In View
Cybercrime – do you have it covered?
Navigating the complex business of cybercrime insurance

Overview

It’s estimated that cybercrime now costs the global economy more than $400bn each year – and it’s growing year on year. The threat landscape is becoming ever more complex, with a broadening footprint that includes cloud-based services, mobile devices, big data and the Internet of Things. And the fear of a costly breach is driving an increasing number of businesses towards taking out cyber insurance policies.

The market for cyber insurance is potentially huge, with some estimating that annual gross written premiums could grow from around $2.5bn¹ to $7.5bn² by the end of the decade. And premiums are becoming prohibitively expensive, following high profile attacks in 2015 and a nervousness in the sector due to the lack of historical claims and a shortage of skilled underwriters.

“Cybercrime is a costly, hard to detect and difficult to combat threat. From an insurance perspective, while analogies are often made with terrorism or catastrophe risks, cyber risk is in many ways a risk like no other.” – Insurance 2020 & beyond: Reaping the dividends of cyber resilience, ©PwC

As with all types of risk, organisations often look for ways to minimise their financial exposure should the worst happen – and cyber insurance policies seem a logical step. But insurers will be less likely in the future to impose blanket terms and conditions. Instead, they will require a much fuller assessment of the policyholder’s vulnerabilities, processes and response plans.

This paper looks at the cyber insurance market, the need for expert advice and the steps that organisations can take to ensure that they fully understand their own data risks and security vulnerabilities before taking out a policy.
It’s a minefield of ambiguity and there are many examples of insurers failing to pay out based on small print and complex policy interpretation. Inaccurate information can void a policy, and claims continue to be denied where the information supplied has been proven to be inaccurate.

“We expect full and complete answers to our questions on the measures the firm has taken to mitigate a potential data breach, including its culture, training of employees, technology and procedures in the event of a breach.” – Steven Goldman, ACE Group
A complex threat landscape

Cyber criminals are continuously discovering new ways to exploit vulnerabilities, and technology, although working hard to remain one step ahead of attackers, will never prevent all potential attacks. We’re living in a world where new threats are developing faster than technologies.

As a result, many organisations take out cyber insurance policies to transfer the financial risks associated with attacks, and insurers are challenged to underwrite these policies and provide recommendations.

Cyber insurance is growing, but it’s still a relatively untapped opportunity for insurers, with maturity levels varying across the globe. Some markets are more mature than others – approximately 90% of all cyber insurance is purchased by US organisations³, whereas only 2% of UK companies have taken out standalone cyber insurance.

An organisation must demonstrate to the insurer the protective steps it has taken – both to assess and reduce the risk in the first place – and then the steps it is taking to continuously monitor these risks. Only then can an insurance company begin to understand its exposure.

Organisations considering taking out cybercrime insurance should think carefully about what they expect the policy to deliver. How do you know if you are adequately covered? Could your policy be invalidated? And what cybercrime safety measures would insurers expect you to have in place?
1. Speech by John Nelson, Lloyd’s Chairman, at the AAMGA, 28 May 2015
2. ©PwC, Insurance 2020 & beyond: Reaping the dividends of cyber resilience
3. Fortune, 23 January 2015
www.nttcomsecurity.com
Copyright© NTT Com Security 2016
Don’t ignore the small print

Far too often, organisations take out cyber insurance without checking the small print. Many policies are taken out without sufficient research into what’s available, what they cost and what they cover. Policy terms are not dictated by regulators and no standard language has yet been adopted by the industry. And policies vary too, with some very well publicised disagreements where insurance providers have rejected claims based on their own interpretation of the fine print.

“No insurance policy will protect an organisation’s brand or reputation.” – Garry Sidaway, NTT Com Security

For example, does the policy cover data if it’s held by a third party or in the cloud? Will the policy pay out if your organisation has failed to keep up to date with security updates? How about if former employees still have access to your systems? Are you covered if the breach came via an employee’s own device? And what happens if the original breach pre-dates your policy, yet you were unaware that your systems had been infiltrated some months previously? A recent report⁴ reveals that nearly 21% of vulnerabilities detected in client networks were more than three years old and over 5% were more than 10 years old.

It’s all but impossible to cover yourself 100%. If you’re unsure about the fine print – seek legal counsel.
Risk:Value 2016 research findings⁵

> 75% of people do not believe that all their business data is secure
> 48% of respondents don’t have a full information security policy in place
> 51% of respondents do not have a full disaster recovery plan in place
> 65% of organisations do not have a cyber insurance policy in place

Of those organisations with a cyber insurance policy in place:

> 50% think that lack of compliance would invalidate their policy
> 43% believe that their lack of an incident response plan would invalidate the policy
> 43% think that lack of employee care and attention would invalidate the policy
Protection is key – but whose responsibility is it?

Rather than relying solely on an insurance policy to cover all losses, businesses need a different game plan: by all means buy insurance to cover some of the losses, but at the same time, take measures to reduce the potential for loss.

Many organisations will lay the responsibility firmly at the door of the IT department, yet IT security should be about more than just the hardware and software. It needs to be embedded in the culture of the organisation, championed by the CEO, designed and executed by the CISO and communicated effectively so that every employee takes responsibility for ensuring that good practices are followed.

And if your organisation relies on the services of third-party contractors and suppliers, you need clear guidelines to ensure that all third parties are aware of your security policies and practices. This may not prevent a third-party related security incident, but it would be good practice to ensure that everyone is at least aware of what is expected of them.

Choose your policy with care

Businesses of all sizes will rely on their IT infrastructure to some degree, exposing themselves to the risks of business interruption, income loss, plummeting share prices and reputational damage if systems fail or are interrupted. Yet organisations are not adequately insuring themselves against attacks and, in recent years, we’ve seen a number of high profile court cases with insurers rejecting cyber-related claims under more traditional policies. When contested, the courts have, in the majority of cases, sided with the insurers.

General professional indemnity policies don’t usually provide any of the first-party cover offered by a cyber insurance policy, and it’s this first-party cover that will include loss of business income as well as crisis management support (PR, legal advice, forensic investigators, IT specialists) to minimise the impact of the breach.
Don’t assume that your public liability insurance will cover all the costs associated with a data breach – it almost certainly won’t.

Assess your risk exposure

What is important to insurers is that clients have a complete understanding of their risk exposure. Without this, it’s impossible to create a policy that is relevant for your business. A first step in protecting your organisation against potential threats is to fully understand your risk exposure across all areas of the organisation, ensuring industry best practice is considered. There’s a growing global shortage of cyber security skills, so if you don’t have the skills in-house, take expert advice and consider a comprehensive evaluation of your company. This will highlight areas of risk, make recommendations, prioritise actions and help you build a strategic roadmap for continuous risk management.

A full assessment would highlight gaps in your IT security armour and show you the critical areas that need immediate attention. And an evaluation summary would give a timeline for carrying out any remedial actions required. This could then be shared with your insurer as evidence that you are taking security seriously.

Understand your risk – see yourself as an attacker sees you

Threats are constantly changing and so should your defensive testing. Stealthy and continuous hacking processes, or Advanced Persistent Threats (APTs), employ a high degree of covertness over a long period of time, and many high profile attacks have bypassed traditional company defences. If you can see yourself as an attacker sees you, you’ll be a step closer to protecting your information assets and, again, you will demonstrate to your insurer that you have robust security measures in place.

APT Simulation is a good place to start. APT attacks require a different form of testing to traditional assessments like penetration testing, which focus on a particular area of infrastructure or web application. This is why APT Simulation is regularly deployed by organisations to help mitigate this risk. APT Simulation follows the steps that an attacker would take when profiling your organisation in order to try and breach its defences, often through malicious email links and attachments: from gathering personal and business information, through to attacking via the path of least resistance and finally to penetrating the organisation and covertly extracting data. Following the APT Simulation, you will have a full understanding of any security vulnerabilities relating to process, people and technology that could be open to attack.

Cybercrime protection, best practice

1. Understand your risk – conduct an annual risk assessment exercise to understand your current risk exposure. Maintain the Board’s engagement with cyber risk
2. Secure configuration – keep hardware and software protections up to date – persistence pays off for the cyber criminal. Stay on top of basic protection
3. Home and mobile working – set robust guidelines for data access. User-owned devices are increasingly being used for day-to-day business. Protect your network regardless of the access device
4. Education and training – ensure your employees know your policies and incident response processes by implementing a full security awareness programme including, where practical, poster campaigns, regular advisory emails, new starter security inductions and annual computer-based training
5. Incident management – establish, produce and routinely test incident management plans
6. Monitoring – continuously monitor all ICT systems and associated logs to spot and act upon potential attacks
7. Secure network – manage the network perimeter and filter out unauthorised access
8. Malware protection – establish anti-malware defences and continuously scan for malware
9. Manage user privileges – limit user privileges and monitor user activity
10. Establish employee ground rules for use of social media – social media is becoming a primary path for cyber criminals. Give your employees the ground rules for acceptable use at work and guidance on secure online behaviour outside of work
11. Perform security assessments on third parties during the procurement process and at least annually, to monitor compliance with your organisation’s security requirements, as well as legislative and regulatory controls
12. Establish and maintain a formal risk management process – ideally adopting an internationally recognised standard

4. Global Threat Intelligence Report 2016
5. NTT Com Security Risk:Value 2016 Report
You’ll be able to test your incident response procedures and implement suitable systems to minimise the risk of a successful attack.

Be proactive

The risk of attack will never diminish, and the sophistication and frequency of attacks are growing. For example, recent research⁶ indicates that all of the top 10 vulnerabilities targeted by exploit kits during 2015 are related to Adobe Flash, and the number of publicised Flash vulnerabilities jumped by almost 312 percent from 2014 levels. Spear phishing attacks accounted for 17% of all incident response activities in 2015. And brute force attacks jumped 135 percent from 2014 levels.

General liability insurance has been proven time and again to be insufficient to cover cybercrime attacks, yet the impact on your organisation in terms of damaged reputation, lost customers and financial losses could be significant. This is a risk your business can’t afford to ignore.

If you do decide to take out a cyber insurance policy, you are making a commitment to transfer risk and, ultimately, reduce any costs associated with as yet unknown attacks. Yet underwriting these policies is still a challenge for insurers, and organisations must do everything possible to understand their exposure, take appropriate steps to mitigate risk, and demonstrate to insurers that information security and risk management are top of the agenda.

Conclusion

Insurance policies are not a licence to be reckless, and it shouldn’t be surprising that policies are written in such a way as to avoid covering high-impact scenarios that could be easily prevented, like someone willingly sending a large amount of money without any secondary verification. Similar to home insurance, coverage against cybercrime does not replace preventative measures to secure your home – such as locking the doors and windows before you leave the house.

A smart business will implement a security framework that includes both technological and process controls to prevent breaches, and consider an insurance policy only as a supplement to its own solid risk-based security programme, not a replacement for it. Organisations need to invest both in protecting assets in the first instance and in transferring any risks via appropriate insurance cover should an attack occur. These are not mutually exclusive requirements: it’s important to have prevention measures in place before you go on to insure your assets.

Companies that want to transfer some of the risk of a breach will increasingly turn to cyber insurance. Unfortunately, they will not always get what they think they’re paying for.
Case Study: Bitcoin provider v. US Insurance Company⁷

> December 2014 – an unknown hacker hacked the computer of a third-party associate of a bitcoin provider company
> This attack on the third party enabled the spear phishing of the bitcoin provider’s CFO
> The hacked email account was then used to trick the bitcoin provider into making three bitcoin transactions over two days to the value of $1.85m
> The insurance claim was that the hacking of the account had fraudulently resulted in the bitcoin transfer and therefore the loss of $1.85m
> The insurance company refused to pay out, due to the wording of the policy – as far as they were concerned, it was the computer system of the third party that had been compromised, and he was not the insured party

Commentary

This type of attack is known as ‘Business Email Compromise’ (BEC) or simply ‘CEO Fraud’. Computers may have been used to send the email and transfer money, but this breach, if it can be called that, was fundamentally a failure of people and processes rather than anything technological, and it would be hard to call this a cyber attack. There is no technical solution for spear phishing, and IT personnel rarely have the knowledge or authority to implement the organisation-wide process controls that would be a more appropriate defence against this type of attack. In order to be effective, real security responsibility belongs at the executive level, where policy and process changes can be implemented, with IT playing a part in the overall risk management strategy.

Businesses should be aware of this type of attack by now and have implemented proper financial controls around large transactions. As the insurance company in this case is pointing out, there is a big difference between falling for a convincing forged financial document and falling for a sketchy email purporting to be from an executive.
6. Global Threat Intelligence Report 2016
7. The full story can be found at networkworld.com
We see a more secure world NTT Com Security is in the business of information security and risk management. By choosing our WideAngle consulting, managed security and technology services, our customers are free to focus on business opportunities while we focus on managing risk. The breadth of our Governance, Risk and Compliance (GRC) engagements, innovative managed security services and pragmatic technology implementations, means we can share a unique perspective with our customers – helping them to prioritise projects and drive standards. We want to give the right objective advice every time.
Our global approach is designed to drive out cost and complexity – recognising the growing value of information security and risk management as a differentiator in high-performing businesses. Innovative and independent, NTT Com Security has offices spanning the Americas, Europe, and APAC (Asia Pacific) and is part of the NTT Group, owned by NTT (Nippon Telegraph and Telephone Corporation), one of the largest telecommunications companies in the world.
To learn more about NTT Com Security and our unique WideAngle services for information security and risk management, please speak to your account representative or visit: www.nttcomsecurity.com for regional contact information.