Health, Higher Ed Most Vulnerable to Cyber Attacks
As cyber risk management comes of age, more data and better analysis are leading to new realizations. One is that health care and higher education are the most vulnerable sectors, followed closely by financial services.
Another is that the vast majority of security breaches could be forestalled using simple measures, such as ensuring all updates and patches to software are installed and tested.
However, studies are starting to show that cheap, low-tech email attacks remain stubbornly effective despite expensive, high-tech protections.
All of those ideas were advanced and detailed at a fast-moving panel discussion May 11 in New York, sponsored by brokerage Crystal & Company.
Actuarial data is still thin in cyber, but Christopher Liu, head of cyber risk in the financial institutions group at AIG, said that “institutions in health care and higher education are the most hazardous classes of insureds. That is because they have the most sensitive information and that there is high turnover. Also, they usually do not have big budgets, so security is often not well supported.”
Financial institutions, especially asset managers, are the second-most hazardous class, Liu added.
“They have the same attractive information, plus they have money.”
Mitigating that, they also tend to have better funded and supported security, and they have heavy government regulation. That both keeps them on their toes, and also means greater external surveillance. Several panel members noted that firms became aware of breaches when regulators noticed unusual activity.
“We find that we deal primarily with three areas,” said Austin Berglas, senior managing director at K2 Intelligence.
“Those are: unpatched vulnerabilities in software, misconfiguration of internal systems, and misplaced trust by employees. We get called in to handle a breach, and 99 percent of the time we find the vulnerability is unpatched.”
Berglas explained that the software companies race each other to send out new versions that often are not completely functional or secure. So they send out patches. “Windows does it every week on ‘patch Tuesday.’ But users don’t have any regular schedule or system for installing and testing patches. We find unpatched vulnerabilities dating back as far as 1999.”
“I have been to meetings of the cyber response team, and everyone in the room is introducing themselves. This is the response team. Everyone in the room has to know everyone in the room.” — John F. Mullen, managing partner, Lewis Brisbois Bisgaard & Smith
The challenge of unsecured configurations between systems was dramatically demonstrated with the infamous attack on retailer Target, which came through the air-conditioning vendor. But Berglas emphasized the persistent and pernicious problem of simple phishing.
“It is estimated that 30 percent of individuals within a company will open an email, and 13 percent will click on an attachment, even if they have been warned not to,” Berglas warned.
“You spent half a billion dollars on security systems and firewalls, and one click on one phishing email by someone with elevated system privileges, and the bad guys have just defeated your half-billion-dollar defense. Now they are inside, with credentials, and you can’t detect them.”
The quickest and easiest thing that any company can do, “is to look for unpatched vulnerabilities in public-facing systems,” Berglas urged.
On the same theme, John F. Mullen, managing partner of the law firm Lewis Brisbois Bisgaard & Smith, stressed that “security goes way beyond IT.
“This is not just about the tech guys. Cyber security tends to get pushed downhill.” And that tends to mean lack of coordination on all fronts.
“I have been to meetings of the cyber response team, and everyone in the room is introducing themselves. This is the response team. Everyone in the room has to know everyone in the room.”
Similarly, “insureds have to know the coverage that they have bought. Is there a mandated forensics group? Outside counsel? If so, go meet with them. If you have options, vet them,” Mullen exhorted.
“You spent half a billion dollars on security systems and firewalls, and one click on one phishing e-mail by someone with elevated system privileges, and the bad guys have just defeated your half-billion-dollar defense.” — Austin Berglas, senior managing director, K2 Intelligence
He expects the cyber insurance business to triple or quadruple in the next five years, in terms of premium spending.
Cycling back to the theme of internal responsibility, Paul Miskovich, senior vice president and global practice leader of cyber and technology errors and omissions coverage at Axis, said that 67 percent of cyber claims presented to his firm involved insider activity of some kind: clicking on a phishing email or failing to install a patch or use a firewall. Further, 25 percent of claims involved third parties such as vendors.
For all the focus on the breach itself, Miskovich added that “regulatory costs can be more than the costs of the breach, especially if you don’t have documentation of your security policies and protocols.” That includes documentation that the policies are in place and are rehearsed.
Noting previous comments that many losses are traced to breaches that have gone undetected for years, Miskovich said that a new area within cyber insurance is full coverage for prior acts.