Ilia Kolochenko

Cybersecurity Insurance: 4 Practical Considerations

There can't be reliable cybersecurity insurance until companies can identify who is responsible for the continuous exploitation of stolen data, long-lasting attacks, and hard-to-detect APTs.

According to PwC’s Global State of Information Security Survey 2016 of more than 10,000 CEOs, CFOs, CIOs, CISOs, CSOs, VPs and directors of IT and security practices from 127 countries, six out of 10 respondents report that they purchased cybersecurity insurance in 2015, up from a little more than half one year earlier. That’s on the heels of Securities and Exchange Commission guidance from the Office of Compliance Inspections and Examinations that financial organizations consider cyber insurance as a part of their cyber-risk management strategy.

Cybersecurity insurance is also portrayed by the media as an important element of corporate cybersecurity defense, a way to minimize the losses caused by growing cybercrime that organizations cannot entirely prevent in advance.

Still, there are many complicated and not particularly obvious questions about the practical implementation of cybersecurity insurance. The first, and probably the biggest, question is how long an insurance company will cover the ongoing consequences of a security incident. Once a system is compromised, it’s impossible to predict the duration of a breach’s exploitation by cybercriminals.

For example, let’s look at the recent hack of the Ashley Madison dating website: hackers still have the entire database in their hands, and they will most likely continue exploiting it in the near future. Hackers will quite probably try to reuse victims’ passwords and log in to all their personal and corporate resources and accounts, creating new financial and reputational losses.

Hackers may also conduct highly sophisticated spear-phishing campaigns to get control over the victims’ machines or mobile phones. Once they have collected as much sensitive data as possible, they will either resell it on the black market or blackmail the victims. This may happen months after the original breach or even later. So the burning question is: will the insurance provider accept liability to pay for the damage related to continuous exploitation of stolen data, such as continuous loss of customers, brand depreciation, or future lawsuits?

If I were an insurer, I’d not take on the risk, because the process could last forever, until the totally depreciated database ends up on Pastebin, just for fun. Therefore, until insurance companies and their clients are able to clearly define who should be responsible for continuous exploitation of stolen data, for long-lasting attacks such as RansomWeb, or for hard-to-detect APTs, we won’t have a reliable cybersecurity insurance industry.

Finding the bad guy

The second major consideration is finding the guilty party for a breach in order to compensate the insured customer. In today’s interconnected world, when the same data or piece of code may be handled and stored in dozens of different datacenters worldwide, it quite often becomes almost impossible to determine who is responsible for the data breach. Similarly, controlling the information security of third-party suppliers is becoming a very difficult task for CISOs these days, and in some cases remains technically and practically impossible.

At High-Tech Bridge, where I am CEO, we recently had a case of a European financial institution that was mysteriously compromised: the logs remained intact and didn’t show any suspicious activity at all. Finally, we discovered that an unencrypted backup was outsourced to a third-party company where it was “securely” stored. After long negotiations, we managed to access and investigate their systems as well, but again in vain; there was not a single sign of the attack.

Eventually, we found that the backup provider had its own backups stored externally, and it was this fourth-party IT company that was hacked, with all the subsequent consequences. Who is liable for those risks? Theoretically speaking, all companies should select secure third-party providers, but in practice it won’t be possible to verify every point of failure even within the insured company, not to mention any third-party or fourth-party providers or consultants.

The third major consideration in cyber insurance is human weakness. It’s no secret that the biggest risk to any system is the human factor. In the case of intentional and well-prepared sabotage, it may be very difficult to trace and prove insider activities.

Moreover, smart (and evil) employees may try to simulate a hacker attack on systems to cover their own criminal activities. Imagine a small group of two to three IT people from a bank who have privileged access to the core banking database. Because members of the group possess different access levels, unique identifiers, proper system logging and correct privilege segregation, it’s unlikely that an insurance company will consider them non-compliant with information security best practices. Yet they can easily steal the data, clean or tamper with the logs, sell the data to a competitor, and then post it on the Dark Web simulating the activities of Russian/Chinese hackers or Anonymous hacktivists. Who will dare to accuse them when starting the investigation? Moreover, it’s likely that they will be part of the investigating team. Such plans offer a great opportunity to defraud an insurance company.

I remember an investigation case we performed for a bank. A malicious employee used his corporate notebook to send out some sensitive data, and in order to clear his traces he managed to disable his AV protection and started surfing various pornographic websites. Obviously he got infected pretty quickly, and when his notebook was confiscated for investigation after the weekend, he warned us that he had been hacked and that something was going on with his PC. In the end, we managed to prove what really happened, but had the employee been a technical expert, even our team would not have been much help in the investigation process.

Last, but not least: is it even possible for insurance companies to verify in a reliable and holistic manner that their customers are taking every appropriate measure to mitigate the insured cyber risks? The use of third-party assessors is one possible approach. For instance, for PCI DSS compliance, QSA companies can continuously verify, validate, and assure a certain level of security. However, cyberattacks often go way beyond the scope of a PCI DSS audit. Are insurance companies ready to verify how well their clients are protected in a technically competent, continuous and holistic way?

The bottom line is that when it comes to cybersecurity insurance, there are many more questions than answers. And until the security industry has a clear understanding of these issues, it will be next to impossible to have a substantive discussion about its value.

Ilia Kolochenko is a Swiss application security expert and entrepreneur. Starting his career as a penetration tester, Ilia founded High-Tech Bridge to incarnate his application security ideas. Ilia invented the concept of hybrid security assessment for Web applications that ...

10/16/2015 | 9:00:41 PM
Re: Weak Cyber Insurance Foundations
Insurers are commercial enterprises too. They won't or can't provide coverage without reasonable understanding of the risk involved. There is unfortunately no incentive for the people suffering from the losses to actually quantify and publish the losses incurred. It is going to be a long time before this field matures enough for the actuaries to reasonably cover all possible potential scenarios and still have buyers ready to pay the premium for the coverage. Cyber has to almost become a utility that is uniform for all (like electricity) before that happens. 
10/16/2015 | 3:06:13 AM
The right Cyber Crime Insurance can literally save your business
No doubt that cyber crime reveals many unresolved problematic issues; even for the most secure bodies it is a challenge. This is why cyber insurance CAN save your business, if only you are wise enough to purchase it via professionals. I can advise that, insurance-wise, the attacked entity does not need to prove the cause of the loss (to data etc.) nor the identity of the attackers. Moreover, referring to the Ashley Madison case, it doesn't matter that the attackers still hold the data and can use it as they wish; there is a solution called "identity theft cover" that offers policies to the third parties. In addition, the right insurance obviously funds the insured's regulatory expenses, which can reach hundreds of millions of dollars, as well as legal expenses and other experts to recover your system & restore the lost data. This is in a nutshell. Of course, since all of the cyber crime is relatively new, the insurance market always keeps growing and developing in order to extend and fit the existing offered covers to the risks your business is facing.
10/13/2015 | 10:20:50 AM
Weak Cyber Insurance Foundations

Cyber Insurance is stalled because of a lack of actuarial data. This stems from the unwillingness of industry to participate in incident data and information sharing made impossible by Congress's unwillingness to provide indemnification for participants. 

Beyond that, the uncertainties associated with a useful and credible Cyber Insurance market are wide ranging and depend on Cyber Security theory and foundations, reduction of theory to practice, the collection and use of empirical practice data, the validation of actual practices against the theory based on empirical data, information sharing, realistic premium setting, informed and trustworthy coverage, and straightforward dollar convertible Cyber consequences. These uncertainties have not yet been reduced to calculated risks.