Insurers may don an ‘ethical’ hat to fight hacking

By Erin Ayers on November 14, 2014

Computer security experts wear a variety of different hats these days – black, grey, and white, depending on their motivation and applications of their skills. And businesses and insurers are finding that the way to beat hackers might be to employ them – the ones with more altruistic motives.

The origins of the term “ethical hacker” are as murky as the field can be – it seems to have been first used in the 1990s by an employee of IBM. And the term hacker has come to represent the more nefarious side of IT expertise, as data breaches and other malicious intrusions increase. In general, hackers exploit their knowledge to access networks and systems without authorization, for personal gain, to steal state secrets or intellectual property, or merely to cause trouble.

However, the value of understanding how criminal hackers – or “black hat” hackers as they’ve become known – work and the ways they can compromise a network can’t be overstated. If a business can nail down the ways its computer system is vulnerable, it can more effectively protect it. Another class includes the “gray hat” hackers, who might be a bit more flexible in their version of “with permission,” but might also be less likely to dabble in scams and more likely to report their findings to companies with security problems or authorities.

Security firms all over the world offer ways to keep one step ahead via penetration testing – searching out the weaknesses that may otherwise be visible only to the bad actors of the world. For example, Trustwave launched an “ethical hacking lab” to study the threats on the digital horizon and help businesses fix problems.

“And instead of Bunsen burners and Petri dishes, our lab equipment consists of commonly exploited technologies, such as ATMs, point-of-sale devices and surveillance systems,” stated Abby Ross of Trustwave on the company’s blog. “At the request of businesses that deploy these technologies, our researchers are simulating real-life hackers by attempting to exploit vulnerabilities that may be present. Our hacking of these machines and systems – with permission, of course – enables us to better protect these organizations and their customers.”

Hacking “with permission” has become an excellent working definition for “white hat” hackers. These are usually individuals who contract with organizations to poke around in their systems and report on the true vulnerability – and just as a top underwriter in the insurance world will earn the Chartered Property Casualty Underwriter (CPCU), a Certified Ethical Hacker can gain that designation, most frequently from an organization called International Council of E-Commerce Consultants (EC-Council). The entity offers training and certification for every level of cybersecurity, whether an individual wants to hang their white hat out for hire as a security expert, or merely wants to improve their online safety.

And now, the insurance industry may be poised to harness such capabilities to help customers improve defenses – and offer more customized insurance. At least one insurer is in on this new way of underwriting risks better and assisting its clients in mitigating their cybersecurity risks.

“Headline data breaches continue to spark interest in cyber and technology insurance and this expansion is intended to meet that demand,” stated John Coletti, chief underwriting officer for XL Group’s cyber and technology insurance business, upon the announcement of the firm’s expansion. “Data breaches are becoming increasingly more sophisticated and in order to properly underwrite these risks, we have added underwriters that possess the necessary technical and legal skills.”

XL Group recently added Sean Donahue, a certified ethical hacker, to its ranks. Donahue came from the IT field and joined XL in order to “bridge the gap” between insurance and the IT departments of insureds. Insurers and brokers approach cyber risk with years of experience addressing the ramifications of professional liability and fiduciary responsibilities and duties. Insight into the IT side of that equation can be helpful for insurers, especially in evaluating past data breaches or cyber losses to see what the true costs are.

“I can help better assess the risk in general,” Donahue told Advisen. A corporation’s IT department might have a hard time conveying the steps taken to safeguard the firm’s data and systems, he explained, noting that technical expertise can help insurers and brokers make sense of a sea of acronyms and recognize, for instance, whether a company has an intrusion prevention system or an intrusion detection system, or which security functions are in place.

An added value also comes in when businesses and their IT staff better understand the value of transferring risk through cyber insurance.

“It all comes down to ones and zeros whether it’s binary or money. And it helps to be able to explain the language to both sides,” said Donahue.

erin.ayers@zywave.com

Erin is the managing editor of Advisen’s Front Page News. She has been covering property-casualty insurance since 2000. Previously, Erin served as editor-in-chief of The Standard, New England’s Insurance Weekly. Erin is based in Boston, Mass. Contact Erin at [email protected].