U.S. businesses focused on addressing crisis management in the event of an on-premise terrorist attack may be leaving their information systems vulnerable to a cyber attack.
According to The Global Risks Report 2016, compiled through a strategic partnership between Marsh & McLennan Cos. and Zurich Insurance Group, cyber attacks are expected to be the top tech risk most likely to occur in the U.S. Meanwhile, the World Economic Forum’s “2016 Global Risk Report” identifies terrorism as one of the top three risk concerns for companies doing business here.
Defining what constitutes cyber terrorism can be difficult, said Matthew McCabe, senior vice president of Marsh’s Cyber Practice, who spoke during a recent New Reality of Risk webcast on managing terrorism risk hosted by Marsh.
“Under U.S. law, generally speaking, there are three major elements to a terrorist’s act. First, it’s an act that is violent or potentially jeopardizes human life. Second, the act will violate criminal law in the United States…And third, the act is motivated by some ideological basis,” McCabe said.
He explained that a hacker from Kosovo was charged with accessing personal information of more than a thousand U.S. service members and federal employees and releasing the information to a terrorist group.
“The Justice Department confirmed that this was the first case in which a hacker has been prosecuted in the U.S. on terrorism charges. Physical consequence is not a prerequisite for an act of terrorism,” McCabe said.
Disruption of a computer system is enough to constitute cyber terrorism, according to some cyber insurance policies.
“If you look for the definition of cyber terrorism under a cyber insurance policy, the standard changes significantly. Instead of a violent or potentially life-threatening act, cyber policy generally applies to disruptive activities against a computer system,” McCabe said.
“That is a much broader standard. Acts that might fall into the definition of cyber terrorism under an insurance policy may not meet the federal definition of terrorism.”
He provided the example of the Syrian Electronic Army (SEA), which identified itself as a nonaffiliated group of computer hackers who want to attack and support Syria’s current leadership. McCabe said they have denied any relationship with the Syrian government, preferring to identify themselves as just a group of hackers.
“The SEA has been known to deface websites and media outlets in the U.S., U.K., France and elsewhere. Often this type of attack is referred to as the hacking of a network, which is an underlying crime, but it’s not violent or deadly in its purpose,” McCabe explained.
It’s unlikely that this type of attack would qualify as terrorism under federal law, but it could qualify as cyber terrorism under an insurance policy, he said.
Cyber War vs. Cyber Terrorism
“I would say right out of the box that cyber war is proving more difficult to define than cyber terrorism,” McCabe explained. “Right now, there’s proposed legislation in the Senate that would require the Department of Defense to provide a definition of cyber warfare. Under the law…acts of war or hostile activities typically require certain characteristics. One, the actor would be a foreign sovereign nation, or at least exhibit characteristics of a sovereign nation. Two, there should be a degree of severity to it and, perhaps as a rule of thumb, the act should be severe enough that it could require kinetic response of traditional warfare.”
McCabe explained that not all war exclusions are created equally. He suggested businesses should be particularly vigilant for language that would apply the exclusion to any act of a foreign nation state.
“‘We know that there are nation states already involved in cyber attacks against private companies,’ and other broad language,” McCabe said.
According to McCabe, the bottom line is that “cyber terrorism causes and cyber insurance policies are meant to clarify that a broad range of events will be covered regardless of motive or ideological purpose. A motive on why a hacker targeted a company should be completely irrelevant to your coverage. The more crucial point for insurers is the…application of the war exclusion should depend on who conducted the attack and the severity of the attack. Potentially, a cyber terrorism cause can be used to narrow that exclusion.”
Protecting Against Cyber Terrorism
According to McCabe, companies can remain cyber-resilient by utilizing catastrophic scenarios.
“Planning should include anticipating the effects or response for an enterprise event where a network is disabled,” McCabe said. “This may also include a systemic event that more broadly targets critical infrastructure.”
Questions to ask include:
- Have the most vital cyber assets been identified, and is there a higher level of protection for those assets?
- Does your organization have relationships within its sector and also with federal authorities to share information on cyber threats so that malicious activity can be detected more quickly?
- Is there a cyber incident response plan in place, and has that response plan been practiced?
- Does your incident response planning account for supply-chain risk that might result from the failure of a vendor or a critical infrastructure?
- How resilient is your company to a cyber attack? If you lose your network to a cyber attack, have redundancies been built in? Do you have an expected recovery period for bringing your systems back online?
- Has insurance, in terms of limits and retention and coverage of terms and conditions, been reviewed?
- If the organization’s most important cyber assets have been compromised, what is the effect on core operations and the financial impact?
In addition, McCabe suggested businesses explore the value of a Support Anti-Terrorism by Fostering Effective Technologies Act (SAFETY) certification. He said the SAFETY Act allows companies to submit to the Department of Homeland Security (DHS) products and services designed for security purposes.
“DHS assesses the effectiveness of the technologies and designates SAFETY Act protections to successful applicants. Designations under the SAFETY Act will limit the legal damages resulting from a potential terrorist event, thereby shielding the approved organization from greater liability,” McCabe said.
Modeling Cyber Terrorism
One method for modeling catastrophic risk is by security, according to McCabe, which relies on a simple equation:
risk = your vulnerabilities x your threats x your consequences
He said that calculating risk begins with identifying a company’s most valuable cyber assets. They may be owned by the organization or provided by a vendor. Next, he said, an organization should assess vulnerabilities to critical assets.
“This is the impetus behind the development of the next cybersecurity framework pursuant to a presidential order,” McCabe said.
Organizations should be aware of the potential threats against those assets and share that information, he said.
“Last year, this need for greater information-sharing on cyber threats spurred Congress and the White House to collaborate on federal legislation designed to promote the sharing of cyber-threat indicators,” McCabe said. “The overall consensus is that cyber as a pervasive and escalating risk will not be solved within our lifetime. Bad actors are not only increasing in sophistication, but there is a dangerous trend that bad actors can fight their capabilities on the black market often referred to as the Dark Web.”
According to Charlene Chia, a senior risk consultant with AIR Worldwide, the risk modeling firm is developing a cyber model for release in 2018. Currently, the firm has a set of cyber deterministic scenarios that are available for companies that wish to get a handle on their cyber risk right away.
“This is actually free to download from our website. Up to this point, our focus has been on traditional cyber risk such as data fast blackout and denial of cyber attacks,” explained Chia. “This primarily results in financial losses or business interruption. If cyber terrorism were treated in the same way as traditional terrorism, then it would include cyber attacks such as attacks that cause physical property damage…the disruption of infrastructure such as a large power grid, monetary systems as well as dams.”
Chia agreed that it is a difficult peril to model because there haven’t been many cyber terrorist attacks in the U.S. to date.