* Director of Scientific Intelligence, Barraclough NY LLC, 135 East 54th St 4B, New York, N.Y. 10022-4509 USA
1 Source is McCarthy [1] quoting a Europol document EU Serious and Organised Crime Threat Assessment [2].
2 Data is from Verizon, quoted by Ralph [3].
3 Reported by Stern [4] who is quoting a survey taken by PwC.
4 Reported by Scannell [5] which provides details on various clever impersonation techniques used.
5 Adapted from Balkhi [6].
6 Ransomware is a type of malware that restricts access to the infected computer system in some way, and demands that the user pay a ransom to the malware operators to remove the restriction. Some forms of ransomware systematically encrypt files on the system’s hard drive, which become difficult or impossible to decrypt without paying the ransom for the encryption key, while some may simply lock the system and display messages intended to coax the user into paying.
7 Bitcoin is a digital asset and a payment system. The system is peer-to-peer; users can transact directly without an intermediary. Transactions are verified by network nodes and recorded in a public distributed ledger called the block chain. The ledger uses bitcoin as its unit of account. The system works without a central repository or single administrator, which has led the U.S. Treasury to categorize bitcoin as a decentralized virtual currency. (Source: adapted from Wikipedia)
8 Reported by Secureworld [7]. There are also many useful statistics on malware, botnets, Spam, and other problems in a comprehensive OECD document [8].
9 Reported by Ralph [9].
10 Data from Scott and Spaniel [10] at p. 29. See also Kaminska [11] who compares ransomware to a passage in Augustine’s City of God “For what are robberies themselves, but little kingdoms?” (Book IV, Chapter 4.)
11 These government employees were left with no assistance for legal protection against foreign tort and criminal charges, as detailed by Roche [12].
12 A botnet is a number of Internet-connected computers communicating with other similar machines in which components located on networked computers communicate and coordinate their actions by command and control or by passing messages to one another. They have been used many times to send spam email or participate in distributed denial-of-service attacks. The word botnet is a combination of the words robot and network. (Source: Wikipedia)
13 See Messmer [13] who gives examples: a) Zeus, 3.6 million; b) Koobface, 2.9m; c) TidServ, 1.5m; d) Trojan.Fakeavalert, 1.4m; e) TR/Dldr.Agent.JKH, 1.2m; f) Monkif, 520,000; g) Hamweq, 480,000.
14 Reported by Stafford [14].
15 This information is paraphrased from a Ponemon Institute research report [15].
16 In the London financial market, reports of a cyber security problem with a bank had a large enough effect on reputation to lower its stock price enough to allow the bank to be taken over by another. In financial services, the price of shares for a company can be sensitive to cyber-security problems. After all, in banking, reputation for security and reliability is an important part of customer trust.
17 In the Lakisha Pettus case, it was alleged that cyber was used to divert “hundreds of thousands of dollars” of “shipments of luxury goods and jewelry to and from warehouses and stores”. See Vance [16].
18 Gugerli [17] (p. 190) writes that the insurance industry has had a difficult time in assessing the risks of nuclear power. “[I]t was almost impossible to assess their [nuclear power plants] potential risk, because there was (almost) no experience of accidents to fall back on.”
19 One hacking group stole more than $1 billion from 100 banks in a period of two years according to Viebeck [18] quoting Kaspersky Labs.
20 Based on Roche [20], but modified with information from Gerson [21].
21 See, for example, a discussion of the TJX, Inc. case in Bishop [22].
22 According to Batterman [23, p. 6] in the UK, data protection legislation can impose fines of up to £500,000.
23 Data is from Romanosky et al. [24]. The consumer loss data is quoting Bureau of Justice Statistics compiled by the U.S. Department of Justice [25].
24 This information is found in a report from Bryan Cave LLP http://www.bryancave.com report [26]. It is interesting to note that Health Insurance Portability and Accountability Act (HIPAA), Fair Debt Collection Practices Act (FDCPA), Electronic Communications Privacy Act (ECPA), Video Privacy Protection Act of 1988 (VPPA), Computer Fraud And Abuse Act Reform (CFAA) and the CAN-SPAM Act of 2003 were the least used theories in these suits.
25 In tort law, the standard of care is the only degree of prudence and caution required of an individual who is under a duty of care. The requirements of the standard are closely dependent on circumstances. In Baltimore & Ohio R. Co. v. Goodman, 275 U.S. 66 (United States Reports, Supreme Court of the United States, October 31, 1927), the Court notes that “In an action for negligence, the question of due care is not left to the jury when resolved by a clear standard of conduct which should be laid down by the courts.”
26 There have been more than 70 consent decrees according to S. M. Gerson [21]. Most of the legal and regulatory discussion herein is based on Gerson’s presentation at an Infragard meeting March 21, 2016.
27 A consent decree is an agreement or settlement to resolve a dispute between two parties without admission of guilt (in a criminal case) or liability (in a civil case) and most often refers to such a type of settlement in the United States.
28 The Health Insurance Portability and Accountability Act of 1996 (HIPAA; Pub.L. 104–191, 110 Stat. 1936, enacted August 21, 1996) was enacted by the United States Congress and signed by President Bill Clinton in 1996.
29 The Gramm-Leach-Bliley Act requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data.
30 The Sarbanes–Oxley Act of 2002 (Pub.L. 107–204, 116 Stat. 745, enacted July 30, 2002), also known as the “Public Company Accounting Reform and Investor Protection Act” (in the Senate) and “Corporate and Auditing Accountability and Responsibility Act” (in the House) and more commonly called Sarbanes–Oxley, Sarbox or SOX, is a United States federal law that set new or expanded requirements for all U.S. public company boards, management and public accounting firms. A number of provisions of the Act also apply to privately held companies, for example the willful destruction of evidence to impede a Federal investigation.
31 The National Institute of Standards and Technology (NIST) is an agency of the U.S. Department of Commerce. Recognizing that the national and economic security of the United States depends on the reliable functioning of critical infrastructure, the President issued Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, in February 2013. The Order directed NIST to work with stakeholders to develop a voluntary framework – based on existing standards, guidelines, and practices – for reducing cyber risks to critical infrastructure. See http://www.nist.gov/cyberframework/
32 The International Organization for Standardization (ISO) is an independent, non-governmental international organization with a membership of 162 national standards bodies. Through its members, it brings together experts to share knowledge and develop voluntary, consensus-based, market relevant International Standards that support innovation and provide solutions to global challenges. The Central Secretariat is based in Geneva, Switzerland. See http://www.iso.org
33 Class actions are governed by Rule 23 of the Federal Rules of Civil Procedure. The prerequisites must be met for a class to be certified. “One or more members of a class may sue or be sued as representative parties on behalf of all members only if: (1) the class is so numerous that joinder of all members is impracticable; (2) there are questions of law or fact common to the class; (3) the claims or defenses of the representative parties are typical of the claims or defenses of the class; and (4) the representative parties will fairly and adequately protect the interests of the class.” http://www.law.cornell.edu/rules/frcp/rule_23
34 In re Sony Gaming Networks and Customer Data Security Breach Litigation, and St. Joseph Hospital System of California. Cited by Gerson [21].
35 FTC v. Wyndham Worldwide Corp. Third Circuit.
36 Section 5 of the Federal Trade Commission Act (FTC Act), Ch. 311, §5, 38 Stat. 719, codified at 15 U.S.C. §45(a) prohibits entities from engaging in unfair or deceptive acts or practices in interstate commerce. “(1) Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful. (2) The Commission is hereby empowered and directed to prevent persons, partnerships, or corporations, [except certain specified financial and industrial sectors] from using unfair methods of competition in or affecting commerce and unfair or deceptive acts or practices in or affecting commerce.” According to the IT Law Wiki “In the data security context, the Commission has challenged the failure to implement reasonable safeguards to protect the privacy of consumer information, where the failure causes substantial injury without offsetting benefits, as an unfair practice.” See http://itlaw.wikia.com/wiki/Section_5_of_the_FTC_Act.
37 The term “circuit court” refers to different appellate courts in the United States. There are 11 circuits and each circuit covers a number of states in a region. If there is disagreement between rulings in different circuits, then eventually the issue will be decided by the Supreme Court.
38 See comments of Patricia M. Wagner of Epstein Becker & Green, PC [23, p. 11]: “In terms of damages related to the plaintiffs in the litigation, there should be actual demonstrated harm. Theoretical or potential for harm is not sufficient.”
39 The case is In re LabMD, Inc. Observations are from Gerson [21].
40 See Figure 2 in the Global Reinsurance Forum report [27].
41 Comments from the International Association of Insurance Supervisors [28] who also note that a) there is increased competition; b) premiums have come under pressure for non-life insurers and reinsurers in the commercial lines, property and catastrophe markets; c) investment yields for (re)insurers have declined slightly; d) there has been a “surge of mergers and acquisitions (M&As)”; “more than 10 percent of the global reinsurance industry is currently involved in major mergers activity”.
42 The newspaper is digitized by the National Endowment for the Humanities; http://chroniclingamerica.loc.gov/lccn/sn82015732/issues/.
43 See extensive discussion by James [29].
44 According to Swiss Re [30, p. 14].
45 Quoted by Atkins [31] who noted that reinsurance accounts for 85% of Swiss Re’s revenues. Swiss Re has found that “the premium income was not significant” from cyber and recommended being “massively selective” in choosing which policies to write or treaties to accept.
46 Government Communications Headquarters (UK) http://www.gchq.gov.uk/.
47 Reported by Ralph [32]. One motivator for the move was that in January 2016 HSBC’s personal banking and mobile applications were brought down by a cyber attack, raising questions about the entire sector.
48 See details on the GEM initiative in the report of the Global Reinsurance Forum [27, p. 28]. Perhaps a few cyber earthquakes need to occur before the reinsurance industry begins to study the issue in the same level of depth as they do earthquakes.
49 Higgins [34].
50 Similar data is quoted by Ralph [3]. This also is the source of the information on Pool Re mentioned above.
51 Quoted by Ralph [35].
52 Freeman [36, p. 4], “Insurers wrote layers of major retailers at minimum premiums that now look thin to say the least.” Her analysis contains a detailed look at the Target incident. “The company reported $61 million pretax expenses related to the breach, but expected $44 million in cyber insurance payments against this figure. . . . [it is] estimated that the total exposure to Target could be $450–$500”.
53 Data is from Stubel [37] citing a study from Hanover Research [38].
54 See presentation of Saeed [39].
55 Swiss Re writes “A large insurer typically needs to deal with hundreds of third-party partners across dozens of countries, and the IT systems of these partners can be vulnerable to security breaches.” [30, p. 24].
56 An endorsement is a written document attached to an insurance policy that modifies the policy by changing the coverage afforded under the policy. Insurance endorsements are important additions to an insurance policy.
57 This data comes from a survey done by PartnerRe [40].
58 Naughton [41] who writes “There is another, deeper, fear – that the mysterious botnets that have been assembled by the merchants of malware may one day be used in some co-ordinated way to engineer a massive global event — cyberspace’s equivalent of 9/11, if you will.”
59 See comments of Ben Lawsky, head of the New York Department of Financial Services, quoted by Viebeck [18].
60 See David Gugerli’s discussion [17] of the effects on the insurance industry of the 1906 earthquake.
References
[1] Thomas McCarthy. Briefing on cyber security. Private briefing for Infragard, March 21 2016. McCarthy is the Principal Security Consultant for Nuix.com nuix.com.
[2] European Police Office. The EU Serious and Organised Crime Threat Assessment (SOCTA). Technical report, Europol, The Hague, Netherlands, 2013.
[3] Oliver Ralph. Pool Re should ‘evolve’ to cover cyber attacks and pandemics. Financial Times, February 22 2016.
[4] Stefan Stern. CEO email scam is wake-up call for boards. Financial Times, March 16 2016.
[5] Kara Scannell. Cyber crime: How companies are hit by email scams. Financial Times, February 24 2016.
[6] Syed Balkhi. 25 biggest cyber attacks in history. List 25 Blog, May 6 2013.
[7] SecureWorld Post. FBI warns of increasing ransomware attacks. Databreach Today Reports, March 13 2016. https://www.secureworldexpo.com/fbi-warns-increasing-ransomware-attacks.
[8] OECD Working Party on Information Security and Privacy (WPISP). Computer viruses and other malicious software – a threat to the internet economy. Technical report, Organisation for Economic Co-operation and Development, Paris, 2009.
[9] Oliver Ralph. Malicious attacks account for bulk of data loss. Financial Times, March 8 2016.
[10] James Scott and Drew Spaniel. The ICIT ransomware report – 2016 will be the year ransomware holds America hostage. Technical report, Institute for Critical Infrastructure Technology, Washington, D.C., 2016. http://www.icitech.org.
[11] Izabella Kaminska. On the economic power of ransom. Financial Times, March 9 2016. FTAlphaville Blog.
[12] Edward M. Roche. When the intelligence community is exposed – the U.S. must protect its employees from foreign lawsuits. The Washington Times, August 31 2015.
[13] Ellen Messmer. America’s 10 most wanted botnets. Network World, July 22 2009.
[14] Philip Stafford. BoE set to review market risk managers. Financial Times, March 6 2016.
[15] Ponemon Institute LLC. Is your company ready for a big data breach? Second Annual Study on Data Breach Preparedness, September 2014. http://www.experian.com/assets/data-breach/brochures/2014-ponemon-2nd-annual-preparedness.pdf.
[16] Cyrus R. Vance Jr. Lakisha Pettus indicted for intercepting deliveries of designer clothes and products. Press Release from the New York County District Attorney, January 7 2016.
[17] David Gugerli. The Value of Risk: Swiss Re and the History of Reinsurance, chapter Reinsurance Comes into Its Own 1860–1960, pages 147–236. Oxford University Press, Oxford, United Kingdom, first edition, 2013. See pp. 168–171 for details on the San Francisco earthquake of 1906.
[18] Elise Viebeck. Wall street regulator warns of ‘cyber 9/11’. The Hill, February 26 2015.
[19] Scott Flaherty. Cyber litigation: The next big thing? The American Lawyer, January 1 2016.
[20] Edward M. Roche. Internet and computer related crime: Economic and other harms to organizational entities. Mississippi Law Journal, 76:639–665, 2006–2007.
[21] Stuart M. Gerson. Legal aspects of cyber insurance. Private briefing for Infragard, March 21 2016. The author is at the law firm Epstein Becker & Green, P.C. in Washington, D.C. and New York City.
[22] Derek A. Bishop. No harm no foul: Limits on damages awards for individuals subject to a data breach. Shidler Journal of Law Communications and Technology, 2008.
[23] Herbert Smith Freehill. Data protection and cyber security litigation. Corporate Disputes, October-December 2015.
[24] Sasha Romanosky, David Hoffman, and Alessandro Acquisti. Empirical analysis of data breach litigation. Journal of Empirical Legal Studies, 11(1):74–104, March 2014.
[25] Bureau of Justice Statistics. Identity theft reported by households, 2005– 2010. Technical report, U.S. Department of Justice, Washington, D.C., 2011.
[26] David Zeetoony and Josh James. 2015 data breach litigation report. Technical report, Bryan Cave LLP, n.d.
[27] Global Reinsurance Forum. Global reinsurance: strengthening disaster risk resilience. Technical report, The Geneva Association, Basel, September 2014. http://www.grf.info.
[28] Macroprudential Policy and Surveillance Working Group (MPSWG). 2015 Global Insurance Market Report (GIMAR). Technical report, International Association of Insurance Supervisors, Basel, January 6 2016.
[29] Robert A. James. Six bits or bust: Insurance litigation over the 1906 San Francisco earthquake and fire. Western Legal History, 24(2):1–39, Summer/Fall 2011. Available at https://www.pillsburylaw.com/siteFiles/Publications/SixBitsorBustInsuranceLitigation.pdf.
[30] Kurt Karl, Thomas Holzheu, Clarence Wong, and Paul Ronke. Global insurance review 2015 and outlook 2016/17. Technical report, Swiss Re, Zurich, 2015.
[31] Ralph Atkins. Swiss Re chief cautions on cyber security risks. Financial Times, February 23 2016.
[32] Oliver Ralph. Former spymaster to help fight City cyber crime. Financial Times, February 11 2016.
[33] Loren Nickel. Cyber risk analytics. In Miscellaneous Papers. Southern California Casualty Actuarial Club, May 15 2014.
[34] Kelly Jackson Higgins. Cyberinsurance resurges in the wake of mega-breaches. Information Week Dark Reading, October 2 2014.
[35] Oliver Ralph. Safe drivers offered pizza and films by insurers. Financial Times, February 22 2016.
[36] Emily Freeman. State of the cyber insurance market – ten lessons learned from major retailer breaches. Technical report, Lockton Companies, San Francisco, August 2014.
[37] Shiela Strubel. Here’s why you aren’t selling more cyber insurance. Weekly Industry News blog, November 12 2014. http://www.piawest.com/blogpost/1199781/202434/.
[38] Market Insight Center. Cyber insurance survey prepared for ISO. Technical report, Hanover Research, November 2014. http://www.verisk.com/downloads/emerging-issues/cyber-survey.pdf.
[39] Shiraz Saeed. Briefing on cyber insurance. Private briefing for Infragard, March 21 2016. The presenter is a product specialist for cyber liability at AIG Property Casualty.
[40] Advisen Ltd. Cyber liability insurance market trends: survey. White Paper, October 2015. partnerre.com.
[41] John Naughton. The cyberplague that threatens an internet armageddon. The Guardian, April 30 2011.