Risk Scenario

Undercut

A social engineering cyber attack results in a massive loss of medical records, a reputational hit and a merger gone bad.
October 20, 2015 • 7 min read
Risk Scenarios are created by Risk & Insurance editors along with leading industry partners. The hypothetical yet realistic stories showcase emerging risks that can result in significant losses if not properly addressed.

Disclaimer: The events depicted in this scenario are fictitious. Any similarity to any corporation or person, living or dead, is merely coincidental.

Engineer This

This was so much easier than hacking a system by harnessing software technology and using multiple computers and proxy servers. Still, it took a little bit of phone work.

A member of SubPrime OverKill, a group of financially motivated hackers going by the acronym SPOK, called the headquarters of Atlas Health Systems on the morning of Monday, July 1.

“Hi,” the hacker said in a friendly voice, when an operator answered the phone. “Can I please have the name of your head of Information Technology?”

“I’m not authorized to give that out,” the national hospital system operator said.

“OK,” the hacker said and hung up before the operator could ask him why he was calling.

It took him six more calls to get what he needed. He didn’t get the name of the head of IT, but he finally got the name of someone else in that department.

The hacker’s next call was to that office.

“Keith Duvall, please,” the hacker said in a much sterner voice when Duvall’s assistant answered.

“Who may I say is calling please?” Duvall’s assistant said.

“This is Special Agent Frank Dermont of the Federal Bureau of Investigation’s Cyber Security Bureau. We’ve confirmed that your computer system has been hacked and we need to access it immediately,” the hacker said.

The ruse was working so far. The assistant got flustered.

“Well, Keith’s not in right now, he’s…he’s in Kansas City,” she said.

“We need his username and password! Your system is under attack right now and crucial life-saving machinery in your hospitals’ neo-natal and intensive care units could be shut off within minutes,” the hacker said.

“Give me the username and password now or face obstruction of justice charges!” the hacker said.

“Wait, wait just a second, I have it here,” the assistant said, the thought of infants and the critically ill dying by the dozens overwhelming her.

The flustered assistant then gave the phony FBI agent a super administrator password and username.

And SPOK was in the hen house.

Over the next four months, unknown to hospital administrators, the hackers siphoned off hundreds of thousands of medical records from the large hospital system’s computer system.

At $80 per medical record, the thieves were making millions selling the records on the black market. And no one within the Atlas Health System administration had any notion of what they were up to.

Merging Blind

Two months after the hack, Dale Reed, director of risk management for a smaller hospital system, The Magnolia Group, received information that Atlas was planning to buy Magnolia and merge the two hospital systems.

There was already plenty on Reed’s plate. The demands of the Affordable Care Act and the escalating number of cyber attacks on not only health insurers but also health care providers were causing him great concern.

“Now this,” Reed said as he looked over an email from the Magnolia Group CFO, outlining the ways in which the terms of the Atlas deal were projected to impact various departments.

The good news for Reed was that it appeared his job was safe.

The challenge for Reed was that he was going to have to work hand in hand with the IT professionals and risk management team at Atlas in building a secure information technology system.

The deal was set to close in November and the C-suites with both hospital groups were expecting the systems to be fully integrated and secure by the end of the year.

“Don’t expect to see much of me,” Reed told his wife. “I’ve got some long work days ahead of me.”

In mid-October, as the merger moved closer to becoming a reality, Reed sought and obtained permission from higher-ups to begin conversations with the IT and risk management departments at Atlas about systems integration and security.

In conversations with Atlas officials, Reed took away two things that concerned him. One, it appeared Atlas did not use two-factor authentication for access to the hospital system’s IT environment.

If a hacker chose to target Atlas, Reed thought, all they would have to do was obtain an IT administrator’s username and password, and they would be in.

Two, in discussions with Atlas’ risk management department, it appeared that a cyber-attack incident response plan, while being developed, was not yet in place at Atlas.

Working late one night in the office, Reed concluded that he couldn’t be passive. He needed to take steps to make sure the combined hospital system’s IT environment was not only integrated but secure.

The Atlas/Magnolia merger closed as expected Nov. 16. The Magnolia name would go away and the system would keep the name Atlas.

The following day Reed asked for and received permission to hire an IT audit firm that he’d worked with before to examine the Atlas system, which was now in the process of being integrated with the Magnolia system.

The audit team was two days into its three-month contract when Reed got a call from the audit team’s chief examiner.

“The Atlas Health System network was breached back in July,” the examiner said.

“What?” was all Reed could say.

“We estimate hundreds of thousands of medical records have been stolen by a group that goes by the acronym SPOK. They might have taken as many as a million records.”

“You’ve got to be kidding me,” Reed said.

“We’re not kidding you, Dale,” the examiner said. “And it looks like some former Magnolia Group records might already have been lifted.”

The news that Atlas was four months into a massive cyber attack and that close to a million records had been pilfered was, of course, very painful for Keith Duvall and his superiors in the IT department and treasury.

When it became known that it was the IT department’s very own super administrator username and password that were used to breach the system, the head of Atlas IT resigned.

Dale Reed had taken the initiative and hired the IT audit team that found the breach. Now he would have the added responsibility of cleaning up the mess. Or trying to.

Pain. No Gain.

The next day, Reed was back on the phone, this time with the IT audit team’s chief examiner and his insurance broker.

“These aren’t like credit card numbers,” the broker was saying, as Reed felt sharp anxiety pains in his abdomen.

“It could take months to figure out what services, pharmaceutical, whatever, are being ordered with this stolen information. This medical information can go for $80 per record on the black market, it’s much more valuable than a credit card number and much harder to shut down,” the broker said.

The next morning’s newspaper told Reed and the rest of the Atlas executives a story they never thought they would read and would never want to read again.

SPOK sold information about the embarrassing medical conditions of a number of regional business, political and other public sector leaders to unscrupulous bloggers and those details were published online.

Examples included a local school superintendent with a sexually transmitted disease, the CEO of a local company who had bariatric surgery but didn’t want the information publicly disclosed, and the wife of a local pastor who was suffering from complications from breast implants.

“Did you see this?” came the panicked email from the Atlas CFO, including a link to the story.

“Saw it,” was Reed’s only response.

A class action lawsuit soon followed. The plaintiffs alleged that the combined company failed to conduct ample due diligence into the vulnerabilities of its IT system.

The reputational damage from the lost and sold medical records spurred Atlas executives to accelerate planned upgrades to their IT system. Millions in IT expenditures they’d expected to spread over 10 years were compressed to a two-year spend.

Add to that the notification costs and legal expenses connected to the breach and the defense of the class actions, and it became painfully clear that Magnolia and Atlas should never have merged at all.

Lessons Learned

Risk & Insurance® partnered with Swiss Re Corporate Solutions to produce this scenario. Below are Swiss Re Corporate Solutions’ recommendations on how to prevent the losses presented in the scenario. This perspective is not an editorial opinion of Risk & Insurance®.

Even the best-trained employees click on 2% of spam phishing emails. Once a hacker has access to your network, the ramifications are endless. The monetary costs of a breach can be in the billions of dollars, but losses aren’t just financial. After a cyber attack, companies face reputational and legal consequences, as well.

In our increasingly digitized world, computer hacks aren’t just the stuff of fiction. They’re a very real part of doing business. And almost all companies – large or small, public or private – are at risk. So when an attack does occur, you don’t want to be alone. You want a teammate you can depend on to mitigate your losses.

Swiss Re Corporate Solutions understands the threats you’re facing. That’s why we’ve enlisted the very best partners to help you protect your business after a breach. Our on-call vendors are elite forensics firms, law firms, breach notification firms, and call centers, so you can rest easy when the worst happens.

Swiss Re Corporate Solutions means knowledge, experience, financial and global reach. Let our experts create customized solutions that are right for your business. Visit www.swissre.com/cyber.

Dan Reynolds is editor-in-chief of Risk & Insurance. He can be reached at [email protected]

More from Risk & Insurance

Alternative Energy

A Shift in the Wind

As warranties run out on wind turbines, underwriters gain insight into their long-term costs.
September 12, 2017 • 6 min read

Wind energy is all grown up. It is no longer an alternative, but in some wholesale markets has set the incremental cost of generation.

As the industry has grown, turbine towers have as well. And as the older ones roll out of their warranty periods, there are more claims.

This is a bit of a pinch in a soft market, but it gives underwriters new insight into performance over time — insight not available while manufacturers were repairing or replacing components.

Charles Long, area SVP, renewable energy, Arthur J. Gallagher

“There is a lot of capacity in the wind market,” said Charles Long, area senior vice president for renewable energy at broker Arthur J. Gallagher.

“The segment is still very soft. What we are not seeing is any major change in forms from the major underwriters. They still have 280-page forms. The specialty underwriters have a 48-page form. The larger carriers need to get away from a standard form with multiple endorsements and move to a form designed for wind, or solar, or storage. It is starting to become apparent to the clients that the firms have not kept up with construction or operations,” at renewable energy facilities, he said.

Third-party liability also remains competitive, Long noted.

“The traditional markets are doing liability very well. There are opportunities for us to market to multiple carriers. There is a lot of generation out there, but the bulk of the writing is by a handful of insurers.”

Broadly the market is “still softish,” said Jatin Sharma, head of business development for specialty underwriter G-Cube.

“There has been an increase in some distressed areas, but there has also been some regional firming. Our focus is very much on the technical underwriting. We are also emphasizing standardization, clean contracts. That extends to business interruption, marine transit, and other covers.”

The Blade Problem

“Gear-box maintenance has been a significant issue for a long time, and now with bigger and bigger blades, leading-edge erosion has become a big topic,” said Sharma. “Others include cracking and lightning and even catastrophic blade loss.”

Long, at Gallagher, noted that operationally, gear boxes have been getting significantly better. “Now it is blades that have become a concern,” he said. “Problems include cracking, fraying, splitting.

“In response, operators are using more sophisticated inspection techniques, including flying drones. Those reduce the amount of climbing necessary, reducing risk to personnel as well.”

Underwriters certainly like that, and it is a huge cost saver to the owners. However, “we are not yet seeing that credited in the underwriting,” said Long.

He added that insurance is playing an important role in the development of renewable energy beyond the traditional property, casualty, and liability coverages.

“Most projects operate at lower capacity than anticipated. But they can purchase coverage for when the wind won’t blow or the sun won’t shine. Weather risk coverage can be done in multiple ways, or there can be an actual put, up to a fixed portion of capacity, plus or minus 20 percent, like a collar; a straight over/under.”

As useful as those financial instruments are, the first priority is to get power into the grid. And for that, Long anticipates “aggressive forward moves around storage. Spikes into the system are not good. Grid storage is not just a way of providing power when the wind is not blowing; it also acts as a shock absorber for times when the wind blows too hard. There are ebbs and flows in wind and solar so we really need that surge capacity.”

Long noted that there are some companies that are storage only.

“That is really what the utilities are seeking. The storage company becomes, in effect, just another generator. It has its own [power purchase agreement] and its own interconnect.”

Another trend is co-location, with wind and solar, as well as grid-storage or auxiliary generation, on the same site.

“Investors like it because it boosts internal rates of return on the equity side,” said Sharma. “But while it increases revenue, it also increases exposure. … You may have a $400 million wind farm, plus a $150 million solar array on the same substation.”

In the beginning, wind turbines did not generate much power, explained Rob Battenfield, senior vice president and head of downstream at JLT Specialty USA.

“As turbines developed, they got higher and higher, with bigger blades. They became more economically viable. There are still subsidies, and at present those subsidies drive the investment decisions.”

For example, some non-tax paying utilities are not eligible for the tax credits, so they don’t invest in new wind power. But once smaller companies or private investors have made use of the credits, the big utilities are likely to provide a ready secondary market for the builders to recoup their capital.

That structure also affects insurance. More PPAs mandate grid storage for intermittent generators such as wind and solar. State of the art for such storage is lithium-ion batteries, which have been prone to fires if damaged or if they malfunction.

“Grid storage is getting larger,” said Battenfield. “If you have variable generation you need to balance that. Most underwriters insure generation and storage together. Project leaders may need to have that because of non-recourse debt financing. On the other side, insurers may be syndicating the battery risk, but to the insured it is all together.”

There has also been a mechanical and maintenance evolution along the way. “The early-generation short turbines were throwing gears all the time,” said Battenfield.

But now, he said, with fewer manufacturers in play, “the blades, gears, nacelles, and generators are much more mechanically sound and much more standardized. Carriers are more willing to write that risk.”

There is also more operational and maintenance data now as warranties roll off. Battenfield suggested that the door started to open on that data three or four years ago, but it won’t stay open forever.

“When the equipment was under warranty, it would just be repaired or replaced by the manufacturer,” he said.

“Now there’s more equipment out of warranty, there are more claims. However, if the big utilities start to aggregate wind farms, claims are likely to drop again. That is because the utilities have large retentions, often about $5 million. Claims and premiums are likely to go down for wind equipment.”

Repair costs are also dropping, said Battenfield.

“An out-of-warranty blade set replacement can cost $300,000. But if it is repairable by a third party, it could cost as little as $30,000 to have a specialist in fiberglass do it in a few days.”

As that approach becomes more prevalent, business interruption (BI) coverage comes to the fore. Battenfield stressed that it is important for owners to understand their PPA obligations, as well as BI triggers and waiting periods.

“The BI challenge can be bigger than the property loss,” said Battenfield. “It is important that coverage dovetails into the operator’s contractual obligations.”

Gregory DL Morris is an independent business journalist based in New York with 25 years’ experience in industry, energy, finance and transportation. He can be reached at [email protected]