Thought Leadership
Cybercrime – do you have it covered?
Navigating the complex business of cybercrime insurance
Overview
It’s estimated that cybercrime now costs the global economy more than $400bn each year, and the figure is growing year on year. The threat landscape is becoming ever more complex, with a broadening footprint that includes cloud-based services, mobile devices, big data and the Internet of Things. And the fear of a costly breach is driving an increasing number of businesses towards taking out cyber insurance policies.
The market for cyber insurance is potentially huge, with some estimating that annual gross written premiums could grow from around $2.5bn¹ to $7.5bn² by the end of the decade. But premiums are becoming prohibitively expensive, following high profile attacks in 2015 and a nervousness in the sector due to the lack of historical claims data and a shortage of skilled underwriters.
“Cybercrime is a costly, hard to detect and difficult to combat threat. From an insurance perspective, while analogies are often made with terrorism or catastrophe risks, cyber risk is in many ways a risk like no other.”
Insurance 2020 & beyond: Reaping the dividends of cyber resilience, © PwC
As with all types of risk, organizations often look for ways to minimize their financial exposure should the worst happen, and cyber insurance policies seem a logical step. But insurers will be less likely in the future to impose blanket terms and conditions. Instead, they will require a much fuller assessment of the policyholder’s vulnerabilities, processes and response plans.
This paper looks at the cyber insurance market, the need for expert advice and the steps that organizations can take to ensure that they fully understand their own data risks and security vulnerabilities before taking out a policy.
A complex threat landscape
Cyber criminals are continuously discovering new ways to exploit vulnerabilities and technology. Although researchers and companies are working hard to remain one step ahead of attackers, no defense will prevent all potential attacks. We’re living in a world where new threats are developing faster than the technologies that counter them.
As a result, many organizations take out cyber insurance policies to transfer the financial risks associated with attacks, and insurers are challenged to underwrite these policies and provide recommendations.
Cyber insurance is growing, but it’s still a relatively untapped opportunity for insurers, with maturity levels varying across the globe. Some markets are more mature than others: approximately 90% of all cyber insurance is purchased by US organizations³, whereas only 2% of UK companies have taken out standalone cyber insurance.
It’s a minefield of ambiguity, and there are many examples of insurers failing to pay out based on small print and complex policy interpretation. Inaccurate information can void a policy, and claims continue to be denied where the information supplied has proven to be inaccurate.
“We expect full and complete answers to our questions on the measures the firm has taken to mitigate a potential data breach, including its culture, training of employees, technology and procedures in the event of a breach.”
Steven Goldman, ACE Group
An organization must demonstrate to the insurer the protective steps it has taken, both to assess and reduce the risk in the first place and then to continuously monitor these risks. Only then can an insurance company begin to understand its exposure.
Organizations considering taking out cybercrime insurance should think carefully about what they expect the policy to deliver. How do you know if you are adequately covered? Could your policy be invalidated? And what cybercrime safety measures would insurers expect you to have in place?
1. Speech by John Nelson, Lloyd’s Chairman, at the AAMGA, 28 May 2015
2. PwC, Insurance 2020 & beyond: Reaping the dividends of cyber resilience
3. Fortune, 23 January 2015
Copyright© NTT Security 2016
Don’t ignore the small print
Far too often, organizations take out cyber insurance without checking the small print. Many policies are taken out without sufficient research into what’s available, what they cost and what they cover. Policy terms are not dictated by regulators, and no standard language has yet been adopted by the industry. Policies vary too, and there have been some very well publicized disagreements where insurance providers have rejected claims based on their own interpretation of the fine print.
For example, does the policy cover data if it’s held by a third party or in the cloud? Will the policy pay out if your organization has failed to keep up to date with security updates? How about if former employees still have access to your systems? Are you covered if the breach came via an employee’s own device? And what happens if the original breach pre-dates your policy, yet you were unaware that your systems had been infiltrated some months previously? A recent report⁴ reveals that nearly 21% of vulnerabilities detected in client networks were more than three years old, and over 5% were more than 10 years old.
It’s all but impossible to cover yourself 100%. If you’re unsure about the fine print, seek legal counsel.
“No insurance policy will protect an organization’s brand or reputation.”
Garry Sidaway, NTT Security
Protection is key – but whose responsibility is it?
Rather than relying solely on an insurance policy to cover all losses, businesses need a different game plan: by all means buy insurance to cover some of the losses, but at the same time take measures to reduce the potential for loss.
Many organizations will lay the responsibility firmly at the door of the IT department, yet IT security should be about more than just the hardware and software. It needs to be embedded in the culture of the organization, championed by the CEO, designed and executed by the CISO, and communicated effectively so that every employee takes responsibility for ensuring that good practices are followed. And if your organization relies on the services of third-party contractors and suppliers, you need clear guidelines to ensure that all third parties are aware of your security policies and practices. This may not prevent a third-party related security incident, but it is good practice to ensure that everyone is at least aware of what is expected of them.
Choose your policy with care
Businesses of all sizes rely on their IT infrastructure to some degree, exposing themselves to the risks of business interruption, income loss, plummeting share prices and reputational damage if systems fail or are interrupted. Yet organizations are not adequately insuring themselves against attacks, and in recent years we’ve seen a number of high profile court cases with insurers rejecting cyber-related claims under more traditional policies. When contested, the courts have, in the majority of cases, sided with the insurers. General professional indemnity policies don’t usually provide any of the first-party cover offered by a cyber insurance policy, and it’s this first-party cover that will include loss of business income as well as crisis management support (PR, legal advice, forensic investigators, IT specialists) to minimize the impact of the breach. Don’t assume that your public liability insurance will cover all the costs associated with a data breach – it almost certainly won’t.
Risk:Value 2016 research findings⁵
• 75% of people do not believe that all their business data is secure
• 48% of respondents don’t have a full information security policy in place
• 51% of respondents do not have a full disaster recovery plan in place
• 65% of organizations do not have a cyber insurance policy in place
Of those organizations with a cyber insurance policy in place:
• 50% think that lack of compliance would invalidate their policy
• 43% believe that their lack of an incident response plan would invalidate their policy
• 43% think that lack of employee care and attention would invalidate their policy
Assess your risk exposure
What is important to insurers is that clients have a complete understanding of their risk exposure. Without this, it’s impossible to create a policy that is relevant for your business.
A first step in protecting your organization against potential threats is to fully understand your risk exposure across all areas of the organization, ensuring industry best practice is considered. There’s a growing global shortage of cybersecurity skills, so if you don’t have the skills in-house, take expert advice and consider a comprehensive evaluation of your company. This will highlight areas of risk, make recommendations, prioritize actions and help you build a strategic roadmap for continuous risk management. A full assessment would highlight gaps in your IT security armor and show you the critical areas that need immediate attention. An evaluation summary would give a timeline for carrying out any remedial actions required. This could then be shared with your insurer as evidence that you are taking security seriously.
Cybercrime protection, best practice
1. Understand your risk – conduct an annual risk assessment exercise to understand your current risk exposure. Maintain the Board’s engagement with cyber risk
2. Secure configuration – keep hardware and software protections up to date; persistence pays off for the cyber criminal. Stay on top of basic protection
3. Home and mobile working – set robust guidelines for data access. User-owned devices are increasingly being used for day-to-day business. Protect your network regardless of the access device
4. Education and training – ensure your employees know your policies and incident response processes by implementing a full security awareness program including, where practical, poster campaigns, regular advisory emails, new starter security inductions and annual computer-based training
5. Incident management – establish, produce and routinely test incident management plans
6. Monitoring – continuously monitor all ICT systems and associated logs to spot and act upon potential attacks
7. Secure network – manage the network perimeter and filter out unauthorized access
8. Malware protection – establish anti-malware defenses and continuously scan for malware
9. Manage user privileges – limit user privileges and monitor user activity
10. Establish employee ground rules for use of social media – social media is becoming a primary path for cyber criminals. Give your employees the ground rules for acceptable use at work and guidance on secure online behavior outside of work
11. Perform security assessments on third parties during the procurement process and at least annually, to monitor compliance with your organization’s security requirements, as well as legislative and regulatory controls
12. Establish and maintain a formal risk management process – ideally adopting an internationally recognized standard
4. NTT Group Security Global Threat Intelligence Report 2016
5. NTT Security Risk:Value 2016 Report
Understand your risk – see yourself as an attacker sees you
Threats are constantly changing, and so should your defensive testing. Stealthy, long-running intrusions, known as Advanced Persistent Threats (APTs), employ a high degree of covertness over a long period of time, and many high profile attacks have bypassed traditional company defenses. If you can see yourself as an attacker sees you, you’ll be a step closer to protecting your information assets and, again, you will demonstrate to your insurer that you have robust security measures in place.
APT Simulation is a good place to start. APT attacks require a different form of testing from traditional assessments like penetration testing, which focus on a particular area of infrastructure or a single web application. This is why APT Simulation is regularly deployed by organizations to help mitigate this risk.
APT Simulation follows the steps that an attacker would take when profiling your organization in order to try and breach its defenses, often through malicious email links and attachments: from gathering personal and business information, through attacking via the path of least resistance, to penetrating the organization and covertly extracting data.
Following the APT Simulation, you will have a clear picture of the security weaknesses relating to process, people and technology that the exercise exposed. You’ll be able to test your incident response procedures and implement suitable controls to minimize the risk of a successful attack.
Be proactive
The risk of attack will never diminish, and the sophistication and frequency of attacks are growing.
For example, recent research⁶ indicates that all of the top 10 vulnerabilities targeted by exploit kits during 2015 related to Adobe Flash, and the number of publicized Flash vulnerabilities jumped by almost 312 percent from 2014 levels. Spear phishing attacks accounted for 17% of all incident response activities in 2015. And brute force attacks jumped 135 percent from 2014 levels.
General liability insurance has been proven time and again to be insufficient to cover cybercrime attacks, yet the impact on your organization in terms of damaged reputation, lost customers and financial losses could be significant. This is a risk your business can’t afford to ignore.
If you do decide to take out a cyber insurance policy, you are making a commitment to transfer risk and ultimately reduce the costs associated with as yet unknown attacks. Yet underwriting these policies is still a challenge for insurers, and organizations must do everything possible to understand their exposure, take appropriate steps to mitigate risk, and demonstrate to insurers that information security and risk management are top of the agenda.
Conclusion
Insurance policies are not a licence to be reckless, and it shouldn’t be surprising that policies are written in such a way as to avoid covering high-impact scenarios that could easily have been prevented, like someone willingly sending a large amount of money without any secondary verification. Similar to home insurance, coverage against cybercrime does not replace preventative measures to secure your home, such as locking the doors and windows before you leave the house.
A smart business will implement a security framework that includes both technological and process controls to prevent breaches, and consider an insurance policy only as a supplement to its own solid risk-based security program, not a replacement for it. Organizations need to invest both in protecting assets in the first instance and in transferring the residual risk via appropriate insurance cover should an attack occur. These are not mutually exclusive requirements: it’s important to have prevention measures in place before you go on to insure your assets.
Companies that want to transfer some of the risk of a breach will increasingly turn to cyber insurance. Unfortunately, they will not always get what they think they’re paying for.
Case Study: Bitcoin provider v. US insurance company⁷
• December 2014 – an unknown attacker compromised the computer of a third-party associate of a bitcoin provider company
• This attack on the third party enabled the spear phishing of the bitcoin provider’s CFO
• The compromised email account was then used to trick the bitcoin provider into making three bitcoin transactions over two days to the value of $1.85m
• The insurance claim was that the hacking of the account had fraudulently resulted in the bitcoin transfer and therefore the loss of $1.85m
• The insurance company refused to pay out, due to the wording of the policy – as far as they were concerned, it was the computer system of the third party that had been compromised, and the third party was not the insured party
Commentary
This type of attack is known as ‘Business Email Compromise’ (BEC) or simply ‘CEO Fraud’. Computers may have been used to send the email and transfer the money, but this breach, if it can be called that, was fundamentally a failure of people and processes rather than anything technological, and it would be hard to call this a cyber attack.
There is no purely technical solution for spear phishing, and IT personnel rarely have the knowledge or authority to implement the organization-wide process controls that would be a more appropriate defense against this type of attack. In order to be effective, real security responsibility belongs at the executive level, where policy and process changes can be implemented, with IT playing a part in the overall risk management strategy.
Businesses should be aware of this type of attack by now and have implemented proper financial controls around large transactions. As the insurance company in this case is pointing out, there is a big difference between falling for a convincing forged financial document and falling for a sketchy email purporting to be from an executive.
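The “secondary verification” that the case study turns on can be enforced in the payment system rather than left to individual judgement. The following is an added example, not NTT Security’s code and not the controls of the company in the case: a release gate that applies a four-eyes rule to every outbound payment, sums payments to the same beneficiary over a 48-hour window so that a transfer split into several instructions (as in the case) cannot evade the large-value limit, and refuses to release a large or new-beneficiary payment instructed by email unless it was confirmed by a callback to a contact held in the finance system’s own directory rather than one quoted in the email. The limit, the window, the directory and the sample requests are all constructed assumptions.

```python
"""Dual control and out-of-band verification for outbound payments (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed policy values, not taken from the paper.
SINGLE_LIMIT = 50_000.0                 # above this aggregate, email instructions need a callback
AGGREGATE_WINDOW = timedelta(hours=48)  # payments to one beneficiary are summed over this window

# Callback contacts held in the finance system's own records (constructed sample data).
# A number quoted inside the payment instruction itself must never be used for the callback.
CONTACT_DIRECTORY = {"cfo": "+1-555-0100"}


@dataclass
class PaymentRequest:
    request_id: str
    when: datetime
    amount: float
    beneficiary: str
    requested_by: str                         # user who keyed the request
    instruction_channel: str                  # where the instruction arrived: "email", "erp", ...
    approved_by: Optional[str] = None         # second person who approved the release
    callback_made_to: Optional[str] = None    # contact actually used to confirm the instruction
    beneficiary_on_file: bool = True          # beneficiary details match vendor master data


def aggregate_to_beneficiary(req, history):
    """This request plus earlier released payments to the same beneficiary inside the window."""
    window_start = req.when - AGGREGATE_WINDOW
    return req.amount + sum(
        h.amount for h in history
        if h.beneficiary == req.beneficiary and window_start <= h.when <= req.when
    )


def release_decision(req, history=(), directory=CONTACT_DIRECTORY):
    """Return (allowed, reasons); every failed control is listed, not just the first."""
    reasons = []
    # Four-eyes rule applies to every outbound payment regardless of size.
    if req.approved_by is None:
        reasons.append("no second approver")
    elif req.approved_by == req.requested_by:
        reasons.append("approver is the requester")
    # A new beneficiary, or a large aggregate instructed by email, needs an out-of-band
    # confirmation made to a directory contact (never to a number supplied in the request).
    large_by_email = (aggregate_to_beneficiary(req, history) > SINGLE_LIMIT
                      and req.instruction_channel == "email")
    if (not req.beneficiary_on_file or large_by_email) and req.callback_made_to not in directory.values():
        reasons.append("not confirmed out of band via a directory contact")
    return (not reasons, reasons)


def process_batch(requests, directory=CONTACT_DIRECTORY):
    """Evaluate requests in time order; only released payments count toward later aggregates."""
    released, outcomes = [], {}
    for req in sorted(requests, key=lambda r: r.when):
        ok, why = release_decision(req, released, directory)
        outcomes[req.request_id] = (ok, why)
        if ok:
            released.append(req)
    return outcomes


# Constructed scenario: instructions arriving from a CFO mailbox the attacker controls, each
# below the single limit, plus one legitimate large payment raised through the ERP system.
t0 = datetime(2014, 12, 1, 9, 0)
SAMPLE = [
    PaymentRequest("e1", t0, 30_000, "vendor-42", "clerk", "email", approved_by="manager"),
    PaymentRequest("v1", t0 + timedelta(hours=2), 80_000, "vendor-7", "clerk", "erp", approved_by="manager"),
    PaymentRequest("w1", t0 + timedelta(hours=5), 20_000, "new-wallet-1", "clerk", "email",
                   approved_by="clerk", callback_made_to="+1-555-0199", beneficiary_on_file=False),
    PaymentRequest("e2", t0 + timedelta(hours=20), 30_000, "vendor-42", "clerk", "email", approved_by="manager"),
    PaymentRequest("e3", t0 + timedelta(hours=30), 30_000, "vendor-42", "clerk", "email",
                   approved_by="manager", callback_made_to="+1-555-0100"),
]

if __name__ == "__main__":
    for rid, (ok, why) in process_batch(SAMPLE).items():
        print(rid, "RELEASED" if ok else "HELD", why)
```

In the sample, e1 is released (known vendor, under the limit), v1 is released because it came through the ERP workflow rather than email, w1 is held for two independent reasons (the clerk approved their own request, and the callback went to a number not in the directory), e2 is held because it pushes the 48-hour aggregate to the same vendor over the limit without a callback, and e3 is released only because the confirmation was made to the directory number. The point is that none of these checks rely on spotting the phishing email; they make the email alone insufficient to move money.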
6. NTT Group Security Global Threat Intelligence Report 2016
7. The full story can be found at networkworld.com
About NTT Security
NTT Security seamlessly delivers cyber resilience by enabling organizations to build high-performing and effective security and risk management programs, with controls that enable the increasingly connected world and digital economy to overcome constantly changing security challenges. Through the Full Security Life Cycle, we ensure that scarce resources are used effectively by providing the right mix of integrated consulting, managed, cloud and hybrid services, delivered by local resources and leveraging our global capabilities. NTT Security is part of the NTT Group (Nippon Telegraph and Telephone Corporation), one of the largest information and communications technology (ICT) companies in the world.
To learn more about NTT Security and our unique services for information security and risk management, please speak to your account representative.