Breaching the Electronic Levees
October 21, 2016.
In what was described as a stunning breach of global Internet stability, a coordinated cyberattack struck online social networking and other systems including Twitter and PayPal.
In a distributed denial-of-service attack, hackers flooded servers, causing them to collapse under the overload.
Such attacks are common and we are getting used to them. This is not good.
Mounting evidence shows hackers are becoming more powerful, more sophisticated, and increasingly interested in targeting core infrastructure providers.
Yesterday Twitter, tomorrow the electricity grid and nuclear power plants.
We have been there before. The year was 2005. The event was Hurricane Katrina.
Here’s what we knew. Major portions of New Orleans flooded on average every three years for the prior 200 years before Katrina struck in 2005. Even heavy rain exceeded the capabilities of pumps trying to get rid of the water.
Since the early 1800s, the city enforced a code of burial in tombs above ground. Nobody wants flooding to uproot caskets and have them floating in the streets.
The cemeteries, called “cities of the dead,” were a major attraction. Even today you can pay $25 a person and take the whole family on a “2-Hour Cemetery & Voodoo Walking Tour” in New Orleans.
So planners in that city rationally had their eyes on tourism dollars. But what about risk management?
Rain is one thing. Levee breaches are another.
The entire city was protected either by high ground or levees built to withstand a Category 3 storm. Atlantic hurricanes had been growing in intensity.
Katrina was a Category 5 upon arrival in Louisiana. The levees failed.
Katrina should have been seen in advance. Not the exact date. Not the horror. Just the madness of how we often fail to fix the obvious until it’s too late.
Today’s “Katrina” is not a natural disaster. Neither is it limited to the U.S. Gulf Coast. It’s a national or global cyber attack.
The recent attack on Twitter and others did more than disturb our instant messaging. It gave us a glimpse of an impending electronic catastrophe.
We recall automobiles with faulty ignition switches that can kill or injure us. We replace defective smart phones that catch fire or explode, with the potential to take down commercial airliners.
Why do we ignore the fact that we are connecting our entire daily life — emails, phones, cars, appliances, hospitals, electrical networks, and pacemakers — to a single vulnerable system? We need more than electronic “levees” built to withstand a rainfall when we are facing a cyber tropical cyclone.
Does this risk management failure stem from being penny-wise and pound-foolish?
The annual U.S. spending on national defense is $600 billion. The government budget deficit is also $600 billion. Annual social security and disability benefits amount to $930 billion.
How much is too much to reasonably spend to protect us as we stand here, watching these approaching electronic storm clouds?
Spending for personal virus protection? $30 annually per computer.
Spending for business systems? Thousands to millions of dollars.
Spending to stabilize a global communication network that could allow really bad people to cause devastation and calamity? Priceless.
FEMA’s Revisions May Result in Less Flood Protection
No one is more impressed than Susan Williams by the shoring up of 50 levees and rehabilitation of flood walls and pumping stations overwhelmed when Katrina struck New Orleans in 2005.
Nor is CoreLogic’s content strategist surprised by the result: FEMA map revisions that removed nearly 60,000 homes from the Special Flood Hazard Areas (SFHA) on Sept. 30, exempting their owners from mandatory compliance with NFIP flood insurance requirements.
But Williams’s buoyant mood comes with a caveat.
“If the lender only follows the government guidelines, homeowners would not be required to obtain flood insurance. But just because they’re not in that flood hazard area anymore because of the new mapping doesn’t mean the flood risk has gone away.”
John Elbl, vice president at AIR Worldwide, agreed with that assessment, fearing individuals still at great risk may elect to drop flood coverage from their policies to save money in the short term.
“We’re hopeful private insurers will step in to help fill this protection gap by charging actuarially sound rates and providing policyholders with more comprehensive coverage options.”
The problem may not be private insurers, however, but the banks. A year ago, Elbl noted the opportunities for the insurance industry to provide alternative coverage to the NFIP ran into complications, not the least of which was reluctance on the part of banks to accept policy wording that wasn’t identical to the NFIP’s.
That uncertainty, he said at the time, “restricts the ability of the customer to choose private coverage.”
Today, Elbl said insurers considering entering the market to compete with the NFIP are pinning their hopes on expected NFIP rate increases driven by the program’s $24 billion deficit and its inability to offer more than limited coverage for policy holders.
“NFIP policies do not cover basements, do not include payouts based on loss of use of a property, and only pay actual cash value, less depreciation, as opposed to standard HO3 policies which pay out full replacement costs.”
Another bright sign, added Williams, is for owners of properties in areas of greatest risk, who pay the highest rates.
“The cost of flood insurance should go down and hopefully that will in turn make people more interested in getting coverage. That in turn adds to the resilience of the area.”
Overly Optimistic Message
Dean Basse couldn’t disagree more. The general manager at Dan Burghardt Insurance in New Orleans said an overly optimistic message to cash-starved homeowners about the city’s improved levee system will disincentivize them from obtaining flood insurance when they’re no longer required by federal law to do so.
“We can’t give away a policy unless they’re forced to buy it,” says Basse. “They won’t buy flood insurance voluntarily even at the PRP rate.”
Moreover, the infrastructure rehab along Louisiana’s 300-mile coastline, said Basse, may not be the final answer in flood protection.
“They spent a billion dollars to build this giant rock wall and someone forgot that it’s still built on mud. Our mud is not known for being the most solid thing in the world. And it’s sinking.”
It gets worse, Basse added, the next time a major catastrophe like Katrina, Betsy in 1965 or the “thousand-year rain” that dropped onto Louisiana this year hits New Orleans.
Jackie Noto’s concerns are more for the NFIP itself, which was intended, the model product manager at Risk Management Solutions said, to support the original charter and objectives of the Flood Protection Act.
Unfortunately, said Noto, “the NFIP is 50 years old and its methodologies and approach haven’t aged gracefully.”
What the NFIP must do, she said, is “move away from this ‘in or out’ mentality. What matters is the depth, severity and frequency of flood risk for our entire area.”
“That’s also been proven in the recent Louisiana flooding as well where buildings that were damaged weren’t considered on plain and still aren’t as recently as FEMA’s map updates. That’s definitely not an adequate approach.”
To those insurers who believe there is no such thing as a bad risk, only a bad price, Noto said their business actually improves the more they are able to differentiate risk.
“When they have information on the level of protection and probability of flood defense failure, that allows them to price risk to reflect the appropriate risk itself.”
Unfortunately, Noto added, “that’s not something the insurance industry is used to.”
Hot Hacks That Leave You Cold
Thousands of dollars lost in the blink of an eye, and systems shut down for weeks. It might sound like something out of a movie, but it’s becoming more and more of a reality thanks to modern hackers. As technology evolves and becomes more sophisticated, so does the occurrence of cyber breaches.
“The more we rely on technology, the more everything becomes interconnected,” said Jackie Lee, associate vice president, Cyber Liability at Nationwide. “We are in an age where our car is a giant computer, and we can turn on our air conditioners with our phones. Everyone holds data. It’s everywhere.”
Phishing Out Fraud
According to Lee, phishing is on the rise as one of the most common forms of cyber attacks. What used to be easy to identify as fraudulent has become harder to distinguish. Gone are the days of the emails from the Nigerian prince, which have been replaced with much more sophisticated—and tricky—techniques that could extort millions.
“A typical phishing email is much more legitimate and plausible,” Lee said. “It could be an email appearing to be from human resources at annual benefits enrollment or it could be a seemingly authentic message from the CFO asking to release an invoice.”
According to Lee, the root of phishing is behavior and analytics. “Hackers can pick out so much from a person’s behavior, whether it’s a key word in an engagement survey or certain times when they are logging onto VPN.”
On the flip side, behavior also helps determine the best course of action to prevent phishing.
“When we send an exercise email to test how associates respond to phishing, we monitor who has clicked the first round, then a second round,” she said. “We look at repeat offenders and also determine if there is one exercise that is more susceptible. Once we understand that, we can take the right steps to make sure employees are trained to be more aware and recognize a potentially fraudulent email.”
Lee stressed that phishing can affect employees at all levels.
“When the exercise is sent out, we find that 20 percent of the opens are from employees at the executive level,” she said. “It’s just as important they are taking the right steps to ensure they are practicing what they are preaching.”
Locking Down Ransomware
Another hot hacking ploy is ransomware, a type of property-related cyber attack that prevents or limits users from accessing their system unless a ransom is paid. The average ransom request for a business is around $10,000. According to the FBI, there were 2,400 ransomware complaints in 2015, resulting in total estimated losses of more than $24 million. These threats are expected to increase by 300% this year alone.
“These events are happening, and businesses aren’t reporting them,” Lee said.
In the last five years, government entities saw the largest number of ransomware attacks. Lee added that another popular target is hospitals.
After a recent cyber attack, a hospital in Los Angeles was without its crucial computer programs until it paid the hackers $17,000 to restore its systems.
Lee said there is beginning to be more industry-wide awareness around ransomware, and many healthcare organizations are starting to buy cyber insurance and are taking steps to safeguard their electronic files.
“A hospital holds an enormous amount of data, but there is so much more at stake than just the computer systems,” Lee said. “All their medical systems are technology-based. To lose those would be catastrophic.”
And though not all situations are life-or-death, Lee does emphasize that any kind of property loss could be crippling. “On a granular scale, you look at everything from your car to your security system. All data storage points could be controlled and compromised at some point.”
The Future of Cyber Liability
According to Lee, the Cyber product, which is still in its infancy, is poised to affect every line of business. She foresees underwriting offering more expertise in crime and becoming more segmented into areas of engineering, property, and automotive to address growing concerns.
“Cyber coverage will become more than a one-dimensional product,” she said. “I see a large gap in coverage. Consistency is evolving, and as technology evolves, we are beginning to touch other lines. It’s no longer about if a breach will happen. It’s when.”
About Nationwide’s Cyber Solutions
Nationwide’s cyber liability coverage includes a service-based solution that helps mitigate losses. Whether it’s loss prevention resources, breach response and remediation expertise, or an experienced claim team, Nationwide’s comprehensive package of services will complement and enhance an organization’s cyber risk profile.
Nationwide currently offers up to $15 million in limits for Network Security, Data Privacy, Technology E&O, and First Party Business Interruption.
Products underwritten by Nationwide Mutual Insurance Company and Affiliated Companies. Not all Nationwide affiliated companies are mutual companies, and not all Nationwide members are insured by a mutual company. Subject to underwriting guidelines, review, and approval. Products and discounts not available to all persons in all states. Home Office: One Nationwide Plaza, Columbus, OH. Nationwide, the Nationwide N and Eagle, and other marks displayed on this page are service marks of Nationwide Mutual Insurance Company, unless otherwise disclosed. © 2016 Nationwide Mutual Insurance Company.
This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Nationwide. The editorial staff of Risk & Insurance had no role in its preparation.