No Single Answer: Balancing Cybersecurity Insurance and a Strong Security Program

Transcript

1. No Single Answer Balancing cybersecurity insurance and a strong security

   program Mark Stanislav
 Product Security Officer, Philips Nick Merker, CISSP, CIPT
 Partner, Ice Miller LLP

2. Insurance

3. Insurance

4. Insurance

5. Insurance

6. Basic “Cyber” or “Tech” Insurance

7. Basic “Cyber” or “Tech” Insurance

8. Basic “Cyber” or “Tech” Insurance

9. Basic “Cyber” or “Tech” Insurance

10. ▪Disconnect between the business and IT/Security ▪“Insurance? That’s up to

    finance & lawyers, we don’t know.” ▪“We have a policy, but no clue on our requirements for it…” ▪“It’s never come up until today. We could have it? Maybe?” ▪Out of a sampling of ten prior clients, 7 had a policy, but only 2 of those clients knew the answer when I asked it. ▪Of those 7, only 1 client had any clue about policy details… On the Ground

11. ▪P.F. Chang’s had 60k credit cards stolen in 2013 and

    received ~$1.7M for claims from their cyber policy, on a $134k/year premium. ▪An additional $2M was requested to cover fees and assessments, but was denied ▪The court ultimately sided with the insurer ▪Why? Because P.F. Chang’s was unaware of the appropriate scoping of the policy… P.F. Chang’s vs. Federal Insurance Company

12. ▪AFGlobal - $480k loss via a scam that targeted the

    accounting director, yielding a wire transfer ▪“the scam did not involve forgery of a financial instrument or a hacking event, and the instructions to wire the funds were issued by AFGlobal itself, rather than a third party posing as AFGlobal” ▪Medidata Solutions - $4.8m loss, also from a wire transfer that was executed by finance… ▪“is not covered because, among other things, there was no manipulation of Medidata’s computers and Medidata “voluntarily” transferred the funds.” Oh and Federal Insurance also went to court for… https://www.huntoninsurancerecoveryblog.com/2016/08/articles/cyber/insurers-continue-to-contend-cybercrime-losses-are-not-covered/

13. Covered?

14. Choosing the Right Specialty Data Breach Policy ▪ The types

    of data included in the coverage ▪ Forensic Investigation costs ▪ Whether coverage is provided for data in the hands of third parties ▪ Regulatory coverage ▪ Business interruption coverage ▪ Remediation coverages, including: ▪ Crisis Management ▪ Credit Monitoring ▪ Public Relations Expenses ▪ Limits and control ▪ Exclusions and retroactive dates

15. Choosing the Right Specialty Data Breach Policy ▪ The types

    of data included in the coverage ▪ Forensic Investigation costs ▪ Whether coverage is provided for data in the hands of third parties ▪ Regulatory coverage ▪ Business interruption coverage ▪ Remediation coverages, including: ▪ Crisis Management ▪ Credit Monitoring ▪ Public Relations Expenses ▪ Limits and control ▪ Exclusions and retroactive dates

16. Choosing the Right Specialty Data Breach Policy ▪ The types

    of data included in the coverage ▪ Forensic Investigation costs ▪ Whether coverage is provided for data in the hands of third parties ▪ Regulatory coverage ▪ Business interruption coverage ▪ Remediation coverages, including: ▪ Crisis Management ▪ Credit Monitoring ▪ Public Relations Expenses ▪ Limits and control ▪ Exclusions and retroactive dates

17. Basic “Cyber” or “Tech” Insurance

18. Basic “Cyber” or “Tech” Insurance

19. Basic “Cyber” or “Tech” Insurance THINK IN TERMS OF “LOSS”

    NOT “CAUSE”

20. Basic “Cyber” or “Tech” Insurance

21. Basic “Cyber” or “Tech” Insurance

22. Basic “Cyber” or “Tech” Insurance

23. Underwriting Process

24. A Security Program, Not a Prayer ▪Most people wouldn’t drive

    around recklessly because they have car insurance — they know it’s both dumb & unlikely to result in insurance covering their actions ▪Cyber insurance is a last-ditch safety net, not a plan ▪Human errors (ask Medidata & AFGlobal) are not likely to be covered under such a policy, even if computers happen to be involved in the process of a ‘theft’

25. Security Program Reality Check ▪Nobody follows their data classification —

    if it exists… ▪Networks are flat with no thought of security design ▪Passwords still suck & two factor is not used enough ▪Patching? Still slow, still incomplete, and often “too late” ▪EMET, SELinux, & GRSecurity? “Too hard, turn it off!” ▪Principle of Least Privilege are just words in a policy ▪Auditing? Oh, syslog was really noisy, so that stopped ▪Web Apps: We should really just give up on the web ;)

26. via Jeremiah Grossman, Black Hat 2016 https://www.blackhat.com/docs/us-16/materials/us-16-Grossman-An-Insiders-Guide-To-Cyber-Insurance-And-Security-Guarantees.pdf

27. $100,000 Premium? I’d rather spend it doing… ▪Write, maintain, and

    follow a data classification policy ▪Use the data classification to design & secure networks ▪Implement LAPS and leverage an SSO provider with 2FA ▪Segment users who aren’t patching high & critical issues ▪Use basic EMET, SELinux, and GRSecurity policies ▪Use granular GPOs to provide users privilege they need ▪Hire someone to connect, tune, and audit key log sources ▪Treat your entire web application infrastructure as hostile

28. Underwriting Problems

29. Underwriting Problems

30. Underwriting Problems

31. Underwriting Problems

32. Underwriting Problems

33. Takeaways ▪Information security stakeholders need to be directly involved in

    the cyber-risk insurance procurement process to provide valid guidance and context to security risks ▪Blending of insurance policies to cover what otherwise may be perceived as a single ‘risk’ is often the right path ▪Investment in a maturing security program can involve insurance policies, but should not only rely on them alone ▪Be sure information is accurate during the underwriting policy – don’t think you’re tricking anyone ☺

34. Thanks! Mark Stanislav
 Product Security Officer, Philips [email protected] Nick Merker,

    CISSP, CIPT
 Partner, Ice Miller LLP [email protected]