BreachExchange mailing list archives

How to Approach Maritime Cyber Security


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 10 Apr 2015 13:33:37 -0600

http://www.marinelink.com/news/approach-maritime389087.aspx

Maritime security professionals understand the value of a layered approach
to risk management. Cyber security posture continues to develop as a
critical component of a maritime security strategy, and cyber security
insurance has become a valuable layer of protection that risk managers must
consider.
While the insurance industry has decades or more of actuarial data on
various kinds of risk (typhoons, tornadoes, earthquakes, etc.), no
comparable body of data exists yet for cyber risk.
In June 2014, the Center for Strategic and International Studies [CSIS]
cited statistics that should get any risk manager’s attention in the
maritime industry: at least 3,000 U.S. companies were the victims of some
kind of cyber crime last year, and the global cost of this problem is
estimated to exceed $400 billion. The bad news is that in reality, these
numbers are likely higher, since some of these costs are difficult to
measure. The good news, if there is any, is that C-Suite executives and
corporate boards are beginning to focus on cyber risk management in a
meaningful way. Since the maritime industry is truly a data-driven
environment, cyber security has to be part of the risk management equation.

The Three Things
The basic approach to incorporating cyber security insurance into any
maritime risk management portfolio has three primary components. These
essential elements are:

INFORM   When the right questions are asked, and intelligence resources are
tailored to a firm's discrete business profile, those resources can expose
and illuminate weaknesses and vulnerabilities. Significant capabilities are
currently available to risk managers for managing security intelligence
through experienced field operators. The best front-end information
management solutions will provide firms with the input required to identify
and respond to actual global threat activity. When cyber threat responses
are tailored by specific intelligence relevant to a particular business,
maritime security executives can optimize the impact of their security
operations and cyber risk management programs.

ASSESS There are multiple assessment tools and methodologies being offered
in the marketplace, which can come bundled with a virtually endless
combination of deliverables and assessment output. This has caused some
confusion about what constitutes an appropriate cyber security
assessment. Unfortunately, the current approach to risk assessment often
gets reduced to a "check-the-box" exercise. Firms are better served by
assessing actual rather than general risk. Reviews of internal policies,
governance, and operations, as well as a gap analysis focused on accepted
industry standards and best practices, should be included in any assessment.
Additionally, it is important that firms evaluate all network endpoints to
look for exposures. The firm's technology team should be included as
a risk assessment partner: bringing key stakeholders directly into the
assessment process enhances the results. The CISO / CTO, or equivalent, is
often armed with the best possible real-time data and informed business
cases that are directly relevant to C-Suite executives and other key
corporate leaders. Once the entire network is evaluated, expert assessors
can determine whether the company is prepared to deal with the specific
threats and risks that are likely to impact it.

ACT    By using assessment output as a risk management work list, firms can
work with their insurers to directly manage their specific risk profile
and, subsequently, lower their premiums. Risk managers should suggest this
kind of collaborative effort to their insurers. Because a thorough
assessment process will typically identify actual vulnerabilities,
exposures, and potential network problems, this information can also be
used to inform an insurance underwriting decision. When a collaborative
effort is made to assess vulnerabilities, firms can begin immediately to
work with their insurer on action focused on risk mitigation. As in
other maritime insurance specialties, the cyber liability insurance carrier
will expect both parties to work together in this way. Establishing a
regular and open dialogue allows ideas to be shared and actively
builds mutual trust.

Manage Risk Before it Manages You
The goal should not be to completely eliminate cyber security risk, because
that isn’t possible. A realistic objective is to manage risk rather than to
eliminate it. This means that cyber risk management initiatives start with
leadership. Many firms lack the time and resources to study the profiles,
capabilities and motivations of all potential adversaries. But resources
are available in the security market to help corporate leaders of any sized
organization prepare for disruptive events. By working with experts to
understand risk appetite (tolerance for risk), and the corresponding level
of preparedness, maritime industry leaders can make informed risk
management decisions about cyber security.
In the maritime industry, intellectual property and proprietary data about
shippers, carriers, commodity types and consignees can truly be a firm's
crown jewels: the prized possession that ensures a competitive advantage
and anchors its ability to survive disruptive events. So what does it
mean in terms of corporate viability when those crown jewels are at risk?
There are numerous recent examples where a single cyber security-related
incident proved to be catastrophic.
Insurers need to understand the risk profile of a particular candidate
insured in order to inform their underwriting decisions. But how do they
predict the unpredictable? Cyber threats are developing and being
identified at a very rapid pace. And inherently unpredictable behavior
presents a dilemma for most insurance companies as they try to evaluate
cyber risk in the maritime industry. Insurers and insureds who place
emphasis on cyber security intelligence, and assessment data, are best
positioned to collaboratively mitigate risk. Firms that subscribe to this
Intelligent Cyber Insurance approach have the greatest potential for
success.
Corporate Boards and Chief Executives should be asking the hard questions:
If a cyber security breach does occur, is the firm prepared to rapidly
remediate and re-constitute business operations? Who will be the lead agent
in charge of the various aspects of the response and remediation? Which
executive has been assigned to provide timely and accurate information to
employees, customers, and to the press? Is the firm prepared for the
various legal and regulatory compliance tasks that may result from a
breach? And when was the last time that the IT, security, legal, and human
resources teams met to plan for contingencies? Cyber security should not be
treated as just another Information Technology [IT] challenge in the
maritime industry. That approach over-simplifies and under-estimates the
threat…and has a high probability of failure. Maritime firms are better
served to cultivate a culture of security and resiliency and to counter
cyber threats by investing in a layered approach to risk management.

Dress for Success
A “well-dressed” risk manager should be looking to include as many of the
following cyber security insurance policy features and benefits into their
risk management approach as possible:
General protections: Do you have coverage for loss in profits as a result
of negative press? Is the jurisdiction of your policy worldwide, with a
provision that claims can be brought outside of the U.S.? Does your policy
include coverage for accidental damage or destruction, and administrative
mistakes? If your reporting period doesn’t extend to 3 years, you should
think about re-negotiating your coverage.
Regulatory and Compliance Coverage: Are you covered for expenses related to
voluntary customer notifications? Can you claim losses related to exposure
of commercial, corporate and employee confidential information?
Business Interruption Coverage: Does your policy cover privacy liability
and losses related to cyber extortion? Can you claim expenses related to
crisis event management, and dependent business income loss? Can you get
reimbursed for digital asset restoration expenses? Are security breach
response costs covered?
Collaborative risk partnership: Are you and your insurance carrier in
consistent dialogue over cyber liability issues? Is the carrier assisting
you in driving the firm's culture towards active cyber security?
Exclusions: Finally, what is truly covered and what is excluded in your
policy? Many policies exclude Terrorism, Acts of War, and State-Sponsored
Criminal Activity. Does the Cyber policy you currently have or do the
policies you are currently considering cover these emerging and destructive
risks? Risks driven by a “Lone Wolf” hacker are now a small portion of
cyber criminality. Sophisticated, “state-sponsored” cyber attacks have
become increasingly more common and devastating to global businesses.
Commercial survival may depend upon the ability to rapidly reconstitute
business operations following a major disruptive event. If your insurance
broker hasn’t already provided you with cyber coverage that facilitates
follow-up procedures for discovered threats; access to rapid, post-incident
response resources; implementation/integration of monitoring and enterprise
forensic tools; and regular analysis of security policies including
physical security, internal controls, and data backup, then you may need to
reconsider your coverage options.

Be the Hammer
While short-term consequences of a breach are usually fairly obvious, the
long-term consequences are not as clear. According to the U.S. House of
Representatives, Small Business Sub-Committee on Health and Technology,
approximately 60% of small businesses close their doors within half a year
of being victimized by cyber crime. Costs associated with finding & fixing
vulnerabilities, updating systems, as well as public relations expenses and
legal fees, can conspire to destroy previously viable enterprises.
There are four words that no corporate executive wants to hear: "the
network is down." The financial and reputational stakes tied to cyber
security threats may never have been higher. Target's
fourth-quarter earnings release in February 2014 revealed that it incurred
$61 million in breach-related expenses following its very public cyber
problem. After the company received insurance payments, its net expenses
for the hacking incident still totaled approximately $17 million. Few
companies can afford this type of "shock" loss, and they must look to the
insurance industry to transfer some of their risk and to tap into
industry expertise that can provide risk mitigation support.
Maritime professionals will continue to be held accountable by customers,
shareholders, and the general public for their security decisions. A
comprehensive cyber insurance program can serve as a focal point for closing
cyber security gaps and investing in resiliency. The right underwriting
process can lead to assessing, correcting, and even predicting cyber
exposures and their potential business impact in the maritime industry. In
order to position their firm to be insurable, risk managers must have
access to the requisite cyber risk mitigation expertise, be able to
identify and understand cyber risk profiles, and be familiar with existing
cyber security insurance coverages and exclusions. Deciding how much cyber
liability insurance to invest in, prior to experiencing a significant
breach, requires informed and inspired leadership. Corporate risk
management policies, plans, procedures and governance are incomplete
without consideration of cyber security insurance. Be the hammer, not
the nail.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/