Cyber insurance between the lines

Close call


It's a security professional's nightmare. Not a new virus or worm. Not a hacker from outside trying to penetrate perimeter defenses. Not even an attempted denial of service attack. The nightmare scenario is the "Jayson Blair" syndrome -- the trusted insider gone bad.

That can mean stealing information, destroying files, or virtually shutting down an entire company through the use of a Trojan horse or logic bomb. There are some attacks for which there is no perfect defense. Perimeter defenses don't work against insiders. Validation procedures may not work where the user can legitimately log in as root. Checks and balances, such as the "two person" rule, work only when properly implemented and rigorously adhered to.

So, we prevent the harm we can prevent, and insure against the harm we cannot prevent -- right? Do "computer crime" insurance policies make sense? The answer is, it depends.

Consider this cautionary tale from the United States Court of Appeals for the Fourth Circuit in Richmond, Virginia, decided in late April, which illustrates the problem. Like most companies, NMS Services Inc., a software development company, had insurance. It had the kinds of insurance typical companies have; but like most companies, it did not have special "cyber insurance."

They hadn't counted on their systems administrator, John Powell. While still an employee of NMS, Powell wrote a series of "back door" programs that allowed him access to the NMS systems and decrypted passwords. You already know what happens next. After being fired from NMS, Powell accessed the NMS computer systems and deleted and destroyed data.

When the smoke cleared from the cyber sabotage, NMS dusted off their general liability insurance policy, and filed a claim against the Hartford Insurance company. Hartford, who also sold special computer crime policies that NMS had not bought, refused to pay. Lawsuits and appeals followed, and the lawyers descended.

The Devil in the Details

For decades the standard batch of insurance policies a company would purchase remained mostly unchanged: a typical portfolio would include employee dishonesty, general liability, fire and casualty, director and officer.

But with the advent of the Internet, companies were suddenly engaged in a brand new form of risky behavior. Virtually all of their critical information and data was now accessible by not only all of their employees, but also potentially to the world. E-commerce posed new risks of fraud, dishonesty, identity theft, destruction of property, theft of information, electronic espionage.

But insurance companies have been slow to respond to these new threats, principally because they had very little empirical data from which to generate underwriting criteria: how much to charge for insurance, what to cover, what kinds of losses are subject to claims, and what mitigation procedures would entitle clients to discounts on such insurance.

But here's a secret: most companies already have cyber insurance -- they just don't know it.

For years companies have been purchasing insurance policies to protect themselves against all kinds of fraud or theft -- whether committed on paper, or through computers. For cyber insurance to be worthwhile from the insurance company's standpoint, the company not only has to develop underwriting criteria, but more importantly, it must exclude claims related to computer attacks from existing insurance policies.

Reducing the scope of insurance policies is not always an easy thing to do. Astute customers will balk -- either insisting on a reduction of premiums, or insisting that the cost of both regular and cyber insurance be no greater than what they were paying before. The trick is in deciding what is and what is not covered in the general liability insurance policy.

The Lawyers Descend

NMS had a general liability insurance policy which excluded dishonest acts of employees, but did not exclude "acts of destruction" committed by employees. Powell inserted his back doors while he was an employee, but deleted the files after he was terminated. The insertion of the back doors and password crackers was an act of dishonesty by an employee that was not covered by the insurance policy, but caused no immediate damage or loss. The exploitation of these back doors caused loss, but may or may not have constituted an "act of destruction" and may or may not have been attributable to an "employee."

It is on such details that lawsuits are made.

In this case, the victim of the cyber attack won. The federal appeals court found that NMS did have insurance that covered not only the losses resulting from Powell's exploitation of the back door, but also the costs of responding to the incident and the losses resulting from lost profits and business income during the downtime. The court concluded that the attack constituted a "direct physical loss of or damage to property" and that the policy covered the cost of restoring "valuable business papers or documents."

"The substantial portion of Powell's actions took place while he was still an NMS employee, making Powell, for purposes of the dishonesty exclusion . . . an employee who committed a dishonest or criminal act," the court wrote. "However, NMS's property was not only damaged, but was completely destroyed by an employee, Powell, which triggers the exception to the dishonesty exclusion."

But it was a close call, this ruling. NMS's insurance policy included a specific endorsement addressing coverage for "computers and media." The endorsement modified the underlying policy and indicated that coverage for losses involving computers must be provided under the endorsement. The computer endorsement specifically excluded coverage of any loss "caused by or resulting from [the] dishonest or criminal acts by ... any of your ... employees ... or anyone to whom you entrust the property." At the time of the destruction of the files, Powell was either an employee or a person to whom NMS had "entrusted" its property. One of the three judges deciding the case dissented in the opinion based upon this language.

Either way, the lesson from the NMS case, and the fact that it was litigated to begin with, is that companies should carefully review all of their current insurance policies.

Insurance policies typically have limitations, exclusions, inclusions and endorsements that are confusing and in some cases mutually contradictory. When we do risk assessments, we determine the most likely scenarios of attack, and the potential damages or losses resulting from these attacks. The basic rule of thumb is to first identify the risks associated with a business or process, mitigate or eliminate those risks that it is cost-effective to mitigate or eliminate (there is no such thing as zero risk), and finally, insure against those risks that it is not cost-effective to eliminate.

Find out now if you have insurance that covers both insider and outsider attack. Does it cover lost profits? Does it cover cost of reconstruction and response? Do newer policies exclude from coverage anything that is relevant to your business, and do you need more comprehensive insurance?

In this case, the court bent over backwards to read the insurance policy in a way that would give NMS the coverage that it likely thought it had. In future cases, victims of computer crime may not be so lucky. The time to prepare is now -- before the lawyers descend.

© SecurityFocus.com

SecurityFocus columnist Mark D. Rasch, J.D., is a former head of the Justice Department's computer crime unit, and now serves as Senior Vice President and Chief Security Counsel at Solutionary Inc.
