Risk & Insurance Management Society (RIMS) report offers practical steps to take before and after a cyber event occurs
At around 11:20 in the morning, on the last Tuesday of June, a friend and former coworker of mine posted on Facebook: “Massive cyber attack … Freaking.” As a remote worker for a U.S.-based subsidiary of a global industrial firm—a company operating in 43 countries on five continents—she quickly felt the effect of an event that spread, first, across Europe and then around the globe.
The attack, first referred to as “Petya” because it initially appeared to share a fair amount of code with an older piece of ransomware of that name, froze access to computers, which the attackers said they would unlock only after users paid a small ransom in Bitcoin. But in the hours after the outbreak started, The Guardian reported, security researchers said “the superficial resemblance” to the older Petya was “only skin deep.”
To accentuate the difference, researchers at Russia’s Kaspersky Lab redubbed the malware “NotPetya,” and increasingly tongue-in-cheek variants of that name—Petna, Pnyetya, and so on—began to spread as a result, the U.K. paper stated. Some experts even postulated that it likely was a different kind of cyber attack: a “weapon/wiper masquerading as incompetent ransomware.” Later analysis supported that view: the “installation key” displayed in the ransom note was random data, so the attackers had no way to decrypt a victim’s disk even if the ransom was paid.
Pnyetya—or whatever you wish to call it—arrived a month and a half after something that definitely was a ransomware attack. WannaCry, as the May 2017 event was called, exploited a flaw in the SMBv1 file-sharing protocol of the Microsoft Windows operating system, one that Microsoft had patched two months earlier (MS17-010), which is why it spread from machine to machine without any user action. It encrypted data and demanded Bitcoin ransom payments to get the data restored. The attack started on a Friday and, within a day, reportedly infected nearly a quarter-million computers in more than 150 countries.
A source quoted in a July Bloomberg article says the next ransomware attack could cost U.S. insurers big-time. “It would only need a combination of WannaCry’s wide reach and Petya’s destructive force to cost cyber insurers something like (U.S.) $2.5 billion, or a full year of gross premium income in the market,” Graeme Newman, chief innovation officer at CFC Underwriting, said in an interview. CFC is a Lloyd’s-backed managing general agent that Bloomberg says underwrites $100 million or so of cyber-insurance premiums.
Universal vulnerability
Ransomware is just one type of cybercrime that businesses face. According to the Verizon 2017 Data Breach Investigations Report, cyberespionage is the most common type of attack seen in manufacturing, the public sector and now education. The report says 51% of data breaches analyzed involved malware, and that ransomware rose to the fifth-most-common specific malware variety. Phishing is still a go-to technique, the report says, and pretexting (see sidebar) is on the rise.
And it’s not just the big guys that have to worry. The Verizon report says that just over six in ten data breach victims analyzed were businesses with fewer than 1,000 employees. A Willis Towers Watson Wire post from June 2017 addresses some of the common cyber-related misconceptions among small and medium-sized businesses (SMBs):
The first is: We’re not a target for attackers because we don’t have valuable data. “Any business that processes data and is connected to the Internet has cyber risk,” the post says. “It’s that simple. While SMBs often don’t have large ‘troves’ of data, they still have data. Attackers view access to SMB networks as a ‘path of least resistance.’ Compared to large publicly traded companies, SMBs may not have significant resources invested and dedicated to protecting their critical assets. As such, it is easier for a hacker to infiltrate a high volume of SMBs than one large organization with stronger controls.”
Misconception number two goes like this: We outsource the storage/processing of data. “Most SMBs think outsourcing data storage and processing will completely transfer their risk and potential liability to the outsource provider,” the authors note. “This is not true. The organization that owns the data ultimately has responsibility for it. While there may be some shared liability with outsource providers, most have limit of liability provisions in their contracts. Further, determining liability is a lengthy process and something an organization will be challenged to devote time to while responding to a breach.”
The third misconception: We have adequate technology security controls. “While technology controls are important and part of the solution, cyber risk at its core is a people risk,” Willis Towers Watson experts say. “According to our research, 69% of cyber breaches are due to an organization’s employees and can stem from a lost laptop, a disgruntled employee, inadequate cyber awareness training or hiring non-qualified employees. Therefore, it is important to also devote attention and resources to people solutions, such as employee engagement, awareness and hiring the appropriate IT talent.”
Managing risk like risk managers
A recent Risk & Insurance Management Society (RIMS) professional report outlines a number of steps that risk managers can take to help prepare for a cyber event, as well as things to do if one occurs. Agents and brokers can deliver value to their customers and prospects by adopting a risk management approach and sharing relevant info. According to the report, a strong partnership among IT, legal, risk management, and public relations is critical for an effective cybersecurity program. And a strong partnership between agents and risk management also is important.
“The difference between successfully navigating a cyber incident and falling victim to one is preparation,” said Teri Cotton Santos, senior vice president and chief compliance and risk officer at Chicago-based The Warranty Group and a RIMS Cyber Security Task Force member, in a release announcing the report’s results. The report is titled “Cyber Protection: What to Do Before and After a Cyber Incident.”
The report points out that, according to data released earlier this year by CyberScout and the Identity Theft Resource Center, the number of data breaches reported in the United States in 2016 increased by 40% from the prior year, to a record 1,093 incidents. And these incidents exposed some 36 million records.
Data show that the business sector had the highest number of disclosed breaches, with 494, followed by healthcare at 377, education with 98, government with 72, and financial institutions at 52. A November 2016 SecurityIntelligence.com article says that, globally, the cost of cybercrime is expected to reach $2 trillion by 2019, an increase of 300% from the estimated $500 billion cost in 2015.
Dealing with a cyber event requires a strategic and holistic response. “Risk professionals are in a unique position and are often called upon to foster collaboration between business area leaders,” Santos continued. “As cyber concerns continue to mount, greater expectations will be placed on practitioners and the invaluable role they must play to manage this evolving risk.” Agents and brokers can support risk managers at the larger organizations they serve, and they can help deliver risk management counsel for smaller concerns.
The RIMS report highlights the importance of understanding business strategy and susceptible assets, employee training, cyber insurance, and developing collaborative relationships with internal stakeholders and external partners. It was authored by members of the RIMS External Affairs Cyber Security Task Force, which includes: Santos; Dwayne Eastwood, manager, risk management at McCoy’s Building Supply; Michael Gresham, risk manager, Half Price Books Inc.; and John Hansen, vice president, enterprise risk management at Sprouts Farmers Market.
Power of planning
From an enterprise risk management perspective, RIMS leaders say, there are several protocols that every business should have in place, both for prevention of data incidents and handling an incident if one does occur. Prior to a cyber incident, risk professionals should work with key organizational stakeholders to:
- Understand the risk. It’s important to identify and assess the organization’s risk and exposure to a cyber event. Know what data the organization holds and where it is in the organization to understand its value and vulnerability.
- Know the landscape. Monitor the external environment for emerging threats, including those that may be specific to the organization’s industry. If the organization purchases cyber insurance, the insurance application itself can be a valuable tool for assessing the risk.
- Train and test. Does regular staff training take place? Are employees reminded to be cautious with emails from unfamiliar sources? Are emails originating from outside the firm clearly identified in the message body? Is a process in place to capture “for review” outgoing emails that may, for instance, contain large amounts of employee data or provide wire transfer info?
- Insure the exposure. While insurance isn’t a panacea, the RIMS report says, every organization should consider purchasing a cyber insurance policy. The Ponemon Institute pegs the average cost of a U.S. breach at $7 million. That makes it important to take an active role in the development of a cyber insurance program and understand what is covered. Many policies offer crisis management and response services that can be invaluable if an incident occurs. RIMS says that insurance “applications can be arduous, but will help identify strengths and weaknesses” in a cybersecurity program.
- Tap insurer resources. Some insurance packages offer risk management tools, such as employee training. Collaboration among IT, risk management, legal, and the insurance broker or agent in evaluating competing programs will help develop a program that is tailored for a firm’s particular situation. Coverage can include the cost for notification of the incident, identity theft protection for affected parties, third-party lawsuits, and extra expenses for public relations work.
- Check for other cover. Look at other policies for cyber coverage. For example, property policies may include coverage for damage caused by machinery malfunction as a result of a system intrusion. Understand what constitutes a coverage trigger under the policies, as well as any exclusions. Identify these before an incident, so the organization is in the best claims posture post-incident.
- Befriend the law. Develop relationships with law enforcement (local police, the FBI, and Secret Service) before they’re engaged in an investigation on the organization’s behalf. Data incidents should be reported and if law enforcement knows the team and its exposures it will make reporting much easier. Law enforcement also can help with employee training and communication.
- Pick a law firm. Work with the insurance carrier to choose, in advance, a law firm with cyber experience. Insureds not only need specific expertise to defend claims arising from an incident, but they also need legal assistance in reporting a cyber incident. There are 49 separate state requirements for breach reporting, addressing things like reporting thresholds, timeframes, forms, and notification requirements. The time to report can be very short, and many states have fines for non-compliance.
- Consider reputation. Line up a public relations firm experienced in crisis response. Most insurers will include the cost of this service in their policy and will have identified reputable firms from which insureds can choose to help with their situation.
- Plan recovery. Have a written IT disaster recovery plan and an organization-wide crisis management plan in place; test them regularly. Plans should provide clear direction on responsibilities for dealing with an incident from a public relations standpoint, as well as technical details. Clear communication is critical; lack of a clear, concise plan for dealing with affected individuals, employees, and the media can have very negative brand and reputation ramifications.
Once an incident occurs, several best practices can help minimize the organizational impact:
- Ensure that IT is containing the issue and executing the disaster recovery plan to minimize the impact on the organization.
- Inform the selected law firm immediately so they can begin review of notification requirements in affected states in a timely manner. One overall best practice: Work with the legal team to protect internal communications under attorney-client privilege, to keep them from becoming discoverable in the event of litigation.
- Notify law enforcement.
- With help from a public relations team, begin drafting an initial press release, FAQ and Q&A for impacted parties.
- If cyber insurance coverage is in place, notify the carrier and begin working with their team to access resources available under the policy.
- Preserve evidence, but do it safely: isolate affected systems to prevent further damage, and capture disk images, memory and logs before any machine is wiped or rebuilt, so that cleanup does not destroy what forensic analysts and law enforcement will need. Only then ensure that all traces of the intruder have been removed and any security lapses addressed. Emails that may have been the source of the intrusion, including their full headers, will be useful in forensic analysis and for law enforcement investigations.
- To respond to questions from impacted stakeholders, activate an internal call center as soon as the plan of action, FAQs and Q&A are ready. Prompt response that includes clear communication and immediate remedies, such as identity theft and credit protection resources, will help preserve brand and reputation.
Having a clearly defined strategy to respond to cyber issues that includes both incident prevention and post-loss response will greatly minimize the financial and reputational impact of a data incident on an organization. And it will reinforce the role an agent or broker can play in helping clients protect their businesses.
By Dave Willis, CPIA
The People Factor
The RIMS report cites a Symantec study that says one in 131 emails contains malware; that 400 businesses are targeted each day; and $3 billion has been lost over the past three years. The report says that criminals often send requests for wire transfers or employee data in a senior executive’s name from an email address on a domain that closely resembles the company’s own, and employees sometimes comply because they overlook the slightly different domain.
A recent ECS Insurance Brokers blog points out that employees are the weakest link—and strongest defense—in any organization’s cybersecurity strategy. Agents and brokers can help clients avoid falling prey to pretexting or phishing attacks by properly advising them regarding risk management steps. U.K.-based ECS offers three ideas:
- Increase the level and regularity of employee awareness training. Employees should be trained to review emails closely to make sure they’re from trusted and known senders before clicking on links. “A cyber-savvy workforce holds the key to your enterprise resiliency,” the company says.
- Assess whether the firm’s IT department has the skills needed to effectively handle emerging threats. With WannaCry, ECS says, impacted companies should ask why the available Microsoft patch wasn’t installed in a timely manner. “Was the lag a talent or employee engagement issue?” it asks.
- Evaluate whether the firm’s culture supports cyber awareness and action-oriented behaviors. “For example,” the post says, “do leaders model positive behaviors that encourage employees to do the same, and do employees truly know what actions to take to report a cyber incident?”
The RIMS report offers one more tip: “Something as simple as a red banner identifying emails from external sources can be effective in preventing employees from opening emails containing malware, responding to requests to send money or sensitive employee data to criminals ‘phishing’ for information,” it advises.
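The external-sender banner recommended here and in the “Train and test” item above, and the look-alike-domain executive impersonation described in the sidebar, are both things a mail gateway can check mechanically. The following is an added example, not code from the RIMS report or from any vendor named in this article: a small inbound triage that tags external mail in the subject line, flags sender domains within a couple of edits of the company’s own, detects a known executive’s display name on an address that is not theirs, and holds the message for review when an impersonation coincides with a money or payroll-data request. The domain example.com, the executive list, the keyword list and the two sample messages are constructed for illustration; a real deployment would draw domains and executives from the directory.

```python
"""Added example: inbound mail triage for external tagging and BEC look-alike detection.
Not from the RIMS report; domains, executives and messages below are constructed."""
import email
from email import policy
from email.utils import parseaddr

# Assumed organization domains and executive directory (constructed for the example).
ORG_DOMAINS = {"example.com", "mail.example.com"}
EXECUTIVES = {"pat jordan": "pat.jordan@example.com"}   # display name -> real address

# Phrases that commonly appear in wire-transfer and payroll-data fraud requests.
BEC_KEYWORDS = ("wire transfer", "w-2", "payroll", "urgent", "gift card")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch look-alike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_org_domain(domain: str) -> bool:
    """True if the domain is not ours but is within two edits of an org domain,
    or uses an org domain as a leading label (example.com.evil-host.net)."""
    if domain in ORG_DOMAINS:
        return False
    return any(levenshtein(domain, org) <= 2 or domain.startswith(org + ".")
               for org in ORG_DOMAINS)


def triage(raw_message: bytes) -> dict:
    """Parse one RFC 5322 message and return the flags a gateway would act on."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    display_name, address = parseaddr(str(msg.get("From", "")))
    domain = address.rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()

    external = domain not in ORG_DOMAINS
    lookalike = looks_like_org_domain(domain)
    real_exec = EXECUTIVES.get(display_name.strip().lower())
    exec_spoof = real_exec is not None and address.lower() != real_exec
    bec_terms = [k for k in BEC_KEYWORDS if k in text]

    return {
        "from": address,
        "external": external,
        "lookalike_domain": lookalike,
        "executive_spoof": exec_spoof,
        "bec_keywords": bec_terms,
        # Hold for review when sender impersonation coincides with a money/data request.
        "quarantine": (lookalike or exec_spoof) and bool(bec_terms),
    }


def tag_subject(raw_message: bytes) -> str:
    """Return the subject with the external-sender banner the report recommends."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    return f"[EXTERNAL] {subject}" if triage(raw_message)["external"] else subject


# Constructed sample: look-alike domain plus spoofed executive asking for a wire.
SAMPLE_BEC = b"""From: Pat Jordan <pat.jordan@examp1e.com>
To: accounts.payable@example.com
Subject: Quick favor

Need an urgent wire transfer to a new vendor before noon. I'm in meetings.
"""

# Constructed sample: ordinary internal mail that should pass untouched.
SAMPLE_INTERNAL = b"""From: Pat Jordan <pat.jordan@example.com>
To: staff@example.com
Subject: Team lunch

Lunch is at 12:30 on Thursday.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_BEC, SAMPLE_INTERNAL):
        print(tag_subject(sample), triage(sample))
```

Run as a script to see both samples scored; the first is tagged external, flagged as a look-alike domain and an executive spoof, and quarantined because it also asks for an urgent wire transfer, while the second passes with no flags. The keyword match is deliberately crude: its job is to raise the review threshold only when combined with an impersonation signal, which keeps a legitimate internal payroll email from being held.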