Overview
Cyber risk and threat is all around us! While writing my chapters for this book and editing it, I had a phishing scam attack on my computer bombarding it with bogus emails. It was disruptive to my work and ironic, as contributors were writing about this very type of cyber attack. However, this was a very small attack; the chapters in this book underscore the enormity of damage both cyber risk and attack can cause at every level of the economy, business and society.
The financial sector was chosen along with data and medical data because the volume of such threats and attacks is expanding dramatically in these sectors and, until recently, has been largely underreported. This has been due mainly to fears that customers will lose confidence in the financial sectors as ever more personal data is hacked into and used for fraudulent and malicious purposes.
Is cyber threat and attack just an extension of ordinary criminal activities but in cyberspace as some argue, or is this a new form of attack crime that has its own peculiarities and cultural expression in different countries as others will put forward in this book?
Damage from cyber attack can range from business interruption, financial loss on a small or large scale and loss of reputation to the destruction of physical infrastructure through the hacking of smart machines. This book will cover the varied forms of possible cyber attack, explaining them, where such attacks emanate from and who is behind them.
Managing the risk of cyber threat and attack is central to this book, as many of the technology-based “solutions” are inadequate to deal with the ever-increasing volume of such attacks and all their many permutations. Managing risk can range from educating those in the company in how to spot an attack and deal with it, to adequate insurance coverage, to understanding who within the company would be prone to engaging in internal hacking and maybe even working with external collaborators.
It becomes clear from the subsequent analyses that effective internal company-based risk management must be multidisciplinary including in-house legal departments, finance, sales, traders in the banking sector and underwriters in the insurance sector. Human-resources input could also be invaluable in finding the disgruntled or revenge-bound employee or the employee with financial problems or a taste for luxury that their salary will not afford them.
In relation to the regional focus of this book, Asia, especially East Asia including Japan, China and South Korea, is an area of booming economies and also of thriving communities of hackers. North Korea is not a thriving economy but has been politically implicated in numerous cyber attacks against South Korea, Japan and America. Japan has been using advanced technology to try to stop or manage cyber attacks, while China has hackers, often sanctioned by the government, who carry out external attacks, and domestic hackers who are responsible for a good deal of damage within China.
Europe as an economic bloc is both wealthy and includes Eastern Europe where a good deal of cyber threat and attack emanates, especially from Russia whose hackers have been at the forefront of large financial and politically motivated attacks. Italy, for example, is a European country in which financially targeted cyber crime is soaring. A report that was published by DAS of the Generali Group stated that 22.3 per cent of Italians claimed to have been victims of cyber attack with 13.3 per cent having been victims of identity theft through social networks such as Facebook and Twitter. The report also highlighted that 70 per cent of users experienced cyber threat to their identity through social networks while 44 per cent feared that their financial data were being accessed for the purposes of illegal online purchases through their accounts and 38 per cent believed that hackers were using their personal information to commit fraud.1
The US, being a wealthy country, has experienced a great amount of financial cyber attack and medical-data hacking. Both banking and retail have seen millions of customer accounts hacked into and substantial damages paid out to victims. There has also been some reputational damage with the purported North Korean-derived hacking into Sony studios to damage reputations and relationships through email leaks, in retaliation for the portrayal of the North Korean dictator Kim Jong Un as a buffoon who should be assassinated.
Recent phenomena
Awareness of cyber risk and management especially in the financial and medical-data sectors is so recent that much of the information that forms the basis of analysis is not derived from an extensive literature review but recent reports, newspapers, specialist cyber-risk companies and financial service associations including their briefing meetings and conferences. Experts from East Asia, Western and Eastern Europe and the US are also a unique and fresh source of information as they have been involved first-hand or in studies related to cyber risk.
As mentioned, the financial sector has been reluctant to divulge the extent of how much fraud and business interruption it has experienced because of fear of losing customer confidence and trust. Yet, the extent of this due to hacking is phenomenally high.
The Financial Times 2 noted that in summer 2014 JPMorgan Chase experienced a cyber attack compromising the personal account data of 76 million domestic users and roughly 2 million businesses. It was such a severe hacking that JPMorgan Chase doubled its spending on cyber defence.
The same article further reported that a leading bank in the UK was found to have 22 critical flaws, which could have given unhindered access to customer accounts. One of the major vulnerabilities would allow a hacker to take a user’s identity and break in through the front door using “cross-site request forgery”, circumventing the bank’s security procedures. The bank would see a normal transaction while the customer would be totally unaware of any malicious interference. Bronzeye, a cyber security company, had warned the Financial Conduct Authority of this loophole in July 2014. This flaw involved a hitherto unidentified problem in the bank’s two-step verification process, in which customers received changing codes by mobile phone used in tandem with their passwords.
The changing mobile-phone code used for financial transactions is very popular in Eastern Europe where the Russian cyber security firm Kaspersky found that 100 mainly Eastern European banks had been subject to such attacks because of this cyber flaw, which could have lost the banks up to US$1 billion. It seems that such cyber-risk threat and attack is the tip of the iceberg in global financial sectors.
The insurance industry has only recently realised the importance of its role in managing the threat and attack of cyber risk. In a report published in March 2015 entitled “UK cyber security: the role of insurance in managing and mitigating the risk”,3 former MP Francis Maude notes in the Foreword that 81 per cent of large businesses and 60 per cent of small businesses were the target of cyber attacks last year and that the number of such cyber attacks has doubled since 2013. He highlights several important points concerning cyber risk and the need for more comprehensive insurance to deal with it. One is the need to value more accurately the cost of cyber risk and the real value of losses because of it. For years my books4 have been arguing for a process of valuation of intellectual property intangible assets. In this report the first category requiring cyber-risk insurance protection is intellectual property. The ongoing problem with intellectual property is that, although it is a lucrative target for global government and other business-derived hacking in particular, companies underestimate the value of their intellectual property and overestimate the coverage of their insurance policies. The above-mentioned report reflects the same problems that intellectual property insurance has faced over the years, in that only 2 per cent of companies hold full cyber-risk insurance. This lack of take-up of intellectual property insurance is as remarkable as the lack of demand for full cyber-risk insurance, despite the growing amount of high-cost litigation in intellectual property and the increasing amount of high-value loss due to catastrophic single or multiple event cyber attack. The other salient point made in this report is that because most businesses do not fully understand cyber risk they have not put into place accountability or management structures to mitigate it. In this book we will not only explain all manner of cyber risk but also how to manage it.
As we will discuss in this book, banks and particularly insurance companies cannot understand the amount of loss from cyber attack they are able to withstand because they are often unaware of the amount or variety of data they hold and therefore cannot understand the value of it and what value it can accrue to hackers. This is especially true in the City of London where many insurance companies still have paper archives and do not know the value of this information let alone what they hold in great volume in their internet-based records. I have been an observer of this after working for many years in the City of London.
This report chronicles many of the loss categories that businesses face and require insurance cover for.5 They include: intellectual property theft; business interruption; data and software loss; cyber extortion; cyber crime/fraud; breach of privacy; information technology (IT) network failures; reputational risk/attack; damage to physical property; death and bodily injury; incident investigation; and response loss. Therefore referring to cyber risk in the financial sector as cyber crime shows an inadequacy of definition. Cyber threat and attack, which comprise the two main aspects of cyber risk, can cover all the above and more types of risk.
In this book we explore how, as volumes of retained personal data grow in banking and insurance, and as the insurance sector becomes more integrally involved in providing coverage for cyber threat and attack, these sectors will increasingly become direct targets of such attacks themselves. This means that methods of risk management will need to change and grow with the cyber-risk threat and adapt to it. This has not occurred to date to any significant degree.
Insurance companies, in fact, while not being completely sure of the nature of the data they currently hold, are requesting even more data concerning their clients’ health records. The Medical Protection Society, for example, which represents 290,000 medical professionals, said it discovered a sharp rise in concerns about data requests by insurers, with about 2,300 calls from doctors over the past year on the subject.
Medical records risk
Medical records are protected by strict privacy laws in Europe and the US but, despite this, hackers view such personal health information as a treasure trove. David Dimond, the Chief Technology Officer of EMC Healthcare based in Massachusetts, USA, noted that it is relatively easy for hackers using a birth date, health history and a social security number to open credit accounts. Using this information such thieves can then invoice US government healthcare programmes or insurance companies for fictitious medical care. He further pointed out that the value to unscrupulous hackers of personal health records and finances is three times that of financial information only.6
High tech leads to more healthcare hacking
The more healthcare relies on advances in high technology, the greater the opportunities for hackers to steal and misuse medical information. Perry Hutton, a regional director of network security company Fortinet Africa, noted that the black-market value for healthcare personal patient data is 20 times higher than that of credit-card details, which are stolen mainly from the data lists of retail outlets. Cyber criminals are also aware that algorithms used in the credit-card financial industry make risk managers aware of unusual activity much more quickly, so that it can be investigated immediately, often through automated systems. The insurance sector of the financial services holds the majority of healthcare details for medical insurance but is less protected than banking, with fewer internal risk-management strategies. He further adds that it can take up to a year for patients to realise that their personal healthcare information has been breached.
A recent study by Gemalto, a digital security company in the US, found that no other industry experienced so many data breaches as the healthcare sector with 391 incidents recorded for the year 2014. This accounted for one-quarter of all breaches for the year. In real terms this means healthcare organisations last year had 29.4 million data records compromised in these attacks, and the average records lost per breach for the healthcare industry was 75,152, up from 49,000 in 2013.
Gemalto listed that among the top data breaches in the healthcare sector in 2014 in relation to identity theft were the Korean Medical Association, with 17 million records; Community Health Systems, with 4.5 million records; and the State of Texas Department of Health and Human Services, with 2 million records exposed to identity theft.7
Data breaches in relation to medical records are growing steadily, especially in the US where healthcare and pharmaceuticals are big business. In 2011 and 2012 there were 458 big breaches of health data in total involving 14.7 million people, according to the federal Department of Health and Human Services. In 2013 and 2014, there were 528 involving 19 million people. A rough breakdown of stolen data showed that 10 per cent of breaches stem from hacking, while approximately half are physical thefts of records or computers. The rest are either inadvertent losses, disclosures without official authorisation or improper disposals of medical-record information.
As mentioned above it can often be the employees of a company who are the ones stealing internal company data. For example, in November 2013, an employee at US-based UPMC McKeesport was caught rifling through the electronic health records of 1,279 patients. Subsequently, the errant employee was dismissed, and hospital staff were retrained.
UPMC devised a management solution by programming its computer systems to monitor employee interest in patient health records. Therefore, if the normal pattern of employees looking at medical records changes dramatically, perhaps rising, the computers alert the employer to such unusual activity, which often leads to evidence of hacking.
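The monitoring idea described above, as an added illustration that is not UPMC’s own system: each employee’s daily count of distinct patient records opened is compared against that employee’s own recent history, and a day that departs sharply from the baseline raises an alert. The log format, the employee and patient identifiers and the thresholds are all constructed assumptions for this example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log lines in the form "user,date,patient_id" (hypothetical
# data): clerk_a opens 4 records a day for a week, then 40 on the eighth day;
# clerk_b opens a steady 5 records a day throughout.
SAMPLE_LOG = (
    [f"clerk_a,2015-03-0{d},pt{d * 10 + i}" for d in range(1, 8) for i in range(4)]
    + [f"clerk_a,2015-03-08,pt{900 + i}" for i in range(40)]
    + [f"clerk_b,2015-03-0{d},pt{d * 10 + i}" for d in range(1, 9) for i in range(5)]
)


def daily_distinct_patients(lines):
    """Return {user: {day: number of distinct patient records opened}}."""
    seen = defaultdict(set)  # (user, day) -> patient ids opened that day
    for line in lines:
        user, day, patient = line.strip().split(",")
        seen[(user, day)].add(patient)
    per_user = defaultdict(dict)
    for (user, day), patients in seen.items():
        per_user[user][day] = len(patients)
    return per_user


def flag_unusual_access(lines, baseline_days=7, ratio=3.0, zscore=3.0):
    """Flag days whose access volume departs sharply from the user's own baseline.

    A day is flagged when it reaches `ratio` times the mean of the preceding
    `baseline_days`, or when it lies `zscore` standard deviations above that mean.
    Returns a list of (user, day, count, baseline_mean) tuples.
    """
    alerts = []
    for user, by_day in daily_distinct_patients(lines).items():
        days = sorted(by_day)  # ISO dates sort chronologically as strings
        for idx in range(baseline_days, len(days)):
            history = [by_day[d] for d in days[idx - baseline_days:idx]]
            today = by_day[days[idx]]
            mu, sigma = mean(history), pstdev(history)
            # A perfectly flat history gives sigma == 0, so the z-score test alone
            # would never fire; the plain multiple-of-the-mean test covers that case.
            spike = today >= ratio * mu or (sigma > 0 and (today - mu) / sigma >= zscore)
            if spike:
                alerts.append((user, days[idx], today, round(mu, 1)))
    return alerts


if __name__ == "__main__":
    for user, day, count, baseline in flag_unusual_access(SAMPLE_LOG):
        print(f"ALERT {user} on {day}: {count} records opened, baseline {baseline}")
```

A real deployment would also compare against peers in the same role, since a single user’s baseline can be poisoned by a slow ramp-up of inappropriate access.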
However, as data is spread further afield, managing cyber risk becomes more complicated. UPMC’s security personnel are stretched as data are sent out to centres where clinicians can access them through smartphones and tablets, which can be more easily compromised by hackers. To deal with hackers creating ever more sophisticated imitations of UPMC’s web pages to “phish” passwords from employees, or even from patients who use the online patient portal, the company uses simulated phishing to test whether employees are careless with passwords.8
In March 2015 80 million p...