Businesses Need Cyber Insurance – Now!

Uploaded on 2017-09-07 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Financial

The major risk to businesses victimised by cyber breaches is the reputational damage that can follow, damage that often comes from US government regulators out to make a name for themselves, according to a former FBI agent who works in the private sector now.

Reputational damage is also the area where businesses most need insurance protection, Jason Smolanoff, head of global cyber security at Kroll Associates, told insurance executives attending the Super Regional Property/Casualty Insurer Conference in Lake Geneva, Wis.

“These days, what’s going on is the federal government and local governments are now coming up with cyber security regulatory frameworks, which they are imposing upon companies that do business within their states,” he said.

He said after an incident, government officials will show up to perform an investigation, what he calls a “look-back,” to “see if the company performed reasonable data security measures on the information they had. If they didn’t have reasonable measures, they then get fined.”

He said the fines aren’t limited to just one state. “It’s not like if you have a problem in one state, it obviates, or negates, or cancels all the other states. They can all come after you, individually. The federal government can all come after you,” he said.

The Kroll security expert said he has clients dealing with breach lawsuits from seven different federal and state agencies.

“These are the things that people are going to be looking for coverage on from folks like you,” he told the audience of carrier executives.

“That I think is where the real risk lies. It’s not so much the computer intrusion. It’s not so much on the technical side. The major risk really is coming to a company from a reputational standpoint, from a financial standpoint, from a legal standpoint after the intrusion happens. It’s mostly by our governments who are going after these companies who are victims to begin with,” he said.

Make Their Mark

Smolanoff, whose FBI work encompassed cyber security and, before that, organized crime, maintains that regulators are trying to “make their mark so that they can then jump out into private industry.”

He cited California and Massachusetts as two of the most aggressive states vying to justify the heaviest fines against companies they determine lacked adequate security.

“Whatever side of the fence you’re on in the insurance industry, as you start to write more policies, this is ultimately going to become part of what those payouts are going to be and part of what the claims are going to be. You may not pay them out but they’ll be part of the claim at some point,” he told the insurance audience.

He offered what he acknowledged might be a cynical view of the trend.

“Most of these federal and state agencies are seeing this as a way to generate revenue because of the huge budget, true or false,” he said. “I have seen them staff up state AG offices for cyber compliance at a rate that’s just unbelievable. They’re doing that because they’re seeing there’s huge revenue to be generated here. It’s sad, in my opinion, because it’s after the fact and it’s a victim.”

Simply because a company has been audited or certified for cyber security does not mean it is a better risk, according to Smolanoff. He said most large companies that have suffered breaches have been ones that spent millions of dollars on information security and were audited or certified yet they still became victims.

Defending Against Government

He said his firm is working with clients and insurance underwriters on ways to minimize the risk posed by these government actions, developing questions that can help determine how good or how poor a particular insured’s cyber security posture is.

It comes down to companies being able to demonstrate “reasonable security” so that they can differentiate themselves from other similar firms.

Cyber Security Narrative

Smolanoff recommended that every company prepare a narrative outlining its cyber security, the steps it has taken, and what its response capabilities are.

“When you have a computer intrusion and you go before anybody, whether it’s an insurance company to file a claim, a state AG, a client, a business partner, what you want to be able to say is, ‘We as a company did a threat based analysis and we understand the data that we have would be interesting to the following threats. We took reasonable security measures to protect that data based upon the size of the company we are and the amount of revenue that we’re generating each year. If somebody came in and got to this data, they would have had to have taken extraordinary measures to do so.”

A statement like that can be “very powerful” in helping to “differentiate the company from about 90 percent of the other companies that are out there. It helps to minimise fines.”

He said while there are many theories about information security, the measure of a good information security strategy and program is a “company’s ability to rapidly detect and effectively respond” to an incident. It starts with assuming a breach will happen.

“It’s not really about stopping incidents anymore. It’s about how quickly can you identify when there’s anomalous behavior and do something about that anomalous behavior to stop it,” he said.

“It’s where you assume that an attacker is going to get into your network. They will get in but as a result of that attack, you will be able to detect them and stop them before they get to something that’s important.”

Thus, if an intruder gets into to the executive administrator’s computer but they can’t get any further, that’s fine. “We can deal with that. That’s not a big deal. That’s a low risk. We move on,” he said. However, “if they get in and they’re able to then move to your crown jewels within the network and get there and take the data without anyone knowing, that’s a big problem.”

Pay No Ransom

Should an insured or carrier become a victim of a ransomware attack, the former FBI agent strongly advises against paying any ransom money to the attackers.

“You have about 50 percent chance of getting your data back after you pay. Once you pay, then they know who you are and they know that you have money and they know that you pay. They keep coming after you even more. It’s a vicious cycle,” he warned.

He said Kroll has been asked but refuses to participate when an insurance company decides to pay a ransom on behalf of a client.

“Making the payment is almost assuredly going to some type of criminal organization. It would support anything from drug trafficking to human trafficking to more financial crimes, or something like that,” he said.

“I think it just puts us in a bad place and I think it puts, potentially your insured, and maybe even the insurance company, or anyone who’s in that chain with some type of risk. That’s just our company position that we will not be in escrow and we don’t advise that people make the payments.”

Insurance Journal:      Image: Nick Youngson:

You Might Also Read:

Making Sense Of Cyber Insurance:

Insurers Are Handling 'hundreds' Of Breach Claims:

 

« Trump's Top Cybersecurity Advisors Resign
Uber’s U-Turn On User Watching »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Original Software

Original Software

Original Software offers a test automation solution focused completely on the goal of effective software quality management.

Forcepoint

Forcepoint

Forcepoint provide a unified, cloud-centric platform that safeguards users, networks and data while eliminating the inefficiencies of managing multiple point security products.

CS Group

CS Group

CS Group offers a complete range of security solutions from consultancy to security maintenance and from secure infrastructure design to security governance.

Sangfor Technologies

Sangfor Technologies

Sangfor is a global leader of IT infrastructure, security solutions, and cloud computing.

Medigate

Medigate

Medigate is a dedicated medical device security platform protecting all of the connected medical devices on health care provider networks.

Verafin

Verafin

Verafin is one of the North American leaders in fraud detection and AML software.

Innovent Recycling

Innovent Recycling

Innovent Recycling provides a secure IT recycling & data destruction service to all types of organizations across the UK.

Innova

Innova

Innova is Turkey's leading IT solutions company, providing platform independent solutions to organizations in telecommunication, finance, production, public and service sectors.

CoverWallet

CoverWallet

CoverWallet combines deep analytics, thoughtful design and state of the art technology to help small businesses with all their insurance needs including Cyber Liability.

Wolverhampton Cyber Research Institute (WCRI)

Wolverhampton Cyber Research Institute (WCRI)

Wolverhampton Cyber Research Institute builds on the strength of its members in the area of network and communication security, artificial intelligence, big data and cyber physical systems.

RKVST

RKVST

RKVST is a powerful tool that builds trust in multi-party processes when it’s critical to have high assurance in data for confident decisions.

BrainStorm

BrainStorm

BrainStorm Threat Defense takes a new human-focused approach to security awareness that traditional training lacks. It’s a cutting-edge platform to make your users more security savvy.

Cryptr

Cryptr

Cryptr provides plug and play authentication to manage all your authentication strategies in one place with just a few lines of code.

Trovent Security

Trovent Security

Trovent was founded with a clear goal: to support medium-sized companies in significantly increasing their IT security level.

Yondu

Yondu

Yondu empowers businesses across various industries through a wide array of innovative technology solutions to help them scale in the new digital economy.

Rakuten Maritime

Rakuten Maritime

Rakuten Maritime is your trusted partner in maritime cybersecurity, offering comprehensive and proactive solutions tailored to every stage of a ship’s life cycle.