Tag Archives: firewall

Now Is the Time for Cyber to Take Off

Uncertainty about several key variables appears to be causing U.S. businesses and insurance companies to move cautiously into the much-heralded, though still nascent, market for cyber liability policies.

Insurers continue to be reluctant to make policies more broadly available. The big excuse: Industry officials contend there is a relative lack of historical data around cyber incidents, and they bemoan the constantly evolving nature of cyber threats.

This assessment comes in a report from the Deloitte Center for Financial Services titled Demystifying Cyber Insurance Coverage: Clearing Obstacles in a Problematic but Promising Growth Market.

“Insurers don’t have sufficient data to write coverage extensively with confidence,” says Sam Friedman, insurance research leader at Deloitte.

But the train is about to leave the station, and some of the stalwarts who shaped the insurance business into the ultra conservative (read: resistant to change) sector it has become could very well be left standing at the station.

Consider that regulations imposing tighter data handling and privacy protection requirements are coming in waves. Just peek at the New York Department of Financial Services’ newly minted cybersecurity requirements or Europe’s recently revamped General Data Protection Regulation.

With cyber threats on a steadily intensifying curve, other jurisdictions are sure to jump on the regulation bandwagon, which means the impetus to make cyber liability coverage a standard part of everyday business operations will only increase.

Meanwhile, cybersecurity entrepreneurs, backed by savvy venture capitalists, are moving aggressively to eliminate the weak excuse that there isn’t enough data available to triangulate complex cyber risks. In fact, the opposite is true.

Modern-day security systems, such as anti-virus suites, firewalls, intrusion detection systems, malware sandboxes and SIEMs, generate mountains of data about the security health of business networks. And the threat intelligence systems designed to translate this data into useful operational intelligence are getting more sophisticated all the time.

See also: Why Buy Cyber and Privacy Liability. . .  

And while large enterprises tend to have the latest and greatest of everything, in house, even small and medium-size businesses can access cutting-edge security systems through managed security services providers.

Meanwhile, big investment bets are being made in a race to be the first to figure out how to direct threat intelligence technologies to the task of deriving the cyber risk actuarial tables that will permit underwriters and insurers to sleep well at night. One cybersecurity vendor to watch in this arena is Tel Aviv, Israel-based InnoSec.

“Cyber insurance policies are being given out using primitive means, and there’s no differentiation between policies,” observes InnoSec CEO Ariel Evans. “It’s completely noncompetitive and solely aimed right now at the Fortune 2000. Once regulation catches up with this, cyber insurance is going to be required. This is around the corner.”

InnoSec was busy developing systems to assess the compliance status and overall network health of companies involved in merger and acquisition deals. It now has shifted to seeking ways to apply those network assessment approaches to the emerging cyber insurance market.

At the moment, according to Deloitte’s report, that market is tepid, at best. While some have predicted U.S. cyber insurance sales will double and even triple over the next few years to reach $20 billion by 2025, cyber policies currently generate only between $1.5 billion and $3 billion in annual premiums.

Those with coverage in minority

As of last October, just 29% of U.S. businesses had purchased cyber insurance coverage despite the rising profile of cyber risk, according to the Deloitte report. Such policies typically cover first- and third-party claims related to damages caused by a breach of personally identifiable information or some derivative, says Adam Thomas, co-author of the Deloitte report and a principal at the firm. In some cases, such policies also might cover business disruption associated with a cyber incident.

The insurance industry contends it needs more businesses to buy higher-end, standalone cyber insurance policies, until enough claims data can be collected to build reliable models, much as was done with the development of auto, life and natural disaster policies.

But businesses, in turn, aren’t buying cyber policies in enough numbers because insurers are adding restrictions to coverage and putting fairly low limits on policies to keep exposure under control. “It is a vicious cycle,” Friedman says.

“Insurers recognize that there is a growth opportunity, and they don’t want to be left out of it,” he says. “On the other hand, they don’t want to take more risk than they can swallow.”

While the insurance industry gazes at its navel, industry analysts and cybersecurity experts say the big challenge—and opportunity—is for underwriters and insurers to figure out how to offer all businesses, especially small- and medium-size companies, more granular kinds of cyber policies that actually account for risk and provide value to the paying customers.

“What they’re doing now is what I call the neighbor method,” InnoSec’s Evans says. “You’re a bank, so I’ll offer you a $100 million policy for $10 million. The next guy, he’s a bank, so I’m going to offer him a $100 million policy for $10 million. It has nothing to do with risk. The only place this is done is with cyber.”

Talk in same terms

This is due, in part, to a lack of standard terminology used to describe cyber insurance-related matters, says Chip Block, vice president of Evolver, a company that provides IT services to the federal government. The SANS Institute, a well-respected cybersecurity think tank and training center, last year put out a report that drills down on the terminology conundrum, including recommendations on how to resolve it, titled Bridging the Insurance/Infosec Gap.

And the policies themselves have been another factor. “If you compare car insurance from Allstate and Geico, a majority of the policies are relatively the same,” Block says. “We haven’t gotten to that point in cyber. If you go from one underwriter to another, there is no common understanding of the terminology.”

Understandably, this has made it hard for the buyer to compare policies or to determine the relative merits of one policy over the other. Block agrees that cyber policies today generally do not differentiate based on risk profile—so a company that practices good cyber hygiene is likely to see no difference in premiums as compared with one that doesn’t.

See also: How Data Breaches Affect More Than Cyberliability  

Industry must get moving

InnoSec’s Evans argues that even though cybersecurity is complex, the technology, as well as best-practice policies and procedures, is readily available to solve the baseline challenges. What is lacking is initiative on the part of the insurance industry to bring these components to bear on the emerging market.

“This is absolutely possible to do,” she says. “We understand how to do it.”

Putting technological solutions aside, there is an even more obvious path to take, Friedman argues. Resolve the terminology confusion and there is little stopping underwriters and insurers from crafting and marketing cyber policies based on meeting certain levels of network security best practices standards, Friedman says.

“You look at an organization’s ability to be secure, their ability to detect intrusions, how quickly they can react and how much they can limit their damage,” he says. “In fact, insurers should go beyond just offering a risk-transfer mechanism and be more aggressive in helping customers assess risk and their ability to manage and prevent.”

Thomas pointed to how an insurance company writing a property policy for a commercial building might send an engineering team to inspect the building and make safety recommendations. The same approach needs to be taken for cyber insurance, he says.

“The goal is to make the insured a better risk for me,” he says.

Unlocking the Gate to Open Innovation

Many of the innovations fueling economies in our information age did not require new technologies or scientific feats, but rather depended on arranging and manipulating in a novel manner existing technologies, as well as devising new business methods or applying established ones with an ingenious twist.

These sorts of innovations are in most cases extremely efficient. They are less expensive to benefit from, and the duration between awareness and implementation is relatively short.

Coming up with such innovative ideas and detailed product descriptions relating to the Internet and mobile market does not require any special training or education, and most of the information that is needed for a potential innovator is available in plain sight for all of us.

That doesn’t mean it’s easy to achieve such innovations and creative insights. But it does suggest that the chances of being enlightened with the same innovative concept are similar for both a bright Google employee and a bright and curious Indian or Chinese teenager or an adult with a smartphone.

Of course, when comparing the chances of being enlightened with a true and disruptive innovation on a specific issue, the group of 60,000 Googlers has slim chances of getting there ahead of the billions of teenagers and adults in the world.

You would think that applying open innovation, which gets 3.3 million search results on Google, would direct companies to take advantage of those billions of potential innovators out there. That’s definitely not the case, and I’m guessing that for most companies open innovation involves mainly following and cooperating with external companies and start-ups as well as with relevant academic institutions and individuals.

In fact, most companies discourage potential innovators in the general population from sending anything valuable to them. Have a look at Apple’s policy. The company covers all (contradicting) bases, starting with:

“Apple or any of its employees do not accept or consider unsolicited ideas”

And ending with:

“your submissions will automatically become the property of Apple, without any compensation to you. Apple may use or redistribute the submissions and their contents for any purpose and in any way”

Google appears to be more polite and logical, and so does Amazon, but the bottom line is the same: There are no incentives and only risks for potential innovators from the public to send anything valuable to such companies.

There are certainly legal risks in soliciting detailed concepts and product designs from the public, so I don’t blame companies for being cautious. I do think they can be creative in seriously mitigating those risks.

What can be done?

To start with, companies need to realize they are far less innovative in many areas of their business than they could be. And even hiring thousands of additional geniuses and cooperating with established third parties can’t do much to improve their improbable odds against a competitor that solicits innovation from the general population.

One way to go forward would be to engage trusted third-party professionals (maybe a new company consisting of former executives and employees) that would act as an “innovation firewall” between the public and the company itself (the “trustee”). The rules should be simple. All detailed product description and innovation concepts would be transferred only to the trustee, which would have an obligation of confidentiality both to the claimed innovator and to the company (regarding information the trustee possesses or receives from the company itself).

The trustee would have the hard job of screening the input received from the public, finding the innovation jewels and then verifying as best it can that such an innovation does not already exist within the company. Once a true innovation is found, the trustee would make the direct connection between the innovator and the company. A standard nondisclosure agreement would then be executed.

The public should also be educated on how to present concepts, replacing the innovation-suffocating legal text existing in the links provided above.

How to Start Managing Cyber Risk

Hardly a day goes by without a news flash about another cyber breach. Since security breaches have become a daily occurrence, I sat down with Jeremy Henley at ID Experts to discuss the most common ways that companies are being breached and how companies can start to assess their cyber risk profile.

Question: Jeremy, what are the most common ways that you are seeing small to mid-size companies being breached?

Answer: One of the common ways that companies are being breached by hackers is that the hackers exploit vulnerabilities in the company’s security network. This includes the company’s failure to update software or upgrade their systems, as well as the failure to have the appropriate checks and balances in place. Small to mid-sized businesses are particularly vulnerable as they often don’t have the IT staff or budget to continually upgrade and update their systems as their organizations change and grow.

The second most common way companies are breached is through simple employee negligence. This would include a company’s failure to train and educate their employees on basic cyber security. For example, the failure to educate employees on the risks of downloading private data onto a portable device that is not encrypted as well as the failure to educate employees as to how to identify scams that ask them to open suspect emails or attachments. Companies need to educate their employees about the dangers of connecting to unsecured Wi-Fi connections at the airport or Starbucks when they are doing work that includes logging in to sensitive company systems. If someone is spoofing the airport Wi-Fi, you are essentially sharing everything you are doing online with that attacker.

Question: Once clients realize the security risks they face in today’s world, clients often ask where they should start with respect to updating their network security. Do you have any guidance for them?

Answer: I advise our clients to start by asking themselves three questions: 1) What data are we collecting? This is important, as it will help them determine what regulations they may need to comply with (HIPAA/HITECH, PCI and 47 state breach notification laws, etc.). 2) How are they managing the data that they have? This includes examining what technology the company is using, whether it is creating multiple layers to its security with firewalls and antivirus, and whether it is creating policies and procedures and training employees as to security safeguards. 3) I would ask the company to examine who they are sharing the data with. Specifically, which vendors or clients have access to its systems, and ask those vendors what security and privacy policies they have in place (if any). You might consider requiring your vendors to provide proof of a security audit or insurance in the event they are the cause of a breach of info that you were entrusted with.

Question: What role does cyber insurance play with your clients?

Answer: Cyber insurance has been invaluable to many of our clients, as most cyber policies include pre-breach education tools and employee training information as well as sample security policies or an incident response plan. Some carriers also work with us to provide risk assessment and penetration testing so that weaknesses can be identified and corrected prior to a breach incident. In my experience, the most valuable part that insurance plays is that the insured is able to fund an appropriate response in the wake of a breach. Clients that do not have cyber insurance usually do not have a budget set aside to deal with this unfortunate event, and after a breach do not have the funding to adequately fund the most appropriate response, therefore limiting their ability to respond to the significant reputational, financial and legal ramifications that such an incident can cause to their organization.

The New Cyberthreat You Face at Work

The latest greatest swindlers in the cybercrime racket know you’re onto their digital three-card monte, and they’ve made a few adjustments, putting yet another wrinkle in the corporate-hacking game by targeting top-level employees for major profits.

These hackers appear to be based in North America or Western Europe, and they know a great deal about the companies and industries they’ve been cracking. They could be “white-collar hackers” or just good students of character. It really doesn’t matter. Here’s what counts: They are hatching cyberthreats so nuanced you may not see the hack that takes out your company ’til the smoke clears.

These hackers may have worked for your company, or one like it. They are going to know how your teams communicate. They’ll use the lingo and shorthand that you see every day. Emails may be super simple, like, “I need another pair of eyes on this spreadsheet about [term of art only people in your business would know].” They may know what you are likely to be talking about after certain kinds of industry news releases, and they’ll have a good idea of what times of day get busy for you so that you are more distracted and less likely to think before you click.

“The attacks are becoming much more sophisticated than anything we’ve seen before,” says Jen Weedon, a threat intelligence officer at the Silicon Valley-based cybersecurity firm FireEye.

The New York Times reported about one such group of hackers targeting senior executives at biotech companies with a goal of garnering insider information to game the stock market.

FireEye has been tracking the group, which the company calls Fin4, for a year and a half. (The “Fin” designation is assigned by the company to indicate groups where the main goal is to monetize proprietary information.)

“Fin4 has reached a threshold of capability that sets them apart,” Weedon told me during a phone conversation. “They are very thoughtful about who they target. They go after specific companies and are a lot more scoped in their approach.”

Attacks of this kind may start with the studied e-impersonation of trusted colleagues, business associates or anyone from a constellation of contacts—compliance officers, regulators, legal or financial advisers—with the single purpose of getting someone in a senior position to personally, unwittingly hand over the keys to the castle. Once Fin4 is in, sensitive—potentially lucrative—information can be accessed and put to use.

“They will send a very convincing phishing email,” Weedon said. “It may prompt a link that looks just like Outlook.” The target enters her credentials to see the attachment, not realizing that she was never in Outlook at all. There may even be a legitimate document on the other side of that fake login page, but it’s a trap. Once the hacker is inside a key person’s inbox, Outlook rules are changed so that any message containing the words “hacked” or “malware” goes straight to the user’s trash folder, giving the cyber-ninja more time in the system to collect information about mergers and acquisitions, compliance issues, press releases and non-public market-moving information—anything that can be used to make a smarter stock market trade.
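The mailbox-rule trick described above is itself something a defender can look for. The following is an added example, not code from the original article or from FireEye, of a rule audit that flags rules combining security-related keywords with a delete or hide action, and rules that forward mail outside the organisation; the rule field names, the sample rules and the tenant domain are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List

# Terms a colleague would use when warning the mailbox owner about a compromise.
SECURITY_KEYWORDS = {"hacked", "malware", "phishing", "compromised",
                     "suspicious", "breach", "password reset"}

# Rule actions that keep a matching message out of the owner's sight.
HIDING_ACTIONS = {"delete", "move_to_deleted_items", "move_to_junk", "mark_as_read"}


@dataclass
class InboxRule:
    """One mailbox rule, shaped loosely like an Exchange inbox-rule export.
    The field names are an assumption of this example, not an official schema."""
    mailbox: str
    name: str
    keywords: List[str] = field(default_factory=list)    # subject/body match terms
    actions: List[str] = field(default_factory=list)     # what the rule does on a match
    forward_to: List[str] = field(default_factory=list)  # forwarding targets, if any


@dataclass
class Finding:
    mailbox: str
    rule: str
    reason: str


def audit_rule(rule: InboxRule, internal_domain: str) -> List[Finding]:
    """Flag the two behaviours a defender cares about: hiding security warnings
    from the owner, and quietly copying mail out of the organisation."""
    findings: List[Finding] = []
    hits = {k.lower() for k in rule.keywords} & SECURITY_KEYWORDS
    hides = set(rule.actions) & HIDING_ACTIONS
    # A keyword alone is not suspicious (a security team may file vendor alerts);
    # it is the keyword combined with a hiding action that matches the pattern.
    if hits and hides:
        findings.append(Finding(rule.mailbox, rule.name,
                                f"hides messages matching {sorted(hits)} via {sorted(hides)}"))
    external = [a for a in rule.forward_to
                if not a.lower().endswith("@" + internal_domain.lower())]
    if external:
        findings.append(Finding(rule.mailbox, rule.name,
                                f"forwards mail outside the organisation to {external}"))
    return findings


def audit_mailboxes(rules: List[InboxRule], internal_domain: str) -> List[Finding]:
    """Run audit_rule over every rule in the tenant and collect the findings."""
    return [f for rule in rules for f in audit_rule(rule, internal_domain)]


# Constructed sample rules for a fictional tenant "example.com".
SAMPLE_RULES = [
    # The pattern described above: warnings about "hacked"/"malware" vanish silently.
    InboxRule("ceo@example.com", "Cleanup", keywords=["hacked", "malware"],
              actions=["move_to_deleted_items", "mark_as_read"]),
    # Benign: the security team files vendor malware alerts into a folder it reads.
    InboxRule("soc@example.com", "Vendor alerts", keywords=["malware"],
              actions=["move_to_folder"]),
    # Benign: deleting newsletters involves no security keyword.
    InboxRule("marketing@example.com", "Newsletters", keywords=["newsletter"],
              actions=["delete"]),
    # Suspicious: silent external forward of everything, no keyword needed.
    InboxRule("cfo@example.com", "Backup", actions=["forward"],
              forward_to=["personal.archive@mail-example.net"]),
]

if __name__ == "__main__":
    for f in audit_mailboxes(SAMPLE_RULES, "example.com"):
        print(f"{f.mailbox}: rule '{f.rule}' {f.reason}")
```

Run against a real rule export, the same check also surfaces rule creation that the owner does not recognise, which is the point at which to reset credentials and review sign-in logs.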

According to Weedon, the group has been able to infiltrate email accounts at the CEO level.

Once they’ve gained access, the hackers may simply collect everything in the CEO’s inbox or take an attachment found there and plant malware that then spreads throughout the company, thereby exposing still more information. The difference here is that the hack relies on legitimate credentials to gain access, so it’s a much lighter touch with potentially much more information being compromised. If the hackers forgo malware, there aren’t necessarily any traces at all of the compromise.

The “old” way these breaches worked—one still very much practiced by Chinese and Russian groups—involved the use of general information, kinda-sorta knowledge of the target’s business and hit-or-miss English. Because there is often less specificity and more variables in these kinds of softer attacks, the dodge is easier to spot. A lower-level employee is the one more likely to fall for it, and in most cases these targets don’t have the kind of access to information that can cause major damage. Having gained whatever access is possible through their mark, old-school hackers move laterally into the organization’s environment, whether by recording keystrokes to exploit privileged employee credentials or blasting a hole in the company firewall. They might as well be Bonnie and Clyde robbing a bank. The goal is to siphon off information that can be turned into an easy profit, but the process leaves traces.

What’s so worrisome about Fin4 is that the hackers can come and go—gaining access to everything and anything pertaining to your company—and you may never know it. For the numerous healthcare and biotech companies that they targeted, the only real-life consequence could be an advantageous trade that somehow anticipated the announcement of a new drug, or shorted a stock associated with a failed drug trial.

If you are the target of choice, you will have to be exceptionally well trained by a cutting-edge information security professional and completely tuned in to the subtleties of your workflow to avoid getting got. These fraudsters will have at their fingertips the kinds of information that only an insider should know, and the bait they dangle in front of you will be convincing.

While the art is very different, the basic mechanism is the same. Company-killing compromises require human error. While more common hacks rely on a weakest link that can be exploited, the more hackers evolve, the more we all must evolve with them.

Cyber Risk

Understanding your exposure to technology and implementing baseline controls should always come before you consider insuring those risks.

What is a firewall? What would I do with a privacy policy? What is encryption and why would my company need to encrypt any of our data? How would I implement an incident response plan? How many personal health records do we have in our database? Do we do background checks? Who has access to our server room? Why do I need to answer so many questions just to get a proposal for insurance?

These are the types of questions that come up during the cyber insurance application process, and this is often the first time someone outside of the IT department has had to answer them. With the growth of the cyber insurance industry, now estimated to be almost $1,000,000,000 in gross written premium for 2011 [1], risk managers, insurance agents and boards of directors are wondering why they now also have to talk to the IT department when discussing risk management and their insurance renewal.

A vendor mistake, an administrator's misconfigured firewall or even an improperly negotiated cloud contract can pose a systemic risk to your corporation.

As regulatory expectations continue to be set higher (due to increased enforcement of the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act, the 46 different state notification laws enforced by state attorneys general, and the Fair and Accurate Credit Transactions Act) and consumer opinion is constantly being expressed in the form of class action suits, these situations continue to get more difficult to navigate.

Plaintiff attorneys' allegations addressing monetary damages as a result of privacy or security breaches are consistently being brought. Not having adequate controls is the common focus of such suits that follow a breach. Additionally, the bad actors that are trying to improperly gain access to your information will consistently focus on firms who lack simple/intermediate controls.

According to Verizon, 96% of attacks were not highly difficult and 97% of breaches were avoidable through simple or intermediate controls [2]. Your own data (account lists, legal documents, vendor agreements, price lists, R&D information, trade secrets) and client/patient information (personally identifiable information/health records) are what the hackers want.

Implementing baseline controls is the first element of fixing your cyber problems.

Several states have enacted laws that expect these baseline controls to be in place to protect their consumers. In Massachusetts, for example, a regulation (WISP [3]) expects a legal entity holding personal information about a Massachusetts resident to develop and implement a written information security program to protect that personal information. If this standard is not met, on top of civil penalties of up to $5,000 per violation, the corporation could also face negligence-based litigation.

Like every state notification law that exists today, the law is based on the location of the consumer, not the corporation's place of domicile. In Nevada, since 2008, businesses have been required to use encryption when transmitting a customer's personal information externally (aside from fax) [4]. Additionally, PCI (Payment Card Industry) has required all corporations involved in credit-card transactions to comply with varying degrees of requirements based on size. For additional information, refer to https://www.pcisecuritystandards.org/merchants/how_to_be_compliant.php.

This is an important step for companies dealing with credit cards. The 2012 Verizon Data Breach Investigations Report also found that 96% of victims subject to the PCI Data Security Standard had not achieved compliance. This statistic shows the importance of taking security controls seriously.

Once your organization takes cybersecurity controls seriously and understands that even the best controls don't isolate it from the exposures that exist, you should then take the time to discuss the insurance implications. Your insurance agent or broker can provide input on how current insurance coverage(s) could respond, and can also get you in touch with over 30 insurance markets' underwriters who have dedicated cyber products and submission processes and are able to design coverage specific to your company. Additionally, most markets can help with loss control and ensure that you stay abreast of the current threat environment.

With adequate controls, a general understanding of the regulatory implications of a privacy breach and knowing the insurance consequences, you will be much better prepared if a problem with your company's technology does happen.

[1] Cyber Betterley Report, 2012

[2] Verizon 2012 Data Breach Investigations Report

[3] Massachusetts 201 CMR 17

[4] Nev. Rev. Stat. 597.970(1) (2005)