Written for the NetDiligence Cyber Risk & Privacy Liability Forum, Oct. 17-19, 2016, Santa Monica California
Authors & Contributors
Pascal Millaire, Symantec | John Farley, HUB International | Sarah Stephens, JLT | Stuart Kohn, Navigators | Paul Nikhinson, Beazley | Mary Guzman, McGriff, Seibels & Williams | Sudhir Bhatti, Symantec
Cyber insurance is one of the most important new insurance lines to emerge in decades. According to Lloyd’s, cyber crime costs business over $400 billion each year, and that number is growing every year. Cyber risk has emerged as one of the top 3 risks that concern Chief Risk Officers and enterprise insurance buyers, and over 70 insurance carriers have responded by entering the market with cyber insurance policies.
The complication is that the nature of these risks is constantly changing along with shifts in technology, security vulnerabilities and threat actor motivations. Furthermore, the risk looks very different from one industry to the next, given differences in the technologies those industries use, the data they collect and store, the potential impact of business interruption and property damage from a cyber attack, and the degree to which malicious individuals and institutions focus on them.
This article draws on expertise from leaders in the cyber security and cyber insurance industries and is intended to provide an overview of the shifting security landscape over the past ~6 months and the implications for insurance carriers and brokers.
Pascal Millaire, VP & GM, Cyber Insurance, Symantec Corporation
Healthcare
There have been at least 12 ransomware attacks on US healthcare organizations so far in 2016, yet cybersecurity investment in the healthcare industry is still relatively low. An average security breach costs more than $1 million to rectify, and healthcare organizations spend just 10% or less of their IT budgets on cybersecurity.
Ransomware is a specific type of malware that encrypts data with a decryption key accessible only to the attacker. The malicious software is designed to block access to a system until a ransom is paid. Hospitals are increasingly becoming a soft target for ransomware. In Feb 2016, Hollywood Presbyterian Medical Center in Los Angeles was attacked by a group of Turkish hackers who locked down the hospital’s IT systems for over a week and posted the message “We owned Hollywood hospital” on the text-sharing site Pastebin. The hospital had to swallow the bitter pill and paid a ransom of about $17,000 in bitcoin to restore its systems. The sharp rise of ransomware is pushing organizations to stockpile bitcoins so that they can pay cybercriminals fast if a malware attack blocks access to critical systems or files.
Healthcare organizations are vulnerable to more such attacks as they accelerate their digital transformation. Hackers are also known for selling stolen patient records on the black market. To help healthcare organizations better understand and respond to the growing threat of ransomware, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released new HIPAA guidance on ransomware in July 2016. The guidance lists HIPAA-related measures that organizations can take to prevent and respond to ransomware attacks. OCR began its “Phase 2” HIPAA audits earlier this year to assess compliance with the rules.
Several vendors offer Dark Web monitoring and alerting services to catch early indicators of stolen data being sold by hackers. Customers can also purchase cyber insurance products to mitigate ransomware losses. Extortion liability coverage reimburses policyholders for losses resulting from ransomware, though limits are typically restricted because a cyber extortion incident could itself be fraudulent and involve the insured party.
Some insurance products also offer reputation protection and file recovery coverage if the customer decides not to pay the ransom or when the decryption key is not delivered after the ransom payment. It is also critical for healthcare organizations to ensure that each and every employee has received phishing and security awareness training.
Financial Services
As digital banking continues to see tremendous consumer adoption, financial institutions are trying to evolve and quickly determine how mobile technology can help them enhance the customer experience. Although mobile banking usage has surged, some consumers remain concerned about security and the lack of data protection on mobile devices.
A series of bank frauds against the Bangladesh Central Bank and the Ecuadorian bank Banco del Austro using the SWIFT banking messaging service revealed critical chinks in the armor of institutions assumed to be highly secure, which became easy prey for hackers because of their vulnerable IT infrastructure. The hackers stole credentials and sent seemingly authentic messages to conduct unauthorized transfers, then installed malicious software on the banks’ systems to manipulate printers and hide traces of the illicit messages. After the SWIFT attacks, the Federal Financial Institutions Examination Council (FFIEC) issued guidance to banks on the cyber risks associated with interbank messaging and wholesale payment networks.
Blockchain is currently being touted as the next disruptive technology to address a number of security challenges for financial institutions, but recent reports have shown that blockchain-based systems are also susceptible to attacks. In Aug 2016, bitcoin worth $72 million was stolen from the Bitfinex exchange in Hong Kong, underlining the risks for companies using cryptography for their ledgers. Bitfinex is one of the largest bitcoin exchanges, and this heist was the second-largest cyber theft ever from such an exchange.
Such sophisticated breaches have sent financial institutions and banks scrambling to buy cyber coverage. Most financial institutions in the US purchase cyber insurance, and other industries are following suit. Several banks purchase standalone cyber insurance coverage in the range of $150 million. But just because someone tricks you using a computer, that does not make the loss fall under “cyber coverage”. Cyber protection usually covers breaches and notification costs but may exclude fraudulent credit card purchases or social engineering claims.
To accurately assess their cyber coverage needs, financial institutions need to do a gap analysis to understand their risks and come up with a long-term strategy to redesign their internal processes to accelerate their digital journey.
Manufacturing and Transportation
The manufacturing and automotive industries are undergoing a rapid transformation across several sectors, but the growing integration of physical objects and software systems introduces risks never seen before.
Tesla is the pioneer in the self-driving car space and unveiled its autopilot mode in 2015, which automates steering, braking and lane switching. According to Tesla, the autopilot mode is a voluntary feature and does not make the company liable for accidents, as drivers are warned of the risks. The National Highway Traffic Safety Administration (NHTSA) is investigating the role played by autopilot technology after a fatal collision in Florida between a Tesla Model S and a big rig.
In Jan 2016, the U.S. Transportation Department and 17 automakers entered into an agreement on joint efforts to enhance driver safety, including information sharing to thwart cyber attacks on vehicles. Later in the year, the Obama administration issued new federal guidelines for autonomous cars and trucks to enhance safety standards.
Somali pirates have frequently attacked commercial ships off Africa’s east coast in the last couple of years. These modern-day pirates leverage network intrusions to hack into shipping companies’ systems and target valuable goods on the high seas. According to the 2016 Verizon Data Breach Digest report, security researchers discovered that hackers uploaded a malicious script to one company’s content management system (CMS) and identified specific shipping containers by searching for the bar codes associated with high-value cargo items. The company was using a homegrown CMS to manage bills of lading for its cargo ships, which led to this vulnerability.
Airlines are increasingly being targeted by cyber attacks. In 2015, Chris Roberts of One World Labs claimed to have hacked into a Boeing aircraft’s in-flight entertainment system and caused the plane to move sideways by issuing a climb command to one of the engines. Boeing denied vulnerabilities in its entertainment systems and stated that the in-flight entertainment system is isolated from the navigation system. However, the incident led to an FBI investigation and served as a wake-up call for the entire airline industry.
SCADA Strangelove, a team of white hat security researchers from Germany, demonstrated, without naming the rail systems in question, that these systems too are vulnerable. The researchers assessed railway systems and reported in December 2015 that malicious cyber attacks can cause delays and, in the worst cases, even train-on-train collisions. Today’s railway systems contain a variety of digital equipment such as traction control systems, automatic train control (ATC) systems and passenger entertainment systems. Their findings highlighted vulnerabilities related to dated software, weak passwords and a lack of authentication. Entertainment and engineering systems were not segregated, which means that if one system is compromised, attackers could gain access to the other.
With all of these possibilities, it is vital to explore a holistic approach to managing risk in the manufacturing and transportation industries. Companies must have a cyber incident response plan and assess their ability to transfer cyber risk through insurance. This clearly demands more cooperation between the various lines of business, e.g. cyber liability and marine insurance.
Most cyber insurance policies do not cover bodily injury or property damage resulting from a cyber attack, on the reasoning that an individual cannot be physically injured by having their critical data exposed or IT systems breached. But with the latest advancements in the manufacturing and transportation industries, there will be an increasing need for cyber liability policies to cover bodily injury and physical damage. When purchasing cyber insurance, it is critical to have an underwriter and broker who understand the industry sector as well as the product. The insurance industry is structured into silos, but cyber is not a vertical phenomenon; it applies horizontally. Most cyber liability units tend to fall within the Errors & Omissions sector, but cyber really is not an Errors & Omissions product.
Retail
Retailers are confronting daunting challenges in mitigating their increasing risk exposure across emerging technologies, new geographical expansions and extended supply chains. Some of the largest data breaches at US retailers have mostly targeted point-of-sale (POS) systems. Major retailers like Target and Neiman Marcus have been breached. During the Target breach, 40 million credit and debit cards were exposed, and Target suffered losses to the tune of more than $250 million.
For retailers, the key system component being targeted is the point-of-sale (POS) device and not the stored data. In the case of both Target and Neiman Marcus, the memory-scraping malware was designed to read the RAM inside POS devices. RAM-scraping malware is programmed to act at the moment card data is decrypted and immediately copies the unencrypted data out of memory.
After these high-profile breaches, card issuers decided to shift to an EMV, or Chip-and-PIN, system to address the weakness of the existing payment system, but EMV has its own shortcomings: on its own, it does not prevent POS RAM-scraping. To address these issues, retailers need to adopt a multi-tiered approach to securing payment card transactions, which includes implementing end-to-end encryption (E2EE) and tokenization in conjunction with support for EMV.
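The contrast between the RAM-scraping window described above and the E2EE-plus-tokenization mitigation, as an added Python example that is not part of the original article. It models a card reader that encrypts track data at swipe with a key shared only with the payment processor, a processor-side token vault that returns a token and last four digits to the merchant, and a defender's check (`find_pan_like`) of the kind a DLP scanner or post-breach assessment runs over a POS process dump or log file: any run of 13 to 19 digits that passes the Luhn check is a plaintext PAN exposure. Assumptions: the HMAC-SHA256 counter keystream is a stand-in for the reader's real P2PE cipher so the example needs only the standard library, the PAN is the well-known Visa test number, and the vault is an in-memory dictionary.

```python
import hashlib
import hmac
import secrets
import string

# Constructed sample card data: the well-known Visa test PAN (Luhn-valid, not a real account).
SAMPLE_PAN = "4111111111111111"
SAMPLE_EXPIRY = "1219"


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation, the same test a DLP scanner uses to recognise PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pan_like(buffer: bytes) -> list:
    """Defender's check: every run of 13-19 ASCII digits in a memory or log buffer
    that passes Luhn. Run over a POS process dump; a clean E2EE flow returns []."""
    found, run = [], ""
    for b in buffer + b"\x00":  # trailing sentinel flushes the last run
        if 48 <= b <= 57:
            run += chr(b)
            continue
        if 13 <= len(run) <= 19 and luhn_ok(run):
            found.append(run)
        run = ""
    return found


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from HMAC-SHA256 (assumption: stands in for the
    reader's real P2PE cipher so the example needs only the standard library)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def reader_encrypt(p2pe_key: bytes, track: bytes) -> bytes:
    """Card reader encrypts at swipe; the POS only ever sees nonce || ciphertext."""
    nonce = secrets.token_bytes(12)
    return nonce + bytes(a ^ b for a, b in zip(track, _keystream(p2pe_key, nonce, len(track))))


def processor_decrypt(p2pe_key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:12], blob[12:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(p2pe_key, nonce, len(ct))))


class ProcessorVault:
    """Payment processor side: decrypts, authorises and hands back a token.
    The merchant stores the token and last four digits, never the PAN."""

    def __init__(self, p2pe_key: bytes):
        self._key = p2pe_key
        self._vault = {}  # token -> PAN, lives only at the processor

    def authorize(self, blob: bytes) -> dict:
        pan, _expiry = processor_decrypt(self._key, blob).decode().split("=")
        # Letters only, so the token itself can never look like a PAN to a scanner.
        token = "tok_" + "".join(secrets.choice(string.ascii_uppercase) for _ in range(12))
        self._vault[token] = pan
        return {"token": token, "last4": pan[-4:], "approved": luhn_ok(pan)}


def legacy_pos_flow(p2pe_key: bytes) -> bytes:
    """'Before': the POS itself holds the key and decrypts to build the authorisation
    request, so the plaintext PAN sits in POS RAM, the window a RAM scraper reads."""
    blob = reader_encrypt(p2pe_key, f"{SAMPLE_PAN}={SAMPLE_EXPIRY}".encode())
    pos_memory = processor_decrypt(p2pe_key, blob)  # plaintext track data in POS memory
    return pos_memory


def e2ee_pos_flow(p2pe_key: bytes, processor: ProcessorVault) -> bytes:
    """'After': E2EE + tokenisation. The POS forwards the ciphertext and keeps only
    the token and last four digits; the key never exists on the POS."""
    blob = reader_encrypt(p2pe_key, f"{SAMPLE_PAN}={SAMPLE_EXPIRY}".encode())
    resp = processor.authorize(blob)
    pos_memory = blob + f"|{resp['token']}|{resp['last4']}".encode()
    return pos_memory


if __name__ == "__main__":
    key = b"constructed processor key"  # shared by reader and processor
    print("legacy POS memory exposes:", find_pan_like(legacy_pos_flow(key)))
    print("E2EE POS memory exposes:  ", find_pan_like(e2ee_pos_flow(key, ProcessorVault(key))))
```

The point of the two flows is where decryption happens: in the legacy design the scanner finds the full PAN in the POS buffer, while in the E2EE design it finds nothing, because the only plaintext the merchant ever holds is a token and the last four digits. The same `find_pan_like` scan over application logs and crash dumps is a cheap way for a retailer (or an underwriter's assessor) to verify that claim.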
The Payment Card Industry (PCI) standard poses its own set of challenges, as retailers have traditionally not fully appreciated, or have had difficulty quantifying, their exposure to PCI assessments. Even when a company is declared PCI-compliant, that finding can be retroactively reversed after a breach. PCI compliance is hard to determine, and clients are looking for greater PCI limits.
There are two kinds of costs (fines and assessments) that merchants can be liable for in the case of a payment card breach. Fines are levied if a customer fails to comply with card company guidelines as well as for PCI non-compliance. Assessments are meant to recompense the card issuing banks whose cards have been breached and ultimately incur the loss related to stolen cards. There needs to be a better understanding of PCI “assessments” vs. “fines”.
Utilities and Energy
Concerns about cyber attacks on nuclear power plants have grown in recent years after the emergence of computer malware targeting industrial controls. Supervisory Control and Data Acquisition (SCADA) is an industrial control system used for remote monitoring of industrial processes in the physical world. SCADA systems are vulnerable to attacks as these systems were built years ago when security was not a key priority for developers.
In 2013, Iranian hackers attacked the Bowman Avenue flood control dam and gained remote access to a computer controlling it. The attack could have posed a much greater danger had the dam not been shut down for maintenance at the time. The energy sector faces hackers who are financially and politically motivated to undertake large-scale attacks. Evolving smart grid technology introduces a variety of new risks, and a large amount of customer and employee data can be affected in the event of a breach.
According to the US Department of Homeland Security, the energy sector was ranked second only to manufacturing in cyber-attacks in 2015, reporting 15.5% of cyber incidents responded to by its cyber incident team. Four in five oil and gas companies report that there has been an increase in successful cyber attacks during the last year. Such a cyber incident can cause global business interruption, reputational damage and also lead to bodily injury or property damage.
Despite these growing cyber risks, most energy-related insurance policies exclude cyber exposures from coverage. Some policies have evolved to cover the “gap” created by cyber exclusions, and there is increasing customer demand for higher limits and more relevant coverage. At the moment, cyber insurance coverage in the energy sector is limited by constrained budgets and a lack of understanding of the sector’s unique risks. But ignoring these risks could have serious implications in the future.