No Single Answer: Balancing Cybersecurity Insurance and a Strong Security Program

Mark Stanislav, Product Security Officer, Philips
Nick Merker, CISSP, CIPT, Partner, Ice Miller LLP
Insurance
Basic “Cyber” or “Tech” Insurance
On the Ground

Disconnect between the business and IT/Security:
“Insurance? That’s up to finance & lawyers, we don’t know.”
“We have a policy, but no clue on our requirements for it…”
“It’s never come up until today. We could have it? Maybe?”

Out of a sampling of ten prior clients, 7 had a policy, but only 2 of those clients knew the answer when I asked it. Of those 7, only 1 client had any clue about policy details…
P.F. Chang’s vs. Federal Insurance Company

P.F. Chang’s had 60k credit cards stolen in 2013 and received ~$1.7M for claims from their cyber policy, on a $134k/year premium. An additional ~$2M was requested to cover the card-brand fees and PCI assessments passed through by their payment processor, but was denied.
The court ultimately sided with the insurer.
Why? Because P.F. Chang’s was unaware of the appropriate scoping of the policy…
Oh, and Federal Insurance also went to court for…

AFGlobal - $480k loss via a scam that targeted the accounting director, yielding a wire transfer: “the scam did not involve forgery of a financial instrument or a hacking event, and the instructions to wire the funds were issued by AFGlobal itself, rather than a third party posing as AFGlobal”
Medidata Solutions - $4.8m loss, also from a wire transfer that was executed by finance: “is not covered because, among other things, there was no manipulation of Medidata’s computers and Medidata ‘voluntarily’ transferred the funds.”
Source: https://www.huntoninsurancerecoveryblog.com/2016/08/articles/cyber/insurers-continue-to-contend-cybercrime-losses-are-not-covered/

Covered?
Choosing the Right Specialty Data Breach Policy

- The types of data included in the coverage
- Forensic investigation costs
- Whether coverage is provided for data in the hands of third parties
- Regulatory coverage
- Business interruption coverage
- Remediation coverages, including:
  - Crisis management
  - Credit monitoring
  - Public relations expenses
- Limits and control
- Exclusions and retroactive dates
Basic “Cyber” or “Tech” Insurance

THINK IN TERMS OF “LOSS” NOT “CAUSE”

Underwriting Process
A Security Program, Not a Prayer

Most people wouldn’t drive around recklessly because they have car insurance — they know it’s both dumb & unlikely to result in insurance covering their actions.
Cyber insurance is a last-ditch safety net, not a plan.
Human errors (ask Medidata & AFGlobal) are not likely to be covered under such a policy, even if computers happen to be involved in the process of a ‘theft’.
Security Program Reality Check

- Nobody follows their data classification — if it exists…
- Networks are flat with no thought of security design
- Passwords still suck & two-factor is not used enough
- Patching? Still slow, still incomplete, and often “too late”
- EMET, SELinux, & grsecurity? “Too hard, turn it off!”
- Principle of Least Privilege is just words in a policy
- Auditing? Oh, syslog was really noisy, so that stopped
- Web apps: We should really just give up on the web ;)

via Jeremiah Grossman, Black Hat 2016: https://www.blackhat.com/docs/us-16/materials/us-16-Grossman-An-Insiders-Guide-To-Cyber-Insurance-And-Security-Guarantees.pdf
$100,000 Premium? I’d rather spend it doing…

- Write, maintain, and follow a data classification policy
- Use the data classification to design & secure networks
- Implement LAPS and leverage an SSO provider with 2FA
- Segment users who aren’t patching high & critical issues
- Use basic EMET, SELinux, and grsecurity policies
- Use granular GPOs to provide users the privilege they need
- Hire someone to connect, tune, and audit key log sources
- Treat your entire web application infrastructure as hostile
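As an added example for the “connect, tune, and audit key log sources” item (this is not code from the slides or from either speaker), the script below audits syslog sources the way that item asks for and catches the “syslog was noisy, so it stopped” failure from the Reality Check slide: it reports inventoried hosts that never reported, hosts that went quiet, and how much of the volume each host produces so the noisy talker can be tuned instead of switched off. The log lines are constructed sample data, and the host inventory, the two-hour silence threshold and the year used to complete RFC 3164 timestamps are assumptions for illustration.

```python
"""Audit syslog sources for silence and noise.

Added example, not code from the original slides. The log lines are
constructed sample data; EXPECTED_SOURCES, the silence threshold and
SYSLOG_YEAR are assumptions for illustration.
"""
from __future__ import annotations

import re
from collections import Counter
from datetime import datetime, timedelta

# RFC 3164-style line: "<PRI>Mon DD HH:MM:SS host tag[: ]message"
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+):? ?(?P<msg>.*)$"
)

# Constructed sample: dc01 reports steadily, fw01 is the noisy talker,
# vpn01 stops reporting after 08:05, and web01 never reports at all.
SAMPLE_LOGS = """\
<38>Oct 10 08:00:01 dc01 sshd[1200]: Accepted publickey for svc-backup from 10.0.5.20 port 51514
<134>Oct 10 08:00:02 fw01 kernel: DENY in=eth0 src=203.0.113.9 dst=10.0.0.4 dpt=445
<134>Oct 10 08:00:02 fw01 kernel: DENY in=eth0 src=203.0.113.9 dst=10.0.0.4 dpt=139
<134>Oct 10 08:00:03 fw01 kernel: DENY in=eth0 src=203.0.113.9 dst=10.0.0.4 dpt=135
<38>Oct 10 08:05:00 vpn01 openvpn[880]: user alice authenticated
<38>Oct 10 09:30:00 dc01 sshd[1201]: Failed password for root from 198.51.100.7 port 40022
<134>Oct 10 09:30:01 fw01 kernel: DENY in=eth0 src=198.51.100.7 dst=10.0.0.4 dpt=22
<38>Oct 10 11:45:10 dc01 sshd[1202]: Accepted publickey for svc-backup from 10.0.5.20 port 51520
<134>Oct 10 11:45:11 fw01 kernel: DENY in=eth0 src=203.0.113.9 dst=10.0.0.4 dpt=3389
"""

EXPECTED_SOURCES = {"dc01", "fw01", "vpn01", "web01"}  # assumed asset inventory
SYSLOG_YEAR = 2016  # RFC 3164 timestamps carry no year; assumed for parsing


def parse_line(line: str, year: int = SYSLOG_YEAR) -> dict | None:
    """Parse one syslog line; return None for anything that is not a syslog event."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    return {
        "ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
        "host": m["host"],
        "tag": m["tag"],
        "facility": pri // 8,  # PRI = facility * 8 + severity (RFC 3164, 4.1.1)
        "severity": pri % 8,
        "msg": m["msg"],
    }


def audit_sources(lines, expected=EXPECTED_SOURCES, silence=timedelta(hours=2)) -> dict:
    """Report expected hosts that never logged, hosts that went silent, and per-host volume.

    "now" is the newest event seen rather than the wall clock, so the audit
    gives the same answer when replayed over an archived file.
    """
    events = [e for e in map(parse_line, lines) if e is not None]
    last_seen: dict[str, datetime] = {}
    volume: Counter[str] = Counter()
    for e in events:
        host = e["host"]
        last_seen[host] = max(last_seen.get(host, e["ts"]), e["ts"])
        volume[host] += 1
    now = max(last_seen.values(), default=None)
    total = sum(volume.values())
    return {
        "now": now,
        "missing": sorted(h for h in expected if h not in last_seen),
        "silent": sorted(h for h, t in last_seen.items() if now - t > silence),
        "unexpected": sorted(h for h in last_seen if h not in expected),
        "volume": dict(volume),
        "noise_share": {h: n / total for h, n in volume.items()} if total else {},
    }


if __name__ == "__main__":
    report = audit_sources(SAMPLE_LOGS.splitlines())
    print("newest event:", report["now"])
    print("never reported:", report["missing"])
    print("went silent:", report["silent"])
    print("not in inventory:", report["unexpected"])
    for host, share in sorted(report["noise_share"].items(), key=lambda kv: -kv[1]):
        print(f"{host}: {report['volume'][host]} events ({share:.0%} of volume)")
```

Run against a real syslog archive, the two lists you act on are “missing” (a source that was never connected) and “silent” (a source someone turned off because it was noisy); the per-host share tells you which source to filter at the collector rather than disable.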
Underwriting Problems
Takeaways

- Information security stakeholders need to be directly involved in the cyber-risk insurance procurement process to provide valid guidance and context on security risks
- Blending insurance policies to cover what otherwise may be perceived as a single ‘risk’ is often the right path
- Investment in a maturing security program can involve insurance policies, but should not rely on them alone
- Be sure the information you provide during the underwriting process is accurate – don’t think you’re tricking anyone
Thanks!

Mark Stanislav, Product Security Officer, Philips
Nick Merker, CISSP, CIPT, Partner, Ice Miller LLP