Underwriters must know how cyber events are found, reported

Wouldn’t you like to find out about your company’s cybersecurity vulnerability before the public or the media?


It was recently discovered that the direct to consumer identity theft service provider Lifelock had a vulnerability on its websites. The issue was reported by security blogger Brian Krebs at the end of July, and was called out by a former Lifelock customer and security researcher.

While the vulnerability was limited to potential exposure of users’ e-mail addresses, it could have been ugly had it been misappropriated by fraudsters looking to launch a directed phishing campaign on Lifelock customers. Fortunately, after learning about the vulnerability, Lifelock acted quickly to fix it.

But there is actually a lot to unpack here, and most of it has little to do with the actual vulnerability itself, though it is a good enough place to start.


What was the vulnerability all about?

The problem at Lifelock had to do with the ‘unsubscribe feature’ found in customer e-mails. Clicking the unsubscribe link in an e-mail would bring consumers to a page with their subscriber key in the URL. When the security researcher discovered this, he coded a script that iterated through sequential subscriber key numbers and extracted the connected e-mail addresses. The script pulled down about 70 e-mail addresses, and the coder hoped to avoid triggering any alarms. It was obvious that the website had been mis-configured, allowing a potential data leakage to occur.
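The flaw described above is the classic pattern of a guessable identifier placed in a URL: anyone who can increment the number can walk the whole subscriber table. The following added example (written for this article, not Lifelock's code, and using a constructed three-row subscriber table) shows a minimal unsubscribe handler built the vulnerable way next to two hardened versions: one that hands out a random opaque token stored server-side, and one that signs the subscriber key with an HMAC so that a key can be read but not forged. The `assessment_check` function at the end is the kind of check a web app security assessment would run against one's own handlers: it counts how many addresses fall out when sequential keys are tried against each version.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed sample data for the example; these are not real subscribers.
SUBSCRIBERS: Dict[int, str] = {
    1001: "alice@example.com",
    1002: "bob@example.com",
    1003: "carol@example.com",
}

# --- Vulnerable pattern: the integer subscriber key is the whole credential ----
def unsubscribe_page_vulnerable(subscriber_key: int) -> Optional[str]:
    """Mimics a page that trusts the numeric key from the URL.
    Any caller who increments the key can walk the entire table."""
    return SUBSCRIBERS.get(subscriber_key)

# --- Hardened pattern 1: random opaque token, looked up server-side ----------
UNSUBSCRIBE_TOKENS: Dict[str, int] = {}  # token -> subscriber key (hypothetical store)

def issue_random_token(subscriber_key: int) -> str:
    """Generate a 256-bit unguessable token to embed in the e-mail link."""
    token = secrets.token_urlsafe(32)
    UNSUBSCRIBE_TOKENS[token] = subscriber_key
    return token

def unsubscribe_page_random(token: str) -> Optional[str]:
    """Resolve a token to an address; unknown tokens reveal nothing."""
    key = UNSUBSCRIBE_TOKENS.get(token)
    return SUBSCRIBERS.get(key) if key is not None else None

# --- Hardened pattern 2: HMAC-signed key, no token table needed --------------
SERVER_SECRET = secrets.token_bytes(32)  # per-deployment secret, never in a URL

def _mac_for(subscriber_key: int, secret: bytes) -> str:
    # Bind the MAC to the action so a token cannot be reused elsewhere.
    message = f"unsubscribe:{subscriber_key}".encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()

def sign_key(subscriber_key: int, secret: bytes = SERVER_SECRET) -> str:
    """Produce '<key>.<hex mac>' for use in the unsubscribe link."""
    return f"{subscriber_key}.{_mac_for(subscriber_key, secret)}"

def unsubscribe_page_signed(token: str, secret: bytes = SERVER_SECRET) -> Optional[str]:
    """Accept the key only if its MAC verifies; a changed key fails."""
    try:
        key_str, mac = token.split(".", 1)
        key = int(key_str)
    except ValueError:
        return None
    if not hmac.compare_digest(mac, _mac_for(key, secret)):
        return None
    return SUBSCRIBERS.get(key)

# --- Assessment check: try sequential keys against each handler ---------------
def assessment_check(start: int = 1000, stop: int = 1010) -> Tuple[int, int]:
    """Return (addresses leaked by the vulnerable handler,
    addresses leaked by the signed handler) for one run of sequential keys."""
    leaked_vulnerable = sum(
        1 for k in range(start, stop) if unsubscribe_page_vulnerable(k) is not None
    )
    # Without the secret a tester can only supply a made-up MAC.
    leaked_signed = sum(
        1 for k in range(start, stop)
        if unsubscribe_page_signed(f"{k}.{'0' * 64}") is not None
    )
    return leaked_vulnerable, leaked_signed

if __name__ == "__main__":
    print("leaked (vulnerable, signed):", assessment_check())
    link_token = sign_key(1001)
    print("valid signed token resolves to:", unsubscribe_page_signed(link_token))
```

Either hardened form treats the link as a bearer credential, so it should still be single-purpose and, ideally, expire; the random-token variant needs a lookup table, while the HMAC variant needs only the secret but exposes the numeric key in the link.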

Mis-configured websites and portals are both easily preventable and extremely common ways that companies leak personal data. It’s quite easy to find other examples illustrating both the good and bad ways to respond to common website vulnerabilities based on flawed design. Two similar vulnerabilities were reported publicly in the last year or so: True Health Diagnostics and Panera Bread Company both experienced similar but unique circumstances.

Like Lifelock, when True Health Diagnostics was made aware of their web vulnerability, they immediately worked to correct the issue and minimize the potential harm. They took down their website, then made the necessary changes very quickly once apprised of the situation. The company undertook a reasonable and positive PR approach, assured everyone that the problem had been fixed, and soon it was business as usual.

This, however, is in stark contrast to Panera Bread Company, which blatantly ignored notice by a third-party security researcher who spotted their web vulnerability. After 8 months of informing Panera of the vulnerability and documenting interactions with Panera’s head of IT security — and getting nowhere — the cybersecurity consultant engaged in a public shaming of the company to effect recognition of the issue.

In fact, not only did Panera fail to respond when the problem was initially reported to them, they claimed it was fixed only to find that their B2B portal was also vulnerable and potentially compromised. To add insult to injury, the company misrepresented the actual number of impacted parties and botched the response from both a security and a PR perspective.


Taking swift action

What is not clear is whether the Lifelock flaw was ever directly reported to the company. Though it seems that Lifelock attempted to remediate the issue immediately, it is important to note that Lifelock’s website does have a place for outsiders to submit security vulnerabilities that they notice. This is probably something that most businesses should consider having themselves.

But why wasn’t the vulnerability detected through standard security and due diligence?

When conducting an initial design review, web developers generally don’t ‘throw systems together’ without at least describing the sets of interactions between them, such as how they reference databases. Even if the problem was not flagged in the design phase, it probably should have been detected by a standard web app security assessment. This is important for underwriters and brokers to understand: No matter how tight the ship, there’s always water seeping in somewhere. That’s why even well-built ships have bilge pumps.

The takeaway for brokers, insurers

In this age of complex, multi-level corporate IT systems and web apps, missing vulnerabilities should not just be a worry, it should be expected. Regardless of whether your business is owned by an antivirus company or you simply sell ham and cheese sandwiches on ciabatta rolls, human error is the true key weakness in IT infrastructure.

What about how the vulnerability was actually discovered/reported?

Organizations need to accept that it’s more likely than not that a vulnerability or breach will be pointed out by someone outside the organization. Both the recent Lifelock situation and the True Health Diagnostics scenario demonstrated model corporate reactions that:

  1. Acknowledge the issue;
  2. Immediately work to remediate the issue; and
  3. Communicate about the issue with the public.

However, the Panera Bread Company example is also a good illustration of how a corporate information security office’s hubris and ego can compound the delayed recognition of an issue that was politely pointed out to them, leading to an eight-month slow exposure of millions of people’s and companies’ information.

Study after study finds that the majority of data breaches aren’t actually discovered by the entity itself but by a third party like a customer, vendor, law enforcement, or activist security researcher/blogger.

Underwriters and brokers should look at an organization’s external security reporting protocols to understand how a third party reporting a vulnerability or breach can get to the right person. Recent studies show that as much as 80% of vulnerabilities and security breaches are discovered by third parties, according to the Verizon 2016 Data Breach Investigations Report. Failing to have a proper process in place and denying the problem casts your business in a much worse light with both regulators and public opinion if something happens.

Lessons for cyber insurers

It’s important not just to understand how cyber events occur, but it is becoming equally important to understand how they’re discovered, reported and disclosed to the public.

Organizations need to have a process for vulnerabilities and breaches reported by customers, vendors, law enforcement or InfoSec folks, since it’s the only way organizations can take control of the messaging. Neglecting this aspect of cyber risk management can be dangerous, not just under U.S. breach and security regulations but also under extraterritorial exposures like Europe’s GDPR and Canada’s federal breach notification requirement.

Wouldn’t you like to find out about your company’s vulnerability or data breach before a blogger, the public and the regulators do?

Eduard Goodman is the global privacy officer at CyberScout. He can be reached by sending email to lclark@cyberscout.com.

The opinions expressed here are the author’s own.
