Printed from BusinessInsurance.com

WikiLeaks’ release of CIA trove a wake-up call for cyber security

Posted On: Mar. 14, 2017 4:00 AM CST

The release by WikiLeaks of some 8,000 Central Intelligence Agency documents showing the agency found flaws in many internet devices should serve as a warning to firms about keeping up-to-date on cyber security measures, although it is unlikely to have a direct impact on commercial policyholders or insurers, experts say.

In what WikiLeaks founder Julian Assange said was the first of future releases, his organization released data that shows the agency had found security flaws in iPhones, Android phones, office software and even internet-connected TV sets.

Mr. Assange offered to help firms fix their security software problems last week.

Experts say the situation would have been more serious had WikiLeaks released the actual code, which it has not done — at least to date.

There is “minor comfort” to be taken from that, said Alan Brill, senior managing director at Kroll Associates Inc. in Secaucus, New Jersey. But Mr. Brill said the situation still leaves open the question of who else has access to this information.

“It’s still out there, somewhere, and the people who have it are probably not thinking about an insurer’s or an insured’s best interests,” he said.

“I want to make sure my clients are now very watchful both for security updates” and for any incidents that may occur, he said. 

Robert B. Milligan, a partner with Seyfarth Shaw L.L.P. in Los Angeles, said: “Sophisticated companies that have used private investigative firms and computer forensics specialists are probably aware, at least in part, that these types of tools are available,” although “it’s a wake-up call, and it’s sort of a reminder that companies need to invest in their security infrastructure” so they’re not vulnerable to attack.

“The main takeaway here is that employee training is paramount, and oftentimes companies do not invest enough time, attention and energy into providing that type of training to employees about keeping company information confidential,” he added.

Companies have to encourage employees to be more vigilant in security measures, including changing passwords and making sure they are not inadvertently activating microphones and cameras on their devices, said Joseph J. Lazzarotti, a principal with Jackson Lewis P.C. in Morristown, New Jersey.

Roberta Anderson, a partner with Cohen & Grigsby P.C. in Pittsburgh, said the release “tends to shine a spotlight on serious systemic flaws in many consumer products.” It suggests that companies “deploy greater resources towards selling and marketing than researching and patching vulnerabilities in their products.”

“On the other hand, many companies simply lack the resources to engage in the kind of proactive research that would be required to discover vulnerabilities and avoid this kind of hacking. At the end of the day, I think it’s unlikely there will be substantial legal or other implications for the companies involved,” Ms. Anderson said.

John Mullen, a partner with Mullen Coughlin L.L.C. in Wayne, Pennsylvania, said: “Honestly, I don’t think it’s terribly significant to our business, unless the actual tools were released.”

“I don’t see it significantly impacting the way policies are written or underwritten or priced, the caveat being if a treasure trove of actual hacking tools were to be released, that could change.”

If you “flood the bad guys with a bunch of new tools they didn’t have previously then, sure, you could expect a noticeable uptick in attacks on companies and people,” Mr. Mullen said. 

Ben Beeson, Washington-based cyber risk practice leader at Lockton Cos. L.L.C., said the implication of the WikiLeaks release is that “we’re potentially all vulnerable to these types of weapons, but there’s no proof the (CIA’s) motivation is anything other than to protect us at this juncture.”