Friday, June 2, 2023

🤝 Cyber insurers' new friends

Plus: American snooping allegations | Friday, June 02, 2023
 
 
 
Axios Codebook
By Sam Sabin · Jun 02, 2023

😎 TGIF, everyone. Welcome back to Codebook.

  • 📣 Be sure to catch up on the conversation Cybersecurity and Infrastructure Security Agency director Jen Easterly and my colleague Ryan Heath had earlier this week at our Axios News Shapers event.
  • 📬 Have thoughts, feedback or scoops to share? codebook@axios.com.

Today's newsletter is 1,496 words, a 5.5-minute read.

 
 
1 big thing: Breaking down the latest cyber insurance workaround

Illustration: Sarah Grillo / Axios

 

Insurers are leaning more on security vendors to make sense of what they need to know about cybersecurity programs before approving new customers' policy applications.

Why it matters: Insurance providers have been scrambling to keep up with rapid changes in the threat landscape, such as increased ransomware attacks and nation-state activity, to make sure their policies are keeping pace.

  • In recent years, insurers have been left with massive payouts as companies have increasingly filed claims after an incident.
  • Despite that, demand for cyber insurance has continued to soar alongside premium costs.
  • Partnering with a security vendor can help insurers stay ahead of threats and create more reasonable requirements for customers to meet before approving their applications.

Driving the news: Earlier this week, IT security management provider Kaseya unveiled a partnership with cyber insurer Cysurance to speed up the approval process and provide discounted rates to Kaseya customers.

  • Under that arrangement, Cysurance will preapprove any customer who has Kaseya's IT Complete Security Suite and push them through a shortened vetting procedure.

The big picture: Insurance providers have increasingly turned to security vendors like Kaseya to help them sort out what data and security information they should collect from customers.

  • Most major insurance providers lack the expertise to properly assess cyber risk, prompting them to lean more on security vendors to act as intermediaries, experts told Axios.

Zoom out: Cyber insurance requires a different calculus given the risks to a business are constantly changing as hackers develop new techniques.

  • Compare that to auto insurance, where driving risks have been studied and understood for decades.

Between the lines: Partnerships between insurers and vendors have been taking a few different forms.

  • The most straightforward looks like Kaseya's new program: An insurer preapproves a customer who has purchased and set up a specific product suite.
  • Some others look like what Google Cloud has set up: Google scans customers' security postures and makes recommendations to help reduce insurance risk. Customers also get specialized insurance offerings from Allianz Global and Munich Re, and Google takes care of sending any necessary data to the insurers.
  • Cyber insurers are also starting to bring these risk assessments in-house: Resilience, a cyber insurance provider, has built out a team that engages with customers and ensures they're staying up to date on their security requirements to keep their policies. Resilience instead partners with vendors to investigate insurance claims.

The intrigue: Insurers and financial officers often struggle to communicate with security teams to figure out the best way to assess their risk, Travis Wong, vice president of customer engagement at Resilience, told Axios.

  • When an insurer is relying on a security vendor to vet customers, it's because "insurers themselves haven't built those capabilities to provide insights," Wong added.

What they're saying: "Because you have a security team and a CISO that is so heavily involved in managing cyber risk, they know the risk in a way that the insurance manager might not always be aware of," Monica Shokrai, head of Google Cloud's business risk and insurance program, told Axios.

  • "Insurance managers are trained in finance and insurance and risk and risk transfer," she added. "That divide is larger within cyber than other lines of business."

Yes, but: Adding a new vendor to the insurance process brings additional risk, Wong said.

  • "You're introducing a third party whose interest might not be as aligned as your insurer or the organization being insured," Wong said. "They're an independent assessor, for all intents and purposes, and they're trying to sell a technology."
 
 
2. Hackers target vulnerable file-transfer tool

Illustration: Allie Carl/Axios

 

Progress Software Corp. is warning of a critical software vulnerability in its popular file-transfer software that could give malicious actors unauthorized access to customers' networks.

Why it matters: Roughly 2,500 instances of Progress's MOVEit file-transfer tool are believed to be running online, and malicious hackers are already exploiting the newly discovered security flaw in it.

Threat level: Several companies and cybersecurity investigators are already investigating cases where hackers have exploited the vulnerability.

  • Charles Carmakal, chief technology officer at Google-owned Mandiant, said in a statement that his company is already investigating "several intrusions related to the exploitation" of MOVEit.
  • Huntress, a software vendor popular with small to medium-sized businesses, said in a blog post it's identified fewer than 10 organizations running this tool in its customer base, and one of them has seen a "full attack chain" already.

The big picture: Vulnerabilities such as the new MOVEit one, which attackers exploit before a fix exists, are known as "zero days," meaning organizations have zero days between the flaw's discovery and hackers being able to target it.

  • Organizations that use the tools should be prepared to face potential data extortion and theft, Carmakal added in his statement.

The intrigue: It remains unclear who is behind the attack, and, thus far, no criminal groups have started extorting victims whose data has been stolen on the dark web, according to a BleepingComputer report.

Be smart: Progress has since released fixes for the affected versions of MOVEit, and the company recommends customers disable any web traffic to the program until they're able to apply the patches.

 
 
3. Russia accuses U.S. of iPhone hacking

Illustration: Shoshana Gordon/Axios

 

Russia's top security agency is accusing the U.S. of hacking thousands of iPhones as part of an espionage campaign.

What's happening: Russia's Federal Security Service (FSB) claimed on Thursday that the U.S. intelligence community had created a backdoor into Apple's iPhones.

  • It said it discovered malware on phones registered to Russian nationals, foreign diplomats based in Russia, and others believed to be involved in diplomatic missions in Israel, China, former Soviet states and NATO countries.
  • The FSB also alleged that Apple was in "close cooperation" with the U.S. intelligence community, particularly the National Security Agency.
  • An NSA spokesperson declined to comment. Apple said in a statement to Reuters that the company has "never worked with any government to insert a backdoor into any Apple product and never will."

Yes, but: The Russian government didn't include any technical specs about the malware it said it discovered on compromised devices.

Meanwhile, Moscow-based cybersecurity firm Kaspersky said the same day that it had detected spyware on dozens of its employees' iPhones, including those belonging to top and middle management.

  • Kaspersky found that for years, the spyware had been stealing users' private information from the devices — including microphone recordings, photos sent in messages and geolocation information — and sending it to a remote server, CEO Eugene Kaspersky wrote in a blog post.
  • While the company didn't say who was behind the attack, it said in an email statement to Axios that as of now, it doesn't believe that it's the only one that was targeted: "The company's just first to discover it," Kaspersky's statement said.

Between the lines: The Russian government has previously expressed surveillance concerns about Apple phones, and it can now use these allegations to further restrict iPhone use within the country.

 
 

A message from Axios

Your daily news in 10 minutes
 
 

Hear the most important news and interesting stories with the Axios Today podcast.

Host Niala Boodhoo fills you in on what you need to know each weekday morning.

Listen for free in your favorite podcast app.

 
 
4. Catch up quick

@ D.C.

🔍 Special counsel Jack Smith is investigating former President Donald Trump's firing of then-CISA director Chris Krebs. (New York Times)

🎖️ President Joe Biden is reportedly nominating Army Maj. Gen. William Hartman, current leader of the Cyber Command's Cyber National Mission Force, to be the next deputy for the command. (The Record)

👀 A senior State Department official said that a controversial surveillance authority played a role in the U.S.'s recent warning about North Korean hacking and scam operations. (CyberScoop)

@ Industry

📸 Amazon has agreed to pay more than $30 million to settle Federal Trade Commission privacy allegations that its Ring and Alexa departments illegally stored and accessed user data. (Axios)

📈 CrowdStrike beat expectations for its first-quarter earnings, reporting $692.6 million in revenue. (CNBC)

🚙 Toyota has uncovered a second yearslong data leak that exposed data belonging to 260,000 car owners. (TechCrunch)

@ Hackers and hacks

🪙 Several Discord communities focused on cryptocurrencies have been hacked in the last month after someone posing as a reporter tricked administrators into running malicious JavaScript code. (Krebs on Security)

🩺 A ransomware attack on biotechnology company Enzo Biochem exposed the clinical test information of almost 2.5 million patients. (TechCrunch)

 
 
5. 1 fun thing

Lola the cat exploring the car setup before an hourslong car ride. Photos: Sam Sabin/Axios

 

I recently had to bring my two cats with me on a long car ride — trust me, it wasn't our first choice — and I cannot get over these photos of Lola the cat both upset and exploring the new window views.

  • I've learned that Lola needs at least 30 minutes in the car to explore her new surroundings before taking off or else she gets a little too anxious and unsettled during the drive. She's (rightfully) a bit of a diva.
  • And don't worry: She goes back in her carrier before the car starts moving!
 
 


 

☀️ See y'all on Tuesday!

Thanks to Peter Allen Clark for editing and Khalid Adad for copy editing this newsletter.
