Endpoint
8/21/2017 10:00 AM
Chris McDaniels
Commentary

The Pitfalls of Cyber Insurance

Cyber insurance is 'promising' but it won't totally protect your company against hacks.

Imagine an insurance market plagued by eye-popping premiums and deductibles, skimpy coverage, a lack of standards that makes "apples-to-apples" comparisons of policies nearly impossible, and customers who are at a significant disadvantage because they don't fully understand their risks or how much coverage they need.

No, the above isn't a description of the individual health insurance market; it describes the enterprise cyber-insurance market.

What's in Your Policy?
Although the cyberthreat landscape grows more dangerous by the day, half of U.S. firms have no cyber insurance, 27% have no plans to buy coverage, and only 16% report having a policy that covers all of their risks, according to a FICO survey.

While it's true that some organizations refuse to buy cyber insurance out of the misguided notion that they don't "need" to worry about being hacked, this mindset isn't entirely at fault. Just as many individuals have found their "good" health insurance to be useless in the face of a catastrophic illness, many enterprises have been left high and dry by cyber-insurance policies that didn't fully protect them after a major cyber attack.

Ameriforge Group sued its cyber insurer, Chubb Group, when Chubb refused to cover the $480,000 in losses the manufacturer incurred due to a CEO email phishing scam. Chubb paid out on some of the losses P.F. Chang's suffered after a point-of-sale data breach but did not cover the $1.9 million Payment Card Industry Data Security Standard assessment the restaurant chain was slapped with. Sometimes, firms can inadvertently void their policies before an attack happens. Policies that include cyber-extortion clauses prohibit organizations from publicly disclosing that they have purchased this coverage – such as in a security operations center report or a press release.

Cyber Insurance Market “Promising” but Dysfunctional

A report by Deloitte released in February, "Demystifying Cyber Insurance Coverage," describes a market that is "promising" but "problematic" for both insurers and customers. Because cybersecurity is a relatively new field and the threat landscape changes daily, insurers don't have the historical data they need to build reliable predictive models. They fear a catastrophic accumulation of claims if a major attack were to hit multiple insured customers, as happened with WannaCry and NotPetya ransomware. Insurers also tend to offer policies focused on the protection of personally identifiable information (PII), even though many organizations don't handle PII or are more susceptible to ransomware, cyber extortion, or other attacks that don't involve PII.

Customers, meanwhile, may not have a complete grasp of their organizations' vulnerabilities or of the threat landscape in general. The result is firms buying "skinny" (but still very expensive) policies that offer scant protection or exclude the very threats they're most vulnerable to. Other organizations mistakenly believe that their general business liability or business interruption policies cover cyber attacks.

Cyber Insurance Isn't a Replacement for Cybersecurity
Cyber insurance may promote a moral hazard, where companies feel they don't have to invest in cybersecurity because “the insurance will cover it” if they get hacked. Yet, even the most robust policy will not cover all of a business's losses after an attack. It may not cover regulatory fines, as in P.F. Chang's case, and it won't cover all of the losses incurred if a business has to scale back operations or even temporarily shut down in the wake of an attack. Cyber policies also generally don't cover ransomware attacks that can be traced back to malicious insiders, such as rogue employees or disgruntled third-party vendors.

Other organizational challenges include the need to have a thorough knowledge of the corporate data environment, vulnerabilities, and risks, as well as the overall threat environment, which changes daily. Furthermore, there's a lack of standardization in the insurance market, which makes comparing policies difficult.

Cyber-insurance policies also don't eliminate the need for organizations to take proactive steps to secure their systems. In fact, insured customers are required to do so or their policies will be voided. So, regardless of whether an organization purchases a policy or not, it will still need to do the following:

• Keep all software and operating systems updated (remember, WannaCry and NotPetya both attacked older versions of Windows)

• Run robust, up-to-date antivirus software

• Maintain compliance with industry and regulatory standards like HIPAA and PCI-DSS

• Continually monitor networks for suspicious activity, 24 hours a day, 365 days a year

• Have in-house and/or remote security staff on hand at all times to respond to anomalies and attacks

• Have a comprehensive, written cybersecurity policy that is regularly reviewed and updated

• Train all employees on cybersecurity best practices, such as how to spot phishing emails

• Control physical access to sensitive areas on its premises, such as server rooms

• Utilize other controls, such as firewalls, network segmentation, and encryption as appropriate

• Perform regular backups so that systems can be restored in the event of a ransomware attack, or even a natural disaster like a fire or flood

Chris McDaniels is Chief Information Security Officer of Mosaic451, a cybersecurity service provider and consultancy with expertise in building, operating, and defending some of the most highly secure networks in North America. McDaniels is a US Air Force veteran with over 14 ...
Comments
Joe Stanganelli, User Rank: Ninja, 8/25/2017 | 7:34:10 PM
Re: Insurance?
@REISEN: Doctors and lawyers -- even the very best -- typically have malpractice insurance as a matter of course. And most companies have some form of umbrella policy at the very least as a matter of course. Drivers have auto insurance as a matter of course (sometimes as a matter of law, albeit). It's a bit hard for me to agree that cyberinsurance is for cowards just because it goes to things you should be doing anyway.

Bad things happen. That's what insurance is for.
Joe Stanganelli, User Rank: Ninja, 8/25/2017 | 7:31:12 PM
Re: Insurance?
@REISEN: To be fair, most if not all of this is exactly what cyberinsurance carriers do. Granted, however, the standards/procedures are way different between small businesses (who typically just have to fill out a form) and large enterprises (which have to undergo actual audits).
mcavanaugh1, User Rank: Apprentice, 8/25/2017 | 8:45:28 AM
Re: Insurance?
While the article is better than most when it comes to the topic, the information is still not entirely accurate. There are carriers that are guilty of providing "skinny" coverage forms; however, the same can be said for many E&O carriers just trying to get some quick premium. To generalize the entire marketplace based on a couple of cases where coverage was not provided is misguided. In the case of P.F. Chang's, the policy did not include coverage for PCI fines & penalties because the agent/broker that placed the business did not include the coverage when they offered terms from Chubb. The reference to the Ameriforge case is even worse because the claim involves a crime insurance policy, not a cyber insurance policy! These types of errors fall mostly on the part of the agent & broker that helped place the business for not obtaining or presenting the right coverage to the purchaser of the policy.

From a policy perspective, a comprehensive stand-alone cyber insurance policy will include coverage for the breach of PII/PHI, Cyber Extortion (including ransomware & other extortion events), business interruption & lost income from an event, and lost revenues as a result of your vendor suffering an attack impacting your business, all with a minimum premium of $1,000 for a 1M limit. The rating basis for premiums is a combination of the revenues, operations/industry and (if available) the number of records being stored. For example, a 100M manufacturer is going to be seen as a lower risk than a 10M healthcare practice because of the nature of information and regulatory environment on the healthcare side.

The fact of the matter is that these policies should not be seen only as an insurance policy. A good policy should be used as a service to make your company a better risk. Coverage with the right insurance carrier can include risk management in the form of portals & webinars, with others going so far as to offer proactive risk management in the form of consulting, active monitoring, table tops, and pentesting as a part of the policy. No matter how good an IT department can be, there is no way to solve the problem of IT & Cyber security, especially when it comes to the human element, but the problem and risk can be managed. Similar to having a general liability or E&O policy, a cyber insurance policy should be seen as a way to round out a company's risk management.
REISEN1955, User Rank: Ninja, 8/23/2017 | 11:07:58 AM
Re: Insurance?
True - have no idea what current rates are though. This is a relatively new fad and I think written for cowards in the IT staffing department - when management has zero faith in what they are doing! How many employers take out insurance, in general, to protect employees from failing to do their jobs????
mcdanielsc, User Rank: Apprentice, 8/21/2017 | 4:09:00 PM
Re: Insurance?
Insurance premiums would undoubtedly be higher than current rates if underwriters evaluated companies as you're recommending.
REISEN1955, User Rank: Ninja, 8/21/2017 | 12:43:23 PM
Insurance?
If I was an underwriter evaluating a business for coverage, I would first want to closely examine in detail CURRENT backup plans and disaster continuity plans to ensure that basic, good protocols are being followed. I would want to know if the network is buttoned up tight - that the servers are secure and that other protocols, such as HIPAA, are being observed. I would want to see user education plans too. Only IF the house is locked, tight and solid would I ever CONSIDER writing a policy, and that would also be up for review every 3 months. Knowing standards as they are today, I would probably be writing very FEW policies.