WannaCry, healthy paranoia and certificates of insurance

Attention risk managers – do you still think you can dodge the cyber bullet?

When hijacked computers can be frozen with impunity, when the British Health System cannot treat patients, when Russian police forces cannot do their job and Hitachi, Nissan and 40,000 Chinese institutions are held hostage it is inescapable that nothing is beyond the reach of the burgeoning and profitable business of cyber crime.

It's a good time to get a little paranoid.

There are several key issues at play and they are intertwined – what are your internal policies and procedures related to cyber security, how do you handle third-party tech service providers, and how does one affect the other? As the global base of installed software continues to sink and the rate of cloud service adoption reaches the stratosphere the need for an umbrella-like approach to cyber risk control is written plainly on the firewall.

The impact of the WannaCry attack could have been substantially mitigated had more organizations followed Microsoft's advance warning and installed the patch that would have denied access to that particular type of intrusion. The fact that it was so largely ignored squarely places blame on those most affected, so first things first – we need to look in the mirror.

So, how are you doing with this complicated, technical, organizational challenge? Feeling overwhelmed is probably the new normal here. Everyday there's another incoming barrage of bullets, and you may not even have the basic resources or capabilities to avoid being hit.

According to Symantec's annual Internet Security Threat Report, 60% of all cyber-attacks are against small and midsize businesses (SMBs). They make good candidates precisely because of their size – they lack the horsepower of the big firms who can build and maintain a fortress-like environment around the enterprise, and there are a lot of SMBs. That makes for millions of targets with more favorable conditions for a successful attack. The criminals benefit from better odds and economies of scale.

Regardless of size, all companies should have some basic steps in place:

1. Instill cyber-awareness in the organization. Starting with senior management commitment, establish collective buy-in, training and participation throughout the business. Cyber security is not just an issue for the IT department to worry about.
2. Develop a written information security plan. From email to USB drives, file storage, mobile devices and messaging apps, identify and enforce security policies, goals and priorities.
3. Establish boundaries. Define and control access to certain hardware, networks and company information and build appropriate security safeguards.
4. Plan for the worst. Preparedness is key to surviving the fallout from the next criminal effort. Have an incident response team armed with procedures for all the various hostile cyber-events that could affect the business along with methods for eradicating the root cause of the attack.

Risk assessment of cyber problems related to third-parties, such as technology service vendors and providers of cloud-based services, call for a different set of considerations. Contract language is increasingly used as one forms of defense, with buyers calling for proof of specific lines of cyber insurance coverage carried by the vendor, and that this proof be evidenced on the vendor's certificate of insurance.

In cases where sensitive personal or financial data is being handled by the vendor, the right to timely notice in the event of a vendor's security breach and the right to perform a security audit of the vendor's security protocols is now being seen.

Implicit in the movement to vendor security accountability is the need for the buyer to have established certain minimally acceptable vendor security standards, and to make evaluation of those standards part of the selection and contracting process.

 

It is an unfortunate fact of life that risk managers must come to grips with the reality of a permanent and continuous threat to the cyber security of their enterprise. Nevertheless, a security breach is no longer a question of "if" it is a matter of "when," and ultimately only a random handful will ever escape that inevitable bullet.