DENVER — Critical threats risk managers face from disruptive cyber attacks surged to the forefront Monday as insurance and cyber experts urged companies to rethink their planning and responses to these costly exposures.
Mounting concerns over these rapidly spreading risks clearly dominated the discussion among attendees at the Risk & Insurance Management Society Inc.'s annual conference and exhibition.
Christopher J. Giovino, Wilton, Conn.-based director with Aon Risk Solutions, said his company has charted an increase in instances of cyber extortion, where a company's data is compromised and held for ransom by hackers. While cyber extortion can happen to organizations ranging from small nonprofits to Fortune 100 companies, the risks are especially dangerous for smaller and midsize companies, he said. “Cyber loss knows no bounds and doesn't respect your business size,” he said in an interview during the RIMS conference.
Indeed, later during a panel discussion about cyber risks and liabilities, experts said hackers continually change tactics and strategies to extract information and money from companies.
Panelist Steve Visser, Denver-based managing director of disputes and investigations for Navigant Consulting Inc., said crooks have begun to put devious spins on timeworn tricks such as email phishing attacks.
“We are seeing changes in the threat landscape,” he said. “While phishing-type attacks have been going on for a while, what we are seeing more lately is perpetrators using stolen credentials to get into payroll systems or benefits management websites in order to divert payrolls.”
While cyber risks vary according to the organization and type of data it manages, fellow panelist Katherine Keefe, Philadelphia-based head of Breach Response Services for Beazley P.L.C., said companies in the health care industry hold data particularly coveted by thieves.
Even though the privacy provisions of the Health Insurance Portability and Accountability Act of 1996 have given the health care industry a great deal of experience handling sensitive patient data, the recent push to convert patient information into electronic health records has provided a target-rich environment for hackers looking to obtain Social Security numbers in order to file fraudulent tax returns. “The vulnerabilities of this industry are well-known by data thieves,” Ms. Keefe said.
How should companies respond when subjected to cyber crime? Panelist Theodore J. Kobus III, New York-based partner with Baker & Hostetler L.L.P., recommended companies take a measured response. For example, a company that immediately calls in law enforcement officials before conducting a thorough internal forensic examination of the breach may find its computers seized by law enforcement officials. Accordingly, Mr. Kobus suggested companies craft a simple, relatively short incident-response plan that can be easily digested and referred to in dealing with a cyber attack.
Separately, a cyber security expert urged companies to broaden their thinking about cyber security defense.
At the RIMS conference Monday, the Atlantic Council unveiled a report on cyber risk produced in conjunction with Zurich Insurance Group Ltd. Jason Healey, director of the council's Cyber Statecraft Initiative, said that while risk managers are familiar with threats such as data breaches, identity theft and corporate espionage, the recent discovery of the Heartbleed vulnerability reinforced the notion that the scope of the cyber challenges facing risk managers changes daily.
Even the most conscientious risk managers were caught flat-footed by the Heartbleed bug, which defeated a popular encryption method used to secure Web communications, Mr. Healey said during a press briefing.
“Heartbleed showed that we were all critically vulnerable to something that we hadn't even heard about,” he said.
“Attackers will always have the high ground, because we have to defend everywhere all the time and they only have to get it right once.”