When I heard that Trustwave was being sued by insurance companies Lexington and Beazley, I was outraged. The implications for the cybersecurity industry, and the separation of responsibility between the end-user, service provider, insurer and governing (compliance) body, were all racing through my head. Even though Trustwave was a competitor, I decided to come to their defense…
…only to discover that they had certified their client as PCI DSS compliant when they shouldn’t have. Pretty unlikely that it’s just a matter of opinion – Visa wrote the book on this, and it was a Visa audit that came to that conclusion.
So, with my trust in Trustwave now gone (see what I did there?), the industry implications raised by the lawsuit are still top of mind for me. At the core of that lawsuit is the issue of ‘negligence.’ I’m not going to weigh in on whether Trustwave was negligent in their certification or not – that’s for the courts to decide. What I will put forward is that how negligence is defined is critical to how cybersecurity providers, and consumers of their services, will conduct themselves moving forward.
There are two reasons I’m worried about this. The first is that the plaintiffs in the case assert that Trustwave failed to detect malware on their client’s servers. The second is that once an insurer can seek recompense from a cybersecurity service provider, the reasons they might do so become a matter of debate. Whether or not a provider was ‘negligent’ may be the only (legitimate) determining factor.
What do I mean by debatable? Here are three elements of it:
1) Detection and Response is based on the cybersecurity tenet that breaches are unavoidable
Where does that leave our definition of a successful response? Imagine hackers compromise a user profile, and within a period of several seconds access thousands of records from your network. Then imagine that within a few more seconds, a diligent cybersecurity provider blocks the account, blacklists the IP that the ‘user’ signed in from, and notifies the client of exactly which user and records were compromised…
Successful detection and response, right? However, there is still an impact on the client, whose records were stolen. That’s why they had cyber-security insurance. In a world where cyber-insurers have been able to sue a provider, it’s easy to envision a scenario where that insurer can say “Had you detected it sooner, or responded more quickly, we wouldn’t be paying anything.”
The fact is that outcomes differ, even given the exact same actions by a Threat Hunter. Where is the line drawn between ‘performance,’ ‘poor performance’ and ‘negligence’? If a result of the Trustwave lawsuit is “a line drawn,” we in the industry need to react vehemently to whatever it is.
This brings us to our second element:
2) The responsibility for good hygiene and incident response is shared by many parties
Clients know better than anybody that their environments are complicated. That’s why they hire experts to help make their IT infrastructure work for them and deliver the business outcomes they need. When they hire a provider to manage the detection of, and response to, threats, that provider doesn’t operate alone. For example, we provide our clients with a list of prescriptive actions they can take to improve their cybersecurity prevention posture. What if the client doesn’t take those actions? Similarly, clients have other providers managing technology in their data centre; what if those providers aren’t doing their share to maintain hygiene and limit the vulnerabilities available to hackers? What about cloud services providers?
Placing the onus of responsibility on the threat hunter alone is insufficient – the other parties need to do their share to limit risk.
3) Cybersecurity changes all the time – does insurance?
We all know cybersecurity changes quickly. The tactics the bad guys use and the defenses the good guys put forward are always changing, all the time. How quickly are insurers changing? Are their policies changing along with cybersecurity industry best practices? Would an insurer understand (or care about) the mitigating circumstances in an attack? Let’s look at the actions available to a cybersecurity-insurance provider, and ask which is easier: perpetual adaptation to an ever-changing set of circumstances in a highly technical and complicated industry? Or suing providers as a matter of course whenever you pay out, because you have precedent and ambiguity of responsibility on your side?
At the end of this lawsuit, who wins?
It’s a rhetorical question; independent of who wins the lawsuit, nobody actually wins.
Does Trustwave win? No – they’ve had their compliance snafu called out for all to see. Beyond the consequences that may result from the lawsuit and the penalties that Visa issued ten years ago, they will now suffer the market consequences of public opinion. Perhaps rightly so? I think that depends on the outcome of the lawsuit.
Does the insurer win? Not really – sure, they’ll get their 30 million dollars back (20 and 10 respectively), but will this story help them acquire new clients? If you read on for whether the client in this situation wins, I think the answer will be apparent.
Does the client win? No. They got hacked after they were told they were compliant, it cost them far more than they were insured for… and once it was forgotten, their insurance provider brought it to court ten years later, forcing the client to relive it all over again. You’ll notice I have not mentioned their name.
Whatever the outcome of this lawsuit is, let’s ensure that it doesn’t set a precedent that hinders the ‘good guys’ in the cybersecurity industry. Negligence needs to be a label that is applied very carefully.