
Computer Hacks. In 60 percent of cases, attackers are able to compromise an organization within minutes, according to the Verizon 2015 Data Breach Investigations Report.

Executive Summary

In February, Ironshore introduced a cyber insurance enhancement that alerts certain middle-market policyholders of questionable activity involving their networks. Here, Ironshore’s Kurt Suhs and BorderHawk’s Jay Harmon explain which policyholders are eligible for the service and how the insurer and its cybersecurity partner came up with this seemingly groundbreaking idea.

Data Loss. Forty-three percent of companies were immediately put out of business by a “major loss” of computer records, and 51 percent permanently closed their doors within two years, a 2010 report by Gartner Group revealed.

Dwell Time. The average dwell time—the time it takes to identify an attacker—is 98 days for financial service firms and 197 days for retail firms, according to a 2015 Ponemon Institute Survey, sponsored by Arbor Networks.

(Related reports, “Advanced Threats in Financial Services: A Study of North America and EMEA” and “Advanced Threats in Retail: A Study of North America and EMEA,” available here.)

Statistics like these explain why we believe that investment in loss prevention is better than trying to recover from a data breach—and why Ironshore introduced Ironshore Highly Protected Information (HPI) endorsement for middle-market companies to its network security and privacy insurance policies (Enterprise PrivaProtector 9.0 and TechDefender). The endorsement is specifically designed to provide comprehensive pre-breach expertise and loss control services to policyholders—in particular, Cyber Monitoring and Alerting Service (CMAS) provided by BorderHawk, an Atlanta-based cybersecurity firm.

CMAS can alert policyholders to unknown data compromises, cutting the dwell time from weeks and months to days and allowing them to take action more quickly than they have in the past.

The CMAS Concept

A data compromise is an incident involving the breach of a system or network environment where data is being processed, stored or transmitted.

In the physical world, CMAS might be thought of as analogous to having someone checking pawnshops for indications that your property might soon become available for sale. In other words, just in case alarms and other preventative security measures you have purchased for your house fail to warn you that some of your property has left your house unexpectedly, the alert provides notice that something may have happened even though you did not realize it. You will not have all the facts, only notice that something has happened.

Similarly, CMAS looks across the Internet to find instances where information associated with your organization may be associated with sites or situations that suggest potential for a problem. CMAS does not watch your network, inside or out. It simply looks for references to your organization in potentially threatening situations.

Anatomy of an Insurance Policy Innovation

Ironshore and BorderHawk executives first connected through mutual participation in Infragard, a partnership between the FBI and the private sector dedicated to sharing information and intelligence to prevent hostile acts against the United States. Together, we brainstormed how we could help policyholders given our common understanding of the changing world of information security.

It used to be that you could lock down a data center and pretty much guarantee who had access to that data center, what applications could run and what data could be shared. That’s not the world we live in anymore.

Today, data is capable of moving. Moreover, in some industries like health care, it is necessary that information be moveable and shareable. By the very nature of today’s evolving Internet technology, data networks are becoming seemingly more “connectible.”

With employees and clients connecting to the Internet away from their offices or homes via phones or laptops, we accept the risk that the underlying network infrastructures that lead us to the Internet may or may not be protected. We cannot be sure. Consequently, to adjust to these changes, your perspective on information security should move from solely working to protect your information to detecting when it is at risk.

The question becomes, how do you detect information risk?

BorderHawk zeroed in on some signs when they started building CMAS—an idea that resonated with Ironshore underwriters. CMAS was designed to reduce dwell times by alerting that potentially malicious activity might be underway within a client environment.

Bad Guys Leave Their Mark

For BorderHawk, the concept of such an alert service was conceived during a client support effort. The client, an essential part of America’s critical infrastructure, was repeatedly hit by cyber attacks—by both nation states and bad actors trying to disrupt operations or steal information from its production facilities.

In the process of investigating one of these incidents, Matt Caldwell, BorderHawk’s chief security researcher, discovered misdirected data traffic transiting the client’s network. Subsequently, he isolated an innocuous network device that had apparently been compromised prior to introduction to the network. He was eventually able to analyze the device and its data delivery process.

Working from the premise that a compromised device will ultimately communicate with some third-party device outside of the compromised organization’s network, he started analyzing all devices within the network that were attempting to connect outside of the organization’s network. Ultimately, he concluded that the vast majority of traffic was legitimate. Nevertheless, after isolating legitimate traffic from all else, he realized he was essentially looking for connections to the Dark Web or other locations specifically designed for malevolent activity.

As a result of Caldwell’s discovery and subsequent efforts, a method for identifying potentially compromised machines from the Internet was developed.

The process involves BorderHawk extracting threat intelligence from a variety of Internet sources. Then, data from those Internet sources is examined to detect interactions with client information. Where potentially risky data associations are detected, alerts are dynamically generated to the client.

Where Is That Data Headed?

When BorderHawk’s CMAS detects client information having been associated with risky Internet addresses or behavior, CMAS sends an email to the client’s point of contact recommending incident analysis. BorderHawk’s CMAS does not conduct analysis; it only generates alerts indicating the client should conduct analysis to determine if a threat or vulnerability might exist.

Time is the clear enemy here, as illustrated by the Anthem breach, which reportedly had a six-month dwell time. The more quickly an organization can respond once it has detected an event, the greater the likelihood that it can decrease potential damage.

An Insurance Enhancement for Middle-Market Insureds

In addition to agreeing to use the CMAS tool powered by BorderHawk (and to take action to mitigate the risks generating alerts), Ironshore insureds can voluntarily achieve HPI status by also doing the following within a three-year period:

  • Having at least one third-party vulnerability assessment conducted by an independent third-party information security firm or U.S. Department of Homeland Security and remediating any high- and medium-risk vulnerabilities identified. (BorderHawk can be available to conduct third-party information risk assessments.)
  • Using one free hour of telephone consultation provided by a third-party on-call chief security officer. (Ironshore works with three security companies available for the on-call consultation; BorderHawk is one of those three.)

Because HPI status means a better collection of risks for Ironshore, it also means lower annual premium rates for insureds. They are eligible for a discount of up to 20 percent every third year. The overriding idea is to create better risks and long-term partners with Ironshore.

BorderHawk alerts for HPI policyholders communicate two potential bits of information: threat warnings or vulnerability warnings.

  • Threat warnings indicate that a computer from within the client’s IP address range is sending spam, signaling that the insured likely has a compromised machine behind its firewall.
  • Vulnerability warnings indicate an Internet-wide awareness of a specific vulnerability in the insured’s system—the critical information that opens a door for bad actors to attack.
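As an added illustration (not BorderHawk's code; the article does not describe CMAS's matching logic), the two warning types above, the e-mail notice recommending analysis, and the five-alert underwriter threshold can be modelled as matching externally observed indicators against an insured's published address ranges and hostnames. Every name, address range, date and feed entry below is constructed, and the CVE identifiers are placeholders.

```python
import ipaddress

# Constructed insured record: the public IP range and Internet-facing hostnames
# the service is asked to watch. Only documentation/test ranges and names are used.
INSURED = {
    "name": "Example Insured (constructed)",
    "ip_ranges": [ipaddress.ip_network("203.0.113.0/24")],
    "hostnames": {"www.example-insured.test", "mail.example-insured.test"},
}

# Constructed stand-in for threat intelligence pulled from Internet sources:
# addresses observed emitting spam, and public notices that a specific
# vulnerability affects a named host. CVE ids are placeholders, not real records.
FEED = [
    {"kind": "spam_source", "ip": "203.0.113.45", "seen": "2015-09-01"},
    {"kind": "spam_source", "ip": "198.51.100.7", "seen": "2015-09-01"},  # not the insured's
    {"kind": "vuln_disclosure", "host": "www.example-insured.test",
     "cve": "CVE-XXXX-PLACEHOLDER", "seen": "2015-09-02"},
    {"kind": "vuln_disclosure", "host": "shop.other-company.test",
     "cve": "CVE-YYYY-PLACEHOLDER", "seen": "2015-09-02"},
    {"kind": "spam_source", "ip": "203.0.113.45", "seen": "2015-09-03"},
]


def in_ranges(ip_str, ranges):
    """True if the address falls inside any of the insured's published ranges."""
    addr = ipaddress.ip_address(ip_str)
    return any(addr in net for net in ranges)


def generate_alerts(insured, feed):
    """Match external observations against the insured's assets.

    Returns (category, subject, date) tuples. 'threat': an address inside the
    insured's range was seen sending spam (likely a compromised host behind the
    firewall). 'vulnerability': a public report names one of the insured's hosts.
    """
    alerts = []
    for obs in feed:
        if obs["kind"] == "spam_source" and in_ranges(obs["ip"], insured["ip_ranges"]):
            alerts.append(("threat", obs["ip"], obs["seen"]))
        elif obs["kind"] == "vuln_disclosure" and obs["host"] in insured["hostnames"]:
            alerts.append(("vulnerability", f'{obs["host"]} {obs["cve"]}', obs["seen"]))
    return alerts


def notice_text(insured, alert):
    """E-mail body that recommends incident analysis; the service performs none itself."""
    category, subject, seen = alert
    return (f"{insured['name']}: {category} warning for {subject} (observed {seen}). "
            "Recommend incident analysis; this notice contains no analysis.")


def needs_underwriter_review(alerts, threshold=5):
    """Five or more alerts for one insured prompt the voluntary broker/client meeting."""
    return len(alerts) >= threshold
```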

CMAS Alerts go out to the insured and the insurer, with the alert to Ironshore constituting a notice of a potential claim under the policy. Policyholders don’t have to worry about late-notice reporting.

When five or more alerts come to the desk of an Ironshore underwriter for a single insured, the multiple warnings will likely trigger a call from Ironshore to the broker to request a voluntary meeting with the client and BorderHawk to understand the insured’s response. The goal is always to cut the dwell time by not letting situations linger.

The target market for the CMAS endorsement is the middle market—companies with $1 billion in revenue or less and six million records or less—a target that keeps premiums and claims manageable. The larger the revenue, the larger the potential business interruption or the cost to restore digital assets. And in terms of the liability and the privacy breach expense, the record count correlates to the amount of loss.

Middle-market companies generally have some level of sophistication in terms of risk and security management, whether they’re outsourcing security services or doing everything in house. But even the best-managed companies still get compromised. Bottom line: If state-sponsored actors want to get into a network, they can.

While cyber insurance policies exclude acts of war, Ironshore’s cyber policies are triggered whenever a foreign country sponsors cyber actors to attack the U.S. company insured. By targeting the middle market, Ironshore can manage the costs associated with breaches on a better cost basis even as threats proliferate—and as detection rather than prevention becomes the only way to handle information security.