Showing posts with label Dyman Associates Management. Show all posts

Thursday, May 1, 2014

Dyman Associates Management 5 Things You Need to Know About Cybersecurity Insurance

Cybersecurity insurance transfers some of the financial risk of a security breach to the insurer. But it doesn’t do a good job of covering the reputation damage and business downturn that can be triggered by a security breach.


CIO — Cybersecurity insurance does mitigate some financial damage should you suffer an attack, but it's not a complete solution. Here are five things CIOs need to know.

1. It’s a risk-management strategy. Cybersecurity insurance transfers some of the financial risk of a security breach to the insurer. First-party insurance typically covers damage to digital assets, business interruptions and, sometimes, reputational harm.

Third-party insurance covers liability and the costs of forensic investigations, customer notification, credit monitoring, public relations, legal defense, compensation and regulatory fines. Cyberthreats are so broad that the cost of protecting against them all would be prohibitive. The best approach is to identify and secure the company's digital crown jewels, then quantify and insure the remaining risk, says Daljitt Barn, director of cybersecurity at PricewaterhouseCoopers.

2. American and European markets differ. The cybersecurity insurance market is more mature in the U.S. than in the E.U., primarily because of U.S. states' mandatory data-breach-notification laws. Third-party insurance is more common in the U.S., and first-party is more popular in Europe, but that may change if the E.U. starts requiring breach notifications, Barn says.

The U.S. market is growing about 30 percent per year, says Richard Betterley, president of Betterley Risk Consultants. Some surveys estimate that 30 percent of large U.S. companies have cybersecurity insurance, but among companies of all sizes, Betterley says, the number is probably under 10 percent.

3. Clear wording is essential. Before you buy, investigate what risks are covered by existing insurance packages, because there may be overlaps with a cyber-insurance policy. "Make sure the cyber policy wording covers your true cyber exposure," Barn says. "Challenge your corporate insurance broker to find a policy that provides a multifaceted response, including legal, PR, notification, forensics and cyber incident response."

4. Coverage is inadequate in some areas. Cybersecurity insurance doesn't do a good job of covering intellectual property theft or the reputational damage and business downturn that can be caused by a security breach, Betterley says. Meanwhile, the industry is debating whether state-sponsored cyberattacks, to the extent they can be identified as such, are covered by cybersecurity insurance policies.

5. There's room for improvement. Ideally cybersecurity insurance should encourage companies to improve security so they can negotiate lower premiums. However, insurers don't have enough actuarial data to adjust premiums based on what security controls and products are most effective, says Andrew Braunberg, research director at NSS Labs.

Wednesday, April 30, 2014

Dyman Associates Management Japan, EU planning cybersecurity summit

(japantimes) - With China a suspected source of cyberattacks, Prime Minister Shinzo Abe and European Union leaders will agree at a summit in Brussels on May 7 to launch a dialogue to boost cybersecurity, according to a draft of a statement to be issued after the meeting.

“Facing more severe, widespread and globalized risks surrounding cyberspace . . . protection of a safe, open and secure cyberspace is needed,” according to the draft, a copy of which was obtained Sunday.

Abe and the EU leaders, European Council President Herman Van Rompuy and European Commission President Jose Manuel Barroso, will also agree to hold an inaugural meeting of a Japan-EU dialogue on the stable use of outer space in the latter half of this year in Tokyo, the draft says.

Tokyo appears poised to proactively contribute to international rule-making over cyberspace. The launch of a Japan-EU dialogue to promote cooperation on cyberspace would follow similar consultations Japan has held with the United States, Britain and other countries.

In recognition of the threat posed to national security, Japan said in its National Security Strategy adopted in December that it will strengthen information sharing and promote cyberspace defense cooperation with relevant countries.

In the first meeting of the Japan-EU Space Policy Dialogue, the two sides are expected to discuss creation of international norms to reduce space debris caused by anti-satellite tests, satellite collisions and other reasons.

“We affirm the importance of safety, security and sustainability of outer space activities,” the draft statement says.

In 2007, China destroyed one of its aging satellites via a missile-driven anti-satellite test, creating a mess of fragments fluttering through space and sparking concern that such debris could seriously damage other satellites nearby.

In the summit, Abe and the EU leaders will reaffirm their shared view that international disputes and issues “should be resolved peacefully and in accordance with international law, not by force or coercion,” the draft says.

The wording apparently refers to the intrusions by Chinese patrol ships into Japanese waters around the Senkaku Islands in the East China Sea, aimed at undermining Japan’s administration of the islets, claimed as Diaoyu by Beijing and Tiaoyutai by Taiwan.

Turning to Ukraine, the Japanese and EU leaders will “strongly condemn” and “will not recognize” Russia’s annexation of Crimea in March, while urging Moscow and other parties concerned to “refrain from any steps to further destabilize Ukraine,” the draft says.

The leaders will call for ensuring freedom of navigation in and flight over the open seas, according to the draft, in an apparent criticism of China’s unilateral declaration in November of an air defense identification zone overlapping Japanese airspace over the Senkaku Islands.

Beijing announced rules requiring aircraft entering the zone — which covers an extensive area above the high seas separating China, Japan, South Korea and Taiwan — to file flight plans in advance and follow instructions of Chinese controllers or face “defensive emergency measures.”

Policymakers and experts outside China, however, say Beijing is not in line with international norms.

Among other issues, the EU leaders will welcome an expanded role for Japan in promoting and sustaining global peace and security, as set out in Abe’s policy of proactively contributing to peace based on the principle of international cooperation, it says.

Japan will study the possibility of participating in EU peace missions in Africa and elsewhere, it says.

Brussels will be the last leg of Abe’s six-nation European tour starting Tuesday, following visits to Germany, Britain, Portugal, Spain and France.















Tuesday, April 29, 2014

Dyman Associates Management ISACA launches cyber-security skills programme


(computerweekly) - Global IT association ISACA has launched its Cybersecurity Nexus (CSX) programme to help address the global security skills shortage.

According to the Cisco 2014 Annual Security Report, more than one million positions for security professionals remain unfilled around the world.

CSX is aimed at helping IT professionals with security-related responsibilities to “skill up” and providing support through research, guidance and mentoring.

A recent ISACA survey found that 62% of organisations have not increased security training in 2014, despite 20% of enterprises reporting they have been hit by advanced persistent threats.

“Unless the industry moves now to address the cyber-security skills crisis, threats such as major retail data breaches and the Heartbleed bug will continue to outpace the ability of organisations to defend against them,” said Robert Stroud, ISACA international president-elect.

CSX is designed as a comprehensive programme that provides expert-level cyber-security resources tailored to each stage in a cyber-security professional’s career.

The programme includes career development resources, frameworks, community and research guidance, such as Responding to Targeted Cyberattacks and Transforming Cybersecurity Using COBIT 5.

There is also a Cybersecurity Fundamentals Certificate that is aimed at entry level information security professionals with zero to three years of practitioner experience.

The CSX programme marks the first time in its 45-year history that ISACA will offer a security-related certificate.

The certificate is for people just coming out of college and for career-changers now getting into IT security. The foundational level is knowledge-based and covers four domains:
  • Cybersecurity architecture principles
  • Security of networks, systems, applications and data
  • Incident response
  • Security implications related to adoption of emerging technologies

The exam will be offered online and at select ISACA conferences and training events beginning this September.

The content aligns with the US NICE framework and was developed by a team of about 20 cyber-security professionals from around the world.

ISACA plans to add more to the CSX programme, including a cybersecurity practitioner-level certification with the first exam in 2015, cybersecurity training courses, SCADA guidance and digital forensics guidance.

A recent global poll of members of ISACA student chapters shows that 88% of the ISACA student members surveyed say they plan to work in a position that requires some level of cybersecurity knowledge. However, fewer than half say they will have the adequate skills and knowledge they need to do the job when they graduate.

“Security is always one of the top three items on a CIO’s mind, yet IT and computer science courses at university level are not allocating a proportional amount of training to cybersecurity,” said Eddie Schwartz, chair of ISACA’s Cybersecurity Task Force.

“Today, there is a sizeable gap between formal education and real world needs. This, in itself, is an area requiring immediate focus so that the industry can get better at detecting and mitigating cyber threats,” he said.

According to Tony Hayes, ISACA international president, enterprises cannot rely on just a handful of universities to teach cybersecurity.

“With every employee and endpoint at risk of being exploited by cyber criminals, security is everyone’s business. We need to make cybersecurity education as accessible as possible to the next generation of defenders,” he said.

Monday, April 28, 2014

Dyman Associates Management U.S., UK advise avoiding Internet Explorer until bug fixed


(Reuters) - The U.S. and UK governments on Monday advised computer users to consider using alternatives to Microsoft Corp's Internet Explorer browser until the company fixes a security flaw that hackers used to launch attacks.

The Internet Explorer bug, disclosed over the weekend, is the first high-profile computer threat to emerge since Microsoft stopped providing security updates for Windows XP earlier this month. That means PCs running the 13-year-old operating system will remain unprotected, even after Microsoft releases updates to defend against it.

The Department of Homeland Security's U.S. Computer Emergency Readiness Team said in an advisory released on Monday that the vulnerability in versions 6 to 11 of Internet Explorer could lead to "the complete compromise" of an affected system.

The recently established UK National Computer Emergency Response Team issued similar advice to British computer users, saying that in addition to considering alternative browsers, they should make sure their antivirus software is current and regularly updated.

Versions 6 to 11 of Internet Explorer dominate desktop browsing, accounting for 55 percent of global market share, according to research firm NetMarketShare.

Boldizsár Bencsáth, assistant professor with Hungary's Laboratory of Cryptography and Systems Security, said the best solution was to use another browser such as Google Inc's Chrome or Mozilla's Firefox.

DELAYED UPGRADES

Security experts have long been warning Windows XP users to upgrade to Windows 7 or 8 before Microsoft stopped supporting it at the beginning of this month.

The threat that emerged over the weekend could be the wakeup call that prompts the estimated 15 to 25 percent of PC users who still use XP to dump those systems.

"Everybody should be moving off of it now. They should have done it months ago," said Jeff Williams, director of security strategy with Dell SecureWorks.

Roger Kay, president of Endpoint Technologies, expects several hundred million people running Windows XP to dump those machines for other devices by the end of the year.

They will be looking at Windows machines as well as Apple Inc's Macs and iPads along with Google's Chrome laptops and Android tablets, he said.

"Not everybody will necessarily go to Windows, but Microsoft has a good chance at getting their business," he said. "It's got to be a good stimulus for the year."

News of the vulnerability surfaced over the weekend. Cybersecurity software maker FireEye Inc warned that a sophisticated group of hackers has been exploiting the bug in a campaign dubbed "Operation Clandestine Fox."