Issue: North America I 2015
Topic: Exploring the motivations behind cyber crimes and how the US is responding
Title: Head of Cyber Division
Dan Trueman joined Novae from ANV, where he was the Lead Underwriter for their Enterprise Risk Division. Prior to this he spent ten years at Kiln, most recently as Active Underwriter of the Enterprise Risk Division of Syndicate 510, a division he formed and which underwent 350% growth in two years. Other roles included developing Kiln’s Cyber and Reputation Risks account and writing Political Risk and Trade Disruption Insurance within the Marine and Special Risks Division. At Novae, Dan will be responsible for leading the Cyber Division and overseeing business development for this portfolio.
Cyber crime is evolving at an alarming rate, with the methods used appearing to be more advanced, more complex and more serious with every attack, yet worryingly US organisations do not seem to be keeping pace. A survey conducted by PwC in June 2014 concluded that the cyber security programs of US organisations do not rival the tactical skills, persistence and technological capabilities of their potential cyber adversaries. This is a serious cause for concern, as it is no longer a case of ‘if’ an attack will occur but ‘when’. However, recent announcements from President Obama and his administration, including Obama declaring that cyber security is at the top of his agenda for 2015 and the formation of the Cyber Threat Intelligence Integration Centre (CTIIC), demonstrate that the severity of the threat is being felt across all sectors in America. It is vital that businesses focus their efforts on analysing the information they hold to understand what is at risk, then review their cyber security strategies and work with insurers and other businesses to manage these risks effectively and help prevent malicious attacks.
As with physical criminal attacks, there isn’t one all-encompassing motivation, and reasons can vary from political motives and corporate espionage through to employee discontent, stealing information to sell and shaming companies. However, the growing attraction and motivation for cyber criminals seems to be the deniability of involvement and the ability for one attack to have a far greater impact than traditional physical crimes. Criminals and hackers can compromise the servers in target countries to obtain reliable hosting, making it challenging for officials to identify where they are based, and this anonymity empowers criminals. Additionally, cyber crime produces high returns for a disproportionate amount of risk, and the barriers to engaging in cybercrime have decreased, thereby revolutionising the speed and scale of criminal activity. This was emphasised by an FBI report in 2012 which found that there was a decline in physical crimes such as bank robberies and burglaries but a rise in cybercrime.
Cyber criminals are rapidly upgrading their tactics both to recruit other like-minded individuals and to maintain an advantage against security safeguards. For example, in Brazil there are training services available for those wishing to engage in cyber crime. Malware and criminal tactics are advancing rapidly, as exemplified by the latest distributed denial of service (DDoS) attacks, which had the ability to generate traffic rated at a phenomenal 400 gigabits per second, making it the most powerful DDoS assault to date. Similarly, there have been developments in the malware deployed in Point of Sale (PoS) attacks. Black PoS version 2.0 assumes the form of an anti-virus product which is then installed on an operating system to avoid suspicion. This malware is believed to have been the cause of the Target and Home Depot attacks in late 2013 and September 2014 respectively, in which an estimated 127 million credit card numbers were stolen. The sheer number of details stolen, and the ease with which this was possible, exemplifies why cyber crime is on the rise.
In the past criminals used physical skimmers to rub payment cards and steal data but this meant that they needed to be in close proximity (physically) to the machines. The malware has evolved quickly enabling criminals to distance themselves from the crime and target the operating systems of large companies anywhere in the world. This means one hack enables them to obtain enormous amounts of data. The concern now is the next stage of the malware’s evolution; it used to be confined to retailers and merchants but recent evidence suggested that the malware is expanding its scope and targeting travellers, for example targeting the e-service kiosks in airports and on trains.
There are of course other motivations behind cyber attacks, and nation state actors are a continual threat, particularly as they tend to target financial services and critical infrastructure. The latter is particularly vulnerable because of the age of the systems. In November 2014 Michael Rogers, director of the National Security Agency and Head of US Cyber Command, openly named China as a country capable of mounting cyber attacks that would shut down the electric grid and other critical systems in parts of the US. China’s cyber espionage against US businesses poses a significant threat to US competitiveness in key industries, and it would be a mistake to think that it is only the large multinationals that are at risk. A report from McAfee discovered that nearly 90% of small- and medium-sized businesses in the US do not use data protection for company and customer information, which is a very expensive mistake.
The growing financial costs associated with the fallout from a cyber attack are part of the impetus prompting organisations to review their risk management strategies and insurance options. PwC’s 2014 Global Economic Crime Survey found that 7% of US organizations lost US$1 million or more due to cybercrime incidents in 2013. Additionally, the recent high-profile data breaches have led to a growing prediction that there will be an increase in the number of costly lawsuits involved for companies. Avivah Litan, a fraud analyst with Gartner Inc, estimates that Target could be facing losses of up to US$420 million, including the reimbursement, the cost of reissuing millions of cards, legal fees and credit monitoring for millions of customers, and the recent attack on Anthem saw the loss of 80 million records, with the financial consequences yet to be quantified. This is why organisations are turning to insurers for guidance on how to reduce the risk of attacks and fortify cyber security defences.
Insurance has been around as a market for over 300 years insuring tangible risks such as a ship, an oil refinery or piece of artwork but the development of cyber has required insurers to consider the unknown and create products for intangible risks. There are two strands that assureds and potential assureds focus on: the privacy aspect (breaches of privacy and data) and the business interruption and first party risk aspect, which includes the loss of revenue caused by interruption to a supply chain and the subsequent reputational damage.
Historically the market has focused on the privacy risk aspect. This largely reflects the obligations placed on US firms to maintain the privacy of Personally Identifiable Information (PII) and Protected Health Information (PHI) following legislation such as the 1996 Health Insurance Portability & Accountability Act (HIPAA) and the privacy rules of the Gramm–Leach–Bliley Act (GLB) of 1999, as well as subsequent state legislation in the US. The development has been for insurers to look at the notification costs that those businesses would incur in offering additional services following a breach, whether it be credit monitoring, operating a call centre or reprinting bank cards, as well as the costs incurred by the business in keeping that data safe.
However, the other side of the risk is the business interruption angle and the loss of revenue caused by an attack. Cybercrime damages innovation and competitiveness, as hackers are frequently targeting intellectual property, which has a long-term impact on that business’s growth and stability. The threat is not just losing customers’ data but the criminal’s ability to prevent the use of computer systems and/or the ability to operate as a business in its usual way. According to The Ponemon Institute’s 2013 Cost of Cyber Study, the average time to resolve a cyber attack is 32 days and the average cost to the organisation is US$1,035,769 during that time period – this means businesses are threatened with potentially irreparable losses. However, this is where insurers have been able to create products that help combat the tangible and intangible threats. There are policies with the ability to indemnify an organisation for a loss of income incurred during any period of downtime, or the extra costs and expenses paid for either circumventing the problem or recovering from system failure.
In January 2014 the US Director of National Intelligence listed cybercrime as the top national security threat, higher than espionage, terrorism and weapons of mass destruction. In all echelons of US business, cyber attacks are being taken more seriously as the financial and reputational repercussions are played out in the media and people recognise how damaging cyber crime is to US trade, innovation, competitiveness and economic growth. Creating global partnerships to share technical knowledge and resources is the first stepping stone in strengthening cyber defences, as highlighted by the recent announcement of a joint cyber games war test between the US and the UK, and exploring the protection that insurance provides will help businesses create a culture of resilience, which is vital in combating this ever growing threat.