By DAVE LENCKUS, who has covered the insurance industry for more than two decades
Scenario: The hackers behind the Night Dragon cyberattacks against the world's largest energy companies are breathing even hotter flames of corporate espionage these days.
Since November 2009, the attackers have used multiple techniques to infiltrate their targets' computer systems and pilfer highly sensitive proprietary data, including information critical to developing oil and gas field bids.
The attacks, discovered in July 2010, still continue.
Now, the same attackers have incorporated into their assault a weaponized computer worm widely believed to have been first used by an unidentified country's military against an enemy state.
The worm, known as Stuxnet, sabotaged Iran's controversial uranium enrichment program in October 2010.
According to cyberexperts, the deployment of the Stuxnet worm was the first time that malware not only spied on its target but also interfered with its operations.
When Stuxnet was launched against Iran, cyberexperts hoped the worm would not crawl into the corporate espionage world, but many feared it would eventually.
Those fears became legitimate risk management concerns in February 2011. That's when Anonymous--an Internet coalition known for its web-based attacks against numerous targets, including Sarah Palin's websites and credit card companies that cut ties with Wikileaks--announced it had possession of the worm.
With one group of what has become known as "political hacktivists" in possession of the worm, cyberexperts warned it was only a matter of time before other politically motivated groups also would add the tool to their cyberattack arsenal.
Sources report that those behind the Night Dragon cyberattacks now have obtained the Stuxnet worm.
With it, the attackers are not only stealing information from their targets but seriously and often dangerously disrupting their operations, including oil drilling and pipelines.
In several cases, the energy companies barely prevented what could have been disastrous explosions at drilling rigs and where pipelines connected with refineries.
Analysis: The Night Dragon attacks and the computer worm, known as Stuxnet, are real. Anonymous announced in February it had obtained the worm.
The worm has not been turned loose on industry yet--or at least publicly acknowledged--but experts fear that hackers with either social agendas or profit motives will not hesitate to do so, if it suits their agenda.
"I don't know that there's a company, a business out there that can address that type of threat," said Nalneesh Gaur, a Dallas-based director with the Diamond Advisory Services unit of PricewaterhouseCoopers LLP.
Even if the worm is kept out of civilian hackers' tackle box, cyberrisk is worsening.
Since 2005, almost 517 million records have been compromised in more than 2,400 known data security breaches, according to the Privacy Rights Clearinghouse.
A 2009 McAfee study found that cybercrime costs businesses worldwide $1 trillion annually in lost intellectual property and related expenditures.
For U.S. companies, the latest survey by the Ponemon Institute LLC and Symantec Corp. found that data-breach costs grew for the fifth consecutive year to $7.2 million per incident in 2010. The average cost per compromised record also increased to $214 from $204 in 2009.
A hacker, however, can cause far greater loss. For example, it cost $256 million for TJX Cos. Inc. after 94 million electronic customer records were breached in 2007, and $139 million for Heartland Payments Systems Inc., after records related to 130 million credit cards it was processing were pilfered in 2009.
Experts say every organization should be on guard.
"CEOs tell us they get hundreds or thousands of pings per day from hackers trying to hit them," said former risk manager Chris Mandel, president of consultant Excellence in Risk Management L.L.C. in San Antonio. Mandel also writes a risk innovation column for Risk & Insurance®.
Ponemon reported in October 2008 that 80 percent of 819 survey respondents reported at least one data security breach within the past year, 51 percent involving electronic data.
Numerous factors are driving the risk.
"One of the main factors is the huge jump in the adoption of technology by businesses of all sizes and scopes, as well as the adoption of technology by all age and social demographics," said Eduard Goodman, Scottsdale, Ariz.-based chief privacy officer at data security consultant Identity Theft 911. Neither group is managing the associated risk properly, Goodman said.
Julian James, chief executive officer of broker Lockton Cos. LLP in London, agrees.
"For example, many businesses have recognized cloud computing as an opportunity to achieve cost efficiencies without realizing the risks associated with this move to virtual servers. It is crucial to understand that outsourcing data management gives third parties access to confidential information and may open the door to a serious threat to the network or a breach in data security," James said.
"Wherever there is a disconnect between technological innovation and the security to protect it, there is an opportunity for disaffected individuals to leak intellectual property, disrupt operations or commit crime," he said. "The economic downturn has undoubtedly increased the 'people risk' as individuals use the Internet to vent their frustration on former employers or seek to plug a gap in their finances."
Cybercriminals have become more sophisticated, too, and hackers have better tools, including some that are available online, said Larry Collins, the New York-based head of E-Solutions for Zurich Services Corp., the risk management arm of Zurich Financial Services Group.
Insurance, particularly cyberrisk policies, can offer some measure of protection. Cyberpolicies typically cover: the cost of customer notifications and subsequent credit monitoring; third-party liability; forensic services to both determine how the breach occurred and to prevent future breaches; the restoration of lost data; and public relations services. Buyers can pull together about $150 million of limits, said Corey Gooch, Chicago-based senior enterprise risk management consultant at Towers Watson & Co.
Most property and general liability policies, however, do not provide much, if any, coverage, brokers and insurers say. Still, some coverage could be available under those and professional liability and employment practices policies, said Goodman of Identity Theft.
But loss prevention is far more critical than insurance, experts say. In fact, good cyberrisk management practices are imperative when seeking affordable cyberrisk coverage, said Kevin Kalinich, the Chicago-based managing director of Aon Risk Solutions' Financial Services Group.
To be effective, however, the effort has to be cross-functional and not rely solely on risk management and information technology, Gooch said.
In addition, companies have to plan how they will respond to a data breach, said Tracey Vispoli, Warren, N.J.-based senior vice president and worldwide cybersecurity manager for the Chubb Group of Insurance Cos., which writes cybersecurity coverage.
"Without a plan, you don't know what to do in a timely fashion," Vispoli said. "A knee-jerk reaction will be more costly," because the company that has been victimized will be at the mercy of various service providers it will need to retain to respond to the situation, she said. The company also will be scrambling for information on which state and federal laws, which are not consistent with each other, are applicable.
When you're under a cyberattack, especially an anticipated assault, it's not the optimal time to begin forming a battle plan.
(Read about our eighth emerging risk, social media threats.)
May 1, 2011
Copyright 2011© LRP Publications