Interview with a Risk Manager: Why the concern about cyber risk?

A Q&A with Emily Cummins, Risk Manager and Chair of the Technology Advisory Council (TAC) of the Risk and Insurance Management Society (RIMS)
Though it may have only captured the public’s attention recently, cyber risk has been an emerging risk management concern for decades. To find out more about what keeps risk managers up at night, I spoke to Emily Cummins, CPA, CPCU, ARM, ARe, risk manager and current chair of the Technology Advisory Council (TAC) of the Risk and Insurance Management Society (RIMS), which has chosen cyber risk as an area of focus for 2012.

“Cyber risk” includes both first-party liability (business interruption; crisis costs) and third-party liability (privacy class action; IP infringements). As a risk manager, what are some of your concerns?
What we see as “cyber risk” is probably only the tip of the iceberg. We are always concerned about the capture of confidential data including PII, PHI and financial information, no matter the cause of the loss or breach (hactivists; malware; rogue employees; or mistakes). For the risk manager, the regulatory burden increases all the time. For example, as of a few months ago, publicly traded companies must now disclose any cybercrime incident that has a financial impact on the company. . Above all, risk managers want to protect customers and members, both ethically and legally. There’s a lot at stake and that’s why it’s critical to have a loss-control plan in place.

Can you speak to any specific threat or risk exposure that’s more of an ongoing or emerging concern? I’m thinking, for instance, of third-party partner and SP mishaps; lack of budgets for IT security; hackers accessing corporate databases; the loss of laptops; and new state or federal regulations such as California’s Song-Beverly Consumer Protection Act that create duties and legal liability.
All of the above are concerns. But in addition, it’s worth pointing out that multichannel retailing is a risky area. On the RIMS TAC, we try to educate members,. Many institutions think they might not have an exposure, but any organization that runs a virtual shop or a retail website, offers smart phone apps or mail order or has any other channels to market products, is carrying more risk. I’d also say in general that social media presents us with great opportunities along with more risks, as does the fact that as a society we have become more dependent on virtual devices.

Can you tell me about the RIMS TAC group?
The RIMS TAC group includes volunteers—risk managers as well as industry partners— and we hope to deliver value in thought leadership. I have been involved in RIMS for six years. As risk managers, we are always looking for good information and we support the NetDiligence® Cyber Liability & Data Breach Insurance Claims study as a valuable resource.

Is there anything else a peer risk manager just beginning to delve into cyber risk issues might want to hear from a pro?
It’s all about education, seeking out resources, taking a holistic view, developing teamwork among departments. Cyber risk is a component of enterprise risk management and it encompasses multiple silos. Part of managing that is breaking down silos and building up partnerships.

In conclusion …
For a CFO or risk manager just starting to study their own cyber risk exposures, one of the best things to do is sit down with the IT team and have a straightforward discussion about safeguards, detailing where the IT staff feels they have reasonable security and privacy practices in place—and where might they have some known weakness. It’s also important to include in this conversation any third-party service providers or contractors who might touch the network or data in any manner as often they are the cause of data breach incidents. In closing, here are a few questions to get the conversation going:

  • Has our organization ever experienced a data breach or system attack event?
    Some studies have shown that 80-100% of executives admit to a recent breach incident—each year.
  • Does our organization collect, store or transact any personal, or financial or health data?
  • Do we outsource any part of computer network operations to a third-party service provider?
    Your security is only as good as their practices and you are still responsible to your customers.
  • Do we use outside contractors to manage our data or network in any way?
    The contractor, service provider or business partner is often the responsible party for data breach events.
  • Do we share data with partners, or do we handle a partner’s data?
    You may be liable for a future breach of their network and business partners often require cyber risk insurance as part of their requirements.
  • Does our posted Privacy Policy actually align with our internal data management and sharing practices?
    If not, you may be facing a deceptive trade practice allegation.
  • Has our organization had a recent cyber risk assessment of security/privacy practices to ensure that they are reasonable and prudent and measure up to our peers?
    Doing nothing is a plaintiff lawyer’s dream. It is vital for the risk manager to know if the company’s practices are reasonable and in line both with peers’ practices and the many regulations concerning data safety.

 

What’s Happening in the World of Data Breach Litigation?

A Q&A with Sasha Romanksy, Ph.D. Candidate, Carnegie Mellon University
For organizations dealing with a data breach, legal liability is one of the first questions that arises. But are some data breaches more likely to result in lawsuits than others? Sasha Romanosky, a Ph.D. candidate at the Heinz College of Information Systems and Public Policy at Carnegie Mellon University, studies the legal and economic issues around data security and consumer privacy. In a recent study he coauthored, “Empirical Analysis of Data Breach Litigation,” he found that breaches resulting from the unauthorized disclosure or disposal of personal information are 6.9% more likely to result in lawsuit, relative to breaches caused by lost or stolen hardware, whereas breaches caused by cyber-attack are only 2.9% more likely to result in lawsuit. We spoke with him about his findings.

Can you explain the importance of your study for a risk manager or an Insurer?
Basically, we were looking at what kind of breaches are being litigated and what kind of variables are strong predictors of lawsuits. The second question is what are the variables and conditions that make a plaintiff more likely to win? This information can help risk managers and insurers have a better sense of how to protect themselves and for assessing and pricing cyber insurance policies.

What were the biggest takeaways from the study?
Very simply it seemed that only 4 percent of reported breaches are being litigated at the federal level—we make a distinction between the federal and the state level. We also found a huge variation in the causes of action, which included unfair business practices, negligence, breach of contract, breach of duty, and various state and federal statutes. A new cause of action is the unauthorized disclosure of personal information.

What you can draw from all of this, it seems to me, is that attorneys are trying different approaches. If there is no evidence of financial loss, the case is usually dismissed. We found that those organizations that offered credit monitoring were 6 times less likely to be sued—those that didn’t were thought to have behaved carelessly. We also found that financial information as opposed to other personal information or medical information is more likely to lead to lawsuits. When individuals suffered financial harm the odds of a firm being sued in federal court were 3.5 times greater. As such, firms dealing in financial information should take more care not to disseminate it.

About half of the cases settle, which is a useful finding, and very often for a nominal fee for the named plaintiff. There can be a substantial award or lump sum for people who suffered identity theft to pay specifically for losses. Defendants settle 30 percent more often when plaintiffs allege financial loss from a data breach or when faced with a certified class action suit.

So far we can’t tell what other factors or characteristics might influence lawsuits and settlements. We need to do more research to find out if the prominence and size of the company, the presence of liability insurance coverage, jurisdiction of event, the timing or quality of notice to victims, and/or media coverage have an impact.

What else do you see on the horizon as far as trends in data breach litigation?
One thing we saw with the Sony breach is that after 30 people filed class action suits, the insurance company would not pay out the damages. In response, Sony changed their end user agreement license to prevent users from suing—instead they must now agree to arbitration. That might be something to keep an eye on going forward—it will be interesting to see if other companies do the same thing.

In conclusion…
This study conducted by Mr. Romanosky and his colleagues (see study) is a great step towards helping corporate insurance risk managers and cyber risk underwriters  better understand the reality of the class action litigation costs exposure that many organizations are facing. Lawsuits can be time consuming and very expensive. The 2011 NetDiligence® Cyber Claims Study found the average loss paid out by insurance carriers for a data breach event was $2.4 million, a good portion of that devoted to legal defense and indemnification. Moreover, we believe that emerging precedents from plaintiff-friendly cases might reduce the number of future cases dismissed for lack of damages, one of those being the RockYou lawsuit (see summary) which found that personally identifiable info has inherent value.

How to Prevent Mistake-Based Data Breaches

A Q&A with Spencer Snedecor, CEO of Palisade Systems
It’s a misconception that most data breach events and losses can be attributed to hackers—in fact, the large majority are caused by human error. Data Loss Prevention (DLP) solutions can help organizations reduce this type of risk exposure. I spoke to Spencer Snedecor, CEO of Palisade Systems, to find out more about DLP solutions.

What type of data leak mistakes do you see most often?
What we see most of all are people sending information out into the world as part of their daily business process—that includes sensitive personal healthcare data or personal identity information or credit card numbers. This is a case of “forgive me father: they know not what they do.” These are employees who are innocently going about their work as they do every day. All of us know now not to leave our mail in the post box or give our social security numbers to strangers but it’s amazing how people forget all of that sense of caution when they’re on a keyboard. They click send and end up emailing out a customer list. Really, the number one problem is ignorance.

What can an organization do if they would like to reduce the chances of personal information being mistakenly leaked, sent or even accessed by unauthorized staff?
Most organizations don’t know what they don’t know. First and foremost, the organization needs a common sense policy that talks at a high level about users and the sensible use of data, and the policy needs to be in line with current regulations. It goes unsaid but it’s usually not reinforced in offices: Not everyone in the organization should have access to the customer database. So it’s important not just to communicate that policy but to set up an expectation that you will enforce it. That’s where a DLP vendor like us can come in and help you monitor what’s going on, including internet access and traffic activity. We can alert you when social security numbers are flying around. In addition to offering people the ability to monitor internet usage, we can also help control access to certain websites that might reduce productivity or pose a security risk. Maybe you don’t want employees to be able to copy files to a flash drive or a DVD. We can monitor that, too. The software can also compile reports based on customer usage and provides “actionable intelligence” so you can continue to stay in front of mistake-based breaches.

In conclusion …
NetDiligence has seen many cases over the past decade in which the client sustained a privacy/data breach incident  due to an innocent mistake by some insider—for instance, a marketing person or service provider that accidentally sent out a mass email with thousands of clients’ PII in the body text. Mitigating this inevitable exposure is important. That is where a DLP solution can be a valuable loss control tool and part of your layered safeguard approach.

Another Malware Variant—Flame

A Q&A with Roger Thompson, Chief Emerging Threats Researcher, ICSA Labs
Every day brings new threats to data security, and in 2012, we’ve seen the rise of Flame malware, which attacks computers running Microsoft Windows and has been used for cyber espionage in Iran, Israel, Sudan, Syria, Lebanon, Saudi Arabia and Egypt. To find out more about Flame and its significance for corporate data security, we spoke to Roger Thompson, chief emerging threats researcher of ICSA Labs. For more information, see https://www.icsalabs.com/blogs/countries-rushing-cyber-weapons-first-stuxnet-now-advanced-iran-w32flame-flamer-or-skywiper.

What is Flame?
In the overall scheme of things, W32/Flame.a is a JARAT (Just Another Remote Access Trojan). In other words, in and of itself, it’s not all that special. A RAT (Remote Access Trojan), by definition, gives control of your computer to someone else. This means this other person can siphon off information, and extra programs whenever they want. This is nothing new, but it’s not something you want in your network. Ever. There are, however, two things that are especially alarming about it: 1) The first is where Flame is being discovered. Although it’s being detected in countries as diverse as Hungary, Egypt and Israel, the largest number of detections has been in Iran, which has experienced some high profile and impressive attacks, (Stuxnet and DuQu for example) in recent times. 2) The second issue is that no one knows how long it’s been there. Some antivirus companies are saying that they’ve been seeing traces of similar things for years. If this proves to be correct, this is quite alarming, because we have no way of knowing what it’s been doing for all this time.

How does Flame get inserted into corporate networks?
We have no idea at this point, but this is not really the issue. The issue is that it got in somehow, and was undetected for an unknown amount of time. The worst hack is the one you don’t know about.

What is the ultimate damage that can occur?
Pick a disaster, any disaster. Seriously, though, as I said earlier, a RAT can allow anything to be installed at any time, so anything is possible. If they’re in your system long enough they might know more about it than you do. We have seen water systems and other major industrial systems attacked. And given the breadth and the size of this malware, it could take six months or longer to reverse engineer it. However, it’s important not to overact—it’s not a direct threat to us at this time, but we should understand the potential implications of what could happen. At this time, the understanding is that Flame was a targeted attack against governments and not an attack against US corporations.

How can a company prevent or mitigate something like this?
Unfortunately the main way people defend against this sort of thing is with a scanner but every day, every antivirus software gets 60,000-70,000 unique malware viruses a day, so it can be difficult for the software to detect it. It turns out that there are only three ways to detect malware: The first is a signature scanner, which is what most of the world uses to detect malware. This works great if the malware is known, but misses everything new, until it gets an update. Unfortunately, the bad guys know this, and simply create new malware every day. They know that within a few days to a week, every signature scanner will have been updated, but they don’t care, because they’ll have created a new version by then.

The second way is integrity checking/whitelisting. This is where you know what your system looks like, and you only allow whitelisted applications to run. This works extremely well, but is not popular because it requires discipline on the part of the user/administrator, and requires a high degree of user knowledge when it comes time to install something new.

The third way is behavior monitoring. This is where you watch for malicious behavior. Simple examples would be something that modified another program, or something that installed itself so that it would survive a reboot.

The nice thing about behavior monitoring is that all modern antiviruses do it to one degree or another. The problem is that it’s generally regarded as a second string line of defense, behind various types of signature scanning.

In my opinion, it’s time for antivirus developers to begin focusing on behavior monitoring as the principal line of defense. When an attacker knows that he has only to bypass a signature scanner, it means he has only to come up with something new. In other words, any new bit of malware will probably bypass all the world’s scanners, for at least a few days to a week, or until they all catch up. If, however, every antivirus developer starts to focus on their behavior layer, an attacker is faced with trying to bypass multiple and different behavior strategies. Put another way, each antivirus developer will have their own set of rules and nuances for what constitutes malicious behavior, and this in turn will make the attacker’s job some orders of magnitude harder.

In conclusion …
Whether it’s Flame or Stuxnet or any other latest stealth malware variant wreaking havoc against corporate networks, the fact is that the threats continue to morph and evolve in a manner that allows them to go undetected by businesses (or governments), and defeat the traditional tools of cyber security past. We can expect to see this trend continue.

No more posts.