“The recent hack against Sony over its comical film about North Korean dictator Kim Jong-un has been a disaster,” said McGowan in his address at the International Underwriting Association’s (IUA) meeting in the City of London on 16 January.
Thousands of confidential files, marketing plans and other valuable material were leaked, causing financial and reputational damage to the company. It is the latest in a long line of data breaches, with the former employee of the UK communications spying agency citing US financial giant JP Morgan Chase and retailers eBay, Home Depot and Target among other recent corporate victims. As McGowan noted, “the latter two respectively had 53m and 70m customers adversely affected and the attack cost Target hundreds of millions of dollars.”
This came in the week when US Central Command’s Twitter account was hacked by jihadists and the UK and US governments indicated how seriously they take the cyber-threat by announcing ‘war game’ hack attacks on each other as part of a new joint defence exercise against online criminals.
Data breaches are the primary corporate concern and there is a developed insurance market for them, particularly in the US, explained IUA chair Paul Skinner, a senior technology underwriter with Chubb Insurance. It’s a market that is now being copied elsewhere in the world.
Standalone or packaged cyber-insurance products from IUA members and others are also now emerging. They are designed to protect against regulatory fines, reputational damage and loss of business due to distributed denial-of-service (DDoS) ransom attacks or other cyber threats, and sometimes offer recovery assistance too. These can mitigate the financial consequences of an attack if deployed by corporate treasurers and other risk professionals.
Additional threat vectors outlined by the IUA’s star speaker, McGowan, range from hacktivists such as Anonymous, which famously targeted Visa when it stopped taking WikiLeaks payments, to banking fraud and mobile/social media malware; Trojans such as Zeus; ID theft; rootkit attacks, such as the Stuxnet hack that downed the centrifuges in Iran’s nuclear programme; cloud computing storage issues; and botnets.
“The world’s largest cloud user isn’t Microsoft, Google or Amazon. It’s the ringleaders of the Conficker botnet with more than 4.6m infected computers under their control through the cloud,” said McGowan. “Personally, I don’t store all my data in the cloud.”
He also advises his corporate clients (McGowan is now a consultant with security consultancy Optimal Risk) to avoid open WiFi with no passwords and so forth. “For instance, do we have a UP24 Bluetooth user in the room?” he asked the 200-strong audience of finance professionals at the IUA London meeting. “Well, I’ve just taken over your phone via an open Bluetooth link.”
Assessing The Cyber-threat
UK Cabinet Office minister, Francis Maude, has stated that “93% of large corporations and 76% of small businesses have reported a cyber-breach” and the World Economic Forum (WEF) 2015 Global Risks report once again includes cyber-attacks in its top 10 risks facing the global economy this year.
Lost data and DDoS attacks are the prime corporate concerns for McGowan. He highlighted the scale of the problem by pointing to his latest ‘Cyber Secure’ research with the London Chamber of Commerce and Industry (LCCI), published late last year, which showed that:
- £1 in every £5 in the UK is now made through the internet economy.
- Cyber-crime costs UK business an estimated £21bn a year.
- Fifty-four per cent of London businesses have been a victim of cyber-crime in the past 12 months.
- Survey responses show the main barriers to improved protection are the perceived high cost of cyber-security measures (34%), which may be alleviated by insurance, and a lack of awareness about cyber threats (30%).
Source: LCCI Cyber Secure – Making London business safe against online crime (2014 report).
“London is a growing technology hub – with firms congregating at its so-called ‘tech roundabout’ in East London – so it is an increasingly high profile target for cyber-criminals,” said McGowan.
Turning next to what future threats he thinks corporates and governments should look out for, McGowan advised IUA seminar attendees to guard against advanced persistent threats (APTs), which blend a number of the attack vectors already mentioned.
“APT is the next generation threat where multiple online attacks are launched simultaneously against you,” he said, before highlighting his concerns about the ‘dark web’. This does not use browsers and was illustrated by The Silk Road website dealing in drugs, guns and other criminal activity and IS terrorist funding websites.
The so-called ‘internet of things’, whereby more and more devices, from your fridge to your pacemaker or building management system, are connected to the web, was also identified as a future threat. “If your car manufacture is done by robots, for instance, and you lost control over that due to a rootkit attack such as Stuxnet, then it could do real damage to your firm,” McGowan said.
The cyber-security threats out there in the corporeal and virtual worlds are growing. Senior managers, finance and risk professionals would be well advised to insure themselves as much as is possible against malicious attacks against their customers, themselves and their supply chain by releasing budget for good staff training, access controls, security procedures and – if need be – insurance, recovery and risk mitigation products.
2015 is likely to see numerous hack attacks against firms and national infrastructure, just as last year did, so ignoring the threat in our increasingly digitalised world is no longer an option.