Global Technology's Risk Advisor Series: Turn Risk Into Advantage

Cyber threat reality check: the threat is growing, and ignoring it can be costly
Stay ahead of risk to turn it to your advantage

A story of business success is often told using words like bold, daring and visionary. Industry heroes are those who have forged ahead despite being surrounded by naysayers with cautionary advice. When they come out on top, the role model of a fearless risk taker becomes an inspiration for other business leaders.

Ignoring risks, however, more often results in something far less heroic: lost revenue, costly mitigation and potential liability. This is especially true when it comes to cybercrime, a threat that is expanding rapidly as more and more business activity goes digital. Data breaches have become so common that few make headlines except when they involve millions of people or afflict renowned companies.

Business leaders are well aware of cybercrime; our report, The Finance View of Non-Financial Risk for Technology Companies (/techcforeport), points to data security as a top concern. Yet many companies believe they are not likely to be targeted. Our author, Kirstin Simonson, Information Technology Insurance Practice Leader, shares her expertise to guide technology companies toward adopting a more expansive view of the new reality of cyber threats than they might already have.

Topics covered:
- Why complacency is unwarranted
- Where the exposure to cyber threats comes from
- The costs of complacency
- Effective strategies for managing cyber risks

"Often companies that are really successful are not ignoring risk. They are turning it into advantage."
Mike Thoma, Chief Underwriting Officer of Global Technology at Travelers
Complacency is unwarranted

Cybercrime is increasing. That fact seems indisputable, although the statistics offered by different experts often do not match because of different reporting sources and definitions. The Privacy Rights Clearinghouse, for example, reported 272 data breaches affecting at least 18.5 million records during the first six months of 2012. However, datalossdb.org reported 1,621 breaches in 2012. That number comes close to the annual totals logged by datalossdb.org for 2009 and 2010 combined. At 1,621 breaches, 2012 far exceeded the 1,091 breaches datalossdb.org tracked in 2011.

Similarly, different experts offer varying cost estimates for the damage to businesses from data breaches. A data breach can cost your business time, money and your reputation. In fact, a recent study revealed that the cost of a data breach per record is $188, which can add up quickly. For example, a breach involving 10,000 records could cost nearly $2 million (Ponemon Institute Research Report: U.S. Cost of a Data Breach Study, 2013).

The underlying message is clear. Cybercrime is on the upswing and, when it happens, it can be costly. Nonetheless, insurance brokers who talk to clients about cybercrime tell us the reaction is often a denial that their companies are at risk:
- "Our systems for protecting our data are state of the art."
- "Only large organizations are targets of cybercrime."
- "We've transferred our cyber threats to the firms that store our data."
- "We've never had an issue."

In other words, despite widespread recognition that cybercrime occurs, business leaders seem to believe it will happen to other companies and not theirs. Unfortunately, all of the evidence points to this complacency as unwarranted. For example, as technology rapidly changes, new opportunities open up for cyber intrusions to occur. Data protection solutions that are state of the art when implemented may be completely ineffective against new threats that emerge.
Business leaders who believe their companies are protected from cyber threats should consider that many of the largest companies have suffered a data breach at some point. These companies, with their billions of dollars in revenues and the ability to spend whatever is needed to defend their digital assets, have not been able to eliminate the risk of cybercrime.

There are pitfalls to the idea that a firm can effectively transfer all of its cyber threats to another company. For example:
- You probably still have some private information on your computers/networks.
- You still have employees with access to, and use of, the data that's being hosted for you. And often it's the employees themselves who are involved with the breach.
- Plaintiffs could allege that you contributed to the breach, or didn't do appropriate due diligence on the vendor.
- Plaintiffs could allege that you didn't have a right to even store certain sensitive data in the first place, let alone entrust it to another company.
- Data hosting vendors may not have the legal or financial capacity to effectively protect your firm.
- Many data hosting firms will provide hold harmless or indemnification agreements for certain types of data breaches, such as those that result from their own sole negligence; but most of those contracts have a lot of exceptions for which the firm accepts no liability.
- You're still likely to be named in a suit, even if a data hosting firm is a co-defendant. And whether or not the co-defendant ends up paying for much or any of the liability, is your firm ready to deal with the time, complexity and defense of the legal battles?
Can a company take comfort in the thought that most data breaches occur at very large businesses where cyber criminals know they can hit a jackpot of millions of personal financial records? Not according to statistics. As the chart below shows, 31 percent of data breaches in 2012 took place in companies with 1 to 250 employees. In fact, Symantec's Internet Security Threat Report, released in April 2013, found a threefold increase in small business attacks from 11 percent of attacks in 2011. More than half of the data breach targets were organizations with fewer than 2,500 employees. Security breaches happen at companies of all sizes. Attackers home in on small businesses that may often lack adequate security practices and infrastructure.

Finally, the fact that a company has not yet had an issue with data theft does not mean one will not occur in the future. As one expert from the University of Pennsylvania's Wharton School noted, information security has been an issue ever since computers started storing data. "With the rise of electronic commerce over the past 15 years, there is both far more data to steal and far more ways to steal it," says legal studies and business ethics professor Kevin Werbach. As the Internet becomes more pervasive in daily life and the value of digital transactions increases, the scope of security threats will keep growing.

Most companies have not had their building burn to the ground, yet they recognize the danger, take safety precautions that are appropriate for their circumstances, install automatic sprinklers and fire extinguishers, educate employees about evacuation procedures, and carry adequate insurance to cover any loss if a fire occurs. Similarly, business leaders need to understand the threat of cybercrime, the risks that their operations are exposed to, and the appropriate steps they can take to protect their assets.
Large breaches
- Zappos, 24 million records accessed by hackers
- Global Payment Systems, 7 million records hacked
- LinkedIn, 6.5 million records hacked
- University of Nebraska, 654,000 records stolen from database
- University of North Carolina, 350,000 records exposed inadvertently
- South Carolina Health and Human Services, 228,435 records taken by an insider
- Adobe, 3 million records breached

[Figure 4: Organizational size by percent of breaches (number of employees), with categories 1 to 250, 251 to 2,500 and over 2,501]
Where cyber threats come from

At one time, hacking may have been dominated by young technology hot shots and thrill seekers, but today cyber intrusions are more likely to be the work of criminals seeking financial gain. Companies that believe their information would not be of interest to criminals should be aware that a black market exists that makes bulk data valuable. As the illustration below shows, the more specific a data file is, the greater its value, but even selling a few thousand unverified credit card numbers will be profitable for a thief.

[Figure: The value of stolen data (credit: pcpro.co.uk). Prices shown range from $0.20 to $50,000 across the following categories: unverified credit card number; verified active credit card with owner's city; accompanying account information; verified bank account with $100,000; complete replicable identity.]

The common perception that data breaches are the work of remote hackers who use technology to invade a company's database is only partially correct. Data can be lost in any number of ways, including lost portable storage devices, stolen laptops, inadvertent posting of material online, computer malware infections and improper data disposal. All too often, human error, such as misplacing an unencrypted thumb drive or posting information on a Facebook account, can be the cause of a breach rather than actual criminal intent, although the data may still find its way into the hands of those who want to misuse it.

The Identity Theft Resource Center identified hack attacks as the most common cause (26 percent) of data breaches in the United States. The second largest cause (18 percent) was what they called "data on the move": data storage devices, laptops or paper reports that were lost or stolen in transit. Employee theft of data was the third largest cause (13 percent). Similarly, the 2013 Verizon Data Breach Investigations Report found that worldwide, the majority of breaches had external sources. But as the chart below indicates, almost half involved internal people and 10 percent involved business partners. Note: figures add up to more than 100 percent because breaches can involve both internal and external parties.

[Chart: Threat agents by percentage of breaches. External 86%, Internal 14%, Partner 10%. Source: www.verizonbusiness.com/products/security/risk]

The Verizon report also concluded that most cyber theft (78 percent) does not involve difficult techniques, and 96 percent of breaches are avoidable through simple or intermediate controls. In fact, the Ponemon Institute has reported that negligence accounted for 41 percent of breaches in the United States. Similarly, Ponemon's 2011 Cost of Data Breach Study identified employee or contractor negligence as responsible for 39 percent of data breaches. The bottom line is that anyone who stores information digitally, as almost all businesses today do, may lose data through theft or human error.
The cost of complacency

The incidence of cybercrime is growing, and companies that suffer data losses may see a direct disruption to their business operations and cash flow, but there are also many other costs associated with a breach. Almost all states now have breach laws that require companies to take specific actions, such as notifying customers, paying for credit monitoring services and/or covering costs for reissuing new credit cards. In addition, there are a variety of other laws about protecting data that may carry financial penalties. These include the Health Insurance Portability and Accountability Act, the Health Information Technology for Economic and Clinical Health Act, the Payment Card Industry Data Security Standard, Sarbanes-Oxley and the Federal Information Security Management Act. In fact, the potential cost of having a data breach is so widely recognized as a risk to businesses that the Securities and Exchange Commission has now issued guidance describing when public companies are required to disclose their cyber security risks and cyber incidents that have occurred.

The cost of compliance can be expensive. As noted earlier, most studies, such as the one from the Ponemon Institute, cite an average cost per record lost in the $200 range. As the illustration indicates, that means the costs can multiply rapidly. Of course, costs don't necessarily increase in a linear fashion as represented by this graphic. While the average cost per record may be around $200, it's possible on some breaches of a specific nature that the cost per record could be exponentially higher than that, especially on a breach that involves a lower number of total records, or lower when more records are involved.
Among the expenses are:
- An investigation by a forensics expert to determine the cause of the breach, the extent, and the persons who are impacted by the loss of personal data
- Legal fees to determine the applicable laws, develop materials and defend the company from liability claims
- Notifying victims of the data breach, which may include mail, email and/or phone calls, depending on applicable laws and the extent of the breach. A call center may need to be set up to answer inquiries
- Providing credit monitoring services, either required by law or as a public relations effort to restore the company's reputation with customers

Compliance with security breach laws is expensive when a breach occurs (source: Ponemon Institute)

Number of impacted customers    Total cost
1 customer                      $200
10 customers                    $2,000
100 customers                   $20,000
1,000 customers                 $200,000
10,000 customers                $2,000,000
Three steps for managing cyber threats

Most companies undoubtedly have thought about data protection and have put solutions in place. But managing cyber threats is not a one-and-done process. Over time, a business may grow and change; its data may represent new categories of information; its technology hardware and software may be updated or replaced by something entirely new. Even its workforce, both the people who use the data and the IT team that is responsible for protecting it, may change. The following are three steps that all companies should take annually:

1. Identify your cybercrime exposures. Take an inventory that covers the following aspects:
   a. Whose sensitive information do you have control of? Data regarding customers, employees, other businesses?
   b. How sensitive is this data? Does it include Social Security numbers, credit card numbers, health information or other very specific data about individuals? Is there intellectual property or proprietary information that you need to protect?
   c. How is the data collected, protected, used, shared and destroyed? At each step, who has access to it: you, your partners and vendors, or others?
   d. What sources of cyber infiltration are possible? Virus/malware transmission, social media activities?

2. Create strong policies and procedures, and then enforce them. Every company should have written information services policies and procedures that limit internal access to data, block external access and clearly delineate employee responsibility for safeguarding data. These policies should be linked to consequences that are imposed when a violation occurs. A person or department should be charged with responsibility for information security, including the resources necessary to perform audits, monitor data usage and make recommendations about effective data protection solutions.

3. Transfer risk with appropriate insurance. Despite the best protections, a breach may still occur. In that case, you will want to have insurance in place that will cover any liability costs and the expense associated with mitigating the breach. Work closely with a knowledgeable broker to make sure your insurance gives you the coverage you want. In many instances, a cyber endorsement on a general liability policy may be too limited to address the costs you will face.

Almost everyone has heard about cybercrime, and all too many companies have had first-hand experience with it. The reality is that the chance of having a data breach is a risk that should be assessed and managed. By understanding your exposures, taking active steps to address them and transferring risk with the appropriate insurance, you can protect your business even when your data goes missing.

Cyber insurance coverage options are wide ranging

Many cyber insurance policies provide coverage for:
- Communications and media liability
- Network and information security liability
- Expense reimbursement, including:
  - Data restoration expense
  - Network impairment/business income (losses due to electronic vandalism and denial of service to third parties)
  - Computer fraud
  - Funds transfer fraud
  - Notification expenses
  - Crisis management services
  - Cyber extortion
  - Telecom theft

Cyber insurance policies are not standardized. Coverage proposals should be reviewed carefully.
The following are some additional resources that are cited in this report:
- The 2014 Data Breach Investigations Report, Verizon: http://www.verizonenterprise.com/dbir/
- Ponemon Institute Research Report: 2013 Cost of Data Breach Study: Global Analysis
- Privacy Rights Clearinghouse: http://www.privacyrights.org/data-breach/new
- 2013 Internet Security Threat Report, Symantec: http://www.symantec.com/about/news/release/article.jsp?prid=20130415_01
- Computer Security Institute
- National Conference of State Legislatures

The Travelers Indemnity Company and its property casualty affiliates, One Tower Square, Hartford, CT 06183

This material is for informational purposes only. All statements herein are subject to the provisions, exclusions and conditions of the applicable policy. For an actual description of all coverages, terms and conditions, refer to the insurance policy. Coverages are subject to individual insureds meeting our underwriting qualifications and to state availability.

© 2014 The Travelers Indemnity Company. All rights reserved. Travelers and the Travelers Umbrella logo are registered trademarks of The Travelers Indemnity Company in the U.S. and other countries. CP-8202 New 7-14