As businesses look to manage their cybersecurity risk, many have turned to insurance to cover the financial implications of a successful breach.
However, insurers naturally want to limit their own exposure to risk and the small print of the policy may limit some claims. In particular this can apply to IoT devices which represent a major unprotected attack surface in corporate networks.
We spoke to John Gallagher, VP of Viakoo Labs at security platform Viakoo, to find out more about IoT risks and how organizations can ensure that their security policy is acceptable to insurers.
BN: Why do IoT devices present such a major risk?
JG: IoT/OT devices in particular present an increasing risk to most organizations because of how challenging they’ve been to keep patched and secured, combined with their sprawl and scale in the organizations that use them (there are often 10x or more the number of IoT devices than IT devices, and they can literally be anywhere and not just in data centers). Despite being network connected like IT devices, IoT/OT devices are usually managed outside of the IT organization, such as in manufacturing, facilities, and physical security teams. These teams are often measured on factors other than cybersecurity, and therefore don’t have the skillset or motivation to keep up with the patching, password rotations, and certificate management to keep them secure. As a consequence, IoT devices now present the largest unsecure attack surface for most organizations. The good news is that with agentless, automated firmware patching/password rotation, and certificate management solutions, organizations have an exceedingly efficient way to reduce their attack surface in this area.
BN: How can enterprises ensure that these devices are safely added and maintained on the network?
JG: While all the standard best practices about modern cybersecurity hygiene do apply, the key to ensuring these devices are safely added and maintained on the network is automation. This is undeniably a greater challenge with IoT devices, which typically lack the same type of sophisticated and continuous management as normal IT systems. They cannot use agent-based patching solutions, and until recently, could only be updated manually. For this reason, organizations must take advantage of the latest developments in IoT security, namely agentless solutions that can support all types of IoT/OT devices as well as understand the relationship between the devices and their connected apps, as well as how they interact with the greater network. The scale of modern IoT systems requires that solution to be automated to act as a force multiplier for already resource-strapped security teams.
BN: How much will your insurer need to know about your cybersecurity policy?
JG: Think of it this way; insurers have a massive amount of historical data to base underwriting decisions for life, home, or auto insurance policies, and because of that policies can be issued and claims settled very quickly. For cyber insurance there is very limited data, and because threat vectors are constantly evolving in such a way that historical data might not be relevant to base underwriting decisions on. Therefore, insurers need to know details about internal cybersecurity procedures, cyber training, if you have automated threat detection and vulnerability remediation in place, number of incidents over time, and many other details. Expect this list to both grow over time and become more specific to your business – for example, if your company’s revenues and profits are based on IoT/OT devices you should expect a heavy focus on those systems in order to underwrite a policy related to them.
BN: Are there any particular policy exclusions that businesses need to be aware of?
JG: For cyber insurance there are a variety of exclusions, depending on what type of business it is and their cyber exposure. Prior knowledge exclusions in particular can impact an organization that already knows it is vulnerable or likely to be vulnerable to cyber attacks. Keeping track of prior incidents and risks can help you to work with your insurer with respect to prior knowledge. Recently insurers have tried to use War and Terrorism exclusions to prevent paying out claims for cyber breaches resulting from malware developed for warfare/terrorism purposes, but courts have found that once these exploits go into general use they cannot be excluded as acts of war or terrorism. Also worth noting are exclusions around unencrypted data; many insurers will require reasonable security measures be used such as encrypting data. Given the variety of systems and data (for example, video footage streaming from an IP surveillance camera) organizations need to ensure that all systems (not just core IT systems) have a security strategy to protect the data they are generating, processing, or transmitting.
BN: How often do you need to review your policy and what changes require you to inform your insurer?
JG: When it comes to cyber insurance there are very few cases where there will be a ‘SALY’ (same as last year) renewal. The cyber threat landscape is constantly changing, and both new forms of threats and new threat targets will change the underwriting decisions. Likewise the amount of documentation required by insurers continues to increase. These factors mean that time spent on policy renewals and dialogues with insurers on obtaining insurance are year-round events. In part this is because of the governance role that insurers play — rather than the government putting mandates and requirements in front of private businesses, they are having a private sector entity (insurers) take on that role. By working closely with your cyber insurance provider it helps them to understand the business realities, and it provides you with insight as to where governance is headed. It also can save you money by providing the right kind of data to your insurer in order to help reduce premiums and tailor the insurance to your specific needs. As the need to find and remediate vulnerabilities is now continuous, working closely with your insurer can help to guide overall risk assessment and measurement requirements within your organization.