Pay Now or Pay Later

Small and midsize businesses are in the cyber crime bullseye.

The majority of all cyber attacks happen to small and midsize businesses (SMBs, with revenues up to $1 billion), according to a 2018 Vistage report by Cisco and the National Center for the Middle Market.

Debunking the myth that cyber attacks usually hit large companies, the report calls SMBs “soft targets,” reasoning that these companies have valuable data but lack effective cyber-security controls and trained cyber-security personnel. 

SMBs are also good targets for ransomware because they are more likely to pay ransoms since they have not invested in offsite backups or developed and tested backup and recovery plans, which would allow them to simply restore their systems. 

Ponemon’s 2018 report on SMB cyber security analyzed companies in the United States and United Kingdom with the number of employees ranging from less than 100 to 1,000. The report found 67% of the respondents had suffered a cyber incident in the past year and 70% had paid ransoms. In general, SMBs do not know how to address cyber security, or they are overwhelmed by the requirements and financial resources needed to establish a full enterprise security program. When asked what kept them from having an effective IT security posture, 47% of the Ponemon respondents said they had no understanding of how to protect against cyber attacks, 74% cited insufficient personnel, and 55% said they had insufficient financial resources. 

Why are SMBs in this position? Many typically struggle with expanding their IT capabilities to keep pace with growth. Small businesses often begin with an outside consultant who periodically comes in and resolves issues or sets up a new capability. As they grow, they may expand IT capabilities by hiring a small internal IT team and using cloud services, software-as-a-service enterprise applications, and business process outsourcing (BPO) vendors. Thus, the “IT team” may be a mix of internal and external personnel, which increases complexity in cyber risk management, especially incident response. 

In fact, a 2018 report by the National Center for the Middle Market reported that the IT department is responsible for cyber security in 61% of SMBs. And the 2018 Vistage report found that 67% of SMBs use an external partner to manage cyber security. 

The unwillingness of SMB CEOs and CFOs to invest in dedicated personnel and enterprise cyber-security programs makes little sense when one considers the cost of cyber attacks. The Ponemon report calculated the average cost per attack due to compromise of employees’ passwords was $383,365, the average cost of recovery from damage or theft of IT assets was $1.43 million, and the average cost from disruption of operations was $1.56 million. Since 2017, the cost per incident from damage or theft of IT assets had increased 33%, and the cost of disruption to operations had increased 25%. 

The Ponemon report found that companies that claimed to be effective at mitigating cyber risks and attacks have significantly lower costs related to cyber incidents than other SMB respondents. In fact, the difference in one incident is enough to pay for a strong cyber-security program consistent with best practices and standards. 

The table below illustrates that companies with effective cyber-security programs had an average cost from disruption of operations of $1.06 million—about $500,000 less than other SMBs. Their cost from damage or theft of IT assets or infrastructure was about $330,000 less than other SMBs, and the cost per incident was $88,465 less. That in itself is adequate justification for funding an enterprise security program. 

In 2018, Hiscox commissioned Forrester Consulting to assess the cyber readiness of organizations and noted that seven out of 10 businesses are not prepared for a cyber attack. Forrester concluded, “While big firms incur the highest costs in the aggregate, the financial impact of cyber-attacks is disproportionately greater for small businesses.”

Attacks today are complicated and often multipronged. SMBs need to understand their cyber risks and develop strategies to manage and transfer these risks. Just like any large business, SMBs need to conduct periodic cyber risk assessments, perform regular vulnerability scans and penetration testing, restrict access and require multifactor authentication, have dedicated personnel, and exercise cyber governance. The cyber-security labor market is tight, making it harder for SMBs to find qualified personnel to perform these tasks. Although consultants and managed security service providers can help with these activities, the company is responsible to its customers, shareholders and the larger cyber community to manage its cyber risks. 

One way for SMBs to manage cyber risk is to purchase cyber insurance. In analyzing market data, CyberPolicy noted a steep rise in SMBs buying cyber insurance, with an average quarterly growth rate of 34% over the past year. One factor in this is the affordability of cyber policies. The price for $1 million in cyber coverage dropped from $270 in April 2017 to $77 in June 2018. Other drivers are compliance and contractual requirements. 


Cyber risk management, however, is not as simple as buying a cyber policy. First, SMBs will need the expertise of their agents and brokers to help guide them through the maze of which types of policies will cover various aspects of a cyber event. For example, depending on the circumstances, a cyber event may trigger clauses in numerous policies, such as property and casualty, cyber, director and officer liability, and errors and omissions. 

Second, SMBs need to understand that buying a policy will not relieve them of the obligation to establish a strong security program. Not only do some laws and regulations require it, but customers and business partners will demand it. A company that values privacy and cyber security, establishes a strong cyber-security program, and transfers some of its risk through insurance will have a competitive advantage in the marketplace, and it will be better prepared when it suffers a cyber attack.

The Insider Threat

Expand your view to include poor decision makers.

The insider threat has long been recognized as a major factor in cyber-criminal activity.

The Insider Threat 2018 Report stated that 90% of respondents felt vulnerable to an insider attack and 53% confirmed an insider attack in the previous 12 months.

Insiders have traditionally been thought of as current or former employees or contractors who use their authorized access to an organization’s system and data to conduct or assist cyber-criminal activity. But employees who make poor decisions about the organization’s cyber-security program can also dramatically increase the risk of attack. They may not be considered insiders in the traditional sense, but these bad decision-makers can be just as risky as nefarious insiders wishing to harm the company.

Cyber attacks are no longer just about data breaches. Over the past two years, attacks have involved encrypting data and demanding ransoms, zeroing out servers, exploiting unpatched or unsupported software to cause massive business interruption, denial-of-service attacks (including via internet of things (IoT) devices), and sophisticated social engineering attacks to obtain credentials. A report by Positive Technologies—Cybersecurity threatscape Q2 2018—noted the number of unique cyber incidents grew by 47% over the previous year. Cyber criminals are expected to make $1.8 trillion off their criminal behavior. The problem is that a number of these attacks could have been avoided if employees had made better decisions about preventive actions.

The impact of bad cyber-security decisions by internal personnel becomes glaringly apparent when one considers how their decisions contributed to the severity of the attack and its cost to the company. An Advisen report found cyber-related business interruption losses increased 30% between 2016 and 2017. Losses from the NotPetya malware alone are estimated to range between $4 billion and $8 billion (the White House estimate was $10 billion).

In the Crosshairs of Blame

Decisions made by personnel in the C-suite and management frequently result in a failure to take actions that are commonly known to help prevent attacks. Although top executives are not typically considered to be insider threats, they play a critical role in enabling attackers when they make or participate in decisions that cause an organization to become more vulnerable to attack. 

Failure to Act

The failure of top managers to take the preventive actions listed below just might enable a devastating cyber attack:

  • Failure by the IT or security teams to implement critical patches
  • Failure by the CFO or chief information officer (CIO) to fund the replacement of out-of-support hardware and software or purchase additional vendor support at an increased price (if available)
  • Failure by the CFO or CIO/CISO to fund denial-of-service prevention services
  • Failure by the CFO or CIO/CISO to fund critical cyber-security program activities
  • Failure by the CFO or business unit lead to replace a favorite legacy application that requires an out-of-support operating system (this may be why patching is not performed on some systems; if patched, the system won’t support the legacy app)
  • Failure by the CIO to segment and firewall off portions of the network
  • Failure by general counsel to ensure their privacy and security requirements are actually integrated into cyber-security controls
  • Failure by the CISO to have a tested backup and recovery program
  • Failure by the C-suite and board to ensure a CISO is responsible for the cyber-security program
  • Failure by the C-suite and board to ensure annual cyber-risk assessments are conducted and funding is allocated to close gaps and deficiencies
  • Failure by the CISO, business executives and board to develop a robust incident-response plan and participate in at least one tabletop annually
  • Failure by the risk manager to engage with the CISO and CIO to develop a cyber-risk strategy and ensure insurance coverage is adequate.

On the other hand, when companies do take the necessary preventive steps, they can be better protected and recover more quickly if an event does occur.

  • Companies that have a fully tested backup and recovery plan are able to restore their data in the event of ransomware, continue operations and avoid paying a ransom.
  • Companies that have denial of service overflow capabilities are usually able to maintain operations during a DDoS attack.
  • Companies that have all their hardware and software patched and within vendor support are able to avoid exploits, such as WannaCry and NotPetya, that target these known vulnerabilities.
  • Companies that segment and firewall their network can prevent an attack from traversing the entire network and stealing or damaging the system as it goes.
  • Companies that ensure their privacy and security compliance requirements are integrated into cyber-security policies and procedures are better positioned with regulators after a breach.
  • Companies that conduct annual cyber-risk assessments are more likely to have appropriate types and levels of insurance.

What’s more, companies that have not hired a chief information security officer are unlikely to have a mature cyber-security program in place or the ability to effectively respond to an attack. Target, for example, did not have a CISO when its notable breach occurred in 2014, and its failure to segment and firewall its network played a major role in the event.

Board members also are not exempted from blame. In 2014, Institutional Shareholder Services (ISS) called for seven of the 10 Target board members not to be reelected, stating it believed the directors “failed to exercise adequate risk oversight.” They were ultimately reelected, but the ISS recommendation sent shivers through boardrooms.

Four years later, ISS called for five Equifax board members, including the chairman, not to be reelected over their failure to exercise their “responsibility for risk management related to technology security.”

Following the Equifax breach, in 2018, the SEC issued guidance for publicly traded companies to inform investors about material cyber security risks. It specifically noted, “Companies should assess whether they have sufficient disclosure controls and procedures in place to ensure that relevant information about cyber-security risks and incidents is processed and reported to the appropriate personnel, including up the corporate ladder, to enable senior management to make disclosure decisions and certifications and to facilitate policies and procedures.”


The New York Department of Financial Services’ cyber-security regulation became effective on March 19. Three months earlier, the agency’s superintendent issued a memorandum to remind all covered institutions that department-regulated entities are required “to adopt the core requirements of a cybersecurity program, including a cybersecurity policy, effective access privileges, cybersecurity risk assessments, and training and monitoring for all authorized users…. The regulation also requires the establishment of governance processes to ensure senior attention to these important protections.”

Health providers and government contractors already have requirements for cyber-security programs and governance compliance. The Federal Trade Commission’s proposed revisions to the Safeguards Rule, which were released on April 4, also include increased requirements for cyber-risk assessments, vulnerability and penetration testing, and governance.

Executives and board members who fail to understand they have particular responsibilities for cyber-security may well be more dangerous insiders than the traditional hostile insider. If correct decisions are not made internally about cyber security, the consequences can be painful and expensive, as the NotPetya attacks so clearly demonstrated.

Spend the Money

The primary reason most companies do not conduct regular risk assessments, perform vital cyber-security actions, or hire chief information security officers is because they don’t want to spend the money. That thinking is penny wise and pound foolish, and it fails to take into consideration how expensive cyber attacks are, how much forensic and regulatory investigations cost, and what the potential hit on reputation and market share may look like.

Customers are truly beginning to care about doing business with companies that are trustworthy. A 2017 report on consumer intelligence by PwC indicated that “87% of consumers say they will take their business elsewhere if they don’t trust a company is handling their data responsibly.”


This concern represents an enormous opportunity for insurance agents and brokers to meet with clients and discuss their cyber-security programs, help them understand where they might be deficient, and encourage them to conduct regular cyber assessments so they can develop an appropriate risk-transfer strategy. The large business interruption claims over the past couple of years remind us that a robust cyber-security program consists of more than blaming criminals, including insider criminals. Increasingly, cyber-security attacks can also be blamed on poor decision-making by management.

“Understanding this issue begins by focusing on the risk, without insurance being a driving thought,” says Max Perkins, senior vice president for global cyber and technology, global professional and financial risks with Lockton Companies. “Once the risk is understood, only then can proper governance procedures be continued, strengthened or implemented. Risk management includes the hardening of security controls, user awareness and training, and risk financing/transfer. We find that clients whom we lead or who have been through this process are best positioned to negotiate with insurers and, more importantly, to respond to the underlying incident.”

Be Careful Not to Make a Bad Deal

Failing to conduct a thorough review of the cyber risks associated with an acquisition target is inexcusable.

Companies are starting to learn that it is very important to pay attention to privacy and cyber risks when conducting M&A due diligence.

In 2017, Verizon became the M&A cyber risk poster child when it learned shortly before its purchase of Yahoo that Yahoo had suffered two of the largest data breaches in history, in 2013 and 2014, affecting 1.5 billion users. Ultimately, Verizon shaved $350 million off the purchase price.

Yahoo had not told Verizon of the breaches. Concerned that Yahoo might have misled investors, the SEC opened an investigation into the matter. The SEC recently settled with Altaba for $35 million for the 2014 breach, the first such fine it has imposed for failure to report a cyber-security breach. (Altaba holds the remaining shares of Yahoo that were not purchased by Verizon.)

The SEC settlement agreement with Altaba noted, “Yahoo’s risk factor disclosures in its annual and quarterly reports from 2014 through 2016 were materially misleading in that they claimed the company only faced the risk of potential future data breaches…without disclosing that a massive data breach had in fact already occurred…In response to queries regarding past data breaches by Verizon during due diligence, Yahoo created a spreadsheet that falsely represented to Verizon that it was only aware of four minor breaches in which users’ identifying information was exposed, but did not disclose the 2014 theft of hundreds of millions of users’ personal data in its response.”

After the close of the acquisition, Verizon revealed that three billion user accounts actually had been breached instead of the 1.5 billion reported by Yahoo. The lesson here is that companies must do their own due diligence on cyber risks. They must demand full access to technical data and reports to ensure they understand the security maturity of the acquisition target’s cyber-security program and have a clear picture of prior incidents.

What You Inherit

An acquirer should not look merely for past incidents, however, because serious cyber events can occur after an acquisition due to unknown vulnerabilities—and the blame and expense will lie at the feet of the acquirer. For example, Marriott acquired Starwood Hotels & Resorts in 2016. In November 2018, Marriott disclosed that Starwood’s hotel guest database had been compromised and highly sensitive personal data on approximately 500 million guests had been exposed. The data included names, addresses, phone numbers, credit card information, passport numbers, family member information, and travel itineraries and dates. In a statement, Marriott said its investigation of the hack revealed that Marriott had learned “there had been unauthorized access to the Starwood network since 2014.”

Wow. The obvious questions are what cyber due diligence did Marriott do and why wasn’t this uncovered before the acquisition. Within a day, Marriott was hit with a securities class action suit alleging that investors had been harmed due to public misrepresentations, failure to disclose material facts, and material omissions and misrepresentations.

Similarly, PayPal uncovered cyber problems after it acquired TIO Networks in July 2017. A few months after acquisition, PayPal notified TIO customers it was suspending service because it had discovered “security vulnerabilities on the TIO platform and issues with TIO’s data security program that do not adhere to PayPal’s information security standards.” PayPal then issued another statement a few weeks later announcing it had “identified a potential compromise” of TIO’s systems “of personally identifiable information for approximately 1.6 million customers.”

Not surprisingly, a securities class action lawsuit was filed against PayPal a few days later. The suit claims PayPal failed to disclose that TIO’s data security program was not adequately protecting users’ personally identifiable information and that those vulnerabilities “threatened continued operation of TIO’s platform,” making revenues derived from TIO services “unsustainable.” The suit also alleges PayPal “overstated the benefits of the TIO acquisition” and investors were harmed by PayPal’s “materially false and misleading” statements.


The case, which is ongoing, begs the question: what due diligence did PayPal do on TIO’s cyber-security program prior to its purchase of the company for $233 million?

The possibility of breaches occurring after an acquisition is a risk that companies buy if they blindly acquire targets without conducting good cyber due diligence. Depending on the circumstances, the costs associated with a breach could exceed the purchase price.

In addition to data breaches, it is important for acquirers to investigate whether any of the target company’s confidential or proprietary data may have been stolen or exposed through a cyber attack. This could include pricing and customer lists, intellectual property or trade secrets, strategic information, marketing plans, personnel data or other sensitive information. These data usually represent a significant amount of the value of a company. It is possible, through good cyber due diligence, to uncover breaches, including the theft of data, that had not previously been detected.

Regulatory Costs

Privacy violations and associated investigations are now costing companies serious money. It is crucial that acquirers examine whether there have been prior privacy violations or whether there is the potential for one, which could result in large fines. Such violations may not yet have been detected by the target or reported to authorities. With the May 2018 implementation of the European Union’s General Data Protection Regulation, followed by Facebook’s Cambridge Analytica data scandal, privacy regulators around the globe have their antennae up, and violations can be hefty, far exceeding the paltry $35 million SEC settlement with Altaba.

In January this year, for example, French regulators fined Google $57 million for failing to clearly inform users how the company was collecting data across about 20 Google services, including Google Maps and YouTube, and using it for advertising. In February, British members of Parliament accused Facebook of “intentionally and knowingly” violating privacy laws and called for investigations and increased regulation of tech companies. Later in February, The Washington Post reported the Federal Trade Commission and Facebook were negotiating a multibillion-dollar fine for privacy infringements at the social media giant that potentially violated its 2011 consent order with the FTC.

The bottom line here is that the green shades in M&A due diligence need to bring in some privacy and cyber-security experts to conduct a thorough assessment of the maturity of the target’s cyber-security program, including technical data and reports that could reveal prior incidents. Breaches, class action lawsuits, regulatory fines and investigations can pull millions—if not billions—from the bottom line of the acquirer.

Not every vulnerability nor every past or potential breach can be detected, but failing to conduct a thorough review of the cyber risks associated with an acquisition target is inexcusable. The information gathered can be used to estimate the costs associated with strengthening a weak cyber-security program, defending against prior breaches or lawsuits, or estimating potential penalties. It’s far better to consider these costs in the purchase price than to hope for the best afterward.

Insurance professionals also should work with their clients to help them manage the cyber risks associated with mergers and acquisitions. Agencies and brokerages can leverage the information obtained through the cyber due diligence process to review policies and ensure their clients have appropriate coverage post acquisition.

Privacy’s Perilous Path

Legal use does not always equate to ethical use.

Lots of things happened in 2018 that focused our attention on privacy.

Facebook got everyone’s attention in March when The New York Times and The Guardian revealed that Cambridge Analytica used the personal data of more than 50 million Facebook subscribers to help the Trump campaign.

A former-employee-turned-whistleblower revealed that Facebook never audited the application developers it allowed to access its data to confirm they were using the data according to terms. Facebook subsequently announced it would conduct a thorough review of all application developer use of its data.

The drumbeat on privacy in the United States was enhanced with congressional hearings that probed Facebook on its data-sharing practices. The controversy revealed how 126 million Facebook users might have been played by Russians in an attempt to influence the 2016 presidential election. A few months later, the Times reported that Facebook had allowed numerous device manufacturers, including Amazon, Apple and Samsung, access to user data without Facebook users’ explicit consent, an apparent violation of a Federal Trade Commission consent decree. Then, late last year, the Times obtained documents indicating that Facebook had entered into agreements with at least 150 companies to share its data, including Amazon and Microsoft.


All the attention fueled investigations over how much of Facebook’s data—and other social media data—are shared with third parties. It also raised questions on what and when Facebook knew about Russia’s manipulation of its platform and users. The Times reported in late November that Facebook’s senior leaders were deliberately trying to keep what it knew about Russia’s tactics under wraps. The company’s directors pushed back on that report, claiming they pressed CEO Mark Zuckerberg and COO Sheryl Sandberg to speed up its Russia investigation and calling allegations that the two executives ignored or hindered investigations “grossly unfair.”

By mid-2018, online users (that is, all of us) were finally beginning to understand the power of big data. Yet they also realized they really had no idea how every digital fingerprint they leave in texts, emails, Facebook posts, tweets, Google searches, etc., was being shared with others. A Pew Center report in September indicated that more than half of Facebook users changed their privacy settings, 40% took a break from Facebook, and 25% deleted the Facebook app on their phone.

Important lesson: privacy expectations can be more powerful than laws, because their hammer is market forces, not fines or penalties. After the Cambridge Analytica scandal, Facebook was forced to report lower-than-expected earnings. Within hours, Facebook lost $130 billion in market value.

Meanwhile, on May 25, 2018, the European Union’s General Data Protection Regulation took effect, forcing companies to focus on what data they have, where they get it and who accesses it. Shortly thereafter, California enacted the California Consumer Privacy Act of 2018, which takes effect next Jan. 1. The law is similar to the European Union’s data protection regulation, but there are key differences. For example, the California law does not require consent to process personal information and does not include the right to be forgotten or to have data corrected—two important features of the EU regulation. Nevertheless, California’s law is as close as any U.S. law has come to emulating EU privacy requirements, a development that thrilled privacy advocates and scared companies.

Ethics of Data Sharing

Another topic that emerged last year was the ethics of data sharing. Wired ran a story last July headlined “Was It Ethical for Dropbox to Share Customer Data with Scientists?” In a Harvard Business Review article, Northwestern University researchers revealed they obtained data from Dropbox and analyzed the data-sharing and collaboration activities of tens of thousands of scientists from over 1,000 universities. Dropbox justified its sharing of this data by relying on its privacy policy and terms of use. The ensuing uproar caused Dropbox and the researchers to clarify that the data had been anonymized and aggregated prior to their obtaining it. Others, however, pointed out how folder structures and file names could still be used to identify individuals. Dropbox was in the hot seat.

The Cybersecurity Division of the Homeland Security Advanced Research Projects Agency funded a multi-year project examining the ethics associated with the use of communications traffic data by cyber-security researchers. The resulting report, known as The Menlo Report, published in 2012, was an early attempt to establish parameters for the ethical use of personal data in cyber-security research projects.


The ethics of data sharing is not always consistent. When a researcher finds a trove of data in a cyber criminal’s online cache, the temptation to use the data is probably no less compelling than when Uber was offered Lyft customer receipts in 2017 by Unroll.me. A privacy policy or terms-of-use statement might give you legal cover for data sharing, but the users whose data you share—or buy—might question your ethics.

Accenture has studied the ethics of digital data and developed 12 “universal principles.” These include:

  • Maintain respect for the people who are behind the data.
  • Create metadata to enable tracking of context of collection, consent, data integrity, etc.
  • Attempt to match privacy expectations with privacy controls.
  • Do not collect data simply to have more data.
  • Listen to concerned stakeholders and minimize impacts.
  • Practice transparency, configurability and accountability.

Companies face real risks and perhaps internal disagreement when trying to balance their customers’ privacy expectations and maximize profits. Remember that Sheryl Sandberg was reported to favor keeping quiet the discoveries of Russian interference and the exploitation of user data while the chief information security officer at the time favored more public disclosure. Two University of Colorado researchers studied the public reactions to the sale of Lyft customer receipts to Uber and WhatsApp’s announcement in 2016 that it would share data with Facebook to improve Facebook ads and user experience. Their conclusion is noteworthy.

“Our findings also point to the importance of understanding user expectations when it comes to privacy; whether most users agree that it’s okay to be the product or not, shaping expectations with more transparency could help reduce the frequency of these kinds of privacy controversies.”

But relying on privacy policies or terms of service can be a perilous path. User expectations of privacy will often prevail over legalese. And no one can really keep a straight face and say they believe their users actually read their privacy policy or terms of service. The events of 2018 struck a note of outrage in online users, and legislators, regulators and plaintiffs’ attorneys are paying close attention.

In 2019, organizations would be wise to analyze the data they buy, share, use and store, to examine their legal basis to do so, and to consider that their customers might have contrary privacy expectations. Legal use may still violate a person’s expectation of privacy and thus be viewed as an unethical use. Agents and brokers should encourage their clients to be forward thinking on this issue and proactively manage potential privacy risks associated with their data or the data they may obtain from third parties.

Preparing for New Cyber Threats

What’s on the horizon in 2019? Make sure you’ve got a comprehensive and tested plan.

As companies look to the year ahead, they should make sure they are prepared for the types of cyber attacks they might encounter in 2019.

The cyber threat environment is more sophisticated than ever, and nation-states have increasingly played a role, often in coordination with other actors. Even the best chief information security officers are evaluating their programs against current threats and beefing up.

Many companies, however, have inadequate cyber-security programs and are not prepared for multipronged attacks or those that could create significant business interruption. For example, in nearly every cyber-risk assessment we conduct, the two lowest-scoring areas are incident response and business continuity/disaster recovery. In addition, many organizations have not identified mission-critical functions, do not have current or adequate inventories of their applications and data, and have not assigned ownership to these assets. When trouble hits, these gaps make for a pretty hot mess.

So it’s a two-pronged problem: an organization must first understand its assets and what they are used for and then understand the types of attacks that could hit them. When an organization has not paid attention to its assets, chances are it is clueless about its threat environment, its preparedness to counter an attack, and its ability to keep functioning.

Engage Business Units

Internally, many organizations still tend to view IT and cyber security in a silo and try to be involved as little as possible with them. They just want the systems—and business—to keep running. That attitude ignores the accepted best practice that business units should “own”—and be responsible for—the data and systems they use to perform their business functions. Business owners should approve access to their applications and data and authorize a system to operate, thereby taking responsibility for the risks the system and data bring to an organization. This is how risk management is spread across an organization.

In reality, however, managers somewhere in the organization usually request access to applications or data for new hires and send the request to IT, which then implements access. Business owner approval is not a common practice.

If business owners are not engaged in controlling access to their systems and data, they are likely not very involved in what happens during incident response or disaster recovery. Thus, a major incident sends IT and security teams scrambling to identify critical applications, their dependencies and the business functions that have been affected.

Test Your Plans

Well-developed disaster recovery plans, based on a business impact analysis, are an essential element of cyber-security programs, but they must be tested. Consider the company whose IT team confidently told management it did not need to pay a ransom because the company could simply restore the data—except that the company hadn’t tested its plan and ended up losing six months of data. Or consider the companies that thought they had it made in the shade with constant replication from one site to another, enabling them to switch to the alternate site at any moment. Those companies forgot about ransomware, which ran through their systems encrypting all their data—and their replicated site data (because they forgot about needing an offsite backup).
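The two failures above (a backup that was never restore-tested and a replica that faithfully mirrored the encrypted data) can be replayed in a small simulation. This is an added Python example, not code from the article; the file contents, the sites and the "ransomware" (which just overwrites files with random bytes) are all constructed stand-ins.

```python
import hashlib
import os
from dataclasses import dataclass, field


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Site:
    """A file store at one site: path -> content (constructed toy data)."""
    files: dict = field(default_factory=dict)

    def manifest(self) -> dict:
        return {p: sha256(c) for p, c in self.files.items()}


@dataclass
class OfflineBackup:
    """A point-in-time copy that is disconnected once taken, so nothing
    that happens to the live sites afterwards can alter it."""
    data: dict
    manifest: dict


def replicate(primary: Site, replica: Site) -> None:
    """Continuous site-to-site replication: the replica mirrors the primary
    as-is, including any damage the primary has already suffered."""
    replica.files = dict(primary.files)


def take_offline_backup(site: Site) -> OfflineBackup:
    return OfflineBackup(data=dict(site.files), manifest=site.manifest())


def ransomware_like_overwrite(site: Site) -> None:
    """Constructed stand-in for an encrypting attack: every file becomes
    unreadable bytes. Random bytes only; no real malware is involved."""
    for path, content in site.files.items():
        site.files[path] = os.urandom(len(content))


def restore_test(source: dict, expected_manifest: dict) -> dict:
    """The check a tested recovery plan performs: compare each restored
    file's hash with what the business expects to get back."""
    intact, mismatched, missing = [], [], []
    for path, digest in expected_manifest.items():
        if path not in source:
            missing.append(path)
        elif sha256(source[path]) != digest:
            mismatched.append(path)
        else:
            intact.append(path)
    return {"ok": not mismatched and not missing, "intact": sorted(intact),
            "mismatched": sorted(mismatched), "missing": sorted(missing)}


def run_scenario() -> dict:
    """Replay the failures from the text with constructed data: an old
    backup, a recent one, live replication, then the attack."""
    primary, replica = Site(), Site()
    primary.files = {"ledger.db": b"Q1 ledger", "hr/payroll.csv": b"payroll rows"}
    replicate(primary, replica)
    stale = take_offline_backup(primary)        # taken months ago, never re-run
    primary.files["ledger.db"] = b"Q1+Q2 ledger"  # six months of new work
    primary.files["contracts/q2.pdf"] = b"new contract"
    replicate(primary, replica)
    recent = take_offline_backup(primary)       # last night's offline copy
    expected = primary.manifest()               # what the business needs back
    ransomware_like_overwrite(primary)
    replicate(primary, replica)                 # replication copies the damage too
    return {"replica": restore_test(replica.files, expected),
            "stale_backup": restore_test(stale.data, expected),
            "recent_backup": restore_test(recent.data, expected)}
```

Running `run_scenario()` shows the replica returning nothing usable, the stale backup missing or out-of-date on the files that changed since it was taken, and only the recent offline copy passing the restore test.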

New Threats

Now, consider the new threat environment, which utilizes the treasure trove of NSA cyber tools and zero-day exploits that were released in 2016 by the hacking group Shadow Brokers. Portions of these were used in the severe WannaCry, Petya, and NotPetya attacks in 2017. Projections on 2019 cyber attacks continue to list malware, ransomware, botnets, denial of service, website “drive-by campaigns” (which infect when you visit a website), phishing attacks, and advanced persistent threats (malware that lurks inside your system and stealthily attacks).

The exploitation of internet of things devices has been behind several of the worst cyber attacks in the past couple of years, such as Stuxnet (and its offspring), which attacked programmable logic controllers in industrial control systems, and the Mirai botnet and similar bots, which attacked IoT devices and used them to mount huge denial of service attacks, shutting down major websites and turning off heating in buildings.

Expect more IoT attacks in 2019.

An estimated 23 billion IoT devices are connected to the internet now—everything from appliances to thermostats to building monitors and controls—with growth expected to reach 31 billion by 2020. Many of these devices are not patchable, were not built with embedded security, and are not included within the inventories of hardware in many cyber-security programs.

In 2019, we also will see more “clickless” attacks that exploit vulnerabilities in out-of-support hardware and software, such as WannaCry and NotPetya. This type of malware presents a major risk to the many organizations that have hung on to old equipment and applications.

Dmitri Alperovitch, co-founder and CTO of CrowdStrike, investigated and brought to light some of the most serious cyber-espionage attacks. Regarding the current threat environment, he said: “CrowdStrike research indicates that on average it takes an adversary one hour and 58 minutes to break outside of the initial point of intrusion and get deeply embedded into the network. This means that the best organizations should strive to detect intrusions within one minute, investigate within 10 and eject the adversary within the hour to stay ahead of the threats.” That’s a tall order, but it underscores the severity of attacks we are facing in 2019.

When organizations consider their cyber coverage in 2019, they would be well advised to think beyond breaches of personally identifiable information and look under the hood to see if some of the basics in their cyber-security program—such as asset inventories, incident response and business continuity and disaster recovery—are well developed and tested. The threat environment sets the pace, and companies that do not keep up with mature cyber-security programs and test their data recovery capabilities will be the easiest targets and suffer the biggest losses. Brokers and agents will do well to help their clients assess their vulnerabilities and the maturity of their cyber-security programs and develop a coverage plan to match.

Benefits Data Bullseye

Healthcare and employee benefits data are gold for cyber criminals.

The HITECH Act requires covered entities to report breaches of unsecured protected health information affecting 500 or more individuals to the U.S. Health and Human Services Office for Civil Rights.

This includes health plans, group plans and employee benefit plans subject to HIPAA, including self-insured group health, dental, vision, pharmacy benefits, healthcare reimbursement spending accounts, employee assistance programs, health reimbursement arrangements and long-term care plans.

By September, the civil rights office had more than 400 such cases under investigation, with more than 200 reported thus far in 2018. The office lists the types of breaches as hacking/IT incident, unauthorized access/disclosure, theft, loss and improper disclosure. The location of the breached electronic data includes email, network server, desktop computer, electronic medical record, laptop and other portable electronic devices.

Cyber criminals go after the gold. Electronic medical records can contain a vast amount of personal information, including address, phone, email, Social Security number, birth date, banking information, medical visits and diagnoses. Healthcare and employee benefits data, especially electronic health record data, are much more valuable on the black market than credit card numbers. That’s because the data usually contain static information and can be used in fraudulent operations for longer than credit card numbers, which are invalidated shortly after a breach.

Although the value of breached data can vary widely, in 2017 Forbes claimed Social Security numbers are worth 10 cents and credit card numbers are worth 25 cents, while electronic medical records can bring hundreds or thousands of dollars when sold to cyber criminals. The Forbes article noted that, in 2016, 65% of the 450 breaches of health data that year were not caused by external hackers but by insider actions.

In early September, Marsh & McLennan published a report on cyber risks in the healthcare industry that indicated healthcare was one of the most vulnerable industries for high-profile cyber attacks. The report noted that healthcare “is the only industry that has more internal threat actors behind data breaches than external.”

Even if a hacker has not broken into a system or an insider has not committed an action to disclose personal data, malware attacks can cause equivalent or greater damage. Malware today is sophisticated and can change internal system settings, turn off anti-virus software, allow remote access and export data. These attacks can also trigger breach notification laws, increasing reputational risk. In 2016, Deven McGraw, then the privacy chief at the Office for Civil Rights, noted, “If the breach definition is met, which in many times in a ransomware attack it would be, then the presumption is to notify.”

Cylance’s 2017 Threat Report noted healthcare was the most impacted industry sector by ransomware in both 2016 (34%) and 2017 (58%). It’s vital to note that, although the healthcare industry is in the bullseye, so are all organizations that store and process employee benefit data. Even though some benefit data may not be protected under HIPAA, the data held in an organization’s benefit program can contain a lot of personally identifiable information about employees and their dependents, a rich repository for cyber criminals.

Data Protection

Companies are struggling to keep pace with an increasingly sophisticated threat environment, and gaps in the maturity of their cyber-security programs are easily exploited. The Cylance Threat Report declared that, “many of the attacks we saw in 2017 were initiated by exploiting vulnerabilities that were reported more than nine months before the attack was detected and blocked.”

A steep increase in the sheer amount of malware identified is also a factor. This includes polymorphic malware, which constantly changes its identifiable features to enable it to avoid detection, and single-use malware, which is custom-built for one-time use against a specific organization. In his security blog GData, Ralf Benzmüller noted an average of 959 new malware specimens per hour in 2017, a 63-fold increase since 2007. It is difficult for any organization to hold the line against such an army of malware.

So what can companies do to protect their benefit data from being compromised? The best defense is a strong security program that has integrated controls for privacy compliance requirements. This includes having a data inventory, assigned data ownership, restrictions on access, system monitoring, and policies and procedures for handling, storing, and sharing personally identifiable information, protected health information and benefit data.

Additionally, it is very important to remember that privacy compliance requirements remain a responsibility of the organization that owns them. “The organization is ultimately responsible for its compliance requirements, even if it involves outsourcing the administration of its health benefits plan,” says Philip Gordon, head of Littler Mendelson’s privacy practice. “In the contracting process, the company needs to be sure it is protecting itself in the event the provider has a breach.”

Organizations also have to remember that U.S. privacy laws are fluid. The expansion of privacy laws in several states, including Arizona, Colorado and Oregon, sweeps in some personal data that was not previously within the scope of the law. Under Colorado’s new privacy law, effective Sept. 1, Colorado’s definition of “covered entity” is so broad that it effectively covers every business “that maintains, owns or licenses personal identifying information in the course of the person’s business, vocation, or occupation.”

As Gordon notes, “Employee benefit data outside the scope of HIPAA may qualify as protected data under many of these new laws.”

A company should also ensure that proper cyber governance is in place at the board and executive levels. The Marsh report indicated that 83% of healthcare respondents relegated responsibility for cyber risk management to the IT department. Across industry sectors, only 70% assign cyber risk management to IT, which indicates the sector with the highest risk—healthcare—has the poorest cyber governance practices.

A key component of cyber risk management involves purchasing adequate cyber insurance to transfer risks associated with an attack. Less than half of Marsh healthcare respondents indicated they have cyber insurance coverage, while the industry average is only 34% (by contrast, 52% of the financial industry reports having cyber insurance).

All too often, the risks associated with benefit data are not adequately factored into cyber risk management. Agents and brokers should work with their clients to evaluate the benefit data they have and conduct risk assessments to determine their loss exposure and the types of cyber coverage that will best protect them.

Cyber Property

How much risk do you want to keep in-house?

Not so long ago, as outsourcing, co-location facilities and cloud services began to take hold, risk managers and information security personnel scrambled to manage vendor cyber-security risks.

Everyone was afraid of what could happen to company data or operations in the hands of a third-party provider. Today, however, these vendors seem like a safe haven compared to the risks and costs associated with running an in-house data center and cyber-security program.

Attacks no longer require someone to click on a link or open an attachment. In the past year, large global companies have been hit by malware that exploited out-of-support equipment and unpatched software and crippled operations for weeks. Maersk, Merck and Federal Express were three of the most visible companies hit. Maersk’s chairman, Jim Hagemann Snabe, told World Economic Forum leaders that the company had to reinstall its “entire infrastructure,” consisting of 4,000 servers, 45,000 workstations and 2,500 applications. Business interruption losses at the companies ranged from $300 million to $670 million each.

In this environment, companies that have been scrimping on IT budgets and stalling on replacing legacy apps are now in the bullseye. Why? Because hardware companies continually patch vulnerabilities and update their products, and they eventually stop supporting older equipment. Even though the older servers may still run just fine, their known vulnerabilities can be exploited by criminals. Out-of-support software can be just as bad. CFOs know how expensive it can be to move to a new enterprise application, and business units are famous for refusing to give up favored legacy apps. These apps usually run on older versions of operating systems. Thus, companies end up with Windows XP or other out-of-support operating platforms that keep these legacy apps operational but bring risk to the organization in the process. The WannaCry malware that infected 230,000 computers in more than 150 countries exploited unpatched Windows systems, many of which were out of support.

Maintaining a cyber-security program requires a team of personnel with appropriate education, certifications and experience. Some companies have pinched pennies on security staff, and others simply cannot find suitable candidates to hire in this tight job market. Security architects and network engineers play an important in-house role in designing the system architecture and determining configuration settings and security controls that help protect the system and data. Without an adequately staffed team of IT and security personnel, critical activities either do not get completed on time or they are not performed at all. This includes patching of software, particularly non-Windows software, because these patches have to be specially applied outside of the regular Windows “push patch” cycle. Since patches fix vulnerabilities, every instance of unpatched software creates an opportunity for exploitation.

Security programs also require a suite of security tools, which often demand training and expertise to deploy and use them. When security tools are installed but the staff does not know how to use them, the license fees are wasted, and the ability to identify risks or attacks decreases. Logging, incident response, and backup and recovery are also commonly given less than full attention when resources are thin. The consequences can be particularly painful when an attack hits. Without logs, in many instances it is difficult to conduct an adequate forensic investigation. Tested backup and recovery plans are critical, particularly in attacks of ransomware that encrypt a company’s data or malware that zeroes out servers and computers.

Farm It Out

Handing off an organization’s hardware, software, network and staffing issues to a vendor is an increasingly attractive option. Major vendors today have sophisticated system architectures, hardware that is within vendor support, strong controls, a full security program, and highly experienced IT and security personnel. In addition, they generally have excellent physical security, good surveillance and monitoring systems, more-than-adequate HVAC systems, back-up generators and resilience in connectivity. Many cloud providers also offer a suite of services and tools to assist with incident response, logging, backup and recovery on the client side.

The trust a company places in a vendor hinges on the vendor’s reputation for protecting the client’s systems and data. Therefore, these service organizations devote considerable attention to securing their network, applications, data, people and processes. Most vendors have an annual security audit performed in line with standards from the American Institute of CPAs, which produces what is known as a SOC-2 report. According to the AICPA, “These reports are intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to security, availability and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems.”

Companies do not have to farm out all operations to vendors, however, as they may choose to keep their data centers and outsource just the security activities. Many companies that have their own data centers are looking to managed-security service providers to take on some of the load of the security program. These providers are capable of taking over most of the activities of an enterprise cyber-security program, enabling companies that choose to keep their IT operations to have robust security capabilities performed and maintained by a third party. These services are particularly attractive to small and midsize companies that use technology extensively and need to protect their data and systems but find it financially prohibitive to develop and maintain a strong enterprise security program.

Cloud offerings, such as Microsoft’s Office 365 and Azure environments, are enabling companies to free themselves from maintaining a data center. Software as a service (SaaS) and outsourced enterprise application providers are freeing organizations from patching and application maintenance.

Antares Capital—one of my clients—is an example of an organization that chose to move in a futuristic direction (in this case, after it was spun off by GE). Instead of taking legacy apps and aging equipment with it, its chief information officer, Mary Cecola, chose to stand up entirely new IT operations by leveraging the Microsoft Azure and Office 365 environments and utilizing enterprise applications that are SaaS or vendor hosted.

The organization now has all thin clients (monitors and keyboards without hard drives or memory) and a few closets with routers. All other infrastructure and equipment are owned by Microsoft and are in the Azure environment. Antares is able to properly manage operations with a smaller IT and security staff. The security team has established a security operations center that monitors system activity and interfaces with the vendors.

“We are sharing risk with our vendors, saving financial resources and better managing the risk of attack,” Cecola notes. “We hired excellent personnel with expertise in cloud and vendor environments and IT and security management and are now able to devote resources to the specific IT and security needs of the business while leaving a lot of the nitty-gritty technical activities and issues to the vendors. We developed an incident response plan and recovery strategy that dovetails with our vendors and leverages their capabilities. While my peers still struggle with many of the issues of in-house shops, going with the Azure cloud and SaaS providers was probably the best decision of my career.”

Agents and brokers will serve their clients well if they help them examine the risks associated with their IT operations and discuss risk-transfer options, including the use of third-party providers.