According to PwC’s Global State of Information Security Survey 2016, which polled more than 10,000 CEOs, CFOs, CIOs, CISOs, CSOs, VPs and directors of IT and security practices from 127 countries, six out of 10 respondents report that they purchased cybersecurity insurance in 2015, up from a little more than half one year earlier. That follows guidance from the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations that financial organizations consider cyber insurance as part of their cyber-risk management strategy.
Cybersecurity insurance is also portrayed by the media as an important element of corporate cybersecurity defense in order to minimize the losses caused by growing cybercrime that organizations cannot entirely prevent in advance.
Still, there are many complicated and not particularly obvious questions about the practical implementation of cybersecurity insurance. The first, and probably the biggest, is how long an insurer will cover the ongoing consequences of a security incident. Once a system is compromised, nobody can predict how long cybercriminals will keep exploiting what they took.
For example, look at the recent hack of the Ashley Madison dating website: the attackers still hold the entire database, and they will most likely keep exploiting it for the foreseeable future. They will quite probably reuse victims’ passwords to log in to their personal and corporate accounts, creating new financial and reputational losses.
Hackers may also run targeted spear-phishing campaigns to take control of victims’ machines or mobile phones. Once they have harvested as much sensitive data as they can, they will either resell it on the black market or blackmail the victims. This may happen months after the original breach, or even later. So the burning question is: will the insurer accept liability for damage arising from the continued exploitation of stolen data, such as ongoing customer attrition, brand depreciation, or future lawsuits?
If I were an insurer, I’d not take on the risk, because the process could last forever, until the totally depreciated database ends up on Pastebin, just for fun. Therefore, until insurance companies and their clients are able to clearly define who is responsible for the continued exploitation of stolen data, or for long-lasting attacks such as RansomWeb or hard-to-detect APTs, we won’t have a reliable cybersecurity insurance industry.
Finding the bad guy
The second major consideration is identifying the party responsible for a breach, which the insurer needs in order to compensate the insured customer. In today’s interconnected world, where the same data or piece of code may be handled and stored in dozens of datacenters worldwide, it is often almost impossible to determine who is responsible for a data breach. Likewise, controlling the information security of third-party suppliers has become a very difficult task for CISOs, and in some cases remains technically and practically impossible.
At High-Tech Bridge, where I am CEO, we recently had a case of a European financial institution that was mysteriously compromised: the logs remained intact and didn’t show any suspicious activity at all. Finally, we discovered that an [unencrypted] backup was outsourced to a third-party company where it was “securely” stored. After long negotiations, we managed to access and investigate their systems as well, but again in vain; there was not a single sign of an attack.
Eventually, we found that the backup provider had its own backups stored externally, and it was this fourth-party IT company that was hacked, with all the ensuing consequences. Who is liable for those risks? In theory, every company should select secure third-party providers, but in practice it is not possible to verify every point of failure even within the insured company, let alone at its third-party or fourth-party providers and consultants.
The third major consideration in cyber insurance is human weakness. It’s no secret that the biggest risk to any system is the human factor. In the case of intentional, well-prepared sabotage, it may be very difficult to trace and prove insider activity.
Moreover, smart (and evil) employees may stage a hacker attack on their own systems to cover their own criminal activities. Imagine a small group of two or three IT people at a bank who have privileged access to the core banking database. Because the bank has assigned them distinct access levels and unique identifiers, and runs proper system logging and correct privilege segregation, an insurer is unlikely to find it non-compliant with information security best practices. Yet those people can easily steal the data, wipe or tamper with the logs, sell the data to a competitor, and then post it on the Dark Web while imitating Russian/Chinese hackers or Anonymous hacktivists. Who will dare to accuse them when the investigation starts? It’s likely they will be part of the investigating team. Such a plan is a great opportunity to defraud an insurance company.
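The insider scenario above, as an added example that is not part of the original article: a hash-chained audit log in Python, where each entry commits to the one before it and the chain head is copied at write time to a store the database administrators cannot write to. The audit records, user names and the "anchor" are constructed for illustration. The point it demonstrates is the caveat a practitioner would want: an insider who can edit the log file can simply drop the incriminating entry and rebuild every later link, and the log then verifies perfectly on its own; only the copy of the head kept outside their reach reveals the rewrite.

```python
"""Tamper-evident audit log: a SHA-256 hash chain plus an off-host anchor.

Added example, not from the article. Records, names and the anchor
store are constructed for illustration.
"""
import hashlib
import json

GENESIS = "0" * 64

# Constructed sample: core-banking audit events as a privileged DBA would see them.
SAMPLE_RECORDS = [
    {"ts": "2016-03-04T09:12:01Z", "user": "dba1", "action": "login", "src": "10.0.5.17"},
    {"ts": "2016-03-04T09:14:37Z", "user": "dba1", "action": "select", "table": "customers"},
    {"ts": "2016-03-04T09:15:02Z", "user": "dba1", "action": "export", "table": "customers",
     "rows": 1250000, "dest": "/tmp/c.dmp"},
    {"ts": "2016-03-04T09:20:11Z", "user": "dba1", "action": "logout"},
]


def _link_hash(prev_hash, record):
    """Hash of this record bound to the previous link's hash."""
    payload = prev_hash.encode() + json.dumps(record, sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()


def build_chain(records):
    """Return [{'record': r, 'hash': h}, ...] where each h commits to all earlier entries."""
    chain, prev = [], GENESIS
    for record in records:
        h = _link_hash(prev, record)
        chain.append({"record": record, "hash": h})
        prev = h
    return chain


def verify_chain(chain, anchor=None):
    """Recompute every link.

    Returns (True, None) if intact, or (False, index) at the first broken link.
    ``anchor`` is the head hash previously copied to a store the log's
    administrators cannot write to; if given, the recomputed head must match it.
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        if _link_hash(prev, entry["record"]) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    if anchor is not None and prev != anchor:
        return False, len(chain)  # self-consistent, but not the chain that was anchored
    return True, None


def insider_rewrite(chain, drop_index):
    """What a privileged insider does: drop the incriminating entry and rebuild
    every later link so the file still verifies on its own."""
    kept = [e["record"] for i, e in enumerate(chain) if i != drop_index]
    return build_chain(kept)


if __name__ == "__main__":
    chain = build_chain(SAMPLE_RECORDS)
    anchor = chain[-1]["hash"]          # shipped off-host at write time
    print("original:", verify_chain(chain, anchor))
    crude = [dict(e) for e in chain]
    del crude[2]                        # naive deletion breaks the next link
    print("naive delete, no anchor:", verify_chain(crude))
    careful = insider_rewrite(chain, 2)
    print("rebuilt chain, no anchor:", verify_chain(careful))
    print("rebuilt chain, with anchor:", verify_chain(careful, anchor))
```

Running it shows the naively edited file failing at the deleted position, the carefully rebuilt file passing without an anchor, and the same rebuilt file failing once the off-host head is compared. The anchor only helps if the people who administer the database cannot also overwrite the anchor store, which is exactly the privilege segregation the scenario assumes exists on paper.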
I remember an investigation we performed for a bank. A malicious employee used his corporate notebook to send out some sensitive data, and to cover his tracks he managed to disable his AV protection and started browsing various pornographic websites. Obviously, he got infected pretty quickly, and when his notebook was confiscated for investigation after the weekend, he warned us that he had been hacked and that something was going on with his PC. In the end we managed to prove what really happened, but if the employee had been a technical expert, even our team would not have been much help in the investigation.
Last, but not least, is it even possible for insurers to verify in a reliable and holistic manner that their customers are taking every appropriate measure to mitigate the insured cyber risks? Using third-party assessors is one possible approach. For PCI DSS compliance, for instance, QSA companies can continuously verify, validate and assure a certain level of security. However, cyberattacks often go well beyond the scope of a PCI DSS audit. Are insurers ready to verify how well their clients are protected in a technically competent, continuous and holistic way?
The bottom line is that when it comes to cybersecurity insurance, there are many more questions than answers. And until the security industry has a clear understanding of these issues, it will be next to impossible to have a substantive discussion about its value.