Wednesday, June 22, 2016

The Unexpected Strategic Benefits of Cyber Insurance

James McFarlin

Managing cybersecurity risk in today's environment of rampant cybercrime has become a critical management responsibility for organizations of all sizes.

Organizations recently experiencing major losses from cybercrime include the IRS (700,000 tax returns), Anthem Healthcare (100 million+ health records) and even the NY Federal Reserve, from which $81,000,000 was stolen out of a customer's account in February.

According to the US Chamber of Commerce, businesses with fewer than 100 employees experience 71% of all cybercrime attacks. This is due to the relative ease of breaching organizations that often do not invest in cyber defenses and employee training.

Ransomware, the current cybercrime method of choice, is up ten-fold in the first quarter of 2016 over the same period in 2015. Recent ransomware targets include hospitals such as Hollywood Presbyterian in Los Angeles, city governments and even police departments.

Protection comes with a cost. But the consequences from a breach or scam can be vastly greater and can place the viability of the business in jeopardy.

For perspective on this topic, I turned to cybersecurity insurance expert Roberta Anderson, partner and head of the cybersecurity practice in the Pittsburgh office of the global law firm K&L Gates.

"Recovery from data breaches is a time-intensive, distracting and resource-consuming process that impacts not only the operation of the organization but potentially its relationships with customers, suppliers and financial partners.

"Every organization has its crown information jewels, whether it be customer data, financial records, or proprietary business tools. These must be protected. Seeking to limit their losses following attacks, many organizations are investigating cyber insurance as a means to help them recover and to maintain financial viability.

"Cybersecurity is becoming increasingly recognized as more of a management and organizational cultural issue than a technology issue. The four words that cause cyber vulnerability more than anything else are 'Cybersecurity is IT's problem.'"

Clearly, cybersecurity events will happen. What is essential is to plan for them so they do not take you down if they occur.

Ms. Anderson added, "One of the true values of evaluating cyber insurance is that it causes the organization to look at cybersecurity practices, network protections, data backup and employee training - which in turn actually reduces their risks because of the increased awareness and planning. Management ends up with a roadmap for improved cybersecurity. This alone is worth the cost of the insurance."

Smaller firms, she emphasized, should sit down with their insurance agent, look beyond their general liability policies and evaluate cyber coverage: "The risks of not providing financial cushion from cyber intrusions are simply too high for most small organizations to deal with successfully."

The net-net of the conversation with Ms. Anderson: "Those with cyber insurance benefit from both a greater peace of mind and improved cybersecurity practices. These are gifts most do not expect but which many receive."

Tuesday, May 10, 2016

Cyberwarfare Goes Mainstream

James D McFarlin

After years of operating in the shadows, cyber weapons are making their presence known in conflicts across the globe.

An NSA-provided map of the United States depicts more than 600 cyberattacks from China over the past five years, making the nation look like a well-hit target from the shooting range.

On December 23, 2015, cyberattacks against Ukraine's electric grid, widely attributed to Russia, took out power to 230,000 citizens in the dead of winter.

The U.S. Navy is concerned enough about China's aggressive moves in the South China Sea to resume training its sailors in navigation using the sextant after a 25-year absence, in case Chinese-led cyberattacks disable shipboard digital navigation systems.

What is going on here?

Offensive cyberweapons have become increasingly recognized as a must-have capability for protecting and advancing national interests. The result, according to a recent report in The Wall Street Journal, is a "near-frantic and destabilizing global digital arms race" with more than two dozen countries actively building their cyber caches.

Iran's cyber strategies are of particular concern. Whether it be the destruction of some 30,000 Saudi Arabian national oil company computers, which came close to bringing the organization to collapse, continuing attacks against U.S. online banking networks, or most recently the breaching of the Bowman Avenue Dam in New York, Iran makes little secret of its cyber reach or ambitions.

As stated recently in the Financial Times, Iran's cyber capabilities have matured from just one more option in their toolkit to a strategic military capability for projecting power. Iran, the article states, is "poised to do something with cyber that will change the way the world looks at it."

How are these escalating global cybersecurity risks going to play out? We don't know. But we do know there is little sense of urgency and even less tangible U.S. strategy to deal with such imminent threats.

In recent U.S. Senate testimony, asked if he were concerned enough about potential cyber grid attacks to categorize them as acts of war, Lt. Gen. Vincent Stewart replied that if the military had a "much fuller definition of the range of threats in cyberspace it could then begin thinking (emphasis mine) about such consequences."

Homeland Security Secretary Jeh Johnson made his lack of concern plain when quoted in Ted Koppel's book "Lights Out" as saying that he just doesn't believe such (cyber) attacks will happen.

With this level of denial in full force, the next depiction of attacks against the United States may well be that of a tattered, empty shell, hollowed out from sea to shining sea.

Thursday, April 21, 2016

A New Paradigm in Cybersecurity

James McFarlin

The vast majority of networks and applications powering American businesses, government agencies and military services are aging legacy systems in which security was not a primary design criterion - perhaps not a criterion at all.

The massive worldwide growth of the Internet, and the security risks that accompany this global net, mean that we are now paying the price for this design omission.

Cybersecurity for these legacy systems is largely 'bolted on,' an arrangement which provides security ranging from marginally adequate to nonexistent - think the massive Office of Personnel Management (OPM) personnel information misappropriation and Sony Pictures Entertainment theft, system destruction and threats of extortion.

But technology is not the only force in cyber secure operations. Misdirected or absent executive oversight is a major factor. A recent study, The Accountability Gap: Cybersecurity and Building a Culture of Responsibility, found that while chief information security officers are spending more time in front of boards, information exchange is too often truncated by both the lack of cyber knowledge among board members and the communication ineffectiveness of the technical officers.

The study also found an "inability of technical officers to quantify and convey the actual impact of a breach," which limits the importance of the issue to the C-suite executives making decisions on cybersecurity budgets and staffing.

Accountancy and consulting firm Deloitte believes the issue to be even deeper. With cybersecurity now affecting virtually all aspects of the organization, "increased focus must be given to addressing a cultural change in the organization." In this new paradigm, "An integrated risk philosophy is mandatory, where cyber risk management and technology must be on an equal footing."

Some organizations, however, have begun to define cybersecurity as a risk management function, which forces cyber risks to be viewed in business terms. For many, this is a major transformation which will not come easily.

How long will such alterations take? Cultural change is difficult. But the reality of today's world means cyber breaches will deliver not only financial costs, but risks in customer retention, potential damage to reputation, brands, and in some cases, interruption of business operations.

Seen in this light, a paradigm shift in organizational thinking about cybersecurity has become essential and, increasingly, urgent.

A recent cybersecurity assessment from accountancy EY placed the issue in perspective, advising that, in cybersecurity, "High alert must be your constant state."