Reliance on information technology exposes companies to numerous risks, and all firms are vulnerable to the threat of cyber crime. In recent years, sophisticated targeted attacks such as spear phishing, social engineering and advanced persistent threats have become more widespread and far more dangerous. Given that regulators are on the offensive and customer awareness is growing, boards and management teams need to accept that data security is an important issue. Many, however, still do not understand the threat or its severity.
FW: In your opinion, what are the major cyber security threats in today’s business environment? What types of companies seem to be most vulnerable to cyber crime, and could you comment on any recent attacks or high profile cases?
Raether: Big data is the popular topic of the day. While what is meant by ‘big data’ varies, for most companies it means keeping data that previously was discarded, keeping data from various sources for possible aggregation at a later date and retaining data often without a known immediate and intended use. We have worked for years with companies that collect, store and use vast amounts of data, often referred to as data aggregators. With more data comes heightened visibility to data thieves and other criminals, and so more threats. Businesses new to the big data environment can learn from these companies, which have employed privacy by design and have also recognised that security does not stop at protecting and monitoring the perimeter.
Bhatia: At the macro and micro level, everyone is vulnerable and a target. Small companies may have intellectual property or financial data while mid-size and larger companies have a larger trove of secrets. Cyber criminals steal data that can be sold or used for financial gain. What is your trading algorithm worth? What is your client, or prospect, list worth? How about the latest financial product designs and executives’ private data? Cybercrime is the fastest growing crime, globally. Today’s primary cyber threats encroach on people’s emotions through social engineering, phishing and identity theft attacks, and through breaches of physical security.
Reetz: There still seems to be a significant gap in terms of managing personnel or staff in coordination with the available technology. Companies large and small continue to struggle with access and the level of responsibility in a given workforce, either because of the necessity to allow BYODs – bring your own devices – or ensuring compliance with standing policies and procedures. The smaller entities still appear to have a significant learning curve when it comes to implementing prudent security precautions. That said, many of the larger entities appear to be vigilant when it comes to software updates and password protection and less vigilant when it comes to restricting access to sensitive information.
Rains: Over the past year we have seen the top threats detected in enterprise environments shift from network worms to drive-by download attacks. Organisations that don’t practice basic computer hygiene are most at risk. Some of the most effective mitigations include things such as keeping software from all vendors up-to-date, running antivirus software from a vendor you trust, and enforcing a complex password policy in your environment. Another example of an increasingly prevalent threat to businesses that we are seeing more of is ransomware. This type of malware infection could encrypt your files and demand a ransom to get them back. If the business isn’t aware of this risk and prepared, it could be disastrous if the risk is realised.
Shepherd: In today’s business environment we find quite a few cyber security threats. There are the bad actors motivated solely by financial gain. These are usually third parties trying to obtain valuable data for its monetary value such as credit and debit card numbers, financial account information and social security numbers. There have been some recent reports that hackers seem to be targeting small to mid-sized enterprises (SMEs) with the expectation that they lack the general security measures of larger organisations. There is also a subset of bad actors commonly known as ‘hacktivists’ who can be either misguided vigilantes or driven by political motivation. A hacktivist’s primary goal is to disrupt the day to day activities of a business for as long as possible, and this can include the added bonus of leaking sensitive information.
Wirtz: We see that sophisticated targeted attacks such as spear phishing, social engineering and APTs are becoming more and more dangerous, and are replacing common general attacks such as worms, mass phishing and viruses. From our point of view, all companies, governments, NGOs and other organisations are vulnerable to cyber attack.
Perkins: Certainly, malware and DDoS attacks are major concerns for businesses and continue to be the most common and costly cyber security issues. However, there is a growing concern with BYOD in the workplace, cloud services providers and electronic health records (EHR). Many companies allow employees to use their own smartphone, tablet or portable device for both work and personal usage. With a lack of conformity to data protection standards, portable devices can become a nightmare for IT security. There continues to be an alarming number of data breaches caused by lost or stolen laptops, smartphones and tablets, and other portable media. In addition, the increasing use of cloud providers is a concern for cyber security.
Schnur: Social engineering risk has been one of the largest concerns for our clients over the past year or so. These attacks are well thought out, targeting specific individuals within the organisation. It only takes the employee once to ‘click on the right link’. Employees, regardless of the level of their training in cyber security, may mistakenly or deliberately take action exposing the firm to cyber security threats – be that downloading documents, opening suspicious emails or using insecure passwords. Employee risks such as these are outside the realm of technology and are not easily controlled.
FW: Given the risks, do you believe today’s companies place enough importance on data security? How committed are boards and management to combating cyber crime – or even taking the issue seriously?
Bhatia: Believe it or not, many companies still don’t understand the threat or its severity, and have an ‘it can’t happen to us’ mindset. This is simply not realistic in today’s cyber environment. Boards of directors need to be placing a high priority on cyber crime for several reasons, not the least of which is that both shareholders and the law are holding the board members responsible for breaches. Board members are beginning to realise that information security is a strategic component and the reward for ignoring data security is a high-profile exposure that negatively impacts both the bottom line and the company’s image.
Reetz: Boards and management teams seem as committed as they can be to delegating the issue to an IT or HR person but less committed to identifying the so-called enterprise risks. IT staff are relied upon to provide critical upgrades and the emphasis is on getting everything up and running, but is there time built into that procedure for a security or privacy audit? One recent matter involved a breach that occurred as a result of such an upgrade, and the IT person did a great job in getting the entity back online as quickly as possible, without interruptions in service, but they probably could have benefited from having an outside security firm audit the system.
Rains: Many of the enterprise customers I talk to have chief information security officers (CISOs) and professional risk managers that evaluate and manage risk for their organisations. Many of the businesses that they support have embraced the BYOD trend. Because of the security challenges related to the BYOD model, many of these CISOs are increasingly focusing on data security instead of device security.
Shepherd: Although data security concerns have increased among executive management members, it does not appear to be a top priority. In many organisations the task of data security falls solely within the IT department, which is increasingly faced with budgetary constraints. Viewing data security solely as an IT issue is a grave error. Unfortunately, rarely does an organisation properly budget for all the costs incurred after a breach. Organisations must recognise there will be a significant impact to a business when data security is breached and a well constructed incident response plan supported fully from the executive level is key to minimising the impact.
Wirtz: Due to the recent public discussion about information security, many companies now understand the importance of data security. Boards and management are very committed to protecting their respective critical assets. Our top management is kept well-informed about the current risk situation and counter measures to be taken.
Perkins: Companies are becoming more aware of data security and state that they are making data security a priority, when, in fact, they are not adequately informed or prepared. According to a joint study by The Corporate Board Member and FTI Consulting, Inc., 48 percent of corporate directors rated data security as a major concern. Yet only 42 percent of corporate boards say that their company has a formal, written business disaster plan for a cyber attack or data breach.
Schnur: Companies are doing a much better job now compared to a few years ago, both technologically and in terms of communication, between the C-suite and other risk management and IT employees. But is it enough? More is always better and needed. As companies continue to revise their policies, procedures and priorities, they will do a better job. The last thing you want is all of these positions sitting in a room for the first time together, after the breach event has occurred. Unfortunately, it has been my experience that in many circumstances, the heightened awareness within the organisation does not rise to the level it should until after the first breach event occurs. Boards and management are taking cyber crime seriously, but sometimes it takes a breach event to really bring home the message.
Raether: Most companies do not dedicate sufficient resources to data security, both in manpower and in security tools. For some, including start-ups, security is an issue to address only if the business becomes successful. For other companies, security is seen as a cost centre and insufficient resources are applied. Companies in highly regulated industries, such as the financial sector, have learned to apply the proper resources and build security into the early design of products. Avoiding an event and building the proper security has become part of the culture of these businesses to maintain company goodwill. Other companies would do well to adopt this same culture.
FW: To what extent have data security laws and regulations changed in recent years? Is it becoming more difficult for companies to maintain legal and regulatory compliance?
Reetz: Data breach notification laws in recent years have gone ‘viral’, as it were, on the US state level and the states continue to be the driver in terms of new privacy and security laws. For instance, recently, California took a step into the Do-Not-Track arena. The legislation does not go as far as EU regulations but it is a start in addressing mobile app tracking and providing notices to consumers that an entity is gathering information from a website user. Following in that trend, some federal legislators recently proposed ‘Do Not Track Kids’ legislation, with the aim being to provide some protection to minors. The legislation appears to be in response to news reports that websites targeting kids are more likely to use tracking tools.
Shepherd: Most privacy laws focus on the security of personal information. In the US, 46 states, the District of Columbia, Puerto Rico and the US Virgin Islands have all enacted data breach laws requiring notification to a consumer whose personal information has been breached. It seems as though many states revise or amend privacy laws on an annual basis. The US Department of Health and Human Services released the Health Insurance Portability and Accountability Act Final Rule in January 2013, designed to further enhance the security of patients’ health information. The European Union Data Protection Directive was established to provide a regulatory framework for its member states in regards to the storage, transmittal or processing of personal data.
Wirtz: Legal and regulatory compliance is very important for us in both internal and product-related IT. As a global player we are constantly monitoring local regulations and have implemented a process to make sure that all products and services we sell, as well as all applications we use internally, comply with local security laws.
Perkins: On a global scale, data security regulation has become a priority for many countries and in the US on a state-by-state level. In many cases, data security regulation changes at many levels of government, and at a constant pace. In the US, for example, there are currently 46 different state data breach notification laws – not including several other federal data breach notification laws. California and several other states have made multiple changes in their data security and privacy laws in just the last year. The legal landscape is changing at an alarming rate. With myriad laws, it is difficult even for small businesses to be compliant in this regulatory environment.
Schnur: It is certainly becoming more challenging to maintain compliance. On the state level, California leads the pack in the US as always; it has stricter laws pertaining to health information and certain time periods for notification which are extremely stringent. There is a wealth of consumer protection litigation. In 2010, Massachusetts passed a specific ordinance which mandates that any company with customers or employees residing in the state have a proactive identity theft plan in place prior to the breach event. Other states are trying to jump on board with proactive measures. Overall, most state laws have a lot in common; but in the past two years, certain states have started to branch out, integrating more stringent responsibilities both pre and post-breach.
Bhatia: Corporate management needs to understand that regulatory compliance has little to do with actual information security. It is too easy for a company to find a security firm that will check off all the boxes on the compliance forms without helping the company reduce cyber risk. Recent federal healthcare regulations now impose far larger financial consequences for companies that have lax security. We expect to see more companies increase their budgets so they become more secure rather than simply meeting regulatory compliance. Remember that companies such as Chase, RSA, PayPal, Citigroup, Heartland Payments, TJ Maxx and other big-name corporations were compliant when they were breached.
FW: Many firms are not aware they have already been hacked. What mechanisms can companies implement to monitor their network and quickly identify a breach?
Rains: The traditional approach has been based on prevention and recovery, resulting in the so-called ‘hard outer shell with a soft gooey centre’. It might not be obvious to the organisation when prevention fails, allowing attackers to stay in their environment unnoticed for long periods of time. A more holistic approach is needed today, based on the assumption that the organisation will have intrusions and attackers will be successful if they are determined. Using an approach that includes prevention, detection and recovery will help organisations manage the risk in a more holistic way.
Shepherd: There are quite a few mechanisms a company can implement to help identify breaches quickly, including an intrusion detection system designed to monitor networks for outside threats. A company should monitor networks in real time to detect possible intrusions or abnormalities. Some other mechanisms are multi-layered firewall protection, encryption of wireless routers and the use of antivirus software with regular updates.
Wirtz: Companies should be aware that there is an ongoing threat of cyber attacks. Security Information and Event Management (SIEM) systems can help detect cyber attacks. Protection measures such as antivirus solutions, firewalls and web-filters, and detection measures including SIEM, Intrusion Detection Systems and so on, need to be aligned very well in an overall IT architecture to be able to recognise and eliminate sophisticated cyber attacks.
Perkins: According to the Verizon Data Breach Investigations Report, only 13 percent of data breaches are discovered by internal sources. It often takes months before a company discovers that there has been a breach at all. It is imperative that businesses improve their employee training on data security ‘best practices’ and breach detection. In addition, businesses should partner with strong third party vendors to monitor and detect possible breaches.
Schnur: While there are various technologies and risk management techniques a company can use to prevent and detect events, what has not been mentioned is that many of the insurers in this area are starting to offer free tools as well. These tools can consist of an extra layer of protection for example, assisting in ‘shunning’ bad IP addresses. Others will offer employee training modules to employers that can co-exist with the training programs already instituted internally. For many of the smaller to mid-sized organisations that can use the extra layer of security, these tools are effective, not to mention the cost savings involved.
Raether: Many companies have placed too much emphasis on preventing an intruder from entering their networks, thinking in terms of perimeter security, firewalls and penetration testing. Initially, firewalls are often misunderstood. Hackers can emulate the packet and pass the network access controls; known users – such as a bad employee – can get into the system with their login credentials. It is the extraction of the data which ultimately should be stopped, not just preventing the criminal from getting into the environment. Understanding what data you have and where it is located in the system is critical.
Bhatia: We believe that companies must proceed under the premise that they already have attackers’ malicious code within their networks. Determining the company’s risk is a three-stage process: enterprise wide assessment; responding to the assessment by implementing proactive and reactive response processes, for example policies, procedures and response plans; then continuous monitoring, and reduction, of the identified risks. This is never a one-time function but an ongoing process that requires continuous care and feeding to root out vulnerabilities and ensure that proprietary data is not leaving their network. Many companies might have a strong first line of defence at the perimeter and might even collate security event logs. The key, however, is to document a business-relevant baseline and then use technology to identify the anomalies, not the other way around. Mapping the business to cyber risks is a crucial first step.
Reetz: Most privacy professionals suggest using a privacy impact assessment or checklist to help entities identify vulnerabilities. Obviously, these checklists vary a great deal depending upon the size of an entity and the type of data it may handle or house. However, if an entity can implement even a basic assessment, this can go a long way toward identifying unauthorised access, system or usage vulnerabilities or in the worst case, a breach. Not all breaches require a significant response. In one recent incident the number of potentially impacted users could have been in excess of 500 million – the good news was that the breached database only held non-personally identifiable information, or publicly available information.
FW: For some businesses, there is no room for error – once a security breach occurs, it is game over. What steps can companies take to avoid potential security breaches that could mean the end of their business? Can all attacks be eliminated?
Shepherd: If a company has sensitive data – either confidential corporate data or personally identifiable data – they need to face the fact that it is not a matter of if a data breach occurs but when. Whether data is breached by a malicious person, lost or stolen mobile computing devices, or just good old fashioned employee mistakes, for most companies a data breach is inevitable. There are steps companies can take to mitigate the impact of a breach, including damage to its reputation. A company should have a data inventory plan which accounts for the amount and the type of data a company has, where the data is stored, who has access to the data and a plan for elimination of data when it is no longer needed.
Wirtz: No business can be 100 percent secure. A professional risk management process can help identify the most critical assets and the respective adequate protection measures. Every organisation needs a risk-based approach to individually adapt information security to its needs.
Perkins: Besides improving technology to thwart potential security breaches, it is imperative to have strong policies and procedures implemented across all business segments within the organisation to minimise the overall risk of a security breach. It is not just the IT department that needs to have procedures in place to protect the organisation. It starts with the board and trickles down from the top. Implementing a comprehensive, written information security program is imperative for business. Having a business continuity plan, data breach response team, and written procedures in the event of a breach, will significantly reduce the costs associated with a data breach.
Schnur: Attacks cannot and will not be eliminated entirely. If I had to pick the three main concepts to focus on, they would be technology, incident response and breach team communication. First, as mentioned in many of the other sections, firms must keep up with technology and ensure their environment is as protected and buttoned-up as much as it can possibly be – although any CISO or CIO will tell you networks can never be 100 percent protected. Second, firms must employ a solid incident response plan that has been tested, not once, but consistently throughout the year. Tabletop exercises are extremely helpful. Finally, organisations must have a comprehensive breach team in place prior to any breach event – including employees from IT, legal and compliance, C-level executives, and external advisers such as a forensic firm, privacy attorney and public relations company.
Raether: All businesses must have room for error as attacks cannot be eliminated and events will occur. The ultimate issue is mitigating the harm from any intrusion, which could include preventing critical information from being extracted from the system. The ISO/OSI model defines the seven layers of encapsulation: physical, data link, network, transport, session, presentation and application. Security must be considered and applied in all these layers and defences built commensurate with the data at risk and the threat level in general – defence in depth. Data categorisation and mapping remains critical. Likewise, companies need to consider the appropriate mix of intrusion detection and protection systems, personnel identity management, hardening, egress detection systems and strong audit controls.
Bhatia: For small and mid-size companies, a breach of the corporate network often compromises the owners’ and employees’ personal data as well. This is underscored by the fact that these SMBs have the least amount of technical and financial resources to defend themselves. We have worked with SMB clients who have lost laptops or had confidential data stolen by former employees. It doesn’t take a massive breach to put a company out of business; it only takes the loss of enough data to eliminate the company’s competitiveness. Is it possible to eliminate all attacks? No one can do that, not even defence agencies or large financials. However, it is possible for an SMB or an enterprise to develop an ongoing cyber security program that significantly protects the company from losing its valuable corporate information.
Reetz: Segregation of the data, the employees managing the data and the systems in use are typical approaches to providing comprehensive security; likewise, limiting access to certain types of data can also be helpful. Encouraging entities to think with a global approach to managing the data or information may be prudent – who can access our information, physically, electronically, authorised and unauthorised? All attacks may not be eliminated but not all attacks are fatal or even critical. Some attacks help focus the areas of concern and obviously, the entities for whom it is ‘game over’ likely seek the assistance of a ‘white-hat’ hacker to give their systems and personnel a thorough going-over.
Rains: It’s important to note that there really is no silver bullet to security; it’s really a question of risk management. It is important for organisations to identify the risks to their businesses and prioritise them, typically based on probability and potential impact. Then they can decide which risks are most important to mitigate and the best way to do that for the organisation.
FW: Do you think cyber security is a technology issue or a financial issue? What company risk management structure is optimal to handle the threat of network security risks?
Shepherd: Cyber security is both a technology issue as well as a financial one. The rise in the use and the level of sophistication in malware and social engineering techniques are undeniable. Businesses often struggle to keep up with the fast changing technology landscape rapidly embraced by the ‘bad guys’. Unfortunately, budgetary constraints have made technology innovations difficult for organisations to implement. There are not many tested methods or tools to aid decision makers in choosing between the multiple security technology products and services. Many businesses struggle in defining a reasonable level of cyber security for their organisation and how to measure the return on investment for increased cyber security budgets.
Wirtz: Even though cyber security risks are often financial risks, the required solutions are often based on technology. Implementation of this technology is, of course, a financial issue – the more technical a solution is, the more money is needed. But if investment priorities are set appropriately, the funds needed for information security should only be a small portion of the overall IT budget. However, money and technology are not everything – we see information security awareness among employees as important as well. The optimal organisational structure depends on the company. We have a central information security (infosec) department which is responsible for strategy, governance and for provisioning of central protection services. The local infosec organisation supports the implementation in their respective area of responsibility. More important is a constant good cooperation between the business and the infosec organisations, with clear roles and responsibilities.
Perkins: Technology investment can help close many of the gaps in security, but alone it fails to prevent all attacks or breaches. Implementation of strong internal and external policies and procedures can help businesses prevent attacks or breaches. Having strong internal controls, employee training and pre- and post-breach written plans, can help companies create a strong defence against security breaches. People are the wild card in data security. External threats are not caused by technology failure; it is a person with the intention of getting into your network. Internal threats are increasingly becoming a concern for companies and, of course, human error is a factor.
Schnur: Cyber security is a financial, technological and legal issue. It’s a balance. An organisation needs to have the right people running the ship, and even when they do, those people all need to be communicating. As mentioned previously, you do not want a breach event to be the first time the legal & compliance department, the technology experts and the C-suite are sitting in the same room together. However, for many firms, a board-level network security meeting, with all of these departments present, is simply unheard of. In addition, the breach team should include the external advisers mentioned in the prior question as their judgment will not be clouded.
Raether: Sound cyber security is achieved with a balance of technology and financial issues. In technology, everything is possible with enough resources, time and money. Ultimately, cyber security is risk management. What data is critical? What data is at risk? What is the value of losing that data? For example, the costs of losing customer credit card numbers will be different from losing the file containing past product catalogues. Likewise, certain security tools can affect the performance of an application and the roll out of new functionality. For example, if an intrusion detection system has a white list of all permitted executable files, that list must be maintained and changed when new functionality is released.
Bhatia: Cyber security is neither strictly a technical nor a financial issue. It is a business issue that encompasses a variety of disciplines, including information technology, finance, audit, risk management, legal, human resources and corporate management. There is no one-size-fits-all solution when it comes to security. Every company needs to identify its own risk profile and perform its own risk assessment. Attacks don’t come just from thieves, hacktivists and foreign nation states. They also come from internal sources who think they’re doing something good, from simple negligence by either IT staff or an employee who clicks on the wrong link, and from disgruntled employees.
Reetz: Cyber security is a people issue. I once had someone comment to me, “Why would someone buy insurance for this? Isn’t technology going to take care of all of these problems?” It is unlikely in our generation or the next – or the generation beyond most sci-fi writers’ imaginations – there will be a technological or financial solution to these risks. Since there is a human fingertip at the other end of all decision-making involving cyber security, the threats are managed at the limit of a human being’s imagination. Having said that, obviously having a high-level manager or staff member designated with real privacy or security responsibilities is important for even the most modest sized entities.
Rains: If managed well, cyber security can be a major enabler for business operations and innovation, but if poorly managed it can be a serious liability. People, process and technology are all involved. Public policy is also a component in the risk management structure. From a high level perspective, organisations can use a quantitative or qualitative approach to risk management, or a combination of the two. Risk management is an organisation-centric process – most customers I talk to use an approach that works best for their organisation’s unique culture and situation.
FW: What particular challenges are posed by information-sharing arrangements between companies, and between companies and governments, especially when data is transferred across borders? Is the process of moving and protecting data becoming more hazardous? Further, what can companies do to ensure that the organisations with which they share information have appropriate processes in place to protect that information?
Wirtz: The main challenge between companies, and between companies and governments – especially when data is transferred across borders – are local laws and regulations. Wherever possible, end-to-end encrypted transfer of information and respective internal information security mechanisms are the best methods to protect critical information.
Schnur: The cloud happens to be the hot topic of the day, so let’s comment on that. The internal challenge or question has been determining whether an organisation is comfortable with the cloud service, period. The second challenge is contractual. Once comfortable with the concept, contracts are often one way and cloud providers tend to push back as much liability as possible. Traditional professional and technology service contracts may include broad hold harmless agreements, and larger limitations of liability with some room for negotiation. By nature, due to the possible aggregation issue, cloud providers tend to be less flexible when negotiating contractual language.
Raether: Companies need to first affirm that they have the rights and authority to share the information at issue. Companies considering ‘downstream’ uses of information need to always look ‘upstream’ to the data source to ensure they are not violating their commitments to individuals or companies providing them the information. One common issue we see is that many companies collect information en masse, under one or many agreements with differing terms, yet treat the information in the same way. Most companies understand you cannot sell the information you collect from consumers without permission, but they fail to understand that sharing the information with third parties without getting consent to do so can expose them, as well.
Bhatia: The obvious concerns for information sharing deal with confidentiality and competitive advantage. However, we are seeing many instances where companies in a common industry can successfully share sanitised data with others in their industry and various levels of the US and state governments. The industry-focused Information Sharing and Analysis Centres (ISACs) are an excellent way for members of a common community, such as critical infrastructure or finance, to share data about common risks. ISACs were created by President Bill Clinton in 1998. The system works very well, is quite secure, and is not subject to laws that would otherwise stop companies from sharing such information.
Reetz: Before there is information sharing, there should be knowledge sharing. If a company begins to engage with a new vendor, or even old vendors who may have access to old information but are subject to new levels of regulation or scrutiny, the company should have a discussion or dialogue regarding its expectations, or requirements, as to how information will be managed. There may be contractual issues that address how these expectations will be carried out. There may be limitations on how a company can or should share information with an outside entity. If a vendor is appropriate to perform a certain set of tasks for a company but cannot ensure HIPAA compliance, for example, it is unlikely a ‘covered entity’ under HIPAA would engage with such a vendor for anything but the most basic services.
Shepherd: Companies use consumer information to process orders and advertise their products, services or promotions. Depending upon the structure of the company, information may be shared with other companies in order to accomplish these tasks. Companies also are required to comply with governmental requests to share consumer data. Sharing information between companies and government does present some challenges such as differing technologies between organisations, maintaining accuracy of information and preserving confidentiality of the information. When data is transferred across borders, the list of challenges grows.
FW: Is cyber-terrorism or even cyber-war a real threat? Can or should the public sector and private sector work together to combat this issue?
Perkins: With increased government sponsored cyber attacks and the increase in hacktivism, cyber-terrorism is a growing threat. There is growing concern in the US with regards to cyber-terrorism targeting infrastructure businesses, such as utilities, financial services and national defence. In these cases, the hackers are not searching for data to steal; rather, they are seeking to destroy or seriously interrupt the soft underbelly of our key resources. For example, there have been a number of attacks on water and electric utilities. The systems that control the operation and maintenance of the physical plant or equipment are extremely vulnerable to security failures. The compromise of these systems could wreak havoc on the health and welfare of the general population.
Raether: Whether you call it ‘cyber-terrorism’ or ‘cyber-war’ or any other term conveying the image of internet battles, clashes between individuals, companies and governments will increase in number each year. All we need to do is look at the news over the past year in which countries allegedly hacked each other’s information security systems to do anything from disabling weapons-making capabilities to stealing secrets. Countries have even attacked the corporate sector, including the press, in order to access both corporate and national secrets. Any forward-thinking company has to assume their competitors are attempting, or will attempt, to gain a competitive advantage via the collection of inside information, whether legally or otherwise.
Bhatia: We have seen numerous cyber attacks on critical infrastructure from nation states and from individuals. However, we have to keep everything in perspective. While these threats are real, we already are seeing joint private-public sector work on defending against these attacks. Governments have yet to announce focused, concerted attacks on national infrastructure resources, but it would be naive to assume this has not happened. That is why a strong cyber defence is required just as a strong military defence is required, and why ISACs are an effective way for the public and private sectors to work together to combat the problem.
Reetz: Cyber-terrorism is happening and is certainly of concern to governments, in particular the US government, which has a significant reliance on contractors in critical areas. President Obama issued an executive order in February 2013 on the issue of improving critical infrastructure related to cyber-security. Typically, we think utilities and telecommunications industries would be most affected by these reviews. However, as the National Institute of Standards and Technology (NIST) seeks comments on a draft framework, the focus is broader – the review would also include aerospace, finance and energy sectors. Basically, the public-private partnerships are underway and it is just a matter of identifying how far down the food chain the reach may be.
Shepherd: As technology continues to power the nucleus of our global infrastructure, cyber-terrorism and cyber-war are methods of attack many nations are vulnerable to. It is essential for the public and private sectors to work together to combat this issue and protect critical assets. Standards should be set to help govern information sharing and a cyber security framework should be developed to address risks faced by government and business sectors. It is imperative that both work towards finding solutions which improve security without compromising privacy.
Wirtz: Cyber-war is a real threat. An increasing number of attackers are professionals who are increasingly connected with each other. The public and private sectors should work together to combat this issue.
FW: As cyber risk gains an increasingly high profile, and major security breaches occur with greater frequency, how are insurance providers adjusting or enhancing their insurance solutions to meet market demands? What types of policies are available to help manage the downside?
Schnur: The evolution of cyber insurance products began in the 1990s. The policies offered today are called network security and privacy liability policies, although insurers may name them differently. The first such product was issued in 1998, but wasn’t really adopted until 2002-03. At that time, only a few insurers were offering this type of coverage and financial institutions were the first purchasers. Due to the technology boom in the early 2000s, we experienced increasing risks to information, money and securities online between 2003 and 2005. The regulatory reaction started to blossom as well during this period. In 2005, there were 17 US states with privacy breach notification laws – today there are 46. From the mid- to late-2000s, we started to experience large scale breach events that were highly publicised, including TJ Maxx and Heartland Payment Systems. By 2010 there were 20+ insurance companies offering network security and privacy liability insurance policies. Throughout this evolution, all the carriers have continued to update their policies, to the point where policies written prior to 2009 would not be worth the purchase today, given the change in required coverage to match the evolving exposures.
Raether: Generally, coverage addresses two areas: first party coverage, or direct expenses, and third party coverage – payments to cover costs of customers, consumers and others. Companies should look at the first party coverage to determine whether it includes notification expenses to alert stakeholders of a breach and provide them, when necessary, with credit monitoring services. Third party coverage might include court imposed damages, regulatory penalties and defence costs associated with lawsuits alleging the disclosure of customers’ personally identifiable information or harm to business partners’ systems. Some firms are offering risk management advice from their panel experts in addition to just loss coverage. In sum, the details are important, so make sure whoever provides advice in the space is knowledgeable.
Bhatia: Cyber attack insurance is certainly a useful tool for offsetting losses, but can never be a tool to defend against a loss. One can recover some financial losses from insurance, but if the attacker is stealing trading algorithms or cutting-edge scientific research, the harm can be irreparable and the data irreplaceable. Cyber insurance could help offset some losses but is never a panacea. That is one reason why understanding one’s risk profile is so important. There are no insurance policies that can put the proverbial genie back in the bottle if private data is stolen.
Reetz: More and more insurers are providing products that address some kind of data or information security, network security or privacy protection. Just as significant, there are exclusions to be found in policies that previously would have been silent or seemingly not impacted given the type of coverage – for instance, some types of professional liability policies. Insurance providers are thinking at the broadest scope of managing these risks when providing breach response toolkits, risk management services, and loss mitigation resources as part of a policy package. In addition, most insurers are quite conscious that the security or privacy risk is a reputational risk in addition to posing a direct financial cost threat.
Shepherd: Today there is no shortage of carriers providing cyber risk insurance, both in the US and the London marketplace. Policies include multiple third party liability coverage parts as well as first party loss coverage parts, all of which are designed to protect an organisation for the costs associated with a network security or privacy breach. Unfortunately, there is no conformity in these policies and language varies from carrier to carrier. No two forms are alike and may contain restrictive definitions, exclusions or policy conditions, so it is important to rely on someone well versed in cyber risk insurance to assist in securing the best product for a particular organisation. As the theories of cyber risk liability continue to evolve, so too will the policy forms.
Perkins: The insurance industry has been responding by providing innovative new products to address the exposures to security breaches. Cyber insurance products have evolved to provide protection for many of the risks associated with a data breach. Typical cyber insurance products include coverage for several third party exposures – including network security liability, privacy liability, regulatory actions and media liability – and first party exposures, including breach response costs, crisis management and forensic expenses, data restoration costs and cyber extortion. Of particular concern for most cyber insurance buyers are the breach response costs, including crisis management and forensics. The post-breach costs and expenses can cripple a company that has not prepared for these unseen costs.
FW: What prescriptive guidance can you give to companies to avoid cyber criminal activity? What questions should companies ask before choosing a technology vendor to ensure their data will remain secure?
Bhatia: Cyber attacks will happen. It’s not a question of ‘if’ but rather ‘how have you handled it already?’ Before a company begins to look at specific vendors to provide security products, the company first has to assess its own risk profile and discover all of the places its data exists. This includes in the cloud, on employees’ personal devices, and throughout the company’s known and unknown network – devices that the company might not realise hold valuable data. Once all data and stakeholders are identified, the company needs to determine the value of its assets. Next the company needs to make decisions on its risk acceptance for the assets. The ‘assess, respond, monitor’ model will help dictate which products and vendors should be included in the final analysis of the security shield.
Reetz: Most ‘criminal’ activity is a test of a company’s security best practices. In that regard, if the systems are up-to-the-minute, the vulnerability may lie with whether the company has employees following its most secure protocol. When choosing a technology vendor, a company should treat the vendor like any other high-level professional service – typically, like choosing a doctor or a lawyer – on a referral basis or trusted resource. Sometimes the company may have limited choices given the type of industry. Mostly, a referral would be the most effective way to engage the vendor, but like any other high-level service, it would be important to get a feel for working with the vendor.
Rains: Organisations should demand software from their vendors that has been developed using a security development lifecycle. Ideally this will help minimise vulnerabilities in the software they procure and make it harder for attackers to exploit vulnerabilities that remain. An easy way to have this conversation with vendors is to ask them if they meet the guidelines defined in the international standard for secure development: ISO/IEC 27034-1.
Shepherd: Companies can minimise the impact cyber criminal activity will have by developing, testing, updating and auditing their policies and procedures designed to protect data, which should address data inventory, data retention, data storage and data access. Before choosing a technology vendor, a company should assess the vendor’s experience in providing the type of technology service being sought, including reference checks. Once a vendor is chosen the company should have a contract with that vendor describing the services to be provided, the timeframe to provide services and how change orders will be handled. The contract should also address confidentiality of the company’s data, data security requirements for the vendor, cyber risk insurance requirements and indemnification provisions in favour of the company in the event the vendor, its employees or subcontractors cause a data breach.
Wirtz: Firms must analyse their risk scenarios and identify potential suppliers. Advice and intelligence on cyber crime can be gleaned by talking to peers and attending infosec conferences.
Schnur: From my point of view, it’s important to employ vendors that are financially stable, have a good business reputation, and to interview a range of different providers before making a decision on the purchase of any service or product. Experience is key, and if you are dealing with a foreign entity hacking situation, wouldn’t you rather work with a firm that specialises in that area? Especially one who has handled breach events similar to the one you are experiencing? For proactive measures, this is just as important – a company that provides network and privacy assessments or audit services isn’t necessarily the right firm to provide forensic services.
Raether: Companies are not giving this area enough attention, choosing often to focus more on the terms of the agreement than actual performance. Obviously it is critical to have an agreement that secures the necessary rights and assurances, but having the right paper is only one component of a multi-component program. Under many regulations, companies are accountable for the security of their downstream partners. There are more opportunities for things to break. Logistics, accountability and compliance issues increase in complexity exponentially when you add another company. For healthcare in the US, these issues take on greater importance with the recent need to comply with the final rules on HIPAA and Health Information Technology for Economic and Clinical Health Act (HITECH).
FW: Going forward, what are your predictions for cyber crime and data security over the next few years? How do you expect the inherent risks, and companies’ response to them, to evolve through 2014 and beyond?
Reetz: Of course, we expect to hear and read more about cyber and data risks as the use of devices and the reach of applications become ubiquitous in our society. The trend for the last few years has been to talk about the ‘cloud’ and ‘software-as-a-service’. But, the ‘cloud’, in a way, has been around for some time and it is just the level of data now in the hands of ‘others’ that has drawn attention to these issues. I was a bit alarmed recently to see a professional organisation send me an email that showed my user name and password encouraging me to sign up for a program. Since I am human, of course, the log-in information, unfortunately, was not unique to that entity. I quickly changed my info but I still think there is a great deal of tension over what some entities consider ‘private’ or ‘confidential’ as these entities try to gain an advantage with targeted advertising or marketing.
Rains: Organisations should make the assumption that they will be targeted and the attackers will be successful if they are determined. Doing this will help them plan for such an event, even if it never happens, to help minimise disruption to their business if the risk is realised. I see organisations increasingly taking a more holistic and mature approach to risk management instead of approaching security as purely an IT issue. Looking at security as a corporate risk issue, companies will have a better chance of maximising the ROI of their security investments and minimising costly disruptions to their business.
Shepherd: Although we have not heard of many breaches in the cloud to date, I suspect that will change. Cyber criminals will continue to exploit the weakest links within the data exchange process, including vendors, consultants and rogue employees. The use of malware targeted to mobile devices will grow as the convenience and popularity of such devices continue to grow. Companies need to recognise there is more at risk with a breach of data security than personal data and identity theft. Corporate secrets and disruption of critical infrastructure are two of the most significant threats an organisation can face with a breach in data security.
Wirtz: We expect ongoing competition between attackers and industry, which will require constant vigilance. Firms need to react quickly to changing threat scenarios and monitor instances of cyber crime.
Perkins: Cyber security will continue to be a major concern for corporations and their senior management. As the number of attacks increases and the sophistication of attacks changes, we will see new threats and new exposures in the coming years. I predict that we will see major changes in privacy and data security laws globally that will continue to burden businesses with new legislative compliance challenges. The pace of change in the legal landscape for data privacy and security is changing at the speed of light. In addition, with the proliferation in mobile device usage, such as smartphones and tablets, expect to see more privacy issues and cyber attacks targeted specifically at mobile applications and hardware. Finally, expect to hear about massive data breaches in healthcare data with the upcoming increase in electronic health records. We are just scratching the surface in the area of electronic data transfers.
Schnur: Risks will continue to intensify as threats become more sophisticated, as the regulatory environment evolves, and as cyber related litigation becomes more commonplace. Four or five years ago, if a firm experienced a breach event, where data was compromised but no misuse of the data occurred, the defendants would often be granted a motion to dismiss. This occurs much less frequently today. Many more actions survive a motion to dismiss because of the broadening regulatory environment. The risks are going to evolve, and companies will often find themselves behind the curve, but awareness is growing and executives will continue to learn from future events.
Raether: We will continue to see the same sources of risk as in the past and some new ones. Unfortunately, many companies still have not embraced privacy by design – that is, baking security and privacy into product development and organisational practices. Likewise, employees will continue to be the weakest link in most security programs. Having good written policies and procedures is not enough. Education, awareness, and audit compliance are essential but often ignored components of good security practices. This risk will be heightened by the introduction of employee-owned devices. Many companies have been allowing this practice without modifying their policies and procedures – a big mistake.
Bhatia: As we speak, millions of cyber attacks are happening concurrently throughout the US and the world. The risk is real but the response often is inadequate. While companies recognise the need for cyber security, many still assign that function to the IT staff if they assign it to anyone at all. I expect to see greater separation of the security and IT functions in future years because these disciplines are, in many ways, at odds with each other. IT’s role is operational and to empower the workforce. Security’s role is to ensure that corporate and personal information is kept from prying eyes, even if it means accessing the data is less convenient for the workforce.
Ron Raether is a partner at Faruki Ireland & Cox P.L.L. Mr Raether’s experience with technology-related issues has spanned a broad array of substantive legal areas, including patent, antitrust, licensing and contracts, employment, trademark, domain name disputes, and federal and state privacy statutes. He not only works as a data breach coach and defending companies in class actions and before regulators, but also advises companies in proactively developing data security practices and policies.
Vikas Bhatia is a recognised certified chief information security officer (CISO). As a trusted adviser to his clients of all sizes in the financial services, healthcare and legal industries, he has a proven track record in delivering transformational information risk assessment, response and monitoring strategies supported by process re-engineering and complex enterprise technology and security solutions. Recognising flaws in compliance-driven security, Mr Bhatia founded Kalki Consulting, a dedicated global cyber security risk management consultancy, in 2012.
Margaret A. Reetz has over 25 years worth of experience in the insurance and commercial dispute fields. With a concentration in complex and novel risk and loss control issues, she has a broad range of skills and experience in advising clients with respect to data security and privacy risks, consumer class action litigation, intellectual property disputes and media/social media issues. Ms Reetz has been admitted to practice law in Illinois, California and New York.
Tim Rains is a director in Microsoft’s Trustworthy Computing Group, responsible for managing communications that span Microsoft’s boxed and cloud products as they relate to security and reliability. Mr Rains has worked in roles including senior public relations manager of security response, senior product manager of the Microsoft Malware Protection Center and more recently the director of Product Management within Trustworthy Computing.
Betty Shepherd, an established Cyber, Security & Privacy expert, serves as vice president for RT ProExec, the Professional Liability division of R-T Specialty, LLC, in the Hartford, CT office. Ms Shepherd has over two decades of underwriting experience. In 2012, she launched the Cyber Security blog ‘CyberBytes’, to honour her commitment to keeping the insurance industry informed about the ever-changing world of cyber risk insurance.
Udo Wirtz is Siemens’ Chief Information Security Officer. He is responsible for the implementation of the Siemens PR!O (Priority Roadmap for Infosec Objectives) Program. Mr Wirtz has served in executive positions within the IT sector for 15 years. He has previously worked as Cluster CIO for Russia and Central Asia (RCA) in Moscow, CIO of Flender AG in Bocholt, and head of IT for the former Siemens Business Unit A&D EA (Electronics Assembly Systems) in Munich.
Dave Perkins has over 22 years of insurance experience and is a Registered Professional Liability Underwriter (RPLU). Mr Perkins’ expertise extends to the areas of Cyber/Privacy Coverage, Management Liability, Employment Practices Liability, Professional Liability, Medical Malpractice and other specialty insurance products. He has specific industry expertise with Public & Private Companies, Financial Institutions, Technology & Media, Healthcare and Education.
Meredith Schnur serves as an in house resource for all professional liability, technology errors and omissions, media liability, network security and privacy related lines of coverage. Ms Schnur has 19 years of experience in the insurance industry, the last 10 as a broker in the Professional Risk Group. Prior to joining Wells Fargo Insurance Services, she was an underwriter at Royal & Sun Alliance and American International Group.
© Financier Worldwide
Faruki Ireland & Cox P.L.L.
Margaret A. Reetz
Kerns, Frost & Pearlman, LLC
R-T Specialty, LLC
US Risk Brokers, Inc.
Wells Fargo Insurance Services USA, Inc.