Technology


In what is being described as potentially the largest breach of a health care company to-date, health insurer Anthem has confirmed that it has been targeted in a very sophisticated external cyber attack.

The New York Times reports that hackers were able to breach a company database that contained as many as 80 million records of current and former Anthem customers, as well as employees, including its chief executive officer.

Early reports here and here suggest the attack compromised personal information such as names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data.

On a website – www.AnthemFacts.com — set up to respond to questions, Anthem noted that there is no evidence that credit card or medical information, such as claims, test results or diagnostic codes were targeted or compromised.

Anthem said the breach was discovered on January 27 and that the company is fully cooperating with the FBI investigation. The health insurer has been praised for its initial response in promptly notifying the FBI after observing suspicious activity.

An FBI statement quoted in an LA Times article noted:

Anthem’s initial response in promptly notifying the FBI after observing suspicious network activity is a model for other companies and organizations facing similar circumstances. Speed matters when notifying law enforcement of an intrusion, as cyber criminals can quickly destroy critical evidence needed to identify those responsible.”

On the dedicated website, Anthem president and CEO, Joseph R Swedish, offered a personal apology to members. Anthem has also established a toll-free number – 1-877-263-7995 FREE – that both current and former members can call if they have questions related to the breach.

In 2014, the medical/healthcare sector accounted for 42 percent of data breaches – the largest among industry sectors – as reported by the Identity Theft Resource Center (ITRC).

In fact, breaches in the medical/healthcare industry have accounted for the largest percentage of data breaches by industry sector since 2012, which ITRC attributes primarily to the mandatory reporting requirement for healthcare breaches to the Department of Health and Human Services (HHS).

If the estimate of 80 million records compromised holds, this will put the Anthem data breach up there with recent mega breaches of 2014 such as eBay (145 million people affected), JP Morgan (76 million households and 7 million small businesses affected) and Home Depot (56 million unique payment cards).

While 2014 was dubbed the year of the mega breach, the Ponemon Institute recently warned that 2015 is predicted to be as bad or worse as more sensitive and confidential information and transactions are moved to the digital space and become vulnerable to attack.

As of January 27, 2015, some 455,377 records had been exposed in 64 breaches reported to the ITRC. This followed a record high of 783 U.S. data breaches exposing 85.6 million records tracked by the ITRC in 2014.

For an analysis of cyber risk and insurance, download this Insurance Information Institute (I.I.I.) white paper.

Measures and methods widely used in the financial services industry to value and quantify risk could be used by organizations to better quantify cyber risks, according to a new framework and report unveiled at the World Economic Forum annual meeting.

The framework, called “cyber value-at-risk” requires companies to understand key cyber risks and the dependencies between them. It will also help them establish how much of their value they could protect if they were victims of a data breach and for how long they can ensure their cyber protection.

The purpose of the cyber value-at-risk approach is to help organizations make better decisions about investments in cyber security, develop comprehensive risk management strategies and help stimulate the development of global risk transfer markets.

Among the key questions addressed by the cyber value-at-risk model concept are: how vulnerable are organizations to cyberthreats? how valuable are the key assets at stake? and, who might be targeting them?

The proposed framework is part of a new report, Partnering for Cyber Resilience: Towards the Quantification of Cyber Threats, that was created in collaboration with Deloitte and the input of 50 leading organizations around the world.

As the report states:

The financial services industry has used sophisticated quantitative modeling for the past three decades and has a great deal of experience in achieving accurate and reliable risk quantification estimates. To quantify cyber resilience, stakeholders should learn from and adopt such approaches in order to increase awareness and reliability of cyber threat measurements.”

One potential option, it suggests, is to link corporate enterprise risk management models to perspectives and methods for valuing and quantifying “probability of loss” common to capital adequacy assessment exercises in the financial services industry, such as Solvency II, Basel III, albeit customized to recognize cyber resilience as a distinct phenomenon.

The report points out that the goal is not to provide a single model for quantifying risk. Indeed for cyber resilience assurance to be effective, it says participants need to make a concerted effort to develop and validate a shared, standardized cyber threat quantification framework that incorporates diverse but overlapping approaches to modeling cyber risk:

A shared approach to modeling would increase confidence regarding organizational decisions to invest (for risk reduction), distribute, offload and/or retain cyber threat risks. Implicit is the notion that standardizing and quantifying such measures is a prerequisite for the desirable development and smooth operation of cyber risk transfer markets. Such developments require ERM frameworks to merge with insurance and financial valuation perspectives on cyber resilience metrics.”

 

We’re reading that self-driving cars are no longer a thing of the future, but it’s in the subhead of this Time article: how long will it be before your car no longer needs you? where the heart of the story lies.

Jason H. Harper writes of how he earned one of the first new driverless motor licenses – technically known as an “autonomous vehicle testing” permit – from the California DMV.

He then describes his chauffeured ride by a prototype Audi from Silicon Valley to Las Vegas for last week’s Consumer Electronics Show:

The car uses an array of sensors, radars and a front-facing camera to negotiate traffic. At this point, the system works only on the freeway and cannot handle construction zones or areas with poor lane markings. When the car reaches a construction zone or the end of a highway, a voice orders you to take the wheel back.”

Before taking the 550-mile road trip, Harper had to get special instruction on how not to drive, per California regulations:

The training included basics like turning the system on and off and learning the circumstances in which it could be used. The rest was about handling emergencies, such as making lane changes to avoid crashing.”

Harper says the training was far more difficult and involved than a regular driving test. However, average buyers will not need such training.

Why?

Because rollout of this technology is gradual. Audi’s program for example would allow the car to self-drive in stop-and-go highway traffic, but when traffic clears the driver takes the wheel again.

It’s at the very end of the article that a voice from academia reminds us that this approach may be no bad thing as both technology and driver acceptance need time to mature.

Dr. Jeffrey Miller, an associate professor at the University of Southern California, tells Time that in his opinion licenses and drivers will never be obsolete because “the driver will always have to take over in case of a failure.”

It’s an interesting point. From the insurance perspective, too, while self-driving cars are definitely on the way, the implications for insurers are evolving. In its issue update Self-Driving Cars and Insurance, the I.I.I. notes:

Except that the number of crashes will be greatly reduced, the insurance aspects of this gradual transformation are at present unclear. However, as crash avoidance technology gradually becomes standard equipment, insurers will be able to better determine the extent to which these various components reduce the frequency and cost of accidents.”

And:

They will also be able to determine whether the accidents that do occur lead to a higher percentage of product liability claims, as claimants blame the manufacturer or suppliers for what went wrong rather than their own behavior.”

More on auto insurance here.

While the Sony cyber attack has put the spotlight on sophisticated external attacks, a new report suggests that insiders with too much access to sensitive data are a growing risk as well.

According to the survey conducted by the Ponemon Institute, some 71 percent of employees report that they have access to data they should not see, and more than half say this access is frequent or very frequent.

In the words of Dr. Larry Ponemon, chairman and founder of The Ponemon Institute:

This research surfaces an important factor that is often overlooked: employees commonly have too much access to data, beyond what they need to do their jobs, and when that access is not tracked or audited, an attack that gains access to employee accounts can have devastating consequences.”

While the focus in recent weeks has been on the risk of external attacks, the Ponemon study finds that data breaches are most likely to be caused by insiders with too much access who are frequently unaware of the risks they present.

Some 50 percent of end users and 74 percent of IT practitioners believe that insider mistakes, negligence or malice are frequently or very frequently the cause of leakage of company data.

And only 47 percent of IT practitioners say employees in their organizations take appropriate steps to protect the company data they access.

In a workplace environment where employees are under pressure to deliver more, faster, cheaper, it’s easy to overlook security risks in the name of efficiency.

Only 22 percent of employees surveyed believe their organizations as a whole place a very high priority on the protection of company data, and less than half believe their companies strictly enforce security policies related to use of and access to company data.

The flip side is that businesses need to be reticent of going to the other extreme, limiting data that their employees or customers need.

Some 43 percent of end users say it takes weeks, months or longer to be granted access to data they request access to in order to do their jobs. And 68 percent say it is difficult or very difficult to share appropriate data or files with business partners such as customers or vendors.

Ponemon interviewed 1,166 IT practitioners and 1,110 end users in organizations ranging in size from dozens to tens of thousands of employees in a range of industries including financial services, public sector, health and pharma, retail, industrial and technology and software.

More on insider threats in this I.I.I. paper on cyber risks.

More news keeps tumbling in the wake of the recent cyber attack at Sony Pictures Entertainment—Sony’s second major hacker attack in three years—and it’s not good.

The fact that the breach has exposed employee information ranging from salaries to medical records to social security numbers to home addresses, not to mention five yet-to-be-released Sony movies, causing a major shutdown of the company’s computer systems, appears to break new ground.

First up, the Wall Street Journal says the attack revealed far more personal information than previously believed, including the social security numbers of more than 47,000 former employees along with Hollywood celebrities like Sylvester Stallone.

According to the WSJ:

An analysis of 33,000 Sony documents by data security firm Identity Finder LLC found personal data, including salaries and home addresses, posted online for people who stopped working at Sony Pictures as far back as 2000 and one who started in 1955.”

And:

Much of the data analyzed by Identity Finder was stored in Microsoft Excel files without password protection.”

Aren’t most businesses run in Excel?

A well-timed piece over at the New York Times Bits Blog makes the point that companies that continue to rely on prevention and detection technologies, such as firewalls and antivirus products, are considered sitting ducks for cyber attacks.

Bits Blog cites Richard A. Clarke, the first cybersecurity czar at the White House, who says:

It’s almost impossible to think of a company that hasn’t been hacked—the Pentagon’s secret network, the White House, JPMorgan—it is pretty obvious that prevention and detection technologies are broken.”

So what approaches are working?

According to the Bits Blog post, experts say the companies best prepared for online attacks are those that have identified their most valuable assets, like Boeing’s blueprints to the next generation of stealth bomber or Target’s customer data.

Those companies take additional steps to protect that data by isolating it from the rest of their networks and encrypting it.”

Breach detection plans and more secure authentication schemes, in addition to existing technologies, are the key to being better prepared.

Insurance too, is seen as a vital preparedness step.

Earlier this week, a top U.S. regulator said banks should consider cyber insurance to protect themselves from the growing financial impact in the wake of cyber attacks.

Let’s hope companies take heed.

As of December 2, the Identity Theft Resource Center (ITRC) reports that 2014 has seen 708 data breaches, exposing 85.1 million records (this list includes the Sony attack, listing the number of records exposed at 7,500).

Those figures are even higher than 2013, when the total number of data breaches and records exposed, soared.

More on the potential fallout and growing identity theft threat facing consumers here.

If you know someone who leads an active lifestyle, you may already know what a Fitbit is. For everyone else, a Fitbit is a wearable device that tracks steps, calories, distance and even sleep.

Now it appears data from wearable devices may be admissible in court.

Forbes.com reports that a law firm in Calgary is working on the first known personal injury case that will use activity data from a Fitbit to help show the effects of an accident on their client.

According to the report, the young woman in question, who used to be a personal trainer, was injured in an accident four years ago. While Fitbits weren’t on the market back then, her lawyers believe they can use data from her Fitbit to show that her activity level has significantly decreased and is now below where it should be for someone of her age and profession.

The article suggests that “cases like this could open the door to wearable device data being used not just in personal injury claims, but in prosecutions.”

The young woman’s lawyer is also quoted saying that such data could be useful to insurers assessing questionable claims and that just as courts requisitioned Facebook for information several years ago a court order could compel disclosure of that data.

Sounds like another case where digital information has an unintended use in the courtroom.

Despite regulatory challenges, privacy concerns and a lack of capabilities that could stall their widespread use, drones could have a significant impact on the property/casualty industry.

recent report from IT firm Cognizant suggests that commercial and personal lines insurers that cover property risks are likely to be early adopters of drone technology. Hat tip to Claims Journal which reports on this story here.

For example, a property adjuster or risk engineer could use a drone to capture details of a location or building, and obtain useful insights during claims processing or risk assessments, Cognizant says.

Drones could also be deployed to enable faster and more effective resolution of claims during catastrophes.

Crop insurance is another area where drones could be used – not only to determine the actual cultivatable land, but also during the claims process to understand the extent of loss and the actual yield, reducing the potential for fraudulent claims.

The findings come amid recent reports that several home and auto insurers are considering the use of UAVs.

The Association for Unmanned Vehicle Systems International predicts that within 10 years (2015 to 2025) drones will create approximately 100,000 new jobs and around $82 billion in economic activity, the report notes.

DronesProjectedSales

Cognizant believes now is the time for insurers to consider the opportunity that drone technology presents, especially in the areas of claims adjudication, risk engineering and catastrophe claims management:

With drones poised for commercial use, insurers could use them specifically to help reduce operational costs and gather better-quality information. This could help improve the productivity, efficiency and effectiveness of field staff (e.g. claims adjusters and risk engineers), and improve the customer experience by resolving claims faster, especially during catastrophic events.”

Cognizant goes on to note that drone enhancements such as artificial intelligence, augmented reality and integrating audio, text and video already exist in some shape or form. Insurance carriers should expect to see the adoption of drones increase significantly as these features are integrated into standard drones, and as regulations for commercial use of drones are defined.

It concludes:

As insurance carriers build business and technology use cases and the necessary architecture and services, they must consider not only how and where drone technology fits into their digital roadmap but also how the operating model can be enhanced to deliver optimal benefits for the business and its customers.”

As the number of companies suffering a data breach continues to grow – with U.S. retailer Staples now reported to be investigating a breach – so do the legal developments arising out of these incidents.

While companies that have suffered a data breach look to their insurance policies for coverage to help mitigate some of the enormous costs, recent legal developments underscore the fact that reliance on traditional insurance policies is not enough, notes the I.I.I. white paper Cyber Risks: The Growing Threat.

A post in today’s Wall Street Journal Morning Risk Report, echoes this point, noting that a lawsuit between restaurant chain P.F. Chang’s and its insurance company Travelers Indemnity Co. of Connecticut could further define how much, if any, cyber liability coverage is included in a company’s CGL policy.

Collin Hite, partner and leader of the insurance recovery group at law firm Hirschler Fleischer tells the WSJ that whatever the outcome of this case, companies that want to be sure they are protected against cyber-related losses may have to purchase separate cyber liability policies—and make sure those policies are broad enough to encompass the myriad ways an attack could cost the firm money.

P.F. Chang’s confirmed in June that it had suffered a data breach in which data from credit and debit cards used at its restaurants was stolen.

An earlier post in the Hartford Courant Insurance Capital blog by Matthew Sturdevant has the details on the legal action between Travelers and P.F. Chang’s.

To-date the application of standard form commercial general liability (CGL) policies to data breach incidents has led to various legal actions and differing opinions, according to the I.I.I. paper on cyber risks.

One recent high profile – and oft-cited case – followed the April 2011 data breach at Sony Corp. in which hackers stole personal information from tens of millions of Sony PlayStation Network users.

A New York trial court ruled that Zurich American Insurance Co. owed no defense coverage to Sony Corp. or Sony Computer Entertainment America LLC.

In his ruling, New York Supreme Court Justice Jeffrey K. Oing said acts by third-party hackers do not constitute “oral or written publication in any manner of the material that violates a person’s right of privacy” in the Coverage B (personal and advertising injury coverage) under the CGL policy issued by Zurich.

Further expertise and analysis on cyber risks and insurance is available from the I.I.I.

Unmanned aerial vehicles (UAV), otherwise known as drones, appear to be moving closer to commercial application, and property/casualty insurers are getting involved.

On the one hand, insurers are looking at ways to use this emerging technology to improve the services they provide to personal policyholders, at the same time they are assessing the potential risks of commercial drone use for the businesses they insure.

The Chicago Tribune this week reported that several home and auto insurers are considering the use of UAVs, and at least one has sought permission from the Federal Aviation Administration (FAA) to research the use of drones in processing disaster claims.

According to Sam Friedman, research team leader at Deloitte, drone aircraft could be the next mobile tech tool in claims management.

In a post on PC360.com, Friedman says that sending a drone into a disaster area would enable insurers to deliver more timely settlements to policyholders and spare adjusters from being exposed to the hazards of inspecting catastrophe claims in disaster areas.

Commercial insurers also have a huge stake in the drone business. In a recent post on WillisWire, Steve Doyle of Willis Aerospace, says businesses need to consider UAV risk issues such as liability and privacy:

Risk managers for organizations that could potentially gain considerable competitive advantage from eyes in the sky should consider the risk issues now so they are ready to advise their organizations as UAV options broaden.”

Insurance is not the only industry eyeing commercial applications. Agriculture, real estate, oil and gas, electric utilities, freight delivery, motion pictures, to name a few are seen as major potential markets for UAVs.

A recent report by IGI Consulting predicts that U.S. sales of UAVs could triple to $15 billion in 2020 from $5 billion in 2013.

However, the broader commercial use of drones in the U.S. will depend on federal regulators developing appropriate rules. In September the Federal Aviation Administration (FAA) gave the go-ahead for six TV and movie production companies to use drones for filming.

In his WillisWire post, Doyle notes that regulation is a key element to the successful widespread development of the drone industry in the U.S. given the complexities of the liability environment, the crowded skies over metropolitan areas, and the variety of UAVs and their uses.

One thing’s for sure, when UAV use takes off in the U.S., insurers are ready to support this emerging technology both as risk takers and risk protectors.

A second annual survey from Experian and the Ponemon Institute appears to show that more companies are prepared for a data breach, and that cyber insurance policies are becoming a more important part of those preparedness plans.

The study, which surveyed 567 executives in the United States, found that 73 percent of companies now have data breach response plans in place, up from 61 percent in 2013. Similarly, 72 percent of companies now have a data breach response team, up from 67 percent last year.

In the last year the purchase of cyber insurance by those companies has more than doubled, with 26 percent now saying they have a data breach or cyber policy, up from just 10 percent in 2013.

However, this means that two-thirds of respondents – 68 percent – are still not buying cyber policies. (Six percent of respondents are also unsure whether their company has cyber insurance.)

Interestingly, the fact that more companies have data breach response plans in place does not appear to instill greater confidence that they are effective.

Despite the existence of plans, only 30 percent of respondents say their companies are effective or very effective in developing and executing a data breach plan, the survey found.

Why are the plans not effective?

The survey indicates that in many cases a breach response plan is largely ignored after being prepared.

Some 41 percent of respondents say there is no set time for reviewing and updating the plan, while 37 percent say they have not reviewed or updated the plan since it was put in place.

All of this comes as the frequency of data breaches is accelerating. Some 60 percent of respondents say their company experienced more than one data breach in the past two years, up from 52 percent in 2013. And 43 percent say their company had a data breach in the last year, up from 33 percent in 2013.

Check out the latest I.I.I. white paper on this topic Cyber Risks: The Growing Threat.

More on this story from the Wall Street Journal’s Risk & Compliance Report.

Next Page »