The New Wolves of Wall Street
Cyber security measures advanced by leaps and bounds over the past decade. Unfortunately, cyber criminals sharpened their game even more.
As it gets tougher each day to slip in through back doors, hackers turned their talents toward carving out side windows. They adapted, developing new business models and finding smarter ways to profit off of the backs of organizations.
Credit card information, personally identifiable information and protected health information are all still in demand, but they’re no longer the only treasures that cyber criminals are after.
They want your trade secrets. They want your intellectual property. They want to eavesdrop on your most sensitive financial activities so they can leverage that information on the stock market — shorting stock, investing in stock, timing stock to their advantage.
The cyber security challenge is intense, because it’s hard to get a handle on. These crimes are being perpetrated by various groups of actors with different motivations. They’re being executed using a broad array of techniques that include any combination of malware, phishing and social engineering.
They could be coming at you from anywhere in the world. And it’s not even necessarily your systems that are being attacked directly. It could be your vendors, your partners — any organization that has a connection to your confidential information.
Last August, the SEC filed charges in a fraud scheme involving two Ukrainian hackers who broke into multiple newswire services to steal unreleased corporate earnings announcements. The hackers shared the information with 30 people who traded on it, generating more than $100 million in illegal profits.
The following November, federal prosecutors disclosed the existence of a sizable worldwide hacking scheme, involving more than 100 people in a dozen countries.
Among the other offenses listed in the 68-page indictment, the crime ring orchestrated elaborate pump-and-dump stock schemes and traded on stolen corporate information, pocketing hundreds of millions along the way.
“It is no longer hacking merely for a quick payout,” U.S. Attorney Preet Bharara said in announcing the indictment.
“It is hacking as a business model.”
M&As Increase Vulnerabilities
The rise of worldwide M&A activity turned the stock market into a profitable playground for hackers — those working for either side of the transaction or outside parties looking for a way to profit illegally from the transaction.
2015 was a record-breaking year for M&As, topping $5 trillion in volume globally for the first time. Half of the targeted companies were based in the U.S.
2016 is expected to see a continued high level of activity. That leaves plenty of opportunities for illegal gains.
“You can disrupt an M&A a lot of different ways,” said Bill Sweeney, chief technology officer at BAE Systems Applied Intelligence.
“One way is you can publicize that it’s going on sooner than people would like.
“M&A is a very sensitive topic because it’s very price dependent. Companies will walk away from deals because they can’t narrow the gap between $25 and $30 dollars a share.
“If outsiders are aware of the negotiations going on, they can put upward pressure on the stock. So when somebody thought they were going to be getting a 25 percent premium [against their stock], but now because of the upward pressure, they’re only getting a 15 percent, why would they sell?”
During a “Cyber Security: The Achilles Heel of M&A Due Diligence” webinar in April, Brian Finch, a partner with Pillsbury Winthrop Shaw Pittman LLP, outlined the recent case of a company that was courted by international suitors.
The company was certain that it was healthy, but repeated audits showed it operated at a loss. An investigation revealed that the company was under attack, with hackers corrupting information to decrease the value of the company.
When the company value bottomed out, a foreign investor swooped in with a lowball offer.
Even if hackers don’t outright alter the data, they’re still finding ways to leverage it.
“We’ve seen China-based groups … compromising companies across various industries, stealing information that would give them insight into what the best price for the company might be,” said Will Glass, threat intelligence analyst at FireEye.
“We’ve seen groups that are sponsored by nation states — or that we believe are sponsored by nation states — conducting activity leading up to and even during mergers and acquisitions.”
One high-profile case traced to China was the attempted $40-billion takeover of Canada’s Potash Corp. by Australian natural resources company BHP Billiton.
While the deal fell through for apparently unrelated reasons, an investigation revealed that a Chinese effort to derail the deal involved attacks on seven law firms, as well as Canada’s Finance Ministry and the Treasury Board.
Those third-party attacks are an area of serious concern in terms of intellectual property and M&As, said Kevin Kalinich, global practice leader, cyber/network risk, Aon Risk Solutions.
“The accounting firms and financial advisers are above average in IT security and protection of confidential information,” he said.
“But law firms, surprisingly enough, are below average.”
The Human Element
What’s complicating matters from a risk management standpoint is that attacks take various forms and are typically multi-layered. Spearphishing and social engineering often play a major role because they are consistently successful, despite companies’ attempts to alert employees to the dangers.
“The way of the hacker has always been to go after the industry or the exposure where there’s the lowest hanging fruit,” said Toby Merrill, leader of Chubb’s global cyber risk practice.
And in many companies, that means employees. Even a staffer savvy enough to question a wire transfer request might still be duped by a login scheme that looks innocuous or seems relevant to his job.
“What’s happening is that hackers are spoofing emails,” said Sweeney.
“They’re spoofing CFOs and they’re spoofing other C-level executives and pretending to be either a consultant or part of the review process … trying to extract that sensitive information by [sending] an email that looks like it’s from the CEO, that says, ‘Hey what’s the latest on our deal with company X?’ And the guy [replies] but it’s not going to the CEO; it’s going to the guy who spoofed it.”
It’s not easy to spot spoofed email, he added.
“It looks like an email from your company, with your header. It looks like it’s from your domain. It’s only if you open it up and look at the source code that you can see what’s being shown is not the actual domain it’s coming from and if you hit reply it’s going to go to somewhere else.”
It also works because it’s not random. Hackers do their homework and understand how their targets operate. They know when to send emails and who to send them to, and what internal procedures are in place so that they can get around them.
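The header mismatches Sweeney describes can be checked mechanically at the mail gateway or during triage. The sketch below is an added example, not code from the article or from anyone quoted in it; the internal domain `example.com`, the finding labels, and the three sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the organization's own mail domain (placeholder value).
INTERNAL_DOMAINS = {"example.com"}
# Finds an e-mail-like token inside a display name and captures its domain.
ADDR_IN_TEXT = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def domain_of(address):
    """Return the lower-cased domain part of an address, or '' if none."""
    return address.rpartition("@")[2].lower() if "@" in address else ""


def spoof_indicators(raw_message, internal_domains=INTERNAL_DOMAINS):
    """Return a list of header inconsistencies typical of spoofed mail."""
    msg = message_from_string(raw_message)
    display, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    findings = []

    # 1. The name shown to the reader contains an address whose domain
    #    is not the domain the message actually claims to come from.
    shown = ADDR_IN_TEXT.search(display)
    if shown and shown.group(1).lower() != from_domain:
        findings.append("display-name-domain-mismatch")

    # 2. Hitting "reply" would send the answer to a different domain.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = domain_of(reply_addr)
    if reply_domain and reply_domain != from_domain:
        findings.append("reply-to-domain-mismatch")

    # 3. From claims an internal sender, but the envelope sender
    #    recorded in Return-Path is outside the organization.
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    rp_domain = domain_of(return_path)
    if (from_domain in internal_domains and rp_domain
            and rp_domain not in internal_domains):
        findings.append("internal-from-external-envelope")
    return findings


# Constructed sample messages (not real traffic).
REPLY_REDIRECT = """\
Return-Path: <bounce@mailer.test>
From: Pat Example <pat.example@example.com>
Reply-To: Pat Example <pat.example@examp1e-corp.test>
To: finance@example.com
Subject: Latest on the deal?

What's the latest on our deal with company X?
"""

DISPLAY_NAME_TRICK = """\
From: "pat.example@example.com" <pat@mail-relay.test>
To: finance@example.com
Subject: Quick question

Can you send me the current numbers?
"""

LEGITIMATE = """\
Return-Path: <pat.example@example.com>
From: Pat Example <pat.example@example.com>
To: finance@example.com
Subject: Board deck

Attached.
"""

if __name__ == "__main__":
    for name in ("REPLY_REDIRECT", "DISPLAY_NAME_TRICK", "LEGITIMATE"):
        print(name, spoof_indicators(globals()[name]))
```

These checks only compare headers against each other; they complement, rather than replace, SPF, DKIM and DMARC evaluation at the receiving server.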
FIN4, a large cyber crime ring tracked extensively by FireEye, was so good at duping people that it didn’t even bother using malware.
It focused on capturing usernames and passwords to email accounts. FIN4 would craft convincing phishing lures, most often sent from other victims’ email accounts and through hijacked email threads.
According to FireEye’s Glass, the group would “send an email to someone in a target company and it would say, ‘Hey check out this financial investment forum — there’s some guy on here badmouthing the company. You might want to take a look.’ ”
Hackers set it up so that when the link was clicked, it would request their email login and password in order to view the content. The hackers could then take those login credentials and continue their campaign, both within the organization and laterally to external organizations.
It’s worth noting that risk management is directly in the crosshairs for this kind of attack.
C-suite executives, legal counsel and anyone involved in the risk, regulatory or compliance functions of a company are prime targets. If you have any connection to sensitive information, they’re looking for a way to get their hands on it.
And experts say that such attacks have successfully snared some risk managers, CTOs and CFOs.
There is plenty that still needs sorting out in terms of the coverage options available to insure against such losses. The toughest pill to swallow, said Kalinich, is that the loss of value is not covered by cyber insurance, nor is it covered by any other type of insurance.
“That’s a really important factor,” he said.
“The actual value of a trade secret, the actual value of a patent, the actual value of intellectual property, is not covered. [In the case of an M&A loss,] not even a crime policy would cover that.”
A D&O policy might be triggered if the stock dropped following a failed M&A, but a company would be challenged to relate the event to a cyber hack, or to quantify the impact of the hack on the failed transaction, experts said.
Still, said Kalinich, there are certainly losses that could be covered by cyber insurance, especially if an attack were to result in business interruption, or if it caused damage to the system that required remediation, or forensic investigation.
Culture of Awareness
At a minimum, any company engaging in mergers or acquisitions activity should separate that information from the rest of the corporate environment, said experts. M&A activity should have a segmented network and a dedicated file server, and all documents should be encrypted.
BAE’s Sweeney also recommended that related communications with people outside of the organization be restricted to a VPN for added security.
Additionally, all third-party involvement should receive a high level of scrutiny.
Said Sweeney, “You’ve got to look at everybody who’s going to have access to the information, and say, ‘When was the last time you had a cyber assessment? How can we make sure that you’re not going to be the conduit through which people find out this information?’
“That’s where people are getting hacked,” he said. “They’re not getting hacked right in the center. They’re getting hacked by the people on the periphery who are trying to do their best.”
Internally, Glass said, it’s a good practice to follow the law of least access — give people access to the information that they need to do their jobs and nothing more. But that’s just a start.
Hackers figured out that humans are easier to crack than code, so comprehensive staff training should be the foundation of a solid cyber security strategy.
Some companies use internal phishing campaigns to help manage the human side of the risk. Employees who are duped and click on bogus links are redirected to a page revealing their mistake and letting them know they’ll be required to do mandatory extra training.
Experts universally agreed that these risks cannot be foisted onto the laps of IT or risk management alone. Boards must be educated and involved, and there must be enterprise-wide collaboration for a company to develop any level of effective defense against cyber espionage.
Make sure you’re speaking the board’s language, said Nick Rossman, senior program manager, threat intelligence with FireEye. “They don’t care about malware, they just want to know what you’re asking them to invest.
“So I think it’s easiest when you have a big scope of data and a partner who can get you a strategy forecast” to help justify decisions about investments, he said.
“In the past, [IT and data systems] were considered kind of a back-office priority, kind of like having enough printer toner or enough chairs,” said FireEye’s Glass.
“It was an enabling function of the company but not really core to the business. Now every company is an IT company whether they realize it or not.
“Maybe Coca-Cola keeps its recipe in a safe somewhere, but everybody else, for the most part, is keeping their information online or in databases or even in the cloud, because the efficiencies that can be derived from that model are so great.
“In order to make sure that those efficiencies continue, we’ve got to make sure that companies are looking at all the risks inherent with putting all of that information online.”
Fraud as a Ticket Out
News stories and press releases from insurance departments nationwide regularly disclose the prosecution of prison guards for workers’ compensation fraud.
I often wondered why guards, obviously familiar with prison horrors, would risk incarceration.
The answer recently came during a conversation with a prosecutor regarding the conviction of Mark Navarrete, whose workers’ comp fraud case offers an extreme example of how work environments impact behavior.
Navarrete, a 12-year Santa Clara County Sheriff’s Office veteran, worked as a correctional deputy. The California county’s beleaguered jail system suffers horrendous problems.
Three of its guards, for example, currently face murder charges for beating a mentally ill inmate to death.
The day after I spoke with Santa Clara County Deputy District Attorney David Soares, video surfaced showing about 20 inmates pummeling each other inside the county’s main jail. The brawl erupted when one inmate brushed against another. The video shows what jail deputies face daily, the county sheriff said at a news conference.
Guards are responsible for policing inmates who grow increasingly volatile every day they are incarcerated. Fifty of them may share a single toilet, Soares said. It’s an awful work environment, leaving jailers desperate for an escape route and time away from the job.
Navarrete’s escape plan had several problems. A co-worker reported seeing a text with Navarrete bragging that a softball injury would become a work accident. A softball field security camera captured video of Navarrete injuring his arm while swinging for an inside pitch, and hospital documents revealed a timeline that refuted his workplace claim.
With widespread problems at the county jail, Soares dug deeper into Navarrete’s case to determine whether other deputies encouraged him in a conspiracy to defraud their employer.
“I saw this as a potentially endemic problem because of the issues within the jails and because we had recently had this homicidal death in the jail,” Soares said. “I wanted to send a message that if individuals were encouraging the fraud they were going to go down too.”
In the end, only Navarrete was prosecuted. He pled no contest, receiving a 120-day jail sentence, but was allowed to serve it at home with electronic monitoring. He must also pay nearly $23,000 in restitution.
Inhospitable work environments don’t encourage claimants to hurry and return to work. As Navarrete showed, they even encourage some workers to rationalize committing insurance fraud.
Navarrete’s work environment, awful as it is, doesn’t justify defrauding his employer. But it does offer an example, albeit an extreme one, of the workplace environment’s potential impact on workers’ comp costs.
Cyber: The Overlooked Environmental Threat
“Cyber breach” conjures fears of lost or ransomed data, denial of service, leaked corporate secrets and phishing scams.
But in a world where so many physical operations are automated and controlled by digital technologies, the consequences of cyber attacks extend far beyond the digital realm to include property damage, bodily injury, and even environmental pollution.
Industrial companies that deal with hazardous materials — like power plants, refineries, factories, water treatment facilities or pipelines — are heavily dependent on automated technology to maximize their efficiency. Other sectors use technology to control HVAC systems, power and utilities, placing their properties at risk as well.
Cyber risks like theft of personally identifiable data have been highly publicized in recent years, but physical risks like pollution sparked by a cyber breach may not be as obvious.
“It’s significant to lose 100,000 customers’ Social Security numbers,” said William Bell, Senior Vice President, Environmental, Liberty International Underwriters, “but can you imagine if a waste treatment facility’s operations get hacked, gates open, and thousands of tons of raw sewage go flowing down a local river?”
In many industrial complexes, a network of sensors gathers and monitors data around machinery efficiency and the flow of the materials being processed. They send that information to computer terminals that interpret the data into commands for the hardware elements like motors, pumps and valves.
This automation technology can control, for example, the flow of pipelines, the level of water or waste held in a reservoir, or the gates that hold in and control the release of vast quantities of sewage and other process materials. Hackers who want to cause catastrophe could hijack that system and unleash damaging pollutants.
And it’s already happened.
In 2000, a hacker caused 800,000 liters of untreated sewage to flood the waterways of Maroochy Shire, Australia. In 2009, an IT contractor, disgruntled because he was not hired full-time, disabled leak detection alarm systems on three off-shore oil rigs near Long Beach, Calif.
Just last year, cyber attackers infiltrated the network of a German steel mill through a phishing scam, eventually hacking into the production control system and manipulating a blast furnace so it could not be shut down. The incident led to significant property damage.
According to a leading industrial security expert and executive director of the International Society of Automation, “Today’s operational technologies—such as sensors, SCADA systems, software and other controls that drive modern industrial processes—are vulnerable to cyber attack. The risk of serious damage or compromise to power and chemical plants, oil and gas facilities, chemical and water installations and other vital critical infrastructure assets is real.”
“The hacks could come from anywhere: a teenager looking for entertainment, a disgruntled worker, or more sophisticated criminals or terrorists,” Bell said. “There are certainly groups out there with political and ideological motivations to wreak that kind of havoc.”
The cleanup cost of an environmental disaster can climb into the hundreds of millions, and even if a cyber breach triggered the event, a cyber policy alone will not cover the physical and environmental damage it caused.
The risk is even more pointed now, as resource conservation becomes increasingly important. Weather-related catastrophe modeling is changing as both flooding and drought become more severe and frequent in different regions of the U.S. Pollution of major waterways and watersheds could have severe consequences if it affects drinking water sources, agriculture and other industrial applications that depend on this resource.
Managing the Risk
Unfortunately, major industrial corporations sometimes address their environmental exposure with some hubris. They trust in their engineers to remove the risk by designing airtight systems, to make a disaster next to impossible. The prospect of buying environmental insurance, then, would be superfluous, an expression of doubt in their science-backed systems.
Despite the strongest risk management efforts, though, no disaster is 100 percent avoidable.
“We are working to bring the cyber component of environmental risk to the forefront,” Bell said. “Cyber security is not just an IT issue. Industry executives need to be aware of the real-world risks and danger associated with an industrial cyber attack as well as the critical differences between cyber security and operational technology security.”
The focus on network security and data protection has distracted industry leaders from strengthening operational technology security. Energy, manufacturing and other industrial sectors lack best practice standards when it comes to securing their automated processes.
After the Homeland Security Act of 2002, the Department of Homeland Security began comprehensive assessments of critical infrastructure’s cyber vulnerability, working with owners and operators to develop solutions. It also offers informational guides for private companies to do the same. The National Institute of Standards and Technology also continues work on its cyber security framework for critical infrastructure. Although this helps to establish some best practices, it does not completely mitigate the risk.
Many businesses don’t see themselves as a target, but they need to look beyond their own operations and property lines. They could be an attractive target due to their proximity to densely populated areas or resources such as waterways and highways, or nationally or historically significant areas. The goal of a cyber terrorist is not always to harm the target itself, but the collateral damage.
The Role of Insurance
“Environmental liability is still by and large viewed as a discretionary purchase,” Bell said, “but the threat of a cyber attack that can manipulate those systems and ultimately lead to a pollution incident is added incentive to buy environmental coverage.”
Liberty International Underwriters’ environmental coverage could respond to many pollution conditions set off by a cyber breach event.
“Property damage, bodily injury and cleanup of any pollution at or emanating from a covered property would likely be taken care of,” Bell said. “The risk is not so much the cyber exposure but the consequence of the attack. The resulting claims and degradation to the environment could be severe, especially if the insured was a target chosen because of their unique position to have a large effect on the local population and environment.”
LIU also offers dedicated Cyber Liability insurance solutions designed to manage and mitigate the cost of responding to a cyber attack and any resultant loss of data and associated liability. Coverage includes proactive data breach response services designed to help organizations comply with regulatory requirements and prevent data breaches.
LIU’s loss control managers are also on hand to conduct assessments of insureds’ properties and facilities to examine potential environmental impacts. They can educate brokers on the importance of enhancing cyber security to prevent an environmental accident in the first place.
“People are relying more and more on their systems, automation is increasing, and the risk is growing,” Bell said. “We’re all focused on protecting data, but the consequences of a cyber breach can be much farther reaching than data alone.”
To learn more about Liberty International Underwriters’ environmental coverages and services, visit www.LIU-USA.com.
Liberty International Underwriters is the marketing name for the broker-distributed specialty lines business operations of Liberty Mutual Insurance. Certain coverage may be provided by a surplus lines insurer. Surplus lines insurers do not generally participate in state guaranty funds and insureds are therefore not protected by such funds. This literature is a summary only and does not include all terms, conditions, or exclusions of the coverage described. Please refer to the actual policy issued for complete details of coverage and exclusions.
This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Liberty International Underwriters. The editorial staff of Risk & Insurance had no role in its preparation.