Following the adage that "the best defense is a good offense", many media companies test their IT infrastructure for vulnerabilities by means of a penetration test ("pentest"). Why? To find the vulnerabilities that cybercriminals could exploit in a cyber attack. This matters not only for the protection of valuable digital assets, but also in the context of possible cyber security insurance. A pentest can prevent a lot of damage, which is of interest to the insurer too. However, a pentest is not without danger. Is the damage caused by a failed pentest also covered? Clear rules in the policy can prevent legal disputes after a failed pentest.
Necessity of pentesting
Almost every industry is becoming more and more dependent on the digital environment. At the same time, the digital environment is vulnerable. The recent large cyber attacks on banks, parcel delivery companies and container terminals showed us those vulnerabilities. You may also remember the 2014 Sony hack and the more recent Netflix "Orange is the New Black" hack in the movie and video production industry, the 2013 Target hack in the retail/hypermarket industry and the very recent hack of credit-reporting agency Equifax. In a recent report, consultancy firm Deloitte calculated that the Dutch economy loses 10 billion euro per year to cybercrime. A remarkable detail: Deloitte itself, one of the biggest cyber security consultancy firms in the world, was recently hacked. The growth of cybercrime makes it important to have a good cyber security policy in place, and pentesting is often part of such a policy. By approaching the systems through the eyes of a cybercriminal, vulnerabilities can be detected efficiently. At the same time, pentesting is risky.
Risks of pentests
Pentesting carries risks in the fields of privacy (possible data breaches), copyright (unlawful circumvention of security measures) and criminal law (intrusion into computer systems). Furthermore, pentests involve risks for business continuity. A failed or badly executed pentest can crash a company's entire IT infrastructure, or alter or delete valuable data. This may even lead to claims from customers or business partners.
Cyber policies often lack specific rules
In the emerging market for cyber security insurance, insurers often have no specific rules on pentesting. Insured companies that perform pentests (or have them performed) therefore depend on the general provisions of a (cyber security) insurance policy. In practice, the interpretation of these provisions is a grey area. A few examples:
- In many insurance policies a 'cyber incident' is described as a breach of the protection of personal data or a breach of network security. Both breaches are possible during a pentest, except that with pentesting the breach is caused by the insured itself (or by a third party at the request of the insured). Damage arising from the insured's own fault or intent is not easily covered by (standard) insurance.
- Some insurers only reimburse damage caused by cyber incidents that result from cybercrime. Carrying out a pentest obviously does not qualify as cybercrime. On the other hand, the same insurers often also require insured parties to do everything possible to prevent such cyber incidents or the damage they cause, with or without the help of the insurer itself. Pentesting is an appropriate method of prevention, but not a risk-free one.
- Insurers generally do not reimburse damage caused by unauthorized use of software or data. What qualifies as unauthorized use will often depend on the licensing terms of the relevant software. Some software vendors prohibit testing of the software they supply, while other vendors encourage pentests to detect vulnerabilities. In short, which situations qualify as unauthorized use is not always clear.
- Insurers usually only compensate damage caused by subordinates. Regardless of whether the damage qualifies for compensation, the question arises whether 'subordinates' also includes freelancers, independent contractors and seconded staff from a specialized IT company working under the supervision and instruction of the insured party.
Tests by third parties
Insurers will not be happy to pay out for failed pentests. In addition, in many cases a specialized third party carries out the pentest, and the insurer will look to that third party to recover its damages. In practice, however, this specialized third party often contractually excludes any liability for damage caused by its tests. That creates a deadlock: the specialized third party will not be inclined to carry out a pentest if it runs a liability risk in the event of failure, while the insured company has to 'behave like a responsible insured person' and does not want to take that risk either.

The situation is even more difficult when unknown third parties are involved. To improve security and live up to the idea of being a 'responsible insured company', many insured companies have published a Responsible Disclosure Policy on their corporate website. Such a policy invites (ethical) hackers to test their systems and report the results (in return for a reward). As a result, a cyber incident may occur that could even qualify as cybercrime, and the insured has itself initiated that act. That is not something an insurer is likely to cover. At the same time, finding and correcting vulnerabilities significantly reduces the risk of future damage, which is a win/win for the insured and the insurer.
Pentests are currently a common part of the cyber security policy of many companies. Insurers should address ethical hacking and pentesting in the rules of their cyber security policies so that they can decide whether it falls within the scope of the coverage they offer. What are the options? They range from a total ban on pentests and other ways of promoting ethical hacking, to broad coverage for damage resulting from cyber incidents, including damage resulting from failed pentests. A compromise is of course also possible: for example, pentests may only be carried out by third parties trusted by the insurer, who can then make arrangements with those parties about the settlement of any claims resulting from a failed pentest.
More information? Please contact Louis Jonker, member of Van Doorne's TMT Team and Cyber Security Team.