Ashley Madison attack shows evolving risks
The cyber attack on the Ashley Madison website, reportedly insured by American International Group Inc. and Axis Capital Holdings Ltd., shows the evolving, escalating and expensive nature of cyber risk.
The mid-July hack of the extramarital affair website, in which the hackers reportedly demanded ransom to keep the users' information secret, has already led to litigation seeking more than $500 million from the website owner, Toronto-based Avid Life Media Inc., and reportedly resulted in at least two suicides.
AIG reportedly provided directors and officers coverage for the website, while Bermuda-based Axis provided cyber coverage. Both insurers declined comment.
The case has raised awareness that hacking is evolving into a more sophisticated crime, causing cyber risk experts to look for ways that companies can protect their business and their data.
A lot is at risk, Zurich Insurance Group Ltd. and the international think tank Atlantic Council said last week in an analysis of how cyber costs and benefits affect gross domestic product. While the report said cyber business could result in a “Cyber Shangri-La” cumulative net gain of $190 trillion by 2030, the worst-case “Clockwork Orange Internet” projection is that cyber crime could sap $30 trillion globally in net economic benefits if cyber security fails to keep up.
“Over the past five years, we've gone from hobbyist hackers breaking into networks for notoriety to an environment where organized crime, both in Eastern Europe and the U.S., is aggressively monetizing their hacking,” said Brad Gow, a New York-based senior vice president with Endurance Insurance, a unit of Endurance Specialty Holdings Ltd. “That's a dynamic that has changed the game for companies, as well as the insurance carriers who are trying to cover them.”
“We haven't seen a lot of instances like Ashley Madison where they try to extort to not release information. That was more prevalent five or even 10 years ago,” said Nick Economidis, a technology underwriter at London-based Beazley P.L.C. Today, “it's more targeting and theft of credit card information rather than to extort for money to not disclose business information,” or “crypto locker” attacks where hackers take control of a business system and demand ransom to unencrypt the data.
Gamelah Palagonia, New York-based senior vice president and cyber risk specialist at Willis North America Inc.'s FINEX unit, said the Ashley Madison case was an unusual attack because of the threat to shut the business down.
“Reports by security experts indicate their data was already posted to online forums before the formal threat was made anyway. If Ashley Madison had cyber coverage, the policy trigger would be unauthorized access,” Ms. Palagonia said.
There are best practices companies can follow to mitigate the risk, Mr. Gow said. They include being vigilant about backing up data, ensuring that servers and endpoints are updated regularly and — most importantly — training employees to use safe email practices and not browse the wrong websites.
“A company can have the best protection in the world, but if an employee clicks on a bad link, the system is compromised,” Mr. Gow said.
Cyber insurance also is a way to mitigate such risks, with more insurers offering the coverage and more companies buying it in the wake of a series of high-profile hacks in recent years.
“All businesses need (cyber) coverage, because you don't know what's going to happen in the future. You can't regulate the criminal mind. All you can do is secure your systems, train your employees and have the proper procedures and privacy policies in place. Insurance is a great tool to finance a cyber claim, but it shouldn't be your first line of defense,” Ms. Palagonia said.
“We know (companies) have certain delicious data that is highly valuable, such as law firms, accounting firms — all those firms that have other people's data, that's all delicious data,” said Jody Westby, CEO of Washington-based consultant Global Cyber Risk L.L.C. “If a company has delicious data, they need to decide what they would be willing to pay.”
“If (a company's) data gets posted like the Ashley Madison database was, then competitors can use that data to lure customers away or undercut them in price,” Ms. Westby said.
“Hackers are smart, and they will find a way into the system; detecting hackers quickly is the key,” said David Maimon, Baltimore-based associate professor of criminology and criminal justice at University of Maryland. “It will take some time for the hacker to find what they are looking for. If we can come up with a solution to quickly detect and identify a hacker, then having a hacker is not a problem.
“This should be the premise on which all computer scientists, cyber security professionals and criminologists should work on. At some point, you will have a hacker on the system no matter what you do, but the question is how soon you can respond to a hacker,” Mr. Maimon said.