Is the Insurance Loophole the Newest Threat Vector?

Is cyber insurance worth the money, and should organizations rely on it as a line of defense?

Being a Seattle resident, I occasionally find myself in some interesting “what if” conversations about the next really big one: the gargantuan-sized earthquake predicted to wipe out a portion of the Pacific Northwest. While we have no control over the shifting of tectonic plates, looking back on recent seismic history can help us prepare, not only for future earthquakes but also for future cybersecurity events.

Remember the San Francisco earthquake of 1906? Neither do I, but you don’t have to search hard to learn its catastrophic impact: a fire that resulted due to broken gas mains and the risky decision to dynamite the Victorian mansions down Van Ness Avenue to save the rest of the city from the inferno coming from downtown. After the earthquake, insurers paid out not against an earthquake claim, but against the fire that resulted. According to the Insurance Information Institute:

The earthquake and fire that devastated San Francisco on April 18, 1906 was one of the most significant natural disasters in the United States, as well as in the history of insurance. It produced insured losses of $235 million at the time, equivalent to $6.3 billion in 2018 dollars. In 1906, just as today, shake damage from earthquakes was excluded from standard property insurance policies. Damage from the fire which followed the earthquake was covered and constituted the vast majority of insured losses.

Today’s big earthquake is a cyberattack, and there’s a big, related debate about cyber insurance—what’s covered and which policy is triggered. The recent court case involving Mondelez, the manufacturer of Cadbury and Oreo, has security practitioners and executives now questioning how much protection insurance offers as lawyers dispute whether NotPetya, a global ransomware attack, constitutes a “hostile warlike action” and thus lies outside what’s “covered.”

At issue isn’t just dedicated cyber insurance or riders, it’s the umbrella and “all risk” insurance that can be asked to cover collateral damage. Ultimately, malware will cause physical damage. When that happens, who pays for the business outage? In an industry where we know you can’t mitigate all the risk, insurance is a nice but clearly a weak hedge. It likely will take years for the courts to determine the right interpretation of rules and exceptions governing cyber coverage in insurance policies. (Note to self: “Low-and-slow” is neither what you want in an attack nor with an insurance payout.) Yet, one firm says the cyber insurance market is expected to grow to $23.07 billion by 2025—nearly six times larger than its market size in 2017—as companies pour money into this last line of defense.

Just like any multi-layered defense-in-depth strategy, you can’t put too much trust in any single layer—not your cloud providers, not your vendors and no, not even your insurers. Enterprises need to have a better emergency response plan. They need to unify their operational teams to detect and respond earlier, better and more effectively, and this means having full-spectrum, 360-degree visibility into what’s happening in their businesses and an effective rapid response program. To do this, enterprises will need to marry their IT operations and security operations teams to share data, integrate policies and processes, and practice and execute firefighting operations, so they are ready for that earthquake.

The time is right for this marriage. Most companies have begun to rebel against the complexity and cost of dozens of security tools. IT already has racks and closets filled with products that they want to “sunset” as they shift operations to the cloud. Begin with the systems that are most financially critical. What does an hour of downtime cost? One sandwich retailer estimates it’s $15,000 per minute when their ordering app goes down. It could be millions of dollars an hour if you are selling stocks. Map out all the parts of each service involved in keeping it available. It can get messy, fast; an e-commerce app also relies on billing, account information, credit history, inventory databases, web servers, admin systems, etc. Some of these are in the cloud, some are on-premises. And don’t forget the network and shared service components that all those app communications rely on.

Then step back to consider what the likely attack vectors are for each component—and what the weak link in the chain might be. Assume elaborate endpoint technology will be bypassed by social engineering or physical access. Then what? How quickly would you notice a new device on your network? If the attacker is inside, using an approved user’s login, would anything flag traffic to an unusual address? Is anything monitoring your database for unusual logins from within your user community? What if there’s a DoS attack from the inside?

A central theme in these examples is new behavior. What’s new, and how is it different from what you expected? IT may have some of the information about what is normal, and the security team needs to see it, monitor it and understand the implications when things start to go sideways. Data sharing is one example of collaboration. Another is approved policies that automate workflows across tools to cut out time and debate when the fire is spreading. Plan ahead, considering the risk and the reward:

  • What conditions permit automated isolation or quarantine of a host?
  • If that host is a database or web server, who else might need to be involved before a change or action is taken?
  • How do you reach them when needed?
  • How much authority can you push to a Tier 1 analyst to make a decision? After the fact, what can you learn to prevent another incident?
  • Can you dig into details to get to the true root cause, find the associated events and actions, and fully eradicate the artifacts of an attack?

Since security teams often don’t own the rights to implement the interventions required to put out the fire, security has a vested interest in teaming with IT up front, during and after an incident. Working together, they can use tools to share data, integrate workflows and perform double duty. (“Hey, I can use that DNS/Citrix/IOC visibility, too, and do you need packets? Trade you!”)

We will never successfully block every incident that threatens the enterprise, and we can’t guarantee that insurance won’t find a loophole. Let’s choose a new approach. Working from the inside out, protecting what matters, and uniting security and IT operations to rise above whatever comes at us.

Jeff Costlow

Avatar photo

Jeff Costlow

Jeff Costlow is the CISO at ExtraHop. He started his career in computer security in 1997. As a security technologist and leader for over 20 years, Jeff’s deep experience securing information and technology assets as well as years of successful engineering leadership have resulted in secure product deployments to thousands of customers.

jeff-costlow has 2 posts and counting.See all posts by jeff-costlow