Cyber liability has been a big topic in the infosec world recently. It took center stage at the Black Hat 2015 keynote, and according to a new survey, cyber liability is top of mind for IT board members.
A survey of 276 board members was conducted by a joint venture between Veracode Inc., based in Burlington, Mass., and New York Stock Exchange (NYSE) Governance Services. The survey found that 60% of directors and officers expect an increase in shareholder lawsuits because of heightened corporate cybersecurity liability. As a result, most enterprises already have various kinds of cyber liability insurance.
According to the data, 91% of respondents have business interruption and data restoration protection; 54% have coverage for expense reimbursement -- PCI fines, breach remediation/notification and extortion, among others; 52% have employee or insider threat liability coverage; and 35% are seeking coverage against loss of sensitive data caused by software coding and human errors.
Additionally, the vast majority of respondents (90%) believed companies that do not make reasonable efforts to secure their data should be held liable by regulators, and third-party software providers should be held liable when vulnerabilities are found in their packaged software.
Sam King, chief strategy officer at Veracode, said lawsuits and cyber liability insurance should improve overall information security practices.
"Just as the evolution of fire insurance drove the creation and enforcement of minimum standards in the way buildings are constructed and protected, cyber liability insurance may soon establish a new baseline for cybersecurity best practices," King said. "As insurance providers tighten requirements for claims payouts, companies will be forced to meet a minimum standard of acceptable practices, thereby improving their overall security posture."
Mari Frank, Esq., certified information privacy professional and privacy expert, said that so far, courts have been relatively lenient in data breach cases, but that will change.
"The courts just don't know how to deal with all this. The federal courts have been, I would say, 'user-friendly' to companies, kind of giving them a break," Frank said, describing how courts have not issued penalties in cases of data breaches because no identity theft or other damages had been incurred at the time of trial, but that fines from the Federal Trade Commission (FTC) have led to changes. "What seems to have happened is that the more companies are fined or are sued and have to pay, the more likely they will take better precautions with security."
Frank said that because lawsuits will likely also target third-party providers, the improvements to cybersecurity should be seen there as well.
"When you're developing software, the Federal Trade Commission has recommended that you do privacy by design and security by design, which means that as you are developing this great software, you build into the architecture of the software the privacy and security issues instead of as an afterthought," Frank said. "It's going to be on their minds."
Frank said the courts are likely to be more lenient when it comes to human error in cases of data breaches, and the FTC will likely be more lenient when a company has done everything it could to prevent a breach. But she advised companies to make sure that cyber liability insurance policy guidelines are created as achievable security goals.
Third-party suppliers are expected to be the targets of lawsuits, but publisher liability for vulnerabilities that have been patched will likely be a tricky situation. Joe Pizzo, field engineer at Norse Corp., in Foster City, Calif., said enterprises still need to patch vulnerabilities in a timely manner.
"Third-party publishers address and release patches and bug fixes, especially for critical security vulnerabilities, very quickly," Pizzo said. "If a publisher releases a patch to fix the problem and the customer or user of that product waits for an extended period of time to update, and is then compromised, the liability falls on the user or customer."
Chris Wysopal, co-founder, CISO and CTO for Veracode, said cases of zero-day exploits likely wouldn't lead to third-party publishers being liable -- assuming a patch is released fast enough -- but there will be more complex situations where liability is hard to place.
"Android Stagefright is a good example of the complexity of this issue," Wysopal said. "Where does the liability land when there's a complicated -- yet very common -- chain that the patch needs to travel, and time becomes a real factor? Is it reasonable that a telco carrier wait 30 to 60 days after Google to issue a patch?"
Frank said the question of liability would also depend on when a publisher first learned about a vulnerability, rather than on when it was first exploited or patched.
"If you didn't know about it and you quickly addressed it, that's what a reasonable company would do," Frank said. "If you knew about it and you hid it because you wanted to avoid the embarrassment, or you lie about it, yes, you could be held liable. But there would be less liability if you address the issue immediately."
Wysopal said there will be a number of questions that need to be answered regarding when third-party developers and publishers can be held liable.
"There will likely be a greater question of what defines 'due care,' and whether companies are willing to accept a much more specific refinement of this language as part of standard license agreements or if regulators will need to step in and enforce it," Wysopal said. "We're at a really interesting point in the evolution of cybersecurity and corporate liability where these conversations are beginning in earnest, and I think it will take some time to work out how to handle various scenarios."
Frank said that, in most cases, the issues regarding liability for corporate breaches and when an organization or third-party supplier can be considered negligent will be determined by the facts of each case being tried, but there needs to be clarity in whether best practices are based on regulatory compliance or more strict security guidelines.
"In California, we have certain guidelines for what you should do to protect sensitive data of customers, and the FTC has guidelines," Frank said. "There are guidelines in a lot of different places, and I think certain things off the top, like not encrypting sensitive data, are going to be considered negligent. But the law is going to be interpreted according to the facts of the case."