Stabbed in the Back
Disclaimer: The events depicted in this scenario are fictitious. Any similarity to any corporation or person, living or dead, is merely coincidental.
Part One: Opportunity Knocks
Jack Fisk, nice and warm in the comfort of his study in Fort Collins, Colorado, sat and stared at the message in his personal email account inbox. He sat and stared at it for a long time.
Jack took a sip of herbal tea and a nibble of the lemon cookie at his elbow. Then he went back to staring at the message. There it was in black and white, an offer from a Chinese national — an offer he felt he couldn’t refuse.
As a lead engineer with Super Diamond, a manufacturer of mining and drilling equipment, Jack was an integral part of a team that developed one of the most effective drilling bits ever made. The bit, used in gold mining and deep-sea oil extraction, was helping to push Super Diamond into record-breaking revenue territory.
There was only one problem and it was a very big one, for Jack at least. Super Diamond’s top line was breaking records, but Jack Fisk felt left out. Where were his millions, he wondered.
Well here they were. He didn’t know how they found him, but they found him.
The deal was this. Hand over some of Super Diamond’s top-secret product information and receive a seven-figure reward.
As Jack considered the offer, he felt entirely justified in taking it. It was his creativity and knowledge, more than anyone else’s, which led to the product breakthrough. He was sure of it. He knew it in his gut.
Here’s what Jack didn’t know. Another employee of Super Diamond, an IT executive based in Mumbai, was looking at a very similar email. This employee, Vijay Bhakta, enjoyed super-user status within Super Diamond’s computer networks, with access to all of its servers.
The Chinese had done their homework. Jack, married with two children, lived a pretty straight life. The lure of a big paycheck was more than enough for him.
Vijay enjoyed a riskier lifestyle. Money was a good motivator for him, but just as compelling were the offers of drugs and prostitutes the Chinese were dangling in front of him.
In approaching Vijay, the Chinese were after more than product information. They wanted access to Super Diamond’s customer list and information on its entire product line, not just the drilling bits that Jack helped develop.
Both executives, unbeknownst to the other, took the bait.
For the next 18 months, Jack used the time-honored method of downloading proprietary information onto a thumb drive, walking out the door with it, and painstakingly sending it to his Chinese contact using his personal email address in the quiet comfort of his study at home.
The Bitcoin payments from the Chinese, amounting to $2.7 million in 18 months, arrive faithfully. Jack uploads his company’s precious trade secrets just as faithfully.
Vijay is introduced to a hacker who, armed with the IT exec’s user information and passcodes, invades Super Diamond’s system at will over the same time period.
Vijay is also faithfully compensated, with cash drops and services meeting his other needs, under the terms of his agreement with the Chinese.
At the end of 18 months, fully exploiting their two points of entry, the Chinese own the keys to the Super Diamond kingdom. They know how to make a number of Super Diamond’s products and they know exactly who to sell them to and at what price.
Part Two: A Chilling Recognition
Super Diamond’s risk manager, Cathleen Sunbury, is enjoying an invigorating game of tennis with a friend on a sunlit court in San Diego, when she gets an urgent text from the company’s COO.
“Please get to the office, ASAP,” says the message. “Urgent.”
A chill runs through Cathleen.
“Uh oh,” she says, as she and her friend grab a water break courtside.
“What is it?” her friend says.
“I don’t know what it is, but it doesn’t look good,” Cathleen says. “I gotta go.”
“Is this because I was winning?” her friend asks.
That would normally be a funny jibe between friends. It’s not today.
At the office, other company executives share with Cathleen what they know. Sales in several of Super Diamond’s key Asian markets have suddenly softened.
There is also an indication that the company suffered an IT breach, but the extent of it is difficult to ascertain. Whoever broke in did a great job of covering their tracks. What was accessed and what was taken appear to be unknowns. The company’s IT department is at a loss.
“I know who to call,” Sunbury says, banking on a conversation she had with a former higher-up in the FBI who now works for a cyber forensics firm in Philadelphia.
The Super Diamond CEO and CFO initially balk at the forensic firm’s price tag.
The vice president of the forensic firm, who led key cyber investigations for the FBI before entering the private sector, snorts in derision.
“Your company is horrible at this,” the forensics VP says.
“Your IT department has no idea what happened and it will take them months to figure it out,” he says.
“It’s looking like you have an internal perpetrator, possibly more than one. How much longer can you afford to wait to determine what’s going on?”
The phrase “possibly more than one” overwhelms any resistance on the part of the CFO and the CEO. They sign on the dotted line with the forensics firm.
The forensic firm gets right to work. To connect the dots they pull records from a number of departments, including Human Resources and Security.
They also have their own cyber security specialist take a look at the Super Diamond network to see who might have compromised it.
It takes the forensics firm two days to come up with two names: Jack Fisk and Vijay Bhakta.
Part Three: Gone, Gone, Gone
Jack Fisk and Vijay Bhakta are dismissed and face criminal charges. As painful as that is for company executives, that’s the easy part.
What comes next for Cathleen Sunbury in her role as risk manager is far more painstaking, and far more painful.
The forensics team is able to match up human resources records, including data on when Vijay Bhakta and Jack Fisk were in the office, against data on computer use, including when an outside device was connected to Jack Fisk’s computer.
That leaves no doubt that the theft of product information and additional company information from Super Diamond was the work of inside perpetrators.
The “good” news is that Super Diamond executives now understand what happened. The bad news is that their insurance policies are inadequate to cover the loss.
Determining the value of what was taken, including the cost of lost sales, is difficult, but Super Diamond executives settle on a figure of $200 million.
The company’s cyber breach policy, though, covers an occurrence in the event of a breach from an outside hacker. Bhakta and Fisk are internal perpetrators, and thus the company is not covered, its carrier says.
Compounding the pain, Super Diamond shareholders file suit against Super Diamond executives and board members. The shareholders argue that the board and the C-suites failed to take adequate measures to protect proprietary company information.
The company’s E&O and D&O policies respond to the costs of the lawsuits. But the company faces punishing premium increases for both E&O and D&O coverage going forward.
Sales are depressed, due to the theft of key intellectual property, and getting good cyber coverage at a reasonable price is flat-out impossible.
Super Diamond settles for a premium increase to cover both external and internal hacks that is 400 percent more than it faced the previous year.
Worn out by the process of determining the loss and trying to get coverage for a company that is bleeding money, Cathleen Sunbury resigns.
“I don’t know who we’re going to get to replace you,” the CEO says.
“I don’t know either,” Sunbury says, meaning no disrespect but feeling utterly defeated.
Risk & Insurance® partnered with Swiss Re Corporate Solutions to produce this scenario. Below are Swiss Re Corporate Solutions’ recommendations on how to prevent the losses presented in the scenario. This perspective is not an editorial opinion of Risk & Insurance®.
Super Diamond’s Cathleen Sunbury might still have her job and her company would be in much better shape had she partnered with Swiss Re Corporate Solutions.
Swiss Re, in addition to offering cyber insurance coverage that would have covered an internal perpetrator incident such as the one detailed in “Stabbed in the Back,” would also advise Sunbury and her fellow executives at Super Diamond on being much better prepared to defend against and respond to it.
Having a forensics team, a crisis (breach) communications partner and the right law firm lined up ahead of time would have saved the company a lot of time and trouble. Swiss Re offers all of that as part of its coverage.
In just one example, imagine the costs that Super Diamond will incur if it has to go after Vijay Bhakta and Jack Fisk in civil court, or what it’s going to spend defending itself against shareholder lawsuits.
Swiss Re Corporate Solutions would have paid for Super Diamond’s legal defense, compensated it for lost revenue, and paid for data reconstitution and additional legal costs as part of its CyberSolutions product.
The lost sales in Asia that Super Diamond experiences when Jack Fisk sells its intellectual property to a Chinese national would also be covered under that policy.
On the front end, Swiss Re would work with Super Diamond to identify which of its mining or drilling technologies were most valuable; in other words, naming the “crown jewels” that the company absolutely could not afford to lose control of. That would also involve ascertaining where those “jewels” are stored and who has access to them.
The upfront work would also include the services of experts with IBM who can conduct penetration tests of the company’s IT systems.
In essence, companies everywhere need to understand that any gap in their preparedness or ability to respond creates liability. There is not only the initial liability of a loss or a penetration, there is the multiplying liability of shareholders, or regulators, holding the company responsible for its negligence.
By partnering with Swiss Re Corporate Solutions and picking up its CyberSolutions product, Super Diamond would have bolstered its risk mitigation and vastly improved the efficiency of its response.
No company is safe from a cyber penetration; the record is clear on that. But experts say many companies have a lot of ground to make up to become more vigilant and better coordinated to bounce back when an incident occurs.
No entity can do this on its own. Pick the right partner(s).
Disclaimer: The events depicted in this scenario are fictitious. Any similarity to any corporation or person, living or dead, is merely coincidental.
Bright Shiny Objects
As the plane touches down, Meredith Fiers feels the butterflies in her belly. The risk manager for semiconductor manufacturer Bluepoint is now on the ground for her first big overseas assignment.
Her task? Visit the site of a proposed Bluepoint plant outside of Chandigarh, India, the provincial capital of Haryana. Officials in Haryana are offering generous tax breaks, a prime location and help accessing an educated, modestly compensated local workforce.
But there are still some issues to work out. Fiers needs to help determine how exposed the plant is to flood and other hazards.
Her first meeting with government engineers in Chandigarh leaves her feeling that she has her work cut out for her.
“These flood maps leave a lot to be desired,” she says to herself as she reviews a set of plans and elevations with local officials.
Something pings in her gut.
“I need to get out in the country and meet with some locals,” she thinks.
The next morning Fiers and an interpreter hop into a taxi and head to the local village that is closest to where the Bluepoint plant will be built.
Fiers keeps her eyes peeled as the taxi driver navigates a bumpy provincial town road into the village. Out of the corner of her eye, she notices a group of older men gathered under the canopy of a Jujube tree.
“Stop! Here!” she says and the interpreter, in rapidly delivered Hindi, delivers the message to the driver.
“Ask them! Ask them,” she says excitedly.
“Ask them what?” says the interpreter, beginning to show signs of trepidation in the face of the forward manner of his American client.
“Ask them about flood,” Fiers says. “What’s the worst flood they remember?”
At the center of the group of villagers is an old man. Part of his white beard is stained by nicotine to a goldfinch yellow.
He nurses a glass of tea and the smoldering hand-rolled cigarette in his fingers seems like a natural extension of his anatomy. His dark eyes sparkle brilliantly, though, and he smiles as the interpreter approaches him.
The interpreter pops the question.
“Old man,” he says with a bit of cheek. “What is the worst flood you remember?”
The old man strokes his white-yellow beard and his smile fades as the memory hits him. Suddenly excited, he turns, jumps up and points with a trembling hand at a nearby temple wall.
Fiers turns and looks with him. She sees it immediately, a faint division in the shading of the stones. The stones are darker from the ground up to a certain point, then lighter above. A high-water mark.
The man speaks excitedly to the interpreter in Hindi. But once he begins speaking, other members of the group start to engage and argue with one another. One points further up the hill; another points downhill. The argument soon becomes quite heated.
The interpreter turns to Fiers, surprised at the detail he just picked up. He just ignores the growing chaos behind him.
“1945,” he says. “That was the high point right there. In 1945.”
The village elders’ argument dies down and the old man sits down and takes a sip of tea, subdued again.
That night Fiers leaves an excited voicemail with Bluepoint’s CFO.
“Our proposed site is 1.5 meters higher in elevation than the worst flooding Haryana has ever seen,” she says.
“Let’s do this.”
Monsoon Season in Haryana
By August of 2018, the Bluepoint semiconductor plant near Chandigarh is everything company executives thought it would be. The local workforce and management team are delivering like a dream.
Part of Bluepoint’s confidence in the Chandigarh operation is that it is armed with a contract from Todah. Todah, one of the largest auto manufacturers in the world, is grabbing large chunks of market share with its hybrid vehicles.
This very month, Bluepoint wins yet another enormous contract, this time with a U.S.-based car maker.
Bluepoint’s leaders, though, are keeping a close eye on a German competitor, Tek-Kraft. Tek-Kraft also used government incentives to build a semiconductor plant nearby. Bluepoint seems to be in a budding talent war with Tek-Kraft.
But as monsoon season builds to a peak, Bluepoint finds it has something else to worry about. The rain is coming down like no one in Haryana has ever seen.
“It’s Superstorm Sandy all over again,” says an engineering consultant who works with Bluepoint, on a call with Fiers and other executives as flood waters begin to overwhelm the lower elevations.
“What do you mean?” says Fiers, with some irritation in her voice. She doesn’t initially get the connection.
“I mean that a couple of underlying factors are producing flooding like this area has never seen before,” he says patiently.
“One, climate change is increasing the intensity of storms and other climatic actors like monsoons. This area has probably never seen such moisture.”
“And the second?” Fiers says. Panic is causing her to lose her composure.
“The second is that there is no way local flood maps could take into account the rapid increase in development which has sealed off the soil with concrete, asphalt and business parks,” the consultant says.
“There’s nowhere for all this water to go.”
The image of the old man pointing to the temple wall flashes in front of Fiers’ eyes. How high up that wall will this flood go? The answer is … high enough.
Bluepoint’s Chandigarh location is devastated by three days of flooding. The old man Meredith Fiers interviewed never thought he’d see the day when that 1945 flood is eclipsed. Well that day is here.
Nothing to do for it but get on the phone with her broker and her carriers. Fiers takes a deep breath and starts dialing.
Goodbye Local Workforce
“You’re in good shape from a coverage standpoint,” her broker tells Fiers when they connect and go over the policies two days after the plant is so severely damaged.
“You’ve got robust property coverage. You’ve got business interruption coverage as part of your property policy. No issues there given how long we think it will take the plant to get back up to speed, which I think is about nine months,” he says.
“True,” Fiers says.
“Of course we have some work to do to make sure we don’t get hurt at renewals,” he adds. “But with your loss run, you should be okay.”
But Fiers isn’t convinced that all is well. She’s right.
Six months later, with the re-opening of the Bluepoint Chandigarh plant a mere three months away, the company is buffeted by a different kind of flood: a wave of bad news.
The first blow is that Bluepoint loses Todah as a customer. The superstar hybrid maker picked up a new supplier while Bluepoint was down. Guess who? Yes, it’s Tek-Kraft.
Then Bluepoint loses the contract with the U.S. hybrid maker. Semiconductor makers with locations in China and Thailand were only too happy to pick up that business.
Still, Bluepoint executives push on to open the Chandigarh plant. Their sales people are begging other customers to stay with them until they can open again.
Their pleas may be in vain. Bluepoint puts out the word that it is hiring again at the Chandigarh plant. Unfortunately very few answer the call.
Local officials indicate that much of Bluepoint’s work force is now working for the Tek-Kraft plant.
“We’re none too happy with how your company has managed things here,” a Haryana economic development official tells a Bluepoint manager.
“So now it’s our fault?” the manager says.
Politics being politics, somebody’s got to take the blame for squandered tax breaks that, in the end, failed to create long-lasting jobs. In these parts, Bluepoint is now the bad guy.
Bluepoint is rocked by the events in Haryana.
One day, just to escape the tension of what has become a daily work nightmare, Meredith Fiers takes a walk on the outskirts of the local village.
Coming up to the Jujube tree, she sees the village elder, the one who pointed so portentously to the temple wall’s high water mark.
With his ever-present cigarette he looks sadly to the damaged temple, where there is a new high water mark. Fiers’ gaze follows his.
“If I only knew,” she says to herself.
Risk & Insurance® partnered with FM Global to produce this scenario. Below are FM Global’s recommendations on how to prevent the losses presented in the scenario. This perspective is not an editorial opinion of Risk & Insurance®.
Do not underestimate the impact you can have on reducing the potential damage and disruption to your business if flooding occurs. It all starts with a clear understanding of the risk, flood maps, onsite engineering expertise, local knowledge and a flood emergency response plan.
At important facilities, an onsite engineer is crucial to evaluating factors such as changes in terrain and infrastructure, impediments to water flow and other factors. Ideally, the facility should lie outside of a flood zone. Flood maps and onsite engineers are your best defense to mitigating flood exposure.
Regional and global mapping capabilities represent a unique blend of scientific knowledge, local expertise and technology to ensure you have the most comprehensive, up-to-date information to help you make informed risk improvement decisions.
But, if your facility is flood exposed, an engineer can look at opportunities to provide fixed or temporary flood protection, such as flood barriers or elevating critical assets.
A flood emergency response plan (FERP) can help you:
- Gain a thorough understanding of how a potential flood event could affect your facility;
- Make your emergency response team aware of their roles during such an event; and
- Ensure you have adequate resources on hand.
Consider taking the following steps:
- Make sure you understand the potential flood events to which your site is exposed. It is critical to know how much time you will have to put your plan in place. Important aspects include warning time, how fast the water will rise and how long it will last. This is where an onsite engineer can help you.
- Ensure you have a reliable method of flood warning.
- Establish the potential impact to your business (what operations will be affected, what level of damage will be involved – an engineer can provide assistance in assessing).
Taking action against flood can lead to disruption. After all, there always is the chance that predictions are wrong and the flood may not occur. By truly understanding the potential flood event, as well as the nature of the warning and timing, you will be able to determine a “point of no return,” after which your plan will not have time to work. This may be the most critical part of the plan, so it’s essential that your entire team is aware of the implications, supports the plan and agrees to who has the authority to put the plan into place—regardless of the immediate business implications.
Hot Hacks That Leave You Cold
Thousands of dollars lost in the blink of an eye, and systems shut down for weeks. It might sound like something out of a movie, but it’s becoming more and more of a reality thanks to modern hackers. As technology evolves and becomes more sophisticated, so does the occurrence of cyber breaches.
“The more we rely on technology, the more everything becomes interconnected,” said Jackie Lee, associate vice president, Cyber Liability at Nationwide. “We are in an age where our car is a giant computer, and we can turn on our air conditioners with our phones. Everyone holds data. It’s everywhere.”
Phishing Out Fraud
According to Lee, phishing is on the rise as one of the most common forms of cyber attacks. What used to be easy to identify as fraudulent has become harder to distinguish. Gone are the days of the emails from the Nigerian prince, which have been replaced with much more sophisticated—and tricky—techniques that could extort millions.
“A typical phishing email is much more legitimate and plausible,” Lee said. “It could be an email appearing to be from human resources at annual benefits enrollment or it could be a seemingly authentic message from the CFO asking to release an invoice.”
According to Lee, the root of phishing is behavior and analytics. “Hackers can pick out so much from a person’s behavior, whether it’s a key word in an engagement survey or certain times when they are logging onto VPN.”
On the flip side, behavior also helps determine the best course of action to prevent phishing.
“When we send an exercise email to test how associates respond to phishing, we monitor who has clicked the first round, then a second round,” she said. “We look at repeat offenders and also determine if there is one exercise that is more susceptible. Once we understand that, we can take the right steps to make sure employees are trained to be more aware and recognize a potentially fraudulent email.”
Lee stressed that phishing can affect employees at all levels.
“When the exercise is sent out, we find that 20 percent of the opens are from employees at the executive level,” she said. “It’s just as important they are taking the right steps to ensure they are practicing what they are preaching.”
Locking Down Ransomware
Another hot hacking ploy is ransomware, a type of property-related cyber attack that prevents or limits users from accessing their system unless a ransom is paid. The average ransom request for a business is around $10,000. According to the FBI, there were 2,400 ransomware complaints in 2015, resulting in total estimated losses of more than $24 million. These threats are expected to increase by 300% this year alone.
“These events are happening, and businesses aren’t reporting them,” Lee said.
In the last five years, government entities saw the largest amount of ransomware attacks. Lee added that another popular target is hospitals.
After a recent cyber attack, a hospital in Los Angeles was without its crucial computer programs until it paid the hackers $17,000 to restore its systems.
Lee said there is beginning to be more industry-wide awareness around ransomware, and many healthcare organizations are starting to buy cyber insurance and are taking steps to safeguard their electronic files.
“A hospital holds an enormous amount of data, but there is so much more at stake than just the computer systems,” Lee said. “All their medical systems are technology-based. To lose those would be catastrophic.”
And though not all situations are life-or-death, Lee does emphasize that any kind of property loss could be crippling. “On a granular scale, you look at everything from your car to your security system. All data storage points could be controlled and compromised at some point.”
The Future of Cyber Liability
According to Lee, the Cyber product, which is still in its infancy, is poised to affect every line of business. She foresees underwriting offering more expertise in crime and becoming more segmented into areas of engineering, property, and automotive to address ongoing growing concerns.
“Cyber coverage will become more than a one-dimensional product,” she said. “I see a large gap in coverage. Consistency is evolving, and as technology evolves, we are beginning to touch other lines. It’s no longer about if a breach will happen. It’s when.”
About Nationwide’s Cyber Solutions
Nationwide’s cyber liability coverage includes a service-based solution that helps mitigate losses. Whether it’s loss prevention resources, breach response and remediation expertise, or an experienced claim team, Nationwide’s comprehensive package of services will complement and enhance an organization’s cyber risk profile.
Nationwide currently offers up to $15 million in limits for Network Security, Data Privacy, Technology E&O, and First Party Business Interruption.
Products underwritten by Nationwide Mutual Insurance Company and Affiliated Companies. Not all Nationwide affiliated companies are mutual companies, and not all Nationwide members are insured by a mutual company. Subject to underwriting guidelines, review, and approval. Products and discounts not available to all persons in all states. Home Office: One Nationwide Plaza, Columbus, OH. Nationwide, the Nationwide N and Eagle, and other marks displayed on this page are service marks of Nationwide Mutual Insurance Company, unless otherwise disclosed. © 2016 Nationwide Mutual Insurance Company.
This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Nationwide. The editorial staff of Risk & Insurance had no role in its preparation.