Tag Archives: cyber liability

Surveying Wreckage of Cybersecurity

On Jan. 1, 2001, it would have been beyond human ability to predict, with precision, most of what has happened in the first 20 years of the 21st century. Certainly, no one was expecting that following September to dramatically alter the geopolitical landscape of the world, nor was anyone expecting the U.S. to use UAVs (unmanned aerial vehicles) to eliminate targets, terrorist or otherwise. Perhaps more crucially, though, people were not expecting to have a substantial chance of having the security of their lives drastically diminished over the course of the following 20 years due to hardware and software engineers, some of whom were “dark knight” engineers: hackers. However, more than any other occurrence since the start of this century, the cyber realm has had, and will continue to have, profound impacts on nearly every aspect of our lives regardless of where we live globally.

It is only fitting then, as we review the lessons we have learned, to examine their inextricable links to and impacts on cyber liability and technology E&O.

Let us start with some numbers. Of breaches that have compromised 30,000 records or more, there have been at least 266 since 2001. Each year since 2001 there have been no fewer than 13 such breaches.

In 2014, the global average cost of a data breach was $3.5 million. Today, the number stands at $3.9 million, based on an average breach size of approximately 26,000 records. In the U.S. in 2018, the average cost of a breach was $7.9 million, and today it stands at $8.2 million.

According to a 2001 CSI/FBI Survey, the aggregate loss for firms reporting data that year was close to $456 million. For mega breaches, the cost of losing 50 million records in 2018 was $350 million; this year to date it stands at $388 million. Essentially, two mega breaches today would likely equate to all of the losses that were sustained in 2001.

In 2014, cybercrime cost the world economy at least $400 billion, and today the figure stands at $600 billion. Calculating the cost of any breach with exactitude is difficult, but the above figures are reasonable cost approximations. Certainly, it is clear from the information available that the cost of a data breach is significant.

More concerning is that there is no foreseeable future in which the cost of a breach decreases. The future is also bleak where the number of unwanted system intrusions is concerned. After all, as the cost of doing business in countries like China and India increases, those increases will push the cost of data breaches upward as well.

Furthermore, the number of people on this planet continues to rise, as does the number of devices connected to the Internet. The passage of privacy laws, like the General Data Protection Regulation (GDPR) in the E.U. bloc, will also force the cost of data breaches upward.

The numbers are rising in multiple ways, and they are not in favor of cyber liability and technology E&O insurers or their clients.

Despite the staggering numbers, cyber breaches are treated with an uncommon tolerance. If San Francisco, New York City, London, Dubai, Singapore and Hong Kong all lost power for seven straight days each year, then the energy providers to those areas would be lambasted and perhaps face new, more reliable competition. However, despite all the damage that hackers are causing, not enough resources are being put into place to prevent the next cyber breach. The mega cyber breach of Capital One in 2019 would seem to validate this conclusion.

We have also learned that the rule of law is far less bothered by data breaches than other types of incidents. After the sinking of the Titanic in 1912, governments and shipbuilders enacted major changes to try to ensure that such a disaster would never happen again. After the 1956 sinking of the SS Andrea Doria, training was mandated on the use of radar and a change to radar screens was required. Shipping accidents are now rare. Governments forced changes in the design and operation of nuclear reactors after disasters at Three Mile Island (1979) and Chernobyl (1986), and worldwide energy companies got the message. In contrast, each year since 2005 has included at least one major to moderate data breach somewhere. Some years, like 2013 and 2014, saw at least three major data breaches. Often the worst penalty the exposed organization faced was not levied by any governmental agency but by a private organization like American Express or Visa. (The E.U. has the strongest and most exacting data privacy legislation. The state of California also has admirable privacy laws. Elsewhere, strong data privacy laws are the exception.)

Perhaps one of the most shocking aspects of the first part of the 21st century is the lack of accountability in the private sphere for CEOs, boards of directors and other senior individuals. If an entry-level employee were to take a photograph of a client’s banking records, even by accident, that would be more than enough for dismissal. The employee could even face civil and criminal penalties. In contrast, in the aftermath of the June 2017 NotPetya attack on the international shipper A.P. Moller Maersk, its CEO was neither dismissed nor criminally charged, even though the attack on Maersk cost the organization no less than $300 million. The CEOs of Target and Marriott International also retained their positions despite the data breaches those organizations suffered in 2013 and 2018, respectively.

When a director or officer can neglect the legal duty of care owed to an organization, then the profitability and even the continued existence of the organization is at risk. Such failed diligence constitutes gross negligence!

There is an interesting communication pattern with regard to data breaches as evidenced by Target (2013), Equifax (2017) and Capital One (2019). In this routine, a statement is released by the CEO. The CEO says how she or he understands that the company’s clients may feel frustrated or worried that their data is now in the public domain. Then the CEO expresses a bit of remorse for the breach. Finally, the CEO says that dutiful action will be taken to get to the bottom of things. Next comes the public outcry over how an organization, especially a large one, could be so irresponsible as to not screen its sub-contractors and segment its network (Target), or how an organization could be lax in its security standards, especially as they concern software patches (Equifax).

Usually, the number of afflicted customers creeps up over the following weeks, as was the case with DSW Shoes (2005) and LexisNexis (2014). Or, as in the case of Maersk, the severity of the damage done becomes fully apparent over the course of days and weeks. By the time the last of the initial steps occurs, which is the provision of identity theft protection, clients are so numb with pain that the “freebie” of identity theft protection provides next to no solace.

Still, to this day in the U.S. and many other countries, there is nothing on a national or multinational scale that compares with the E.U.’s GDPR to help prevent data breaches and make it clear to organizations what the penalties are for inappropriate security standards.

Another setback is the continued lack of recognition of how the data breach landscape changes with different attacks, or a severely delayed response to that change. To this day, many people are unable to appreciate how much side-channel attacks at the CPU level have altered the landscape, especially because more side-channel attack possibilities are being realized.

When Stuxnet was made public in 2010, it forever changed the cyber breach landscape, because it meant that every organization in the world could not only suffer damage in the cyber realm but that computer and networking systems could be physically damaged by a worm or virus as well. WannaCry and NotPetya (the enhanced Russian strain) have NOT struck so much fear worldwide that organizations of every size are now only using variants of Windows 10, macOS 10.15 or Fedora version 30. To this day, there are multinational corporations that have not upgraded to Windows 10, even in the financial services sector. This is not even counting the damage of election interference in the U.S. in 2016 and the political fallout that is still afflicting the U.S.

Also uncounted are the ways social media can be corrupted to negatively influence people. It certainly is possible to continue to list advances in breach technology that have altered the cyber landscape, but suffice it to say that the ways in which a breach can occur, and the sophistication with which it can happen, have since 2001 significantly eroded the security of most people on this planet. Today, for a majority of people around the world, health, financial and even electronic identities are all compromised to varying degrees, and privacy and collective societal independence have been further eroded by companies like Cambridge Analytica.

There are two areas of further concern in the professional sphere, and these segments have grown less secure since 2001: medical data and servers that form the data backbone of organizations. Each year, more and more medical data has been put online, whether by primary care physicians, pharmaceutical companies, insurance companies or other private sector organizations. The vast amount of medical data that has been put online, though, has been done with a focus on ease of access without a similar regard for security, as evidenced in the consistent rise of medical identity theft since at least 2010.

Sometimes, the information comes from a large-scale hack, like that of Anthem (2015), and sometimes it comes from a smaller one, such as the attack on Sutter Medical Center (2011). On the server side, the hack of Capital One is a reminder that cloud-based data is not beyond the reach of unauthorized users. Furthermore, Spectre and other side-channel attacks on CPUs continue to chip away at the safety of the cloud, as does the illicit alteration of products from a company like Supermicro.

We are clearly not safer, overall, today than we were in January 2001, despite the rise of cybersecurity firms and cybersecurity technology.

It would be misguided to say that nothing has been done to advance our cybersecurity in the first 20 years of this century. Perhaps our biggest advantage in this century was the creation and success of cybersecurity firms, especially ones that publicly call out bad actors. Today such firms can offer a sorely needed layer of protection in the fight to defeat a cyber breach, and this layer can often be updated each day to account for the knowledge the cybersecurity firm gained in fending off attacks on its various clients.

Advances in quantum encryption are also allowing nearly impenetrable, discreet communication even over long distances. Internet browsers, like Chrome, are forcing organizations to have valid and up-to-date security certificates. Otherwise an organization risks being labeled as dangerous to online users. Private sector competition between internet browser makers is helping to advance the effectiveness, from a security standpoint, with which internet browsers are built.

Similar competition in the cloud segment is also helping to ensure safety. When the Capital One breach was announced, Amazon was quick to point out that there was no indication that its AWS cloud itself had been breached.

We also have two-factor authentication for securing our e-mail and even our mobile devices. Card issuers, at least in the U.S., have finally moved almost entirely to cards with chips built into them. Now card users have a more secure method of making a payment than with the magnetic stripe on the back of the card. On a much larger scale, Apple Pay, Samsung Pay and contactless technology built into credit and debit cards have been introduced over the past 10 years. They have made POS purchases much safer and easier today compared with 2001.

2016 saw the first mature version of the Payment Card Industry Data Security Standard (PCI DSS) framework, which helped to encourage merchants to install firewalls, segment networks and retain credit/debit card information only when necessary. Furthermore, financial firms often provide the option for a client to be notified in the event of unusual activity on a card or when a large purchase is made with a credit or debit card.

Ultimately, despite all of the cybersecurity advances, the cost and number of cyber breaches have gone up consistently since 2001. Moreover, the ease with which societies and the rule of law accept such breaches remains high. Even today, CEOs are rarely held responsible, legally or otherwise.

Furthermore, people and organizations of all sorts fail to understand how the cyber landscape changes on a continuous basis, and that failure reduces the responsiveness to the altered terrain, which consequently increases the chances of yet another cyber breach.

Globally, almost all of us bear scars in one form or another due to the damage that our lives have suffered over the course of the past 19 years. Time and again, governments have failed to protect their citizens, and organizations often grasp for cybersecurity without the knowledge of what true cybersecurity is.

However, even from this grim landscape we can find hope, direction and ultimately a reliable path forward; that hope lies with cyber liability and technology E&O insurers.

Psychology’s Relevance in Security

The best way to defeat or at least largely mitigate hackers is with a dynamic defense system. When combined effectively, anti-virus software, NGFWs and the products and services from cybersecurity companies like CyberArk and FireEye can provide an organization with a resilient cybersecurity framework. However, such security measures are expensive and depend on companies that employ IT professionals, which is why many organizations try to fend off cyber attacks only with anti-virus software and an NGFW. Yet there is another method with which to mitigate or prevent cyber breaches, and it is a method that cyber liability and technology E&O insurers need to understand and immediately employ: human psychology.

The most common meeting of psychology and the binary world is the door to the binary world: the password. Most, if not all, underwriters have read an article or heard a lecture about how “password” and “123456” are the most frequently used keys when people attach a password to anything. Moreover, the commonality of those two keys has been a fact for decades, but the insecurity of using commonly known passwords as a passport remains virtually immune to change.

The longevity of weak keys is due to many factors, but at the heart of all the factors is human psychology. It is a behavior that does not want to be bothered with memorizing a multitude of passwords, and one that tries to find the easiest way to meet a password requirement instead of trying to create a strong passport. Most importantly, it is risk and reward psychology that governs the creation of any password. Who cares in the professional world what a person’s password is as long as the work gets done and a person gets paid?

Yet current cyber liability and technology E&O wording does not even try to tackle this most basic insecurity, one that costs insurers large amounts of currency time and again. Insurers will continue to lose vast amounts of money due to the insecurity of a key like “123456” until insurers decide to tackle human psychology and work with technology companies to create a safe path forward out of the current mess with which the digital community finds itself.


If passwords were the only element of enterprise cybersecurity that needed to be reformed, then, to a high degree, the issue would not have far-reaching implications. However, the fact is that the weakness of keys is only a symptom of a larger problem.

Cybersecurity may be a topic that crops up in news headlines on a regular basis, but it is also a topic that is generally viewed as a fringe area of thought. At the enterprise level, this can be seen in one prominent way beyond dysfunctional passports, and that is in individual cybersecurity responsibility. Cyber breaches have cost the global economy no less than $400 billion each year since 2013, have affected essentially every part of the professional sphere, and are bringing governments around the world into conflict with their taxpayers, as shown in one instance when the U.S. government tried to force Apple to make its products less secure.

Nonetheless, to this day a majority of the companies around the world do not put part of the onus on individual employees for a company’s cybersecurity posture. Most companies do not include, in annual employee reviews, an area that deals with how the individual contributed to the strength or weakness of the company’s cybersecurity approach.

Did the employee use a strong password over the past year? Did the employee lock her computer each time she stepped away from her desk? Was the employee’s company computer linked to any cyber attacks? If the employee’s computer was linked to a cyber attack, then had the employee shown an appreciable improvement of her cybersecurity awareness?

By not enforcing the need for every employee to contribute to the cyber safety of the company, employees at all levels are allowed to have a carefree outlook, which is clearly detrimental to the cybersecurity posture of every organization. Even potential employees are not vetted for their sense of healthy cybersecurity. Companies ask numerous questions when interviewing a potential candidate, but very few companies try to assess the individual’s sense of responsibility when it comes to cybersecurity. If employees, and even applicants, are not expected to carry part of the responsibility, then what reason does any employee have to be responsible from a cybersecurity standpoint?

Perhaps more disturbing than the previous issues is that cyber liability and technology E&O insurers do not account for how human behavior influences the development of computer hardware and software. From about 1990 to the present, there has been a relentless movement by technology companies to get products to market at breakneck speed.

While a hardware company like Intel has produced some products of dubious quality, like trying to push its Pentium III processor beyond the 1 GHz level and the Rambus fiasco, hardware producers have largely avoided major mistakes. However, software developers are almost entirely responsible for the creation of a binary world where security has almost always been an afterthought, and human psychology is at the heart of this issue as well.

Since 1990, constant pressure has been placed on software engineers to meet deadlines set by a management system that is focused on everything but cybersecurity, which means that quality is almost always sacrificed to include a flashy software feature or simply to get a product to market quickly. Windows Me, Windows Vista, and Windows 8 are the results of a management system that showed great disregard for the safety of the end user.

Moreover, software engineers themselves also have the psychological outlook that, if an issue does come up after a piece of software is released, it can always be patched at a later date. Perhaps the most obvious example of the patching system in overdrive is that of smartphone operating systems and applications. It is not uncommon for one smartphone application to receive updates two or three times each month. However, the present wording of technology E&O policies and the questions asked in technology E&O applications continue to demonstrate a severe lack of understanding on the part of insurers as to how human behavior gives rise to technology E&O claims.

When it comes to human psychology, it seems that the most egregious lack of understanding by insurers is not comprehending their most prominent adversary: hackers. However, hackers are not all the same, which means that they are driven by different attitudes, thought processes and rewards. More than that, hacking is an art and, just like any other art, there are “newbies,” and there are actual artisans.

In the first of the four hacker tiers are elementary hackers, meaning those people under the age of 14. For the most part, elementary hackers are going to focus on their local geographical community. This is partly due to the experimenting nature of such a young hacker, because a 10- or 12-year-old is still trying to figure out how to hack. Therefore, local targets present the best chances to hone a person’s skills. After all, the basic educational system, especially in the U.S., but elsewhere, too, spends very little on defensive technologies of any kind.

The local courthouse and sheriff’s office spend only slightly more than the educational system, and local merchants still largely maintain the attitude that they somehow do not appear on the radar of any hacker. Therefore, local venues often are the best targets because they often have the least security, in all forms, and consequently are the easiest ones on which to test a person’s skills.

However, insurers largely ignore this first tier and appear to have the mindset that these hackers are unworthy of recognition and that no solution as to how to engage with this group is needed.

The next tier contains the rookie hackers. These are the hackers who successfully “graduated,” unopposed, from the elementary group and who are generally 14 to 22 years old. For this next tier, the motivation is still whether the individual is capable of a hack, but now the target of the hack is going to extend, with ever greater frequency, beyond the immediate geographical location. It will also increasingly encompass working with and learning from others.

This is often the stage where hacktivists are going to begin to form and where the psychology of the hack is going to extend to obtaining items like currency and prestige. As hackers in this group encounter other hackers, they often start to form a set of ethics that make sense, but that are hard for a majority of people to understand. This same group is also going to start to attack national law enforcement institutions, yet even this tier is largely ignored by insurers around the world even though attacks from this group often involve PII, PHI, and payment card data.

Tier three is the first tier that has widespread acknowledgment from all insurers, and this tier encompasses both artisan and professional hackers. The hackers in this tier are often going to be 23 years old and older. One factor that makes this tier of hackers so effective in entering systems where they are not welcome is that they have been able to hone their skills from the age of 10 to 23.

Most people who build and hone a skill set over the course of 13 years will be fairly capable. Another factor is that this tier is composed of people who have a sense of identity, which means that this group has formed its own moral compass and conforms to ethics and outlooks that often fall outside of the global mainstream. This sense of identity and associated ethics gives rise to groups like the FireEye-branded FIN6 group, or the hacktivist group Anonymous.

A group like FIN6 is capable of inflicting hundreds of millions of dollars in damage on the global economy, but, because cyber liability and technology E&O insurers have ignored the first two tiers of hackers, they are unable to appreciate the depth and abilities of tier three hackers.

The fourth tier of hackers has been known to insurers for years now, as well as to law enforcement organizations around the world. This tier is composed of hackers who work for effective cybercrime groups, like FIN6, or larger cybercrime groups; hackers who are ardent supporters of a sociological or political philosophy (hackers for ISIS are a current example of this); and hackers who work for nation-states, whether directly employed or occasionally contracted to work.

These hackers have narrow views of the world, their ethics often fall outside of the norm of most hackers, and they are constantly trying to expand ways by which to wage cyber warfare (Stuxnet is a recent successful example); they are the embodiment of ghosts in the network. Tier four hackers are almost always the hackers who cause the most damage while leaving virtually no trace of their activities, and they are beyond insurers’ ability to engage with in any reformative manner.

Human behavior is at the core of every single data breach initiated by a human. The hacking of Equifax is perhaps the most recent egregious example of this. The Equifax hack occurred because of a psychological company mindset of complacency as well as the hackers’ own psychological reasons. Complacency is clearly demonstrated in the cybersecurity posture that the company was maintaining: It can be done later.

The hole that allowed the hackers to gain access and successfully acquire copious amounts of non-public data had a fix that was released in March 2017, but by May 2017 Equifax still had not patched the vulnerability. There is also evidence that Equifax was notified as early as December 2016 that its systems were not secure.

With the PII that a credit rating agency has, such a delay in patching critical systems is unacceptable. However, with no government or market pressure to behave responsibly, Equifax and its ilk will continue to suffer data breaches time and again, and time and again consumers, and ironically insurers, will continue to exist in a world of ever-increasing uncertainty as to which direction financial harm will arrive from.


While insurers’ failure to account for human psychology is a severe oversight, the path forward is equally undeniable: Engage with as many tier one and tier two hackers as possible, and ensure that cyber liability and technology E&O applications allow insurers to assess the psychological outlook an applicant has with regard to cybersecurity.

In the April 2016 edition of the PLUS Journal, it was argued that insurers need to work with other companies involved in technology, marketing and lending and in other parts of the private sector to create an international competition. This competition would give students a creative outlet to display their skills, whether they be in coding, design or writing. By establishing such a competition and working with educators worldwide, insurers and other companies can give potential tier one and two hackers a creative outlet for their skills as well as an affirmation that their skills can lead to healthy career paths.

By finding these individuals through an international competition, not only can insurers reduce the risk to their insureds of being hacked by the reduction in numbers of hackers, but they can also find the people who are capable of creating next-generation products.

Without spending the needed effort, though, insurers will continue to lose money at unsustainable levels to cyber liability and technology E&O claims, claims that could have been avoided by investing in adolescents, who, after all, are the future, but who also are the most vulnerable to negative influences.

By also asking the right questions in a cyber liability and technology E&O application, insurers can assess the psychological outlook of a corporate applicant and make a far more informed decision as to whether to underwrite the risk. Had insurers asked Equifax questions that appropriately gauged its perception of the importance of cybersecurity, they could have avoided the risk of underwriting the firm.

Surely, asking eight psychological questions to save $100 million is better than accepting $300,000 in insurance premium and all the uncertainty attached to that premium.

Over the past four thousand years, battles and wars have often been won by the continued incorporation into the battlefield of new technology, whether the technology was metallurgical or mechanical, but understanding the psychological mindset of the enemy has also been a determining factor. The ever-present value of human behavior has not been lost on most of the private sector, either. Psychology is at the core of a multibillion-dollar industry like advertising, and it is represented daily in the greed and fear index on Wall Street. Understanding the psychological mindset of a company as it concerns its cybersecurity posture, and understanding hackers, must without question be embraced by insurers.

However, until insurers realize the very real relevance of human psychology, they and their insureds will continue to lose substantial amounts of currency, time and sense of security, and the global economy will continue to be destabilized.

The Need to Educate on General Liability

In a perfect world, insurance buyers would understand their products just as well as their insurance agents do. This would save a few headaches for everyone involved, and it would probably streamline the process on all ends. However, the reality is that most business owners don’t understand the extent of the insurance products they purchase. Then again, no one should expect them to.

Insurance products are highly complex vehicles. Few business owners have the time to invest in becoming experts in the field or in the products they purchase. Even the best insurance agents spend years learning about the products they sell, many of which change frequently as the economy changes.

That being said, no business owner should simply buy a product without understanding the most important aspects regarding what it does and does not cover. In truth, a highly skilled insurance agent should never let them, either. Here’s where there can be a gap between how much insurance a business purchases and how much it actually needs, showing why educating business owners on the extent of their insurance really matters.

False Perceptions of General Liability Are Common

Many customers tend to believe their insurance covers more than it actually does. This situation could probably be applied to any insurance product, but general liability policies are often the most frequently misunderstood by buyers.


To put it simply, far too many businesses are purchasing less insurance coverage than they should. In a sense, many are taking a huge gamble, believing their risk exposure is less than what it actually is or that their preventative measures, such as employee training, can shield them from those risks. While risk prevention definitely helps, it’s ultimately far from the bulletproof shield many companies think it is. Most companies do it to help themselves get a better rate on their insurance, while maintaining the false perception that their general liability coverage protects them against a multitude of risks not actually defined in the policy.

As a company scales in size, so, too, does its likelihood of experiencing losses related to cyber liability, employee fraud, fiduciary liability, directors and officers (D&O) liability or workplace violence. Yet many companies seem not to realize their exposure.

This would, of course, be less troubling if companies were purchasing policies that actually covered those kinds of risks. Overwhelmingly, they’re choosing to avoid those insurance products altogether. According to Chubb’s survey on private company risk, non-purchasers believed their general liability policy covered:

  • Directors and Officers Liability (65%)
  • Employment Practices Liability (60%)
  • Errors & Omissions Liability (52%)
  • Fiduciary Liability (51%)
  • Cyber Liability (39%)

Businesses aren’t failing to purchase enough liability coverage because they’re unnecessary risk takers. Most, it seems, simply have false perceptions about what their general liability will and won’t do.

A small business may think its general liability policy covers a server hack. Yet, lo and behold, when a server gets hacked and the ensuing liability claims start pouring in, that small business may quickly find itself underwater. In fact, the U.S. National Cyber Security Alliance found that 60% of small companies went out of business within six months of a cyber attack. This seems extreme, but the average cost for a small business to clean up after a hack is $690,000, according to the Ponemon Institute. How many small- or medium-sized businesses can easily absorb that kind of cost without insurance coverage? Not many.

Similarly, mid-sized companies may believe their general liability policy covers directors and officers, leaving the company with unnecessary risk exposures should an incident occur. If, for example, a company begins operating internationally and fails to effectively meet one of the federal regulations governing its industry, a general liability policy won’t help protect the company from impending lawsuits. Any directors held personally responsible may find their own personal assets at risk. Given what we learned from the Chubb survey, it’s quite likely that most directors may think they’re fine with the minimal coverage they receive from a general liability policy. A costly mistake, to be sure.

Who’s to Blame?

We’ll leave the finger pointing aside for now and settle on this: The customer is always right, but he’s not always well-informed. As every insurance agent knows, the amount of time it takes to fully understand an insurance product can be extensive. Business owners, in general, lack the time to invest in fully understanding the products they purchase. It should come as no surprise, then, that misunderstandings arise over what general liability policies actually cover and what risks they simply won’t mitigate.


Insurance agents have a responsibility to use their knowledge to help business owners better understand and sift through those misconceptions. More needs to be done to help decision-makers understand what they are and are not getting from their insurance.

Helping businesses better understand the ins and outs of their general liability policy is a win-win all around.

New Attack Vector for Cyber Thieves

It has become commonplace for senior executives to use free Web mail, especially Gmail, interchangeably with corporate email. This has given rise to a type of scam in which a thief manipulates email accounts. The goal: impersonate an authority figure to get a subordinate to do something quickly, without asking questions. The FBI calls this “CEO fraud,” and a surge of these capers has resulted in scammers stealing a stunning $750 million from more than 7,000 U.S. companies from October 2013 through August 2015.

Here is an example where the scammer targets an attorney from a big city in the Northeast.

Attack vector: The scammer gathers intelligence about real estate transactions handled by an attorney and drills down on a specific deal in which the law firm is handling the purchase of a $450,000 home for a client. The scammer learns this attorney is in the habit of using his personal Gmail account interchangeably with his law firm’s email. As the transaction approaches the final step, the attorney’s paralegal receives a spoofed email that appears to come from her boss. She instantly follows a directive to cancel a check for $450,000 that she is about to mail and instead wires the funds into an account designated by the scammer.


Distinctive technique: The funds initially get routed to another law firm in the Southwest. A subordinate in this law firm also appears to have been spoofed by the scammer to be prepared to move funds once again, this time into an account set up in a U.S. branch office of Sumitomo Bank, a giant global institution with headquarters in Tokyo. “At this point, it is not likely the $450,000 will ever be recovered,” says IDT911 Chief Privacy Officer Eduard Goodman. “Once a transfer like this is made, you can’t really unring that bell.”

Wider implications: U.S. consumers are well protected by federal law, and banks usually will reimburse individual consumers victimized by cyber criminals. However, banks are under no legal obligation to offer any relief to businesses, large or small, that have been tricked like this. Most of the $750 million lost in documented cases of CEO fraud has most likely been absorbed by the duped business entities.


Excerpts from ThirdCertainty’s interview with Goodman. (Answers edited for length and clarity.)

3C: Businesses are losing one heck of a lot of money to CEO fraud.


Goodman: Yeah, absolutely. This one was for about $450,000. There is another woman with a ballet company who recently lost about $100,000. It’s significant chunks, let’s put it that way. And because this is happening in a business setting, it’s a little bit different in that your bank won’t stand behind you. It’s caveat emptor. There is no consumer protection. When something like this happens to your business, you’re out of luck.

3C: Why aren’t suspicious transactions flagged more often?

Goodman: The government will tend to go after companies for anything that may have to do with consumer violations. But when businesses impact other businesses, the government doesn’t do a damn thing, even if the victim is a really small business and they’re essentially consumers in and of themselves. Banks have that unfair advantage to say, ‘Well, sorry, should have flagged it, but we just process it for you.’

3C: So by using free Web mail this attorney sort of invited spoofing?

Goodman: He kind of commingled accounts, that’s the thing. He had his law firm’s email, and he also had a personal Gmail account. He would send emails from both accounts. That is something that has become a very common practice. He probably had previously emailed himself something from his actual work account into his Gmail account. This scammer probably got into his Gmail account, and then made the connection to his law firm account.

Then it was off to the races. The paralegal gets the wire transfer request from an email that’s very close to an authentic law firm email except there’s an extra letter in the domain name. It looks very credible.

3C: Could this have been avoided?

Goodman: Yes, by taking the extra 45 seconds to make a phone call. Pick up the phone and verify things instead of getting caught up in the workday.
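The attack-vector paragraph and the interview above describe the same pattern: a wire request arriving from a domain one letter away from the firm’s real domain. The following is an added example (not code from the article or from IDT911) of the two controls a defender would want: flagging sender domains that are a near-miss of a trusted domain, and forcing out-of-band (phone) verification of any message that asks to move funds, regardless of domain. The domain names and messages are constructed for the example.

```python
"""Flag lookalike sender domains and funds-movement requests in inbound mail.

Added example, not part of the original article. TRUSTED_DOMAINS and the
sample messages below are constructed placeholders.
"""
import re

TRUSTED_DOMAINS = {"examplelawfirm.com"}  # constructed: the firm's real domain
WIRE_WORDS = ("wire", "transfer", "cancel the check", "routing number")


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert / delete / substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Extract the lowercased domain from a From: header value."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower() if m else ""


def assess(from_header: str, subject: str, body: str) -> dict:
    """Classify the sender domain as trusted / lookalike / external and say
    whether the message must be verified by phone before acting on it.

    A funds request always requires a callback: in the article the real
    account was compromised, so a trusted domain alone proves nothing."""
    domain = sender_domain(from_header)
    text = f"{subject} {body}".lower()
    wants_funds = any(w in text for w in WIRE_WORDS)
    if domain in TRUSTED_DOMAINS:
        verdict = "trusted"
    elif any(0 < levenshtein(domain, t) <= 2 for t in TRUSTED_DOMAINS):
        verdict = "lookalike"  # one or two edits away from a real domain
    else:
        verdict = "external"
    return {"domain": domain, "verdict": verdict,
            "quarantine": verdict == "lookalike",
            "verify_by_phone": wants_funds}


if __name__ == "__main__":
    # Constructed message: extra letter in the domain, as in the article.
    print(assess("Boss <boss@examplelawfirrm.com>", "Re: closing",
                 "Please cancel the check and wire the funds today."))
```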

Protecting Institutions From Cyber Risks

Recently, an email glitch at Florida State University resulted in the accidental emailing of alleged misconduct and housing violations to more than 13,000 current and former students.

The emails may have revealed the personal information of multiple students and may have disclosed confidentially reported information relating to harassment and alleged sexual assaults. The emails were not sent by anyone on campus but were the result of a technical glitch in the university’s database. The glitch left students confused and, in some cases, frightened and concerned for personal safety. University personnel, including FSU’s Title IX Coordinator, moved quickly to address student concerns, but the proverbial cat was already out of the bag. It will likely be some time before the full consequences of the breach will be known or what the final outcomes will be.

In the wake of FSU’s inadvertent disclosure crisis, a review of the privacy procedures in place at an institutional level may be in order to prevent these types of unintended disclosures in the future. It is also important to review the indemnity agreements between the university and third-party service providers such as the database administrator or software provider. Finally, it is important to review how cyber liability insurance may respond in the event of a data breach.

Data Privacy Protocols

When discussing data privacy protocols, there are three primary areas of concern. They are how to protect:

  1. Information (e.g., personally identifiable data stored on a server)
  2. Mechanisms/systems that make up the physical housing for the information (e.g., the server itself)
  3. Users accessing the information

A breach of confidential information or data loss can occur at any of the three levels in any number of ways. It is impossible to quantify or evaluate every single manner in which a breach may occur—or how data may be lost.

What is important is establishing a protocol that takes into consideration all three areas where a breach may occur. In most cases, it is easy to focus on external threats and user misconduct but overlook the potential for data breach arising from internal system failures or glitches.


In developing data security protocols, it is important to engage in a comprehensive threat assessment that includes evaluation of user-based or external potential breach areas as well as the possibility of an equipment failure/glitch.

A few areas to consider when reviewing internal data breach/data loss response protocols:

  1. Who is the architect of the protocols? (Are the foxes guarding the hen house?)
  2. Does your protocol comply with statutory requirements and contractual requirements such as PCI compliance, Title IX, HIPAA or other state and federal laws?
  3. Does the protocol specifically address each element of concern identified above? (protection of information, protection of systems, protection of users)
  4. Is there a progressive (tree) notification process? (Do the participants understand where they are in the tree? Does the process include notification to external stakeholders such as legal authorities, insurers, external legal counsel, and crisis management or PR firm?)
  5. Is there strong leadership/executive level buy-in of the protocol?
  6. Is there a training element? (Does it include tabletop or scenario-based practice?)
  7. Is there periodic review of systems and processes to identify and change obsolete protocols and replace key stakeholders in the event of turnover?

Indemnity/Hold Harmless/Limitation of Liability Agreements

Vendor service agreements, user license agreements and even software agreements typically include indemnity terms. In most cases, these terms are one-sided, in favor of the seller or service provider.

Essentially, the purpose of an indemnity agreement is to contractually shift responsibility for loss/damage from one party (seller) to another party (buyer). These types of agreements vary in scope, strength and enforceability but, in most cases, involve a release or limitation of buyer’s claims or potential claims against the seller. In some cases, the buyer may assume full responsibility for any loss, including an affirmative responsibility to protect and defend the seller in the event of third-party claims.

There may also be a limitation on the type and extent of damages a buyer may seek against the seller or service provider—in some cases, the recovery may be limited to the value of contract or agreement. Your institution’s risk management and legal teams should carefully review indemnity terms to fully understand the extent of risk assumed by the institution in executing an agreement with a third party.

As part of a comprehensive risk management process, consider limiting acceptance of comprehensive indemnification terms in a contract. This is especially important where the institution is being asked to waive its legal rights or outright indemnify a vendor for the vendor’s own negligence, misconduct or product/service failure. A few areas to consider in reviewing contract terms:

Indemnity/Hold-Harmless Terms

  1. Who is the indemnitee (recipient of the indemnity) and who is the indemnitor (provider of the indemnity)?
  2. Does the indemnity agreement require one party to indemnify for the other party’s own negligence or misconduct?
  3. Does the indemnity agreement include an obligation to affirmatively defend the indemnitee? Is there a time limit to accept or reject the defense?
  4. Who is responsible for counsel selection?
  5. Is approval needed to settle claims?

Limitation of Liability

  1. Is there a limitation of liability?
  2. Does the limitation favor the institution or vendor?
  3. Is the limitation reasonable in light of the potential for loss or damage or the nature of the service provided? (Limiting liability to the contract value may not be reasonable if the contract value is low and the risk of loss is high.)
  4. Are there carve-outs for negligence or misconduct, or is the limitation of liability intended as the sole remedy?
  5. Does the limitation of liability conflict with the indemnity terms?

Cyber Liability Insurance

In the past few years, cyber liability insurance has gained significant attention among insurance brokers and clients. Cyber insurance refers to a suite of related insurance products that provide various types and levels of protection to insureds that may suffer from data loss or data breach.

There are three major components of cyber liability insurance:

  1. First-party coverage for loss or damage to or interruption of the institution’s electronic equipment and electronic services
  2. Third-party coverage for the liability imposed upon the institution for loss or exposure of third-party data; coverage for third parties may include costs for notification, credit monitoring and credit restoration services
  3. Coverage for regulatory requirements as well as for fines and penalties assessed against the institution as part of a covered loss

Unlike some property and casualty insurance products such as general liability or auto insurance, cyber liability insurance is not standardized. Instead, each insurance company issues a customized policy. These policies may vary greatly from insurer to insurer and can often include a la carte coverages that may significantly affect the breadth and scope of coverage.

A careful review of institutional and vendor policies is strongly recommended to ensure that the coverage purchased addresses the actual risks of the institution. Some questions to consider when reviewing your cyber liability policy:


First-Party Coverage

  1. How does the policy respond to loss or damage to the institution’s own computer equipment, servers or other hardware components?
  2. How does the policy define a physical loss? (Does it include loss of Internet-based platforms such as web portals, or only loss of physical components?)
  3. Is there a waiting period for business or data interruption?

Third-Party Coverage

  1. How does the policy respond to breach of confidential or personally identifiable information?
  2. Is coverage provided based on a total number of affected persons or provided on a blanket limit basis?
  3. Is there a minimum/maximum affected person limit?
  4. How is a third-party loss defined? Does it include accidental loss, computer glitches or loss of non-electronic information? (e.g., is there coverage if a laptop containing personally identifiable information is lost? Or if physical records are removed or destroyed?)
  5. Is the coverage triggered only when there is a statutory or governmental notification requirement, or does it cover voluntary notification?

Fines/Penalties

  1. Does the policy include coverage for fines/penalties including payment card industry (PCI) data security standards noncompliance?
  2. Is there a sublimit for the coverage?
  3. Are punitive or exemplary damages included?

Conclusion

It is important to take a thoughtful approach to securing data in all its various forms. An individual protocol alone is not enough to fully secure your institution in the event of a data breach. It is also important to review vendor service agreements, user agreements and software licenses to ensure an understanding of the indemnity/hold-harmless and limitation of liability provisions, which may be present in a current agreement—and which may open up the institution to unintended liability due to the negligence or misconduct of a third party.

Finally, it is important to review and understand the types and scope of the institution’s cyber liability coverage—or to consider purchasing this coverage if the institution does not currently maintain coverage.