
Cyber Insurance – Will it pay off?

One of the more recent trends in the fight against cyber attacks is insurance. Insurance has its place and can be useful, but in an area such as cyber it is a minefield of small print that exploits both the immaturity of the market and the vagueness of the threats. It is hard enough to explain what the word “cyber” really means within the global security community, let alone to justify to an insurance company that is in no rush to pay out that a) you have had a “cyber breach”, and b) it was covered by your policy.

More and more, when I meet a prospective client, their opening standpoint for our discussion is “I have insurance that covers that”. This position is precarious at best, as we usually establish after a few more minutes of conversation. To explain why, I will use some freely available policies that I have found. I am not going to name names here, but getting hold of a cyber-liability policy document is not as easy as you would think, and after an extensive search I found two useful examples, one good and one bad, from which I will quote extracts in this article. I would at this point like to say that I am not a lawyer, nor have I had legal training, but I know the problem and the industry, and I can read legal jargon and apply common sense, which is what I have done here.

To offer some more colour around these documents, the “good one” is a policy from the US that has been around for a few years and has naturally matured as a result. It is also very expensive, as you would expect. The “bad one” is reasonably new and comes from a UK insurer you will have heard of. It is a cheap, off-the-shelf product that is “bundled” with other typical business insurance policies as a “you really should consider our cyber-liability policy…” add-on.

We will start with the “good” policy…

What I will start by saying is that it had a very good, broad definition of what IS covered, and included cover for many of the attacks you would likely be exposed to, which was a refreshing change. At this stage I thought this was the one perfect policy that I would recommend to people, but then I found what I was looking for, the get-out-of-jail-free card. It was this simple statement:

“The Company will only indemnify the Insured in respect of losses where there is clear evidence that they resulted from an insured event. The Insured is obliged to provide the necessary proof.”

Pure genius. But why? Quite simply, the organisations most likely to take up a policy such as this would not be using it to complement a solid approach to security, but instead to avoid having to spend money on security. As a result, it is unlikely that such a company would have the necessary logging, system information, or even awareness that an issue had occurred, all of which would be required to meet this clause in any appropriate level of detail. Even if the organisation had implemented some basic logging and could produce a string of log entries loosely connected to the event, the insurer could easily argue that this is not “clear evidence” and class the event as uninsured. In reality, unless you have a solid chain of evidence showing a step-by-step attack leading to a loss event (retained logs and system records, not just a suspicion that something happened), you are going to end up in an argument with your insurer about your cover.

This particular policy went on to state some key responsibilities that the insured company would have to meet for the policy to be valid. One of these was:

“the Insured’s IT security policies are fit for purpose/complies with industry best practice”

This one was of particular interest as, again, it is buried in the small print, and it essentially states that you must secure your systems against potential breach, applying industry best practice and ensuring they are fit for purpose. While it may sound like a harmless statement, the first point to raise is: what exactly is “industry best practice”, and how do you measure yourself against it to know you have attained it? I have spent years working within global consultancies that use that phrase as a catch-all for “we googled what you should do and that is what we found”.

The second key part of that statement is: at what point does your insurance company agree that your security is “fit for purpose” and that you are therefore covered? Statements like this simply give the insurer yet another exit, because proving that you are secure is difficult.

The third and most important point about this statement is that, as I said at the start of this article, the people most likely to buy this insurance policy consider it a solution to the problem of being secure, a complete “risk transference” strategy that means they do not have to invest in the actual process of being secure. As you can see, that approach would actually render the policy void.

The final point I wanted to make on this particular policy is one that is overlooked by many and is, in my opinion, the absolute icing on the cake:

“Fraud and Dishonesty Any wilful, deliberate, malicious, criminal, dishonest or fraudulent act or omission by the Insured or any Employee”

The key point here is that the clause, and the section it came from, essentially state that they will not cover any deliberate act by an employee. Most security surveys and research articles will tell you that the “insider threat”, i.e. the threat of one of your employees becoming disgruntled and doing something bad, is the most likely and most common form of attack out there, and here we have the policy saying: nope, that one is out of scope!

So the “good policy”, the one with the best cover I could find, actually does not cover the most likely form of attack, would be very hard to invoke, and still requires you to spend a significant amount of your budget on security.

Now let’s look at the “bad policy”…

This one is just unreal, but I can guarantee that quite a few people are currently relying on it for a peaceful night’s sleep and will no doubt soon be very unhappy. Let’s start with the terms this policy sets out.

“Hacker: Anyone who specifically and maliciously targets you and gains access to the website via the internet or other external electronic link, solely by circumventing electronically the security systems in place to protect against such access.”

According to this statement, a “hacker” must be external to your organisation and must be targeting your website (further defined to include your intranet or extranet). This is backed up by a definition of what a hacker is not:

“any director or partner of yours or any sub-contractor, self-employed freelancer or third party on your premises without permission;”

This additional statement makes sure that a hacker must be external to you and cannot be anyone you have had dealings with, nor a third party who has gained unauthorised access to your premises, which is actually a pretty common form of attack.

“anyone who gains access directly through either any computer, computer system of yours or the physical possession of any password or other security code.”

It goes on to state that a hacker is not someone who gains access through your computers or computer systems, or someone who has got hold of a password or other authentication device. That is a bit of a joke, to be honest, as most of the breaches that will cause you serious issues are targeted at your computer systems and networks, not your public website. Equally, most attacks go after the valid credentials of your users via their desktop, laptop or personal devices (so-called “client-side attacks”) and then use those credentials, and the user’s normal authorised access, to reach whatever data that user could reach. So, according to the statements so far, this policy is only good for protecting your website from a defacement, yet it is sold as a complete “e-risk” policy.

A further point of pure comedy in this particular policy was a complete contradiction that demonstrates that the person who wrote it had no idea what they were talking about:

“If during the period of insurance, your business suffers a loss arising from: damage to your computer system or website as a result of a computer virus, worm, logic bomb or Trojan horse. We will pay to repair your computer system or website and restore your data”

For a start, this contradicts the earlier definition, as a “hacker” would probably make use of these tools during an attack, but the next section then contradicts it again:

“We will not make any payment for any claim or loss directly or indirectly due to: any self-replicating, malicious code that was not specifically targeted to your system.”

The contradiction here is that “self-replicating, malicious code” is the very definition of a “worm”, which the prior section stated was covered. As I said, this was the “bad policy” for a reason, and the sheer contradictions alone were enough to earn it that title, without even analysing the likelihood of a successful claim under it.

The final icing on the cake here was something the “good policy” also had, but in this case it is even more blatant:

“If a problem arises We will not make any payment under this section: unless you notify us promptly of the following within the period of insurance or at the latest within 14 days after it expires for any problem you first become aware of in the seven days before expiry: /and/ If we accept your notification we will regard any subsequent claim as notified to this insurance.”

So, what you are saying is: I have to notify you within the period of insurance (or within 14 days of its expiry, for a problem I only became aware of in its final seven days), and you may then choose not to accept or acknowledge my notification? Interesting. I am no legal expert, but I think that is a clear example of why not to buy this particular policy!

The common issues

What is becoming apparent, the more of these policies I see, is:

  1. What is and is not covered can vary wildly from policy to policy, so you really do need to read the small print to make sure you’re actually getting relevant and useful cover for your business.
  2. The good policies will require you to be secure, to reduce their likelihood of paying out; but if you are approaching security in a verifiable way, you are likely to be able to make a claim and use the policy to support you.
  3. The bad policies are just that, very bad. They cover very little, are pretty much a waste of money, and offer nothing more than a false sense of security.
  4. You really need expert support and advice on the policy itself as well as on the approach to security, so consider the policy part of the approach, not an alternative to it.
  5. You need to be able to detect an issue quickly, and in sufficient detail to prove it to the insurer, so that they will accept the claim.

So what is the point?

I am not, by any stretch of the imagination, saying don’t buy these policies (with the exception of the bad policy I used as an example). What I am saying is that an insurance policy DOES NOT REPLACE the need to be secure. Being secure enough that one of these policies will pay out, giving you the added funds you may need to recover from a serious incident, is a good idea, so the two have to go hand in hand. Of course, the real issue is what “secure enough” means.

Security in itself is like perfection: absolute security is unattainable and pursuing it is ludicrously expensive; however, it is possible to be “secure enough”. What that looks like for your organisation will be different from every other organisation on the planet, so first things first: you cannot buy a shiny box with pretty flashing lights on it from “trusted cyber vendor X”, install it and say “we’re good”. It just doesn’t work like that.

What you need to do is:

  • Understand the threats relevant to your business
  • Map these threats into tangible risks you can mitigate, accept or transfer
  • Accept the risks you can, and mitigate the rest as best you can with appropriate controls and governance
  • Monitor the ongoing threats to stay one step ahead
  • Monitor the technology systems you use so you can detect and defend
  • Educate your people to make them part of the solution
  • Detect, respond to and recover from issues as and when they occur

…and I would not expect you to be able to do it on your own either. You need expert help, support and a partner willing to work with your business and help you on this journey. That is where we come in.

Get secure, just ASC.

Web:    www.justasc.net
email:  consulting@justasc.net
Tel:      08456 437406