Your weakest cyber security leak may be outside your own network. In another demonstration of how an organization can face significant financial and reputational exposure from another’s failure of cyber security, Massachusetts General Hospital announced this week that one of its vendors suffered a cyber breach — on the vendor’s own network — that exposed more than 4,000 records of MGH patients. Some of the compromised information may have included patient names, dates of birth and Social Security numbers.
In a day and age when hackers are persistently attempting to break into networks, an organization that fails to encrypt its sensitive data is taking a huge risk with both its financial resources and reputation. Unprotected data is a legitimate business problem that is no longer confined to IT, especially when it comes to healthcare organizations where the loss of sensitive unprotected data can result in fraud, identity theft, and stolen financial resources from employees and customers. In these cases the burden or blame ultimately falls upon the most senior executive leaders at an organization. And when it comes to the senior teams knowing their areas of risk, encrypting data and building protections have become the latest concern in evaluating them.
Cyber risk for most organizations has a focus on the personal data of customers. Primarily this means Social Security numbers, dates of birth, addresses, credit card numbers and the like. All of that is bad enough when lost in connection with a data breach, but companies must now also be aware of growing threats of cyber extortion schemes.
The recent announcement that Ashley Madison, the marital-affair-promoting website, has been hacked and subjected to extortion takes these problems to a new level. Disapproving hackers have told Ashley Madison to shut down the site or the extortionists will release customer data. Reports say that despite Ashley Madison’s policy that private data can be scrubbed from the site for $19, the data is still available to hackers. The motives of the hackers are still unclear, but what is unusual is that it is not a demand for money.
Most people were relieved when investigators determined that the recent electronic disruptions at the New York Stock Exchange and United Airlines were caused by internal glitches and not by hackers. The NYSE system crash, caused by a faulty software upgrade, and the United Airlines outage, caused by a faulty router, received great attention as pictures of (and tweets by) idle traders and travelers appeared seemingly everywhere.
Because they involved computers and networks, these outages were discussed by the media with the vocabulary normally used to describe “cyber” events. That’s not surprising, given the initial fear that the NYSE crash in particular was caused by hacking.
It was reported earlier this month in the Wall Street Journal that many Corporate Information Security Officers (CISOs) are turning to the insurance sector for assistance and guidance when it comes to understanding cyber security.
Normally late to the party, insurance carriers tend to thoroughly examine years and years of loss experience in order for actuaries to set the rates for new areas of risk. But that is not the case when it comes to the rapidly developing area of cyber threats. Instead it is the insurance sector that many are turning to for guidance on how to deal with the uncertainty of cyber security.
The President, industry leaders, and lawmakers visited the tech-hub of Stanford University earlier this month for an official White House Summit on Cybersecurity and Consumer Protection. The discussions focused on increasing collaboration between the government and the private sector in order to prevent potentially crippling data breaches. The administration hopes that this will encourage Congress to pass cybersecurity legislation. Here are a few key takeaways from the summit:
- Cybersecurity is an issue for all sectors of the economy.
The Identity Theft Resource Center found that 85 million records were exposed last year in both the public and private sectors. Cyber attackers trumped terrorists as the #1 threat to national security last year while data breaches at companies such as Sony Pictures Entertainment, Target, Home Depot, and most recently, insurance giant Anthem Inc., resulted in costly losses.
In a sluggish world economy, hacking has unfortunately been a robust business. Recent reports issued by the Ponemon Institute, Symantec and others have detailed the stunning growth in cybersecurity breaches (such as a greater than 60% increase in breaches in 2013) and given vivid support to the now-common warning about breaches: “It’s not if, it’s when.”
The avalanche of cyber breaches has alarmed companies — and insurers. Cyber liability exposures include the following, among others:
- First-party costs incurred in dealing with the breach (forensics, legal, notification, credit monitoring, call center, etc.)
- Third-party exposures to individuals and entities affected by the breach
- Regulatory enforcement (SEC, FTC)
- Intellectual property exposures (often via corporate espionage)
- Reputational exposures
- Extortion exposures
- Theft exposures (such as hacks of bank accounts or phishing-induced erroneous transfers of money)
- Business interruption costs
- Data restoration costs