CYBER INSURANCE


Lloyd’s of London has announced that its insurance policies will no longer cover losses resulting from certain nation-state cyber attacks or acts of war.

This could soon be followed by other insurers. In fact, a similar stand was taken in 2019 by Zurich American, which had insured Mondelez.

Cyber insurers are grappling with the risk of these cyber threats becoming more widespread and having a bigger impact; as such, the policies could “expose the market to systemic risks that syndicates could struggle to manage”.

The current war between Russia and Ukraine is a case in point.

Given the scale of these attacks, Lloyd’s said that policies that don’t already have a war exclusion must not cover – at a minimum – losses arising from war, whether one has been declared or not.

Policies must also exclude nation-state cyber attacks that “significantly impair the ability of a state to function or that significantly impair the security capabilities of a state”.

These changes will take effect from 31 March 2023, and will become binding at the inception or renewal of each policy.

But the bigger question here is about attribution!
It has been difficult and will remain so in the near future; how will the cyber insurance industry grapple with this?

Would love to hear from my connects in the IH & DF domain.
#cyber #cyberwars #attribution #cyberincident #cyberinsurance #actofwar #Security #risktransfer #incidenthandling #digitalforensics

Posted in APT, Cyber Insurance, cyber security, Cyber Warfare, Data Breaches, Information Security, Threats

Cyberbiosecurity


Cyberbiosecurity is an emerging discipline and a complex subject. Through this post, I hope to make readers aware of this complex concept and attempt to simplify it for their understanding.

This is a very high-level overview and the objective is to create a general awareness and interest in the subject.

So today we will discuss “Cyberbiosecurity, a.k.a. Cyber-Bio-Security”.
As you can understand it is a combination of Cybersecurity and Bio Science.

Now, most of us know and understand cybersecurity. It has dominated the headlines, has topped the risk charts globally, and has impacted almost everything that we know of: our personal data, individuals, small and medium businesses, major enterprises, governments, industries, hospitals, online businesses and more.

It has also been weaponized: we know of state actors using it against each other, and the current Ukraine-Russia conflict is seeing a lot of what we call “Cyber Wars”.

In principle everything that is digitized or is connected/automated through computer systems or is connected to the internet, carries a risk of being compromised through a cyber-attack.

Bio Science is no different: with technology (biotechnology) permeating the domain, we have seen amazing revolutions. But Bio Science using biotechnology is now dependent on cyber-physical systems, digital data, interconnected software platforms, automation, and instruments, sensors and devices connected to the internet.

Any digital device is at cyber risk, an internet connection on such a device only amplifies the risk manifold. 

However, what makes this worse is that any cyber risk realized on a bioscience or biotechnology system also becomes a risk to human lives; depending on the attack, the threat could endanger millions of people. We saw this during the pandemic, when hackers targeted organizations involved in the research and production of vaccines.
This is an area of big concern!

To address these risks, we need to start by understanding Cyberbiosecurity.
Cyberbiosecurity is an evolving discipline that brings together cybersecurity, biosecurity and biosafety with the objective of preventing malicious activities against biotechnologies and protecting the bioeconomy[1]. This domain is concerned with:
1. Risk assessment of cyber threats to life sciences, the bioeconomy and biotechnology;
2. Risk management by implementing suitable controls and safeguards;
3. Understanding the impact of these risks.

This is an evolving discipline, as countries globally become aware of the threat it is important that universities (academia), industry, government, and non-profits (including policy think tanks, regulatory and legal experts) come together and begin to communicate and collaborate with each other.

[1] Bioeconomy is defined as “economic activity that is fueled by research and innovation in the biological sciences.”

#cybersecurity #cyberrisk #Biolifescience #biotechnology #Biosecurity #Cyberbiosecurity

Posted in Biological Threats, Crisis Management, cyber security, Information Security, Supply Chain, Threats

EU Cyber Resilience Act – A Step towards securing Supply Chain


The supply chain is increasingly becoming a major point of failure when it comes to cyber attacks. Over the years we have seen several critical vulnerabilities in products that have jeopardized security globally.

The EU Cyber Resilience Act is a step in this direction. The act aims to bolster cybersecurity rules to ensure more secure hardware and software products.

Four specific objectives were set out:
1. Ensure that manufacturers improve the security of products with digital elements from the design and development phase and throughout the whole life cycle;
2. Ensure a coherent cybersecurity framework, facilitating compliance for hardware and software producers;
3. Enhance the transparency of security properties of products with digital elements, and
4. Enable businesses and consumers to use products with digital elements securely.

The details about the act can be downloaded from the link shared in the comments section.

But the question I have is: how many more regulations will we require before businesses really start building products that are secure by design and incorporate the principles of privacy by design?

There are already enough regulations out there in the market, and the burden of compliance is ever increasing. Industry needs to understand that although the pressure to go to market is huge, unless we mend our ways this is not going to end well for any of the stakeholders.

Just my thoughts. What do you think?

#cybersecurity #compliance #privacy #regulations #regulatoryaffairs #SecuritybyDesign #PrivacybyDesign #Industry #customers

Posted in CIP, cyber security, Government Legislations, Information Security, Supply Chain

Communicating Cybersecurity with the Board and Executive Management


In the digital world that we live in today, cybersecurity has managed to grab the headlines time and again. Hacks, data breaches, ransomware, denial of service attacks, and what not. Furthermore, cybersecurity has consistently been ranked in the top 5 global risks by the World Economic Forum, World Bank, Big 4s, and various cybersecurity organizations.

It would be difficult to believe if somebody says that they do not know about cybersecurity. Yet, the irony of today’s world is that not many people understand cybersecurity. As a cybersecurity professional, it pains me to no end trying to understand what can be done better to change this situation, and how we can communicate effectively with our stakeholders. Today, let us look at how we can effectively communicate cybersecurity with our board and executive management.

I invite you to read my views on https://cyberstartupobservatory.com/communicating-cybersecurity-with-the-board-and-executive-management/

Posted in cyber security, Information Security, Uncategorized

India releases guideline for the Cyber Security in Power Sector


Under the provision of Section 3(10) on Cyber Security in the “Central Electricity Authority (Technical Standards for Connectivity to the Grid) (Amendment) Regulations, 2019”, the CEA has framed a Guideline on Cyber Security in the Power Sector, to be adhered to by all power sector utilities in order to create a cyber secure ecosystem. This is the first time that a comprehensive guideline on cyber security in the power sector has been formulated. The guideline lays down the actions required for cyber security preparedness across the various utilities in the power sector, so as to raise the sector's overall level of cyber security preparedness.

The Guideline has been issued with the objective of creating a cyber secure ecosystem. It lays down a cyber assurance framework; strengthens the regulatory framework; puts in place mechanisms for early warning of security threats, vulnerability management and response to security threats; secures remote operations and services; protects critical information infrastructure and makes it resilient; reduces cyber supply chain risks; encourages the use of open standards; promotes research and development in cyber security; develops human resources in the domain of cyber security; and develops effective public-private partnerships, information sharing and cooperation.

The Guideline is applicable to all Responsible Entities as well as System Integrators, Equipment Manufacturers, Suppliers/Vendors, Service Providers, and IT Hardware and Software OEMs engaged in the Indian Power Supply System, for the protection of Control Systems for System Operation and Operation Management, Communication Systems, and Secondary Automation and Tele-control technologies.

The Guideline is a set of mandatory requirements to be met by all stakeholders and lays emphasis on establishing cyber hygiene, training all IT as well as OT personnel on cyber security, and designating Cyber Security Training Institutes as well as Cyber Testing Labs in the country. It mandates ICT-based procurement from identified “Trusted Sources” and of identified “Trusted Products”; otherwise, once the system for trusted products and services is in place, the product has to be tested for malware or hardware Trojans before deployment in the power supply system network. It will promote research and development in cyber security and open up the market for setting up cyber testing infrastructure in the public as well as the private sector in the country.

CEA is also working on cyber security regulations. This Cyber Security Guideline is a precursor to the same.

The guideline is available for download on the CEA website (https://cea.nic.in/wp-content/uploads/notification/2021/10/Guidelines_on_Cyber_Security_in_Power_Sector_2021-2.pdf).

Posted in Uncategorized

Cybersecurity fault lines in Supply Chain


Yet another Security Product compromised…

Yet another fault line in the Supply Chain

This time it is Mimecast!

#infrastructure #supplychainsecurity #cybersecurity #CIIP #databreach

https://ciso.economictimes.indiatimes.com/news/email-security-firm-mimecast-says-hackers-hijacked-its-products-to-spy-on-customers/80239656

Posted in Uncategorized

Guidance on Cyber Insurance from NCSC, UK


Cyber Insurance is still an ambiguous subject for many cyber and legal professionals around the world. There are a number of interesting discussions in favor and against the subject.

IMHO, there have been many misconceptions surrounding the subject, especially after the NotPetya malware incident that brought several big conglomerates to their knees.

Mondelez, one such company, has now gone to court after its insurer Zurich Insurance said “it was an act of war”, not covered by the policy, and refused to pay the damages.

One key thing to be understood here is that, in the case of Mondelez, it had a regular insurance policy that was updated in 2016 to include losses caused by “the malicious introduction of a machine code or instruction.” The policy, in its fine print, had exclusions for acts of war.

Since the American government had tied the attack to Russia and its conflict with Ukraine, this gave insurance companies the leverage to invoke the “Act of War” clause.

Mondelez has challenged this assertion by their insurance company.

The case is now being closely watched the world over.

Nevertheless, a key lesson from this incident is that organizations should not mistake chalk for cheese: a regular insurance policy with a specific clause on damage due to malicious programs is not CYBER INSURANCE.

Cyber Insurance needs to be looked at holistically.

Below is some quite pragmatic guidance and advice from NCSC, UK on how to choose cyber insurance.

https://www.ncsc.gov.uk/guidance/cyber-insurance-guidance

I hope the guidance will help the fraternity.

Posted in APT, CIP, cyber security, Cyber Warfare

1st GCC Cyber Security Observatory


The first Global Cyber-security Observatory launched its inaugural GCC edition last week.

Having worked in the region for over two decades, it made me really happy to see a GCC region focused observatory.

I am glad to have contributed to this initiative along with Dominic Schonken, Venu Sriraj and Anshul Srivastav.

Thank You #CyberStartupObservatory
Thank You Team: Jose Monteagudo, Maite Ortega and David Bailey
https://lnkd.in/daypQKm

#GCC #Cybersecurity_in_GCC #Cybersecurity_Observatory #Startups_in_Cybersecurity
Posted in Uncategorized

The Cyber security Challenge in the age of Digital Transformation


My article on the topic “The Cyber security Challenge in the age of Digital Transformation” was recently published in the Cybernomics journal.

Attached here (2.2 ABC Samir Pawaskar_The Cybersecurity Challenge in the Age of Digital Transformation) for your easy reference. Would love to hear your feedback.

Posted in Uncategorized

Assessing GDPR Compliance Readiness in the Middle East


Qatar-based Privacy Practitioner Samir Pawaskar on the Essential Action Items

With the enforcement of the European Union’s General Data Protection Regulation beginning on May 25, many Middle Eastern organizations are still scrambling to achieve compliance, says Qatar-based Samir Pawaskar, a cybersecurity and data privacy practitioner.

“A few organizations in telecom, finance and aviation are taking steps for compliance, but a major part of the local businesses, including those trading with EU countries, are not yet ready,” he says. “Worse, most are probably still unaware whether they must do something.”
In an interview with Information Security Media Group (see edited transcript below), Pawaskar offers insights on:
1. Distinguishing between information security and privacy programs;
2. The importance of data governance under GDPR;
3. Critical compliance steps.

Samir is a cybersecurity and privacy expert based in Qatar who has over 20 years’ experience.

Sizing up the Impact
GEETHA NANDIKOTKUR: How does GDPR impact Middle East organizations? What must be done to brace up for it?
SAMIR PAWASKAR: The Middle East does a huge amount of business with the EU region. Just the trade between EU and the GCC [Gulf Cooperation Council] region for 2016 was over 138 billion Euros. There will definitely be implications and impact of GDPR on businesses in the region.
The major sectors include aviation, telecom, hospitality, finance and retail. Also, the region sources a huge workforce from across the world, including the EU as well, and is a major tourist and sports destination.
A few organizations in telecom, finance and aviation are taking steps for compliance, but a major part of the local businesses, including those trading with EU countries are not yet ready. Worse, most are probably still unaware whether they must do something.
Organizations should by now have conducted a gap assessment to ensure what their liabilities toward GDPR are, followed by a comprehensive privacy program to ensure compliance. Besides user awareness, organizations are reviewing processes and technology to understand data flows within. What’s critical now is to identify what kind of personal data is collected and generated, where it gets stored and processed, who has access to it or who it’s shared with.
Awareness is necessary; we have probably missed the bus, with GDPR being enforced May 25. However, it’s never too late.

Privacy Challenges
NANDIKOTKUR: GDPR bestows unprecedented powers on regulators to impose fines. How do you see this affecting organizations?
PAWASKAR: EU has taken a strict approach in terms of huge fines to ensure compliance. This will drive organizations to ensure effective privacy programs. However, there are many challenges, and everyone’s eyes will be on the EU to see how it enforces GDPR.
For example, privacy compliance will require that certain organizations appoint a data protection officer. However, it’s recommended that large and medium organizations not mandated to appoint a DPO appoint somebody to manage and own the privacy program within the organization. We are already overwhelmed with the lack of desired cybersecurity skills in the market. Privacy being a new subject in that context, there will be a dearth of qualified professionals.
Another challenge is awareness and cultural change. For example, while sharing credit card PIN numbers with strangers, like restaurant staff, may be unthinkable in the West, it’s common out here. Organizations must ensure employees are sensitized to such nuances and understand the importance of PII.
Also, they must look at some of the rights GDPR bestows on its data subjects: the right to delete, the right to know, the right to transfer, the right to be forgotten, etc. Now, the way many organizations have grown organically over the years, building diverse business systems as required, it may be challenging for them to meet the requirements.
Organizations will have to rely on tools to meet privacy requirements. Alternatively, in the long run, organizations must either re-engineer their existing systems or where possible design new systems for GDPR compliance.

Information Security vs. Privacy
NANDIKOTKUR: Analysts say some companies have an overall information security strategy while a majority still require employee training on privacy policy and practices. What are your observations?
PAWASKAR: There’s a subtle difference between information security and privacy. Information security is built on confidentiality, integrity and availability. Confidentiality deals with securing critical or confidential information. PII, depending on the business, may or may not be confidential. However, in the context of privacy, ensuring compliance requires appropriate controls to be secured. Maturity and understanding in terms of privacy and PII must be built up. I believe it’s the same situation in the GCC region.

Data Governance
NANDIKOTKUR: How important is data governance to GDPR compliance? Do most companies possess an accurate inventory of personal data?
PAWASKAR: Definitely, data governance is very important. GDPR places much importance on that – the detailed guidelines produced by GDPR for data protection officers are testimony.
I believe most organizations don’t have an accurate inventory of personal data. One reason is the fluidity of the definition of PII.

Data Protection
NANDIKOTKUR: What security control frameworks and standards prevail in the region to manage privacy and security of data?
PAWASKAR: Qatar issued a Personal Data Protection Act in 2016. I am not aware of any other legislation in the region, although certain regulatory bodies such as QFC in Qatar and DIFC in Dubai had some provisions as part of their regulatory mandate for organizations operating within their regulatory umbrella.

Action Steps
NANDIKOTKUR: What critical, immediate steps are needed for compliance with GDPR?
PAWASKAR: Organizations should begin with a gap assessment to ensure their liabilities toward GDPR and local privacy laws.
They should appoint a DPO or somebody to own the privacy program within the enterprise. In case the responsibility is added to an existing role, the concerned personnel should be adequately skilled.

Organizations must develop a comprehensive user awareness program to ensure the required compliance. They should also identify and classify personal data collected or generated by the organization, where it gets stored or processed, and who has access to this data or whom it is shared with.
For businesses not mandated to appoint a DPO, a CISO role reporting to the board may be most appropriate.
However, I recommend that medium and large organizations appoint a chief privacy officer on the lines of guidance provided for a DPO to manage the enterprise privacy program.

Posted in Breach Notifications, Data Privacy, GDPR, Governance, Government Legislations, Privacy Management