Does Your Vehicle Insurance also provide you Cyber Insurance?

Cyber Security specialists have recently demonstrated how a commercially sold car can be effectively taken control of by a remote “Hacker” leading to disastrous consequences.

This article in Washington Post graphically sketches how a hacker can cut off the engine or disable the brakes or even turn the steering wheel by hacking in to the Jeep Cherokee marketed by Chrysler. What is more alarming is that this is not a “Google Car” meant to be remotely driven but a conventional car with the infotainment connected to the internet and perhaps independent subsystems that are managed by electronic sub systems in the car.

Apparently, the hackers have gained access to the infotainment system through the internet and once into the subsystem within the Car’s electronic system was able to jump across to other subsystems taking control of each one of them.

It is obvious that malicious hackers can exploit similar vulnerabilities and cause death and mayhem on the roads.

While Chrysler in response has reportedly recalled about 1.4  million vehicles and also issued a patch to plug the vulnerability, the risk of cars being vulnerable to hackers is staring all Car manufacturers as well as Car users.

india_insurance_logo_2

The biggest beneficiary of this demonstration is however the info-sec community as it opens up more critical job opportunities for them in the automobile sector. But the automobile users will now remain under constant threat of being exposed not only to risks of mechanical failures but also the technological failures and additionally, the cyber criminals.

In the context of Cyber Insurance that we are discussing through these columns, it now appears that a Car accident can happen due to such hacking incidents and the Insurance companies may have to deal with claims of accidents that cannot be logically attributed either to a driver’s mistake or to any identifiable external reasons. The claimants will have a lot of difficult to explain the cause of an accident as finding evidence will be extremely difficult. Perhaps the damage assessers need to be not only mechanical engineers who check the mechanical failures but also “Cyber Forensic” specialists who will check the log records of all electronic systems in the Car.

The question that arises in settlement of the claim is whether the policy which covers “Mechanical Failures” will also cover “Electronic Failures” and “Cyber Crimes”. Ideally the current policy should cover damages occurring due to malfunction of a mechanical part whether it is because of internal defect or an external hacking, unless the risk is specifically excluded.

The publicity now generated to the hacking event should be sufficient to consider that the Insurance company is aware of such risks and hence if the risk is not specifically excluded, it should be considered as “Included”. In other words, the Insurance companies will have to accept the  uncomfortable truth that  the current Vehicle insurance policies are also “Cyber Insurance Policies”

The problem demonstrated in respect of the Chrysler automobile is also relevant to the managers of Digital India who need to manage an environment which includes “Internet of Things”.  With a similar argument we can say that the current insurance policies that insure damages of white goods or other properties should be also considered as covering risks arising out of electronic component failure either due to natural causes or through hacking.

While the manufacturers of internet exposed devices need to worry about the information security aspects, the Insurers need to worry about how they would cover these risks.

The future of the Cyber Insurance industry appears to be exciting.

Naavi

Related Article:

In USA today

In Cnet.com

If you have not yet responded to the online India Cyber Insurance Survey 2015, please do so now.

 


Why We cannot spare 20 minutes for a cause?

P.S: This is a reproduction of what I posted today at Linkedin.

Cyber Crimes is accepted as a big concern for all of us. When there is a phishing attack that wipes out the bank account of a victim or a cloned credit card is swiped to hoist a person with a crippling debt, we all bemoan about the risks of Cyber space. However, we the professionals think that we are immune to such attacks and think that it only affects our neighbor.

However a normal risk analysis indicates that since we the professionals use more of IT, app banking, app payments, e-retail purchases etc., we are more vulnerable than those who seldom use credit cards or e-banking and whom we dub as the digital illiterates who respond to phishing emails. Also with the growing use of malware to intrude our systems the traditional mode of stealing identity information by social engineering is only one method against which we may be immune. More breaches occur through simply being present on Cyber space…all of us are at higher risk on this account since we spend 18 hours of the day in Cyber space.

Further, in our professional environment, most of us have responsibilities to protect information of our company. We know that “Data Breach Risk” is very much present in our environment. Each day we feel lucky that yet another day has passed without a major information security issue in our midst. Many of us thank our stars that Indian public are unaware of their rights to demand compensation when their personal data is not protected by us as required under law. Otherwise incidents such as Anthem data breach can wipe out even our IT majors in a single data breach incident.  Despite this, at the organizational level we have not factored “Potential Third party Liability Risk” as a part of our dashboard.

In these circumstances, a group of professionals like me thought it necessary to wake up the Cyber Insurance Industry in India and in the process have undertaken an India Cyber Insurance Survey 2015 . 

The objective of this survey is to capture the perception of the user industry on what they expect  from a Cyber Insurance product.

Information about this survey with a request for participation has been sent to most of the Information Security professionals in India. However the response to participating in the survey is pathetic. The survey which takes hardly 20 minutes to complete (More if one wants to understand the questions and the import of each question) has seen very few information security professionals responding.

This apathy amongst informed professionals who should be able to appreciate the importance of Cyber Insurance for their own profession and the community in general raises an important issue of human behaviour which is important for all Information Security professionals.

The key here is “Motivation”. Obviousy, our IS friends are not motivated enough to participate in the survey. I am trying to analyze why there is this reluctance to participate in the survey and here are some of my thoughts drawn from my earlier observations  on the “Behavioral Aspects of Information Security” expressed at naavi.org.

In the “Theory of Information Security Motivation” that I have propounded, I have identified 5 elements to be managed for successful implementation of Cyber Security in an organization. I have also propounded that these five elements are like five walls of the security pentagon as shown below and have to be simultaneously managed for successful implementation of information security through management of people.

This theory may explain why our staff does not follow the policy guidelines even after a training (creating awareness) and what more needs to be done.

Applying this principle, I am trying to understand why the Information Security professionals are not responding to participating in the Insurance survey and would like to share my views in this forum so that readers can respond.

Through various forums such as email groups, and articles on naavi.org, enough awareness has been created on the survey, its purposes and benefits.

The next question is…Can this awareness be converted into “acceptance”?. In an organizational environment, “acceptance” can be achieved through “Ethical declarations”. But in a loosely connected social media network, “acceptance” has to come only out of self motivation. I however make an attempt by making this request to all my friends in this forum, at least those who are in India to take a vow today to complete the survey questionnaire during this week end and be part of the larger cause to start a national debate on Cyber Insurance. (More of my views on this can be seen at www.naavi.org)

The third element of the TISM pentagon is “Availability”. In the IS implementation context this represents the provision of technology tools to the employees by the organization. In the context of this survey, we have the tool as an online form easy to access through a single click.

Mandate represents the policy in the organizational context and cyber laws in the national context. Obviously, this cannot be used by us on the prospective survey respondents. Let’s agree to leave this wall open.

Inspiration represents the element which goes beyond the efforts of a CISO to push implementation and represents the self motivation instincts present in all professionals. Most of the members of this forum have an element of self motivation which has enabled them reach certain levels of professional excellence. Even those who have not yet reached professional high points, have come to this platform only to prepare themselves in the future.

I therefore see that out of the 5 elements of the pentagon, we have Awareness, Availability and Inspiration covered in our reach out to this forum. “Mandate” is out of the way and “Acceptance” is a shadow of “Inspiration”. With three and half walls covered, there is a interest leak in the other one and half walls that is perhaps delaying the professionals from responding to the survey.

I hope after reading this post, every one of this forum would complete the survey. I even invite my foreign friends to participate so that we do get a perspective different from the Indian friends.

So…the link to the survey form is : here: Click Now

Naavi

cyber_law_guruAndroid App available on Google Playstore

 


Hanover Survey on Cyber Insurance

india_insurance_logo_2

In November 2014, on online research was conducted by Hanover Research to understand the market for Cyber Insurance. (A Copy of the published Report is available here). The survey is supposed to have gathered information from 271 respondents, most of whom are from insurance underwriters in USA.

In the context of the first India Cyber Insurance Survey 2015 undertaken by the undersigned along with a group of IS professionals, the key findings of the Hanover survey is presented here for general information.

The Hanover survey focuses on capturing data on current prevalance of cyber security insurance and the policy forms it takes. Since Indian Cyber Insurance industry is in nascent form, the policy structuring used here is a replica of the forms used in USA and hence this survey findings have some indirect relevance to India as an influencer of what types of policies are made available by the Insurance companies here. On the other hand, the India Cyber Insurance Survey is attempting to capture the views of the prospective Insurance buyers and understanding what types of risks they would like to be covered in their perception of Cyber Insurance.

(P.S: The India Cyber Insurance survey is presently on and we are requesting as many respondents as possible to participate in it by completing the questionnaire available here  If you are reading this article, I request you to take 20 minutes off your weekend to complete this questionnaire)

One of the key findings of Hanover research is that even in US, only 46% of the Insurance underwriters have a Cyber Insurance practice, though 11% more intend to offer such services in the coming year.

Nearly 91% of the companies presently offering Cyber Insurance, appear to be providing the services only to an “admitted market” which we believe represents customers to whom other services are already being provided. In a way there is an attempt to limit the risk based on the “Known Client” rather than “Known Risk”. This is consistent with the hypothesis that Insurers are yet to understand the risks and cover it based on their perception of risk.

There is a general consensus that the market is set to grow though the expectation of around 25% is very small compared to what the Indian Insurers seem to be expecting which is in excess of 50%.

Interestingly the insurers appear to think that Data Breach is a risk different from Cyber Crimes and over a third of the respondents believe Cyber Crimes are more dangerous than data breaches. We suspect that the distinction is being made on the basis of whether a risk is triggered by an external attack (Cyber Crime) or through technology failure (errors and omissions which may include employee negligence).

The survey confirms that most of the prospective customers (40%) believe that they donot need cyber insurance and this is the biggest challenge faced by the insurance companies. An additional 30% feel that some form insurance against risks is already present in their systems. The apathy of 70% of the market is what is noted as a concern of the insurance industry. We hope to capture a more reliable information on this from the prospective insurance seekers in the India Cyber Insurance survey.

The survey also records that 69% of the underwriters donot have a dedicated staff to underwrite cyber security insurance and only 30% appear to have 11 or more persons working directly on drafting cyber insurance policies.  This supports the view that Insurance companies donot make a customized evaluation of risks and write policies and are not equipped to make such assessments.

The India Cyber Insurance Survey 2015 will be able to throw more light on the way Cyber Insurance should be structured based on the marker expectations.

We request all the readers to make a success of the survey by contributing their views and also persuading their friends to provide their views on the subject by participating in the survey.

Kindly circulate the survey form to all your collegues and friends and ensure large participation.

Naavi


The Zero-Day Market.. Some insights

india_insurance_logo_2

Zero-Day vulnerabilities are a category of software flaws that are exploited by cyber criminals before the software developer comes to know of it and fixes it through a bug fixing patch or upgradation. Since such vulnerabilities are not known to security companies such as the anti virus or anti malware software providers, the criminals have the maximum productivity for such tools.

Honest citizens would find it disgusting to know that there is a thriving market for exploits where the “Zero Day” tag provides carries a premium. As long as this market thrives, control of Cyber Crimes becomes difficult. Unfortunately, even some law enforcement agencies appear to be buying these tools for surveillance purpose legitimizing these criminal operations. This is similar to the arms trade in the physical market where there are countries which thrive by supplying arms to terrorist organizations and rogue nations.

Recently one of these underground operators in Italy called the “Hacking Team” which was a supplier of “exploits” was exposed. This was a typical inter-gang war type of operations where another hacker hacked into the Hacking Team resources and placed voluminous data in public domain. This not only revealed the customer list of this company which called itself a “Security Company” but also revealed how the company marketed its capability to supply Zero Day exploits, how it priced these services, the kind of warranties it provided to its customers etc.

A Case Study on the information now available in public domain is now available here.

One of the interesting aspects is an observation that the Zero Day exploits have a price of around $45000/- per month and the Hacking Team has even provided free replacement of exploits which were patched quickly by the software vendor as a part of its “Warranty”. It is also to be noted that the Italian Government was aware of the operations of the Company and did not think it was against either immoral or illegal. It is also depressing to note that many law enforcement agencies have been customers of this “Cyber Arms Supplier”.

It has been reported that US is considering a new law that may classify Information Security products as  “Cyber War Tools”. If this happens then the activities of Hacker Team and similar outfits will actually become outlawed.

It is time we as a society think how we react to such developments in the interest of the citizens. India being a major victim of Terrorism and an economy dependent on IT, needs to take up this issue with the UNO to formulate a strategy of dealing with  “Cyber Arm Dealers”. Perhaps there should be an international treaty sponsored by UNO which prevents Governmental patronage to such hacking outfits who will find their illegal activities rewarded in monetary terms. The public on the other hand will be the victims of the experimentation of these Cyber War tools development sponsored by state actors. Environmentalists who fight against nuclear testing need to turn their attention on the damage to the E-Ecosystem with the testing and development of hacking tools by organizations with their supporting state actors.

Naavi

cyber_law_guru

An Android App in Google Play Store


Do You Have a Question on Cyber Law?

cyber_law_guru

Spreading the knowledge of Cyber Law has been a mission for Naavi. In continuation of this effort, Naavi has launched an Android App which can be used for sending questions on Cyber Law to Naavi.

The App titled “Cyber Law Guru” is available on Google App Store.

This app is meant to answer general questions on Cyber Law as an educative exercise and not meant for legal consultancy. If you have any questions which you want to ask Naavi outside the App, please send an e-mail.

Naavi

en_app_rgb_wo_60


Should IS community be bearish on Cyber Insurance?

india_insurance_logo_2

Information Security Professionals think that all the talk of Cyber Insurance is nonsense since the risks are so huge that any company that insures Cyber risks is doomed to fail. Is this negative thinking justified?.. Let’s explore

Cyber Insurance is a concept where an insured person or organization looks to claim recovery of loss suffered by him on account of an adverse cyber event. The adverse cyber event could be a financial fraud in case of an individual who loses money in his bank account. In an organization, it could be a denial of service attack that causes business loss or a hacking/data theft that leads to reduction in business competitiveness. In the case of “Intermediaries” who process third party data, the adverse event could be also a theft or compromise of customer data leading to liabilities payable to customers.

While an individual will be happy if some body can provide insurance cover against losses on account of Banking frauds, he does not know if such policies are available and if available, what is the cost. Some Banks are persuading their credit card customers to take such fraud insurance but the costs are unreasonably high and are meant to cover the liabilities that the Banks are expected to legally bear. Why should a customer bear the cost if the Bank makes a payment against a forgery?. So the individual does not know how he should approach the Cyber insurance. But he does expect the Government and the regulators who are keen on digital India, to do some thing to ensure that financial risks of common day to day activities does not increase.  Hence there is a need for pushing the Government for a Cyber Fraud Prevention policy. Insurance companies are also not very keen on the retail market since it may be uneconomical for them to manage the business from the point of view of the administrative cost.

At the same time providing Cyber Insurance to corporate is considered a lucrative business for the Cyber Insurance Companies and this market is in a take off stage. There is however lack of statistical data of risks and hence the Cyber Insurance companies try to cap their liabilities by imposing several restrictions on the claims.

In fact the Information Security professionals generally dismiss the talk of Cyber Insurance since they think that the threats are so great that any body thinking of providing insurance to this sector is foolish. The more they know about the threats, vulnerabilities and the risks, the less confidence that they have on the feasibility of the Cyber Insurance proposition.

But what the IS professionals are not aware of is that the Insurance industry has seen risks of many types and devised its own ingenious ways of providing an insurance cover in an environment of uncertainty and still manage the risks.

For example, one way by which the Cyber Insurance companies manage their risks is to put a cap on their liability per claim or per incident with sub-limits of various types. Accordingly, in a DDOS liability, the Cyber Insurance  may place a limit on loss per hour of disruption and total loss to not more than say 1 day disruption etc. (This may vary from industry to industry). Similarly, in the case of data loss situation there can be a loss per data limit and a total data loss in a single event and in multiple events during the policy period etc.

As a result even if there is a loss of Rs 5 crores as estimated in a data loss situation, and the Company has a policy of say 25 lakhs, the actual loss reimbursed in a given data loss or a given DDOS disruption incident may be only say Rs 5 lakhs. Thus the risk of 25 lakhs that the company has underwritten is spread over 5 incidents in an year and if not the first, the subsequent losses can be attributed to the insured not taking adequate security measures despite an earlier warning which may be a reason for rejecting a claim. As a result, despite underwriting a policy of Rs 25 lakhs and despite the insured suffering a loss of more than Rs 25 lakhs, the Insurance company may not really lose Rs 25 lakhs.

Some may jump to a conclusion that this is not fair. But what the insured need to understand that just as an IS professional manages his technology risks, the Cyber Insurance professional manages the financial risks and he has to have his shields. In the process, it becomes necessary for the IS professional to ensure that “Similar” security breach incidents donot occur repeatedly in his company and “Each security Breach” does not result in a run away loss and it is his responsibility to ensure that the company returns to its normal business within a short time. Essentially, having an Insurance does not allow the IS professional to be complacent. He has to be more responsible.

The Information Security Professional therefore have to appreciate that Cyber Insurers are ingenious enough to take only such risks that they can bear. In fact, it is the best of the Information Security professionals who will be assisting the Cyber Insurance companies in formulating policy conditions, conducting a pre-insurance evaluation and claim assessment. The best of the forensic professionals are engaged by the industry to find out the root cause of an incident and whether there is any ground to attribute the loss to the negligence of the Company. So, the Cyber Insurers are fully aware of the risks they are underwriting and taken necessary steps to meet their liabilities even when a Zero day attack creates havoc in the insured company.

It is clear therefore that the Information Security Professionals need to shed their bearish outlook on Cyber Insurance industry and appreciate that this is an industry which is set to grow rapidly in the coming years. In fact, Information Security professionals should be excited about the new career opportunities that the Cyber Insurance industry is opening up both in the prospective users of the Cyber Insurance products as well as the Cyber Insurance industry itself.

Naavi