Cyber Threats

Health, Higher Ed Most Vulnerable to Cyber Attacks

Unpatched software remains a top cyber vulnerability. Low-tech "phishing" attacks continue to succeed.
By: | May 12, 2016 • 4 min read

As cyber risk management comes of age, more data and better analysis are leading to new realizations. One is that health care and higher education are the most vulnerable sectors, followed closely by financial services.

Another is that the vast majority of security breaches could be forestalled using simple measures, such as ensuring all updates and patches to software are installed and tested.

However, studies are starting to show that cheap, low-tech email attacks remain stubbornly effective despite expensive, high-tech protections.

All of those ideas were advanced and detailed at a fast-moving panel discussion May 11 in New York, sponsored by brokerage Crystal & Company.

Actuarial data is still thin in cyber, but Christopher Liu, head of cyber risk in the financial institutions group at AIG, said that “institutions in health care and higher education are the most hazardous classes of insureds. That is because they have the most sensitive information and that there is high turnover. Also, they usually do not have big budgets, so security is often not well supported.”

Christopher Liu, head of cyber risk, financial institutions group, AIG

Financial institutions, especially asset managers, are the second-most hazardous class, Liu added.

“They have the same attractive information, plus they have money.”

Mitigating that, they also tend to have better funded and supported security, and they are subject to heavy government regulation. That both keeps them on their toes and means greater external scrutiny: several panel members noted that firms became aware of breaches only when regulators noticed unusual activity.

“We find that we deal primarily with three areas,” said Austin Berglas, senior managing director at K2 Intelligence.

“Those are: unpatched vulnerabilities in software, misconfiguration of internal systems, and misplaced trust by employees. We get called in to handle a breach, and 99 percent of the time we find the vulnerability is unpatched.”

Berglas explained that the software companies race each other to send out new versions that often are not completely functional or secure. So they send out patches. “Windows does it every week on ‘patch Tuesday.’ But users don’t have any regular schedule or system for installing and testing patches. We find unpatched vulnerabilities dating back as far as 1999.”

The challenge of unsecured configurations between systems was dramatically demonstrated with the infamous attack on retailer Target, which came through the air-conditioning vendor. But Berglas emphasized the persistent and pernicious problem of simple phishing.

“It is estimated that 30 percent of individuals within a company will open an email, and 13 percent will click on an attachment, even if they have been warned not to,” Berglas warned.

John Mullen, Managing partner of the law firm Lewis Brisbois Bisgaard & Smith

“You spent half a billion dollars on security systems and firewalls, and one click on one phishing email by someone with elevated system privileges, and the bad guys have just defeated your half-billion-dollar defense. Now they are inside, with credentials, and you can’t detect them.”

The quickest and easiest thing that any company can do, “is to look for unpatched vulnerabilities in public-facing systems,” Berglas urged.

On the same theme, John F. Mullen, managing partner of the law firm Lewis Brisbois Bisgaard & Smith, stressed that “security goes way beyond IT.

“This is not just about the tech guys. Cyber security tends to get pushed downhill.” And that tends to mean lack of coordination on all fronts.

“I have been to meetings of the cyber response team, and everyone in the room is introducing themselves. This is the response team. Everyone in the room has to know everyone in the room.”

Similarly, “insureds have to know the coverage that they have bought. Is there a mandated forensics group? Outside counsel? If so, go meet with them. If you have options, vet them,” Mullen exhorted.

He expects the cyber insurance business to triple or quadruple in the next five years, in terms of premium spending.

Cycling back to the theme of internal responsibility, Paul Miskovich, senior vice president and global practice leader of cyber and technology errors and omissions coverage at Axis, said that 67 percent of cyber claims presented to his firm involved insider activity of some kind: clicking on a phishing email or failing to install a patch or use a firewall. Further, 25 percent of claims involved third parties such as vendors.

For all the focus on the breach itself, Miskovich added that “regulatory costs can be more than the costs of the breach, especially if you don’t have documentation of your security policies and protocols.” That includes documentation that the policies are in place and are rehearsed.

Noting previous comments that many losses are traced to breaches that have gone undetected for years, Miskovich said that a new area within cyber insurance is full coverage for prior acts.

Gregory DL Morris is an independent business journalist based in New York with 25 years’ experience in industry, energy, finance and transportation. He can be reached at [email protected]

More from Risk & Insurance

Risk Management

The Profession

Pinnacle Entertainment’s VP of enterprise risk management says he’s inspired by Disney’s approach to risk management.
By: | November 1, 2017 • 4 min read

R&I: What was your first job?

Bus boy at a fine dining restaurant.

R&I: How did you come to work in this industry?

I sent a résumé to Harrah’s Entertainment on a whim. It took over 30 hours of interviewing to get that job, but it was well worth it.

R&I: If the world has a modern hero, who is it and why?

The Chinese citizen (never positively identified) who stood in front of a column of tanks in Tiananmen Square on June 5, 1989. That kind of courage is undeniable, and that image is unforgettable. I hope we can all be that passionate about something at least once in our lives.

R&I: What emerging commercial risk most concerns you?

Cyber risk, but more narrowly, cyber-extortion. I think state sponsored bad actors are getting more and more sophisticated, and the risk is that they find a way to control entire systems.

R&I: What is the riskiest activity you ever engaged in?

Training and breaking horses. When I was in high school, I worked on a lot of farms. I did everything from building fences to putting up hay. It was during this time that I found I had a knack for horses. They would tolerate me getting real close, so it was natural I started working more and more with them.

Eventually, I was putting a saddle on a few and before I knew it I was in that saddle riding a horse that had never been ridden before.

I admit I had some nervous moments, but I was never thrown off. It taught me that developing genuine trust early is very important and is needed by all involved. Nothing of any real value happens without it.

R&I: What about this work do you find the most fulfilling or rewarding?

Setting very aggressive goals and then meeting and exceeding those goals with a team. Sharing team victories is the ultimate reward.

R&I: What is the most unusual/interesting place you have ever visited?

Disney World. The sheer size of the place is awe inspiring. And everything works like a finely tuned clock.

There is a reason that hospitality companies send their people there to be trained on guest service. Disney World does it better than anyone else.

As a hospitality executive, I always learn something new whenever I am there.

James Cunningham, vice president, enterprise risk management, Pinnacle Entertainment, Inc.

The risks that Disney World faces are very similar to mine — on a much larger scale. They are complex and across the board. From liability for the millions of people they host as their guests each year, to the physical location of the park, to their vendor partnerships; their approach to risk management has been and continues to be innovative and a model that I learn from and I think there are lessons there for everybody.

R&I: What is the risk management community doing right?

We are doing a much better job of getting involved in a meaningful way in our daily operations and demonstrating genuine value to our organizations.

R&I: What could the risk management community be doing a better job of?

Educating and promoting the career with young people.

R&I: What have you accomplished that you are proudest of?

Being able to tell the Pinnacle story. It’s a great one and it wasn’t being told. I believe that the insurance markets now understand who we are and what we stand for.

R&I: Who is your mentor and why?

John Matthews, who is now retired, formerly with Aon and Caesar’s Palace. John is an exceptional leader who demonstrated the value of putting a top-shelf team together and then letting them do their best work. I model my management style after him.

R&I: What is your favorite book or movie?

I read mostly biographies and autobiographies. I like to read how successful people became successful by overcoming their own obstacles. Jay Leno, Jack Welch, Bill Harrah, etc. I also enjoyed the book and movie “Money Ball.”

R&I: What is your favorite drink?

Ice water when it’s hot, coffee when it’s cold, and an adult beverage when it’s called for.

R&I: What does your family think you do?

In my family, I’m the “Safety Geek.”

R&I: What’s your favorite restaurant?

Vegas is a world-class restaurant town. No matter what you are hungry for, you can find it here. I have a few favorites that are my “go-to’s,” depending on the mood and who I am with.

If you’re in town, you should try to have at least one meal off the strip. For that, I would suggest you get reservations (you’ll need them) at Herbs and Rye. It’s a great little restaurant that is always lively. The food is tremendous, and the service is always on point. They make hand-crafted cocktails that are amazing.

My favorite Mexican restaurant is Lindo Michoacan. There are three in town, and I prefer the one in Henderson as it has the best view of the valley. For seafood, you can never go wrong with Joe’s in Caesar’s Palace.


Katie Dwyer is an associate editor at Risk & Insurance®. She can be reached at [email protected]