No Single Answer: Balancing Cybersecurity Insurance and a Strong Security Program

Mark Stanislav, Product Security Officer, Philips; Nick Merker, CISSP, CIPT, Partner, Ice Miller LLP

Upload: mark-stanislav

Posted on 13-Apr-2017


TRANSCRIPT

Page 1: No Single Answer: Balancing Cybersecurity Insurance and a Strong Security Program

No Single Answer: Balancing cybersecurity insurance and a strong security program

Mark Stanislav, Product Security Officer, Philips

Nick Merker, CISSP, CIPT, Partner, Ice Miller LLP

Pages 2–5: Insurance

Pages 6–9: Basic “Cyber” or “Tech” Insurance

Page 10: On the Ground

Disconnect between the business and IT/Security:

- “Insurance? That’s up to finance & lawyers, we don’t know.”
- “We have a policy, but no clue on our requirements for it…”
- “It’s never come up until today. We could have it? Maybe?”

Out of a sampling of ten prior clients, 7 had a policy, but only 2 of those clients knew the answer when I asked it. Of those 7, only 1 client had any clue about policy details…

Page 11: P.F. Chang’s vs. Federal Insurance Company

- P.F. Chang’s had 60k credit cards stolen in 2013 and received ~$1.7M for claims from their cyber policy, on a $134k/year premium.
- An additional $2M was requested to cover fees and assessments, but was denied.
- The court ultimately sided with the insurer.
- Why? Because P.F. Chang’s was unaware of the appropriate scoping of the policy…

Page 12: No Single Answer: Balancing Cybersecurity Insurance and a Strong Security Program

AFGlobal - $480k loss via a scam that targeted the accounting director, yielding a wire transfer“the scam did not involve forgery of a financial instrument

or a hacking event, and the instructions to wire the funds were issued by AFGlobal itself, rather than a third party posing as AFGlobal”

Medidata Solutions - $4.8m loss, also from a wire transfer that was executed by finance…“is not covered because, among other things, there was

no manipulation of Medidata’s computers and Medidata “voluntarily” transferred the funds.”

Oh and Federal Insurance also went to court for…

https://www.huntoninsurancerecoveryblog.com/2016/08/articles/cyber/insurers-continue-to-contend-cybercrime-losses-are-not-covered/

Page 13: Covered?

Pages 14–16: Choosing the Right Specialty Data Breach Policy

- The types of data included in the coverage
- Forensic investigation costs
- Whether coverage is provided for data in the hands of third parties
- Regulatory coverage
- Business interruption coverage
- Remediation coverages, including:
  - Crisis management
  - Credit monitoring
  - Public relations expenses
- Limits and control
- Exclusions and retroactive dates

Pages 17–18: Basic “Cyber” or “Tech” Insurance

Page 19: Basic “Cyber” or “Tech” Insurance

THINK IN TERMS OF “LOSS” NOT “CAUSE”

Pages 20–22: Basic “Cyber” or “Tech” Insurance

Page 23: Underwriting Process

Page 24: A Security Program, Not a Prayer

- Most people wouldn’t drive around recklessly because they have car insurance — they know it’s both dumb & unlikely to result in insurance covering their actions.
- Cyber insurance is a last-ditch safety net, not a plan.
- Human errors (ask Medidata & AFGlobal) are not likely to be covered under such a policy, even if computers happen to be involved in the process of a ‘theft’.

Page 25: Security Program Reality Check

- Nobody follows their data classification — if it exists…
- Networks are flat with no thought of security design
- Passwords still suck & two factor is not used enough
- Patching? Still slow, still incomplete, and often “too late”
- EMET, SELinux, & GRSecurity? “Too hard, turn it off!”
- Principle of Least Privilege are just words in a policy
- Auditing? Oh, syslog was really noisy, so that stopped
- Web Apps: We should really just give up on the web ;)

Page 26: via Jeremiah Grossman, Black Hat 2016

https://www.blackhat.com/docs/us-16/materials/us-16-Grossman-An-Insiders-Guide-To-Cyber-Insurance-And-Security-Guarantees.pdf

Page 27: $100,000 Premium? I’d rather spend it doing…

- Write, maintain, and follow a data classification policy
- Use the data classification to design & secure networks
- Implement LAPS and leverage an SSO provider with 2FA
- Segment users who aren’t patching high & critical issues
- Use basic EMET, SELinux, and GRSecurity policies
- Use granular GPOs to provide users the privilege they need
- Hire someone to connect, tune, and audit key log sources
- Treat your entire web application infrastructure as hostile

Pages 28–32: Underwriting Problems

Page 33: Takeaways

- Information security stakeholders need to be directly involved in the cyber-risk insurance procurement process to provide valid guidance and context on security risks.
- Blending insurance policies to cover what otherwise may be perceived as a single ‘risk’ is often the right path.
- Investment in a maturing security program can involve insurance policies, but should not rely on them alone.
- Be sure the information you provide during underwriting is accurate – don’t think you’re tricking anyone.

Page 34: Thanks!

Mark Stanislav, Product Security Officer, Philips
[email protected]

Nick Merker, CISSP, CIPT, Partner, Ice Miller LLP
[email protected]