Ammunition in the Battle against Cybercrime

Q (gtnews): While cybercrime has been on the corporate risk agenda for some years, it appears to have steadily risen to the top. Just how big has the problem become internationally and which regions have been hit the hardest?

A (Paul Bantick):
Beazley works with a firm called CSID, a leading provider of identity and fraud detection solutions and technologies, which monitors the ‘dark web’ to assess the quantity of compromised customer and employee ‘credentials’ – personal data that has been stolen and offered for sale by hackers and criminals. Its statistics make alarming reading. In the past 12 months they found more than 74m records, including credit card information, social security details, medical records, email addresses, bank account numbers and drivers’ licenses, and the problem of harvested data is increasing year-on-year.

In 2013, which information protection specialist named ‘the year of the mega breach’, it estimated more than 552m identities were exposed. So the scale of the problem is immense, and not restricted to any one region. However, in the US there are strict notification regulations for data breaches in most states that have resulted in greater awareness of the problem. Our message to any firm which holds personally identifiable customer or employee data is to be prepared, as it is no longer a case of ‘if’ but ‘when’ a data breach will happen.

Reports suggest that the problem has been intensified by the reluctance of many companies to admit they have been the target of a cyber-attack. Does experience bear this theory out and, if so, are victims becoming more willing to share their experiences?

In the US most states have laws that force a company to notify impacted customers or employees of any data breach, no matter how big or small. This is currently not the case in the UK and Europe, but the European Union (EU) is proposing new data privacy laws that will force similar notification requirements. They will impose breach notification requirements and heavily fine any company found not to be effectively protecting personal data. Other countries are planning on introducing similar data privacy laws, so the legal pressure is building across the world on firms to better protect customer and employee data.

In terms of victims wanting to share their experiences, this tends not to happen. However, you only have to read the newspapers to realise that major hacks of high street retailers and international companies are becoming a regular occurrence, and to see the knock-on impact on their share price, brand reputation and consumer confidence if the breach is not handled appropriately. In our experience as an insurer, having a data breach isn’t always a disaster but mishandling it is.

Cyber criminals obviously employ a variety of techniques, but which ones do they most often use against businesses?

I am not an expert in hacking techniques, but there is a vast range of ways in which cyber criminals get through company firewalls and steal personally identifiable information. Unfortunately any security measures tend to be reactive, which means that the criminals are always one step ahead. However, firms also need to be aware that their data is not just at risk from criminals, as careless mistakes and human error are a major cause of data breaches too.

Cyber-attacks against retailers frequently make the headlines. Which other sectors have proved particularly vulnerable and have any security initiatives been launched in response?

In addition to retailers, the industry sectors that are most at risk of falling victim to a significant data breach or cyberattack are: financial institutions, educational establishments, hospitality companies, healthcare and utility companies. However, this is not an exclusive list, and any firm that keeps personal data on employees and customers – either on its own or outsourced systems – potentially is at risk of becoming a victim of a cyberattack.

There are a number of IT firewalls and security measures used by companies, but our advice is to ensure that an attack is planned for, and robust risk management plans that are regularly tested are put in place. These plans should include any supplier or a partner company that holds data or has links to a company’s IT system.

In addition, we recommend that companies take out specific data breach insurance, which provides more than just a cheque at the time of a claim. This is a new service-driven form of insurance, which provides insureds with access to a pre-approved panel of experts from legal, IT forensic, client communication and credit monitoring and crisis PR, who are made immediately available to the client in the instance of a breach. This ‘hands-on’ assistance is invaluable as companies that handle a breach swiftly and professionally, in line with their legal requirements, and offer their customers immediate help and assistance, are the ones that are likely to emerge from the incident unscathed.

Could you briefly outline what policies the insurance industry has launched for companies that seek protection against the cost of cybercrime?

There are a number of policies available that cover a range of first or third party losses or a combination of the two. Some are more traditional in their approach and provide financial assistance at the point of a claim. Others, like those mentioned above, provide a new service-driven approach which provides access to a pre-approved panel of experts who can assist the company in dealing with the various elements of a breach.

For bigger firms with in-house risk management teams the traditional options work well. However, for those without the luxury of dedicated in-house risk management expertise, the management time required to identify and fix a breach can prove overwhelming and the service-based insurance option is ideal for them. The wording of policies can also vary and it is important that clients use a broker with the relevant experience to help advise them on the cover they require, and ensure access to the leading insurers in this class of insurance.

Why and how should treasurers, CFOs and other financial professionals get involved in the war against cybercrime?

By ensuring that they take the risk of cybercrime seriously, and are prepared for a data breach by having comprehensive, well-documented and rehearsed risk management plans in place.

Are there any new trends developing – both from the threat posed by cybercrime and the response to it? What main developments do you anticipate over the next five years?

The risk of cybercrime is only likely to grow, in line with the increasing use of online retailing and our reliance on technology. When proposed European Union (EU) data privacy legislation comes into force, it is likely to drive demand for data breach/cyber liability insurance from companies across the EU.

There is also a need to better understand the cross-border nature of data breaches, and the ability to respond to this risk. For example, a retailer might outsource its data management to a company based elsewhere in the world, and at the same time suppliers also often have access to retailer systems – so the risks are numerous and geographically diverse. Hackers too can be based anywhere. For example, in February 2013, a hacking group based in the Ukraine harvested a few million credit card details and then put them on a file share site and announced it on Twitter!

Customer passwords are also a major risk, as most customers use poor password protocols and this puts them at greater risk of being hacked. Often companies are blamed by customers when their accounts are compromised, but often it is down to poor online practice – such as using the same password across multiple online accounts, or using obvious passwords such as birthdays. So there is a need to educate both companies and their customers on how to take even basic measures to try and protect their data online.

In short, data is valuable and data risk omnipresent – so be prepared!

