Insurance has long existed as a mechanism for transferring risk to a third party, particularly for the risks that an organization cannot control. Recently, the most noteworthy dangers that have come to light and threatened to destroy a company overnight have emerged within the cybersecurity sphere. This has been a reason for the growing interest in cyber liability insurance.
Because cyber liability insurance is a relatively new type of coverage, it is often misunderstood. Companies need to consider the basics and specifics of their cyber-related liabilities and exposures. They must be clear about the likely threats in order to identify the areas in which insurance is needed most. This way, companies can better protect the return on their insurance investment.
The following are three major categories of threats one should be aware of before investing in cyber liability insurance:
1. THREAT ACTORS
A threat actor, also called a malicious actor, is an entity that is partially or wholly responsible for an incident that impacts – or has the potential to impact – an organization’s security.
Identifying a threat actor can be done by knowing the motive behind an attack, the type of loss (monetary/life/reputation), the loss's size, etc. The following are some examples of threat actors and their motivations:
- Extortionists - They attack an enterprise along with a demand or request for money to avert or stop the attack, e.g., ransomware. (Motivation: Extortion)
- Information Brokers - They trade (stolen) information in the world of cybercrime. (Motivation: Information theft)
- Crime Facilitators - They provide technical support to the attacks of other criminal actors. (Motivation: Crime facilitation)
- Digital Robbers - They target financial services used by citizens and enterprises. (Motivation: Robbery)
- Scammers and Fraudsters - They employ social engineering in attacks on their targets. (Motivation: Scams and Frauds)
- Crackers - They are motivated by the fun of attacking and want to display their capabilities as hackers. (Motivation: Pranking and infamy)
- Insiders - They target the organization they're working in, which could be private or public. (Motivation: Revenge)
- Terrorists - They use the internet to conduct violent acts that result in, or threaten, loss of life or significant bodily harm. (Motivation: Ideological (Negative))
- Hacktivists - They are ideologically motivated to punish the wrongdoings of an organization harming nature or human rights. (Motivation: Ideological (Positive))
- Nation-State actors - They have a 'Licence to Hack.' They work for a government to disrupt or compromise target organizations or individuals to gain access to valuable data. (Motivation: Nationalism)
2. THREAT TARGETS
Anything that is of value to the threat actors mentioned earlier may be a target, such as the following:
- Bank accounts - An obvious one. One of the greatest motives for an attacker is financial gain. Hence, bank accounts are being increasingly attacked.
- Personally Identifiable Information (PII) - Information that can be used to identify, contact, or locate a single person. PII may be obtained through social engineering and may pose a threat to life.
- Confidential Business Information (CBI) - Any valuable secret business information, such as trade secrets, identified as confidential at the time of disclosure. Attackers may sell CBI or expose it to cause significant reputational and financial loss to an organization.
- Intellectual Property (IP) - IP is protected in law by patents, copyright, and trademarks, which enable people to earn recognition or financial benefit from what they invent or create. They lose the same things if their IP is stolen or breached.
- Computers/Mobiles/Computing devices/Hardware - A primary and most common target for attackers, all these devices are full of information, be it personal or work-related. Malware may be easily introduced into such devices, thereby compromising the data on them.
- Wearables - Smart electronic devices incorporated into clothing or worn on the body as implants or accessories are the best example of IoT devices. And as is the case with IoT devices in general, wearables may be misused for malicious purposes.
- Cloud Services - Although cloud storage providers implement rigorous security measures, the same threats that impact traditional storage networks also threaten the cloud world.
- Autonomous vehicles - Such vehicles will be vulnerable to the same threats that regularly disrupt computer networks, such as theft of personal and financial information and denial-of-service attacks that may move from shutting down computers to shutting down cars.
- Mass Transportation - Cyber threats to this sector are of concern because of the growing reliance on cyber-based control, navigation, tracking, positioning, and communications systems, as well as the ease with which malicious actors can exploit cyber systems serving transportation. Cyber-terrorist attacks can significantly disrupt vital transportation services and cause long-term sociological and economic consequences.
- Telecommunications - Due to telecom companies’ breadth and depth of services, there is an increased risk of security threats. Phone service interruption may affect countless subscribers, and internet outages may impact millions of customers and permanently harm businesses.
- Energy grids - A well-constructed cyberattack against the grid might not do as much physical damage as bombs. Still, it can cut the supply of electricity to hospitals, banks, factories, and other critical assets.
3. THREAT VECTORS
These are paths, tools, or ways in which a threat actor may attack the targets. While there are thousands of attack vectors, most of them are known only to skilled attackers. A few common threat vectors are as follows:
- Malware - Software that can severely affect anything from mobiles to computers and other computing devices. These days, a popular form is ransomware, which blocks access to a computer system unless money is paid.
- Phishing emails - We’ve all received such emails with senders posing as legitimate members of an organization, trying to lure the receivers into sharing personal information. A targeted form of phishing is known as spear phishing, and if the target is big, like a high-ranking banker and others in powerful positions, it is known as whaling.
- Unsecured wireless hotspots - If there is one thing we all love about public places, it is the open wireless networks. However, it is easy for attackers to get into such a network that is not adequately secured. It also provides the attacker with a large target base.
- Mobile devices/USBs - These devices are increasingly being used for sharing files. Malicious apps and files may be transferred from one device to another, making such devices a common threat vector.
- Social networking sites - Since the number of social network users is increasing day by day, these sites have become a hub for attackers to steal personal information, which can be used for purposes such as sending unauthorized messages (spam) and stealing money from victims' accounts.
- Social engineering - It uses deception to manipulate users into revealing confidential information that may be used for fraudulent purposes. With attackers devising ever-more ingenious methods for fooling employees and individuals into handing over valuable company data, social engineering attacks are becoming more sophisticated.
- Big Data warehouses - Typically, a data warehouse is a relational database housed on an enterprise mainframe server or, increasingly, in the cloud. It stores current and historical data in one place that is used to create analytical reports for workers throughout the enterprise. With big data comes big chances of attack!
- IoT devices - As IoT is still in its nascent stage, it strongly attracts the attacker community. Since mobile malware is already an acknowledged threat, there seems to be a high likelihood of things like wearable devices becoming attack vectors.
Apart from keeping the threats mentioned above in mind, one should also learn about the various types of first- and third-party losses and expenses that may be incurred in the event of an attack. It is also advisable to know about the different kinds of insurance coverage available in the marketplace, how to obtain and negotiate cyber insurance policies, the steps to be taken after a cyber incident, and how to communicate properly with the cyber insurer.