Is cyber insurance your last line of defense? by Jeffrey Man
The recent spate of payment card breaches that have plagued the retail industry this year has prompted many merchants to consider investing in cybersecurity liability insurance policies to offset the costs associated with a breach recovery. These companies often make this choice based on the belief that the money they’ve spent to comply with industry security standards has failed to prevent these breaches from occurring, and there seems to be no other alternative. At least one recently filed claim has led to a lawsuit that will put these cybersecurity insurance policies to the test.
The key element of such lawsuits is determining liability -- who is at fault -- to determine whether the claims are justified and if the insurance companies will pay out. Finding a party liable for something means determining if the party was taking reasonable steps to prevent such actions from happening.
For the past ten years, the litmus test to ascertain if retailers (merchants) are taking reasonable steps to provide data security has been the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS provides a baseline of technical and operational requirements designed to protect credit and debit card data. All merchants are expected to adhere to the applicable controls detailed in the PCI DSS, and are responsible for validating compliance with the PCI DSS on an annual basis. The goal of the PCI DSS is to provide basic protections against known vulnerabilities and exploits -- basically, to maintain a secure network and systems -- and to put safeguards in place for detecting new attacks as they occur and for minimizing damage as early as possible.
PCI compliance has helped many merchants improve the overall security of their operations. But for various reasons, too many merchants have taken a bare-minimum, "check-box," cheapest approach to the compliance process. They have not embraced the concept that the PCI DSS is a baseline security framework that must be followed on a continuous basis rather than treating it as an annual audit exercise. But even for those merchants who have made the necessary investments in technology and security solutions, they often make the investment to meet the letter of the requirement without embracing or recognizing the true value of the technologies they’ve deployed.
While these merchants have enjoyed tremendous gains in revenues by embracing technology and the Internet, there seems to be too little understanding that the use of technology comes with the necessary cost of implementing adequate data security protections in their operations. Cybersecurity liability insurance might seem like a reasonable option, but it can become just another "check box" item that is a poor substitute for investing in security operations, resources, and personnel.
What these merchants are missing is a strategy and/or resources to integrate their security practices into business-as-usual activities that occur on an ongoing basis. The key to making this happen, after putting the security technologies and processes in place, is to continuously monitor the network to assure that the technologies and processes are functioning as expected. Continuous monitoring provides assurance that when the unexpected happens -- whether it is an active attack, evidence of malware, or processes that are not followed -- the event triggers an alert, the alert is recognized, and there is an appropriate and timely response. The latest release of the PCI DSS actually provides an outline of what these continuous monitoring activities should entail, including:
- Monitoring of security controls to ensure that they are operating effectively and as intended
- Ensuring that all failures in security controls are detected and responded to in a timely manner
- Reviewing environment changes to evaluate their impact on security operations
- Reviewing organizational structure changes to evaluate their impact on security strategy
- Conducting periodic reviews to confirm that security controls remain in place and personnel are following secure processes
- Reviewing hardware and software technologies (at least annually) to confirm that they are being supported by the vendor and can meet security requirements
Future litigation that determines liability will almost certainly focus on whether the retailer followed these guidelines and performed due diligence by enforcing security on an ongoing, real-time basis. Continuous network monitoring solutions provide evidence that security solutions and processes are followed on a daily basis. This will streamline the compliance validation process and will also substantiate future liability claims.
Jeffrey Man has compiled a rich knowledge base in cryptography, information security, and most recently PCI. With PCI impacting nearly every business vertical, he has served as a QSA and trusted advisor for both VeriSign and AT&T Consulting. As an NSA cryptographer, he oversaw completion of some of the first software-based cryptosystems ever produced for the high-profile government agency. Current Position: As Tenable’s PCI Security Evangelist, Jeff offers years of PCI experience and knowledge to help customers align Tenable products and services with the security best practices that are the foundation of the PCI DSS.