The New Wolves of Wall Street
Cyber security measures advanced by leaps and bounds over the past decade. Unfortunately, cyber criminals sharpened their game even more.
As it gets tougher each day to slip in through back doors, hackers turned their talents toward carving out side windows. They adapted, developing new business models and finding smarter ways to profit off of the backs of organizations.
Credit card information, personally identifiable information and protected health information are all still in demand, but they’re no longer the only treasures that cyber criminals are after.
They want your trade secrets. They want your intellectual property. They want to eavesdrop on your most sensitive financial activities so they can leverage that information on the stock market — shorting stock, investing in stock, timing stock to their advantage.
The cyber security challenge is intense, because it’s hard to get a handle on. These crimes are being perpetrated by various groups of actors with different motivations. They’re being executed using a broad array of techniques that include any combination of malware, phishing and social engineering.
They could be coming at you from anywhere in the world. And it’s not even necessarily your systems that are being attacked directly. It could be your vendors, your partners — any organization that has a connection to your confidential information.
Last August, the SEC filed charges in a fraud scheme involving two Ukrainian hackers who broke into multiple newswire services to steal unreleased corporate earnings announcements. The hackers shared the information with 30 people who traded on it, generating more than $100 million in illegal profits.
The following November, federal prosecutors disclosed the existence of a sizable worldwide hacking scheme, involving more than 100 people in a dozen countries.
Among the other offenses listed in the 68-page indictment, the crime ring orchestrated elaborate pump-and-dump stock schemes and traded on stolen corporate information, pocketing hundreds of millions along the way.
“It is no longer hacking merely for a quick payout,” U.S. Attorney Preet Bharara said in announcing the indictment. “It is hacking as a business model.”
M&As Increase Vulnerabilities
The rise of worldwide M&A activity turned the stock market into a profitable playground for hackers — those working for either side of the transaction or outside parties looking for a way to profit illegally from the transaction.
2015 was a record-breaking year for M&As, topping $5 trillion in volume globally for the first time. Half of the targeted companies were based in the U.S.
2016 is expected to see a continued high level of activity. That leaves plenty of opportunities for illegal gains.
“You can disrupt an M&A a lot of different ways,” said Bill Sweeney, chief technology officer at BAE Systems Applied Intelligence.
“One way is you can publicize that it’s going on sooner than people would like.
“M&A is a very sensitive topic because it’s very price dependent. Companies will walk away from deals because they can’t narrow the gap between $25 and $30 dollars a share.
“If outsiders are aware of the negotiations going on, they can put upward pressure on the stock. So when somebody thought they were going to be getting a 25 percent premium [against their stock], but now because of the upward pressure, they’re only getting a 15 percent, why would they sell?”
During a “Cyber Security: The Achilles Heel of M&A Due Diligence” webinar in April, Brian Finch, a partner with Pillsbury Winthrop Shaw Pittman LLP, outlined the recent case of a company that was courted by international suitors.
The company was certain that it was healthy, but repeated audits showed it operated at a loss. An investigation revealed that the company was under attack, with hackers corrupting information to decrease the value of the company.
When the company value bottomed out, a foreign investor swooped in with a lowball offer.
Even if hackers don’t outright alter the data, they’re still finding ways to leverage it.
“We’ve seen China-based groups … compromising companies across various industries, stealing information that would give them insight into what the best price for the company might be,” said Will Glass, threat intelligence analyst at FireEye.
“We’ve seen groups that are sponsored by nation states — or that we believe are sponsored by nation states — conducting activity leading up to and even during mergers and acquisitions.”
One high-profile case traced to China was the attempted $40-billion takeover of Canada’s Potash Corp. by Australian natural resources company BHP Billiton.
While the deal fell through for apparently unrelated reasons, an investigation revealed that a Chinese effort to derail the deal involved attacks on seven law firms, as well as Canada’s Finance Ministry and the Treasury Board.
Those third-party attacks are an area of serious concern in terms of intellectual property and M&As, said Kevin Kalinich, global practice leader, cyber/network risk, Aon Risk Solutions.
“The accounting firms and financial advisers are above average in IT security and protection of confidential information,” he said.
“But law firms, surprisingly enough, are below average.”
The Human Element
What’s complicating matters from a risk management standpoint is that attacks take various forms and are typically multi-layered. Spearphishing and social engineering often play a major role because they are consistently successful, despite companies’ attempts to alert employees to the dangers.
“The way of the hacker has always been to go after the industry or the exposure where there’s the lowest hanging fruit,” said Toby Merrill, leader of Chubb’s global cyber risk practice.
And in many companies, that means employees. Even a staffer savvy enough to question a wire transfer request might still be duped by a login scheme that looks innocuous or seems relevant to his job.
“What’s happening is that hackers are spoofing emails,” said Sweeney.
“They’re spoofing CFOs and they’re spoofing other C-level executives and pretending to be either a consultant or part of the review process … trying to extract that sensitive information by [sending] an email that looks like it’s from the CEO, that says, ‘Hey what’s the latest on our deal with company X?’ And the guy [replies] but it’s not going to the CEO; it’s going to the guy who spoofed it.”
It’s not easy to spot spoofed email, he added.
“It looks like an email from your company, with your header. It looks like it’s from your domain. It’s only if you open it up and look at the source code that you can see what’s being shown is not the actual domain it’s coming from, and if you hit reply it’s going to go to somewhere else.”
It also works because it’s not random. Hackers do their homework and understand how their targets operate. They know when to send emails and who to send them to, and what internal procedures are in place so that they can get around them.
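The mismatch Sweeney describes (a visible sender that looks internal while the reply is routed elsewhere) is checkable mechanically in the message headers. The script below is an added example, not code from the article or from BAE Systems: it parses a message, compares the From domain against Reply-To, Return-Path and any address embedded in the display name, and returns a list of findings. The three messages it runs on are constructed for the example, and the set of "internal" domains is an assumption a deployment would supply.

```python
"""Flag reply-routing and display-name tricks in email headers.

Added example (not from the article). All messages below are constructed;
`INTERNAL_DOMAINS` is an assumed list that a real deployment would configure.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Matches an address-looking token inside free text (e.g. a display name)
# and captures its domain.
EMAIL_IN_TEXT = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

# Assumption: domains the organisation actually sends mail from.
INTERNAL_DOMAINS = {"example.com"}


def domain_of(address_header: str) -> str:
    """Return the lower-cased domain of the address in a header value ('' if none)."""
    _, addr = parseaddr(address_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def spoof_indicators(raw_message: str, internal_domains: set) -> list:
    """Return human-readable findings for an RFC 5322 message given as text."""
    msg = message_from_string(raw_message)
    findings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""

    # 1. Replies are steered to a different domain than the one shown in From.
    reply_to = msg.get("Reply-To")
    if reply_to:
        reply_domain = domain_of(reply_to)
        if reply_domain and reply_domain != from_domain:
            findings.append(
                f"Reply-To domain '{reply_domain}' differs from From domain '{from_domain}'"
            )

    # 2. The display name itself looks like an address on another domain,
    #    so a mail client that shows only the name hides the real sender.
    match = EMAIL_IN_TEXT.search(display_name)
    if match and match.group(1).lower() != from_domain:
        findings.append(
            f"display name shows '{match.group(0)}' but the address is on '{from_domain}'"
        )

    # 3. From claims an internal domain but the envelope sender is external.
    #    (Mailing lists and forwarding services can trigger this legitimately,
    #    so treat it as a signal to review, not proof of spoofing.)
    return_path = msg.get("Return-Path")
    if return_path and from_domain in internal_domains:
        rp_domain = domain_of(return_path)
        if rp_domain and rp_domain not in internal_domains:
            findings.append(
                f"Return-Path domain '{rp_domain}' is outside the organisation"
            )
    return findings


# Constructed sample 1: internal-looking From, replies routed to a look-alike domain.
SPOOFED_MESSAGE = (
    'From: "Jane Doe (CEO)" <jane.doe@example.com>\n'
    "Reply-To: Jane Doe <jane.doe@example-secure-mail.net>\n"
    "Return-Path: <bounce@example-secure-mail.net>\n"
    "Subject: Latest on our deal with company X?\n"
    "\n"
    "Hey, what is the latest on our deal? Just reply here.\n"
)

# Constructed sample 2: a normal internal message.
LEGIT_MESSAGE = (
    'From: "Jane Doe (CEO)" <jane.doe@example.com>\n'
    "Return-Path: <jane.doe@example.com>\n"
    "Subject: Board pack\n"
    "\n"
    "Attached as discussed.\n"
)

# Constructed sample 3: the display name is an internal address, the real one is not.
DISPLAY_NAME_TRICK = (
    'From: "ceo@example.com" <contact@other-domain.test>\n'
    "Subject: Quick question\n"
    "\n"
    "Can you send me the term sheet?\n"
)

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE),
                       ("legit", LEGIT_MESSAGE),
                       ("display-name", DISPLAY_NAME_TRICK)):
        print(label, spoof_indicators(raw, INTERNAL_DOMAINS))
```

The Return-Path check deliberately returns a finding rather than a verdict: forwarding services and list software rewrite the envelope sender for legitimate mail, so the output is meant to feed a review queue or a mail-gateway banner, not to block delivery on its own.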
FIN4, a large cyber crime ring tracked extensively by FireEye, was so good at duping people that it didn’t even bother using malware.
It focused on capturing usernames and passwords to email accounts. FIN4 would craft convincing phishing lures, most often sent from other victims’ email accounts and through hijacked email threads.
According to FireEye’s Glass, the group would “send an email to someone in a target company and it would say, ‘Hey check out this financial investment forum — there’s some guy on here badmouthing the company. You might want to take a look.’ ”
Hackers set it up so that when the link was clicked, it would request their email login and password in order to view the content. The hackers could then take those login credentials and continue their campaign, both within the organization and laterally to external organizations.
It’s worth noting that risk management is directly in the crosshairs for this kind of attack.
C-suite executives, legal counsel and anyone involved in the risk, regulatory or compliance functions of a company are prime targets. If you have any connection to sensitive information, they’re looking for a way to get their hands on it.
And experts say that such attacks have successfully snared some risk managers, CTOs and CFOs.
There is plenty that still needs sorting out in terms of the coverage options available to insure against such losses. The toughest pill to swallow, said Kalinich, is that the loss of value is not covered by cyber insurance, nor is it covered by any other type of insurance.
“That’s a really important factor,” he said.
“The actual value of a trade secret, the actual value of a patent, the actual value of intellectual property, is not covered. [In the case of an M&A loss,] not even a crime policy would cover that.”
A D&O policy might be triggered if the stock dropped following a failed M&A, but a company would be challenged to relate the event to a cyber hack, or to quantify the impact of the hack on the failed transaction, experts said.
Still, said Kalinich, there are certainly losses that could be covered by cyber insurance, especially if an attack were to result in business interruption, or if it caused damage to the system that required remediation, or forensic investigation.
Culture of Awareness
At a minimum, any company engaging in mergers or acquisitions activity should separate that information from the rest of the corporate environment, said experts. M&A activity should have a segmented network and a dedicated file server, and all documents should be encrypted.
BAE’s Sweeney also recommended that related communications with people outside of the organization be restricted to a VPN for added security.
Additionally, all third-party involvement should receive a high level of scrutiny.
Said Sweeney, “You’ve got to look at everybody who’s going to have access to the information, and say, ‘When was the last time you had a cyber assessment? How can we make sure that you’re not going to be the conduit through which people find out this information?’
“That’s where people are getting hacked,” he said. “They’re not getting hacked right in the center. They’re getting hacked by the people on the periphery who are trying to do their best.”
Internally, Glass said, it’s a good practice to follow the law of least access — give people access to the information that they need to do their jobs and nothing more. But that’s just a start.
Hackers figured out that humans are easier to crack than code, so comprehensive staff training should be the foundation of a solid cyber security strategy.
Some companies use internal phishing campaigns to help manage the human side of the risk. Employees who are duped and click on bogus links are redirected to a page revealing their mistake and letting them know they’ll be required to do mandatory extra training.
Experts universally agreed that these risks cannot be foisted onto the laps of IT or risk management alone. Boards must be educated and involved, and there must be enterprise-wide collaboration for a company to develop any level of effective defense against cyber espionage.
Make sure you’re speaking the board’s language, said Nick Rossman, senior program manager, threat intelligence with FireEye. “They don’t care about malware, they just want to know what you’re asking them to invest.
“So I think it’s easiest when you have a big scope of data and a partner who can get you a strategy forecast” to help justify decisions about investments, he said.
“In the past, [IT and data systems] were considered kind of a back-office priority, kind of like having enough printer toner or enough chairs,” said FireEye’s Glass.
“It was an enabling function of the company but not really core to the business. Now every company is an IT company whether they realize it or not.
“Maybe Coca-Cola keeps its recipe in a safe somewhere, but everybody else, for the most part, is keeping their information online or in databases or even in the cloud, because the efficiencies that can be derived from that model are so great.
“In order to make sure that those efficiencies continue, we’ve got to make sure that companies are looking at all the risks inherent with putting all of that information online.”
To Shrink the Talent Gap, Elevate the Profession
By the end of 2018, it’s estimated that nearly 25 percent of the insurance industry’s current workforce will have retired. Upwards of 40 percent are expected to retire in the next 10 years — taking their collective knowledge and experience with them.
The industry has been aware of its talent shortfall for a long time. Carrier and brokerage executives spoke openly about the issue at the recent RIMS conference in San Diego. The workers’ compensation community is also feeling that pain, and looking for answers.
A group of industry leaders came together on May 10 to explore both obstacles and solutions during the Out Front Ideas webinar “The Changing Face of Insurance: Talent Attraction, Retention & Training,” hosted by Mark Walls, vice president, Communications & Strategic Analysis with Safety National, and Kimberly George, senior vice president of Corporate Development, M&A and Healthcare at Sedgwick.
A ‘Necessary Evil’
Many of the difficulties in attracting talent are the same as those the industry has always faced, said panelists. People still tend to stumble into insurance and workers’ comp — only a rare few take a direct path into the industry.
The problem is a deeply rooted one, although it isn’t really a talent problem as much as it is an image problem. Children aren’t raised to be aware of insurance professionals at all, let alone aspire to be them someday. And once they do become aware, the impression they get is rarely good.
“Oftentimes it is viewed as a necessary evil” rather than a societal good, said Angela Schaefer, vice president of Human Resources & Employee Engagement with Safety National.
That image problem is particularly acute in workers’ comp, said David DePaolo, president of WorkCompCentral. The industry has worked hard to cultivate an image of being tough on fraud, widely publicizing victories against fraudsters in order to discourage other would-be criminals.
As necessary as those tactics may be, they don’t win the industry any points in the recruiting department. Neither does the media’s recent obsession with vilifying the workers’ comp profession as a whole.
And while the image problem is not new, it has grown especially pointed since millennials began entering the workforce. A study by the Pew Research Center in 2010 found that millennials place a higher priority on helping people than having a high-paying career, and numerous other researchers have arrived at the same conclusion — young talent is drawn toward occupations where they feel they can make a difference for their communities.
Helping injured workers get back on their feet is a powerful way to make a difference. But that message isn’t getting across.
“Everything that they’re looking for is available through the insurance industry — they just don’t know it,” said Jessie Gaudio, director of MyPath at The Institutes.
That disconnect is exactly why all members of the workers’ comp community need to make a conscious effort to put out positive messages about the industry, said panelists, not just at a corporate level but at a personal level too.
“Let’s not be embarrassed about workers’ comp,” said DePaolo. “When people ask you about [your job], be proud of it — tell them what you do. … It’s really all about generating a positive message.”
DePaolo said it’s a useful exercise to develop an elevator pitch that will help explain the positives of what workers’ comp means and what it does.
Walls offered the succinct, “We help people.”
“Workers’ comp has been under the cloud of an inferiority complex,” said DePaolo. “It affects the psyche of everyone in the business and that’s not right.”
College campuses present an important opportunity for professionals to elevate the industry’s image. But that doesn’t mean just sending out recruiters, said Terri Browne, Chief People Officer at Sedgwick. It means looking for opportunities to have a presence on campus, and to “educate students and faculty about what we do.”
Internships are another way that companies can educate students about the industry. And companies shouldn’t be reluctant to offer internship programs just because they don’t plan to hire from them, said Schaefer. The skills that students stand to gain from internship experiences can help build goodwill, and students are likely to share their positive impressions with their fellow students.
Attracting young talent is one thing. Keeping it is another. At an executive panel discussion at the recent RIMS conference in San Diego, Steven McGill, group president, Aon plc, noted that 60 percent of those coming into the industry are leaving after two years.
Companies need to take a closer look at whether their company cultures are aligned with the priorities of younger employees, panelists said.
“Salary doesn’t always rank as the first priority,” said Gaudio. “Benefits are key, and work culture and work-life balance.”
Job flexibility is also on the top of the list. “It’s one of the key things we’re asked about,” said Browne, noting that more people are dealing with complex personal issues and family situations than ever before.
“With technology today, it’s easier to [accommodate],” she said.
“We need to start at home,” said Schaefer. That means having an inclusive work environment, and a culture where young talent can contribute in a meaningful way, right from the start. Too often, young employees leave a company because they feel underutilized.
Companies should also consider job rotation as a way to expose people to all of the opportunities available to them, said Schaefer, and support them if they express an interest in switching departments.
Young employees also value training opportunities, and that’s something that has declined over time, said DePaolo. Employers would invest in training people only to have them poached by other companies.
But that training provides value on a broader scale if it helps ensure that the young talent remains in the industry.
“Eventually that training is going to come back,” said DePaolo.
Out of Control in the Driver’s Seat
You’re tooling down the highway when suddenly your car’s A/C turns on to full blast. Then the radio fires up and switches to a Hip-Hop station.
You’re startled when the wipers turn on, wiper fluid obscuring your view of the road for a moment.
You’re frantically trying to turn it all off when your car loses power completely, leaving you stranded on a busy stretch of road with no shoulder, a semi closing in fast from behind you.
That sounds a little like a scene from a spy thriller or maybe even the “X-Files,” but it happened to the driver of a 2014 Jeep Cherokee as researchers Charlie Miller and Chris Valasek hacked into and took control of it.
Miller and Valasek first made headlines in 2013, when they publicized their success hacking into Ford and Toyota models. At that time, they only managed to accomplish the attacks while their PC was plugged into the vehicles’ diagnostic ports.
Only two years later, the duo found a way to hack in wirelessly, exploiting a widely used onboard entertainment system to take over a vehicle’s dashboard functions, brakes, steering and transmission.
They found they could do it from absolutely anywhere, so long as they had an internet connection. Most disturbing of all, they identified a loophole that could be used to attack multiple cars at once — creating a wirelessly controlled automotive botnet encompassing hundreds of thousands of vehicles.
The team published part of the project online and later demonstrated their “progress” at the 2015 Black Hat conference.
After Miller and Valasek published their results, Fiat Chrysler issued a recall for 1.4 million vehicles affected by the vulnerability exploited by the team. The automotive industry has been on high alert ever since, even while they simultaneously boast about models equipped with more and better technology.
Without question, the more technologically sophisticated and connected vehicles become, the more vulnerable they get. The push toward autonomous vehicles will only increase those vulnerabilities.
“We are a long way from securing the non-autonomous vehicles, let alone the autonomous ones,” said Stefan Savage, a computer science professor at the University of California, San Diego, at the Enigma security conference early this year.
Autonomous isn’t necessarily synonymous with “connected,” however, even for early entrants to the commercial autonomous vehicle space.
Daimler’s Freightliner Inspiration, the world’s first road-ready self-driving truck, “doesn’t rely on ‘connectivity’ or wireless communication to/from the outside world to drive itself,” said Dan Holden, manager of corporate risk and insurance for Daimler Trucks North America.
“Rather, the system is self-contained, meaning it uses production cameras and radars as inputs to determine the vehicle position and keep it centered in its lane. Therefore the Inspiration truck is as secure from a cyber perspective as production vehicles today.”
More Frightening Than Fiction
Until cyber vulnerabilities can be addressed, it doesn’t take a broad stretch of the imagination to see what the future implications could be for this type of attack. Consider a few scenarios:
- The vehicle of a courier transporting sensitive documents is disabled in a remote location, where armed thieves are waiting to steal the documents.
- A high-level executive receives a message alerting him that ransomers have control of his teen daughter’s car — with her in it — and will drive it off of a bridge if he doesn’t pay $10 million in Bitcoin.
- A ring of thieves finds a way into the systems of a trucking fleet’s rigs through its onboard camera system, enabling it to stop the trucks remotely so teams can hijack the cargo.
- An extreme hacktivist group decides to “brick” every car in Los Angeles, disrupting businesses and lives until its demands are met.
- An attacker hacking into a commercial truck’s system disables the brakes, sending the truck careening into a school bus in the middle of an intersection.
Keep in mind that even less extreme types of hacking could create vulnerabilities for both individuals and businesses.
Miller and Valasek proved their ability to wirelessly hack a vehicle for surveillance, tracking GPS coordinates, measuring speed, and tracing routes. When a vehicle’s onboard systems are connected to the driver’s smartphone, the smartphone is also at risk for attack, and any data stored in it is fair game, including passwords and credit card information.
Government and Industry Respond
Miller and Valasek’s work is part of what inspired the drafting of an automotive security bill introduced last year. The Security and Privacy In Your Car Act (the SPY Car Act) would require cars sold in the U.S. to meet certain standards of protection against digital attacks and privacy.
The bill’s creators surveyed 20 carmakers and discovered that only seven used independent security testing to check their vehicles’ security, and only two had tools in place to stop a hacker intrusion.
In March, the FBI, along with the Department of Transportation and the National Highway Traffic Safety Administration, published an advisory on the realities of hackable vehicles and made recommendations to increase security.
Several Japanese companies are working on automotive cyber security technology. Panasonic is developing a device that can detect unauthorized network signals and cancel them out. Fujitsu Laboratories and a researcher from Yokohama National University are developing technology that detects an attack, notifies the driver, and encrypts signals to allow the vehicle to be stopped safely.
However, these technologies are still five years away from commercial availability, as are fully encrypted next-generation automotive networks.
Transportation companies, their clients and every organization with a fleet of its own should be asking questions about the security of the vehicles that are used in the course of their daily operations — and whether they have cover that will respond if their vehicles fall prey to cyber tampering.
“Having insurance coverage in place that would address bodily injury and property damage is something companies should seriously consider as this risk matures,” said William A. Boeck, senior vice president and insurance and claims counsel for Lockton’s cyber risk practice.