Heading Off ‘Cybergeddon’
In April’s R&I cover story, Cyber: The New CAT, experts called catastrophic cyber attacks “inevitable” and the prevailing attitude in the C-Suite “denial.”
Jason Healey, director, Atlantic Council’s Cyber Statecraft Initiative, says that in order for organizations to weather the inevitable attacks, the key will be resiliency. “The organizations that fare best,” he said, “will be those that have the size, agility and resilience to bounce back as quickly as possible.” Healey is also author of Beyond Data Breaches: Global Interconnections of Cyber Risk, commissioned by Zurich Insurance Company Ltd. and published in April 2014.
Developing resilience would include conducting exercises, developing response playbooks, increasing funding and grants for large-scale crisis management and developing redundant data storage in case one is compromised.
The tangle of Internet information that companies and countries depend on to function is now so complex, Healey said, that companies and governments can’t manage the risk from within their own four walls. Beyond Data Breaches notes that Internet failures could cascade directly to Internet-connected banks, water systems, cars, medical devices, hydroelectric dams, transformers and power stations.
Like superstorms such as Hurricane Sandy, cyber risks are inevitable and unstoppable, and like the financial crisis of 2008, they can’t be contained, because of organizations’ interconnection and interdependency. The worst-case scenario, stemming from the principle that everything is connected to the Internet and everything connected to the Internet can be hacked, is “Cybergeddon,” where attackers have an overwhelming, dominant and lasting advantage over defenders.
Even now, Healey said, attackers have the advantage. The Internet’s original weakness — that it was built for trust, not security — perpetuates defenders’ vulnerability. “Some ‘serious’ thinkers suggest we should start over” rather than try to retrofit an Internet so flawed by weak security as to threaten every user, he said, despite the impracticality of a do-over.
Second, Healey said, defenders have to be right every time, and attackers have to be right only once.
Third, technology evolves very quickly, and most people don’t understand it well enough to lock out intruders. “Every time we figure out what we’re supposed to be doing right, the technology has moved on and once again we don’t know how to properly secure our data,” Healey said.
Software is still poorly written and so insecure that “a couple of kids in a garage” can hack into corporate and government systems just for a naughty thrill. “Bad guys” with theft or sabotage on their minds can work their mischief behind a veil of anonymity. “The Internet almost encourages bad behavior because of the anonymity involved,” Healey said.
Companies, governments and risk managers should shift the drumbeat from resistance to resilience, and to expand cyber risk management from individual organizations to a resilient and responsive Internet system, Healey said. For systemic risk management, Beyond Data Breaches recommends:
- Putting the private sector at the center, not the periphery, of cyber risk efforts, since they have the advantage in agility and subject matter expertise.
- Using monetary or in-kind grants to fund effective but underfunded non-government groups already involved in minimizing the frequency and intensity of attacks. Governments and others with system-wide concerns (such as internet service providers and software and hardware vendors) should advocate for this research.
- Borrowing ideas from the finance sector. This could include examination of “too big to fail” issues of governance and recognition of global significantly important internet organizations.
Protecting His Company
Few, if any, risk managers actually want to simulate a distributed denial of service or persistent attack on their computer systems, but Thomas Dunbar at XL Group plc in Stamford, Conn., wanted to see how his internal staff and outside vendors would react.
After all, the cyber risk insurer has to set an example of online security best practices.
Dunbar, XL’s chief information risk officer, contracted with Secure Network Technologies in Syracuse, N.Y., to conduct a DDoS attack against the firm’s externally facing websites, unbeknownst to XL’s internal security team and service provider.
Dunbar also had Secure simulate an advanced persistent attack, in which it entered and quietly remained within XL’s systems to conduct a “reconnaissance” on any vulnerabilities that could be exploited to gain access to customer information or proprietary data.
“It’s good to run these tests for a longer period of time, because infrastructure might change when we deploy a new business application or launch a new line of business,” Dunbar said. “We can see how our network and colleagues react to the changes and determine the prolonged strength of the program.”
Secure’s Chief Executive Officer Steve Stasiukonis said that Dunbar doesn’t just want to protect the company, he also wants to understand “the enemy to the Nth degree.”
“In all of the years that I’ve worked with companies, nobody ever really wants to simulate a DDoS attack to understand their weaknesses, but him,” Stasiukonis said. “Tom is a pioneer — he wants to see how his people will really react.”
Dunbar leads a six-person cyber risk team that works with XL’s business units and information technology department to identify and remediate cyber risks.
To combat identified threats and vulnerabilities, they have built a strong technological structure that monitors, prevents, detects and responds to security events.
They have deployed an advanced data loss protection infrastructure to ensure that XL’s data — particularly confidential customer information — are contained within the XL network.
“These tools have really resonated with our colleagues and have clearly raised the level of XL’s cyber security awareness and preparedness.” — Jacob D. Rosengarten, executive vice president and chief enterprise risk officer, XL Group
Overall, Dunbar has taken “a very holistic approach” toward minimizing cyber attacks, said Jacob D. Rosengarten, XL’s executive vice president and chief enterprise risk officer.
For example, Dunbar and his team have taken a leadership role in educating XL’s employees about cyber security “by harnessing innovative and creative communications media that capture the imagination” — whether through posters in lunchrooms, short webinars or contests that test password security, Rosengarten said.
“These tools have really resonated with our colleagues and have clearly raised the level of XL’s cyber security awareness and preparedness,” he said.
Dunbar said his team focuses on education to drive behavioral change, as employees are often “the weakest link.”
“We encourage people to use the ‘see something, say something’ philosophy,” Dunbar said. “We want them to speak up if they see something strange in their email inbox, or if they see something unusual going on in the system, and to also give feedback to make security stronger.”
“We want to make our colleagues one of the strongest links,” Dunbar said.
Risk All Stars stand out from their peers by overcoming challenges through exceptional problem solving, creativity, perseverance and/or passion.
A Dreaming Team
Chris Thorn is known as one of the most creative risk managers in the business. After all, his risk management program hit the cover of Risk & Insurance® in March, 2012.
Now the senior manager, payments and risk, for Southwest Airlines is working with Riskonnect, a technology partner that he thinks can take his program to new heights.
“For us, it’s a platform that gives you so many different tools that if you can dream it, you can build it,” said Thorn.
Thorn ditched his legacy risk management information system in 2012 and started working with Riskonnect, initially using the platform solely for liability claims management.
But the system’s “do-it-yourself” accessibility almost immediately caught the eye of Thorn’s colleagues managing safety risk and workers’ compensation.
“They were seeking a software solution at the time and said, ‘Hey, we want to join the party,” Thorn recalls of his friends in safety and workers’ compensation.
“For us, it’s a platform that gives you so many different tools that if you can dream it, you can build it.”
–Chris Thorn, senior manager, payments and risk, Southwest Airlines
What was making Thorn’s colleagues so jealous was the system’s “smart question” process which allows any supervisor in the company to enter a claim, while at the same time freeing those supervisors from being claims adjusters.
The Riskonnect platform asks questions that direct the claim to the appropriate category without the supervisor having to take on the burden of performing that triage.
“They love it because all of the redundant questions are gone,” Thorn said.
The added beauty of the system, Thorn said, is that allows carriers and TPAs to work right alongside the Southwest team in claims files while maintaining rock-solid cyber security.
“This has sped up the process,” Thorn said.
“Any time you can speed up the process, the more success you’re going to have when you make offers to settle claims,” he said.
Since that initial splash in claims management, the Riskonnect platform has gone on to become a rock star at Southwest in a number of other areas. And as Thorn suggests, the possibilities of the system are limited only by the user’s imagination.
With a little creativity and help from Riskonnect as needed, a risk manager can add on system capabilities without having to go on bended knee to his own information technology department.
In the area of insurance policy management, for example, the Riskonnect platform as built by Thorn now holds data on all property values and exposures that can in turn be downloaded for use by underwriters.
Every time Southwest buys a new airplane, the enterprise platform sends out a notice to the airlines insurance broker, who in turn notifies the 16 or 17 carriers that are on the hull program.
Again, in that “anything’s possible” vein, the system has the capability of notifying the carriers, directly, a tool Thorn said he’s flirting with.
“It is capable of doing that,” he said.
“We’re testing out this functionality before we turn on it loose directly to the insurance companies.”
In alignment with the platform’s muscle in documenting, storing and reporting liability and property exposures, the system monitors and reports on insurance carrier financial strength.
If a rating agency downgrades a Southwest program carrier’s financial strength, for example, the system “pings” Thorn and his colleagues.
“Not only will we know about it, but we will also know all programs, present and past that they participated on, what the open reserves are for those policy years and policies,” Thorn said.
“That gives us even more comfort that we have good, solid financial backing of the insurance policies that are protecting us,” Thorn said.
Like many of us, Chris Thorn didn’t set out to work in risk management and insurance. Thorn is a Certified Public Accountant, and it’s that background that allows him to take creative advantage of the Riskonnect platform’s malleability in yet another way.
With the help of the Riskonnect customer service team, Thorn added a function to the platform that allows him to calculate the cost of insurance policies on a monthly basis, enter them into a general ledger and send them over to his colleagues in accounting.
“It’s very robust on handling financial information, date information, or anything with that much granularity,” Thorn said.
The sky is the limit
Thorn and Southwest are only two years into their relationship with Riskonnect and there are a number of places Thorn thinks the platform can take him that have yet to be explored, but certainly will be.
“It’s basically a repository of anything that’s risk-related, it continues to grow,” Thorn said.
“This has sped up the process. Any time you can speed up the process, the more success you’re going to have when you make offers to settle claims.”
–Chris Thorn, senior manager, payments and risk, Southwest Airlines
Not only have Southwest’s safety and workers’ compensation managers joined Thorn in his work with Riskonnect, business continuity has come knocking as well.
Thorn met in July with members of Southwest Airline’s business continuity team, which has a whole host of concerns, ranging from pandemics to cyber-attacks that it needs help in documenting the exposures and resiliency options for.
That Enterprise Risk Management approach will in the future also involve the system’s capability to provide risk alerts, telling Thorn and his team for example, that a hurricane or fast moving wildfire is threatening one of the company’s facilities.
Supply chain resiliency and managing certificates of insurance for foreign vendors are other areas where Thorn and his team plan to put the Riskonnect platform to good use.
“That’s all stuff that’s being worked on by us,” Thorn said.
“They’ve given us the tools, but we’re trying to develop how we’re going to use it,” he said.