Cyber crime is one of the fastest growing areas of crime in the world. Modern-day criminals exploit the speed and convenience of the worldwide web to attack businesses on a global basis, producing losses that, according to a recent Symantec report, topped $388 billion in 2011. It is clear that in 2013 this is a risk that cannot be ignored.
Executive Summary: IT security is too important to be left to the IT department, especially at p/c insurance companies, which are entirely reliant on systems and data, says CFC Underwriting's Graeme Newman. He provides three glaring examples of actual data losses and systems breakdowns at major financial services firms.
Worth almost as much as the global drugs trade, cyber crime affects every industry and market sector. Deloitte's recent security survey (2012 Global Financial Services Industry Security Study, Breaking Barriers, published in September 2012) found that in 2012 almost 25 percent of financial services firms experienced some form of security breach. More importantly, 40 percent of the 46 insurance carriers interviewed for the survey had experienced one or more breaches in the previous 12 months.
Insurance companies are increasingly reliant on technology for their day-to-day operations. From back office processing and workflow automation through to front-end sales and extranets, without technology modern insurance carriers would rapidly grind to a halt. Businesses are also storing and sharing more data than ever before. We can carry the equivalent of over 800 filing cabinets' worth of data on a single portable USB stick, and email allows us to transfer enormous volumes of data around the world in mere seconds.
Data and systems are constantly at risk. Customer information, including names, addresses, social security numbers and dates of birth, is incredibly lucrative for cyber criminals, who can easily convert it into cash on underground trading exchanges. Customer lists, including premiums, expiration dates and coverage information, are all highly valuable to departing employees, who can easily conceal large volumes of confidential data in private email inboxes, hidden away from the prying eyes of corporate security. Disgruntled employees equipped with only a small amount of technical knowledge can bring a company to its knees by launching a denial-of-service attack against the servers at the heart of an organization's operations, or hold a company to ransom by threatening to reveal corporate secrets across global social media channels.
But in IT security terms all these threats can be distilled into three simple risks: loss of data confidentiality, loss of system availability, and loss of data and system integrity.
Loss of Data Confidentiality
In October 2012, Nationwide Mutual Insurance experienced a major loss of confidentiality when attackers broke into its internal networks and stole data belonging to approximately 1.1 million customers and potential customers, including names, addresses and social security numbers. The loss of this highly sensitive data, which can easily be used for identity theft, triggered statutory breach notification laws in 46 different states and multiple regulatory investigations.
Responding appropriately to data breaches can be exceptionally complex and expensive. A forensic investigation of the affected systems is usually required to establish both the source and the scale of the breach. Notification letters must be legally drafted so that they conform with each state's regulations; otherwise the company risks exposing itself to further losses through fines and potential civil liability. Although most state laws provide for substitute notice (an advertisement in statewide media), most victims choose to notify by physical post. When the cost of printing and posting is added to the cost of offering 12 months of credit monitoring to all affected individuals, the price tag can easily escalate to over $60 per record.
Breach notification requirements can even be triggered by something as simple as a lost laptop or USB stick containing personal information, which under certain laws can be as little as a name accompanied by an address. The most reliable protection against this expensive requirement is to encrypt all personal information, both on portable devices and on corporate networks: most state laws exempt encrypted data from notification, although the exemption generally applies only where the decryption key was not lost or exposed along with the data, so keys must be stored and managed separately from the devices they protect. With many legacy insurance management systems not supporting encryption, however, this essential form of protection is not always easy to implement.
Loss of System Availability
In an alarming demonstration of how even a routine software upgrade can give rise to a major loss of system availability, the systems of one of the UK's largest banks were taken offline for over four days in June 2012 when an IT upgrade went spectacularly wrong, with some media reports tracing the problem to an outsourced centre in India. Customers of NatWest Bank were unable to make or receive payments, access their accounts, pay bills, or even receive their paychecks. This caused major disruption across the entire UK banking system, resulting not only in a significant loss of revenue for the bank and potentially serious regulatory action, but also in a huge impact upon NatWest's brand and reputation.
By designing and regularly testing robust disaster recovery (DR) plans, it is possible to manage the risk to system availability. However, most systems as designed have at least one single point of failure. Even when a full DR site is located many miles from the primary site and fed with constant data updates, there is often a single point of weakness: a crucial third-party data link, a critical piece of routing equipment, or a long since forgotten piece of legacy kit. A DR site also offers no protection against a failure that is faithfully copied to it, which is exactly what a bad software upgrade does, so the NatWest example argues for staged rollouts and a tested rollback path alongside site redundancy. Identifying and eliminating single points of failure should be a top priority for all CTOs (chief technology officers). Duplicating infrastructure and resources, however, comes at a high cost.
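One way to make the hunt for single points of failure systematic is to model the estate as a graph of components and links, state which paths the business actually needs, and then remove each component and each link in turn to see which requirements break. The Python below is an added example written for this article; it is not code from the original piece or from CFC Underwriting, and the topology and requirements are constructed sample data rather than any real environment. It deliberately includes a pair of core switches that look redundant but are not, because the authentication server and the third-party WAN link hang off only one of them, the kind of forgotten dependency described above.

```python
from collections import deque

# Constructed example topology (invented sample data, not a real environment).
# Each component maps to the components it has a direct link to; links are
# undirected. "wan-link" stands for a third-party data link to the DR site.
TOPOLOGY = {
    "internet":    {"fw-a", "fw-b"},
    "fw-a":        {"internet", "core-a", "core-b"},
    "fw-b":        {"internet", "core-a", "core-b"},
    "core-a":      {"fw-a", "fw-b", "web-a", "web-b", "auth-server", "wan-link"},
    "core-b":      {"fw-a", "fw-b", "web-a", "web-b"},
    "web-a":       {"core-a", "core-b", "policy-db"},
    "web-b":       {"core-a", "core-b", "policy-db"},
    "auth-server": {"core-a"},
    "policy-db":   {"web-a", "web-b", "wan-link"},
    "wan-link":    {"core-a", "policy-db", "dr-site"},
    "dr-site":     {"wan-link"},
}

# What must stay true for the service to be available: at least one surviving
# component in `sources` must still be able to reach one in `targets`.
REQUIREMENTS = [
    ("customers reach a web server",    {"internet"},       {"web-a", "web-b"}),
    ("web tier reaches the policy DB",  {"web-a", "web-b"}, {"policy-db"}),
    ("web tier reaches authentication", {"web-a", "web-b"}, {"auth-server"}),
    ("policy DB replicates to DR",      {"policy-db"},      {"dr-site"}),
]


def reachable(topology, start, removed_nodes=frozenset(), removed_link=None):
    """Breadth-first search from `start` with the given failures applied."""
    if start in removed_nodes:
        return set()
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in topology[node]:
            if nxt in removed_nodes or nxt in seen:
                continue
            if removed_link and {node, nxt} == set(removed_link):
                continue  # this link has failed in the scenario under test
            seen.add(nxt)
            queue.append(nxt)
    return seen


def broken_requirements(topology, requirements, removed_nodes=frozenset(),
                        removed_link=None):
    """Names of the requirements that no longer hold under the given failure."""
    broken = []
    for name, sources, targets in requirements:
        live_targets = targets - removed_nodes
        holds = any(
            live_targets & reachable(topology, src, removed_nodes, removed_link)
            for src in sources - removed_nodes
        )
        if not holds:
            broken.append(name)
    return broken


def single_points_of_failure(topology, requirements, exclude=frozenset()):
    """Return ({component: broken reqs}, {link: broken reqs}) for every single
    component or link whose loss on its own breaks a requirement. Components in
    `exclude` (e.g. the Internet itself) are outside our control and skipped."""
    spof_nodes = {}
    for node in topology:
        if node in exclude:
            continue
        broken = broken_requirements(topology, requirements, frozenset({node}))
        if broken:
            spof_nodes[node] = broken

    spof_links = {}
    links = {tuple(sorted((a, b))) for a in topology for b in topology[a]}
    for link in sorted(links):
        broken = broken_requirements(topology, requirements, removed_link=link)
        if broken:
            spof_links[link] = broken
    return spof_nodes, spof_links


if __name__ == "__main__":
    nodes, links = single_points_of_failure(TOPOLOGY, REQUIREMENTS, {"internet"})
    for component, reqs in nodes.items():
        print(f"SPOF component {component}: breaks {', '.join(reqs)}")
    for (a, b), reqs in links.items():
        print(f"SPOF link {a} <-> {b}: breaks {', '.join(reqs)}")
```

Running it reports core-a as a single point of failure even though core-b exists, because only core-a carries the path to authentication; it also flags the WAN link and the DR site for replication, and the single auth-server and policy-db. The firewalls, core-b and the two web servers pass, as does the direct policy-db to wan-link cable, since replication can still route through the core. The same model can be re-run after every change to catch new dependencies before they become the next outage.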
Loss of Data and System Integrity
Although the world's media tends to focus on organized criminal gangs or high profile hacking groups, such as Anonymous, as the major perpetrators of these crimes, in reality the incidents caused by third parties are just the tip of the iceberg, and by far the biggest cyber threat any organization faces today is from its own employees. Why? Because humans make more errors than computers, and an employee with legitimate access needs no exploit to cause damage.
In a staggering display of what can go wrong when a system's integrity is compromised, in 2007 Moody's, a major credit rating agency, incorrectly awarded its top credit rating to $4 billion of risky debt because of a software bug in the company's mathematical models. Many investors were convinced that they could earn exceptional returns for very little risk, yet as a direct result of the software error some of them lost over 60 percent of their initial investment, according to a 2008 investigative report by the Financial Times (May 20, 2008, "Moody's error gave top ratings to debt products").
This situation is a clear reminder that small software bugs can have a dramatic effect when magnified by the speed and scale with which technology works in the modern world.
System integrity issues can only be managed by committing adequate resources to the design, development and testing processes. Ensuring that testing is built into every stage of the process is critical. However, mistakes will happen. Appropriate and responsible management policies and overall governance are critical to ensure that when they do, the impact on customers is minimized.
All too often, however, the responsibility for managing these business-critical risks is left to IT departments. IT security budgets are often reduced because they fail to deliver quantifiable business returns or a compelling fact-based return-on-investment model. Responsibility for technology risk management should be driven by the Board, and companies must increasingly view the new role of Chief Privacy Officer as integral to their day-to-day operations.
Although many different options are available to help manage these risks, it is impossible to eliminate them entirely. Hackers continue to find ways around new security technologies, and employees continue to find increasingly ridiculous ways to lose data. Many of the risks outlined so far are readily insurable, and at increasingly competitive rates. With over 50 markets now writing cyber insurance, it should come as little surprise that this is the fastest growing line of insurance in the United States.
Cyber insurance policies were originally designed to cater for the early dot-com companies. However, as the world becomes increasingly interconnected, insurance companies have expanded their products to cater for more traditional bricks-and-mortar companies. Although coverage varies widely across the market, most products now offer broad cover for privacy breach notification and liability, computer crime, data damage and restoration, systems business interruption, and extortion. Increasingly, innovative carriers are also looking to extend policies to provide real cover for the loss of brand value and reputation that may stem from a serious privacy breach or sustained systems outage.
With the potential risks from the use or misuse of technology being so large, it is perhaps surprising that fewer than 5 percent of companies actually choose to purchase standalone insurance for these perils. However, with recent SEC guidance requiring public companies to disclose cyber risks and any relevant insurance cover that is in place to protect against them, it is highly likely that in 2013 we will see this number increase significantly.
Insurance companies work in an industry that is entirely reliant upon systems and data. The threats against the technology that underpin these businesses are growing every day and simply cannot be ignored. IT security is too important to be left to the IT department.