Cyber Vulnerability Report 2015

Cyber Vulnerability Report 2015

Executive Summary

In only the last decade it has become far more apparent that we now frequently engage in a series of interconnected electronic worlds linking our work to emails and mobile apps, trading on the Web, which is also a place where currency in bitcoins is now being used and criminalized, actions which do not register on government crime statistics. There are also social media sites that have globalised community gossip and the Web that allows you to buy, sell, research and email. All of which has reduced face-to-face communication to a series of texts and screen views. 

Everyone from governments to corporates and individuals, whether they understand or not, now rely on cyber computer codes and cyber systems for many functions and connections for many aspects of life and work. Systems from power grids to satellites use electronic networks that enable and control their processes. And everything from the Internet to email, mobile phones and social networks engage with most people’s lives on a daily basis. 

Recently, the growing tide of cyber attacks has begun to spawn a new awareness of the current cyber risks to business. This awareness is growing because of the news of attacks on corporates like Sony to JP Morgan to hacks on different government IT systems. And these attacks have affected everything from intelligence systems to health care records. And hackers have also attacked most corporates and more recently thousands of SMEs across the US and EU and this process is increasing.

These types of attacks and threats include the theft of intellectual property, data hacking, serious media communications and Public Relations issues, customer data theft, operational impairment, disgruntled employee hackers as well as external hacks and the systematic exploitations of system vulnerabilities.

And in the last few months it has now become very apparent that all companies of all sizes need to take a new approach to their cyber vulnerability. And they can do so by looking at themselves through the eyes of their attackers. 
In the Military this is known as turning the map around. The point is to get inside the mind of the hackers, and to see the situation as they do, in order to anticipate and prepare for what’s to come. To do this, businesses could use White Hat External Hackers (WHETs) to irregularly hack their systems and then use the information gained to continually secure and improve their cyber security and to engage with the opportunities that the hackers also see as being unused.
Recently it has become clear that cyber hacks can be undetected for weeks or even months giving the hackers time to move about with your systems architecture and to understand other vulnerable aspects of the cyber systems. Perimeter security at this point have become irrelevant and useless from a control perspective however the malware being used by the hackers has to communicate back to the attackers and monitoring tools have recently become more sophisticated and can be used to monitor the different types of systems traffic and this can be used to identify hacks.
Changes in enterprise IT over the past decade mean that every company is now at least partially a technology company. By the end of the decade, there will be 50 billion devices connected to the Internet that will complicate networks and generate petabytes of data. To add to this, the cloud revolution has finally dissolved some of the secure perimeters that companies had constructed. Now some companies use the benefits of a cloud infrastructure as a service but they then must depend upon the security of separate networks and systems, which are beyond their direct control.
Most companies try to deal with this chaos by building walled castles around their most precious assets, but unfortunately perimeters now often don’t matter as these systems are often infiltrated by using changes to the systems connections, software and more sophisticated malware that can be launch into a system by someone on the inside just opening an email.  
We are in a new future where most CEOs and CIOs are still endangering their businesses by not engaging with and understanding the commercial risks of cyber security. They therefore do not properly engage and focusing on IT security and opportunities and thereby they are not helping to ensure that the company is continuously monitored for electronic opportunities or securely supervised and has its cyber insurance cover updated and checked.

Cyber security has in a very few years expanded from an apparent narrow IT problem into a very broad area of growing tactical and strategic risk which now requires senior management’s full engagement and understanding. 

Protection of internal IT, commercial activities, media and customer relations and the effects of potentially negative media stories on customers and clients now requires forward looking strategies and effective cyber insurance security. 

Cyber insurance is offered for financial protection on some electronic risks apparently everything from systems failure through to hacking attacks, but it is often not clear what is actually protected and what areas of current and potential attacks are uninsured. 

The problem from an insurers perspective is that the definitions of cyber attack/risk have grow significantly and the areas that the concepts cover are now too broad to be adequately covered by one comprehensive cyber insurance policy.

Therefore there is now a real requirement both from the client and the insurers view point to clarify and understand what internal security is required and what the different types of cyber insurance actually cover.

Many companies are now struggling with the insurability of their cyber exposure. And the broadening of the risk spectrum has made cyber risk a game-changing phenomenon for both business and the insurance industry. The risk spectrum can now affect numerous lines of insurance coverage as well as escalate costs and losses far beyond those of a typical recent but now historic privacy breach. 

Despite increasing professional awareness, the insurance industry’s response to date has largely been directed at data-breach risk. Although these developments have been positive, and some firms have been at least partially protected by their insurance policies when breaches have occurred, however for most operations the current data protection and privacy is only a fraction of cyber risk. 
The more positive developments are that more comprehensive coverage maybe getting closer, since the insurance industry has signaled that it is willing to deploy its risk-financing capacity behind the right framework. This potentially will give CFOs and financial risk managers some of the appropriate strategic tools to use in tandem with tactical controls that are being deployed by their operational managers.
However what is clear is that much more work and understanding is required by the individual business about their internal IT structure, media communications and Public Relations (PR) exposure, employees training and security and the cyber issues within the industries and services that the business is working across. 
It is now apparent that current insurance policies do not adequately cover cyber risks. Recent work in cyber security is often aimed at detection, reduction and elimination of current cyber attacks however it should also analyse the broader industry potential risks and understand the changes taking place. This should now be considered a major strategic agenda issue that senior management should take full control of. 

Current cyber-insurance is used to protect businesses and individual users from Internet-based risks and is related to information technology infrastructures and activities. Risks of this nature are typically excluded from traditional liability policies and so it has become very important to understand what you and your organisation’s cyber risks are and what specific threats your insurance coverers. 
In a business environment that seems chronically susceptible to breaches, purchasing cyber-risk insurance may sound like common sense. Yet despite the historic increase in data breaches in 2014, less than fifty percent of corporates have adequate cyber cover in the US and EU. Often the cyber cover taken by corporations does not cover the full extent of their risk and liability. This is particularly in the case of their client’s data liability, media exposure and PR damage.  
In the broader commercial arena more than two-thirds (67%) of small and medium-sized businesses (SMBs) are often unaware that dedicated cyber-insurance exists. And so currently only 2% of SMBs surveyed actually hold cyber-insurance.
These results come even as it has often been shown that SMBs are sometimes even more at risk than large companies to the after-effects of a data breach. SMBs have fewer resources to handle the media and PR fallout and an attack, as have often been seen recently, can put them out of business. 
However, juggling the demands of already-small budgets and narrow profit margins can discourage the purchase of potentially expensive cyber insurance. Plus, cyber-insurance products are often complex and expensive, and can contain many threat exclusions.
The area of greatest concern for small, medium and large businesses is still the need for strategic understanding of the business’s liability if a cyber breach takes place. 
Any real knowledge of insurance premium costs by SM/LBs is relatively distant, while factors such as understanding the likelihood of a breach or knowing exactly what the policy would cover lag even further behind. And almost one-fifth of SMBs have said that they would never purchase cyber-insurance, unless required to by law.
However what has become clear is that the current process alone will not produce a secure electronic-space for any organisation looking for cyber insurance. 

We now believe that cyber insurance needs to be connected to secure irregular but controlled White Hat Cyber Hacking Audits that specifically review an organisation’s IT systems for its security systems and hacking vulnerabilities and this process will be reviewed along with cyber history, types of cyber threats, effects and future outcomes.

Current News from Lloyd’s on Cyber Insurance

The head of Lloyd's of London, one of the biggest insurance markets in the world, has urged business chiefs to put safeguards against cyber attacks at the top of their agendas, in the wake of recent reports about a two-year Russian hacking fraud, which netted £650m from global banks.
What has been said to be one of the largest cybercrimes to date, Lloyd’s of London chief executive Inga Beale believes the fraud highlights the seriousness of the threats posed to globally connected businesses and says her organisation is preparing its clients for the new challenges ahead.
UK companies lose up to £268m a year through cybercrimes. This includes the damage caused by the attack itself and the ensuing internal and media/PR chaos and believes the situation is only going to get worse. 
Since 2011, Beale says the size of the market for insurance contingencies has more than doubled, from less than £672m worldwide to nearly £1.6bn, however, many UK firms are leaving themselves exposed as the bulk of cyber insurance is still sold to US companies. 
Last month, a Government commissioned report showed 81% of large UK businesses had suffered an online security breach in the past year, yet 98% had failed to take out insurance that could help them recover. 
A separate study by financial giant Allianz claimed that Europe’s cyber-insurance market alone could be worth more than £670m by 2018.
In an interview with the Daily Telegraph, Beale said: “Cyber risk poses the most serious threat to businesses and national economies, and it’s an issue that’s not going to go away. The London market has a long, proud history of finding innovative solutions to insuring large, complex risks that are challenging to underwrite locally.”
Lloyd’s Insurer Says Cyber Risks Too Big to Cover
However the head of the largest Lloyd’s of London insurer has called for governments to cover the risks of cyber attacks, saying the potential liabilities are too large for insurers to cover.
Stephen Catlin, founder of Catlin Group, said cyber security presented the “biggest, most systemic risk” he had encountered in his 42-year career in insurance, in part because a vulnerability in widely-used software or internet architecture can affect systems globally, putting the industry on the hook for simultaneous, multibillion-dollar payouts.
“Our balance sheets are not large enough to pay for that,” Catlin told the Insurance Insider London conference on Thursday, according to The Financial Times.
In the latest cyber attack against a major US firm, health insurer Anthem reported that hackers stole the account information of as many as 80 million customers. 
Such electronic incursions present an opportunity for the insurance industry to sell more coverage. Policies are designed to help companies meet costs including mounting forensic investigations and defending lawsuits.
But Catlin stressed that cyber attacks are unusually systemic, rather than, for example, a natural disaster that affects only one specific region. “It’s possible that you can have the same loss happening around the globe,” he explained.
Governments have already established state-backed schemes to provide coverage for acts of terrorism — such as Pool Re in the United Kingdom and the Terrorism Risk Insurance program in the US because the insurance market was unwilling to do so. But Catlin said cyber security posed an even bigger threat than terrorism.
“He’s got a valid point,” Andrew Horton, chief executive of Beazley, a rival Lloyd’s insurer, told the FT. “We’re very mindful of the potential aggregation impact. It’s something governments should be putting a lot of thought into.”
Rob Lay, a security expert at Fujitsu, said businesses should not rely on insurance to protect themselves from a cyber attack. “While insurance may help mitigate some of the financial impact of a security incident or breach, the reputational impact and the impact to the business operation cannot be mitigated with insurance in the same way,” he said in a news release.

Background to Cyber Insurance

Early works in the 1990s focused on the general merits of cyber-insurance, or protocols borrowed from digital cash. 
In the late 1990s, when the business perspective of information and data security became more prominent, visions of cyber-insurance as risk management tool were formulated. 
Although its roots in the 1980s looked promising, battered by events such as Y2K and 9/11, the market for cyber-insurance failed to thrive and remained in a niche for unusual demands. 
From an insurance industry perspective even a conservative forecast made in 2002, which predicted a global market for cyber-insurance worth $2.5 billion in 2005, turned out to be over five times too high. 
Overall, in relative terms, the market for cyber-insurance shrank as the Internet economy grew. In practice, a number of obstacles have prevented the market for cyber-insurance from achieving maturity. 
Absence of reliable actuarial data to calculate insurance premiums, a lack of awareness among senior decision-makers, as well as legal and procedural hurdles have all contributed to little properly focused insurance demand. 
However now in 2015 there is a growing need for cyber insurance policies even if this requirement has not been clearly reviewed and understood in most commercial operations and businesses.  

Current Market Overview 

The infrastructure, the users, and the services offered on computer networks today are all subject to a wide variety of risks posed by threats that include distributed denial of service attacks, PR and negative media stories, which have already severely affect the status of businesses in their marketplaces and severely damaged their client relationships. The range of threats and attacks has grown significantly and now includes data intrusions of various kinds, eavesdropping, hacking, phishing, worms, viruses and spams. 
In order to counter the risk posed by these threats, network users have traditionally resorted to antivirus and anti-spam software, firewalls, intrusion-detection systems, (IDSs), to reduce the prospect of being affected by threats. 
In the most basic terms, security risk is the product of the cost or financial impact of a security breach and the likelihood that a breach occurs. In other words, Risk = Cost and Media/Market-place/Client Impact x Rising Likelihood of Cyber Breach.
In practice considerable research efforts are currently centered on developing and deploying tools and techniques to detect threats and anomalies in order to protect the cyber infrastructure and its users from the resulting negative impact of the anomalies and a relatively few number of operations are now engaging with the more focused processes. 
And yet in spite of improvements in risk protection techniques over the last decade due to hardware, software and cryptographic methodologies, it is still very difficult to achieve annual on-going perfect/near-perfect cyber-security protection. The impossibility arises due to a number of reasons – such as these three:

1.    There is a distinct lack of industry specific IT solutions.

2.    Difficulty in designing solutions for the varied intentions behind network attacks.

3.    Misaligned incentives and lack of agreement between network users, security product suppliers and the regulatory authorities when it comes to protecting networks.

In view of these and other industry specific critical issues inevitably the barriers to near 100% risk mitigation still do not exist.
Cyber-insurance should be a risk management technique via which network user risks are transferred to an insurance company, in return for the insurance premium. 
Proponents of cyber-insurance believe that cyber-insurance would lead to the design of insurance contracts that would shift appropriate amounts of self-defense liability to the clients, thereby making the cyberspace more robust. Here the term ‘self-defense' implies the efforts by a network user to secure their system through technical solutions such as anti-virus and anti-spam software, firewalls, using secure operating systems. 
Cyber-insurance has also the potential to be a market solution that can align with economic incentives of cyber-insurers, users policy makers, and security software vendors.
Empirical data about the different types of cyber risk is relatively limited and very focused. Almost all data published in the sphere of cyber risk provide only broad indications of total cyber risk in that they deal in averages for specific market segments.
 
Market commercial property and liability insurance is available in most insurance markets worldwide. However, property policies typically only cover damage to physical assets such as production facilities, and exclude cyber risk. 

A specialized market providing coverage for cyber risks has emerged in recent years, most prominently in the United States. As yet, however, market coverage is relatively small. Moreover, outside the United States, insurance coverage for cyber risk is not well known and not much used. 

In Europe, for example, only about 25% of corporations are aware that this type of insurance exists and only 10% have purchased cyber risk coverage. 

Figures for the United States show a similarly low average level of coverage, but large variations between industries among the Fortune 1000 companies. 

Current annual gross premiums for cyber insurance in the United States are thought to be US$ 1.3 billion and growing 10–25% on average per year. Continental Europe is estimated to generate premiums of only around US$ 192 million, but this figure is expected to reach US$ 1.1 billion by 2018.

Owing to the new and evolving nature of the market, products and coverage change rapidly, and exclusions as well as terms and definitions vary significantly between competitors and so a more detailed analysis of the threat sources is required.

Threat Sources

A cyber-attack may involve an external or internal hacker, a virus, malware, phishing or other activity on your computer system. Attacks that come from outside your company can be such things as a virus attached to an email entering your system or a specific computer code used by a hacking group to access your computer. Attacks can also come from within by illegal or thoughtless employees. The effects of such attacks can be devastating and widespread. 
A single event may result in any of the following:
1.    Loss or Damage to Electronic Data 
A cyber-attack can damage electronic data stored on your computers. For example, a virus damages your sales records, rendering them unusable. The problem then of recreating them is a time-consuming process that involves reviewing all old invoices.
2.    Damage to Your Reputation 

A cyber-attack can seriously damage your company’s reputation. Potential customers may avoid doing business with you because they think you are careless, your internal controls are weak or that an association with you will damage their reputation.

3.    Extra Expenses 
A cyber-attack may cause you to incur extra expenses to keep your business operating. For instance, after a hacker damages your computers, you are forced to rent laptops for your employees to use while your computers are being repaired.

4.    Loss of income
An attack may also cause you to lose sales. For instance, a denial of service attack makes your computer system unavailable to customers for days, shutting down your business. During the shutdown, your customers go to your competitors, causing you to lose income.
5.    Network Security and Privacy Lawsuits 
A cyber thief may steal data stored on your computer system that belongs to customers, vendors and other parties. These parties may sue your firm. For example, a cyber-thief hacks into a medical system and steals a customer's confidential file that reveals his sexual orientation. The hacker makes that information public and your customer sues you for invasion of privacy. Alternatively, a hacker steals information about a customer's upcoming merger. Because of the theft of the data, the merger falls through. The customer sues you claiming your failure to protect its data caused your customer to incur a financial loss.
6.    Extortion Losses 
A hacker steals sensitive data (yours or someone else's) and then threatens to post it on the Internet unless you pay a ransom.
7.    Notification Costs 
The best example of Notification Costs is the United States, where 46 of the 50 States have mandatory requirements for data breach notification. In the UK, the impending draft EU Data Protection Regulation includes mandatory notification of breaches, but the scale and timing of this new regulation is still to be determined.

Threat Protection

The infrastructure, the users, and the services offered on computer networks today are all subject to a wide variety of risks posed by threats that include distributed denial of service attacks, intrusions of various kinds, eavesdropping, hacking, phishing, worms, viruses, spams, etc. 
In order to counter the risk posed by these threats, network users have traditionally resorted to antivirus and anti-spam software, firewalls, intrusion-detection systems (IDSs), and other add-ons to reduce the likelihood of being affected by threats. 
In spite of improvements in risk protection techniques over the last decade due to hardware, software and cryptographic methodologies, it is impossible to achieve perfect/near-perfect cyber-security protection. 
Proponents of cyber-insurance believe that cyber-insurance would lead to the design of insurance contracts that would shift appropriate amounts of self-defense liability to the clients, thereby making the cyberspace more robust. 
Here the term ‘self-defense' implies the efforts by a network user to secure their system through technical solutions such as anti-virus and anti-spam software, firewalls, using secure operating systems. 

For many insurers and brokers, the technicalities of information security and the details of how to deal with a data breach are still a mystery. 
A good starting point is to determine what costs or expenses you would like to have covered and what types of incidents you want cover for. Circulate and discuss this list with all the relevant people, not forgetting to get all the information you need from third-party suppliers and partners. List both your own costs (known as first-party costs) and the costs that others may attempt to claim from you as a result of the incident (known as third-party costs).
Then every business should have an independent cyber audit review that analyses the specific business cyber security protection methods/systems. The staff training and engagement should be monitored and all should be measures it against the current and potential relevant industry models. 
And then businesses consider these three important insurance steps: 

1. The Broker
Getting the right broker is important. A good specialist broker will save you time in determining what is right for your business, remembering that this may not be the broker you are currently using for your non-cyber risks. Share your list of estimated expenses and costs with your broker and talk through the different exclusions that might stop you from making a claim.
2. Insurance Company
Apart from obviously being responsible for the product, insurance companies are responsible for providing support to your broker about the products. In addition, they will decide if they are willing to take on your risks according to your completed proposal form and what premium you will need to pay. Choosing the right insurer can be the difference between paying little for cover that you will never be able to utilise in the event of an incident or having cost-effective cover where the insurer understands the implications of a breach and the costs associated with it.
4.    Policy
Selecting the right policy for your business, business model, industry, size, exposures and so forth is a complex exercise, which is why a specialist broker is important, as they are likely to know the best products to suit your needs.
It is important to understand the support you receive as part of the cover. Some policies provide a point of contact who will handle everything from the moment the insurer has agreed the claim, whereas others will let you manage the incident and decide which services you want to use from their list of suppliers.
Remember that your organisation may not have the people or experience to manage a data-breach incident and so some forms of third-party analysis can be of real commercial and financial benefit.
For small and medium-sized enterprises (SMEs) there are very simple policies available, but sometimes these policies raise more questions than they answer as they do not always provide a long list of exclusions or terms and definitions.
Current and Future Threats and Solutions

We are seeing the rise of security breaches that are costing millions of dollars to companies, and for the first time in 2013 losing millions of identities too.
When a business strives so hard to build a loyal customer base, the last thing it needs to happen is for your customer base to be put at risk. And hackers are now changing their methods of attack. 
Where e-mails were the prime focus in 2012, now it is through downloads and the move to mobile devices that has provided another route for infestation. Wherever personal information is stored, it’s an opportunity for hacking. With more mobile devices and apps connecting electronic accessories, the individual needs to consider the safety of the data they are capturing as part of their lifestyle everyday.
As well as two major hacks last year, a number of other threats show that data breaches can have a significant impact to the bottom line of business. Here are three from 2014:
Heartbleed (April 2014) – When encrypting data, a number of website use the software OpenSSL. This is often personal and sensitive identity data that can include usernames, passwords, credit card details etc., and put personal, customer and government data at risk. The way the Heartbleed bug works is that it ‘bleeds’ the server of data that has been encrypted in OpenSSL in 64 kilobytes of information at a time. It can do this over and over again without anyone realising the server has been hacked. It is both difficult to find, and difficult to patch.

Shellshock (September 2014) – This virus is anticipated to be worse than Heartbleed, and hits typically on Mac, Linux or Unix or if you run the Apache software. In simple terms, it’s a bug in the software knows as Bash that launches applications by typing text commands. A malicious code extension takes over the operating system, giving access to data. Bash has been around for more than 25 years, and the threat is real for every version. Once access is gained, hackers can enter any area of a machine.

Poodle (October 2014) – Padding Oracle On Downloaded Legacy Encryption (Poodle) 

A smaller threat than Heartbleed and Shellshock, security experts have said that hackers could steal browser ‘cookies’ in Poodle attacks, potentially taking control of email, banking, and social networking accounts.

Future hacking attacks
Future attacks lie within the technological systems that are commonplace in business, or are now used as commonplace personal lifestyle accessories. These may come from increased access to the Internet and with new technological advancements from cognitive computing to the Internet of Things, all of these become points for additional cybercrime that can steal data, interrupt connection, or cause financial devastation.
The future of hacking will continue to see the realisation of significant disruption for maximum impact. And unfortunately, with technological advancement comes the pitfalls of this progress.

Conclusions

It is clear that now cyber security, and cyber opportunities, needs to be an understanding at the highest levels of all organisations and should be considered as a significant strategic concern. 
To help counter the attacks and threats Security Risks Teams should be formed that include the CIO, Strategy, Security, IT and Development Directors and a team of independent analysts who should regularly report about cyber directly to the CEO and Main Board. 
Cyber security therefore needs to be a Main Board strategic concern and a team that includes the CIO/IT Director must report directly to the main board. An independent team must also be used to review and randomly check processes and procedures and data on a regular basis and this team should be independent of the IT department and its day-to-day operations. It should act as an independent audit team. 
From a security viewpoint the independent external team must also be used to review and randomly check processes and procedures and data on a regular basis. 
The teams used would be similar to the Annual Financial Audits and this Cyber Security Audits Team should be independent of the IT department and its day-to-day operations.
 It should act as an independent audit team on an irregular basis throughout the year and it should use White Hat Hackers to delve deep into the electronic systems looking for current and potential problems. 
This team should frequently report to IT, senior management and the Board on changes of security and should produce current Cyber Reports. 
The Board, IT and Communications/PR should be registered and receive weekly Cyber News that is specific to the issues relating to the their industry and services to ensure they are fully aware of the issues that are affecting their industry, marketplace and clients.
This independent team should be reviewed by the Board and by internal IT management and the changes should be incorporated within the strategy and tactics.
And importantly these internal and external product/service development teams should frequently review cyber opportunities and these should be reported to the Board and changes incorporated within the organisation’s strategy and tactics.
The Board should also separately discuss worst-case scenarios with the CIO/IT Director and reviews should independently take place using the outside consultant teams as cyber crime is costing businesses around the world over $300 billion a year and the opportunities for business development are also being missed.    

For an Independent Cyber Vulnerability Report contact: info@cybersecurityintelligence.com