Tag Archives: IDT911

New Approach to Cyber Insurance

The most active players in the fledgling but fast-growing cyber insurance market are hustling to differentiate themselves.

The early adopters and innovators are doing so by accelerating the promotion of value-added services—tools and systems that can help companies improve their security postures and thus reduce the likelihood of ever filing a cyber damages claim.

As more businesses look to purchase cyber liability policies, insurance sellers are striving to dial up the right mix of such services, a blend that can help them profitably meet this pent-up demand without taking on too much risk.

The incentive is compelling: Consultancy PricewaterhouseCoopers estimates that the cyber insurance market will grow from about $2.5 billion in 2014 to $7.5 billion by 2020. European financial services giant Allianz goes a step further with its prediction that cyber insurance sales will top $20 billion by 2025.

This anticipated growth in demand for cyber liability coverage—coupled with the comparatively low level of loss claims—has created strong competition in this nascent market.

The Insurance Information Institute estimated last year that about 60 companies offered standalone cyber liability policies. In total, more than 500 insurers provide some form of cyber risk coverage, according to a recent analysis by the National Association of Insurance Commissioners.

“There are quite a few players, so they are looking for ways to differentiate themselves and find competitive edges,” says David K. Bradford, co-founder and chief strategy officer for Advisen, an insurance research and analysis company.

Insurance companies make adjustments

Insurance carriers hot after a piece of this burgeoning market are beginning to offer value-added services to make their cyber offerings stand out.

See also: 8 Points to Consider on Cyber Insurance  

Rather than growing these services in-house, most are partnering with vendors and consultants that specialize in awareness training, network security and data protection. Services that boost the value of cyber policies are being supplied for free, or offered at a discount.  Typical cyber insurance valued-added services include:

  • Phishing and cyber hygiene awareness training
  • Incidence response planning
  • Security risk assessments
  • Best practices web portals and software-as-a-service tools
  • Threat detection services
  • Employee and customer identity theft coverage
  • Breach response services

One measure of value-added services gaining traction comes from the Betterley Report, which recently surveyed 31 carriers that offer cyber policies. Betterley found that about half offered “active avoidance services,” while nearly all offered some sort of pre-breach planning tools.

Rick Betterley, president of Betterley Risk Consultants, which publishes the Betterley Report, says there is still a long way to go. “There’s much more that can be done to help the insureds be better protected,” he says.

Betterley is a big proponent of adding risk-management services to cyber policies. He calls the approach Cyber 3.0, adding that it’s akin to the notion of insuring a highly protected risk in a property insurance policy. Cyber value-added services, he says, are the equivalent of fire insurance companies requiring sprinklers.

“It’s not required that insurance companies provide the services, but it’s required that they help insureds identify what services are likely to generate a reduction in premiums,” Betterley says.

Sector faces new challenges

That said, the cyber insurance sector is still finding its way. With auto crashes, fire or natural disasters, losses are well defined and fully understood. Cyber exposures, by contrast, are hard to pin down. Network vulnerabilities are extremely complex and continually evolving. And historic data on insurance claims related to data breaches remains, at least for the moment, in short supply.

An added challenge, Betterley says, is that insurance companies are unable to satisfactorily measure the effectiveness of security technologies and services in preventing a data breach.

Advisen’s Bradford agrees. “It’s a rapidly evolving area that changes day to day, and underwriters are definitely wary of recommending a particular vendor or approach,” he says.

Eventually, the insurance industry will figure out how to make meaningful correlations and separate the wheat from the chaff.

“In bringing in these value-added services, we can help shore up some of those areas where we’re seeing human error,” observes Dave Wasson, cyber liability practice leader at Hays Cos., a commercial insurance brokerage and risk management consultancy. “We’ll be at a point where we’ll know what makes a difference, and we can put our money, time and efforts into those solutions.”

Eric Hodge, director of consulting at IDT911 Consulting, part of IDT911, which underwrites ThirdCertainty.com, concurs. One ironic result of the recent spike of ransomware attacks aimed at businesses, Hodge says, is that more hard data is getting generated that is useful for calculating loss profiles.

See also: Another Reason to Consider Cyber Insurance  

Along the same lines, settlements of class-action lawsuits related to breaches of high-profile retailers, such as Target and Sony, is helping amass data that will help the industry flesh out evolving actuarial tables.

“Losses from cyber attacks and data breaches are becoming easier to quantify,” Hodge says. “And market forces are absolutely lining up to reward the wider use of these activities. It’s harder to ignore the fiscal argument for an insurer to go the extra mile in helping the insured organizations make sure that a costly breach doesn’t occur.”

AIG blazes trail

One notable proponent leading the way is multinational insurance giant AIG, which is nurturing partnerships with about a half-dozen cybersecurity vendors.

AIG services—some of which are offered to policyholders at no cost—range from threat intelligence and cyber risk maturity assessments to active detection and vulnerabilities assessments.

RiskAnalytics, one of AIG’s partner vendors, provides threat intelligence services, including a service that detects and shuns blacklisted IP addresses. Any AIG insured with a minimum $5,000 policy can participate at no additional cost.

The company’s partnership is exclusive to AIG, and appears to be very popular.

“We’re bringing in multiyear contracts, and the average sales price is on an impressive trajectory,” says RiskAnalytics Chief Operative Officer Kurt Lee. “It’s all born out of (customers) using that (introductory) service through the policy.”

Recognizing the trend, more vendors are seizing the opportunity to market their services to insurance carriers.

Vendors are willing to jump through the many hoops because a partnership with an insurance company is an opportunity to get a soft introduction to a potential client, says Mike Patterson, vice president of strategy at Rook Security, a managed security services provider (MSSP) that is reaching out to carriers.

Dismantling roadblocks

As with any new approach, broad adoption of cyber insurance value-added services isn’t without hurdles. One major obstacle is the “’this-isn’t-how-we’ve-always-done-it’ way of thinking,” says IDT911’s Hodge. “It’s like trying to change our election processes—people resist altering a system that has been in place for a couple hundred years.”

Another barrier is cost. Insurance companies tend to reserve free or discounted added services for heavyweight clients that spend small fortunes on annual premiums, says John Farley, vice president and cyber risk practice leader at insurance brokerage HUB International.

“Carriers can’t give away a lot of resources, so the smaller premium payers are not getting a lot of these services,” Farley says. “But if they can streamline and automate resources and figure out how to get customizable, usable information to the insurance buyer, that insurance carrier will probably stand out.”

Brian Branner, RiskAnalytics’ executive vice president, says that’s exactly one of the benefits that AIG derives from their partnership.

“If we can get the insureds to use the services we provide, we should lower AIG’s loss ratio because they’ll be safer organizations, and AIG should receive less claims,” he says.

Hidden costs of a breach can affect a large enterprise for years, and prove catastrophic to a small business. So insurance companies in the vanguard are looking to find business clients that are taking information security seriously.

See also: The State of Cyber Insurance  

As more companies buy cyber policies, and use any attendant services, the result could be a halo effect, says IDT911’s Hodge.

“This is certainly something that the insurers are counting on,” Hodge says. “A more secure buyer is a lower actuarial risk to the insurer.”

Meanwhile, policyholders should steadily become better equipped to securely do business in an internet-centric economy riddled with evolving exposures.

Hodge says: “In my experience, the buyer is often pleasantly surprised by the improvement that can come about quickly in terms of knowing their risk, being compliant with their industry standards and being able to indicate to the marketplace that they are taking good care of their customer’s information.”

This post originally appeared on ThirdCertainty. It was written by Rodika Tollefson.

New Attack Vector for Cyber Thieves

It has become commonplace for senior executives to use free Web mail, especially Gmail, interchangeably with corporate email. This has given rise to a type of scam in which a thief manipulates email accounts. The goal: impersonate an authority figure to get a subordinate to do something quickly, without asking questions. The FBI calls this “CEO fraud,” and a surge of these capers has resulted in scammers stealing a stunning $750 million from more than 7,000 U.S. companies from October 2013 through August 2015.

Here is an example where the scammer targets an attorney from a big city in the Northeast.

Attack vector: The scammer gathers intelligence about real estate transactions handled by an attorney and drills down on a specific deal in which the law firm is handling the purchase of a $450,000 home for a client. The scammer learns this attorney is in the habit of using his personal Gmail account interchangeably with his law firm’s email. As the transaction approaches the final step, the attorney’s paralegal receives a spoofed email that appears to come from her boss. She instantly follows a directive to cancel a check for $450,000 that she is about to mail and instead wires the funds into an account designated by the scammer.

More video: Scammers exploit trust in Google’s platform

Distinctive technique: The funds initially get routed to another law firm in the Southwest. A subordinate in this law firm also appears to have been spoofed by the scammer to be prepared to move funds once again, this time into an account set up in a U.S. branch office of Sumitomo Bank, a giant global institution with headquarters in Tokyo. “At this point, it is not likely the $450,000 will ever be recovered,” says IDT911 Chief Privacy Officer Eduard Goodman. “Once a transfer like this is made, you can’t really unring that bell.”

Wider implications: U.S. consumers are well protected by federal law, and banks usually will reimburse individual consumers victimized by cyber criminals. However, banks are under no legal obligation to offer any relief to businesses, large or small, that have been tricked like this. Most of the $750 million lost in documented cases of CEO fraud has most likely been absorbed by the duped business entities.

Infographic: More Americans living with data insecurity

Excerpts from ThirdCertainty’s interview with Goodman. (Answers edited for length and clarity.)

3C: Businesses are losing one heck of a lot of money to CEO fraud.

Eduard Goodman, IDT911 chief privacy officer

Goodman: Yeah, absolutely. This one was for about $450,000. There is another woman with a ballet company who recently lost about $100,000. It’s significant chunks, let’s put it that way. And because this is happening in a business setting, it’s a little bit different in that your bank won’t stand behind you. It’s caveat emptor. There is no consumer protection. When something like this happens to your business, you’re out of luck.

3C: Why aren’t suspicious transactions flagged more often?

Goodman: The government will tend to go after companies for anything that may have to do with consumer violations. But when businesses impact other businesses, the government doesn’t do a damn thing, even if the victim is a really small business and they’re essentially consumers in and of themselves. Banks have that unfair advantage to say, ‘Well, sorry, should have flagged it, but we just process it for you.’

3C: So by using free Web mail this attorney sort of invited spoofing?

Goodman: He kind of comingled accounts, that’s the thing. He had his law firm’s email, and he also had a personal Gmail account. He would send emails from both accounts. That is something that has become a very common practice. He probably had previously emailed himself something from his actual work account into his Gmail account. This scammer probably got into his Gmail account, and then made the connection to his law firm account.

Then it was off to the races. The paralegal gets the wire transfer request from an email that’s very close to an authentic law firm email except there’s an extra letter in the domain name. It looks very credible.

3C: Could this have been avoided?

Goodman. Yes, by taking the extra 45 seconds to make a phone call. Pick up the phone and verify things instead of getting caught up in the workday.

Expect More Cyber Turbulence in 2016

In February 2015, Anthem, the nation’s second-largest health care insurer, disclosed losing records for 80 million employees, customers and partners. That was followed a few weeks later by Premera Blue Cross admitting it lost records for 11 million people.

Then in July 2015, the U.S. Office of Personnel Management began a series of mea culpas. OPM ultimately conceded that hackers swiped sensitive personnel records for 21.5 million federal employees, contractors and their family members. Anthem, Premera Blue Cross and OPM were among the high-profile breaches in a year when the Identity Theft Resource Center counted more than 750 publicly disclosed data leaks.

ThirdCertainty asked three IDT911 experts — Brian Huntley, Eduard Goodman and Victor Searcy — for their 2016 prognostications. (Full disclosure: IDT911 underwrites ThirdCertainty.)

Wire fraud and politics 

Brian Huntley, IDT911 Chief Information Security Officer
Brian Huntley, IDT911 Chief Information Security Officer

 

Huntley: In the coming year, fraud and theft will plague the merchant payments and ACH wire transfer systems. Small and medium-size businesses are especially vulnerable. If enough SMBs get victimized, it could result in a public outcry about the inherent vulnerabilities in these systems, especially as consumers and small business owners come to realize there is minimal regulatory protections in these types of cases.

This being an election year, U.S. presidential candidates will focus on cyber war strategy and armament. Armchair quarterbacking of the 2015 U.S.-China cybersecurity agreement will arise as the centerpiece of this debate. We could see the U.S.-China cyber accord ascend as the basis for peer agreements between other nation states.

Meanwhile, the search will continue in different industries for an information security control framework that is akin to what the financial services sector has in the Federal Financial Institutions Examination Council’s (FFIEC) Information Security Guidelines and the health care sector has in the Health Insurance Portability and Accountability Act (HIPAA) of 1996.

Data tranfers and children’s privacy

Eduard Goodman, IDT911 Chief Privacy Officer
Eduard Goodman, IDT911 Chief Privacy Officer

 

Goodman: U.S. companies with a European presence will encounter a tremendous amount of uncertainty in 2016 with respect to Europe’s stricter Safe Harbor data privacy rules, relating to the sensitive data transfers to businesses in the U.S.

European regulators can be expected to harass the likes of Facebook and Google. And the threat of sanctions for noncompliance with Europe’s tougher Safe Harbor standards could easily filter down to many smaller companies, as well.

In another area, the recent hacking of toy maker VTech and Hello Kitty parent company SanrioTown.com signals that the theft of children’s information could become a worrisome new trend. As children obtain earlier access to social media, smartphones and Web-enabled toys, details of their personal information and preferences are rapidly becoming part of the greater data ecosystem.

As a result, we will see more breaches that involve the theft of information for individuals under the age of 18. Hopefully, we also will see more public dialogue about the concept of preserving children’s privacy, whether it be school record data, health information or data files containing images, video and audio recordings.

Taxpayers targeted—once again

Victor Searcy, IDT911 Director of Fraud Operations
Victor Searcy, IDT911 Director of Fraud Operations

 

Searcy: One of the most pervasive identity theft scams involves the filing of a faked federal tax return using an ill-gotten Social Security number. Sadly, this will continue to be true again in 2016.

In the 2010 and 2011 tax seasons, the Internal Revenue Service paid out $8.8 billion of taxpayer money to identity thieves. And statistics pulled from a sampling of customers assisted through IDT911’s Resolution Center in 2014 show a 120% increase in tax fraud victims in 2014 and another 134% increase in 2015.

We expect this number to grow again in 2016. It can take months for a victim to sort out the mess with the IRS. Worse, there is little stopping criminals from using a victim’s Social Security number and other personal information in other scams.

IDT911 stats show that 16% of tax fraud victims also were victims of financial identity theft; 12% of customers experienced multiyear tax fraud; and 16% were victims of both federal and state tax fraud.

Unclaimed Funds Can Lead to Data Breaches

When it comes to privacy, not all states are alike. This was confirmed yet again in the 50 State Compendium of Unclaimed Property Practices we compiled. The compendium ranks the amount of personal data that state treasuries expose during the process by which individuals can collect unclaimed funds. The data exposed can provide fraudsters with a crime exacta: claiming money that no one will ever miss and gathering various nuggets of personal data that can help facilitate other types of identity theft. The takeaway: Some states provide way too much data to anyone who is in the business of exploiting consumer information.

For those who take their privacy seriously, the baseline of our compendium—inclusion in a list of people with unclaimed funds or property—may in itself be unacceptable. For others, finding their name on an unclaimed property list isn’t a huge deal. In fact, two people on our team found unclaimed property in the New York database (I was one of them) while putting together the 50-state compendium, and there were no panic attacks.

Free IDT911 white paper: Breach, Privacy and Cyber Coverages: Fact and Fiction

That said, there is a reason to feel uncomfortable—or even outright concerned—to find your name on a list of people with unclaimed property. After all, you didn’t give anyone permission to put it there. The way a person manages her affairs (or doesn’t) should not be searchable on a public database like a scarlet letter just waiting to be publicized.

Then there’s the more practical reason that it matters. Identity thieves rely on sloppiness. Scams thrive where there is a lack of vigilance (lamentably, a lifestyle choice for many Americans despite the rise of identity-related crimes). The crux of the problem when it comes to reporting unclaimed property: It’s impossible to be guarded and careful about something you don’t even know exists, and, of course, it’s much easier to steal something if you know that it does.

The worst of the state unclaimed property databases provide a target-rich environment for thieves interested in grabbing the more than $58 billion in unclaimed funds held by agencies at the state level across the country.

States’ response to questions about public database

When we asked for comment from the eight states that received the worst rating in our compendium—California, Hawaii, Indiana, Iowa, Nevada, South Dakota, Texas and Wisconsin—five replied. In an effort to continue the dialogue around this all-too-important topic, here are a few of the responses from the states:

— California said: “The California state controller has a fraud detection unit that takes proactive measures to ensure property is returned to the rightful owners. We have no evidence that the limited online information leads to fraud.”

The “limited online information” available to the public on the California database provides name, street addresses, the company that held the unclaimed funds and the exact amount owed unless the property is something with a movable valuation like equity or commodities. To give just one example, we found a $50 credit at Tiffany associated with a very public figure. We were able to verify it because the address listed in the California database had been referenced in a New York Times article about the person of interest. Just those data points could be used by a scammer to trick Tiffany or the owner of the unclaimed property (or the owner’s representatives) into handing over more information (to be used elsewhere in the commission of fraud) or money (a finder’s fee is a common ruse) or both.

This policy seems somewhat at odds with California’s well-earned reputation as one of the most consumer-friendly states in the nation when it comes to data privacy and security.

— Hawaii’s response: “We carefully evaluated the amount and type of information to be provided and consulted with our legal counsel to ensure that no sensitive personal information was being provided.”

My response: Define “sensitive.” These days, name, address and email address (reflect upon the millions of these that are “out there” in the wake of the Target and Home Depot breaches) are all scammers need to start exploiting your identity. The more information they have, the more opportunities they can create, leveraging that information, to get more until they have enough to access your available credit or financial accounts.

— Indiana’s response was thoughtful. “By providing the public record, initially we are hoping to eliminate the use of a finder, which can charge up to 10% of the property amount. Providing the claimant the information up front, they are more likely to use our service for free. That being said, we are highly aware of the fraud issue and, as you may know, Indiana is the only state in which the Unclaimed Property Division falls under the Attorney General’s office. This works to our advantage in that we have an entire investigative division in-house and specific to unclaimed property. In addition, we also have a proactive team that works to reach out to rightful owners directly on higher-dollar claims to reduce fraud and to ensure those large dollar amounts are reaching the rightful owners.”

Protect and serve should be the goal

While Indiana has the right idea, the state still provides too much information. The concept here is to protect and serve—something the current system of unclaimed property databases currently does not do.

The methodology used in the compendium was quite simple: The less information a state provided, the better its ranking. Four stars was the best rating—it went to states that provided only a name and city or ZIP code—and one star was the worst, awarded to states that disclosed name, street address, property type, property holder and exact amount owed.

In the majority of states in the U.S., the current approach to unclaimed funds doesn’t appear to be calibrated to protect consumers during this ever-growing epidemic of identity theft and cyber fraud. The hit parade of data breaches over the past few years—Target, Home Depot, Sony Pictures, Anthem and, most recently, the Office of Personnel Management—provides a case-by-case view of the evolution of cybercrime. Whether access was achieved by malware embedded in a spear-phishing email or came by way of an intentionally infected vendor, the ingenuity of fraudsters continues apace, and it doesn’t apply solely to mega databases. Identity thieves make a living looking for exploitable mistakes. The 50 State Compendium provides a state-by-state look at mistakes just waiting to be converted by fraudsters into crimes.

The best way to keep your name off those lists: Stay on top of your finances, cash your checks and keep tabs on your assets. (And check your credit reports regularly to spot signs of identity fraud. You can get your free credit reports every year from the major credit reporting agencies, and you can get a free credit report summary from Credit.com every month for a more frequent overview.) In the meantime, states need to re-evaluate the best practices for getting unclaimed funds to consumers. One possibility may be to create a search process that can only be initiated by the consumer submitting his name and city (or cities) on a secure government website.

Data Security Critical as IoT Multiplies

When this century commenced, delivering new technology as quickly as possible, with scant concerns about quality, became standard practice. Consumers snookered into buying version 1.0 of anything were essentially quality-control testers.

How soon we forget. As we enter the age of the Internet of Things, companies are pushing out computing devices optimized to connect to the Web with little thought to security implications.

Free IDT911 white paper: Breach, Privacy, And Cyber Coverages: Fact And Fiction

ESET security researcher Cameron Camp has been paying close attention to data security. He recently sat down with ThirdCertainty to share his observations (answers edited for clarity and length):

3C: New devices with the capacity to link to the Internet seem to hit the market every day, and eager early adopters snatch them up. Why should they slow down?

Camp: Companies are going to live and die on whether they get to market fast. I think security tends to be an afterthought, and I’m concerned that some of the manufacturers don’t really have a solid way forward right now.

3C: That sounds ominous. What can and should we be doing?

Camp: We have to think about security in new ways. We have to secure the person, the experience and the data in rest and in motion at all times, and that’s not going to be done with a PC attitude toward security.

We don’t understand how to protect that data at all times and on a multitude of platforms. If you’re working on machines at home, and a lot of them are connected, and you have a breach on one, you have a breach on lots of them. All hackers need is a toehold into your system.

3C: What if someone doesn’t buy every new gizmo that comes along? Are they safe?

Camp: Hackers are finding interesting and novel ways to break into all kinds of things. Routers are one of the first things that really need security to be dealt with, because everyone has one. If your router is one to three years old, it is a gateway to get into everything you own.

3C: Why don’t routers get patched like PCs?

Camp: The manufacturer will be notified that these things are wide open to attacks, and they don’t seem to want to do anything; they’re more interested in the next product cycle. People replace a router when it dies after five years. In the meantime, if four of those years they’re vulnerable, we have a big problem.

Manufacturers have to keep the revenue up; they don’t do that by supporting their routers forever, especially low-cost routers. In the Internet of Things, if you have many sensors around the house, and you raise the cost of those sensors by $1, it makes your system cost too much. Nobody’s going to buy it, and you’re going to be out of business.

3C: Everyone is worried about their routers now; anything else consumers need to be concerned about?

Camp: The people who are good at breaking into Internet of Things devices may not be good at exploiting them, but they are good at entry, and they’re going to sell that to the highest bidder.

Many of these devices run a full Linux operating system; that means they are a server. You can load things on them and exfiltrate data, because Linux was always built to be networked; it was built to be in a server environment.

3C: Is there some good news on the horizon?

Camp: I think there’s going to be a standardization around operating system ecosystems. We’re going to see default operating systems used on the Internet of Things so a manufacturer can focus on their own sensor, their own technology, and just drop in a secure operating system. Right now, there’s many different permutations. In five years, we’re not going to see that, we’re going to see just a few that everyone uses, so if there’s a security issue, people will understand more how to patch them.