The New Wolves of Wall Street
Cyber security measures advanced by leaps and bounds over the past decade. Unfortunately, cyber criminals sharpened their game even more.
As it gets tougher each day to slip in through back doors, hackers have turned their talents toward carving out side windows. They adapted, developing new business models and finding smarter ways to profit off the backs of organizations.
Credit card information, personally identifiable information and protected health information are all still in demand, but they’re no longer the only treasures that cyber criminals are after.
They want your trade secrets. They want your intellectual property. They want to eavesdrop on your most sensitive financial activities so they can leverage that information on the stock market — shorting stock, investing in stock, timing stock to their advantage.
The cyber security challenge is intense, because it’s hard to get a handle on. These crimes are being perpetrated by various groups of actors with different motivations. They’re being executed using a broad array of techniques that include any combination of malware, phishing and social engineering.
They could be coming at you from anywhere in the world. And it’s not even necessarily your systems that are being attacked directly. It could be your vendors, your partners — any organization that has a connection to your confidential information.
Last August, the SEC filed charges in a fraud scheme involving two Ukrainian hackers who broke into multiple newswire services to steal unreleased corporate earnings announcements. The hackers shared the information with 30 people who traded on it, generating more than $100 million in illegal profits.
The following November, federal prosecutors disclosed the existence of a sizable worldwide hacking scheme, involving more than 100 people in a dozen countries.
Among the other offenses listed in the 68-page indictment, the crime ring orchestrated elaborate pump-and-dump stock schemes and traded on stolen corporate information, pocketing hundreds of millions along the way.
“It is no longer hacking merely for a quick payout,” U.S. Attorney Preet Bharara said in announcing the indictment.
“It is hacking as a business model.”
M&As Increase Vulnerabilities
The rise of worldwide M&A activity turned the stock market into a profitable playground for hackers — those working for either side of the transaction or outside parties looking for a way to profit illegally from the transaction.
2015 was a record-breaking year for M&As, topping $5 trillion in volume globally for the first time. Half of the targeted companies were based in the U.S.
2016 is expected to see a continued high level of activity. That leaves plenty of opportunities for illegal gains.
“You can disrupt an M&A a lot of different ways,” said Bill Sweeney, chief technology officer at BAE Systems Applied Intelligence.
“One way is you can publicize that it’s going on sooner than people would like.
“M&A is a very sensitive topic because it’s very price dependent. Companies will walk away from deals because they can’t narrow the gap between $25 and $30 dollars a share.
“If outsiders are aware of the negotiations going on, they can put upward pressure on the stock. So when somebody thought they were going to be getting a 25 percent premium [against their stock], but now because of the upward pressure, they’re only getting a 15 percent, why would they sell?”
During a “Cyber Security: The Achilles Heel of M&A Due Diligence” webinar in April, Brian Finch, a partner with Pillsbury Winthrop Shaw Pittman LLP, outlined the recent case of a company that was courted by international suitors.
The company was certain that it was healthy, but repeated audits showed it operated at a loss. An investigation revealed that the company was under attack, with hackers corrupting information to decrease the value of the company.
When the company value bottomed out, a foreign investor swooped in with a lowball offer.
Even if hackers don’t outright alter the data, they’re still finding ways to leverage it.
“We’ve seen China-based groups … compromising companies across various industries, stealing information that would give them insight into what the best price for the company might be,” said Will Glass, threat intelligence analyst at FireEye.
“We’ve seen groups that are sponsored by nation states — or that we believe are sponsored by nation states — conducting activity leading up to and even during mergers and acquisitions.”
One high-profile case traced to China was the attempted $40-billion takeover of Canada’s Potash Corp. by Australian natural resources company BHP Billiton.
While the deal fell through for apparently unrelated reasons, an investigation revealed that a Chinese effort to derail the deal involved attacks on seven law firms, as well as Canada’s Finance Ministry and the Treasury Board.
Those third-party attacks are an area of serious concern in terms of intellectual property and M&As, said Kevin Kalinich, global practice leader, cyber/network risk, Aon Risk Solutions.
“The accounting firms and financial advisers are above average in IT security and protection of confidential information,” he said.
“But law firms, surprisingly enough, are below average.”
The Human Element
What’s complicating matters from a risk management standpoint is that attacks take various forms and are typically multi-layered. Spearphishing and social engineering often play a major role because they are consistently successful, despite companies’ attempts to alert employees to the dangers.
“The way of the hacker has always been to go after the industry or the exposure where there’s the lowest hanging fruit,” said Toby Merrill, leader of Chubb’s global cyber risk practice.
And in many companies, that means employees. Even a staffer savvy enough to question a wire transfer request might still be duped by a login scheme that looks innocuous or seems relevant to his job.
“What’s happening is that hackers are spoofing emails,” said Sweeney.
“They’re spoofing CFOs and they’re spoofing other C-level executives and pretending to be either a consultant or part of the review process … trying to extract that sensitive information by [sending] an email that looks like it’s from the CEO, that says, ‘Hey what’s the latest on our deal with company X?’ And the guy [replies] but it’s not going to the CEO; it’s going to the guy who spoofed it.”
It’s not easy to spot spoofed email, he added.
“It looks like an email from your company, with your header. It looks like it’s from your domain. It’s only if you open it up and look at the source code that you can see what’s being shown is not the actual domain it’s coming from, and if you hit reply it’s going to go to somewhere else.”
It also works because it’s not random. Hackers do their homework and understand how their targets operate. They know when to send emails and who to send them to, and what internal procedures are in place so that they can get around them.
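The mismatch Sweeney describes is visible in the message headers: the displayed From address looks internal, but the Reply-To (where a reply actually goes) or the Return-Path (the envelope sender the receiving mail server recorded) points somewhere else. The following script is an added example, not code from the article or from BAE Systems; it parses raw messages and reports those inconsistencies. The sample messages and the domains example.com and example-com.net are constructed placeholders.

```python
"""Flag reply-redirecting email spoofs by comparing sender-related headers.

Added example (not from the article or any vendor it quotes). It reports
when Reply-To, Return-Path or Sender disagree with the From domain, and
when a display name claims the internal domain while the address is external.
"""
from email import message_from_string
from email.utils import parseaddr


def _addr_domain(header_value):
    """Return the lowercased domain of the first address in a header, or None."""
    if not header_value:
        return None
    _name, addr = parseaddr(header_value)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def spoof_findings(raw_message, internal_domain):
    """Return a list of findings for a raw RFC 5322 message.

    internal_domain is the organization's own domain (a placeholder here).
    An empty list means no header inconsistency was found; it is not proof
    that the message is genuine (a compromised but real account shows none).
    """
    msg = message_from_string(raw_message)
    internal_domain = internal_domain.lower()
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _addr_domain(from_addr)
    if from_domain is None:
        return ["From header missing or unparsable"]

    findings = []
    # Reply-To is the address a mail client uses when the recipient hits reply.
    reply_domain = _addr_domain(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        findings.append(
            f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    # Return-Path is the envelope sender stamped by the receiving mail server.
    return_domain = _addr_domain(msg.get("Return-Path"))
    if return_domain and return_domain != from_domain:
        findings.append(
            f"Return-Path domain {return_domain} differs from From domain {from_domain}")
    # Sender is set when a message is sent on behalf of the From address.
    sender_domain = _addr_domain(msg.get("Sender"))
    if sender_domain and sender_domain != from_domain:
        findings.append(
            f"Sender domain {sender_domain} differs from From domain {from_domain}")
    # A display name that names the company while the address is external.
    if from_domain != internal_domain and internal_domain in from_name.lower():
        findings.append(
            f"display name '{from_name}' claims {internal_domain} but address is {from_addr}")
    return findings


def is_suspicious(raw_message, internal_domain):
    """Convenience wrapper: True if any finding was produced."""
    return bool(spoof_findings(raw_message, internal_domain))


# Constructed sample messages (not real mail).
SPOOFED = (
    'From: "Jane Doe, CEO" <jane.doe@example.com>\n'
    "Reply-To: jane.doe@example-com.net\n"
    "Return-Path: <bounce@example-com.net>\n"
    "To: analyst@example.com\n"
    "Subject: latest on our deal with company X?\n"
    "\n"
    "Hey, what's the latest on our deal with company X?\n"
)

LEGITIMATE = (
    'From: "Jane Doe" <jane.doe@example.com>\n'
    "Return-Path: <jane.doe@example.com>\n"
    "To: analyst@example.com\n"
    "Subject: board deck\n"
    "\n"
    "Attached is the deck for Thursday.\n"
)

LOOKALIKE = (
    'From: "Jane Doe (example.com)" <jane.doe@mail.example-com.net>\n'
    "To: analyst@example.com\n"
    "Subject: quick question\n"
    "\n"
    "Can you send me the latest valuation model?\n"
)

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE),
                          ("lookalike", LOOKALIKE)):
        print(label, spoof_findings(sample, "example.com"))
```

Run it on a saved raw message (the “source” view in most mail clients) with your own domain in place of example.com. The check is deliberately conservative: it only compares headers the message itself carries, so it complements rather than replaces SPF, DKIM and DMARC verification done at the mail gateway.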
FIN4, a large cyber crime ring tracked extensively by FireEye, was so good at duping people that it didn’t even bother using malware.
It focused on capturing usernames and passwords to email accounts. FIN4 would craft convincing phishing lures, most often sent from other victims’ email accounts and through hijacked email threads.
According to FireEye’s Glass, the group would “send an email to someone in a target company and it would say, ‘Hey check out this financial investment forum — there’s some guy on here badmouthing the company. You might want to take a look.’ ”
Hackers set it up so that when the link was clicked, it would request their email login and password in order to view the content. The hackers could then take those login credentials and continue their campaign, both within the organization and laterally to external organizations.
It’s worth noting that risk management is directly in the crosshairs for this kind of attack.
C-suite executives, legal counsel and anyone involved in the risk, regulatory or compliance functions of a company are prime targets. If you have any connection to sensitive information, they’re looking for a way to get their hands on it.
And experts say that such attacks have successfully snared some risk managers, CTOs and CFOs.
There is plenty that still needs sorting out in terms of the coverage options available to insure against such losses. The toughest pill to swallow, said Kalinich, is that the loss of value is not covered by cyber insurance, nor is it covered by any other type of insurance.
“That’s a really important factor,” he said.
“The actual value of a trade secret, the actual value of a patent, the actual value of intellectual property, is not covered. [In the case of an M&A loss,] not even a crime policy would cover that.”
A D&O policy might be triggered if the stock dropped following a failed M&A, but a company would be challenged to relate the event to a cyber hack, or to quantify the impact of the hack on the failed transaction, experts said.
Still, said Kalinich, there are certainly losses that could be covered by cyber insurance, especially if an attack were to result in business interruption, or if it caused damage to the system that required remediation, or forensic investigation.
Culture of Awareness
At a minimum, any company engaging in mergers or acquisitions activity should separate that information from the rest of the corporate environment, said experts. M&A activity should have a segmented network and a dedicated file server, and all documents should be encrypted.
BAE’s Sweeney also recommended that related communications with people outside of the organization be restricted to a VPN for added security.
Additionally, all third-party involvement should receive a high level of scrutiny.
Said Sweeney, “You’ve got to look at everybody who’s going to have access to the information, and say, ‘When was the last time you had a cyber assessment? How can we make sure that you’re not going to be the conduit through which people find out this information?’
“That’s where people are getting hacked,” he said. “They’re not getting hacked right in the center. They’re getting hacked by the people on the periphery who are trying to do their best.”
Internally, Glass said, it’s a good practice to follow the law of least access — give people access to the information that they need to do their jobs and nothing more. But that’s just a start.
Hackers figured out that humans are easier to crack than code, so comprehensive staff training should be the foundation of a solid cyber security strategy.
Some companies use internal phishing campaigns to help manage the human side of the risk. Employees who are duped and click on bogus links are redirected to a page revealing their mistake and letting them know they’ll be required to do mandatory extra training.
Experts universally agreed that these risks cannot be foisted onto the laps of IT or risk management alone. Boards must be educated and involved, and there must be enterprise-wide collaboration for a company to develop any level of effective defense against cyber espionage.
Make sure you’re speaking the board’s language, said Nick Rossman, senior program manager, threat intelligence with FireEye. “They don’t care about malware, they just want to know what you’re asking them to invest.
“So I think it’s easiest when you have a big scope of data and a partner who can get you a strategy forecast” to help justify decisions about investments, he said.
“In the past, [IT and data systems] were considered kind of a back-office priority, kind of like having enough printer toner or enough chairs,” said FireEye’s Glass.
“It was an enabling function of the company but not really core to the business. Now every company is an IT company whether they realize it or not.
“Maybe Coca-Cola keeps its recipe in a safe somewhere, but everybody else, for the most part, is keeping their information online or in databases or even in the cloud, because the efficiencies that can be derived from that model are so great.
“In order to make sure that those efficiencies continue, we’ve got to make sure that companies are looking at all the risks inherent with putting all of that information online.”
Cyber Vulnerabilities Threaten 2016 Election
Nearly two-thirds (64 percent) of registered voters believe the 2016 presidential campaign will be compromised by a cyber breach in some way, according to a poll conducted by data security firm PKWARE and Wakefield Research.
Their concerns are not unwarranted; at a time when breaches and data theft make headlines on a regular basis, much of the voting process remains unprotected.
“There is a lot of vulnerability in paperless voting systems, whether they are direct reporting electronic machines, or email return ballots,” said Pamela Smith, president of Verified Voting, a nonprofit organization that advocates for accuracy, transparency and verifiability of elections.
Most polling places use paper ballots that are tabulated by a scanner. Even if the scanner goes haywire, there is a paper record of voters’ intent and officials can take a manual count. In fully paperless systems, no such backup exists.
“In a situation like that, there’s no way to demonstrate that the software is working properly. If something seems amiss or there is an unexpected outcome, you really wouldn’t have a way to go back and correct it because you don’t have an independent record of voter intent,” Smith said.
Electronic systems, then, offer a prime target for hackers looking to influence elections.
A few years ago, Smith said, Washington D.C. ran a pilot program of an online voting system that would enable overseas military personnel and other expats to cast their ballots remotely. It opened up a test version of the system to the public, inviting hackers to try and breach the system.
“Within 36 hours, some white hat hackers from the University of Michigan were able to fully breach the server. They could change votes; they had access to the PIN numbers assigned to the intended users. Nobody even knew they were in there,” Smith said.
“And while they were in there, they noticed the server was being pinged by IP addresses from places as far away as Iran and China, so they set up a firewall while they were at it.”
After the hackers confirmed the ease with which they were able to hack and manipulate the system, D.C. bagged the program.
Most jurisdictions, though, don’t run such tests. Standard polling place equipment undergoes federal testing and certification before jurisdictions can buy them, but online and email systems do not have to meet any federal or state standards.
Often, the counties and townships managing the voting process in their areas do not have the resources to test or fully protect their systems.
“If organizations the size of Google and Sony can get hacked, how can small townships without even an IT staff prevent a breach?” Smith said.
In addition, more states are turning to email attachments and online portals as a way for absentee voters to return ballots.
“These methods are not secure. And it may be, overall, a very small number of ballots, but there are any number of contests in any number of states that are decided by a small proportion of the vote, and the inability to conduct a legitimate recount or audit on votes returned in this manner could become a significant issue,” Smith said.
Voter registration records are another probable target for a breach. A denial-of-service attack could crash registration sites right before deadline, blocking last-minute voters from the process. Records could also be hacked to change voter status or delete records altogether.
DoS attacks could also directly hit the online voting portals. While deadlines for registration could be extended, changing voting time frames on Election Day would likely not be possible.
“In the last 12 months, we’ve seen one of the biggest breaches of a federal government agency in the breach of the Office of Personnel Management, when millions of security clearance documents were stolen,” said Miller Newton, president and CEO of PKWARE.
“If those documents are vulnerable, then voter registration is absolutely vulnerable.”
Using Cyber for Smear Campaigns
In addition to breaches of electronic voting systems and registration records, hackers could also compromise the election by targeting candidates’ email servers or other vulnerable campaign platforms, and publicizing confidential information.
“It’s inevitable,” Newton said. “In this environment, with the mudslinging between candidates like we haven’t seen in years, it seems like the perfect recipe for disaster.
“We could see some very damaging personal or campaign-related information revealed.”
Bad press could potentially remove a candidate from the race. Newton offered the example of former Sen. Gary Hart, who was in the midst of a strong run for president in the 1988 election when proof of an affair became public, essentially removing him from the race in the face of public disdain.
“Depending on how severe the personal information is, it could definitely take down a candidate and throw off the whole campaign, which ultimately impacts the election,” Newton said.
Theft of candidates’ private information, he said, is more likely than a direct attack on voting systems.
The root of election-related cyber vulnerability lies in old, out-of-date technology.
“The government is wrought with antiquated technology,” Newton said. “Budgets are tight. The government does not spend as much on IT as the private sector does. As a result, the information in these systems is not properly protected.”
When the federal government sought their insight on the development of a cyber security framework, Pamela Smith and Verified Voting proposed including elections as a part of critical infrastructure. This way, more resources would be targeted for system updates.
Newton said the problem is solvable as long as government officials have a “paradigm shift in thinking” about cyber security. Once they accept that their systems will inevitably be breached by adversaries, they will approach the problem more rigorously.
The solution, he said, lies in the encryption of confidential data so that even if it falls into the wrong hand, it will be useless.
While debate remains active over the privacy and transparency implications of encrypting government information, it may be more secure and less expensive to “approach the problem from the information out, rather than from the network in,” Newton said.
As the presidential election draws closer, the time to make these changes is running out.
Electronic Waste Risks Piling Up
The latest electronic devices today may be obsolete by tomorrow. Outdated electronics pose a rapidly growing problem for risk managers. Telecommunications equipment, computers, printers, copiers, mobile devices and other electronics often contain toxic metals such as mercury and lead. Improper disposal of this electronic waste not only harms the environment, it can lead to heavy fines and reputation-damaging publicity.
Federal and state regulators are increasingly concerned about e-waste. Settlements in improper disposal cases have reached into the millions of dollars. Fines aren’t the only risk. Sensitive data inadvertently left on discarded equipment can lead to data breaches.
To avoid potentially serious claims and legal action, risk managers need to understand the risks of e-waste and to develop a strategy for recycling and disposal that complies with local, state and federal regulations.
The Risks Are Rising
E-waste has been piling up at a rate that’s two to three times faster than any other waste stream, according to U.S. Environmental Protection Agency estimates. Any product that contains electronic circuitry can eventually become e-waste, and the range of products with embedded electronics grows every day. Because of the toxic materials involved, special care must be taken in disposing of unwanted equipment. Broken devices can leach hazardous materials into the ground and water, creating health risks on the site and neighboring properties.
Despite the environmental dangers, much of our outdated electronics still end up in landfills. Only about 40 percent of consumer electronics were recycled in 2013, according to the EPA. Yet for every million cellphones that are recycled, the EPA estimates that about 35,000 pounds of copper, 772 pounds of silver, 75 pounds of gold and 33 pounds of palladium can be recovered.
While consumers may bring unwanted electronics to local collection sites, corporations must comply with stringent guidelines. The waste must be disposed of properly using vendors with the requisite expertise, certifications and permits. The risk doesn’t end when e-waste is turned over to a disposal vendor. Liabilities for contamination can extend back from the disposal site to the company that discarded the equipment.
Reuse and Recycle
To cut down on e-waste, more companies are seeking to adapt older equipment for reuse. New products feature designs that make it easier to recycle materials and to remove heavy metals for reuse. These strategies conserve valuable resources, reduce the amount of waste and lessen the amount of new equipment that must be purchased.
For equipment that cannot be reused, companies should work with a disposal vendor that can make sure that their data is protected and that all the applicable environmental regulations are met. Vendors should present evidence of the required permits and certifications. Companies seeking disposal vendors may want to look for two voluntary certifications: the Responsible Recycling (R2) Standard, and the e-Stewards certification.
The U.S. EPA also provides guidance and technical support for firms seeking to implement best practices for e-waste. Under EPA rules for the disposal of items such as batteries, mercury-containing equipment and lamps, e-waste typically falls under the category of “universal waste.”
About half the states have enacted their own e-waste laws, and companies that do business in multiple states may have to comply with varying regulations that cover a wider list of materials. Some materials may require handling as hazardous waste according to federal, state and local requirements. U.S. businesses may also be subject to international treaties.
Developing E-Waste Strategies
Companies of all sizes and in all industries should implement e-waste strategies. Effective risk management should focus on minimizing waste, reusing and recycling electronics, managing disposal and complying with regulations at all levels. That’s a complex task that requires understanding which laws and treaties apply to a particular type of waste, keeping proper records and meeting permitting requirements. As part of their insurance program, companies may want to work with an insurer that offers auditing, training and other risk management services tailored for e-waste.
Insurance is an essential part of e-waste risk management. Premises pollution liability policies can provide coverage for environmental risks on a particular site, including remediation when necessary, as well as for exposures arising from transportation of e-waste and disposal at third-party sites. Companies may want to consider policies that provide coverage for their entire business operations, whether on their own premises or at third-party locations. Firms involved in e-waste management may want to consider contractor’s pollution liability coverage for environmental risks at project sites owned by other entities.
The growing challenges of managing e-waste are not only financial but also reputational. Companies that operate in a sustainable manner lower the risks of pollution and associated liabilities, avoid negative publicity stemming from missteps, while building reputations as responsible environmental stewards. Effective electronic waste management strategies help to protect the environment and the company.
This article is an annotated version of the new Chubb advisory, “Electronic Waste: Managing the Environmental and Regulatory Challenges.” To learn more about how to manage and prioritize e-waste risks, download the full advisory on the Chubb website.
This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Chubb. The editorial staff of Risk & Insurance had no role in its preparation.