[BreachExchange] Are your employees unwittingly invalidating your cyber liability insurance?

[Audrey McNeil]

https://www.csoonline.com/article/3262551/data-
protection/are-your-employees-unwittingly-invalidating-your-
cyber-liability-insurance.html

Just because you have home insurance it does not mean you should stop
locking your front door.

Equally travel insurance does not give you free rein to leave your
valuables scattered around the hotel pool. All insurance policies expect
the holder to take reasonable care to reduce risk – indeed not doing so can
often invalidate the policy – and cyber liability insurance is no different.

Businesses are seeing an increase in cyber threats with attacks rising by
164%in 2017 compared with 2016. Skilful hackers armed with a broadening
array of advanced persistent threat (APT) tools are increasing the severity
of cyber security breaches. In response, the use of cyber liability
insurance as a safety net and risk transfer mechanism is growing, with
annual gross premiums expected to reach $7.5 billion by 2020.

However, business employees are failing to act with ‘reasonable care’,
often due to a lack of understanding of cyber security and may be
unwittingly invalidating their employer’s policy. Let us explore how this
might manifest within the workplace and outline the measures businesses can
take to mitigate the risk.

Poor understanding of data practices

Data is now an essential ingredient to ensure business success, but it is
also a valuable commodity for cyber criminals. All too often, organizations
lose sight of the data they collect, what it is used for, or how it is
stored and shared. Given Privacy Shield has recently come into force and
the EU’s General Data Protection Regulation is due to be implemented in
May, the data landscape is starting to evolve.

Employees need to effectively communicate the information they are
collecting and using –names, addresses, and financial information for
instance – to the CISO, as well as detailing how that data is subsequently
shared. In doing so, the CISO can ensure this activity falls within the
perimeters of an insurance policy. Employees also need to inform the CISO
if they are automating or digitalizing processes, as this could bring
increased cyber security risks which will need to be evaluated by the
insurer.

Finally, staff should pay attention to where the data are stored, as an
insurance policy protecting storage on business servers is worthless if the
data are actually stored in the cloud. In addition to checking the Service
Level Agreement with a cloud provider, it can also be worth taking out
cloud-specific policies from an insurer.

Use of mobile devices and BYOD

As the workforce becomes more digitalized, the use of mobile devices – such
as smartphones, tablets, and laptops – accessing business networks is
becoming commonplace. These devices could belong to the business itself –
for example, water and electrical companies use mobile devices to enable
remote monitoring – or could be employees’ personal devices.

Remote devices might not be protected to the same degree as central company
network and could offer an easier route of entry to potential hackers.
Mobile apps that are used to control internet-connected monitoring systems
were recently discovered to contain significant security weaknesses that,
if exploited, could allow attackers to damage critical infrastructure.

CISOs and business employees need to understand to what extent their cyber
insurance policies cover mobile devices – both business and personal – and
how they must be used to ensure cover is not nullified.

Unauthorised ransom payments

Extortion-based cybercrime is on the rise, with ransomware payments hitting
a record $2 billion last year as companies paid up to recover locked or
stolen data. While some cyber liability insurance policies do cover the
cost of such payments, it is often limited. For example, insurers are
expected to pay Merck & Co $275 million following an attack by the NotPetya
ransomware, when they were only covered for a fraction of that cost.

Most insurance companies have specific terms regarding extortion, for
instance they require immediate notification of threats or ransom demands
so they can authorise payment, or they will only cover payments made in
certain cryptocurrencies.

Amidst the panic of a ransomware-style attack, employees understandably
want to act quickly and make the payment, especially if they think their
insurance will cover it, but incidents must always be reported to the CISO
and insurer first. In some cases, paying a ransom can entirely invalidate a
cyber insurance policy, meaning the business will not be compensated for
associated costs.

Preventing insurance invalidation

While employee education is an important element in maintaining the
validity of cyber liability insurance, internal policies and procedures –
aligned with the term of the policy – must be carefully communicated to
all. Any amendments made to the policy, and the consequent impact on
day-to-day activities, should also be clearly explained.

Education, on its own, is not enough. According to Bruce Hallas, founder of
the Analogies Project, “The assumption we make is that if we give people
information, if we educate people on their roles and responsibilities,
people will process that information in a logical way. This isn't the
case....in the heat of the moment, in a situation they are not familiar
with, they will make an irrational choice even though they know they should
be complying [with policies and procedures].”

In addition to the provision of adequate training, businesses must balance
the transfer of risk via insurance with improvement in internal security
measures and systems. Given constant connectivity, device multiplicity, and
increasingly edgeless networks, old-style firewall-based systems are a
thing of the past and detection-based cyber security solutions are the way
forward.

CISOs should work alongside their insurer to find out which products they
recommend, as they have a wealth of cyber security expertise, and
businesses that implement recommended solutions may well benefit from
policy cost reductions. For instance, using a platform that provides a
single point of access to all possible threats could be linked to the
insurance policy as a tech add-on to ensure compliance.

Cyber liability insurance is increasingly important to businesses in a
world where cyberattacks can disrupt operations and incur enormous costs.
To prevent unintentional invalidation of their policies, businesses must
educate employees on issues such as data processing, remote device usage
and ransom payments, as well as balancing risk transfer with up-to-date
security measures.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180312/8cacfe15/attachment.html>