It may be time to add a new item to life’s certainties: Death, Taxes and Hackers. Our interconnected, online world continues to push the envelope of productivity and convenience, while at the same time decreasing privacy and security. Our special feature on cyber risk covers not only hacking and electronic threats, it looks at negligence and violations of privacy, breach of corporate information and intellectual property, board level issues, liabilities, regulatory advancements and other challenges for modern businesses.
The risk is no longer avoidable. What began as a niche issue for technology companies, banks, and healthcare firms now creates exposures for all employers, not-for-profit organizations, and even government agencies. With thousands of breaches and losses occurring each year, making cyber risk evaluation a part of your ongoing management process is critical. In this special feature, our practice leaders shine a spotlight on various industry and operational risks in the cyber universe.
Intellectual Property – Risk to Trade Secrets is Growing; Coverage Isn’t
Economic espionage is a crime that harms both corporate and national interests in protecting intellectual property. Yet there is a fundamental misunderstanding of the inherent value of trade secrets in the context of risk transfer. Many companies do little to protect their trade secrets; they fail to ask themselves "What information would I not want in the hands of my competitors?" If a company does not protect its trade secrets, neither will a court. Companies should craft specific physical, information-technology and other security measures and policies to protect trade secrets, just as they do with non-disclosure agreements. While every industry takes a keen interest in the loss of value associated with an electronic breach of trade secrets, very little insurance coverage is currently available. With the well-publicized cases of Google in China, Northrop Grumman, WikiLeaks and others in the past three years, understanding of the need to address this risk through insurance is rising, and such coverage will continue to evolve.
Employee Benefits – Protected Health Info Increases Employer Risk
Employers are responsible for safeguarding protected health information (PHI) associated with their medical plans. Given the inherently sensitive nature of this information and its appeal to cyber criminals, employers need to be aware of HIPAA privacy and data-security requirements. The final HIPAA privacy rules regarding medical records, together with the ongoing migration to electronic record-keeping, make business associates directly liable for their mishandling of PHI. Business associates are third parties that may hold, view, handle and release PHI; employers enter into agreements with them, and the use of PHI is subject to the terms of those business associate agreements (BAAs). The new rules require employers and all business associates to take a more proactive stance. The BAA is now only a baseline requirement, and its existence no longer insulates employers from liability for the failures of a business associate. Employers will therefore need to require vendors to certify that their privacy and security measures are appropriate, so that plan sponsors are not liable if a vendor's systems are inadequate. In addition, the employer must conduct adequate due diligence that a vendor's privacy and security measures meet HIPAA's requirements and must verify compliance with the terms of the BAA. Failure to do so can result in substantial financial and reputational harm.
Financial Services – Cyber Security for Financial Institutions Finally Gets a Commander-in-Chief
Financial institutions have to contend with myriad regulators and cyber security issues. Multiply numerous regulators by an alarming array of risks and the risk management function becomes almost impossible. The Federal Financial Institutions Examination Council (FFIEC) is working to simplify all that, or at least to limit the red tape. The FFIEC is an interagency body of the United States government. Its purpose is to promote harmony, if not uniformity, among the various financial regulators, including the Federal Reserve Board, the FDIC, the OCC, the National Credit Union Administration (NCUA) and the new Consumer Financial Protection Bureau (CFPB). In early June, the FFIEC announced the formation of a working group to promote coordination across the federal and state banking regulatory agencies on critical infrastructure and cyber security issues. Technology committees already exist within the FFIEC, but this new group is intended to help federal and state regulators march in step when it comes to managing cyber risk. It is entirely possible that the working group will be just another layer of bureaucracy, but, at this time, it appears to be an important step in creating consistency within the regulatory community in its oversight of cyber security. Ideally, it should ultimately mean that institutions will only have to turn to one source to determine the mandatory cyber security requirements of their various regulators. An important step in the right direction.
D&O – Boards Lack Understanding of Vast Cyber Risk
So far as directors' and officers' liability is concerned, there is a whole universe of potential cyber risk not understood at board level. The starting point is the same as for any other form of significant business risk: directors are generally under a duty to gain a basic but sufficient understanding of the nature of all such risks. Gaining this understanding is a key aspect of a director's supervisory function and, many courts have held, cannot be delegated. In the realm of cyber risk, the particular challenge for boards is that the universe of potential cyber risk is broader than more tangible risks such as health and safety, property damage and supply chain interruption. Moreover, depending on the nature of the company's activities, serious data breaches can occur through basic human error, through sophisticated hacking activity, or through a combination of the two. Once a board is aware of a cyber security issue, the dilemma is what to do with that knowledge. On the one hand (as the SEC's disclosure guidance issued in 2011 makes clear) there are perils associated with non-disclosure. On the other hand, there are risks associated with disclosing cyber breaches before the underlying problem has been fixed. A company would not wish to provide an invitation, or a route map, to other hackers to have a go; that in itself could lead to additional reputational damage and destruction of shareholder value. Whilst this dilemma is and remains particularly acute in the U.S. (and the SEC guidance underlines this), the basic threat and the various conundrums it poses remain the same for directors everywhere.
Pension Funds – Must Protect Personally Identifiable Info Too
A few weeks back, we were speaking with the trustees of a large state pension fund, managing tens of billions of dollars for retirees and their beneficiaries, and the topic turned to cyber security. We told them that they have “a substantial asset under management” that they might not even be aware of, and therefore not protecting to the fullest: the private, personally identifiable information (PII) of their plan participants and beneficiaries. While few public pension funds are savvy enough to be purchasing cyber coverage today, this group stepped up to the plate and will soon add insurance to the list of loss control tools that they are implementing to protect the financial assets and PII under their care and control, ensuring that pensions are more fully protected.
Law Firms – Most Major U.S. Law Firms Have Been Victims of Security Breaches
Recently, FBI agent Mary Galligan warned that the FBI knows of hundreds of law firms that have been targeted by hackers. Whether it's a 12-attorney firm that filed a $2.2 billion lawsuit against the Chinese government or a global AmLaw-100 law firm, lawyers are increasingly the target of hacktivists, cyber criminals and foreign governments. Why are law firms targeted? Hackers are financially motivated, and law firms' computer systems are perceived as more easily accessible than those of their clients. More importantly, law firms are a repository of extremely valuable confidential information, information that, in the wrong hands, can be worth billions of dollars. Couple these challenges with pressure to keep current with technology and to exchange information effortlessly with clients, and you have a recipe for cyber disaster. The expense of responding to an information security breach can be significant. Moreover, attorneys have ethical, common law and contractual obligations to protect client confidences. Failure by a law firm to take appropriate steps to protect client data could have disastrous consequences, including malpractice claims, bar complaints or serious damage to the firm's reputation.
Energy – Computer Dependence Means Cyber Risk
There's no doubt that cyber risk has a major impact on the energy industry. Take the example of a natural gas pipeline company with a wide distribution network. Today's distribution systems depend heavily on computer technology to transport gas safely and efficiently to the end user. Although natural gas systems are equipped with manually operable safety devices, a cyber attack can cause a major loss of system control with profound negative consequences: network downtime means lost revenue. And yet, oddly enough, most energy firms are still uninsured for this kind of loss of revenue.
Life Sciences – Medical Device Hackers: Fact or Fiction?
In a popular television series, a terrorist hacks into the Vice President's pacemaker software, causing it to malfunction and kill him. Is this a real risk, or are we just watching too much television? Well, several government officials are taking the risk seriously. The FDA and ICS-CERT (the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team, which coordinates with private industry) both published warning notices on the same day this month. Many medical and surgical devices contain hard-coded passwords in their firmware, effectively maintenance "backdoors", and those passwords are relatively easy to obtain. Because they are built into the firmware rather than set per device, the same password typically works on every unit of a model. They are used by maintenance and service technicians and could allow access to the device's critical settings or permit modification of its firmware. So the risk is, arguably, real. The good news is that we haven't heard of any real examples of this hacking actually taking place. And, now that the exposure is understood, device manufacturers can redesign their devices and firmware with better security. Also good news: generally speaking, the insurance industry's standard product liability policy should cover this type of loss. But if you are a medical device manufacturer, expect more questions about device security on your next renewal application.
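To make the mechanism concrete, here is an added example written for this article; it is not code from any device manufacturer, the FDA or ICS-CERT. It simulates a device whose service mode is gated by a single hard-coded passcode (the hypothetical value "1234"), beside one provisioned with a unique per-device credential, a lockout counter and authenticated firmware images. Device names, the passcode and the firmware images are all constructed for illustration.

```python
"""Hard-coded service passcode versus per-device credential (constructed example)."""
import hashlib
import hmac
import os
import secrets

# The pattern the advisories describe: one passcode baked into the firmware,
# identical on every unit, so a single leak opens every device of that model.
HARDCODED_SERVICE_PASSCODE = "1234"   # hypothetical value, assumed for the example


class VulnerableDevice:
    def __init__(self):
        self.mode = "patient"
        self.firmware = b"vendor-firmware-v1"   # constructed image

    def enter_service_mode(self, passcode):
        # Plain equality against a constant: no per-device secret, no lockout.
        if passcode == HARDCODED_SERVICE_PASSCODE:
            self.mode = "service"
            return True
        return False

    def write_firmware(self, image):
        # Service mode is the only gate; any image at all is accepted.
        if self.mode != "service":
            return False
        self.firmware = image
        return True


class HardenedDevice:
    """Per-device credential, constant-time check, lockout, authenticated images."""

    ITERATIONS = 50_000
    MAX_FAILURES = 5

    def __init__(self, service_secret, firmware_key):
        self.mode = "patient"
        self.firmware = b"vendor-firmware-v1"
        self.salt = os.urandom(16)
        # Only a salted, stretched hash of the credential lives on the device.
        self.secret_hash = hashlib.pbkdf2_hmac(
            "sha256", service_secret.encode(), self.salt, self.ITERATIONS)
        self.firmware_key = firmware_key
        self.failures = 0
        self.locked = False

    def enter_service_mode(self, passcode):
        if self.locked:
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", passcode.encode(), self.salt, self.ITERATIONS)
        if hmac.compare_digest(candidate, self.secret_hash):
            self.failures = 0
            self.mode = "service"
            return True
        self.failures += 1
        if self.failures >= self.MAX_FAILURES:
            self.locked = True   # stops online guessing of the credential
        return False

    def write_firmware(self, image, tag):
        # Service mode is necessary but not sufficient: the image must carry a
        # tag under a key the technician never holds. A real device would use a
        # public-key signature; an HMAC keeps the example self-contained.
        if self.mode != "service":
            return False
        if not hmac.compare_digest(sign_firmware(self.firmware_key, image), tag):
            return False
        self.firmware = image
        return True


def sign_firmware(firmware_key, image):
    """Tag an image the way the vendor's build system would (HMAC stand-in)."""
    return hmac.new(firmware_key, image, hashlib.sha256).digest()


def provision_hardened_device():
    """Factory step: unique service secret per unit plus the vendor's image key.
    Returns (device, service_secret, firmware_key)."""
    service_secret = secrets.token_urlsafe(12)
    firmware_key = secrets.token_bytes(32)
    return HardenedDevice(service_secret, firmware_key), service_secret, firmware_key


def leaked_passcode_attack(device, leaked_passcode, malicious_image):
    """Replay a leaked passcode and push an unsigned image.
    Returns True if the device ends up running the attacker's image."""
    device.enter_service_mode(leaked_passcode)
    if isinstance(device, VulnerableDevice):
        device.write_firmware(malicious_image)
    else:
        device.write_firmware(malicious_image, b"\x00" * 32)
    return device.firmware == malicious_image


if __name__ == "__main__":
    evil = b"attacker-firmware"
    print("vulnerable device compromised:",
          leaked_passcode_attack(VulnerableDevice(), "1234", evil))
    dev, _, _ = provision_hardened_device()
    print("hardened device compromised:",
          leaked_passcode_attack(dev, "1234", evil))
```

The point of the two classes is the difference in blast radius: a passcode leaked from one vulnerable unit works on all of them and is enough to replace the firmware, whereas on the hardened device the leaked value is useless, repeated guessing locks the unit, and even a legitimate technician cannot load an image the vendor did not tag.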
Utilities – Cyber Attacks Already Target Global Power Infrastructure
There are examples in recent years of cyber attacks on the power industry. In 2010 the Stuxnet computer worm was used to infect the Siemens supervisory control and data acquisition (SCADA) systems that control Iran's uranium enrichment programme (with India and Indonesia reported to have been more heavily infected than Iran). A report issued in the U.S. in May this year by Congressmen Ed Markey and Henry Waxman warned that America's electric grid "is the target of numerous and daily cyber-attacks," but "[m]ost utilities only comply with mandatory cyber-security standards, and have not implemented voluntary NERC [North American Electric Reliability Corporation] recommendations." The report notes that cyber attacks can create instant effects at very low cost, and that it can be very difficult to identify the attacker. According to the report, "It has been reported that actors based in China, Russia, and Iran have conducted cyber probes of U.S. grid systems, and that cyber-attacks have been conducted against critical infrastructure in other countries," citing the example of the 2012 Shamoon malware attack on Saudi Aramco, Saudi Arabia's state-run oil company, which wiped more than 30,000 computers.
Enterprise Technology – Bring your own Opportunities and Challenges
Bring your own device (BYOD) programs, in which employees use their own devices for work purposes, present IT managers with both benefits and challenges. A recent Intel survey of IT managers and end users found widespread support for BYOD policies. While respondents saw productivity benefits as a key driver, cost savings took a surprising back seat. Nearly all IT managers reported concerns about security for employee-owned devices, from meeting compliance regulations and securing data to managing lost or stolen devices. In response, companies need to ensure that employee-owned devices are encrypted. This, coupled with the wide range of mobile devices in use, each of which may require different back-end servers to support it, could result in additional costs to the employer. A BYOD policy should clearly state the employee's responsibility to report a lost or stolen device promptly, and the procedure by which the company will remotely erase data from the device when that happens. Encryption of mobile devices is also a key underwriting criterion for a cyber insurance policy; the absence of such measures, or of a robust disaster recovery plan, could result in higher premiums for cyber liability cover. Mitigating the additional risks and potential costs of a BYOD policy should be a boardroom priority, rather than left to the IT department to deal with in isolation.
Cyber-Terrorism – Turmoil of the Developing World
The probability, nature and impact of cyber attack and cyber terrorism (yes, they are different, but in many ways similar) are debated elsewhere in this feature. To date the focus has been on the vulnerability of large corporate clients to a spectrum of threats from a broad constituency, ranging from the independent hacker in search of kudos to governments attempting to steal information or bring down an enemy's critical facilities. Corporates will be exhorted by governments to wake up to the threat of business interruption and espionage. Generals will speak of the new battle landscape and of their troubles in getting their treasuries to fund research and defensive developments.
But what of the "Rest of the World"? Developing countries, autocratic or aspiring to democracy, often exhibit structural and economic weakness and struggle for political legitimacy, sometimes within contested boundaries and often without a developed IT sector. Such conditions make for poor cyber security. Where recourse to the law is weak, cyber offensives and political influence can combine to a potent degree, leaving multinational companies to worry about:
- critical assets of their supply chains
- vulnerability of their corporate intranets through less robust local offices
- disgruntled employees susceptible to persuasion or coercion
- social media activism
Perhaps, in this “inter-connected world,” it is the weaker states hosting critical corporate assets that represent the “soft underbelly” for cyber warriors.