Cyber Insurance Market Full of Uncertainty and Skimpy Coverage

Cyber Insurance Coverage: a Brave, Uncertain New World for Insurers and Policyholders

Despite the escalating intensity and frequency of cyber attacks, fewer than 1/3 of U.S. businesses have purchased cyber insurance policies. A recent report by Deloitte provides insight into why organizations are deciding to go without cyber coverage, as well as why many insurers are hesitant to offer the coverage on a large-scale basis.

According to a recent report by Deloitte, Demystifying Cyber Insurance Coverage, cyber insurance policies represented only $1.5 to $3 billion out of a total of $505.8 billion in premium revenues generated by U.S. carriers in 2015. Further, only about 29% of organizations had even purchased a policy as of October 2016. Just 40% of Fortune 500 companies have coverage. Even companies that do have policies may have “skinny” coverage that will leave them high and dry if they ever do file a claim; just ask fast-casual restaurant chain P.F. Chang’s, which found out the hard way that its cyber insurance policy did not cover millions of dollars in liabilities to credit card issuers in the wake of a POS breach.

Why is cyber coverage so spotty? It’s easy to point fingers at insurers, policyholders, or both. After all, insurance companies do not make money from paying claims; they make money from collecting premiums and paying claims only rarely. When a policyholder files a claim, whether it’s for a roof repair or a ransomware attack, the insurer will look for every reason not to pay out. At the same time, both the public and private sectors are guilty of not taking cyber security seriously; from Yahoo to Major League Baseball to the U.S. Secret Service, organizations keep getting breached, yet they keep behaving as though a major cyber attack will never happen to them.

While these are valid issues, the cyber insurance situation is not that simple. Deloitte’s report identified numerous obstacles in the path of both insurance companies that wish to sell policies and organizations that wish to buy them. Specifically, insurers struggle with:

  • A lack of historical data, making it difficult or impossible to build reliable predictive models.
  • The dynamic nature of cyber security, where brand-new threats are emerging literally daily.
  • The potential for “catastrophic accumulation” of claims if a nationwide or worldwide cyber attack brings down hundreds or thousands of claimants simultaneously; for example, if cyber terrorists were to strike the nation’s power grid, or a major website host is taken down.
  • “Tunnel vision,” which causes insurers to primarily focus on policies that protect insureds against the theft of personal identifying information (PII); not all organizations handle PII, and the threat landscape includes DDoS attacks, ransomware, and other attacks that can cripple an organization but do not involve the compromise of PII.

On the other side, policyholders are plagued by:

  • Not fully understanding their cyber risks or insurance options; similar to the situation with health insurance, many organizations feel they don’t “need” cyber insurance or require only bare-bones policies.
  • Erroneously thinking that they are already covered because another insurance policy, such as a general liability or business interruption policy, does cover some degree of cyber risk.
  • An inability to effectively compare policies due to a lack of standardization, another issue seen in the individual health insurance market; buyers are unable to make “apples to apples” comparisons.
  • A legal landscape that is as dynamic as the threat environment; what is and isn’t covered by an insurance policy can be hard to determine, and insureds fear having to duke it out with insurance companies in court.

Cyber Insurance Is Not a Replacement for Proactive Cyber Security

Organizations that wish to purchase cyber insurance policies cannot go it alone. They must enlist expert help from cyber security professionals, not only to make sense of potential policies but also to evaluate their risk environments and determine what type of coverage they need. Because the cyber risk environment is continually evolving and changing, cyber coverage should be reviewed annually; a policy an organization purchased two years ago may no longer meet its needs.

Just as homeowners’ insurance is not an excuse to keep your doors unlocked or leave food cooking on the stove unattended, even a robust cyber insurance policy is not a replacement for proactive cyber security measures. Insurance policies will always contain exclusions, especially where the insured was negligent in some manner; claim payouts will never be immediate; and no policy can repair damage to an organization’s reputation.

The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. Our full-service risk assessment services and Continuum GRC RegTech software will help protect your organization from data breaches, ransomware attacks, and other cyber threats.

Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your organization adhere to cyber security regulations, maintain compliance, and secure your systems.

The 6 Data Breaches that Defined 2016

As the year comes to a close, we take a look back at six data breaches that dominated the headlines and defined the state of cyber security in 2016.

It could be said that 2016 was the “Year of the Hacker.” From healthcare to politics to adult entertainment, no industry was spared the wrath of cyber criminals. Here, we reflect on six of this year’s most infamous data breaches.

1. The SWIFT Network Attacks

It was a plot that sounded like it came straight out of a Bond movie: A band of international bank robbers attempted to steal nearly $1 billion from Bangladesh’s central bank, spooking finance executives around the world and leaving them wondering where the thieves would strike next. But these robbers didn’t hand a note to a teller or dynamite their way into a vault; they breached the victimized bank’s network and used its access to the SWIFT network, a member-owned interbank messaging system that few people outside the finance industry have ever heard of. With the bank’s own SWIFT terminals and credentials in hand, they were able to submit roughly $1 billion in fraudulent money transfer requests. Most of these were caught and flagged, but $81 million went through, and the hackers remain at large. These data breaches sent shockwaves through the finance world and threw into question the integrity of what was once thought to be one of the world’s safest networks.

2. The Yahoo Data Breach

The Yahoo data breach, which compromised 500 million user accounts, resulted in at least 23 lawsuits, and put the company’s planned acquisition by Verizon at risk, didn’t happen out of nowhere. It was the result of years of the company putting cyber security on the back burner in the name of not compromising “the user experience.” Other companies should look to Yahoo as an example of what can happen – in fact, what is bound to eventually happen – when information security is not taken seriously. While it’s true that end users of software products can be fickle and impatient, it is far better to risk annoying customers with product security measures than to leave their personal information open to data breaches.

3. The DNC Hack

Cyber security took center stage early on in this year’s contentious U.S. presidential election, and the Democratic National Committee became the poster child for embarrassing email data breaches. In July, WikiLeaks released a number of damaging emails stolen from the DNC’s email server. Among the “highlights” were what appeared to be messages written by high-ranking party officials plotting to smear candidate Bernie Sanders and planning to reward high-dollar DNC donors with federal appointments in an anticipated Hillary Clinton administration. As if that weren’t bad enough, some of the emails compromised these same donors’ private data, with one email attachment containing an un-redacted image of a six-figure check, complete with the donor’s routing and bank account numbers. The hack was so scandalous that the DNC’s chairperson, CEO, and communications director were forced to resign.

4. The FriendFinder Data Breaches

Apparently, last year’s Ashley Madison data breach didn’t teach companies that store sensitive information to be adults about data security. In October, news broke that six sites owned by FriendFinder Networks, Inc., owners of some of the world’s largest adult entertainment sites, had been hacked. Over 412 million user accounts were compromised, most of which came from a site called AdultFriendFinder, which bills itself as the “World’s Largest Sex and Swinger Community.” In addition to users’ email addresses and passwords – which had been stored either as plain text or as unsalted SHA-1 hashes of the password after it had been converted to all lower-case, making them far easier to crack – hackers also got hold of the company’s source code and private/public key pairs. As of this writing, the FriendFinder hack is set to win the “award” for the largest data breach of 2016.
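
The following Python is an added example, not code from the original post or from FriendFinder Networks. It reproduces the storage pattern the text describes for AdultFriendFinder (SHA-1 of the lower-cased password, with no salt), runs a dictionary attack against it, and contrasts it with a salted, iterated hash. The account records, wordlist, and function names are all constructed for the example.

```python
import hashlib
import hmac
import os

# Added example, not code from the original post or from FriendFinder.
# The account records and wordlist below are constructed for illustration.

def weak_hash(password):
    """The scheme the text describes: lower-case the password, then unsalted SHA-1."""
    return hashlib.sha1(password.lower().encode("utf-8")).hexdigest()

# A toy wordlist. Real crackers use hundreds of millions of candidates,
# but the mechanics are the same.
WORDLIST = ["password", "letmein", "dragon", "summer2016", "swinger"]

def crack_weak(stored_hashes, wordlist):
    """Offline dictionary attack against lower-cased, unsalted SHA-1 hashes.

    No salt means one SHA-1 per candidate tests that candidate against every
    account at once (a lookup table). Lower-casing before hashing means the
    attacker never has to try capitalisation variants, and the lower-cased
    guess it recovers still logs in, because the site lower-cases at login too.
    """
    table = {weak_hash(word): word for word in wordlist}  # computed once
    return {user: table[h] for user, h in stored_hashes.items() if h in table}

def strong_hash(password, salt=None, iterations=600_000):
    """Hardened form: per-user random salt, case preserved, slow iterated KDF.

    PBKDF2-HMAC-SHA256 is used here because it ships with the standard library;
    bcrypt, scrypt or Argon2 are equally appropriate choices.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), dk.hex())

def verify_strong(password, stored):
    """Constant-time check of a password against a strong_hash() record."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)

def demo():
    """Run the attack against both schemes and return what it recovers."""
    # Constructed accounts: two users picked the same word with different case.
    users = {"alice": "Summer2016", "bob": "SUMMER2016", "carol": "xK9#v!pQ2z"}

    weak_db = {u: weak_hash(p) for u, p in users.items()}
    strong_db = {u: strong_hash(p) for u, p in users.items()}

    # Weak scheme: alice and bob share one hash, and one table lookup breaks both.
    assert weak_db["alice"] == weak_db["bob"]
    cracked = crack_weak(weak_db, WORDLIST)

    # Strong scheme: salts make identical passwords unlinkable, the lookup table
    # is useless, and each remaining guess costs 600,000 HMAC computations per
    # account. (A weak password is still weak; the scheme only makes every
    # guess expensive and non-amortisable across users.)
    assert strong_db["alice"] != strong_db["bob"]
    assert crack_weak(strong_db, WORDLIST) == {}
    assert verify_strong("Summer2016", strong_db["alice"])
    assert not verify_strong("summer2016", strong_db["alice"])   # case now matters
    return cracked

if __name__ == "__main__":
    print(demo())   # {'alice': 'summer2016', 'bob': 'summer2016'}
```

The point of the contrast is cost and amortisation: with unsalted hashes one table serves every account in the dump, and lower-casing shrinks the candidate space further; with a per-user salt and a slow KDF each guess must be recomputed for each account, which is what turns a 412-million-row dump from an afternoon’s work into an expensive campaign.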

5. The Wendy’s POS Hack

Where’s the cyber security? Around the same time fast-food chain Wendy’s announced it would be switching from human clerks to automated ordering kiosks, the company was forced to admit that it had been victimized by a massive breach of its existing POS systems, which exposed customer credit card information captured at 1,000 of its locations in the U.S. Rather than taking responsibility for the data breaches, Wendy’s decided to pass the buck, insisting that “only” independently owned franchises, not company-owned locations, had been breached, and further claiming that the breaches were the fault of third-party POS service providers hired by its franchisees. This spin-doctoring didn’t dissuade dozens of credit unions from joining a class-action lawsuit against the chain, alleging that Wendy’s knew that its POS systems were not secure but did nothing to address the problems.

6. The Hollywood Presbyterian Medical Center Ransomware Attack

While it was not technically a data breach, we felt we would be remiss if we did not mention the infamous Hollywood Presbyterian ransomware attack, which happened early in the year and was a harbinger of things to come for the healthcare industry. Hackers managed to lock down the hospital’s entire network, including its electronic health records (EHR) system. Hollywood Presbyterian ended up forking over $17,000 in Bitcoin to get back in – an act which, unfortunately, emboldened hackers, who now knew they could easily extort big paydays from healthcare facilities. A spate of similar attacks hit medical facilities across the U.S., Canada, and even the U.K. As of this writing, Intel Security estimates that hospitals have paid various hackers nearly $1,000,000 in ransom this year.

Here’s hoping that 2017 is the year the “good guys” finally get the upper hand in the fight against data breaches, ransomware, and other cyber crimes.

DNC Email Hack Highlights Need for Proactive Email Security

A Proactive Approach Could Have Prevented the DNC Email Hack

The NSA isn’t the only Washington organization being embarrassed by a data breach. The sorry state of cyber security in America has taken center stage in this year’s presidential election. In June, it was discovered that hackers attributed to Russian intelligence services had managed to break into the Democratic National Committee’s email server, stealing nearly 20,000 emails that were later shared with WikiLeaks. While most of the emails contain mundane correspondence, some of them are quite embarrassing and imply possible ethical violations on the part of DNC insiders, such as emails questioning Bernie Sanders’ religion and implying that party officers wished to derail his campaign. Shortly after the emails were released, the DNC’s chairperson, CEO, and communications director abruptly resigned. Even worse, the New York Times has revealed that the DNC email hack might be much more extensive than originally believed, involving the email accounts of over 100 individuals and groups.

The DNC email hack bears a strong resemblance to the equally scandalous email hack perpetrated on Sony Pictures two years ago, which was believed to have been carried out by North Korean nation-state hackers. That hack involved the release of 170,000 emails, many of them containing negative commentary about major Hollywood stars. Sony’s chairperson was removed, the company ended up being sued, and the emails are still live on WikiLeaks, neatly indexed and searchable.

While the Sony hack and the DNC email hack involved ethical and privacy violations, the release of corporate emails can damage an organization even if the employees in question did nothing wrong. Confidential information about new product launches, marketing strategies, and partnership negotiations are routinely discussed via email, and this information could destroy a company if it fell into the hands of a competitor.

Proactive Ways to Prevent Email Hacks

Both the Sony hack and the DNC email hack could have been prevented using proactive email security measures. Following are three things your company can do to prevent your emails from ending up on WikiLeaks – or in the hands of a competitor.

Train Your Employees How to Spot Spear Phishing

It is believed that the Sony hack and the DNC email hack happened after hackers used a spear-phishing campaign to get hold of legitimate login credentials. Spear phishing has become extremely popular among hackers as end users have become more aware of these scams and as spam filters have gotten better at recognizing and intercepting regular phishing emails. Because spear-phishing emails are sent to only a small group of targets and are carefully researched and crafted to appear legitimate, they tend to pass through spam filters. Therefore, the best defense is employee awareness. See our previous blog for more information on how to spot spear phishing emails.

Set Up Your System to Assign Employee Passwords

Regardless of how many times they are told not to do so, employees frequently choose weak passwords, and they tend to reuse the same password across multiple systems, including their personal and work accounts. Thus, a hacker who obtains an employee’s Dropbox password may be able to use it to get into that employee’s work email. For this reason, strong, random passwords should be assigned to employees (and kept in a password manager rather than on a sticky note), and the system should be set up to require a password change whenever there is any sign that a credential has been exposed. Note that current NIST guidance (SP 800-63B) discourages forcing rotation on a fixed schedule, because it pushes users toward predictable variations of the old password; a second authentication factor on the email system does far more to blunt a stolen or reused password than rotation ever will.

Outsource Your Enterprise Email

In most cases, using a private email server for company email, as the DNC did, is a bad idea. The majority of companies do not have the in-house technical expertise to securely set up an email server, continuously monitor it for unusual user behavior, or maintain up-to-date spam filters. Large enterprise email providers such as Google and Yahoo do. While using one of these providers is not a guarantee that you will not be breached – especially in light of the popularity of social engineering – a third-party provider will offer a higher level of email security than you could achieve in-house.
