A Defining Year for Cyber Risk

Cyber Risk

2016 has been a defining year for cyber risk….

There have been many events that have contributed towards shaping cyber risk this year; however, a number of stand-out “Influencers” have had an impact on businesses during the year and will continue to do so in the future.

This has raised the awareness of cyber risk in the UK and within the business community as a whole.

Such “Influencers” that have had a bearing on cyber risk are the following :-

1.The Threats

Ransomware 

Ransomware is a form of malicious software that an attacker uses to encrypt the files on a victim's computer (and, commonly, anything else it can reach from there). The attacker then extorts money, normally in the form of bitcoin, in exchange for the decryption key.

This form of cyber attack is now the most common in the UK, with 54% of SMEs reporting a ransomware attack. Surprisingly this is higher than in the US, where the figure is 47%.

The impact includes loss of income as a result of paying the ransom, loss of files, time spent by the business on remediation, downtime and, in the worst cases such as attacks on hospitals, the possible loss of life.

There is no sign of abatement of this form of cyber attack.

Phishing

Phishing is a method used by attackers to obtain personal or business details in order to commit a crime, normally fraud, or to gain a foothold from which to disrupt a computer system. A typical example is a bogus invoice sent by e-mail requesting payment into the attackers' bank account.

The UK is one of the most targeted countries for phishing scams.

https://www.symantec.com/content/dam/symantec/docs/reports/istr-21-2016-en.pdf

Internet of Things     

The Internet of Things is the internetworking of “connected devices” and “smart devices”, including buildings, via embedded electronics, software and sensors. These enable the objects to collect and exchange data.

When these devices are compromised by an attacker the potential to cause disruption is enormous. The threats are twofold: the devices can be herded into denial of service attacks, or their compromise can lead to a breach of privacy.

This year saw a distributed denial of service attack on Dyn, the DNS provider, using the Mirai malware strain, which targets vulnerable Internet of Things devices. The botnet used in this attack was built from compromised consumer devices, notably digital video recorders and IP cameras, that were still exposed with default passwords.

These forms of attack are only likely to increase in the future as “connected devices” frequently ship without adequate security protection to prevent them.

2.The Breaches

Yahoo

Yahoo announced, in the space of a couple of months, two major breaches of its user accounts. One occurred in 2014 and involved the theft of data on half a billion user accounts; the other, in 2013, is thought to have affected nearer a billion. Both attacks are believed to be state sponsored.

These are two of the largest ever recorded compromises of personal information. They demonstrate that attacks of this nature are getting larger and that high profile companies remain a principal target for hackers.

Banks

Banks were hit hard by a number of cyber attacks this year; the list is a long one: Bangladesh Bank, where attackers used fraudulent SWIFT payment messages to steal USD 81M of the close to USD 1 billion they attempted; further SWIFT-related attacks on banks in the Philippines and Vietnam and on Banco del Austro in Ecuador; and attacks on banks in Ukraine and a number of US and Canadian banks.

In the UK, Tesco Bank, HSBC and NatWest were all subject to cyber attacks, but with limited losses to the banks.

Cyber attacks on financial institutions have increased dramatically over the past twelve months and good cyber risk management should be a key consideration for this sector.

SME’s and Public Sector are now a focus for Hackers

This year saw SMEs subjected to increased cyber attacks, demonstrating that they too carry a real cyber risk which cannot be ignored. Ransomware attacks were seen at businesses ranging from hairdressing salons to florists.

Local authorities and hospitals were also targeted. The unluckiest county was probably Lincolnshire, with the county council hit by a ransomware attack and the hospitals in Grimsby, Scunthorpe and Goole having their computer network compromised.

3.The Regulation

The Information Commissioners Office (ICO)

The ICO showed its teeth and fined TalkTalk GBP 400,000 for security failings that contributed to the cyber attack it suffered last year.

It is likely that we will see the ICO exercise these powers more and more in the run-up to the General Data Protection Regulation (GDPR), which comes into effect in 2018.

General Data Protection Regulation

The GDPR was finally adopted in April this year and will come into force on 25th May 2018.

The clock is “ticking” and all businesses will need to assess what data they hold, where it is stored and how they manage it, irrespective of whether they are a data processor or a data controller.

The fines for non-compliance can reach 4% of worldwide annual turnover (or EUR 20 million, whichever is higher), so non-compliance is not an option.

Privacy Shield

The Privacy Shield is now “live”, having come into force on 1st August to replace the Safe Harbour. There have already been challenges to it, notably from Germany, and its current framework may be subject to change in the coming year.

What Else ….. ?

The Panama Papers, Brexit, Trump, the development of cyber insurance….. the list is endless.

This year has without doubt been a defining year for cyber risk….. 2017 will further shape the exposures and the vulnerabilities that businesses face from cyber risk.

 

Image : Shutterstock

The “Cyber Monday Morning” Feeling…

Cyber Monday

This year Cyber Monday falls on 28th November, traditionally following “Black Friday”, which this year is on 25th November. It is likely that consumers will have that “Cyber Monday Morning Feeling”, keen to buy on-line for loved ones the items they failed to grab on the Friday.

Cyber Monday represents one of the busiest on-line purchasing days of the year in both the UK and the US. Last year, according to figures from Experian and IMRG, Cyber Monday was worth £968M to on-line retailers, an increase of 34% on the previous year. A further increase is expected this year; one factor that might influence this is that UK consumers experienced crowd and traffic problems in the shops last year and may prefer to shop from the comfort of their own home or office.

The spike in on-line shopping activity on this day does not go unnoticed by the cyber criminals and it is one of the days of the year where consumers may be most vulnerable to scams and fraud.

Keen to grab a deal that may be too good to be true, consumers could be fooled into making purchases without looking carefully at a website that does not in reality belong to the retailer, or at an e-mail sent to them with a special one-off deal for that day. Cyber criminals take advantage of this lapse in concentration to gain access to personal details such as bank account details, full names and addresses and national insurance numbers.

Not only are there dangers for consumers but businesses will also be a target for cyber criminals who will be shopping for Christmas..!

Here are some cyber security measures that should be focused upon  :-

1.Updating your Software

Whatever device you are using, whether smartphone, tablet or desktop, it is important that the software is kept up to date, as updates close the holes that new viruses and malware exploit to compromise data.

2.A Strong Password

The most common password remains 123456, and it is a sad reflection that people do not fully realise the danger this poses. There are various schools of thought on what makes a good password; CyberAware, the government-sponsored website, provides good advice on this.

https://www.cyberaware.gov.uk/software-updates
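As an added illustration of the password advice above (this is example code written for this page, not part of the original post or of the CyberAware guidance), the check below rejects anything on a blocklist of common passwords, including the “Password1!” style variants that defeat a naive exact-match check, enforces a minimum length and gives a rough strength estimate. The blocklist, the 12-character minimum and the 50-bit threshold are assumptions chosen for the example.

```python
import math

# Constructed blocklist for this example; a real deployment would load a large
# published list of breached passwords rather than this handful.
COMMON_PASSWORDS = {"123456", "123456789", "password", "qwerty", "letmein", "football"}
MIN_LENGTH = 12   # assumed policy value
MIN_BITS = 50     # assumed policy value


def normalise(password):
    """Lower-case and drop trailing digits/symbols so 'Password1!' is compared as 'password'."""
    return password.lower().rstrip("0123456789!@#$%^&*.?")


def estimated_bits(password):
    """Crude entropy estimate: length x log2(size of the character pool actually used).

    This is the usual character-class heuristic; it over-rates predictable
    substitutions (Tr0ub4dor) and under-rates long passphrases, so the blocklist
    and length checks matter more than this number.
    """
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33
    return len(password) * math.log2(pool) if pool else 0.0


def assess_password(password):
    """Return a list of reasons the password is weak (empty list = acceptable)."""
    problems = []
    if password.lower() in COMMON_PASSWORDS or normalise(password) in COMMON_PASSWORDS:
        problems.append("on the common-password blocklist")
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if estimated_bits(password) < MIN_BITS:
        problems.append("estimated strength below %d bits" % MIN_BITS)
    return problems


if __name__ == "__main__":
    for candidate in ["123456", "Password1!", "Tr0ub4dor&3", "correct horse battery staple"]:
        print(repr(candidate), "->", assess_password(candidate) or "ok")
```

Note that a long passphrase of ordinary words passes every check while a short “complex” password fails on length, which is the point of the “three random words” style of advice.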

3.Privacy Settings

Check the privacy settings on social media to ensure that you share personal information only with people you know and are happy to share it with.

4.Internet Settings

When shopping on-line, ensure that retail sites are secure (served over HTTPS with a valid certificate) and that they are what they appear to be, rather than a look-alike.
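The following is an added example, written for this page and not part of the original post, of the kind of check that turns “is this site what it appears to be?” into something mechanical. It takes a link and the brand it claims to be, and flags the common tricks: a plain-HTTP link, a raw IP address, the brand name used as a subdomain of someone else's domain, a user@host prefix that hides the real destination, and punycode (internationalised) labels that can be visual look-alikes. The brand-to-domain table, the tiny public-suffix stand-in and all of the sample URLs are constructed assumptions for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed table for this example: brand name -> registrable domains the brand
# legitimately uses. A real check would be driven by a maintained list.
EXPECTED_DOMAINS = {
    "amazon": {"amazon.co.uk", "amazon.com"},
    "paypal": {"paypal.com"},
}

# Tiny stand-in for the Public Suffix List: suffixes under which the registrable
# domain is three labels long (shop.example.co.uk -> example.co.uk).
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}


def registrable_domain(host):
    """Return the part of the host name that somebody actually registered."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_shop_url(url, brand):
    """Return the reasons a link claiming to be `brand` looks wrong (empty list = looks fine)."""
    parts = urlsplit(url)
    host = parts.hostname or ""   # urlsplit lower-cases the host and strips userinfo/port
    problems = []

    if parts.scheme != "https":
        problems.append("not https")
    if not host:
        problems.append("no host name in URL")
        return problems

    # A bare IP address is never how a retailer presents its shop.
    try:
        ipaddress.ip_address(host)
        problems.append("raw IP address instead of a domain name")
        return problems
    except ValueError:
        pass

    # https://www.amazon.co.uk@evil.example/ : everything before '@' is userinfo,
    # the real destination is what follows it.
    if parts.username is not None:
        problems.append("credentials embedded before '@' (the real host is " + host + ")")

    # xn-- labels are punycode: an internationalised name that may be a look-alike.
    if any(label.startswith("xn--") for label in host.split(".")):
        problems.append("punycode label (possible look-alike domain)")

    reg = registrable_domain(host)
    if reg not in EXPECTED_DOMAINS.get(brand, set()):
        if brand in host:
            # amazon.co.uk.deals-example.net: the brand is only a subdomain of someone else's domain
            problems.append("brand appears in host but registrable domain is " + reg)
        else:
            problems.append("unexpected domain " + reg)
    return problems


if __name__ == "__main__":
    # Constructed sample links (example.net and 203.0.113.0/24 are reserved for documentation).
    for link in [
        "https://www.amazon.co.uk/deals",
        "http://www.amazon.co.uk/deals",
        "https://www.amazon.co.uk.deals-example.net/offer",
        "https://www.amazon.co.uk@login.example.net/",
        "https://203.0.113.5/amazon",
    ]:
        print(link, "->", check_shop_url(link, "amazon") or "ok")
```

The registrable-domain step is what matters most: the only part of a host name that a buyer can trust is the part somebody paid to register, and everything to the left of it is free for the registrant to choose.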

5.Human Error

An inadvertent error, such as pressing the wrong button on a computer or smartphone, could lead to data being sent to the wrong destination, disclosing it to a third party or an attacker who may use it for ill gain.

To reinforce this there are two excellent websites to guide individuals and businesses on how best to protect their privacy and data :-

CyberStreetwise 

This is a government sponsored initiative that was launched in 2014 to encourage behavioural changes in individuals and the SME business sector in terms of adopting a good cyber security posture.

https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/273330/cyber_streetwise_open_for_business.pdf

Get Safe Online

This website provides advice on how individuals and businesses can protect themselves from on-line issues such as fraud , identity theft and virus attacks.  Guidance is also provided on associated subjects relating to good housekeeping of computers and mobile devices.

https://www.getsafeonline.org/about-us/

Cyber Insurance 

For all the cyber security procedures and practices that may be in place Cyber Insurance can provide that “top layer”of coverage as part of the cyber risk management program should there be a compromise of computer systems that results in a data breach or being a victim of cybercrime.

Image : Shutterstock

The Cyber Highway…Supply Chain Essential

Are you on road to the Cyber Highway?

It is unlikely that your supply chain is travelling in this direction yet, as this initiative was only launched last month in London by Lord David Blunkett, the chairman of Cyber Essentials Direct Limited.

The concept behind it is to improve a business's cyber security posture and to provide reassurance about its supply chain, which traditionally presents a significant cyber security threat: an area which businesses often overlook and over which they have little or no control.

What is the Cyber Highway?

It is a user-friendly on-line portal and certification process aimed at large businesses that rely on their supply chains. The certification used is Cyber Essentials, a UK Government scheme launched in 2014 to help businesses protect themselves against mainstream cyber attacks. Through the portal it will also be possible for businesses to monitor the progress of their suppliers in attaining Cyber Essentials certification.

https://www.thecyberhighway.com/welcome

https://www.gov.uk/government/publications/cyber-essentials-scheme-overview

Certain Government departments already require their suppliers bidding for contracts to be Cyber Essentials certified. This requirement is likely to become more widespread in other industries in the future as cyber security becomes an increasing focus in the commercial world.

The Benefits

  • It is designed for all business sizes
  • It is a series of clear self-assessment statements
  • The provision of a comprehensive quality assurance framework
  • A user friendly on-line platform
  • A fully integrated and comprehensive cyber security self auditing system
  • Provision of a complete range of accessible tools and solutions

Helping the Cyber Landscape

It assists in securing the supply chain of business

It protects the infrastructure of businesses with whom larger companies trade

Post Brexit it is important that British businesses hold a recognized cyber security certification and this will further highlight.

Cyber Claims in the Supply Chain 

One of the highest profile cyber claims is that of the Target Corporation in 2013, where cyber criminals used credentials stolen from a third party supplier to gain access to Target's network. Target reported USD 61M of breach-related expenses in the quarter the breach was disclosed, and its profit for that quarter fell 46%.

Stuxnet is a malicious computer worm, discovered in 2010, that spread between networks on infected USB flash drives and targeted the Siemens industrial control systems that run automated machinery. It remains the reference example of an attack that enters through removable media carried across a supply chain rather than over the internet.

On-line retail is another sector susceptible to compromises that emanate from a supply chain vulnerability. Home Depot suffered a payment card data breach in 2014 that began with credentials stolen from a third party vendor.

Implications for Cyber Insurance

Cyber insurers are likely to favour the introduction of the Cyber Highway, as it represents improved risk management of a business's supply chain. That supply chain currently concerns insurers because it is an avenue for claims: it gives hackers a route to compromise a business's computer systems, which may lead to a data breach or cyber crime.

The Basics of a Cyber Insurance Policy

Cyber Insurance Policy

What are the basics of a Cyber Insurance Policy?

This specialist form of policy provides coverage for internet based risks and data related exposures of a business.

It consists of third party and first party sections. Insurers follow a modular format and the breadth of coverage varies from insurer to insurer, so it is important that you obtain the appropriate coverage once your cyber risks have been identified.

Cyber Insurance should not be considered in isolation and should form part of a businesses cyber risk management program.

The Basics of a Cyber Insurance Policy:-

1. Third Party Section

Network Security Liability

This provides coverage for a businesses liability to a third party as a result of the destruction of a third party’s electronic data. This also encompasses an inadvertent transmission of a computer virus to a third party.

Data Privacy Liability

This relates to your liability to third parties arising from the unauthorized disclosure of personally identifiable information or confidential corporate information.

Multimedia Liability

Your liability arising from content on your website as a result of a defamatory comment, infringement of copyright or invasion of privacy.

2. First Party Section

Network Business Interruption

This represents coverage for the interruption or suspension of your computer systems as a result of a network security breach or a network failure, the latter of which may not be automatically included. Insurers will reimburse the business's lost income and any expenses incurred in order to mitigate the interruption.

Data Asset Protection

This provides coverage arising out of the corruption or destruction of your computer systems. The loss covered is the replacement and restoration costs.

Cyber Extortion

A threat to the computer network where a ransom has been demanded, this will include negotiation costs.

Crisis Management

Costs associated with responding to a data breach including forensic costs, credit monitoring, call center costs and public relations costs.

Vendors

In addition to the policy coverage, it is important that the insurer is able to provide “vendors” who will manage a data breach. As a minimum this should include solicitors, a forensic investigation company and a crisis response team.

Possible extensions to a Cyber Insurance Policy:-

Certain extensions are available generally for an additional premium , such as coverage where network interruption that has been caused by an outsourced service provider or that outsourced service provider has suffered a system failure that impacts on a business.

Further extensions can include coverage where there has been a cloud service failure that affects a business and criminal reward fund that allows for a reward for information that leads to the successful conviction of a hacker.

The Policy Limit 

The policy will be on an “aggregate” basis, i.e. the total of all claims paid in any one policy year will not exceed the annual aggregate limit.

The Policy Excess 

A self-insured excess will be imposed by insurers; this is the first part of any claim that the policyholder will need to pay.

The business interruption module will also be subject to a separate excess which is normally an hourly figure. This section will be subject to an indemnity period , which is the period that the policy will provide coverage for this module.

Does a Professional Indemnity policy provide coverage for Cyber Liability?

Professional indemnity policies have developed in recent years to provide a broad basis of coverage known as “civil liability”. It is generally accepted that this type of policy provides elements of coverage that would fall into the third party section of a cyber liability policy, recognized as the following :-

  • Breach of privacy of third parties personal data or confidential corporate information caused as a result of a compromise of a computer system.
  • Defamatory comments placed on your website as a result of unauthorized access to your computer systems by a hacker.
  • Inadvertent transmission of a computer virus, logic bomb, worm or Trojan horse by an employee that causes damage or loss to third parties computer systems.

Professional indemnity policies have insuring clauses tied to claims arising out of the professional business of the firm, whereas cyber liability requires a wider policy trigger, such as losses caused as a result of unauthorized access to the firm's computer systems.

Cyber Liability Extensions 

A number of professional indemnity insurers will provide various cyber-related extensions, such as hacker damage or cyber extortion, but these are normally only for small sub-limits of the main policy. One point to bear in mind is that if cyber extensions are added to a professional indemnity policy written on an aggregate basis, any cyber claims will erode the overall aggregate policy limit.

Limitations

Some exclusions to take into account that may impact on the extent of cyber coverage under a professional indemnity policy are the deliberate acts and terrorism exclusions.

Not a substitute

The coverage for cyber liability under a professional indemnity policy should not be construed as a substitute for a stand alone cyber insurance policy and it is important that you seek proper advice from an insurance broker as to whether you have a requirement to purchase a cyber insurance policy.

 

Rio 2016 – The Cyber Threats

Rio 2016

Rio 2016 is here. Expectations are high for another GB medal haul, but this major sporting event is inevitably going to be a target for cyber attacks.

Some facts that will make Rio 2016 a draw for hackers  …

  • Brazil is already recognized as a hub for cybercrime, ranking 10th in the Symantec 2015 Internet Security Threat Report
  • London 2012 experienced 165 million attempts to breach cyber security , at Rio 2016 it is anticipated that this could be 4 times this….
  • 5th August to 21st August presents a significant window for hackers to exploit
  • 37 Venues
  • 306 Events
  • 10,500 Athletes
  • 206 Countries participating
  • 7.50M Tickets available for the events
  • 500,000 overseas travelers expected in Rio de Janeiro

Why The Olympics?

Major sporting events grab the attention of the entire world but unfortunately this also attracts elements of the population who perceive this as an opportunity to be exploited  ….. the world of cyber crime.

The threat that cyber crime poses to an event such as this is similar to that which exists for any other business but on a much larger scale and with more dramatic consequences due its high profile and the many threat vectors that exist.

The Cyber Threat Landscape

Some of the targets for cyber criminals are likely to be the following :-

1.The Official Rio 2016 Website

Distributed denial of service (DDoS) attacks preventing access to website by fans.

The accessing of the website by hackers, altering the data such as falsifying the results and interfering with medal tables.

Defacement of the website by a hacktivist.

Spectators and visitors will no doubt access the website over Wi-Fi, and they are exposed if they inadvertently connect through a rogue Wi-Fi access point, which could lead to the theft of their personal data.

2.Event Tickets

Ticket fraud with the setting up of bogus websites taking fans money and issuing counterfeit tickets.

Website scamming offering last minute match day tickets for the big events with no ticket actually being produced.

3.The Venues

Technology will be pivotal in all aspects of the running of the 37 venues being used in Rio 2016. Entry to the venues, ticketing processing, management of lighting and associated infrastructure would all be impacted in the event of a cyber attack.

4. Competitors Data 

The event will involve a huge amount of data, ranging from spectators' credit card data and athletes' confidential information to the organizers' databases, all of which are likely to be targeted by hackers. This could occur through phishing attacks to steal personally identifiable information (PII), leading to bank fraud against individuals. Brazil has an established reputation for on-line banking fraud.

5.E-mail Transmission

E-mail scams could use bogus e-mails to obtain athletes' and officials' personal information, which could then be disseminated over the internet. The endless sending and exchanging of e-mails also presents an opportunity for spamming.

6.Media Coverage

World wide coverage will be provided to this event by television companies who will be reliant on technology and the service could be interrupted or even blacked out by a hacker wishing to cause transmission downtime. For example a video re-run of the 200 m final could be disrupted by a ransomware attack.

7. Computer Network 

The spreading of a malware attack within the internal computer network and third party providers could cause enormous interruption to the running of the numerous events taking place. The reliance on technology reaches far and wide ranging from the transportation network to close circuit TV surveillance systems.

8. Mobile Applications 

Fake mobile apps devised by developers to give the impression of the official Olympics app. Smartphones are also at risk if stolen and the personal data on them extracted.

9.Cyber Terrorism

Cyber terrorism could occur in a number of forms. A ransomware attack would limit or entirely restrict the use of computer systems affecting the running of Rio 2016.

There may be political motivation from countries that want to disrupt the Olympics. This could be to make a political stand on an issue or perhaps a country that failed to win an event or perhaps a competitor that was disqualified and the country that was represented takes retaliation.

The threat of remotely controlled drones by cyber terrorist entering an event causing disruption and delay to matches.

10.Social Media

Infiltration by hackers of the tournament's social media accounts and of personal accounts poses a threat to the privacy of fans, players and officials.

Cyber Risk Management Program

The International Olympic Committee will no doubt have in place a comprehensive cyber risk management program to manage the programs of events which is likely to be broken down into the following :-

  • Identification of cyber risk vectors
  • The mitigation of cyber risk within the tournament
  • The transfer of residual cyber risks that they are unwilling or unable to manage.

Cyber Insurance

Cyber Insurance can assist with the transfer of cyber risks associated with sporting events by providing the following insurance modules :-

  • Network Security Liability
  • Data Privacy Liability
  • Multimedia Liability
  • Network Business Interruption
  • Data Asset Protection
  • Cyber Extortion
  • Crisis Management

A cyber insurance policy also provides post breach vendor assistance helping with data breach notification , forensic investigation and public relations.

Rio 2016 is global event that is reliant on technology which does make it especially vulnerable to cyber security threats, it is therefore important that these are recognized and measures are put in place to mitigate the potentially severe consequences that could impact on the games.

Image Credit: rvlsoft / Shutterstock.com

EU-US Privacy Shield – En Garde !

EU-US Privacy Shield

EU-US Privacy Shield will come into force on the 1st August and this now replaces the defunct Safe Harbour.

What has caused the delay?

Finally getting this over the line has been frustrating, as it met resistance from the Article 29 Working Party (the EU's data protection authorities), whose critical Opinion delayed the final agreement.

This has now been given approval by the Article 31 Committee on 8th July and on 12th July the European Commission issued an “implementing decision” which ratifies that the Privacy Shield will be adopted.

Despite criticism from certain quarters during the negotiation phase this does now provide some certainty on how businesses can legally transfer personal data between the EU and US.

The Background

In February we covered the announcement of the  hotly awaited replacement to the Safe Harbour in our post

EU-US Privacy Shield – Is data safe again?

The main obligations imposed on firms handling Europeans personal data are as follows:-

  • Individual Notification

Businesses must inform individuals of their rights under the EU-US Privacy Shield, with specific reference to how their particular data is processed.

  • Opt Out

Individuals can object to the disclosure of their personal data to third parties or for specific purposes.

  • Responsibility for movement of personal data

This should be limited and made clear for what purpose this is going to be utilised. The level of protection of the data in this process must be no lesser to that set out under the Privacy Shield.

  • Security Measures

These must be in place commensurate with the type and sensitivity of the data and how this will be processed.

  • Access to Data

This must be possible and if amendments are required to the data then this must be carried out promptly.

  • Data Integrity

Data must be limited to what is relevant to its end use, and must be kept up to date and accurate in all respects.

  • Consequences of non adherence

Processes to be put in place to ensure that compliance is achieved and a system of redress with options for legal remedies.

A copy of the Framework Principles as issued by the US Department of Commerce is available at the link below

EU-US Privacy Shield Framework Principles

What will the impact of Brexit?

This is going to be one of the many issues that will need to be negotiated with the U.K. leaving the EU. The protection of personal data is a foremost consideration all around the world today and this geographical location is no exception.

Would the UK now need to negotiate a separate Privacy Shield with the US – will we therefore see a US-UK Privacy Shield?

How does this interact with the General Data Protection Regulation, which comes into force on 25th May 2018? The UK will need to implement equivalent data protection rules when dealing with the EU and the personal data of individuals within the member states. Data from the EU may also flow via the UK to the US, which is a further dilemma that will need to be addressed.

Can Cyber Insurance Help?

This form of policy provides protection for loss of personal data in scenarios such as a hacker attack, the inadvertent loss of data by an employee or the destruction of data by a malicious act. The post-breach response vendors provided by insurers are also a significant benefit to businesses.

Cyber insurance can therefore play a role in mitigating the impact of a data loss irrespective of the changing legal landscape.

The underlying message to businesses is that they must have heightened awareness and be very much “En Garde” as to the dynamic changes in how data is processed and protected and the pitfalls of non-compliance.