Tag Archives: cyberliability

How to Keep Malware in Check

Firewalls are superb at deflecting obvious network attacks. And intrusion detection systems continue to make remarkable advances. So why are network breaches continuing at an unprecedented scale?

One reason is the bad guys are adept at leveraging a work tool we all use intensively every day: the Web browser. Microsoft Explorer, Mozilla Firefox, Google Chrome and Apple Safari by design execute myriad tiny programs over which network administrators have zero control. Most of this code execution occurs with no action required by the user. That’s what makes browsers so nifty.

A blessing and a curse

But that architecture is also what makes browsers a godsend for intruders. All a criminal hacker has to do is slip malicious code into the mix of legit browser executable code. And, as bad guys are fully aware, there are endless ways to do that.

Stay informed with a free subscription to SPWNR

The result: The majority of malware seeping into company networks today arrives via infectious code lurking on legit, high-traffic websites. The hackers’ game often boils down to luring victims to click to an infected site, or simply just waiting to see who shows up and gets infected.

So if browsers represent a wide open sieve to company networks, could inoculating browsers be something of a security silver bullet? A cadre of security start-ups laser-focused on boosting browser security is testing that notion. The trick, of course, is to do it without undermining usability.

spike

Branden Spikes, Spikes Security founder and CEO

ThirdCertainty recently sat down with one of these security innovators, Branden Spikes, to discuss the progress and promise of improving Web browser security. Spikes left his job as CIO of SpaceX, where he was responsible for securing the browsers of company owner Elon Musk’s team of rocket scientists, to launch an eponymous start-up, Spikes Security. (Answers edited for clarity and length.)

3C: The idea of making Web browsing more secure certainly isn’t new.

Spikes: Let me break it down by drawing a line between detection and isolation. Browser security has been attempted with detection for many, many years, and it’s proven to not work. McAfee, Symantec, Sophos, Kaspersky and all the anti-virus applications that might run on your computer became Web-aware a while back. They all try to use detection mechanisms to prevent you from going to bad places on the Web.

Then you have detection that takes place at secure Web gateways. Websense, Ironport (now part of Cisco), Blue Coat, Zscaler and numerous Web proxies out there have security features based on the concept of preventing you from going to places that look malicious or that are known to be bad. Well, hackers have figured out how to evade detection, so that battle has been lost.

3C: Okay, so you and other start-ups are waging the browser battle on a different front?

Spikes: When you realize that detection doesn’t work, now you have to isolate. You have to say, :You know, I don’t trust browsers anymore. Therefore, I’m not going to let my stuff interact with the Web directly.” In the past five years, newer products have started to offer browser isolation technology. We’ve taken a very no-compromise approach to isolation technology.

Free IDT911 white paper: Breach, Privacy, And Cyber Coverages: Fact And Fiction

3C: So instead of detecting and blocking you’re isolating, and sort of cleansing, browser interactions?

Spikes: Yes, and much like with detection technology, isolation can exist in either the endpoint or on the network. Some examples of endpoint isolation might be Invincea or Bromium, where you’ve got your sandboxes that do isolation on the endpoint. I applaud all the efforts out there. It spreads the whole gamut from minimal amount of isolation to sandbox technologies built into browsers. There’s quite a bit of investment going into this.

3C: Your approach is to intercept browser activity before it can execute on the worker’s computer.

Spikes: If you come at the problem from the assumption that all Web browsers are fundamentally malware, you can understand our technology. We essentially take the malware off the endpoint entirely, and we isolate the execution of Web pages on a purpose-built appliance. What goes to the end user is a very benign stream of images and sound. There’s really no way for malware to get across that channel.

3C: If browser security gets much better, at least in the workplace, how much will that help?

Spikes: If we successfully solve the browser malware problem, we could, I think, allow for more strategically important things to occur in cybersecurity. We could watch the other entry points that are less obvious. This sort of rampant problem with the browser may have taken some very important attention away from other entry points into the network: physical entry points, social engineering and some of the more dynamic and challenging types of attacks.

How Data Breaches Affect More Than Cyberliability

You’ve probably seen the recent headlines about the Target retail chain being hacked, resulting in approximately 40 million customer credit and debit card numbers being stolen by hackers. It would be easy to write another article about the importance of cyberliability insurance, but we’d like to go a step further. While it is true that a breach of this magnitude will be incredibly expensive and could strain the total limit capacity available in the cyber insurance marketplace, other insurance products that could possibly be triggered shouldn’t be ignored.

On October 13, 2011, the Securities and Exchange Commission’s (SEC) Division of Corporate Finance published the Cybersecurity Disclosure Guidance. Among other recommendations, the guide contained the SEC’s views on the type and extent of cyberliability risks and exposures that public companies should consider disclosing to investors. The guidance was issued to help investors understand the nature of a company’s cybersecurity risks. In quarterly and annual filings with the SEC, companies disclose risk factors that can have a material impact on their operations. When investors sue a corporation for actions that have harmed the company, and in turn their investments, that is a claim typically addressed by a Directors and Officers (D&O) Liability policy. In certain instances, they also might be covered by a dedicated cyber insurance policy or a Side-A excess policy (or both), to the extent the company has purchased such products, which are separate and distinct from a D&O form.

Like other public companies, Target has sought to abide by the SEC’s cybersecurity disclosure recommendations, most recently including cyber risk as one of 17 risk factors in the MD&A section of its February 2013 10-K:

If our efforts to protect the security of personal information about our guests and team members are unsuccessful, we could be subject to costly government enforcement actions and private litigation and our reputation could suffer.

The nature of our business involves the receipt and storage of personal information about our guests and team members. We have a program in place to detect and respond to data security incidents. To date, all incidents we have experienced have been insignificant. If we experience a significant data security breach or fail to detect and appropriately respond to a significant data security breach, we could be exposed to government enforcement actions and private litigation. In addition, our guests could lose confidence in our ability to protect their personal information, which could cause them to discontinue usage of REDcards, decline to use our pharmacy services, or stop shopping with us altogether. The loss of confidence from a significant data security breach involving team members could hurt our reputation, cause team member recruiting and retention challenges, increase our labor costs and affect how we operate our business.

State attorneys general have already initiated demands for information and protection for state residents. The Connecticut attorney general is asking for two years of credit monitoring and identity theft protection for state residents, along with more details on the breach and security protocols. Not surprisingly, there have been threats of consumer class actions against Target. It will also be interesting to see if shareholders, or more importantly the plaintiffs bar, think that the disclosure of the risk was adequate. Given the size of the breach, it would not be surprising to see any number of such suits filed against Target.

In the meantime, certain banks are advising consumers that the consumer will not be held responsible for fraudulent charges on their credit cards.

If we look back at the 2007 breach at TJ Maxx (TJX), which affected more than 90 million credit cards, we could gain insight into how MasterCard and Visa might respond to the Target breach. They sued TJX and collectively recovered over $60 million. Other banks, such as Fifth Third Bancorp, Amerifirst Bank, Eagle Bank and SaugusBank, also made claims against TJX. Media reports indicate that TJX paid in excess of $250 million to resolve the myriad claims against it as a result of the 2007 breach. We would expect that number includes crisis management expenses, such the costs of forensic analyses, public relations expenses, notification expenses and other remedial costs. It also likely accounts for regulatory fines and penalties from the government, PCI fines paid to credit card companies, damages paid to both credit card companies and banks, cash and merchandise vouchers for harmed customers, and probably even credit monitoring. It would be challenging to quantify the lost revenue from jilted customers who chose to shop elsewhere following the breach, but we suspect it was meaningful.

Impact on Investors

A key question is, can investors still sue if the stock doesn’t have a precipitous drop? The answer is probably yes. Typical allegations in a securities claim allege that: 1) the management misled investors; 2) the truth came out; 3) the stock dropped as a result; and 4) the investors suffered financial loss. The damage valuation might be determined by comparing the price of the stock prior to the date the “truth” came out and the price after it had been disclosed. That’s an oversimplification of a securities claim, but still reflects the typical pattern.  For something like the Target breach, shareholders could argue that Target failed to fully disclose the potential cyber-related problems, lost business opportunities which kept the stock from rising and therefore caused the loss of future gains, mismanaged and failed to properly oversee its cybersecurity protection program, and other assorted alleged improprieties.

Other Claims

Apart from securities-related disclosure lawsuits, a company like Target also will likely be subject to consumer class actions and regulatory actions. Such lawsuits could lead to sizeable settlements, which could have an impact on the stock price and raise investor concerns. Target’s earnings similarly could be impacted by the costs of breach remediation and associated expenses. It also stands to lose significant opportunity costs, to the extent its management and staff becomes distracted by the post-breach activities. Whatever surfaces will require a lot of money spent in legal and forensic bills.

It is well-known that litigation naming a company’s directors and officers can arise from a variety of alleged misdeeds. Like other entrepreneurs, the plaintiffs are always exploring new legal theories to establish liability and recover damages in order to collect higher fees. When that happens, you can bet those defendants will quickly be looking to their D&O policy for assistance. For every cyberliability underwriter expressing relief that they aren’t insuring Target for this breach, there are likely two D&O underwriters concerned about their policy limit – assuming, of course, that Target has a sizeable D&O insurance tower in place.

Companies like Target likely employ a robust cybersecurity program to protect consumers’ personal and financial information.  But breaches aren’t limited to large multinational operations. According to cyberlaw expert Richard J. Bortnick of Christie Pabarue and Young, and publisher of the blog Cyberinquirer.com, small- and medium-sized public companies are just as much at risk, perhaps even more at risk, than companies like Target. “Every company of every size is at risk,” Bortnick said. “And if you think of it logically, small- and medium-sized companies are likely more at risk, and subject to greater residual financial harm, than the bigger firms. And in the cyber realm, that means small- and medium-sized companies that almost certainly have not invested the resources necessary for proper cybersecurity.” According to Bortnick, “regrettably, oftentimes clients call me in after a breach, not before. And on each occasion, I tell them that the cost to remediate a breach can be multiples of what it would have cost if I had been brought in before the breach and been able to work with the company to plan and implement a cost-effective, best practices cybersecurity regime. Not only does this approach discourage or even prevent hackers, it provides a company with a ‘best practices’ defense to a privacy suit and, potentially, to a shareholder lawsuit.”

As mentioned in the introduction of this advisory, the risks facing your clients following a data breach go beyond the obvious cyberliability insurance policy. How a company has prepared for a breach, what steps have been taken to prevent a breach and what plans are in place to deal with a breach are all executive-level decisions. Regardless of the size of the company, a data breach can be a significant threat to the survival of a company. Companies should buy a cyberliability policy to help respond to a data breach and a D&O policy to protect the management and board for their plans and decisions.

Am I Covered For Cyber-Terrorism?

Are you covered for cyber-terrorism? If you have not purchased Cyberliability insurance, the answer is likely no. A General Liability policy needs bodily injury, property damage or possibly an advertising injury to respond. Property insurers don't view data as tangible property, and a property policy needs a peril like wind, fire or hail to respond to a loss. Crime policies cover embezzlement by employees. In the event of a cyber-terrorism loss, you can look to all of these policies for coverage, but there is only one policy that is designed specifically for this type of exposure — Cyberliability.

The next question is, what constitutes cyber-terrorism? When you think of activities committed by a terrorist, your first thoughts might be actions that lead to death or destruction of property. There are other ways terrorists can inflict harm, including through electronic means.

Below are scenarios that might be covered by a properly structured Cyberliability policy:

Sadly, the array of bad things for a terrorist to try extends far beyond the items listed above. They are out there working on ways to cause mayhem without leaving the comfort of wherever they may call home.

  1. Hackers funded by a foreign government get into your insured's network and cause private information to be leaked into the public domain.
  2. Hackers funded by a hostile party hijack an insured's network and computers and use them to cause a denial of service attack against other third parties, who then sue the insured for not preventing such an event.
  3. Unnamed hackers from a foreign nation deliver a virus to an insured's network and wipe out 30,000 company laptops causing a business interruption loss.
  4. Foreign-sponsored hackers launch denial of service attacks at everyone in the insured's industry in retaliation for some action taken by our own government. The business interruption may be covered, as well as a security breach arising from the attack.
  5. Hackers penetrate the control system for a manufacturing client's assembly line and prevent them from producing their product.
  6. Hackers replace a client's website with offensive or politically motivated content that causes people to sue for emotional distress, libel or slander.
  7. Hackers penetrate an insured's network and threaten to release private records or intellectual property.

To most insurers, it won't matter who is behind the security breach. The hackers can be foreign-sponsored, the kid next door, a disgruntled former employee or an organized crime gang. Coverage should apply regardless of who funded the attack. Cyberliability insurance policies are there to respond to liability claims arising from a security breach as well as some first-party expenses. There are also policies that include coverage for data restoration expenses and business interruption losses.

You probably won't see a policy that states, “You are covered for cyber-terrorism;” however, you should look for any definition of what constitutes a hacker. We have yet to see any definition that differentiates between prankster hackers, criminal hackers, political hackers, organized crime hackers or any other group. It is in the policyholder's favor that the definition isn't limited by a detailed description.

Most policies will be silent regarding the origin of the network attack; it remains your responsibility to be vigilant for any terrorism exclusion as well as acts of war exclusions. If you have been reading the newspapers lately, you have seen articles alleging that other nations have sponsored network attacks against companies and defense contractors in the United States. Some of those alleged foreign nations include Iran, China and North Korea. Our government hasn't classified those as acts of war, but at some point those actions could be deemed a precursor to war. A declaration of war usually requires a vote by Congress, which could take months, meaning that an insurer would likely have to wait to respond until the point a formal declaration of war is made. Insurers aren't intending to cover an aspect of war between two countries, but if an insured's computer network is collateral damage, they should provide coverage for the damages and liability.

A commonly asked Cyberliability question concerns the theft of intellectual property by a foreign nation, company or other party. Unfortunately that first-party loss is not contemplated in current Cyberliability insurance policies. There are intellectual property policies out there designed to defend and enforce patents, but it can be challenging to prove who took the information and how to find them. Those policies usually respond to claims once a competing product with the same or similar design(s) is sold on the open market. The theft of digital blueprints may not be enough to trigger these policies. There are also issues regarding the enforceability of intellectual property rights outside the United States.

A quick search of our major metropolitan newspapers shows that a number of industries are in the sights of a variety of hacker groups. The current list of primary targets includes financial institutions, power companies and defense contractors. In light of these ongoing activities of terrorists and state-sponsored hackers, it remains a good time to look at Cyberliability insurance. Your clients may not specifically be targeted by cyber-terrorists, but their network could suffer collateral damage or be used to inflict damage upon others.

Navigating School Board And Educators Legal Liability Policies

Brokers who place School Board and Educators Legal Liability insurance are beginning to notice that the marketplace has gotten more difficult. Layoffs from budget cuts have triggered an increase in Employment Practices Liability (EPL) claims, while the tough job market has led to an increased amount of “failure to educate” claims.

The very public proceedings involving Penn State University have recently reminded us that sexual abuse and molestation are critical claim issues for schools. Any article written about a class of business that touches Personally Identifiable Information (PII) and doesn't mention Cyberliability fails to address another major source of trouble.

Based on these and other factors, insurers are either non-renewing business or re-underwriting their book, which leads to a restriction in terms.

The typical School Board or Educators Legal Liability policy is designed to protect not only teachers, but also school board members, administrators, volunteers, student teachers and various other members of the educational staff. In a standard policy, the definition of “Wrongful Act” includes coverage for an actual or alleged breach of duty, neglect, misleading statement and other errors or omissions of an insured educator in their capacity or scope of employment on behalf of the educational institution. Most policies also include coverage for Employment Practices Liability (EPL) claims, which tend to be the most frequent cause of loss.

Typical allegations found in claims include:

  • Failure to educate
  • Failure to supervise a classroom
  • Loss of accreditation
  • Employment-related lawsuits claiming sexual harassment, wrongful termination or discrimination
  • Misstatements, misleading statements, breaches of duty, neglect, errors or omissions made by a paid or volunteer board member who assists the school in making critical decisions about operations and economic survival
  • Failure to respond to or prevent bullying activities of the students

Market Commentary
Below are examples of the additional claim scenarios that insurers are seeing in this class of business.

“We are seeing the severity of educators' claims increase dramatically.” — Stephanie Gardner, RSUI

“The biggest issue that we have seen regarding Educators Legal Liability is on the EPL side. This has historically been a frequency-driven class and we have seen an even larger increase in frequency. We have also seen frequency develop into severity, which we had not seen to this extent before. There doesn't seem to be any new trend in the type of EPL claims, just more of them. I believe a lot of this is just a function of the economy and the pressure on school districts to reduce their budgets.” — Matthew Cibulskas, Westchester Specialty

“Bullying claims are being litigated under a 'failure to supervise' accusation. The financial damages to the parents are that they had to pay private school tuition because they had to leave the public school system after nothing was done to stop the bullying. And redistricting claims — many institutions have budget issues and, as a result, are closing schools and consolidating. This has triggered a lot of claims against the school boards.” — Steve Krusko, AIG

“I have seen issues with the for-profit educational segment regarding the federal tuition funding (loans/scholarships) as well as issues with dismal graduation rates and failure to educate allegations.” — Roy Huelsebusch, Crum & Forster

“Unfair competition and misrepresentation during the admissions process, as well as admissions to programs that don't have full accreditation yet (nursing programs seem to be frequent offenders here). Regulatory interest — a high percentage of tuition comes from Pell Grants so state Attorneys General have been pursuing litigation for unfair/deceptive trade practices.” — Rob Faber, AIG

If there was just one area of concern, underwriters could manage that risk with exclusions, sublimits, higher retentions or other means of mitigation. However, with severity increasing and claims coming from many directions, the marketplace has to respond. Underwriters can either withdraw from the marketplace or attempt to work around the hot spots. As mentioned earlier in this article, many insurers have moved away from this class while others are indeed revising their pricing, retentions and coverage terms.

With many schools having renewals on or around July 1, now is the time to formulate your renewal strategy, communicate the conditions of the market to your insured, and begin discussions with your current and prospective insurers.