Dark Reading is part of the Informa Tech Division of Informa PLC



12:00 PM
Ilia Kolochenko

Cybersecurity Insurance: 4 Practical Considerations

There can't be reliable cybersecurity insurance until companies can identify who is responsible for the continuous exploitation of stolen data, long-lasting attacks, and hard-to-detect APTs.

According to PwC's Global State of Information Security Survey 2016, which polled more than 10,000 CEOs, CFOs, CIOs, CISOs, CSOs, VPs and directors of IT and security practices from 127 countries, six out of 10 respondents reported purchasing cybersecurity insurance in 2015, up from a little more than half a year earlier. That follows guidance from the Securities and Exchange Commission's Office of Compliance Inspections and Examinations that financial organizations consider cyber insurance as part of their cyber-risk management strategy.

The media also portray cybersecurity insurance as an important element of corporate cyber defense: a way to limit the losses from growing cybercrime that organizations cannot entirely prevent in advance.

Still, the practical implementation of cybersecurity insurance raises many complicated and not particularly obvious questions. The first, and probably the biggest, is how long an insurer will cover the ongoing consequences of a security incident. Once a system is compromised, it is impossible to predict for how long cybercriminals will keep exploiting the breach.

For example, consider the recent hack of the Ashley Madison dating website: the hackers still have the entire database in their hands and will most likely keep exploiting it for the foreseeable future. They will quite probably try to reuse victims' passwords to log in to all of their personal and corporate resources and accounts, creating new financial and reputational losses.

They may also run highly targeted spear-phishing campaigns to take control of victims' machines or mobile phones. Once they have extracted as much sensitive data as possible, they will either resell it on the black market or blackmail the victims. This may happen months after the original breach, or even later. So the burning question is: will the insurer accept liability for damage caused by the continuing exploitation of stolen data, such as ongoing loss of customers, brand depreciation, or future lawsuits?

If I were an insurer, I would not take on that risk, because the process could last forever, until the fully depreciated database ends up on Pastebin just for fun. Therefore, until insurers and their clients can clearly define who is responsible for the continuing exploitation of stolen data, for long-lasting attacks such as RansomWeb, or for hard-to-detect APTs, we will not have a reliable cybersecurity insurance industry.

Finding the bad guy

The second major consideration is identifying the party responsible for a breach so that the insured customer can be compensated. In today's interconnected world, where the same data or piece of code may be handled and stored in dozens of datacenters worldwide, it is often almost impossible to determine who is responsible for a data breach. Similarly, controlling the information security of third-party suppliers has become a very difficult task for CISOs, and in some cases remains technically and practically impossible.

At High-Tech Bridge, where I am CEO, we recently handled the case of a European financial institution that was mysteriously compromised: the logs were intact and showed no suspicious activity at all. Eventually we discovered that an unencrypted backup had been outsourced to a third-party company, where it was "securely" stored. After long negotiations we were able to access and investigate their systems as well, but again in vain: there was not a single sign of an attack.

In the end we found that the backup provider kept its own backups with an external IT company, and it was this fourth party that had been hacked, with all the consequences that followed. Who is liable for those risks? In theory, every company should select secure third-party providers; in practice it is not possible to verify every point of failure even within the insured company, let alone any third- or fourth-party providers or consultants.

The third major consideration in cyber insurance is human weakness. It is no secret that the biggest risk to any system is the human factor. In the case of intentional, well-prepared sabotage, it can be very difficult to trace and prove insider activity.

Moreover, smart (and malicious) employees may try to simulate an external hacker attack to cover their own criminal activities. Imagine a small group of two or three IT staff at a bank who have privileged access to the core banking database. If the members of the group have distinct access levels and unique identifiers, and the bank has proper system logging and correct privilege segregation, an insurer is unlikely to consider it non-compliant with information security best practices. Yet those insiders can easily steal the data, clean or tamper with the logs, sell the data to a competitor, and then post it on the Dark Web while imitating the activities of Russian or Chinese hackers or Anonymous hacktivists. Who will dare to accuse them when the investigation starts? Worse, they will probably be part of the investigating team. Such a plan offers a great opportunity to defraud an insurer.
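The insider scenario above, in which the people with privileged database access are also the people who can clean the logs, is why audit logs should be tamper-evident and their latest hash anchored somewhere the administrators cannot write. The Python below is an added illustration written for this page, not code from the article or from High-Tech Bridge; the collector key, the sample records and the write-once anchor are constructed assumptions. It chains each entry to the previous one with an HMAC, then shows that an edited entry and a truncated tail are both detected.

```python
"""Tamper-evident audit log (added example, not from the article).

Each entry carries an HMAC over the previous entry's hash and its own record,
so editing, deleting or reordering any entry breaks the chain from that point
on. The hash of the latest entry (the "head") is assumed to be copied to
write-once storage outside the database administrators' reach; that copy is
what catches an insider who simply truncates the tail of the log.
"""
import copy
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Assumption: a secret held by the log collector, not by the DBAs whose actions
# are being recorded; without it an insider could rebuild a consistent chain.
COLLECTOR_KEY = b"collector-secret-for-demo-only"
GENESIS = "0" * 64


def _digest(prev_hash: str, record: dict) -> str:
    """HMAC-SHA256 over previous hash || canonical JSON of the record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(COLLECTOR_KEY, prev_hash.encode() + payload, hashlib.sha256).hexdigest()


def append(chain: list, record: dict) -> list:
    """Append a record, linking it to the current last entry."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"record": record, "prev": prev, "hash": _digest(prev, record)})
    return chain


def verify(chain: list, anchored_head: str) -> Tuple[bool, Optional[int]]:
    """Walk the chain; return (ok, index of first bad entry or None).

    A chain whose entries are all internally consistent but whose last hash
    differs from the externally anchored head has been truncated; that is
    reported as a failure at index len(chain).
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["hash"] != _digest(prev, entry["record"]):
            return False, i
        prev = entry["hash"]
    if prev != anchored_head:
        return False, len(chain)
    return True, None


# Constructed sample: three privileged-user actions against the core database.
SAMPLE_EVENTS = [
    {"ts": "2015-10-09T08:01:12Z", "user": "dba1", "action": "SELECT customers", "rows": 12},
    {"ts": "2015-10-09T22:47:03Z", "user": "dba2", "action": "EXPORT customers", "rows": 2000000},
    {"ts": "2015-10-09T22:49:40Z", "user": "dba2", "action": "DELETE FROM audit_log", "rows": 1},
]


def build_chain(events: list) -> list:
    chain: list = []
    for ev in events:
        append(chain, ev)
    return chain


def demo_tamper() -> dict:
    """Show an intact log, an edited entry, and a truncated tail."""
    chain = build_chain(SAMPLE_EVENTS)
    head = chain[-1]["hash"]  # copied to write-once storage when it was written
    # Insider rewrites the bulk export so it looks like a routine query.
    edited = copy.deepcopy(chain)
    edited[1]["record"]["rows"] = 12
    # Insider drops the entry that records the log cleanup.
    truncated = copy.deepcopy(chain[:2])
    return {
        "intact": verify(chain, head),
        "edited": verify(edited, head),
        "truncated": verify(truncated, head),
    }


if __name__ == "__main__":
    for name, (ok, bad_index) in demo_tamper().items():
        print(f"{name:10s} ok={ok} first_bad_index={bad_index}")
```

The scheme only helps if both the collector key and the anchored head are out of the insiders' reach: forwarding the log to a collector they do not administer and pushing the head to write-once storage is the practical form of that assumption. Without the anchor, a truncated log verifies cleanly, which is exactly the "clean the logs" case described above.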

I remember an investigation we performed for a bank. A malicious employee used his corporate notebook to send out some sensitive data, and to cover his tracks he disabled his antivirus protection and started surfing various pornographic websites. Naturally he got infected pretty quickly, and when his notebook was confiscated for investigation after the weekend, he warned us that he had been hacked and that something was going on with his PC. In the end we managed to prove what really happened, but had the employee been a technical expert, even our team would not have been able to help in the investigation.

Last but not least: is it even possible for insurers to verify, reliably and holistically, that their customers are taking every appropriate measure to mitigate the insured cyber risks? Using third-party assessors is one possible approach. For PCI DSS compliance, for instance, QSA companies can continuously verify, validate and attest to a certain level of security. However, cyberattacks often go well beyond the scope of a PCI DSS audit. Are insurers ready to verify how well their clients are protected in a technically competent, continuous and holistic way?

The bottom line is that when it comes to cybersecurity insurance, there are many more questions than answers. Until the security industry has a clear understanding of these issues, it will be next to impossible to have a substantive discussion about its value.

Ilia Kolochenko is a Swiss application security expert and entrepreneur. He started his career as a penetration tester and has 15 years of experience in security auditing and digital forensics. After serving in Swiss artillery troops in 2007, Ilia founded his first pentesting ...

Comments (newest first)
10/16/2015 | 9:00:41 PM
Re: Weak Cyber Insurance Foundations

Insurers are commercial enterprises too. They won't or can't provide coverage without a reasonable understanding of the risk involved. There is unfortunately no incentive for the people suffering the losses to actually quantify and publish the losses incurred. It is going to be a long time before this field matures enough for the actuaries to reasonably cover all potential scenarios and still have buyers ready to pay the premium for the coverage. Cyber has to almost become a utility that is uniform for all (like electricity) before that happens.
10/16/2015 | 3:06:13 AM
The right Cyber Crime Insurance can literally save your business

No doubt cyber crime reveals many unresolved problematic issues; even for the most secure bodies it is a challenge. This is why cyber insurance CAN save your business, if only you are wise enough to purchase it via professionals. I can advise that, insurance-wise, the attacked entity does not need to prove the cause of the loss (to data etc.) nor the identity of the attackers. Moreover, referring to the Ashley Madison case, it doesn't matter that the attackers still hold the data and can use it as they wish; there is a solution called "identity theft cover" that offers policies to the third parties. In addition, the right insurance obviously funds the insured's regulatory expenses, which can reach hundreds of millions of dollars, as well as legal expenses and other experts to recover your system and restore the lost data. This is it in a nutshell. Of course, since all of cyber crime is relatively new, the insurance market always keeps growing and developing in order to extend and fit the existing offered covers to the risk your business is facing.
10/13/2015 | 10:20:50 AM
Weak Cyber Insurance Foundations

Cyber Insurance is stalled because of a lack of actuarial data. This stems from the unwillingness of industry to participate in incident data and information sharing, made impossible by Congress's unwillingness to provide indemnification for participants.

Beyond that, the uncertainties associated with a useful and credible Cyber Insurance market are wide-ranging and depend on Cyber Security theory and foundations, reduction of theory to practice, the collection and use of empirical practice data, the validation of actual practices against the theory based on empirical data, information sharing, realistic premium setting, informed and trustworthy coverage, and straightforward dollar-convertible Cyber consequences. These uncertainties have not yet been reduced to calculated risks.