
How Safe Is Your Data — Really?

The number and the potential severity of cyber breaches are increasing. A recent PwC survey found that nearly 90% of large organizations suffered a cyber security breach in 2015, up from 81% in 2014. And the average cost of these breaches more than doubled year-on-year. With more connected devices than ever before—and a total expected to reach 50 billion by 2020—there are more potential targets for attackers, and there is more potential for accidental breaches.

What’s more, as of late 2015, companies are, for the first time, listing their information assets as nearly as valuable as their physical assets, according to the 2015 Ponemon Global Cyber Impact Report survey, sponsored by Aon.

So, how do you keep your organization’s data—and that of your clients and customers—safe?

It’s not just a matter of investing in better technology and more robust systems, according to Aon cyber insurance expert Stephanie Snyder Tomlinson, who says, “A lot of companies find that the weakest link is their employees. You need to train employees to make sure that if they get a phishing email, they’re not going to click on the link; that they don’t have a Post-It note right next to their monitor with all of their passwords on it. It’s the human error factor that companies really need to take a good hard look at.”

From intern to CEO: Simple steps everyone can take

It’s easy for individuals to become complacent about data security, says Aon’s global chief privacy officer, Brad Bryant. But, with cyber threats increasing, it’s more important than ever to be aware of seemingly innocent individual actions that can potentially lead to serious cost and reputational consequences for your organization.

According to Bryant, there are four key things that everyone can do to help protect themselves and their organizations from the rising cyber threat:

  • Be alert to impersonators. Hackers are becoming increasingly sophisticated at tricking people into giving away sensitive information, from phishing to social engineering fraud. You need to be more vigilant than ever when transmitting information. Are you certain the people you are dealing with are who they say they are?
  • Don’t overshare. If you give out details about your personal life, hackers may be able to use them to build a profile to access your or your company’s information. From birthdays to addresses, small details build up.
  • Safely dispose of personal information. A surprising amount of information can be retained by devices, even after wiping hard drives or performing factory resets. To be certain that your information is destroyed, you may need to seek expert advice or device-specific instructions.
  • Encrypt your data. Keeping your software up to date and password-protecting your devices may not be enough to stop hackers, should your devices fall into the wrong hands. The more security, the better, and, with the growing threat, encryption should be regarded as essential.

Key approaches for organizations to better protect data

To protect your own, your customers’ and your clients’ information, investing in better cyber security is one element. But data breaches don’t just happen through hacks, or even employee errors. At least 35% of cyber breaches happen because of system or business process failures, so it’s vital to get the basics right.

Prevention is key, says Tom Fitzgerald, CEO of Aon Risk Solutions’ U.S. retail operations. There are four key strategies he recommends all organizations pursue to limit the risk and make sure they’re getting the basics right:

  • Build awareness. Educate employees on what social engineering fraud is, especially those in your financial department. Remind employees to be careful about what they post on social media and to be discreet at all times with respect to business-related information.
  • Be cautious. Always verify the authenticity of requests for changes in money-related instructions, and double-check with the client or customer. Do not click on random hyperlinks without confirming their origin and destination.
  • Be organized. Develop a list of pre-approved vendors and ensure employees are aware of it. Review and customize crime insurance—when it comes to coverage or denial, the devil is in the details.
  • Develop a system. Institute a password procedure to verify the authenticity of any wire transfer requests, and always verify the validity of an incoming email or phone call from a purported senior officer. Consider sending sample phishing emails to employees to test their awareness and measure improvements over time.

Much of this advice is not new, but the scale of the threat is increasing, making following this advice more important than ever. Fitzgerald warns, “Social engineering fraud is one of the greatest security threats companies can encounter today. … This is when hackers trick an employee into breaking an organization’s normal digital and physical security procedures to access money or sensitive information. It can take many forms, from phishing for passwords with deceptive emails or websites, to impersonating an IT engineer, to baiting with a USB drive.”

How governments are driving data protection

The potential consequences of inadequate data security are becoming more serious, and courts and regulators are focusing on this issue globally.

The European Union is considering a Data Protection Directive to replace previous regulations implemented in 1995. The expected result will be a measure that focuses on the protection of customers’ data. Similarly, an October 2015 ruling by the European Court of Justice highlighted the transfer of customer data between the E.U. and U.S.

Bryant warns: “Regardless of where a company is located, the provision of services to E.U. customers and the collection or mere receipt of personal data from European citizens may potentially subject companies to E.U. jurisdiction. … Failure to comply could present unprecedented risk for companies, including fines of up to 4% of a company’s total global income.”

Changing E.U. rules aren’t the only thing that could affect your business. Internet jurisdictions and organizational operations are increasingly becoming cross-border. This global patchwork of Internet rules and regulations is why only 24% of cyber and enterprise risk professionals are fully aware of the possible consequences of a data breach or security exploit in countries outside their home base of operations.

Why getting the basics right is critical

As the Internet of Things continues to grow, the number and range of potential targets for cyber attack is only going to increase. While eliminating all cyber risk may be impossible, getting the basics right is becoming more important than ever.

Bryant says, “Given the large scope and impact of the various changes in data protection law—coupled with the drastic increase in fines—becoming educated on how to protect our data is more business-critical now than ever before.”

Has an International Cyber War Begun?

Cyber attacks were once on the periphery of American business consciousness. That mindset changed over the past two years. A series of devastating events, including the 2014 cyber attack against Sony, catapulted cyber liability concerns from an IT department issue to a major priority for boardrooms across America. As U.S. government officials concluded that North Korea was behind the attack, many C-suite executives suddenly found themselves asking questions. Is this the start of a cyber war? Could we be the next victim? If we are, how will it affect our operations and our bottom line? Do our insurance policies cover any of these costs?


Today, many insurance buyers look to their cyber insurance policies to fill coverage gaps that often exist in other policies. For example, a property policy may respond to physical damage from a named peril, but it will likely exclude loss for non-tangible assets as a result of a cyber attack. Similarly, a commercial general liability policy will likely provide liability coverage for causing bodily injury because of negligence but exclude coverage for liability because of a failure to secure sensitive data from hackers.

Many policyholders may be unaware that some, though not all, of these cyber policies contain specific terrorism and war exclusions. As a result, gaps in cyber insurance coverage can exist in cases like the Sony breach, where government agencies, like the FBI, conclude that a foreign government or terrorist organization is responsible for the attack.

Is a Cyber Attack “Terrorism” or “War”?

Immediately following the Sony attack, President Obama referred to it by saying, “I don’t think it was an act of war . . . but cyber vandalism.” Then, on April 1, 2015, President Obama signed the Executive Order on Cybersecurity with the goal of protecting the private sector against hackers and thereby bolstering national security. The order seeks to identify and punish individuals behind attacks, but it could also lead some to categorize an apparent hacking event or act of cyber terrorism as an “act of war.”

Changes in government definitions trickle down into coverage disputes because many policies that exclude or include “war,” “terrorism” or “cyber terrorism” either fail to define those terms or define them by referring to standard government definitions.

Government Definitions of Terrorism, Cyber Terrorism and War

THE TERRORISM RISK INSURANCE ACT (TRIA)

“Act of terrorism” is defined as any act certified by the secretary of the Treasury in concurrence with the secretary of State and the attorney general of the U.S. to be:

» an act of terrorism

» a violent act or an act that is dangerous to human life, property or infrastructure

» an act resulting in damage within the United States or outside it (on a U.S.-flagged vessel, aircraft or U.S. mission)

» an act committed by an individual or individuals acting on behalf of any foreign person or foreign interest, as part of an effort to coerce the civilian population, U.S. policy or the U.S. government.

The secretary of the Treasury may not delegate his certification authority, and his decision to certify an act or not is not subject to judicial review.

DEPARTMENT OF DEFENSE (DOD)

The DOD defines “terrorism” as “the unlawful use of violence or threat of violence, often motivated by religious, political or other ideological beliefs, to instill fear and coerce governments or societies in pursuit of goals that are usually political.” The term “act of war” is understood to mean “a use of force [that may] invoke a state’s inherent right to lawful self-defense.”

DEPARTMENT OF JUSTICE (DOJ)/FEDERAL BUREAU OF INVESTIGATION (FBI)

The FBI defines “cyber terrorism” as “the premeditated, politically motivated attack against information, computer systems, computer programs and data [that] results in violence against non-combatant targets by subnational groups or clandestine agents.”

DEPARTMENT OF HOMELAND SECURITY (DHS)

The National Infrastructure Protection Center (NIPC), formerly a branch of DHS, defines “cyber terrorism” as “a criminal act perpetrated through computers resulting in violence, death and/or destruction and creating terror for the purpose of coercing a government to change its policies.”

Cyber Terrorism and the ‘Act of War’ Exclusion

Cyber policies are relatively new and manuscript products; as such, the wording varies significantly. Many policies contain a standard exclusion for “war, invasion, acts of foreign enemies, hostilities (whether war is declared or not), civil war, rebellion, revolution, insurrection, military or usurped power, confiscation, nationalization, requisition, or destruction of, or damage to, property by or under the order of any government, public or local authority…” An attack by the Taliban, for example, would probably fit within the exclusion as an act sponsored by a “public or local authority.”

Traditionally, war exclusions were relatively narrow; they required an actual war or, at the very least, “warlike operations”; “for there to be a ‘war,’ a sovereign or quasi-sovereign must engage in hostilities.” Pan Am. World Airways, Inc. v. Aetna Cas. & Sur. Co., 505 F.2d 989, 1005 (2d Cir. 1974) (finding that a Jordanian terrorist group that hijacked a plane was not a de facto government for the purposes of applying the war exception).

However, the events of Sept. 11, 2001, changed the way certain events and groups were perceived and classified, ultimately leading many to label the 2014 cyber attack on Sony an “act of war.”


Litigation surrounding the Sept. 11 attacks led directly to an expanded view of the war exclusion. For one thing, the Second Circuit Court of Appeals ruled that the attacks were an “act of war.” In In re Sept. 11 Litig., 931 F. Supp. 2d 496, 512 (S.D.N.Y. 2013), an owner of a building near the site of the World Trade Center attacks sought to recover cleanup and abatement expenses for removing pulverized dust that infiltrated the owner’s building after the collapse of the Twin Towers. He sued under the Comprehensive Environmental Response, Compensation, and Liability Act [CERCLA], which allows strict liability claims in pollution cases, but the court applied CERCLA’s “act of war” exception to strict liability.

In concluding that the attacks were an act of war, the court commented that “Al Qaeda’s leadership declared war on the United States, and organized a sophisticated, coordinated, and well-financed set of attacks intended to bring down the leading commercial and political institutions of the United States,” id. at 509, and that “as we learned in the twentieth century, and as has been true throughout history, war can take on a formal structure of armies in contrasting uniforms confronting each other on battlefields, and war can persist for years, fought by irregular, insurgent forces and capable of causing extraordinary damage,” id. at 511.

This expansion of the legal definition of “act of war” to include acts by “irregular, insurgent forces and capable of causing extraordinary damage” could lead to attacks by hacktivist groups or foreign intelligence services being considered acts of war and therefore excluded from cyber policies.

Cyber Insurance and TRIA

The Terrorism Risk Insurance Act (TRIA) is a government program designed to provide a backstop for reinsurers in the event of large terrorism-related losses (more than $100 million). There is debate over whether TRIA applies to cyber policies at all. TRIA applies to commercial property and casualty insurance coverage, but some cyber policies are written as another line of coverage, such as professional liability, which is not included in TRIA.

Even assuming that TRIA would apply to cyber insurance, for TRIA coverage to be in effect, (1) there must be losses, resulting from property damage, exceeding $100 million; and (2) they must be caused by a certified terrorism event:

(1) Property Damage: For TRIA to apply, physical property damage must occur, and what constitutes “physical damage” in the context of a cyber attack remains an open question. What we do know is that TRIA will probably not cover business interruption or reductions in business income absent some physical loss or property damage. Many cyber attacks do not involve any physical damage, which would exclude TRIA coverage.

(2) A Certified Terrorism Event: For TRIA to apply to any event, the event would need to be certified as an act of terrorism. This onerous and political certification process requires the secretary of the Treasury, secretary of State and attorney general to agree that an incident was an “act of terrorism.” Many political and economic issues factor into certifying a terrorism event, which can lead to counterintuitive results. For instance, as of the date of this publication, the April 2013 Boston Marathon bombing has not been certified as a terrorist act.

Conclusion

To ensure coverage for cyber terrorism and cyber warfare, buyers of cyber insurance will need to seek out a cyber risk insurance policy that explicitly includes this coverage in the broadest terms possible. As more insurance carriers enter the cyber insurance market, one must be wary that policy terms will vary from one policy form to the next, and some will have coverage terms superior to others.

ID Theft: A Danger Even After Death

Take your driver’s license out of your wallet. Flip it over. Now look carefully at the back of it. There’s no box to check for “identity donor.” Yet when it comes to identity-related crimes, one of the greatest times of vulnerability is immediately after you die.

You can do everything right. You can use long and strong passwords and account-unique user names. You can check your financial accounts and monitor your credit on a regular basis, you can set up transaction alerts on your credit cards – even order a credit freeze – and then you die. Well, not entirely…

Include Identity in Your Estate Planning

A good identity thief can undo all your fraud precautions with a few phone calls. Most people don’t think about this, because it’s a wee bit late to refinance the family homestead – much less worry about interest rates – when you’re dead. Regardless, the recently deceased continue to exist on paper, and this may be the case for some time. Meanwhile, many bankable facts – key among them your Social Security number and personally identifiable information – are just sort of there in the form of “zombie” purchasing power. An identity thief can use that purchasing power to drain your bank accounts, open new credit in your name and perpetrate all sorts of fraud that can harm your family and heirs.

Think of your post-mortem identity as a would-be extra on “The Shopping Dead.” Now that you have that image in your head, take the time to arrange for the deactivation of your identity by making it part of your estate planning. This will mostly take the form of a to-do list for whoever will be handling your affairs, because nothing can be done till…well, you know, after the fact. There are many good resources, including this list from IDT911.

There are many different scams out there, ranging from the misappropriation of Social Security payments to the more old-fashioned practice of ghosting, whereby a person of approximately the same age assumes the identity of the deceased. In keeping with the proliferation of possible crimes, there are plenty of criminals out there who make a living in this post-mortem niche. They scan death notices in the local paper, read obituaries, even attend funerals and, make no mistake about it, can get a lot of shopping done with your available credit before the three credit reporting agencies and your current and future potential creditors are notified of your demise. Those same bad guys may also use your Social Security number to grab a big fat tax refund (if you’re lucky enough to pass away during tax filing season).

How will they get the information needed to commit fraud? Sometimes the perpetrator is a family member, so he already has access. But more often, family members are distracted and distraught. There are visitors who come and go, unchecked, and of course the numerous demands of making final arrangements and dealing with matters of the estate. If there was a long illness, unsupervised healthcare workers may have had the run of the deceased’s domicile – including the owner’s most sensitive information. Maybe the wake was at the deceased’s home, or people sat shiva there. The opportunities for fraud abound. Funerals, of course, provide a thief with a precise time to get what he or she wants. But instead of grabbing the television or the silver (too easy to miss), an envelope containing a financial statement or a copy of last year’s tax return might go walkabout. From there, it’s a race to apply for as much credit and buy as many pricy things for resale as possible before the money spigot coughs credit dust.

The Bigger Picture

Government agencies are famously slow to get the news of a person’s undoing.

An audit of the Social Security Administration conducted by the Office of the Inspector General found approximately 6.5 million Social Security numbers belonging to people aged 112 or older whose death information wasn’t in the system. Of those numberholders, only 13 people were still receiving payments; the rest consisted of “numberholders who exceeded maximum reasonable life expectancies and were likely deceased.” The fact that their deaths were not recorded in Numident (the SSA’s numerical identification system), and thus are also missing on the Master Death List, leaves plenty of runway for misconduct. According to the audit report, the “SSA received 4,024 E-Verify inquiries using the SSNs of 3,873 numberholders born before June 16, 1901.”

On the off chance you missed the memo while diving for sunken treasure at the bottom of Loon Lake: Identity theft is now the third certainty in life, right behind death and taxes. When a loved one passes, there is a trifecta, which is why it’s trebly important to protect against the threat of a different kind of life everlasting.

Cyber Risk: The Expanding Threat

Summary

— Interest in cyber insurance and risk has grown beyond expectations in 2014 and 2015 as a result of high-profile data breaches, including a massive data breach at health insurer Anthem that exposed data on 78.8 million customers and employees and another at Premera Blue Cross that compromised the records of 11 million customers. The U.S. government has also been targeted by hackers in two separate attacks in May 2015 that compromised personnel records on as many as 14 million current and former civilian government employees. A state-sponsored attack against Sony Pictures Entertainment, allegedly by North Korea, made headlines in late 2014.

— Cyber attacks and breaches have grown in frequency, and loss costs are on the rise. In 2014, the number of U.S. data breaches tracked hit a record 783, with 85.6 million records exposed. In the first half of 2015, some 400 data breach events have been publicly disclosed as of June 30, with 117.6 million records exposed. These figures do not include the many attacks that go unreported. In addition, many attacks go undetected. Despite conflicting analyses, the costs associated with these losses are increasing. McAfee and CSIS estimated the likely cost to the global economy from cyber crime is $445 billion a year, with a range of between $375 billion and $575 billion.

— Insurers are issuing an increasing number of cyber insurance policies and becoming more skilled and experienced at underwriting and pricing this rapidly evolving risk. More than 60 carriers now offer stand-alone cyber insurance policies and insurance broker Marsh estimates the U.S. cyber insurance market was worth more than $2 billion in gross written premiums in 2014, with some estimates suggesting it has the potential to grow to $5 billion by 2018 and $7.5 billion by 2020. Industry experts indicate rates are rising, especially in business segments hit hard by breaches over the past two years.

— Some observers believe that cyber exposure is greater than the insurance industry’s ability to adequately underwrite the risk. Cyberattacks have the potential to be massive and wide-ranging because of the connected nature of this risk, which can make it difficult for insurers to assess the likely severity. Several insurers have warned that the scope of the exposures is too broad to be covered by the private sector alone, and a few observers see a need for government coverage akin to the terrorism risk insurance programs in place in several countries.

See the full white paper here.

Was Your Data Taken in Experian Breach?

A breach of one of Experian’s servers – discovered on Sept. 15 – has resulted in 15 million compromised records with personal information like names and Social Security numbers. The breach included information about T-Mobile customers from as far back as 2013. Here are the details and action steps you can take if you think you’re a victim.

The server that was attacked housed records of those who applied for T-Mobile’s services between Sept. 1, 2013, and Sept. 16, 2015. Overall, the compromised information included…

  • Names
  • Addresses
  • Dates of birth
  • Driver’s license numbers
  • Social Security numbers
  • Passport IDs

The affected server was not part of Experian’s consumer credit bureau; nevertheless, a data breach is good reason to check your defenses when it comes to protecting your personal information, and there are plenty of ways you can protect yourself.

Make sure hackers didn’t steal your information and use it to their advantage. Check your credit reports annually and review your bank statements for suspicious activity, like a new line of credit or purchases you didn’t make.

Be cautious! When a breach like this occurs, fraudsters may call the victims and say they’re from the affected companies. They may ask you for your personal information, so they can “help” you. Keep in mind that T-Mobile and Experian made it clear that they will not send a message or call and ask for personal information connected with the incident.

Consider some of the major data breaches we’ve had in the past couple years:

  • JP Morgan Chase – 76 million customer records
  • Anthem – 87.6 million
  • Home Depot – 56 million
  • Target – 110 million

Whether or not you think you’re a victim, employing an identity theft protection plan is relevant and important.

Ironically, T-Mobile is offering resolution services through Experian’s ProtectMyID, for those who were affected by the data breach; however, full, continuing coverage demands an identity protection service that has more robust features than those provided through the complimentary membership.

ProtectMyID’s complimentary membership includes SSN and credit-card monitoring, but you also need monitoring for high-risk transactions and data sweeps. ProtectMyID includes credit monitoring and an Experian credit report upon entry, but you also need your credit score and identity risk score (showing how vulnerable you are to identity theft). ProtectMyID has lost wallet/purse assistance and alerts for suspicious activity, which is good. It is backed by $1 million identity theft insurance coverage, too, but you also need coverage that will reimburse you for the expenses you incur while returning your life to normal. ProtectMyID has fraud resolution agents who can offer assistance to victims, but you also need a financial consultation, a legal consultation and more.

You need stronger layers of protection against identity theft, help creating an action plan and professional assistance with addressing compromised information and accounts.

The Experian data breach is a big reminder of how a robust identity theft protection plan is absolutely necessary.