November 8, 2022
Recently, Lloyd’s of London issued a bulletin that will require its insurer groups to separate state-backed cyberattacks from standalone cyber insurance policies. Starting in March 2023, when coverage begins or renews, Lloyd’s global syndicates must exclude attacks involving state actors in policies that protect against physical and digital damage caused by hacks.
This begs the question: If the insurance industry stops covering breaches caused by nation-states, and a significant number of breaches are suspected to originate from this very source, where does this leave companies? Further, what if the breach source is unknown?
Most, if not all, companies secure a cyber insurance policy to spread out or defer some risk and damage from a cyber breach. Many, however, are likely to start questioning whether the cost of their now-limited insurance policies is worth it. Based on years of cyber investigative experience, I believe Lloyd’s of London’s recent decision will be a difficult one to enforce and nearly impossible to base on unclassified and verifiable data.
The question then comes down to: How do you attribute an attack to a nation-state actor? Attributing back to specific perpetrators is difficult in cyberspace, where identities can be easily disguised by using Tor routers (also known as onion routers), bot networks, and other obfuscation techniques.
Add to this problem the use of initial access brokers, a dark web concept that I call “crowd-sourced hacking.” Here, actors can be found on various marketplaces and employed to conduct various parts of an attack piecemeal. For example, one actor can conduct the initial network access and then sell it to another actor, who moves laterally through the network and sells the access and network map to another actor, who deploys the malware or ransomware payload.
Some dark web vendors even provide a service dedicated to cultivating archives of stolen credentials, and their clients can include nation-states, organized criminal syndicates, or enterprising cybercriminals with pools of victims to compromise. The attribution waters get even muddier when you start to dive into the forensic science side of cyberspace. On any given day, leagues of different attack tools are being deployed by threat actors big and small. That’s a lot of tools to keep track of, even on the best of days, especially when some of them are used by friendly organizations looking for cyber vulnerabilities to close, not exploit.
Even if a computer involved in an attack was traced to an IP address located in a North Korean military base, for instance, it wouldn’t necessarily mean the attack was carried out with the knowledge of that government’s authorities. The device could have been compromised by hackers in other countries, as in the case of the Office of Personnel Management hack, where the Federal Bureau of Investigation (FBI) arrested a Chinese national for the attack but couldn’t attribute it to the Chinese government.
And while the specific tactics, techniques, and procedures used by certain nation-states allow for some degree of attribution, only highly sophisticated investigative methods employed by US law enforcement and intelligence community members such as the FBI, Central Intelligence Agency, or National Security Agency can usually detect them. However, these detection processes aren’t quick ones, sometimes taking months or years. In addition, law enforcement tactics that track such activity are classified and wouldn’t be disclosed to insurance companies seeking to make coverage decisions.
Given the gray area around attribution, there may be a reckoning around the corner for the insurance sector, especially if other providers such as Lloyd’s attempt to unburden themselves from the financial responsibility of state-sponsored attacks. In an industry all about defining, mitigating, or eliminating risk, cyber insurance must establish a clear, accepted definition of its “nation-state” risk. Otherwise, I foresee a long road of litigation ahead between providers, the insured, and the victims arguing about the identity of the attacker.
Regardless of what happens with the cyber insurance market, having a solid cyber program is important to weather any storm. That’s why enterprises should continue to focus on forging resilient environments that start with risk management. Building out from there, organizations can efficiently secure themselves from threats, no matter the origin.
This article originally appeared on the NACD BoardTalk blog. Reprinted with permission. https://blog.nacdonline.org/posts/crossroads-cyber-insurance-covered