Protecting His Company
Few, if any, risk managers actually want to simulate a distributed denial of service or persistent attack on their computer systems, but Thomas Dunbar at XL Group plc in Stamford, Conn., wanted to see how his internal staff and outside vendors would react.
After all, the cyber risk insurer has to set an example of online security best practices.
Dunbar, XL’s chief information risk officer, contracted with Secure Network Technologies in Syracuse, N.Y., to conduct a DDoS attack against the firm’s externally facing websites, unbeknownst to XL’s internal security team and service provider.
Dunbar also had Secure simulate an advanced persistent attack, in which it entered and quietly remained within XL’s systems to conduct a “reconnaissance” on any vulnerabilities that could be exploited to gain access to customer information or proprietary data.
“It’s good to run these tests for a longer period of time, because infrastructure might change when we deploy a new business application or launch a new line of business,” Dunbar said. “We can see how our network and colleagues react to the changes and determine the prolonged strength of the program.”
Secure’s Chief Executive Officer Steve Stasiukonis said that Dunbar doesn’t just want to protect the company, he also wants to understand “the enemy to the Nth degree.”
“In all of the years that I’ve worked with companies, nobody ever really wants to simulate a DDoS attack to understand their weaknesses, but him,” Stasiukonis said. “Tom is a pioneer — he wants to see how his people will really react.”
Dunbar leads a six-person cyber risk team that works with XL’s business units and information technology department to identify and remediate cyber risks.
To combat identified threats and vulnerabilities, they have built a strong technological structure that monitors, prevents, detects and responds to security events.
They have deployed an advanced data loss protection infrastructure to ensure that XL’s data — particularly confidential customer information — are contained within the XL network.
Overall, Dunbar has taken “a very holistic approach” toward minimizing cyber attacks, said Jacob D. Rosengarten, XL’s executive vice president and chief enterprise risk officer.
For example, Dunbar and his team have taken a leadership role in educating XL’s employees about cyber security “by harnessing innovative and creative communications media that capture the imagination” — whether through posters in lunchrooms, short webinars or contests that test password security, Rosengarten said.
“These tools have really resonated with our colleagues and have clearly raised the level of XL’s cyber security awareness and preparedness,” he said.
Dunbar said his team focuses on education to drive behavioral change, as employees are often “the weakest link.”
“We encourage people to use the ‘see something, say something’ philosophy,” Dunbar said. “We want them to speak up if they see something strange in their email inbox, or if they see something unusual going on in the system, and to also give feedback to make security stronger.”
“We want to make our colleagues one of the strongest links,” Dunbar said.
Risk All Stars stand out from their peers by overcoming challenges through exceptional problem solving, creativity, perseverance and/or passion.
Banks Face New Threat
Banks have been caught off guard by what experts say is the first major mobile banking security threat to hit the United States.
It is a modification of the mobile Trojan called Svpeng, which has been used to steal money from Russian mobile bank accounts, said Dmitry Bestuzhev, head of the global research and analysis team, Latin America, at Kaspersky Lab, the Woburn, Mass.-based antivirus software company that discovered the malware.
The malware, which emanates from Russia, has been termed “ransomware,” because the hackers demand payment in exchange for not destroying the victim’s reputation, claiming there is child pornography and other prohibited content on the cell phone.
“It takes a picture of the victim and then says it will send it with the child pornography findings to all of the victim’s contacts,” Bestuzhev said.
“Nobody wants to be a victim of such reputation damage.”
This new malware is deeply integrated and is almost impossible to remove from an infected device, he added.
Better software is needed to protect against malware, said Chris Keegan, a managing director at Beecher Carlson in New York.
For now, banks rely on warning their customers against social engineering attempts by fraudsters, and usually that means, “Don’t press the button or answer the email.” Banks must warn their customers not to download any applications not found on verified websites, he said.
Banks Ran Out of Time
Avivah Litan, a Gartner Inc. vice president and analyst in Potomac, Md., said the malware should serve as a wake-up call for many banks, as a fair number of them have not developed security measures for mobile banking that are as robust as those used in online banking.
Ensuring that customers use secured browsers doesn’t apply when they use mobile apps.
Giants like Chase Bank, U.S. Bank and others are developing tougher measures specific to mobile, but the industry as a whole needs to step it up, Litan said.
“They’ve just been slow to put measures in place specific to mobile because there hasn’t been any mobile malware,” she said. “Everybody knew it was coming, but they thought they had more time.”
Matt Krogstad, head of mobile banking at Bank of the West in San Francisco, said the bank’s fraud prevention department works with his department to combat mobile malware and other types of mobile banking fraud.
“It’s an ongoing process since the mobile security space is constantly evolving,” Krogstad said.
Bank of the West diligently educates customers about the latest threats, Krogstad said. In cases like Heartbleed, communications to customers aimed to reassure them that the bank had done its due diligence to ensure that their accounts were safe.
“With other malware like this ransomware, it’s more about reinforcing certain behaviors, such as not downloading apps from unofficial app stores or not clicking on links from people you don’t know,” he said. “Don’t jailbreak your phone or put your banking passwords in your contacts.”
Keeping up with all types of cyber crime continues to challenge the industry. Indeed, computer crime and malicious codes rank as No. 5 as a top risk for banks, according to Aon’s “2014 U.S. Industry Report: Financial Institutions.”
However, there is a disconnect at most banks that hampers risk mitigation, said Michael O’Connell, managing director, financial institutions practice at Aon Risk Solutions.
The disconnect occurs because one group traditionally is responsible for purchasing insurance, while another group is responsible for assessing exposures, including technology that may pose an operational enterprise risk, said O’Connell.
“We strongly recommend linking the two groups together, to assess ‘what-if’ scenarios and develop mitigation strategies that include insurance,” he said.
Kevin Kalinich, Aon’s global practice leader for cyber/network risk, said that recent court decisions have ruled that if fraudsters are able to steal customer identities or money, it is the bank’s obligation to help their customers, even if the fraud is out of the bank’s control.
“So if a customer gets fooled on their mobile devices, then the bank has the responsibility to monitor usage of their bank accounts,” Kalinich said.
A Dreaming Team
Chris Thorn is known as one of the most creative risk managers in the business. After all, his risk management program hit the cover of Risk & Insurance® in March 2012.
Now the senior manager, payments and risk, for Southwest Airlines is working with Riskonnect, a technology partner that he thinks can take his program to new heights.
“For us, it’s a platform that gives you so many different tools that if you can dream it, you can build it,” said Thorn.
Thorn ditched his legacy risk management information system in 2012 and started working with Riskonnect, initially using the platform solely for liability claims management.
But the system’s “do-it-yourself” accessibility almost immediately caught the eye of Thorn’s colleagues managing safety risk and workers’ compensation.
“They were seeking a software solution at the time and said, ‘Hey, we want to join the party,’” Thorn recalls of his friends in safety and workers’ compensation.
What was making Thorn’s colleagues so jealous was the system’s “smart question” process, which allows any supervisor in the company to enter a claim while freeing those supervisors from having to act as claims adjusters.
The Riskonnect platform asks questions that direct the claim to the appropriate category without the supervisor having to take on the burden of performing that triage.
“They love it because all of the redundant questions are gone,” Thorn said.
The added beauty of the system, Thorn said, is that it allows carriers and TPAs to work right alongside the Southwest team in claims files while maintaining rock-solid cyber security.
“This has sped up the process,” Thorn said.
“Any time you can speed up the process, the more success you’re going to have when you make offers to settle claims,” he said.
Since that initial splash in claims management, the Riskonnect platform has gone on to become a rock star at Southwest in a number of other areas. And as Thorn suggests, the possibilities of the system are limited only by the user’s imagination.
With a little creativity and help from Riskonnect as needed, a risk manager can add on system capabilities without having to go on bended knee to his own information technology department.
In the area of insurance policy management, for example, the Riskonnect platform as built by Thorn now holds data on all property values and exposures that can in turn be downloaded for use by underwriters.
Every time Southwest buys a new airplane, the enterprise platform sends out a notice to the airline’s insurance broker, who in turn notifies the 16 or 17 carriers that are on the hull program.
Again, in that “anything’s possible” vein, the system is capable of notifying the carriers directly, a tool Thorn said he’s flirting with.
“It is capable of doing that,” he said.
“We’re testing out this functionality before we turn it loose directly to the insurance companies.”
In alignment with the platform’s muscle in documenting, storing and reporting liability and property exposures, the system monitors and reports on insurance carrier financial strength.
If a rating agency downgrades a Southwest program carrier’s financial strength, for example, the system “pings” Thorn and his colleagues.
“Not only will we know about it, but we will also know all programs, present and past, that they participated on, what the open reserves are for those policy years and policies,” Thorn said.
“That gives us even more comfort that we have good, solid financial backing of the insurance policies that are protecting us,” Thorn said.
Like many of us, Chris Thorn didn’t set out to work in risk management and insurance. Thorn is a Certified Public Accountant, and it’s that background that allows him to take creative advantage of the Riskonnect platform’s malleability in yet another way.
With the help of the Riskonnect customer service team, Thorn added a function to the platform that allows him to calculate the cost of insurance policies on a monthly basis, enter them into a general ledger and send them over to his colleagues in accounting.
“It’s very robust on handling financial information, date information, or anything with that much granularity,” Thorn said.
The sky is the limit
Thorn and Southwest are only two years into their relationship with Riskonnect and there are a number of places Thorn thinks the platform can take him that have yet to be explored, but certainly will be.
“It’s basically a repository of anything that’s risk-related, it continues to grow,” Thorn said.
Not only have Southwest’s safety and workers’ compensation managers joined Thorn in his work with Riskonnect, business continuity has come knocking as well.
Thorn met in July with members of Southwest Airlines’ business continuity team, which has a whole host of concerns, ranging from pandemics to cyber-attacks, for which it needs help documenting exposures and resiliency options.
That Enterprise Risk Management approach will in the future also involve the system’s capability to provide risk alerts, telling Thorn and his team for example, that a hurricane or fast moving wildfire is threatening one of the company’s facilities.
Supply chain resiliency and managing certificates of insurance for foreign vendors are other areas where Thorn and his team plan to put the Riskonnect platform to good use.
“That’s all stuff that’s being worked on by us,” Thorn said.
“They’ve given us the tools, but we’re trying to develop how we’re going to use it,” he said.