Introduction

Cyber attacks

Best practices

NAIC principles for effective cybersecurity

After a breach

Summary

|

Introduction

 Let's start at the beginning. Over the past forty years or so, computers have become a critical part of business and society as a whole. Billions of records are stored in retail, banking, insurance, medical, education, and other systems, and many of these records contain personal information including dates of birth, social security numbers, credit card numbers, bank account numbers, and other identifying or personal information. Social media accounts are popular places for people to post ideas, information, and pictures, some of which may be embarrassing when made known to certain other parties. In the wrong hands, this information can be used to create false identities, steal funds from the owners of the information, and make private, personal information public. Companies could be held for ransom in order to access their own data or prevent proprietary information and trade secrets from being disseminated through the internet.

 There are a variety of ways computers can be attacked. Hacking is a general term used for any attempt to gain unauthorized access to data in a system; once in the system an individual may view, copy, alter, erase, or otherwise manipulate the data stored in the system. The hacker may just steal information or can store a virus that erases information causing significant harm to a company.

 Phishing is often directed towards individuals and is when someone tries to get an individual to voluntarily give up information such as bank account numbers. The Nigerian scam is now well-known but has moved to smart phones now and has changed from someone trying to hide funds from authorities from saying the owner of the account has been robbed in a vacation or foreign locale and needs money wired in order to settle hotel expenses so they can leave. Criminals may install keystroke loggers on computers in cybercafés and then use an individual's account to contact friends with the scam while posing as the person whose information was stolen.

 A data breach is the unintentional disclosure of personal identifying information of customers or clients from loss or theft of digital or printed information. The theft of a company laptop can lead to a data breach, as can improper disposal of records. This unauthorized exposure can lead to identity theft, tax, medical, or financial fraud and theft.

 A security incident is when the company's security system has been compromised. Service may be denied to the owner, intellectual property or corporate information may be stolen or held for ransom, or business may simply be disrupted for a period of time. A disruption of an online retailer over Thanksgiving weekend could cause serious financial losses for the company.

 Privacy violations are a little different. They involve the unauthorized collection, use, or sharing of personal information. Once collected the information may be sold to others to use for unwanted solicitations, mass marketing campaigns, or the creation of fraudulent identities for loans and purchases. Data can be collected from cell phones, GPS devices, cookies, or web tracking.

 Malware is hostile or intrusive software, designed to spread viruses or bad code, steal information, extort payment, or track activity on the sly with malicious intent. It may attach itself to executable files so that it can spread itself through the company's and even customer's systems. Ransomware is a particular type of malware that blocks use of the system until money is paid to the ransomer.

 A botnet is an interconnected network of computers that have been infected with malware unknown to the user's knowledge. The cybercriminal, or botnet herder as they are sometimes called, will use the network of infected computers to send spam emails, transmit viruses, or cause a distributed denial of service attack (DDoS), which targets a specific system, overwhelming it and causing it to malfunction or shut down. In a DDoS millions of systems will try to access a particular site or sites at the same time, causing them to shut down. Because of the Internet of Things, it is possible to connect almost any device to the Internet and help cause a DDoS.

 Cyber Attacks

 There is a wide variety of research showing frequent and expensive cyber attacks. One study shows that one-third of targeted cyber attacks aiming to breach corporate cyber defenses are successful while another study shows that 90 percent of U.S. organizations had one malware-related attack in the past twelve months, and 63 percent had a ransomware attack. Yet another states that an organization will have more than one hundred attacks a year with one in three being successful. Another statistic shows that the average organization receives 1,400 cyber-attacks in one week. Businesses spend approximately $84 billion annually to defend against such attacks that cost $2 trillion. It takes most organizations months to detect such breaches, with 98 percent being discovered by employees outside the security team. Sixty-two percent of all cyber-attacks are targeting small to mid-sized business, at the rate of 4,000 a day. Many small businesses do not survive these attacks. The White House has called such threats "among the gravest national security dangers to the United States."

 A survey of 500 United Kingdom business leaders showed that for the year ending March 2016, cyber incidents had cost companies more than 34 billion pounds. Data theft cost 6.2 billion pounds while malware cost 7.5 billion, and 13 percent stated that their IT infrastructure was harmed by viruses in the past twelve months.

 The average data breach involves between 5,125 and 101,520 records. The average cost of breaches of less than 10,000 records is nearly $5 million, with breaches of over 50,000 records have an average cost of $13 million.

 Anyone can be hacked. In 2014 Target reported a credit card breach of 40 million files, which ultimately ended up being 70 million credit and debit card files. In 2015 Ashley Madison reported a breach of 37 million users, and Anthem, the second largest health insurer, reported a breach of 80 million files; both of these breaches involved identifying personal information. While Yahoo was breached in 2014, it only recently announced that at least 500 million users account credentials, including names, emails, phone numbers, birthdays, hashed passwords, and some security questions and answers were stolen. This makes it the largest breach of all time. There are many, many more breaches. For an infographic, go to: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/ to view breaches by date and number of files stolen.

 Best Practices

 A 2013 presidential order included directions to the National Institute for Standards and Technology (NIST) to develop a framework that would act as an authoritative source for information security best practices. This framework is a voluntary, risk-based tool that includes industry standards and best practices to help organizations manage cyber risks. The framework can be applied and used by organizations of any size.

 The framework has three main components: the core, implementation tiers, and a profile. The core has four elements: functions, categories, subcategories, and informative references. Under functions, the high level needs of basic cybersecurity are identified. They are identify, protect, respond, and recover. Once a risk is identified, a method of protection must be put in place; if a breach occurs, there must be a plan as to how to respond and then recover. Proper response can reduce losses and impact on the system as a whole.

 Identification includes asset management, business environment, and risk management. Protection involves access control, awareness and training, data security, maintenance, and protective technology. Detection is just that, detection, where anomalies and events are caught—there is continuous monitoring in order to detect issues, and specific detection processes exist. Under respond there must be plans to respond to any breaches, communications, analysis as to what happened and what was exposed or breached, and mitigation of the situation. Recovery includes recovery planning, improvements, and communications.

 Categories are subdivisions of a function into groups of outcomes tied to programmatic needs and activities. Categories may include asset management, access control, and detection processes. Each element under the core further refines the processes and needs for data security. Asset management will focus on data, personnel, devices, and equipment that allows the business to operate towards its objectives, bearing in mind its risk strategy. The business environment includes the overall mission, objectives, stakeholders, and activities that must be understood and prioritized in order to establish cybersecurity roles, responsibilities, and risk management decisions. Risk assessment allows the organization to review it systems and possible weaknesses and determine what strategy must be used in order to protect data assets.

 Subcategories further divide a category into specific outcomes of technical or management activities, providing a set of results that helps achieve the desired outcomes of the various categories. A subcategory could be that external information systems are cataloged or that data-at-rest is protected; these subcategories function under access control in order to protect the data.

 Informative references are sections of various NIST and other standards, guidelines, and practices common among critical infrastructure sectors that provide a method to achieve the desired outcomes of each subcategory. For details see NIST Cybersecurity Framework. 

 This is somewhat daunting for best practices. There are some succinct best practices that provide a good start to setting up data security. These may be better suited to small or medium sized companies, which also happen to be prime targets for hackers. They do not have extravagant budgets for IT protection, so are considered easy targets. First, corporate security policies need to be established and given to all employees; it is critical that all employees thoroughly understand the policies. Many, many breaches occur due to an employee error.

 Second, train employees in key areas, and retrain periodically. Training should cover acceptable use, password policies, and defenses against social engineering and phishing attacks. Attacks change over time and what was current when training was first conducted is no longer used and a new, different attack method may be prevalent. Employees need to be kept up to date on current system threats. Having passwords that automatically expire ensures that passwords are changed regularly. Most breaches happen behind the firewall, and it is usually an employee mistake. Employees may surf sketchy websites at lunch or open suspect emails. Training on how to detect such suspicious emails, and what sites are allowed, is vital to keeping records and data safe. Employees need to know to delete anything suspicious without opening it. Cyber protection belongs with all employees, not just the IT department. With many breaches stemming from an employee mistake, employee engagement and training is essential. Employees also need to be screened in order to reduce the risk of a malicious insider.

 Records and confidential data should be encrypted in order to keep it secure. Encryption can be hardware or software based. Hardware encryption works by a dedicated processor on the hardware device, while software encryption involves the installation of software onto the system to encrypt and decrypt the data as needed.

 Backups should be performed frequently and regularly; continuous backups are best, but daily backups are the bare minimum. A process to re-image the system should be on hand should the system be attacked and made inaccessible. The reimaging system should be tested with a current backup to ensure that the backup/restore process works. With this, if the system is infected with malware or ransomware the system can be wiped and restored with the latest backup so the insured is not trapped by a cyber-extortionist.

 The network behind the firewall needs to be protected. By using network access control, an insured can block rogue access and manage the dilemma of individuals bringing in other devices and plugging into the network unauthorized, or even using company issued portable devices that may have been corrupted. Mobile devices need to be protected from viruses and malware. The security software should be used to scan all USB and other external devices.

 A business continuity and incident response plan needs to be in place in case of a breach. Security software must be kept current. Insurance is important in order to recover and restore from a cyber attack. More and more policies are available that provide coverage for attacks and expenses in notifying clients that security has been breached, credit monitoring for those exposed, and other services.

These best practices need to be documented. Assessments need to be made so that the organization is aware of where it is performing well and where it needs to shore up its activity in certain areas. An organization may also have to adhere to various state or federal regulations, including reporting of breaches in the system. Practices need to be aligned with these requirements so that an organization is compliant with regulations and properly protected against any attacks.

NAIC Principles for Effective Cybersecurity

 As state regulators are looked to for standardized processes within the insurance industry, cybersecurity issues are only the latest issue to be of concern. The National Association of Insurance Commissioners (NAIC) has developed a set of guiding principles to promote protection of consumer information within the industry. There are a total of twelve principles, and the entire document can be found here.

 The principles identify regulators as having a responsibility to ensure that personally identifiable consumer information held by the insurance industry is protected from cyber risks. Such information should be properly safeguarded, and regulators have a responsibility to protect information collected, stored, and transferred inside or outside of an insurance department or at the NAIC.

The principles highlight that regulatory guidance must be flexible, scalable, and practical, and that guidance must be risk-based and consider the resources available to insurers and producers. They should also be consistent with the NIST framework.

 Included in regulator activities should be risk-based financial examinations and market conduct examinations regarding cybersecurity. Plans for incident response by insurers, producers, and other regulated entities is essential to a complete cyber program. Third parties need to have controls in place to properly protect personally identifiable information.

 Cybersecurity should be part of an insurer's enterprise risk management process, and internal audit findings that present a material risk to an insurer should be reviewed by the board of directors or appropriate committee. Insurers and producers need to stay informed of emerging threats and vulnerabilities, and periodic training with assessment for employee is essential.

 After a Breach

 Even with the best protection, a breach is apt to happen sooner or later. There are certain steps an organization should take to best mitigate and handle such an event. The first is to identify what happened. What was breached and how much data was exposed? The next step is to isolate the system to prevent further damage. If the virus is on a given computer, can it be isolated to protect the rest of the system? If so, those steps should be taken immediately. Law enforcement needs to be notified if criminal activity is suspected. The post breach procedures that have been laid out should immediately be put in force.

 While IT isolates the infected computer, the stolen or corrupted data must be identified, the outside forensics team and vendors must be notified, and vendors and customers must be alerted that a virus may have been transmitted through the organization's computers to theirs. The outside forensics team can perform many of these tasks if desired. It can determine whether encryption measures were enabled when the breach occurred, determine the extent of affected data, and create a list of individuals to be notified. Key personnel need to be interviewed and facts documented, and evidence needs to be preserved such as electronic logs that document the breach itself. Recovery vendors can provide multiple services from forensics and investigation to recovery of data and handling notification of those involved including writing the notification in accordance with state regulations, sending the notices, dealing with returned addresses, maintaining records of such notification for regulators, setting up a call center for customer contact, and handling or working with public relations in order to mitigate losses to the organization's reputation. Offering credit monitoring for customers for six months to a year is recommended.

 When personal identifying information of customers has been compromised, each state has various regulations pertaining to notification of those individuals that the information has been breached. See Data Breach Notification Laws by State 2021.

 Once the crisis is over, a post breach assessment should be performed. The incident plan should be reviewed for gaps and what did and did not work. Necessary changes should be made to the plan and communicated to all, and staff should be trained on any new procedures. The effectiveness of any credit monitoring set up for customers should be monitored. The plan should also be reviewed even when a breach has not occurred; regulatory changes for notification to customers when a data breach occurs must be acknowledged and built into any post breach plans.

 Summary

The risk of cyber attacks is ever present and almost inevitable for many companies. The best strategy is to be prepared; establish procedures for security of data, train all employees, and establish procedures for post breach actions. This is just part of cyber issues in insurance. There are many coverages, and we will provide analysis of those forms as coverages develop and change over time.