Tag Archives: ciso

Insurance Occurrence Assurance?

You may have seen our friend Brian Krebs’ post regarding the lawsuit filed last month in the Western District of Virginia after $2.4 million was stolen from The National Bank of Blacksburg in two separate breaches over an eight-month period. Though the breaches are concerning, the real story is that the financial institution is suing its insurance provider for refusing to fully cover the losses.

From the article:

In its lawsuit (PDF), National Bank says it had an insurance policy with Everest National Insurance Company for two types of coverage or “riders” to protect it against cybercrime losses. The first was a “computer and electronic crime” (C&E) rider that had a single loss limit liability of $8 million, with a $125,000 deductible.

The second was a “debit card rider” which provided coverage for losses which result directly from the use of lost, stolen or altered debit cards or counterfeit cards. That policy has a single loss limit of liability of $50,000, with a $25,000 deductible and an aggregate limit of $250,000.

According to the lawsuit, in June 2018 Everest determined both the 2016 and 2017 breaches were covered exclusively by the debit card rider, and not the $8 million C&E rider. The insurance company said the bank could not recover lost funds under the C&E rider because of two “exclusions” in that rider which spell out circumstances under which the insurer will not provide reimbursement.

Cyber security insurance is still in its infancy and issues with claims that could potentially span multiple policies and riders will continue to happen – think of the stories of health insurance claims being denied for pre-existing conditions and other loopholes. This, unfortunately, is the nature of insurance. Legal precedent, litigation, and insurance claim issues aside, your organization needs to understand that cyber security insurance is but one tool to reduce the financial impact on your organization when faced with a breach.

Cyber security insurance cannot and should not, however, be viewed as your primary means of defending against an attack.

The best way to maintain a defensible security posture is to have an information security program that is current, robust, and measurable. An effective information security program will provide far more protection for the operational state of your organization than cyber security insurance alone. To put it another way, insurance is a reactive measure whereas an effective security program is a proactive measure.

If you were in a fight, would you want to wait and see what happens after a punch is thrown to the bridge of your nose? Perhaps you would like to train to dodge or block that punch instead? Something to think about.

Need some help evaluating your information security program’s effectiveness? Reach out to LEO Cyber Security today to chat with one of our expert Chief Information Security Officers (CISOs).

Andrew Hay is an information security industry veteran with close to 20 years of experience as a security practitioner, industry analyst, and executive. As the Co-Founder & Chief Technology Officer (CTO) for LEO Cyber Security, he is a member of the senior executive leadership team responsible for the creation and driving of the strategic vision for the company. One of his primary responsibilities is the development and delivery of the company’s comprehensive cyber security, digital forensics, incident response, cloud architecture, and advanced research centers of excellence.

The 8 Principles of Cyber Security Laws

By Seth Jaffe.

The United States has yet to promulgate a comprehensive federal cyber security law aimed at improving the cyber hygiene of companies serving its citizens. But a collation of industry-specific laws (both federal and state), proposed bills, guidance documents, and cyber strategies yields a fair indication of where our nation is headed. This article attempts to distill the aforementioned into a list of eight principles that will likely find their way into forthcoming federal or state cyber security law.

Principle 1: Conduct a Risk Assessment

As far back as the Gramm-Leach-Bliley Act of 1999, authorities have recognized the difficulty of designing a comprehensive cyber program without first identifying assets, understanding vulnerabilities, and forecasting attack vectors. For this reason, cyber laws will undoubtedly require a company to conduct a comprehensive risk assessment at periodic intervals.

For example, the Gramm-Leach-Bliley Safeguards Rule requires a covered entity to “identify and assess the risks to customer information in each relevant area of the company’s operation, and evaluate the effectiveness of the current safeguards for controlling these risks.”

Additional legislation and regulations that include this principle can be found here.

Principle 2: Implement an Information Security Program

Upon completion of the risk assessment, companies will have to fashion an information security program designed to mitigate those risks. This includes authorship and maintenance of a Written Information Security Plan (“WISP”).

As an example, the Colorado Securities Act 3 CCR 704-1 states “A broker-dealer must establish and maintain written procedures reasonably designed to ensure cybersecurity.”

Additional legislation and regulations that include this principle can be found here.

Principle 3: Involve the Board of Directors in Cyber Security Management

Without buy-in from senior management, companies may find themselves culturally constrained when it comes to cyber security. Board of Directors involvement can usually be satisfied by implementing a process that surfaces relevant cyber security information to the Board and pushes its decisions back down to the company. The Board should be able to digest that information, which can be difficult if no members are conversant in cyber security technology; many Boards form a cyber security committee for this purpose.

The proposed Federal Cyber Regulation for Financial Institutions law provides a good example: “The board of directors, or an appropriate board committee, of a covered entity must be responsible for approving the entity’s cyber risk management strategy and holding senior management accountable for establishing and implementing appropriate policies consistent with the strategy.”

Additional legislation and regulations that include this principle can be found here.

Principle 4: Designate an Individual in Charge of Cyber Security

A company must designate an individual, often referred to as a Chief Information Security Officer (“CISO”), with the authority to oversee the security program and the accountability should incidents occur. This CISO need not be an employee of the company, but can be contracted from a third-party provider, such as LEO Cyber Security.

The New York Department of Financial Services Part 500.04 is instructive: “Chief Information Security Officer. Each Covered Entity shall designate a qualified individual responsible for overseeing and implementing the Covered Entity’s cybersecurity program and enforcing its cybersecurity policy (for purposes of this Part, “Chief Information Security Officer” or “CISO”).”

Additional legislation and regulations that include this principle can be found here.

Principle 5: Maintain an Incident Response Program

Organizations in the midst of an incident are notoriously terrible at improvising. Without a comprehensive enterprise cyber crisis management plan, mistakes will be made. Cyber laws will dictate that a company maintain an incident response plan, periodically update the plan, and test against the plan at least annually.

South Carolina’s Insurance Data Security Act (following the NAIC model law) states: “As part of its information security program, a licensee must establish a written incident response plan designed to promptly respond to, and recover from, a cybersecurity event.”

Additional legislation and regulations that include this principle can be found here.

Principle 6: Manage Cyber Security of Third-Party Vendors

A recent Soha study concluded that 63% of all data breaches involved the supply chain. Even if that number seems a bit high, regulators are taking note, as is evident from two recent settlements related to data breaches caused by a third party.

Massachusetts 201 CMR 17.03(2)(f) requires companies to “Tak[e] reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect such personal information consistent with these regulations and any applicable federal regulations.”

A number of laws are requiring companies to push cyber obligations on third parties. You can find a list of them here.

Principle 7: Conduct Routine Security Training

A company’s cyber program is oftentimes only as robust as the employees implementing it. A number of statistics put insider threats as a leading cause of data breaches. Whether it is because employees click on suspicious links in emails, use weak, easily guessed passwords, fail to report malicious or accidental cyber issues, or simply do not practice good cyber hygiene, poorly trained employees are often the weakest link in a cyber security program.

The HIPAA security rule (see page 8377) requires covered entities to “implement a security awareness and training program for all members of its workforce (including management).”

Additional legislation and regulations that include this principle can be found here.

Principle 8: Regularly Update the Program

Authorities recognize that cyber security is a living program, requiring continuous modifications as new threats arise, infrastructure changes, and reorganizations occur. Companies are instructed to modify the program accordingly, but at the very least, it should be reviewed and updated annually.

PCI-DSS 12.1.1 requires entities to “review the security policy at least annually and update the policy when the environment changes.”

Additional legislation and regulations that include this principle can be found here.

As expected, laws and regs change all the time (as an example, there were 244 state cyber bills introduced in 2017 and already 233 as of August 2018), so check the Trello board often and follow my LinkedIn page, where I will post notice of updates.

Seth is our official rocket scientist in residence. Hailing from NASA’s Mission Control Center, Seth brings a unique perspective to incident response, applying aspects of one of the world’s preeminent emergency operations platforms to cyber response. In addition to twenty-plus years of technical experience, Seth was previously a member of the data protection task force at a large law firm, and served as the lead Legal team member of an incident response team at a major U.S. airline. Seth is a certified business continuity professional, and he holds a juris doctorate, which is why he also wears the General Counsel hat at LEO.

Just How Prolific is Ransomware?

Our friends over at Bromium recently published a study entitled “Into the Web of Profit” that focused on revenue flow and profit distribution as it pertains to ransomware. The annual revenue from the ransomware supply chain: $1.5 trillion (no, this isn’t a typo).

The amount of money involved is staggering when you consider that the average ransomware demand per incident is roughly $2,500 but can go as high as $50,000 (or higher) depending on the affected organization and its perceived worth to the attacker. According to Bromium, $1 billion was obtained from ransomware, $160 billion was made from data trading, $500 billion from trade secrets, $860 billion from illegal goods and services online, and $1.6 billion from crime-ware.

If you’ve been putting off updating your information security program documentation to include ransomware mitigation and response procedures, it may be time to block off some calendar spots in your day to make it happen. If you’re unsure how you should update your program to incorporate ransomware risk tolerances, mitigation, and response activities, please reach out to LEO Cyber Security today and speak with one of our experienced CISOs.

Andrew Hay is an information security industry veteran with close to 20 years of experience as a security practitioner, industry analyst, and executive. As the Co-Founder & Chief Technology Officer (CTO) for LEO Cyber Security, he is a member of the senior executive leadership team responsible for the creation and driving of the strategic vision for the company. One of his primary responsibilities is the development and delivery of the company’s comprehensive cyber security, digital forensics, incident response, cloud architecture, and advanced research centers of excellence.