He’s on to Something.


Dedicated Threat Hunting Investigations

I always enjoy reading an article from someone who truly gets it. This particular article was a preview of a forthcoming ebook from SC Media titled “All about MDR: What it is and how to optimize it.” The article describes managed detection and response (MDR) services as when a “vendor performs dedicated threat hunting investigations and incident response on behalf of a customer.” [The analysts at Gartner would properly add that the vendor needs to bring their own technology to the table as part of the service as well.] The article emphasizes the following key prerequisites for anything called “MDR”:
  • Access to real human threat hunters – a truly rare breed.
  • Specific focus on threat detection and threat response.
  • Continuous monitoring and scanning.
  • Guided remediation and prioritization.
  • Working partnership built on shared and non-shared responsibilities.

Proactively Fight the Fire

The article goes on to distance MDR from (M)EDR, XDR, MSSP and SIEM/SOC services. Providers of these services often say they are performing “MDR Services” when they are just slapping a new label on their old MSSP services or selling products. MSSPs are more focused on the administration of alerts (reactive) than on (proactive) threat hunting, threat intelligence and incident response. The latter three skills define what you should look for in an MDR provider. When an MSSP, EDR, XDR or SIEM/SOC provider calls themselves an MDR provider, it’s akin to a Fire Department radio dispatcher saying they put out fires. A bit of a stretch. You want the people that actually fight the fire on scene with your team.


A Passion for Eliminating Threats

MDR is when a…

“vendor performs dedicated threat hunting investigations and incident response on behalf of a customer.”

– Daniel Thomas, SC Media

At PacketWatch, we employ dedicated threat hunters whose passion and sole occupation is to hunt and eliminate threats. That’s it – nothing else. Their vernacular is formed by the incidents they respond to each week. Our PacketWatch platform is the ultimate threat-hunting tool because it is designed by and for threat hunters. It provides the additional detailed visibility into the network and context that EDR, XDR, and SIEM lack. Our threat hunting team knows what to prioritize and how to kill it. That’s what hunters do.

So, good for the folks at SC media! I look forward to reading the rest of their ebook. In speaking recently with the Gartner analysts, we expect they will be reinforcing many of the same points in their upcoming revised MDR Market Guide too. The reason you want an MDR provider is for the quality and experience of the people you will be working with, not just another technology. So, if you are considering Managed Detection and Response services (or want to upgrade from your current provider), please give us a call today at 1.800.864.4667. We’ll be happy to show you what outcomes a real MDR provider can provide your firm.

There’s Your Sign.


Tools don’t Save the Day, People Do.

Swinging Pendulum

I think you’d agree with me that the pendulum swings too far in one direction sometimes. Over the past decade, we’ve watched the security pendulum swing from one tool to the next. Next-Gen Firewalls to Next-Gen AV to SIEM to EDR to Cloud to AI and now to XDR. While all these tools have been helpful in some regard (some more than others), you may have noticed the security problem has only worsened. A tool is meant to empower a human being to perform at a higher or more efficient level. But only if they are properly configured and monitored.

Here’s What I Mean

“On 31 March 2021, the HSE’s antivirus software detected the execution of two software tools commonly used by ransomware groups: Cobalt Strike and Mimikatz, on the patient zero’s workstation. The antivirus software was set to monitor mode, so it did not block the malicious commands.”

– Excerpt from Conti Cyberattack on the HSE Independent Post Incident Review

Consider this stunning example found in the Independent Post Incident Report covering the 2021 Conti Ransomware attack on the Irish Health Service Executive (or “HSE”). [Hats off to the HSE for releasing it to the public.] The massive breach at the HSE disrupted the operations of some 4,000 locations, 54 acute hospitals and over 70,000 devices. Turns out patient zero was infected by a simple phishing email with an infected Microsoft Office Excel document.

Any good antivirus should have stopped it at that point. Two weeks later the antivirus tool alerted that Cobalt Strike and Mimikatz had been executed. Yikes. The execution of two well-known penetration testing tools should have been stopped by the antivirus and set off the equivalent of a ‘Mariachi Band’ in the SOC.

They didn’t have one. However, the report goes on to say that the antivirus tool was deployed in an ad-hoc fashion (i.e., not thoughtfully) and was configured only to monitor, not block. Plus, no one was monitoring it. Ouch. There’s your sign! Their tools were useless without the proper people to architect, configure and monitor them. The event cost the HSE an estimated $600 million.

Experienced People

I like the first recommendation listed in the report: “Appoint an interim senior leader for cybersecurity (a CISO) who has experience rapidly reducing an organisation’s vulnerability to threats and designing cyber security transformation programmes.” I read that as a polite way of saying: Get someone in here who knows what the hell they are doing!

In other words, the security pendulum needs to swing back towards experienced human beings. We need to focus more on making more experienced people! Tools can never replace them. If you need some experienced human threat hunters to help you ensure this doesn’t happen to your organization, give us a call at 1-800-864-4667, or reach out via our Contact Us form.


Maybe, with a Little Practice.


Let Me Explain Why

Since our PacketWatch team performs complex incident response around breaches, we are often asked: “What are the most important things for us to do in the first 10 minutes of an incident?” It’s hard not to chuckle when you hear that question. It most likely means it’s not going to go well for that client unless they make some changes. Let me explain why.

A Football Analogy

It’s football season, so we’ll pick an analogy from there. Imagine the Offensive Coach has an idea for a new play and jots it down on his playboard. It’s a great play against a particular defensive formation. He’s shown it to a few people, and they agree. Say it’s now game day and he sees the telltale defensive formation on the field. Time to run the play! Except not everyone on the field has seen the play, much less practiced it. The General Manager and the Head Coach certainly didn’t know that was going to happen. Nonetheless, you send in the play to the quarterback and tell him to execute. I think we can safely say that it’s not going to work well. If, by some chance, it does, it’s only because of the sheer athleticism of the team members. More likely it’s going to be chaotic, disorganized, and potentially disastrous. Most of the team will have no idea what to do and may not even recognize the call for the snap. The General Manager and the Head Coach will not be happy and will be looking to blame you for the disaster. They’ll let you face the press at the after-game conference. If you’d only had time to practice it and put the play through the paces with the team, it could have been stellar. But it’s too late now.

Incident Response Plan

So it is with incident response (IR). Typically, a document (IR Policy/Plan) is created by someone in the compliance department [because you needed to have one for your cyber insurance application]. Customers and partners have also been asking if you had one. Few internal people have seen it. Truth is, you copied it from someone else’s plan and put it in the policy binder. No one has ever evaluated the plan, worked through the processes, or developed playbooks for common scenarios. The folks on your team are not the most experienced and they probably can’t save you from disaster. If an incident were to happen today, the result would be like the infamous play above. Likely complete chaos and an expensive failure. Perhaps even a “resume generating event” for you.

Practice, Practice, Practice

“A winning effort begins with preparation”

– Coach Joe Gibbs

The solution is just as the coach should have done above. The coach should have walked the team through the play and each player’s role. He should have made sure communications were clear and who was authorized to make decisions on the fly. He should have told the “head shed” to make sure they have the right players on the field and what they should expect. What could go right and what could go wrong. He should have taught the team to anticipate the unexpected. Train some more and then do it all over again. Once they have rehearsed it a few times, the likelihood of success jumps exponentially.

The Tabletop Exercise

An Incident Response Tabletop Exercise (TTX) can accomplish just that for your organization. A TTX should be performed at least once a year. We recommend breaking them into a technical track and an executive track. Different topics, different personalities. The technical track focuses on the security team and their response processes and capabilities. The executive track focuses on the legal, communication and crisis response elements of an incident. The PacketWatch TTX is run by experienced responders who have seen it all – good and bad. With a few days of focused effort on each track, your organization can be better prepared to respond quickly. As Coach Joe Gibbs said: “A winning effort begins with preparation.” Contact us today to scope and schedule an IR TTX for your organization.

Give us a call at 1-800-864-4667, or reach out via our Contact Us form.


Don’t Just Go With The Flow…


Full Packet Capture (FPC)

One of the key features of the PacketWatch technology is continuous Full Packet Capture (FPC). FPC constantly records the individual network packets into files called PCAPs (Packet Capture). Collecting PCAPs over time allows retrospective and time series analysis. Many security vendors have chosen to provide only “flow”-based network information (e.g., NetFlow, IPFIX, sFlow, etc.).

80% isn’t Good Enough in Security


Flow-based data is a summary or, in some cases, just a sampling of what happened on the network. Details are removed to reduce overhead and simplify processing. For instance, flow data does not permit you to analyze the actual packet payload for specific data. That would be akin to noting a truck going down the street from point A to point B but not being able to see what it is carrying inside. After all, NetFlow was created by Cisco for network performance monitoring, not security uses. Flow data can be beneficial in presenting summary information about conversations and providing quick, high-level context, but it lacks the detail needed to determine conclusively what is happening. As such, Gartner sees most organizations implementing a dual approach with flow data used perhaps 80% of the time and packet-level data from key network locations for the critical 20% remainder. Having both flow and PCAP data is key to a threat hunter’s success and why PacketWatch is such a favorite of experienced hunters.

Here’s Why

With the massive increase in zero-day attacks, lingering advanced persistent threats, mutable malware, and ransomware attacks, organizations are realizing that investigating threats with their NetFlow-based tools alone leaves them unable to draw definitive conclusions about what’s happened. Last year 80 zero-days were reportedly exploited in the wild before patches existed. That is more than double the volume in 2019, the prior record. The average time to patch a vulnerability (MTTP) is between 60 and 150 days. So, the ability to look back and conclusively identify the potential exploit of a zero-day vulnerability is key. Having full PCAPs and the high-level flow data for that period permits a threat hunter to look back in time and conclusively identify a successful exploit of that zero-day vulnerability.

Combine the Data

Further, to understand a network or application performance problem, flow data, while useful, often isn’t sufficient. Again, combining flow data and recorded PCAPs provides a definitive record for network operations personnel. The combination of Flow and FPC/PCAPs gives both your NetOps and SecOps teams the ability to monitor the network for problems, and the detailed packet information needed to reconstruct precisely what happened. Ask us how you can easily add flow data, FPC and PCAPs to your security toolset today with PacketWatch. Even better, ask us how we can provide a fully managed MDR solution, including PacketWatch.
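As an added illustration (not PacketWatch code, and not part of the original post), the Python below shows the difference the preceding paragraphs describe: constructed packets are rolled up into NetFlow-style 5-tuple records that keep counters but no payload, while the retained full capture can be searched back over the retention window for an indicator that only becomes known once a patch ships. The host addresses, timestamps, web app and indicator string are all constructed placeholders.

```python
"""Flow summaries vs. full packet capture, on constructed sample traffic."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

DAY = 86_400.0
NOW = 1_700_000_000.0  # constructed "today", seconds since the epoch


@dataclass(frozen=True)
class Packet:
    """One captured packet as it would sit in a PCAP file (payload included)."""
    ts: float
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    payload: bytes


@dataclass
class FlowRecord:
    """NetFlow/IPFIX-style summary: counters and timestamps only, no payload field."""
    packets: int = 0
    octets: int = 0
    first_seen: float = 0.0
    last_seen: float = 0.0


FlowKey = Tuple[str, str, int, int, str]  # src, dst, sport, dport, proto

# Constructed capture: addresses, times and contents are placeholders.
# Packets 1-2: an internal host browsing an internal web app 45 days ago,
# one request hitting a path that is only flagged as an indicator today.
# Packet 3: a second host browsing the same app two days ago.
# Packet 4: a DNS query, to show flows carry protocol but not content.
INDICATOR = b"/cgi-bin/example-vuln-path"  # placeholder for an indicator published with a patch
CAPTURE: List[Packet] = [
    Packet(NOW - 45 * DAY, "10.0.1.25", "203.0.113.10", 51234, 80, "tcp",
           b"GET /cgi-bin/example-vuln-path HTTP/1.1\r\nHost: app.example\r\n\r\n"),
    Packet(NOW - 45 * DAY + 0.2, "10.0.1.25", "203.0.113.10", 51234, 80, "tcp",
           b"GET /index.html HTTP/1.1\r\nHost: app.example\r\n\r\n"),
    Packet(NOW - 2 * DAY, "10.0.1.77", "203.0.113.10", 49800, 80, "tcp",
           b"GET /index.html HTTP/1.1\r\nHost: app.example\r\n\r\n"),
    Packet(NOW - 1 * DAY, "10.0.1.25", "198.51.100.5", 52000, 53, "udp",
           b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"),
]


def export_flows(capture: List[Packet]) -> Dict[FlowKey, FlowRecord]:
    """Roll packets up into unidirectional flow records, as a flow exporter does.

    Who talked to whom, over which ports, how much and when survives; the
    payload is discarded at this step and cannot be recovered from the records.
    """
    flows: Dict[FlowKey, FlowRecord] = defaultdict(FlowRecord)
    for p in sorted(capture, key=lambda pkt: pkt.ts):
        rec = flows[(p.src, p.dst, p.sport, p.dport, p.proto)]
        if rec.packets == 0:
            rec.first_seen = p.ts
        rec.packets += 1
        rec.octets += len(p.payload)
        rec.last_seen = p.ts
    return dict(flows)


def hosts_talking_to(flows: Dict[FlowKey, FlowRecord], dst: str, dport: int) -> Dict[str, int]:
    """Flow-level triage: which sources had conversations with dst:dport, and how many octets."""
    return {k[0]: rec.octets for k, rec in flows.items() if k[1] == dst and k[3] == dport}


def retained(capture: List[Packet], now: float, retention_days: int) -> List[Packet]:
    """Packets still on disk given a rolling retention window (older ones have aged out)."""
    cutoff = now - retention_days * DAY
    return [p for p in capture if p.ts >= cutoff]


def retro_hunt(capture: List[Packet], pattern: bytes) -> List[Packet]:
    """Packet-level look-back: search retained payloads for an indicator learned after the fact."""
    return [p for p in capture if pattern in p.payload]


def hunt_report(capture, now, retention_days, indicator, dst, dport):
    """Combine both views: flow data names the candidates, FPC confirms which one is real."""
    kept = retained(capture, now, retention_days)
    candidates = hosts_talking_to(export_flows(kept), dst, dport)
    confirmed = sorted({p.src for p in retro_hunt(kept, indicator)})
    return {"candidates": candidates, "confirmed": confirmed}


if __name__ == "__main__":
    for days in (90, 30):
        print(days, "days retention:", hunt_report(CAPTURE, NOW, days, INDICATOR, "203.0.113.10", 80))
```

With 90 days of retained PCAP the hunt narrows two flow-level candidates to the one host that actually sent the flagged request; with 30 days of retention the 45-day-old packets have aged out and the question cannot be answered from either data set.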

Remember, 80% isn’t good enough when it comes to your security! Give us a call at 1-800-864-4667, or reach out via our Contact Us form.

Why am I Paying for Cyber Insurance?



Since its origins in the mid-2000s, cyber insurance has become a staple for transferring financial risks arising from information technology assets and operations. The risk of loss from malware, unauthorized access, email compromise, ransomware, and other threats is difficult to quantify. For most of that period, cyber insurance was a relatively cheap and abundant way to insure against loss from these risks. That’s no longer the case. Huge hikes in premiums, reduced capacity, increased retentions, and constantly changing underwriting requirements are the game today. What you have today, you may not get next year.

The Industry

“For the past two years, the cyber insurance market has been characterized by a high volume of claims, severe losses, climbing rates, reduced insurer appetite, and an increased focus on accumulation risks.”

– Marsh McLennan, 2022

New Exclusions

“We are therefore requiring that all standalone cyber-attack policies… must include… a suitable clause excluding liability for losses arising from any state-backed cyber-attack…”

– Lloyd’s, 2022

Adding to the concern, Lloyd’s new exclusions for state-backed cyber-attacks in standalone cyber policies are making buyers think twice. AXA dropped coverage for ransom payments in 2021. Beazley now has multiple addenda to its cyber applications covering details down to specific vulnerabilities (e.g., Log4j). So, if the policy is expensive, hard to get, and doesn’t cover significant risks like ransomware and state-backed actors – why buy it at all?

Why buy it at all?

That’s a good question, and one echoing around risk managers’ offices throughout the world. By its very nature, cyber insurance can only lessen the impact of a major event. It does nothing to stop it. Yet thousands of CEOs think they are protected simply because they have cyber insurance. Nothing could be farther from the truth. Buying a cyber insurance policy for its pre-breach services is no longer necessary; in fact, it’s pointless. The offerings are typically limited and not very helpful. You can find a dozen vendors offering every imaginable service directly without the encumbrance of the insurer.

To make matters even more confusing, you may even need to hire your own legal counsel in addition to the one provided by the cyber insurer just to make sure you are treated properly. The “tripartite relationship” among an insured, the legal counsel appointed under the policy, and the insurer can lead to conflicts and ethical dilemmas necessitating additional counsel for you, the insured. Consider that the legal counsel appointed by the insurer may have more loyalty to the insurer than to you. They may have hundreds of cases at stake. Be mindful of potential conflicts and carefully review any coverage letters or reservation of rights letters.

Remember that insurers have cut deals with their “panel” legal counsel providers. That means they have negotiated reduced rates. Law firms may respond by using their least expensive resources. Make sure the legal counsel provided by the insurer is not a junior associate. Your entire organization is at stake!

Be aware that you may also need to hire a separate incident response firm to make sure the one provided by the insurance company properly eradicated the threat from your computing environment. One method insurers have used to cut response costs is to hire cheaper, less experienced responders. It may be cheaper by the hour, but the quality and timeliness of the service suffers significantly. (The jury is still out on whether these low-cost providers actually save the insurer any money.) PacketWatch has had to ride shotgun and clean up problems from insurer-provided response firms on multiple occasions. Pro tip: Avoid hiring response firms that derive most of their revenue from participating in insurance panels. Guess where their loyalties lie.

The Shift to Proactive and Preventative

Given all of the problems noted above, astute organizations are shifting more spend to proactive and preventative services. By engaging a managed detection and response (MDR) provider to proactively hunt for threats and engaging in common sense security hygiene practices (MFA, patching, email filtering, etc.) the risk of a significant incident is greatly diminished. Some organizations are forgoing traditional cyber insurance and self-insuring at least some of the risk. They are setting up their own retainers with specialized legal counsel and incident response firms like PacketWatch. They are rehearsing incident response plans, testing protective tools, and pre-deploying response tools — ready to roll in the event of any type of incident. Compare that to waiting for your insurer to appoint someone you may not want to use anyway.

Refine Your Strategy

With tumultuous conditions in the cyber insurance markets and the problems noted above, now is the perfect time to revisit how you use cyber insurance. Ask yourself, why am I paying for this and what do I get out of it anyway? You may just find that the strategy you’ve used over the past several years is no longer workable and needs to be refined. You may find that shifting more spend to proactive and preventative services is a better strategy for your organization. If you’d like to discuss the specifics of how a more proactive and preventative strategy can benefit your organization, call us today. We don’t sell insurance and we are not attorneys, but we have cleaned up dozens of messes created by them. Our mission is to help you avoid similar problems.

Give us a call at 1-800-864-4667, or reach out via our Contact Us form.


Well, that was Awkward.


Finding Risks others may Miss

It wasn’t the call we wanted to make to a new enterprise client on a holiday weekend. After all, they had an Information Security Department larger than our entire company. The CISO had an alphabet of certifications following his name. They had more than 50 different security tools. But there it was, plain as day. Bad guys are sending data to Russia from their production network. This can’t be good. Gulp. Here goes. Ring. Ring.


The first call we made to our technical contact a few days earlier fell on deaf ears. Our team had seen evidence of a remote access tool (TeamViewer) running in their network. They told us we had to be mistaken because that wasn’t allowed by policy. Well, here’s a packet capture of the traffic, we said. Nothing came back from the client. We tried several times. Each day the activity was getting louder. The same internal IP address and host were involved somewhere in the corporate office. The client had top-of-the-line Endpoint Detection and Response (EDR) tools deployed, an expensive Security Information and Event Management (SIEM) platform, and state-of-the-art firewalls, along with a fleet of guys from one of the big advisory firms watching and monitoring everything. Why couldn’t they see it? What was this anomaly inside the client’s otherwise relatively clean production network?

We came in to provide a Proof of Concept (POC) of services using our PacketWatch full-packet capture platform. The POC was a joint project between the Information Security Team and the Network Department. Information Security wanted better visibility on the network, and the Network guys needed a tool to help diagnose application performance and configuration problems. A perfect fit for us to join the team and show them what we could do. We had the CIO and the CISO in the room together. We were on our best behavior. Our devices were installed only a week prior, but we already had tons of data collected. What was going to happen to the POC now, though?

We called in again. No answer. Shoot. Got his voicemail again. We left an urgent message and called everyone else we had met. “Please call back. This is urgent! We have exfil activity originating from the host we identified earlier. It’s also beginning to scan that network segment.” Danger. Danger. It was our best effort to ring the fire bell, but we were just the new guys. About an hour later, our senior project lead received a call from the client’s technical contact. It seems they had just declared an incident and enacted their Incident Response (IR) protocols. He couldn’t talk but would share the details later. Yes, we had seen something! Something big.

A few hours later, the contact told us that the offending device we had seen was a self-service Human Resources (HR) kiosk from a new vendor which had been installed in the corporate cafeteria. It was there to capture employees’ enrollment data for an employee benefits campaign. The device had been installed on the wrong network segment in a rush to get it operational. Since it wasn’t a company device, no EDR was installed. The vendor’s third-party IT company managed the kiosk remotely (using TeamViewer). Unfortunately, the vendor’s IT company experienced a breach the week prior. The bad guys used the open TeamViewer connection to access the kiosk. Using the kiosk’s network connection, they were now performing active reconnaissance on our client’s production network. They were also actively exfilling the employee data captured by the kiosk—what a mess. The lawyers will surely get rich on this one. Internal Audit will also document the “multiple cascading control failures stemming from a supply chain partner breach.” Ouch. And our contact admitted, “Yes, you had seen it first!”

Although that initial assignment was not exactly what we expected, it allowed us to show the strength of the PacketWatch platform in providing visibility to the network and the benefit of having a different vantage point from their library of other tools. It also showcased the ability of our team to see what others miss. We earned our spot on the team on that occasion. A relationship we treasure to this day.

A Change in Perspective

PacketWatch can help you get a better perspective on your organization’s cybersecurity risks, too. An Enterprise Security Assessment using the PacketWatch platform will tell you more about what’s hiding in your network – especially things from your vendors. Our team of experts is here to help, and we’d enjoy the opportunity to earn a spot on your team. However, if possible, we’d prefer something a bit less dramatic to get started.

Give us a call at 1-800-864-4667, or reach out via our Contact Us form.

N.B. The names were changed, and certain facts were modified, in an effort to preserve our client’s confidentiality yet share the story.

Yes, But Does It Actually Work?


Comparing and Choosing Cybersecurity Tools

RSA Conference Survey

A survey conducted at this year’s RSA conference summed up a looming problem in the cybersecurity realm. Forbes reported that:

  • 53% of the responding businesses feel they have wasted more than 50% of their cybersecurity budget and still cannot remediate threats
  • 43% of survey respondents say their number one challenge in threat detection and remediation is an overabundance of tools
  • 10% of organizations lack effective tools for remediating cybersecurity threats

Conglomeration of Tools

As we enter a time of economic slowdown and rising threats, now is not the ideal time to reduce cybersecurity budgets. Rather, you need to ensure that every dollar you spend leads to real measurable results. The typical midsized company has 50 to 60 security tools, and enterprises can have up to 130, according to Anomali. The best way to evaluate your unique conglomeration of tools, people, and practices is to look at how effectively it stops attacks. Ideally, this testing would also serve as a training opportunity for your security team. That’s where PacketWatch’s Active Security team comes in.

An Example

I recently spoke with a CEO who completed a merger with a competitor. He assumed the other company had spent as much on their cybersecurity tools as he had. The challenge he faced was how to sort out the tools they would use going forward in the new organization. He just wants it to work.

Opinions abounded from team members about which tools to keep and which to retire. Tempers flared when each team member’s ‘sacred cow’ was placed on the chopping block. I suggested he consider a slightly different approach. I advocated that he set forth a simple goal to the team — keep the set of tools that performs the best in stopping or detecting likely attackers from getting to the crown jewels. Hard to object to that.


To make this happen, I suggested he bring in an outside “Red Team” (PacketWatch in this case) to work side-by-side with his internal defenders – creating a custom “Purple Team” exercise. With PacketWatch’s Red Team members emulating the Tactics, Techniques, and Procedures (TTPs) of identified threat actors, the participants could objectively say which tools could best detect, deter, or defeat the threat actor.

The ineffective tools could be retired and/or processes modified. Another benefit of Purple Teaming is the experience the internal team members would gain from seeing an attacker’s behavior and learning how to react quickly using the tools. That turned out to be a winner for the CEO, and it can be for you too.

Next Steps

Your cybersecurity budget will likely face scrutiny from your CFO this year. Why not arm yourself with a proven methodology for optimizing your security tools and retiring any ineffective ones? The result will be a more efficient use of your security budget and some real-world experience for your team defending your network from adversaries. If you’d like to learn more about a PacketWatch Purple Team engagement, call us at 800-864-4667. Our team of Active Security experts will scope a custom exercise for your organization.


Higher Cyber Insurance Loss Rates Mean Big Changes for Businesses


On July 12th, The Arizona Tech Council convened a panel of experts for a forthright discussion about cyber insurance. The panel, moderated by PacketWatch’s CEO, Chuck Matthews, included industry experts Anthony Dagostino, CEO & Founder of Converge Insurance; Chris Branch, Chairman of ATS Underwriting; Wes Gates, CIO of the Arizona School Risk Retention Trust (the Trust), and Tracy Foss, Senior Program Director, Risk Program Administrators, a division of Arthur J. Gallagher. The specialist panel explored current market dynamics, discussed changes in underwriting practices, and shared experiences with the claims process. The goal of the discussion was to help member businesses understand how to effectively use cyber insurance in their arsenal of risk management tools and avoid common pitfalls.

Recent estimates show that the $4.8 billion cyber insurance market is growing at a rapid 25% compound annual growth rate (CAGR) and is expected to triple in the coming years. However, as a result of poor underwriting, direct loss ratios have ballooned to unsustainable numbers. Over the past two years, nearly 70¢ of every dollar in premium went to cover losses from claims involving ransomware, funds transfer loss, and business email compromise-related claims.

The resultant impact on businesses as insurers seek to stem losses is huge and wide-reaching. Smaller businesses are reportedly being priced out of the market entirely. For others, cyber insurance premiums are skyrocketing with an average 97% increase in 2021. Some companies experienced up to 300% increases. Businesses lacking key cyber controls were not even renewed. Panel members said they expect that trend to continue. In the first quarter of 2022 premiums for the top 25% of businesses increased an average 83.3%. Companies experienced other impacts from loss mitigation methods employed by the insurers including:

  • Reduced Policy Limits – Policy amounts were reduced by a third or half as industry capacity dropped
  • Increased Deductibles or Retentions – for one small business going from $25k to $150k
  • Coverage limitations – including new coinsurance provisions for ransomware; new exclusions of certain types of losses, and new sublimits for others
  • Greater underwriting scrutiny – multiple applications and technical addenda focused on the existence of key vulnerabilities
  • Tougher claims management practices – strict use of panel providers, denial of claims based on application deficiencies.

Key Takeaways

  • Read the Policy! Make sure you understand what you are getting and the requirements you are obligated to follow.
  • Make sure you know the Insurer’s Panel Providers which you are required to use in the event of a claim!
  • Expect more changes to coverages, policy language, premium increases, and underwriting practices.
  • Consider preventing losses with additional controls or self-insuring some 1st party risks to reduce premiums.

Shared Experiences

The panel explored and shared experiences on several other topics impacting the use of cyber insurance including:

  1. The applicability of “Act of War” and “Terrorism” policy exclusions in light of nation-state and state-sponsored malware campaigns, given the recent “special military actions” involving Russia and Ukraine
  2. Conflicts in legal representation and the insured’s loss of control when panel legal counsel and responders are involved
  3. The vicious cycle of ransom payments by insurers creating the need for more cyber insurance to cover ever larger ransoms to criminal organizations
  4. The impact of non-standardized policy language and definitions hindering coverage comparisons for those actively shopping policies
  5. The risk of paying ransoms to potentially (OFAC) sanctioned entities/affiliates given warnings from the US Treasury and others
  6. Small businesses are being priced out of the market or excluded because they lack some protective controls of larger organizations
  7. Recent litigation surrounding voiding policies due to inaccurate application materials submitted by the insured
  8. The practical impact of insurers underwriting at the time of claim rather than at the time of application and the resultant uncertainty created
  9. The difficulty in managing overlap between conflicting or duplicate provisions in other insurance policies (e.g., crime coverage in a package policy vs. stand-alone cyber policies)
  10. Obligations to use Insurance Panel Counsel and Responders with Reservation of Rights and very large deductibles
  11. Whether policies offering bundled pre-breach, response, and post-breach services were beneficial to the insured vs. managing the effort internally
  12. The necessity to quantify potential 1st- and 3rd-party liability before selecting a policy and limits
  13. The need for a government backstop for systemic risk and terrorist activity to promote additional capital necessary for market growth

Final Thoughts

The panel concluded that ultimately businesses must carefully read every word of the policy being offered, shop around among the myriad insurers, obtain expert help where needed, and judiciously consider what they are purchasing. Five years ago, cyber insurance was relatively inexpensive, and its promises seemed relatively clear and simple. The panel concluded that this is no longer the case and that businesses can expect more change in the cyber insurance marketplace in the coming years.

If you are considering cyber insurance and would like to discuss the alternatives for your organization, give us a call.


Let’s Create a New Standard for Cyber Due Diligence


“The result of a flexible and extensible cyber due diligence process is less regret across the board.”

M&A Cybersecurity Concerns

Recently, I was in a meeting with a friend who’s a top Corporate Attorney here in town. He was lamenting a recent sizable Mergers and Acquisitions (M&A) deal that left a bad taste with the buyer. Following the transaction’s closing, the buyer uncovered a host of significant IT security concerns, one of which turned out to be remnants of a prior intrusion. So, the buyer’s legal counsel went back to the Purchase Agreement to see what warranties were made by the seller and whether any remedies were available. It turns out the seller had no “actual knowledge” of a problem because they never looked. The buyer never looked either because the seller wouldn’t cooperate. That meant a dispute and likely litigation. There’s got to be a better way.

Way back when…

In a prior life, I was a commercial real estate lender. I know, I’m mostly recovered now, thank you. Back in the day, the environmental clean-up movement was in high gear. The impacts of liability arising from CERCLA (think “Superfund”) were reverberating down the halls of all real estate developers and lenders. If you entered the title chain of a contaminated property, you were potentially liable for a massively expensive clean-up of something you didn’t even do. What came to bear was a new method for conducting due diligence—an Environmental Site Assessment or ESA. A Phase I ESA conducted by an environmental professional (engineer) consisted of a site study and review of current and historical records, adjacent land uses, public agency records, aerial photographs, and interviews with knowledgeable people. If something of concern like suspected soil contamination was noted, a Phase II study would be required. A Phase II study consisted of more intensive study, testing, and analysis to get to the details of the suspected hazard. A Phase III ESA, if needed, would get to the remediation plans, alternate methods for containment, logistics, and how the cleanup was done, and would outline the process for follow-up monitoring. That progression of environmental due diligence has been used successfully since the 1980s. Today every transaction has at least a Phase I ESA as part of the process.

A new way forward…

We can use this example as an analogue for a new and improved cyber due diligence process. Let’s even borrow their “ESA” acronym for our Enterprise Security Assessment.

So, in this context, a Phase I ESA might encompass a comparison with a recognized regulatory or industry-accepted security framework (such as NIST or CIS-CSC). The purpose is to find gaps, prove levels of maturity, and supply an industry benchmark comparison of the target organization. An independent security professional or security engineer would perform the Phase I ESA. Phase I might also look at the Dark Web for compromised credentials or stolen data, examine select logs, look for signs of existing vulnerabilities, analyze the external attack surface, and scan threat intelligence sources.

If something of concern appears, a major gap is exposed, or a significant variance from similarly situated organizations is identified, you can move on to a Phase II study with independent data collection, analysis and testing, controls validation, and an expert threat hunt to look for malicious activity as well. If the suspected problem is verified, you can move into a Phase III ESA to remediate the threat and/or close the gap. Follow with monitoring to ensure the situation is adequately resolved and confirm that no advanced persistent threats remain.

Less Regret

The cooperation between the parties is enhanced by a predictable, independent process conducted under the supervision of Counsel. It’s not a fishing expedition but a defined, repeatable process. This flexible, extensible due diligence process for cyber makes much more sense than the current ad hoc model and will result in less regret across the board.

Less regret equals happier clients.

Give us a call at 1-800-864-4667 or Contact Us to find out how your practice can partner with PacketWatch to begin implementing a Phased-ESA Cyber Due Diligence program today.

Editor’s Note: We have refined and expanded this phased approach for M&A clients. The public launch of PacketWatch M&A, our suite of M&A Cyber Due Diligence Services, was on November 7, 2022.