Cybersecurity Insurance: 4 Practical Considerations

There can't be reliable cybersecurity insurance until companies can identify who is responsible for the continuous exploitation of stolen data, long-lasting attacks, and hard-to-detect APTs.

Ilia Kolochenko, Partner, Platt Law

October 12, 2015

Dark Reading

According to PwC's Global State of Information Security Survey 2016, which polled more than 10,000 CEOs, CFOs, CIOs, CISOs, CSOs, VPs and directors of IT and security practices from 127 countries, six out of 10 respondents report that they purchased cybersecurity insurance in 2015, up from a little more than half one year earlier. That follows guidance from the Securities and Exchange Commission's Office of Compliance Inspections and Examinations that financial organizations consider cyber insurance as part of their cyber-risk management strategy.

The media also portray cybersecurity insurance as an important element of corporate cyber defense: a way to limit the losses from growing cybercrime that organizations cannot entirely prevent in advance.

Still, the practical implementation of cybersecurity insurance raises many complicated and not particularly obvious questions. The first, and probably the biggest, is how long an insurer will cover the ongoing consequences of a security incident. Once a system is compromised, there is no way to predict for how long cybercriminals will keep exploiting what they took.

Take the recent hack of the Ashley Madison dating website: the attackers still hold the entire database, and they will most likely continue to exploit it in the near future. They will quite probably test the leaked passwords against the victims' other personal and corporate accounts, since many people reuse them, creating new financial and reputational losses.

They may also run highly targeted spear-phishing campaigns to take control of the victims' computers or mobile phones. Once they have extracted as much sensitive data as they can, they will either resell it on the black market or blackmail the victims. This may happen months after the original breach, or even later. So the burning question is: will the insurer accept liability for the damage caused by the continuing exploitation of stolen data, such as ongoing loss of customers, brand damage, or future lawsuits?

If I were an insurer, I'd not take on the risk, because the process could last forever, until the totally depreciated database ends up on Pastebin just for fun. Therefore, until insurance companies and their clients are able to clearly define who should be responsible for the continuous exploitation of stolen data, or for long-lasting attacks such as RansomWeb or hard-to-detect APTs, we won't have a reliable cybersecurity insurance industry.

Finding the bad guy

The second major consideration is identifying the party at fault for a breach so that the insured customer can be compensated. In today's interconnected world, where the same data or piece of code may be handled and stored in dozens of different datacenters worldwide, it is often almost impossible to determine who is responsible for a data breach. Similarly, controlling the information security of third-party suppliers is becoming a very difficult task for CISOs, and in some cases remains technically and practically impossible.

At High-Tech Bridge, where I am CEO, we recently had a case of a European financial institution that was mysteriously compromised: the logs remained intact and didn't show any suspicious activity at all. Finally, we discovered that an unencrypted backup was outsourced to a third-party company where it was "securely" stored. After long negotiations, we managed to access and investigate their systems as well, but again in vain; there was not a single sign of an attack.

Eventually, we found that the backup provider had its own backups stored externally, and it was this fourth-party IT company that was hacked, with all the subsequent consequences. Who is liable for those risks? In theory, every company should select secure third-party providers; in practice, it is not possible to verify every point of failure even within the insured company, let alone across its third-party or fourth-party providers and consultants.

The third major consideration in cyber insurance is human weakness. It's no secret that the biggest risk to any system is the human factor. In the case of intentional, well-prepared sabotage, it may be very difficult to trace and prove insider activity.

Moreover, smart (and malicious) employees may stage a hacker attack on their own systems to cover their criminal activities. Imagine a small group of two or three IT people at a bank who have privileged access to the core banking database. Because the bank has distinct access levels, unique identifiers for each administrator, proper system logging and correct privilege segregation, an insurer is unlikely to consider it non-compliant with information security best practices. Yet those same people can easily steal the data, clean or tamper with the logs, sell the data to a competitor, and then post it on the Dark Web to simulate the work of Russian or Chinese hackers or Anonymous hacktivists. Nothing in that compliance checklist stops the people who administer the logging from altering it, unless the logs are forwarded in real time to a store outside their control. Who will dare to accuse them when the investigation starts? It's quite likely they will be part of the investigating team. Such schemes offer a great opportunity to defraud an insurance company.

I remember an investigation we performed for a bank. A malicious employee used his corporate notebook to send out some sensitive data, and in order to cover his traces he managed to disable his AV protection and started surfing various pornographic websites. Obviously he got infected pretty quickly, and when after the weekend his notebook was confiscated for an investigation, he warned us that he had been hacked and something was going on with his PC. Finally, we managed to prove what really happened, but had the employee been a technical expert, even our team would not have been able to help in the investigation.

Last, but not least, is it even possible for insurance companies to verify in a reliable and holistic manner that their customers are taking every appropriate measure to mitigate the insured cyber risks? The use of third-party assessors is one possible approach. For instance, for PCI DSS compliance, Qualified Security Assessor (QSA) companies periodically verify, validate, and attest to a defined level of security. However, cyberattacks often go well beyond the scope of a PCI DSS audit. Are insurance companies ready to verify how well their clients are protected in a technically competent, continuous and holistic way?

The bottom line is that when it comes to cybersecurity insurance, there are many more questions than answers. And until the security industry has a clear understanding of these issues, it will be next to impossible to have a substantive discussion about the value of cyber insurance.

About the Author

Ilia Kolochenko

Partner, Platt Law

Dr. Ilia Kolochenko is a Swiss expert in cybersecurity, cybercrime investigation, and cyber law. He is also a lawyer admitted to the DC Bar in Washington, DC. His legal practice is mainly focused on data protection, privacy, and cybersecurity law. Dr. Ilia Kolochenko currently serves as a Chief Architect and CEO at ImmuniWeb, a global application security company headquartered in Geneva, Switzerland. He is also a Partner & Cybersecurity Practice Lead at a US law firm with offices in New York and Washington. As part of his academic activities, Dr. Kolochenko is an Adjunct Professor of Cybersecurity Practice & Cyber Law at Capitol Technology University in Maryland, and a Faculty Member at the DC Bar Continuous Legal Education (CLE) Program, where he teaches a cybersecurity and privacy course for lawyers and other legal and judicial professionals.

Dr. Ilia Kolochenko has an LL.M. (Master of Laws) degree in Information Technology Law from the University of Edinburgh Law School, an M.Sc. in Criminal Justice (Cybercrime Investigations & Cybersecurity) from Boston University, and a Ph.D. in Computer Science from Capitol Technology University. He is currently completing an advanced LL.M. in Cyber, Information and National Security (CINS) at George Mason University, Antonin Scalia Law School.

He is a Fellow of Information Privacy (FIP) and a Privacy Law Specialist (PLS) at the International Association of Privacy Professionals (IAPP), the two most advanced IAPP credentials in privacy practice and privacy law, respectively, and also holds the AIGP, CIPP/A, CIPP/C, CIPP/E, CIPP/US, CIPM, and CIPT privacy certifications. Additionally, he has earned numerous offensive and defensive security certifications from the Global Information Assurance Certification (GIAC) after ongoing training in advanced cloud security, cyber operations, and investigations at SANS Institute.

Dr. Ilia Kolochenko currently serves as Vice-Chair of the Information Security Committee at the American Bar Association (ABA), and is a Fellow at the European Law Institute (ELI) and a Member of the Cybercrime Investigation & Cybersecurity (CIC) Center at Boston University. Additionally, Dr. Kolochenko is part of Europol's Data Protection Experts Network (EDEN), INTERPOL's Digital Forensics Expert Group (DFEG), the National Association of Criminal Defense Lawyers (NACDL), the SANS CISO Network, and the EU CyberNet.

Dr. Ilia Kolochenko has authored over 75 articles on cybersecurity, computer crime investigations, cyber law, and artificial intelligence. His interviews and expert comments have been published in over 250 media across Europe and the US; he is also a frequent lecturer at cybersecurity, law enforcement, and legal conferences around the globe.

