Insuring a Cyber 9/11

by edwardmroche

Abstract

Cyber insurance has emerged as a dynamic and growing sector. In the United States alone, it is expected to earn more than $20 billion in premiums by 2020. Almost without exception, cyber insurance is written for individual organizations, usually corporations. There is a growing risk, however, that a giant cyber catastrophe might take place in which the failure of one information system will trigger a chain reaction between firms, leading to a massive systemic breakdown across entire sectors in the economy. If this happens, it will provoke a crisis across the insurance industry, not unlike the effects of the 1906 earthquake in San Francisco.

[These are a set of notes compiled from a recent Infragard meeting. This blog entry is copied from a pdf file, so there may be glitches in the formatting in a few places.]

1 The landscape of cyber risk

By 2013, cybercrime had a global impact of more than $3 trillion dollars, making it larger and more profitable than the world’s drug trade.1 In the UK, 55% of businesses have been hacked, and worldwide, 36% report the same. In 2015 there were around 80,000 cyber security incidents and in 2,100 of those cases, significant amounts of data were either lost or compromised.2

The FBI reports 12,000 corporations have been victim to email money transfer scamming, and the costs to business of this fraud alone is $2 billion a year.3 The corporate controller of an established grain trading and storage company Scoular was tricked by fake emails into wiring $17.2 million into an offshore bank account. In January 2015, Xoom was tricked into transferring $30.8 million into an overseas account. Ubiquiti Networks was tricked into transferring out $46.7 million.4 Table 1 on the following page shows a few of the largest hacks.5

These numbers are suspect, because most corporations never report a cyber incident. Most companies have tremendous incentives not to report because of fear their reputation will be damaged. Since these giant dollar amounts are only for those cyber incidents that are reported, they probably represent less than 1 of the actual problem. Most believe the actual number 4 of serious cyber incidents is much larger, even 2-3 times larger.

Ransomware. There are so many different types of cyber attacks, it is difficult to list them all, and any list soon would be obsolete. One new trend is so-called “ransomeware”, which locks of all of your enterprise data, and then demands money to unlock it.6 Ransomeware is becoming more common, and companies thus far have failed to develop any effective way to defend against it. The recent trend is for the extortion payments to be made in Bitcoin,7 an untraceable virtual currency. It appears that 2,453 ransomeware incidents were reported to the FBI in 2015, and about about $24 million was paid out. This is for the United States alone, and this data only mentions what was reported.8 Ransomware is good business. A full set of stolen medical data on an individual can go for up to $50 dollars on the black market. Hollywood Presbyterian Hospital in Los Angeles paid a ransom of $17,000 in bitcoin to get its data back.9 To create a phishing page and mass spam email costs $150 dollars. Good crypto ransomware costs about $2,000 on the dark net. So only eight users need to be caught to make a profit. The Cryptowall ransomware earned more than $18 million in 2014, but again that is what was reported.10

PII. Loss of personally identifiable information (PII) can have serious consequences. In the Ashley Madison breach, the embarrassment caused two suicides. In the breach of the U.S. Office of Personnel Management by a foreign intelligence service, believed to be the People’s Republic of China, the highly detailed information on all persons with a security clearance in the U.S. government was revealed. The national security consequences are incalculable.11

Botnets.  Botnets12 have shown the ability to compromise millions of computers in a single attack.13

Some organizations have funded serious research to assess cyber risk. For example, cyber is now part of the formal work of risk managers in the London Stock Exchange Group.14 And the same is echoed in other financial centers around the world.

There are many efforts underway to prepare for major data breaches. Companies recognize they are increasing in frequency, but most data breach preparadness programs often fail to deal with all aspects of a cyber incident.

There is little faith companies will be able to to deal the with consequences of a data breach. Plans on the book are not considered to be effective, and one reason is that they are not regularly reviewed. More training and awareness plans are needed, and top management needs to be more involved.

In many companies, a number of different managers are responsible for management of a data breach including a) the Chief Information Security Officer; b) the Compliance Officer; c) The Head of Business Continuity Management; d) the Chief Information Officer; e) the Chief Risk Officer; f) the Chief Security Officer; sometimes g) the Head of PR and communications; h) the General Counsel; i) the Chief Privacy Officer; or j) Human Resources. Around 1 of companies do not have a person designated to handle a major 4 data breach.15

The reality is that no information system is safe. There simply is not a perfect information system anywhere. For those organizations that wish to invest in penetration testing, the results more or less always are the same — every system is vulnerable. If there is a determined effort, then any system can be broken. And since there is no invulnerable information system, and this fact is combined with the regulatory and litigation costs, it is easy to see how it cyber insurance is a boom market. At least for now.

1.1 Classification of Loss

We can divide operational losses into four classes: a)Intangible;b)Tangible; c) Operational; and d) Litigation.

Intangible.  Loss of intellectual property such as a) compromise of patents; b) illegal reproduction of copyrighted matter; or c) theft of trade secrets. These losses can have downstream effects such as competitive displacement (loss of position in the market). There also can be significant compromise of the organization’s reputation. This sometimes can have a disastrous effect on market valuation.16

Tangible.  A cyber attack can result in the real loss of goods and services.17 For example, shipment of goods might be diverted, or money might be stolen. In a more serious light, cyber attacks can compromise the physical infrastructure of a building, or other installation, e.g., nuclear power plant, resulting in extraordinary damage.18 Hacking to steal cash is a major criminal activity in cyberspace.19

Operational.  Any cyber incident is a traumatic event for IT personnel, and can be a career-ender. Systems must be restored back to working condition. There can be a number of costs for this both direct and indirect including: a) diagnosis and forensic investigation for fault- determination; b) restoration of most recent reliable backup; c) replacement of hardware that has been completely disabled; d) preservation of evidence in case of possible investigation by law enforcement; e) hiring of external consultants and others to help with clean up; and f) lost business during interruption. Post-incident actions can take weeks or even months to be finished completely.

litigation In a 15 month period during 2015 and the end of 2014, in the United States, 240 firms filed data privacy law suits and 70 firms filed data breach suits.[19] Organizations face substantial risk of litigation in several dimensions: a)Federal and State regulatory authorities who seek to impose penalties; and b) Consumers or others who file a class action suit in order to recover damages, or even potential damages; and c) Other third parties (not class of plaintiffs) who are damaged by the cyber incident. The Federal and State penalties vary greatly, but if the maximum allowable amount of penalty if reached, the results can be substantial, and even result in bankruptcy. The damages obtained in a class action suit can be devastating, and even if there is no finding of fault, simply the litigation costs in defending against these suits can be very large.

Table 3 on the next page summarizes a few of the calculations that might be made from a cyber incident for a corporation.20 Which costs are the largest will depend on the particular circumstances of the enterprise. For ex- ample, the loss of personal information such as credit card numbers, social security numbers, or addresses on customers easily can trigger a gigantic class action suit that eventually can results in very large damages.21

2 Regulatory Risk

There are three dimensions of risk from a legal and regulatory perspective. First, there is a rising threat of class action suits that attack a cyber crime victim must endure; Second, there are a number of enforcement actions at the Federal level and these actions seek to impose substantial fines;22 and Third, similar regulatory issues are found at the state level. See Table 4 on the following page.

In the past ten years, around 543 million records have been lost from over 2,800 data hacks. Approximately $13.3 billion has been lost by consumers in 2010 alone.23

In the 15 month period from the third quarter of 2013 until the third quarter of 2014, 110 class action suits were filed against 25 unique defendants, which means that companies often face multiple class action suits at the same time. Around 80% of class action suits were aimed at retailers who accounted for only 14.5% of data breaches that were publicly reported. Up to 24 different legal theories were used to justify these suits including a) negligence; b) Unfair, Deceptive or Abusive Acts and Practices (UDAP;  c) breach of contract; d) problems with data breach notification (required by Federal and State statutes); e) unfairness; f) invasion of privacy; g) unjust enrichment; and others.24

Any organization that sustains a cyber attack may find they must respond to all three risks at the same time. They can be facing a class action suit, a Federal investigation with the threat of fines, and also legal and regulatory action at the state level. Any one of these dimensions of risk can lead to debilitating costs, all three simultaneously can be a catastrophe.

It is interesting to note that Health Insurance Portability and Accountability Act (HIPAA), Fair Debt Collection Practices Act (FDCPA), Electronic Communications Privacy Act (ECPA), Video Privacy Protection Act of 1988 (VPPA), Computer Fraud And Abuse Act Reform (CFAA) and the CAN-SPAM Act of 2003 were the least used theories in these suits.

2.1 Standard of Care.

The term “standard of care” is a legal concept that is used in determining whether or not a party of negligent, and thus subject to tort action. In general, if the defendant can show that they have met a reasonable standard of care, then they are not negligent.25

In a number of FTC actions26 have resulted in settlements with corporations, and these settlements are summarized in a consent decree.27 A common element of these settlements is that the corporation recognizes a duty to establish, implement and maintain a “comprehensive privacy program” that is “reasonably designed” to address risk. This program typically includes a) designation of accountable employees; b) identification of fore- seeable risks; c) design and implementation of “reasonable privacy controls and procedures” to address reasonably foreseeable risks; and d) development and use of “reasonable steps” to retain security vendors.

A problem is that there is no clear path an organization may take to meet the necessary “standard of care”. There are a number of standards that may apply. For example, a) there may be specific laws in place that define clearly how information must be handled — examples are the HIPAA28, GLB29, and SOX30 laws in the United States; b) there may be a number of state laws that determine when a consumers or others must be notified of a cyber incident and how consumers and their information must be protected; c) there are numerous other regulations and guidelines; d) companies can use recognized industry standards; e) or they can adopt best practices that are determined by a community of their peers. In addition, there are recognized cyber security frameworks from organizations such as NIST31 and the ISO.32

2.2 Emerging Case Law.

Particularly when faced with the threat of a class action suit, many companies fold. Particularly after the legal fight that leads to a class action being “certified”,33 many companies simply give up the fight and settle. Sony settled for $15 million when its PS2 gaming platform network was compromised. St. Joseph Hospital settled for $28 million.34 Many indus- try observers argue settling is a bad idea because it simply invites further litigation.

Liability without negligence. A number of cases both decided and still sub judicae indicate a mixed message regarding potential risk going for- ward. One important trend is the more active role of the U.S. government in extracting penalties from organizations that are hit by cyber attacks. The company gets blamed. How the Federal Trade Commission (FTC) obtained its statutory authority to go after hacked companies is peculiar. In the Wyndham Worldwide case,35 it was ruled that the FTC has authority to regulate a corporation’s cyber security. This is based on the unfairness language in § 5 of the FTC act.36 At first glance it appears somewhat astounding that vague language such as “unfair” and “deceptive” can be used to open up a gigantic regulatory enforcement area in cyber litigation. In other words, a company engages in “unfair” practices when it is hacked. This appears to be blaming the victim.

There are even more surprises. The law in the United States is not settled. There is currently a disagreement between different circuits37 regarding whether or not identity theft is actionable if the plaintiffs are unable to show any harm. See Table 6. In one Federal Trade Commission (FTC) case, the Administrative Law Judge (ALJ) ruled against imposing penalties on a corporation that had been hacked because the FTC had “failed to demonstrate that consumers had suffered concrete injury from two data breaches”. Although it is a fundamental principle of jurisprudence that penalties should not be imposed if there is no demonstration of harm,38 it appears this case is being appealed, and according to experts, the ruling likely will be over-turned.39 If it is overturned, the result will be that companies will risk having large fines and penalties imposed by the FTC even if there is no showing of harm from the data breach they have suffered.

Cyber risk is challenging to understand because it has a trifecta of dimensions. First, it is based on complex technological systems that can be understood only by teams of highly-trained engineers; Second, there are a number of regulatory rules that bring about severe financial penalties for any organization that may suffer from a cyber incident; Third, the sweep-up operational costs that must be endured by a compromised organization can be vast, and have a very long tail. Losses caused by cyber incident can be substantial, but not necessarily easy to calculate. So given the regulatory and technological uncertainty, understanding the fully-loaded risks in this segment of the insurance market is difficult.

This suggest the following conclusions on the regulatory side:

  • There is a substantial risk of suffering large financial losses from penalties and tort damages even if there was no harm.
  • It might be less expensive to simply settle a suit than to fight it out in the courts and risk an even higher loss.
  • It is not necessary to be negligent or careless in order to face large penalties because there is no clear standard of duty for maintaining information systems and penalties can be imposed regardless of the cause.
  • The trend towards liability without proof of harm is troubling.

3 San Francisco earthquake 1906

The world’s insurance industry has a track record of reasonable management, stability and growth that occasionally is interrupted by surprise, chaos and near collapse. The explanations for this phenomena of always falling into a risk trap vary. But there are two inter-related phenomena that appear to have transformed the risk landscape for the insurance industry.

Urbanization. The gradual concentration of human activity into gigantic urban centers has compressed into relatively small geographic areas multiple institutions, infrastructures, and persons;

Complexity.  This urbanization has been made possible only by stellar advances in technology. But these technologies create a vast web of inter-connections and dependencies between different social and infrastructure systems. And interdependencies can be a platform for a cascade or “chain reaction” of events.

Losses keep getting larger. In 1970 they were only a few billion, but in 2010 there were economic losses of more than $400 billion of which only around $125 billion were insured.40 Nevertheless, during 2015, the insurance industry “has proven to remain functioning and stable in the midst of an often challenging economic and financial environment”.41

The earthquake that destroyed San Francisco in 1906 was a near disaster for the world’s insurance industry. There were hundreds of buildings insured for earthquake coverage. Each owner had a separate policy. Everything was compartmentalized. Like today, residents of San Francisco were prepared for a small tremor once in a while, or even some minor damage. Once in a while owners could expect some damage, but nothing terribly serious. And the insurance policies had been written with this in mind.

But in 1906 the type of event that comes along rarely visited its wrath on that fair city. First, the earthquake was so severe as to collapse both small and medium-sized buildings. Then the earth started to make even larger displacements. San Francisco had invested in much infrastructure. One improvement was the provisioning of natural gas for lighting and heat. But the movement of our earth was too great. The gas mains broke, and it did not take long for fire to break out. Pictures of the time show the horrible scale of the disaster. See Figure 3 on the following page.

Although concrete, bricks, steel and morter were being used in larger structures, the vast majority of buildings were made from the wood found in the generous forests still populating the surrounding countryside. Wood burns. The buildings burned, and burned, and burned. For all practical purposes we can say that most of San Francisco simply burned to the ground. Everything was destroyed, hundreds of dwellings and all their contents. A disaster. One of the great disasters of the century or of all time.

The Call-Chronicle-Examiner newspaper on April 19th, 1906 said it all in its headlines: “Entire City of San Francisco Danger of Being Annihilated”; “Big Business Buildings Already Consumed”; “30,000 Smaller Structures Swept Out and Remainder are Doomed”; “Panic-Stricken People Flee”; “Heartbreaking Scenes at the Pavilion”; “Loss is $200,000,000”; “San Jose is Ruined”; “Earthquake and Fire, San Francisco in Ruins”; “No Hope Left for Safety of Any Buildings”; “Whole City is Ablaze”; “Church of Saint Ignatius is Destroyed”; “Buildings are All Ruined”; “Newspaper Row is Gutted”; “Theaters Ruined”; “Residences Burning”; “Dead in Street”.42

Insurance claims. As the insurance claims started to come in, it quickly became clear that the primary carriers were going to be far over their limit. That is when the reinsurance treaties were activated. The shockwave of liability started to reverberate all the way back along the treaty chain to Munich, and Zurich, and London. The amount of damage was greater than the entire state budget of California.

Something had to be done to limit the liability and reduce the payouts. One of the first responses from the insurance community was to attempt making a distinction between earthquake insurance and fire insurance. Policyholders were told that although their earthquake insurance claims were to be honored, “they were not related to fire insurance, and would not cover damages for fire”. It seems at first the law was on their side in particular Clayburgh v. Agricultural Insurance Company of Watertown, N.Y., and Pacific Heating & Ventilating Company v. Williamsburgh City.

As can be expected, once word got around that the insurance companies were attempting to squelch on their payouts, this caused a public uproar.

The California legislature got involved. Without going into details, we can sum up the situation as follows. It soon became clear that if the involved insurance companies wanted to continue to do business in the United States, then they would have to make the payouts.43

4 Cyber Insurance

Even though premium rates are “firming”,44 the insurance sector is cautious about cyber. Michel Liès who recently retired from being the chief executive of Swiss Re stated that insurance companies were finding it difficult to understand future claims for cyber.45 Julian Enoizi of Pool Re agrees that a better model is needed to under the business of cyber insurance.The insurance broker Marsh, in the UK, has hired the former head of GCHQ46 (the British NSA) to draft a study of cyber resilience of London’s financial community.47 Nickel [33] created a high-level model of cyber risk: L = F × E × S where L is the total cyber risk losses for an insurance client; F is the frequency or number of attacks per unit of exposure; E is exposure, which interestingly is defined as the number of statt with unencrypted access to customer data; and S severity, which is defined as the average size of loss per attack. These values are surmised using a number of different attack types including a) viruses, worms trojans; b) malware; c) stolen & lost devices; d) botnets; e) web-based attacks; f) phishing & social engineering; g) malicious code; h) malicious insiders; or i) denial of service.

But this type of effort does not consider wider system effects. Major reinsurance companies are working on a Global Earthquake Model (GEM) that examines a number of inter-connected effects with “a unified framework for seismic hazard and risk modeling, data collection, and risk assessment at lo- cal to global scales”. There is no evidence of a Global Cyber-incident Model (GCM) being developed.48

Nevertheless, in spite of these cautions, protection from the cost of the effects of cyber attacks is a new form of insurance. By the end of 2014, there were at least 60 companies offering it.49 It is popular primarily in the United States and in 2016 has a gross premium income of between $2 and $3 billions dollars. This is expected to rise to more than $10 billion by 2020, and this growth in premiums represents a CAGR of more than 40% percent.50 Similar optimistic forecasts ($25 billion by 2025) have been stated by Willis Towers Watson insurance brokers.51 There are warnings, however, that many underwriters are writing premiums for cyber insurance that are “very thin”.52

Apart from caution on the part of providers, there are other barriers to cyber insurance. Many businesses state they “don’t need” coverage. Around a third think they are covered already under other policies. A tenth complain about premiums being too high. And the insurance response may not match needs. Only 18% of policies cover cyber extortion, such as through ransomware. More than half insurers and insurance agencies do not have dedicated cyber risk teams. More than ninety percent of companies offer cyber only as an endorsement on existing policies.53 See Table 7 based on Nickel [33].

Identify exposure. According to AIG,54 the first step in considering cyber insurance is identification of possible exposures. Factors to consider include:

  • Handling of confidential information. This is divided into two parts: a) Employee information or other confidential information that concerns the internal operations of the firm; and b) Client information, any information that is confidential, personal or commercial in nature.
  • Storage of information. This includes both paper and electronically-stored information. The corporate information is examined to determine what parts are controlled internally, and what, if any, parts are outsourced to vendor. This is crucial, because if one of your vendors of IT services suffers a breach of your confidential information, your corporation still is held responsible. This type of an event also will raise insurance issues, e.g., coverage for actions of third-parties.
  • The nature of the corporate web site. Content of the web site is examined to find any potential liabilities. Another important factor to examine is whether either a) employees; or b) third parties are able to upload content to the website. This would include information such as blogging, posting of pictures, or making comments on different topics. The reality is that the enterprise can sometimes be held responsible for information uploaded by third parties.

Cyber event scenarios. The compromise of corporate information can arise from either internal or external forces. Internally, your own employees might become involved in theft of information. Card skimming is an example of this type of abuse. There may be instances of negligence, for example, when an employee loses their laptop, smartphone or tablet, which contains sensitive information. And as mentioned earlier, your vendors (considered “internal”), might be the source of a compromise.55 Here a question arises regarding whether or not there is a system of indemnification between your organization and a vendor being relied upon. To determine this, the vendor contracts must be examined. Do not be surprised if the vendor’s contract has excluded the possibility of indemnification.

Externally, the organization faces a number of adversaries including individual hackers, organized crime, and even cyber espionage agents of foreign governments. Much of this activity is concerned with theft of information. Stolen customer or health records can be sold on the black market. Hackers can also send in malware to disrupt system, or to act as hidden agents for later theft of information. In the UK, for example, one satellite TV vendor destroyed the market position of a competitor by breaking their encryption, making it possible for consumers to access the competitor’s signals without paying. But for the most part, viruses and malware do harm, but without any specific benefit to the writer. External hacking can also disrupt a business, and we mentioned elsewhere, ransomware can be used to extort vast sums of money. So considering both internal and external sources of disruption, there are a number of different scenarios that an organization must be prepared for.

Getting insurance for cyber-related business interruption (BI) currently is the strongest driver of increased demand for cyber insurance. Other important coverage drivers of demand include a) Regulatory defense expense; b) Computer fraud; c) Funds transfer fraud; d) Cyber-related contingent business interruption (CBI); e) Cyber extortion; and f) Internet media liability. Insurance carriers sell a) standalone policies; as well as b) endorsement56 policies. Most cyber endorsements are written for Errors & Omissions (E&O). Other endorsements are for a) Other professional; b) Directors and officers liability insurance (D&O); c) Business-owners Policy (BOP); d) Crime; e) General Liability (GL); f) Healthcare medical malpractice; g) Lawyers professional; h) Property; and i) “other”.57

4.1 Types of Cyber Insurance Coverage

There are two types of cyber insurance coverage available: Third party and first party.

Third party. Third party coverage focuses on covering payments that must be made to third parties in case of a cyber incident. Examples of third parties include government agencies, that may impose fines; individuals who may sue in tort for the downstream effects of a cyber incident or other businesses that might be harmed by a cyber incident the organization is responsible for. A good example is a privacy event in which confidential information leaks out. There is a duty of any organization to protect confidential information, whether it is in printed form or online. Failure in this duty can lead to violation of Federal or state statutes. For example, the loss of credit card information on customers would be a violation of the Payment Card Industry Data Security Standard (PCI DSS). And as discussed elsewhere, a single incident can trigger Federal, State and consumer tort actions all at the same time.

First party. First party coverage is aimed to help the organization that has become a victim of a cyber incident. Depending on what is involved, the potential liability of the aggrieved firm might change drastically. Some of the covered items in this line of insurance might include: a) Consultation costs. Experts might be brought in to examine what has happened. Legal experts may be consulted to understand further the potential liability of the firm, and take a leadership role in crisis management. Legal counsel may well be needed to assess liability and to minimize further potential exposure to risk. b) Forensic experts might be brought in to first determine how the cyber incident occurred, and then to advise on what steps need to be taken to recover and restore the system in a way so that further damage is avoided. c) State mandates may compel the organization to notify all parties of what has happened. Depending on the numbers involved, notification can be a giant exercise, and there are many details to manage, including the precise wording of what to say, so that even further liability is not incurred. d) It may be necessary to put in place ID- or Credit-monitoring. e) Recovery must be had for lost data as systems are restored. This sometimes may mean re- creation of lost data form physical records, if there are any that can be used.

Other possible payouts might be triggered by a) Network interruptions that result in loss of income because the transactions processing capabilities of the firm are temporarily suspended. For some firms in financial services, the transactions/second rate is so great than even a few minutes of pro- cessing. b) Cyber extortion is another area where large payouts might be required.

4.2 Revisiting San Francisco

The insurance situation at this time is an exact parallel to what happened at the turn of the last century in San Francisco. Just as at that time each house and building had purchased a separate policy for earthquake insurance, so today each corporation has purchased a separate policy for its cyber insurance.

And so in the same way that the earthquake in 1906 broke the gas mains and caused a city-wide fire that burnt the city to the ground, a major cyber event will be capable of crossing over from one information system to another, and from one company to another and causing a mega-disaster of unprecedented proportions. Technology observers warn of a “cyber 9/11”.58 But they are not alone, key government leaders familiar with the financial services sector echo the same warning.59

There is little indication that chain-reaction type risks such as those encountered in the great earthquake of San Francisco in 1906 are being accounted for.60

So where does that leave us today? If these observers are correct, it suggests the following:

  • Eventually there will be a mega-cyber event that will cause unexpected and severe damage.
  • The damage will spill across into areas that are not insured or foreseen, but there is a likelihood that the insurance industry will be forced to pay out.
  • A prudent strategy would be for the insurance industry to re-check its treaty networks an build in larger payouts as a potential eventuality.
  • Studies should be undertaken to expand the types of coverage offered, and this might produce a new product line for some insurance writers.

NOTES

* Director of Scientific Intelligence, Barraclough NY LLC, 135 East 54th St 4B, New York, N.Y. 10022-4509 USA

1  Source is McCarthy [1] quoting a Europol document EU Serious and Organised Crime Threat Assessment [2].

2  Data is from Verizon, quoted by Ralph [3].

3  Reported by Stern [4] who is quoting a survey taken by PwC.

4  Reported by Scannell [5] which provides details on various clever impersonation techniques used.

5  Adapted from Balkhi [6].

6  Ransomware is a type of malware that restricts access to the infected computer system in some way, and demands that the user pay a ransom to the malware operators to remove the restriction. Some forms of ransomware systematically encrypt files on the system’s hard drive, which become difficult or impossible to decrypt without paying the ransom for the encryption key, while some may simply lock the system and display messages intended to coax the user into paying.

7  Bitcoin is a digital asset and a payment system. The system is peer-to-peer; users can transact directly without an intermediary. Transactions are verified by network nodes and recorded in a public distributed ledger called the block chain. The ledger uses bitcoin as its unit of account. The system works without a central repository or single administrator, which has led the U.S. Treasury to categorize bitcoin as a decentralized virtual currency. (Source: adapted from Wikipedia)

8 Reported by Secureworld [7]. There are also many useful statistics on malware, botnets, Spam, and other problems in a comprehensive OECD document [8].

9 Reported by Ralph [9].

10 Data from Scott and Spaniel [10] at p. 29. See also Kaminska [11] who compares ransomware to a passage in Augustine’s City of God “For what are robberies themselves, but little kingdoms?” (Book IV, Chapter 4.)

11 These government employees were left with no assistance for legal protection against foreign tort and criminal charges, as detailed by Roche [12].

12 A botnet is a number of Internet-connected computers communicating with other similar machines in which components located on networked computers communicate and coordinate their actions by command and control or by passing messages to one another. They have been used many times to send spam email or participate in distributed denial-of-service attacks. The word botnet is a combination of the words robot and network. (Source: Wikipedia)

13 See Messmer [13] who gives examples: a) Zeus, 3.6 million; b) Koobface, 2.9m; c) TidServ, 1.5m; d) Trojan.Fakeavalert, 1.4m;e) TR/Dldr.Agent.JKH, 1.2m;f) Monkif, 520,000; g) Hamweq, 480,000.

14 Reported by Stafford [14].

15 This information is paraphrased from a Ponemon Institue research report [15].

16 In the London financial market, reports of a cyber security problem with a bank had a large enough effect on reputation to lower its stock price enough to allow the bank to be taken over by another. In financial services, the price of shares for a company can be sensitive to cyber-security problems. After all, in banking, reputation for security and reliability is an important part of customer trust.

17 In the Lakisha Pettus case, it was alleged that cyber was used to divert “hundreds of thousands of dollars” of “shipments of luxury goods and jewelry to and from warehouses and stores”. See Vance [16].

18 Gugerli [17] (p. 190) writes that the insurance industry has had a difficult time in assessing the risks of nuclear power. “[I]t was almost impossible to assess their [nuclear power plants] potential risk, because there was (almost) no experience of accidents to fall back on.”

19 One hacking group stole more than $1 billion from 100 banks in a period of two years according to Viebeck [18] quoting Kaspersky Labs.

20 Based on Roche [20], but modified with information from Gerson [21].

21 See, for example, a discussion of the TJX, Inc. case in Bishop [22].

22 According to Batterman [23, p. 6] in the UK, data protection legislation can impose fines of up to £ 500,000. 23 Data is from Romanosky et al. [24]. The consumer loss data is quoting Bureau of Justice Statistics compiled by the U.S. Department of Justice [25].

24 This information is found in a report from Bryan Cave LLP http://www.bryancave.com report [26]. It is interesting to note that Health Insurance Portability and Accountability Act (HIPAA), Fair Debt Collection Practices Act (FDCPA), Electronic Communications Privacy Act (ECPA), Video Privacy Protection Act of 1988 (VPPA), Computer Fraud And Abuse Act Reform (CFAA) and the CAN-SPAM Act of 2003 were the least used theories in these suits.

25 In tort law, the standard of care is the only degree of prudence and caution required of an individual who is under a duty of care. The requirements of the standard are closely dependent on circumstances. In “Baltimore & Ohio R. Co. v. Goodman, 275 U.S. 66”. United States Reports (Supreme Court of the United States) 275: 66. October 31, 1927 it notes that “In an action for negligence, the question of due care is not left to the jury when resolved by a clear standard of conduct which should be laid down by the courts.”

26 There have been more than 70 consent decrees according to S. M. Gerson [21]. Most of the legal and regulatory discussion herein is based on Gerson’s presentation at an Infragard meeting March 21, 2016.

27 A consent decree is an agreement or settlement to resolve a dispute between two parties with- out admission of guilt (in a criminal case) or liability (in a civil case) and most often refers to such a type of settlement in the United States.

28 The Health Insurance Portability and Accountability Act of 1996 (HIPAA; Pub.L. 104–191, 110 Stat. 1936, enacted August 21, 1996) was enacted by the United States Congress and signed by President Bill Clinton in 1996.

29 The Gramm-Leach-Bliley Act requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to ex- plain their information-sharing practices to their customers and to safeguard sensitive data.

30 The Sarbanes–Oxley Act of 2002 (Pub.L. 107–204, 116 Stat. 745, enacted July 30, 2002), also known as the “Public Company Accounting Reform and Investor Protection Act” (in the Sen- ate) and “Corporate and Auditing Accountability and Responsibility Act” (in the House) and more commonly called Sarbanes–Oxley, Sarbox or SOX, is a United States federal law that set new or expanded requirements for all U.S. public company boards, management and public accounting firms. There are also a number of provisions of the Act that also apply to privately held companies, for example the willful destruction of evidence to impede a Federal investigation.

31 The National Institute of Standards and Technology (NIST) is an agency of the U.S. Department of Commerce. Recognizing that the national and economic security of the United States depends on the reliable functioning of critical infrastructure, the President issued Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, in February 2013. The Or- der directed NIST to work with stakeholders to develop a voluntary framework – based on existing standards, guidelines, and practices – for reducing cyber risks to critical infrastructure. See http://www.nist.gov/cyberframework/

32 The International Organization for Standardization (ISO) is an independent, non-governmental international organization with a membership of 162 national standards bodies. Through its members, it brings together experts to share knowledge and develop voluntary, consensus- based, market relevant International Standards that support innovation and provide solutions to global challenges. The Central Secretariat is based in Geneva, Switzerland. See http://www. iso.org

33 Class actions are governed by Rule 23 of the Federal Rules of Civil Procedure. The prerequisites must be met for a class to be certified. “One or more members of a class may sue or be sued as representative parties on behalf of all members only if: (1) the class is so numerous that joinder of all members is impracticable; (2) there are questions of law or fact common to the class; (3) the claims or defenses of the representative parties are typical of the claims or defenses of the class; and (4) the representative parties will fairly and adequately protect the interests of the class.” http://www.law.cornell.edu/rules/frcp/rule_23

34 In re Sony Gaming Networks and Customer Data Security Breach Litigation, and St. Joseph Hospital System of California. Cited by Gerson [21].

35 FTC v. Wyndham Worldwide Corp. Third Circuit.

36 Section 5 of the Federal Trade Commission Act (FTC Act), Ch. 311, §5, 38 Stat. 719, codified at 15 U.S.C. §45(a) prohibits entities from engaging in unfair or deceptive acts or practices in interstate commerce. “(1) Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful. (2) The Commission is hereby empowered and directed to prevent persons, partnerships, or corporations, [except certain specified financial and industrial sectors] from using unfair methods of competition in or affecting commerce and unfair or deceptive acts or practices in or affecting commerce.” According to the IT Law Wiki “In the data security context, the Commission has challenged the failure to implement reasonable safeguards to protect the privacy of consumer information, where the failure causes substantial injury without offsetting benefits, as an unfair practice.” See http://itlaw.wikia.com/wiki/Section_5_of_the_FTC_Act.

37 The term “circuit court” refers to different appellate courts in the United States. There are 11 circuits and each circuit covers a number of states in a region. If there is disagreement between rulings in different circuits, then eventually the issue will be decided by the Supreme Court.

38 See comments of Patricia M. Wagner of Epstein Becker & Green, PC [23, p. 11] “In terms of damages related to the plantiffs in the litigation, there should be actual demonstrated harm. Theoretical or potential for harm is not sufficient.”

39 The case is In re LabMD, Inc. Observations are from Gerson [21].

40 See Figure 2 in the Global Reinsurance Forum report [27]. 41 Comments from the International Association of Insurance Supervisors [28] who also note that a) there is increased competition; b) premiums have come under pressure for non-life insurers and reinsurers in the commercial lines, property and catastrophe markets; c) investment yields for (re)insurers have declined slightly; d) there has been a “surge of mergers and acquisitions (M&As); “more than 10 percent of the global reinsurance industry is currently involved in major mergers activity”.

42 The newspaper is digitized by the National Endowment for the Humanities; http:// chroniclingamerica.loc.gov/lccn/sn82015732/issues/.

43 See extensive discussion by James [29].

44 According to Swiss Re [30, p. 14].

45 Quoted by Atkins [31] who noted that reinsurance accounts for 85% of Swiss Re’s revenues. Swiss Re has found that “the premium income was not significant” from cyber and recommended being “massively selective” in choosing which policies to write or treaties to accept.

46 Government Communications Headquarters (UK) http://www.gchq.gov.uk/.

47 Reported by Ralph [32]. One motivator for the move was that in January 2016 HSBC’s personal banking and mobile applications were brought down by a cyber attack, raising questions about the entire sector.

48 See details on the GEM initiative in the report of the Global Reinsurance Forum [27, p. 28]. Perhaps a few cyber earthquakes need to occur before the reinsurance industry begins to study the issue in the same level of depth as they do earthquakes.

49 Higgins [34].

50 Similar data is quoted by Ralph [3]. This also is the source of the information on Pool Re mentioned above.

51 Quoted by Ralph [35].

52 Freeman [36, p. 4], “Insurers wrote layers of major retailers at minimum premiums that now look thin to say the least.” Her analysis contains a detailed look at the Target incident. “The company reported $61 million pretax expenses related to the breach, but expected $44 million in cyber insurance payments against this figure. . . . [it is] estimated that the total exposure to Target could be $450–$500”.

53 Data is from Stubel [37] citing a study from Hanover Research [38].

54 See presentation of Saeed [39].

55 Swiss Re writes “A large insurer typically needs to deal with hundreds of third-party partners across dozens of countries, and the IT systems of these partners can be vulnerable to security breaches.” [30, p. 24].

56 An endorsement is a written document attached to an insurance policy that modifies the policy by changing the coverage afforded under the policy. Insurance endorsements are important additions to an insurance policy.

57 This data comes from a survey done by PartnerRe [40].

58 Naughton [41] who writes “There is another, deeper, fear – that the mysterious botnets that have been assembled by the merchants of malware may one day be used in some co-ordinated way to engineer a massive global event — cyberspace’s equivalent of 9/11, if you will.”

59 See comments of Ben Lawsky, head of the New York Department of Financial Services, quoted by Viebeck [18].

60 See David Gugerli’s discussion [17] of the effects on the insurance industry of the 1906 earthquake.

References

[1] Thomas McCarthy. Briefing on cyber security. Private briefing for Infragard, March 21 2016. McCarthy is the Principal Security Consultant for Nuix.com nuix.com.

[2] European Policy Office. The eu serious and organised crime threat assessment (socta). Technical report, Europol, The Hague, Netherlands, 2013.

[3] Oliver Ralph. Pool Re should ‘evolve’ to cover cyber attacks and pandemics. Financial Times, February 22 2016.

[4] Stefan Stern. Ceo email scam is wake-up call for boards. Financial Times, March 16 2016.

[5] Kara Scannell. Cyber crime: How companies are hit by email scams. Financial Times, February 24 2016.

[6] Syed Balkhi. 25 biggest cyber attacks in history. List 25 Blog, May 6 2013.

[7] SecureWorld Post. Fbi warns of increasing ransomware attacks. Databreach Today Reports, March 13 2016. https://www. secureworldexpo.com/fbi- warns- increasing- ransomware- attacks.

[8] OECD Working Party on Information Security and Privacy (WPISP). Computer viruses and other malicious software – a threat to the internet economy. Technical report, Organisation for Economic Co- operation and Development, Paris, 2009.

[9] Oliver Ralph. Malicious attacks account for bulk of data loss. Financial Times, March 8 2016.

[10] James Scott and Drew Spaniel. The ICIT ransomware report – 2016 will be the year ransomware holds America hostage. Technical report, Institute for Critical Infrastructure Technology, Washington, D.C., 2016. http://www.icitech.org.

[11] Izabella Kaminska. On the economic power of ransom. Financial Times, March 9 2016. FTAlphaville Blog.

[12] Edward M. Roche. When the intelligence community is exposed – the U.S. must protect its employees from foreign lawsuits. The Washington Times, August 31 2015.

[13] Ellen Messmer. America’s 10 most wanted botnets. Network World, July 22 2009.

[14] Philip Stafford. BoE set to review market risk managers. Financial Times, March 6 2016.

[15] Ponemon Institute LLC. Is your company ready for a big data breach? Second Annual Study on Data Breach Preparedness, September 2014. http://www.experian.com/assets/data-breach/brochures/ 2014- ponemon- 2nd- annual- preparedness.pdf.

[16] Cyrus R. Vance Jr. Lakisha Pettus indicted for intercepting deliveries of designer clothes and products. Press Release from the New York County District Attorney, January 7 2016.

[17] David Gugerli. The Value of Risk: Swiss Re and the History of Reinsurance, chapter Reinsurance Comes into Its Own 1860-1960, pages 147–236. Oxford University Press, Oxford, United Kingdom, first edition, 2013. See pps. 168-171 for details on the San Francisco earthquake of 1906.

[18] Elise Viebeck. Wall street regulator warns of ‘cyber 9/11’. The Hill, February 26 2015.

[19] Scott Flaherty. Cyber litigation: The next big thing? The American Lawyer, January 1 2016.

[20] Edward M. Roche. Internet and computer related crime: Economic and other harms to organizational entities. Mississippi Law Journal, 76:639– 665, 2006-2007.

[21] Stuart M. Gerson. Legal aspects of cyber insurance. Private briefing for Infragard, March 21 2016. The author is at the law firm Epstein Becker & Green, P.C. in Washington, D.C. and New York City.

[22] Derek A. Bishop. No harm no foul: Limits on damages awards for individuals subject to a data breach. Shidler Journal of Law Communications and Technology, 2008.

[23] Herbert Smith Freehill. Data protection and cyber security litigation. Corporate Disputes, October-December 2015.

[24] Sasha Romanosky, David Hoffman, and Alessandro Acquisti. Empirical analysis of data breach litigation. Journal of Empirical Legal Studies, 11(1):74–104, March 2014.

[25] Bureau of Justice Statistics. Identity theft reported by households, 2005– 2010. Technical report, U.S. Department of Justice, Washington, D.C., 2011.

[26] Josh Zeetoony, David; James. 2015 data breach litigation report. Technical report, Bryan Cave LLP, n.d. references 19

[27] Global Reinsurance Forum. Global reinsurance: strengthening disaster risk resilience. Technical report, The Geneva Association, Basel, September 2014. http://www.grf.info.

[28] Macroprudential Policy and Surveillance Working Group (MPSWG). 2015 global insurance market report (gimar). Technical report, International Association of Insurance Supervisors, Basel, January 6 2016.

[29] Robert A. James. Six bits or bust: Insurance litigation over the 1906 San Francisco earthquake and fire. Western Legal History, 24(2):1– 39, Summer/Fall 2011. Available at https://www.pillsburylaw.com/ siteFiles/Publications/SixBitsorBustInsuranceLitigation.pdf.

[30] Kurt Karl, Thomas Holzheu, Clarence Wong, and Paul Ronke. Global insurance review 2015 and outlook 2016/17. Technical report, Swiss Re, Zurich, 2015.

[31] Ralph Atkins. Swiss Re chief cautions on cyber security risks. Financial Times, February 23 2016.

[32] Oliver Ralph. Former spymaster to help fight City cyber crime. Financial Times, February 11 2016.

[33] Loren Nickel. Cyber risk analytics. In Miscellaneous Papers. Southern California Casualty Actuarial Club, May 15 2014.

[34] Kelly Jackson Higgins. Cyberinsurance resurges in the wake of mega-breaches. Information Week Dark Reading, October 2 2014.

[35] Oliver Ralph. Safe drivers offered pizza and films by insurers. Financial Times, February 22 2016.

[36] Emily Freeman. State of the cyber insurance market – ten lessons learned from major retailer breaches. Technical report, Lockton Companies, San Francisco, August 2014.

[37] Shiela Strubel. Here’s why you arn’t selling more cyber insurance. Weekly Industry News blog, November 12 2014. http://www.piawest.com/ blogpost/1199781/202434/.

[38] Market Insight Center. Cyber insurance survey prepared for iso. Technical report, Hanover Research, November 2014. http://www.verisk. com/downloads/emerging- issues/cyber- survey.pdf.

[39] Shiraz Saeed. Briefing on cyber insurance. Private briefing for Infragard, March 21 2016. The presenter is a product specialist for cyber liability at AIG Property Casualty.

[40] Advisen Ltd. Cyber liability insurance market trends: survey. White Paper, October 2015. partnerre.com.

[41] John Naughton. The cyberplague that threatens an internet armageddon. The Guardian, April 30 2011.

 

Advertisements