In late 2013, Cottage Health System, the operator of a network of hospitals in Southern California, discovered that hackers had stolen 32,500 patient records.
Cottage was sued for $4.1 million, which was paid by the insurer, Columbia Casualty Co., as provided by the policy.
Now, Columbia is suing Cottage for reimbursement, alleging that Cottage and its third-party vendor, INSYN Computer Solutions Inc., stored medical records on a system that was fully accessible to the Internet because they failed to install encryption or take other security measures as required by the policy terms.
"Insurers are denying coverage to companies that fail to take even the most obvious security measures. But many businesses don't think about security vulnerabilities with open-source software," says Mike Pittenger, vice president of product strategy for Burlington, Mass.-based Black Duck Software, which helps companies safeguard and manage their use of such tools.
Source of trouble
Open-source software is generally what we think of as "free" software developed by communities, such as OpenSSL or Mozilla Firefox, Pittenger explains. It's trusted enough that companies use many of these open-source libraries to provide the basic functionality they need in an application. The company then adds its own logic code to make the application work the way the developer wants it to. Even large developers such as Microsoft may incorporate some open-source components into their products.
The problem arises when an open-source component is updated or patched upstream, Pittenger says, but companies don't know that the code is buried in the commercial software they're using, so the fix is never applied and their data security risk increases. As a result, businesses are hiring Black Duck Software and similar vendors to notify them when new vulnerabilities are discovered in those components and to help them patch or update the software.
Pittenger provides the following six tips for agents who want to help their clients minimize their software vulnerability.
1. Comply with federal and state regulations.
Depending on what kind of business your clients operate, they also may be responsible for compliance with state and federal laws, Pittenger points out. In addition to the lawsuits by patients, Cottage Health System is facing an investigation by the California Department of Justice. The investigation will determine whether Cottage complied with its HIPAA obligations and any other pertinent state and federal laws. Depending on the investigation, Cottage may face fines, sanctions or penalties.
Agents whose clients include medical or dental offices, pharmacies, or other healthcare providers should always remind them that they must have controls in place to comply with HIPAA statutes and other related laws such as the Health Information Technology for Economic and Clinical Health (HITECH) Act.
2. Secure all devices, including smartphones and tablets.
"Remind your clients to consider handheld devices," Pittenger says, and to understand how those devices connect to corporate networks and what data is stored on each one.
This advice doesn't just pertain to your clients: Many insurance professionals use mobile devices while working remotely, but those generally don't have the same level of security as corporate laptops or desktops.
3. Know where your data is.
"Small retailers or similar businesses often outsource PCI [payment card industry] compliance," Pittenger observes. "When your dry cleaner swipes your credit card, the information often goes to a third-party processor." Other small businesses may use a vendor like Square or PayPal.
Agents should explain to clients that they still have primary liability for the data, even though the outsourcing agreement may include a requirement for the vendor to meet PCI security standards. "Advise your clients to be sure they're not storing credit card numbers on any electronic devices or local computers," Pittenger says. Outsourced data goes into the cloud, and it should be encrypted in transit and at rest.
Businesses also should ask about the physical security at the data storage center as well as information security, he adds. For example, many data centers require a handprint to enter or only allow one person at a time to pass through the door.
4. Monitor continuously.
When a client purchases Cyber coverage, the policy must meet the minimum required standards. Educate your clients that they are ultimately responsible for meeting those standards — even when they have outsourced their data management, says Pittenger. Just signing a contract isn't enough, as Cottage learned. Its third-party vendor is too small to reimburse Columbia for the cost of the settlement, so Cottage may have to repay $4.1 million if it loses its case.
Educating the buyers of Cyber insurance as to their obligations in meeting the policy's minimum requirements to maintain that insurance is very important, Pittenger says. But before companies can manage their risk, they need controls in place — and your clients must understand the vulnerabilities of their systems.
Ongoing monitoring, which is more than just auditing technology operations once a year, is key, Pittenger explains. Agents should explain to clients that the insurance company will most likely do an audit — a snapshot in time of the security profile of the business — before issuing coverage, but that the client is responsible for monitoring.
Agents also should be aware that their small-business clients are especially vulnerable. "Smaller organizations often use packaged software, and they outsource their IT management," Pittenger notes, "so they don't have a security center that's doing any monitoring — or they don't think about it."
5. Practice more than the basic measures in network security.
Pittenger notes that the minimum security requirements from Columbia were what he characterizes as "basic hygiene." For example, Cottage was required to change the default password that came with its network firewall. If the software that Cottage was using issued a patch or update, Cottage was required to install it within 60 days. However, Cottage, like many other organizations, outsourced its technology operations to a third party that didn't follow the policy's minimum requirements. In addition, Cottage didn't have controls in place to verify that the requirements were being met, and consequently it was hacked.
"Cyber coverage requires due diligence on the part of the insured," Pittenger points out, "and agents should be asking their clients how well they're managing the risk of a data breach." At a minimum, most policies include a requirement to install patches as they're issued by the software companies. Failure to install the patches can lead to denial of coverage, as the Cottage case demonstrates.
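To show the kind of control the text says Cottage lacked, here is an added example (mine, not code from the article, Black Duck or Columbia) that checks a constructed asset inventory against the two policy requirements just described: the default firewall password must be changed, and vendor patches must be applied within 60 days. The asset fields, system names and dates are assumptions made up for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Patch window the article attributes to the Columbia policy terms.
PATCH_WINDOW_DAYS = 60


@dataclass
class Asset:
    """One inventoried system; the field names are this example's own assumptions."""
    name: str
    default_password_changed: bool      # vendor-supplied password replaced?
    patch_released: Optional[date]      # newest vendor patch available, None if none
    patch_applied: Optional[date]       # when it was applied, None if still pending


def check_asset(asset: Asset, today: date) -> list:
    """Return a list of policy findings for one asset (empty means compliant)."""
    findings = []
    if not asset.default_password_changed:
        findings.append(f"{asset.name}: default password still in use")
    if asset.patch_released is not None:
        # Measure release-to-application lag, or release-to-today if still pending.
        end = asset.patch_applied if asset.patch_applied is not None else today
        age = (end - asset.patch_released).days
        if age > PATCH_WINDOW_DAYS:
            state = "applied after" if asset.patch_applied else "still missing after"
            findings.append(f"{asset.name}: patch {state} {age} days (limit {PATCH_WINDOW_DAYS})")
    return findings


def check_inventory(assets: list, today: date) -> list:
    """Run every asset through check_asset and flatten the findings."""
    return [f for a in assets for f in check_asset(a, today)]


# Constructed sample inventory and review date, not data from the article.
SAMPLE_ASSETS = [
    Asset("edge-firewall", False, None, None),                         # default password kept
    Asset("records-server", True, date(2013, 8, 1), None),             # pending 122 days
    Asset("web-portal", True, date(2013, 9, 15), date(2013, 10, 1)),   # applied in 16 days
    Asset("billing-app", True, date(2013, 6, 1), date(2013, 9, 1)),    # applied after 92 days
]
REVIEW_DATE = date(2013, 12, 1)

if __name__ == "__main__":
    for line in check_inventory(SAMPLE_ASSETS, REVIEW_DATE):
        print(line)
```

Run on a schedule against a real inventory, this is the ongoing monitoring the article distinguishes from a once-a-year audit snapshot.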
6. Understand the software that you're using.
Business clients must "Understand the software [they're] using, its security measures and vulnerabilities," Pittenger says. As a first step, counsel them to know what information they have, where it is at all times, and what applications control it. This will help your clients prioritize application security efforts.
Next, remind your clients to have policies and procedures to update the software whenever updates are available — and to ensure that those policies and procedures are followed correctly and promptly. If your clients use third parties to manage technology, have them stipulate that their third parties establish policies and procedures as well. "You can outsource the operation, but not the responsibility for the security," Pittenger adds.
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.