Want stronger cyber security insurance coverage? Get ready for a network audit for applications, usage, inbound, outbound data, and all connections
This story is Part I of an ongoing series of reports focusing on the growing issue of insurance and cyber security.
By Bob Felton
Insurers’ need to protect themselves from lax enterprise standards and obstructionist IT departments is driving a new business: Security audits.
Though the mind’s eye needs little imagination to concoct fantastic scenarios of physical and financial ruin in the event of a successful cyber attack against a manufacturing facility, the humdrum truth is that most attacks go unnoticed. And when they are noticed, the financial hit may come from an unexpected direction: Maybe from some damage to the facility or a dangerous defect introduced into a product, but also from liability for a compromise of your employee and client data under a widely varying and ever-evolving panoply of state and federal statutes.
Forget about hackers rigging things so the next batch of Sooper Sugary Chews can poison thousands, or setting production lines to lurching and slamming and sending 1-ton machine parts ricocheting around the plant, or whatever else you may have seen in a late-night thriller: The real threat, the one that could really cost you, and the one you may not be insured against, is the surreptitious theft of your customers’ and employees’ confidential information.
Insurance protection against losses from cyber attacks is separate from the familiar insurance coverages, just as coverage for theft of artwork and jewelry is a separately purchased rider on a homeowners policy. The losses may be of several types.
First, you may sustain operational losses if the facility is temporarily disabled and, perhaps, the cost of repairs. Second, you may be exposed to liability to those who rely on you. These are the hazards exploited by television dramas. A third type of loss, one unlikely to attract immediate attention but carrying potentially huge exposure, is the theft of private employee and customer data.
Data is the Target
Presently, losses of privacy data are addressed by an irregular skein of state and federal laws. The federal government has enacted statutes regulating medical data; virtually all other types of data fall under the purview of state laws. The state laws, predictably enough, range from stringent to non-existent.
In virtually all cases, the entity that collects privacy data is responsible for its security, and never mind that the data management subcontractor a continent away had some unpleasantness with an unhappy or cash-short employee, or that its salesman never mentioned a flourishing organized crime syndicate in his home country. If you collect data – and who doesn’t? – you are responsible for its safety.
We are all familiar with buying homeowners insurance. The agent asks some predictable questions: How far to the nearest fire hydrant? Septic tank, or sewer? Is the house near a flood plain? You give answers, and the agent gives you a price – but comes over and looks around to verify your answers before issuing a policy.
Something similar goes on when purchasing cyber insurance. The insurance company will have a lengthy questionnaire requiring detailed answers but, historically, IT departments have been reluctant to let outsiders put their hands on the computer systems in order to verify the answers. That may change, speculates Phoenix Contact’s Dan Schaffer, a former IT manager now working in controls and cyber security, after the discovery in mid-July of a first-of-its-kind Stuxnet worm that targets some Siemens controls: “I’m really interested,” he said, “to see how this changes the relationship between the control guys and the IT guys.” Graham Speake, principal systems architect at Yokogawa, is optimistic: “I’m sure they’ll converge more and more.”
Ultimately, said Schaffer, “There has to be a documented allocation of system ownership.”
Seeking to protect the IT department’s desire for system privacy while meeting insurance companies’ need for trustworthy system information, some software companies have stepped in as disinterested third parties, developing packages that audit entire networks for applications and their usage, inbound and outbound data, and all their connections. Those packages can provide only a snapshot of conditions at a particular moment in time, however, and can do nothing to evaluate an attack recovery plan or the personnel who use the systems.
Speake points toward a problem with adding auditing packages to operating control systems: “Nobody wants to put too much on the control network when it’s active, because you don’t want to bring it down.”
Ironically, the insurance company’s questionnaire, or a software-based audit tool, may prove beneficial to companies that have never let an outsider poke around their digital viscera.
George Allport, vice president of Special Insurance at Chubb, tells the story of a hospital his company at first refused to insure because of its questionnaire responses. That led to extensive rethinking of everything from configuration to procedures on the hospital’s part. “A year later,” Allport said, “they came back and we were able to issue them a policy.”
Even so, “You have to rely more than you should on the information coming from the client,” said John Lawson, vice president at Hess Egan Hagerty & L’Hommedieu, a division of M&T Insurance.
Insurance companies are right to be uneasy about insuring a black box they can’t look inside. According to a report in ISSSource from Israel’s Tufin Technologies, 1 in 10 IT professionals acknowledges cheating, or knowing somebody who cheated, to pass an IT security audit.
As more and more personal data whizzes around the Internet and evolving statutes and case-law raise the stakes, auditing network security is becoming a business specialty in its own right, an industrial analog to the termite inspection demanded by the underwriter when you purchase a house. And companies with recalcitrant or dilatory IT departments may find themselves going bare.
That IT department approach would not be wise. According to the 2009 Data Breach Investigations Report by Verizon, “The 90 confirmed breaches within our 2008 caseload encompass an astounding 285 million compromised records.” Worse, 20% of the breaches came from the hands of disaffected insiders, and business partners were implicated in 32% of breaches.
And that’s not the end of the bad news:
• 69% were discovered by a third party (your customer or a business partner, for instance)
• 83% of attacks were not highly difficult
• 87% were considered avoidable through simple or intermediate controls
Though too many companies are all but an open book to the knowledgeable data thief, and would probably be considered a poor risk if not actually uninsurable if properly audited, the Internet continues to race ahead with new data manipulation paradigms. The latest, cloud computing, is especially worrisome: According to a study released just last May by the Ponemon Institute, most IT departments do not have a good inventory of the cloud computing services used in their enterprise, and less than half of the ones they know about have been vetted for security.
The study, entitled “Security of Cloud Computing Users,” reveals more than half of U.S. organizations are adopting cloud services, but only 47 percent of respondents believe cloud services are evaluated for security prior to deployment. Of equal concern, more than 50 percent of respondents in the U.S. say their organization is unaware of all the cloud services deployed in their enterprise today.
Expect insurance companies to crack down, to demand the right to a white-glove inspection of every computer from the plant floor to the corner offices, and expect IT departments to grow more stringent than ever about authorized and unauthorized system usages. The days of checking Facebook during lunch, or transporting files between home and the office on a thumb drive, are coming to an end. The risks, especially for the insurance companies themselves, are just too great.
Bob Felton is a freelance writer based in Wake Forest, NC.