CYBER DECODER FINANCIAL LINES GROUP NEWSLETTER ISSUE 10
DO CYBER INSURERS PAY? Stories of cyber insurers refusing to pay claims are rarely what they seem. Page 3
FITNESS DEVICE COMPANY HACKED Criminals fraudulently claimed on warranties for a replacement device. Page 4
THE PHYSICAL DAMAGE OF CYBER ATTACKS Cyber attacks can sabotage control of major industrial security systems. Page 7
ALSO IN THIS ISSUE
Agreeing terms 5
Buzzword of the month 5
Cyber threat intelligence 6
Top tweets 8
No port in a storm: Safe Harbour 2
Despite the new deal between the US and EU, data transfers between the two are now a lot more uncertain.
The last minute deal to replace Safe Harbour has been welcomed by groups such as the International Chamber of Commerce. The Commission says the deal “will protect the fundamental rights of Europeans where their data is transferred to the United States and ensure legal certainty for businesses”. That might overstate it, however.
TIME TO BREATHE
The deal addresses uncertainty following the EU Court of Justice (ECJ) ruling last October overturning Safe Harbour. Used by an estimated 5,000 US businesses, Safe Harbour effectively enabled them to self-certify their compliance with the EU Data Protection Directive, so EU companies could legally transfer data to them. Then came Edward Snowden’s revelations, which fuelled the underlying case leading to invalidation of the agreement.
Following the October ruling, EU data protection watchdogs, such as the UK’s Information Commissioner’s Office (ICO), agreed to hold off on any enforcement action against companies relying on Safe Harbour. It was hoped this would give time for a new agreement between the EU and US to be reached.
2 FINANCIAL LINES GROUP | CYBER DECODER | Issue 10
A BIT OF A WORRY
Despite the new deal, EU businesses transferring data to the US (perhaps by using a cloud provider based there, for example) face a number of uncertainties.
One is that, at the time of writing, the details of the new deal have yet to be worked out. It is less a replacement for Safe Harbour than a “placeholder” for one. The grace period given by regulators to those continuing to use Safe Harbour, meanwhile, has now expired: in February, French data protection regulator CNIL took action against Facebook (the subject of the original ECJ case), which it accuses of still relying on Safe Harbour. The regulator has given the company three months to comply with French law.
For now, EU data protection bodies have agreed companies can use alternative arrangements, such as model contract clauses. As some point out, these are widely used for sending data elsewhere in the world. But, first, this can be complex and expensive; and, second, it may not prove a permanent solution. “When you look at the grounds the court used to invalidate Safe Harbour, you could apply more or less verbatim the same reasons to invalidate the alternative methods,” notes one lawyer.
Many also question whether the new agreement will ultimately stand up to legal scrutiny, including the campaigner who brought the original ECJ case against Facebook, Max Schrems.
WHAT DOES IT MEAN?
Ultimately, the issue is far from resolved, and will grow more pressing with the introduction of the General Data Protection Regulation (see the last issue of Cyber Decoder for the latest on that).
For now, companies need to ensure, first, that they know where their data is being sent, with particular care regarding outsourced and cloud-based service providers; and, second, ask what those in the US and elsewhere handling customer data are doing to ensure compliance with EU law. It’s also important to review your cyber insurance coverage for the scope of cover for violations of privacy regulations. In many cases policies are drafted only to trigger if a data breach occurs, leading to a follow-on regulatory investigation, rather than an inadvertent violation of data handling obligations.
www.jltspecialty.com | CYBER DECODER 3
Do cyber insurers pay?
Stories of cyber insurers refusing to pay claims are rarely what they seem.
“A Texas manufacturing firm is suing its cyber insurance provider for refusing to cover a USD480,000 loss following an email [phishing] scam that impersonated the firm’s chief executive,” a story on the well-read US blog KrebsOnSecurity.com reported in February.
Krebs, who broke the story of the Target data breach in 2013, summarised the legal claim filed by Texas-based manufacturing firm AFGlobal Corp after its insurer refused to pay when the company was hoodwinked by a ‘fake president’ scam: a fraudster posing as the company’s CEO supposedly sent the director of accounting an email asking him to wire USD480,000 to the Agriculture Bank of China. The insurer denied the claim, arguing the fraud did not meet the policy’s definition of ‘computer fraud.’
NO CYBER POLICIES WERE USED IN THE MAKING OF THIS CASE
The interesting aspect about this case, however, is that it does not concern a cyber insurance policy. Instead, this claim was tendered to AFGlobal’s crime policy. In reality, there have only been a limited number of cyber claims that resulted in coverage litigation under a cyber policy. The two most significant cases focus on the interpretation of exclusionary language concerning the insured’s own negligence, and the scope of a sub-limited cover for payment card industry assessments.
In the former case, in which the court granted a motion to dismiss almost immediately, the parties are in the process of trying to resolve the claim under the ‘alternative dispute resolution’ clause in the policy. This case serves as a good example of a problematic type of conditional language in some cyber policies that seeks to exclude coverage for issues which should be addressed in an underwriting context. The latter case involves a clear difference of expectation versus reality in the cover that would be granted when the various fines and assessments related to payment card industry data were resolved. It is an issue that will continue to be debated in and out of the court system.
That is not to say that every cyber policy (or crime policy for that matter) will cover every instance of social engineering fraud: a cyber policy is not an all risks insurance for anything that relates to a computer. As we write, innovation is happening in the marketplace between cyber and crime wordings, and it is important to verify where coverage might attach.
MIND THE GAP
There is a persistent belief driven by sensationalised headlines that cyber policies don’t pay claims, and it’s clear that many companies fear insurers won’t pay for legitimate cyber claims. Those fears, however, generally don’t mesh with reality. In fact, cyber insurance, which has been around and paying claims for more than fifteen years, does perform.
Fitness device company hacked
The fitness device company Fitbit had to cope with hacking of a number of its users’ accounts to perpetrate warranty fraud recently. After user accounts were compromised, they were then used to call and claim replacements for defective products.
Criminals were hijacking users’ accounts after cracking their passwords and then fraudulently claiming on warranties for a replacement device. The fact that the device requires an online account to enable full functionality, like most connected devices, means that many other companies could face similar risks.
More widely, the story illustrates the diverse range of risks that will develop as the Internet of Things continues to grow. Although in this case the devices weren’t actually hacked, the accounts included personal data uploaded by the devices, such as Global Positioning System data showing users’ paths for runs or cycle rides.
For the insurance industry and its customers, the growth of connected devices will bring a number of challenges – not least the prospects of gaps in cover and crossovers between general and product liability cover, product recall cover, and cyber insurance, as we’ve noted before.
For companies who manufacture or distribute connected devices there is overlap with traditional and newer cyber insurance policies. For example, if a product recall is initiated due to a data privacy risk (rather than a risk of bodily injury), will recall insurance policies respond? Insurers will continue to grapple with the right way to underwrite the risks posed by the Internet of Things, as well as where coverage should sit.
Agreeing terms
The industry is working hard to develop understanding of cyber risks.
In January, Lloyd’s of London announced an agreement with risk modelling specialists AIR Worldwide and Risk Management Solutions (RMS) for a common approach to collecting cyber exposure data. The agreement means that the key data and definitions used by the companies in their new data schemes launched last month to help insurers model exposures will be consistent.
The agreement will give insurers and modellers access to increased and better data on exposures and risks for modelling and underwriting. Eventually, for larger businesses, it will even mean tools to model and assess their cyber risks more accurately in-house. (JLT itself is working on a tool to allow companies to benchmark their risk against others.)
In the meantime, however, it’s another example of the improvements in cyber risks data that we highlighted last month and, as ever, the result is the same: an insurance industry that is better able to understand the risks, and better placed to insure more of them.
BUZZWORD OF THE MONTH THREAT INTELLIGENCE
What is it?
In one sense, this is what the Cyber Decoder is. Cyber threat intelligence is information, analysis and advice concerning the risks and trends that organisations face in the cyber realm. It is data-driven, extracting useful information, observation and analysis from the data on cyber attacks (like our monthly threat intelligence extract from CSC). As Gartner puts it: “Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.”
Threat intelligence can come from a wide variety of sources: from information in the public domain and online communities, associations or groups, to companies’ own in-house IT functions and paid-for services from commercial providers. From USD250 million in 2013, Gartner has forecast the Threat Intelligence services market will be worth USD1.5 billion in 2018. Others go even further.
Why should you care?
Because without it, you’re flying blind. At its best threat intelligence tells you where the key threats are, who is being targeted and how that is changing.
As researchers Forrester note, threats are not randomly or evenly distributed: just five large data breaches accounted for more than 90% of customer records exposed in the year to November 2015. “Attackers are carefully picking their victim organisation, learning its business, understanding its partner relationships, and testing for weaknesses and vulnerabilities. This is why there is strong demand for Cyber Threat Intelligence (CTI). Security and Risk professionals (S&R Pros) want as much warning as possible of threat actors targeting their region, industry, or, specifically, their firm,” its report reads.
With that knowledge they can adjust their security accordingly. It can help tell them which alarms coming from the IT systems to focus on, and what defence strategy will best mitigate the risk. If threat intelligence shows a trend towards attacks aimed at destroying or corrupting data rather than stealing it, for example, the negative impacts of the risk might be better mitigated by more frequent backups or segregation of data rather than stronger intrusion detection and prevention.
Fundamentally, the rising popularity of threat intelligence is based on a simple, obvious truth: risk professionals can better protect the company if they understand what the threat they face looks like.
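The two uses of intelligence described above (deciding which alarms to look at first, and which defence strategy the intelligence points to) as a worked example. This is an added illustration, not code from the newsletter or from CSC’s feed: the feed, the actor names GROUP-A to GROUP-C, the alerts, the scoring weights and the defending organisation’s sector are all constructed, and the addresses come from the RFC 5737 documentation ranges so none of them is a real indicator.

```python
"""Added example: ranking IDS/SIEM alarms with a threat intelligence feed.

The feed and the alerts below are constructed sample data (assumptions for
the example), not real indicators or real detections.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

OUR_SECTOR = "manufacturing"   # assumption: the defending organisation's sector


@dataclass(frozen=True)
class Indicator:
    """One entry of a (constructed) threat intelligence feed."""
    value: str                  # IP, domain or hash, normalised to lower case
    actor: str                  # attributed actor (hypothetical names)
    sectors: Tuple[str, ...]    # sectors this actor is known to target
    objective: str              # "theft" or "destruction"
    confidence: int             # 0-100, the provider's confidence


@dataclass(frozen=True)
class Alert:
    """One alarm from a sensor (constructed)."""
    alert_id: str
    indicator: str              # the observable that fired
    base_severity: int          # 1 (low) to 5 (critical), as rated by the sensor


# Constructed feed, keyed by indicator value.
FEED: Dict[str, Indicator] = {
    i.value: i for i in (
        Indicator("198.51.100.23", "GROUP-A", ("manufacturing", "energy"), "destruction", 90),
        Indicator("203.0.113.7", "GROUP-B", ("retail", "finance"), "theft", 80),
        Indicator("update-check.example", "GROUP-A", ("manufacturing",), "destruction", 60),
        Indicator("cdn-assets.example", "GROUP-C", ("media",), "theft", 30),
    )
}

# Constructed alerts. A-2 has a modest sensor severity, but the intelligence
# says its indicator belongs to an actor that targets manufacturers.
ALERTS: List[Alert] = [
    Alert("A-1", "203.0.113.7", 4),
    Alert("A-2", "198.51.100.23", 2),
    Alert("A-3", "192.0.2.44", 5),            # no intelligence on this address
    Alert("A-4", "update-check.example", 1),
    Alert("A-5", "cdn-assets.example", 3),
]


def score(alert: Alert, feed: Dict[str, Indicator], our_sector: str) -> float:
    """Sensor severity, scaled up by feed confidence; scaled up much more when
    the actor behind the indicator is known to target our sector. Indicators
    the feed knows nothing about keep the sensor's own rating."""
    ind = feed.get(alert.indicator.lower())
    if ind is None:
        return float(alert.base_severity)
    relevance = 3.0 if our_sector in ind.sectors else 0.5   # assumed weights
    return alert.base_severity * (1 + relevance * ind.confidence / 100)


def prioritise(alerts: List[Alert], feed: Dict[str, Indicator],
               our_sector: str = OUR_SECTOR) -> List[Tuple[str, float]]:
    """Return (alert_id, score) pairs, highest priority first."""
    ranked = sorted(alerts, key=lambda a: score(a, feed, our_sector), reverse=True)
    return [(a.alert_id, round(score(a, feed, our_sector), 2)) for a in ranked]


def recommended_controls(alerts: List[Alert], feed: Dict[str, Indicator],
                         our_sector: str = OUR_SECTOR) -> str:
    """Weigh what the matched, sector-relevant intelligence says attackers are
    after, and map that to the mitigation the newsletter contrasts: backups and
    segregation against destruction, detection and prevention against theft."""
    weight = {"theft": 0.0, "destruction": 0.0}
    for a in alerts:
        ind = feed.get(a.indicator.lower())
        if ind and our_sector in ind.sectors:
            weight[ind.objective] += ind.confidence
    if weight["destruction"] > weight["theft"]:
        return "backups and data segregation"
    return "intrusion detection and prevention"


if __name__ == "__main__":
    for alert_id, s in prioritise(ALERTS, FEED):
        print(f"{alert_id}: {s}")
    print("focus defence on:", recommended_controls(ALERTS, FEED))
```

Run as written, the ranking puts A-2 first despite its sensor severity of 2, because the only actor that targets manufacturers in the feed is behind it; A-3, the critical alarm with no intelligence at all, drops to third. Changing OUR_SECTOR to "retail" flips the recommendation to detection and prevention, since the only retail-targeting actor in the feed is after data theft.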
Cyber threat intelligence BROUGHT TO YOU IN PARTNERSHIP WITH CSC
Does it matter where cyber attacks originate?
After catching up with China at the end of last year, the US remains a consistent contender for the most common host for attacks. In one week in mid January, it was responsible for more than double the number of attacks as China – 37% of all attacks globally against 17%. Since then, the figures have normalised, with the US either a little behind (as in the last week of January) or a little ahead of China (as in early February). The two together account for about 40% of all attacks.
In some ways, geographical attribution has lost much of its meaning in recent years. Importantly, the US is such a popular host for attackers partly because they can rent the required resources from web hosting companies based there more cheaply and easily than setting up infrastructure domestically.
However, geographical attribution remains crucial for government intelligence agencies. Moreover, even for commercial entities a geographic view can be useful: it may inform where businesses choose to locate critical information assets, for example; it may also affect travel policies, with many US-based organisations now requiring employees traveling to China to bring only loaner computers or cell phones with no company data on them.
The only note of caution is in taking this too far. Some organisations completely block traffic from risky regions they do not conduct business in. Yet this is a drastic step, and potentially risky in the absence of a full assessment of the business impact.
Given that China and the US are not just major sources of attacks, but also economic powerhouses, most must settle for being aware of where attacks come from and mitigating the risks as far as possible, but also learning to live with them.
TOP SECURITY INCIDENTS TO FEBRUARY 5
• Feb 4: Hackers gained access to nearly 21 million accounts of Taobao.com – “China’s eBay”, owned by online giant Alibaba. The parent company’s officials insist the credentials were obtained through other sites with no connection to either Alibaba or Taobao, and that their systems have not been breached.
• Feb 4: The University of Central Florida announced that its systems had been hacked and 63,000 social security numbers for faculty, staff, and students were compromised. IT staff first detected the intrusion in January, and the Jacksonville office of the FBI is investigating.
• Jan 29: A distributed denial of service attack caused a temporary shutdown of HSBC UK’s personal banking websites. According to tweets from the bank, it successfully defended its systems, however, and IT staff restored services within three hours. The group New World Hacktivists claimed responsibility.
• Jan 26: Israel’s energy minister reported it was battling a “severe” attack from a virus requiring it to “paralyse” many of the Electricity Authority’s computers. It followed soon after the attack on Ukraine’s power supply, but was in fact ransomware introduced from a spear phishing attack into the systems of the Electricity Authority, which does not control the public electricity supply.
The physical damage of cyber attacks
Cyber attacks can sabotage control of major industrial security systems, causing substantial physical damage and business interruption. Is your company prepared?
Much of the focus on cyber risks from businesses and their insurers has been on data protection, particularly protecting consumer details. This focus is likely to increase in Europe as the forthcoming European Union (EU) General Data Protection Regulation nears implementation.
But other cyber risks are being ignored by many firms. Privacy breaches and consumer data losses are just one small element of cyber-risk. The prospect of cyber-attacks causing physical damage is significant, yet it has been largely ignored.
UNREPORTED LOSSES
This relative neglect is partly due to the small number of reported losses. Yet there are good reasons to take the threat seriously. First, the potential impact is huge. Lloyd’s Business Blackout report estimated the economic impact from the scenarios it examined would be from USD243 billion to USD1 trillion, with insured losses estimated between USD21.4 billion and USD71.1 billion. (The report describes all such theoretical scenarios as realistic, although some parties have queried this.)
Second, unlike data breaches, there is no regulation to compel businesses to publicise incidents, which means that many cases are likely to be unreported. It is not the kind of incident that companies like to publicise.
WHO’S EXPOSED?
Much of the attention on the physical damage caused by cyber-attacks has focused on the power and energy sectors. But the vulnerabilities stretch across utilities, telecommunications, oil and gas, petrochemicals, mining and manufacturing – any industry where Industrial Control Systems (ICSs – computer systems used to monitor and control physical processes) are found.
GROWING LIABILITIES
In the US, 245 cyber-incidents were reported on ICSs in the 12 months up to 30 September 2014, according to figures from the Department of Homeland Security. 65 of the attacks targeted manufacturers. “That’s a large number, especially since there is no legal requirement for incidents to be reported,” says David White, Chief Knowledge Officer at Axio Global, a cyber-risk specialist serving critical infrastructure owners and operators.
Many attacks will not have resulted in physical damage, admits White, but that provides little reassurance. “Surveillance-style attacks, using malicious software, are designed to gather information about the ICS. The only reason to gather that information is to give someone a strategic advantage at some point in the future.”
WHY YOU’RE EXPOSED
Both the threat and the range of businesses with vulnerabilities are likely to grow. One reason is the availability of viruses and other malware that specifically target ICSs. Once developed and released onto the dark web, Stuxnet, as well as more recent discoveries such as Havex and BlackEnergy, are all now available to be accessed, modified and used by future potential attackers.
Furthermore, there is the continuing drive towards connectivity, with ICSs increasingly put on-line to allow remote monitoring and control to drive operational efficiencies. Much of the software that underlies the ICS infrastructure was never designed to be connected to anything, so it was not built with security in mind.
The growth of the ‘internet of things’ will also increase companies’ potential cyber-vulnerabilities, with the number of connected devices expected to triple by 2020, according to consultants Juniper Research. Understanding the online connections within an organisation is therefore essential to improving security. An inventory of your devices and systems, and what they communicate with, is the first step to determining your vulnerabilities.
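The inventory recommended above, built the way a practitioner would start it: from flow records, which show which systems actually talk to which, checked against an asset register that says which of them are control-system devices. This is an added example, not code from the newsletter, Axio Global or Lloyd’s; the asset register, the zone names, the flow records and the addresses (RFC 1918 and RFC 5737 documentation ranges) are all constructed, and only the protocol port numbers are real assignments.

```python
"""Added example: inventory of who-talks-to-whom from flow records, with
industrial control system (ICS) devices that are reachable from outside their
zone, or that reach out to the internet, flagged for follow-up.

The asset register, zones and flow records are constructed assumptions.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Assumed asset register: address -> (name, zone). Names and zones are hypothetical.
ASSETS: Dict[str, Tuple[str, str]] = {
    "10.10.1.5":  ("plc-line1", "ics"),
    "10.10.1.6":  ("hmi-line1", "ics"),
    "10.10.1.9":  ("historian", "ics"),
    "10.20.3.15": ("eng-laptop-07", "corporate"),
    "10.20.3.40": ("mail-gw", "corporate"),
}

# Well-known ports of common ICS protocols (real assignments, used only for labelling).
ICS_PORTS = {102: "S7comm", 502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP"}

# RFC 1918 ranges; ipaddress.is_private is deliberately not used, because it also
# treats the RFC 5737 documentation ranges used in the sample as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records, one per line: src,dst,dport,proto,bytes
FLOWS = """\
10.10.1.6,10.10.1.5,502,tcp,8120
10.10.1.9,10.10.1.5,502,tcp,4010
10.20.3.15,10.10.1.5,502,tcp,660
203.0.113.50,10.10.1.6,3389,tcp,91000
10.10.1.9,10.20.3.40,25,tcp,2300
10.10.1.5,198.51.100.9,443,tcp,512
"""


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def zone_of(addr: str) -> str:
    """Zone from the register; otherwise 'internal-unregistered' or 'external'."""
    if addr in ASSETS:
        return ASSETS[addr][1]
    return "internal-unregistered" if is_internal(addr) else "external"


def name_of(addr: str) -> str:
    return ASSETS[addr][0] if addr in ASSETS else addr


def parse_flows(text: str) -> List[Tuple[str, str, int, str, int]]:
    rows = []
    for line in text.strip().splitlines():
        src, dst, dport, proto, nbytes = line.split(",")
        rows.append((src, dst, int(dport), proto, int(nbytes)))
    return rows


def build_inventory(flows) -> Dict[str, Set[str]]:
    """Map every asset (by name, or address if unregistered) to the peers it
    exchanged traffic with, in either direction."""
    inv: Dict[str, Set[str]] = defaultdict(set)
    for src, dst, *_ in flows:
        inv[name_of(src)].add(name_of(dst))
        inv[name_of(dst)].add(name_of(src))
    return dict(inv)


def find_exposures(flows) -> List[str]:
    """Flag ICS assets reached from any non-ICS zone, and ICS assets that
    initiate connections to external addresses."""
    findings = []
    for src, dst, dport, proto, _ in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if dz == "ics" and sz != "ics":
            what = ICS_PORTS.get(dport, f"{proto}/{dport}")
            findings.append(f"{name_of(dst)} reachable from {sz} host {name_of(src)} via {what}")
        elif sz == "ics" and dz == "external":
            findings.append(f"{name_of(src)} initiates {proto}/{dport} to external address {dst}")
    return findings


if __name__ == "__main__":
    flows = parse_flows(FLOWS)
    for asset, peers in sorted(build_inventory(flows).items()):
        print(f"{asset}: {', '.join(sorted(peers))}")
    for finding in find_exposures(flows):
        print("EXPOSURE:", finding)
```

On the sample, the inventory shows the PLC talking to four peers, and three of the six flows produce findings: an engineering laptop in the corporate zone speaking Modbus/TCP to the PLC, an external address reaching the HMI on tcp/3389, and the PLC itself making an outbound HTTPS connection. The historian sending mail to the corporate gateway is recorded in the inventory but not flagged, since the rule only reports ICS devices reaching outside the organisation; tightening that rule is a policy decision the inventory makes it possible to take.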
JLT Specialty Limited provides insurance broking, risk management and claims consulting services to large and international companies. Our success comes from focusing on sectors where we know we can make the greatest difference – using insight, intelligence and imagination to provide expert advice and robust – often unique – solutions. We build partner teams to work side-byside with you, our network and the market to deliver responses which are carefully considered from all angles.
TOP TWEETS
Don’t sleep on new data privacy regulations
When the data breach clock starts ticking
HSBC online banking is ‘attacked’
Even ‘one-man band’ SMEs will be hit
Are firewalls still relevant to security?
Forget power stations, worry about toasters, cyber experts say
Our Cyber, Technology, and Media Errors & Omissions team delivers bespoke risk management and insurance solutions to meet the needs of clients from a variety of industries. The team combines experience and talent with a track record of delivering successful results and tangible value for our clients.
CONTACTS
Sarah Stephens, Head of Cyber, Technology and Media E&O, JLT Specialty, +44 (0) 20 7558 3548, [email protected]
Lauren Cisco, Partner, JLT Specialty, +44 (0) 20 7558 3519, [email protected]
Jack Lyons, Partner, JLT Specialty, +44 (0) 20 7528 4114, [email protected]
This newsletter is published for the benefit of clients and prospective clients of JLT Specialty Limited. It is intended only to highlight general issues relating to the subject matter which may be of interest and does not necessarily deal with every important topic nor cover every aspect of the topics with which it deals. If you intend to take any action or make any decision on the basis of the content of this newsletter, you should first seek specific professional advice. JLT Specialty Limited The St Botolph Building 138 Houndsditch London EC3A 7AW www.jltspecialty.com Lloyd’s Broker. Authorised and regulated by the Financial Conduct Authority. A member of the Jardine Lloyd Thompson Group. Registered Office: The St Botolph Building, 138 Houndsditch, London EC3A 7AW. Registered in England No. 01536540. VAT No. 244 2321 96. © February 2016 271573