10/12/2015 12:00 PM
Ilia Kolochenko
Commentary

Cybersecurity Insurance: 4 Practical Considerations

There can't be reliable cybersecurity insurance until companies can identify who is responsible for the continuous exploitation of stolen data, long-lasting attacks, and hardly-detectable APTs.

According to PwC’s Global State of Information Security Survey 2016, which polled more than 10,000 CEOs, CFOs, CIOs, CISOs, CSOs, VPs and directors of IT and security practices from 127 countries, six out of 10 respondents report that they purchased cybersecurity insurance in 2015, up from a little more than half one year earlier. That’s on the heels of Securities and Exchange Commission guidance from the Office of Compliance Inspections and Examinations that financial organizations consider cyber insurance as a part of their cyber-risk management strategy.

Cybersecurity insurance is also portrayed by the media as an important element of corporate cybersecurity defense: a way to minimize the losses caused by growing cybercrime that organizations cannot entirely prevent in advance.

Still, there are many complicated and not particularly obvious questions about the practical implementation of cybersecurity insurance. The first, and probably the biggest, question is how long an insurance company will cover the ongoing consequences of a security incident. Once a system is compromised, it’s impossible to predict the duration of a breach’s exploitation by cybercriminals.

For example, let’s look at the recent hack of the Ashley Madison dating website: hackers still have the entire database in their hands, and they will most likely continue exploiting it in the near future. Hackers will quite probably try to reuse victims’ passwords and try to log in to all their personal and corporate resources and accounts, creating new financial and reputational losses.

Hackers may also conduct highly sophisticated spear-phishing campaigns to get control over the victims’ machines or mobile phones. Once they have gathered as much sensitive data as possible, they will either resell it on the black market or blackmail the victims. This may happen months after the original breach or even later. So the burning question is: will the insurance provider agree to accept liability for the damage related to continuous exploitation of stolen data, such as continuous loss of customers, brand depreciation, or future lawsuits?

If I were an insurer, I’d not take on the risk, because the process could last forever, until the totally depreciated database ends up on Pastebin, just for fun. Therefore, until insurance companies and their clients are able to clearly define who should be responsible for continuous exploitation of stolen data, for long-lasting attacks such as RansomWeb, or for hardly-detectable APTs, we won’t have a reliable cybersecurity insurance industry.

Finding the bad guy

The second major consideration is finding the guilty party for a breach in order to compensate the insured customer. In today’s interconnected world, where the same data or piece of code may be handled and stored in dozens of different datacenters worldwide, it quite often becomes almost impossible to determine who is responsible for the data breach. Similarly, controlling the information security of third-party suppliers is becoming a very difficult task for CISOs these days, and in some cases remains technically and practically impossible.

At High-Tech Bridge, where I am CEO, we recently had a case of a European financial institution that was mysteriously compromised: the logs remained intact and didn’t show any suspicious activity at all. Finally, we discovered that an unencrypted backup was outsourced to a third-party company where it was “securely” stored. After long negotiations, we managed to access and investigate their systems as well, but again in vain; there was not a single sign of the attack.

Eventually, we found that the backup provider had its own backups stored externally and it was the fourth-party IT company that was hacked with all the subsequent consequences. Who is liable for those risks? Theoretically speaking, all companies should select secure third-party providers, but practically it won’t be possible to verify every point of failure even within the insured company, not to mention any third-party or fourth-party providers or consultants.

The third major consideration in cyber insurance is human weakness. It’s no secret that the biggest risk to any system is the human factor. In the case of intentional and well-prepared sabotage, it may be very difficult to trace and prove insider activities.

Moreover, smart (and evil) employees may try to simulate a hacker attack on systems to cover their own criminal activities. Imagine a small group of two to three IT people from a bank who have privileged access to the core banking database. Because members of the group possess different access levels, unique identifiers, proper system logging and correct privilege segregation, it’s unlikely that an insurance company will consider them non-compliant with information security best practices. Yet they can easily steal the data, clean or tamper with the logs, sell the data to a competitor, and then post it on the Dark Web simulating the activities of Russian/Chinese hackers or Anonymous hacktivists. Who will dare to accuse them when starting the investigation? Moreover, it’s likely that they will be part of the investigating team. Such plans offer a great opportunity to defraud an insurance company.
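The insider scenario above hinges on privileged staff being able to clean or tamper with the logs after the fact. One control an insurer or auditor can ask about is tamper-evident logging: each entry is chained to the previous one with a keyed hash, and the latest chain head is anchored somewhere the database administrators cannot write to. The Python below is an added illustration, not code from the original commentary or from High-Tech Bridge; the events, the key and the field names are constructed for the example.

```python
import copy
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

# Constructed example key. The whole point of the design is that the people
# with privileged database access must NOT hold this key; it belongs on a
# separate log-integrity host or HSM, otherwise an insider can edit the log
# and simply re-chain it.
LOG_KEY = b"constructed-example-key-do-not-reuse"
GENESIS = "0" * 64

# Constructed sample of privileged-access events (not real bank data).
SAMPLE_EVENTS = [
    {"ts": "2015-10-09T21:14:02Z", "user": "dba01", "action": "LOGIN", "host": "coredb1"},
    {"ts": "2015-10-09T21:15:40Z", "user": "dba01", "action": "EXPORT", "table": "customers", "rows": 250000},
    {"ts": "2015-10-09T21:16:05Z", "user": "dba01", "action": "LOGOUT", "host": "coredb1"},
]


def _digest(prev: str, event: dict) -> str:
    """Keyed hash over the previous digest and the canonical JSON of this event."""
    payload = prev.encode() + json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(LOG_KEY, payload, hashlib.sha256).hexdigest()


def append_event(chain: List[dict], event: dict) -> dict:
    """Append an event, linking it to the digest of the entry before it."""
    prev = chain[-1]["digest"] if chain else GENESIS
    entry = {"event": event, "prev": prev, "digest": _digest(prev, event)}
    chain.append(entry)
    return entry


def verify_chain(chain: List[dict], expected_head: Optional[str] = None) -> Tuple[bool, int]:
    """Walk the chain and recompute every digest.

    Returns (True, -1) when the chain is intact, or (False, i) with the index of
    the first entry whose link or digest does not check out. An edited event
    changes its own digest; a deleted entry breaks the 'prev' link of the entry
    after it. Pure truncation (dropping the newest entries) is only caught when
    the caller supplies the head digest that was anchored off-host, e.g. in a
    write-once store the DBAs cannot reach.
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        recomputed = _digest(prev, entry["event"])
        if entry["prev"] != prev or not hmac.compare_digest(recomputed, entry["digest"]):
            return False, i
        prev = entry["digest"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(chain)
    return True, -1


def build_sample_chain() -> List[dict]:
    """Build the chain for the constructed sample events."""
    chain: List[dict] = []
    for ev in SAMPLE_EVENTS:
        append_event(chain, ev)
    return chain


def tampered_edit(chain: List[dict], idx: int, field: str, value) -> List[dict]:
    """Copy of the chain in which one event field was edited in place."""
    c = copy.deepcopy(chain)
    c[idx]["event"][field] = value
    return c


def tampered_delete(chain: List[dict], idx: int) -> List[dict]:
    """Copy of the chain with one entry removed."""
    c = copy.deepcopy(chain)
    del c[idx]
    return c


if __name__ == "__main__":
    chain = build_sample_chain()
    head = chain[-1]["digest"]  # this value is what gets anchored off-host
    print("intact:            ", verify_chain(chain, head))
    print("export size edited:", verify_chain(tampered_edit(chain, 1, "rows", 3), head))
    print("export entry gone: ", verify_chain(tampered_delete(chain, 1), head))
    print("newest entry gone: ", verify_chain(chain[:-1], head))
```

The chain only makes the log tamper-evident, not tamper-proof: whoever holds LOG_KEY and can overwrite the anchored head can still rewrite history, which is why the key and the anchor have to sit outside the privileged group's reach, and why an investigator should compare the on-host chain against the anchored head before trusting what the logs show.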

I remember an investigation case we performed for a bank. A malicious employee used his corporate notebook to send out some sensitive data, and in order to clear his traces he managed to disable his AV protection and started surfing various pornographic websites. Obviously he got infected pretty quickly, and when his notebook was confiscated for investigation after the weekend, he warned us that he had been hacked and that something was going on with his PC. Finally, we managed to prove what really happened, but if the employee had been a technical expert, even our team would not have been helpful in the investigation process.

Last, but not least, is it even possible for insurance companies to verify in a reliable and holistic manner that their customers are taking every appropriate measure to mitigate the insured cyber risks? The use of third-party assessors is one possible approach. For instance, for PCI DSS compliance, QSA companies can continuously verify, validate, and assure a certain level of security. However, cyberattacks often go way beyond the realms of PCI DSS audit scope. Are insurance companies ready to verify how well their clients are protected in a technically competent, continuous and holistic way?

The bottom line is that when it comes to cybersecurity insurance, there are many more questions than answers. And until the security industry has a clear understanding of these issues, it will be next to impossible to have a substantive discussion about its value.

Ilia Kolochenko is a Swiss application security expert and entrepreneur. Starting his career as a penetration tester, Ilia founded High-Tech Bridge to incarnate his application security ideas. Ilia invented the concept of hybrid security assessment for Web applications that ...

Comments

UTIWARI, User Rank: Apprentice
10/16/2015 | 9:00:41 PM
Re: Weak Cyber Insurance Foundations
Insurers are commercial enterprises too. They won't or can't provide coverage without reasonable understanding of the risk involved. There is unfortunately no incentive for the people suffering from the losses to actually quantify and publish the losses incurred. It is going to be a long time before this field matures enough for the actuaries to reasonably cover all possible potential scenarios and still have buyers ready to pay the premium for the coverage. Cyber has to almost become a utility that is uniform for all (like electricity) before that happens. 
EinavN331, User Rank: Apprentice
10/16/2015 | 3:06:13 AM
The right Cyber Crime Insurance can literally save your business
No doubt that cyber crime reveals many unresolved problematic issues; even for the most secure bodies it is a challenge. This is why cyber insurance CAN save your business, if only you are wise enough to purchase it via professionals. I can advise that, insurance-wise, the attacked entity does not need to prove the cause of the loss (to data etc.) nor the identity of the attackers. Moreover, referring to the Ashley Madison case, it doesn't matter that the attackers still hold the data and can use it as they wish; there is a solution called "identity theft cover" that offers policies to the third parties. In addition, the right insurance obviously funds the insured's regulatory expenses, which can reach hundreds of millions of dollars, as well as legal expenses and other experts to recover your system and restore the lost data. This is in a nutshell. Of course, since all of cyber crime is relatively new, the insurance market always keeps growing and developing in order to extend and fit the existing offered covers to the risk your business is facing.
oneilldon, User Rank: Guru
10/13/2015 | 10:20:50 AM
Weak Cyber Insurance Foundations

Cyber Insurance is stalled because of a lack of actuarial data. This stems from the unwillingness of industry to participate in incident data and information sharing made impossible by Congress's unwillingness to provide indemnification for participants. 

Beyond that, the uncertainties associated with a useful and credible Cyber Insurance market are wide ranging and depend on Cyber Security theory and foundations, reduction of theory to practice, the collection and use of empirical practice data, the validation of actual practices against the theory based on empirical data, information sharing, realistic premium setting, informed and trustworthy coverage, and straightforward dollar convertible Cyber consequences. These uncertainties have not yet been reduced to calculated risks.