Open SSL insecurity - can cyber insurance fill the gaps?

Experts argue the need for response over detection - with a large side order of insurance to counter the Open SSL insecurity issue.

Open SSL insecurity - can cyber insurance fill the gaps?
Open SSL insecurity - can cyber insurance fill the gaps?

The rolling saga of OpenSSL vulnerabilities - which kicked off with the Heartbleed problem back in early April - shows no sign of going away, simply because of the open source nature of the security software and its protocols.

Most recently - on June 5 - new OpenSSL vulnerabilities were announced - including one vulnerability that permits man-in-the-middle attacks and another that allows attackers to run arbitrary code on vulnerable devices.

These vulnerabilities, along with the previously discovered Heartbleed bug, show that technological solutions alone may not eliminate cyber risk.

Now a UK and European law firm - with offices in the US - says that cyber security insurance may be a possible solution, since it remediates the problem that OpenSSL code vulnerabilities – including the widely reported Heartbleed bug - show that technological solutions alone may not be capable of eliminating cyber risk.

According to Hunton & Williams LLP, in the same week the early June vulnerabilities were announced, a filing by the US Department of Justice described the damage caused by one version of sophisticated malware.

The DoJ, says the legal firm, estimates that the GameOver Zeus malware has infected between 500,000 and 1,000,000 computers - and so far caused “direct and indirect losses to consumers and businesses exceeding US$ 100 million (£60 million).”

"Antivirus software alone does not always prevent such infection; a leading antivirus developer recently stated that, as a result of advances in malicious code, antivirus software is now dead," says the company in its analysis of the issue.

With technology capable of providing only partial security solutions, Hunton & Williams LLP advises that a pro-active approach to address cyber risk should now include evaluation of risk transfer mechanisms, such as insurance.

David Sandin, product manager with security vendor Clavister, has a different view, saying that one of the best insurance policies for security is to check the code in the security software that's being used.

"OpenSSL has been built into many vendors' networking and security solutions, but in many cases it seems the vendors assumed the code had no vulnerabilities, and assumptions don't make for good security practice. Vendors need to test the code they use in their solutions," he said.

Laurie Mercer, a consultant with Context Information Security, the Canary Wharf-based security consultancy, agreed the need for cyber security insurance, noting that, when talking about cyber risk, it can be useful to use the analogy of a car.

"When a car is built, it must adhere to certain safety standards. In the world of cyber security, this is like using products certified with Commercial Product Assurance (CPA) accreditation. You service a car every six months or so, this is like performing a regular security audit on a Web site or information system," he said.

"At the same time, inside the car a host of buttons and dials, monitoring devices that alert the driver when the car has a problem. This is like having a targeted attack detection system, or cyber-incident response strategy," he added.

Mercer concluded that, if you have a safely made car, which is regularly serviced, with monitoring devices running constantly, you would still need to have car insurance.

At SC Magazine UK's recent SC Congress London, Giles Watkins, KPMG's partner for information protection, said that cyber risk is a “boardroom issue right now”, but added that insurance in this sector has been around for some time.

"Cyber insurance has been around for quite a long time, but there's now quite a big push in that area,” he noted at a recent McAfee event on cyber-crime, adding that, with insurers adding 24/7 phone capabilities, they are getting "smarter in what they're willing to pay-out."

Sarah Stephens, head of cyber & commercial E&O for Aon EMEA, stressed at the recent SC Congress London that cyber insurance is on the rise, but Forrester security analyst Andrew Rose chose the same event to say that a lot of threats can be mitigated with adequate incident response plans.

He too, urged for CISOs to rebalance their budgets from ‘detection to response.'