This week’s article, which is part of our ongoing weekly series, “Cyber Insurance Compliance Insights from FTC Investigations,” will reflect on why it is important for companies to apply sound security practices when developing new products.
Our weekly blog series is a spinoff of the FTC’s new “Stick with Security: Insights into FTC Investigations” series. Each of our weekly articles recaps the FTC’s latest blog insights on data security and explains how these measures can help companies demonstrate cyber insurance compliance. For companies looking to obtain cyber insurance, it is essential to be able to demonstrate effectively that they have implemented baseline security measures.
Based on FTC cases, closed investigations, and questions posed by businesses, below are examples illustrating why it is crucial to implement sound security practices when developing new products.
Train Your Engineers in Secure Coding
When developing new products today, all companies need to develop their security by design and not by chance. Generally accepted software engineering principles hold that software flaws are less expensive to fix early in the development process, rather than after launching a new product.
Furthermore, the FTC recommends that companies create a work environment where staff are encouraged at every stage to factor security into product development. Security needs to be incorporated into the process right from the start; a company that fails to do so should be prepared to suffer the consequences.
FTC Provided Example: A company launching a new software product emphasizes to its software engineers the importance of coding quickly to ensure that the product reaches the market as soon as possible – and the engineers meet in-house coding deadlines. But only after the product is in consumers’ hands does the company discover that the engineers have repeatedly created code that is susceptible to common, well-known security vulnerabilities for which there are available solutions. To correct the problem, the company has to implement an expensive after-the-fact fix. The more efficient – and ultimately, more cost-effective – practice would have been for the company to emphasize to its software engineers the importance of secure coding throughout the development process and to provide them with the training necessary to meet that expectation.
Follow Platform Guidelines for Security
When developing new software, security does not need to be started from scratch. Almost every major platform today has guidelines for developers to help keep sensitive data secure. Make sure your engineers take that advice into account when designing new products.
Verify that Security Features Work
Verify them before you launch your software. Long gone are the days in which you could develop a new product and launch it quickly without security even being considered.
Test for Common Vulnerabilities
Test early, and test often. While it is recognized today that no software is 100% secure or hack-proof, there are steps you can take to protect your customers from well-known vulnerabilities that are preventable with tried-and-true security tools. Many of these tools and resources are available for free today. For instance, the OWASP Testing Framework helps organizations test their web applications in order to build reliable and secure software. The framework encourages developers to measure security throughout the entire development process, relate the cost of insecure software to the impact it has on the business, and consequently develop appropriate business processes and assign resources to manage the risk.
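To make “verify that security features work” and “test early, test often” concrete, here is an added example (not code from the original article or from the FTC series) of a security regression check of the kind a team can run in its build pipeline. It uses one of the common, well-known vulnerability classes the article alludes to, SQL injection, for which the available solution is a parameterised query. The user table, the usernames and the probe string are all constructed for this illustration; `count_users_vulnerable`, `count_users_safe` and `regression_check` are hypothetical names.

```python
import sqlite3

# Constructed sample data: a throwaway in-memory user table, not real accounts.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice')")
    return conn

def count_users_vulnerable(conn: sqlite3.Connection, username: str) -> int:
    # The "coded quickly to hit the deadline" version: user input is spliced
    # straight into the SQL text, so the database parses it as SQL.
    sql = "SELECT COUNT(*) FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchone()[0]

def count_users_safe(conn: sqlite3.Connection, username: str) -> int:
    # The well-known fix: a parameterised query. The input is bound as data
    # and can never change the shape of the statement.
    sql = "SELECT COUNT(*) FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchone()[0]

# Constructed probe for the regression test: to correct code this is simply a
# username that matches nobody, so a correct lookup must report zero rows.
INJECTION_PROBE = "x' OR '1'='1"

def regression_check(lookup) -> bool:
    """Return True when `lookup` treats the probe as plain data.

    A lookup passes only if it still finds the real user and, crucially,
    reports no match for the probe string. A lookup that lets the probe
    widen the query fails, which is the signal a CI pipeline should block on.
    """
    conn = make_db()
    try:
        return lookup(conn, "alice") == 1 and lookup(conn, INJECTION_PROBE) == 0
    finally:
        conn.close()

if __name__ == "__main__":
    for name, fn in (("vulnerable", count_users_vulnerable), ("safe", count_users_safe)):
        print(f"{name}: {'PASS' if regression_check(fn) else 'FAIL'}")
```

Run as a script, the vulnerable lookup fails the check and the parameterised one passes. The point for a development process is that this test costs minutes to write during development and then runs on every build, which is far cheaper than the after-the-fact fix the FTC example describes.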
Cyber Insurance Compliance Insights: Apply sound security and privacy practices when developing new products
It is crucial to infuse security and privacy throughout every point in your business solutions’ lifecycle to protect your most sensitive data and customer information. If you do not, it is just a matter of when your cyber insurance claim will happen. While cyber insurance can certainly be a safety net, if it can be proven that intentional negligence was involved, this will most likely result in a denied cyber insurance claim. A denied cyber insurance claim means unlimited liability to the company for intentionally ignoring security best practices when designing its product and incorporating security throughout its lifecycle. Indeed, this is not a wise business practice and will result in the demise of your company’s brand and reputation.
Let’s, for a moment, compare the above scenario to an automobile manufacturer intentionally leaving seatbelts out of its vehicles. It will only be a matter of time before one of the manufacturer’s customers is involved in an accident that leaves the manufacturer open to unlimited liability for intentional negligence for failing to incorporate a simple security measure, such as a safety belt, into its design.
Today, it’s just a matter of incorporating security by design or suffering unlimited liability due to intentional negligence for ignoring security best practices that should have been implemented from the start.
To further back up this point, consider the May 2015 case Travelers Property Casualty, et al. v. Federal Recovery Services, Inc., et al., No. 2:14-CV-170. While the issue was not a data breach or cybersecurity liability claim, it is an important step in understanding how a court may approach this issue. In this case, the insured sought coverage through an E&O policy that provided coverage for “any error, omission, or negligent act.” The plaintiff alleged, however, that the insured acted with “knowledge, willfulness, and malice.” The court held that because the complaint alleged intentional rather than negligent misconduct, the insurer did not have a duty to defend. Needless to say, the claim was denied.
When a security incident occurs, you want your cyber insurance premium investment to work for you and not against you.
Please be sure to check back next week for more Cyber Insurance Compliance Insights from FTC Investigations.