The Ever Looming Nature of Cyber Liability

The threat of cyber crime continues to grow in the public’s awareness

By: Paul Dzielinski – U.S. RE Corporation

(This article originally appeared in the New York Insurance Association’s Your NY Connection magazine.)

Imagine turning on your work computer tomorrow and all you see is the blue screen of death. Or maybe your boss calls an emergency meeting because overnight hackers got into your database and stole confidential customer data. Cyber crime has been growing exponentially over the past ten years. No longer is cyber crime the concern of only major international businesses. These days even local, main street companies can be susceptible to an attack by hackers.

Although cyber attacks and cyber crime may seem like recent developments, they have been a major concern of governments around the world since the early 1970s. What started as those annoying chain emails that promised get-rich-quick schemes and better sex has evolved into international breaches of security and impressive feats of cyber stealing. Smaller companies are now being targeted because they usually have less sophisticated security and sometimes they can be used as a gateway to access larger companies.

Public awareness of the cyber crime threat continues to grow. Google receives more than 25,000 search requests each month for various terms related to cyber liability: cyber crime, hacking, and identity theft.

No one knows the true cost of cyber crime. In the United States, estimates range from a low of $50 billion per year to more than $400 billion per year, as was quoted in a bill introduced by the United States House of Representatives Intelligence Committee. Worldwide, that number jumps to well over $500 billion. Keith Alexander, director general of the National Security Administration, has been quoted as saying that cyber crime is the “greatest transfer of wealth in human history.”

According to a recent survey sponsored by Hartford Steam Boiler, more than 50 percent of the companies operating in the United States think cyber risk poses a grave threat. As many as one-third of all small businesses surveyed earlier this year reported some kind of cyber attack. Of those companies attacked, almost three-quarters were unable to restore their computer data. These smaller firms are often easier targets for hackers because they do not have the financial resources to invest in sophisticated security systems.

What exactly is cyber crime? The FBI and CIA classify cyber crime into six general categories:

Fraud

Most cyber frauds are financial in nature and are designed to gain access either to the funds of the enterprise they are attacking or to that enterprise’s customers.

Computer Trespassing

Using Trojans and other malware, intruders can gain access to sensitive company files and website browsing history, steal passwords or even save malicious files to your computer’s hard drive.

Hardware Hijacking

Many modern printers update their software periodically through Internet connections to the manufacturer’s website. There is the possibility that hackers could exploit this periodic data transfer to download malware to the printers, the printer network or possibly even the computers connected to the printer network.

Bullying, Harassment, Stalking

Most of these cases involve teenagers bullying other teenagers through the Internet. Many instances involve posting obscene or cruel messages about the target on social media sites like Facebook, Twitter and YouTube.

Sometimes these harassers will steal their victim’s passwords to access their social media accounts and impersonate their victim by posting messages in their victim’s name.

Stalkers benefit greatly from the Internet by using various search engines and procedures to track their victim’s whereabouts. Sometimes the open nature of social media sites enables these criminals to obtain sensitive personal information, such as address, place of work, etc.

Spam

Unsolicited bulk emails have been around for a long time. Known by everyone as “spam,” these messages try to trick the recipients into revealing personal or sensitive information, such as Social Security numbers, bank account numbers, passwords, etc. Sometimes spammers will gain access to their victim’s email account and use that access to send out more spam under that person’s email address.

Information Warfare

This type of cyber attack involves large scale attacks on computers, websites and networks.

Hijacked computers can then be converted into “zombies” that spread and distribute malicious code, or crash a website by constantly bombarding it with requests to access the site, creating what is known as a “denial of service” attack.

It’s plain to see why the threat of hacking and information security risks are becoming more prominent as a risk management focus at a greater number of companies; and many companies are using insurance as their primary risk management tool.

The major industries affected by cyber exposure are:

1. Healthcare

2. Government and non-profits

3. Industrials

4. Professional services

Cloud computing has gained in popularity as a secure data storage tool because the security gained by moving data off network computers and servers outweighs the concern that the data could be lost if the cloud provider is ever hacked or goes down.

Hackers are constantly adjusting and honing attacks to exploit the most vulnerable features of a company’s infrastructure. Right now, hackers are focusing on mobile devices because the software of most mobile devices does not incorporate sufficient security protocols, and many of these protocols vary from platform to platform.

Despite the knowledge of these vulnerabilities, many organizations continue to allow the use of mobile devices to access corporate networks. A recent study of Android apps found that almost 300,000 apps were unquestionably malicious, and another 150,000 were considered suspect. Since corporate security no longer revolves around a Windows-based platform, company security personnel must follow security protocols for iOS, Windows Mobile, Blackberry, Android and others. Incorporating the variety of protocols necessary can make the task of keeping a company secure even harder.

Vulnerability also includes the housing of sensitive data, such as website hosting, credit card transactions and other technology systems with third-party vendors whose own security systems may not be adequate for the type of data they are storing. This is a supply chain risk that is very real, but frequently overlooked by most organizations. It is key that an organization not only know, monitor and address its own risks, but also those associated with the vendors the company uses.

Because of the interconnectedness of online systems, every American who uses digital technologies at home or in the office can and must play a part in cyber security. All citizens need to be educated on this issue that has permeated nearly all aspects of our tech-rich society.

This article is the first in a three-part series. The property and casualty insurance industry has a unique role in the business community when it comes to cyber liability. The issue impacts us as companies in that we need to ensure the proper protections are in place. We also have an opportunity to develop products that can address this ever-evolving, ever more complex issue.

How should the insurance industry respond to the threat of cyber crime and hacking? The amount of personal customer data stored on insurance industry computers and networks makes our industry a “target rich” environment for cyber thieves and hackers. In my next article I’ll write about the steps prudent management should take to protect their data. In my final article I will take a look at cyber liability as a product and delve into the potential for the insurance industry to have an expanded role in helping companies and individuals both protect themselves and recover from cyber attacks.

Paul Dzielinski is senior vice president with U.S. RE Corporation. U.S. RE is an international financial services firm with operations in reinsurance brokerage, consulting, investment banking, underwriting, claims, risk, and captive management. You can reach Paul at 845.920.7155 or pdzielinski@usre.com.