cyber

Should we share Cyber Security information ?

by
cyber security

Should we share cyber security information ?

Is this a good idea… there are very good reasons why we should share cyber security information and there are also reasons that perhaps it may not be such a good idea.

The current landscape seems to be moving towards the sharing of this confidential and sensitive information with regulation being imposed on both sides of the Atlantic in recent months to promote and encourage the sharing of cyber security information.

At the end of last year  the EEC announced The Network and Information Security Directive (NIS) which is a security and reporting directive for companies in critical business sectors , namely transport , energy , health and finance. This is also applicable to the businesses such as Google and Amazon.

This Directive includes a requirement to report cyber security breaches which is aimed to encourage greater visibility of cyber crime and data breaches within companies and for companies to address their own cyber security.

It is anticipated that this will be ratified in the Spring, with implementation anticipated within the next two years.

In the US , also at the end of last year, the Cybersecurity Information Sharing Act (CISA) was passed by the Senate which allows companies to share cybersecurity threat data with the Department of Homeland Security (DHS) and other federal agencies. A number of bodies that already exist in the US which include the sharing of cybersecurity information . These include Enhanced Cybersecurity Services (ECS) which is a  voluntary information sharing program and whose aim is to help better protect busineses customers and the National Cybersecurity and Communications Integration Centre (NCCIC) which shares  information with public and private sector partners.

In the UK the Cyber-security Information Sharing Partnership (CiSP) exists which is part of CERT-UK . This is a joint industry government initiative set up to share cyber threat and vulnerability information in order to increase overall awareness of cyber threats and help mitigate the impact this may have on UK businesses.

The British Insurance Brokers Association ( BIBA) have recently endorsed (CiSP) to encourage insurance brokers to join CiSP to share the knowledge of over 4000 cyber-security professionals from over 1500 organisations. The government is also very keen that the insurance industry works closer with cyber security professionals and it is likely that we will see evidence of this in the future via associations and collaborations.

Let’s now review the positives and negatives of sharing cyber security information :-

Positives

  • It provides information to business on the latest forms of malware, spear phishing campaigns, and known malicious domains
  • Improvement in technology to combat the latest forms of security threats
  • Information derived from claims that insurers can assess / rate and improve the coverage under cyber insurance policies.
  • Assessment of insurers aggregation
  • Information to help insurers analyse cyber catastrophe models
  • Provision of knowledge to help anticipate future terrorists lead cyber attacks

Negatives

  • Possible release of confidential information of cyber attacks and data breaches to third parties
  • The information provided may impact on a company to carry out businesses with existing customers being concerned with poor cyber security measures.
  • Collateral damage to reputation of a business and impact on stock market share price
  • Hackers gain access to extremely sensitive data bases
  • Perceived by some that “big brother” is spying and will encourage surveillance of businesses
  • Inadvertent sharing of personally identifiable information

The cyber security industry also has an important role to play as they are arguably possess the greatest amount of cyber security data, this is no doubt considered valuable intellectual property and there would be a reluctance to readily share this to a wider audience without distribution to secure destinations.

The sharing of cyber security information is more advanced in the US than the EEC / Rest of the World and is reflective of two very differing cyber landscapes , with the US being more mature in terms of number and size of cyber security breaches and the existing litigation that helps drives notification.

The sharing of cybersecurity information definitely has a role to play in the development of the improvement of cyber security and the defence of cyber attacks that can threaten a business……  how it is shared is perhaps the current dilemma facing governments and regulators.

EU – US Privacy Shield – is data safe again?

by
Privacy

The privacy of the transfer of data between the UK and US received a boost this week when the European Commission announced that political agreement had been reached on what is effectively a replacement of the Safe Harbor, known as the “Shield Decision”. A Working Party has subsequently published their initial reactions which the European Commission must take into account if the Working Party does not agree with “The Shield Decision”. In the event that that national data protection authorities refuse transfers on the basis of this decision this will be raised to the European Court of Justice.

This is the result of three months of negotiations between the EU and US  after the fall of the Safe Harbor agreement that existing up until October last year. The deadline of 31st January was missed as negotiations over run with both parties failing to agree new privacy boundaries.

In the meantime it is understood that local data protection authorities will continue to accept standard contractual clauses and binding corporate rules for transfers  of data to the US, providing privacy protection between these countries.

The main obligations imposed on firms handling Europeans personal data are as follows:-

  • US firms will need to commit to “robust obligations”  on how personal data is processed and individual rights guaranteed . This will be monitored by the US Department of Commerce.
  • Clear safeguards and transparency obligations will be imposed on the US Government which will set out specific limitations for law enforcement and national security reasons
  • There will be protection for EU citizens rights with options for redress. This will include avenues for citizens who feel the privacy of their data has been misused with strict guidelines for response to complaints

It is by no means “home and dry” , in addition to the Working Party involvement , Europe’s national privacy agencies meet to pass their own judgement on how data can be safely moved from the EU.

How does this impact on the cyber insurance market and insurers perception of data being at risk ?

It is too early to assess the impact of this decision , especially as the “Privacy Shield” has some way to go before being fully ratified , but any privacy protection laws and regulations assists cyber insurers in being more comfortable with the associated risks of loss of personal data and individuals privacy.

Cyber Insurance – The Moody Teenager

by
cyber insurance

Cyber Insurance in its current format can be likened to a “moody teenager” – it is going through some growing pains , searching for an identity and not yet attractive to the opposite sex !  In insurance terms , cyber insurance is still evolving, the policy coverage is still developing and it is still not recognized as an essential insurance policy that a business should purchase. So why is this…. ?

The cyber insurance market has seen it’s profile increased significantly over the last few months. A number of factors have contributed  to this such as the TalkTalk breach, together with a number of other high profile data breaches and the increase in social engineering cyber crime. The Information Security Breaches carried out by pwc last year indicated that security breaches were on the increase. 90% ( 80% 2014) of large organisations and 74% ( 60% 2014) of small businesses suffered a security breach.

This “moody teenager ” however does not seem to be ready for the big wide world and is being held back by a number of factors :-

1.Knowledge

Businesses do still not possess the knowledge to have the confidence to purchase this form of policy due to a lack of education by the insurance industry and associated professions. Some businesses are under the impression that they already have adequate cyber coverage within their professional  indemnity or property insurance policies.This is also not helped by the lack of consistence terminology and of coverage within the policy wordings provided by insurers and makes assessment of the purchase difficult , even with the guidance of an insurance broker.

2. Policy Coverage

The cyber insurance policy in the UK is still very much at an embryonic stage , the policy coverage offered is still developing and not yet fully responding to certain areas such as reputational damage , property and bodily injury cyber related incidents. There is however the availability of “gap policies” provided by certain insurers , but no “one stop” solution.

3. Cost Prohibitive

The cost of cyber insurance in many quarters is still considered expensive to a business and if a business does not consider it “fit for purpose ” then they will be reluctant to take out this form of insurance. Insurers are however attempting to reduce premiums to attract policyholders but this tends to be where perceived exposures are much lower.

4. IT Reluctance

The IT team within a business is a stakeholder in the purchase of cyber insurance and it can be seen on many occasions that they are a reluctant purchaser of this form of insurance, as they feel that the business has the required technology and security to combat a cyber attack. This is borne out by the Wallix.com survey carried out last year with IT professionals whereby 47% of the profession thought that there was ‘insufficient need’ to invest in cyber insurance.

5. Data & Privacy Laws

There is no compulsory data notification laws in the UK and therefore businesses do not feel that there is a need to purchase cyber insurance . This is a common misconception as cyber is a modular policy and offers a number of other areas of coverage such as business interruption , cyber extortion and website damage.

6.Maturity of Market

The UK cyber insurance market is behind the US equivalent by a number of years which is due to the fact that compulsory data notification laws has been in existence in many states for some time and also the US has a much more mature claims experience in a highly litigious climate. The UK cyber insurance will therefore always be at a different stage of development that its US counterpart, this could however in the long term could be to their advantage with advanced analysis and technological advancements available to insurers to develop this specialized insurance product.

Increased collaboration between insurers, insurance brokers and the cyber security sector is a way forward and there are definitive signs that this is happening which will improve the current dynamics of cyber insurance , after all cyber insurance is only part of risk management armory that a business should have in place to combat cyber security threats.

 

Data Breach – is the Healthcare Sector next?

by
Data Breach

Is the healthcare sector the next target in the UK for hackers to bring about a major data breach?

In the US over the past year there have been a number of high profile and costly data breaches, the largest of which was suffered by the health insurer , Anthem Inc where 80 million personal records were stolen, in addition to this there were four other known multi-million record data breaches in this sector. In the UK the number of data breaches so far have been small in comparison and have been limited to loss of laptops and USB’s causing minor data breaches.

According to the 2015 Global Ponemon Institute Study on data breaches there are signs of a significant increase in cyber attacks in the healthcare industry . The study identified that 91% of healthcare organizations have been subject to one data breach. Cyber attacks in this sector were also up by 125% from 2010 to 2015.

The healthcare sector in the UK data extends to many establishments , the foremost being hospitals , clinics, health insurers , care & retirement homes , universities and colleges.

So what types of data are stored by these bodies that would make them attractive to a hacker ?

Patient Information

  • Medical records
  • Test Records
  • Appointment information
  • Medical insurance details
  • Credit card and bank card details

Employee Information

  • National Insurance records
  • Salary details
  • Bank details
  • e-mail addresses
  • telephone numbers

In addition to this these bodies are likely to be dependent on third parties who may provide or store some of this data.

Where would a possible threat come from that might cause a data breach ?

Insider Threats

Employee negligence where as a  result of an error causes a security failure or they carelessly leave a lap top on a train

Employee  ignorance where inadvertent disposal of personal data occurs or perhaps a lack of training and awareness

A malicious employee who may be unhappy and wishes to cause disruption

Outsider Threats 

Hacker attack which can take the form of many methods such as by the injection of malware into a computer system or the bringing a phishing attack.

Theft being caused as a result of social engineering tool to disguise e-mails that may lead to an extortion threat in an effort to release data.

Third party vendors who may have been breached themselves and caused a subsequent data breach to the primary entity.

Why are healthcare records being targeted by hackers?

  • Healthcare records are worth 5 times more than the value of credit cards
  • Credit cards can be cancelled
  • The value of healthcare data can be utilized for a wider variety of purposes

What are the end use for healthcare records?

  • Personal Identity Theft
  • Financial Identity Theft
  • Various forms of insurance fraud
  • The falsifying of prescriptions

The Healthcare sector in general has a number of challenges including the management of on-going conversion from paper records to digital files and maintaining of computer security that constantly require updating to keep pace with the technology that hackers now possess.

Aside the threat of a data breach is the threat that more medical devices are connected to the network and the ensuing connection to IP networks which exposes devices to more cyber attacks. The “Internet of Things” is also a real threat to this sector and more so to patients where there is an ability to hack medical devices like insulin pumps or pacemakers.

Cyber liability insurance can play an important role to help mitigate a serious data breach and should be a important consideration by organizations in this industry. This sector is perceived to be in a high risk category by the insurance market and it is therefore an area that cyber security consultants can add considerable value here to help insurers assess the relative exposures and offer commensurate premium and terms.

Cyber Insurance – 2016

by
Cyber Insurance

2015 was a pivotable year for cyber insurance , with a number of high profile incidents involving cyber crime and data breaches occurring around the world. This tested policy wordings and provided a perspective of how such claims will be managed by insurers.

The topic of cyber insurance is now firmly on the agenda’s of many businesses and rates high on risk registers , how this exposure is managed is very much down to the individual approach of a business and how their perceive a cyber threat would impact.

The need for cyber insurance will be determined by the risk landscape which operates in a dynamic technological environment.

Some of the factors that may influence the growth of this specialist form of insurance  are likely to be the following :-

  • A cyber security breach is almost inevitable and more emphasis will be placed on CEO’s and CISO’s to become responsible for data breaches and how they are able to mitigate such cyber risks within a business.
  • The threat of cyber attacks to critical infrastructure , whether this be of a political or criminal nature.
  • The “Internet of Things” , as electronic devices become inter connected , this increases the opportunity for cyber crime and data breaches to take place.
  • Cyber security businesses will be in increasing demand as insurers will depend more and more on their expertise in the assessment and management of cyber risks.
  • The increase in ransomware gangs as they utilise more sophisticated malware which businesses may fail to recognise should they not maintain the latest cyber security methodology .
  • Cloud security is perceived as a larger than life threat as many businesses now rely to a certain extent on this form of developing technology for storing data. How safe this technology has not yet really been been subject to hackers focus and presents a real threat to the safeguard of data.
  • Certain businesses sectors remain a high risk, such as health , finance and on-line retailers. This are the sectors where there is the highest take up of cyber insurance and it is conceivable that this will continue.
  • The growing threat of cyber terrorism will remain with terrorist groups targeting government, military and critical infrastructures.

It will be fascinating to see how these factors do influence the rise of cyber insurance , in the course of events insurers will need to develop their products to respond to the evolving cyber risks that will unfold this year.

Read more

Cyber Liability – The Internet of Things

by
Cyber Liability - The Internet of Things

The “Internet of Things” is the product of the increasing connectivity of corporate computing infrastructures, industrial machinery and electronic consumer devices.

This provides new cyber threats to businesses which will need to be managed through a combination of robust cyber security measures and cyber liability insurance.

The phase, the “Internet of Things” is associated with devices that are capable of communicating via the internet through programmed commands or by “learning “patterns of behaviour and activity so as to recognize common occurrences  in our daily lives and communicating with other devices accordingly

With more devices and people being connected to the internet in the coming years, this will produce a global impact with the estimated market for the “Internet of Things”thought to be $66 billion between now and 2019.

From a business and consumer perspective this has many advantages , whether it be controlling an industrial process remotely to switching on your central heating whilst you are on the way home on a train, it does however come with very real cyber related threats.

The main threat bought by the “Internet of Things” is the vulnerability of the loss of data and the compromising of personal information as devices will have access to such information about a business or individual . This scenario makes it a prime target for a security breach from a targeted hacker attack.

Examples of recent attacks this year :-

  • Hacking attack of a German steel mill where hackers gained control of a smelting furnace and caused it to over heat resulting in damage to the furnace and interruption to the business.
  • Hackers took remote control of cars steering , braking and acceleration
  • Baby monitors being hacked allowing third parties to control the monitors

This year Lloyd’s of London commissioned a report where a hypothetical attack was carried on the  electricity grid of the Eastern US. It was calculated that the loss could equate to $2 trillion which would not all be covered by insurance.

A cyber liability insurance policy will provide coverage for both third party and first party losses. This encompasses a businesses third party liability and first party exposures resulting from a data security breach , the response and associated investigation costs . It can also respond to business interruption loss  and damage to a businesses computer systems and it’s data. The policy however is unlikely to respond to all first party damage and claims involving bodily injury . It will therefore be necessary for other insurance policies to be reviewed by your insurance broker to ensure that an any gaps in coverage are appropriately addressed.