Tag Archives: Equifax

How to Create Resilient Cybersecurity Model

As data breaches increase in type, severity and number, more companies plan to purchase cyber insurance. While cyber insurance premiums in the U.S. were $5 billion in 2016, projections indicate they will increase to $20 billion by 2020. Complex cyber crimes mean insurers find themselves in increasingly contentious relationships with their insureds. To create a resilient business model, both parties need to communicate effectively and understand the overt and hidden risks they face.

The Underwriting Communication Gap

Information forms the basis of strong underwriting. With traditional general liability policies, insurers can easily gather information on a company’s financial solvency by reviewing publicly available documents such as annual financial reports or credit ratings. With cybersecurity policies, attack vectors extend in a variety of directions, making information less tangible for underwriters.

With a compound annual growth rate of 41%, cyber insurers need insight into the full range of their insureds’ risks. The present model relies on questionnaires from applicants; however, when insureds misrepresent or misunderstand their risks, insurance companies suffer billions in losses. Often, the cost of a breach exceeds a policy’s liability limits, meaning that even companies with insurance find themselves underinsured. Because courts generally agree that general liability policies do not cover cyber loss, business continuity plans require appropriate insurance aggregates to fully cover losses.

Even the most sophisticated companies find themselves unaware of their biggest cyber risks. When insureds lack data, underwriters cannot effectively write policies. Thus, the communication gap poses a risk both for the insureds that remain underinsured and for the insurance companies that may be overextending their books of business. Security ratings act as a tool that allows better communication between insurers and their insureds when establishing a cyber security policy relationship, similar to credit ratings in the general liability arena.


The Claims Communication Gap

Insureds use insurance to protect their internal and external stakeholders. However, the communication gap creates a claims problem for insureds. Coverage litigation costs and a sense of betrayal ruin relationships between companies that share the economic ecosystem.

The Equifax breach offers a contemporary example. Most recent estimates place Equifax’s breach costs at $275 million, but the company retained only $75 million in cybersecurity insurance. The attackers entered through a known vulnerability in the Apache Struts web application framework (CVE-2017-5638) for which a fix was already available; Equifax attributed the missed patch to a single employee. A company that does not understand its own patching cadence cannot describe its exposure accurately to an underwriter, and Equifax’s failure to do so left it underinsured and, ultimately, facing severe losses.
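As an added illustration of what “patching cadence” means in practice (example code written for this page, not Equifax’s or Apache’s own tooling), the following Python computes, for a constructed inventory, how long each deployment of an affected component stayed exposed after an advisory and how many were fixed within a service-level window. The affected version ranges are those Apache published for the Struts bulletin S2-045 (CVE-2017-5638): 2.3.5 through 2.3.31, fixed in 2.3.32, and 2.5 through 2.5.10, fixed in 2.5.10.1. The hostnames, dates and the Advisory and Deployment record layouts are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Advisory:
    """A vendor advisory; hypothetical record layout for this example.

    branches maps a release branch ("2.3") to (first affected, first fixed) versions.
    Versions below the first affected or at/above the first fixed are not vulnerable.
    """
    component: str
    branches: Dict[str, Tuple[str, str]]
    disclosed: date


@dataclass(frozen=True)
class Deployment:
    """One deployed copy of a component, as recorded in an asset inventory (hypothetical)."""
    host: str
    component: str
    version: str                 # version running when the advisory was published
    patched_on: Optional[date]   # date the fixed version went live, None if still unpatched


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1). Tuple comparison orders releases correctly,
    including the four-component hotfix numbers Struts uses."""
    return tuple(int(part) for part in version.split("."))


def branch_of(version: str) -> str:
    """Release branch of a version string: '2.3.31' -> '2.3'."""
    major, minor = version.split(".")[:2]
    return f"{major}.{minor}"


def is_vulnerable(version: str, advisory: Advisory) -> bool:
    """True when version falls inside the advisory's affected range for its branch."""
    affected = advisory.branches.get(branch_of(version))
    if affected is None:
        return False  # branch not listed in the advisory
    first_affected, first_fixed = (parse_version(v) for v in affected)
    return first_affected <= parse_version(version) < first_fixed


def patch_latency_days(dep: Deployment, advisory: Advisory, as_of: date) -> Optional[int]:
    """Days from disclosure to the fix going live, or to as_of if still exposed.
    Returns None when the deployment is not affected by the advisory."""
    if dep.component != advisory.component or not is_vulnerable(dep.version, advisory):
        return None
    end = dep.patched_on if dep.patched_on is not None else as_of
    return (end - advisory.disclosed).days


def cadence_report(deps: List[Deployment], advisory: Advisory, as_of: date,
                   sla_days: int = 30) -> dict:
    """Summarise patching cadence for one advisory across the whole inventory."""
    latencies = [(d, patch_latency_days(d, advisory, as_of)) for d in deps]
    affected = [(d, n) for d, n in latencies if n is not None]
    return {
        "affected": len(affected),
        "within_sla": sum(1 for d, n in affected if d.patched_on is not None and n <= sla_days),
        "still_exposed": sorted(d.host for d, _ in affected if d.patched_on is None),
        "max_latency_days": max((n for _, n in affected), default=0),
    }


# Affected ranges are from Apache's S2-045 bulletin. The bulletin was published in
# March 2017; 7 March is assumed here purely as the start of the exposure clock.
STRUTS_S2_045 = Advisory(
    component="struts2-core",
    branches={"2.3": ("2.3.5", "2.3.32"), "2.5": ("2.5", "2.5.10.1")},
    disclosed=date(2017, 3, 7),
)

# Constructed inventory: hostnames, versions and patch dates are invented for the example.
INVENTORY = [
    Deployment("web-01", "struts2-core", "2.3.31", None),               # never patched
    Deployment("web-02", "struts2-core", "2.3.31", date(2017, 3, 20)),  # patched in 13 days
    Deployment("api-01", "struts2-core", "2.5.10", date(2017, 5, 2)),   # patched in 56 days
    Deployment("api-02", "struts2-core", "2.5.10.1", None),             # already on the fix
    Deployment("legacy-01", "struts2-core", "2.3.4", None),             # below affected range
]
AS_OF = date(2017, 7, 29)

if __name__ == "__main__":
    print(cadence_report(INVENTORY, STRUTS_S2_045, AS_OF))
```

Run stand-alone, the script prints the report for the constructed inventory; the same functions can be pointed at a real inventory export. The number an underwriter actually wants is the distribution of patch latency across many advisories over time, not a single figure, and a host that is still exposed months after disclosure is exactly the condition that a questionnaire answered from memory tends to miss.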

Information Enables Resilience

The information security community focuses on resilience. When a distributed denial of service attack causes a company to shut down services for days or weeks, the company lacks cybersecurity resilience.

An insurance company’s resilience requires setting aside financial reserves to cover claims costs. Because cyber policies often cover business interruption costs, businesses that lack cyber resiliency too often suffer losses and file insurance claims. Security ratings provide insight into an insured’s resilience. Because data breaches are inevitable, even companies with strong security ratings may be hacked, but their continued attention to their environments means they will have strong disaster recovery protocols limiting business interruption. To remain financially stable and resilient, insurance companies need to estimate potential losses well enough that premiums align with the risk they accept.

Insurance companies and their customers need shared visibility into the protected cyber ecosystem. Otherwise, insurers continue to undermine financial stability by overpricing premiums while companies risk their solvency by underinsuring their business. This business model promotes neither economic stability nor resiliency.

Continuous Monitoring Builds Continuous Relationships

Remedying the information and communication gap between insurers and insureds is the only solution to the current resilience problem. Companies often prove, through audit reports, that they engage in information security, yet those documents show proof of only a single moment in time. Insurers need tools, such as security ratings, that provide visibility into their insureds’ ecosystems on a continual basis.

Organizations face data security threats from both their IT environments and those of their vendors. One breached vendor creates a domino effect of cyber insurance claims as the damage travels through the supply chain. Insurers and insureds need to be able to communicate both visible and hidden cyber risks. Security ratings are built from externally observable signals, such as exposed services, TLS configuration, patching cadence and evidence of compromised hosts, rather than from direct access to an insured’s endpoint security, IDS or antivirus; that is what lets them be refreshed continuously without the insured’s cooperation, and it also gives insureds a shared language in which to communicate with insurers. Insurers, conversely, can use that same language to communicate to insureds the impact that security vulnerabilities have on insurance premiums and coverage.


In the cyber insurance space, increased claim complexity degrades the symbiotic relationship. As insureds shop around for better premiums, insurers lose valuable business. To promote continued business relationships, the two parties can both benefit from automated tools that enable continuous communication about continuous monitoring. Tools to facilitate visibility help establish metrics for the appropriate pricing of risk to cover potential losses and set reasonable premiums.

Insureds must communicate with their insurance companies; however, companies focusing on the daily tasks of conducting business lose track of communication and time. Therefore, insurance companies need to protect themselves by monitoring their insureds. Security ratings are poised to help promote resiliency between, as well as within, industries by offering publicly facing data. With the right continuous monitoring metrics, SaaS platforms can enable continuous relationships that reinvigorate the insurer-insured symbiotic relationship.

The Threat From ‘Security Fatigue’

There is no mistaking that, by now, most consumers have at least a passing awareness of cyber threats.

Two other things also are true: too many people fail to take simple steps to stay safer online; and individuals who become a victim of identity theft, in whatever form, tend to be baffled about what to do about it.

A new survey by the nonprofit Identity Theft Resource Center reinforces these notions. ITRC surveyed 317 people who used the organization’s services in 2017 and had experienced identity theft. The study was sponsored by CyberScout, which also sponsors ThirdCertainty. A few highlights:

  • Nearly half (48%) of data breach victims were confused about what to do.
  • Only 56% took advantage of identity theft protection services offered after a breach.
  • Some 61% declined identity theft services because of a lack of understanding or confusion.
  • Some 32% didn’t know where to turn for help in the event of a financial loss because of identity theft.

Keep your guard up

These psychological shock waves, no doubt, are coming into play yet again for 143 million consumers who lost sensitive information in the Equifax breach. The ITRC findings suggest that many Equifax victims are likely to be frightened, confused and frustrated — to the point of acquiescence. That’s because the digital lives we lead come with risks no one foresaw at the start of this century. And the reality is that consumers need to be constantly vigilant about their digital life. However, cyber attacks have become so ubiquitous that they’ve become white noise for many people.


The ITRC study is the second major report showing this to be true. Last fall, a majority of the computer users interviewed by the National Institute of Standards and Technology said they experienced “security fatigue,” which often correlates with the risky computing behavior they engage in at work and in their personal lives.

The NIST report defines “security fatigue” as a weariness or reluctance to deal with computer security. As one of the study’s research subjects said about computer security, “I don’t pay any attention to those things anymore. … People get weary from being bombarded by ‘watch out for this or watch out for that.’”

Cognitive psychologist Brian Stanton, who co-wrote the NIST study, observed that “security fatigue … has implications in the workplace and in peoples’ everyday life. It is critical because so many people bank online, and since health care and other valuable information is being moved to the internet.”

Make no mistake, identity theft is a huge and growing problem. Some 41 million Americans have already had their identity stolen — and 50 million reported being aware of someone else who was victimized, according to a Bankrate.com survey.

Attacks are multiplying

With sensitive personal data for the clear majority of Americans circulating in the cyber underground, it should come as no surprise that identity fraud is on a rising curve. Between January 2016 and June 2016, identity theft accounted for 64% of all data breaches, according to Breach Level Index. One reason for the rise was a huge jump in internet fraud. Card not present (CNP) fraud leaped by 40% in 2016, while point of sale (POS) fraud remained unchanged.

It’s not just weak passwords and individual errors that are fueling the rise in online fraud. Organizations we all trust with our personal information are being attacked every single day. The massive breach of financial and personal history data for 143 million people from credit bureau Equifax is just the latest example.

Over the past four years, there has been a steady drumbeat of major data breaches: Target, Home Depot, Kmart, Staples, Sony, Yahoo, Anthem, the U.S. Office of Personnel Management and the Republican National Committee, just to name a few. The hundreds of millions of records stolen never perish; they will continue in circulation in the cyber underground, available for sale and/or to be used in the next innovative fraud campaign.

Be safe, not sorry

Protecting yourself online doesn’t have to be difficult or complicated. Here are seven ways to better protect your privacy and your identity today:

  • Freeze your credit file at the three major credit bureaus (Equifax, Experian and TransUnion) so scammers can’t use your identity to take out loans or credit cards
  • Add a website reputation extension to your browser to help you steer clear of sites that serve malware
  • Enroll in ID theft coverage with your bank, insurer or employer; it could be free or surprisingly inexpensive
  • Get and use a password manager so you can create and use a unique, hard-to-guess password for every account
  • Be knowledgeable about common cyber scams
  • Add a verbal password for phone access to your bank accounts, and set up text alerts for unusual activity
  • Come up with a consistent way to decide whether it’s safe to click on something.

There is a bigger implication of losing sensitive information as an individual: it almost certainly will have a negative ripple effect on your family, friends and colleagues. There is a burden on consumers to be more active about cybersecurity, just as there is a burden on companies to make it easier for individuals to do so.


NIST researcher Stanton describes it this way: “If people can’t use security, they are not going to, and then we and our nation won’t be secure.”

Melanie Grano contributed to this story.

Equifax Breach: The Implications

The massive data breach suffered by Equifax has both serious consequences for consumers and potentially profound long-term implications for commerce and the nascent cyber insurance industry.

In the three days since Equifax’s press release announcing the breach potentially exposing names, addresses, birthdates, Social Security numbers and other information for about 143 million U.S. consumers, both the federal Consumer Financial Protection Bureau and New York State Attorney General Eric Schneiderman have criticized the giant credit bureau’s response and, in particular, an “arbitration clause” that may severely curtail the legal rights of any consumers who take advantage of free credit monitoring offered by Equifax.

The arbitration clause is included in the terms of service for Equifax’s credit monitoring program and, as reported by the Washington Post, bars consumers from participating in class action law suits, requiring instead that all disputes be settled by “binding individual arbitration” and limiting consumers’ rights to discovery and appeal. Equifax has stated the arbitration clause won’t apply in this case, but some have warned that the company’s statement may not be legally binding. Consumer beware.


The harm to consumers may last a lifetime as people have the same birthdate from cradle to grave, most will have just one Social Security number and many will use but one name. Yet, Equifax is offering just one year of credit monitoring.

For now, it appears that Equifax is failing crisis response 101. Instead of impressing consumers, clients and public officials with its transparency and earnest desire to make things right, the company has attracted criticism that undermines efforts to limit damage to its reputation, rebuild trust and inspire confidence. The gold standard in crisis management remains Johnson & Johnson’s handling of the 1982 Tylenol tampering case that led to seven fatalities in Chicago. That is the playbook for business.

But the Equifax breach and its response raise several other critical issues. Most obviously, what should consumers be doing to protect themselves? (See “The Equifax Data Breach: What to Do” at the Federal Trade Commission’s website for a number of useful suggestions, including checking credit reports.)

The less obvious but perhaps more profound issues raised by the massive data breach at Equifax pertain to the future of commerce and cyber insurance. With the breach exposing several of the data elements typically used to verify people’s identities, one must wonder what will happen if businesses and financial institutions lose confidence in their ability to confirm we are who we say we are. Imagine a world in which merchants can no longer accept credit cards. Imagine a world in which banks and credit unions can no longer make loans. Imagine a world in which one can no longer bank or trade securities online. And, lest one succumb to the notion that advanced biometric security measures will save the day, understand that biometric templates are stored in computer files that can be hacked just like birthdates, Social Security numbers and the like. Changing stolen user IDs and passwords is easy, but a fingerprint or retinal scan cannot be reissued; a biometric is best treated as an identifier that must be paired with something the holder can revoke, not as a secret in its own right.

The hope is of course that bright minds will find ways to protect us from criminal hackers and other nefarious parties who would do us harm, and yes — bright minds are already on the case. Witness in particular the rise of cyber insurance, and focus not on the compensation paid by cyber insurers in the wake of cyber incidents but rather on the underwriting done when cyber insurance policies are written and insurers’ work with clients to prevent and control losses. In many ways, this is emblematic of a larger movement in insurance and risk management from indemnification to loss prevention as the application of advanced analytics to big data enables intervention before losses occur. But while this might seem a new model, it is actually one that has been with us for quite a long time. People don’t buy boiler and machinery insurance because they want to be paid after boilers explode. Rather, people would prefer that boilers don’t blow up, and they want the benefit of the engineering and inspection services delivered during the underwriting process.


Nonetheless, there will be times when cyber losses occur, and cyber insurers will be called upon to respond. The Equifax breach provides a mere hint as to the coverage limits insureds may require and the amount of capacity, or capital, cyber insurers may need to cover the risk. Insurers that can figure out how to price and underwrite cyber risk have a tremendous opportunity to do well by doing good. One key will be successfully quantifying and managing aggregation risk (the accumulation of risk as a result of covering multiple insureds using the same or similar systems, etc.).

The Next Step in Underwriting

When a person applies for a mortgage in the U.S., credit reports are pulled from all three bureaus — Equifax, Experian and TransUnion. Why? Because a single bureau does not provide the whole story. When you’re lending hundreds of thousands or millions of dollars it makes sense to find out as much as you can about the people borrowing the money. The lender wants the whole story.

When you’re underwriting the property, doesn’t it make sense to get more than one perspective on its risk exposure? Everyone in the natural hazard risk exposure business collects different data, models that data differently, projects that data in different ways and scores the information uniquely. While most companies start with similar base data, how it gets treated from there varies greatly.

When it comes to hazard data there are also three primary providers, HazardHub, CoreLogic and Verisk. Each company has its team of hazard scientists and its own way of providing an answer to whatever risk underwriting and actuarial could be concerned with. While there are similarities in the answers provided, there are also enough differences — usually in properties with questionable risk exposure — that it makes sense to mitigate your risk by looking at multiple answers. Like the credit bureaus, each company provides a good picture of risk exposure, but, when you combine the data, you get as complete a picture as possible.


Looking at risk data is becoming more commonplace for insurers. However, if you are looking at a single source of data, it is much more difficult to use hazard risk data to limit your risk and provide competitive advantage. Advances in technology (including HazardHub’s incredibly robust APIs) make it easier than ever to incorporate multi-sourced hazard data into your manual and automated underwriting processes.

As an insurer, your risk is enormous. Using hazard data — especially multi-sourced hazard data — provides you with a significantly more robust risk picture than a single source.

At HazardHub, we believe in the power of hazard information and the benefits of multi-sourcing. Through the end of July, we’ll append our hazard data onto a file of your choice absolutely free, to let you see for yourself the value of adding HazardHub data to your underwriting efforts.

For more information, please contact us.

Be on the Lookout for Tax Scams

Last fall, authorities in India busted nine — yes, nine — bogus IRS call centers, arresting 70 people on suspicion of tricking (and often scaring) Americans into sending money to settle “pressing” but nonexistent tax bills.

You receive a call from a purported IRS agent claiming you owe money and must pay it immediately. If you can’t (or don’t) come up with the money pronto, well, you can expect a police officer or U.S. marshal at your door, and you will be arrested and thrown in jail. In a 21st-century version of this scheme, you receive a robocall where an automated voice directs you to call a specific number to settle your debts with Uncle Sam. If you don’t call back right away, you could be anything from sued to arrested to deported, or maybe you’ll just have your driver’s license revoked.

It’s an inelegant ruse, of course. The prize? Your hard-earned cash and, for good measure, some of your personally identifiable information (PII).


I probably don’t have to explain this hot-and-heavy approach because you’ve probably been on the receiving end of one of these phone calls. IRS scams are so prevalent they topped the Better Business Bureau’s top scams of 2015 by a mile — and that was well before the IRS itself issued a warning to taxpayers saying there was a “summer surge” last year in IRS impersonation scams, with a new variant asking poor, unsuspecting taxpayers to fork over payment on iTunes gift cards.

A sigh of relief?

If you think the major bust in India means you can breathe a little easier every time your phone rings, unfortunately, you’re wrong.

Make no mistake, those nine phony call centers represent only a small fraction of all the nefarious enterprises out there. Consider the latest stats from the U.S. Treasury Inspector General for Tax Administration published in The Wall Street Journal: 8,000 victims have paid more than $47 million because of these completely phony “IRS agents.”

Scams are akin to the old whack-a-mole game or, to put an even finer point on it, a Lernaean hydra — cut one of them down, and two more will spring forth. In fact, around the same time police were raiding the bogus call centers, reports had surfaced that there was a new IRS scam in town: Fraudsters have started to send out notices about fake IRS tax bills related to the Affordable Care Act via email and traditional snail mail in an effort to meet their, ahem, sales goals.

What you can do

You should stay vigilant because it’s about to get significantly more difficult to avoid getting got. The IRS announced it’s going to begin using private collection firms to handle overdue federal tax debt, a change that could effectively throw the one-step method of avoiding phony IRS agents — hang up the phone! — out the window.

The IRS has yet to make it completely clear whether it’s going to allow the collection firms it’s hired to call debtors directly. But even with this significant change, there will be a few dead giveaways that there’s a scammer on the other end of the line.

  1. If you do owe Uncle Sam, you’ll have received a bill in the mail, and should you be one of the more unfortunate ones turned over to a legitimate collector, you’ll also get written notice that your debt has been transferred over to one of its collection firms: CBE Group, Conserve, Performant and Pioneer.
  2. You’ll be allowed to make your payments online at IRS.gov/PayYourTaxBill, so, if you’re not being told about this option, hang up and notify the IRS.
  3. Payments by check should be made to the “U.S. Treasury.” If you’re being asked to write one made payable to the collector or even the IRS (which can easily be altered to read “MRS.”), hang up the phone.
  4. There will never be any threat involving police or marshals or prison.

Other ways to protect yourself

Here is the toll-free number for the IRS: 800-829-1040. If you get even the slightest inkling that someone is trying to swindle you, hang up and immediately call the agency.


If you get an email that looks like it is coming from the IRS about a tax bill, do not click on any links (which could be malware designed to infect and infiltrate your computer system and steal any payment or personal information it can get its hands on). Instead, forward the email to phishing@irs.gov and wait patiently for someone to contact you about its validity.

What to do if you’re a victim

If you think you’ve already been had, well, then you’ve got some work to do. Report the crime to your local police, file a complaint with the Federal Trade Commission and call the IRS at the number provided above to find out if you really owe them money. Contact TIGTA to report the call either at 800-366-4484 or by using its IRS Impersonation Scam Reporting website. And then rely heavily on the three Ms I outline in my book, Swiped: How to Protect Yourself in a World Full of Scammers, Phishers and Identity Thieves:

  1. Minimize your exposure to fraud: If you did turn over your most sensitive personal information, request that a fraud alert be put on your credit file by all three credit bureaus — Equifax, Experian and TransUnion. You need only contact one, and it will electronically notify the other two. You might also consider a credit freeze, which is more comprehensive but cumbersome because you need to notify each credit bureau individually; a lockdown of your credit report prevents thieves from opening new accounts in your name.
  2. Monitor your accounts. You might wish to purchase a combination credit and fraud monitoring service, which provides instant alerts if someone tries to open up lines of credit. You also may consider enrolling in transactional monitoring programs offered for free by banks, credit unions and credit card companies that notify you of any activity in your accounts. At the very least, keep an eye on your credit yourself. You can do this by pulling your credit reports for free each year at AnnualCreditReport.com and viewing two of your credit scores for free, updated every two weeks on Credit.com.
  3. Manage the damage. Close any account that has been tampered with or opened by a fraudster without your permission. And if you gave them the veritable skeleton key to your finances — your Social Security number — be sure to notify the IRS, do all of the above and file your taxes as early as possible next year to preclude anyone from getting their grubby little fingers on your refund.

Remember, it’s not just the phony taxman you have to worry about whenever you pick up the phone. Fraudsters come in all shapes and sizes, and, no matter how many scam centers authorities put out of business, the ultimate guardian of the consumer is the consumer (i.e., you)! Stay vigilant. While identity theft may be the third certainty in life, with a little luck you can make it that much harder for fraudsters to get you in their maw.

This post originally appeared on ThirdCertainty.

Full disclosure: IDT911 sponsors ThirdCertainty. This story originated as an Op/Ed contribution to Credit.com and does not necessarily represent the views of the company or its partners.
