So you’re starting to have insurers like AIG partnering with firms like IBM to provide monitoring services and rapid response services in the event of a breach. So those two forces coming together are the reason why we think cyber insurance can potentially be one important part of a holistic risk mitigation strategy.

Randy Milch: One of the items that’s recently come down – there was a homeland security committee in the Senate, I believe, dropped a bill that dealt in part with information sharing. Can you describe the importance of information sharing and what we mean by information sharing in the cyber insurance context?

Peter Beshar: We think it’s critical. If you accept the proposition that the public sector alone, the government sector can not solve this issue. It can not provide adequate protection for all of the private sector. Conversely, the private sector can’t solve this issue on its own. It needs to be able to aggregate information, learn from others of the nature of the evolving and dynamic attacks that are literally changing by the day. So the concept behind cyber threat sharing is that the private sector would share cyber threat indicators. So the form of a malware attack, or a known, malicious, IP address, with the government, in difference to privacy considerations to take out any personally identifiable information before the information is provided to, for example, the department of homeland security. The government would then aggregate that information, collectively, and then there would be a reciprocal exchange in which the government would do a stronger job of reaching out to industry and saying based on the data that we’ve received from thousands of sources, here is the latest form of attack that we are seeing. Or here is a type of antivirus protection that companies should be instituting. And I was very heartened, Randy, that the business community is really looking to engage with the Congress and the administration to try to advance this issue, because they believe it’s a question that’s really in everybody’s interest and would enhance our collective resilience. And so there was a letter that was circulated amongst general counsels of 32 prominent companies that came together within a matter of days and was then submitted to the president and the leaders of both houses of Congress, saying we strongly endorse the concept of the sharing of cyber threat indicators.

Randy Milch: I think it’s a great thing and obviously, it’s critically important that there be sufficient information. And as you say at the same time, folks’ private information is protected and they don’t have the concern that the cyber security efforts are a substitute for other forms of information sharing that people are less comfortable with. Let me take one step back though, Peter, because I think it’s of interest to folks in mid sized and smaller firms who may not have considered it cyber insurance. Do you view insurance in this area as being relatively affordable for folks?

Peter Beshar: Randy, in our judgement, it’s surprisingly affordable. And one of the reasons is because in a relatively low growth environment, this is a sector of the market that is growing quite rapidly; by some estimates it’s increasing by 50% per year. So you have a substantial number of insurers who are looking to get a part of that growth and enter this market. And as a result, the pricing is actually quite competitive. A rough frame of mind, obviously this depends upon each sector and each type of business, but 2% or so with 2% rate online. So about $20,000 of premium, you can get a substantial amount, 50 times that, in coverage.

Randy Milch: And I would heartily recommend to folks if they consider this. I think that one of the best ways for a chief information security officer or CIO or whoever is responsible in your company for taking measures to protect the company’s information from cyber attack, to gain information about inexpensive ways to actually improve your protection against threat, is to engage with a reputable insurance company or someone like Marsh Mc to discuss what can be done. Verizon, in fact, has published for many years a data breach investigations report, and one of the most surprising results of that report – which complies all known breaches for a year across the world in conjunction with many third parties and public institutions – is that a very, very high percentage of cyber attacks fall into the so-called simple category, which means they can be prevented with simple cyber hygiene methods. And getting a handle on those simple and inexpensive methods to protect your company’s information and getting the advantage of the risk spreading aspects of insurance, I think is something that people prudently need to take a look at as the caretaker of a company’s reputation and the shareholder’s value. So, Peter, I hope you don’t mind that small advertisement.

Peter Beshar: Absolutely not, Randy. In your point about small and medium enterprises is a critical one. What really has been demonstrated through some of the significant cyber attacks of the past year or two, is that there’s a large network of vendors that surround large institutions. And the resilience of the large institution, in many ways, will be dependant upon the strength of the vendor network. So if password credentials are stolen from an air-conditioning vendor, or a takeout delivery service, two specific examples that have happened in the past year, then that can compromise the integrity of the large institution. So just the way the public and the private sector has to work together, large companies have to be partnering with smaller and medium sized enterprises to enhance the overall resilience as a society.

Randy Milch: Peter, thank you very much for spending time with me today. Ladies and gentlemen, this was Peter Beshar, the general counsel and executive vice president of Marsh Mc. It’s been a hugely informative half hour and I very much appreciate it.

Peter Beshar: And Randy, it’s been so much fun listening to you make the conversion to a radio talk show host.

Randy Milch: Yes, I think everybody needs to be prepared for the future, and very, very afraid. And i want to thank all of you who have listened to our podcast today. For all of you listeners who would like more information about what you’ve heard today, please visit www.LegalTalkNetwork.com. Or you can follow us on iTunes, RSS, Twitter, and Facebook. That brings us to the end of our show. I’m Randy Milch, thank you for listening and please join us next time for another great episode of In-House Legal.

Advertiser: The views expressed by the participants of the program are their own, and do not represent the views of, nor are they endorsed by, Legal Talk Network, it’s officers, directors, employees, agents, representatives, shareholders, and subsidiaries. None of the content should be considered legal advice. As always, consult a lawyer.