The attackers struck unexpectedly and with devastating results. Earlier this year intruders disabled the electronic shut-off systems on the furnaces at a steel mill in Germany, shutting down the facility and causing massive damage to a furnace that could not be properly turned off.
At a congressional committee hearing, Peter Beshar, executive vice president and general counsel for Marsh & McLennan Companies, likened the attack to a “Cyber Pearl Harbor.”
There was no warning. It happened so quickly there was no way to defend against it. The attackers used no guns or explosives. Instead they used their knowledge of the manufacturer’s industrial controls. Their weapon of choice was a computer. Their route of attack wasn’t the sky, but the network. And their goal was pure greed.
They sought nothing more than ransom.
Beshar says similar attacks represent a growing global security threat as well as a threat to national infrastructures. And thus we have entered a new era of warfare.
A generation ago, successful hackings were designed to earn hackers “bragging rights,” despite the harm caused to businesses. Identity theft for financial gain was the next phase in this sordid evolution, followed by “distributed denial of service” attacks that shut down a company’s website. The latest stage, reflected in the attack that severely damaged the German steel plant, appears to have begun with so-called spear-phishing, a targeted email that tricks a specific employee into running malware or giving up credentials, and ended in extortion, with hackers demanding a princely sum to restore an organization’s damaged systems and networks.
As cyber attacks evolve and become more threatening, the insurance industry stands to lose the most. Insurers sell a variety of products that absorb a broad range of business losses from cyber attacks. Both insurers and brokerages also provide a wealth of risk management and mitigation services to cyber policyholders, assisting them primarily in the aftermath of a data breach.
Obviously, no one would stick his neck out so far to battle such a Hydra without knowledge, guts and gumption. You remember the mythical Hydra—each time she lost a head, two more grew in its place. It’s a fair description of squaring off against increasingly sophisticated hackers. The insurance industry must be well armed to stand toe-to-toe with such a brilliant adversary. But is it?
“Frankly, I have not seen major insurance companies and brokers suffer a substantial data breach, outside the example of the health insurance industry,” says Larry Ponemon, the founder and chairman of the Ponemon Institute, a research think tank dedicated to advancing privacy and data protection practices. “That doesn’t mean it hasn’t happened. It could be invisible to the world because insurers and brokers may be good at hiding evidence of a data breach.”
Research into the industry’s data breach cases seems to support Ponemon’s assessment. Privacy Rights Clearinghouse has documented data breaches by industry type over the past 15 years. Sure enough, it was difficult to find evidence of a cyber attack against major brokerages and insurers going back the full 15 years. Other than the massive data breach disclosed by health insurer Anthem earlier this year, the industry was relatively unscathed, despite the wealth of private information it possesses and the financial value this represents to hackers.
It’s easy to draw a conclusion that the industry’s superb underwriting expertise has made it virtually invincible to hackers. But Paul Viollis sees it differently.
“I wouldn’t say the insurance industry has avoided cyber attacks because they’re good at security,” says Viollis, CEO of Risk Control Strategies, a consulting, investigations and crisis management firm specializing in cyber threat management. “It’s because they haven’t been targeted yet. Insurers and brokers just haven’t hit the radar yet. They house significant information, meaning they will be hit, if they haven’t already been hit.”
A Looming Threat
Viollis, whose shaved head, goatee and law enforcement background give him a tough-guy appearance, isn’t winging it here. He has worked with many insurers investigating cyber attacks and the extent of damage suffered by insured clients. Among large insurance companies he’s worked with, Viollis says, only one has adopted what he considers appropriate measures to combat cyber crime.
“The same goes for insurance brokers,” he says. “They all have an IT perspective—how to prevent a loss of connectivity. They fail to have a security perspective—evaluating the next evolution of cyber crimes to prepare for them today. The industry has a target on its back. That’s the unfiltered truth.”
We reached out to a dozen insurance companies and brokerages to determine whether his warnings held water. Were these businesses ill prepared for a cyber-security attack?
Unfortunately, each one declined to discuss its preparedness, saying such a discussion would only incite hackers. But while they couldn’t discuss specific cyber-security tactics, several brokerages provided theories on why the industry seems to have withstood the brunt of cyber attacks.
“Hackers are opportunistic,” says Robert Parisi, managing director and cyber products leader at Marsh. “They want to go where they can get the most for the least. If you view large insurance companies and brokers as Fortune 100 businesses with significant resources to defend themselves, even though these entities have somewhat of a treasure trove [of data], they also have some of the best defenses. This is why SMBs [small and medium-sized businesses] with less capital to invest in security are more often considered targets of opportunity.”
Does the industry in fact have some of the best defenses? Ponemon believes it does, with slight reservations. “We’ve worked with many large brokers and insurers that have wide geographic footprints,” he says. “They’re subject to a wide array of different privacy and data protection rules globally. They’re also in the business of managing risk for clients and, generally speaking, are just better at managing risks in their own organizations. Either that explains why they’ve done so well or they’re lucky.”
He notes the industry tracks about average with what the Ponemon Institute considers to be an important component of overall cyber-security awareness—the appointment of a chief information security officer or chief privacy officer dedicated to ensuring cyber security. Yet no business wants to be known for tracking about average in the aftermath of a cyber attack, not when most industries rate cyber security as one of their top 10 strategic and business risk concerns.
Most industries fully recognize that a cyber attack can severely damage, if not doom, a company. The Ponemon Institute just released a global study on this subject. Sponsored by Aon Risk Services, the study puts the potential average loss to a company from a complete meltdown caused by a cyber attack in excess of $1.2 billion: $617 million in potential loss of information assets and another $648 million in potential loss related to property, plant and equipment.
“What is most interesting about these findings,” Ponemon says, “is that the respondent organizations’ insurance coverage failed to match up with these exposures. On average, insurance addressed 60% of the complete loss of property, plant and equipment. With regard to information assets, insurance covered just 12%.”
One can only wonder how many insurers and brokerages are close to these averages, failing to follow their own recommendations.
Cracks in the Surface
Thwarting a cyber attack requires a three-pronged defense comprising people, processes and technology. The latter is composed of the traditional weapons like firewalls, data encryption, intrusion detection, system patches and upgrades, and so on: tech tools battling tech tools. Processes are the rules put in place to maintain a high degree of cyber security, from password policies to restricting who may access certain data.
The third leg of this triumvirate of cyber-security defenses is the weakest. That’s because human beings are fallible creatures. Unlike machines that do the same things the same way all the time, people make mistakes. This is most dangerously the case with regard to spear-phishing scams.
In the old days of phishing, a hacker attached a malware-infected document to an email and cleverly persuaded the recipient to open it. The hacker then had an inside view of the organization, moving from one system to the next in the hunt for salable data, such as customers’ credit card numbers. Employees were instructed how to detect such schemes and report them.
Spear-phishing, as its name signifies, is a more precise tactic. Hackers have found great success scamming partnering organizations like vendors and suppliers of previously hacked companies. The hacker will leverage one of the hundreds of major businesses publicly revealed to have been victims and then send a sympathetic email purportedly from an actual person at the victimized company to one of its suppliers.
The email will state something like, “As you may know, we recently were the victim of a cyber attack. We are very concerned that your sensitive data may have been at jeopardy. Please fill out the enclosed form so we can better assist you in assuring complete remuneration in the event you experienced a financial loss.”
The well-intentioned employee opens the enclosed form and all hell breaks loose. That’s just one increasingly common spear-phishing effort. Diana Kelley, executive security advisor at IBM Security, provides another.
“There have been instances where a hacker learns on social media that there was a big office party at a company the night before,” Kelley says. “Acting as if they were actually at this party, the hacker will post on Facebook, ‘What a great party! Check out this fun video of so-and-so.’ The employee can’t resist. She’s sitting at her desktop at the office and clicks on the attachment.”
The attachment, of course, carries malware. “Even if you train your employees the best you can, hackers are incredibly creative and getting more so each day,” Kelley says. “This is not your ‘Nigerian prince looking for help’ phishing of old. They are adept at finding the infiltration points.”
How does a company barricade its virtual doors? Kelley recommends the use of anomaly detection technology to filter questionable email attachments, which are routed to security professionals for a complete once-over before going to the recipient. The attachments are opened on isolated, disposable machines, a sandbox, to see whether they behave maliciously.
“Companies that channel registered data through monitored access points will have a far easier time spotting and isolating malware,” Kelley says.
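The filtering step Kelley describes, as an added example that is not code from the article or from IBM Security: a small triage pass that looks at each attachment’s declared name and its actual leading bytes, and decides whether it can be delivered, must be detonated in a sandbox first, or must be blocked outright. The extension lists, magic-byte table, domains and sample messages are constructed for the demonstration and are not any vendor’s policy.

```python
"""Inbound attachment triage: deliver, sandbox, or block.

Added example, not code from the article or from IBM Security. The extension
lists, magic-byte table and sample messages are constructed for the demonstration.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Extensions that should never reach a mailbox without analyst review (illustrative).
BLOCK_EXT = {".exe", ".scr", ".js", ".vbs", ".jse", ".hta", ".lnk", ".ps1", ".bat", ".cmd"}
# Office formats that can carry macros, a common spear-phishing payload.
MACRO_EXT = {".doc", ".xls", ".ppt", ".docm", ".xlsm", ".pptm"}
# Containers hide the inner file type from name-based filters; detonate rather than trust.
ARCHIVE_EXT = {".zip", ".rar", ".7z", ".iso", ".img"}

# Leading bytes used to compare the declared file name with the actual content.
MAGIC = [
    (b"MZ", "pe-executable"),
    (b"PK\x03\x04", "zip-container"),   # also .docx/.xlsx
    (b"%PDF", "pdf"),
    (b"\xd0\xcf\x11\xe0", "ole2"),      # legacy .doc/.xls, macro-capable
]
SEVERITY = {"deliver": 0, "sandbox": 1, "block": 2}


def sniff(data: bytes) -> str:
    """Classify content by magic bytes, independent of the file name."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def triage_attachment(filename, data: bytes):
    """Return (verdict, reasons) for one attachment."""
    name = (filename or "").lower()
    ext = "." + name.rsplit(".", 1)[1] if "." in name else ""
    kind = sniff(data)
    verdict, reasons = "deliver", []

    def raise_to(level, why):
        nonlocal verdict
        reasons.append(why)
        if SEVERITY[level] > SEVERITY[verdict]:
            verdict = level

    if ext in BLOCK_EXT:
        raise_to("block", f"executable extension {ext}")
    if kind == "pe-executable" and ext not in BLOCK_EXT:
        raise_to("block", f"PE executable content disguised as {ext or 'no extension'}")
    if re.search(r"\.(pdf|docx?|xlsx?|jpe?g|png|txt)\.[a-z0-9]{1,4}$", name):
        raise_to("block", "double extension (e.g. form.pdf.exe)")
    if ext in MACRO_EXT or kind == "ole2":
        raise_to("sandbox", "macro-capable Office document")
    if ext in ARCHIVE_EXT:
        raise_to("sandbox", f"archive {ext} hides inner file types")
    if ext == ".pdf" and kind != "pdf":
        raise_to("sandbox", "declared .pdf but content is not PDF")
    return verdict, reasons


def triage_message(raw: bytes):
    """Parse a raw RFC 822 message and return the worst verdict over its attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdict, findings = "deliver", []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        v, why = triage_attachment(part.get_filename(), data)
        findings.append((part.get_filename(), v, why))
        if SEVERITY[v] > SEVERITY[verdict]:
            verdict = v
    return verdict, findings


def build_sample(filename, data, maintype, subtype) -> bytes:
    """Build a constructed lure message in the style the article quotes (not real mail)."""
    m = EmailMessage()
    m["From"] = "claims@breached-partner.test"
    m["To"] = "accounts@example-broker.test"
    m["Subject"] = "Action required: recent cyber attack"
    m.set_content("We recently were the victim of a cyber attack. Please fill out the enclosed form.")
    m.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return m.as_bytes()


# Constructed samples: a PE disguised with a double extension, a legacy Office doc, a clean PDF.
LURE_EXE = build_sample("claim_form.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60, "application", "octet-stream")
LURE_MACRO = build_sample("claim_form.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64, "application", "msword")
CLEAN_PDF = build_sample("statement.pdf", b"%PDF-1.4\n%%EOF\n", "application", "pdf")

if __name__ == "__main__":
    for label, raw in [("lure_exe", LURE_EXE), ("lure_macro", LURE_MACRO), ("clean_pdf", CLEAN_PDF)]:
        print(label, triage_message(raw))
```

The point of sniffing the content rather than trusting the name is the disguised-executable case: a file called photo.jpg whose first bytes are a PE header is blocked even though .jpg is on no block list. Anything macro-capable or inside an archive is not judged here at all; it goes to the sandbox, which is the "dummy computer" step in the text.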
Viollis advises companies to consider creating their own spear-phishing lures and then deploying them on unsuspecting employees. Doing this measures how well staff actually follow the organization’s cyber-security rules. The theory behind the approach makes sense: an employee who has been caught opening a harmless simulated lure will be less apt to open the real thing in the future.
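The bookkeeping behind such a simulation, as an added example that is not code from the article, Risk Control Strategies or any agency quoted in it: each employee gets a lure link carrying an HMAC token bound to the campaign and the user, so a landing-page hit can only be attributed to the person it was sent to and cannot be forged, and a scorer turns the landing-page hits and report-mailbox submissions into per-user outcomes. The secret, campaign name, host name, user list and event log are all constructed.

```python
"""Phishing-simulation tokens and scoring.

Added example, not code from the article or from any firm it quotes. The secret,
campaign id, landing host, user list and event log below are constructed.
"""
import base64
import hashlib
import hmac

CAMPAIGN_SECRET = b"rotate-this-per-campaign"     # assumption: kept outside the mail template
CAMPAIGN_ID = "q3-vendor-breach-lure"              # assumption
LANDING_HOST = "phish-sim.example-broker.test"     # hypothetical internal host


def make_token(user: str) -> str:
    """HMAC ties the token to (campaign, user) so a hit cannot be attributed to someone else."""
    mac = hmac.new(CAMPAIGN_SECRET, f"{CAMPAIGN_ID}|{user}".encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac[:12]).decode().rstrip("=")


def verify_token(user: str, token: str) -> bool:
    return hmac.compare_digest(make_token(user), token)


def lure_url(user: str) -> str:
    return f"https://{LANDING_HOST}/claim-form?u={user}&t={make_token(user)}"


def score(events, users):
    """events: (timestamp, kind, user, token) with kind in {"click", "report"}.

    The first action counts: a user who reports the mail and later opens it out of
    curiosity stays "reported"; a user who clicks and then reports is recorded as
    "clicked then reported". Events with a bad token or an unknown user are ignored.
    """
    outcome = {u: "no action" for u in users}
    ignored = 0
    for _ts, kind, user, token in sorted(events):
        if user not in outcome or not verify_token(user, token):
            ignored += 1  # stray or forged hit; never attribute it
            continue
        if kind == "click" and outcome[user] == "no action":
            outcome[user] = "clicked"
        elif kind == "report":
            outcome[user] = "reported" if outcome[user] == "no action" else "clicked then reported"
    reported = sum(1 for o in outcome.values() if o == "reported")
    clicked = sum(1 for o in outcome.values() if o.startswith("clicked"))
    return {
        "outcomes": outcome,
        "report_rate": reported / len(users),
        "click_rate": clicked / len(users),
        "ignored_events": ignored,
    }


USERS = ["alice", "bob", "carol", "dave"]

# Constructed event log (ISO timestamps sort lexically). Tokens come from make_token,
# except the last line, which simulates a forged hit for a user outside the campaign.
EVENTS = [
    ("2015-09-14T09:02:11", "click", "alice", make_token("alice")),
    ("2015-09-14T09:03:40", "report", "bob", make_token("bob")),
    ("2015-09-14T09:05:02", "click", "carol", make_token("carol")),
    ("2015-09-14T09:09:30", "report", "carol", make_token("carol")),
    ("2015-09-14T09:15:00", "click", "bob", make_token("bob")),
    ("2015-09-14T10:00:00", "click", "mallory", "AAAAAAAAAAAAAAAA"),
]

if __name__ == "__main__":
    for u in USERS:
        print(u, lure_url(u))
    print(score(EVENTS, USERS))
```

The report rate, not the click rate, is the compliance figure worth tracking: a campaign where nobody clicks but nobody reports either has taught the IT team nothing about whether the real thing would be escalated in time.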
A few agencies, brokerages and wholesalers are doing much of the above, trying to batten down the hatches left open by people, processes and technology. “We’ll never get ahead of the bad guys, so we have to have strong technical protections in place like firewalls, monitor the incidence of attacks on a constant basis to know who is knocking on our system, and train users on a consistent basis about these risks, as they are the most vulnerable point,” said Keith Burkhardt, vice president at Kraus-Anderson Insurance in Minneapolis.
The agency appears to follow Viollis’s advice to conduct phishing penetration tests on a regular basis. “Good users send the email to IT immediately,” Burkhardt says. “Poor users open the attachment and when they do, a stern warning appears, saying ‘If this was a real attack, you just shut down our system!’ They then receive a one-page reminder of proper protocols.”
Michael Paulin, vice president and managing director of IT at wholesaler Kaufman Financial Group in Michigan, likens keeping up with hackers to a “footrace where we’re always chasing a moving target.” As Kaufman incorporates more mobile technology to connect its wide-ranging enterprise, the footrace speeds up.
“Mobility is our greatest concern of late, as it creates more touch points and thus more exposure,” Paulin says. “Everybody wants to use their own mobile devices and business efficiency apps. We don’t want to impede their productivity, so it becomes an added challenge to manage, security-wise.”
Paulin echoed others in citing people as the weakest link in the security triumvirate, noting that the firm takes a highly proactive stance with regard to training. “We mandate that employees go through a formal education program as part of the on-boarding process and then continue to receive training on an annual basis,” he says.
At Beazley, which underwrites specialty insurance products for several Lloyd’s syndicates, sensitive data and documents are sequestered to prevent unauthorized access. “We’re also using a tool to ensure employees don’t inadvertently send email to the wrong recipients,” says Ben Spencer, Beazley’s chief information officer. “I’ve certainly received emails intended for other people in the past. The tool helps prevent data leakage—people sending data outside the organization to the wrong address.”
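A check of the kind Spencer describes, as an added example that is not Beazley’s tool or code from the article: before a message leaves, each recipient domain is compared against the organization’s own domain and its vetted partners, a near-miss (edit distance one or two, the classic typo or lookalike) is flagged, and anything that matches a sensitive-content pattern is held if it is addressed outside that set. The domains, regular expressions and sample messages are constructed for the demonstration.

```python
"""Outbound recipient check: hold a message on a lookalike domain or on sensitive
content addressed outside the organization and its vetted partners.

Added example, not Beazley's tool or code from the article. Domains, patterns
and samples are constructed.
"""
import re
from email.utils import parseaddr

ORG_DOMAIN = "example-insurer.test"                                   # assumption
TRUSTED_DOMAINS = {"example-broker.test", "example-reinsurer.test"}   # assumption
SENSITIVE_PATTERNS = [
    (re.compile(r"\bpolicy\s*(?:no\.?|number)\s*[:#]?\s*[A-Z0-9-]{6,}", re.I), "policy number"),
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "SSN-formatted number"),
    (re.compile(r"\b(?:\d[ -]?){13,16}\b"), "card-number-like digits"),
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small distance between domains is the typo/lookalike signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def recipient_domain(addr: str) -> str:
    """Handle both bare addresses and 'Display Name <user@host>' forms."""
    _, address = parseaddr(addr)
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def check_outbound(recipients, body: str):
    """Return ("send" | "hold", warnings) for one outbound message."""
    warnings = []
    sensitive = [label for rx, label in SENSITIVE_PATTERNS if rx.search(body)]
    known = {ORG_DOMAIN, *TRUSTED_DOMAINS}
    external = []
    for r in recipients:
        dom = recipient_domain(r)
        if not dom:
            warnings.append(f"unparseable recipient {r!r}")
            continue
        if dom in known:
            continue
        external.append(dom)
        for k in known:
            d = levenshtein(dom, k)
            if d <= 2:
                warnings.append(f"{dom} looks like {k} (edit distance {d})")
    if external and sensitive:
        warnings.append(
            f"sensitive content ({', '.join(sensitive)}) addressed to external "
            f"domain(s): {', '.join(sorted(set(external)))}"
        )
    # One stray external address among several internal ones is the classic auto-complete slip.
    if len(recipients) >= 3 and len(external) == 1:
        warnings.append(f"single external recipient {external[0]} in an otherwise internal message")
    return ("hold" if warnings else "send"), warnings


# Constructed sample messages.
SAMPLES = {
    "renewal_to_typo_domain": (
        ["claims@example-insurer.test", "Jane Doe <jane@example-insurer.test>", "j.smith@exampel-broker.test"],
        "Please see the renewal schedule attached.",
    ),
    "policy_to_trusted_broker": (["broker@example-broker.test"], "Policy No: PL-2019-00421 renewal terms"),
    "policy_to_webmail": (["someone@freemail.test"], "Policy No: PL-2019-00421 renewal terms"),
}

if __name__ == "__main__":
    for name, (rcpts, body) in SAMPLES.items():
        print(name, check_outbound(rcpts, body))
```

In practice the trusted set would be fed from the address book or recent correspondence rather than hard-coded, and a "hold" would surface as a confirmation prompt to the sender rather than a silent drop, since the goal is to catch the mis-click, not to stop legitimate mail.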
These security measures suggest firms take seriously the risk of a cyber attack. But it’s uncertain whether the measures are making a difference. No business wants to jeopardize its reputation by disclosing it has suffered a cyber attack—unless it has to. “We’ll never know the true cost of this,” Viollis says, “because at the end of the day it will not be reported.”