A New Defence

On October 21, 2016, New Hampshire-based cloud services provider Dyn was the victim of a massive distributed denial-of-service (DDoS) attack that would change the way companies, governments and entities across the world think about cybersecurity.

The attack saw Dyn’s popular cloud platforms Twitter, Spotify and Netflix shut down and hundreds of small businesses affected. Unlike usual DDoS attacks, this one didn’t originate from a single source but from guiltless owners of Internet of Things (IoT) devices, like smartphones, routers and webcams. The devices had been infected, undetected, by Mirai Malware, creating a dormant army of botnets that were later awakened by malicious hackers.

“This marked a shift toward a new threat in cybersecurity, one that makes everyone vulnerable,” says Gerry Kane, cybersecurity segment director, risk engineering department at Zurich North America.

The thing about the Internet of Things

The Dyn attacks brought to light how IoT has permeated every aspect of human life. The Mirai malware demonstrates that hackers can now permeate systems through coffee machines, cars or furnaces. Among dozens of copycat attacks since Dyn, is one Miraisourced DDoS strike that hit Russia’s top five financial institutions in November, which originated from 24,000 home routers and webcams in 30 different countries. The ease with which hackers can take over IoT devices to turn them into botnet armies has completely changed the security landscape. According to the Dell Security 2016 Annual Threat Report, malware attacks nearly doubled to 8.19 billion, with Android systems as the primary target.

A new defence

“We must accept that humans cannot keep up with this,” says David Masson, country manager for Canada at cybersecurity firm Darktrace. “We have to allow machines to do the heavy lifting on the defence side as well.”

Darktrace recently launched Antigena, a first-of-its-kind solution that leverages artificial intelligence to fight in-progress cyberattacks. Along with increased frequency and sophistication of attacks, the cyber threat landscape that has emerged over the last eight months reads like a John Grisham novel – corporate espionage, extortion and political manipulation are predominant – triggering a new response among insurers.

The interconnected world in which we live also means a single attack can have a broad impact on third parties. In 2014, Canada’s largest scientific research body, the National Research Council (NRC), was the subject of a major breach by a Chinese state-sponsored firm, that was attempting to steal intellectual property. More than 20,000 private firms in Canada were notified that they may have been affected by the breach. Internally, the NRC was forced to return to paper for everything from documenting work hours to sharing sensitive research information with outside clients for more than six months.

Coverage in the cloud

Cyber policies have come a long way in recent years in response to emerging threats in cybersecurity. First party costs typically include privacy breach remediation coverage, encompassing forensic breach investigation and notification, business interruption, and repairs to software or hardware that occur as a result of an attack. Third-party coverage may include legal costs in the event that a lawsuit occurs when the personal data of a client or customer has been exposed during a breach. There are also a number of specialized policies that are cyber-specific, including errors and omissions cyber liability, directors and officers cyber liability and media cyber liability.

“All of this is relatively new; only in the last five years or so,” says Gordon Payne, commercial lines director at Intact Insurance.

Regardless the extent of the coverage, however, insurers are warning that risk management and risk mitigation is essential in the current cybersecurity environment. When determining whether a company is entitled to claim against cyber policies, underwriters are looking for evidence that the insured has deployed up-to-date and functioning anti-malware and security patches, for example. The insured needs to provide evidence that they have been breached during the policy period, which can be difficult if they don’t have the appropriate and automated oversight into the health of the network.

Insureds also have to demonstrate an appropriate level of knowledge and control over third-party data in their possession. The latter becomes particularly tricky as ever more companies rely on cloud servers and virtualized networks to operate their businesses.

“The challenge with the cloud is that it is very difficult to underwrite the security of it,” says Payne. “And yet it can be a key target for cyber-criminals.”

When it’s not about the money

Moreover, the motivations behind cyberattacks are ever broadening, notes Brian Rosenbaum, senior vice-president, financial services group and the national director, legal and research practice, at Aon Reed Stenhouse Inc.

“The big topic of significance right now is non-monetary cyber extortion, where people are hacking into people’s systems to make them do or not do something,” says Rosenbaum.

He points out the 2015 hack on Ashley Madison, an online dating website promoting extramarital affairs, as a clear example. The hackers weren’t asking for money, but threatened to release the identities of subscribers to the site unless the parent company eliminated a fee requiring customers to pay to delete their profiles.

“I don’t think, in a lot of these cases, these hackers want the information at all – it’s data kidnapping. They’re holding the data hostage to achieve whatever they’re trying to achieve,” he says. “Industries are being forced to their knees to deal with security breaches from an extortion point of view.”

As data theft becomes commonplace, the onus is on organizations to have the capabilities to notify affected parties in a timely fashion in order to trigger insurance coverage. Under a new federal law that’s expected to be implemented this fall, data breaches will have to be reported to the Canadian privacy commissioner when they occur.

“This is the government actually enforcing cyber hygiene on organizations,” says Masson at Darktrace, who notes some provinces have already implemented like-minded laws in their jurisdictions. “Organizations will have to have technology in place that allows them to really know what’s going on inside their networks with 100 percent network visibility, so if something’s going on they know in real time, not in 100 days. Not only will this significantly reduce the likelihood of a breach, it will reduce the impact.”

The intricacies of cyber insurance, and indeed the limitations, mean brokers have to spend a lot more time educating their clients on risk mitigation in this space. Clients need to understand that cyber risk penetrates all aspects of an organization, and should be the consideration of everyone from C-suite executives to front-line employees.

“My job is to tell the client, ‘Here’s where the insurance begins and here’s where it ends,’ says Rosenbaum. “If you truly believe because you’re in a high profile organization that you have this risk, work with IT, work with professionals and throw your money at that to try to mitigate that risk – at least until we can develop an insurance product to deal with it.”

Kane notes that the extent of cyber risk in the current environment means mitigation and protection from cyberattacks must be a central component of enterprise risk management that includes regular employee engagement on the issue.

“This is critically important. If you do an examination of cyber events and data breaches, many, if not most, of them started with an employee doing something that he or she should not have done – responding to a phishing email, an employee user error. It’s a very low-tech, low-cost means to get into a network.”

Last year, the Bank of Canada dealt with 15 million malicious inquiries in a single month, illustrating the need for organizations to have effective monitoring and response systems in place to be proactive, rather than reactive, to threats.

“The bad stuff is going to come in,” says Masson. “You’ve got to accept the intrusion. Automated response stops people from attempting to frantically chase and investigate every breach and every compromise. You have to deal with it inside, with full visibility on the network, so you can see subtle changes and deal with them as they occur.”

Kane says executives have to stop treating IT as a silo issue, and recognize that data breaches have the potential to impact every aspect of an organization.

__________________________________________________________________________
Copyright © 2017 Transcontinental Media G.P. This article first appeared in the April 2017 edition of Canadian Insurance Top Broker magazine

This story was originally published by Canadian Insurance Top Broker.