D&O insurance not yet a priority despite criminal trial of Uber’s former CISO

September 25, 2022

The trial of former Uber CISO Joe Sullivan marks the first time a cybersecurity chief has faced potential criminal liability. Sullivan is charged with trying to conceal from federal investigators the details of a 2016 hack at Uber that exposed the email addresses and phone numbers of 57 million drivers and passengers. The two charges against Sullivan, obstruction of justice and failure to report a crime, carry potential jail time of five and three years, respectively, in a watershed case that has drawn the attention of security professionals.

In a sardonic coincidence, Sullivan’s trial began days before news broke that Uber had been hacked again. Uber says that a hacking group run by teenagers called LAPSUS$ likely stole an employee’s credential to gain wide-ranging access to Uber’s internal systems including the company’s Amazon Web Services console, VMware vSphere/ESXi virtual machines, Google Workspace admin dashboard for managing the Uber email accounts, Slack server, and bug bounty program portal. Uber confirmed the breach and claimed it has no evidence that the hacker gained access to sensitive user data. 

The latest Uber breach doesn’t appear to involve any malfeasance on the part of Uber’s security team. Nonetheless, its timing underscores that corporate cybersecurity chiefs remain in uncertain legal territory regarding significant hacks. Although the issue of some form of personal liability insurance, or directors-and-officers (D&O) insurance, for CISOs has been raised in the context of Sullivan’s woes, experts say they aren’t seeing demand for it yet.

Sullivan’s attorneys argue he’s not responsible

The 2016 breach involved admitted hackers Vasile Mereacre, who went by the name John Doughs, and Brandon Glover hacking into an Uber S3 folder containing more than 200 users’ private data files. They stole the names, email addresses, and phone numbers of 57 million app users, along with 600,000 driver’s license numbers. They then contacted Uber seeking a ransom payment. The hackers mostly communicated with Rob Fletcher, a company security response team member, although they also contacted Sullivan.

Uber ultimately agreed to pay the pair $100,000 to delete the data as a “bug bounty” and asked them to sign a non-disclosure agreement (NDA), allegedly to conceal the whole affair from the public and regulators. The incident remained under wraps until 2017, when Dara Khosrowshahi became Uber’s new chief executive and fired Sullivan. 

This past summer, Uber entered a non-prosecution agreement with federal prosecutors to resolve a criminal investigation into the cover-up of the 2016 breach, given that the Federal Trade Commission (FTC) had a pending investigation into the company’s data security practices at the time. Prosecutors contend that as the security chief for Uber, Sullivan was obligated to disclose the breach to the FTC. Sullivan’s attorneys argue that Uber’s legal team and not Sullivan was obliged to report the breach to the FTC.

Andrew Dawson, an assistant US attorney, said, “This is a case about a cover-up, about payoffs and about lies. The evidence will show that Mr. Sullivan paid for the hackers’ silence because Uber was being investigated by the FTC.”

Gray areas such as ransomware could leave CISOs responsible

Given the rapid spike in ransomware attacks over the past three years, many organizations have chosen to pay the ransom to attackers in a manner not dissimilar to what Sullivan did. Even Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger has said, despite the FBI’s advice never to pay a ransom, “We recognize…that companies are often in a difficult position if their data is encrypted and they do not have backups and cannot recover the data. And that is why — given the rise in ransomware and given, frankly, the troubling trend we see of often targeting companies who have insurance and maybe richer targets — that we need to look thoughtfully at this area.”

Although most organizations are not under investigation by the FTC and wouldn’t go to the lengths that Uber did to conceal a payment to hackers, gray areas could conceivably emerge, depending on the circumstances, that leave CISOs vulnerable to subsequent legal action, and potentially costly legal bills, if they participated in a decision to pay a ransom or to handle a cybersecurity incident in an unconventional way.

CISOs don’t seem to be seeking additional insurance

While CISOs are no doubt watching Sullivan’s trial nervously to determine whether they should demand D&O insurance, the same kind of liability protection that corporate directors and officers receive at significant corporations, “right now the primary focus for CISOs is on the general cyber liability insurance front,” Steven Aiello, security practice director at Ahead, tells CSO. “With the CISOs that I’m having conversations with, the additional forms of insurance are not something they’re bringing up as a point of concern right now. I’m not saying that they shouldn’t have it. What I’m saying is that the CISOs that I’m having discussions with, that’s definitely not something that they’re bringing to the table as a concern.”

It’s no surprise that general cybersecurity insurance is a current focus of attention, given that policies written in the insurance market are becoming increasingly precarious. One leading underwriter, Lloyd’s of London, will soon exclude state-backed attacks from its coverage. Moreover, some companies are ditching the coverage altogether following a 74% spike in cyber insurance premiums.

D&O insurance could also be overkill for most CISOs because, “When you look at an organizational structure, the CISO’s role is still really more of a VP, SVP position than a true C-level position,” Aiello says. “It’s, unfortunately, still not a true C-level position. If you look at the organizational structures, a lot of CSOs either roll up to a CFO or a CIO.”

Yet as cybersecurity becomes more sophisticated and government agencies spell out more guidance on achieving security and resiliency, CISOs have a right to be nervous, given the accusations that might crop up in the future if they fail to follow the emerging guidance today. “Take the case with Uber. That happened post-attack, what we call ‘right of boom.’ If you covered it up, that seems to be something that, of course, gets you exposed,” Ian Bramson, global head of industrial cybersecurity at compliance firm ABSG Consulting, tells CSO.

“But as regulations come in and say you have to report an incident in X amount of time, or you have to do X, Y, and Z, when they start being more prescriptive and companies aren’t following that, then the executives will be more exposed as they go along,” Bramson says. “There’s an overall impact dimension, meaning what did you do to prepare? Did you not prepare well enough? Then you might be liable for that.”

Bramson thinks CISOs on the OT side of the business might face more significant risks than pure IT cybersecurity leaders because liability protection is less mature in industrial environments, and “I can shut stuff down. I can blow stuff up on the OT side.”

The best bet for CISOs is protective governance policy

Aiello thinks that most organizations won’t pay for D&O insurance, or any other kind of professional liability insurance, for their CISOs because those policies can cost $100,000 or more per year. CISOs are unlikely to pay for that kind of insurance out of their own pockets “to absolve themselves of some personal risk.” If that were the case, most CISOs wouldn’t take the job, “because you can be a lower level resource and make just as much money and not have to carry that risk and not have to carry that cost,” says Aiello.

The better bet for CISOs is to ensure that corporate governance policies provide them with protection. “I would absolutely make sure that when the organization chose to accept a risk by not getting cyber liability insurance or by failing to fund a project, it should be documented that it wasn’t the CSO that chose to accept this risk; it was the CEO or the CFO or the COO that chose to accept that risk.”

Copyright © 2022 IDG Communications, Inc.
