partner login

BMS News

Cyber Risk – The BMS View

BMS’ Rupert Alabaster, Director Professional & Financial Services, reviews current cyber risk news and gives you the BMS view:

 

Travel Security

The FBI have warned that hackers are targeting guests’ data when they log into hotel Wi-Fi. It warned of corrupt software update pop-ups when using hotel Internet connections overseas. When they clicked on the “update,” malicious software was installed on their computer.

Hotel Wi-Fi connections are especially risky because often they are set up without proper security settings. But all free Wi-Fi internet connections accessed when travelling can the likelihood of private personal or corporate data being compromised.

BMS view – It is important that corporate security procedures are kept up to date to ensure that executives are fully aware of the exposures they face when travelling and what they should do to protect themselves and the company. It is also worth checking the cyber insurances to see if there is any exclusion where such procedures have not been followed.

 

Cyber security for industrial control systems

Joel Langill, Chief Security Officer and Control System Cyber Security Specialist for SCADAHacker, explains how easy it is to hack into most PLCs and provides you with steps to take now to protect your operations. http://www.automationworld.com/security/tac-presentation-cyber-security-industrial-control-systems

BMS view – in this day and age all companies should have a form of cyber insurance in place that will help protect them from such breaches. It should rank up there alongside of buying property and business interruption coverage.

 

Reuters – Scores of U.S. companies have not disclosed breaches of their computer systems, even though eight months have passed since U.S. securities regulators issued guidelines on disclosing cyber attacks, according to leading security experts.

There have been lots of breaches in every industry that have never been publicized,” said Shawn Henry, the FBI’s former top cyber cop, who joined a new cybersecurity company, CrowdStrike, in April.

Henry said the FBI was working on 2,000 active cyber cases when he retired from the agency in March. “There’s only a handful of cases that anybody has ever heard about.” he said.

U.S. government officials and cybersecurity consultants have been raising alarms about the growing sophistication of attacks on private and government computer networks.

Some companies do not disclose cyber breaches because they feel they were not material, said Dmitri Alperovitch, founder and chief technology officer of CrowdStrike. He said he knew of a publicly traded defense contractor that lost intellectual property (IP) to China because of a cyber intrusion.

“The justification they used for not announcing is that they only do business with the U.S. government and it doesn’t really matter that the Chinese stole all their IP because the U.S. government will never buy from China, so it wasn’t really material to them,” said Alperovitch, who declined to name the company.

Henry and other top U.S. officials have underscored the severity of cyber threats by citing a case in which one publicly traded company lost $1 billion of intellectual property in a single intrusion over a weekend.

A Reuters review last winter of more than 2,000 SEC filings that mentioned cyber risks found that some companies revealed significant new information about hacking incidents, but the vast majority merely described a general risk of cyber incidents. Some defense companies and other firms known to have suffered computer breaches did not mention the incidents in their filings at all.

LinkedIn Corp (LNKD.N), a social network for job seekers and professionals, last week became the latest high-profile company to be hacked. It said it was working with the FBI to investigate the loss of millions of member passwords, but has not submitted any SEC filing on the matter

LinkedIn spokesman Hani Durzy said the company had complied with SEC requirements, and had been giving members and the public “ongoing disclosures” and updates on its corporate blog.

BMS view – not only is the scale of cyber crime phenomenal, but the losses involved are serious. All companies need to seriously look at buying appropriate protection, and the insurance market needs to work together to provide relevant cover and higher limits.

Click here to access the full BMS Intangible Asset Protection website, with expert, in-depth videos and case studies.

Data Protection – the growing risk for the Healthcare industry

BMS Professional & Financial Services Director, Phil Murphy, discusses how significant data protection is to the healthcare industry:

Healthcare providers face rising costs and pressures from politicians to cut budgets, while at the same time they are waking up to the significant cost a data breach can have on their business and reputation.

The healthcare industry currently collects and stores massive amounts of private data, from a wide range of individuals, including credit card numbers and social security numbers. This can include details belonging to government officials, politicians and celebrities. This data is easily lost or stolen by individuals seeking to gain financial advancement through the use of this data. This means the healthcare industry now sees this as an additional exposure that needs to be considered when looking at an insurance programme.

It is very much a growing problem. After a few high-profile incidents of breaches publicised in the media and the resultant cost of those profile breaches to the healthcare industry –  has had a massive impact on bottom line revenues.

Hospitals are places where data is often at risk. The physicians within the hospital systems generally use laptops or handheld data palm readers which store a lot of data. They are very easy to lose, and sadly with the laws in the US, once you have lost something like this, you have to then involve the regulators and everyone else in making sure that the data breaches are communicated to the public and that credit monitoring and various steps are put in place to ensure that the data is protected and that affected individuals are recompensed for it.

With the HITECH law that has just been introduced, there are very severe regulatory sanctions and penalties that can be imposed for loss of data. They can fine you up to $25,000 per patient record, plus an additional $100 per day for every individual affected that it goes unreported.

On top of that, there is the reputational risk and harm that you can do to your own goodwill by the loss of data. The attendant crisis management costs associated with that can be quite staggering.

Overall, the need for the insurance industry to offer protection to the healthcare industry in case of a data breach or loss has never been more prominent and it takes the right kind of broker to provide tailored products that will amply cover all areas of potential loss.

Click here to access the full BMS Intangible Asset Protection site and Phil Murphy’s Video discussing Data Protection & the Healthcare Industry.

China’s Cyberwar Skills

Rupert Alabaster, Director BMS Professional & Financial Servicesresponds with his thoughts following  the  US report on China’s cyberwar skills, a risk to military  – profiled by BBC News, 8 March 2012. Rupert will be establishing a regular blog on the themes of Cyber Risk, Intangible assets and the insurance market.

There is more and more talk of the next confrontation being fought in cyberspace rather than with soldiers. Certainly, there is a concern that key infrastructure from utilities and government through to emergency-responder networks and banking systems maybe targeted.

And it will not obviously be one nation state versus another, at least on the surface. Rather all sorts of cyber groups may be at work infiltrating systems, manipulating, stealing and changing data.

As more and more companies become aware that it is not just a lone hacker sitting in their bedroom that could be interested in what is on their servers, there is a much heightened focus on cyber security. In turn, risk managers are being asked to buy cyber insurance as protection against security breaches. But – and it is a big but – cyber insurance policies are not all the same and few, if any, are specifically designed to protect against a coordinated attack on behalf of a State.

The problem is that most cyber policies carry a version of the traditional War/Terrorism exclusion. They vary in their language but generally the intent is not to cover coordinated State or politically motivated attacks. And with the US declaring that State coordinated cyber attacks could constitute an act of war (BBC News, 1 June 2011) you can bet that underwriters will look closely at this exclusion in the event of a big claim.

Cyber is not only the new front for war and criminal activity, it is also at the vanguard of new risks being identified and insurances designed. It is early days and the present crop of coverages have a long way to go before risk managers can sleep easy at night.

Click to view the BMS Wholesale, Professional and Financial Services homepage