When thinking about cyber risks, most companies envision external bad actors trying to hack into their systems or disrupt their operations. They’re half right.
Carnegie Mellon University’s Computer Emergency Response Team found nearly half (47%) of the respondents to its 2016 Annual State of Cybercrime survey reported an insider breach, and insiders were responsible for 50% of the breaches of private or sensitive information.
Brokers and agents need to be aware of the types of crimes committed by insiders and understand the differences in coverage. “It is important to determine when cyber is not cyber,” says Chris Giovino, Aon’s managing director of forensic analysis and crime claims. “Not all cyber acts are covered by cyber insurance. For example, collusion by an insider with an external cyber criminal would most likely be covered under a crime or fidelity policy, not wholly under cyber insurance.”
The Sony hack, which resulted in the theft of movies, emails and sensitive internal communications and zeroed out large amounts of data on Sony’s servers, was initially blamed on North Korea. Subsequent reports by security experts claimed the attack was perpetrated with insider assistance.
Employers, agents and brokers should consider the range of attacks that might be committed by employees or trusted insiders, such as contractors or business partners with system access. For example, the theft of confidential information, such as pricing and sales data, can lead to the loss of market share if the information should fall into the hands of a competitor who leverages it in the marketplace or if the disclosure results in damage to a company’s reputation. This information often is used by a highly mobile workforce and stored on laptops, where it is easily accessible to sales and account personnel. The theft of this sort of data might result from a lost or stolen laptop, or an insider might sell data to a willing buyer.
The theft of highly valuable proprietary data by an insider is usually easier to detect, since these assets are commonly stored in designated repositories with restricted access and user logs. Nevertheless, insiders often commit serious economic espionage. Google’s spinoff company Waymo, which specializes in self-driving vehicles, has been in the headlines recently over public allegations that one of its top engineers downloaded 14,000 proprietary files and trade secrets and took them with him to his new position at Uber. Waymo has sued Uber for violations of the federal Defense of Trade Secrets Act and the California Uniform Trade Secrets Act and infringement of patent rights.
One is reminded in this context of Edward Snowden, the federal contractor who downloaded millions of files from the National Security Agency without being detected. Without good log analysis, monitoring and strict access controls, employees can do the same within any company.
Other highly valued types of data that are susceptible to insider theft, misuse or unauthorized disclosure include employee information, health and benefits data, transactional information, strategic plans and customer data. These data have a strong market value and are easily traded in underground markets. Compared to external cyber attacks, breaches involving insiders can have a higher financial impact. In fact, 30% of the Carnegie Mellon survey respondents said cyber breaches caused by insiders were more costly than external attacks.
Customer data held in company systems also can put a company in the bull’s eye for attack. Manufacturing companies that offer products and services to critical infrastructure industries may have plans of customer facilities, custom specifications, and critical data related to the operation of industrial control systems stored in their computer systems. Often, these data are not encrypted, and the company may not be aware of how much or what types of data it has on its servers or employee laptops. Rather than target multiple critical infrastructure organizations, terrorists and nation-states desiring this information may seek out a vulnerable employee who is willing to obtain it for them.
Not all insider cyber events are nefariously motivated. Insiders also make mistakes or unintentionally cause a cyber incident. For example, companies commonly allow employees to use their own devices, such as laptops, iPads, smart phones and USB thumb drives for business purposes. The use of these devices, however, increases the risk that the device will infect the corporate system with malware. Certain types of applications installed on personal devices, such as peer-to-peer software, could enable unauthorized access to company data. Employees might fall prey to social engineering or fraud tactics and be tricked into emailing personally identifiable information, such as employee W-2 files, to criminals. Again, what many might perceive as a cyber crime may actually be deemed computer fraud by insurance carriers.
An employee’s loss of a laptop, CD, thumb drive or smart phone containing personally identifiable information may require a forensic investigation and trigger breach notification laws. This type of loss is covered by most cyber policies. If the employee intentionally provided the data to a third party, however, that could fall under a crime or fidelity policy.
Aon’s Giovino offers a tip from experience: “One of the most important steps any company can take when dealing with a cyber event is to have an internal triage of potential events,” Giovino says, “and then work with the broker to place all insurance carriers on notice: cyber, fidelity, crime, property and business interruption.”
Cyber events, particularly those involving insiders, often unfold in unexpected ways. For example, it is not uncommon for companies to be so disabled from a cyber intrusion that it requires the shutdown of operations to enable a full forensic investigation and system cleanup to be performed. This might trigger cyber and business interruption coverage, as well as property claims.
Brokers and agents face a continuing challenge to stay abreast of the current threat environment and understand the types of insider threats their clients might face. This requires understanding clients’ operations and learning about their cyber security program, including policies and procedures, security controls, use of encryption, restrictions on the use of removable media and personal devices, and logging and monitoring. Companies that think through the insider threat and mitigate these risks through a strong security posture and well-considered coverage will have the best cyber risk management strategies.
Jody Westby is CEO of Global Cyber Risk. firstname.lastname@example.org