At the End of the Beginning
I woke up one morning to these Washington Post front-page headlines: “Chinese Charged with Hacking; U.S. Firms Lost Trade Secrets” and “Dozens Charged in Malware Crackdown.”
The truth is this could be any morning—and more and more it appears it is every morning. Cyber threats are real, and they are growing. Last year alone, the FBI informed more than 3,000 U.S. businesses they were victims of cyber attacks. Most did not even know it.
In response to these growing threats, President Obama issued an executive order in February 2013 directing the National Institute of Standards and Technology (NIST) to develop a cybersecurity framework to serve as a launch pad for industry-specific risk mitigation and planned response efforts. Throughout the process, NIST and other administration officials have spoken of the possibility that insurance-driven risk-mitigation programs could serve as a cornerstone in the broader effort to combat cyber threats.
For threats that extend beyond consumer data, the insurance industry is still at the bottom of the learning curve. But for consumer data breaches, such as last year’s Target credit card information breach at the height of the holiday shopping season, the exposure is well understood and coverage appears to be widely available.
The other cyber attacks are not as well understood, and neither is the potential risk exposure. One reason appears to be the absence of data. If your company experiences a material data breach of consumer information, the laws of virtually every state require notice to the affected consumers as well as to the authorities. If your company's breach does not involve consumer data, you generally have no statutory notice obligation, so those incidents rarely become public and rarely feed any loss statistics. (If you are a publicly traded company, you arguably do have a duty to disclose under guidance issued by the Securities and Exchange Commission in 2011, but it doesn't appear the guidance is attracting adherents.) So it appears coverage for these non-privacy-related cyber risks is limited at best, and effective strategies for mitigating the risk are only in their nascent stages.
The NIST effort was intended as a foundational framework, especially for those new to thinking about cyber threats. It succeeds in outlining the basics and identifies five concurrent functions common across all critical infrastructure entities. It recommends all such entities develop the ability to:
- Identify cybersecurity risks and vulnerabilities
- Protect critical infrastructure assets
- Detect the occurrence of a cyber event
- Respond to a detected event
- Recover from a cyber event.
Zurich outlined seven core aggregations of cyber risk in an April report titled “Beyond data breaches: global interconnections of cyber risk.” They are:
- Internal IT enterprise risk
- Counterparties and partners risk (risk from dependence on or direct interconnection—usually non-contractual—with an outside organization)
- Outsourced/contract risk (usually from contractual relationships with service suppliers, HR, legal, and IT or cloud providers)
- Supply chain risk (includes cyber risks to traditional supply chains and logistics)
- Disruptive technologies risk
- Upstream infrastructure (especially electricity, financial systems and telecom)
- External shocks (outside the control of the enterprise).
Not surprisingly, IT systems remain every company’s primary line of cyber threat exposure. One way companies create their own vulnerability is by acquiring and using pirated software. A 2014 study by International Data Corporation (IDC) found that “consumers and enterprises have a 33% chance of encountering malware when they obtain a pirated software package or buy a PC with pirated software on it.” A 2013 report by IDC found “42% of all PC software packages installed in the world in 2011 were pirated.” IDC projects that in 2014 corporations will lose $491 billion from pirated software malware and more than two thirds of these losses will be caused by criminal organizations.
Use of unlicensed software also cuts a company off from the security updates and patches that the vendor develops and distributes to its licensed customers. And even if your company has properly licensed software, you will not benefit from updates and patches designed in part to close known cyber exposures if they are never installed. IDC reports that 43% of companies routinely fail to install these updates and patches.
For those reasons, Zurich’s basic recommendations focus in part on better enterprise control of properly licensed software on their systems (and the systems of their partners, counterparties and supply chain providers):
- Application whitelisting (permit users to run only a limited set of standard apps)
- Use of standard secure system configurations (less expensive and easier to defend)
- Patch both application and system software within 48 hours (a "window of vulnerability" opens when a patch is released, because attackers can compare the patched and unpatched code to learn what was fixed; installing the fix within 48 hours or less narrows that window to a size most attackers cannot exploit)
- Reduce the number of users with administrative privileges.
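The four controls above, as an added example that is not from the article or from Zurich's report: a small Python audit that checks a constructed software inventory against an application whitelist, a configuration baseline, a 48-hour patch window and a limit on local administrators. The host names, package names, versions, release dates, the 48-hour constant and the one-admin limit are all assumed sample data, not figures from the page.

```python
"""Baseline-control audit over a constructed endpoint inventory.

Added example; not the article's or Zurich's code. Everything below
(hosts, apps, versions, dates, policy constants) is constructed sample data.
"""
from datetime import datetime, timedelta

# Policy parameters (hypothetical values chosen for this example).
PATCH_WINDOW = timedelta(hours=48)   # longest a released patch may stay uninstalled
MAX_ADMINS = 1                       # only the managed IT account may hold local admin
MANAGED_ADMIN = "itadmin"            # the one account that is allowed to be an admin
NOW = datetime(2014, 5, 20, 9, 0)    # constructed audit time

# 1. Application whitelist: licensed standard apps and the version currently required.
APPROVED_APPS = {"office-suite": "2014.2", "pdf-reader": "11.0.7", "browser": "35.0"}

# 2. Standard secure configuration every host must match.
BASELINE = {"firewall": "on", "autorun": "off", "uac": "on"}

# 3. Vendor release time of each required version (constructed dates).
PATCH_RELEASED = {
    ("office-suite", "2014.2"): datetime(2014, 4, 8, 9, 0),
    ("pdf-reader", "11.0.7"): datetime(2014, 5, 13, 17, 0),   # 160h before NOW
    ("browser", "35.0"): datetime(2014, 5, 19, 12, 0),        # 21h before NOW
}

# Constructed inventory, as an endpoint-management agent might report it.
HOSTS = [
    {"name": "fin-ws-01",
     "apps": {"office-suite": "2014.2", "pdf-reader": "11.0.6", "browser": "34.0"},
     "config": {"firewall": "on", "autorun": "off", "uac": "on"},
     "admins": ["itadmin"]},
    {"name": "hr-ws-07",
     "apps": {"office-suite": "2014.2", "pdf-reader": "11.0.7", "browser": "35.0",
              "torrent-client": "1.2"},
     "config": {"firewall": "on", "autorun": "on", "uac": "on"},
     "admins": ["itadmin", "jsmith", "abrown"]},
    {"name": "eng-srv-02",
     "apps": {"office-suite": "2014.2", "pdf-reader": "11.0.7", "browser": "35.0"},
     "config": {"firewall": "on", "autorun": "off", "uac": "on"},
     "admins": ["itadmin"]},
]


def audit_host(host, now):
    """Return a list of (category, detail) findings for one host."""
    findings = []

    # Whitelisting and patch window. Anything not approved is a finding; an
    # approved app below the required version is "overdue" once the vendor's
    # patch has been available longer than PATCH_WINDOW, else "pending".
    for app, installed in host["apps"].items():
        if app not in APPROVED_APPS:
            findings.append(("unapproved_software", f"{app} {installed}"))
            continue
        required = APPROVED_APPS[app]
        if installed == required:
            continue
        age = now - PATCH_RELEASED[(app, required)]
        hours = int(age.total_seconds() // 3600)
        category = "patch_overdue" if age > PATCH_WINDOW else "patch_pending"
        findings.append((category, f"{app} {installed} -> {required}, released {hours}h ago"))

    # Standard configuration: report every setting that drifted from the baseline.
    for key, expected in BASELINE.items():
        actual = host["config"].get(key)
        if actual != expected:
            findings.append(("config_drift", f"{key}={actual}, expected {expected}"))

    # Administrative privileges: more admins than policy allows.
    if len(host["admins"]) > MAX_ADMINS:
        extra = sorted(set(host["admins"]) - {MANAGED_ADMIN})
        findings.append(("excess_admins",
                         f"{len(host['admins'])} admins, extra: {', '.join(extra)}"))
    return findings


def audit(hosts, now):
    """Audit every host; returns {hostname: findings}."""
    return {h["name"]: audit_host(h, now) for h in hosts}


def noncompliant_hosts(report):
    """Names of hosts with at least one finding, sorted."""
    return sorted(name for name, findings in report.items() if findings)


if __name__ == "__main__":
    for name, findings in audit(HOSTS, NOW).items():
        print(name, "OK" if not findings else "")
        for category, detail in findings:
            print(f"  [{category}] {detail}")
```

The distinction between "patch_pending" and "patch_overdue" is the point of the 48-hour rule: the browser patch released 21 hours ago is still inside the window, while the PDF reader patch released 160 hours ago is the kind of gap the article warns about. In a real deployment the inventory would come from the endpoint-management or software-asset-management system rather than a literal list, and the whitelist would be enforced by the operating system (AppLocker, SRP, or equivalent) rather than merely reported on.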
A complete cyber risk mitigation effort will engage corporate leadership in an enterprise-wide process and, because some attacks cannot be prevented, will ensure the enterprise is resilient to the (inevitable) successful attack by having in place:
- Redundant systems (power, telecom, data, etc.)
- Incident response and business continuity planning
- Scenario planning and exercises.
Like participants in a 12-step program, we know we have a problem, and we are starting to know how we can assist our clients in combating cyber threats and dealing with them when they happen. And, of course, they need to buy cyber insurance (if you can find it for them).