Internet, Information Technology & e-Discovery Blog

Social changes brought about by the Internet & Technology

Sales of Cyber insurance policies grow by 400% after ransomware attacks - soon to be as common as fire insurance!

Posted in Cyber, eCommerce

Reuters reported that Danish insurance company Tryg issued a second quarter report that it “sold 2,800 cyber insurance policies in the quarter, up from 700 between January and March.”   The July 11, 2017 report entitled “Tryg sees rapid rise in cyber insurance sales after Wannacry” included this comment from Tryg chief executive Morten Hubbe:

We think that for both big and small businesses it will become just as normal to have a cyber insurance as it is to have a fire insurance.

Reuters also included these observations:

The rapid rise in demand was prompted by the ransomware attack, named “Wannacry”, that infected more than 300,000 computers in May and last month’s global cyber attack that hit across Russia, Ukraine and multinational firms.

Do you have cyber insurance yet?  If not, why not?

10 Questions you should ask about SLAs (Service Level Agreements) - which aren’t really Agreements!

Posted in eCommerce

Many cloud agreements I negotiate fail to include any details about SLAs, so you may want to look at the CIO.com article about them. SLAs set general performance levels for IT services, but an SLA is not an Agreement; rather, an SLA “is simply a document describing the level of service expected by a customer from a supplier, laying out the metrics by which that service is measured, and the remedies or penalties, if any, should the agreed-upon levels not be achieved.”  The June 26, 2017 article entitled “SLA definitions, solutions and best practices” included these 10 questions to ask about SLAs:

  1. What is an SLA?
  2. Why do I need an SLA?
  3. Who provides the SLA?
  4. What’s in an SLA?
  5. What are key components of an SLA?
  6. What is an indemnification clause?
  7. Is an SLA transferable?
  8. How can I verify service levels?
  9. What kind of metrics should be monitored?
  10. What should I consider when selecting metrics for my SLA?

Since SLAs are critical to cloud operations, everyone needs to know more about them.

Cyber insurance premiums grew 35% in 2016 - over $1.3 Billion!

Posted in Cyber, eCommerce

A.M. Best reported that the top “cyber insurance writers have shifted away from writing packaged policies to standalone coverage by nearly a 70-30 split on the $1.3 billion of direct premiums written in 2016,…and this shift mainly results from many insurance companies realizing that tailored coverage forms addressing cyber liability risks separate from traditional insurance products, such as commercial general liability, business interruption or directors and officers policies, were more efficient and effective.”  The June 26, 2017 report entitled “A.M. Best Special Report: U.S. Cyber Insurance Market Topped $1 Billion in 2016; More Writers Move to Standalone Policies” included these comments:

Overall, cyber insurance for the majority of this universe of companies was profitable, and the direct loss ratio decreased by 4.5 percentage points to 46.9% in 2016 from 51.4% in 2015.

The decline in direct loss ratio for 2016 is partially attributed to the majority of reported cyber-attacks being related to ransomware heists.

In almost all ransomware cases, the losses were well below the deductible and a simple backup recovery resolved and remedied any negative long-term effect of the attacks.

Additionally, due to the general language of packaged policies, insurance companies have faced expensive litigation in cases where such policies did not include exclusory language.

Many businesses have not purchased cyber insurance and need to investigate sooner rather than later.

Google fined $2.7 BILLION!

Posted in eCommerce

NPR reported that Google violated EU antitrust laws, as it “denied other companies the chance to compete on the merits and to innovate. And most importantly, it denied European consumers a genuine choice of services and the full benefits of innovation.”  The June 27, 2017 article entitled “Google Hit With $2.7 Billion Fine By European Antitrust Monitor” included these comments from European Commissioner for Competition Margrethe Vestager, who said that Google “abused its market dominance … by promoting its own comparison shopping service in its search results, and demoting those of competitors,” and the following:

While acknowledging that Google’s strategy included a plan to make its shopping product better than anyone else’s, she said that the way the company treated its rivals and “systematically” ranked its own service at or near the top of the rankings went beyond the normal scope of competition.

Google adopted the same practice in all 13 EU countries where it unveiled its shopping service, the European Commission says, starting with Germany and the United Kingdom in 2008 and, most recently, with Austria, Belgium, Denmark, Norway, Poland and Sweden in late 2013.

As for the effects of Google’s strategy, the commission says that traffic to Google’s comparison shopping service rose “45-fold in the United Kingdom, 35-fold in Germany, 19-fold in France, 29-fold in the Netherlands, 17-fold in Spain and 14-fold in Italy.”

The commission says that Google’s rivals saw their traffic plummet — by 85 percent in the United Kingdom, 92 percent in Germany and 80 percent in France.

Kent Walker, Google General Counsel responded:

We believe the European Commission’s online shopping decision underestimates the value of those kinds of fast and easy connections. While some comparison shopping sites naturally want Google to show them more prominently, our data shows that people usually prefer links that take them directly to the products they want, not to websites where they have to repeat their searches.

The New York Times made these comments about what Google will have to do:

…focus will most likely shift quickly to the changes that Google will have to make to comply with the antitrust decision, potentially leaving it vulnerable to regular monitoring of its closely guarded search algorithm.

Stay tuned, as Google’s appeal process will be interesting to follow.

Anthem agrees to pay $115 million for 2015 cyber intrusion to settle litigation!

Posted in Cyber, eCommerce, Internet Privacy

BusinessInsurance.com reported that “Anthem Inc., the largest U.S. health insurance company, has agreed to settle litigation over a hacking in 2015 that compromised about 79 million people’s personal health information for $115 million, which lawyers said would be the largest settlement ever for a data breach.”  The June 26, 2017 report entitled “Anthem to pay record $115M to settle lawsuits over data breach” included these details:

The money will be used to pay for two years of credit monitoring for people affected by the hack, the lawyers said.

Victims are believed to include current and former customers of Anthem and of other insurers affiliated with Anthem through the national Blue Cross Blue Shield Association.

People who are already enrolled in credit monitoring may choose to receive cash instead, which may be up to $50 per person, according to a motion filed in California federal court Friday.

American International Group Inc. leads Anthem’s cyber insurance coverage.

I’m sure the record $115 million settlement will be exceeded before we know it!

Honda plant halted operations because of WannaCry Ransomware!

Posted in Cyber, eCommerce

The Financial Times reported that the “Japanese carmaker revealed that it temporarily halted production at its Sayama plant, northwest of Tokyo, after it discovered that some of its computers were affected by the ransomware late on Sunday.”  The June 21, 2017 Financial Times report entitled “Honda plant hit by WannaCry ransomware attack” included a confession from Honda that the:

…security measures were not sufficient for older versions of its computers such as the ones that were installed at the Sayama plant. The company is also continuing to examine whether any of its computers located overseas had been affected.

The report also included these comments about Nissan:

Elsewhere in Japan, carmaker Nissan, which has an alliance with France’s Renault, last month suffered a similar attack on some of its units, including its plant in Sunderland in the UK.

With all the ransomware attacks going on, it’s clearly time to replace older computers, which are ransomware targets.

7 Flavors of CyberCrimeware as a Service (CaaS) includes Ransomware as a Service (RaaS)!

Posted in Cyber, eCommerce

Darkreading reported that inexpensive CaaS offerings include malware: “botnets, phishing and backdoors are all offered on the cheap as subscription. These days even crime is in the cloud.”  The June 13, 2017 Darkreading report entitled “The Rising Tide of Crimeware-as-a-Service” included these comments about RaaS:

The incipient rise of ransomware has occurred in lockstep with the increasing occurrence of ransomware-as-a-service. One of the first cropped up in 2015; Tox was remarkable for its unique business model. It was offered up on a profit-sharing basis. Its writers asked no up-front fee but did request 20% for any ransom paid by victims to its users. Tox dropped off the scene fairly early on, but it’s been followed by plenty of copycats. The profit-sharing must be lucrative for everyone involved because malware writers have significantly upped their vig. According to reports last summer, Cerber authors were charging a 40% cut in ransoms paid to users of their services.

Here are all 7 CaaS flavors:

  1. Shadow Broker Service
  2. Services Costs Meet Market Demands
  3. IoT Botnet Rental
  4. Modularized Malware Services
  5. Ransomware-as-a-service
  6. Phishing-as-a-Service
  7. Backdoor-as-a-Service

No doubt cybercriminals will continue to proliferate versions of CaaS, so watch out!

IBM Blockchain & AIG team up for “Smart Insurance”

Posted in eCommerce

Reuters reported that “AIG and IBM completed a pilot of a so-called “smart contract” multi-national policy for Standard Chartered Bank PLC which the companies said is the first of its kind using blockchain’s digital ledger technology.” The June 15, 2017 report entitled “AIG teams with IBM to use blockchain for ‘smart’ insurance policy” included this explanation:

The Standard Chartered policy uses blockchain to facilitate sharing of real-time information for a main policy written in the United Kingdom, where the bank is headquartered, and three local policies in the United States, Singapore and Kenya.

Surely we will see more Blockchain insurance as Blockchain becomes more mainstream!

GUEST BLOG: Pacemakers (Think IoT) are not Cybersecure, does that bother you?

Posted in Cyber

My Guest Blogger Eddie Block (CISSP, CIPM, CIPP/G, CISA, CEH) is a senior attorney in Gardere’s Litigation Group and member of the Cybersecurity and Privacy Legal Services Team who focuses on all aspects of information cyber security, including credentialing functions, firewall and IDS deployment and monitoring, and penetration testing, and related complex litigation.  Eddie blogs at JurisHacker.

Eddie Block Dec 2 2016

We have to do better: Pacemaker security

Last week Billy Rios and Jonathan Butts published research on the security of pacemakers.  In all, they identified over 8000 vulnerabilities in third-party components within the subsystems of 4 major vendors’ physician programming and home monitoring devices.

These vulnerabilities exist primarily because vendors are able to cut development time by using commonly available libraries.  While the libraries may be considered secure when initially deployed, over time new vulnerabilities are discovered.  Unfortunately the patches for these vulnerabilities are not uniformly applied.

This is a common problem with embedded devices, internet-of-things things, and industrial control systems.  The use of public libraries makes sense to get a product to market, but many vendors don’t account for the update and patch process.

Additionally, as I’ve written about before, many vendors still use hardcoded or backdoor passwords.  The researchers have been able to verify hardcoded credentials in three of the four devices tested.

We have to demand better from the vendors selling critical information technology, whether it is an industrial control system or medical equipment.  Simple vulnerabilities like insecure libraries, the inability to patch, and hardcoded credentials must be addressed by vendors.

No surprise about cyber risks in V2V (Vehicle to Vehicle) – Think “Driverless Cars”!

Posted in Cyber

The New York Times reported that in protecting driverless cars from cyber attacks the “primary challenge will be preventing hackers from getting into the heart of the car’s crucial computing system, called a CAN (or computer area network).” The June 7, 2017 report entitled “Electronic Setups of Driverless Cars Vulnerable to Hackers” included this proposal from the National Highway Traffic Safety Administration:

…that V2V equipment be installed in all cars in the future. But that channel, and all the equipment involved, open millions more access points for would-be attackers.

The New York Times also made these predictions:

It will be five to 10 years — or even more — before a truly driverless car, without a steering wheel, hits the market. In the meantime, digital automobile security experts will have to solve problems that the cybersecurity industry still has not quite figured out.

Protecting V2V from cyber attacks will clearly be a challenge!