FEATURE

The goal is to be able to identify individuals, verify their identities, and track their activity across the network, all the way up to the level of activity in the application itself. Many fraud control functions can be incorporated, such as requiring multiple individuals to authorise the creation of an account or payee.
While IT security technology controls are crucial, the increasing ingenuity of fraudsters means that very little is 100% fraud-proof. On the other hand, treating employees with respect and remunerating them properly can help reduce the motivation and rationalisation for fraud, but will not eradicate it entirely.
A holistic approach

In summary, security requires a holistic approach. Organisations need to go back to basics: understand the risks that each aspect of the business is facing, which applications could be targeted, what the vulnerabilities are, and what people, process and technology controls should be put in place. The next step is to ensure there is a proper audit function that makes sure controls are in place and working as intended. There should also be some form of automated analysis that looks for inappropriate activity and either blocks it or flags it for further investigation. While fraud comes in many guises, big business, like society in general, is more afraid of the impact of external threats than of internal threats. With the Internet just over 25 years old, hacking is still a comparatively new attack vector. In line with the rush to get everything online, external fraud becomes hard to control: indeed, one rarely sees it coming. Internal fraud, on the other hand, is as old as the art of doing business.
Furthermore, it’s a much slower moving target and more easily understood – but that doesn’t mean it can’t make a big impact. So, while it’s vital for organisations to make sure their assets are adequately protected from the potentially devastating repercussions of an outside attack, it’s critical they don’t overlook the risk factors that could be lurking considerably closer to home.
About the author

Anna Watson is general manager security solutions, Europe at Dimension Data. She joined Dimension Data in 2005 having previously held sales and marketing roles with RSA in the Nordic countries and across Europe. During her time with RSA, Anna was involved in and responsible for numerous product launches as well as management of the RSA Conference in Europe. With more than 10 years’ experience in the IT security market from various roles with a system integrator as well as a technology vendor, Watson is a passionate advocate of the need for security in any IT solution – through consulting and risk assessments, end user policies and training, and technology solutions.
Insuring against data breaches

Danny Bradbury, freelance journalist

Computer Fraud & Security, February 2013

We live in an increasingly uncertain world. Organisations are having to cope with unpredictable events such as extreme weather incidents and geopolitical strife. Insurance companies have been quick to point out the challenges of managing climate change-related risk. But not all of the new risks are physical. There are other perils that are driving the need for a relatively new type of insurance. Cyber-risk insurance policies are still young in the insurance industry, and insurance companies are working hard to thrash out the details of these complex and difficult contracts. How do they work, and what should organisations consider when negotiating a policy?

A short and turbulent history

Steve Haase, president of insurance wholesaler InsureTrust, recalls the first policies appearing in the late 1990s. “They were not very popular because companies were spending money on the Y2K problem at the time,” he says. “In any case, insurance companies – who move a little more conservatively than many – were still trying to figure out if this Internet thing would be a big deal.”

Things changed in the early 2000s, however, when insurance firms realised that the Internet was probably going to stick around. At the same time, cybercrime became a far bigger issue, especially after botnets were created and became a large trend. Larger data breaches with far-reaching financial consequences attracted insurance firms, which smelled an opportunity. Disasters such as the Heartland Payment Systems and Sony PlayStation Network intrusions made major news, and had a marked financial effect on the companies involved. The cost of the Heartland breach was last pegged at $140m, and counting, while Sony forked out $171m for its intrusion.1,2 Who wouldn’t want protection against that?
Another driver was the introduction of data breach notification requirements, which began in 2002 in California.3 “At this point, most [US] states have statutory schemes that create liability for privacy breaches,” says Reynold (René) Siemens, a partner at legal firm Pillsbury Winthrop Shaw Pittman and an expert on cyber-risk insurance contracts. “Both litigation and regulatory investigations have become common,” he says. “As the liability has expanded, the insurance industry has decided to step into that gap and fill it with a new insurance product.” Insurance companies also explicitly excluded this kind of coverage from any other kind of policy, leading to its consolidation as a new, separate insurance product. More carriers entered the market. John Correlli, privacy counsel and president of the JMC Privacy Consulting Group, estimates that there are roughly 30 companies offering policies.
Adoption

Haase estimates that around 20% of the potential market for cyber-risk insurance has been penetrated. “We’re seeing growth rates in this product line north of 20% per year, which is significant for insurance companies,” he adds. The early adopters are those companies most prone to adverse effects from data breaches, such as financial institutions and healthcare organisations. Another sector that became interested early on was the software industry, adds Haase, presumably thanks to the danger of intellectual property theft, and entertainment companies, for the same reasons. “Online retailers are big buyers too,” he says.

Most of the growth in the sector is in the middle market, according to Siemens. Larger enterprises often already have the financial side of cyber-risk under control. “The largest clients tend to be ahead of the curve on this,” he says. In some cases, that is because they self-insure, paying out of their own pocket rather than passing the risk on to another firm. Self-insurance becomes an option for firms with large, strong balance sheets. It also often makes sense for these firms because their risk is greater, and the deductibles for third-party contracts can be huge.

Although people talk about cyber-risk insurance, the risks are far broader-ranging, say experts. Haase cites content and domain name disputes, and disruption of service thanks to malware that may not steal anything, for example. And Correlli points out that the electronic risk is only the half of it. “Data breach, a lot of times, deals with information that has never been in the cyber world,” he says, pointing to insiders snooping through paper records, unshredded documents discarded in the garbage, and unwiped hardware. “I think they just used cyber-risk insurance as a standard term, but data breach is better.”

An uneven landscape

Insurance is a slow, conservative industry that stretches back to the start of the modern money economy, and beyond. It is no wonder, then, that a 15-year-old concept for an insurance product is still unstandardised, with provisions and clauses that vary widely between different providers. Some insurers focus on specific industries such as finance or healthcare, while others are more generic. This diversity in pricing and policy structure stems from market dynamics rather than flaws in actuarial science, say experts. It is constantly shifting in line with quickly evolving technological, regulatory and commercial environments. It is also affected in part by what reinsurers will allow. “Companies are also a bit hesitant to share information,” says Christine Marciano, president of Cyber Data Risk Managers, an independent insurance agency specialising in data privacy, cyber-liability risk and intellectual property protection. Because the field is highly competitive and the parameters are still not entirely understood, the data used to arrive at premiums and contract structures is less transparent than in other insurance fields. Unfortunately, all of these factors have led to a fractured industry that goes against what insured companies generally need, says Haase. “A mature market was when there was an okay number of players with similar broad coverage mostly competing on price. We’re not there, but that’s what buyers like,” he says.
Because the cyber-risk industry is not that evolved, it is important for companies taking out cyber-insurance to understand what they’re getting. The nuances are subtle, and companies must understand what questions to ask. Correlli points out that the cost of a breach could be so high that it transcends mere out-of-pocket costs. If a company’s stock price falls, can this be insured against? ChoicePoint, which suffered a major data breach in 2005, lost around 10% of its share price in the five days following the breach announcement. Researchers at Carnegie Mellon and Harvard argue that “there exists a negative and statistically significant impact of data breaches on a company’s market value on the announcement day for the breach.”5 Should this be covered in a cyber-risk insurance policy?
Per capita costs of data breaches by industry. Source: Ponemon/Symantec.
Some policies will not provide coverage for a contractual liability where you are the vendor providing services for other parties. Conversely, some won’t cover data for which the insured company is the controller if it is being handled by a third party. In some cases, insurance contracts may stipulate that the insured has to pay the deductible from its own pocket, rather than recovering the money from a liable vendor. Siemens advises organisations seeking insurance to dovetail cyber-risk insurance with vendor indemnity agreements, so that they can recover costs from their own third-party service providers where appropriate. Ideally, an organisation would require its third-party service providers to insure themselves against claims made as the result of a data breach, so that they are able to pay damages to the organisation if they lose its data.
Coverage

What types of coverage should organisations consider when applying for cyber-risk insurance? Correlli identifies three general areas: response costs; regulatory fines; and civil suits.
When an organisation suffers an incident or breach, it will have to go through several steps to respond responsibly. Forensic analysis can be expensive, especially if network intrusion detection and Security Incident and Event Management (SIEM) tools have not been deployed. A company may need to bring in a third party to examine the infrastructure and determine the scope of the breach. Then, notification may be required by law to alert the victims. This involves several sub-costs, but overall the per-breach cost is high. In its 2011 Annual Cost of a Data Breach report, the Ponemon Institute pegged the average cost of notification per breach at $561,495.6 These notification costs may include mailing letters, operating a call centre, and paying for credit monitoring for those affected. Other coverage may not even legally be available, says Correlli. Regulatory fines are a case in point. “Sometimes the law doesn’t let you insure against this. Sometimes a public policy position is that they don’t just want organisations to pay for insurance while wilfully violating the law.”
Direct and indirect per capita data breach cost over seven years. Source: Ponemon/Symantec.
Siemens warns that business interruption losses are probably the most difficult to insure. “There is business interruption coverage available on the market, but it tends to be limited, and it tends to have restrictions that impair its value,” he warns. “Most companies don’t buy it because it isn’t worthwhile.” With these considerations in mind, it is important to buy only what is necessary. Understanding the limits of your insurance liability is key, and it is also important to ascertain early on which legal defence costs the insurer is willing to pay. A civil suit against the insured company could cover some areas of a claim that are insured, and some that are not. How much of the legal cost will the insurer be willing to cover, and how easy will this be to separate?
Premiums

Then, the insured will need to negotiate the premiums with the insurer. Correlli says that there is no industry-wide standard for assessing exposure. “It isn’t like car insurance. It depends on the organisation,” he explains. The sector in which the insured operates will be a factor, along with many of the other parameters mentioned, and of course the size of the deductible (the amount that the insured must pay itself before making a claim) will be of significant influence.
Insurance firms may also lower premiums based on how much the insured allows them to be involved in the security process. Allowing an insurance firm to create a response team can help with some contracts, just as allowing the insurer to choose from a list of approved repair and renovation companies can help to lower the premium on home insurance. The insurance company’s response team may dictate how notifications are carried out and how forensic analysis is conducted. “For some organisations, this may make sense,” Correlli says. “But for some, it would take more time for the outside vendor to get up to speed than the insurance company dictates.”

Premiums will naturally be lower for companies with lower revenues, explains Marciano, because the losses from a data breach are likely to be lower. A company earning under $1m could face premiums of $1,000 or less, depending on how it conducts itself. There are some ways to help reduce the premiums. Practising what Marciano calls ‘cyber-hygiene’ is important, but this needs to be proven. Insurance companies used to rely heavily on security audits when putting together contracts, but Haase says that this practice largely died out after 2001 and is now conducted only for the largest risks. Instead, applicants fill out an application form that could be as little as five pages long, or as long as 20. “The application form is taken at a moment in time,” he says. The application will ask a range of questions, such as whether a firewall is used and how employees are trained in security awareness. Siemens recommends getting competitive bids from several different insurers and then comparing the policies line by line to see which offers the most favourable coverage. Cyber-risk insurance is fraught with uncertainties, perils and challenges, but companies with a heavy reliance on data processing and a bank of sensitive customer data or other valuable intellectual property would do well to consider it as an option. If hackers come calling and gain the keys to the kingdom, the consequences of inaction could be grave indeed.
About the author

Danny Bradbury is a freelance technology writer with over 20 years’ experience. He has written extensively for publications including the Guardian, the Independent, the Financial Times, and the National Post. He also works as a documentary film maker and writing coach.
References

1. Vijayan, Jaikumar. ‘Heartland breach expenses pegged at $140M – so far’. Computerworld, 10 May 2010. Accessed Feb 2013. www.computerworld.com/s/article/9176507/Heartland_breach_expenses_pegged_at_140M_so_far.
2. Schwartz, Mathew. ‘Sony Data Breach Cleanup To Cost $171 Million’. Information Week, 23 May 2011. Accessed Jan 2013. www.informationweek.com/security/attacks/sony-data-breach-cleanup-to-cost-171-mil/229625379.
3. Stevens, Gina. ‘Data Security Breach Notification Laws’. Congressional Research Service, April 2012. Accessed Feb 2013. www.fas.org/sgp/crs/misc/R42475.pdf.
4. Kark, Khalid. ‘The cost of data breaches: Looking at the hard numbers’. TechTarget, March 2007. Accessed Feb 2013. http://searchsecurity.techtarget.com/tip/The-cost-of-data-breaches-Looking-at-the-hard-numbers.
5. Acquisti, Alessandro; Friedman, Allan; Telang, Rahul. ‘Is there a cost to privacy breaches? An event study’. Twenty Seventh International Conference on Information Systems, Milwaukee, 2006. Accessed Feb 2013. http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.207.1470.
6. ‘2011 Cost of Data Breach Study’. Symantec and Ponemon Institute, March 2012. Accessed Feb 2013. www.symantec.com/content/en/us/about/media/pdfs/b-ponemon-2011-cost-of-data-breach-us.en-us.pdf.

Open source as the secure alternative: a case study
Kate Craig-Wood, Memset

Open source is actually more secure and reliable than the alternatives. This is a conclusion based on the experience of creating a hosting/cloud Infrastructure as a Service (IaaS) company using entirely open source software and an ‘automate everything’ philosophy.
UK-based Memset turned to open source for a number of reasons:

• Price: you don’t need to pay for proprietary software anymore; simply download the open source software and install it, without paying a penny. Furthermore, you usually get unrestricted access to the source code, enabling you to modify it to suit your requirements.
• Flexibility: once you have the software installed you are free to host your applications wherever you like. This means you no longer need to put all your information in one basket, say with Google; instead you are able to separate the software from the host and own your own data. A good example of how to achieve that would be Zimbra, an open source, web-based Software as a Service (SaaS) suite of office applications that can be hosted by any managed hosting provider.
• Efficient systems integration: by using open source software and adapting it to suit the company’s needs, with fairly minimal development effort, Memset has been able to build on those foundations to automate a large number of its processes, such as account billing, administration, provisioning, maintenance and monitoring activities, so that they require very little staff input.

Memset’s preferred core tools are: Python (programming language); MySQL or SQLite (databases); Django (application framework); and Nginx and Apache (web servers). A key part of the firm’s approach is ‘one database to rule them all’. Thus, its database handling configuration management, billing, and everything else (dubbed ‘The Database of Doom’) was custom-built by Memset using the above tools. As with most development approaches, the starting point was an object model provided to Django to turn into a database structure and provide hooks for other code. The in-house stuff takes care of the following:

• Firewall rules management.
• Asset management.
• IP address management.
• Domain Name Servers (DNS).
• VLANs and switch fabric management.
• Network connectivity/bandwidth regulation, shaping and accounting.
• Automated provisioning of IaaS.
• Customer accounts and details.
• Billing/invoicing.
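The ‘one database to rule them all’ approach described above, as an added illustration that is not Memset’s own code: a constructed SQLite schema in which firewall rules and DNS records are derived from the asset and IP address tables, so a rule cannot reference an address nobody owns and decommissioning a host removes its rules with it. Table names, column names and the sample hosts are assumptions.

```python
import sqlite3

# Constructed schema; table and column names are assumptions, not Memset's real schema.
SCHEMA = """
CREATE TABLE asset (id INTEGER PRIMARY KEY, hostname TEXT NOT NULL UNIQUE);
CREATE TABLE ip_address (
    address  TEXT PRIMARY KEY,
    asset_id INTEGER NOT NULL REFERENCES asset(id) ON DELETE CASCADE);
CREATE TABLE firewall_rule (
    id      INTEGER PRIMARY KEY,
    address TEXT NOT NULL REFERENCES ip_address(address) ON DELETE CASCADE,
    proto   TEXT NOT NULL CHECK (proto IN ('tcp', 'udp')),
    port    INTEGER NOT NULL CHECK (port BETWEEN 1 AND 65535),
    action  TEXT NOT NULL CHECK (action IN ('accept', 'drop')));
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    # SQLite ignores REFERENCES clauses unless this pragma is set on every connection;
    # without it a rule may point at an address nobody owns and cascades never fire.
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn

def add_asset(conn, hostname, address):
    """Register a host and the address it owns in one transaction."""
    with conn:
        cur = conn.execute("INSERT INTO asset (hostname) VALUES (?)", (hostname,))
        conn.execute("INSERT INTO ip_address VALUES (?, ?)", (address, cur.lastrowid))

def add_rule(conn, address, proto, port, action):
    """True if stored; False if the database refused it (unknown address, bad port...)."""
    try:
        with conn:
            conn.execute("INSERT INTO firewall_rule (address, proto, port, action) "
                         "VALUES (?, ?, ?, ?)", (address, proto, port, action))
        return True
    except sqlite3.IntegrityError:
        return False

def decommission(conn, hostname):
    with conn:  # cascades to the host's address and to every rule written for it
        conn.execute("DELETE FROM asset WHERE hostname = ?", (hostname,))

def render_firewall(conn):
    """Derive the firewall policy from the database rather than hand-editing it."""
    rows = conn.execute("SELECT address, proto, port, action FROM firewall_rule ORDER BY id")
    return [f"{act} {proto} dport {port} to {addr}" for addr, proto, port, act in rows]

def render_dns(conn, zone):
    rows = conn.execute("SELECT a.hostname, ip.address FROM ip_address ip "  # same asset table
                        "JOIN asset a ON a.id = ip.asset_id ORDER BY a.hostname")
    return [f"{host}.{zone}. IN A {addr}" for host, addr in rows]

def demo():
    conn = open_db()
    for host, addr in (("web1", "192.0.2.10"), ("db1", "192.0.2.20")):  # constructed data
        add_asset(conn, host, addr)
    add_rule(conn, "192.0.2.10", "tcp", 443, "accept")
    add_rule(conn, "192.0.2.20", "tcp", 3306, "drop")
    stray = add_rule(conn, "192.0.2.99", "tcp", 22, "accept")  # unowned address: refused
    before = render_firewall(conn)
    decommission(conn, "db1")  # no stale rule outlives the host it was written for
    return stray, before, render_firewall(conn), render_dns(conn, "example.net")
```

The same pattern applies to the other artefacts in the list above (VLANs, DNS zones, provisioning): each is rendered from the one authoritative database, so a stale allow rule for a recycled address cannot linger after the host that justified it is gone.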