How Much Should You Pay For Cyber Insurance?

The cyber insurance market is booming. Seems like everyone wants to get a policy to transfer risk. And why not? Insurance is a useful risk management tool in so many other situations: general liability, property damage, errors and omissions, etc. The question on everyone’s mind is: How much for a cyber policy?

How big is the market getting? According to David Bradford, co-founder and chief strategy officer at Advisens, an advisor to the insurance industry:

The market for cyber insurance in 2015 was $2.5 billion. For 2020 it’s estimated anywhere between $5 billion and $10 billion. By comparison, workers’ compensation insurance is a $55 billion market.

Bradford says this is roughly what you can expect to pay for a year of coverage:

  • For companies with less than $500 million in revenue, policies with limits of between $1 million and $5 million cost between $2,000 and $5,000.
  • For companies with more than $500 million in revenue, for a policy with limits of $5 million to $20 million, premiums will range from $100,000 to $500,000.

There’s a big caveat, though: Even though about 60 companies are writing cyber insurance policies today, in my experience many are making it up as they go along. Terms, conditions, coverages, exclusions, and risk assessments are all over the place. Unlike a commercial fire policy, there’s almost no standardization.

Insurance companies aren’t even in agreement about what factors indicate a decreased risk of a policy holder filing a claim. And that can translate to higher (or lower) premiums than required to cover the risks. At this point, it’s reasonable to wonder if your claim will be paid at all. The litigation over cyber coverages is just getting started.

If you want to go forward with buying a policy, get yourself a reliable broker and get ready to do some serious comparative shopping. Buyer beware!

77 Percent of Businesses Have No Cyberattack Response Capability

Did you know that leaning into your cyber risks can be a source of competitive advantage? Here’s a stunning data point that makes my case.

The NTT Group (Japanese AT&T) recently released their 4th annual Global Threat Intelligence Report (GTIR). Similar to the recently released Verizon Data Breach Incident Report, the NTT report…

…analyzes attacks, threats and trends from the previous year, pulling information from 24 security operations centers, seven R&D centers, 3.5 trillion logs, 6.2 billion attacks and nearly 8,000 security clients across six continents.

Here’s one of their most striking findings for 2015:

Trend data over the last 3 years illustrates on average only 23 percent of organizations are capable of responding effectively to a cyber incident. 77 percent have no capability to respond to critical incidents and often purchase incident response support services after an incident has occurred.

You can find this supporting chart on page 47:

My initial reaction is that executives are planning for cyber attacks as they do for 100-year floods: We’ll deal with it, if it ever happens.

Given the frequency and severity of the attacks documented in the rest of the report, and all over the news media, that’s not lined up at all with the reality of today’s cyber risks!

But back to the opportunity for competitive advantage: What if your fiercest competitor was a member of the 77% and was cyber-attacked? They could expect to bleed cash and be distracted for months. Now what if you were one of the 23% able to effectively respond to a major cybersecurity incident? How would that boost digital trust with your customers and partners? How much reputation would you save by having your experts get out in front of the story? And, how much more quickly could you get back to working on what’s most important to your business?

By the way, if you want a glimpse at data breach response done very well, check out this critique of Anthem BlueCross BlueShield’s 2015 data breach. If you want to see a poorly done example, here’s a critique of TalkTalk’s slow, awkward response.

Which one would you rather be?

Lean Into Your Cyber Risks To Thrive In The New Normal

How do you lean in? By pursuing cyber resilience through measurement, smart prioritization of future spending, and continuous improvement. Let’s quickly step through the plan right now, at a high level…

The rest of my blog post for today appears over at my good friend Mike Hamilton’s Critical Informatics web site.

Mike and I were chief information security officers (CISO) at about the same time a few years ago. He was at the City of Seattle while I was a couple miles away at PEMCO Insurance.

Like me, Mike and his team provide cybersecurity consulting services. But what makes his team different is their network security managed service, called Critical Insight. I’ve learned how they serve their customers with it and I wish I had it when I was CISO. Check it out! (After you read my post for today, of course.)

Anyway, here’s the link to my weekly post. You’ll find plenty of insights and actionable tips on how to thrive in The New Normal.

Why You Should Pay Ransom For Your Data

A few weeks ago I talked about why paying ransom to get your data or computers back online was a bad idea: Like any bully, once they succeed in getting your money it will embolden them to demand more and from more people.

But it turns out that at least one venerable American institution thinks you should pay: The Federal Bureau of Investigation.

Yep, the FBI says you should pay up. They are, in fact, on record (October 22, 2015) telling people to pay the ransom:

Joseph Bonavolonta, the Assistant Special Agent who oversees the FBI’s CYBER and Counterintelligence Program in Boston, spoke at the 2015 Cyber Security Summit and advised that companies infected with ransomware may want to give in to the criminal’s demands.

After my post went online, I heard from a colleague who told me:

I was presenting in an Infragard briefing at the FBI office, and they basically told everyone there was nothing they could do if it happened, that they were pretty much on their own. There is also no telling what the ransomware left behind for another go-round, or continued surveillance while it held the system captive. Merely breathing a sigh of relief and thinking you are in the clear is a really bad idea.

Although it’s still the right thing to do, I know that not paying the ransom is difficult, even if you have good backups. It’s not as fast as just paying because it takes a lot of time to restore and you’ll still lose some data. And, whether you pay or not, there’s a good chance you will get hit again with a new strain of ransomware, so why fight it?

I wonder what the dominant type of backlash will be as more US citizens wake up to the fact that law enforcement can’t help them prevent or recover from these new cyber crimes. Anger? Fear? Vigilantism?

What do you think is most likely?

Banking Malware Generates $800K Per Campaign

What motivates online criminals? Money, of course. Based on recent research by cyber intelligence firm buguroo, you can make a lot of money spreading malicious code around the Internet. The crooks who distribute the banking Trojan Dridex make about US$800,000 for every 16,000 stolen credentials. Based on the number of campaigns they are able to conduct, they’re stealing over US$50 million per year.

Here’s how their illicit business works:

Credit: buguroo

What exactly is Dridex? Webopedia explains:

Dridex is a strain of banking malware that leverages macros in Microsoft Office to infect systems. Once a computer has been infected, Dridex attackers can steal banking credentials and other personal information on the system to gain access to the financial records of a user.

Wondering what it looks like to be a target of a Dridex infestation?

Dridex operates by first arriving on a user’s computer as a malicious spam e-mail with a Microsoft Word document attached to the message. If the user opens the document, a macro embedded in the document surreptitiously triggers a download of the Dridex banking malware, enabling it to first steal banking credentials and then attempt to generate fraudulent financial transactions.

Here’s a screen shot of an infected email:

Dridex screen shot

Credit: buguroo

Would you open this attachment and enable the macros? Would your CFO? We know plenty of people are opening it, otherwise the criminals would switch to another line of attack.

Your best defense is to train your people to be skeptical of unexpected emails. Pick up the phone and verify or ask a co-worker to give it a second look. You could also strip such attachments from inbound email, but that might cause too much trouble for your business.

What are you doing to protect yourself? To detect Dridex infestations?
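One way to act on the "strip such attachments" idea without blocking every Word file, as an added example (not from the original post or from buguroo): a mail-gateway check that opens the attachment as the ZIP container modern Office formats use and holds it only when a VBA project is present, which is the delivery vector described above. The content-type strings are the standard OOXML ones; the two sample documents are constructed inside the block.

```python
import io
import zipfile

# Magic bytes of the legacy OLE2 container (.doc/.xls); macros there need a different parser
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Content types that only appear in macro-enabled OOXML packages
MACRO_CONTENT_TYPES = (
    "application/vnd.ms-word.document.macroEnabled",
    "application/vnd.ms-excel.sheet.macroEnabled",
    "application/vnd.ms-office.vbaProject",
)

def inspect_office_attachment(data: bytes) -> dict:
    """Report the macro indicators found in one attachment blob."""
    result = {"is_ooxml": False, "has_vba": False, "macro_content_type": False, "legacy_ole": False}
    if data.startswith(OLE2_MAGIC):
        result["legacy_ole"] = True          # cannot be inspected with zipfile; treat as opaque
        return result
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result                        # not an Office package at all
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        result["is_ooxml"] = "[Content_Types].xml" in names
        # A VBA project is stored as a vbaProject.bin part whatever the file extension says
        result["has_vba"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        if result["is_ooxml"]:
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            result["macro_content_type"] = any(ct in ctypes for ct in MACRO_CONTENT_TYPES)
    return result

def should_quarantine(data: bytes) -> bool:
    """Policy: hold anything carrying a VBA part, a macro content type, or a legacy OLE container."""
    r = inspect_office_attachment(data)
    return r["has_vba"] or r["macro_content_type"] or r["legacy_ole"]

def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML package for the demo; not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ct = '<Types><Default Extension="xml" ContentType="application/xml"/>'
        if with_macro:
            ct += ('<Override PartName="/word/vbaProject.bin" '
                   'ContentType="application/vnd.ms-office.vbaProject"/>')
            zf.writestr("word/vbaProject.bin", b"constructed-vba-blob")
        zf.writestr("[Content_Types].xml", ct + "</Types>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()

if __name__ == "__main__":
    for label, sample in (("macro doc", build_sample(True)), ("plain doc", build_sample(False))):
        print(label, "quarantined:", should_quarantine(sample))
```

Plain .docx files without a VBA part pass through untouched, so the business cost the post worries about is limited to macro-bearing attachments.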

What To Do About Reputable Websites Delivering Malware?

Did you know that reputable websites (like Forbes, The New York Times, and others) have been caught trying to install malware on their visitors’ computers and smartphones? This isn’t new, but it’s a trend that’s been getting worse when it should be getting better.

NYT tweet

These reputable websites are not deliberately trying to hijack your computers, of course. It’s the networks that serve up the ads that have been compromised. Known as malvertising (malicious advertising), it is, according to cybersecurity expert Lenny Zeltser:

…attractive to attackers because they can be easily spread across a large number of legitimate websites without directly compromising those websites.

This type of attack relies on Adobe Flash and Microsoft Silverlight configured in your browser to auto-play the ads. This has been going on since at least 2007 but it got much worse in 2015 and continues to get bigger. And, it appears to be crossing over to mobile devices.

The recent article in The Register didn’t say it, but I will: Why shouldn’t organizations of all sizes install an ad-blocker (I suggest uBlock Origin) across all desktops and mobile devices? At least until this ad-network mess gets cleaned up.

Is there some other, easier thing we should be doing?

Boeing Supplier Lost $54 Million to CEO Fraud

Did you know that Business Email Compromise (BEC), also known as CEO Fraud, is still a threat? And, it’s not just the stolen money that causes executive headaches. It can damage your stock price and reputation with major customers. And, in the case of FACC, it cost the CFO, Minfen Gu, her job.

Here’s what Computer Weekly said about the fraud, announced on January 19th:

A $54m cyber fraud against Austria’s FACC has sent the aircraft supplier’s share price reeling. The company’s share price fell nearly 17% in response to news of the company’s loss, which is one of the greatest losses to date caused by cyber fraud, according to Bloomberg. The loss reported by the supplier to companies such as Boeing and Airbus is way above the average cost of the worst breaches in the UK of between $1.9m and $4.4m, reported by PricewaterhouseCoopers (PWC) in 2015.

So, how do you prevent these attacks from succeeding?

In my experience, most companies are overspending on technology to prevent data and money theft while downplaying the people, process, and management aspects. As with FACC, the recent theft of W-2 information from Moneytree was successful mostly because of weak internal processes and poorly trained people. And there’s a lot you can do in these areas for little or no added expense.

Training people to detect and resist attempts to trick them into sending money (or sensitive data) to criminals is a top action everyone should be taking right now. A good approach is to combine a strong internal communications campaign with a software-as-a-service anti-phishing testing service, such as PhishMe or one of its competitors. Expect to pay about $20 per user, per year.

On that note, organizations need to make sure their management team fully supports their cybersecurity program, especially first line supervisors. Why? When people hear about their responsibility to prevent cyber crime, their first question will be “is this for real?” and then they will wonder “how will this affect me?” Their supervisor will either encourage people to join the program, or kill it, depending on how they answer.

Finally, people have to feel safe to respectfully challenge any suspicious requests. Otherwise, they will be stuck between the fear of being fired for not immediately complying with the request and the fear of making a big mistake.
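The people-and-process controls above can be backed by a cheap technical tripwire at the mail gateway. As an added example (not from the original post, FACC, or Computer Weekly), this check flags a message whose display name matches an executive while the sending address, Reply-To or domain does not match the company's own, and pairs that with the pressure language these requests use. The company domain, executive names and both sample messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

CORP_DOMAINS = {"example-aero.com"}          # constructed: the company's own mail domain
EXECUTIVES = {"jane doe", "alex roe"}        # constructed: display names worth impersonating
URGENCY_WORDS = ("urgent", "wire", "transfer", "confidential", "today")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch lookalike domains such as aer0 vs aero."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def bec_indicators(raw: str) -> list:
    """Return the BEC indicators present in one RFC 822 message, in a fixed order."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = domain_of(addr), domain_of(reply)
    flags = []
    # 1. An executive's name on an address outside the company
    if name.strip().lower() in EXECUTIVES and from_dom not in CORP_DOMAINS:
        flags.append("exec-name-external-address")
    # 2. Replies silently redirected to a different domain
    if reply and reply_dom != from_dom:
        flags.append("reply-to-mismatch")
    # 3. Sender domain within two edits of the real one (typosquat)
    if from_dom and from_dom not in CORP_DOMAINS and any(edit_distance(from_dom, d) <= 2 for d in CORP_DOMAINS):
        flags.append("lookalike-domain")
    # 4. Two or more pressure words in subject plus body
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    if sum(w in text for w in URGENCY_WORDS) >= 2:
        flags.append("urgency-language")
    return flags

def is_suspect(raw: str) -> bool:
    """Policy: two or more indicators routes the message to a human for the phone call."""
    return len(bec_indicators(raw)) >= 2

FRAUD_MSG = """From: Jane Doe <jane.doe@example-aer0.com>
Reply-To: jane.doe@mail-relay.example.net
To: accounts@example-aero.com
Subject: Urgent confidential wire transfer

I need you to transfer the funds today. Keep this confidential until I call.
"""  # constructed sample; no real people or companies
LEGIT_MSG = "From: Jane Doe <jane.doe@example-aero.com>\nTo: accounts@example-aero.com\nSubject: Q2 budget review\n\nPlease send the updated budget sheet when it is ready.\n"  # constructed
```

A hit does not block the message; it is the trigger for the "pick up the phone and verify" step, which is where the fraud actually fails.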

What else would you do to protect your organization from CEO Fraud?

HIPAA Settlement Costs At Least $163 Per Record

Here’s an announcement that should have any HIPAA-covered organization sitting straight up! Especially business associates, because this is going to affect their agreements with HIPAA covered entities.

From the Office of Civil Rights (OCR): $1.55 million settlement underscores the importance of executing HIPAA business associate agreements.

Here’s their abstract of the settlement:

North Memorial Health Care has agreed to settle charges that it potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to implement a business associate agreement with a major contractor and failing to institute an organization-wide risk analysis to address risks and vulnerabilities to its patient information. North Memorial is a comprehensive, not-for-profit health care system in Minnesota that serves the Twin Cities and surrounding communities. The settlement includes a monetary payment of $1,550,000 and a robust corrective action plan.

It all started in 2011 with a stolen laptop from an employee of North Memorial’s business associate, Accretive Health. The laptop was in the employee’s locked car with ~9,500 unencrypted ePHI records on it.

North Memorial is required to complete the following corrective actions:

  • Develop Policies and Procedures Related to Business Associate Relationships (90 days from settlement)
  • Modify Existing Risk Analysis Process (180 days from settlement)
  • Develop and Implement a Risk Management Plan
  • Training (60 days from HHS approval of North Memorial’s new policies)
  • Promptly File Reportable Events and Annual Reports

Considering only the fine, North Memorial settled with OCR at just over $163 per record. It’s a chilling way for executives to learn a lesson about where cybersecurity should fit in their priorities.

Here’s another angle on this story: The various Ponemon “cost of a data breach” studies set the amount at about $145 per record. The fine alone exceeds that benchmark. Once all the extra costs are tallied, I wonder what the final cost per record will be?

Can You Steal $1 Billion Using Malware?

Based on recent reports out of Bangladesh, it looks like malware can steal at least $80 million. Apparently, a mere typo by the thieves prevented the loss of much more. Some people find it hard to believe that such large sums can be stolen without any overt insider assistance.

Source: Kaspersky Labs

After reading this story, a friend said to me “This is crazy. What percentage would you say start off as ‘inside’ jobs? To me a majority start from within.”

A 2013 report by Clearswift said:

…more than half of all security incidents (58%) can be attributed to the wider insider family: employees (33%), ex-employees (7%) and customers, partners or suppliers (18%).

So, my friend is right.

But to suggest that malware alone couldn’t help a gang steal $1 billion is old thinking. Stuxnet and Carbanak are two high-profile examples of doing great damage from a distance. And both of them started by using social engineering to pierce the human firewall.

Some people say the human firewall is irreparably broken. While I wouldn’t exclusively rely on it, there’s no need to give up on your people completely. A good blend of countermeasures across the people, process, technology, and management dimensions is the best approach. And using the NIST Cybersecurity Framework (CSF) to organize yourself makes great sense.

Not sure where to begin? Drop me a note and I’ll be glad to point you in the right direction.

You Need A New Strategy on Malware

IT security firm Webroot just released their 2016 Threat Brief. One of the highlights was that:

…97 percent of the malware encountered by its user base in 2015 was unique.

That means hackers are relying almost exclusively on malware that constantly generates new variants to avoid detection by signature-based anti-virus tools.

Source: Wikipedia

Webroot said the number of malware family variants skyrocketed from 14,000 in 2014 to 130,000 in 2015. Similarly, the number of observed family variants of adware, spyware and other unwanted non-malware apps jumped from 1,000 in 2014 to 90,000 in 2015.

This suggests attackers are making their code:

…more difficult to detect, using polymorphic distribution models and rapid new variant generation to circumvent traditional detection methods…

Meaning, the bad guys are working really hard to bypass endpoint security products to phish, social engineer, and otherwise exploit your end-user.

What’s the big takeaway? Detecting malware on your endpoints is almost a lost battle. It’s still worth doing, but your best next move is to get very good at detecting the consequences of bad infections: The attempted theft of money or data BEFORE it gets taken.

Ask yourself: What are the indicators of compromise? How can I detect them? Am I ready to respond at a moment’s notice?

If you don’t have these answers, you need to get them. Soon.