Verisk Review Expert Panel: Cybersecurity
By Prashant Pai, Eric Schneider, and Scott Stransky
It’s a crime wave without borders. With reports of intrusions into corporate and government systems increasing across the globe—introducing viruses, ransomware, denial-of-service attacks, and theft of personal information—the field known as cybersecurity is growing in response.
Through targeted training, security software, and simulated incident response, businesses are beginning to combat cybercrime and its multibillion-dollar onslaught. Many are moving their operations to the cloud, attempting to reduce risk and gain the security protections of the major cloud providers.
But can the cloud be hacked? And how effective are defensive software patches? The editors of Verisk Review spoke with three cyber experts and discussed the impact of global data and cyber breaches. In the United States, adequate insurance coverage likely will remain key to any successful cyber strategy, with many businesses potentially bearing costs for breach notification and damage to reputation.
What follows is a discussion of how data and analytics can be used to better define risks online and respond to cybercrime. The panel included Prashant Pai, vice president of cyber strategy for Verisk; Eric Schneider, Verisk’s chief technology officer; and Scott Stransky, assistant vice president of research at AIR Worldwide, a Verisk business.
How big a business is hacking?
Prashant Pai: It’s estimated that the global cost of cybercrime is $500 billion a year. That’s around 1 percent of the global gross domestic product, and it’s only expected to grow. Also, there’s a quite mature cottage industry around hacking, with customer service that would put some legitimate businesses to shame.
Eric Schneider: I agree—it’s huge. Hacking cost companies, all together, hundreds of billions of dollars a year, and many hackers can earn lucrative incomes through the illegal economy that exists on the dark web.
Are hackers mainly individuals, or is there such a thing as “organized cybercrime”?
Scott Stransky: Hackers come in many forms. Sure, there are individuals sitting in their basements who hack for the glory and pride. We also know that some nations are involved in state-sponsored hacking. And yes, organized cybercrime groups are quite prevalent too.
Pai: Absolutely, there’s organized cybercrime. Social engineering and technical hacking go completely hand in hand for cybercrime. Many petty criminals and gangs that used to deal in drugs, kidnappings, et cetera, have realized that they can take their talents to the cyber world and earn far more money with much less risk of being apprehended and charged. It’s quickly becoming the hottest crime industry.
Given the growing numbers of global hacks, how can businesses better prepare for cyber threats?
Schneider: Awareness, training, and simulation are the three key elements here. Creating awareness of the risks inherent in one’s business practices is the foundation that will very often drive the appropriate investment in people, process, and tools that make up a quality cybersecurity program. Training employees, both business and technology, regarding the risk and regulatory landscapes they operate in is also fundamental to have the proper technology platform and process in place to protect and respond in the event of an incident. Finally, practice is key in my opinion. Like everything else, the more you practice, the better prepared you’ll likely become. There are many ways to simulate threats and attacks—drills facilitated by third parties that simulate an attack and all facets of responding to an attack—that are very authentic and often instrumental in improving a cybersecurity program.
Pai: This really starts with evolving the security culture of the business. Every employee has to be made aware that they are part of the security apparatus. Cyber incidents occur involving people, process, and/or technology. The human element is extremely important. In addition, the security culture needs to evolve from prevention to management. Security incidents are going to happen; businesses that prepare and plan their response and recovery will likely emerge better and stronger than others.
So how effective is cybersecurity software?
Stransky: Cybersecurity software is important, although people tend to be the weakest link in an organization. A company can have the best software, but a single employee can expose the business to phishing by simply clicking a link in an e-mail.
Pai: Yes, it’s a good deterrent. But to expect cybersecurity software to prevent every cyber attack is not rational. As the NIST (National Institute of Standards and Technology) framework lays out, response and recovery from cyber incidents are just as important as detection and prevention.
Schneider: I’d add that software can be highly effective when properly implemented and maintained, but it’s only part of the solution.
Many businesses are moving their computing to the cloud. But can the cloud be hacked?
Stransky: I don’t think the cloud’s susceptibility to hacking is the big issue here or the most likely issue related to the cloud. It’s much more about the potential business interruption that could occur if the cloud goes down. We saw Amazon Web Services’ (AWS) multihour failure in February 2017 from a simple typo that an AWS employee made when trying to resolve a billing problem. Imagine what a coordinated group of attackers could do. Several major cloud providers have large enough market shares that a failure of any of them could lead to severe economic and insurance losses.
Schneider: Anything can be hacked. There’s no such thing as an impenetrable computing environment. Even in extreme cases where systems are isolated from a company’s own internal network, there are vulnerabilities. In an “air-gapped” environment, people still touch systems and PCs, and servers still need to be installed, maintained, and updated. And in all those cases, the opportunity for exposure exists.
How do ransomware and other malicious software work (for example, WannaCry), and what would be the best defense?
Stransky: In a ransomware attack, criminals encrypt the contents of your computer. To recover the contents, a ransom is required—usually around $300 to $500, payable in an online currency like Bitcoin. Most ransomware attackers have good customer support and will help get your data back if you do pay. The ransom is insurable, and many cyber policies tend to include coverage with respect to it. With WannaCry, very few companies ended up paying the ransom, though many of them suffered business interruption while their systems were down. WannaCry only encrypted computers that were not up to date with Windows updates. In addition, those companies that have current offline backup of their files could restore their systems without paying a ransom.
Pai: We find that some of the best defenses are sometimes the most basic: software patching and upgrades, for example. The largest software manufacturers have gotten much better at releasing new patches as soon as they’re aware of existing vulnerabilities. Ransomware such as WannaCry and Petya/NotPetya spreads from one computer to the next when it finds another machine on the network with a vulnerability left unpatched. Another piece of sound advice would be running virus scans and not connecting to any open public WiFi networks. Cyber pandemics have many analogies to several human health emergencies. We can’t stress basic health and hygiene habits enough.
It’s been said that companies are far more likely to buy fire insurance than cyber insurance. Should businesses take threats to their privacy and intellectual property as seriously as exposures to physical property and equipment? If so, why?
Schneider: I think they should take cyber threats more seriously. The reputational damage resulting from a breach can be far more lasting than the disruption that a fire may cause. In addition, the fines that regulators can levy regarding data breaches can be enormous. If I had to choose between having our office building burn down versus having our data stolen, it would be an easy decision: I’d undoubtedly choose the former, provided no individual was harmed in the fire.
Stransky: Yes, especially as laws around the world evolve, purchasing cyber insurance will become even more critical. Today, breach notification is required in 48 states, and the associated costs of notification (forensics, credit monitoring, setting up a call center, and so forth) are insurable. In May 2018, the European General Data Protection Regulation (GDPR) will take effect, requiring even stricter notification when data on European citizens is lost or stolen. If a small business suffers a breach and doesn’t have cyber insurance, it’s very likely it will go out of business due to the costs associated with the breach.
Pai: Over the last couple of decades, our society has become more and more dependent on computers. In fact, a smartphone today has more storage and computing resources than the most powerful supercomputers of only 20 years ago. It’s difficult to imagine an industry that’s not dependent on its IT resources. Estimates say that 60 percent of small businesses in the U.S. that suffer a cyber breach go out of business. If they don’t have cyber insurance already, I would highly encourage every business out there to consider obtaining coverage.
Has underwriting for cyber risks changed over the past decade?
Pai: We do see the market starting to consider alternative data and analytics to better inform decision making. However, we’re really looking at two mutually exclusive skill sets, cybersecurity and insurance underwriting. While the industry has access to cybersecurity data, the challenge is that many underwriters are not sure how to incorporate it into their decision making. Verisk is looking to lead on this front by making cyber risk data and analytics relevant and actionable for underwriters.
Stransky: In the past, the biggest threat was data breach. While data breach is still important to consider, the much bigger concern today is business interruption and contingent business interruption. While many insurers are often prepared to handle one-off data breaches (for example, by offering relatively low limits), they may not be prepared for large aggregation events—for example, a major cloud or DNS (Domain Name System) provider failure that takes down numerous insureds at the same time. More attention is being paid to contingent business interruption today than in the past.
Is there adequate exposure information available to accurately insure cyber risks? If not, what might be needed for better underwriting?
Schneider: I believe one of the biggest challenges lies with both the honesty of the proposed insured and its level of awareness of its own business model, data, and risks. Many companies are simply uncomfortable sharing the full details of their cyber program for fear that they may not be doing enough, and what they share is only effective if they’re aware. Without an understanding of those two factors the insurer is challenged to make an informed decision.
Stransky: Today, two key factors for underwriting risks are the industry and the revenue of the organization. While that’s clearly not enough to get a good understanding of the risk, those two factors do explain a great deal of the variance in the losses we’ve seen. Other very relevant factors include employee count, third-party vendor usage (such as clouds, DNS providers, or payment processors), types of encryption used, and measures of employee training. Today’s cyber insurance market is so competitive that most of these factors cannot be determined directly from the insured at the time of underwriting. If asked more questions, the insured will often look to a different, possibly less invasive insurance company.
Do conventional property/casualty policies tend to cover hacks and/or data breaches?
Stransky: Many in the industry refer to “silent cyber”—the possibility of having to pay out cyber-related losses under non-cyber policies. In the aftermath of an event, insureds might seek coverage under cyber liability policies that underwriters may not have taken into consideration when pricing these insurance products. If an insured has a loss, it may also try to “find” coverage under other traditional policies, such as (but not limited to) errors & omissions (E&O), directors & officers (D&O), commercial crime, or commercial general liability (CGL). With cyber policy language largely untested in the courts, with different jurisdictions possibly taking different approaches to coverage disputes, and with cyber-related losses and claims accelerating, insurers and reinsurers are well advised to take a very close look at how they manage the cyber risk that they intend to insure, as well as cyber risks that they don’t intend to insure.
Pai: Many of the conventional property/casualty policies were designed before cyber risk became such an important factor. Just as Verisk/ISO has done, insurers need to review and evaluate how cyber risk will affect the policies they have.
Is there a typical method of attack (for example, phishing) that businesses can prepare for?
Schneider: Social engineering is one of the most common defenses. Businesses can implement programs that teach employees what to look for to avoid falling victim to such hacks, and we have such a program at Verisk. The other all too common, but often easily avoidable, exposure comes from failure to keep computer systems up to date with known security vulnerabilities. So, establishing and maintaining a program in this regard is key.
Pai: Businesses should prepare for data and privacy breaches, ransomware, and denial-of-service (DoS) attacks. Phishing—especially spear phishing (that is, targeted phishing)—through e-mail attachments is one of the most common methods by which intruders get in. It’s essential to regularly train your staff so that they know better than to automatically click on links and open attachments in e-mails. A trained and aware staff is one of the best cyber defenses an organization can erect.
Stransky: I agree. I think employee training is one of the most critical measures a business can take to prepare for cyber attacks. If employees are vigilant and always have some degree of suspicion when they receive an unexpected e-mail, many attacks could be prevented.
Should companies be concerned about the exposure of their business partners—in other words, infection from another innocent party?
Pai: Absolutely. The Target hack showed us how cybercriminals first hacked into an HVAC vendor and then, when the vendor connected into the Target firewall, moved laterally through to the point-of-sale infrastructure, from where they stole millions of records. From a cyber perspective, organizations should consider vendors part of their extended ecosystem. It’s key to provide incentives to your vendors to help ensure good cyber posture.
Schneider: Whether those partners are contractors or customers, any time you engage with a partner and they connect or handle your data, their risk becomes yours.
What kinds of issues and costs for companies are typical following a high-profile breach?
Pai: Following a Target-like breach, there are incident response costs to contain the breach, evict the intruders, and recover operations quickly. Following this, companies that have been breached (often with the help of breach coaches) are required to chart a course of action to support affected consumers (and/or employees). They must determine which consumers were affected, notify them, provide them with credit monitoring, and cover fraudulent transactions. There may be liability issues forthcoming from consumers, their card issuers, and so forth. An event such as this may also cause substantial business interruption or disruption. And then there are the potential reputational impact and public relations expense that may be needed to repair brand and image.
Schneider: In legal terms, fines tend to vary according to jurisdiction, type of data breach, and resultant damage. But in my opinion, the far more damaging impact from a data breach is the potential loss of customer confidence and associated reputational damage.
Stransky: I agree. There are often “fuzzier” costs to consider. A company’s reputation is at risk. Also, C-level executives tend to be ousted or resign after a major incident. Their cyber insurers will likely charge them more to renew their cyber insurance policies. But speaking of cyber insurance, most policies today don’t have limits high enough to deal with a major incident. In the Target breach, the company had an insurance tower with a total limit of $100 million, but the direct costs of the data breach were several times greater than that.
And finally, where do you see cyber going in the next few years?
Stransky: I think business interruption will likely be the key driver of loss in the next few years. We’ve seen incidents like the AWS outage this year and the Dyn DDoS attack in October 2016. Both were shorter in duration than the typical cyber insurance waiting period (time deductible). But it’s probably only a matter of time before we see an aggregation event that exceeds the waiting period.