
U.S. tech execs, lawmakers suggest hack reporting requirement


Microsoft’s CEO said before Congress that it is time to impose a cyberattack ‘notification obligation on entities in the private sector.’

Senators and tech leaders are calling for the U.S. to require companies to disclose when they’ve experienced a data breach.

(Bloomberg) — A bipartisan group of senators on Tuesday, Feb 23, recommended that the U.S. consider requiring companies to disclose when they have been hacked.

At the first public hearing before Congress since a massive cyberattack by suspected Russian hackers was disclosed in December, Senate Intelligence Committee Chairman Mark Warner (D-Va.) was joined by the vice-chairman of the committee, Senator Marco Rubio (R-Fla.), in calling for the measure. Several others, including Senator Angus King, an independent from Maine, also voiced their support, as did several of the tech executives who were testifying.

There is currently no federal data breach notification law.

“It is time not only to talk about but to find a way to take action to impose in an appropriate manner some kind of notification obligation on entities in the private sector,” said Microsoft Corp. President Brad Smith. “I think it is the only way we’re going to protect the country, and I think it is the only way we’re going to protect the world.”

FireEye Inc. Chief Executive Officer Kevin Mandia said he supported a requirement that companies notify an appropriate government agency about being hacked. But he urged that it be confidential to encourage companies to participate amid liability concerns.

Tech executives speak out

The hearing before Warner’s committee on Tuesday included Sudhakar Ramakrishna, the CEO of SolarWinds Corp., the Texas-based software firm that the hackers compromised as part of the attack. He told the committee that the tool hackers used to compromise the company’s software “poses a grave risk of automated supply chain attacks” across the software industry.

The senators mostly used a light touch in questioning Ramakrishna — who started at SolarWinds in January after the hack was disclosed — about his company’s responsibility in the massive cyberattack. He said his company is investigating three possible ways the attackers may have gained access to the company’s networks but hasn’t reached a conclusion.

The senators were much tougher on Amazon Web Services for not appearing at the hearing despite an invitation. According to SolarWinds, its Orion software platform, which was compromised by the hackers, could be deployed by customers on AWS among other cloud platforms.

“The operation we will be discussing today used their infrastructure, at least in part,” Rubio said. “Apparently, they were too busy to discuss that here today.”

Amazon.com Inc. didn’t immediately respond to a request for comment.

The hackers responsible for the incident inserted malicious code into SolarWinds’s software, which was delivered to as many as 18,000 customers through software updates, though fewer are believed to have been targeted with additional hacking.

The White House has confirmed that the hackers leveraged this access to breach more than 100 companies and nine U.S. agencies with follow-on hacking aimed at espionage.

Mandia, of FireEye, said the attackers were “exceptionally hard to detect.” He added that the hackers appeared to be highly concerned with remaining hidden. “The minute you could detect these folks and stopped them breaking through the door, they sort of evaporated like ghosts until their next operation.”

FireEye discovered the hacking campaign while investigating a breach of its own networks. Mandia said in his prepared remarks that the company found an intrusion in late November and determined that a third party had accessed its network without authorization. FireEye disclosed the cyberattack in December.

Smith told the committee that Microsoft’s threat hunters and engineers analyzed the attack and estimated there were 1,000 developers who worked on the attack. “It is the largest and most sophisticated operation of this sort that we’ve seen,” he said.

Another witness at the hearing, George Kurtz, the co-founder and CEO of CrowdStrike, the cybersecurity firm hired by SolarWinds for incident response, called for improvements to federal cybersecurity. He said old computer systems and compliance rules “detract from their core security work.”

While a mandatory data breach notification law is one mechanism by which Congress could improve U.S. cybersecurity, the prospects of passing such a law in 2021 are slim given competing COVID-19 relief priorities, according to Dominique Shelton Leipzig, a privacy and cybersecurity attorney at Perkins Coie LLP.

“Realistically, the chances of getting a federal omnibus privacy and data security law are looking more likely to happen next year,” she said.

Businesses want a federal law since they currently have to comply with differing data breach notification laws in all 50 states, she said. “This is the perfect example where companies are calling out for guidance both on the privacy and data security side,” she said.
