The recent PLUS Webinar “The Rising Specter of Cyber Risk for Directors & Officers” was very popular and generated a number of audience questions, several of which were not able to be addressed during the live event. But fear not! PLUS staff forwarded the questions to the panelists, who submitted the following responses.
If you’re looking for answers to your Cyber Liability market questions you’ll definitely want to attend the 2015 PLUS Cyber Liability Symposium, September 17 in Chicago. Registration fees increase on Wednesday of this week, so register right now and save $125!
Question 1: While there are troubled classes that have a reduction in capacity and increase in rate, isn’t every industry that holds onto information a target still? Do you think the market will start to catch up to these other industries that aren’t “high profile” targets currently?
Mark Mao (Kaufman Dolowich & Voluck): It is correct every business holds information. Whether something is “protected” and/or “personal” information is a different matter. Some industries have protected information that is not necessarily personal, such as those in utilities in California. (See CC Section 1798.98 [definition of “data”].)
There is also the danger that new law can hold businesses liable for “inaccurate privacy policies,” like the FTC does, on some theory like a “fraudulent inducement to buy products” theory. You see that going on in the Neiman Marcus case. But these theories may be shot down as well.
So the answer is yes, and maybe.
Emy Donavan (Axis Capital): Relative to whether or not the market will start to catch up with other industries that aren’t currently high-profile targets, there are a few ways to answer the question.
Certain data are more valuable than other data. One of the consistent themes we’ve seen in breaches/hacks is that those clients with “less valuable” data (and just less data generally) are targeted less frequently. For example, payment card information is much easier to monetize than would an email address be. That’s why the retail sector (among others) has been so heavily targeted; it necessarily touches and/or maintains a significant volume of easily monetizable data.
This does not make clients holding “less valuable” information (PII/PCI/PHI) impervious to a breach that could result in some form of loss. For example, many companies maintain username/password combinations in unencrypted format; a breach of this data can be easily used to fraudulently access money in a bank account – assuming the customer uses the same username/password combination for accounts, which many unfortunately do. However, such scenarios are more of account-by-account underwriting issues than systemic industry-specific issues. Because of this, I don’t think that new attacks on industries not currently targeted will be the trigger for a firming of pricing or reduction in limit available for such industries – at least in the short-term. There’s still a significant question of how hackers will attempt to exploit the Internet of Things (IoT) as companies become more reliant on smart-devices – which may begin to drive business income interruption and other losses in traditionally non-targeted industries, such as manufacturing and agriculture. My guess is that such issues are not going to play out for another several years based on the current adoption rates of such technologies.
What would concern me more would be significant additional losses in known “troubled classes”, which – if sufficiently common and severe – could cause various insurance companies to withdraw from the cyber marketplace due to inadequate return on equity or unacceptable loss ratios on a book basis. Such a reduction in available capacity could harden the market to the point where even historically profitable classes of business are forced to pay higher rates. Whether or not this happens depends much on the way individual insurers build their cyber books, and how quickly loss payments associated with breaches in troubled industries are realized.
Question 2: NIST standard seems to be the default judicial standard…
Mark Mao: There is no current “de facto” judicial standards for FIPPs, but the standard applied will vary based upon jurisdiction (eg. Japan, UK have different standards), information (HIPAA) as well as industry and regulator.
- OECD’s principals is still considered the “original standard,” although with the advent of tracking some of those had to evolve as well. Compare that to APEC’s, which is considered more advanced, but still was based on OECD’s.
- The FTC, DOJ, FCC, and etc., all published their own standards as well. Then there is HIPAA.
- The trend seems to be to follow FTC’s FIPP currently.
Question 3: On presentation slide 7- -what does severity represent in this slide? Number of records?
Mark Mao: Breadth of information.
Slide #7 from August 3 PLUS Webinar
Question 4: What is SIEM?
Patrick Bedwell (AlienVault): SIEM stands for Security Information and Event Management. SIEM is the security industry term for an event management platform that correlates security events from a range of data sources. It analyzes log files from firewalls, anti-malware, intrusion detection systems, applications, and so forth, and identifies related security events or patterns of malicious behavior that would be difficult or impossible for a security analyst to spot.
For example, with the right correlation rules, a SIEM could link a user’s multiple failed login attempts, followed by a successful login (a sign of potential password cracking), followed by that user escalating his access privileges on a server containing customer data (to gain access to the file containing the regulated data), followed by that user copying the customer data and then attempting to communicate with a known malicious host (to harvest and exfiltrate the data). Taken in isolation, each of those events are suspicious but not necessarily indicative of a breach. Taken together they represent an obvious breach scenario.
The SIEM correlates those events only after sifting through potentially millions of normal network events collected (normal network operations can generate hundreds or thousands of events per second) to find those few indicators of compromise.
Question 5: What is DLP technology?
Patrick Bedwell: DLP stands for Data Leak Prevention. DLP is a technology that detects and blocks sensitive data (such as credit card numbers, IP, and so forth) being sent outside of a network. This technology is used to meet regulatory requirements for data privacy as well as best practices for reducing the potential for a data breach. Depending on the sophistication of the technology, DLP can use a wide range of rules (such as pattern matching, statistical analysis, regular expressions, meta data tags, and so forth) to detect content in a wide range of data formats.