
This past week was characterized by the business impact behind security. The cost of a breach keeps rising, and so do cyber insurance rates.

While rates climbed, the week also revealed a few more breaches.

Highlighting the cyber-security news from the past week in a 120 sec. read. Starting now. 

 

Breaches

Dow Jones, whose subscriber base includes the Wall Street Journal's customers, was breached sometime between Aug. 2012 and July 2015. According to CEO William Lewis, the compromised information consisted of credit and debit card data belonging to "fewer than 3,500 individuals".

http://www.nbcnews.com/tech/security/dow-jones-says-hack-may-have-exposed-card-info-3-n441886

Why is this significant?

  1. Since Dow Jones cannot say exactly when the breach took place, it appears the company learned of it from a third party rather than detecting it itself.
  2. We may be witnessing only the beginning of the story, since according to Lewis this incident "was likely part of a broader campaign involving a number of other victim companies".
  3. Update, Oct. 24: The FBI confirms that the recent breach of the Dow Jones site, which also affected Wall Street Journal subscribers, is linked to a Russian ring that infiltrated the site to gain insider knowledge. Dow Jones, however, says it has not formally received confirmation from the authorities on the matter.

 

America's Thrift Stores is under investigation for a breach that occurred from Sept. 1 to Sept. 27, 2015. The attackers, most likely located in Eastern Europe, obtained payment card numbers from customers who made purchases in four southern U.S. states.

http://www.waaytv.com/appnews/data-breach-at-america-s-thrift-store/article_54d19932-6ee5-11e5-8ff6-9346de8970c3.html

Why is this significant?

  1. The breach occurred through a third-party service provider. A company that outsources its customer data to a third party must make sure that the third party is held to a high security standard. For the customer it doesn't matter who is responsible: they entrusted their data to the company on the assumption that it would be handled responsibly and kept secure.
  2. The disclosure contains too many "may" and "potentially" qualifiers and no hard numbers on how much data was stolen, when, or who was affected. The same question marks come up at breach after breach, showing that getting a clear picture of the amount and type of exfiltrated data has become a task most companies cannot manage.

Just a month after Samsung purchased LoopPay in February, the Codoso Group (also known as the Sunshock Group), which is associated with the Chinese government, compromised LoopPay's computer network in March. According to LoopPay, the intruders were after its MST (Magnetic Secure Transmission) technology, which lets Samsung Pay users pay with their smartphones at existing magnetic-stripe card readers.

http://www.nytimes.com/2015/10/08/technology/chinese-hackers-breached-looppay-a-contributor-to-samsung-pay.html

 

Why is this significant?

  1. LoopPay says that its corporate network was infiltrated but that the production network handling payment information was not compromised. The intruders appear to have been after intellectual property related to MST.
  2. Yet another breach that was not detected by the victim itself. In this case, an organization investigating the Codoso Group alerted LoopPay to the intrusion in August.
  3. Samsung is taking a big risk by going ahead with the release of Samsung Pay just 38 days after being notified of the compromise, when on average it takes 46 days to resolve the issues following such an attack. The investigation continues, and Samsung is downplaying the incident, saying that all compromised machines have been accounted for and that no consumer information was exposed. The Codoso Group, however, is known for keeping a foothold and hiding quietly within the systems it has compromised.

Security Landscape

Cyber insurance costs are increasing, with health insurers' premiums tripling at renewal time. Retailers' average rates rose 32 percent in the first half of the year. Higher deductibles for both retailers and health insurers, together with difficulty renewing coverage at all for some, are becoming a reality in the cyber insurance world.

http://www.reuters.com/article/2015/10/12/us-cybersecurity-insurance-insight-idUSKCN0S609M20151012

Why is this significant?

  1. A recent PwC study estimates that the cyber insurance market is on its way to tripling to about $7.5 billion over the next 5 years.
  2. The fact that insurers are quick to jump on the cyber bandwagon, together with companies' growing demand for cyber insurance, shows that companies of all sizes are now starting to operate under the assumption that an attack is inevitable.
  3. While cyber insurance will cover some of the associated costs, we need to recognize that it doesn't solve the problem. Like household, car and health insurance, it helps cover costs after the fact, but it is not a proactive measure that keeps a company off the front page.

 

Ponemon Institute published its annual Cost of Cyber Crime Study for 2015. The study is based on data from 52 companies in 7 countries and a total of 1,928 attacks used to measure cost. The average annualized cost is $7.7 million, a 1.9% net increase over the previous year.

http://www.ponemon.org/library/2015-cost-of-cyber-crime-united-states

Major report highlights include:

1. According to the report, "The cost of cyber crime impacts all industries. The average annualized cost of cyber crime appears to vary by industry segment”. The report continues that “the cost of cyber crime for companies in financial services and utilities & energy experienced the highest annualized cost. In contrast, companies in healthcare, automotive and agriculture incurred a much lower cost on average."

2. The time it takes to resolve or contain cyber crimes increases the cost. "The mean number of days to resolve cyber attacks is 46 with an average cost of $21,155 per day – or a total cost of $973,130 over the 46-day remediation period." Note that resolution does not necessarily mean the attack has been completely stopped: some attacks remain dormant and undetected, as is typical of modern attacks.

3. High cost break-downs:

  • "Business disruption represents the highest external cost (In the context of this study, an external cost is one that is created by external factors such as fines, litigation, marketability of stolen intellectual properties and more, followed by the costs) associated with information loss. On an annualized basis,business disruption accounts for 39 percent of total external costs, which include costs associated with business process failures and lost employee productivity."
  • "Detection is the most costly internal activity followed by recovery. On an annualized basis, detection and recovery costs combined account for 53 percent of the total internal activity cost with productivity loss and direct labor representing the majority of these costs."

4.  "Cyber crime cost varies by organizational size. Results reveal a positive relationship between organizational size (as measured by enterprise seats) and annualized cost.  However based on enterprise seats, we determined that small organizations incur a significantly higher per capita cost than larger organizations ($1,388 versus $431)."