There are four key areas through which you can mitigate the risks of cloud computing:

1. The contract: make sure you have meaningful liability terms, with each party’s duties carefully articulated – otherwise the contract could prove ineffective. The most important terms in the contract are those which establish which party bears the loss if the service provider suffers a security breach. Ask the provider to indemnify you for losses as a result of a data security breach. These costs might include breach notices, attorney fees, mailing costs, credit monitoring expenses and call center expenses. Look closely at, and if necessary modify, clauses that limit the provider’s liability, and consequential damage disclaimers. The contract also needs clear exit terms in case of the provider becoming insolvent, with provision for you to get your data back or transferred to an alternative provider (including from third parties).

2. Due diligence: make sure your provider can deliver on their promises. The Cloud Security Alliance provides a framework of security concepts and principles designed to help you assess the overall security risk of a cloud provider.

3. Incident response procedures: try to lock your provider into incident response procedures that dovetail with your own.  Stipulate:

  1. immediate investigation after a breach
  2. mitigating, remediating and notifying you promptly
  3. providing written reports and status reports after breach
  4. retaining information relevant to the breach: logs, planning documents, audit trails, records and reports
  5. an obligation for the provider to preserve data (and initiate a ‘litigation hold’) and allow your own forensic investigation and preservation process; permission to conduct your own forensic assessment of a breach – or for them to undertake it, providing reporting and information
  6. limited use of third parties to handle data without your consent, and a requirement to conduct full due diligence on third parties and impose contract terms similar to your own terms with the provider.

4. Good insurance: the fourth emergency service is of course a good insurance policy: don’t under-estimate the costs associated with an incident such as a data breach.  The language used in policies varies widely – make sure yours covers your real exposures.

Buying cloud is a leap of faith.  Before making the decision to move your data to the cloud, work through the potential risks, and make sure you control the risks through the contract.  In choosing a provider you may be offsetting price against safety and control – so your choice will depend on the sensitivity of your data.

Though the attack was stopped within a few days, it affected over 300,000 computers across 150 countries, with the hardest hit being the National Health Service in the United Kingdom.

When faced with a ransomware attack, companies have two choices: pay a cryptocurrency ransom to regain control of their data or face the expense of having to recover their data and rebuild their computer infrastructure. Many companies struck by WannaCry simply paid the ransom, calculating that the $300 ransom was far easier to deal with than the alternative, but they did so with the knowledge that they were relying on the promises of criminal hackers, who are definitely ramping up their level of activity, as well as their demands. The ransom being demanded has been increasing over the last couple of years, and even when companies pay the ransom, only two thirds have been able to recover the files that had been impacted.

A prime example of the threats posed by ransomware can be seen in what has happened to the world’s medical institutions. In 2017, cyberattacks on the healthcare industry began turning away from large institutions which had invested in better technological protections to smaller facilities, including surgical centers and physician practices. According to Michael Simon, president and CEO of Cryptonite, “Cyberattackers target healthcare networks primarily for two reasons – to steal the medical records they contain or to extort ransom payments. Medical records are the targets of choice, as this data is highly prized to support identity theft and financial fraud.”

Another growing concern is the vulnerability and exposure of companies that are increasingly reliant on the Internet of Things (IoT). These devices and objects that communicate with each other, and the Internet, have introduced a sea change for both business logistics and consumer convenience: according to Gartner, there are 5.5 million new connected things each day, and Cisco estimates that IoT’s value will be 50 billion dollars by the year 2020. Unfortunately, very few IoT devices are properly secured, and a study by Hewlett Packard determined that 70% of Internet of Things devices are vulnerable to attack.

Whether a cyber attack’s target is a health institution, a credit bureau, or any other type of organization, the damage can be far reaching and expensive. Denial of service attacks can impact companies’ operations and leave customer data vulnerable to compromise, and hackers are getting more sophisticated, changing their ransom demands once they realize the value of what they have impacted. The costs are enormous, with ransomware attacks costing businesses well over $1 billion in 2016, an estimated $5 billion in 2017 and an anticipated $11.5 billion by 2019. These costs include:

Some companies are purchasing Bitcoin in preparation for ransomware attacks, despite warnings against rewarding bad behavior. To prevent attacks, companies should introduce employee education programs regarding cyber threats and phishing, as well as IT protections such as secure backups and more sophisticated detection technology. If attacked, companies should report what has happened, even if they pay the ransom, and communicate with customers. One way or another, it is expected that the attacks will continue.

Ransomware attacks can leave media and tech companies vulnerable to theft, cyber liability, reputational damage and personal liability for board members. It’s vital that you not only purchase Cyber Insurance, but that you buy the right size and shape of insurance. La Playa’s Cyber Insurance Policies are custom built for your individual business after a careful analysis of your activities and risk exposures. Contact us today to speak to an experienced representative about how to secure your organization.

It’s cryptomining, a nearly effortless tool that hackers are now able to use, thanks to a new and more anonymous form of cryptocurrency known as Monero and hidden cryptocurrency processing software that invisibly infiltrates Microsoft Windows on everything from servers to Android and IoT devices. The system relies on a previously unknown NSA hack and the fact that any organization that uses blockchain technology necessarily connects through a transaction processor known as a miner. Chinese and Russian crime syndicates have weaponized all of these factors to invisibly attack IT systems.

Unlike previous hacker tools, which deny service and demand payment in big, bold, apparent strokes, cryptomining installs individual bots that operate independently and that steal on such a small scale that they go unnoticed.  By itself, each infection amounts to little of concern, and that means that it is low on a priority list for fixes: this is a mistake. When combined with all of the other systems that a single cryptomining operation infiltrates, it adds up to big business and big money. It is also nearly impossible to detect, and could lead to big losses.

So far, experts have found numerous methods by which cryptomining enters a system. Infected Microsoft Word file attachments can execute a Visual Basic script upon being opened, then move on to target Windows Management Instrumentation. Other methods involve a worm called WannaMine, tools that scan open debugging ports, and vulnerabilities in Microsoft SQL Server and Oracle WebLogic.

Unlike ransomware and other malware attacks, cryptomining requires no action on the part of an end-user: there is no email link or PDF file for users to click on, and no notification of their infection. What makes it so dangerous is the way it impacts systems. Instead of demanding ransom or stealing data, the damage is done by infecting millions of systems and stealing their computing power, and therefore the electricity that it relies upon. Though the theft may be so insignificant that it goes without notice, resulting only in higher electrical bills and slower computer performance, the hacker can choose to escalate their usage of the mining bots, using energy to an extent so great that it depletes entire systems and leaves companies without integral resources for extended periods of time.

Because cryptomining installs invisibly and is almost completely detection proof, it can easily spread throughout an organization unchecked until it is completely compromised, and the crime is quickly becoming so popular that there is a real risk that a single organization could be contaminated by multiple bad actors whose individual small-scale infiltrations could result in major slow-downs and enterprise-wide shut-downs.

In the face of ever-changing risks, it is important that you make sure that you have a clear view of what’s at risk and a comprehensive insurance policy that provides you with the protection you need. La Playa’s Insurance Policies are tailored to your business, to meet its unique and specific needs. Contact us today to speak to an experienced representative about how to secure your organization.

Author: Nic Muturniuc

As a young business pioneering in cryptocurrency, it’s vital that you can reassure your investors and stakeholders that your business – and their cash – has the best possible financial protection. But, while insurance for Fintech businesses is increasingly available, insurance for Cryptocurrency businesses can be less easy to secure.

 

                                                     

 

The advent of Fintech, and especially Cryptocurrency, has disrupted archaic markets, flustered regulators and created a brave new world of risk for its participants. There’s still an element of Wild West in the sector, and many insurers remain shy of the risk involved. While the insurers’ position is absolutely understandable, it’s up to the insurance broker or agency to educate and provide the necessary reassurances to get insurers engaged.

Heavy reliance on data, technology and infrastructure, evolving regulatory structures and the shadowy threat of cyber risks heap unpredictability and uncertainty on any new entrant to this space.

With headlines like “SEC says bitcoin funds raise ‘investor protection issues’” (Reuters, Jan 19 2018) highlighting the risks of cryptocurrency investments, the insurance implications are huge and underwriters are wary:

“Bitcoin’s 1,500 percent surge last year stoked investor demand for any product with exposure to the red-hot asset. A host of companies are jostling to launch exchange-traded funds which would open up the cryptocurrency to a broad retail market” – Reuters.

Macro influencers like governments will no doubt heavily impact the rate of growth in the sector – and its eventual regulatory structure. Bitcoin is especially popular in Asia, and governments’ positions there have had a very significant impact on the price of BTC. A recent ban by South Korea and the Chinese government halted trade due to a perceived lack of centralised control, while the Japanese authorities were actively encouraging the sector, until recent events with Coincheck, which are likely to push regulators to reconsider. In this context, western regulators are taking an equally conservative approach. While not faced with actual losses, regulators seem to be taking a preventive approach to protect vulnerable investors.

Taming the Wild West? Bitcoin meets the regulators

Regulation is a key chapter in the story of cryptocurrency. What position will regulators take?

While the philosophy of cryptocurrency and all derivative technologies and related applications is deeply rooted in libertarian principles, ultimately these ‘products’ will need to get sign-off from governmental regulators if they’re ever to take off. Regulatory principles like Know Your Customer (KYC), Anti-Money-Laundering (AML) and consumer protection are the main concerns of regulators. In many cases, cryptocurrencies – and especially blockchain technology – can ease rather than heighten regulators’ concerns. And generally the crypto, blockchain and libertarian community will most likely agree with these principles. You’ll find that regulators and the community share the same goals – it’s just a matter of agreeing on the means of getting there.

Insurance for Cryptocurrency Businesses

Meanwhile, it’s critical that you can reassure your clients that:

As a specialist Fintech insurance broker, La Playa can help you identify and mitigate your business risk, and structure insurance protection, backed by A-rated insurers, to help generate the confidence of your clients and other stakeholders.

  1. supervision would give underwriters a framework to be able to offer coverage terms to protect your business and your customers. The London and Lloyd’s insurance markets, to which La Playa has access, have historically specialised in emerging risks, and as much as insurers would want to cover your business, the argument for ‘Why?’ needs to outweigh the argument for ‘Why Not?’. And while that’s the best part of my job, I need you to help me…

4 Key Pillars of Cryptocurrency Insurance

1. Errors & Omissions Insurance
In a sector which evolves daily, even a well-managed business can find itself in dispute with a client over an error, a delay or alleged breach of contract. Errors & Omissions Insurance (E&O Insurance) provides indemnity for losses you are legally liable for if you make a mistake or are negligent, or if your product or service is defective, inadequate or fails to perform.

Failure to defend your business adequately could cause irreparable reputational damage – not to mention the financial implications.

We can help you review your contractual obligations to identify the extent of indemnities that your clients require.

2. Directors & Officers Insurance

Directors & Officers Liability Insurance (D&O) is now considered a crucial form of protection for all businesses, and is often a requirement before investors and board members risk their personal assets to serve your company.

Legally, the directors of a company and the company itself are separate entities and so may both be defendants, separately or jointly, in any legal action or prosecution. D&O can help to protect the personal assets of individuals and, crucially, to cover the costs of their defense.

Directors of all companies are now held, at an unprecedented level, to be personally responsible for actions and decisions they make on behalf of the company – putting their personal assets at risk if those decisions are tested in the courts.

3. Crime Insurance
Have you considered the risk of fraud in your organization? It pays to think through the risks of fraud at work and check you’ve got the right insurance protection in place.

Crime Insurance protects your business from losses that are a direct result of employee or third party dishonesty.

4. Cyber & Privacy Insurance

The invisible threat of cyber-crime, combined with the potential for tech infrastructure to fail, and the ever-evolving regulatory landscape, represents a new minefield for modern crypto business. Unless your organization carries specialist cyber insurance coverage against such perils, you won’t be protected against the unusual risks that arise in cyberspace.

In the wake of numerous high-profile cyber-crime cases, including network and data breaches, businesses globally are shoring themselves up against a range of new global tech and cyber risks.

As experts in customized insurance for Fintech businesses, La Playa is the ideal partner to design a watertight insurance solution for your business risks in Cryptocurrency.

To talk through your Cryptocurrency risks and for a free review of your insurance needs, just email me – Nic Muturniuc [email protected]


Unless you live in Atlanta, Georgia, you might have missed the news that a good part of the city’s administration was reduced to old-fashioned longhand reporting and take-a-number, stand-in-line customer service last week. The reason? A ransomware attack demanding $51,000 in bitcoin.

If it sounds crazy to have policemen and sewer department officials writing up arrests and requests using pen and paper, then consider this: Atlanta was far from alone. At the same time that the southern city was struggling, the city of Baltimore’s essential 9-1-1 system had to turn to manual dispatch for almost 24 hours and the tiny town of Leeds, Alabama (pop. 11,700) had to pay hackers $12,000 to get their computers up and operating again.

A 2017 survey conducted by the International City/County Management Association showed that, like private businesses, almost half of local governments admit to experiencing cyberattacks on a regular basis. Many have no idea how often they are attacked, and even more admit to having no idea whether their system has been breached or not. This level of vulnerability appears to be matched by a level of apathy: more than half of those who are attacked don’t even bother keeping track, and Atlanta officials admit that they were warned a year earlier of the weakness of their cyber defenses, yet they did little or nothing to protect themselves. An intelligence expert who previously directed Israel’s Mossad refers to cyberattacks as “soft nuclear weapons” that are aimed at organizations, public and private, around the world.

Whether the target is a government or a private entity, prevention of attack and mitigating damages starts with a recognition of the threat. Internal users need to be made aware of risk and trained on appropriate actions, and funding for cybersecurity as well as persistent data capture and storage need to be increased. Though storage costs will grow, failure to store clean backups on a regular basis will mean long periods of blackouts. One week after Atlanta was attacked, only a few employees had been given permission to even turn their computers back on, and a spokesperson for the city said, “It will take some time to work through and rebuild our systems and infrastructure.” That means that almost half a million citizens have been impacted, and the city’s government will bear the financial brunt.

Ransomware attacks demand payment in cryptocurrencies specifically because they are considered virtually untrackable while remaining easily traded. Interestingly, the blockchain technology that enables cryptocurrencies may also hold the answer to prevention, as using the technology within an organization renders it “virtually impenetrable.”

Whether your organization is able to enact the appropriate safeguards and technologies to protect itself before a major attack is a matter of finances and motivation, as well as a bit of luck.

Having a comprehensive insurance policy that anticipates and mitigates the impact of cybercrime should be an essential element of your risk planning. For more information on how we can help safeguard your organization from the financial impact of ransomware, contact us today. Email us here, or call us on 646-665-7737.
