Obama Cyber Commission Sets Final Public Meeting in Preparing Advice for President-Elect Trump

President Obama’s Commission on Enhancing National Cybersecurity will hold its final public meeting this month, at which it will prepare policy recommendations for the transition to the new Trump administration. President Obama created the Commission to improve the nation’s cybersecurity posture with both short- and long-term strategies in mind, including an industry-government partnership on voluntary standards. The presidential group has also been working hard to finish the Cybersecurity National Action Plan (CNAP), which includes a government-coordinated response plan for significant cyber-attacks.

President Obama has been vocal about his pledge of a peaceful transition, something he credits the Bush administration with mastering in his first days in office. They “could have not been more professional or gracious” in assisting the Obama team during the transition. While President-elect Trump has promised to undo many of Obama’s major policies, both the President and President-elect have stressed the need for better cybersecurity practices and more federal funding for cyber. As a result, the White House hopes it can help “guide the incoming Trump administration on advancing cybersecurity policies that build on the progress of an industry-government partnership on voluntary standards, while going further to address emerging and evolving threats,” according to a recent Inside Cybersecurity article. The Commission on Enhancing National Cybersecurity will hold a call-in meeting on November 21 asking for public input, and will address its progress on developing policy recommendations for the transition.

FBI Warns Internet Online Attacks on Private Industry Will Continue

The recent distributed denial of service (DDoS) attack on internet service provider Dynamic Network Services Inc. (Dyn), which disabled the websites for major corporations such as Twitter, Spotify, Netflix, Amazon, Tumblr, Reddit, The New York Times and many others, not only serves as a wake-up call for organizations of all sizes, but a warning as well, according to the FBI. The agency has warned private companies that cyber-attacks through thousands of connected devices, known as the Internet of Things (IoT), will only increase in number. “The exploitation of the IoT to conduct small-to-large scale attacks on the private industry will very likely continue,” explained the FBI in an October 26 bulletin to private organizations.

Further, an FBI spokeswoman explained, “In furtherance of public-private partnerships, the FBI routinely advises private industry of various cyber threat indicators observed during the course of our investigations. This data is provided in order to help systems administrators guard against the actions of persistent cybercriminals.” The reason this threat will remain, the FBI explained, is that the source code used in the attack, known as Mirai, is publicly available. Anyone with technical skills can set up their own “botnet” of hacked IoT devices to overload websites with traffic from tens of thousands of IP addresses. Director of National Intelligence James Clapper said Russia is not believed to be the culprit, as the attacks do not appear to be government-based.

Los Angeles: Warm Weather, Movie Stars — and 100 Million Monthly Cyber Attacks

Los Angeles, a magnet for movie stars and warm weather, is also one of the largest targets for cyber-attacks in the world. As the second largest city in the nation, L.A.’s massive data responsibilities create an enormous range of security challenges. “We receive a massive amount of automated cyber-attacks every month, about 100 million,” said Ted Ross, the city’s CIO. To combat this issue, Ross reports that the city has made significant improvements to its cybersecurity in the last two years, such as the construction of a $1.8 million Integrated Security Operations Center, which consolidates threat intelligence. Consolidation has helped to speed up threat response and coordination. L.A. is sharing its findings with the FBI, Homeland Security, and the Secret Service in an effort to coordinate with other governments and cyber professionals. Ransomware remains at the top of the list of L.A.’s worries, but the city does feel confident in the security of its Internet of Things infrastructure.

Madison County Government Pays Ransom with Insurance Cash

Ransomware attacks are on the rise across the country, with hackers reportedly extracting $209 million in ransom payments in the first three months of 2016. Madison County fell victim to a ransomware attack on Saturday, shutting down nearly all county services. Following the attack, commissioners gathered in an emergency session to discuss their options. Although the full implications of the attack remain unknown, and no personal information appears to have been released, the commissioners voted unanimously to pay the ransom, though they are still hoping to find a way to fight back. “We’re following the directions of our insurance carrier,” said Madison County Commissioner John Richwine. While he did not reveal the amount paid to the cybercriminals, Richwine explained that it was not as much as one might think, and that it is covered by the county’s cyber insurance policy with Travelers once a deductible is paid.

Selling Cyber Policies to Small Businesses

According to Symantec’s 2016 Internet Security Threat Report, 43 percent of phishing attempts targeted small businesses in 2015. Despite this figure, only five percent of small and medium-sized enterprises (SMEs) are believed to have a cyber insurance policy in place. While businesses of all sizes are aware of the potential impact cyber-risk has on the organization, decision makers choose not to purchase cyber insurance for a variety of reasons. To help small businesses make the decision to purchase cyber insurance, a PropertyCasualty360 article explains there are a number of things a broker can do to help SMEs offset that risk.

IBM’s 2016 Cost of Data Breach Study puts the average cost of a data breach at about $4 million, with the average stolen record costing about $221. With the increasing number of cyber-threats in the United States, a cyber-attack on your organization is almost inevitable. Compared to the potential loss following a data breach, the decision to purchase cyber insurance may ultimately be the reason an organization is still functioning. Moreover, cyber liability insurance is not nearly as expensive as many perceive – relative to other lines of insurance, basic cyber liability coverage is actually fairly inexpensive. Brokers must also explain to SMEs that storing data in the cloud does not guarantee safety. Cloud providers often have hold-harmless agreements, meaning the provider is exempt from liability if any or all data is lost in a data breach. Lastly, while the data breaches making headlines usually involve large corporations or government entities, cyber-attacks are happening to SMEs every day, in every city. Small business owners must understand they are just as likely, if not more likely, to be the target of an attack, primarily due to inadequate cybersecurity practices. Cyber insurance can not only help mitigate the risk on the back end, but it can also ramp up cybersecurity practices on the front end through employee training opportunities and mandatory cybersecurity requirements. While it is important that organizations of all sizes strive to protect their data and stop a breach before it occurs, a cyber liability policy can, at the very least, help hedge the costs of a data breach if one were to occur.

Your Cyber Insurance Isn’t Protecting You from Elite Hackers

Although cyber insurance is generally written via manuscript policies, and each policy is thus unique in nature, cyber policies are becoming more robust and encompassing. However, one particular exclusion exists in the overwhelming majority of cyber insurance policies: cyber-attacks involving nation-state hackers. While government-affiliated cybercriminals have been at the crux of recent cyber-talk, cyber insurance policies often “explicitly exclude acts of war and ‘warlike operations.’” Many policies “also exclude acts of broadly defined foreign enemies, government actors and terrorism,” said Robert Morgus, a policy analyst in New America’s International Security Program. This raises the question – who, then, is responsible for attributing the cyber-attack following a cyber insurance claim?

A recent CyberScoop article suggests that carriers will likely avoid taking the insured to court over attribution of a cyber-attack. “Generally speaking, liability exclusion details are difficult to study because most cyber insurance contracts are confidential in nature,” Morgus explained. “Legal experts say there has yet to be a case where the insurance company or a breach victim has specifically challenged the attribution of an attack in court.” Nonetheless, exclusions for “acts of war” by “nation state hackers” are common, and in order to attribute the attack to the cybercriminal(s), the insurer will ultimately have to bear the costs of a digital forensic investigation. As a result, it is believed that carriers will continue to avoid such a potentially messy legal battle over attribution.

Gaps Starting to Close in Cyber Insurance Policies

Insurance attorney Scott Godes warns businesses to make sure they’re covered in the gray areas – referring to the rift between cyber policies and traditional crime coverage. However, some insurance companies, such as Willis Towers Watson, are looking to fill those gaps. Willis recently announced its CyFi plan – short for cyber insurance and fidelity. The new plan is intended to fill the gap, will sit excess over the crime policy and cyber policy, and will also be available to industries outside the financial field. Godes notes that the new CyFi plan goes further than any other to date, and makes several recommendations on what to look for when buying policies.

Aon Beefs Up its Cyber Insurance Portfolio with Acquisition

In order to meet the newfound corporate demand following cyber-attacks against Target, Home Depot, and Sony, Aon last month acquired Stroz Friedberg – best known for helping the likes of Sony and Yahoo mitigate damage from breaches. Although 60 vendors offer cyber insurance of some kind, none currently accounts for every type of contingency associated with a cyber-attack. This acquisition intends to fill some of Aon’s own gaps, adding incident response and other capabilities to Aon’s portfolio of cybersecurity assessment and risk transfer services. Aon’s CIO says Stroz will help clients mitigate cyber incidents more rapidly, which correlates directly with reduced claims. Bruno also adds that Aon may acquire more companies as it seeks to add real-time data analytics capabilities, something that will become more critical as the Internet of Things (IoT) expands to more industries.