[BreachExchange] Cyber insurance offers companies a safety net from online hackers

Audrey McNeil audrey at riskbasedsecurity.com
Tue Feb 23 11:09:03 EST 2016


http://www.crainsdetroit.com/article/20160221/NEWS/302219998/cyber-insurance-offers-companies-a-safety-net-from-online-hackers

Most businesses and people are inextricably connected to the digital world,
from desktop PCs and the servers they link with to tablets, smartphones,
smartwatches and a litany of other gadgets.

And don't forget today's high-tech cars.

One characteristic all these devices share is connectivity, their link to
the outside world. All this integration comes at a price: the threat of
data breaches by nefarious hackers.

Since digital technology is so new — and its capabilities so amazing — the
vulnerability to attack at the corporate level may not be so evident. But,
as technical experts and local insurance experts attest, the risk is all
too real, making effective preparedness a necessity, not a luxury.

The business threat is best managed by reviewing the level of specialty
insurance needed — and weighing whether more than traditional business
security IT systems and protocols are needed. The right answers will depend
on the industry served, client data stored and other theft risks, which
will vary by business.

The state of cyberattacks

Intrusions into a company's network can take on several forms. "The hackers
today are both more creative and more technologically sophisticated," said
Jim Giszczak, member at McDonald Hopkins, a business law firm with offices
in Bloomfield Hills.

"One common technique they employ is something called 'spear phishing.'
This happens when a hacker penetrates a company's system and sends a
fraudulent email to an unsuspecting employee, asking for sensitive
information. Assuming the request is legitimate, the employee complies,
compromising the information." That data can be later used to assist in
future attacks.

And once a hacker invades a system, they often have the opportunity to
steal more information than they originally intended. "A bad guy may be
after a company's trade secrets, but since many systems don't segregate
their departments' information, he might also get personal data on
employees," Giszczak said.

An example occurred in February 2015 when Indianapolis-based Anthem Inc., a
large, for-profit health insurer, suffered a cyberattack affecting its
entire organization, compromising both general company data and medical
information of some 80 million members. Despite having security protocols
in place, the company described the attack as very sophisticated. It was
unable to determine the precise origin of the attack.

Experts continue to advocate for companies to use aggressive measures to
prevent hacking on the front end, such as system encryption, redundant
firewalls and cryptic passwords. But as Brian Lapidus, a managing director
at New York-based Kroll Inc. explained, implementing these measures is like
aiming at a moving target.

"I think organizations are getting better with their protection," Lapidus
said. "But at the same time, the criminals are getting better and better
with their methods, so it's a vicious circle."

Lapidus is managing director of identity theft and breach notification;
Kroll performs risk analysis as well as cybersecurity, incident response
and consumer remediation.

Liability: Coverage gaps

Further complicating matters is the issue of liability. In the absence of
any insurance coverage, Lapidus said, each company is on its own.

"Forty-eight states have their own breach notification laws," he said. "So
when data is compromised, the location of the employees involved will
determine how a company must respond. Each state's laws are different, but
all list specific rules by how affected parties are notified and what
remedy the company will provide."

Lapidus cited an example of a situation where his company's services were
needed. A client financial institution suffered the theft of 15 laptop
computers that contained customer financial data. Kroll used investigators
to locate the laptops and assess the damage. It then informed the client of
the resulting customer notification and remediation requirements.

Given these potentially steep financial consequences, a new frontier in the
insurance industry is emerging. While evolving and proactive security
measures should always be the first line of defense, growing awareness of
the risks has given rise to cyber insurance products.

Although major incidents, such as those at big retailers Target and Home
Depot, have involved considerable liability on the companies' part, recent
court precedent has provided liability relief for retailers. A 2015 U.S.
District Court ruling in Suffolk County, N.Y., dismissed a suit filed by a
customer of Michaels Stores, the arts and crafts retailer.

The plaintiff, in what eventually became a class-action suit, was one of
several thousand customers whose credit card information was stolen in
December 2013 due to malware that had infected the store's point-of-sale
system.

Two fraudulent purchases were subsequently made, both of which were later
detected and removed from the customer's account. In dismissing the case,
the court rejected the plaintiff's claim of pain and suffering stemming
from having to closely monitor her credit in the months following the
incident.

Court rulings like this therefore tend to argue against the need for cyber
insurance aimed at consumers, since an individual's losses can usually be
remediated by the retailer involved.

New products

Business-to-business cyber insurance, by contrast, is concerned with much
more complex scenarios, but is very much an industry in its infancy. Until
very recently, there were no statistical models that underwriters could use
to assess risk and develop policies.

This changed in January when Lloyd's of London released a set of "core data
requirements," which accomplish two things, according to Mary Jane
Grandinetti, managing editor of Business Insurance. "The Lloyd's model
codifies precisely the specific cyber damages that need to be addressed in
this type of coverage. It also sets standardized methods of assessing
potential risks and developing appropriate levels of coverage."

This key development will undoubtedly lead to more providers entering the
field.

But the ever-increasing complexity of this emerging field can prove
overwhelming to the business owner.

David Derigiotis, senior vice president of Farmington Hills-based Burns &
Wilcox, cites this as one reason why hiring a specialized broker or agent
is important.

"Buying cyber insurance is unlike purchasing a general liability policy,"
he said. Business owners "really need an expert you can lean on who
appreciates and understands the complexity of your specific situation."

Too many people don't understand all the details of these policies — the
available coverage, the optional enhancements and a number of other
features, he said.

When an agent doesn't understand it, the client is left with too much
uncertainty to make a purchase, and may put it off and leave the company at
risk. Right now, cyber insurance is a $2.5 billion per year industry.

"If everyone involved — retail agents, wholesale brokers and carriers —
better understood these policies, that volume could be double or triple
what it currently is," he said. Derigiotis attributes this knowledge
deficit to the fact that the worlds of high technology and insurance have
traditionally had little in common. Until now.

At-risk industries

Derigiotis stresses that the fields currently in greatest need of cyber
coverage are those that deal with highly sensitive or confidential
information, such as financial services or health care. In addition to
customer liability, data breaches in these industries can trigger fines
imposed for regulatory or HIPAA (Health Insurance Portability and
Accountability Act) violations.

Cyber policies are also being written to cover companies for losses caused
by cyberterrorism, such as business interruption when a website is
disabled, or extortion. One example of cyber extortion is a company's
entire system being "held hostage" by an outside party unwilling to release
it until a ransom is paid.

Derigiotis and other experts argue that in the future all businesses will
eventually need some type of cyber coverage. The coming of the Internet of
Things — the connection of virtually all digital devices so that they may
work together seamlessly to drive more efficiency — will open exciting new
possibilities, but also a multitude of new opportunities for the bad guys.

Reducing risk also comes by way of continuously refining and strengthening
security protocols. And beyond insurance products, there are also specialty
vendors and technical experts whose business is keeping out increasingly
sophisticated attackers.

Ash Devata, vice president of products at Ann Arbor-based Duo Security,
explains his company's "two-factor authentication" protocol as an extra
layer of security against hackers.

"Ninety-five percent of all cyber breaches involve compromised sign-in
credentials," Devata said. "With our system, two independent channels are
utilized to assure someone attempting to log on is who they say they are."

"As an example, after a user's password is entered, a private message is
sent to their cellphone asking if she or he is in fact attempting to access
the system. Their affirmative response proves that they are, and access is
granted."
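A simulation of the two-channel flow Devata describes, added here as an example; it is not code from Duo or from the article. The user name, the in-memory user table, the fixed one-minute window and the outbox that stands in for the push channel to the phone are all constructed.

```python
import hmac
import secrets
import time

# Constructed user table; a real deployment stores salted password hashes,
# not the password itself, and looks devices up in an enrollment store.
USERS = {"alice": {"password": "correct horse", "device": "alice-phone"}}


class PushSecondFactor:
    """Password on channel 1, approval of a one-time challenge on channel 2."""

    def __init__(self, ttl_seconds=60, clock=time.time):
        self.clock = clock              # injectable for deterministic tests
        self.ttl = ttl_seconds
        self.pending = {}               # challenge id -> (user, device, expiry)
        self.outbox = []                # stands in for the push channel to the phone

    def start_login(self, user, password):
        """Channel 1: check the password; on success issue a push challenge."""
        record = USERS.get(user)
        if record is None or not hmac.compare_digest(record["password"], password):
            return None                 # no challenge is sent for a bad password
        cid = secrets.token_urlsafe(16) # unguessable, unique per attempt
        self.pending[cid] = (user, record["device"], self.clock() + self.ttl)
        self.outbox.append({"to": record["device"], "challenge": cid,
                            "text": f"Login attempt for {user}. Approve?"})
        return cid

    def approve(self, device, cid):
        """Channel 2: the enrolled device answers. Returns True only for a
        fresh, unexpired challenge answered by the device it was sent to."""
        entry = self.pending.pop(cid, None)   # single use: a replay finds nothing
        if entry is None:
            return False
        _user, expected_device, expiry = entry
        return device == expected_device and self.clock() <= expiry


if __name__ == "__main__":
    mfa = PushSecondFactor()
    cid = mfa.start_login("alice", "correct horse")
    print("push sent:", mfa.outbox[-1]["text"])
    print("approved from phone:", mfa.approve("alice-phone", cid))   # True
    print("replayed approval:", mfa.approve("alice-phone", cid))     # False
```

The point the quote leaves implicit is that the approval must be bound to one specific login attempt: an answer from the wrong device, a late answer, or a second answer to the same challenge is rejected.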

Duo's Platform Edition takes this protection to the next level. "Platform
assesses the characteristics of the wireless devices used by all of an
organization's employees. If it determines that some have outdated software
and are thus more vulnerable, it recommends corrective actions be taken so
the security of this separate channel is preserved."

Yet another innovative (and amazingly low-tech) security-enhancing move is
to put the organization on what Lapidus calls a "data diet." He advises
clients to delete old information that will never be legitimately needed.

"If you're holding on to data from 30 years ago — customer Social Security
numbers, dates of birth and the like — that serves no realistic business
purpose and poses a significant liability risk," Lapidus said.

"Get rid of it."