
The State of Cyber Insurance

Cyber attacks are escalating in their frequency and intensity and pose a growing threat to the business community as well as the national security of countries. High-profile cyber incidents in 2014 reflected the expanding spectrum of cyber threats, from point-of-sale (POS) breaches against customer accounts to targeted denial-of-service (DoS) attacks meant to disable a company’s network. Businesses in ever-greater numbers sought financial protection through insurance, buying coverage for losses from data breaches and business outages.

Boost in Cyber Insurance Demand Drives Insurers’ Response

Healthcare facilities, universities and schools continue to be on cybercriminals’ radar, but attacks in the hospitality and gaming, power and utilities and other sectors reveal that no organization is immune to a cyber attack or failure of technology.

Healthcare and education clients had the highest cyber insurance take-up rates in 2014, followed by hospitality and gaming and services. Universities and schools present attractive targets because they house a vast array of personal information of students, parents, employees, alumni and others: Social Security numbers, healthcare information, financial data and research papers can all be compromised.

The broader scope of hacktivists contributed to the increase in cyber insurance purchases in 2014. Sectors that again showed notable year-over-year increases in the number of clients purchasing cyber coverage included hospitality and gaming and education. Other areas that stood out in 2014 included the power and utilities sector, with more clients buying standalone cyber coverage. Power and utilities companies frequently cite the risks and vulnerabilities associated with the use of supervisory control and data acquisition networks — which control remote equipment — and the cost of regulatory investigations as driving factors behind their cyber coverage purchases.

The reasons for purchasing cyber coverage vary from board mandates seeking to protect corporate reputations to companies looking to mitigate potential revenue loss from cyber-induced interruptions of operations. Insurers responded to this demand by offering broader cyber insurance coverage in 2014, including coverage for contingent business interruption and cyber-induced bodily injury and property damages. They also expanded availability of loss-control services, including risk-assessment tools, breach counseling and event response assistance.

Cyber Limits Rise

Companies with revenues of more than $1 billion have increased their cyber insurance limits worldwide by 42% on average since 2012, according to Marsh Global Analytics estimates. Over the same time period, healthcare companies have bought 178% more cyber insurance, and power and utilities firms have expanded their coverage by 98%.

Figure: Rising spending on cyber insurance. Source: Marsh Global Analytics. Percentage increase in spending by companies with more than $1 billion in revenues on cyber-risk insurance from 2012 through 2014.

Cyber Rates and Coverage

Increases in the frequency and severity of losses and near-constant headlines about attacks and outages kept cyber insurance premiums generally volatile in 2014. Average rate increases at renewal for both primary layers and total programs were lower in the fourth quarter than in the first. The increased loss activity prompted pricing challenges for some insureds, particularly retailers, where renewal rates rose 5% on average and as much as 10% for some clients.

Market capacity also varied according to industry. Most industries were able to secure cyber coverage with aggregate limits in excess of $200 million, while the most targeted industries, like retailers and financial institutions, faced a challenging market.

Insureds also face heightened due diligence from underwriters seeking to drill down beyond simple reviews of the company’s general information security policies. For example, insureds in the retail sector are being asked about their deployment of encryption and EMV (credit card) technology. And all insureds are now routinely asked whether they have formal incident response plans in place that outline procedures for protecting data and vendor networks and, more importantly, if such plans have been tested.

A Growing Concern

In 2015, managing cyber risk is clearly a top priority for organizations. For example, business interruption (BI) drew a lot of attention in 2014, a trend likely to continue throughout 2015. While BI has historically been thought of as the effect of a critical system going down for an extended period, technology failures and cyber attacks can create far-reaching outages affecting secondary systems, clients and even vendors. Such events can also lead to higher recovery costs, which are becoming a concern for boards of directors and senior management.

There is also concern stemming from the expansion of regulation and litigation. Regulators were active in policing cyber risks in 2014, and oversight is likely to expand significantly in coming years. With cyber risk seen as a critical issue on both sides of the aisle in Washington, D.C., companies will face regulatory challenges in 2015 and beyond.

Sectors that have already seen significant regulatory activity — for example, healthcare, financial services and education — will likely face more stringent regulations and larger fines. All industries should pay attention to existing and impending regulations, tighten controls and prepare to present and defend their compliance regime. Civil litigation in the wake of a breach or disclosure of a cyber event also escalated in 2014, with class actions at times following the disclosure of a breach by mere hours.

As demand for cyber insurance grows, remember that risk transfer is only part of the solution. Enhanced information sharing between industry and government is another step toward having a comprehensive risk-mitigation strategy. Insurers and brokers are expanding the availability of loss-prevention and risk-mitigation services such as risk-assessment tools, breach preparation counseling and breach response assistance. The expanded roster of services and enhanced coverage can provide additional value from policies, usually without a specific added premium.

The 7 Keys to Strong Passwords

Creating a strong password may seem like a chore, but sometimes it can literally be the only thing standing between a cybercriminal and your personal and financial information or access to your company’s network and intellectual property. Here are some tips for creating a strong password (that you can actually remember):

1) The most important factor in creating a secure password is length. A longer sequence of characters (letters, numbers and possibly punctuation marks) means more possible combinations to help thwart an attacker. The absolute minimum should be 12 characters. If a password has eight characters, for example, modern password cracking software will break it in a matter of hours. A difference of four characters in a password may not seem like much, but there is a huge increase in the number of possible combinations it will yield (and hence attempts that the cracking software will have to make before it can break the password in question). Even if only letters and numbers are allowed, there are 14 million times as many combinations with a 12-character password vs. an eight-character one. If punctuation marks are included, the 12-character password is 81 million times as hard to break. Simply put, longer passwords are always better.

2) Use a nonsensical (or completely personal) passphrase. You can pick a password that is both easy for you to remember and hard for an attacker to figure out. If you really want to, you can mix in random characters like $, @, etc., though hackers are well aware that people try this trick. Truth be told, it’s really the length that makes a passphrase difficult to crack, so the special characters will essentially make the password more difficult to remember while not making it any harder to break.

When creating your phrase, make sure it really is unique to you (or genuinely random). Avoid famous literary quotes and song lyrics – hackers can check for those. A good nonsensical passphrase might be something like: CyanStapleWashingtonBanana44 (don’t use this exact one – or any other suggestion you see online. Hackers can find those, too). A personal phrase can be effective because it relates to something that’s memorable to you. Just make sure it isn’t a widely known event. Perhaps you can use that time you were surprised at the aquarium: “BlueLobstersAreReal!” It’s long enough that a machine won’t break it anytime soon; no one is going to guess it; and you will remember it.

3) Don’t use the same password for multiple sites. Reusing passwords is known as “daisy-chaining.” If one account gets compromised, it will instantly expose others with the same (or a similar) password to attacks.

4) Don’t have a file or email called “passwords” anywhere on your computer (or saved in an email). These are easy for a hacker to find.

5) Change passwords regularly – perhaps every few months. If a database storing a site’s passwords has been compromised (which is often not discovered right away), changing a given password makes it effectively useless to an attacker even if it’s stolen and eventually cracked.

6) Use “multi-factor authentication” whenever it’s available. Additional “authentication factors” are just ways to ensure you are who you say you are. This can mean something like a fingerprint scanner or a code sent to your phone via text message that is then entered in addition to your password. If an attacker only has your password, she still won’t be able to get access. If you’re curious to see what this looks like in practice, Google has a good explanatory video here.

7) Avoid using security questions, if you can. Frequently, these questions are used as a way around the dreaded “I forgot my password” problem. The questions may sound helpful, but they almost always focus on information that can be found elsewhere online (where you went to school, pet’s name, favorite color, etc.). Any hacker will know to look for this information and can use it to get into your account – and potentially lock you out. Unfortunately, some sites require you to use the questions. If possible, try to select questions that don’t have just a few or even a single answer that a hacker can find (your mother’s maiden name, for example).
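The first three tips can be turned into concrete checks. The block below is an added example, not code from the original post: it computes the search-space ratios the post quotes for 8- versus 12-character passwords, estimates worst-case cracking time at an assumed guess rate, and flags candidates that are too short, match a small constructed blocklist of published phrases, or reuse (or lightly vary) a password already in use. The 12-character minimum and the 62-symbol and 95-symbol alphabets come from the post; the guess rate, the blocklist entries and the function names are assumptions made for illustration.

```python
"""Password hygiene checks based on the tips in the post.

Added example, not code from the original post. Numbers taken from the post:
the 12-character minimum, the 62-symbol (letters + digits) and 95-symbol
(all printable ASCII) alphabets, and the resulting 14-million / 81-million
ratios between 8- and 12-character passwords. Assumptions: the guess rate
used for time estimates and the tiny constructed blocklist.
"""
import re
from typing import Iterable

MIN_LENGTH = 12            # minimum length recommended by the post
ALNUM = 62                 # a-z, A-Z, 0-9
PRINTABLE = 95             # every printable ASCII character, space included
ASSUMED_GUESS_RATE = 1e10  # guesses per second; an assumption, not a measurement

# Constructed stand-in for the lists of famous quotes, lyrics and published
# example passwords that attackers can try. Entries are stored as "cores"
# (letters only, lowercased) so that "Quote123!"-style variants are caught too.
KNOWN_PHRASES = {
    "cyanstaplewashingtonbanana",      # the post's own example, which it says not to reuse
    "tobeornottobethatisthequestion",
    "correcthorsebatterystaple",
}


def core(password: str) -> str:
    """Letters only, lowercased: 'Summer2014!' and 'summer2015' both give 'summer'."""
    return re.sub(r"[^a-z]", "", password.lower())


def search_space(length: int, alphabet: int) -> int:
    """Number of distinct passwords of exactly `length` characters over `alphabet` symbols."""
    return alphabet ** length


def length_ratio(short: int, long: int, alphabet: int) -> int:
    """How many times more candidates a `long`-character password has than a `short` one."""
    return search_space(long, alphabet) // search_space(short, alphabet)


def seconds_to_exhaust(length: int, alphabet: int, rate: float = ASSUMED_GUESS_RATE) -> float:
    """Worst-case time to try every candidate at the assumed guess rate."""
    return search_space(length, alphabet) / rate


def is_reused(candidate: str, existing: Iterable[str]) -> bool:
    """Tip 3: flag exact reuse and light variations (same letters, different digits/symbols)."""
    c = core(candidate)
    return any(p == candidate or (c and core(p) == c) for p in existing)


def check_password(candidate: str, existing: Iterable[str] = ()) -> list:
    """Return a list of problems; an empty list means the candidate passes tips 1-3."""
    problems = []
    if len(candidate) < MIN_LENGTH:                        # tip 1: length comes first
        problems.append(f"too short: {len(candidate)} < {MIN_LENGTH}")
    if core(candidate) in KNOWN_PHRASES:                   # tip 2: no published phrases
        problems.append("matches a published phrase or example password")
    if is_reused(candidate, existing):                     # tip 3: no daisy-chaining
        problems.append("reuses or lightly varies a password already in use")
    return problems


if __name__ == "__main__":
    print("8 -> 12 chars, letters+digits:", length_ratio(8, 12, ALNUM))       # 14,776,336
    print("8 -> 12 chars, printable ASCII:", length_ratio(8, 12, PRINTABLE))  # 81,450,625
    print("hours to exhaust 8 alnum chars:", seconds_to_exhaust(8, ALNUM) / 3600)
    print("years to exhaust 12 alnum chars:", seconds_to_exhaust(12, ALNUM) / (3600 * 24 * 365))
    for pw in ["BlueLobstersAreReal!", "Tr0ub4dor&3", "CorrectHorseBatteryStaple1!"]:
        print(pw, check_password(pw, existing=["Summer2014!"]))
```

The time estimate is for exhaustive search, so it is an upper bound on the attacker's effort; at the assumed rate, eight alphanumeric characters fall in about six hours while twelve take centuries, which is the post's point about length. In a real deployment the three-entry blocklist would be replaced by a breached-password list, and the "core" comparison would be applied when a user changes a password so that a yearly digit bump is rejected as reuse.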

Remember that there is no such thing as an impervious system, but that doesn’t mean you should make it easy for attackers. If you’re a difficult target, they may well move on to an easier one.