Deep Fake – Do You Believe?

Deep Fake

Deep fakes are emerging as a prominent new cyber threat that businesses now face and need to put measures in place to counter.

What is Deep Fake?

A deep fake is synthetic media in which a person's face or voice in existing images, video or audio is replaced or manipulated using artificial intelligence. The technique relies on deep learning methods such as generative adversarial networks (GANs), and first emerged towards the end of 2017.

Video content has historically been very difficult to alter convincingly; artificial intelligence has made the process far easier and cheaper.

What are the typical threats?

  • Fabricating an emergency situation that is not real and causing panic.
  • Disrupting an election with fabricated statements attributed to candidates.
  • Making a false announcement to directors and shareholders.
  • A video or image of a director requesting a fraudulent transfer of funds.
  • Impersonating a partner in a way that damages a relationship.
  • A false video of a celebrity in compromising situations.

How are Deep Fakes detected?

Sophisticated deep fakes are difficult to detect, whereas more amateurish ones can be spotted quite easily by tell-tale signs such as a subject who never blinks, or shadows and lighting that do not match the scene.

Generators can also be trained against the very detectors used to spot them, so deep fakes are a cyber threat that is hard to combat.

Last week Google released a dataset of some 3,000 deep fake videos in which paid, consenting actors had their faces altered and were made to say things they never said. The purpose is to help researchers build the tools needed to detect and take down harmful fake videos that could cause distress to individuals and harm to businesses.  https://nakedsecurity.sophos.com/2019/09/27/google-made-thousands-of-deepfakes-to-aid-detection-efforts/
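As an added illustration of the blink heuristic mentioned above (example code written for this page, not from the original article or from Google's dataset work), the script below counts blinks in a per-frame eye aspect ratio (EAR) series and flags a clip whose blink rate is implausibly low. It assumes the EAR values have already been extracted by a facial landmark detector; here both series are constructed inline, and the thresholds are assumed working values rather than published figures.

```python
"""Blink-rate heuristic for spotting crude face-swap video.

Added example for this page; not code from the original article.
Assumes a per-frame eye aspect ratio (EAR) series has already been
extracted with a facial-landmark detector. Both series below are
constructed, and the thresholds are assumed working values.
"""
from dataclasses import dataclass
from typing import List, Sequence

# Heuristic parameters (assumed; tune against your own landmark detector).
EAR_CLOSED = 0.20          # EAR below this is treated as "eye closed"
MIN_CLOSED_FRAMES = 2      # a closure must last this many frames to count as a blink
MIN_BLINKS_PER_MIN = 6.0   # people blink roughly 15-20 times/min; far below that is suspicious


@dataclass
class BlinkReport:
    blinks: int
    duration_s: float
    blinks_per_min: float
    suspicious: bool


def count_blinks(ear: Sequence[float],
                 closed: float = EAR_CLOSED,
                 min_frames: int = MIN_CLOSED_FRAMES) -> int:
    """Count closed-eye runs of at least `min_frames` consecutive frames.

    Requiring a minimum run length filters single-frame dips caused by
    landmark jitter, which would otherwise inflate the blink count.
    """
    blinks = 0
    run = 0
    for value in ear:
        if value < closed:
            run += 1
        else:
            if run >= min_frames:
                blinks += 1
            run = 0
    if run >= min_frames:          # closure that lasts to the final frame
        blinks += 1
    return blinks


def analyse(ear: Sequence[float], fps: float) -> BlinkReport:
    """Score a clip: a blink rate well below normal is a red flag, not proof."""
    if fps <= 0 or not ear:
        raise ValueError("need a positive frame rate and a non-empty EAR series")
    duration_s = len(ear) / fps
    blinks = count_blinks(ear)
    bpm = blinks * 60.0 / duration_s
    return BlinkReport(blinks, duration_s, bpm, bpm < MIN_BLINKS_PER_MIN)


def synth_ear(n_frames: int, blink_starts: Sequence[int],
              open_ear: float = 0.30, closed_ear: float = 0.10,
              closed_len: int = 3) -> List[float]:
    """Construct an EAR series: eyes open, with short closures at the given frames."""
    ear = [open_ear] * n_frames
    for start in blink_starts:
        for i in range(start, min(start + closed_len, n_frames)):
            ear[i] = closed_ear
    return ear


FPS = 30
FRAMES = FPS * 60                                         # one minute of video
# Constructed "genuine" clip: a blink every 4 seconds (15/min).
REAL_CLIP = synth_ear(FRAMES, range(0, FRAMES, 4 * FPS))
# Constructed "crude fake": the swapped face blinks once in the whole minute.
FAKE_CLIP = synth_ear(FRAMES, [500])

if __name__ == "__main__":
    for name, clip in (("real", REAL_CLIP), ("fake", FAKE_CLIP)):
        r = analyse(clip, FPS)
        verdict = "SUSPICIOUS" if r.suspicious else "ok"
        print(f"{name}: {r.blinks} blinks in {r.duration_s:.0f}s "
              f"= {r.blinks_per_min:.1f}/min -> {verdict}")
```

Treat the output as a triage signal rather than a verdict: as the article notes, generators can be trained against detectors, and later face-swap models reproduce natural blinking, so this check only catches the crude cases.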

Well Known Deep Fakes

Deep fakes have been carried out on many famous individuals from Donald Trump to Tom Cruise and Theresa May.

Here are some examples:

https://www.creativebloq.com/features/deepfake-examples

The Future of Deep Fakes

Deep fakes will no doubt develop to a point where it is impossible to tell what is real from what is not. This is one race in which the attackers are so far ahead that it will be difficult to catch them.

Image : Shutterstock

Sign Of The GDPR Fines To Come…?

GDPR Fines

It was announced last week that the credit reference agency Equifax has been fined £500,000 by the Information Commissioner's Office (ICO) for failing to protect the personal data of up to 15 million UK citizens during the 2017 data breach, an incident that affected some 146 million people globally.

http://cyberbrokers.co.uk/equifax-the-anatomy-of-a-data-breach/

The long-awaited ICO report found that Equifax's UK arm had failed to take appropriate steps to ensure that the personal information of its data subjects was processed and protected properly.

https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/09/credit-reference-agency-equifax-fined-for-security-breach

The joint ICO and FCA investigation highlighted the following:

  • Data was retained for longer than necessary.
  • Inadequate measures were in place to manage personal information.
  • IT security fell short of the expected standard, making a compromise of data likely.
  • The US Department of Homeland Security had warned Equifax Inc about a critical vulnerability in March 2017, yet appropriate steps were not taken to fix it.
  • Customer data should have been treated with much greater care.

The investigation was carried out under the Data Protection Act 1998 rather than the General Data Protection Regulation (GDPR), which came into force on 25th May this year, because the breach pre-dated the GDPR. The £500,000 penalty is the maximum available under the 1998 Act.

Under the GDPR the ICO can impose fines of up to €20 million or 4% of a company's worldwide annual turnover, whichever is higher, so the consequences of this breach could have been far greater had it occurred after 25th May this year.

How the ICO will approach GDPR fines, and how severely it will penalise businesses responsible for data breaches, remains largely unknown while the new regime is untested; only time will tell. The Equifax fine does suggest that the ICO will treat such breaches very seriously and will want to demonstrate that the new legislation has "teeth".


Image : Shutterstock

Equifax …The Anatomy of a Data Breach

Data Breach

Equifax, one of the largest US credit reporting agencies, last week disclosed a massive data breach. Early indications are that it has affected as many as 143 million US consumers and has also impacted individuals in the UK and Canada. The incident has since been compounded by the discovery of a separate security lapse at Equifax's Argentine operation.

http://cyberbrokers.co.uk/cyber-news-2/

The Facts

The incident occurred between May and July this year and involved the compromise of social security numbers, birth dates, addresses and, in some cases, driving licence numbers. In addition, the attackers accessed around 209,000 credit card numbers and dispute documents containing personally identifiable information relating to a further 182,000 US consumers.

The credit reporting agency looks after the data of 44 million British consumers on behalf of clients such as British Gas, BT and Capital One, and it is understood that up to 400,000 UK individuals may have had their details compromised during the breach.

https://krebsonsecurity.com/2017/09/the-equifax-breach-what-you-should-know/

The Breach Response 

Forensic Investigation

Cyber security consultants have been appointed to carry out a forensic investigation to establish the scope of the intrusion and exactly what data was compromised. Action Fraud in the UK has also published guidance for UK citizens on what to do if they see fraudulent activity on their accounts following this breach.

Credit Monitoring

All affected consumers have been offered credit monitoring and identity theft protection free of charge.

Data Notification

In the US the average cost of a data breach is believed to be around $225 per compromised record; with as many as 143 million individuals affected, the financial implications are extremely high.

Cyber Insurance

It is understood that Equifax had cyber insurance in place, which will go some way towards mitigating the financial costs of the breach. Other insurance policies may also respond to this loss.

Notification to Regulatory Bodies

The attack has been reported to the relevant US law enforcement agencies, and the ICO in the UK has been alerted so that it can assess the implications for UK citizens.

The Consequences of the Breach

Impact on Share Price

It is too early to assess the full ramifications of the breach, but Equifax's shares dropped nearly 9% following the announcement, wiping around $3.5 billion off its market value.

Executives depart

A few days after the disclosure Equifax announced that its Chief Information Officer and Chief Security Officer would be leaving the business.

What went wrong ?

Equifax has said the attackers exploited a vulnerability in Apache Struts, a framework used to build Java web applications, on one of its US consumer-facing web portals. A patch for the flaw (CVE-2017-5638) had been available since March 2017, but it had not been applied to the affected system. The separate Argentine incident is reported to have involved an online employee portal that accepted "admin" as both the username and the password, which made it possible to gain access to customer records.
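The two failings described above, an available patch that was never applied and a default admin/admin login, are both things a routine inventory check can catch before an attacker does. The following is an added example written for this page, not Equifax's code or the article's: it checks a constructed list of hosts against the affected and fixed versions published in the Apache Struts S2-045 advisory for CVE-2017-5638, and against a small assumed list of default credential pairs. The host names, versions and credentials in the inventory are made up.

```python
"""Inventory check for the two failings behind the Equifax breach:
an unapplied patch and default administrative credentials.

Added example for this page; not Equifax's or the article's code.
The affected/fixed versions are those published in the Apache Struts
S2-045 advisory (CVE-2017-5638). The inventory and the default
credential list are constructed for illustration.
"""
import re
from typing import Dict, List, Optional, Sequence, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '2.5.10.1' into (2, 5, 10, 1); tuples compare correctly across lengths."""
    parts: List[int] = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:                     # stop at a non-numeric qualifier such as 'rc1'
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts)


# (first affected, last affected, fixed in) per release branch, from the S2-045 advisory.
STRUTS_S2_045 = [
    ("2.3.5", "2.3.31", "2.3.32"),
    ("2.5", "2.5.10", "2.5.10.1"),
]

# Constructed list of credential pairs that should never be accepted on an admin portal.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("administrator", "administrator"),
    ("root", "root"),
}


def fixed_version_for(version: str,
                      ranges: Sequence[Tuple[str, str, str]] = STRUTS_S2_045) -> Optional[str]:
    """Return the release that fixes `version`, or None if it is outside every affected range."""
    v = parse_version(version)
    for first, last, fixed in ranges:
        if parse_version(first) <= v <= parse_version(last):
            return fixed
    return None


def uses_default_credentials(username: str, password: str) -> bool:
    """Flag well-known defaults and any account whose password equals its username."""
    user = username.strip().lower()
    return (user, password) in DEFAULT_CREDENTIALS or user == password.lower()


def audit(inventory: Sequence[Dict]) -> List[Dict[str, str]]:
    """Produce one finding per failing; an empty list means nothing to report."""
    findings: List[Dict[str, str]] = []
    for item in inventory:
        fixed = fixed_version_for(item["version"])
        if fixed:
            findings.append({
                "host": item["host"],
                "issue": "unpatched",
                "detail": f"{item['component']} {item['version']} is affected; upgrade to {fixed}",
            })
        login = item.get("admin_login")
        if login and uses_default_credentials(*login):
            findings.append({
                "host": item["host"],
                "issue": "default-credentials",
                "detail": f"admin portal accepts '{login[0]}' / '{login[1]}'",
            })
    return findings


# Constructed inventory: host names, versions and credentials are made up.
INVENTORY = [
    {"host": "portal-1.example.test", "component": "struts2",
     "version": "2.3.31", "admin_login": ("admin", "admin")},
    {"host": "portal-2.example.test", "component": "struts2",
     "version": "2.5.10.1", "admin_login": ("ops", "S3cure-pass!")},
    {"host": "api.example.test", "component": "struts2",
     "version": "2.5.8", "admin_login": None},
]

if __name__ == "__main__":
    for f in audit(INVENTORY):
        print(f"{f['host']:24} {f['issue']:20} {f['detail']}")
```

The version comparison is deliberately tuple-based so that a four-component fix release such as 2.5.10.1 sorts above 2.5.10 and is correctly treated as patched; a naive string comparison would get this wrong. In a real estate the inventory would come from a software bill of materials or a configuration management database rather than a hand-written list.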

The Equifax Factor

The Equifax data breach should be a warning to UK businesses that they need appropriate procedures in place to manage the data they hold ahead of the GDPR coming into force on 25th May 2018. Should such a breach occur once the GDPR is in force, UK citizens will be able to rely on the protections of the new legislation.


The Basics of a Cyber Insurance Policy

Cyber Insurance Policy

What are the basics of a Cyber Insurance Policy?

This specialist form of policy provides cover for a business's internet-based risks and data-related exposures.

It consists of third party and first party sections. Insurers follow a modular format and the breadth of cover varies from insurer to insurer, so it is important to obtain the appropriate cover once your cyber risks have been identified.

Cyber insurance should not be considered in isolation; it should form part of a business's wider cyber risk management programme.

The Basics of a Cyber Insurance Policy:-

1. Third Party Section

Network Security Liability

This provides cover for a business's liability to a third party arising from the destruction of that third party's electronic data. It also encompasses the inadvertent transmission of a computer virus to a third party.

Data Privacy Liability

This covers liability to third parties arising from the unauthorised disclosure of personally identifiable information or confidential corporate information.

Multimedia Liability

Your liability arising from content on your website, such as a defamatory comment, infringement of copyright or invasion of privacy.

2. First Party Section

Network Business Interruption

This covers the interruption or suspension of your computer systems as a result of a network security breach or a network failure, the latter of which may not be included automatically. Insurers will reimburse the business's resulting loss and any expenses incurred to mitigate it.

Data Asset Protection

This provides cover for the corruption or destruction of your data and computer systems; the loss covered is the cost of replacing and restoring them.

Cyber Extortion

Cover for a threat against your computer network where a ransom has been demanded, including negotiation costs.

Crisis Management

Costs associated with responding to a data breach, including forensic costs, credit monitoring, call centre costs and public relations costs.

Vendors

In addition to the policy cover, it is important that the insurer can provide "vendors" who will manage a data breach; as a minimum this should include a firm of solicitors, a forensic investigation company and a crisis response team.

Possible extensions to a Cyber Insurance Policy:-

Certain extensions are generally available for an additional premium, such as cover for network interruption caused by an outsourced service provider, or where that outsourced service provider has suffered a system failure that impacts the business.

Further extensions can include cover where a cloud service failure affects the business, and a criminal reward fund that pays a reward for information leading to the successful conviction of a hacker.

The Policy Limit 

The policy will be written on an "aggregate" basis, i.e. the total paid for all claims made in any one policy year will not exceed the annual aggregate limit.

The Policy Excess 

Insurers will impose a self-insured excess, which is the first part of any claim that the policyholder must pay.

The business interruption module will also be subject to a separate excess, normally expressed as a number of hours of downtime. This section is also subject to an indemnity period, which is the maximum period for which the policy will provide cover under this module.

Does a Professional Indemnity policy provide coverage for Cyber Liability?

Professional indemnity policies have developed in recent years to provide a broad basis of cover known as "civil liability". It is generally accepted that this type of policy provides elements of cover that would fall within the third party section of a cyber liability policy, recognised as the following:

  • Breach of privacy of third parties' personal data or confidential corporate information as a result of a compromise of a computer system.
  • Defamatory comments placed on your website as a result of unauthorised access to your computer systems by a hacker.
  • Inadvertent transmission by an employee of a computer virus, logic bomb, worm or Trojan horse that causes damage or loss to third parties' computer systems.

Professional indemnity insuring clauses are tied to claims arising out of the professional business of the firm, whereas cyber liability requires a wider policy trigger, such as losses caused by unauthorised access to the firm's computer systems.

Cyber Liability Extensions 

A number of professional indemnity insurers will provide cyber-related extensions, such as hacker damage or cyber extortion, but these normally carry only small sub-limits of the main policy limit. One point to bear in mind: if cyber extensions are added to a professional indemnity policy written on an aggregate basis, any cyber claims will erode the overall aggregate policy limit.

Limitations

Exclusions that may limit the extent of cyber cover under a professional indemnity policy include the deliberate acts and terrorism exclusions.

Not a substitute

Cyber liability cover under a professional indemnity policy should not be seen as a substitute for a stand-alone cyber insurance policy, and it is important to seek proper advice from an insurance broker as to whether you need to purchase a cyber insurance policy.