Upgrade to Pro — share decks privately, control downloads, hide ads and more …

No Single Answer: Balancing Cybersecurity Insurance and a Strong Security Program

No Single Answer: Balancing Cybersecurity Insurance and a Strong Security Program

Information security has now moved beyond compliance and IT due diligence and into the direct concern of top corporate executives and their legal teams. Boards of directors, CEOs, and others are more in tune with the gaps in their organizations’ information security programs than ever before and are looking for ways to mitigate the risk these gaps create.

Insurers have come to the table with a new product to try to fill the market need: cybersecurity insurance. These policies are drafted to cover losses associated with cybersecurity incidents, including forensic costs and legal fees.

While cybersecurity insurance sounds great at a high level, are businesses truly aware of whether or not they provide actual benefit? Do organizations understand how cybersecurity insurance plays with—or doesn’t—contractual obligations pushed down from their customers? Should businesses be focusing more on proactive security safeguards to avoid an incident and less on reactive solutions designed to save cost?

Mark Stanislav and Nick Merker merge the worlds of information security and law to give a direct analysis of what businesses are getting right and wrong when it comes to security programs and how they can be more prepared to succeed—with or without insurance policies on hand. Mark offers his perspective on often overlooked or underutilized defensive techniques that can provide true security value for less than a cybersecurity insurance deductible, gained from helping build security programs for organizations, and explores how his customers deal with the subject of cybersecurity insurance. Nick then speaks to the legal technicalities of cybersecurity insurance, sharing what businesses should know, the pros and cons of these types of policies, and some public stories of coverage success and failures.

Come join Mark and Nick as they dive into the nascent world of cybersecurity insurance, relating stories of success and failure and providing guidance to strengthen organizations, with the goal of making insurance policies your last line of defense.

Mark Stanislav

November 02, 2016
Tweet

More Decks by Mark Stanislav

Other Decks in Technology

Transcript

  1. No Single Answer Balancing cybersecurity insurance and a strong security

    program Mark Stanislav
 Product Security Officer, Philips Nick Merker, CISSP, CIPT
 Partner, Ice Miller LLP
  2. ▪Disconnect between the business and IT/Security ▪“Insurance? That’s up to

    finance & lawyers, we don’t know.” ▪“We have a policy, but no clue on our requirements for it…” ▪“It’s never come up until today. We could have it? Maybe?” ▪Out of a sampling of ten prior clients, 7 had a policy, but only 2 of those clients knew the answer when I asked it. ▪Of those 7, only 1 client had any clue about policy details… On the Ground
  3. ▪P.F. Chang’s had 60k credit cards stolen in 2013 and

    received ~$1.7M for claims from their cyber policy, on a $134k/year premium. ▪An additional $2M was requested to cover fees and assessments, but was denied ▪The court ultimately sided with the insurer ▪Why? Because P.F. Chang’s was unaware of the appropriate scoping of the policy… P.F. Chang’s vs. Federal Insurance Company
  4. ▪AFGlobal - $480k loss via a scam that targeted the

    accounting director, yielding a wire transfer ▪“the scam did not involve forgery of a financial instrument or a hacking event, and the instructions to wire the funds were issued by AFGlobal itself, rather than a third party posing as AFGlobal” ▪Medidata Solutions - $4.8m loss, also from a wire transfer that was executed by finance… ▪“is not covered because, among other things, there was no manipulation of Medidata’s computers and Medidata “voluntarily” transferred the funds.” Oh and Federal Insurance also went to court for… https://www.huntoninsurancerecoveryblog.com/2016/08/articles/cyber/insurers-continue-to-contend-cybercrime-losses-are-not-covered/
  5. Choosing the Right Specialty Data Breach Policy ▪ The types

    of data included in the coverage ▪ Forensic Investigation costs ▪ Whether coverage is provided for data in the hands of third parties ▪ Regulatory coverage ▪ Business interruption coverage ▪ Remediation coverages, including: ▪ Crisis Management ▪ Credit Monitoring ▪ Public Relations Expenses ▪ Limits and control ▪ Exclusions and retroactive dates
  6. Choosing the Right Specialty Data Breach Policy ▪ The types

    of data included in the coverage ▪ Forensic Investigation costs ▪ Whether coverage is provided for data in the hands of third parties ▪ Regulatory coverage ▪ Business interruption coverage ▪ Remediation coverages, including: ▪ Crisis Management ▪ Credit Monitoring ▪ Public Relations Expenses ▪ Limits and control ▪ Exclusions and retroactive dates
  7. Choosing the Right Specialty Data Breach Policy ▪ The types

    of data included in the coverage ▪ Forensic Investigation costs ▪ Whether coverage is provided for data in the hands of third parties ▪ Regulatory coverage ▪ Business interruption coverage ▪ Remediation coverages, including: ▪ Crisis Management ▪ Credit Monitoring ▪ Public Relations Expenses ▪ Limits and control ▪ Exclusions and retroactive dates
  8. A Security Program, Not a Prayer ▪Most people wouldn’t drive

    around recklessly because they have car insurance — they know it’s both dumb & unlikely to result in insurance covering their actions ▪Cyber insurance is a last-ditch safety net, not a plan ▪Human errors (ask Medidata & AFGlobal) are not likely to be covered under such a policy, even if computers happen to be involved in the process of a ‘theft’
  9. Security Program Reality Check ▪Nobody follows their data classification —

    if it exists… ▪Networks are flat with no thought of security design ▪Passwords still suck & two factor is not used enough ▪Patching? Still slow, still incomplete, and often “too late” ▪EMET, SELinux, & GRSecurity? “Too hard, turn it off!” ▪Principle of Least Privilege are just words in a policy ▪Auditing? Oh, syslog was really noisy, so that stopped ▪Web Apps: We should really just give up on the web ;)
  10. $100,000 Premium? I’d rather spend it doing… ▪Write, maintain, and

    follow a data classification policy ▪Use the data classification to design & secure networks ▪Implement LAPS and leverage an SSO provider with 2FA ▪Segment users who aren’t patching high & critical issues ▪Use basic EMET, SELinux, and GRSecurity policies ▪Use granular GPOs to provide users privilege they need ▪Hire someone to connect, tune, and audit key log sources ▪Treat your entire web application infrastructure as hostile
  11. Takeaways ▪Information security stakeholders need to be directly involved in

    the cyber-risk insurance procurement process to provide valid guidance and context to security risks ▪Blending of insurance policies to cover what otherwise may be perceived as a single ‘risk’ is often the right path ▪Investment in a maturing security program can involve insurance policies, but should not only rely on them alone ▪Be sure information is accurate during the underwriting policy – don’t think you’re tricking anyone ☺