Category Archives: Cyber Risk

Intent and ability distinguish cyberrisk from natural perils

Cyberrisk is often compared with natural catastrophe-related threats, but a recent study by global reinsurer Guy Carpenter and analytics firm CyberCube suggests a better analogy is with terrorism.


The report – Looking Beyond the Clouds: A U.S. Cyber Insurance Industry Catastrophe Loss Study – quotes Andrew Kwon, lead cyber actuary for Zurich: “Extending the lessons learned from property cats to the cyber space is intuitive and logical, but cyber continues to be a unique force unto itself. A hurricane does not evolve to bypass defenses; an earthquake does not optimize itself for maximum damage.”

This passage resonated as I read it because a few hours earlier I’d been reading a FreightWaves article about risks posed to international shipping by digitalization and pondering the fact that the same technology that helps vessels anticipate and avoid adverse weather also subjects them – and the goods they transport – to a panoply of new risks.

The FreightWaves article quotes U.S. Navy Captain John M. Sanford – who now leads the U.S. Maritime Security Department within the National Maritime Intelligence Integration Office – describing how the NotPetya virus inflicted $10 billion of economic damage across the U.S. and Europe and hobbled company after company, including shipping giant Maersk, in 2017.

Sanford said Russian military intelligence was behind the hacker group that spread NotPetya to damage Ukraine’s economy. The virus raced beyond Ukraine to machines around the world, crippling companies and, according to an article in Wired, inflicting nine-figure costs where it struck.

“Maersk wasn’t a target,” Sanford said. “Just a bystander in a conflict between Ukraine and Russia.”

Collateral damage.

The FreightWaves article describes how supply chains, ports, and ships could be disrupted more intentionally through GPS and Electronic Chart Display and Information System (ECDIS) systems onboard ships, or even via a WiFi-connected printer: “Pirates working with hackers could potentially access a ship’s bridge controls remotely, take control of the rudder, and steer it toward a chosen location, avoiding the expense and danger of attacking a vessel on the high seas.”

The Carpenter/CyberCube report identifies parallels in the deployment of “kill chain” methodologies in both conventional and cyber terrorism: “Considering terrorism risk in terms of probability and consequence, probability is assessed in terms of intent and capability.”

As our work and personal lives become increasingly interconnected through e-commerce and smart thermostats and we look forward to self-driving cars and refrigerators that tell us when the milk is turning sour, these considerations might well give us pause.

Hurricanes, earthquakes, fires, and floods might be scary, but at least we never had to worry that they were out to get us.

Hope the (fire)wall is high enough


Fans of Game of Thrones are getting ready to learn the fate of their favorite characters when the final season of the show starts airing on HBO on April 14th. At the same time, security experts are warning that cyber-crooks are ready to take advantage of the show’s popularity to attack people’s computers.

The huge popularity of the show makes illegal download sites, where users can view episodes without the required subscriptions, popular distribution points for malware. In 2018 Game of Thrones accounted for 17 percent of all infected pirated content, according to Kaspersky Labs, even though no new episodes aired that year. This suggests that the coming premiere could be the most dangerous time to be downloading the torrents.

According to Kaspersky, the most popular kind of attack via pirated content was a trojan, a piece of software that is installed on a computer and allows the hacker to take control of that device.

The good news is that, overall, the prevalence of TV show-related malware has been declining. In 2018, the total number of users who encountered this kind of malware was 126,340, a third fewer than the year before. The number of total attempts dropped by 22 percent, to 451,636. Kaspersky said that drop was in line with a reduction in the number of security threats across the internet. But it might also be linked to a drop in the number of people using torrents, as interest in the technology declines.

Reminder: your smart home security system is hackable

Doors that can be locked remotely with a smartphone app. Facial recognition cameras that alert you when certain people arrive at your front door. Motion sensors that trigger video recordings when someone steals your Amazon packages.

If we’re being honest, smart home security systems sound extremely creepy to me.

But I understand the sell: smart home security devices can keep people safe and offer peace of mind – did I remember to lock the door? Doesn’t matter, my phone can lock it.

Nothing in this world is perfect, though. Unlike smart home security systems, you can’t use a computer to hack into and unlock a standard deadbolt.

The Insurance Journal recently ran a piece describing yet another experiment where researchers easily hacked into someone’s smart home security system. In one scenario, a researcher hacked into a person’s phone using a coffee shop’s free WiFi. Once inside, he accessed their smart light switch app, and then jumped from there into the smart home’s security devices. Voila, smart door unlocked. All that’s missing is a red carpet to welcome thieves as they waltz in the front door.

This shouldn’t be news. In 2016, researchers were already recorded on video hacking into a smart lock.

Everything is a trade-off. As informed consumers, we can’t assume that a solution to one security problem (forgetting to lock our doors) will solve every other security problem – or that it won’t create new ones (hacking into our front doors). It’s important to weigh the risks and benefits of smart home security, and to conduct due diligence in researching the cybersecurity protections of each system. It’s also important to consider additional protections, like purchasing cybersecurity insurance coverage, just in case.

If that sounds onerous, it’s nothing compared to dealing with a robbed house.

The Equifax data breach, your credit reports and your insurance policies

Our communications department has gotten calls about the insurance implications of the Equifax breach and what might happen to your rates if you freeze your credit. The answer, for most people, is not much. Insurers, where legal, look at your credit information when you first become a customer – when you first apply for coverage. They don’t re-evaluate unless you ask them to – something to keep in mind if you think your credit has improved. (This last is also subject to state laws – some states require a re-evaluation.) So, if you freeze your credit, there’d typically be no impact with the insurer you already have.

If you are shopping for insurance, the fact that you have applied for a policy, in most states, means that you have given permission that transcends your freeze order. So, the insurer would be able to use the information in its rating (as always, where legal).

We also got a lot of other good information from Fair Isaac (inventor of the credit score). We will share that in a future post.

Data Breach Victims More Likely To Suffer Identity Fraud

Approximately 1.4 million more adults were victimized by identity fraud in 2011, compared to 2010, as the number of fraud incidents increased by 13 percent in the United States.

One of the key factors potentially contributing to the increase in identity fraud was the significant rise in data breaches, according to Javelin Research & Strategy’s just-released 2012 Identity Fraud Report.

It found that 15 percent of Americans, or about 36 million people, were notified of a data breach in 2011. Those receiving a data breach notification were 9.5 times more likely to become a victim of identity fraud.

The report also found that consumers’ social media and mobile behaviors may be putting them at greater risk of identity fraud.

LinkedIn, Google+, Twitter and Facebook users had the highest incidence of fraud although there is no proof of direct causation.

Despite the warnings, people on social networks are still sharing too much personal information frequently used to authenticate a consumer’s identity.

Specifically, 68 percent of people with public social media profiles share their birthday information (with 45 percent sharing month, date and year); 63 percent share their high school name; 18 percent share their phone number; and 12 percent share their pet’s name.

Smartphone users are also experiencing a greater incidence of fraud, Javelin found, with seven percent becoming victims of identity fraud. This is a one-third higher incidence rate than that of the general public.

The good news is that despite the increase in identity fraud last year, it is becoming less profitable for fraudsters as the dollar amount stolen remained steady.

In addition, consumer out-of-pocket costs have decreased by 44 percent since 2004. Javelin attributed this to improved prevention and detection tools that have become available, as well as fraud alerts leading to reduced detection time.

Check out I.I.I. info on identity theft.