From Resource, May 2004 
Copyright by LOMA


Managing Cyber Risk

An AIG eBusiness Risk Solutions® official discusses cyber risk and how to stay afloat in today’s changing business environment.

By Tammy J. McInturff

Security threats keep growing, making it difficult for companies to keep pace with the ever-increasing risks. While these companies might prefer to avoid IT security and privacy risks altogether, that’s extremely difficult, if not impossible. Therefore, having effective risk management strategies in place—including insurance risk transfer—is an important step toward managing the exposures associated with doing business in today’s networked world.

"Even with the best data security, liability risks will never be zero," says Emily Freeman, vice president, Western region and executive director of consulting, AIG eBusiness Risk Solutions, a unit of the property and casualty insurance subsidiaries of American International Group, Inc. Freeman is well aware of the growing cyber risks associated with doing business today. As an expert on e-business risk, she continually educates insurance and financial services companies on the dangers of not having a sound risk management plan. Freeman is a frequent speaker on e-business risk, has appeared as an expert guest on CNN’s World News and National Public Radio’s All Things Considered, and has authored numerous articles on e-business risk management. She also spoke at LOMA’s Distribution Technology conference.

Cyber Risk

The increasing dependence on electronic processes and network-based technology has brought about new challenges for companies of all shapes and sizes. The major challenge is how to manage cyber risk—the risks, liabilities and solutions associated with electronic processes and interactions arising from conducting business activities through computer networks.

Cyber risk exposure impacts virtually every aspect of an organization—assets, operations, finances and brand equity. Cyber risk runs deep into the organization and includes risk to both physical and non-physical assets. "Everyone used to be worried about the hardware," Freeman explains. "The hardware is the easy part of this equation; what matters is the data and the availability of the network. Unfortunately, many companies still think we are involved with physical assets. Whereas, I’m trying to emphasize the importance of your data, which is representative of all the intellectual property of your firms and it represents everything of value that you store in electronic form."

The consequences of a security breach can be financially catastrophic for any organization. Beyond litigation expenses and fines, a breach can wreak havoc on a company’s operations, interrupt business and cause a loss of income. Since most company operations now depend on the availability of electronic data and computer network resources, a failure of security can prevent the company from conducting business at all and materially affect the "bottom line."

Perhaps most importantly, a security attack or breach can ruin a company’s reputation causing it to lose customer trust. "The brand equity of your firm is not insurable," Freeman says. "So as companies evolve into using Internet and network-based technology they have their reputation, image, customer trust and good will on the line." These are important to any business, particularly in the financial services industry. No one wants to deal with a business that has serious problems securing its customers’ privacy.

Financial Consequences

The financial costs associated with unauthorized access to and use of a computer network have been enormous. However, obtaining statistics on the cost of information security breaches is difficult, because companies are reluctant to disclose these occurrences publicly. "The data that is available about security and privacy reaches the tip of the iceberg of what really happens," Freeman says. "People are not willing in some cases to report a breach to law enforcement, let alone have their customers find out about it."

So there is very little credible reporting of unauthorized network access, whether or not law enforcement is involved, and what is reported does not give a clear picture of the total harm associated with these exposures. The Computer Security Institute (CSI) and the San Francisco Federal Bureau of Investigation’s Computer Intrusion Squad do, however, conduct an annual survey in which respondents participate under complete anonymity. This CSI/FBI Computer Crime and Security Survey shows what approximately 530 large corporations and public entities think about this risk, and it shows that unauthorized computer use, theft of proprietary information and denial of service attacks continue to be a big problem for financial companies. According to the 2003 CSI/FBI Survey, 56 percent of respondents reported some form of unauthorized computer use. Theft of proprietary information caused the greatest financial loss, with an average reported loss of approximately $2.7 million. Other serious losses came from denial of service attacks and financial fraud. Viruses and insider abuse of network access were the most frequently cited forms of attack or abuse.

Methods of Attack

There are a number of methods of attack, including hacking, malicious code (such as viruses and worms), denial of service attacks, theft of information, fraud, corruption of data and insider exploitation. Defacing home pages has become a hobby for people around the world and is now a fairly common attack. Although it is common, it is often not severe; many times it amounts to Web site graffiti.

Cyber terrorism on the other hand is infrequent, but may be severe when it happens, and could result in major losses. "When cyber terrorist attacks happen, they happen big," Freeman explains. "And the board of the company only has two questions. Why did it happen, which they direct to the technology people; and are we insured?"

Hackers and Viruses

There are several different kinds of hackers, with different motivations for attacking a computer network. Some people think the typical perpetrator is a teenager, or someone who is bored and grafting a variant onto an already known virus. Hackers like this are not the people to be most concerned with. The greatest concern for companies is hackers involved in financial fraud, theft of proprietary information and personal identity theft. In many cases these are professional thieves involved in organized crime. Some thieves have even broken into a company’s office and stolen computers and other property, making it look like an ordinary burglary, when the perpetrators were actually after the information on the servers and other equipment they took.

In terms of viruses, worms, denial of service attacks, and other malicious code, the data is again incomplete. Hackers are creating viruses that are smarter, faster, and have multiple means of delivery. "The latest viruses make the ‘Melissa’ virus look like a walk in the park," Freeman says. "If you think they are just involved on target to corrupt your data and destroy the availability of your network, think again; some of them are actually targeting specific vertical industries."

Perhaps the most unsettling type of hacker is the one that works for you. Often it is a company’s own employees who are breaching security and accessing credit card numbers, social security numbers and other data and using the information illegally. The insider threat is definitely a real issue.

Identity Theft

Identity theft is soaring; in fact it is the fastest growing crime in the U.S. According to the FTC (Federal Trade Commission) it is the number one consumer complaint. The FTC’s identity theft survey released in September 2003 reported 27.3 million identity theft victims in the U.S. in the past five years, of which approximately 9.9 million occurred last year alone. The survey also reported that last year’s identity theft losses totaled close to $48 billion for businesses and financial institutions. Consumer ID theft victims reported $5 billion in out-of-pocket expenses.

Additionally, the survey indicated that the damage identity theft does to businesses and consumers is far greater than many people thought. Identity theft has risen rapidly because companies have accumulated larger and larger stores of consumer data. This makes it possible for a thief to steal not one credit card number at a time, but 300,000 at once.

International Hackers

Information security and privacy is now a government priority in the U.S. Unfortunately with regard to this issue globally, the world at large does not agree about any basic plan or strategy, nor do they have worldwide enforcement able to catch cyber criminals. "In fact, in many parts of the world cyber crime is not considered a crime," Freeman says, "and to extradite someone from those countries is not an option. But in some places, like Western Europe, Asia, Canada and Australia there are laws in place to protect the security and privacy of their citizens’ personal information. Some of these laws overlie well on each other and some do not. For instance, there is a total disconnect between what the European Union and the United States think of as privacy."

Privacy-Related Regulations

Regulations are the reason most companies have begun evaluating cyber risk and spending more on security. Financial services companies and healthcare institutions are at the top of the list when it comes to regulatory priority. Because these organizations hold substantial financial, personal and medical data about their customers, they face an array of privacy-related regulations, including the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Gramm-Leach-Bliley is particularly important to banks, credit unions and other companies involved in financial services. As most know, it requires companies to give consumers privacy notices that explain the institution’s information-sharing practices. Customers, in turn, have the right to limit some sharing of their information. It is also being translated into state-by-state regulation of insurance companies and brokers, and it is enforced by the banking regulators and the FTC. "Gramm-Leach-Bliley is more than just a little densely worded pamphlet that you got with your bill that said you have the right to opt out," says Freeman. "It definitely carries with it penalties, enforcement actions and the state attorneys general also have an ability to go after this issue. This typically gets companies to take their network security more seriously."

HIPAA is another privacy-related regulation, this one covering healthcare. HIPAA is concerned with the administrative simplification of transactions in healthcare organizations. It also deals with the privacy of healthcare information, as well as the security needed to protect it. "A particularly interesting aspect of HIPAA is that it creates concepts to foreign accountability that will put offenders in jail. Ultimately HIPAA can contain criminal fines and criminal actions against the board," Freeman explains. "The hospitals, managed care institutions and physician groups are going to be held accountable for the diminishing of the chain of trust. The chain of trust is the concept that the originators of medical information are responsible for the people who give it to them, whether it is vendors, suppliers or other people in the relationship chain."

California Disclosure Law

Another security-related law that is very interesting is the "California Database Protection Act of 2003," introduced as SB 1386, which became effective July 1, 2003. "This bill was passed without a lot of political protest in California after several ugly instances involving consumer data which showed up later in the hands of perpetrators involved in identity theft," Freeman says. "Ironically, the last instance before the bill was passed involved the state of California’s own database of employees."

The California Database Protection Act of 2003 requires any business that stores confidential personal information about California residents in electronic form to notify those residents when it discovers a breach of its computer systems. The business does not have to be in California; it only has to hold data on a California resident. The incident must be reported if unencrypted personal information is involved, for example a name and address combined with a social security number, driver’s license number or other data that could be used for identity theft.

"This California law says if you suspect that you have a breach associated with a customer’s electronically stored personal information, as defined by the statute, then you are required to provide notice to each customer whose personal information may have been compromised. This doesn’t mean that you have to prove damage, but that you know of unauthorized access or use happening to unencrypted data of this type," Freeman explains. "Anyone affected by this has to be notified, not just the individual consumer, but potentially the class. A violation of the statute could subject a company to a private civil action in the state of California brought by an individual or a group. In addition, the state has the ability to look at injunctive relief. So the bill has enormous consequences. It has also been followed by the big three banking regulators—OTS, FCP and FDIC. And there are banking regulations that are set up now to follow this idea of warning consumers." Warning consumers means companies may face serious liability if they fail to warn in a timely manner.

This law’s reach may not be limited to California companies. According to Freeman, lawyers who have been involved with this are asking questions about the company’s responsibility to notify residents in other states when a breach occurs. For example, if the company has California residents and Utah residents in the same database should the company only notify the California residents? Organizations should keep an eye on this issue because it could be moving on to the federal level.

Deceptive Practices

Inadequate network security has also caught the eye of state and federal regulators. Recently, the FTC was involved in investigating and prosecuting deceptive practices involving network security. According to Freeman, they have already drawn up enforcement actions for several companies. In one recent case, the FTC was interested in a particular company’s security and privacy policy and the promises the policy made about security. The policy was listed on the company’s public Web site. "The FTC compared the company’s privacy statement to its behavior and security procedures," Freeman says, "and found that the company had left an important, known vulnerability open, which led straight to the credit card numbers of its customers." Even though the credit card numbers were not used, the FTC called the company in on an enforcement action after comparing their statements with their practices. The company was fined, and required to undergo ongoing enforcement actions and regulations, as well as network security oversight by the FTC that includes independent assessments on security.

Sarbanes-Oxley

By now most companies have become very familiar with the Sarbanes-Oxley Act of 2002 and the immense amount of paperwork it involves. Simply stated, Sarbanes-Oxley is accountability at the board level for the veracity and completeness of the company’s disclosures, particularly those involving financial data. It requires officers to sign financial statements. It also regulates internal controls, which means IT systems have to comply with Sarbanes-Oxley: the company must have internal controls over its electronic documents as well as its paper records to ensure accuracy and reliability. "If you look at section 404 you would see the connection between IT applications and these internal controls," Freeman says. "It has become a board room issue because if you have systems that provide inaccurate or unreliable data, and that data is put into your financial statements, your financial statements may be incorrect. The trend with all of these regulatory issues is that they now have the ability to really look at reasonable care and industry standards in a much clearer way. They can measure what you say about yourself on your privacy and security statements against your actual behavior. Also, they can look at a series of security regulations and privacy regulations in health care and in the financial services (GLB and HIPAA to be specific) and measure your conduct against that. So it makes it easier for a court to determine a reasonable case against what you did."

So, ultimately security and privacy are boardroom issues. They are serious issues involving risk management. The lack of internal controls on IT security and privacy could lead to serious investor fallout issues. Organizations may also be liable to shareholders or members for failure to report deficiencies in internal controls or for failure to maintain regulatory compliance programs. Companies and officers may even be liable to third parties that they owe the duty of data protection.

Technology Limitations

Contrary to what some might believe, technology cannot eliminate security risk alone. Securing your information is not as simple as buying a security software program. "There are still people at the board level of organizations that think that if they buy something, whatever it is, it is the cure. This is a technology, people and processing issue all wrapped up into one. It is an ever-evolving threat on a day-to-day basis," says Freeman.

But just because buying a technology solution isn’t the magic cure, that doesn’t mean companies should put security as a low priority in their IT budget. "It is alarming how little companies actually spend of their IT budget on security in particular—some spending far less than ten percent," Freeman says. "Other organizations have told me that they spend more on bagels and coffee than they spend on IT security. We have a tremendous problem in how much is actually spent on this kind of risk in the organization." Since having a security program is not viewed as a revenue generator it often gets passed over in favor of other IT projects with ROI potential.

Application Development

Another issue is how applications are developed. Not all applications have IT security and privacy risk management built into them; in some cases it is bolted on after the fact. "I have seen applications that have been launched that did what they were supposed to do, but when they did what they are supposed to do customers were looking at social security numbers or credit card numbers of other customers," Freeman says. "In other words, no one had really done the kind of beta testing that they needed to do on this issue; or built into the business requirements to look at IT security and privacy as part of the business case and the business requirements. Unfortunately, I have seen applications that have been launched without the best care and standards of testing built in. Of course once something goes wrong then the application is pulled back and looked at from this perspective a lot more deeply. You don’t want to learn about security problems this way, particularly if you are involved in financial services."
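The failure Freeman describes, a working application that shows one customer another customer’s social security or card number, is what application security people call an insecure direct object reference: the handler checks that the caller is logged in and then trusts the record identifier in the request. The following is an added example written for this page, not code from the article, from AIG eBRS or from any real system. The account records, user names and the `Session` object are constructed for illustration; the point is the ownership check in the hardened handler and the acceptance test (`idor_probe`) that the article says nobody ran before launch.

```python
"""Added example: an insecure direct object reference (IDOR) beside its fix,
plus the pre-launch check that would have caught it. All data is constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """The authenticated principal, as established by the login flow (assumed)."""
    user_id: str
    is_staff: bool = False


# Constructed sample records. Identifiers and numbers are fake.
ACCOUNTS = {
    "1001": {"owner": "alice", "ssn_last4": "1234", "card_last4": "4242"},
    "1002": {"owner": "bob", "ssn_last4": "5678", "card_last4": "1111"},
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested record."""


def account_view_vulnerable(session: Session, account_id: str) -> dict:
    """The shape an application takes when authorization is left for 'later':
    it verifies that someone is logged in, then returns whatever record id
    the client asked for. Any logged-in customer can read any account."""
    if session is None:
        raise Forbidden("login required")
    record = ACCOUNTS.get(account_id)
    if record is None:
        raise Forbidden("account not found")
    return record


def account_view_hardened(session: Session, account_id: str) -> dict:
    """Authorization is decided against the server-side owner of the record,
    never against anything the client supplied in the request."""
    if session is None:
        raise Forbidden("login required")
    record = ACCOUNTS.get(account_id)
    if record is None or (record["owner"] != session.user_id and not session.is_staff):
        # Same error for 'no such record' and 'not yours', so a caller cannot
        # enumerate which account ids exist by watching the error text.
        raise Forbidden("account not found")
    return record


def idor_probe(handler, session: Session, account_ids) -> list:
    """The business-requirement test that was missing: given a session, try
    every candidate id and return those the caller can read but does not own."""
    leaked = []
    for acct in account_ids:
        try:
            record = handler(session, acct)
        except Forbidden:
            continue
        if record["owner"] != session.user_id and not session.is_staff:
            leaked.append(acct)
    return leaked


if __name__ == "__main__":
    bob = Session("bob")
    print("vulnerable leaks:", idor_probe(account_view_vulnerable, bob, ACCOUNTS))
    print("hardened leaks:  ", idor_probe(account_view_hardened, bob, ACCOUNTS))
```

The probe is cheap enough to run in the test suite for every handler that takes a record identifier, which is how "look at IT security and privacy as part of the business requirements" turns into something a release gate can actually check.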

Freeman suggested that companies answer the following basic risk questions to help with risk management planning.

* How does your organization identify critical information assets and risks to those assets?

* Is the frequency and scope of your risk evaluation sufficient to take evolving threats into account?

* Are risks to critical assets managed in a similar fashion to other key business risks?

* What are your due diligence and financial responsibility (insurance) requirements for other companies that connect to your network or provide technology services?

* Do you have a mission assurance plan in place that addresses business continuity? Is it regularly tested and found effective? Is there a single point of failure?

It is essential that you know where your critical assets are and to keep track of what information is stored on what piece of equipment. "I have seen companies lose track of their trade secrets and have no idea where they all are, in what files, in what database," Freeman says. "It can happen easier than you might realize."

Working with Vendors

Companies also need to evaluate the potential risks and liability issues involved in using a particular vendor. Vendors help ease some of the risk for those who are not specialists in a certain area of development, but they bring issues of their own from a risk management perspective. In today’s networked world, organizations are surrounded by vendors, suppliers, customers, remote offices, independent agents and so on, and when business processes depend on outside parties who access your network, the risk of a security breach increases. The organization that owns the system, Web site and network is responsible for it. "Whether or not the company outsources the authorization development or other things associated with the network, is not terribly relevant to a court of law," Freeman explains. "The plaintiff is interested in going after a company that owns this network, who originated the data and had a responsibility of storing the data and who made certain promises about security and privacy. It can be difficult to hold the vendors, suppliers, call centers and others who had confidential access to certain files contractually accountable."

Freeman described what she calls the ‘have a nice day contract,’ a contract in which the vendor does not accept consequential damages if something happens. If the vendor does not accept consequential damages, there is no transfer of risk: the owner of the network retains the risk for the functions performed by outside companies. The contract may say that the vendor owes penalties if it does not deliver what it was contracted to do, but that has nothing to do with the consequential damages that can follow from security and privacy violations.

Managing Cyber Risk

There are several things that can help a company manage network security risk. According to Freeman, any risk management plan first has to have senior management support. Like all best practices, if you don’t get senior management buy in, nothing is going to happen. Second, there needs to be a team approach. Having a team approach is important because everyone has a stake in this security and privacy risk; operations, IT, finance, internal audit, the lawyers, etc, all have a vested interest. "There isn’t one aspect of this risk that can be operated without the others. I have seen lawyers write beautiful privacy statements explaining that you can opt out but no one is following it," Freeman says. "In other words, when customers opt out nothing happens. The IT people have no way of locking the data of the customers that opt out so that the information doesn’t go anywhere."

So these privacy and security statements sometimes only create a standard by which a judge can measure the company’s actual behavior. This is why you need people communicating and working together. Unfortunately, in some companies there is a lack of communication between the finance department, legal staff and the technology department. This absence of contact can lead the technology department to believe it is solely responsible for managing this risk, even though IT staff may have neither the background nor the expertise to handle security and privacy issues.

Freeman also advises companies to spend capital wisely on managing risk. "You could spend a lot of money on things that don’t make you any safer," Freeman explains. "Also, applications evaluations should be done regularly. I know one company that actually goes through an analysis of risks as part of their business case for new applications. They go through and put risks up along with the rewards and then talk about building certain safeguards in them. The application itself does not go live until the risk committee of their organization says it can go live. That is one end of the scale, there are a whole lot of people in the middle and a lot who aren’t in there."

According to Freeman, the following list of risk management activities can help a company begin developing a solid risk management plan:

* Outline the existing and emerging applications and activities

* Review the company’s perspective of risks and controls across business units

* Identify key/priority risks

* Assess security and privacy risk controls with security specialists

* Review disaster recovery/continuity planning for networks

* Assist in developing insurance requirements for third party vendors

* Evaluate present insurance relative to the risk

* Consider insurance products that are available for network security risks from a first and third party perspective

Gaining Control

Risk control is a people, processes and technology problem all built into one. You can’t fully prevent something from happening, but you need to design mitigation strategies that are workable for your applications. "It is not just about total prevention, but how to design something that gets itself back up in the timeframe that works for the company, which could be anywhere from five minutes to a week," Freeman says. Individual applications have different critical time windows relative to the value of those applications in the system. The key is to design a business recovery strategy that works for your company.

Financial Responsibility

Since the ideal combination of people, processes and technology may not completely eliminate cyber risks, companies may want to consider buying cyber insurance as traditional insurance policies may not address the risks associated with security and privacy very well, if at all. "The cyber market was created in reaction to all of these world events," Freeman says. "I think there have been about 63,000 viruses already and counting."

Viruses are not just innocuous forms of vandalism. "Up to this point everyone felt that in property policies viruses were just a malicious initiative or vandalism comparable to a rock being thrown through a building," Freeman says. "Unfortunately, viruses are nothing like a rock being thrown in a building—not if it goes around the world in eight seconds and can infect thousands of systems in that period of time. In addition, the damage caused by viruses and other malicious code is typically damage to intangible property—data. Since traditional property policies typically only cover damage to tangible property such as buildings, from perils like floods or fires, a gap in coverage exists."

When a virus takes down your computer system, most traditional insurance is not going to pay loss of income, extra expense, damage or cost to restore. So a company’s loss exposure under a normal property policy could be enormous, uncalculated and unpaid for. IT professionals need to understand that if your system is shut down, due to a virus or denial of service attack, the standard property insurance does not address this loss.

The second big issue is what happens to lawsuits involving identity theft and consumer data. Most crime insurance has nothing to do with stealing information. It only has to do with stealing things—money, securities and tangible property. Most traditional insurance policies do not cover information theft.

AIG eBusiness Risk Solutions

Cyber and network liability insurance is one way to address these risks, and it is becoming more popular. AIG eBusiness Risk Solutions (AIG eBRS), as well as a few other companies, have created insurance specifically designed to address network security liability and first party loss. AIG eBRS was formed in January of 2000 to evaluate the risks associated with the Internet and computer networks and to design solutions combining risk management advice, technology and insurance. "We felt that with the growth of the Internet, business and network-based technology, we could not afford to ignore these risks," Freeman explains. "We needed to set up a specialist group to take on these risks around the world." AIG eBRS is made up of about 50 people, including lawyers, technology specialists and underwriters. The group offers a comprehensive suite of insurance products and risk management services.

Security threats are continually evolving, so developing a security program is not a one-time occurrence. Security must involve more than just technology; it must be included in your business planning and processes; and it must be communicated to the entire organization. Having effective IT security means securing your policies, infrastructure and administration.

Spending just enough on security to comply with regulations may leave you with a weak security program. It only takes one vulnerability to allow a hacker access to your network. Having a solid cyber risk management plan means knowing how to identify and control cyber risk. That means performing periodic security assessments and having a business continuity plan in place. Companies also need to understand the risks involved with using vendors. If your insurance doesn’t cover information theft, you might want to consider the alternatives. 


Contact Resource:
resource@loma.org
