Ransomware Attacks Seen Driving Telecom Insurance Complications
It’s getting more difficult for telecom companies to maintain cybersecurity insurance due to the constant barrage of ransomware attacks, NTCA General Counsel Jill Canfield said Tuesday. She highlighted some of the cyber hurdles telecoms face during an FCBA webinar. If a company has more than one insurance claim a year, the insurance provider will start denying claims, and it’s not easy to find a new provider, she said. Itron Privacy Counsel Nicole Thomas agreed, saying threat actors are going to continue to attack due to the profitability of ransomware efforts.
Companies should verify they actually need the insurance before they notify the provider, said Canfield: It’s not an easy judgment call because if a company waits too long to notify the provider, the provider can deny the claim, but sometimes a company prematurely notifies a provider when the insurance wasn’t necessary. She warned IT staff against immediately firing off company emails when a breach is suspected. Staff should know that’s not appropriate because response plans include very specific details about who's called and when, she said.
Many companies, large and small, have been hit by ransomware attacks that result in big insurance payouts, said Canfield. She noted insurance policy applications are constantly expanding to include new types of information to make sure companies are securing their networks as much as possible.
It’s important for attorneys to understand the severity of a breach, related regulations and potential changes to regulations from state to state, said Thomas. In addition to state regulations, cyber professionals need to stay up to date on regulations from federal agencies like the FCC and the Cybersecurity and Infrastructure Security Agency, said Canfield. CISA discovers more than 30,000 vulnerabilities per year, said CISA Senior Adviser Allan Friedman, noting the agency’s collaboration with the FCC. Canfield highlighted the FCC’s customer proprietary network information (CPNI) rules for breach notifications, saying there’s no question there will be further regulation in that area.
The FCC periodically issues new regulations to ensure national defense and public safety aren’t compromised, often at the direction of Congress, said Debra Jordan, chief of the FCC Public Safety and Homeland Security Bureau. The agency wants to accomplish two things on the cyber regulation front, she said: make national communications infrastructure more secure and lessen the burden on regulated entities. She noted the agency’s NPRM proposing new rules to make the emergency alert system and wireless emergency alerts more secure (see 2210270058). She said the FCC is still reviewing the record for proposed changes that will have implications for broadcast, cable and satellite providers.
Canfield highlighted some specifics for companies going through cyber checklists after an attack. Companies should decide whether they’re prepared to pay for credit monitoring for customers when there’s a data breach involving personally identifiable information. Staffers should know they shouldn’t be informally answering questions about a breach, and there should be one point of contact within the company to answer questions about incidents, she said.