Articles Posted in News and Policy

On April 28, 2016, Angie Singer Keating (CEO of IT security firm Reclamere), Renee Martin (a true HIPAA expert) and little old me will be presenting the first of a three-part series on data breach preparedness, response and mitigation for companies that maintain personal health information.  It’s a breakfast series, so we’ll start early, with bagels and coffee (and something healthy I’m sure) at 7:30 AM and the presentation going from 8 AM – 9 AM.

To get the nitty-gritty details and RSVP, follow this link.  Hope to see you there!

Most of you are probably aware of the Hollywood Presbyterian Medical Center data breach.  On February 5, 2016, hackers froze the hospital out of its electronic patient records.  Reports have indicated that the hospital had no access to those records until it paid a $17,000 ransom almost two weeks later.  Over the past month, there have been at least 14 similar attacks reported by hospitals in California, Kentucky, D.C. and Maryland.  The critical nature of data security for heavily regulated healthcare institutions is nothing new, but the threat that hackers will encrypt health records for ransom – sort of the opposite of the more traditional threat of improper disclosure – is a relatively new risk.  It is one, however, that a cyberinsurance policy can cover.

“Can.”  Not necessarily “does.”

Policies have drawn a distinction between cyber extortion and other types of network security breaches.  At the most general level, there seems to be little difference.  It all starts with unauthorized access.  A “ransomware” attack, one form of cyber extortion, is different only with respect to what the hacker does after gaining network access – the hacker encrypts the data and demands payment to “unlock” the records.  Up until that payment demand, the event would likely fit within almost any cyberinsurance policy’s definition of a network security claim, or whatever term the policy uses to describe first-party coverage for data breach response and remediation.

Maybe, but they’ll probably be much less controversial than the last big insurance mandate – er, tax.  There is a growing consensus that the Securities and Exchange Commission is inching toward a cyberinsurance requirement for institutional money managers.  Many think that this is a move in the right direction.

In a recent article, Rick Baert discussed the increasing frequency with which money managers are purchasing cyber security insurance, with the percentage of managers carrying the coverage growing from 5% in 2014 to 30% in 2015.  At the same time, the SEC has been conducting more frequent manager reviews under its Regulation Systems Compliance and Integrity Rule.  In those reviews, the SEC has consistently asked whether managers have cyber coverage and, if so, in what amount.  Some see the question simply being posed as the writing on the wall – cyberinsurance will soon become mandatory for money managers.

What about everyone else?

Hollywood Presbyterian Medical Center recently made headlines when cyber-extortionists prevented access to all electronic patient files for 10 days.  Reports of the hackers’ demands ranged from $3.4 million to 3.4 million bitcoin (over $1.4 billion).  In the end, a $17,000 ransom unlocked the files.  One has to wonder, however, what type of threat to patient well-being persisted during the intervening week and a half due to this historic disruption of a business charged with keeping us healthy, and, in some cases, alive.

A few days ago, the New York Times ran an article by Fred Kaplan about another Hollywood hack – the one in the 1983 film “War Games,” where Matthew Broderick hacked into the United States Military’s defense command system.  The article reports that President Ronald Reagan saw the movie, and it prompted him to pose a question to his highest-ranking advisors: “Could this really happen?”

After General John Vessey, Jr. reported back, “the problem is actually much worse than you think,” Reagan issued the first official U.S. policy statement on cybersecurity…in 1984.  Though Congress overrode the directive due to privacy concerns (30 years ago, they didn’t want the NSA spying on Americans…now…), research leading to the directive revealed that hacking was a known threat as far back as the 1960s.

I’m pleased to announce that Louis Guard, Counsel and Chief of Staff at Hobart and Smith Colleges, and I will be presenting at the University Risk Management and Insurance Association’s Western Regional Conference on February 17, 2016 in Denver, Colorado.  The presentation, “Cyber 2.0: What We’ve Learned So Far and What We Haven’t,” will discuss the need for cyberinsurance in the higher education industry, the critical elements of coverage and several specific, complex issues faced by schools in this context.  Whether your school is considering procuring cyberinsurance for the first time or is looking to identify key issues in the renewal process, we’ll give you concrete take-aways to facilitate a more informed and more up-to-date analysis.  Plus, we’re hilarious.  See you in Denver!

The Target data breach reportedly impacted over 100 million people.  The Anthem breach, approximately 80 million.  And the Ashley Madison hack made almost 40 million users nibble their nails while the world skimmed that now infamous “list.” But one of the most notable cyberinsurance developments of 2015 was the introduction of a policy designed to protect just one person.

The big retailers, financial institutions and healthcare organizations dominate the data breach headlines, but high-net-worth individuals have exposure to the same types of cyber security issues more typically associated with large corporations.  For obvious reasons, hackers have begun to turn their attention to the theft of high-net-worth individuals’ financial data and account information.  Hackers have also begun to cause considerable trouble by digging into high-profile individuals’ healthcare records, and by posing as these individuals on social media platforms.  And without IT departments protecting networks and responding to threats, the rich and the famous have become a fairly enticing target for cyber crime.

In 2015, Privilege Underwriters Reciprocal Exchange (PURE) introduced CyberSafe Solutions, a cyberinsurance policy for high-net-worth individuals.  The policy covers identity theft, unauthorized financial transactions and liability for cyber-related actions and damages.  With the policy, PURE also provides cybersecurity educational resources, a help line and a ten-point cyber risk assessment of the policy holder’s home network.  Through its partnership with Concentric Advisors, PURE is also offering a more in-depth home cyber security audit, a detailed analysis of policyholders’ web profiles to gauge the type and scope of security exposure and “CyberShield,” a product that is basically an alarm system/emergency responder for your home network.  These risks are not likely covered by homeowner’s or any other insurance, and yet they are becoming among the most likely to manifest, particularly for individuals whose personal data is the most valuable.

There are Chinese websites offering distributed-denial-of-service (“DDoS”) attacks for sale.  Reminder: DDoS attacks generally involve a hacker taking control of a large number of internet-connected computers (collectively, a botnet) and telling them to flood a webserver with enough activity to crash the system.  While Chinese sites get a lot of press, there are plenty of other places to purchase botnet attacks.  You can even specify how many botnets you want flooding a particular system and for how long.  I read on a web forum that you can rent 1,000 botnets for an hour for as little as $25.

And for that, I’m thankful.

What? You heard me.

I frequently hear that cyberinsurance decisions are made solely by Risk Managers.  In the typical circumstance, that makes sense.  Risk Managers manage risk.  But cyberliability, at this stage, is not a universe of typical circumstances.

The nature of the risk is new and rapidly changing.  Actuarial data is sparse.  Carriers and Risk Managers frequently have incomplete understandings of insureds’ IT infrastructure and exposure.  As a result, unlike the standard policy forms that have evolved over decades in other contexts, cyberinsurance policies are all over the place in terms of coverage grants and exclusions.  Amid this lack of uniformity, many insureds likely have coverage that is inappropriate or incomplete.

There is good news.

Let’s play a word association game.  What is the first word that comes to mind when I say the phrase, “data breach”?  If you thought, “hacking,” you’re not the only one.  But according to many accounts, hacking accounts for only about a third of data breaches.

Plain old theft, in its more traditional, purse-snatching form, accounts for another ten percent of breaches.  While laptop theft is the most common cause in this context, there have been many data breaches in the past year caused by the theft of desktop computers, thumb drives and, of course, smart phones.  Obviously, thumb drives and phones are the easiest to snatch.  They are also increasingly becoming key operational elements in nearly every industry, and I expect the number of breaches caused by their theft to likewise trend upward.  Another ten percent of breaches are caused by “malicious insiders,” disgruntled current or former employees who damage or sell data for all of the obvious reasons.

You probably haven’t raised an eyebrow yet.  But we’ve only covered the causes of about half of data breaches.  What about the other half?

Some have called higher education institutions the “center of the bulls-eye” when it comes to data breach targets.  That’s probably a bit too dramatic.  Just a bit.

Higher ed institutions need their networks to be accessible by large numbers of students and faculty members across a broad range of locations.  Students and professors produce and consume an enormous volume of electronic data.  And schools store the good stuff – think financial, medical and personally identifiable information.  The combination of perceived vulnerability and valuable information is kind of a perfect storm.

And the storm has officially made landfall.  Richard Perez-Pena, of the New York Times, did a nice job covering this climate change in his 2013 article, “Universities Face a Rising Barrage of Cyberattacks.”  Perez-Pena reported that the University of Wisconsin was seeing 90,000 – 100,000 hacking attempts per day.  Berkeley reported millions of attempts per week.  He notes that these institutions, between student and faculty data and research, are “among the most open and robust centers of information exchange in the world.”  Open and robust is a good thing, right?