Fear Takes No Holiday
In April 2013, an explosion rocked the street in front of the Charlesmark Hotel, a boutique property on Boylston Street in Boston that overlooked the finish line of the Boston marathon. In the chaos that ensued, the FBI closed a 12-block radius around the blast scene. Five hotels were completely locked down, including the Charlesmark, Mandarin and Lenox hotels.
Strictly from an insurance standpoint, the hotels, restaurants and businesses in that 12-block radius may have been the lucky ones. Direct impact to their operations would have at least given them access to insurance recovery for physical damage or for business interruption due to civil authority action, assuming they had the right coverages in place.
But what about the businesses outside that radius? No doubt their revenues suffered in the days and weeks that followed, as media coverage fanned the flames of fear, keeping Boston’s terrorism connection alive in the minds of the public.
It’s likely that few, if any of them, had language in their insurance policies that would help offset their losses while Boston struggled to regain some normalcy.
The volume of terror attacks has increased worldwide in a short period of time. At the time of this writing, three U.S. attacks with potential connections to terrorist organizations took place within a single 12-hour span on Sept. 17.
Fear has become one of the most challenging market conditions facing businesses that rely on travel and tourism. Gaps in coverage can take companies by surprise when high-profile events suppress travel, tourism and the general flow of commerce.
“There’s no question that the hospitality industry is affected by fear, as much or more than the event itself,” said Chad Callaghan, principal of Premises Liability Experts, based in Atlanta. Callaghan served Marriott International Inc. for 35 years, as vice president of safety and security.
Business hubs rebound more quickly, because business travelers can’t stay away for long. But companies dependent on leisure travelers for revenue can take heavy hits, depending on the nature and severity of an attack in their vicinity. It’s hard to calculate what the financial impact would be of a major attack at Disney World, or at the primary airport of the host city of the Super Bowl a week before the event.
“Terrorism is the thing that scares everybody,” said Joe Addison, executive vice president at JLT Specialty USA. “People don’t want to walk down Las Vegas Boulevard when two weeks ago there was a truck bomb there, and every time they look at a truck they’re going to worry, ‘Is there one in there?’ ”
Following the November 2015 terrorist attacks in Paris, bookings at luxury hotels in the city fell by 50 percent. Within days of the Brussels terror attack, hotel occupancy plunged from 82 percent to 25 percent across the city.
“Acts of terrorism have a lingering negative impact on revenue that simply can’t be recovered,” said Jan Schnabel, managing director and director of risk management with HUB International’s hospitality practice.
“The hundreds of billions of dollars that are lost in overall revenue in the tourism and hospitality world following an attack is inconceivable.”
The World Travel & Tourism Council estimates that it takes a region, on average, about 13 months to get back to normal following a terrorist attack. In the grand scheme of things, that’s not long. But it can still take a mighty toll.
And booking and cancellation stats don’t really give a complete picture of what hotels may face in the immediate wake of a terrorist attack, when trying to serve the limited guests they do have.
“It’s a tough thing for risk managers to really wrap their minds around,” said Sheri Wilson, national property claims director for Lockton.
“What if I can’t get laundry? What if the roads are closed so I can’t get the people in? What if I can’t get fresh fruit in?” Hotels may need to spend a considerable amount to get the goods and services they need.
Terrorism coverage for such losses and unexpected expenses is a tricky beast. Coverage under standard property policies is typically limited to property damage and business interruption related to property damage. It also depends on the event being certified as an act of terrorism by the U.S. Secretary of the Treasury.
“If you elect coverage through TRIPRA, or one of the other national terrorism pools, there may be limited or no cover depending on your underlying property policy and how the terrorism ‘pool’ ultimately responds,” said Steve Truono, vice president of global risk management and insurance for Starwood Hotels & Resorts.
Business interruption (BI), or time element coverage, can be triggered by other situations such as evacuation orders, transportation interruptions or power outages. Contingent BI can come into play as well, in some cases.
“I rely on housekeeping to keep my hotel open but if housekeeping [can’t get to work] because of a terrorist attack, I could, as a hotel owner, have [CBI] coverage,” said Wilson.
“Once the terrorism is certified, all of the coverages in the policy come into play.”
Consider the Boston marathon incident, said Christian Waeldner, vice president, crisis management and political risk at Starr Cos.
“You had a bunch of restaurants and hotels in close proximity to the finish line who were indirectly impacted by the bombing. … It took quite some time for life to get back to normal in the city center after the bombing and that’s a huge financial impact.”
Waeldner said Starr Cos.’ cyber and terror response product includes contingent BI that can be triggered by a terrorist event within two miles of an insured’s property, even if they are not directly impacted.
But it’s important to remember that the Boston bombing was never certified as an act of terrorism by the Secretary of the Treasury. Products such as Starr’s or Lockton’s new terrorism crisis solutions offer more comprehensive coverage that doesn’t require that certification.
Stand-alone terrorism policies often have distinct advantages for insureds, said John Welty, practice leader for SUITELIFE from program administrator Venture Insurance Programs.
“A stand-alone terrorism insurance program can help to reduce the gray areas of where our standard insurance policies are providing coverage,” he said.
“Depending on the policy form obtained, you may find some coverage for cancellation of booking or non-physical damage,” added Truono, but “a lot depends on your business exposures, what markets you buy from, and how much you’re willing or able to spend.”
Even where cancellation of booking is included in a terrorism policy, it is very likely that the coverage is sublimited, well below the several hundred million dollars of limits you may have for direct property damage, he said.
Loss of attraction is a specialized time element coverage that may provide some relief. But like cancellation of booking, the coverage is typically subject to low sublimits and is often subject to annual aggregate, not per occurrence, limits as well.
Risk managers should keep in mind that it can be complicated to prove a loss, said Truono.
“As risk managers, we have to be able to support the loss and demonstrate that the loss of net income was a result of the terrorist act, despite no physical damage to one’s own property.
“For example, in the hospitality industry, we would need to show that the reduction in room occupancy, RevPAR and ultimately net income, is a direct result of the terrorist act which results in interruption of our business due to guests’ or customers’ inability to freely and safely access the hotel.
“Likewise, loss emanating from leader property interruption (airport, convention center, etc.) ingress-egress, and/or military-civil authority may also support the basis for a claim.”
“The terrorism policies are pretty staid and strict and there’s a lot that they don’t cover,” said a Western U.S. risk management professional for a large resort and casino operator.
That can potentially leave risk managers on the hot seat if the C-suite assumes that buying any kind of terrorism policy means the company will be covered no matter what the circumstances.
“The worst thing is to have your boss think that, ‘oh we have terrorism coverage so anything that happens around here might be covered,’ because that’s not necessarily the case,” the risk manager said.
But the marketplace is changing for the better.
“We’ve gone from basic terrorism add-ons that most owners didn’t even look twice at [to] new offerings in the marketplace that are more comprehensive because of events such as [those in] Orlando and San Bernardino,” said Sean Spagnoli, vice president and client executive for HUB International’s hospitality practice.
“The notable changes are the new contingent products where you don’t have to have damage just to your location. It can be an event that happens anywhere from a 5 to a 50 mile radius.”
One such product from Florida-based New Paradigm provides parametric and contingent terrorism coverage for business income, extra expense, loss of attraction and brand protection. Coverage triggers can include terrorism occurring within a predetermined radius from insured locations, or occurring at other predetermined locations that could cause a loss.
“It will allow you to pick and choose different hotels and different scenarios,” said the Western U.S. risk professional, and it also offers the kind of capacity he needs for a large organization.
For many companies, said Addison, that kind of capacity is the key.
“Someone like MGM or Caesars … the amount of money going through those facilities a day — $10 million in coverage isn’t going to cut it. If they were to have a substantial event in Vegas and people just cancelled their reservations and were scared to go there, they’re going to need more like a quarter billion, half a billion.
“If they go from a 90 percent occupancy down to 60, that’s a lot of revenue because they’re making money from the food, they’re making money from the gambling. Then the question is — how long does it take before it comes back? Before people feel safe again?”
These conversations need to happen with the CFO, experts agreed.
Finance and risk management need to look closely at what could make people afraid to come to your properties and how it would affect the balance sheet, or significantly impact share price or investor ownership value or dividends.
“Imagine if you were a company in Las Vegas and [after a terrorist event] you had to tell your shareholders that you didn’t have coverage for that, and your share price drops 20 percent,” said Addison.
When you look at what companies pay in property insurance, the potential financial exposure to non-physical could be so much bigger, he added. “You could lose a lot more by having occupancy at your hotel drop by 50 percent for three months.
“At the end of the day, the idea of something out of your control affecting your business scares the crap out of people.”
Decisions about terrorism coverage, said experts, should be part of a larger process that includes a detailed risk assessment, the creation of a comprehensive crisis management plan specific to acts of terrorism, and simple measures to reduce the likelihood of becoming a target.
A good risk assessment doesn’t have to be expensive, time-consuming or interfere with operations, said Peter DiDomenica, former director of security policy at Boston’s Logan International airport, and president of security firm Quantum Innovation Corp. It can be as straightforward as reviewing the geography and physical layout of the property and evaluating existing training and security measures.
“It’s going to give you a road map for everything else.”
Most U.S. hotels and resorts haven’t undergone the level of “hardening” common in many other countries, but it’s important to take all reasonable measures, experts said.
“We have hundreds of thousands of people at a hotel,” said the resort and casino risk manager. “If someone just starts shooting, you can have a huge loss of life that impacts your property, your workers’ comp, your liability and your reputation worse than anything else.
“The reputation is the thing that is very difficult to do anything with. So it makes sense to do as much as you can on the front end because you’re limited in what you can do after something happens.”
That said, most U.S. property owners are reluctant to do anything that might appear extreme.
You want to “harden your properties, but do it in a soft way,” said Tarique Nageer, leader for U.S. property terrorism placements with Marsh USA. “By the nature of hotels, you can only do so much because they’re free-flowing places so you don’t want to impede guests or visitors … so you’ve got to weigh those needs.”
There are surprisingly simple ways to improve a property’s risk profile, said DiDomenica. Just trimming the hedges could be enough to “make it less inviting in terms of the physical environment for someone who’s going to do surveillance or plan an attack,” he said.
Staff members can also play a key role in helping to thwart an imminent attack, said Reggie Gibbs, senior underwriter and product manager with Starr Cos. In hotels, for example, they have the best handle on typical guest behavior and what might constitute a red flag.
“They can spot when a car is parked in an unusual place,” he said. “They know when a guest has been in a room for an extended amount of time and for some reason isn’t letting housekeeping in to clean.”
Brokers and insurers are key partners throughout the process. They have the experience to help insureds assess and quantify risks and coverage parameters. Truono, for instance, asks brokers to explain coverage through hypothetical claim scenarios.
“I don’t want to solely focus on coverage terms, but I also want to understand how the policy will be interpreted in the event of a claim. I want to understand how and if a claim will be covered, because in the end, that’s the inherent risk transfer value and what we are buying.”
An Evolving Risk
The forms and manifestations of terrorism keep changing, said Truono, and risk managers must continue to ensure their prevention and risk mitigation strategies evolve as well.
“A truck bomb is one type of an event with specific control countermeasures,” he said. “A lone-wolf or individuals who enter a hotel with IEDs [improvised explosive devices] or automatic weapons, however — that’s a totally different type of event requiring specialized tactics and controls, and it’s necessarily more difficult to manage.”
“How do you protect yourself against situations where someone just wants to kill people rather than destroy a building?” asked Nageer.
The harsh reality is that no one and no place is immune from terrorism acts.
“We must remain vigilant, aware and informed,” said Truono. “We need to continue to educate our people and enhance our prevention and response strategies. Our practices, processes, priorities and physical plants must be dynamic and continually adapt to ever-changing landscape and information.”
Investing in a Safer Future
The Ohio Bureau of Workers’ Compensation made plenty of headlines with its billion-dollar rebates to employers. But few are aware of how the BWC is also giving back to its employees — by investing heavily in their long-term health and safety.
Part of that effort is the establishment of a research grant program, funding short-term projects that identify practical solutions to workplace hazards.
The BWC created partnerships with educational and research facilities across the state in an effort to find solutions for some of the most intractable worker health and safety problems.
“I wanted to get on the offensive side of safety and not just respond to accidents or injury types,” said former BWC Administrator and CEO Stephen Buehrer, who launched the research grant program.
“We believe these dollars are well invested in fostering research at world class institutions that could shed light on how injuries may be prevented in the future,” said the BWC’s current Administrator and CEO, Sarah Morrison.
“There is no place better than Ohio to conduct innovative research that could have an impact in workplaces across the country.”
The BWC sent out an RFP to research institutions throughout Ohio, seeking projects that could be completed in 12 to 18 months within a budget of $250,000. With input from the National Institute for Occupational Safety and Health, they ultimately selected nine projects to fund, for a total just topping $2 million.
“These researchers are working directly with employers in Ohio, and we expect that there will be some direct benefit in preventing occupational injuries and illnesses as a result of [these projects],” said Abe Al-Tarawneh, BWC’s superintendent of the Division of Safety and Hygiene.
In addition, he said, each research team will disseminate its findings, results and recommendations, and make them available to employers throughout their respective industries.
Focus on Health Care
A sizable chunk of the $2 million for research was earmarked for projects related to health care fields. Injuries to health care workers, particularly those working in long-term care facilities, are of grave concern in Ohio and nationwide. Ohio has approximately 1,000 nursing homes, serving more than 80,000 residents.
“When we put out the request for proposal, addressing the health care industry was a priority,” said Al-Tarawneh.
Two of the selected proposals target safe patient handling practices. Al-Tarawneh said that in many cases, even in facilities that have sufficient patient handling equipment, workers tend not to use it because they perceive that it will slow them down or be inefficient.
A $250,000 grant to the University of Cincinnati will enable researchers to study the application of a training model that has been used extensively in Europe, particularly in the UK, with strong results. The model ties together cultural and behavioral issues, with a focus on hazard awareness and planning.
“They’re going to take it and essentially redesign it in a way that matches the standards that we have for health care in Ohio, and they’re applying it with 30 different nursing homes in the state,” said Al-Tarawneh.
Researchers will assess the existing training and equipment at those facilities, and customize the new training module for each one. They will then administer the training to employees at every facility, and follow up in six months to assess the effectiveness of the training. Based on those assessments, they’ll provide a new set of recommendations.
The resulting training program will be made available online.
Cleveland State University College of Science and Health Professions will also receive $244,000 to help faculty from four disciplines at CSU develop an innovative approach to prevent back injuries among nurse aides.
The Case Western School of Medicine will receive $250,000 to study the development of a Total Worker Health approach to addressing the socioeconomic factors impacting worker health and safety, particularly low-wage and job-insecure employees working in long-term health care facilities.
“Low wage and job-insecure employees tend to have a higher rate of occupational injuries and they tend to [have poor] health care and more prevalent chronic health issues,” said Al-Tarawneh.
Case Western researchers will work with 10 or 12 groups of people, providing training on healthy behaviors. They’ll follow up over the course of a year, and assess progress via an app designed for the purpose.
Bowling Green State University’s Psychology Department was awarded a $250,000 grant for research into preventing injuries, assault and abuse of nurse aides working in long-term residential settings.
The project will target nurse aides in four facilities, implementing mindfulness-based interventions. Researchers will teach employees to use mindfulness techniques to handle the stressors of their jobs.
“There is a direct association between the job demands and the rate of injury,” said Al-Tarawneh. “So if you get workers to better understand how to cope with the stresses of their job demands, you can improve their well-being, which will result in reducing the propensity for them to get injured.”
Part of the project will involve teaching workers to use the same mindfulness techniques to de-escalate situations that lead to assault or abuse by residents.
“When you think about these different projects, each of them handles the [industry] from a different angle,” said Al-Tarawneh.
“So in two or three years, when our consultants are working with a health care facility or a nursing home, they’re going to be able to provide them with better training modules, with better understanding of the issues, with better tools so they can engage their employees and empower them.
“We’re hoping by the time we’re done that it will benefit the industry across the country.”
Benefits for Numerous Industries
Other BWC grants are exploring a variety of challenges for workers and employers.
The Ohio University College of Engineering and Technology received $245,000 to measure the impact of integrating safety and ergonomics into lean and Six Sigma processes already in place at Ohio manufacturers.
“One of the things that’s happened over the years of introducing lean concepts and Six Sigma concepts in manufacturing as well as other industrial sectors is they tend to eliminate waste,” said Al-Tarawneh.
“That can result in improving safety for employees, but it can also result in improving productivity to a level that sometimes employees cannot keep up with. So the idea is to bring in ergonomic concepts and embedding them into Six Sigma and lean manufacturing concepts.”
Researchers are working with 15 manufacturing firms across Ohio, stratified between small and large firms, and a final report will be available across the country.
The Case Western School of Engineering received a $250,000 grant to study the prevention of slips, trips and falls using wearable technology.
Using sensors embedded in the insoles of shoes, researchers are recording data on balance and gait, and relating it to specific tasks, to assess at what point being unbalanced results in a fall. In the future, explained Al-Tarawneh, “the system can communicate via something like an iWatch and warn the person that the way they’re doing things will result in slipping or tripping.”
Ohio State University has been awarded three grants totaling $577,595 to study diverse areas.
OSU’s Department of Integrated Systems Engineering is using a wearable quantifying tool called a lumbar motion monitor to gather real data about the forces exerted on the spine during pushing and pulling tasks.
Researchers will be developing a web-based tool that employers can use to assess the pushing and pulling tasks used at their facilities.
Subjects will simulate tasks common to workers in various industries, said Al-Tarawneh. The lumbar motion monitor and 42 sensor cameras capture every movement in every direction to establish the stress of each movement on the spine. The results are compared to injury threshold data and will be used to create streamlined ergonomic standards for pushing and pulling tasks.
“It’s an amazing project,” said Al-Tarawneh. “It’s going to be an excellent advancement in the science.”
In the lab next door, researchers are studying powered torque wrenches, and the impact of the force and vibration of torque tools on the hands and arms of the user.
“Those forces, over time, can be really detrimental to the tissues and the nerves of the worker,” said Al-Tarawneh. “There is no specific standard for these torque tools to account for how the force of the tool transfers to the body of the user.”
The team will develop a dynamic rig for assessing powered torque tools as they are brought to market. Industry partners include Stanley Assembly Technologies, Honda North America, Inc. and General Motors.
A third project at OSU involves hazards in grain bin facilities on Ohio farms, assessing the training and PPE provided to workers, and identifying gaps that can be addressed. Al-Tarawneh said this project is an important way that BWC can reach out and work with smaller farmers to help prevent the kind of injuries that are sometimes overlooked.
“We’re going to fund this kind of thing every year,” former Administrator Buehrer told Risk & Insurance during a September 2015 interview.
“Our hope is that each year we’ll be rolling out a half dozen to a dozen sets of results that we can share with employers. Ohio BWC considers it a key part of its mission to take on some of the problematic workers’ comp challenges and really get ahead of the issues rather than just reacting to the injury type.”
The New Wolves of Wall Street
Cyber security measures advanced by leaps and bounds over the past decade. Unfortunately, cyber criminals sharpened their game even more.
As it gets tougher each day to slip in through back doors, hackers turned their talents toward carving out side windows. They adapted, developing new business models and finding smarter ways to profit off the backs of organizations.
Credit card information, personally identifiable information and protected health information are all still in demand, but they’re no longer the only treasures that cyber criminals are after.
They want your trade secrets. They want your intellectual property. They want to eavesdrop on your most sensitive financial activities so they can leverage that information on the stock market — shorting stock, investing in stock, timing stock to their advantage.
The cyber security challenge is intense, because it’s hard to get a handle on. These crimes are being perpetrated by various groups of actors with different motivations. They’re being executed using a broad array of techniques that include any combination of malware, phishing and social engineering.
They could be coming at you from anywhere in the world. And it’s not even necessarily your systems that are being attacked directly. It could be your vendors, your partners — any organization that has a connection to your confidential information.
Last August, the SEC filed charges in a fraud scheme involving two Ukrainian hackers who broke into multiple newswire services to steal unreleased corporate earnings announcements. The hackers shared the information with 30 people who traded on it, generating more than $100 million in illegal profits.
The following November, federal prosecutors disclosed the existence of a sizable worldwide hacking scheme, involving more than 100 people in a dozen countries.
Among the other offenses listed in the 68-page indictment, the crime ring orchestrated elaborate pump-and-dump stock schemes and traded on stolen corporate information, pocketing hundreds of millions along the way.
“It is no longer hacking merely for a quick payout,” U.S. Attorney Preet Bharara said in announcing the indictment.
“It is hacking as a business model.”
M&As Increase Vulnerabilities
The rise of worldwide M&A activity turned the stock market into a profitable playground for hackers — those working for either side of the transaction or outside parties looking for a way to profit illegally from the transaction.
2015 was a record-breaking year for M&As, topping $5 trillion in volume globally for the first time. Half of the targeted companies were based in the U.S.
2016 is expected to see a continued high level of activity. That leaves plenty of opportunities for illegal gains.
“You can disrupt an M&A a lot of different ways,” said Bill Sweeney, chief technology officer at BAE Systems Applied Intelligence.
“One way is you can publicize that it’s going on sooner than people would like.
“M&A is a very sensitive topic because it’s very price dependent. Companies will walk away from deals because they can’t narrow the gap between $25 and $30 a share.
“If outsiders are aware of the negotiations going on, they can put upward pressure on the stock. So when somebody thought they were going to be getting a 25 percent premium [against their stock], but now because of the upward pressure, they’re only getting a 15 percent, why would they sell?”
During an April webinar, “Cyber Security: The Achilles Heel of M&A Due Diligence,” Brian Finch, a partner with Pillsbury Winthrop Shaw Pittman LLP, outlined the recent case of a company that was courted by international suitors.
The company was certain that it was healthy, but repeated audits showed it operated at a loss. An investigation revealed that the company was under attack, with hackers corrupting information to decrease the value of the company.
When the company value bottomed out, a foreign investor swooped in with a lowball offer.
Even if hackers don’t outright alter the data, they’re still finding ways to leverage it.
“We’ve seen China-based groups … compromising companies across various industries, stealing information that would give them insight into what the best price for the company might be,” said Will Glass, threat intelligence analyst at FireEye.
“We’ve seen groups that are sponsored by nation states — or that we believe are sponsored by nation states — conducting activity leading up to and even during mergers and acquisitions.”
One high-profile case traced to China was the attempted $40-billion takeover of Canada’s Potash Corp. by Australian natural resources company BHP Billiton.
While the deal fell through for apparently unrelated reasons, an investigation revealed that a Chinese effort to derail the deal involved attacks on seven law firms, as well as Canada’s Finance Ministry and the Treasury Board.
Those third-party attacks are an area of serious concern in terms of intellectual property and M&As, said Kevin Kalinich, global practice leader, cyber/network risk, Aon Risk Solutions.
“The accounting firms and financial advisers are above average in IT security and protection of confidential information,” he said.
“But law firms, surprisingly enough, are below average.”
The Human Element
What’s complicating matters from a risk management standpoint is that attacks take various forms and are typically multi-layered. Spearphishing and social engineering often play a major role because they are consistently successful, despite companies’ attempts to alert employees to the dangers.
“The way of the hacker has always been to go after the industry or the exposure where there’s the lowest hanging fruit,” said Toby Merrill, leader of Chubb’s global cyber risk practice.
And in many companies, that means employees. Even a staffer savvy enough to question a wire transfer request might still be duped by a login scheme that looks innocuous or seems relevant to his job.
“What’s happening is that hackers are spoofing emails,” said Sweeney.
“They’re spoofing CFOs and they’re spoofing other C-level executives and pretending to be either a consultant or part of the review process … trying to extract that sensitive information by [sending] an email that looks like it’s from the CEO, that says, ‘Hey what’s the latest on our deal with company X?’ And the guy [replies] but it’s not going to the CEO; it’s going to the guy who spoofed it.”
It’s not easy to spot spoofed email, he added.
“It looks like an email from your company, with your header. It looks like it’s from your domain. It’s only if you open it up and look at the source code that you can see what’s being shown is not the actual domain it’s coming from, and if you hit reply it’s going to go to somewhere else.”
It also works because it’s not random. Hackers do their homework and understand how their targets operate. They know when to send emails and who to send them to, and what internal procedures are in place so that they can get around them.
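The header trick described above can be checked mechanically. The following is an added illustration, not code from the article or from any firm quoted in it: it parses constructed sample headers (placeholder domains) and reports when the domain shown in From: disagrees with where a reply or bounce would actually be routed.

```python
# Added illustration, not from the article. Constructed samples mirror the
# spoofed-CEO lure: a familiar name and domain in From:, with Reply-To: (where
# the answer really goes) pointing at an attacker-chosen mailbox. Placeholder domains.
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

SPOOFED_SAMPLE = """\
From: "Jane Doe, CEO" <jane.doe@example.com>
Reply-To: Jane Doe <jane.doe@examp1e-corp.test>
Return-Path: <bounce@examp1e-corp.test>
Subject: Latest on our deal with company X?

Hey, what's the latest on our deal with company X?
"""

LEGIT_SAMPLE = """\
From: "Jane Doe, CEO" <jane.doe@example.com>
Return-Path: <jane.doe@example.com>
Subject: Board deck

Attached is the deck for Thursday.
"""

def _domain(addr):
    """Lower-cased domain part of an address, or '' when there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def spoof_indicators(raw_message):
    """Indicator codes where the visible sender disagrees with the address a
    reply or bounce would really reach; an empty list means consistent."""
    msg = message_from_string(raw_message)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)
    # 1. Display name that is itself an address on a different domain.
    m = re.search(r"[\w.+-]+@([\w.-]+)", from_name)
    if m and m.group(1).lower() != from_dom:
        findings.append("display-name-address-mismatch")
    # 2. Reply-To routed to a domain other than the one shown in From.
    for _, reply_addr in getaddresses(msg.get_all("Reply-To", [])):
        if _domain(reply_addr) and _domain(reply_addr) != from_dom:
            findings.append("reply-to-domain-mismatch")
            break
    # 3. Envelope sender (Return-Path) on a different domain than From.
    _, rp_addr = parseaddr(msg.get("Return-Path", ""))
    if rp_addr and _domain(rp_addr) != from_dom:
        findings.append("return-path-domain-mismatch")
    return findings
```

A mail gateway or SOC triage script can run this over inbound messages addressed to executives and legal or finance staff and route anything with findings for review; legitimate mailing-list and ticketing systems also set Reply-To, so treat the result as a triage signal, not a verdict.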
FIN4, a large cyber crime ring tracked extensively by FireEye, was so good at duping people that it didn’t even bother using malware.
It focused on capturing usernames and passwords to email accounts. FIN4 would craft convincing phishing lures, most often sent from other victims’ email accounts and through hijacked email threads.
According to FireEye’s Glass, the group would “send an email to someone in a target company and it would say, ‘Hey check out this financial investment forum — there’s some guy on here badmouthing the company. You might want to take a look.’ ”
Hackers set it up so that when the link was clicked, it would request their email login and password in order to view the content. The hackers could then take those login credentials and continue their campaign, both within the organization and laterally to external organizations.
It’s worth noting that risk management is directly in the crosshairs for this kind of attack.
C-suite executives, legal counsel and anyone involved in the risk, regulatory or compliance functions of a company are prime targets. If you have any connection to sensitive information, they’re looking for a way to get their hands on it.
And experts say that such attacks have successfully snared some risk managers, CTOs and CFOs.
There is plenty that still needs sorting out in terms of the coverage options available to insure against such losses. The toughest pill to swallow, said Kalinich, is that the loss of value is not covered by cyber insurance, nor is it covered by any other type of insurance.
“That’s a really important factor,” he said.
“The actual value of a trade secret, the actual value of a patent, the actual value of intellectual property, is not covered. [In the case of an M&A loss,] not even a crime policy would cover that.”
A D&O policy might be triggered if the stock dropped following a failed M&A, but a company would be challenged to relate the event to a cyber hack, or to quantify the impact of the hack on the failed transaction, experts said.
Still, said Kalinich, there are certainly losses that could be covered by cyber insurance, especially if an attack were to result in business interruption, or if it caused damage to the system that required remediation, or forensic investigation.
Culture of Awareness
At a minimum, any company engaging in mergers or acquisitions activity should separate that information from the rest of the corporate environment, said experts. M&A activity should have a segmented network and a dedicated file server, and all documents should be encrypted.
BAE’s Sweeney also recommended that related communications with people outside of the organization be restricted to a VPN for added security.
Additionally, all third-party involvement should receive a high level of scrutiny.
Said Sweeney, “You’ve got to look at everybody who’s going to have access to the information, and say, ‘When was the last time you had a cyber assessment? How can we make sure that you’re not going to be the conduit through which people find out this information?’
“That’s where people are getting hacked,” he said. “They’re not getting hacked right in the center. They’re getting hacked by the people on the periphery who are trying to do their best.”
Internally, Glass said, it’s a good practice to follow the law of least access — give people access to the information that they need to do their jobs and nothing more. But that’s just a start.
Hackers figured out that humans are easier to crack than code, so comprehensive staff training should be the foundation of a solid cyber security strategy.
Some companies use internal phishing campaigns to help manage the human side of the risk. Employees who are duped and click on bogus links are redirected to a page revealing their mistake and letting them know they’ll be required to do mandatory extra training.
Experts universally agreed that these risks cannot be foisted onto the laps of IT or risk management alone. Boards must be educated and involved, and there must be enterprise-wide collaboration for a company to develop any level of effective defense against cyber espionage.
Make sure you’re speaking the board’s language, said Nick Rossman, senior program manager, threat intelligence with FireEye. “They don’t care about malware, they just want to know what you’re asking them to invest.
“So I think it’s easiest when you have a big scope of data and a partner who can get you a strategy forecast” to help justify decisions about investments, he said.
“In the past, [IT and data systems] were considered kind of a back-office priority, kind of like having enough printer toner or enough chairs,” said FireEye’s Glass.
“It was an enabling function of the company but not really core to the business. Now every company is an IT company whether they realize it or not.
“Maybe Coca-Cola keeps its recipe in a safe somewhere, but everybody else, for the most part, is keeping their information online or in databases or even in the cloud, because the efficiencies that can be derived from that model are so great.
“In order to make sure that those efficiencies continue, we’ve got to make sure that companies are looking at all the risks inherent with putting all of that information online.”