Advances in shared computing infrastructure like cloud computing and the overall commoditization of computing, storage, and networking tools have created a boon for small organizations and start-ups that want to develop new products, rapidly test prototypes to drive iterative value-focused development, or otherwise supplement their existing technology estate, whether on-prem, in a co-lo data center, or in the cloud. While these advances have proved beneficial for companies and consumers alike, they have also provided a new type of capability to malicious actors and cybercriminals, thereby altering the landscape for insureds and increasing the potential for a cyber liability trigger such as a malware or ransomware attack.
Traditionally, complex or resource-intensive cyber-attacks were limited to state-based actors or independently organized groups with access to sophisticated, self-owned enterprise infrastructure – this is no longer the case. Having access to a mix of expertise, capital, and personnel is no longer a prerequisite for launching a devastating cyber-attack. Threat actors today need only set up an account with any one of the large cloud providers like AWS, Microsoft Azure, Google Cloud Platform, IBM, etc., and provision a single node or cluster of high-capacity pay-for-use virtual machines to quickly perform complex scans and run analytics-based workloads that give the attacker insight into potential targets.
A recent review of Palo Alto Networks’ 2021 Cortex Xpanse Attack Surface Threat Report noted that “As soon as new vulnerabilities are announced, adversaries rush to take advantage. Scans began within 15 minutes after Common Vulnerabilities and Exposures (CVE) announcements were released between January and March”. We can no longer deny two things: the attack surface and the scale of threat vectors are growing across every organization and every industry, and the ability of even a novice threat actor to identify, analyze, and exploit that attack surface has been democratized and made accessible by the same solutions the enterprise uses to augment its technology strategy. Threat actors can pay, in most cases, ~$100 or less to “lease” cloud computing infrastructure with a customized blend of the optimum computing, storage, and networking specifications needed to meet their objective; 10-15 years ago the same capability would have taken 6-12 months to design, procure, configure, and deploy. The most advantageous part of this for the threat actor is that once they have completed their objective, they can de-provision the resources, extract the data they have collected, and walk away from the subscription with no commitments and no long-term liabilities. Per the Xpanse report, most incidents and top vulnerabilities result from “basic hygiene” items like open RDP ports, expired certificates, unencrypted file servers, or poorly maintained routing configuration policies and ACLs (0.0.0.0/0) that publicly expose services never meant to be externally facing, like Power BI and Tableau. As the Xpanse report notes, “This means attackers don’t need to be clever. They just have to find the issues. No matter how sophisticated you make your applications, with basic vulnerabilities, enterprises are still at risk”. As computing and infrastructure costs continue to drop, incidents of malicious activity will only continue to increase.
As the Xpanse report further notes, “The risk of conducting malicious scanning activity [has] dropped drastically” as attackers no longer have to contend with the consequences of a potential “loss of significant leased infrastructure” and instead now only receive “a “cease and desist” from a CSP that was disposable to the attacker’s end goals”.
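The “basic hygiene” items the report calls out (ACLs open to 0.0.0.0/0 on ports such as RDP, and expired certificates) are the kind of thing an internal audit script can catch before a scanner does. The following is an added example, not code from the Xpanse report or from this article; the ingress rules and certificate records are constructed inline, the `IngressRule` and `Certificate` types are hypothetical, and the list of “sensitive” ports is an assumed policy rather than a standard.

```python
"""Audit constructed firewall rules and certificate records for basic hygiene gaps.

Hypothetical, self-contained example: the rule and certificate records are
constructed for illustration and do not describe a real environment.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import ipaddress
from typing import List, Tuple

# Ports that, under the assumed policy, must never be reachable from the whole
# internet. The names are only used for reporting.
SENSITIVE_PORTS = {
    22: "SSH",
    445: "SMB",
    1433: "MSSQL",
    3306: "MySQL",
    3389: "RDP",
    5432: "PostgreSQL",
}


@dataclass(frozen=True)
class IngressRule:
    group: str       # name of the security group / ACL (hypothetical field)
    protocol: str    # "tcp", "udp", or "-1" meaning all protocols
    from_port: int   # -1 when protocol is "-1"
    to_port: int
    source: str      # source CIDR


@dataclass(frozen=True)
class Certificate:
    hostname: str
    not_after: datetime  # timezone-aware expiry


def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. a prefix length of zero."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def exposed_ports(rule: IngressRule) -> List[Tuple[int, str]]:
    """Sensitive TCP ports this rule opens to the whole internet, if any."""
    if not is_world_open(rule.source):
        return []
    ports = sorted(SENSITIVE_PORTS.items())
    if rule.protocol == "-1":          # all protocols and ports
        return ports
    if rule.protocol != "tcp":         # the assumed policy only lists TCP services
        return []
    return [(p, n) for p, n in ports if rule.from_port <= p <= rule.to_port]


def audit_rules(rules: List[IngressRule]) -> List[str]:
    """One finding per (rule, sensitive port) pair that is internet-reachable."""
    findings = []
    for rule in rules:
        for port, name in exposed_ports(rule):
            findings.append(f"{rule.group}: {name} (tcp/{port}) open to {rule.source}")
    return findings


def audit_certificates(certs: List[Certificate], now: datetime, warn_days: int = 30) -> List[str]:
    """Flag certificates that have expired or expire within warn_days."""
    findings = []
    for cert in certs:
        remaining = (cert.not_after - now).days
        if remaining < 0:
            findings.append(f"{cert.hostname}: certificate expired {-remaining} days ago")
        elif remaining <= warn_days:
            findings.append(f"{cert.hostname}: certificate expires in {remaining} days")
    return findings


# Constructed sample data (not from any real account).
SAMPLE_RULES = [
    IngressRule("sg-web", "tcp", 443, 443, "0.0.0.0/0"),       # public HTTPS: fine
    IngressRule("sg-jump", "tcp", 3389, 3389, "0.0.0.0/0"),    # RDP to the world
    IngressRule("sg-db", "tcp", 0, 65535, "10.0.0.0/8"),       # internal only: fine
    IngressRule("sg-legacy", "-1", -1, -1, "0.0.0.0/0"),       # everything open
    IngressRule("sg-v6", "tcp", 22, 22, "::/0"),               # SSH to all of IPv6
]

SAMPLE_NOW = datetime(2021, 6, 1, tzinfo=timezone.utc)
SAMPLE_CERTS = [
    Certificate("portal.example.com", datetime(2021, 5, 15, tzinfo=timezone.utc)),
    Certificate("api.example.com", datetime(2021, 6, 20, tzinfo=timezone.utc)),
    Certificate("intranet.example.com", datetime(2022, 1, 1, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for line in audit_rules(SAMPLE_RULES) + audit_certificates(SAMPLE_CERTS, SAMPLE_NOW):
        print(line)
```

The rule check treats a zero-length prefix as “open to the internet” regardless of address family, so an IPv6 `::/0` rule is caught alongside `0.0.0.0/0`; a rule with protocol `-1` is reported against every sensitive port because it exposes all of them. Feeding this real rule exports rather than the constructed list would require a small adapter from your provider’s API format to `IngressRule`.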
External considerations such as these are often an overlooked variable in a holistic risk and needs assessment for cyber liability coverage, whether as a standalone policy or as part of a packaged offering. When you assess your company’s insurance needs you should consider not only the posture and strength of your internal technology estate and the inherent risk your industry vertical is exposed to (do you possess or handle important and/or valuable data about customers, individuals, technology, manufacturing?), but also what an external threat is capable of – what tools and techniques do malicious actors have that could be used to exploit your organization and its employees? An organization needs to take both an offensive and a defensive approach to protecting its cybersecurity posture.
Ease of access to commercialized, enterprise-level computing products has also increased the likelihood and commonality of internal vulnerabilities for companies both small and large. This is especially true in organizations where there is no tight integration between IT lifecycle policy management and software development functions, in companies that lack CI/CD pipelines, and in organizations that are unaware of shadow IT functions existing within the business. Let’s examine the flip side of easy access to cloud-based solutions: not only their external use by a malicious actor, but also their use by internal employees and whole departments that are not based in tech or engineering. Take for example a hypothetical large, global reinsurance broker with operations in 30+ countries across treaty and facultative lines, with a strong analytics, catastrophe modeling, and market intelligence function that has identified a need for infrastructure to build out a catastrophe modeling tool proof-of-concept that could potentially be positioned as an external client offering. Wanting to avoid the long lead times associated with requesting, rationalizing, assigning resources to, and executing a project in collaboration with a shared services IT organization, the catastrophe modeling group, using the advanced knowledge of systems and software development gained in their day-to-day roles, instead uses company-issued equipment, company accounts, and company funding to open an AWS subscription in the name of an individual user within the department. The department commits time, resources, and effort to building out this AWS subscription, provisioning the needed infrastructure, and developing and deploying the code to support the software product that is the key deliverable. The team subsequently validates the product by testing it with actual customer data, instead of the anonymized or simulated data that best practice would call for, to achieve an expected result before releasing the platform externally.
In the above scenario, members of this department successfully opened an account on a cloud platform, consumed and committed company resources, developed and published sensitive IP related to the product within the confines of the deployment, and loaded customer data into the tool, all without the knowledge of the company’s overall IT function. Without oversight from the company’s IT function, the solution, while meeting the needs of the department, was not built with traditional security controls (technology evaluation, risk assessment, onboarding, authentication, RBAC), bypassing key checks and balances along the way. In addition to being misaligned with the company’s defined processes and procedures, the solution was not integrated with the company’s third-party platforms for firewall, network management and segmentation, security incident and event monitoring, threat detection, intrusion prevention, and a host of other vital services. In this scenario, the shadow deployment would likely be identified before the external release of the platform and subsequently dismantled and rebuilt using a standard deployment model. However, in the event of an incident or a breach of customer data, the company would still have incurred first-party damages and third-party liability, but likely would have been unable to make a claim against its cyber liability coverage even if it did maintain a policy, as the circumstances of this specific deployment would likely have been excluded: the lack of controls would have conflicted with the conditions of the policy.
While most companies have identified the importance of having cyber liability coverage to protect against these exposures, there are still too many potential insureds that view cyber liability coverage as an unnecessary expense, or solely as a means to an end with no strategic value – a way to meet industry, contractual, or RFP requirements. The general sentiment is that “it won’t happen to me or my company”, “we don’t handle sensitive data”, or “we’re not a target”. Realistically, so long as an organization is connected to the internet, it is vulnerable to cybersecurity threats and could benefit from a cyber insurance policy. To combat this mentality, both insurance professionals and technologists should be speaking to the benefits of maintaining cyber liability coverage not only for organizational protection and risk transfer but as a mechanism to drive operational excellence and ensure a swift response to and recovery from a cyber liability event. Policy conditions and insured responsibilities contained within a cyber liability policy can help an insured company’s technologists obtain internal approval for additional budgetary funding for products and solutions that help the company meet insurability requirements like MFA, SIEM, IPS, firewall solutions, and network analysis and management solutions. In this case, the insurer, the company, and the IT department benefit mutually from improvements to the company’s security posture. Additionally, insurers provide access to “panels” of external experts that assist with the implementation and management of an incident response plan. The panel’s subject matter experts will either implement the company’s IRT or one required to be implemented under the policy, across functions like forensic investigation, cybersecurity engineering and remediation, legal expertise, and litigation, working together to minimize downtime and ensure a smooth return to a business-as-usual run-and-maintain state.
It’s important to understand that there is, and will continue to be, a positive correlation between advances in and ease of access to commercial computing solutions that help your business, and the probability and impact of a cyber-attack. Boards, C-suites, technology executives, and risk managers should be considering and constantly evaluating the threat landscape against existing coverages and asking, “am I doing what is necessary to protect myself, my company, our employees, our customers, our data, and our operations from any and all persistent threats?” If the answer to that question does not come easily, and cannot be backed up by existing coverages, controls, and validation processes, your company likely needs to reevaluate its exposure and risk treatment methods.