Cyber Insurance Market Full of Uncertainty and Skimpy Coverage

Cyber Insurance Coverage: a Brave, Uncertain New World for Insurers and Policyholders

Despite the escalating intensity and frequency of cyber attacks, fewer than 1/3 of U.S. businesses have purchased cyber insurance policies. A recent report by Deloitte provides insight into why organizations are deciding to go without cyber coverage, as well as why many insurers are hesitant to offer the coverage on a large-scale basis.

According to a recent report by Deloitte, Demystifying Cyber Insurance Coverage, cyber insurance policies represented only $1.5 to $3 billion out of a total of $505.8 billion in premium revenues generated by U.S. carriers in 2015. Further, only about 29% of organizations had even purchased a policy as of October 2016. Just 40% of Fortune 500 companies have coverage. Even companies that do have policies may have “skinny” coverage that will leave them high and dry if they ever do file a claim; just ask fast-casual restaurant chain P.F. Chang’s, which found out the hard way that its cyber insurance policy did not cover millions of dollars in liabilities to credit card issuers in the wake of a POS breach.

Why is cyber coverage so spotty? It’s easy to point fingers at insurers, policyholders, or both. After all, insurance companies do not make money from paying claims; they make money from collecting premiums and paying claims only rarely. When a policyholder files a claim, whether it’s for a roof repair or a ransomware attack, the insurer will look for every reason not to pay out. At the same time, both the public and private sectors are guilty of not taking cyber security seriously; from Yahoo to Major League Baseball to the U.S. Secret Service, organizations keep getting breached, yet they also keep behaving as though a major cyber attack will never happen to them.

While these are valid issues, the cyber insurance situation is not that simple. Deloitte’s report identified numerous obstacles in the path of both insurance companies that wish to sell policies and organizations that wish to buy them. Specifically, insurers struggle with:

  • A lack of historical data, making it difficult or impossible to build reliable predictive models.
  • The dynamic nature of cyber security, where brand-new threats are emerging literally daily.
  • The potential for “catastrophic accumulation” of claims if a nationwide or worldwide cyber attack brings down hundreds or thousands of claimants simultaneously; for example, if cyber terrorists were to strike the nation’s power grid, or a major website host is taken down.
  • “Tunnel vision,” which causes insurers to primarily focus on policies that protect insureds against the theft of personal identifying information (PII); not all organizations handle PII, and the threat landscape includes DDoS attacks, ransomware, and other attacks that can cripple an organization but do not involve the compromise of PII.

On the other side, policyholders are plagued by:

  • Not fully understanding their cyber risks or insurance options; similar to the situation with health insurance, many organizations feel they don’t “need” cyber insurance or require only bare-bones policies.
  • Erroneously thinking that they are already covered because another insurance policy, such as a general liability or business interruption policy, does cover some degree of cyber risk.
  • An inability to effectively compare policies due to a lack of standardization, another issue also seen in the individual health insurance market; buyers are unable to make “apples to apples” comparisons.
  • A legal landscape that is as dynamic as the threat environment; what is and isn’t covered by an insurance policy can be hard to determine, and insureds fear having to duke it out with insurance companies in court.

Cyber Insurance Is Not a Replacement for Proactive Cyber Security

Organizations that wish to purchase cyber insurance policies cannot go it alone. They must enlist expert help from cyber security professionals, not only to make sense of potential policies but also to evaluate their risk environments and determine what type of coverage they need. Because the cyber risk environment is continually evolving and changing, cyber coverage should be reviewed annually; a policy an organization purchased two years ago may no longer meet its needs.

Just as homeowners’ insurance is not an excuse to keep your doors unlocked or leave food cooking on the stove unattended, even a robust cyber insurance policy is not a replacement for proactive cyber security measures. Insurance policies will always contain exclusions, especially where the insured was negligent in some manner; claim payouts will never be immediate; and no insurance policy can repair damage to an organization’s reputation.

The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. Our full-service risk assessment services and Continuum GRC RegTech software will help protect your organization from data breaches, ransomware attacks, and other cyber threats.

Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your organization adhere to cyber security regulations, maintain compliance, and secure your systems.

Doxware Takes Ransomware to the Next Level

Doxware Leaks Your Private Data if You Don’t Pay the Ransom

Ransomware began grabbing headlines about a year ago, after Hollywood Presbyterian Medical Center paid hackers thousands of dollars in ransom once it had been locked out of its systems. This large payday apparently encouraged hackers to keep going; a recent survey showed that about half of all businesses reported being victimized by ransomware at least once in the previous 12 months, and a stunning 85% had been hit three or more times. Because ransomware is now ubiquitous, organizations have learned to fight back by restoring their systems from backup drives, thus avoiding having to pay a ransom. Unfortunately, hackers are fighting back, too, using a combination of ransomware and extortionware called doxware.

A doxware attack unfolds similarly to ransomware: Victims attempt to log on to their computers and are greeted by a screen notifying them that their system has been locked down and demanding that a ransom be paid, usually in Bitcoin, for the code to get back in. However, doxware goes a step further, not only locking the system down but also threatening to expose the user’s private or sensitive data. This renders restoring the system from a backup ineffective because it will solve only half the problem.

One known doxware strain notifies users that it has copied all of their login credentials, contacts, and Skype history to a server and threatens to forward them to all of the user’s contacts unless the ransom is paid. Other variants are programmed to search the user’s system for files containing keywords that might indicate embarrassing content, such as “nude” or “sex.” In a unique twist aimed at self-propagation, a variant called Popcorn Time gives victims an alternative to paying the ransom: infecting two of their friends with the malware.

As both Sony Pictures and the Democratic National Committee learned the hard way after their corporate emails were hacked and published on WikiLeaks, having embarrassing information go public can ruin reputations and derail careers. Additionally, the release of scandalous material isn’t the only thing organizations need to worry about; doxware could be set up to target trade secrets, intellectual property, and other confidential information that could be ruinous to a business if it were released. For hackers, this represents the “value proposition” of doxware over ransomware: The fear of financial ruin makes it far more likely that doxware victims will cave in to hackers’ ransom demands or even agree to infect their friends in order to get off the hook. Of course, there is no guarantee that the criminals demanding the ransom will keep their word and not release the information, anyway.

How serious is the doxware threat?

Right now, doxware is a new threat, and attacks have been confined to Windows computers and laptops, but this attack vector is so potentially lucrative that there’s no reason to think cyber criminals will stop there. Doxware would lend itself very well to mobile devices, where it could be set up to send photos, videos, and text messages to all of the user’s contacts.

The bright side is that since doxware isn’t yet at epidemic levels, organizations have a chance to get ahead of the game and take proactive cyber security measures before it becomes as common as ransomware. Methods to prevent a doxware attack are essentially the same as those used to fend off ransomware: training employees on how to spot phishing emails and other cyber security best practices, deploying antivirus packages that protect against ransomware strains, and maintaining regular system backups. Organizations should also air-gap intellectual property, employee tax data, and other highly sensitive information to make it more difficult for hackers to access, and encrypt the data so that it is useless even if they do manage to get at it.

Hackers’ Next Target: Smart Toys

Smart toys were a popular gift item this holiday season, but they present serious cyber security vulnerabilities.

Cyber criminals don’t care who they hurt. This was made obvious during the rash of ransomware attacks on healthcare facilities this year, where hackers locked down electronic health records systems, putting patients at grave risk. There is great concern that the proliferation of Internet of Things (IoT) medical devices, such as smart insulin pumps, will enable hackers to go after patients directly, demanding that they pay a ransom to keep their lifesaving devices working. Now, a new threat is emerging: The opportunity for hackers to target children for identity theft by exploiting vulnerabilities in internet-connected smart toys, which were all the rage this holiday season.

Smart Toys and Child Identity Theft

When most people think of identity theft, they imagine hackers stealing adults’ personal data. However, child identity theft is a serious and growing problem that existed even before the introduction of smart toys. A study commissioned by the Identity Theft Assistance Center in 2012 found that 1 in 40 U.S. households with minor children (under age 18) has at least one child whose personal data has been compromised.

Child identity theft is particularly insidious. Child identities can be worth more than adult identities on the black market because thieves can operate under them for years before being detected. An adult may discover that their information has been compromised fairly quickly; say, after their credit card company flags suspicious activity on their card. Child victims, on the other hand, may have no idea their identities have been stolen until they apply for their first job, try to obtain a college scholarship, or attempt to rent their first apartment, only to find that their credit has been ruined before they can even begin building it.

The attraction of smart toys is that they offer a personalized interactive experience, such as dolls that can talk to children by name and remember their birthdays. However, this interaction is made possible by the toy connecting to the internet, just like all other IoT devices, so any information the child or parent gives to the toy – the child’s name, address, and birth date, or the parents’ credit card information – is transmitted over the internet. And, just like all other IoT devices, there are serious questions as to the security of the information smart toys collect and store.

These concerns are not hypothetical. In 2015, hackers breached servers owned by VTech, a manufacturer of smart toys and baby monitors, compromising the personal data of over 5 million parents and about 200,000 children. Senator Bill Nelson (D-FL) cited the VTech breach, as well as security vulnerabilities in other children’s IoT devices, when he called on the Federal Trade Commission to “carefully monitor” smart toys and demanded that manufacturers of these devices properly secure them.

Securing Smart Toys

Some consumer groups are advising that parents steer clear of smart toys until manufacturers can ensure they are secure. In the meantime, if you have purchased a smart toy for your child, you should take the following precautions:

  • Immediately change the toy’s default login credentials.
  • Limit the amount of information the toy can collect on your child – and on you, as parents’ data is also at risk. Do not give the toy any sensitive personal data, such as addresses or birth dates, and turn off geo-tracking features.
  • Do an internet search on the toy’s manufacturer. If they have already experienced a data breach, consider returning the toy to the store.

Smart toy manufacturers have a responsibility to their customers and the public at large to prevent their products from becoming vehicles for child identity theft. Lazarus Alliance agrees with Senator Nelson’s suggestions for smart toy manufacturers, which include the following proactive measures:

  • Build strong cyber security into smart toys from the start. Cyber security should be an integral part of a smart toy’s software development lifecycle, not an afterthought.
  • Limit the amount of data smart toys collect to only that which is necessary for the toy to operate.
  • Retain customers’ personal data only for as long as absolutely necessary.
  • Continually reassess the threat landscape and reevaluate the cyber security of individual toys, as cyber threats morph and change over time.
