CYBER DECODER
FINANCIAL LINES GROUP NEWSLETTER ISSUE 10

DO CYBER INSURERS PAY? Stories of cyber insurers refusing to pay claims are rarely what they seem. Page 3

FITNESS DEVICE COMPANY HACKED Criminals fraudulently claimed on warranties for a replacement device. Page 4

THE PHYSICAL DAMAGE OF CYBER ATTACKS Cyber attacks can sabotage control of major industrial security systems. Page 7

ALSO IN THIS ISSUE
Agreeing terms 5
Buzzword of the month 5
Cyber threat intelligence 6
Top tweets 8

No port in a storm: Safe Harbour 2 Despite the new deal between the US and EU, data transfers between the two are now a lot more uncertain. The last minute deal to replace Safe Harbour has been welcomed by groups such as the International Chamber of Commerce. The Commission says the deal “will protect the fundamental rights of Europeans where their data is transferred to the United States and ensure legal certainty for businesses”. That might overstate it, however.

TIME TO BREATHE

The deal addresses uncertainty following the EU Court of Justice (ECJ) ruling last October overturning Safe Harbour. Used by an estimated 5,000 US businesses, Safe Harbour effectively enabled them to self-certify their compliance with the EU Data Protection Directive, so EU companies could legally transfer data to them. Then came Edward Snowden’s revelations, which fuelled the underlying case leading to invalidation of the agreement.

Following the October ruling, EU data protection watchdogs, such as the UK’s Information Commissioner’s Office (ICO), agreed to hold off on any enforcement action against companies relying on Safe Harbour. It was hoped this would give time for a new agreement between the EU and US to be reached.

2 FINANCIAL LINES GROUP | CYBER DECODER | Issue 10

A BIT OF A WORRY

Despite the new deal, EU businesses transferring data to the US (perhaps by using a cloud provider based there, for example) face a number of uncertainties.

One is that, at the time of writing, the details of the new deal have yet to be worked out. It is less a replacement for Safe Harbour than a “placeholder” for one. The grace period given by regulators to those continuing to use Safe Harbour, meanwhile, has now expired: in February, French data protection regulator CNIL took action against Facebook (the subject of the original ECJ case), which it accuses of still relying on Safe Harbour. The regulator has given the company three months to comply with French law.

For now, EU data protection bodies have agreed companies can use alternative arrangements, such as model contract clauses. As some point out, these are widely used for sending data elsewhere in the world. But, first, this can be complex and expensive; and, second, it may not prove a permanent solution. “When you look at the grounds the court used to invalidate Safe Harbour, you could apply more or less verbatim the same reasons to invalidate the alternative methods,” notes one lawyer.

Many also question whether the new agreement will ultimately stand up to legal scrutiny, including the campaigner who brought the original ECJ case against Facebook, Max Schrems.

WHAT DOES IT MEAN?

Ultimately, the issue is far from resolved, and will grow more pressing with the introduction of the General Data Protection Regulation (see the last issue of Cyber Decoder for the latest on that).

For now, companies need to ensure, first, that they know where their data is being sent, with particular care regarding outsourced and cloud-based service providers; and, second, ask what those in the US and elsewhere handling customer data are doing to ensure compliance with EU law. It is also important to review your cyber insurance coverage for the scope of cover for violations of privacy regulations. In many cases policies are drafted only to trigger if a data breach occurs, leading to a follow-on regulatory investigation, rather than an inadvertent violation of data handling obligations.

www.jltspecialty.com   | CYBER DECODER 3

Do cyber insurers pay?

Stories of cyber insurers refusing to pay claims are rarely what they seem. “A Texas manufacturing firm is suing its cyber insurance provider for refusing to cover a USD480,000 loss following an email [phishing] scam that impersonated the firm’s chief executive,” a story on the well-read US blog KrebsOnSecurity.com reported in February.

Krebs, who broke the story of the Target data breach in 2013, summarised the legal claim filed by Texas-based manufacturing firm AFGlobal Corp after its insurer refused to pay when the company was hoodwinked by a ‘fake president’ scam: a fraudster posing as the company’s CEO supposedly sent the director of accounting an email asking him to wire USD480,000 to the Agriculture Bank of China. The insurer denied the claim, arguing the fraud did not meet the policy’s definition of ‘computer fraud’.

NO CYBER POLICIES WERE USED IN THE MAKING OF THIS CASE

The interesting aspect of this case, however, is that it does not concern a cyber insurance policy. Instead, this claim was tendered to AFGlobal’s crime policy. In reality, there have only been a limited number of cyber claims that resulted in coverage litigation under a cyber policy. The two most significant cases focus on the interpretation of exclusionary language concerning the insured’s own negligence, and the scope of a sub-limited cover for payment card industry assessments.

In the former case, in which the court granted a motion to dismiss almost immediately, the parties are in the process of trying to resolve the claim under the ‘alternative dispute resolution’ clause in the policy. This case serves as a good example of a problematic type of conditional language in some cyber policies that seeks to exclude coverage for issues which should be addressed in an underwriting context. The latter case involves a clear difference of expectation versus reality in the cover that would be granted when the various fines and assessments related to payment card industry data were resolved. It is an issue that will continue to be debated in and out of the court system.

MIND THE GAP

There is a persistent belief driven by sensationalised headlines that cyber policies don’t pay claims, and it’s clear that many companies fear insurers won’t pay for legitimate cyber claims. Those fears, however, generally don’t mesh with reality. In fact, cyber insurance, which has been around and paying claims for more than fifteen years, does perform.

That is not to say that every cyber policy (or crime policy for that matter) will cover every instance of social engineering fraud: a cyber policy is not an all-risks insurance for anything that relates to a computer. As we write, innovation is happening in the marketplace between cyber and crime wordings, and it is important to verify where coverage might attach.
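Whatever the policy wording, the cheapest place to stop a ‘fake president’ wire request is before it reaches the accounts team. The check below is an added example written for this issue, not code from the newsletter, from Krebs or from AFGlobal: it scores an inbound message on the tell-tales of the scam described above (an executive’s display name on an outside or look-alike address, a Reply-To pointing elsewhere, and wire/urgency language). The internal domain, the executive list and both sample messages are constructed for the example.

```python
"""Added example: flag CEO-impersonation ('fake president') wire requests.
Not from the newsletter or from JLT; executive list, domain and the two
sample messages below are constructed."""
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumed internal domain and executives likely to be impersonated (hypothetical).
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Phrases typical of wire-fraud pretexts; they only raise the score.
URGENCY = re.compile(r"\b(wire|transfer|urgent|confidential|today)\b", re.I)


def _looks_like(a: str, b: str) -> bool:
    """True when two domains differ by exactly one edit (Levenshtein distance 1)."""
    if abs(len(a) - len(b)) > 1:
        return False
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return 0 < prev[-1] <= 1


def assess(raw_message: str) -> dict:
    """Return the sender, the list of findings and whether to hold the message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    findings = []

    known = EXECUTIVES.get(name.strip().lower())
    if known and addr != known:
        findings.append("display name matches an executive but address differs")
    if domain and domain != INTERNAL_DOMAIN:
        if _looks_like(domain, INTERNAL_DOMAIN):
            findings.append(f"look-alike sender domain {domain}")
        else:
            findings.append("external sender domain")
    reply_to = [a.lower() for _, a in getaddresses(msg.get_all("Reply-To", []))]
    if any(r != addr for r in reply_to):
        findings.append("Reply-To differs from From")
    body = msg.get_payload() if isinstance(msg.get_payload(), str) else ""
    if URGENCY.search(body):
        findings.append("wire/urgency language in body")

    # Two independent tell-tales are enough to hold for a call-back check.
    return {"from": addr, "findings": findings, "hold": len(findings) >= 2}


# Constructed samples: one scam message, one genuine one.
SAMPLE_FRAUD = """From: Jane Doe <jane.doe@examp1e.com>
To: accounts@example.com
Reply-To: jd.ceo@mail-example.net
Subject: Urgent payment

Please wire USD480,000 today to the supplier account below. Keep this confidential.
"""

SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Board pack

Attached are the slides for Thursday.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_FRAUD, SAMPLE_LEGIT):
        print(assess(sample))
```

Holding on two findings rather than one keeps a genuine executive writing from a personal address from being blocked outright, while the combination that the scam relies on (wrong address plus a wire request) is always caught; the hold should trigger an out-of-band call-back, not an automatic rejection.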


Fitness device company hacked

The fitness device company Fitbit recently had to cope with the hacking of a number of its users’ accounts to perpetrate warranty fraud. After user accounts were compromised, they were then used to call and claim replacements for defective products. Criminals were hijacking users’ accounts after cracking their passwords and then fraudulently claiming on warranties for a replacement device. The fact that the device requires an online account to enable full functionality, like most connected devices, means that many other companies could face similar risks.

More widely, the story illustrates the diverse range of risks that will develop as the Internet of Things continues to grow. Although in this case the devices weren’t actually hacked, the accounts included personal data uploaded by the devices, such as Global Positioning System data showing users’ paths for runs or cycle rides.

For the insurance industry and its customers, the growth of connected devices will bring a number of challenges, not least the prospects of gaps in cover and crossovers between general and product liability cover, product recall cover, and cyber insurance, as we’ve noted before. For companies who manufacture or distribute connected devices there is overlap with traditional and newer cyber insurance policies. For example, if a product recall is initiated due to a data privacy risk (rather than a risk of bodily injury), will recall insurance policies respond? Insurers will continue to grapple with the right way to underwrite the risks posed by the Internet of Things, as well as where coverage should sit.
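Account takeover of the kind described above leaves a distinctive trace in the authentication log: one source trying many different accounts in a short time, with a few successes among the failures. The detector below is an added example, not Fitbit’s code or anything from the newsletter; the log lines, the window and the account threshold are constructed assumptions. It returns, per offending source address, the accounts that actually logged in, which are the ones whose warranty or support requests should be held.

```python
"""Added example: spot credential-stuffing style account hijacking from an
authentication log. Not from the newsletter or from Fitbit; the log lines,
the time window and the threshold are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines: timestamp, source IP, account, outcome.
AUTH_LOG = """\
2016-01-20T03:00:01Z 203.0.113.7 alice@example.com FAIL
2016-01-20T03:00:02Z 203.0.113.7 bob@example.com FAIL
2016-01-20T03:00:02Z 203.0.113.7 carol@example.com OK
2016-01-20T03:00:03Z 203.0.113.7 dave@example.com FAIL
2016-01-20T03:00:03Z 203.0.113.7 erin@example.com OK
2016-01-20T03:00:04Z 203.0.113.7 frank@example.com FAIL
2016-01-20T03:00:05Z 203.0.113.7 grace@example.com FAIL
2016-01-20T09:15:00Z 198.51.100.4 alice@example.com FAIL
2016-01-20T09:15:20Z 198.51.100.4 alice@example.com OK
"""


def parse(line: str):
    """Split one log line into (timestamp, ip, account, succeeded)."""
    ts, ip, account, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, outcome == "OK"


def credential_stuffing(log_text: str, window=timedelta(minutes=5), min_accounts=5) -> dict:
    """Return {source_ip: sorted accounts that logged in successfully} for every
    source that attempted at least `min_accounts` distinct accounts within
    `window`. A user mistyping their own password never trips this: it is the
    breadth of accounts, not the number of failures, that marks stuffing."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        ts, ip, account, ok = parse(line)
        by_ip[ip].append((ts, account, ok))

    suspects = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({a for _, a, _ in events[start:end + 1]}) >= min_accounts:
                # Report every account this source managed to log in to.
                suspects[ip] = sorted({a for _, a, ok in events if ok})
                break
    return suspects


if __name__ == "__main__":
    for ip, accounts in credential_stuffing(AUTH_LOG).items():
        print(f"{ip}: lock and reset {', '.join(accounts)}")
```

The second source in the sample, which fails once and then succeeds on a single account, is the normal forgotten-password pattern and is correctly ignored; widening the window catches slower campaigns at the cost of more review work.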


Agreeing terms

The industry is working hard to develop understanding of cyber risks. In January, Lloyd’s of London announced an agreement with risk modelling specialists AIR Worldwide and Risk Management Solutions (RMS) for a common approach to collecting cyber exposure data. The agreement means that the key data and definitions used by the companies in their new data schemes launched last month to help insurers model exposures will be consistent.

The agreement will give insurers and modellers access to increased and better data on exposures and risks for modelling and underwriting. Eventually, for larger businesses, it will even mean tools to model and assess their cyber risks more accurately in-house. (JLT itself is working on a tool to allow companies to benchmark their risk against others.)

In the meantime, however, it’s another example of the improvements in cyber risks data that we highlighted last month and, as ever, the result is the same: an insurance industry that is better able to understand the risks, and better placed to insure more of them.

BUZZWORD OF THE MONTH: THREAT INTELLIGENCE

What is it?

In one sense, it is what this newsletter, the Cyber Decoder, provides. Cyber threat intelligence is information, analysis and advice concerning the risks and trends that organisations face in the cyber realm. It is data-driven, extracting useful information, observation and analysis from the data on cyber attacks (like our monthly threat intelligence extract from CSC). As Gartner puts it: “Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.”

Threat intelligence can come from a wide variety of sources: from information in the public domain and online communities, associations or groups, to a company’s own in-house IT functions and paid-for services from commercial providers. From USD250 million in 2013, Gartner has forecast the threat intelligence services market will be worth USD1.5 billion in 2018. Others go even further.

Why should you care?

Because without it, you’re flying blind. At its best threat intelligence tells you where the key threats are, who is being targeted and how that is changing. As researchers Forrester note, threats are not randomly or evenly distributed: just five large data breaches accounted for more than 90% of customer records exposed in the year to November 2015. “Attackers are carefully picking their victim organisation, learning its business, understanding its partner relationships, and testing for weaknesses and vulnerabilities. This is why there is strong demand for Cyber Threat Intelligence (CTI). Security and Risk professionals (S&R Pros) want as much warning as possible of threat actors targeting their region, industry, or, specifically, their firm,” its report reads.

With that knowledge they can adjust their security accordingly. It can help tell them which alarms coming from the IT systems to focus on, and what defence strategy will best mitigate the risk. If threat intelligence shows a trend towards attacks aimed at destroying or corrupting data rather than stealing it, for example, the negative impacts of the risk might be better mitigated by more frequent backups or segregation of data rather than stronger intrusion detection and prevention.

Fundamentally, the rising popularity of threat intelligence is based on a simple, obvious truth: risk professionals can better protect the company if they understand what the threat they face looks like.
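The “which alarms to focus on” point above is, in practice, a join between a feed of indicators and the alerts the monitoring systems already produce. The script below is an added example written for this issue, not code from the newsletter, Gartner, Forrester or CSC: it loads a small indicator feed (addresses, a domain and a file hash, each with the provider’s confidence and campaign tag), matches it against exported alerts, ranks the alerts so intelligence hits come first, and counts hits per campaign so a trend such as the wiper-versus-theft shift mentioned above is visible. The feed, the alert lines, the field names and the scoring are all constructed assumptions.

```python
"""Added example: apply a threat-intelligence feed to raw alerts so the team
knows which alarms to look at first. Not from the newsletter, Gartner,
Forrester or CSC; the feed, alerts, field names and scoring are constructed."""
import ipaddress
import json

# Constructed indicator feed: type, value, provider confidence (0-100), campaign tag.
FEED = [
    {"type": "ipv4-addr", "value": "203.0.113.0/24", "confidence": 80, "tag": "wiper-campaign"},
    {"type": "domain", "value": "update.examp1e-cdn.net", "confidence": 95, "tag": "wiper-campaign"},
    {"type": "sha256", "value": "ab" * 32, "confidence": 60, "tag": "commodity-trojan"},
]

# Constructed alerts as a SIEM might export them (one JSON object per line).
ALERTS = """\
{"id": 1, "src_ip": "203.0.113.45", "dst_host": "hr-fileserver", "rule": "smb-write-burst", "severity": 3}
{"id": 2, "src_ip": "198.51.100.9", "dst_host": "mail-gw", "rule": "ssh-bruteforce", "severity": 2}
{"id": 3, "dns_query": "update.examp1e-cdn.net", "src_ip": "10.0.0.14", "rule": "new-domain", "severity": 1}
{"id": 4, "file_sha256": "%s", "src_ip": "10.0.0.21", "rule": "av-detect", "severity": 2}
""" % ("ab" * 32)


def _compile(feed):
    """Split the feed into network ranges (checked by containment) and exact values."""
    nets, exact = [], {}
    for ioc in feed:
        if ioc["type"] == "ipv4-addr":
            nets.append((ipaddress.ip_network(ioc["value"]), ioc))
        else:
            exact[ioc["value"].lower()] = ioc
    return nets, exact


def match(alert, nets, exact):
    """Return the first indicator that matches an alert, or None."""
    for field in ("src_ip", "dst_ip"):
        if field in alert:
            ip = ipaddress.ip_address(alert[field])
            for net, ioc in nets:
                if ip in net:
                    return ioc
    for field in ("dns_query", "file_sha256"):
        if field in alert and alert[field].lower() in exact:
            return exact[alert[field].lower()]
    return None


def prioritise(alerts_jsonl, feed=FEED):
    """Rank alerts: raw severity times ten, plus the confidence of any intel hit."""
    nets, exact = _compile(feed)
    ranked = []
    for line in alerts_jsonl.splitlines():
        alert = json.loads(line)
        score = alert["severity"] * 10
        ioc = match(alert, nets, exact)
        if ioc:
            score += ioc["confidence"]
            alert["intel"] = ioc["tag"]
        alert["score"] = score
        ranked.append(alert)
    ranked.sort(key=lambda a: a["score"], reverse=True)
    return ranked


def campaign_trend(ranked):
    """Count intel hits per campaign tag: the trend the text says should steer defences."""
    counts = {}
    for alert in ranked:
        if "intel" in alert:
            counts[alert["intel"]] = counts.get(alert["intel"], 0) + 1
    return counts


if __name__ == "__main__":
    ranked = prioritise(ALERTS)
    for a in ranked:
        print(a["score"], a["id"], a["rule"], a.get("intel", "-"))
    print(campaign_trend(ranked))
```

Note the effect on the sample: a severity-1 “new domain” alert outranks a severity-2 brute-force alert because the domain is a high-confidence indicator, which is exactly the re-ordering the passage describes, and the per-campaign count shows two wiper hits to one commodity-trojan hit.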


Cyber threat intelligence

BROUGHT TO YOU IN PARTNERSHIP WITH CSC

Does it matter where cyber attacks originate?

After catching up with China at the end of last year, the US remains a consistent contender for the most common host for attacks. In one week in mid January, it was responsible for more than double the number of attacks as China: 37% of all attacks globally against 17%. Since then, the figures have normalised, with the US either a little behind (as in the last week of January) or a little ahead of China (as in early February). The two together account for about 40% of all attacks.

In some ways, geographical attribution has lost much of its meaning in recent years. Importantly, the US is such a popular host for attackers partly because they can rent the required resources from web hosting companies based there more cheaply and easily than setting up infrastructure domestically. However, geographical attribution remains crucial for government intelligence agencies. Moreover, even for commercial entities a geographic view can be useful: it may inform where businesses choose to locate critical information assets, for example; it may also affect travel policies, with many US-based organisations now requiring employees travelling to China to bring only loaner computers or cell phones with no company data on them.

Given that China and the US are not just major sources of attacks but also economic powerhouses, most must settle for being aware of where attacks come from and mitigating the risks as far as possible, but also learning to live with them.

The only note of caution is in taking this too far. Some organisations completely block traffic from risky regions they do not conduct business in. Yet this is a drastic step, and potentially risky in the absence of a full assessment of the business impact.

TOP SECURITY INCIDENTS TO FEBRUARY 5

• Feb 4: Hackers gained access to nearly 21 million accounts of Taobao.com (“China’s eBay”, owned by online giant Alibaba). The parent company’s officials insist the credentials were obtained through other sites with no connection to either Alibaba or Taobao, and that their systems have not been breached.

• Feb 4: The University of Central Florida announced that its systems had been hacked and 63,000 social security numbers for faculty, staff and students were compromised. IT staff first detected the intrusion in January, and the Jacksonville office of the FBI is investigating.

• Jan 29: A distributed denial of service attack caused a temporary shutdown of HSBC UK’s personal banking websites. According to tweets from the bank, it successfully defended its systems, however, and IT staff restored services within three hours. The group New World Hacktivists claimed responsibility.

• Jan 26: Israel’s energy minister reported it was battling a “severe” attack from a virus requiring it to “paralyse” many of the Electricity Authority’s computers. It followed soon after the attack on Ukraine’s power supply, but was in fact ransomware introduced by a spear phishing attack into the systems of the Electricity Authority, which does not control the public electricity supply.


The physical damage of cyber attacks

Cyber attacks can sabotage control of major industrial security systems, causing substantial physical damage and business interruption. Is your company prepared?

Much of the focus on cyber risks from businesses and their insurers has been on data protection, particularly protecting consumer details. This focus is likely to increase in Europe as the forthcoming European Union (EU) General Data Protection Regulation nears implementation.

But other cyber risks are being ignored by many firms. Privacy breaches and consumer data losses are just one small element of cyber-risk. The prospect of cyber-attacks causing physical damage is significant, yet it has been largely ignored.

UNREPORTED LOSSES

This relative neglect is partly due to the small number of reported losses. Yet there are good reasons to take the threat seriously. First, the potential impact is huge. Lloyd’s Business Blackout report estimated the economic impact from the scenarios it examined would be from USD243 billion to USD1 trillion, with insured losses estimated between USD21.4 billion and USD71.1 billion. (The report describes all such theoretical scenarios as realistic, although some parties have queried this.)

Second, unlike data breaches, there is no regulation to compel businesses to publicise incidents, which means that many cases are likely to be unreported. It is not the kind of incident that companies like to publicise.

WHO’S EXPOSED?

Much of the attention on the physical damage caused by cyber-attacks has focused on the power and energy sectors. But the vulnerabilities stretch across utilities, telecommunications, oil and gas, petrochemicals, mining and manufacturing: any industry where Industrial Control Systems (ICSs, the computer systems used to monitor and control physical processes) are found.

GROWING LIABILITIES

In the US, 245 cyber-incidents were reported on ICSs in the 12 months up to 30 September 2014, according to figures from the Department of Homeland Security. 65 of the attacks targeted manufacturers. “That’s a large number, especially since there is no legal requirement for incidents to be reported,” says David White, Chief Knowledge Officer at Axio Global, a cyber-risk specialist serving critical infrastructure owners and operators.

Many attacks will not have resulted in physical damage, admits White, but that provides little reassurance. “Surveillance-style attacks, using malicious software, are designed to gather information about the ICS. The only reason to gather that information is to give someone a strategic advantage at some point in the future.”

WHY YOU’RE EXPOSED

Both the threat and the range of businesses with vulnerabilities are likely to grow. One reason is the availability of viruses and other malware that specifically target ICSs. Once developed and released onto the dark web, Stuxnet, as well as more recent discoveries such as Havex and BlackEnergy, are all now available to be accessed, modified and used by future potential attackers.

Furthermore, there is the continuing drive towards connectivity, with ICSs increasingly put online to allow remote monitoring and control to drive operational efficiencies. Much of the software that underlies the ICS infrastructure was never designed to be connected to anything, so it was not built with security in mind.

The growth of the ‘internet of things’ will also increase companies’ potential cyber-vulnerabilities, with the number of connected devices expected to triple by 2020, according to consultants Juniper Research. Understanding the online connections within an organisation is therefore essential to improving security. An inventory of your devices and systems, and what they communicate with, is the first step to determining your vulnerabilities.
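The inventory the last paragraph calls for can be built from network flow records rather than from a spreadsheet, and the same records show where the plant network has been quietly connected to something else. The script below is an added example written for this issue, not code from the newsletter, Axio or the Department of Homeland Security. It recognises control-protocol traffic by its well-known TCP ports (Modbus/TCP 502, S7comm 102, DNP3 20000, EtherNet/IP 44818), records which devices speak which protocol to whom, and then flags two of the exposures the article describes: a host outside the plant range driving a controller, and a controller that also talks to the internet. The address ranges and flow records are constructed assumptions.

```python
"""Added example: build an inventory of ICS devices and their peers from flow
records, then flag control traffic that crosses the plant boundary. Not from
the newsletter, Axio or DHS; address ranges and flow records are constructed."""
import ipaddress
from collections import defaultdict

# Well-known TCP ports of common industrial control protocols.
ICS_PORTS = {502: "Modbus/TCP", 102: "S7comm", 20000: "DNP3", 44818: "EtherNet/IP"}

# Assumed address plan (hypothetical): the plant (OT) range sits inside the
# wider enterprise space; anything outside the enterprise space is external.
OT_NET = ipaddress.ip_network("10.10.0.0/16")
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed NetFlow-style records: src, dst, dst_port, bytes.
FLOWS = """\
10.10.1.5,10.10.2.20,502,8120
10.10.1.5,10.10.2.21,502,7990
10.10.1.9,10.10.2.20,102,4400
10.0.5.33,10.10.2.20,502,300
10.10.2.21,203.0.113.10,443,120000
10.10.1.5,10.10.1.250,22,5000
"""


def inventory(flow_text):
    """Return {ip: {"protocols": set, "peers": set}} for every address seen
    as client or server of an ICS protocol."""
    devices = defaultdict(lambda: {"protocols": set(), "peers": set()})
    for line in flow_text.splitlines():
        src, dst, port, _ = line.split(",")
        proto = ICS_PORTS.get(int(port))
        if proto is None:
            continue
        for a, b in ((src, dst), (dst, src)):
            devices[a]["protocols"].add(proto)
            devices[a]["peers"].add(b)
    return dict(devices)


def findings(flow_text, ot_net=OT_NET, internal=INTERNAL_NETS):
    """Flag ICS traffic originating outside the OT range, and ICS devices that
    also reach external hosts (a bridge an attacker could use in either direction)."""
    out = []
    ics_hosts = set(inventory(flow_text))
    for line in flow_text.splitlines():
        src, dst, port, _ = line.split(",")
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        proto = ICS_PORTS.get(int(port))
        if proto and s not in ot_net:
            out.append(f"{src} speaks {proto} to {dst} from outside the OT range")
        if src in ics_hosts and not any(d in n for n in internal):
            out.append(f"ICS device {src} connects to external host {dst}:{port}")
    return out


if __name__ == "__main__":
    for ip, info in sorted(inventory(FLOWS).items()):
        print(ip, sorted(info["protocols"]), "->", sorted(info["peers"]))
    for f in findings(FLOWS):
        print("FINDING:", f)
```

On the sample flows the inventory lists five ICS-speaking hosts, and the findings are the office-range host 10.0.5.33 writing Modbus to a controller and the controller 10.10.2.21 opening an HTTPS session to an outside address. Port-based recognition is a starting point only: a proper inventory also parses the protocol (for example Modbus function codes) so that reads can be told apart from writes.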

JLT Specialty Limited provides insurance broking, risk management and claims consulting services to large and international companies. Our success comes from focusing on sectors where we know we can make the greatest difference – using insight, intelligence and imagination to provide expert advice and robust – often unique – solutions. We build partner teams to work side-by-side with you, our network and the market to deliver responses which are carefully considered from all angles.

TOP TWEETS

• Don’t sleep on new data privacy regulations
• When the data breach clock starts ticking
• HSBC online banking is ‘attacked’
• Even ‘one-man band’ SMEs will be hit
• Are firewalls still relevant to security?
• Forget power stations, worry about toasters, cyber experts say

Our Cyber, Technology, and Media Errors & Omissions team delivers bespoke risk management and insurance solutions to meet the needs of clients from a variety of industries. The team combines experience and talent with a track record of delivering successful results and tangible value for our clients.

CONTACTS

Sarah Stephens, Head of Cyber, Technology and Media E&O, JLT Specialty, +44 (0) 20 7558 3548, [email protected]
Lauren Cisco, Partner, JLT Specialty, +44 (0) 20 7558 3519, [email protected]
Jack Lyons, Partner, JLT Specialty, +44 (0) 20 7528 4114, [email protected]

This newsletter is published for the benefit of clients and prospective clients of JLT Specialty Limited. It is intended only to highlight general issues relating to the subject matter which may be of interest and does not necessarily deal with every important topic nor cover every aspect of the topics with which it deals. If you intend to take any action or make any decision on the basis of the content of this newsletter, you should first seek specific professional advice. JLT Specialty Limited, The St Botolph Building, 138 Houndsditch, London EC3A 7AW, www.jltspecialty.com. Lloyd’s Broker. Authorised and regulated by the Financial Conduct Authority. A member of the Jardine Lloyd Thompson Group. Registered Office: The St Botolph Building, 138 Houndsditch, London EC3A 7AW. Registered in England No. 01536540. VAT No. 244 2321 96. © February 2016 271573