FTC Taking Action on Cyber Security
In April, a federal court sent a clear if unintended message to the business community when it permitted the Federal Trade Commission to proceed with a lawsuit against Wyndham Worldwide Corp., alleging the hotel giant failed to make reasonable efforts to protect consumer information.
“The ruling will probably — and properly — drive more companies to the cyber insurance market,” said Thomas Caswell III, partner, Zelle Hofmann in Minneapolis, who specializes in insurance coverage litigation.
“They’ll see the exposures and their potential costs for themselves. The pure threat will push them to buy cyber insurance, just as they buy general liability insurance,” he said.
With the ruling in its favor, the FTC may become more active in pursuing regulatory actions, said Rene Siemens, partner, Pillsbury Law in Los Angeles, who represents policyholders in connection with coverage claims for privacy matters.
The types of breaches the FTC may pursue include identity theft, theft of credit card information, and improper access to protected health information.
The likelihood that the FTC will assume more responsibility for policing cyber security isn’t necessarily a bad thing for insurance companies or their clients, said Matt Wolfe, vice president for state relations and assistant general counsel, Reinsurance Association of America.
The current voluntary standards leave companies “shooting a bit blind regarding how to protect data and the consequences for not doing so,” he said. “Enforceable standards could actually help companies know how to prepare.”
Insurance industry observers expect carriers to introduce broad standard exclusions for privacy claims, but it’s yet to be seen how broadly they will be adopted and if carriers will adopt variations on exclusions.
“The insurance industry,” Siemens said, “is focused on limiting coverage for privacy claims under conventional coverage.”
“If the FTC pursued action for violating some rule or standard of practice … most cyber liability policies insure for that,” Caswell said. “Most traditional liability coverage doesn’t.”
Getting hacked alone won’t invite a lawsuit from the FTC, said Kevin LaCroix, attorney and executive vice president, RT ProExec, an insurance intermediary focused on management liability.
“But if you are the target of a breach and fail to take corrective action, you’re subject to subsequent breaches due to the same vulnerability, and that could attract regulators’ attention.”
The FTC alleges Wyndham suffered three similar data breaches that compromised consumer information.
All companies that conduct business over the Internet, or that do business with other companies that do, are vulnerable to data breaches, said Siemens. The Gramm-Leach-Bliley Act already requires financial institutions to implement and maintain administrative, technical and physical safeguards for customer information.
“If the Department of Defense is vulnerable to hackers,” LaCroix said, “everybody’s vulnerable.”
Hackers’ motivations run the gamut from spite to greed to terrorism. “Still,” he said, “some multinational companies I’d consider high-risk targets don’t yet have privacy and network security insurance.”
Companies should also make sure their vendors and other third-party partners have sound security practices, and that they are insured against breaches they may cause, said Siemens.
That was the vulnerability for Target, when hackers broke into the retailer’s network last year using login credentials stolen from a heating, ventilation and air conditioning company that does work for a number of Target locations. It created the largest data security breach in retail history.
Increasingly, Siemens said, companies outsource data management to companies that specialize in running server farms and storing and processing data. “As that trend continues, risk managers need to be more careful about who they hire.”
LaCroix admitted to having personal experience with such woes. A “tiny” nonprofit school of which he was a board member was hacked through a vendor’s portal, costing $40,000 in notification costs alone. “That would have paid for the premium on cyber insurance for multiple years,” he said.
The take-home lesson for risk managers? Prevention and cyber insurance, said LaCroix, but if there is a breach, demonstrate a vigorous response to minimize risk of regulatory action.
Heading Off ‘Cybergeddon’
In April’s R&I cover story, Cyber: The New CAT, experts called catastrophic cyber attacks “inevitable” and the prevailing attitude in the C-Suite “denial.”
Jason Healey, director, Atlantic Council’s Cyber Statecraft Initiative, says that in order for organizations to weather the inevitable attacks, the key will be resiliency. “The organizations that fare best,” he said, “will be those that have the size, agility and resilience to bounce back as quickly as possible.” Healey is also author of Beyond Data Breaches: Global Interconnections of Cyber Risk, commissioned by Zurich Insurance Company Ltd. and published in April 2014.
Developing resilience would include conducting exercises, developing response playbooks, increasing funding and grants for large-scale crisis management and developing redundant data storage in case one is compromised.
The tangle of Internet information that companies and countries depend on to function is now so complex, Healey said, that companies and governments can’t manage the risk from within their own four walls. Beyond Data Breaches notes that Internet failures could cascade directly to Internet-connected banks, water systems, cars, medical devices, hydroelectric dams, transformers and power stations.
Like superstorms such as Hurricane Sandy, cyber risks are inevitable and unstoppable, and like the financial crisis of 2008, they can’t be contained, because of organizations’ interconnection and interdependency. The worst-case scenario, stemming from the principle that everything is connected to the Internet and everything connected to the Internet can be hacked, is “Cybergeddon,” where attackers have an overwhelming, dominant and lasting advantage over defenders.
Even now, Healey said, attackers have the advantage. The Internet’s original weakness — that it was built for trust, not security — perpetuates defenders’ vulnerability. “Some ‘serious’ thinkers suggest we should start over” rather than try to retrofit an Internet so flawed by weak security as to threaten every user, he said, despite the impracticality of a do-over.
Second, Healey said, defenders have to be right every time, and attackers have to be right only once.
Third, technology evolves very quickly, and most people don’t understand it well enough to lock out intruders. “Every time we figure out what we’re supposed to be doing right, the technology has moved on and once again we don’t know how to properly secure our data,” Healey said.
Software is still poorly written and so insecure that “a couple of kids in a garage” can hack into corporate and government systems just for a naughty thrill. “Bad guys” with theft or sabotage on their minds can work their mischief behind a veil of anonymity. “The Internet almost encourages bad behavior because of the anonymity involved,” Healey said.
Companies, governments and risk managers should shift the drumbeat from resistance to resilience, and expand cyber risk management from individual organizations to a resilient and responsive Internet system, Healey said. For systemic risk management, Beyond Data Breaches recommends:
- Putting the private sector at the center, not the periphery, of cyber risk efforts, since they have the advantage in agility and subject matter expertise.
- Using monetary or in-kind grants to fund effective but underfunded non-government groups already involved in minimizing the frequency and intensity of attacks. Governments and others with system-wide concerns (such as internet service providers and software and hardware vendors) should advocate for this research.
- Borrowing ideas from the finance sector. This could include examination of “too big to fail” issues of governance and recognition of global significantly important internet organizations.
3D Printing Offers New Risk Challenges
As commercial 3D printing advances from occasional to routine use, the product liability landscape will shift around it. Defective and counterfeit product exposures, among others, will arise for all participants along the manufacturing continuum, industry experts said.
In an adverse incident, said Rob Gaus, product risk leader, Marsh, liability will be apportioned among participants in the manufacturing and distribution stream: product manufacturer, printer manufacturer, software designer, feedstock supplier, distributor (especially if it modifies the product) and retailer (if the manufacturer is not well capitalized). No case law exists yet.
In 3D printing, a computer sends the software containing a product design to one or more printers, which build the product, layer by layer, from many kinds of materials — plastics, metals, drugs, paints and even human tissue.
David Carlson, U.S. manufacturing and automotive practice leader, Marsh, said 3D-printed products are treated the same as any other new operation that poses new risks.
Underwriters and brokers must first assess the company’s risk management profile and risk appetite. When production, research and development teams look at technology, “they should loop in risk management. Risk management should be part of the continuum, or the company could get into sticky situations.”
The emerging risks include unregulated manufacturing, said Mark Schonfeld, a partner at Burns & Levinson LLP in Boston specializing in business and intellectual property law.
If 3D printing enables production of, say, just 100 hip implants or 100 hearing aids, such work will generally take place outside of a traditional mass-production factory, which is subject to government regulation and inspection.
“Insurance companies like FDA oversight of manufacturing because it makes products safer and helps identify responsibility when things go wrong,” Schonfeld said.
To protect themselves and their clients, Schonfeld advises insurers to keep abreast of technological developments, consult with a creative and knowledgeable attorney about how to address liability exposure, and adjust existing policies to be fair to consumers and prevent injury to the insurance company.
3D printing also raises the risk of counterfeit products, said Peter Dion, line of business director-product liability, Zurich Insurance. The digital “recipe” is in the software design, and is vulnerable to capture, he said.
Although there is no encryption mechanism for the software, one solution might be to transfer the digital file in pieces only as they are needed by the printer to prevent capture of the entire design signature, Dion said.
Manufacturers have always struggled with counterfeit products, but 3D printing magnifies the risks because it can slash the time from product development to market-ready product to a matter of hours and requires no molds or prototypes. “Hackers can take the proprietary blueprint or software, send it to a third-world country, and have the product ready for market tomorrow,” said Carlson. “That’s a business disruption issue. Counterfeiters can put a company out of business.”
Drug manufacturers may subvert counterfeiters by adding tracer elements and watermarks to their formulations, which protects their reputations, profits and public health. “If the counterfeiters get the recipe wrong, they might not produce high-quality drugs for public consumption,” Carlson said.
Other manufacturers can also use watermarks and digital rights management (DRM) software to prevent file sharing. Still, Carlson said, counterfeiting is an old problem. “Bad guys have always exploited new technologies for their personal gain.”
The materials used by manufacturers present a greater potential loss exposure than the 3D printer itself, said Dion, noting that it is just another piece of equipment, like a pencil or a lathe.
For example, if a 3D printer is used to replicate a cupcake, the manufacturer should be as careful of contaminants in the mix as traditional bakers need to be. “When 3D printer manufacturers purchase materials from suppliers, they need to perform due diligence on their supplier’s products also.”