Category Archives: Compliance

Lloyd’s Tries to Define Acts of Cyberwar

Or at least standardized policy language on the subject.

Cyber insurance policies have always had language excluding “hostile and warlike actions”, whatever that means. In practice it means full employment for lawyers, and a long wait before you get paid.

The Lloyd’s Market Association (LMA), the trade body that represents the syndicates writing Lloyd’s-backed policies, has published four model clauses to replace that vague and outdated language.

The four model clauses can be used in whole or in part and offer a range of coverage positions on state activity. In broad terms, they exclude cyber operations carried out during a war, operations by a state retaliating for other cyber activity, and operations whose impact rises to the level of national or homeland security as a whole. The least restrictive wording carves out an exception to that last exclusion when the operation is directed at a system covered by the policy; the more restrictive wordings do not.

As a major insurer lifts the fog of cyberwar coverage, new definitions emerge | SC Media

At least one piece of good news: the new Lloyd’s wording puts the burden on the insurer to prove that the attack was a state action.

What is unclear at this point is whether insurers will be more aggressive about invoking the exclusion now that it is better defined. That will be the biggest question with the new wording.

This is on top of the rising insurance prices and declining coverage maximums that many companies are seeing when they renew their policies.

Reuters reported that Lloyd’s had “discouraged its 100-odd syndicate members from taking on cyber business next year”. LMA’s underwriting director countered that it makes no sense for syndicate members with a good track record to refrain from writing new business; in fact, he said, he anticipated their cyber business growing in 2022.

All that being said, the market has to change.

What we are seeing is underwriting conditions getting stricter. Many clients are telling us that their underwriter is requiring very specific security measures, like MFA on all systems or a particular kind of endpoint protection. ASSUME THAT IS GOING TO CONTINUE.

Moody’s just invested a quarter billion dollars in Bitsight, a company that creates security scores for businesses. My suspicion is that once this investment is complete, your Bitsight score will be factored into your Moody’s risk rating. Bitsight and its competitors already work with multiple insurance carriers to score prospects. If your score is too low, you will not get insurance. Period.

This means that companies that do not want to be self-insured are going to have to increase their investment in protecting themselves. It is going to be forced on you by insurance carriers, state laws and industry regulators. Credit: SC Magazine and Threatpost

Privacy and China – In the Same Sentence?

China’s residents are not used to online privacy, living under one of the world’s most repressive and invasive regimes, but there is now an online privacy law called PIPL (Personal Information Protection Law).

It went into effect on November 1, 2021, and it will change how companies do business in China, but it won’t change a thing about how the government snoops.

While it may affect local Chinese companies like WeChat, TikTok and others, it will also affect how foreign companies do business in China.

Overseas companies may be blacklisted, which of course could escalate tensions.

Yahoo has already announced it is leaving China, and Microsoft’s LinkedIn said it is replacing what we think of as LinkedIn with a plain job board.

There are a lot of similarities between GDPR and PIPL; in some cases the language appears to have been lifted directly: the right to access your information, the right to correct it, the right to delete it and the right to withdraw consent.

Fines can be as high as 50 million yuan ($7.8 million) or 5 percent of annual revenue.

The PIPL regulator is a state agency – the Cyberspace Administration of China. Not exactly independent. Or neutral.

The law also requires companies that process a large volume of personal data (the threshold is not yet defined) to store that data inside China.

Now that Yahoo and LinkedIn have pulled back, the big one that remains is Apple. Apple has created a reality distortion field to keep doing business in China, possibly because of all the manufacturing it does there and the rare earth minerals it needs from China. In any case, Apple conceded the privacy of its Chinese users years ago.

Companies that want to export personal data out of China have to go through a government security review.

One thing that may be a result of China’s law is that other countries, particularly those in Asia, may also decide that companies have to keep data locally. Vietnam and India are already considering similar rules. Maybe others will follow.

For foreign companies (such as U.S. ones), that could mean changing their business models, their technology stack or even their algorithms.

Or, they may choose to not do business in some countries.

The result could turn the world into a bunch of data islands. Do I care if I don’t see data from people in China? I don’t think so. I am not sure that is a horrible result, but for some companies it messes with their revenue. Worse yet, it forces them into really hard choices, as it did Apple. Or it can cause other countries to retaliate. Stay tuned; this battle is far from over. Credit: Wired

Minimum Viable Secure Product (MVSP)

Managing vendor risk must be a core part of every company’s cybersecurity program, but it is hard.

Especially when the vendor is a tech company developing software that you use.

Minimum Viable Product, or MVP, is a term marketing folks have used for years to describe a version 1 product with the minimum set of features that a customer will be willing to use or buy.

Add another letter and you have another acronym to remember: MVSP, Minimum Viable Secure Product. This is YOU defining the MINIMUM set of security controls you require before you will buy or use a vendor’s product.

With a little work, this could become a standard.

In part, because this MVSP checklist is based on the vendor checklists already used by two small companies named GOOGLE and DROPBOX.

Rather than having to create your own set of “standards”, one has already been created for you, based on what Google and Dropbox require of their vendors.

And it is released under a Creative Commons 1.0 license (free for any use).

And it will be updated as needed.

Who should use it?

Proposal teams can include it in RFPs.

Anyone can use it for self assessments.

And vendor management teams can use it as their standard vendor cybersecurity questionnaire.

What is in it?

It contains four major sections: business controls, application design controls, application implementation controls and operational controls.

Section 1 contains eight controls, section 2 nine, section 3 four and section 4 three.

Alternatively, you can create this yourself. I am sure that you will do a better job than Google and Dropbox.

In fairness, you can tweak it for your own needs.

Credit: Helpnet Security

The MVSP project

The MVSP questionnaire

CISA Issues Cyber Goals & Objectives for Critical Infrastructure Control Systems

While the goals are currently voluntary, CISA has issued guidance on what it expects from pipelines and other critical infrastructure operators in light of the Colonial Pipeline attack. While it appears that the attackers in that case did not reach the control systems, attackers did reach the control systems in the Florida and Kansas water system attacks.

And while the goals are aimed at critical infrastructure, if they make sense for your environment, you might want to adopt them too.

CISA already has a raft of documents on the subject, so it reviewed and harmonized them into a single list. See the link at the end for more information. Here are some of the highlights; in the original, each goal comes with a rationale and a set of objectives.

  • GOAL: Identify and document cybersecurity risks to control systems using established recommended practices (e.g., NIST Cybersecurity Framework, NIST Risk Management Framework, International Society of Automation/International Electrotechnical Commission (ISA/IEC) 62443, NIST Special Publication (SP) 800-53, NIST SP 800-30, NIST SP 800-82) and provide dedicated resources to address cybersecurity risk and resiliency through planning, policies, funding, and trained personnel.
  • GOAL: Integrate cybersecurity and resilience into system architecture and design in accordance with established recommended practices for segmentation, zoning, and isolating critical systems (e.g., Industrial Control Systems-Computer Emergency Response Team Defense in Depth guide, Purdue Diagram) and review and update annually to include, as appropriate, any lessons learned from operating experience consistent with industry and federal recommendations.
  • GOAL: Document and control hardware and software inventory, system settings, configurations, and network traffic flows throughout control system hardware and software lifecycles.
  • GOAL: Physical access to systems, facilities, equipment, and other infrastructure assets, including new or replacement resources in transit, is limited to authorized users and secured against risks associated with the physical environment.
  • GOAL: Protect the control system and its data against corruption, compromise, or loss.
  • GOAL: Implement and perform continuous monitoring of control systems cybersecurity threats and vulnerabilities.
  • GOAL: Train personnel to have the fundamental knowledge and skills necessary to recognize control system cybersecurity risks and understand their roles and responsibilities within established cybersecurity policies, procedures, and practices.
  • GOAL: Implement and test control system response and recovery plans with clearly defined roles and responsibilities.
  • GOAL: Risks associated with control system hardware, software, and managed services are identified and policies and procedures are in place to prevent the exploitation of systems through effective supply chain risk management consistent with best practices (e.g., NIST SP 800-161).

For more details, see the CISA web site.

Be Careful What Contracts You Sign

While the details of this are interesting, what is more important is thinking about all of the contracts that you sign.

This is a legal battle that goes back several years.

In one corner is Fiserv, the (roughly) Fortune 200 financial services software behemoth.

In the other corner is Bessemer System Federal Credit Union, a small community credit union in Pennsylvania.

In 2018 Brian Krebs reported bugs in Fiserv’s platform that allowed one customer to see another customer’s name, address, bank account number and phone number.

So Bessemer FCU did some more testing and found more bugs – security holes.

According to the credit union, Fiserv responded with an aggressive notice of claims, attempting to stop Bessemer from discussing these security bugs with third parties, including other Fiserv customers.

In the end Bessemer sued Fiserv and Fiserv counterclaimed.

Fiserv said Bessemer breached its contract, among other things, and wanted attorney fees.

Much of the argument seems to center on the security review, which, if accurate, shows that Fiserv’s software is not secure, something other Fiserv customers might want to know about.

Fiserv says that Bessemer just wants to embarrass Fiserv and get out of paying some bills.

Without spending a lot of time reviewing the legal documents, it appears that Bessemer was not happy with Fiserv’s response to being notified about the bugs (namely, fixing them promptly) and wants to terminate the contract.

Fiserv appears to want to silence a critic (boy, is that failing) and does not want to let the customer out of its contract.

So what does that mean for you if you sign a contract with a vendor? Here are some thoughts.

  • The vendor is going to want you to sign as long a contract as possible and will usually offer you a price incentive to do so. If this is a new vendor, that is likely not a good deal for you. Shorter might make more sense.
  • Review the reasons for which you can terminate the contract and what termination will cost you.
  • Look for any clauses that stop you from talking about the vendor’s product quality. This is different from disclosing trade secrets. While bugs and security flaws may be confidential while they are being fixed, they should not be covered by this type of contract restriction.
  • Vendors should have a fixed amount of time to fix serious bugs, or you should be able to terminate the contract.
  • The contract should spell out that the vendor is liable for your losses resulting from security bugs. Software vendors will resist this like the plague, but why should you be responsible for their bad software?

The lawsuit is ongoing, and it will be interesting to see how it works out. Given that this is now in the news, Fiserv might be smart to try to make it go away. Quietly. A trial could be ugly. On the other hand, Fiserv has a lot more money than Bessemer does.

Stay tuned.

But think about the contracts you have signed and how you would fare in a similar situation.

On the other side, if you are a software vendor, how would you handle this situation?

Credit: Security Week

Are You Ready for the Next Supply Chain Attack?

On Friday, Cloudstar, a title industry software and hosting provider, was hit by a ransomware attack. Cloudstar operates six data centers and supports over 40,000 customer users. Now those customers are wondering what they are going to do.

Cloudstar users who close real estate sales are dependent on Cloudstar’s systems being up.

Cloudstar has been down since Friday. Their CEO says he doesn’t know when the systems will be back operational.

Cloudstar’s customers are scrambling today to be able to close loans.

In the meantime Cloudstar has brought in third party experts to help them.

While it is possible that Cloudstar was specifically targeted, as a Housing Wire article suggested, no one knows whether that is true. It is just as possible that they were another random victim after an employee clicked on a malicious link.

This particular software is core to the title business, so it is not as though a title company can do a Google search and replace it. Cloudstar’s competitors are circling like vultures, offering free setup and who knows what else, but the problem is that the companies that use Cloudstar’s services do not have access to the forms and client data that live on Cloudstar’s platform, which is now encrypted. Credit: ALTA

Title companies affected by this attack likely must report it to their regulator, since the working assumption of federal regulators is that a ransomware attack is a data compromise. They also likely have to tell their customers that their loan or other data may have been compromised.

Some of Cloudstar’s customers may go out of business, depending on how long Cloudstar is down. It could be anywhere from a few days to a month. Or more.

In helping our clients respond to Fannie Mae audits (MORA), we have seen that Fannie seems much more interested in regulated entities’ ability to respond to a ransomware attack and continue to support their customers. This is yet another issue that companies need to be concerned about.

But take a step back from the specifics of this supply chain attack. You likely have vendors that are critical to your business and that are also a single point of failure that cannot be easily or quickly replaced. Given the number of ransomware and other cyber attacks against service providers, companies need to prepare for the possibility that they will be in the same boat as Cloudstar’s customers are today. The alternative is that you lose access to your data, your business comes to a complete standstill, you have to report to regulators and customers that you lost control of your data and, potentially, you face significant expenses.

Are you ready?

Additional info credit: The Title Report