The New York Cybersecurity Rule

In December, the New York State Department of Financial Services (NYSDFS) issued a revised version of its proposed cybersecurity rule. It requires financial services firms that are licensed, or are otherwise granted operating privileges by the NYSDFS (Covered Entities), including the insurance industry, to establish and maintain a cybersecurity program, showcasing the State’s keen focus on cybercrime and security.

The changes reflected in the revised proposal resulted, in part, from the substantial public comments submitted in response to the original proposal issued on September 13, 2016. The Council was among those that submitted feedback.

Although the revised proposal is more closely aligned with a risk- or process-based approach to cybersecurity, The Council still has concerns. First, the revised proposal retains an extremely short notification window (72 hours) and continues to impose requirements relating to third-party service providers that could be difficult and costly for businesses to implement. Furthermore, the proposal still does not include a HIPAA exemption for businesses that are in compliance with that statute, and it has not limited the definition of covered entities to exclude captive insurers.

The NYSDFS is accepting comments on the revised proposal only until January 27, 2017. Given the short window, we ask that you provide input and comments to us by January 19. If you plan to submit your own letters, please shoot a note to John Fielding at john.fielding@ciab.com with this information.

This revised proposal will delay both the effective date and the original 180-day transitional period for businesses. Under the revised proposal, the rule will go into effect on March 1, 2017.

Your Cyber Insurance Isn’t Protecting You from Elite Hackers

Although cyber insurance is generally written via manuscript policies and is thus unique in nature, cyber policies are becoming more robust and encompassing. However, one particular exclusion exists in the overwhelming majority of cyber insurance policies: cyber-attacks involving nation state hackers. While government-affiliated cybercriminals have been at the crux of recent cyber-talk, cyber insurance policies often “explicitly exclude acts of war and ‘warlike operations.’” Many policies “also exclude acts of broadly defined foreign enemies, government actors and terrorism,” said Robert Morgus, a policy analyst in New America’s International Security Program. This raises the question: who, then, is responsible for attributing the cyber-attack following a cyber insurance claim?

A recent CyberScoop article suggests that carriers will likely avoid taking the insured to court over attribution of a cyber-attack. “Generally speaking, liability exclusion details are difficult to study because most cyber insurance contracts are confidential in nature,” Morgus explained. “Legal experts say there has yet to be a case where the insurance company or a breach victim have specifically challenged the attribution of an attack in court.” Nonetheless, exclusions for “acts of war” by “nation state hackers” are common, and in order to attribute the attack to the cybercriminal(s), the insurer would ultimately have to bear the costs of a digital forensic investigation. As a result, it is believed that carriers will continue to avoid such a potentially messy legal battle over attribution.

Hacker Guccifer 2.0 Claims New DNC Data Leak

For the second time in two months, servers affiliated with the Democratic National Committee have reportedly been hacked by an unknown entity calling itself Guccifer 2.0. The motives of the hacker or hackers remain unclear, but many sensitive documents were released. These included personal information on high-profile DNC donors, including Elon Musk, Steven Spielberg, Tom Hanks and Magic Johnson. Guccifer 2.0 also accessed documents detailing Democratic Party strategy in areas such as opposition research, events like the 2015 congressional recess and high-profile policy initiatives including the Iran Nuclear Deal. There are suspicions, backed up by CrowdStrike, a cyber security firm working on the DNC data breach, that the Russian government was involved, but the spokesman for the Kremlin, Dmitry Peskov, has denied all Russian involvement thus far.

Homeland Security Committee Meets to Discuss CISA

The House Homeland Security Committee’s subcommittee on cybersecurity met on Wednesday to discuss how the recently passed Cyber Information Sharing Act (CISA) is progressing. The subcommittee discussed information-sharing across the private sector while also critiquing DHS’s recently released guidelines for sharing cyber threat information within the private sector and with the government. On Tuesday, DHS released guidelines offering “assistance to info-sharing stakeholders by outlining protocols for the government to share information to industry, for industry to share with the federal government, for receiving cyber threat indicators from the government and for protecting privacy and civil liberties.” In the hearing, members and the panel agreed that more businesses need to participate in the program. Only 30 organizations are actively participating in the info-sharing portal on a day-to-day basis.

Chairman Michael McCaul (R-TX) began the hearing by explaining that while the passing of the legislation is certainly a start, the next phase will be implementation of the program. “The legislation was a major win for security and privacy, allowing companies to secure their networks and keep hackers away from our bank accounts, health records and other sensitive information. But we cannot be satisfied with this progress. We’ve got to be as aggressive as our adversaries, and we should aim to stay a step ahead of them,” said McCaul. One panelist explained that while only half of companies believe they are secure from a cyber-attack, organizations still fail to protect their networks. Americans view cyber threats as the second biggest threat, behind only ISIS. This underscores the need for organizations and the federal government to work together when sharing cyber threat information. Collaboration is also needed on the education aspect of fighting cybercrime. The hearing also addressed the difficulty small businesses face when sharing cyber threat information due to a lack of resources and funds, on top of the complexity of the program. The full hearing on the Oversight of the Cybersecurity Act of 2015 can be found here.

In other industry news, The Council would like to congratulate Ben Beeson, Cyber Risk Practice Leader at Lockton, for being awarded the 2016 Advisen Cyber Champion of the Year award for his outstanding contributions in cybersecurity.

Data Breach Costs Rise To $7M Per Incident, Study Says

According to a study by IBM and the Ponemon Institute, the average cost of a standard data breach (less than 100,000 records) is now barely over $7 million, with an average cost of $221 per record lost, a two percent increase from last year. Additionally, the global average for a data breach is $4 million. According to the partners, the cost will likely remain between $5 million and $8 million. Companies should plan permanent data security programs. Of the 64 companies surveyed across 16 sectors, the most prolific and damaging form of breach was a malicious attack. Unfortunately for some, the health care industry is the most costly, with an average cost of $402 per record compromised. In another study, Deloitte says that 95 percent of the damage caused to a company following a breach takes place over the next five years, as lost contract revenue and customer relations overshadow the immediate costs of reimbursement and litigation.

Many companies continue to suffer from data breaches: Wendy’s recently announced that the damage from its data breach is “considerably higher” than previously believed, and an Arizona federal court upheld a hole in P.F. Chang’s cybersecurity policy. Additionally, the U.S. Chamber of Congress and others want the FCC to limit the proposed data-privacy guidelines, arguing that they go too far or are inconsistent. In March, the FCC proposed rules aimed at regulating what and when ISPs can share customers’ data with third parties. Other rules cover customer opt-ins and opt-outs for data sharing, increased transparency notices, data breach notification policies and steps to strengthen internal data security policies.

FICO to Offer ‘Enterprise Security Scores’

The Fair Isaac Corp, more commonly known as FICO, is at the forefront of revolutionizing the assessment of cybersecurity threats. Known for its FICO credit score, a tool that provides a universal method for measuring credit risk, the Fair Isaac Corp has recently acquired the cybersecurity startup QuadMetrics in hopes of developing a universal tool to measure cyber threats. QuadMetrics utilizes technology developed at the University of Michigan. With funding from the Department of Homeland Security, QuadMetrics can analyze key data points from a company’s IT network in order to calculate the risk of a cyber threat.

FICO believes that the implementation of this cybersecurity score could be a great tool for insurance companies that provide cyber insurance. It will allow a quick and universal measurement of the likelihood that a company would be susceptible to a cyber-attack. This would be a great leap forward for the rapidly evolving cyber insurance world, because there is currently no cookie-cutter solution for analyzing risk, which makes it difficult for providers to gauge risks and set prices. Cyber threats are still new, so it is important to keep in mind that a solution such as a FICO credit score will not become an end-all-be-all. Companies that score high will not be immune to cyber-attacks.

Smaller Enterprises Still Seeking Help on Cyber Information Sharing

At a House Homeland Security cybersecurity subcommittee hearing on Wednesday, testimony was heard from many leading industry officials on the effects of the Cyber Security Act of 2015 (CISA). The purpose of this hearing was to determine what Congress can do to further assist companies in the buildup of their cyber defenses.

One of the main issues aired in front of the committee was the lack of awareness about this program among SMBs across the country. According to Ola Sage, founder and CEO of e-Management and CyberRX in Maryland, “In the law itself, there are only two references to small business, which highlights that this law is not directly focused on small businesses.” In her testimony, Sage also raised the issue of the lack of procedural goals that will entice these SMBs to sign onto what CISA is trying to accomplish.

There was almost unanimous consensus among the panelists that the process of signing up for this program needs to be streamlined so it does not cause problems or discourage smaller entities from signing up. Matthew Eggers of the U.S. Chamber of Commerce emphasized the long-term goal of this project, which is to create economies of scale with real-time sharing so as to allow faster recognition of, and even defense against, cyber threats. This would replace the human-intensive network that is currently slowing down information sharing.

Cyber Insurance is Changing the Way We Look at Risk

In 2011, Sony’s PlayStation network was hacked, with 77 million accounts affected, leaving the company with a final bill of $170 million in damages. Unfortunately for Sony, its general liability insurance didn’t cover the breach, which was later followed up by a court ruling confirming the insurer’s stance. Thankfully, having learned its lesson the hard way, Sony was covered during its 2014 breach. The company had cyber insurance, covering most, if not all, of the $100 million estimated cost.

Major corporations are not the only businesses targeted by cyber criminals; according to the Verizon 2016 Data Breach Investigation Report, 62 percent of all cyber breach victims are small to mid-size businesses, with an average cost of $3.8 million. Recent reports have the average as high as $7 million. In response to the meteoric rise in the threat of data breaches, companies are now developing breach prevention controls, strengthening cyber security and buying cyber insurance.

Cyber insurance policies are split into two coverage groups: first-party coverage and third-party coverage. First-party coverage covers an organization’s direct losses, while third-party coverage covers claims by third parties against the organization, such as customers or partners.

Unfortunately, developing cyber policies has become a challenge, as the criteria for coverage are difficult to quantify (business scale, sensitivity of data, security posture, etc.) and there is very little historical data. These challenges make providers wary and lead to high premiums with little coverage. Some companies are forced to adopt new technologies before they can be covered, and there is no way to know if their coverage will be sufficient. Anthem’s current breach is expected to cost the company $1 billion, greatly dwarfing its estimated $150-200 million policy.

This maelstrom of confusion is ripe for risk assessment tools. Companies like BigSight Technologies, SecurityScorecard and PivotPoint Risk Analytics have begun to develop these tools, while companies like the U.S.-based startup QuadMetrics will begin to work exclusively in the field of helping underwriters assess cyber threats. Established companies will most likely develop cyber security departments or “acqui-hire” current companies, while offering pre-breach and post-breach services.

Note From The Council 4/22/16

This week, we attended the Cyber Incident Data and Analysis Repository (CIDAR) Workshop hosted by the National Protection and Programs Directorate (NPPD) at the Department of Homeland Security (DHS). The workshop was attended by the insurance industry, CISOs, technology experts, critical infrastructure, information sharing organizations and others. Over the course of two days, participants pored over the 16 proposed data points that were identified by Cyber Incident Data and Analysis Working Group (CIDAWG) members in the fall of 2015 for collection in the CIDAR. DHS facilitators and CIDAWG members went over each data point’s proposed definition, what is meant to be gleaned by collecting that data, who would report the data, who is most interested in the data and the method by which participants will report the data.

There is a strong need and desire for a repository like this in the insurance industry, but there are a lot of information sharing mechanisms out there (ISACs, etc.), so the framers of this CIDAR have been careful to differentiate this one and carefully outline the unique value proposition of each data point.

We learned a lot from the experts who are trying to take on the daunting task of designing a data repository that can be used not only by the insurance industry – for underwriting and modeling – but also by the broader community for risk management and cyber defense. It has to be easy to use and able to collect data that is either already collected by companies or that can be collected without additional burden. The data points have to be simple enough to provide, but not so simple that they aren’t useful. Some data points might give companies heartburn, such as “Internal Skill Sufficiency” – did your company have the necessary skills to stop and prevent future incidents? If the answer is no, this opens your company up to liability, so you have to trust that your submission will truly be anonymous and that you have legal protection.


The work continues – DHS will release its fourth white paper reporting on this meeting in the coming months, and then there will be pilots to test the concept. At the end of the day, the CIDAWG can design the perfect data repository, but if a private entity doesn’t step forward to set it up, the concept stays on the shelf.