Slide 1

No Single Answer: Balancing cybersecurity insurance and a strong security program
Mark Stanislav, Product Security Officer, Philips
Nick Merker, CISSP, CIPT, Partner, Ice Miller LLP

Slide 2

Insurance

Slide 6

Basic “Cyber” or “Tech” Insurance

Slide 10

On the Ground
▪ Disconnect between the business and IT/Security
▪ “Insurance? That’s up to finance & lawyers, we don’t know.”
▪ “We have a policy, but no clue on our requirements for it…”
▪ “It’s never come up until today. We could have it? Maybe?”
▪ Out of a sampling of ten prior clients, 7 had a policy, but only 2 of those clients knew the answer when I asked it.
▪ Of those 7, only 1 client had any clue about policy details…

Slide 11

P.F. Chang’s vs. Federal Insurance Company
▪ P.F. Chang’s had 60k credit cards stolen in 2013 and received ~$1.7M for claims from their cyber policy, on a $134k/year premium.
▪ An additional $2M was requested to cover fees and assessments, but was denied
▪ The court ultimately sided with the insurer
▪ Why? Because P.F. Chang’s was unaware of the appropriate scoping of the policy…

Slide 12

Oh and Federal Insurance also went to court for…
▪ AFGlobal - $480k loss via a scam that targeted the accounting director, yielding a wire transfer
▪ “the scam did not involve forgery of a financial instrument or a hacking event, and the instructions to wire the funds were issued by AFGlobal itself, rather than a third party posing as AFGlobal”
▪ Medidata Solutions - $4.8m loss, also from a wire transfer that was executed by finance…
▪ “is not covered because, among other things, there was no manipulation of Medidata’s computers and Medidata “voluntarily” transferred the funds.”
https://www.huntoninsurancerecoveryblog.com/2016/08/articles/cyber/insurers-continue-to-contend-cybercrime-losses-are-not-covered/

Slide 13

Covered?

Slide 14

Choosing the Right Specialty Data Breach Policy
▪ The types of data included in the coverage
▪ Forensic Investigation costs
▪ Whether coverage is provided for data in the hands of third parties
▪ Regulatory coverage
▪ Business interruption coverage
▪ Remediation coverages, including:
  ▪ Crisis Management
  ▪ Credit Monitoring
  ▪ Public Relations Expenses
▪ Limits and control
▪ Exclusions and retroactive dates

Slide 19

Basic “Cyber” or “Tech” Insurance
THINK IN TERMS OF “LOSS” NOT “CAUSE”

Slide 23

Underwriting Process

Slide 24

A Security Program, Not a Prayer
▪ Most people wouldn’t drive around recklessly because they have car insurance — they know it’s both dumb & unlikely to result in insurance covering their actions
▪ Cyber insurance is a last-ditch safety net, not a plan
▪ Human errors (ask Medidata & AFGlobal) are not likely to be covered under such a policy, even if computers happen to be involved in the process of a ‘theft’

Slide 25

Security Program Reality Check
▪ Nobody follows their data classification — if it exists…
▪ Networks are flat with no thought of security design
▪ Passwords still suck & two factor is not used enough
▪ Patching? Still slow, still incomplete, and often “too late”
▪ EMET, SELinux, & GRSecurity? “Too hard, turn it off!”
▪ Principle of Least Privilege are just words in a policy
▪ Auditing? Oh, syslog was really noisy, so that stopped
▪ Web Apps: We should really just give up on the web ;)

Slide 26

via Jeremiah Grossman, Black Hat 2016
https://www.blackhat.com/docs/us-16/materials/us-16-Grossman-An-Insiders-Guide-To-Cyber-Insurance-And-Security-Guarantees.pdf

Slide 27

$100,000 Premium? I’d rather spend it doing…
▪ Write, maintain, and follow a data classification policy
▪ Use the data classification to design & secure networks
▪ Implement LAPS and leverage an SSO provider with 2FA
▪ Segment users who aren’t patching high & critical issues
▪ Use basic EMET, SELinux, and GRSecurity policies
▪ Use granular GPOs to provide users privilege they need
▪ Hire someone to connect, tune, and audit key log sources
▪ Treat your entire web application infrastructure as hostile

Slide 28

Underwriting Problems

Slide 33

Takeaways
▪ Information security stakeholders need to be directly involved in the cyber-risk insurance procurement process to provide valid guidance and context to security risks
▪ Blending of insurance policies to cover what otherwise may be perceived as a single ‘risk’ is often the right path
▪ Investment in a maturing security program can involve insurance policies, but should not rely on them alone
▪ Be sure information is accurate during the underwriting process – don’t think you’re tricking anyone ☺

Slide 34

Thanks!
Mark Stanislav, Product Security Officer, Philips, [email protected]
Nick Merker, CISSP, CIPT, Partner, Ice Miller LLP, [email protected]