CYBERSECURITY FRAUD LOSS ISSUES & HOW TO ADDRESS RISKS IN TODAY'S INSURANCE MARKETPLACE 12/16/2015. December 17, 2015

Transcription

1 12/16/2015 CYBERSECURITY FRAUD LOSS ISSUES & HOW TO ADDRESS RISKS IN TODAY'S INSURANCE MARKETPLACE December 17, 2015 Angela R. Morelock, CPA, CFE, CFF, ABV Partner, BKD, LLP Jeff Eiserman Business Risk Advisor Ollis/Akers/Arney 1

2 TO RECEIVE CPE CREDIT Participate in entire webinar Answer polls when they are provided If you are viewing this webinar in a group Complete group attendance form with Title & date of live webinar Your company name Your printed name, signature & address All group attendance sheets must be submitted to training@bkd.com within 24 hours of live webinar Answer polls when they are provided If all eligibility requirements are met, each participant will be ed their CPE certificates within 15 business days of live webinar C ber$ecurit fraud lo$$ issu s 2

3 AGENDA Historical perspective on fraud & cybercrime schemes 2015 cyber threat landscape Recent developments & case studies Credit/debit breaches at retailers Wire/ACH fraud loss Business compromise Cyber insurance issues HISTORICAL PERSPECTIVE 3

4 EVOLUTION OF CYBER THREATS Actors Thrill seekers Pioneers Teenagers Organized crime rings State sponsored CHARACTERISTICS OF CYBERCRIMINALS Skilled Persistent Sophisticated Tactical Well funded Difficult to detect Evolving Technical attacks not needed Can use deceivingly simple methods (K.I.S.S) Use of social engineering e.g., Business Compromise 4

5 EVOLUTION OF CYBER THREATS Targets Businesses Financial institutions/banks Insurance companies Retailers Health care providers Manufacturers Critical industries Governments Law firms Individuals Everyone Key executives & decision makers Accounting & finance Privileged users CYBERSECURITY NOT JUST A BANK ISSUE Banks are not the focus of the simpler schemes Not the only deep pockets anymore Impostors focusing more on accounting or financial departments of companies, regardless of size From October 2013 to December 2014, nonbank businesses lost $215 million through compromised attacks From January 2015 to August 2015, business losses due to business compromise increased to $800 million (of which $747 million in the U.S.) Combined worldwide losses due to BEC exceed $1.2 billion 5

6 EVOLUTION OF CYBER THREATS Approach Viruses Trojans account hijacking Social engineering End Result Disruption Identity theft Loss of public trust Loss of proprietary information Monetary gain/loss 2015 CYBER THREAT LANDSCAPE 6

7 CURRENT CYBER THREAT LANDSCAPE There are only two types of companies: those that have been hacked, and those that will be. Even that is merging into one category: those that have been hacked and will be again. Robert Mueller, FBI Director DATA AT RISK Credit/debit card information via POS systems Potential Protected Health Information (PHI) Employee data (PII) Social Security numbers Connectivity to health provider networks via pharmacies User names & passwords Intellectual property Blueprints Business plans Trade secrets, etc. 7

8 RECENT DEVELOPMENTS & CASE STUDIES Data breaches 8

9 TARGET BREACH NOVEMBER 2013 Largest data security breach in the U.S. at the time Approximately 110 million credit & debit card exposure Infected by a malware strain ( BlackPOS ) designed to siphon data from cards when swiped Hackers commandeered Target server to store card info Infected POS system running on Microsoft Windows Hackers uploaded exfiltration malware to remove data from server Target had recently spent $1.6 million for a malware detection tool Detection company caught exfiltration malware & reported to security team at Target HQ Target HQ did nothing in response TARGET BREACH NOVEMBER 2013 Target initial cost: $252 million (insurance paid: $90 million) Card issuer reimbursement Target & Visa agree to approximately $67 million settlement Target & Mastercard may reach similar per card settlement Additional costs to reimburse issuers for any fraud losses related to certain debit transactions that resulted from the breach Class action suit still active with other issuers Changed landscape regarding per card amounts in future settlements from data breaches, i.e., was $2.50/card standard before 9

10 HOME DEPOT AUGUST 2014 Approximately 56 million credit & debit card exposure Exposure included approximately 53 million addresses Breach likely lasted more than four months Much longer than the three-week breach at Target Store registers infected with new variant of BlackPOS Some credit cards appeared in the underground marketplace after the breach Cost the company more than $43 million by end of 2014 Another $7 million spent in 1Q 2015 Only $15 million believed recoverable by insurance policy UNDERGROUND MARKETPLACES Hackers sell information packages containing Verified health insurance credentials Bank account numbers/logins SSNs Other personally identifiable information on victims Sold as kitz with counterfeit physical documents such as Credit cards Social Security cards Driver s license Insurance cards 10

11 UNDERGROUND MARKETPLACES Kitz can sell for between $1,200 & $1,300 each Additional fees for adding items, such as US credit card with CVV code Online bank account Game accounts Paypal, verified balance EMV CHIP TECHNOLOGY Will reduce fraud from credit card data EMV uses dynamic cryptogram validation Changes for every transaction This data is useless if obtained by bad guys Dependent upon merchants having EMV-compliant terminals Fraud liability shift 11

12 WIRE & ACH FRAUD LOSSES BUSINESS COMPROMISE 12

13 FIRST EXAMPLE OF CYBER ATTACK WIRE FRAUD Israeli bank U.S. bank Israeli manufacturer Product U.S. wholesaler FIRST EXAMPLE OF CYBER ATTACK WIRE FRAUD Total loss almost $400,000 One from the impostor came 15 minutes after legitimate retailer sent purchase order, with same purchase order information (in different format) Numerous grammatical & spelling errors in communications from impostor, including first name of retailer representative Impostor was through a Yahoo account, yet initial communication between vendor & retailer representative was via company-specific address 13

14 FIRST EXAMPLE OF CYBER ATTACK WIRE FRAUD Israeli bank What money?? U.S. bank Kuala Lumpur bank Got it Where is my money?!? Sent it, I thought?? Impostor Israeli manufacturer U.S. wholesaler Product SECOND EXAMPLE OF CYBER ATTACK WIRE FRAUD Accounting department receives requesting change in bank account information was believed to be from customer Receive an additional requesting release of cash collateral Collateral wire transferred Receiving bank rejects wire due to an issue with receiving account number/name 14

15 UBIQUITI NETWORKS 2015 Accounting department receives s requesting wire transfers s came from an impersonator, acting as an executive Transfer of funds requested held by company subsidiary in Hong Kong to accounts held by impersonator(s) Potentially more than $40 million loss Around $14 million currently expected to be recovered through legal proceedings in foreign jurisdictions No insurance recovery available EASY STEPS TO PROTECT YOUR ORGANIZATION FROM BEC SCHEMES Increase training & awareness Have some form of verification process For example, call the customer/vendor to verify change in account info or wire transfer instructions Double check addresses In previous examples, instructions involved or came from a different provider or domain than legitimate s Do not open messages or attachments from unknown individuals Especially zip files Or links embedded in suspicious looking s 15

16 EASY STEPS TO PROTECT YOUR ORGANIZATION FROM BEC SCHEMES Know the habits of your customers, including the details of, reasons behind & amount of payments Maintain a file, preferably in nonelectronic form, of vendor contact information for those who are authorized to approve changes in payment instructions Limit the number of employees within a business who have the authority to approve &/or conduct wire transfers RESOURCES FTC s Start with Security Guide Best Practices for Victim Response & Reporting of Cyber Incidents drafted by the Cybersecurity Unit of the U.S. Department of Justice (Computer Crime & Intellectual Property Section) National Institute of Standards & Technology s Framework for Improving Critical Infrastructure Cybersecurity Internet Crime Complaint Center Secret Service Electronic Crimes Task Force 16

17 FTC ENFORCEMENT Section 5 (a) of FTC Act main provision for enforcement Unfair trade practice or deceptive acts More than 40 data security enforcement actions since 2000 In FTC v. Wyndham Worldwide, et al. & at least one other case, defendants have argued for dismissal arguing lack of statutory enforcement by the FTC Courts & appellate courts have continued to uphold FTC s authority, even though other laws exist, e.g., Gramm-Leach-Bliley FTC ENFORCEMENT Reasonableness approach to enforcement Focus on representations to consumers 17

18 WHAT IS YOUR EXPOSURE? Credit card data Employee information, HIPAA & PII Third-party data you have authorized access to Network disruption from cyber attack or malicious code Regulatory defense, fines & penalties Damage to your reputation/brand 18

19 WHAT HAPPENS IF YOU HAVE A BREACH? 1. Notify your insurance provider 2. How will you protect your reputation/brand? 3. How will you investigate the source, extent and who was compromised? 4. How will you get your system operational? 5. Do you have any legal responsibilities? 6. How will you establish a call center, notification plan and monitoring plan? 7. Have you lost any income? 8. Wait for the lawsuits and/or regulatory hearings WHERE DO YOU START? Review contracts with third-party vendors Determine your potential specific exposure Take an active role in the buying process Consider developing a Data Breach Response Plan 19

20 QUESTIONS? CONTINUING PROFESSIONAL EDUCATION (CPE) CREDITS BKD, LLP is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: The information in BKD webinars is presented by BKD professionals, but applying specific information to your situation requires careful consideration of facts & circumstances. Consult your BKD advisor before acting on any matters covered in these webinars. 20

21 CPE CREDIT CPE credit may be awarded upon verification of participant attendance For questions, concerns or comments regarding CPE credit, please the BKD Learning & Development Department at THANK YOU! FOR MORE INFORMATION Angela Morelock Jeff Eiserman 21

22 22