Is outside-in the “Next Gen” of Continuous Monitoring?

In late 2002, the U.S. Government enacted a new law designed to hold each federal agency accountable for developing, documenting, and implementing an agency-wide information security program, including for its contractors. The Federal Information Security Management Act (FISMA) was one of the first information security laws to require agencies to perform continuous assessments and develop procedures for detecting, reporting, and responding to security incidents.

With limited technological resources available for monitoring and assessing performance over time, however, agencies struggled to adhere to the law’s goals and intent. Ironically, although FISMA’s goal was to improve oversight of security performance, early implementation resulted in annual reviews of document-based practices and policies. Large amounts of money were spent bringing in external audit firms to perform these assessments, producing more paper-based reports that, although useful for examining a wide set of criteria, failed to verify the effectiveness of security controls, focusing instead on their existence.

John Streufert, a leading advocate of performance monitoring at the State Department and later at DHS, estimated that by 2009, more than $440 million per year was being spent on these paper-based assessments, with findings and recommendations becoming out of date before they could be implemented. Clearly, this risk assessment methodology was not yielding the outcomes the law’s authors had in mind, and in time agencies began to look for solutions that could actually monitor their networks and provide real-time results.

Thanks to efforts by Streufert and others, it wasn’t long before “continuous monitoring” solutions existed. But, just as with all breakthrough technologies, early attempts at continuous monitoring were limited by high costs, difficult implementations and a lack of staffing resources. As continuous monitoring solutions made it into IT security budgets, organizations and agencies were challenged to make optimal use of tools that required tuning and constant maintenance to show value. False positives and missed signals led many IT teams to feel like they were drinking from a fire hose of data and the value of continuous monitoring in many cases was lost.

However, solutions today offer a number of benefits including easy operationalization, lower costs and reduced resource requirements.

Many options, such as outside-in performance rating solutions, require no hardware or software installation and have been shown to produce immediate results. These tools continuously analyze vast amounts of external data on security behaviors and generate daily ratings for the network being monitored, with alerts and detailed analytics available to identify and remediate security issues.

The ratings are objective measures of security performance, with higher ratings equaling a stronger security posture.

Used in conjunction with other assessment methods, ratings give organizations a more comprehensive view of security posture, especially because they provide ongoing visibility over time rather than a point-in-time result. The fidelity of “outside-in” assessments is very good when compared to the results of manual questionnaires and assessments, because outside-in solutions eliminate some of the bias and confusion that may be seen in personnel responses. Additionally, outside-in performance monitoring can be used to quickly and easily verify the effectiveness of controls, not just the existence of policies and procedures that may or may not be properly implemented.

These changes have made continuous performance monitoring and security ratings more appealing to organizations across the commercial and government space. Organizations have learned that real-time, continuous performance monitoring can allow them to immediately identify and respond to issues and possibly avoid truly catastrophic events, as research has shown a strong correlation between performance ratings and significant breach events. Furthermore, as it becomes easier to monitor internal networks, organizations are beginning to realize the security benefits that can be gained through monitoring vendors and other third parties that are part of the business ecosystem.

Being able to monitor and address third-party risk puts us squarely in the realm of next-generation continuous monitoring, something many regulators are pushing to see addressed in current risk management strategies.

FAA Announces Drone Testing Partnerships Beyond Current Regulations

Yesterday, the Federal Aviation Administration announced three partnerships with companies to expand the operation of unmanned aerial vehicles (UAVs) in an initiative the agency is calling the Pathfinder program.

U.S.-based drone maker PrecisionHawk will be exploring the possibilities of flights over agriculture while testing tracking and a system for drones and planes to remain aware of each other in flight to avoid collisions. CNN will be testing the use of drones for newsgathering in urban areas where drones will remain in the line of sight of operators. BNSF Railroad, owned by Warren Buffett’s Berkshire Hathaway, received permission to test drone operations outside of the operator’s visual line of sight. The company will “explore command-and-control challenges of using UAS to inspect rail system infrastructure,” the FAA reported.

“Government has some of the best and brightest minds in aviation, but we can’t operate in a vacuum,” said U.S. Transportation Secretary Anthony Foxx. “This is a big job, and we’ll get to our goal of safe, widespread UAS integration more quickly by leveraging the resources and expertise of the industry.”

To that end, Pathfinder will allow these corporate entities to research operations that push the boundaries of the recent draft rules released regarding small unmanned aircraft, namely by operating both within and without the visual line of sight requirements currently mandated by the FAA.

“Even as we pursue our current rulemaking effort for small unmanned aircraft, we must continue to actively look for future ways to expand non-recreational UAS uses,” said FAA Administrator Michael Huerta, who announced the initiative at a conference held Wednesday by the Association for Unmanned Vehicle Systems International. “This new initiative involving three leading U.S. companies will help us anticipate and address the needs of the evolving UAS industry.”

This effort is also the first step in realizing some companies’ grander aspirations for drone use, such as the package delivery applications being pursued by Amazon. That being said, the information gathered by these companies will merely provide data to inform future FAA regulations, which are still pending and may only approve broader operations in a few years. Other companies looking into similar applications that are beyond the scope of current draft regulations would still need to apply for and receive a Section 333 exemption from the FAA. While about 300 of these requests have been granted, the agency has received repeated criticism for an exceptionally slow and sometimes mystifying review process.

“The impact of the Pathfinder Program could be profound for several reasons — perhaps most importantly, it shows the FAA is serious about moving quickly to safely and practically integrate commercial drone use in the U.S.,” said Anthony Mormino, senior legal counsel at Swiss Re. “Allowing drone flights beyond the sight of a drone operator is considered the key to unlocking the true potential of commercial drone use. This collaboration could impact the future rules promulgated by the FAA regarding the line of sight requirement for commercial drones.”

Such developments could also significantly impact insurers. As discussed in “Drones Take Flight,” the April cover story of Risk Management magazine, one of the most promising near-future applications for UAVs could be in the insurance industry in the wake of natural catastrophes or other major claim events. “Reducing or eliminating the visual line of sight limitation on commercial drone use will allow insurance companies to employ UAVs to their fullest extent in insurance underwriting and claims management,” Mormino said. “Consider that the FAA has already granted a number of insurance companies permission to test and use UAVs for insurance inspection purposes. These companies include AIG, State Farm, Erie Insurance Group, and USAA.

They plan to use UAVs, for example, to more quickly process insurance claims after natural disasters by allowing them to inspect damage —especially in remote locations—in real time.

Insurers also plan to use UAVs to obtain imagery and data for use in underwriting, such as roof inspections. Until the FAA mitigates the visual line of sight limitation, however, the foregoing insurance uses for UAVs will remain drastically limited. Success for the FAA’s new Pathfinder program would open the door to potentially even larger scale use of UAVs by insurance companies.”

The implications for insurers also extend to the products and pricing offered. “First, the current dearth of UAS loss data makes it difficult for insurance companies to properly price insurance policies covering drone use,” said Carol Kreiling, senior claim manager at Swiss Re. “It is therefore no surprise that only a handful of insurers actually issue stand-alone drone insurance coverage, such as Zurich Insurance in Canada, and Tokio Marine in the Lloyd’s of London market. An increase in commercial use of drones in the US could provide a steady flow of data that would allow more insurers to price and issue coverage for use of UAS. On the other hand, if the Pathfinder program’s goals are fulfilled—to find ways to safely use UAVs outside a pilot’s visual line of sight—increased remote use of drones could raise risk profiles for insurance coverage.

At the conference, Huerta also announced a new smartphone app called B4UFLY, designed to help model aircraft and UAS users know if it is safe and legal to fly in their current or planned location by pairing geolocations with the relevant restrictions and requirements.

For more about drones, UAV regulations, and the potential impact these machines may have on the insurance industry, check out “Drones Take Flight,” the April cover story of Risk Management magazine.

The Impact of Collaboration in Cyber Risk Insurance

Former FBI Director Robert Mueller once said, “There are only two types of companies: those that have been hacked and those that will be. Even that is merging into one category: those that have been hacked and will be again.” This is the environment in which risk managers must protect their businesses, and it isn’t easy.

Cyber risk is not an IT issue; it’s a business problem. As such, risk management strategies must include cyber risk insurance protection. Until recently, cyber insurance was considered a nice-to-have supplement to existing insurance coverage. However, following in the wake of numerous, high-profile data breaches, cyber coverage is fast becoming a must-have. In fact, new data from The Ponemon Institute indicates that policy purchases have more than doubled in the past year, and insiders estimate U.S. premiums at around $1 billion today and rising.

But is a cyber policy really necessary? In short, yes. As P.F. Chang’s China Bistro recently discovered, commercial general liability (CGL) policies generally do not include liability coverage to protect against cyber-related losses. CGL policies are intended to provide broad coverage, not necessarily deep coverage. Considering the complexity of cyber risks, there is a real and legitimate need for specialized policies that indemnify the insured against cyber-related loss and liability.

The fact is, cyber risk is a problem all its own.

The cyber threat is pervasive, and attacks are increasing exponentially. Cyberattack trends are also shifting constantly. An attack can come from multiple directions and in multiple forms, targeting different information and outcomes: an attack launched by a hacker group intent on making a political statement, malware that enters the network through a third-party service provider to steal credit card information, or a data breach perpetrated by a trusted insider seeking competitive intellectual property (IP).

In this complex, dynamic threat landscape, the ability to accurately assess risk becomes a monumental undertaking. If we accept that every organization has been hacked or will be again, it’s clear that prior incidents are no longer relevant or legitimate indicators of a company’s risk. Similarly, stagnant security checklists required by many insurers are hardly representative of actual, ever-changing cyber risk. Traditional risk assessment methodologies that rely on these elements to determine pre-binding risk simply have no place in today’s world.

Risk Assessment for the Cyber Era

The industry needs assessment methods consistent with the changing threat landscape. That means real-time, active assessment of an entity’s entire business ecosystem including upstream and downstream threats, as well as the often overlooked insider threat. What this provides is a holistic understanding of an entity’s vulnerabilities, high priority risks and security maturity.

In the current cyber environment, it’s implicit that every organization will be the victim of a cyberattack and that there will be some cyber loss as a result. Thus, savvy underwriters are looking beyond mere ticks on a checklist to determine insurability; rather, they’re looking for security maturity and cyber resilience.

The more cyber resilient an organization, the faster it can identify a cyberattack, stop it and recover from the impact. Data loss is expected. It’s the severity of the data loss that will impact the company’s business, damage its brand and customer loyalty and erode investor confidence.

Those organizations that can quickly and effectively minimize the risk and get back to business are generally considered a safer bet.

This is where organizations can realize the benefits of holistic cyber insurance assessment. All too often, critical data is uncovered after a breach occurs. By implementing a proactive risk assessment before an attack occurs, the organization can gain in-depth intelligence about its highest priority risks before an incident, not years later when it’s too late to do anything about it. A pre-binding assessment provides the right data at the right time to inform risk management decisions and align resources with an organization’s highest priority risks.

Additionally, organizations that adopt continuous proactive assessment and ongoing risk mitigation demonstrate mature security practices, which indicate an organization’s ability to return to regular operations faster following a cyber incident.

Partners Against Cybercrime

Historically, there has been an antagonistic relationship between the insurer and client, but in the wake of catastrophic data breaches, these two sides are now finding common ground. For instance, several insurance brokers today are requiring a holistic, pre-binding risk assessment before a company can receive a policy. This benefits both the insurer and the pre-insured by providing invaluable insights about the company’s security, often revealing unexpected weaknesses and new priorities. Some policies also tie risk assessment to financial incentives to encourage ongoing risk mitigation. This becomes a virtuous circle for the insured: it gets the benefit of reduced premiums once risk maturity has been measured, and the assessment itself gives the company greater insight and the ability to be proactive about reducing security risks.

For decades, the bargaining power has been with the insurer. With a revised approach, and in keeping with the demands of today’s cyber landscape, the relationship between insurer and insured has become collaborative as both sides work together to identify and mitigate risk. In this way, cyber insurance becomes an avenue for companies to improve cybersecurity, not to simply offset risk.

U.S. Insurers Gearing up For Tech Growth

A study by Xchanging plc found that technology was the highest priority for 60% of respondents and an overwhelming majority, 86%, ranked it as their first or second priority.

The survey also found that 67% of insurers believe their company’s IT budget will increase this year, with 44% saying it would increase significantly.

The study, conducted at the Acord Loma Forum in May, found that 36% of respondents said it was most likely that big data would see an increase.