Heading Off ‘Cybergeddon’
In April’s R&I cover story, Cyber: The New CAT, experts called catastrophic cyber attacks “inevitable” and the prevailing attitude in the C-Suite “denial.”
Jason Healey, director, Atlantic Council’s Cyber Statecraft Initiative, says that in order for organizations to weather the inevitable attacks, the key will be resiliency. “The organizations that fare best,” he said, “will be those that have the size, agility and resilience to bounce back as quickly as possible.” Healey is also author of Beyond Data Breaches: Global Interconnections of Cyber Risk, commissioned by Zurich Insurance Company Ltd. and published in April 2014.
Developing resilience would include conducting exercises, developing response playbooks, increasing funding and grants for large-scale crisis management and developing redundant data storage in case one is compromised.
The tangle of Internet information that companies and countries depend on to function is now so complex, Healey said, that companies and governments can’t manage the risk from within their own four walls. Beyond Data Breaches notes that Internet failures could cascade directly to Internet-connected banks, water systems, cars, medical devices, hydroelectric dams, transformers and power stations.
Like superstorms such as Hurricane Sandy, cyber risks are inevitable and unstoppable, and like the financial crisis of 2008, they can’t be contained, because of organizations’ interconnection and interdependency. The worst-case scenario, stemming from the principle that everything is connected to the Internet and everything connected to the Internet can be hacked, is “Cybergeddon,” where attackers have an overwhelming, dominant and lasting advantage over defenders.
Even now, Healey said, attackers have the advantage. The Internet’s original weakness — that it was built for trust, not security — perpetuates defenders’ vulnerability. “Some ‘serious’ thinkers suggest we should start over” rather than try to retrofit an Internet so flawed by weak security as to threaten every user, he said, despite the impracticality of a do-over.
Second, Healey said, defenders have to be right every time, and attackers have to be right only once.
Third, technology evolves very quickly, and most people don’t understand it well enough to lock out intruders. “Every time we figure out what we’re supposed to be doing right, the technology has moved on and once again we don’t know how to properly secure our data,” Healey said.
Software is still poorly written and so insecure that “a couple of kids in a garage” can hack into corporate and government systems just for a naughty thrill. “Bad guys” with theft or sabotage on their minds can work their mischief behind a veil of anonymity. “The Internet almost encourages bad behavior because of the anonymity involved,” Healey said.
Companies, governments and risk managers should shift the drumbeat from resistance to resilience, and to expand cyber risk management from individual organizations to a resilient and responsive Internet system, Healey said. For systemic risk management, Beyond Data Breaches recommends:
- Putting the private sector at the center, not the periphery, of cyber risk efforts, since they have the advantage in agility and subject matter expertise.
- Using monetary or in-kind grants to fund effective but underfunded non-government groups already involved in minimizing the frequency and intensity of attacks. Governments and others with system-wide concerns (such as internet service providers and software and hardware vendors) should advocate for this research.
- Borrowing ideas from the finance sector. This could include examination of “too big to fail” issues of governance and recognition of global significantly important internet organizations.
Covering Fraudulent Impersonation
Impersonating a supervisor in order to fraudulently convince a subordinate to transfer funds is one of a bevy of emerging cyber risks. Getting cover for a loss stemming from the practice is still a dicey business.
Many cyber policies might not cover such a loss, and underwriters disagree on whether more traditional crime/fidelity coverages do either. But attempts are underway to bridge the gap.
Beazley’s new fraudulent instruction endorsement, for example, gives existing commercial crime policyholders up to $250,000 cover against the transfer of funds as a result of instructions from a person purporting to be a vendor, client or authorized employee.
“Fraudulent instruction scams are so sophisticated that basically any business that transfers funds is vulnerable,” said Bill Jennings, who heads the Financial Fidelity/Commercial Crime Unit for Beazley in New York.
“Existing cyber and crime policies — which cover theft of data and theft of funds respectively — may not cover losses from these masqueraders, who may use authority or endearment to perpetrate a fraud,” he explained.
“Quite frankly, many companies need more than $250,000 of this coverage.” — Kevin Guillet, FINPRO Fraud Advisory Practice Leader, Marsh
This increasingly prevalent type of scam relies on an employee failing to notice a very small error in an email address, as well as their natural eagerness to please and be responsive to a superior or a client.
Victims are often tricked that the instruction is either urgent or confidential, and the instruction usually contains personal information gathered from social media or hacking in order to make it seem believable. Once the transferred funds leave the United States, they are rarely recoverable.
While the perpetrators often use cyber hacking to identify and trick their targets, cyber policies are typically focused on the theft of data rather than money.
That’s why, according to Bob Parisi, cyber product leader at Marsh, it is crime/fidelity underwriters who are “bridging the gap more aggressively” when it comes to covering fraudulent impersonations.
“The cyber markets tend to take a ‘hands-off’ position on crime-related losses as they view cyber coverage as more akin to ‘virtual’ property casualty coverage,” he said.
“However, there is some potential overlap between cyber and crime/fidelity, especially in the financial institution space where insureds can enhance their crime/fidelity coverage with damage by hacker or virus endorsements that provide an element of cyber coverage.”
Kevin Guillet, Marsh’s FINPRO Fraud Advisory Practice Leader, praised Beazley for including impersonation of clients, vendors and employees under its coverage.
“Not every form covers all those constituents,” he noted, adding that while he believes certain standard industry forms do already cover against ‘employee’-to-employee instruction, this is often disputed by underwriters.
In an attempt to help protect its clients, Marsh has developed proprietary language introducing ‘computer and telephonic misuse coverage’ — which includes coverage for fraudulent impersonation — into its crime policy standard wordings in London and Europe, and continues to push for acceptance of this wording by U.S. underwriters.
“While subject to underwriting and additional premium charge, another attractive feature of Beazley’s endorsement is that can provide coverage up to $250,000 without requiring ‘out-of-band authentification’ [challenging the instruction through a means other than that by which the instruction was received, such as email verification of a phone instruction],” Guillet added.
“When underwriters build in a warranty whereby there is no coverage unless all procedures are correctly followed, we question the value of that coverage because these scams typically succeed by convincing people to ignore established protocols.”
According to an Internet Crime Complaint Center (IC3) June 2014 “Scam Report,” the average amount lost in frauds of this nature is $55,000. However, IC3 claimed there has been one report of $800,000 lost, and experts said they have seen losses run into the tens of millions. The total cost to corporate America is unknown.
“Quite frankly, many companies need more than $250,000 of this coverage,” said Guillet. However, he conceded, “there is real exposure here, so you can understand why Beazley and other underwriters are approaching cautiously,” noting that while there are some underwriters who offer higher limits, some don’t want to cover fraudulent impersonation risk at all.
Beazley’s Jennings recommended that, in addition to buying insurance, companies implement staff training as well as “strong internal controls requiring call-back verification and periodic white-hat testing to confirm that controls are being followed.”
Pathogens, Allergens and Globalization – Oh My!
In 2014, a particular brand of cumin was used by dozens of food manufacturers to produce everything from spice mixes, hummus and bread crumbs to seasoned beef, poultry and pork products.
Yet, unbeknownst to these manufacturers, a potentially deadly contaminant was lurking…
What followed was the largest allergy-related recall since the U.S. Food Allergen Labeling and Consumer Protection Act became law in 2006. Retailers pulled 600,000 pounds of meat off the market, as well as hundreds of other products. As of May 2015, reports of peanut contaminated cumin were still being posted by FDA.
Food manufacturing executives have long known that a product contamination event is a looming risk to their business. While pathogens remain a threat, the dramatic increase in food allergen recalls coupled with distant, global supply chains creates an even more unpredictable and perilous exposure.
Recently peanut, an allergen in cumin, has joined the increasing list of unlikely contaminants, taking its place among a growing list that includes melamine, mineral oil, Sudan red and others.
“I have seen bacterial contaminations that are more damaging to a company’s finances than if a fire burnt down the entire plant.”
— Nicky Alexandru, global head of Crisis Management at AIG
“An event such as the cumin contamination has a domino effect in the supply chain,” said Nicky Alexandru, global head of Crisis Management at AIG, which was the first company to provide contaminated product coverage almost 30 years ago. “With an ingredient like the cumin being used in hundreds of products, the third party damages add up quickly and may bankrupt the supplier. This leaves manufacturers with no ability to recoup their losses.”
“The result is that a single contaminated ingredient may cause damage on a global scale,” added Robert Nevin, vice president at Lexington Insurance Company, an AIG company.
Quality and food safety professionals are able to drive product safety in their own manufacturing operations utilizing processes like kill steps and foreign material detection. But such measures are ineffective against an unexpected contaminant. “Food and beverage manufacturers are constantly challenged to anticipate and foresee unlikely sources of potential contamination leading to product recall,” said Alexandru. “They understandably have more control over their own manufacturing environment but can’t always predict a distant supply chain failure.”
And while companies of various sizes are impacted by a contamination, small to medium size manufacturers are at particular risk. With less of a capital cushion, many of these companies could be forced out of business.
Historically, manufacturing executives were hindered in their risk mitigation efforts by a perceived inability to quantify the exposure. After all, one can’t manage what one can’t measure. But AIG has developed a new approach to calculate the monetary exposure for the individual analysis of the three major elements of a product contamination event: product recall and replacement, restoring a safe manufacturing environment and loss of market. With this more precise cost calculation in hand, risk managers and brokers can pursue more successful risk mitigation and management strategies.
Product Recall and Replacement
Whether the contamination is a microorganism or an allergen, the immediate steps are always the same. The affected products are identified, recalled and destroyed. New product has to be manufactured and shipped to fill the void created by the recall.
The recall and replacement element can be estimated using company data or models, such as NOVI. Most companies can estimate the maximum amount of product available in the stream of commerce at any point in time. NOVI, a free online tool provided by AIG, estimates the recall exposures associated with a contamination event.
Restore a Safe Manufacturing Environment
Once the recall is underway, concurrent resources are focused on removing the contamination from the manufacturing process, and restarting production.
“Unfortunately, this phase often results in shell-shocked managers,” said Nevin. “Most contingency planning focuses on the costs associated with the recall but fail to adequately plan for cleanup and downtime.”
“The losses associated with this phase can be similar to a fire or other property loss that causes the operation to shut down. The consequential financial loss is the same whether the plant is shut down due to a fire or a pathogen contamination.” added Alexandru. “And then you have to factor in the clean-up costs.”
Locating the source of pathogen contamination can make disinfecting a plant after a contamination event more difficult. A single microorganism living in a pipe or in a crevice can create an ongoing contamination.
“I have seen microbial contaminations that are more damaging to a company’s finances than if a fire burnt down the entire plant,” observed Alexandru.
Handling an allergen contamination can be more straightforward because it may be restricted to a single batch. That is, unless there is ingredient used across multiple batches and products that contains an unknown allergen, like peanut residual in cumin.
Supply chain investigation and testing associated with identifying a cross-contaminated ingredient is complicated, costly and time consuming. Again, the supplier can be rendered bankrupt leaving them unable to provide financial reimbursement to client manufacturers.
“Until companies recognize the true magnitude of the financial risk and account for each of three components of a contamination, they can’t effectively protect their balance sheet. Businesses can end up buying too little or no coverage at all, and before they know it, their business is gone.”
— Robert Nevin, vice president at Lexington Insurance, an AIG company
Loss of Market
While the manufacturer is focused on recall and cleanup, the world of commerce continues without them. Customers shift to new suppliers or brands, often resulting in permanent damage to the manufacturer’s market share.
For manufacturers providing private label products to large retailers or grocers, the loss of a single client can be catastrophic.
“Often the customer will deem continuing the relationship as too risky and will switch to another supplier, or redistribute the business to existing suppliers” said Alexandru. “The manufacturer simply cannot find a replacement client; after all, there are a limited number of national retailers.”
On the consumer front, buyers may decide to switch brands based on the negative publicity or simply shift allegiance to another product. Given the competitiveness of the food business, it’s very difficult and costly to get consumers to come back.
“It’s a sad fact that by the time a manufacturer completes a recall, cleans up the plant and gets the product back on the shelf, some people may be hesitant to buy it.” said Nevin.
A complicating factor not always planned for by small and mid-sized companies, is publicity.
The recent incident surrounding a serious ice cream contamination forced both regulatory agencies and the manufacturer to be aggressive in remedial actions. The details of this incident and other contamination events were swiftly and highly publicized. This can be as damaging as the contamination itself and may exacerbate any or all of the three elements discussed above.
Estimating the Financial Risk May Save Your Company
“In our experience, most companies retain product contamination losses within their own balance sheet.” Nevin said. “But in reality, they rarely do a thorough evaluation of the financial risk and sometimes the company simply cannot absorb the financial consequences of a contamination. Potential for loss is much greater when factoring in all three components of a contamination event.”
This brief video provides a concise overview of the three elements of the product contamination event and the NOVI tool and benefits:
“Until companies recognize the true magnitude of the financial risk and account for each of three components of a contamination, they can’t effectively protect their balance sheet,” he said. “Businesses can end up buying too little or no coverage at all, and before they know it, their business is gone.”
This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Lexington Insurance. The editorial staff of Risk & Insurance had no role in its preparation.