Cyber Insurance White Paper

Transcription

1 Cyber Insurance White Paper This document provides an introduction to cyber insurance. This is a modern insurance product in response to modern security problems. Learn how to reduce your premiums. Author: Todd Bey, Managing Consultant

2 Overview When it comes to cyber theft, company size doesn t matter. Even SMBs are vulnerable to attack. Hackers are looking for businesses of any size with valuable customer data they can steal and sell on the black market. This is where cyber insurance helps to bridge the gap. Like other types of insurance, premiums vary. They start at about $900/year for a $1M policy for an SMB. The premiums rise though seven figures for those large enterprises requiring a half-billion dollars in coverage. Companies of all sizes leverage risk assessments and best practices to mature their security program and minimize the cost of their premiums. Categories of Cyber Risks Cyber risks means risks related to information technology infrastructure and activities. This is a fairly wide scope. These types of risks are typically not covered by traditional general liability policies, hence the emergence of this new market. The top 10 categories include: 1. Malicious attacks, i.e., phishing, viruses 2. Unauthorized access (hacker attacks, spyware) 3. Data breach -- loss of customer information 4. Inadequate security and system glitches 5. Employee misconduct -- disgruntled employees 6. Lost or stolen portable devices 7. Carelessness of employees and vendors 8. Destruction 9. Extortion 10. Denial of service attacks Equilibrium IT Solutions Cyber Insurance White Paper EQInc.com 2

3 Cyber Insurance Market The protocols used with the Internet and computer systems were not designed with security in mind from the start. This dates back to when the Internet was invented officially on January 1, 1983 and became more popular in the 1990 s. As computers and networks became faster, more prevalent as easier to use, the number and type of security holes started to increase exponentially. Security was an afterthought. Securing a business requires a defense-in-depth approach. This requires a complex combination and configuration of security software and hardware. The following have been developed to compensate for these security risks: Antivirus software Anti-spam software Firewalls Intrusion-prevention systems (IPS) Web application firewalls Encryption at rest and in transit Despite these security advancements, it is impossible to achieve complete security, even for the organizations with the largest security budgets. This is impossible due to the following examples: Within each family of technology, it is rare to have a completely sound solution. Often, only one or two vendors are most effective compared to their competitors. Expert (and expensive) talent and resources are required to design and implement security solutions. The business users want to complete their job faster, but security policies and technology may slow them down. Low visibility to the organization s actual risk profile. Lack of investment in senior management or consulting for IT security assessment and management. Security vendors are not motivated to completely fix the root security issues so they can sell more products and services. When a security breach does occur, security vendors may point fingers during forensics. Equilibrium IT Solutions Cyber Insurance White Paper EQInc.com 3

4 Even after implementing robust technology, security awareness by the users is difficult, expensive and time consuming to improve. Data Breach Litigation Trends In addition to the trends of the security issues themselves, it is important to realize how trends are evolving with data breach litigation. Below are some of the most common trends: The process of filing a lawsuit is speeding up after a breach since awareness is increasing and professionals are becoming better prepared. The number of lawers supporting data breach litigation is growing. Plaintiffs continuing struggle to allege Fear of identity theft as potential damage claim Class certification issues Statutory violations as potential damages Data Breach Consequences Cyber insurance is meant to compensate for the large costs of these examples related to data breach events. Regulatory Actions, Fines and Penalties Business interruption and supply chain disruption Class action lawsuits, defense costs and legal fees Drop in stock price and loss of market share Breach Notification Costs Post-breach Identity Monitoring Computer forensics after the breach occurs Lost revenue due to lack of operations PR consulting to recover a damaged corporate or product brand Equilibrium IT Solutions Cyber Insurance White Paper EQInc.com 4

5 Specialty Policies The below specialty cyber insurance policies have developed recently as demand has grown. Privacy and Network Security Provides coverage for liability (defense and indemnity) arising out of data breaches, transmission of malicious code, denial of third-party access to the insured s network, and other network security threats Regulatory Liability Provides coverage for liability arising out of administrative or regulatory proceedings, fines and penalties Media Liability Provides coverage for liability (defense and indemnity) for claims alleging infringement of copyright and other intellectual property rights and misappropriation of ideas or media content Be Proactive The mission of Equilibrium s security practice is to reduce the risk of a security breach and a security incident for its clients. Below are some of the proactive measures recommended by the insurance companies: Understand risk profile by going through a security/risk assessment. Review existing coverage and fill in gaps as needed Review limits and sublimits Review existing agreements and contracts with third-parties Consult professionals and embrace a combined team approach to your organization s security. Equilibrium IT Solutions Cyber Insurance White Paper EQInc.com 5

6 Responding to Known Vulnerabilities One of the quick-wins in IT security is running recurring vulnerability scans and responding to new known threats. Vulnerability scan tool databases are updated daily and recurring scans can be run with some tools for no additional charge. The results are very organized and provide clear recommendations. A strong vulnerability management program will help you reducing your technical vulnerabilities, reduce your risk of a breach and reduce your cyber insurance premiums. Security researches love to provide a name to some of the more prevalent and surprising vulnerabilities. For example, the 3 below were making headlines in Instructions and/or patches have been available to fix them for at least one year. Poodle (found: October 2014) The acronym stands for: Padding Oracle On Downloaded Legacy Encryption (POODLE). Security experts have said that hackers could steal browser cookies in Poodle attacks, potentially taking control of , banking, and social networking accounts. Disabling SSL v3.0 and requiring TLS v1.0 or above resolves this vulnerability. Shellshock (found: September 2014) This vulnerability is typically found on Mac, Linux or Unix or if you run the Apache software. In simple terms, it s a bug in the software knows as Bash that launches applications by typing text commands. A malicious code extension takes over the operating system, giving access to data. Bash has been around for more than 25 years, and the threat is in every version. Once access is gained, hackers can enter any area of a machine. Heartbleed (found: April 2014) When encrypting data, a number of website use the software OpenSSL (often used with Apache). This is often personal and sensitive identity data that can include usernames, passwords, credit card details etc., and put personal, customer and government data at risk. The way the Heartbleed bug works is that it bleeds the server of data that has been encrypted in OpenSSL in 64 kilobytes of information at a time. It can do this over and over again without anyone realising the server has been hacked. It is both difficult to find, and difficult to patch. Test your web server for Heartbleed at Equilibrium IT Solutions Cyber Insurance White Paper EQInc.com 6

7 The Financial Management of Cyber Risk The Internet Security Alliance (ISA) and the American National Standards Institute (ANSI) collaborated in 2010 to write a Cyber Risk Implementation Framework for CFOs titled The Financial Management of Cyber Risk. The below six key steps were found to be critical in managing cyber risk: 1. Designating a cross-departmental Executive vested with strategic control of cyber systems 2. Establishing a cross-enterprise Cyber Risk Team to identify cyber risk. 3. Having the Cyber Risk Team meet regularly. 4. Developing and adopting a cyber risk management plan. 5. Developing and adopting an enterprise-wide cyber risk budget. 6. Regularly reviewing the plan, testing it and updating it. Best Practices for Good Cyber Hygiene This report explains that as much as 97% of cyber events could have been prevented, or their damage mitigated, through the use of common best practices. This statistic is a result of the coalition between Verizon and the U.S. Secret Service since Examples of these best practices are below. There are also common controls that should be part of an organization s security controls framework. Eliminate unnecessary data and keep tabs on what is left Ensure essential controls are met and regularly audit in order to assure consistent implementation Change default credentials Avoid shared credentials Implement a firewall or access control list (ACL) on remote access/administration services Utilize IP blacklisting Update anti-virus and other software consistently Audit user accounts Restrict and monitor privileged users Monitor and filter outbound network traffic Equilibrium IT Solutions Cyber Insurance White Paper EQInc.com 7

8 Test applications and review codes Monitor and mine event logs Change the approach to event monitoring and log analysis Define suspicious and anomalous (then look for whatever it is) Increase awareness of social engineering Train employees and customers to look for signs of tampering and fraud Create an incident response plan Engage in mock incident testing Secure business partner connections Mid-Level Strategies to Cyber Health The practices below go beyond the above best practices and are straightforward to implement. There will not protect against Advanced Persistent Threats (APTs), but will help secure an organization against common risks. 1. Application Whitelisting 2. Patch Software (Adobe, Java, etc.) 3. Patch Operating Systems 4. Minimize the number of users with Admin privileges 5. Continuously monitor for risk Cyber Kill Chain The Cyber Kill Chain is a model which recognizes that, in order for most attacks to succeed, an adversary has to proceed through a series of seven steps within three attack phases. These three phases and seven steps are shown below: Equilibrium IT Solutions Cyber Insurance White Paper EQInc.com 8

9 Conclusion Security experts agree that taking a risk-based approach will reduce your risk of a security breach as well as reduce your cyber insurance premiums. A common approach is to leverage third-party experts to guide you through a security assessment and risk analysis. This will provide visibility to your cyber risks. About Equilibrium Founded in 2004, half of Equilibrium is dedicated to providing IT project consulting and the other half dedicated to providing IT services. Equilibrium specializes in IT strategy, security, cloud, datacenter upgrades and ongoing operations. Visit us at EQinc.com Request a Free Consultation: For more information: info@eqinc.com, Equilibrium IT Solutions Cyber Insurance White Paper EQInc.com 9