Managing and transferring cyber risk: the 7th Annual Virtual Cybersecurity Conference for Executives.

Organizations managing risk usually adopt some mix of mitigation and transfer, with transferal of risk typically involving insurance. The Conference's second session, on March 17th, 2021, took up both.

The complicated relationship between patching and risk.

In the second session of the 7th Annual Virtual Cybersecurity Conference for Executives, hosted by Ankura and Johns Hopkins University Information Security Institute, Avi Rubin, Technical Director of the JHU Information Security Institute, discussed controls that can reduce an organization’s risk.

Rubin emphasized the importance of timely patching by reviewing the risk associated with a given vulnerability over time. The risk is very low before the vulnerability has been discovered by anyone, 

Ironically, the risk associated with a vulnerability rises significantly after a patch has been released, since the patch allows attackers to hone in on the vulnerability and create an exploit.“There’s a race against time as to when the patch is distributed – if you don’t apply that patch, you’re much more vulnerable than before it was even patched in the first place,” Rubin said.

Cognitive narrowing and increased vulnerability to social engineering.

Rubin also discussed social engineering tactics and how attackers rely on “cognitive narrowing” to trick people who might otherwise recognize phishing emails.

“You might get a phishing email, and perhaps you know better, and because you’re fooled by this phishing email, you have this cognitive narrowing and you’re not able to step outside and realize that this is in fact a dangerous email,” he said. “And different phishing attacks can appeal to different things in different people. For example, they may make you think that there’s something that you need to help someone who’s in trouble.”

Attackers use various techniques to induce cognitive narrowing, including by playing on fear or greed, introducing artificial time constraints, or by making the victim feel isolated and afraid to ask others for help. “It’s okay to slow down and process what’s happening,” Rubin said.

“Another thing to do is look at your life and see, did something happen that you didn’t expect?” Rubin added. “For example, if you get an email saying that you changed your payment method for some site, for Amazon or something like that, and you didn’t initiate that, then you need to follow through, you need to make sure your passwords are good. I’ve seen several times myself that I get a link saying, ‘Click this to confirm the payment transfer request.’ So, definitely not something I’m going to click on, because I didn’t make a payment transfer request. And these are the kind of things to be alert for.”

For organizations, Rubin recommended simulated phishing tests against employees and scenario-based planning and preparations.

Three areas of risk transference: insurance and assignment of liability.

Michele L. Cohen, Principal at Miles & Stockbridge, also spoke at the event, covering ways to transfer risk to other parties. Cohen discussed three areas of risk transference: customers, vendors and service providers, and insurance.

For customers, Cohen said it’s important to be clear and unambiguous in the risks that the customers will be assuming and those the business will be responsible for.

“When you are engaged in selling products or services to customers, there are things that you can do to carefully explain how risk works in connection with your contract relationship and who’s responsible for what,” she said.

These include signing physical and digital written contracts or terms and conditions documents.

“These documents describe liability and allocate who’s going to be responsible for them,” Cohen said. “And some of the types of liability that can be addressed...are warranties – what commitments and promises are you making to your customers about your product and service and the way you conduct your business. Whatever you are not specifically committing to should be specifically disclaimed.”

Driving down third-party risk.

For third-party vendors, organizations should first conduct an internal review that assesses all the departments that will be involved with the vendor, and where confidential or sensitive information will be involved. 

“You want to make sure that you understand, what is this vendor going to have access to?” Cohen said. “Is it just the vendor? Is the vendor going to be using subcontractors or third-party providers?” She added, “One question you have to ask is whether your vendor is doing similar due diligence on the companies that it hires to provide assistance.”

Cohen added that provider maturity is a key trait to look for when assessing a vendor.

“Does the vendor have its own WISP?” she said. “Does the vendor do its own diligence on subcontractors? What’s the vendor’s employee management practice? Do they provide training to their employees? Do they do background checks on employees who are involved in sensitive data situations? Do they have a risk management program? References – always a good idea to talk to people who have actually worked with this vendor and can tell you if they’re comfortable with the quality.”

Know what your cyber insurance policy covers.

The third area of risk transference is insurance, and Cohen said organizations need to ensure that they know the scope of their insurance coverage.

“There are two types of coverage: first and third party, and it’s important to know what you’ve got and does it cover,” she said. “So, first-party coverage is internal to you – it covers your losses and costs. And that could be investigation expenses, restoration of data, notice costs if you’ve got a data breach have to send notices out to affected individuals, maybe business interruption insurance, PR expenses, media expenses, things like that. Third-party coverage is the coverage that covers claims brought by third parties. So, if you are sued, it would cover damage awards to third parties. It could include litigation defense costs. It might include fines or penalties. And it’s important to know specifically what those coverages will include.”

But note: risk can't be completely transferred.

Cohen also noted that organizations will ultimately have to take on some level of risk themselves. 

“Not all risk can be transferred to a third party,” Cohen said. “In many cases, your best offense is a strong defense – maintaining the risk internally....From a legal and compliance perspective, some of the internal protections to address risk management that you can and should be doing are the use of corporate practices and policies. So for example, you would want to have a WISP in place to address data security risk, data mapping and data minimization plans and policies to address privacy compliance issues, disaster recovery planning to address physical risk, and also business risk related issues so your business operations are up and running on a continuing basis.”