This week’s article, which is part of our ongoing weekly series, “Cyber Insurance Compliance Insights from FTC Investigations” will reflect on why it is important for companies to apply sound security practices when developing new products.
Our weekly blog series is a spinoff of the FTC’s new “Stick with Security: Insights into FTC Investigations” series. Each week we recap the FTC’s latest post on data security and explain how the measures it describes can help companies demonstrate cyber insurance compliance. For companies looking to obtain cyber insurance, it is essential to be able to show an underwriter that baseline security measures are actually in place, not just written down.
Based on FTC cases, closed investigations, and questions posed by businesses, below are examples illustrating why it is crucial to implement sound security practices when developing new products.
Any entity that a company does business with can make it vulnerable, so security must be a top criterion when choosing the partners and suppliers a company will work with.
Update and Patch Software
There is no shortage of recent data breaches caused by an unpatched network or software vulnerability or by outdated software. For instance, the former Equifax CEO testified to Congress that the breach came down to two failures. First, the scanning software Equifax used to detect vulnerabilities failed to find the unpatched hole. Second, the employee responsible for making sure an email notice reached the right person to manually patch the application failed to do so. Together, these two failures led to a breach affecting roughly 145 million individuals. In other words, the Equifax breach was the product of both a technology failure and a human error.
Beyond known internal vulnerabilities that simply go unaddressed, new classes of threats keep exposing companies to vulnerabilities they did not know they had, and these often remain unaddressed, or even undiscovered, until a breach reveals them.
Either way, the FTC’s advice is the same: whether a vulnerability is internal or external, companies must act accordingly, correct the problem with an update or a patch, and move quickly to tell customers about any remedial steps they should take.
Plan how you will Deliver Security Updates for your Product’s Software
No matter how secure your company may be today, you cannot become complacent in your security mindset. If you believe your security is 100% foolproof, you have closed yourself off to learning about and addressing the new threats that could leave your company vulnerable, and the question becomes “how and when will your data breach happen,” not whether it will. Security is not something you set, forget, and never look back at.
This quote sums it up well:
“Success breeds complacency. Complacency breeds failure. Only the paranoid survive.” ~ Andy Grove
Security-savvy companies have a plan in place to issue timely security updates. While the method will depend on the nature of the product, the FTC states that it’s wise to build those contingencies in before you go to market.
A familiar example of a company with a defined process for its product security updates is Microsoft. Microsoft releases security updates on the second Tuesday of every month (“Patch Tuesday”), at around 10 AM Pacific Time. The monthly release cycle gives customers a predictable schedule so they can plan staffing and change windows for deploying security updates, and it sets the expectation that out-of-band updates are reserved for emergencies.
What’s your Company’s security update strategy?
Heed Credible Security Warnings and Move Quickly to Fix the Problem
The FTC advises companies to pay attention when they get wind of security warnings that could affect their network or their product.
If experts are trying to reach your company to sound a particular alarm, will their messages get to the right people quickly? ~ FTC
Equifax is a prime example here. In early March, the Department of Homeland Security sent Equifax and other companies an alert about a critical vulnerability in software that Equifax used in an online portal for recording customer disputes. While Equifax’s CEO stated that an internal email went out requesting that technical staff fix the software, that request fell into a black hole: the employee responsible for making sure the communication reached the right person to manually patch the application did not follow through. Equifax failed the security test on many levels, but the lesson for this section is a narrow one: a credible warning arrived, and the company had no reliable path from “someone received the alert” to “the affected system was patched and verified.”
Cyber Insurance Compliance Insights: Put procedures in place to keep your security current and address vulnerabilities that may arise
Cyber insurance policies vary greatly, and no company can use a cyber insurance policy to mitigate 100% of its cyber risk. One example is the End-of-Life Software/Outdated Software exclusion, which is common across the many cyber insurance policies available today. Whether it is proprietary software that was created specifically for the company but never updated, or commercial software that is no longer receiving maintenance and upgrades from its vendor, losses arising from these vulnerabilities are generally not covered. In addition, once a security update or patch becomes available, carriers expect the company to act responsibly and apply it within a reasonable time. Read the policy’s exclusions and any security warranties carefully, and keep records (asset inventory, vendor support status, patch dates) that show you met them.
Companies that continue to run software no longer maintained by its vendor, or that fail to update their systems or software when a patch is available, may find themselves locked out of their cyber insurance coverage after a data breach, because the carrier’s expectations and the policy’s exclusions were not met.
Please be sure to check back next week for more Cyber Insurance Compliance Insights from FTC Investigations.