Beyond the Breach
The old-school protection racket has gone high tech. There’s a whole new crop of criminals threatening businesses — demanding cash in order for the “privilege” of not having their livelihoods destroyed.
The bad guys may have ditched the fedoras and spats in favor of hoodies and Chuck Taylors. But the bottom line remains the same.
It’s all about the Benjamins. Or maybe the Bitcoins, in this case.
Welcome to the new frontier of cyber extortion — the world where a few lines of programming code can take a company hostage — or even shutter it for good.
Sure, the “old-fashioned” data breach is alive and well, but it has declined in profitability as the black market for credit card and Social Security data has become oversaturated. The bad guys, meanwhile, went in search of greener pastures.
Cyber extortion, in the form of distributed denial of service (DDoS) threats with ransom demands, began grabbing the attention of security professionals several years ago. These attacks are designed to cripple victims’ ability to transact any business online until the ransom is paid.
The most obvious targets for DDoS attacks, initially, were those that stood to lose the most from a service outage. Payment processing vendors and online gaming sites were early victims.
But the field of targets broke wide open with the birth of automated ransomware — malware that disables a computer system by encrypting data and locking the victim out.
A pop-up window displays a demand for ransom, typically with a threat to delete or publicly share the data if the ransom isn’t paid by a specified time.
Cryptolocker, first appearing in September 2013, netted around $3 million for its operators until it was finally isolated in June 2014. Variants such as Cryptowall, however, were quick to fill the void.
Prior to Cryptolocker, extortion events were somewhat rare and often involved someone with an axe to grind, said Tim Francis, a second vice president with Travelers and the company’s enterprise cyber lead.
“But around two years ago you saw a switch, which was the commoditization of the software that did the extortion for you … . Now it wasn’t somebody who knew anything about your company … it was just somebody out to make a buck.”
Cyber extortion has been propelled into a rather lucrative cottage industry, and potential targets are everywhere.
Reported extortion events have run the gamut from police departments to pizza chains. If criminals cast a wide enough net, they only need a small number of targets to take the email bait in order to collect a respectable payout.
Estimates of the amount being extorted from victims vary wildly. However, in a 2012 report titled “Ransomware: A Growing Menace,” researchers at Symantec were able to estimate the earnings for one particular extortion gang at $394,000 in a single month.
Any current figure would likely be much higher. But the chance of being able to obtain that figure is slim, because no one wants to advertise it.
There are multiple reasons why this type of attack is successful enough to keep criminals engaged.
For one, the rise of Bitcoin and other digital currency has enabled extortionists to operate in a virtually anonymous and untraceable environment.
For another, most criminal actors have shrewdly opted to keep demands modest, increasing the chances that a victim will choose the path of least resistance and simply pay up.
No one is ever eager to capitulate to the demands of an anonymous extortionist. And some have gone to great lengths to avoid giving in. Sometimes, however, that hasn’t been a sound risk management decision.
Code hosting company Code Spaces was hit by a DDoS attack in mid-2014 and refused to give in to ransom demands.
Instead it tried to take back its account by changing passwords. The extortionists, who had created backup logins, retaliated by randomly deleting files.
Most of the company’s data, backups, machine configurations and offsite backups were either partially or completely deleted. The company became a sad statistic — one of the 60 percent of small businesses forced to fold within six months of a serious cyber attack.
Speculation, however, is that many companies opt not to take such a risk, and simply choose the lesser evil and pay off their attackers. The SANS Institute estimated in 2009 that thousands of organizations were quietly paying off cyber extortionists.
“Not disclosing that you’ve been breached, in itself, is one of the main reasons that some decide to pay a cyber extortion threat rather than handling it with assistance from law enforcement,” said Jessica Lindo, vice president, professional lines at Allied World.
Lindo and other experts aren’t quick to opine on whether victims should or shouldn’t pay, because every situation is unique.
“Whether a company decides to pay depends on their assessment of the credibility of the threat,” said Lindo.
“If they are confident … that the threat is legitimate and can be actioned upon, they may be inclined to pay the ransom. … Within the retention it may be solely up to them to decide whether they want to pay the ransom without involving the insurer,” she said.
“Each situation would need to be analyzed on its own merits,” agreed Matt Donovan, national underwriting leader, technology and privacy, with Hiscox USA.
“Many companies are able to thwart ransomware issues if they are able to restore to an earlier backup of the file system. In these instances, the system restoration can potentially be a better option than paying the demand.”
That solution won’t fit every type of threat, however. The very public airing last year of Sony’s dirty laundry understandably rattled plenty of top-level executives. The threat of public exposure rather than outright deletion of data could easily be enough to force the hand of businesses that fear embarrassment or loss of reputational stature.
Lindo noted that in the event an insured is faced with a demand high enough to pierce its retention level, it would be a mistake to assume that an insurer would withhold approval to pay on a ransom demand.
“Once that threat is actioned upon, it could become a much larger cyber loss,” she said.
“And the loss may move from one handled solely by the company within the retention to one involving insurance.”
Cyber, Extortion, or Both?
There are a few gray areas surrounding the question of whether a cyber extortion event would trigger coverage in a typical cyber policy. Some also have questions about whether a kidnap, ransom and extortion policy (KR&E) would exclude a cyber event.
Travelers’ Francis said that as with any policy, it’s going to come down to whether the circumstances of the event align with the wording of the policy.
“Not every K&R policy is the same, not every cyber policy is the same,” he said.
“Like anything else, your agent or the customer needs to make sure their specific policy as written would cover it. … Certainly in any standard cyber policy you should expect to find some degree of coverage. But it would not be unusual for a K&R policy to cover cyber-related events in addition to non-cyber types of extortion events.”
Brian Dunphy, senior managing director, management and professional risk group, Crystal & Company, added that because cyber extortion coverage is rarely triggered under a policy, such coverage is fairly easy to obtain.
“But it’s not in many cases a standard grant of cover. It’s one of those things you have to ask for it if you want it.”
Not many are asking though, because they’re not thinking about it as an exposure unless there is a specific reason to consider their data sensitive.
But the bad guys don’t really care who they attack, said Francis, and plenty of organizations simply have no type of coverage in place.
“Cyber policies are still not purchased as frequently as they should be, but still they’re more likely to be purchased than K&R policies generally,” he said.
“Many companies have neither.”
Those companies could easily find themselves in a world of hurt.
“Having the financial backing of an insurance policy can bring financial security and the breach response expertise needed to navigate the attack when it occurs,” said Donovan of Hiscox.
Path of Least Resistance
Most cyber extortion is an opportunistic crime, said Allied World’s Lindo. Organizations with less than adequate security controls are going to be the most vulnerable.
“The controls you implement in a sophisticated security and business continuity program are the same controls that are likely to prevent a cyber extortion threat,” she said.
“So if there’s any good news in cyber, I think it’s that.”
“The most important thing [risk managers] can do is to prioritize their assets,” said Lindo.
“Identify the most valuable data, most sensitive data — areas that would give you the greatest financial harm if disclosed, your most critical processes and applications.”
“Segregating the ‘crown jewels’ from the rest of your network can be an easy starting point,” said Donovan.
Once you’ve identified those assets, then you can target your resources around preventing access to those assets and ensuring that you’ve built redundant systems around them to ensure business continuity in the event of an attack.
Many of the other precautions that should be in place are the same as those companies employ to protect against other types of network intrusions.
Beyond simple anti-virus software installation, said Donovan, companies should consider penetration testing, bug-bounty programs and data-classification programs.
“Daily backups can help thwart the ransomware attacks as well,” he said.
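The restore-from-backup option that Donovan and the earlier Hiscox comment describe only works if the backup copy is both independent of the compromised systems and known to be intact. The following is an added illustration, not code from the article or from any of the firms quoted: it takes a daily snapshot with a SHA-256 manifest, verifies the snapshot before trusting it, and refuses to restore from a copy that has been altered. The directory layout, file names and sample contents are all constructed for the example; it assumes the backup location is one the production account cannot write to, which is exactly the property the Code Spaces incident above lacked.

```python
"""Snapshot, verify and restore a backup set before relying on it for recovery.

Added example for illustration only; paths and sample files are constructed here.
Assumption: `backup_dir` lives on storage that production credentials cannot modify,
and the manifest is also copied somewhere the production account cannot reach.
"""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path

MANIFEST = "manifest.json"


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(src: Path, backup_dir: Path) -> dict:
    """Copy every file under src into backup_dir and record its SHA-256 in a manifest."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for path in sorted(p for p in src.rglob("*") if p.is_file()):
        rel = path.relative_to(src).as_posix()
        dest = backup_dir / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, dest)
        manifest[rel] = sha256_file(dest)
    (backup_dir / MANIFEST).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(backup_dir: Path) -> dict:
    """Return {relative path: 'ok' | 'modified' | 'missing'} for every manifest entry."""
    manifest = json.loads((backup_dir / MANIFEST).read_text())
    status = {}
    for rel, digest in manifest.items():
        path = backup_dir / rel
        if not path.exists():
            status[rel] = "missing"
        elif sha256_file(path) != digest:
            status[rel] = "modified"
        else:
            status[rel] = "ok"
    return status


def restore(backup_dir: Path, target: Path) -> list:
    """Restore only from a backup that verifies clean; otherwise refuse outright."""
    status = verify(backup_dir)
    bad = {rel: state for rel, state in status.items() if state != "ok"}
    if bad:
        raise RuntimeError(f"backup failed verification: {bad}")
    restored = []
    for rel in status:
        dest = target / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(backup_dir / rel, dest)
        restored.append(rel)
    return restored


def demo() -> dict:
    """Walk through snapshot -> loss of production data -> restore, then a tampered backup."""
    root = Path(tempfile.mkdtemp())
    prod, backup = root / "prod", root / "backup"
    prod.mkdir()
    # Constructed sample data standing in for a business's working files.
    (prod / "ledger.csv").write_text("id,amount\n1,100\n")
    (prod / "notes.txt").write_text("constructed sample data\n")
    snapshot(prod, backup)
    # Stand-in for the production copies becoming unreadable.
    for p in prod.iterdir():
        p.write_bytes(os.urandom(32))
    before = verify(backup)            # backup untouched: every entry 'ok'
    restore(backup, prod)
    recovered = (prod / "ledger.csv").read_text()
    # If the backup itself has been altered, restore must refuse rather than propagate damage.
    (backup / "notes.txt").write_bytes(b"garbage")
    tampered = verify(backup)
    try:
        restore(backup, prod)
        refused = False
    except RuntimeError:
        refused = True
    shutil.rmtree(root)
    return {"before": before, "recovered": recovered, "tampered": tampered, "refused": refused}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running `snapshot` once a day from a scheduler gives the daily backups the text recommends; the point of `verify` is that a restore decision is made on evidence rather than hope. Keeping a second copy of the manifest outside the backup location closes the gap where an intruder with write access to the backups could rewrite both the files and their hashes.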
Travelers’ Francis poses an apt analogy: “There are a dozen houses on the street. One of them is well lit with clear lines of sight, the doors and windows are locked. [Criminals are] going to move on to the other house down the street that doesn’t have lights and leaves the door open; they’re going to take the path of least resistance.
“Lock your doors, turn on your lights. Use firewalls, have a process in place, use the right software, check your logs, have virus detection. It’s not bulletproof, but it may be enough to have the bad guys go after someone else instead of you.”
A far-too-often overlooked piece of the puzzle is having an incident response plan for a cyber extortion event, experts agreed.
“Today, I would say that cyber extortion is probably not a part of [most companies’] incident response plans,” said Lindo. “I’m not sure that most companies have fully considered these types of threats.”
Without a plan in place, there’s little chance for an organization to address an extortion event effectively, or prevent it from escalating.
“You can’t just rip the plug out of the wall and expect the threat to go away,” added Dunphy of Crystal & Company.
“There’s a lot that needs to be addressed. … It’s like practicing a fire drill for kids in school — when the alarm sounds, does everybody know what their roles and responsibilities are? Cyber extortion is just like that. Do you know what to do? Who to contact? The steps in which things are supposed to take place?”
When faced with a threat, said Lindo, you never want that to be “the first time you’re discussing what you’re going to do and how you’re going to respond.”
The threat of cyber extortion is yet another reason why risk managers must help their organizations understand that data security is an enterprise-level issue.
“It’s important to have a culture that understands the value of the data that they’ve got, and the ramifications financially and reputationally if that data was to go missing or to be made public,” said Francis.
And that culture must be driven from the top of the organization down into every department, so that data security is top priority for all.
“There’s no one weak link,” he said.
Risks in Three Dimensions
Companies are leaving themselves exposed to a host of costly and unexpected risks if they fail to come to grips with the new challenges presented by 3D printing technology.
Industry experts said that businesses need a fundamental review of their risk management processes and controls to deal with the potential problems caused by this new technology or they could find themselves being sued for copyright infringement or, worse still, having to pay out millions in product liability claims.
3D printing or additive printing, as it is commonly known in the industry, is the process of producing solid three-dimensional objects using a digital blueprint. It works by using a computer to send the design to a printer that then builds the product.
PwC estimates that 67 percent of manufacturers already use 3D printing, while NASA has been testing the technology in its space station for years. It is widely used for creating prototypes in the aviation, automotive and medical industries, and applications range from plane engines and car spare parts to surgical implants and prosthetic limbs.
With the industry expected to grow in value by 25 percent to $17.2 billion by 2020, according to consultancy firm A.T. Kearney, the scope for the technology is almost limitless — as are the potential risks, including counterfeiting and the manufacture of illegal drugs.
“The biggest risk of 3D printing is that you can make anything, anywhere in the world and that presents a host of potential problems,” said Mark Schonfeld, a partner at Burns & Levinson LLP.
“Those problems in the main include product liability, intellectual property, and safety and security issues.”
Supply Chain Risks
Schonfeld said that the biggest difference between 3D printing and traditional manufacturing is the complexity of the supply chain and the number of different parties involved.
“With 3D printing, you have more players than you would have in the traditional manufacturing process, where most of the participants work for the same company,” he said.
“So if something goes wrong with the product, who is liable – is it the designer, the supplier, the manufacturer or even the end user?
“Currently there is no legislation governing 3D printing, so it is often very hard to tell who is responsible.”
Rob Gaus, global product risk group leader at Marsh, said there are three key factors affecting any manufacturing process: “It’s about having a clearer focus on the materials that are being used, the financial strength of your supply chain partners, and the quality assurance program and processes that you have in place,” he said.
“Overarching all of those risks is the product risk management process, which revolves around risk assessment and how they apply in foreseeable use and misuse scenarios.”
Robert Weireter, vice president and senior underwriter at Swiss Re, said that increasing the scale of 3D print manufacturing also creates the problem of ensuring the quality and durability of the end product.
“When you print out something in a small-scale environment, you have a lot of control over the process, and therefore over the quality of the finished product,” he said.
“However, with 3D printing, questions arise when you increase the scale to a commercial level. Can you still ensure the quality of the finished product?”
Another key issue with 3D printing is counterfeiting or the illegal copying of products.
Provided you have the right design or blueprint and a 3D printer, it’s easy to quickly produce, for example, your own iPhone at home.
“It’s very easy if you have your own 3D printer at home to scan a design into your printer, print it out and sell it,” said Cindy Slubowski, vice president and head of manufacturing at Zurich North America.
“We have seen some claims, and the real issue is that the original manufacturer who has the rights to that product now has a counterfeit product out there that it knows nothing about and that can cause serious issues in terms of liability, patent and trademark infringement.”
No one is immune from the intellectual property risks associated with 3D printing, said Tom Srail, technology, media and telecommunications industry group leader at Willis North America.
“Intellectual property is a significant risk not only for the organization making the product but also for the supply chain as a whole and for other companies’ copyrights, trademarks and patents in similar types of products and areas,” he said.
“Even if you’re not producing anything using 3D printing, you can still be exposed to risks in the supply chain with other entities using the technology to counterfeit or copy what you are doing.”
Michael Bruch, head of emerging trends/ESG business services and chief underwriting officer, risk consulting, at Allianz Global Corporate and Specialty SE (AGCS), said that the convergence of manufacturing and digital technology also makes unauthorized copying of product designs easier to do in the future.
“Because it will be much harder to track these products, traceability will become an even bigger issue than it was before,” he said.
“It will also bring a whole suite of issues such as piracy and copyright infringement to the fore.”
Therefore, it’s important for companies to do due diligence before manufacturing new products, said Shawn Ram, executive managing director and western regional manager at Crystal & Company.
“When manufacturing or technology companies develop a certain product, they have to do due diligence on patents and discovery on trademarks and copyrights, which is often overlooked because of the time and cost involved,” he said.
Security and Privacy Fears
The shadow of cyber risk also lurks around 3D printing. It’s no stretch to imagine someone hacking into a computer system and fundamentally changing the design of a product.
“You have this whole file sharing component in 3D printing that you don’t have in traditional manufacturing and so that automatically becomes a huge potential security and privacy issue,” said Zurich’s Slubowski.
“We are seeing a lot of 3D printing going into hospitals these days and if someone were to hack into their computer system and modify the design of a key component they produce, such as a heart valve for a patient, then the consequences would be unthinkable.”
Ram said that the lack of a strong regulatory environment in 3D printing also makes it much easier to manufacture a product such as a weapon that can cause harm or damage.
“There are still a lot of gray areas because there are so many different parties involved in the process, so it can be hard to create any meaningful regulations,” he said.
AGCS’s Bruch said that like any new technology, 3D printing will have its teething problems at first, but provided it is closely monitored, risks can be eliminated early in the manufacturing process.
“In terms of cyber risks, risk managers will need to review all of their IT risks in both their office computer systems and production lines and throughout the whole digitalized manufacturing chain from the first idea to the final 3D printed end-product,” he said.
3D printing also opens up the possibility of criminals exploiting the technology for their own gain, said Emily Cummins, managing director of tax and risk management at the National Rifle Association.
“Quite simply, any company that uses credit cards to run its business, which is most, carries a potential threat of being exposed to cyber risk,” she said. She cited a recent case where a criminal gang used a 3D printer to produce an ATM skimmer that was used to steal customers’ details.
“The kind of fraud that can be perpetrated from extracting the information on credit cards includes identity theft and financial theft.”
Risk Management Procedures Lag Behind
All of these risks have opened up companies to a host of potential claims running to millions of dollars, particularly on the product liability side.
Slubowski said the biggest danger to companies is failing to understand their exposures.
“If you don’t understand all of the nuances around 3D printing, then you will probably find yourself with claims that you didn’t anticipate you were going to have,” she said.
“We have seen it in the industry before where small companies get hit with large claims and they go out of business because they can’t come back from the reputational and monetary damage they have suffered.”
Despite companies’ best intentions, many are still lagging behind in terms of their risk management procedures for dealing with the risks of 3D printing, experts said.
Willis’ Srail said that the evolving technology of 3D printing means that companies have to continually adapt their risk management models.
“Some companies are well along the way with that,” he said. “However it’s safe to say that most companies are not ready for everything that is coming.
“It’s something that organizations will need to look at internally, externally and throughout their supply chain, and to undergo an ongoing improvement process by reviewing all of these risks on a continual basis.”
Ram went even further to say that 3D printing is still not even on some risk managers’ radar.
“Our general awareness of the value and opportunity of 3D printing is relatively nascent and so many risk managers aren’t prepared for it,” he said.
However, despite all the risks and possible downsides of 3D printing, Cummins is upbeat about the future.
“As an innovation, 3D printing can be managed either as a sustaining innovation that you can use to improve your business or as a disruptive innovation that overtakes an existing market and puts companies out of business,” she said.
“So those companies that get on board early on with the new technology can use it in a sustaining way to enhance their product and become industry leaders.”
6 Truths about Predictive Analytics
Predictive data analytics is coming out of the shadows to change the course of claims management.
But along with the real benefits of this new technology comes a lot of hype and misinformation.
A new approach, ACE 4D, provides the tools and expertise to capture, analyze and leverage both structured and unstructured claims data. The former is what the industry is used to – the traditional line-item views of claims as they progress. The latter comprises the vital information that does not fit neatly into the rows and columns of a traditional spreadsheet or database, such as claim adjuster notes.
ACE’s recently published whitepaper, “ACE 4D: Power of Predictive Analytics” provides an in-depth perspective on how to leverage predictive analytics to improve claims outcomes.
Below are 6 key insights that are highlighted in the paper:
1) Why is predictive analytics important to claims management?
Because it finds relationships in data that achieve a more complete picture of a claim, guiding better decisions around its management.
The typical workers’ compensation claim involves an enormous volume of disparate data that accumulates as the claim progresses. Making sense of it all for decision-making purposes can be extremely challenging, given the sheer complexity of the data that includes incident descriptions, doctor visits, medications, personal information, medical records, etc.
Predictive analytics alters this paradigm, offering the means to distill and assess all the aforementioned claims information. Such analytical tools can, for instance, identify previously unrecognized potential claims severity and the relevant contributing factors. Having this information in hand early in the claims process, a claims professional can take deliberate actions to more effectively manage the claim and potentially reduce or mitigate the claim exposures.
2) Unstructured data is vital
The industry has long relied on structured data to make business decisions. But, unstructured data like claim adjuster notes can be an equally important source of claims intelligence. The difficulty in the past has been the preparation and analysis of this fast-growing source of information.
Often buried within a claim adjuster’s notes are nuggets of information that can guide better treatment of the claimant or suggest actions that might lower associated claim costs. Adjusters routinely compile these notes from the initial investigation of the claim through subsequent medical reports, legal notifications, and conversations with the employer and claimant. This unstructured data, for example, may indicate that a claimant continually comments about a high level of pain.
With ACE 4D, the model determines the relationship between the number of times the word appears and the likely severity of the claim. Similarly, the notes may disclose a claimant’s diabetic condition (or other health-related issue), unknown at the time of the claim filing but voluntarily disclosed by the claimant in conversation with the adjuster. These insights are vital to evolving management strategies and improving a claim’s outcome.
3) Insights come from careful analysis
Predictive analytics will help identify claim characteristics that drive exposure. These characteristics coupled with claims handling experience create the opportunity to change the course of a claim.
To test the efficacy of the actions implemented, a before-after impact assessment serves as a measurement tool. How else can program stakeholders be sure that the actions that were taken actually achieved the desired effects?
Say certain claim management interventions are proposed to reduce the duration of a particular claim. One way to test this hypothesis is to go back in time and evaluate the interventions against previous claim experience. In other words, how does the intervention group of claims compare to the claims that would have been intervened on in the past had the model been in place?
An analogy to this past-present analysis is the insight that a pharmaceutical trial captures through the use of a placebo and an actual drug, but instead of the two approaches running at the same time, the placebo group is based on historical experience.
4) Making data actionable
Information is everything in business. But, unless it is given to applicable decision-makers on a timely basis for purposeful actions, information becomes stale and of little utility. Even worse, it may direct bad decisions.
For claims data to have value as actionable information, it must be accessible to prompt dialogue among those involved in the claims process. Although a model may capture reams of structured and unstructured data, these intricate data sets must be distilled into a comprehensible collection of usable information.
To simplify client understanding, ACE 4D produces a model score which, depending on the model and program, illustrates the relative severity of a claim or the percentage chance of a claim breaching a certain financial threshold or retention level. The tool then documents the top factors feeding into these scores.
5) Balancing action with metrics
The capacity to mine, process, and analyze both structured and unstructured data together enhances the predictability of a model. But, there is risk in not carefully weighing the value and import of each type of data. Overdependence on text, for instance, or undervaluing such structured information as the type of injury or the claimant’s age, can result in inferior deductions.
A major modeling pitfall is measurement as an afterthought. Frequently this is caused by a rush to implement the model, which results in a failure to record relevant data concerning the actions that were taken over time to affect outcomes.
For modeling to be effective, actions must be translated into metrics and then monitored to ensure their consistent application. Prior to implementing the model, insurers need to establish clear processes and metrics as part of planning. Otherwise, they are flying blind, hoping their deliberate actions achieve the desired outcomes.
6) The bottom line
While the science of data analytics continues to improve, predictive modeling is not a replacement for experience. Seasoned claims professionals and risk managers will always be relied upon to evaluate the mathematical conclusions produced by the models, and base their actions on this guidance and their seasoned knowledge.
The reason is – like people – predictive models cannot know everything. There will always be nuances, subtle shifts in direction, or data that has not been captured in the model requiring careful consideration and judgment. People must take the science of predictive data analytics and apply their intellect and imagination to make more informed decisions.
Please download the whitepaper, “ACE 4D: Power of Predictive Analytics” to learn more about how predictive analytics can help you reduce costs and increase efficiencies.
This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with ACE Group. The editorial staff of Risk & Insurance had no role in its preparation.