People who purchase life insurance don’t usually sit around waiting to die. They probably exercise and eat healthy, for example, in order to prolong their life. Similarly, “Cyber Liability/Data Breach” insurance policyholders should not sit around waiting to get “hacked”.
Having a stand-alone “cyber policy” is not a replacement for sound technology risk management and operational best-practices. Even worse, having a standalone cyber policy that isn’t understood will give your organization a false sense of security.
Case in point, BitPay. The CEO of BitPay handed over close to US$1.8 million in bitcoins to an attacker before realizing the attacker’s requests were fraudulent. According to court filings, the attack on the CEO was a social engineering attack spread across multiple email messages. The loss was subsequently spread across three separate transactions performed by the CEO. The emails, sent from the compromised email account of the BitPay CFO, plainly instructed the CEO on how to perform the fraudulent transfers, and he complied.
Most would agree that this was a classic “phishing attack” and would expect it to be covered by BitPay’s “cyber” policy. However, the carrier deemed it a social engineering attack, as opposed to a direct compromise of a BitPay system, and the loss was not covered. I’ve since learned that social engineering can be covered through an endorsement on a generic crime policy.
At one of the first presentations I attended regarding cyber liability coverage, a broker revealed an “exclusion” he found when reviewing a client’s stand-alone cyber policy. In insurance-speak, an exclusion is basically an “out” the carrier uses to avoid having to honor a claim. The substance of the exclusion was that attacks requiring a user to click on a link in an email would NOT be covered by the policy. In other words, phishing attacks were not covered by the stand-alone cyber security policy.
This post is not the place to argue the difference between “phishing” and “social engineering” attacks. The point I’m making is that appropriate insurance coverage, including stand-alone cyber and appropriately endorsed crime policies, should be the finishing touches on your risk management strategy, and not the strategy itself.
Sound technology risk management begins with establishing a tech risk management leadership role. It also includes performing a threat modeling exercise and risk assessment specific to your organization. A threat model identifies the variety of ways a criminal may attack you, as well as other technology failures that can impact your organization. A risk assessment helps quantify the impact these incidents will have on your business if they happen.
Purchasing a cyber policy without first performing a risk assessment independent of the insurance underwriting process is like painting a room in the dark. You’ll get some paint on the walls, but you will probably miss some critical areas of coverage.
In a future post, I’ll talk about how we help mid-sized organizations improve their often non-existent technology risk management process. In the mean time, if you have questions or concerns about your own technology risk exposure or insurance coverage, reach out to me and let’s talk.
You can view the court filings for yourself at the below locations:
Mike Zusman is the founder of Carve Systems, an information security consultancy.