By Paul Vachon
Special to Crain’s Detroit Business
Most businesses and people are inextricably connected to the digital world, from desktop PCs and the servers they link with to tablets, smartphones, smartwatches and a litany of other gadgets.
And don’t forget today’s high-tech cars.
One characteristic all these devices share is connectivity, their link to the outside world. All this integration comes at a price: the threat of data breaches by nefarious hackers.
Since digital technology is so new — and its capabilities so amazing — the vulnerability to attack at the corporate level may not be so evident. But, as technical experts and local insurance experts attest, the risk is all too real, making effective preparedness a necessity, not a luxury.
How to minimize cyber risk
Passwords should be “long and strong,” according to the National Cyber Security Alliance. This means, despite the inconvenience, using creative mixtures of uppercase and lowercase letters, numerals and symbols. Be certain that passwords do not include personal information about an employee. For example, the name of the street she may live on. Require that employees change passwords according to a predetermined schedule, and that they are securely stored offline.
Train employees to recognize links contained in emails, attachments or online ads and how to properly delete them. Make certain that staff know how to effectively use email spam filters.
Emphasize to employees the importance of backing up their work and its role in protecting the company’s intellectual property. But don’t retain personal data on clients or employees that is no longer needed; it can cause unnecessary risk.
Encourage staff to remain ever watchful and to alert IT teams if something out of the ordinary appears on their computer or in their email. And, obviously, if a suspicious or unfamiliar individual is physically spotted near the company’s workstations or servers.
Source: National Cyber Security Alliance, local insurance brokers
Report: Cyberattacks cause collateral damage
A new report by Hewlett-Packard Co. describes a year of collateral damage with respect to cyber risks, with attacks touching people “who never dreamed they might be involved in a security breach.” Read story.
The business threat is best managed by reviewing the level of specialty insurance needed — and weighing whether more than traditional business security IT systems and protocols are needed. The right answers will depend on the industry served, client data stored and other theft risks, which will vary by business.
The state of cyberattacks
Intrusions into a company’s network can take on several forms. “The hackers today are both more creative and more technologically sophisticated,” said Jim Giszczak, member at McDonald Hopkins, a business law firm with offices in Bloomfield Hills.
“One common technique they employ is something called ‘spear phishing.’ This happens when a hacker penetrates a company’s system and sends a fraudulent email to an unsuspecting employee, asking for sensitive information. Assuming the request is legitimate, the employee complies, compromising the information.” That data can be later used to assist in future attacks.
And once a hacker invades a system, they often have the opportunity to steal more information than they originally intended. “A bad guy may be after a company’s trade secrets, but since many systems don’t segregate their departments’ information, he might also get personal data on employees,” Giszczak said.
An example occurred in February 2015 when Indianapolis-based Anthem Inc., a large, for-profit health insurer, suffered a cyberattack affecting its entire organization, compromising both general company data and medical information of some 80 million members. Despite having security protocols in place, the company described the attack as very sophisticated. It was unable to determine the precise origin of the attack.
Experts continue to advocate for companies to use aggressive measures to prevent hacking on the front end, such as system encryption, redundant firewalls and cryptic passwords. But as Brian Lapidus, a managing director at New York-based Kroll Inc. explained, implementing these measures is like aiming at a moving target.
“I think organizations are getting better with their protection,” Lapidus said. “But at the same time, the criminals are getting better and better with their methods, so it’s a vicious circle.”
Lapidus is managing director of identity theft and breach notification; Kroll performs risk analysis as well as cybersecurity, incident response and consumer remediation.
Liability: Coverage gaps
Further complicating matters is the issue of liability. In the absence of any insurance coverage, Lapidus said, each company is on its own.
“Forty-eight states have their own breach notification laws,” he said. “So when data is compromised, the location of the employees involved will determine how a company must respond. Each state’s laws are different, but all list specific rules by how affected parties are notified and what remedy the company will provide.”
Lapidus cited an example of a situation where his company’s services were needed. A client financial institution suffered the theft of 15 laptop computers that contained customer financial data. Kroll used investigators to locate the laptops and assess the damage. It then informed the client of the resulting customer notification and remediation requirements.
Given these potentially steep financial consequences, a new frontier in the insurance industry is emerging. While evolving and proactive security measures should always be the first line of defense, growing awareness of the risks has given rise to cyber insurance products.
Although major incidents, such as those involving big retailers such as Target and Home Depot, have involved considerable liability on the companies’ part, recent court precedent has provided liability relief for retailers. A 2015 U.S. District Court ruling in Suffolk County, N.Y., dismissed a suit filed by a customer of Michaels Stores, the arts and crafts retailer.
The plaintiff, in what eventually became a class-action suit, was one of several thousand customers whose credit card information was stolen in December 2013 due to malware that had infected the store’s point-of-sale system.
Two fraudulent purchases were subsequently made, both of which were later detected and removed from the customer’s account. In dismissing the case, the court rejected the plaintiff’s claim of pain and suffering stemming from having to closely monitor her credit in the months following the incident.
Court rulings like this therefore tend to argue against the need for cyber insurance aimed at consumers, since an individual’s losses can usually be remediated by the retailer involved.
Business-to-business cyber insurance, by contrast, is concerned with much more complex scenarios, but is very much an industry in its infancy. Until very recently, there were no statistical models that underwriters could use to assess risk and develop policies.
This changed in January when Lloyd’s of London released a set of “core data requirements,” which accomplish two things, according to Mary Jane Grandinetti, managing editor of Business Insurance. “The Lloyd’s model codifies precisely the specific cyber damages that need to be addressed in this type of coverage. It also sets standardized methods of assessing potential risks and developing appropriate levels of coverage.”
This key development will undoubtedly lead to more providers entering the field.
But the ever-increasing complexity of this emerging field can prove overwhelming to the business owner.
David Derigiotis, senior vice president of Farmington Hills-based Burns & Wilcox, cites this as one reason why hiring an expert specialized broker or agent is important.
“Buying cyber insurance is unlike purchasing a general liability policy,” he said. Business owners “really need an expert you can lean on who appreciates and understands the complexity of your specific situation.”
Too many people don’t understand all the details of these policies — the available coverage, the optional enhancements and a number of other features, he said.
When an agent doesn’t understand it, the client will have too much uncertainty to make a purchase. And they may put it off and put their company at risk. Right now, cyber insurance is a $2.5 billion per year industry.
“If everyone involved — retail agents, wholesale brokers and carriers — better understood these policies, that volume could be double or triple what it currently is,” he said. Derigiotis attributes this knowledge deficit to the fact that the worlds of high technology and insurance have traditionally had little in common. Until now.
Derigiotis stresses that the fields currently in greatest need for cyber coverage are those that deal with highly sensitive or confidential information, such as financial services or health care. In addition to customer liability, data breaches in these industries can trigger fines imposed for regulatory or HIPAA (Health Insurance Portability and Accountability Act) violations.
Cyber policies are also being written to cover companies from losses caused by cyberterrorism, such as business interruption when a website is disabled, or extortion. An example of cyber extortion: When a company’s entire system is “held hostage” by an outside party unwilling to release it until a ransom is paid.
Derigiotis and other experts argue that in the future all businesses will eventually need some type of cyber coverage. The coming of the Internet of Things — the connection of virtually all digital devices so that they may work together seamlessly to drive more efficiency — will open exciting new possibilities, but also a multitude of new opportunities for the bad guys.
Reducing risk also comes by way of continuously refining and strengthening security protocols. And beyond insurance products, there also are specialty vendors, technical experts, when it comes to blocking out the ever-increasing sophistication of cyber hackers.
Ash Devata, vice president of products at Ann Arbor based Duo Security, explains his company’s “two-factor authentication” protocol as an extra layer of security against hackers.
“Ninety-five percent of all cyber breaches involve compromised sign-in credentials,” Devata said. “With our system, two independent channels are utilized to assure someone attempting to log on is who they say they are.”
“As an example, after a user’s password is entered, a private message is sent to their cellphone asking if she or he is in fact attempting to access the system. Their affirmative response proves that they are, and access is granted.”
Duo’s Platform Edition takes this protection to the next level. “Platform assesses the characteristics of the wireless devices used by all of an organization’s employees. If it determines that some have outdated software and are thus more vulnerable, it recommends corrective actions be taken so the security of this separate channel is preserved.”
Yet another innovative (and amazingly low-tech) security-enhancing move is to put the organization on what Lapidus calls a “data diet.” He advises clients to delete old information that will never be legitimately needed.
“If you’re holding on to data from 30 years ago — customer Social Security numbers, dates of birth and the like, holding onto that serves no realistic business purpose and poses a significant liability risk,” Lapidus said.
“Get rid of it.”