Edward Gately

With cybercrime at an all-time high, cyber insurance is a hot topic. It’s used to protect businesses and individual users from internet-based risks and, more generally, from risks relating to IT infrastructure and activities.

Allianz recently introduced a new cyber-risk management service for businesses that includes options not only for enhanced cyber-insurance coverage from Allianz, but also cyber-resilience evaluation services from Aon, and secure technology from Cisco and Apple. And similar partnerships are likely to come about as cybersecurity increasingly is top of mind with enterprises and organizations of all sizes.

SecurityScorecard’s Alex Heid

To get the lowdown on cyber insurance, Channel Partners spoke with Alex Heid, chief research officer at SecurityScorecard, and Ryan Collier, chief digital officer at Risk Placement Services (RPS). SecurityScorecard provides security ratings and continuous risk monitoring for vendor and third-party risk management, while RPS is one of the nation’s largest distributors of cyber insurance, with more than 20,000 cyber policies.

Heid says partnerships like the one between Cisco, Apple, Alliance and Aon look “quite advantageous because anytime you have the vendors who are willing to work with their customers, and even more than that, work with the customers of their customers for some kind of a higher-level principle of overall security, that’s a good thing.”

“If a company is using the most updated Cisco appliances and it’s vouched for by the vendor themselves … and they would get a cut on their insurance rate, it seems to be a very promising opportunity from just the standpoints of marketing, brand awareness, reputation management and also revenue generation,” he said.

There are many types of cyber policies, including those for data breaches, ones that cover forensics and others that cover reputation management, Heid said.

RPS’ Ryan Collier

“Depending on [which] industry it is and what the need is, and what the risk is, then basically there’s a niche of cyber insurance that would be applicable to them,” he said. “But I would be cautious to recommend that everyone just get blanket insurance coverage, because it’s not necessary. For example, a data center would benefit more from a policy that covers maybe incident response, data breaches and service outages, whereas a financial-services provider might be interested in one that covers losses due to fraud, reputation management and theft. It depends what the company does, what’s their role within the business ecosystem and what are their crown jewels.”

Collier says U.S. businesses of all sizes “in any industry and at any sophistication level” need a cyber policy. Also, it is important for them to buy a “very broad” policy that includes a breach-response team provided by the insurer that’s activated when a breach is reported, he said.

“One of the stats that I think really clarifies the thinking on that is any business that is in business has about a 5 percent chance for a slip-and-fall to implicate their general liability policy, and any business in the United States has a 43 percent chance of withstanding a cyberattack in any given year,” he said. “Those stats to me are alarming.”

Before an organization approaches cyber-insurance companies for coverage, they should pull their …

… cybersecurity score, if not from SecurityScorecard then from one of its competitors, Heid said.

“It’s the concept of looking at what your credit score is before applying for a loan and then you can fix those items before you even fill out the applications,” he said. “So if you know what your score is [and] where your weaknesses are, you can get those patched up. If you check your score, see the issues and then fix [them], and then apply for coverage, the first time the insurance company looks at your score, they’re not going to see your unclean profile.”

Collier disagrees.

“If a customer, a small business with $1 million to $3 million in sales, has to go out and spend $10,000, $20,000 or $30,000 to do testing and remediation, and put all the proper processes in place, then they’re going to say, ‘I don’t really need insurance because I feel safe — and they’re not,” he said. “Even with the best protections, with hundreds of millions of dollars of budget for IT security, you can still be T.J. Maxx, JP Morgan Chase, Home Depot or an Equifax.”

Cyber-insurance providers already are being hit with claims from businesses that suffered a breach, Heid said. Some people are getting paid out and some claims are getting “pushed back” because of a lack of coverage or a related issue, he said.

“As far as which incidents and which companies got paid out and which one’s didn’t, that information is usually held pretty close to the vest by the insurance companies themselves and the claimant,” he said. “But it is definitely going on … and we have several insurance companies using our platform for that purpose.”

RPS has had “hundreds and hundreds” of claims, Collier said.

“In the event that you have a breach, you call your breach coach, and we have found that by jumping on these breaches very quickly and professionally, we’re able to limit the amount of money that has to be spent,” he said. “We are experts at making sure the claim gets handled professionally and expeditiously, and that helps drive down the the total cost of the claim.”

In the meantime, Colliier says what’s “nerve-wracking” is knowing that “there [are] still 65 out of 100 people” who don’t feel they need cyber insurance.

“Statistically, if a company has a breach, they’re out of business in six months 60 percent of the time,” he said.

Comodo Report: Malware Attackers Seize on Elections, World Events

Major geopolitical events and crises correlated with major malware spikes last year, according to Comodo‘s Global Malware Report for 2017. For example, on Oct. 24, 2017, in the United States, Comodo detected a massive spike in Kryptik trojan malware, totaling nearly 300,000, with more than 94 percent located in Virginia, where a close gubernatorial election took place.

And in terms of world events, there was a spike of viruses …

… totaling nearly 20,000 when China’s President Xi visited Mar-a-Lago, and North Korea fired test missiles.

Trojans, often disguised as legitimate software, dominated the malware landscape, with 41 percent of Comodo detections. Applications exhibiting malicious, unsafe or undesirable behavior came in second place at nearly 25 percent. And backdoors were the third-most detected form of malware at slightly more than 10 percent.

“The challenge for the IT channel is that it sits in the middle of the supply chain, not in the most enviable position to wield leverage in pursuit of making IT less vulnerable to these wide-ranging types of malware,” Carlos Solari, Comodo’s vice president of cybersecurity services, tells Channel Partners. “The channel is neither the OEM nor the large enterprise that can wield the power of large purchasing capacity. The opportunity is to find leverage. The goal is to make IT less susceptible to the malware in its many forms (virus/worm/trojan/RAT/package). Consider the idea that recycling old and often EOL (meaning unpatched) software is an opportunity to remove the target.”

Entry-Level Employees Pose Security Risk

Nearly half of entry-level employees don’t know if their company has a cybersecurity policy, and employees at all levels likely are unaware of the IT security threats their companies potentially face, according to a new survey by Clutch. The company polled 1,000 full-time employees to understand how companies invest in IT security and how well employees understand and follow their companies’ IT security policies.

Nearly two-thirds (63 percent) said they don’t know if the quantity of IT security threats their companies face will increase or decrease over the next year. Also, among entry-level employees, 87 percent said they don’t know if the number of threats will shift in the next year.

IT security experts are quick to point out that employees’ lack of awareness puts companies at risk for breaches.

“Attacks will be more frequent, more voracious and more sophisticated in breaking through any protection you can put in place,” said Steve Scott-Douglas, CIO of Ciklum, a global software engineering and solutions company.

The survey also found that employees are less likely to recognize IT services as the primary area of security vulnerability at their companies; instead, they cited theft of company property as the primary threat to company security, ahead of unauthorized information and email phishing scams.

One way companies can drive awareness is through …

… security training during new employee on-boarding.

Companies tend to offer IT security on-boarding programs to higher-level employees only, which might account for the greater awareness and feeling of preparedness this group has regarding IT security threats, Clutch said.

NTT and ThreatQuotient Announce New Security Partnership

NTT Security, the specialized security company of NTT Group, and ThreatQuotient are collaborating to deliver enhanced threat intelligence capabilities to managed security clients globally. ThreatQuotient’s threat intelligence platform (TIP), ThreatQ, will serve as the cornerstone of NTT’s new threat intelligence services offering.

“NTT Security’s global managed security services and channel program is exactly the type of model that we strive to be part of as we work to reach more organizations that need deeper support to get a threat-intelligence program off the ground, or get more value out of existing strategies,” said Matt McCormick, ThreatQuotient’s senior vice president of business and corporate development.

The platform’s flexible architecture for aggregating and correlating threat data will enhance NTT Security’s capabilities for bringing detailed, relevant threat intelligence to NTT Group clients through MSPs globally, the companies said.

Analysts from NTT Security’s global threat intelligence centers (GTIC) will be using ThreatQ to process data and turn it into threat intelligence that can benefit its consulting and managed services clients. NTT Security also will be using ThreatQ to enhance its consulting services.