Tag Archives: Farley

Cyber Threats: Big One Is Out There

Approximately a year after the zombie malware Marai took some major websites off-line for much a day, cybersecurity researchers recently identified a potentially more potent threat called Reaper. Experts warn that Reaper has the capability to take down the entire internet.

Marai Zombie Malware

In late 2016, an online infrastructure firm called Dyn was the victim of a massive distributed denial of service (DDoS) attack attributed to Marai, an IoT attack malware. The DDoS attacker deliberately overloads a target server with an abnormal amount of traffic, using an army of infected computers, known as a “botnets,” to carry out the information requests. This often results in a crashed server, knocking the target website offline, effectively disrupting normal business. As more and more common household devices become connected to the internet, attackers are able to leverage an ever-growing army of devices to carry out these attacks.

Marai weaponized IoT devices, such as digital video recorders (DVRs), wireless routers and CCTV cameras, by exploiting factory-default or hard-coded usernames and passwords. A number of Dyn’s high-profile clients, including Twitter, Amazon and Netflix, were taken offline.

The Grim News About Reaper

CheckPoint, an Israeli cybersecurity firm, has said that the Reaper IoT malware is “forming to create a cyber-storm that could take down the internet.” Reaper is exponentially more dangerous than Marai because it exploits at least nine security vulnerabilities across a wider range of devices. Those vulnerabilities are identified on the CheckPoint website.

CheckPoint warned that Reaper is expanding “at a far greater pace and with more potential damage than the Marai botnet of 2016,” and it estimated that more than a million organizations worldwide already have been affected. Noted cyber security reporter Brian Krebs further noted: “It’s a safe bet that whoever is responsible for building this new Reaper IoT botnet will have more than enough firepower capable of executing Dyn-like attacks at internet pressure points. Attacks like these can cause widespread internet disruption because they target virtual gateways where third-party infrastructure providers communicate with hordes of customer Web sites, which in turn feed the online habits of countless internet users.”

See also: How to Keep Malware in Check  

Cost of a DDoS Attack

For many victims of a DDoS attack, lost internet traffic can equate to staggering costs and lost revenue. According to a survey Dyn sponsored and published in August 2016, the majority of companies surveyed calculate that an internet outage costs them a minimum of $1,000 per minute.

Protective Measures

Today’s connected enterprises definitely should fear the Reaper (apologies to 1970s rock band Blue Oyster Cult). But there are a number of steps companies can take to mitigate the risk of being taken offline by Reaper or other IoT attack malware. And because 100% prevention against the risk is impossible, companies also should consider transferring the residual risk through insurance.

Avoid or Mitigate the Impact of a DDoS Attack

There are several strategies an organization can deploy to prevent a DDoS attack or at least mitigate the effects of one, including:

  • Set traffic thresholds: Companies can track how many users typically visit their website on any given day, hour and minute. Volume can change based on a number of factors. By having this historical knowledge, thresholds can be installed and real-time alerts can be generated to advise of abnormal traffic.
  • Blacklist and whitelist: Control who can and cannot access your network with whitelists and blacklists for specific IP addresses. However, be mindful that certain IP addresses may generate false positives and be blacklisted when they are in fact legitimate traffic. By temporarily blocking traffic, a business can see how it responds. Legitimate users usually try again after a few minutes. Illegitimate traffic tends to switch IP addresses. A good resource to help begin the process of whitelisting and blacklisting can be found on the DNS whitelist. Here you will find IP addresses, domain names and e-mail contact addresses. Each IP address is given a trustworthiness level score.
  • Reroute traffic with additional servers. By having additional servers on standby to handle an abnormal increase in traffic, a business can improve the odds against one server being overwhelmed. While this is likely the most cost-effective method, it is difficult to tell how many might be needed because the size of the attack can vary.
  • Consider using content-delivery networks (CDN). This method involves using external resources to identify illegitimate traffic and diverting it to a cloud-based infrastructure.
  • There may be contractual obligations that are affected during and after a DDoS attack. As such it is important to review contractual liability implications with customers and business partners. Review contracts with an eye toward the following:
    Revise unfavorable service-guarantee language due to downtime resulting from a DDoS attack. Allocate liability for potential outages as appropriate. Clauses that require security-incident notification under contract may be detrimental, especially when not required by law. Be sure your attorney reviews language related to this specific issue.
  • Terminate traffic as soon as a DDoS attack starts. Terminate unwanted connections or processes on servers and routers and tune their TCP/IP settings. If the bottleneck is a particular feature of an application, temporarily disable that feature.
  • Analyze traffic and adjust defenses. If possible, use a network-analyzer tool to review the traffic. Create a network-intrusion-detection system signature to differentiate between benign and malicious traffic. If adjusting defenses, make one change at a time, so you know the cause of the changes you may observe. Configure egress filters to block the traffic your systems may send in response to DDoS traffic, to avoid adding unnecessary packets to the network.
  • Notify and activate your incident-response team, if one is already in place. Contact the company’s executive and legal teams. Upon their direction, consider involving law enforcement and collaborate with your business-continuity/disaster-recovery team.
  • Create a communication plan. A company can easily become overwhelmed with inquiries from customers, business partners and media during a DDoS attack. Create a status page with a statement explaining the circumstances of the event. In addition, a template letter can be created to automatically respond to customers that contact a business for information.
  • During a DDoS attack, immediate efforts should be made to document facts in an incident report. It should be used to document what happened, why it happened, decisions made and how the organization will prevent future attacks. Review and document the load and logs of servers, routers, firewalls, applications and other affected infrastructure. The incident report may be read by a wide audience, and it is therefore important that it’s written in a language that is not overly technical.

Insurance Issues

For companies that are either the direct target of a DDoS attack or that are indirectly affected by an attack on a third party, significant business interruption costs, including lost income and other expenses, can be incurred. Consequently, affected companies should scrutinize their insurance policies to determine if they have coverage under either scenario.

Because there is no standard cyber insurance policy form, it is important for the insured to review its specific policy form and determine whether it provides coverage for a DDoS attack. Here are some issues to consider in that regard:

  • DDoS Provisions.
    • Is there an exclusion for DDoS attacks;
    • Is coverage limited to attacks targeted at the insured’s network;
    • Is there broader coverage for an attack that indirectly affects the insured;
    • Does the definition of “security event,” “security failure” or any relevant similar term include or exclude a DDoS attack?
  • Business Interruption Coverage.
    • Is coverage triggered only following a direct attack on the insured company;
    • Is contingent business interruption coverage available;
    • How long is the business interruption waiting period;
    • Is coverage triggered only by a complete business interruption or also by a degradation in business operations caused by the DDoS attack;
    • Is there coverage for professionals, including accountants retained by the policyholder, required to calculate and submit the claim?

Insureds are urged to consult with experienced insurance brokers and advisers to ensure that they obtain appropriate coverage for losses resulting from a DDoS attack. Cyber insurers often are open to negotiation of their policy forms, so insureds are encouraged to work with their insurance professionals to optimize coverage.

See also: How to Immunize Against Cyber Attacks  

Further, business interruption insurance may not be made available for every company. Companies can make themselves a better candidate for coverage by implementing a strong disaster recovery/business continuity plan.

Aggressive Regulation on Data Breaches

Below is an excerpt from John Farley’s new book: “Online and Under Attack: What Every Business Needs To Do Now To Manage Cyber Risk and Win Its Cyber War.

The Internet of Things

Every one of us lives in a brave new connected world. For most of us, our first foray into the online world occurred at work, as business discovered the internet provided a means to efficiencies that made them more competitive. The convenience of the internet has spilled over in dramatic fashion into our personal lives. The average home contains 13 internet-connected devices, and that number is growing fast. It has given birth to the term we know today as the Internet of Things (IoT). According to the FTC’s 2015 staff report “Internet of Things: Privacy and Security in an Interconnected World,” the number of internet-connected devices surpassed the number of people living on the earth several years ago. As of 2015, there were an estimated 25 internet-connected devices. The FTC estimates that this number will double to 50 billion by 2020.

Consumers love the convenience that these products bring, and manufacturers recognize this. There has been a tremendous rush to the market, as everything from security cameras, DVRs, routers, TVs, cars, thermostats and children’s toys are being designed to connect to the internet. The list grows daily. Unfortunately, recent history has shown that as manufacturers hurry to capture their share of the market for these devices, many have ignored the concept of security at the design stage. Instead, the focus was to get products manufactured quickly and economically. Extra steps in the product design stage, such as addressing security, would likely increase design time, make them more difficult for the consumer to set up and ultimately increase cost. As a result, many products in our homes lack basic cybersecurity controls and are subject to online threats as demonstrated earlier in this book in the Dynamic Network Systems attack in October 2016. Many products come with easily guessed passwords or none at all. When security flaws are recognized by manufacturers, they are often not easily patchable.

See also: Firms Ally to Respond to Data Breaches  

The FTC has taken notice and made its concerns heard in January 2017 by filing a lawsuit against Taiwanese D-Link and its U.S. subsidiary, D-Link Systems. In the complaint, the FTC alleges the company made deceptive claims about the security of its products and engaged in unfair practices that put U.S. consumers’ privacy at risk. D-Link sells networking equipment that integrates consumers’ home networks, such as routers, internet protocol (IP) cameras, baby monitors and home security cameras. These devices allow consumers to do things like monitor their homes and children in real time. Consumers simply access the live feeds from their home cameras using their mobile devices or any computer.

The crux of the lawsuit alleges that D-Link failed to protect consumers from “widely known and reasonably foreseeable risks of unauthorized access.” There are several allegations made by the FTC where it alleges D-Link failed to do the following:

  • Take reasonable software testing and remediation measures to protect its routers and IP cameras against well-known and easily preventable software security flaws that would potentially allow remote attackers to gain control of consumers’ devices.
  • Take reasonable steps to maintain the confidentiality of the “signature” key that D-Link used, which resulted in the exposure of the private key on a public website for approximately six months.
  • Use free software, available since at least 2008, to secure users’ mobile app login credentials, instead storing those credentials in clear, readable text on users’ mobile devices.

The case is especially noteworthy because it is not alleging a known breach of security in D-Link devices. Instead, the FTC appears to be taking measures against the company, and not waiting for a successful cyberattack to occur before acting. So we may refer back to the FTC 2015 staff report “Internet of Things: Privacy and Security in an Interconnected World” for guidance. In that report, the following recommendations are made by the FTC:

  • Build security measures into devices from the outset and at every stage of development—don’t wait to implement retroactive security measures after the devices have already been produced and sold.
  • Consistently maintain up-to-date software to secure consumer personal information, and ensure regular software testing. Any identified vulnerabilities should be remediated promptly; connected devices should be monitored throughout their life cycles; and security patches should be issued to cover known risks.
  • Take steps to implement reasonable access-control measures for IoT devices, including making sure proprietary device signatures remain confidential.
  • Accurately describe the products’ safety and security features in marketing and promotional materials.

See also: Data Breach Law Could Hurt Consumer

When Hackers Take the Wheel

Operator errors, driving under the influence, and product defects have long been blamed for catastrophic accidents in the transportation industry. However, recent headlines revealed how cyber risk has emerged as a new and disturbing threat to airlines, railways, auto manufacturers and ocean cargo carriers.

Those in the transportation sector have embraced the “Internet of Things” and transformed what were once far-reaching concepts into some of the most common components of the cars they manufacture and the planes they fly. They often rely on a secure internet connection to function safely and efficiently. Recent headlines, however, raised concern and started a debate: Can the transportation sector be hacked? If so, what are the consequences?

Automobiles

In July 2015, Fiat Chrysler announced a recall of 1.4 million vehicles after white hat hackers demonstrated that they could take control of a Jeep Cherokee’s braking systems, change vehicle speed and affect operation of the transmission, air conditioning and radio controls. Hackers gained remote access by exploiting a software vulnerability in the vehicle’s Uconnect entertainment system.

The stakes have been raised even higher with recent advances made in the development of driverless cars, as more vehicles will become completely reliant on secure technology. Safety concerns were raised after a series of crashes allegedly caused by the failures of Tesla’s Autopilot technology, resulting in the death of a passenger. This prompted Tesla to announce efforts to improve its Autopilot software, including “advanced processing of radar signals.”

See also: How to Measure ‘Vital Signs’ for Cyber Risk  

The Department of Transportation has also recognized the risks associated with technology. In January 2016, the department entered into an agreement with 17 major automakers to enhance driver safety, including information sharing to prevent cyberattacks on vehicles. According to the agreement, the National Highway Traffic Safety Administration will propose industry guidance for safe operation for fully autonomous vehicles.

Planes

Boeing recently became the subject of a hacker demonstration when a security researcher accessed the entertainment systems of one of the company’s planes in mid-flight. Boeing was adamant that the hacker could not have gained access to the aircraft’s critical functions due to segregation of the two networks. However, the incident raised concerns throughout the airline industry, and an FBI investigation followed.

Railway Systems

German security researchers SCADA Strangelove demonstrated, without naming the rail systems in question, that they, too, are vulnerable. Their December 2015 report highlighted vulnerabilities related to outdated software, default passwords and lack of authentication. Moreover, entertainment and engineering systems were operating on the same network, leading to speculation that if one system is compromised hackers could gain access to the other. Because rail switches are automated and dependent on properly operating networks, the theory of a system compromise leading to a head-on collision with another train was explored in the report.

Marine Shipping

An investigation by Verizon Risk concluded that modern-day pirates are increasingly relying on network intrusions as a means to carry out crimes on the high seas. Verizon concluded that an unidentified shipping company’s networks were penetrated by hackers, giving them precise information on which ships were carrying the most valuable contents. Hackers then targeted their attacks on specific vessels, using bar codes to focus on individual shipping containers.

As of this writing, we have not seen any incidents of bodily injury or loss of life in the transportation sector directly attributed to a deliberate network compromise. Yet the findings of various researchers across multiple transportation sectors lead to some alarming conclusions. Law enforcement and transportation safety regulators have taken these findings seriously and conducted investigations of their own.

We can therefore expect with some degree of certainty that the transportation sector may be held to higher cybersecurity standards and will see increased regulatory scrutiny that has been witnessed in other industries, such as healthcare and financial services. When networks containing sensitive data may be compromised, regulators that oversee that industry often propose protection standards that ultimately become mandates. Failure to comply often leads to lawsuits, settlements, fines and significant reputational harm.

See also: Protecting Institutions From Cyber Risks  

Until then, the transportation sector can start by following the best practices as outlined in the National Highway Traffic Safety Administration’s “A Summary of Cybersecurity Best Practices,” published in October 2014 . Key observations and recommendations include:

  • Cybersecurity is a life-cycle process that includes elements of assessment, design, implementation and operations as well as an effective testing and certification program.
  • The aviation industry has many parallels to the automotive industry in the area of cybersecurity.
  • Strong leadership from the federal government could help the development of industry-specific cybersecurity standards, guidelines and best practices.
  • Sharing learning with other federal agencies is beneficial.
  • Use of the NIST cybersecurity standards as a baseline is a way to accelerate development of industry-specific cybersecurity guidelines.
  • International cybersecurity efforts are a key source of information.
  • Consider developing a cybersecurity simulator. It could facilitate identification of vulnerabilities and risk mitigation strategies and can be used for collaborative learning (government, academia, private sector, international).
  • Cybersecurity standards for the entire supply chain are important.
  • Foster industry cybersecurity groups for exchange of cybersecurity information.
  • Use professional capacity building to address and develop cybersecurity skill sets, system designers and engineers.
  • Connected vehicle security should be end-to-end; vehicles, infrastructure and V2X communication should all be secure.

The transportation sector is yet another industry that must learn to adapt to the systemic nature of cyber risk. Because of ever-increasing reliance on evolving technology, cyber risk will certainly begin to move toward the top of the list of transportation safety concerns. The captains of this industry can no longer claim ignorance to cybersecurity issues or completely delegate responsibility. They owe a duty to safeguard the flow of information that effectively keeps our planes airborne and our cars on the road. Failure to do so could be catastrophic.

Hacking the Human: Social Engineering

Virtually every business relies on a network to conduct its daily operations. This often involves the collection, storage, transfer and eventual disposal of sensitive data. Securing that data continues to be a challenge for organizations of all sizes and across multiple business sectors. Social Security numbers, W-2 forms, payment cards and intellectual property have significant value on the black market and provide motivation for hackers to steal.

Many corporate IT departments respond to these threats by devoting vast amounts of resources to technological defenses. Criminal perpetrators, however, seem to remain one step ahead of even the best cybersecurity efforts. They have altered their strategies by perpetrating human-based fraud. One emerging tactic involves what we have come to know as “social engineering.” This type of fraud occurs in a multi-stage process. Criminals first gather information, form relationships with key people and finally execute their plan.

By exploiting our natural tendencies to trust others, criminals have been highly successful in convincing people to hand over some of their most valuable data assets. In fact, according to the FBI, from October 2013 to August 2015, more than 8,000 social engineering victims from across the U.S. were defrauded of almost $800 million (the average loss amounted to $130,000.)

See also: Dark Web and Other Scary Cyber Trends

There are several methods of social engineering that are seen frequently, including the following seven:

  • ­Bogus Invoice: A business that has a long-standing relationship with a supplier is asked to wire funds to pay an invoice to an alternate, fraudulent account via email. The email request appears very similar to one from a legitimate account and would need scrutiny to determine if it was fraudulent.
  • ­Business Executive Fraud/Email Phishing: The email accounts of high-level business executives (CEO, CFO, etc.) may be mimicked or hacked. A request for a wire transfer or other sensitive information from the compromised email account is made to someone responsible for processing transfers. The demand is often made in an urgent or time-sensitive manner.
  • ­Interactive Voice Response/Phone Phishing (aka “vishing”): Using automation to replicate a legitimate-sounding message that appears to come from a bank or other financial institution and directs the recipient to respond to “verify” confidential information.
  • ­Dumpster Diving and Forensic Recovery: Sensitive information is collected from discarded materials — such as old computer equipment, printers, paper files, etc.
  • ­Baiting: Malware-infected removable media, such as USB drives, are left at a location where an employee may find them. When an employee attaches the USB to her computer, criminals can ex-filtrate valuable data.
  • ­Tailgating: Criminals gain unauthorized access to company premises by following closely behind an employee entering a facility or by presenting themselves as someone who has official business with the company.
  • ­Diversion: Misdirecting a courier or transport company and arranging for a package/delivery to be taken to another location.

How to avoid being defrauded in the first place:

Given the rising incidence of social engineering fraud, all companies should implement basic risk avoidance measures, including these eight:

  • Educate your employees so they can learn to be vigilant and recognize fraudulent behavior;
  • Establish a procedure requiring any request for funds or information transfer to be confirmed in person or via phone by the individual supposedly making the request.
  • Consider two-factor authorization for high-level IT and financial security functions and dual signatures on wire transfers greater than a certain threshold.
  • Avoid free web-based email and establish a private company domain, and use it to create valid email accounts in lieu of free, web-based accounts.
  • Be careful of what is posted to social media and company websites, especially job duties/descriptions, hierarchical information and out-of-office details.
  • Do not open spam or unsolicited email from unknown parties, and do not click on links in the email. These often contain malware that will give subjects access to your computer system.
  • Do not use the “reply” option to respond to any financial emails. Instead, use the “forward” option and use the correct email address or select it from the email address book to ensure the intended recipient’s correct email address is used.
  • Beware of sudden changes in business practices. For example, if a current business contact suddenly asks to be contacted via a personal email address when all previous official correspondence has been on a company email, the request could be fraudulent.

Despite these efforts, organizations can still fall victim to a social engineering scheme. These incidents can be reported to the joint FBI/National White Collar Crime Center – Internet Crime Complaint Center (IC3) at www.ic3.gov.

See also: Best Practices in Cyber Security

The initial concern after such an event often focuses on the amount of stolen funds. However, there could be an even greater threat because these incidents often involve the compromise of personally identifiable information, which can later be used for identity thefts from multiple people. This prospect for more theft will often trigger legal obligations to investigate the matter and to communicate to affected individuals and regulators. The thefts often then lead to litigation and significant financial and reputational harm to businesses. Costs can include fines, legal fees, IT forensics costs, credit monitoring services for affected individuals, mailing and call center fees and public relations costs.

Fortunately, the insurance industry has developed insurance policies that can transfer these risks. Crime insurance policies can cover fraudulent funds transfers, while cyber insurance policies may cover costs related to unauthorized access of personally identifiable information. However, the insurance buyer needs to be wary of various policy terms and coverage limitations. For example, some crime policies can contain exclusionary language for cases involving voluntary transfer of funds, even though they were unknowingly transferred to a criminal. Other insurers might add policy language to crime policies to cover this situation.

Cyber insurance policies can be customized to offer coverage for the following:

  • ­Network Security Liability: Liability to a third party as a result of a failure of your network security to protect against destruction, deletion or corruption of a third party’s electronic data; denial of service attacks against Internet sites or computers; or transmission of viruses to third-party computers and systems.
  • Privacy Liability: Liability to a third party as a result of the disclosure of confidential information collected or handled by you or under your care, custody or control. Includes coverage for your vicarious liability where a vendor loses information that had been entrusted to it in the normal course of business.
  • Electronic Media Content Liability: Coverage for personal injury and trademark and copyright claims arising out of creation and dissemination of electronic content.
  • Regulatory Defense and Penalties: Coverage for costs associated with response to a regulatory proceeding resulting from an alleged violation of privacy law causing a security breach.
  • Breach Event Expenses: Expenses to comply with privacy regulations, such as notification and credit monitoring services for affected customers. This also includes expenses incurred in retaining a crisis management firm, outside counsel and forensic investigator.
  • Cyber Extortion: Payments made to cybercriminals to decrypt data that has been encrypted by ransomware.
  • Network Business Interruption: Reimbursement of your loss of income or extra expense resulting from an interruption or suspension of computer systems because of a failure of network security or system failure. Includes sub-limited coverage for dependent business interruption.
  • Data Asset Protection: Recovery of costs and expenses you incur to restore, recreate or recollect your data and other intangible assets (i.e., software applications) that are corrupted or destroyed by a computer attack.

In summary, businesses need to be vigilant in addressing the ever-evolving risks related to their most valuable assets. The most effective risk management plans aim to prevent social engineering fraud incidents from happening and to mitigate the damages if they do. Turning your employees from your weakest link into your greatest assets in the battle is one way; risk transfer to insurance products is another.

cyber

Cyber Threats and the Impact to M&A

As investment bankers and their lawyers pore over the details of a potential corporate merger, a new and troubling issue has emerged that could affect the terms of the deal, or even derail it. Cyber risk is now a top agenda item, not only for deal makers but for shareholders, regulators and insurance companies.

While assumption of risk is nothing new when acquiring a company, assuming cyber risk raises a whole new set of concerns that must be addressed early in the M&A process. Specific industries, such as healthcare, financial services and retail might require detailed attention to data risk as it applies to HIPAA (Health Insurance Portability and Accountability Act) standards, financial regulation and PCI (payment card industry) compliance. A thorough analysis of the target company’s network systems needs to be part of the due diligence process and may require the services of a network assessment vendor. Insufficient cyber security and the need for significant remediation of these networks could lead to unforeseen expense and may be a consideration in final negotiations of the target price.

Understanding the evolving face of hackers should also be a consideration. Hackers have traditionally been motivated solely by financial gain. However, as evidenced by recent cyber attacks against Sony, Ashley Madison and the Office of Personnel Management, hackers may be driven by political agendas or moral outrage or may be part of state-sponsored cyber espionage. If the acquired company comes with intellectual property or produces controversial products or services, it could be at higher risk of attack.

Regulatory Issues Affecting M&A

Increased regulatory risk for the acquiring company should also be of concern. Regulators in the U.S. and around the world have had a laser focus on privacy matters and have made their authority known in two recent court decisions.

  • On Aug. 24, 2015, a decision was made that will have profound impact on how the CIO, compliance officers, cyber security officials and others view what is an acceptable level of cyber security. In Federal Trade Commission v. Wyndham Worldwide Corp. et al. No. 14-3514, slip op. at 47 (3rd Cir. Aug. 24, 2015), the FTC alleged Wyndham failed to secure customers’ sensitive data in three separate incidents. As a result, 619,000 customer records were exposed, leading to $10.6 million in fraudulent charges. The Third Circuit Appeals Court affirmed the FTC’s authority to regulate cyber security standards under the “unfair practices” of the Federal Trade Commission Act. Therefore, key stakeholders in the acquiring and target companies need to come to terms regarding acceptable levels of cyber security before the deal is closed.
  • On Oct. 5, 2015, the European Union’s Court of Justice declared the U.S. and E.U. Safe Harbor framework invalid. The ruling abolishes an agreement that once allowed U.S. companies to move E.U. residents’ digital data from the E.U. to the U.S., and it will affect approximately 4,000 companies. For some companies, the ruling could drastically alter their business models. Therefore, an acquisition of any of these companies will require careful consideration as to how the company collects and uses the online information of the residents in the 28 countries that make up the E.U. An acquiring company could face regulatory scrutiny and costly litigation for noncompliance of their newly acquired entity.

Transferring Your Cyber Risk

One method to provide protection for the acquiring company would be to enter into a cyber security indemnity agreement with the targeted company. The agreement can exist for a period after closing, but there should be an expectation that—after a specified length of time long enough to remediate and integrate the target company’s IT networks—the agreement will expire. The liability protections should be as broad as possible and should include all directors and officers, who are often named in derivative lawsuits in the aftermath of a data breach. The agreement should address the many different actions that might be required after an unauthorized network intrusion of the target company. Costs related to defense attorneys, IT forensics firms, credit monitoring vendors, call centers, public relations companies and settlements should be anticipated. The firms to be hired, the rates they will charge and the terms of reimbursement to the acquiring company should be outlined in the agreement.

Many businesses have also turned to cyber insurance as a means to transfer cyber risk. In fact, the cyber insurance industry has grown to $2 billion in written premiums, with some expecting it to double by 2020. Cyber policies typically cover a named insured and any subsidiaries at the time of policy inception. Parties in a merger should be aware that M&A activity will likely have an impact on existing cyber insurance policies and often require engagement with insurance companies. When an insured makes an acquisition during the policy term, the insurance carrier often requires notification of the transaction pursuant to policy terms specifically outlined in the policy. Because cyber insurance policies are written on manuscript forms, there is no one standard notification requirement, and compliance terms will vary from insurance company to insurance company. If the target company has revenue or assets over a certain threshold, the named insured may be required to:

  • ƒProvide written notice to the insurance carrier before closing;
  • Include detailed information of the newly acquired entity;
  • Obtain the insurer’s written consent for coverage under the policy;
  • Agree to pay additional premium;
  • Be subject to additional policy terms.

Cyber risk can have a huge impact on any M&A activity. Legal liability and the means to transfer it should be a top priority during the transaction. There likely will be a big impact on existing insurance coverage. All parties need to focus on their rights and responsibilities and must engage the right experts to maximize protections in the process.