A spate of high-profile security incidents over the past few years (and the damaging fallout from those incidents) has caused many enterprises to turn toward cybersecurity insurance for protection against business-damaging scenarios. The problem? Many insurance programs fall short when it comes to one of the riskiest aspects of modern technology: dealing with the software and systems of third parties. Enterprise CISOs have to understand policy exclusions and know how to protect the aspects of their business that these policies won't.
The Emergence of Cyberinsurance
As the number of security incidents rises and their associated costs quickly escalate to millions of dollars, it's not surprising that businesses are turning to insurance to protect themselves. A general liability policy may have sufficed not too long ago, but as Dark Reading points out, those policies weren't written with cybersecurity incidents in mind. Additionally, insurance companies are now writing in exclusions to negate claims against damages caused by the loss or theft of information.
Cybersecurity insurance has risen to fill this gap in coverage, but simply purchasing it is far from enough to protect your business. These policies are rife with exclusions that can leave a business stranded when it needs coverage most, including stolen information that resides in written form, claims brought by the government and unencrypted information.
Perhaps the most costly exclusion, and one all enterprises need to be aware of, is lack of coverage for vicarious liability. This means that if data is lost or stolen while in the hands of a third party, the insurance company is not liable to cover the claim. This makes sense, since it's impossible for an insurance company to correctly gauge the level of risk when third parties are involved — but when you consider just how often third-party software or systems are used in a modern enterprise, it's easy to imagine a situation where very little data is ever fully covered.
The Realities of Third-Party Risk
Cybersecurity insurance is an important factor for enterprises looking to mitigate their risk — but without coverage for third-party software, it can only go so far. Thanks to the popularity of cloud-based solutions, outsourced software and open-source code, third-party software is now an integral part of just about every enterprise IT department. Since insurance companies are unlikely to change the way they do business, enterprise CISOs must find other ways to limit associated risk.
While requiring third-party software vendors to submit security self-assessments and ensuring they adhere to security standards such as PCI DSS or are measured against a maturity framework such as vBSIMM is a good start, these things don't provide the assurances CISOs need. True third-party security has to have a more active component, which is where security testing of the software product itself comes in.
A trusted security vendor can assist in ensuring outsourced programs are secure by scanning software for vulnerabilities that are out of line with the security policy of the enterprise that is purchasing the product. Any vulnerabilities found will need to be addressed by the software supplier before the enterprise can safely leverage the software product. By using SaaS vendors for security testing, an enterprise can maximize the scale of its security testing program and ensure that all third-party code is tested before being released into production.
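The "test before release" step above only works if scan results are compared against the enterprise's own policy and the comparison blocks deployment. The following is an added example, not code from the original post or from any scanning vendor: it loads a constructed scan report (the JSON format, finding fields, severity levels and policy names are all assumptions, not any real scanner's schema) and gates the third-party component on a policy that sets a maximum tolerated severity plus a list of vulnerability categories that are never acceptable. Findings with an unrecognized severity are treated as blocking rather than silently passed.

```python
import json
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Constructed sample report for a hypothetical third-party component.
# The schema is an assumption made for this example, not a real scanner's output.
SAMPLE_REPORT_JSON = """
{
  "component": "vendor-widget-lib",
  "version": "2.3.1",
  "findings": [
    {"id": "F-001", "severity": "high",   "category": "sql-injection",   "location": "db/query.py"},
    {"id": "F-002", "severity": "medium", "category": "info-disclosure", "location": "api/errors.py"},
    {"id": "F-003", "severity": "low",    "category": "logging",         "location": "util/log.py"}
  ]
}
"""

# Ordering used to compare a finding's severity with the policy threshold.
SEVERITY_RANK: Dict[str, int] = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class ReleasePolicy:
    """Enterprise acceptance policy for third-party code (assumed structure)."""
    max_severity_allowed: str            # highest severity a release may still ship with
    blocked_categories: FrozenSet[str]   # categories that block release at any severity


def load_report(report_json: str) -> Tuple[str, List[dict]]:
    """Parse the (assumed) report format into (component name, list of findings)."""
    report = json.loads(report_json)
    return report["component"], list(report.get("findings", []))


def evaluate(findings: List[dict], policy: ReleasePolicy) -> Tuple[bool, List[dict]]:
    """Return (release_allowed, blocking_findings) for a list of findings."""
    threshold = SEVERITY_RANK[policy.max_severity_allowed]
    blocking: List[dict] = []
    for finding in findings:
        rank = SEVERITY_RANK.get(str(finding.get("severity", "")).lower())
        if rank is None:
            # Unknown or missing severity: fail closed, never assume it is benign.
            blocking.append(finding)
            continue
        if rank > threshold or finding.get("category") in policy.blocked_categories:
            blocking.append(finding)
    return (len(blocking) == 0), blocking


def gate(report_json: str, policy: ReleasePolicy) -> bool:
    """Print a short verdict and return True only if the component may be released."""
    component, findings = load_report(report_json)
    allowed, blocking = evaluate(findings, policy)
    if allowed:
        print(f"{component}: {len(findings)} finding(s), none block release")
    else:
        print(f"{component}: release BLOCKED by {len(blocking)} finding(s)")
        for f in blocking:
            print(f"  {f.get('id')} [{f.get('severity')}] {f.get('category')} at {f.get('location')}")
    return allowed


if __name__ == "__main__":
    # Hypothetical enterprise policy: tolerate up to medium, but never accept injection bugs.
    policy = ReleasePolicy(max_severity_allowed="medium",
                           blocked_categories=frozenset({"sql-injection", "command-injection"}))
    gate(SAMPLE_REPORT_JSON, policy)
```

In a real pipeline the policy object would be loaded from a version-controlled file and the return value of `gate` would decide whether the vendor build is promoted to production; the supplier gets the list of blocking findings back as the remediation request the text describes.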
Enterprises should seriously consider cyberinsurance in a world where the loss of customer information can have expensive and time-consuming fallout. However, CISOs can't just assume that if they're covered, they're protected. There's no avoiding third-party software and systems these days — especially in an enterprise — and very few insurance companies will cover related data loss. To cover these gaps in cybersecurity insurance plans, CISOs have to find a way to secure third-party software.