Entries tagged with “Cyber Risks”.


There’s an interesting moment in a report on the current state of cyber security leadership from International Business Machines Corp (IBM).

For those who haven’t seen it yet, the report identifies growing concerns over cyber security with almost 60 percent of Chief Information Security Officers (CISOs) saying the sophistication of attackers is outstripping the sophistication of their organization’s defenses.

But as security leaders and their organizations attempt to fight what many feel is a losing battle against hackers and other cyber criminals, there is growing awareness that greater collaboration is necessary.

As IBM puts it: “Protection through isolation is less and less realistic in today’s world.”

Consider this: some 62 percent of security leaders strongly agreed that the risk level to their organization was increasing due to the number of interactions and connections with customers, suppliers and partners.

Despite this widespread interconnectivity that drives modern business, security leaders themselves aren’t sufficiently collaborative, IBM says.

Just 42 percent of organizations that IBM interviewed are members of a formal industry-related security group. However, 86 percent think those groups will become more necessary in the next three to five years.

Instead of focusing on just their own organizations, security leaders need to take a “secure the ecosystem” approach, IBM concludes.

A sidebar highlights one company’s experience and approach to collaboration and how the key to being more secure is being more open.

For some practical strategies to address cyber risk in your business check out this I.I.I. presentation.

More news keeps tumbling in the wake of the recent cyber attack at Sony Pictures Entertainment—Sony’s second major hacker attack in three years—and it’s not good.

The fact that the breach has exposed employee information ranging from salaries to medical records to social security numbers to home addresses, not to mention five yet-to-be-released Sony movies, causing a major shutdown of the company’s computer systems, appears to break new ground.

First up, the Wall Street Journal says the attack revealed far more personal information than previously believed, including the social security numbers of more than 47,000 former employees along with Hollywood celebrities like Sylvester Stallone.

According to the WSJ:

An analysis of 33,000 Sony documents by data security firm Identity Finder LLC found personal data, including salaries and home addresses, posted online for people who stopped working at Sony Pictures as far back as 2000 and one who started in 1955.”

And:

Much of the data analyzed by Identity Finder was stored in Microsoft Excel files without password protection.”

Aren’t most businesses run in Excel?

A well-timed piece over at the New York Times Bits Blog makes the point that companies that continue to rely on prevention and detection technologies, such as firewalls and antivirus products, are considered sitting ducks for cyber attacks.

Bits Blog cites Richard A. Clarke, the first cybersecurity czar at the White House, who says:

It’s almost impossible to think of a company that hasn’t been hacked—the Pentagon’s secret network, the White House, JPMorgan—it is pretty obvious that prevention and detection technologies are broken.”

So what approaches are working?

According to the Bits Blog post, experts say the companies best prepared for online attacks are those that have identified their most valuable assets, like Boeing’s blueprints to the next generation of stealth bomber or Target’s customer data.

Those companies take additional steps to protect that data by isolating it from the rest of their networks and encrypting it.”

Breach detection plans and more secure authentication schemes, in addition to existing technologies, are the key to being better prepared.

Insurance too, is seen as a vital preparedness step.

Earlier this week, a top U.S. regulator said banks should consider cyber insurance to protect themselves from the growing financial impact in the wake of cyber attacks.

Let’s hope companies take heed.

As of December 2, the Identity Theft Resource Center (ITRC) reports that 2014 has seen 708 data breaches, exposing 85.1 million records (this list includes the Sony attack, listing the number of records exposed at 7,500).

Those figures are even higher than 2013, when the total number of data breaches and records exposed, soared.

More on the potential fallout and growing identity theft threat facing consumers here.

As the number of companies suffering a data breach continues to grow – with U.S. retailer Staples now reported to be investigating a breach – so do the legal developments arising out of these incidents.

While companies that have suffered a data breach look to their insurance policies for coverage to help mitigate some of the enormous costs, recent legal developments underscore the fact that reliance on traditional insurance policies is not enough, notes the I.I.I. white paper Cyber Risks: The Growing Threat.

A post in today’s Wall Street Journal Morning Risk Report, echoes this point, noting that a lawsuit between restaurant chain P.F. Chang’s and its insurance company Travelers Indemnity Co. of Connecticut could further define how much, if any, cyber liability coverage is included in a company’s CGL policy.

Collin Hite, partner and leader of the insurance recovery group at law firm Hirschler Fleischer tells the WSJ that whatever the outcome of this case, companies that want to be sure they are protected against cyber-related losses may have to purchase separate cyber liability policies—and make sure those policies are broad enough to encompass the myriad ways an attack could cost the firm money.

P.F. Chang’s confirmed in June that it had suffered a data breach in which data from credit and debit cards used at its restaurants was stolen.

An earlier post in the Hartford Courant Insurance Capital blog by Matthew Sturdevant has the details on the legal action between Travelers and P.F. Chang’s.

To-date the application of standard form commercial general liability (CGL) policies to data breach incidents has led to various legal actions and differing opinions, according to the I.I.I. paper on cyber risks.

One recent high profile – and oft-cited case – followed the April 2011 data breach at Sony Corp. in which hackers stole personal information from tens of millions of Sony PlayStation Network users.

A New York trial court ruled that Zurich American Insurance Co. owed no defense coverage to Sony Corp. or Sony Computer Entertainment America LLC.

In his ruling, New York Supreme Court Justice Jeffrey K. Oing said acts by third-party hackers do not constitute “oral or written publication in any manner of the material that violates a person’s right of privacy” in the Coverage B (personal and advertising injury coverage) under the CGL policy issued by Zurich.

Further expertise and analysis on cyber risks and insurance is available from the I.I.I.

A second annual survey from Experian and the Ponemon Institute appears to show that more companies are prepared for a data breach, and that cyber insurance policies are becoming a more important part of those preparedness plans.

The study, which surveyed 567 executives in the United States, found that 73 percent of companies now have data breach response plans in place, up from 61 percent in 2013. Similarly, 72 percent of companies now have a data breach response team, up from 67 percent last year.

In the last year the purchase of cyber insurance by those companies has more than doubled, with 26 percent now saying they have a data breach or cyber policy, up from just 10 percent in 2013.

However, this means that two-thirds of respondents – 68 percent – are still not buying cyber policies. (Six percent of respondents are also unsure whether their company has cyber insurance.)

Interestingly, the fact that more companies have data breach response plans in place does not appear to instill greater confidence that they are effective.

Despite the existence of plans, only 30 percent of respondents say their companies are effective or very effective in developing and executing a data breach plan, the survey found.

Why are the plans not effective?

The survey indicates that in many cases a breach response plan is largely ignored after being prepared.

Some 41 percent of respondents say there is no set time for reviewing and updating the plan, while 37 percent say they have not reviewed or updated the plan since it was put in place.

All of this comes as the frequency of data breaches is accelerating. Some 60 percent of respondents say their company experienced more than one data breach in the past two years, up from 52 percent in 2013. And 43 percent say their company had a data breach in the last year, up from 33 percent in 2013.

Check out the latest I.I.I. white paper on this topic Cyber Risks: The Growing Threat.

More on this story from the Wall Street Journal’s Risk & Compliance Report.

The recent disclosure of a major data breach at retailer Home Depot has once again put the spotlight on the increasing vulnerability of businesses to cyber threats and the need for cyber insurance.

But companies are uncertain of how much insurance coverage to acquire and whether their current policies provide them with protection, according to a new report by Guy Carpenter.

It speculates that one of the roots of the uncertainty stems from the difficulty in quantifying potential losses because of the dearth of historical data for actuaries and underwriters to model cyber-related losses.

Furthermore, traditional general liability policies do not always cover cyber risk, Guy Carpenter says.

It notes that in the United States, ISO’s revisions to its general liability policy form consist primarily of a mandatory exclusion of coverage for personal and advertising injury claims arising from the access or disclosure of confidential information.

Though still in its infancy the cyber insurance market potential is vast, Guy Carpenter reports. It cites Marsh statistics estimating that the U.S. cyber insurance market was worth $1 billion in gross written premiums in 2013 and could reach as much as $2 billion this year.

The European market is currently a fraction of that, at approximately $150 million, but could reach as high as EUR900 million by 2018, according to some estimates.

Guy Carpenter also warns that cyber attacks are now top of mind for governments, utilities, individuals, medical and academic institutions and companies of all sizes, noting:

Because of increasing global interconnectedness and explosive use of mobile devices and social media, the risk of cyber attacks and data breaches have increased exponentially.”

Cyber attacks also present a set of aggregations/accumulations of risk that spread beyond the corporation to affiliates, counterparties and supply chains, it adds.

Check out the I.I.I. paper on this topic: Cyber Threats: The Growing Risk.

Companies large and small appear to have been targeted in what is being described as the largest known data breach to date.

As first reported by The New York Times, a Russian crime ring amassed billions of stolen Internet credentials, including 1.2 billion user name and password combinations and more than 500 million email addresses.

The NYT said it had a security expert not affiliated with Hold Security analyze the database of stolen credentials and confirm its authenticity.

The records, discovered by security experts Hold Security, include confidential material gathered from 420,000 websites, ranging from household names to small Internet sites.

According to Hold Security’s own report, the hackers didn’t just target large companies. They targeted every site that their victims visited:

With hundreds of thousands of sites affected, the list includes many leaders in virtually all industries across the world, as well as a multitude of small or even personal websites.”

The NYT said so far the criminals have not sold many of the records online, but appear to be using it to send spam on social networks.

If ever there was a reason to research – and buy – cyber insurance, this would be it.

In its recently published paper Cyber Risks: The Growing Threat, the Insurance Information Institute (I.I.I.) notes that reliance on traditional insurance policies is not enough, as companies face growing liabilities in this fast-evolving area.

Following the Target data breach and other high profile breaches, the I.I.I. said the number of specialist cyber insurance policies is increasing, and that insurance has a key role to play as companies and individuals look to better manage and reduce their potential financial losses from cyber risks.

It cited data from broker Marsh showing a 21 percent increase in the number of clients purchasing cyber insurance from 2012 to 2013. That growth is accelerating in 2014.

Meanwhile, a new report from PwC US and the Investor Responsibility Research Center Institute (IRRCi) indicates that while companies must disclose significant cyber risks, those disclosures rarely provide differentiated or actionable information.

According to the report’s authors:

The consequences of poor security include lost revenue, compromised intellectual property, increases in costs, impact to customer retention, and can even contribute to C-level executives leaving companies.”

It suggests that investors focus on corporate preparedness for cyber attacks, and then engage with highly-likely targets to better understand corporate preparedness and to demand better and more actionable disclosures (though not at a level that would provide a cyber-attacker a roadmap to make those attacks).

No industry sector is immune from cyber threats, and a round-up of recent headlines and reports underscores the increasing risk and cost businesses face.

Just this week, U.S. Treasury Secretary Jacob Lew urged financial institutions and firms to redouble their efforts against cyber threats and said information-sharing and collaboration among businesses and with government is key.

Speaking at a conference in New York, Secretary Lew noted that the consequences of cyber incidents are serious and our cyber defenses are not yet where they need to be:

Far too many hedge funds, asset managers, insurance providers, exchanges, financial market utilities, and banks should and could be doing more. In particular, it is imperative that firms collaborate with government agencies and with other firms. Disclosing security breaches is often perceived as something that could harm a firm’s reputation. This has made many businesses reluctant to reveal information about cyber incidents. But this reluctance has to be put aside.”

Secretary Lew noted that some banks are already spending as much as $250 million a year to strengthen their cyber security. (Note: this is a cost borne by businesses).

Meanwhile, a new report from the New York attorney general’s office revealed that the number of reported data security breaches in the state more than tripled between 2006 and 2013, with some 22.8 million personal records of New Yorkers exposed in nearly 5,000 data breaches.

The cost to the public and private sectors in New York? In 2013 alone, upward of $1.37 billion, according to the report’s findings.

The Insurance Information Institute’s (I.I.I.) newly updated report Cyber Risks: The Growing Threat (of which I am a co-author) sheds light on the specialist cyber insurance policies developed by insurers to help businesses and individuals protect themselves from the cyber threat.

Market intelligence suggests that the types of specialized cyber coverage being offered by insurers are expanding rapidly in response to this fast-growing market need.

I.I.I. facts and stats on identity theft and cyber security are available here.

U.S. businesses are losing more financially from cybercrime, compared to their global peers, but are generally less aware of the cost, according to PWC’s 2014 Global Economic Crime Survey.

As cybercrime continues to increase in volume, frequency and sophistication, PWC’s findings suggest that U.S. organizations are more at risk of suffering financial losses in excess of $1 million due to cybercrime.

According to the study, some 7 percent of U.S. companies lost $1 million or more, compared to just 3 percent of global organizations.

In addition, 19 percent of U.S. organizations lost $50,000 to $1 million, compared to 8 percent of global respondents.

PWC doesn’t elaborate on the reasons for this discrepancy, but other studies have noted that the types and frequencies of attacks vary from country to country.

U.S. companies are also more likely to experience the most expensive types of cyber attacks, such as malicious insiders, malicious code, and web-based incidents, the research suggests.

Despite having more to lose, some 42 percent of U.S. companies were unaware of cybercrime’s cost to their organizations, compared to 33 percent of global respondents, according to PWC.

Yet, overall U.S. companies appear to have a greater understanding of the risk of cybercrime than their global peers.

PWC notes that U.S. organizations’ perception of the risks of cybercrime exceeded the global average by 23 percent.

Also, 71 percent of U.S. respondents indicated their perception of the risks of cybercrime increased over the past 24 months, rising 10 percent since 2011.

Hat tip to CNBC.com which reports on this story here.

Some 5,128 executives from 99 countries responded to the survey, of which 50 percent were senior executives of their respective companies. Some 35 percent represented listed companies and 54 percent represented organizations with more than 1,000 employees.

Cyber security and data breaches remain front and center on the Congressional radar as the Senate Commerce Committee today holds a hearing on protecting consumers from data breaches.

The witness list includes John Mulligan, vice president and chief financial officer at Target, and Dr. Wallace Loh, president, University of Maryland. There’s an insurance industry witness too, with Peter Beshar, executive vice president and general counsel, Marsh & McLennan giving testimony.

Recent data breaches at Target and the University of Maryland highlight the fact that organizations across many different business sectors are vulnerable to cyber attacks.

The February 18, 2014 UMD data breach compromised an estimated 309,079 student, faculty and staff records, including names, birth dates, university ID numbers and social security numbers.

The massive 2013 data breach at Target during the holiday season exposed the financial and personal information of as many as 110 million consumers.

A report released yesterday by the U.S. Senate Commerce, Science and Transportation Committee suggests that Target missed a number of opportunities to prevent the massive data breach. Hat tip to Reuters via Huffington Post which reports on the findings here.

The Senate staffers report, titled “A Kill Chain Analysis of the 2013 Target Data Breach” says key points at which Target apparently failed to detect and stop the attack include:

● Target gave network access to a third-party vendor, a small Pennsylvania HVAC company, which did not appear to follow broadly accepted information security practices. The vendor’s weak security allowed the attackers to gain a foothold in Target’s network.

● Target appears to have failed to respond to multiple automated warnings from the company’s anti-intrusion software that the attackers were installing malware on Target’s systems.

● Attackers who infiltrated Target’s network with a vendor credential appear to have successfully moved from less sensitive areas of Target’s network to areas storing consumer data, suggesting Target failed to properly isolate its most sensitive network assets.

● Target appears to have failed to respond to multiple warnings from the company’s anti-intrusion software regarding the escape routes the attackers planned to use to exfiltrate data from Target’s network.

The report analyzes what has been reported to date about the Target data breach, using the “intrusion kill chain” framework, an analytical tool introduced by Lockheed Martin security researchers in 2011, and widely used by information security professionals today.

This analysis suggests that Target missed a number of opportunities along the kill chain to stop the attackers and prevent the massive data breach.”

Check out an I.I.I. whitepaper on cyber risks and insurance here.

Emerging risks that risk managers expect to have the greatest impact on business in the coming years could be on the cusp of a changing of the guard, according to an annual survey released by the Society of Actuaries.

It found that the risk of cyber attacks and rapidly changing regulations are of growing concern to risk managers around the world, and may be slowly replacing the risk of oil price shock and other economic risks which were of major concern just six years ago.

Some 47 percent of risk managers saw cyber security as a significant emerging risk in 2013, up seven points from 40 percent in 2012.

The SOA noted that this perceived risk predates recent cyber security events (read: the December 2013 Target breach) that have opened up new corporate data security vulnerabilities. The online survey of 223 risk managers was conducted in October 2013.

Regulatory framework/liability regimes was also perceived to be an emerging risk of impact by 23 percent of risk managers, an increase of 15 points from just eight percent in 2012.

The survey noted that as the regulatory framework takes shape post-financial crisis, risk managers are currently trying to implement voluminous and changing regulations on short time frames with: limited additions to staff; and regulators who often have limited understanding of risk tools.

Just 33 percent of risk managers said economic risks – such as oil price shock, devaluing of the U.S. dollar, and financial volatility – will have the greatest impact over the next few years, versus an all-time high of 47 percent in 2009.

In fact, the economic risk category is at an all-time low in 2013, the SOA said.

Hat tip to The Wall Street Journal’s CFO Report which reported on the survey here.