Cyber Liability: SD&I Cover Story June 2015

June 9, 2015
As the risk landscape rapidly changes for security integrators, a two-pronged approach can help them mitigate their vulnerability

Have you ever heard of Fazio Mechanical Services? Even if you aren’t sure, chances are, the name rings a bell. Why? Because Fazio was the catalyst for what will surely be looked back on as one of the watershed moments for the security industry — right up there with the launch of the first network camera: The Target breach.

Fazio was the provider of refrigeration and HVAC systems that was given access to a Target database so the company could remotely login and perform efficiency updates. Hackers were able to steal these credentials and used that digital pathway to insert destructive malware that ended up stealing credit card data for millions of customers.

The event sent shockwaves throughout the security industry ecosystem. End-users who often took the “it won’t happen to me” mentality when it came to cyber security not only started looking into their own protections and best practices, but into their third-party providers’ as well. That meant that security integrators — many of whom also shared their customers’ apathy toward cyber security — have been put on notice. While Fazio Mechanical is still in business, the name lives in infamy in the world of security...Heaven forbid your company suffers the same fate.

Cyber liability has many definitions, depending on who you are talking to — an end-user, or an insurance company or a security integrator — but one thing is clear: it should be near the top of your radar. “This is probably the biggest concern you should have right now,” Jay Hauhn, CSAA executive director, said during a session at last year’s ASIS conference. “The contracts you get from end-users are going to get really strict around data breaches — they will require unlimited liability. If you haven’t seen it yet, you will be soon.”

Added Honeywell’s Gordon Hope at the same panel discussion: “It is worse than what he’s saying — it is the No. 1 challenge for the integrators in this room. As service-level components start to dominate and take control, it is going to be on breach liability and indemnification. (Integrators) need to protect themselves from the liability, and they cannot be the weak link.”

Cyber Liability from your Customers’ Perspective

If you think Target is a horror story for service providers, imagine how the end-user community feels. From Target, to Sony, to Anthem and beyond, they are on the front lines of the cyber war with hackers. As the breach news keeps pouring in, they are forced to adjust and re-adjust their strategies — and many of them concern third-party service providers such as security integrators.

In March, a federal judge in the District of Minnesota preliminarily approved a settlement between Target Corp. and a class of consumers in litigation arising from the breach of Target’s computer network in late 2013, under which Target will pay $10 million to consumers “whose credit or debit card information and/or whose personal information was compromised as a result of the data breach.”

According to Trustwave 2013 Global Security Report, 63 percent of data breaches were linked to third parties. In its analysis of the Target case, international law firm Simpson Thacher recommends to its clients the eight steps below to mitigate third-party cyber security risks. These requirements will undoubtedly apply to security integrators, and truly illustrate the impact of the Target breach on future contracts and procedures with end-user clients:

  1. Limit the amount of publicly available information regarding third-party vendors and requiring, to the extent possible, that such vendors be similarly discreet.
  2. Ensure that third-party vendors are aware of the company’s information security policies and agree to adhere to them.
  3. Restrict access of third parties only to the servers/information they need in order to do their job.
  4. Ensure that third-party vendors properly handle and secure shared sensitive information, e.g., by reviewing vendors’ security policies (such as those pertaining to employee background screenings and data management) and defining data security standards and expectations with third-party vendors (such as requiring monitoring of their networks’ integrity and specifying anti-malware software).
  5. Ensure that agreements with third parties clearly identify whether and how the service provider will safeguard the organization’s sensitive data and whether the service provider will notify the organization in case of a breach.
  6. Ensure that agreements with third-party vendors address whether any services will be subcontracted to other vendors and, if so, requiring minimum data security standards and expectations to be set.
  7. Require two-factor authentication for vendors to access the company’s network, which would include “a regular password system augmented by a second step, such as providing a code sent to the vendor’s mobile phone or answering extra security questions.”
  8. Ensure proper segmentation between the parts of the network accessible to vendors and those that house payment or other sensitive data to which the vendors do not need access.

Beyond your customers’ internal policies and procedures, external laws and standards are also contributing to cyber liability. “Within HIPAA and HITECH, for example, you have the covered entity — in this case, the security integrator’s client — but that also covers anybody in the chain outside of the client,” explains Michael Bruemmer, vice president of Consumer Protection at Experian Consumer Services. “Anyone that provides services and is handling any PII (personally identifiable information) or PHI (protected health information) has an indirect liability. The client has the ultimate liability, but everybody in the chain carries responsibility.

Bruemmer adds that he has not come across any major company that has not at least considered writing liability for data breach clauses into their service provider contracts. “That is a huge push — especially because of the watershed moment like Target,” he says. “It is required by law for HIPAA and HITECH, and that model is being cascaded out across many vertical markets, particularly retail. Unless they have the protection and the contracts in place with their third parties, they are putting themselves at risk.”

The Integrator’s Cyber Liability

Clearly, cyber liability has multiple, in-depth meanings for a security integrator’s clients; however, it also has a few meanings for the integrators themselves. For an integrator, cyber liability means allocating risk. How much do you protect yourself? How much risk are you willing to take on in order to land that big service contract? Should my company be insured against this risk?

“Integrators take a different approach to risk allocation than alarm companies do,” explains SD&I legal expert Eric Pritchard, a partner in Kleinbard Bell & Brecker LLP of Philadelphia. “Integrators tend to use the construction industry risk allocation scheme, which is to just push it down to the next guy. The problem is, as the integrator, you are often the last guy in the loop.

“If you did a comprehensive survey of agreements for integrators in America, you would find that in 85 percent of those agreements, they agree to indemnify their customer for things that go wrong,” Pritchard continues. “There’s no limitation of liability clause, no risk allocation, no exculpatory clause — nothing that would protect them.”

If security integrators are taking on all of the liability, it makes sense that they should somehow pass some of that risk on to another party. In this case, the primary option is insurance. As SD&I readers know, one of Pritchard’s favorite mantras is: "Insure ‘til it hurts, and then do it a little more."

Cyber Liability Insurance

In the insurance industry, when you talk about “cyber liability insurance,” you are generally talking about first-party policies that protect the enterprise end-user. “In 2014, according to industry standards, about a third of companies with more than a billion in sales had cyber liability policy in place,” Bruemmer says. “That number is expected to grow by another third in the next 12 months. Cyber liability is something that more companies are realizing that they need as part of their risk mitigation strategy. The policy will generally pay for the services of outside legal counsel, forensics, call center, identity theft protection services, as well as expenses related to any class-action or civil suits.”

Beyond first-party policies, according to Sylvia B. Menetre, Vice President of BB&T Insurance Services, and Steve Haase, president of cyber liability insurance specialist INSUREtrust, there are multiple options available to third parties to help mitigate their risk in addition to the traditional Errors & Omissions (E&O) coverage.

“We know of very few security firms that don’t buy both E&O and cyber coverage,” Menetre and Haase say. “In many cases, the cyber is blended with the E&O coverage. Companies have a breach exposure to PII of all current, past and future employees; further, the confidential information of their clients’ or vendors’ corporate information is also at risk of being breached.”

Thus, a security services firm should supplement to its E&O coverage to protect itself against potential cyber breaches to its customers. “The E&O policy is designed to respond to your failure to provide the professional services as contractually committed. What if this failure to deliver services is caused by a breach of your network? An unendorsed technology E&O policy would likely not be triggered by this cause of loss,” Menetre and Haase explain. “While you can write the cyber coverage separately, we recommend trying to blend it with the E&O so there is not finger pointing in the event of a claim falling in a grey area. If not, a stand-alone cyber policy can be considered. This policy should be designed to include both third-party liability and first-party expenses to deal with the crisis management expenses of a third-party breach.”

The amount of coverage needed, of course, will vary depending on the size of your own firm and the amount of risk taken on behalf of the client. Keep in mind that in the Ponemon Institute’s 2014 Cost of Data Breach Study, it was determined that the average cost of a data breach to an end-user company was $3.5 million — 15 percent more than it was in the previous year.

“E&O covers you if a breach arises out of your services. We would need to know more about the size of your company and your job sizes in order to recommend a combined limit for E&O and Cyber,” Menetre and Haase say. “The policy would typically have a General Aggregate limit that would apply to both coverage parts combined, so you would want to make sure this aggregate or total policy limit is adequate to fulfill all contractual commitments.”

Internal Controls and Best Practices

Perhaps the most important aspect of mitigating cyber liability is a security integrator’s own internal policies and controls. In the case of Fazio Mechanical, the credentials stolen to break into the Target systems were reportedly obtained via an email malware attack at Fazio.

“The primary attack we are seeing that results in major losses is from spear-phishing,” Menetre and Haase report. “Virtually all PII and other corporate info that we insure comes through email and is often stored in email; so, the leading exposure today is email and email addresses.”

After email policies, an integrator must have best practices for attaching potentially vulnerable devices to a client’s network. That means changing default passwords and taking other important cyber security steps on IP video surveillance cameras (see the sidebar at the end of this article), developing encryption standards for network-based installations, and adhering to your customer’s internal security policies and best practices.

“We have internal standards that we ensure our technology manufacturers and our sister businesses all meet so we can provide the highest level of encryption,” explains Hank Monaco, vice president of marketing for Tyco Integrated Security. “We recognize that even though we are on the physical security side, we are riding on their networks, and we take that very seriously. We work closely with our customers around that as well — many of our very large customers are acutely aware of that and we are partnered with them to make sure we have the best systems and the best encryption and security protocols available.”

In the end, the two-pronged approach of insurance and internal security controls should be enough to at least manage the inherent cyber risks in today’s security landscape. For those security integrators without a plan, Pritchard has this advice: “Get ready to file for bankruptcy,” he says.

Paul Rothman is Editor-in-Chief of Security Dealer & Integrator (SD&I) magazine - www.secdealer.com.

SIDEBAR: Video Surveillance Cyber Best Practices

10 ways to secure camera networks against hacker attacks

By Joel Griffin, Editor, SecurityInfoWatch.com

The growing concern surrounding the cyber security of video cameras and other physical security tools has prompted cloud-based VMS provider Eagle Eye Networks to list best practices that organizations can adopt to help mitigate these threats in a new whitepaper. “Our physical security systems — access control, fire alarms and video surveillance systems — have quietly become internet-connected,” says Dean Drako, president and CEO of Eagle Eye. “In addition to being internet-connected, these systems are also connected to the local network in the majority of situations. What that means is that physical security systems are now smack dab in the middle of the cyber security world and it is a serious problem.”

Here is a look at 10 of the best practice topics and how organizations can go about shoring up their safeguards in each of these areas (read the full article with a link to the whitepaper at www.securityinfowatch.com/12070169):

1. Camera Passwords: The security industry has been notorious for leaving default usernames and passwords in place on cameras when they are installed. The problem with this practice is that these usernames and passwords can be easily discovered with a simple internet search which makes them easy prey for hackers. Ideally, Drako says those with a small system in place should use a different strong password for each camera on the network. However, in a larger network where that may not be feasible, he said that organizations should use a VLAN or a private network and have the same strong password for all the cameras on the network.

2. Port Forwarding: In order to give users remote access to their video systems, an HTTP server must be exposed to the internet to be able to serve up those video feeds. This opens machines up to threats from cyberspace, one of the most notable of which was the recent Heartbleed Open SSL exploit. The best practice to prevent against threats posed by port forwarding really depends on the architecture of the network. If it is a traditional system with an NVR, only the minimum number of ports should be forwarded and the organization should implement some type of next-generation firewall.  

3. Firewalls: Firewalls are one of the most complex and misunderstood mechanisms for protecting any network – security or otherwise –from threats that lurk in cyberspace. For this reason, those with traditional surveillance system architectures should consult a professional network security expert to verify and configure their firewall and make sure there is clear documentation on firewall configuration.

4. Network Topology: Mixing surveillance camera systems with a standard corporate IT network can be a recipe for disaster, as it creates doorways for hackers to enter into the main network. The best practice is to place the camera network on a physically separate network from everything else; or use a VLAN.

5. Operating Systems: Surveillance systems run on Windows or Linux in most cases. Due to the number of exploits that exist, it is critical that organizations know the operating system their network runs on as well as the version used so that their IT team can track, monitor and patch against vulnerabilities as they become known.

6. Operating System Passwords: As with cameras, there are a large number of users that use weak passwords for gaining access to their operating system. Organizations should set long, high-quality passwords for the operating system and establish password policies and procedures for changes in personnel.

7. Connection Encryption: A surprising number of DVRs, NVRs and VMS solutions use internet connections not encrypted with SSL (Secure Socket Layer) protection or an equivalent due primarily to cost. Without this protection, passwords are essentially going over the internet in clear text.

8. Video Encryption: Video data should not only be encrypted at rest but also in transit.

9. Mobile Access: The same best practices should be used for mobile surveillance apps, including an encrypted connection and high-quality passwords.

10. Physical Access: Cabinets and cables should be kept secure, along with rooms that house various components of the security system.

About the Author

Paul Rothman | Editor-in-Chief/Security Business

Paul Rothman is Editor-in-Chief of Security Business magazine. Email him your comments and questions at [email protected]. Access the current issue, full archives and apply for a free subscription at www.securitybusinessmag.com.