Tough talk about cybersecurity insurance and ransomware incidents

I discuss converting the hearsay from some reported incidents into tangible, actionable intelligence. A ransomware remediator initially reported some really high level unusable data. I pushed for more details, and got them, but immense questions remained.

I help you understand what you can do from a process and systems perspective in order to have provable, attestable, non-tamperable proof about the status of your systems. And I am including a list of questions below for you to ask your cybersecurity insurance provider.

 

Scenario:

Customer of IT service provider has their own insurance policy.

They get a business email compromise event. Insurer for the customer denies the claim on the basis that the IT service provider (MSP) was not using an email security service that was known to then security expert of the insurer. Further investigation reveals that the MSP was providing their own EDR service with hundreds of whitelists in place. (Whitelists are exceptions to security scanning, which is an extremely bad practice.)

The security expert for the insurer effectively claimed that the BEC occurred because they did not know who the email security service provider was, and they concluded that the EDR/EPP could not have been effective becuase the software was not known to them.

The distillation is that the product could not have possibly had security efficacy if it was unknown to the security expert.

 

There was no discussion about provable, non-tamperable, attestable configuration proof. It was around how that security product was not on Gartner and Forrester reports, the security expert thought that the IT service provider should not have using that tool. So they claimed that due care was not exercised and the claim was denied.

I find this quite suspect because the insurance company in question was insuring the customer of the MSP, yet the insurance company required no attestable proof of efficacy of security solution prior to issuing a policy. Nor did the insurance company require an assessment prior to issuance of a policy. 

 

The additional outcome of that was that the security expert for the insurer claimed that the IT service provider was asked how they validated their claim that the product was effective when it supposedly had no industry vetting. Industry vetting in this context simply means that the software/hardware company has engaged in a pay to play evaluation scheme known as Gartner and Forrester. 

Simply buying a product that has been rated in a pay to play scheme as effective has no bearing on its configuration in a particular environment or context. NONE. Therefore, it should not be of any bearing in an evaluation of coverage. If the facts of this case as reported on a forum were true, then the insurance company sure needs to get its act together and require attestable proof of configuration efficacy before issuing a policy.

 

The BEC customer is then suing the MSP (IT service provider).

 

Some of the data we do not have is the content of the contract for service between the MSP and their customer.

I also do not know what security coverage the customer declined but that the MSP offered.

We do not know what other security measures were or were not involved.

We do not know if the customer was offered phishing testing and cybersecurity awareness training and then declined it. Ultimately, it was the action of one of the users at the customer's site that caused the BEC and ransomware incident to occur. Negligence or responsibility is not knowable to us based upon the limited information.

However, I think we can all agree that all parties involved would have been much better off if a viable ongoing configuration validation testing system would have been in place.

 

Let's ask some questions of the insurance providers.

• In the mind of the security expert for the insurer, what qualifies as “industry vetting”?
• What evaluation criteria is being used to determine if it is a covered event or not?
• What criteria do they have for software and hardware vendor selection by IT service providers?
• What configuration attestation do they require?

 

• What constitutes an incident that the insurer is comfortable with the IT service provider responding to, versus what they deem the entire environment must be put in stasis for?
• If this BEC scenario occurs and causes ransomware on endpoints, for example, what is the procedure that the insurer requires?

 

I have heard that the insurer requires that the IT services company do nothing. The covered party is supposed to call the insurer and then the insurer will send their incident response team.

• How long will that take? Is the internet connection supposed to stay on the entire time?
• When can a recovery from backups process start?

 

If the insurer requires systems be frozen in time and that no one touch them, does the covered party have to acquire all new computer equipment and start the recovery process to their new computer equipment because the insurer will not allow them to touch their current equipment?

If the insurer’s incident response team takes a week to get there and another week to do their analysis, this is at least two weeks where recovery cannot even start.

For most businesses, this would mean that they are out of business if they cannot conduct for two weeks, but more likely four because of the time needed for recovery.

 

• What pre-planning does the insurer want the covered party to do in terms of incident response planning with the insurer?
• What reports or attestation of state of what assets does the insurer want?
• Does the insurer require 365 days of log data from all assets and will that need to be made available to the incident response team?
• Where can this data be stored assuming that the on-device storage is contaminated by the breach?

 

And finally:

• What certification or credentialization on the part of the staff at the IT service provider is the insurance company going to presume is adequate for them to be considered experts in the stated technology or security strategies?