Cyber Decoder - JLT Specialty
Dec 6, 2016

CYBER DECODER: FINANCIAL LINES GROUP NEWSLETTER, ISSUE 18

CYBER COVER (page 3)
New guidance from the Bank of England’s PRA means insurers can no longer ignore cyber risks.

RANDOM ATTACKS (page 4)
Businesses don’t need to hold information that foreign governments want to be cyber attacked.

US ELECTIONS (page 5)
The US election is revealing a new area of potential systemic risk from cyber.

ALSO IN THIS ISSUE
Cyber threat intelligence 6
The cyber risk paradigm for 2017 7
Awards & Events 8
Big data 9
Top Tweets 10

Tesco Bank mass online fraud

The recent Tesco Bank mass online fraud incident has put the focus on theft and fraud. For businesses, this should be a reminder to be clear what is – and what isn’t – covered by their corporate insurance.

The recent Tesco Bank cyber theft was “serious” and “unprecedented”, according to the Financial Conduct Authority (FCA) chairman Andrew Bailey, quizzed about the incident by the Treasury Select Committee. A month on, the “UK’s worst cyber theft” looks unlikely to remain unique.

Full details of the incident, which saw £2.5 million stolen from 9,000 customer accounts, have yet to become clear. There has been some speculation that it could have been linked to the rising prevalence of the Retefe malware targeting banking customers in Sweden, Switzerland, Japan, and the UK. This particular type of malware has affected numerous banks around the world since February.

Academics at Newcastle University, meanwhile, have pointed to a wider weakness in the Visa card payment system as the likely culprit. This, they say, enables criminals to work out the card number, expiry date and security code of any Visa credit or debit card in as little as six seconds using software that automatically generates different variations of this data.

Exploiting weaknesses in websites’ pages for entering card details is “frighteningly easy”, the academics wrote. The Newcastle team itself found 342 out of 400 websites it looked at were vulnerable to such a “distributed guessing attack.” Tesco Bank, most likely under the advice of legal counsel, has neither confirmed nor denied that these issues or any other type of cyber attack caused the theft.

FINANCIAL LINES GROUP NEWSLETTER | Cyber Decoder | December 2016

CYBER CRIME: TWO THINGS, NOT ONE

In any case, the Tesco Bank incident should be a reminder that cyber risk is very real, and that businesses have to double check the terms of their insurance. Always remember that just because someone tricked you using a computer, doesn’t mean a cyber policy is the only source of reimbursement. To retain customer confidence, Tesco quickly reimbursed its customers for the lost funds. This piece of the loss would be covered under a crime or bankers blanket bond insurance policy, not under a typical cyber policy. Cyber insurance policies normally contain a theft of funds exclusion, and as long as appropriate cover exists under other policies, there’s nothing wrong with that. As technology and digital communication underpin all aspects of business, it’s not sustainable to assume that cyber insurance can absorb every possible consequence.

In the US, we’ve seen different interpretations from the courts on coverage. The issue at question, though, is often whether or not a crime policy will cover an incident; traditional cyber policies almost never do. Cyber policies are focussed on the costs associated with data or IT security breaches, not unauthorised transfers of funds.

Good cover is available. There’s just no single, silver bullet. A modern, properly drafted crime policy will usually cover the direct losses from theft and fraud, whether online or offline. This will reimburse the money stolen (and a combined crime and professional indemnity (PI) policy will cover the costs of compensating customers who have lost their funds). A cyber policy, meanwhile, will pick up the other (potentially substantial) costs, such as those for incident response, investigations and customer notifications of data breaches.

To ensure they’re adequately covered from not only a Tesco-type attack but any number of other online thefts and frauds, businesses, particularly financial institutions, need both.

In such cases there may be some overlap, and it is worth working with a broker at the outset to help avoid disputes and passing the buck when it comes to a claim. But duplications in cover are preferable to gaps. For many who find themselves victims of fraudsters and thieves in future, being over-insured will be a problem they will wish they had.
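The “distributed guessing attack” described above works because each merchant site sees only a handful of declined attempts per card, so a per-site lockout never trips; only the card issuer, which sees every authorisation attempt regardless of merchant, can notice that one card is being probed across dozens of sites at once. The following is an added example of that issuer-side velocity check (it is not code from JLT, Tesco Bank or the Newcastle researchers). It assumes a constructed decline log in the form `<timestamp> <merchant_id> <card_token> <decline_reason>`; the merchant ids, card tokens and thresholds are all assumptions chosen for illustration.

```python
"""Issuer-side velocity check for distributed card-detail guessing (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _build_sample():
    """Constructed decline log: one card token probed across 12 merchants,
    two declines each, within a minute, plus one genuine customer mistyping
    their CVV three times at a single shop."""
    base = datetime(2016, 11, 5, 3, 14, 0)
    lines = []
    for i in range(12):                       # assumed merchants m00..m11
        for j in range(2):
            ts = base + timedelta(seconds=5 * i + 2 * j)
            reason = "bad_expiry" if j == 0 else "bad_cvv"
            lines.append(f"{ts.isoformat()} m{i:02d} tok_A {reason}")
    for j in range(3):                        # benign noise at merchant m99
        ts = base + timedelta(seconds=30 + 20 * j)
        lines.append(f"{ts.isoformat()} m99 tok_B bad_cvv")
    return "\n".join(lines)


SAMPLE_LOG = _build_sample()


def parse_log(text):
    """Parse decline lines into (timestamp, merchant, card_token, reason), time-sorted."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, merchant, token, reason = line.split()
        events.append((datetime.fromisoformat(ts), merchant, token, reason))
    events.sort(key=lambda e: e[0])
    return events


def per_merchant_alerts(events, threshold=5, window=timedelta(minutes=10)):
    """What a single merchant site can see: declines per (merchant, card)
    inside a sliding window. Returns the (merchant, card) pairs that locked out."""
    recent = defaultdict(deque)
    alerts = set()
    for ts, merchant, token, _ in events:
        q = recent[(merchant, token)]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.add((merchant, token))
    return alerts


def cross_merchant_alerts(events, max_declines=10, min_merchants=3,
                          window=timedelta(minutes=10)):
    """What the issuer can see: declines per card across *all* merchants in
    the window. Returns {card_token: (declines, distinct_merchants)} for cards
    whose decline count and merchant spread both exceed the thresholds."""
    recent = defaultdict(deque)               # token -> deque of (ts, merchant)
    alerts = {}
    for ts, merchant, token, _ in events:
        q = recent[token]
        q.append((ts, merchant))
        while q and ts - q[0][0] > window:
            q.popleft()
        merchants = {m for _, m in q}
        if len(q) >= max_declines and len(merchants) >= min_merchants:
            alerts[token] = (len(q), len(merchants))
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-merchant lockouts:", per_merchant_alerts(evs) or "none")
    print("issuer-side alerts:   ", cross_merchant_alerts(evs))
```

On the constructed sample the per-merchant check stays silent (no merchant ever sees more than three declines for one card), while the issuer-side check flags `tok_A` with 24 declines spread across 12 merchants; the genuinely mistyped `tok_B` is left alone because its three declines come from one merchant and stay under the count threshold.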



Clarity coming to cyber cover

New guidance from the Bank of England’s Prudential Regulation Authority (PRA) means insurers can no longer just ignore cyber risks.

In November, the PRA wrote to insurers following meetings with stakeholders in the last quarter of 2015 and first half of 2016. Its letter, confirming the rapid growth of cyber insurance, also noted it had brought risks to the industry.

“The prudential risks emanating from this fast-evolving field, if not managed well, are potentially significant to the viability of the firms involved and the reputation of the UK insurance industry as a centre of excellence and innovation,” it stated.

Many firms, “do not currently have clear strategies and risk appetites for managing cyber risk.”

The PRA went on to set out proposals (out for consultation until February) for its requirements of firms to illustrate they’re managing such cyber risks intelligently. If they go ahead, the proposals will, ultimately, be good news for buyers.

A SILENT KILLER

The PRA has concerns around two areas where it thinks cumulative risks from cyber exposure could cause insurers problems. The first is “silent” cover, where cyber risks are covered in traditional insurance policies by virtue of not being excluded.

Worried about competition, many insurers have failed to introduce clear exclusions in non-cyber insurance policies. Instead some have relied on trying to later deny coverage only when there is a claim. Sometimes they’ve been unsuccessful and courts have ordered them to pay out. In other cases, insureds have found they’re not covered. Even if insurers do pay, exclusions can be introduced at the next renewal.

In many such cases where cyber is included by default, no underwriting of the risks has occurred, nor modelling of the potential losses. As a result, insurers may not fully understand the scale of the potential loss.

The PRA also worries this may be the case even where insurers provide affirmative (explicit) cover for cyber risks.

Insured’s costs and liability where a vendor is the source of a security breach are a critical element of cyber cover, for example. Given the reliance of much IT outsourcing on relatively few large providers, such as big cloud-computing service providers, a single successful attack could cause losses to hundreds of thousands of companies. Assessing these aggregate risks across their portfolio of business is a challenge for insurers.

INTO THE LIGHT

It’s a challenge the PRA wants insurers to address, however. It expects businesses to have clear strategies for managing cyber risks, and proposes insurers explicitly state, quantify and consider the potential for losses from their cyber cover.

In time this will mean the industry goes one of two ways: either traditional insurance policies will explicitly exclude cyber risks, leaving insureds to use a cyber policy to fill the gap; or these risks will be included, but insureds will have to pay higher premiums and provide cyber-related underwriting information.

Either way, insurers will no longer be able to stay silent on cyber; and, either way, businesses will have greater certainty that any cyber cover they are relying on will actually be there when they need it.

A sign of the times

Sometimes it is a teenager in a bedroom: Sentencing of the 17-year-old who admitted responsibility for last year’s data breach affecting 156,000 TalkTalk customers took place on December 13. The boy, who was 16 at the time of the attack, told magistrates in November he had just been “showing off.” The case illustrates a number of points.

First, it can fairly be seen to have highlighted the weakness of TalkTalk’s controls at the time. That’s also reflected in its record £400,000 fine handed down by the Information Commissioner’s Office (ICO) in November.

The company’s security failings allowed the attacker to access customer data “with ease,” the ICO found.

The attack also illustrates the challenge facing businesses, however. For all the hype about cyber terrorism and foreign governments with unlimited resources (blamed for, among others, the recent attack on Yahoo), it remains surprisingly simple for anyone from petty criminals to bored teenagers to get hold of tools to mount an attack. Foreign powers may present a more sophisticated risk, but these other sources contribute to the frequency and scale of risk businesses face.

Such attacks also ensure there will always be a degree of randomness in the businesses that are attacked; businesses don’t actually need to hold information that foreign governments want – or even that is valuable to criminals – to be targeted.

Finally, the TalkTalk case is just one of a number of recent cases concerning telecoms providers. November also saw mobile provider Three reveal that security may have been compromised for as many as two thirds of its nine million customers, for example. And TalkTalk, together with the Post Office’s broadband business, was again in the news in December after customers’ routers were targeted.

There is actually little evidence telecoms providers are particularly under threat. What is unique about them, however, is that they already have a statutory duty to notify customers of any data breaches – the same sort of duty that will apply generally under the General Data Protection Regulation (GDPR). The frequency of such stories from the telecoms sector therefore perhaps gives us an indication of what we can expect when the new regime comes into effect in May 2018.

Cyber risks where it counts

The US election is revealing a whole new area of potential systemic risk from cyber.

In the run-up to the US election there were concerns cyber attacks would attempt to derail electronic voting. This was not without cause, given the role hackers had already played in the campaign, revealing confidential emails from Hillary Clinton’s campaign team, and the attacks on state election database systems.

IT experts fretted that attackers could sabotage the election day by targeting voting machines, many of them reliant on out-dated software. Even after the day seemed to pass without incident, some continue to question whether hacking influenced the results, with computer scientists at the University of Michigan supporting calls for a recount.

It’s unlikely to change the outcome. Concerns before the election may have been overstated; and claims cyber attacks swayed the result have been described as “far fetched” by election officials. However, the controversy does reflect real concern over voting systems. What is being called for in the US is not so much a recount as an audit.

The potential for hacking electronic voting machines is plainly not science fiction, and cyber security is now a key topic in debates over electronic voting, not just in the US, but everywhere from Australia to Argentina.

Of course, it’s becoming clearer that simply hacking voting machines is unlikely to be the tool of choice for an enemy looking to sway an election. It’s much more likely that a variety of what Interpol calls cyber-enabled crimes would be employed, and recent US intelligence reports have shed light on this very possibility.

For businesses, it is perhaps just another example of the pervasiveness of cyber risks – and the potential for disruption they bring that is well outside their control.

Cyber threat intelligence

Brought to you in partnership with JLT Specialty’s Cyber Risk Consortium Partner CSC

In November German telecoms business giant Deutsche Telekom, which owns T-Mobile, revealed in a blog that it had been attacked, with about 900,000 of its users affected. This saw those users suffer from an exploit of the “NewNTPServer” feature in their broadband modems.

For some customers this meant temporary problems or fluctuations in quality; for others, no service at all. An update to the initial post, meanwhile, confirmed that this was the result of an outside attack: it was trying to infect routers with malware, but failed and in a small proportion of cases caused crashes or restrictions to customer accounts. A reboot was enough to get rid of it.

NOTHING TO WORRY ABOUT?

The vulnerability seems to be closely related to ports 7547 and 5555, which have seen a spike in traffic, and are usually used by ISPs to remotely manage modems. The exploit itself is unlikely to affect that many business networks. Businesses with DSL modems should check their provider for any updates and install patches where required. That’s because the vulnerability is actually a variant of one – “Misfortune Cookie”, CVE 2014-9222 – discovered a few years ago.

However, as the number of devices that are compromised due to lack of updating or patching grows, there is the potential these devices may be used in denial of service (DoS) attacks directed at larger businesses.

More generally, this is another attack that’s been blamed on the Mirai worm responsible for the Dyn DoS in October, which took down sites including Twitter, Netflix and Spotify. Criminals are now marketing hundreds of thousands of compromised hosts for use in attacks for low prices and increasing durations.

No one is immune from attack, and monitoring and planning remain the best defence as other strategies are developed.

RECENT VULNERABILITIES

December 6: Security researchers announced a critical Linux vulnerability that could enable an attacker to gain unauthorized root access, giving them full control of the victim’s machine.

This vulnerability is present in the kernel of nearly every current Linux distribution, meaning the vulnerability is very widespread. So far it is not easily exploited, but awareness of the vulnerability is likely to result in new threats. Those with affected systems should patch them as soon as possible with the patch released the same day.

November 29: A new critical vulnerability in Firefox and the Firefox-based “Anonymity Online” TOR browser is being actively exploited, according to reports. The exploitation of the vulnerability was observed attempting to circumvent TOR features enabling anonymous browsing. The same vulnerability exists in the widely used Firefox browser, however, and has the potential to be targeted on Windows, Mac and Linux.

The vulnerability is likely to be quickly incorporated into exploit kits and commodity hacking tools. To protect themselves, users should both enable the “NoScript” JavaScript blocker as a Firefox add-on and patch all vulnerable products as soon as possible.
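The “monitoring” the piece above recommends can be concrete: the Deutsche Telekom incident showed up first as a spike in traffic to the CPE remote-management ports 7547 and 5555, which normally only the ISP’s own management system should ever talk to. The following is an added example (not code from JLT, CSC or Deutsche Telekom) of a small perimeter-log monitor for exactly that signal. It assumes a constructed, iptables-style line format `<timestamp> SRC=<ip> DST=<ip> PROTO=TCP DPT=<port>`, a hypothetical ISP management range of 203.0.113.0/24 that is expected to reach port 7547, and a constructed hourly baseline; all sample addresses are from documentation ranges.

```python
"""Spike monitor for CPE management ports 7547 and 5555 (added example)."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

ACS_RANGE = ipaddress.ip_network("203.0.113.0/24")   # hypothetical ISP ACS source range
MGMT_PORTS = (7547, 5555)
LINE_RE = re.compile(r"^(\S+) SRC=(\S+) DST=\S+ PROTO=TCP DPT=(\d+)$")


def _build_sample():
    """Constructed one-hour log: a burst on 7547 from many non-ISP sources,
    one legitimate ACS check-in, two stray probes on 5555 and HTTPS noise."""
    base = datetime(2016, 11, 28, 10, 0, 0)
    lines = []
    for i in range(40):                                   # 35 distinct probing sources
        ts = base + timedelta(seconds=90 * i)
        lines.append(f"{ts.isoformat()} SRC=198.51.100.{i % 35 + 1} "
                     f"DST=192.0.2.10 PROTO=TCP DPT=7547")
    ts = base + timedelta(minutes=5)                      # the ISP's own management host
    lines.append(f"{ts.isoformat()} SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=7547")
    for i in range(2):
        ts = base + timedelta(minutes=20 + i)
        lines.append(f"{ts.isoformat()} SRC=198.51.100.{50 + i} "
                     f"DST=192.0.2.10 PROTO=TCP DPT=5555")
    for i in range(50):                                   # ordinary web traffic
        ts = base + timedelta(seconds=70 * i)
        lines.append(f"{ts.isoformat()} SRC=192.0.2.{100 + i % 20} "
                     f"DST=192.0.2.10 PROTO=TCP DPT=443")
    return "\n".join(lines)


SAMPLE_LOG = _build_sample()
BASELINE = {7547: 2, 5555: 0, 443: 60}   # constructed hourly counts from a quiet day


def parse_fw_log(text):
    """Parse matching lines into (timestamp, source address, destination port)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                       # skip lines that are not in the expected shape
        ts, src, dpt = m.groups()
        events.append((datetime.fromisoformat(ts), ipaddress.ip_address(src), int(dpt)))
    return events


def summarize_ports(events, ports=MGMT_PORTS):
    """Per management port: total hits, distinct sources, and how many of those
    sources lie outside the expected ISP management range."""
    hits = defaultdict(int)
    sources = defaultdict(set)
    for _, src, dpt in events:
        if dpt in ports:
            hits[dpt] += 1
            sources[dpt].add(src)
    return {
        p: {
            "hits": hits[p],
            "distinct_src": len(sources[p]),
            "non_acs_src": sum(1 for s in sources[p] if s not in ACS_RANGE),
        }
        for p in ports
    }


def flag_spikes(summary, baseline, factor=5, min_hits=10):
    """Flag a port when its hits exceed both an absolute floor and `factor`
    times its baseline; the floor stops a zero baseline from flagging noise."""
    return sorted(
        port for port, stats in summary.items()
        if stats["hits"] > max(min_hits, factor * baseline.get(port, 0))
    )


if __name__ == "__main__":
    summary = summarize_ports(parse_fw_log(SAMPLE_LOG))
    for port, stats in summary.items():
        print(port, stats)
    print("spiking management ports:", flag_spikes(summary, BASELINE))
```

On the constructed log port 7547 is flagged (41 hits against a baseline of 2, with 35 of 36 distinct sources outside the management range), while port 5555 is not, because two probes against a zero baseline fall under the absolute floor. The `non_acs_src` count is the more useful figure for triage: even a handful of management-port connections from outside the ISP range is worth a look, whatever the volume.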

The cyber risk paradigm for 2017

Cyber security in today’s world is a misnomer. Our government agencies, businesses, and personal lives are irreversibly connected to the worldwide web that provides enormous opportunity and convenience. However, success in this “connected” world requires organizations sacrifice absolute security - and therein lies the problem. Because being connected requires some amount of insecurity, the same worldwide web that creates opportunity and convenience also gives rise to sophisticated, dynamic cyber threats motivated by financial gain, activism and state-sponsored espionage.

Traditional cyber security approaches focused on perimeter protection are no longer effective. Firewalls that block unauthorized connections must also allow email. Anti-virus tools that detect known malware overlook the unknown; and intrusion detection systems that examine network traffic are blind to encrypted communications. And when security measures are effective, cyber criminals find new attack vectors. It’s a continuous match of wits between cybersecurity professionals and cyber criminals. However, the very nature of a “connected” society demands we leave openings in our security and, consequently, makes cyber security in today’s world a misnomer.

Digital breaches are inevitable, simply because well-crafted phishing emails are still highly effective. Specialist cyber security firms, such as Dynetics, have little trouble in breaching even the most sophisticated company networks; and what is found after easily bypassing traditional perimeter defenses should be alarming to business executives.

Most businesses don’t incorporate detection into their cyber security. Without detection, cyber criminals move freely for as long as necessary to compromise all key information assets. Even with excellent cybersecurity controls, the lack of detection ultimately leads to significant impacts because a motivated, experienced cyber criminal, given extended time in a network, has a better chance of finding a vulnerability than a cybersecurity professional has of eliminating 100% of vulnerabilities.

Therefore, to be successful in 2017, resilience must be the goal, with cyber security giving way to cyber risk management. Businesses must assume breaches and ensure their secondary protection slows cyber criminals’ access to key information assets. Cyber security professionals can flip the paradigm so that one mistake by the cyber criminal triggers their detection and allows eradication before key information is compromised.

Boards are advised to actively promote cyber risk management and review performance periodically. Participation and oversight at board level will help ensure communication voids between IT and non-IT functions are bridged and cyber risk management establishes itself as a core tenet of sound corporate governance.

This article was contributed by JLT Cyber Risk Consortium partner Dynetics. For more information contact [email protected].

DYNETICS

Dynetics provides responsive, cost-effective engineering, scientific, and IT solutions to the national security, cybersecurity, satellite, launch, automotive, and critical infrastructure sectors. Their portfolio features highly specialized technical services and a range of software and hardware products, including components, subsystems, and complex end-to-end systems.

Top cyber broker in the London market

Award: The Insurance Insider Cyber Rankings survey 2016 named Jack Lyons from our Cyber team as top Cyber broker in the London market.

Sarah Stephens, JLT’s Head of Cyber, comments: “Jack’s tireless dedication to finding the best possible customised coverage for our clients in a dynamic area like cyber is a key reason for our team’s success. He’s constantly innovating and pushing the market for the benefit of our clients, but always conscious of maintaining excellent market relationships through personal integrity, preparation, and excellent technical skills. On top of that he’s passionate about mentoring our junior team members, ensuring that JLT’s cyber practice will grow even stronger in the future.”

Recent Event

BUSINESS RESILIENCE SEMINAR
Hosted by Lloyds Bank and Do Different Management Consultancy, Norwich, on the 6th December 2016.

Jack Lyons, Partner in JLT Specialty’s cyber team, was part of a panel discussing how businesses can become more resilient in the face of growing cyber threats. Jack explored the range of cyber risks that are currently most prevalent and afflicting companies nationwide. He was joined by David Higgins of Do Different and Paul Maskall of Norfolk and Suffolk Constabularies.

Upcoming Events

JLT’s global cyber team are frequent speakers at key industry events. If you would like to hear more of our insights or plan a meeting with us at the following upcoming events please email [email protected]

07 MAR 2017 – Advisen Cyber Risk Insights Conference, London, UK. Co-chairing: Sarah Stephens

14–15 MAR 2017 – Advisen Cyber Risk Insights Conference, San Francisco, USA. Speaking: Florence Levy

21–22 MAR 2017 – ExecuSummit: 6th Annual Cyber Liabilities Insurance Event, Uncasville, USA. Speaking: Florence Levy

30 MAR 2017 – ACI Cyber and Data Risk Insurance Conference, Chicago, USA. Speaking: Steve Bridges

BUZZWORD OF THE MONTH: BIG DATA

What is it?

Big data refers to data sets larger than those traditional data processing applications can deal with. The availability of data is fuelled by the digitisation of almost every aspect of modern life, from systems, sensors, phones, and tablets.

It is closely related to a number of other much-discussed technologies. The Internet of Things, for example, is making a significant contribution to the amount of data available. The cloud, meanwhile, gives businesses and others access to storage capabilities and computational power without which they would struggle to make use of the data available. These allow businesses to capture, store and make sense of big data.

The analysis of big data has potentially infinite applications. For businesses it may be a source of increased insight into customers’ behaviours and preferences, a route to streamlining processes and operations, or a method to identify theft and fraud.

Why should you care?

When it comes to cyber risks, big data is a double-edged sword. On the one hand, big data can help anticipate and respond to cyber threats more effectively. It may help detect and anticipate attacks faster, for example, or improve the way staff are alerted to risks, to improve responses.

On the other hand, as the European Network and Information Security Agency has warned, big data also opens businesses up to big risks. Big data often means transferring data to an outsourced provider, for example, or collecting data from thousands of devices in the field. Connectivity brings vulnerabilities, and, when these are successfully exploited, big data can mean big data breaches, with a mass of personal information potentially exposed.

However, finally, in the cyber and wider insurance industry, big data may unlock a big opportunity. For insurers to better understand and price cyber risk, they must access new and better data sources from inside and outside their organisations, and we expect a whole new class of service providers will grow up promising to help with just that task. As big data only gets bigger, so will the challenges and opportunities it brings for businesses and their insurers alike.

JLT Specialty Limited provides insurance broking, risk management and claims consulting services to large and international companies. Our success comes from focusing on sectors where we know we can make the greatest difference – using insight, intelligence and imagination to provide expert advice and robust – often unique – solutions. We build partner teams to work side-by-side with you, our network and the market to deliver responses which are carefully considered from all angles.

Our Cyber, Content and New Technology Risks team delivers bespoke risk management and insurance solutions to meet the needs of clients from a variety of industries. The team combines experience and talent with a track record of delivering successful results and tangible value for our clients.

CONTACTS

Sarah Stephens, Head of Cyber, Content and New Technology Risks, JLT Specialty, +44 (0) 20 7558 3548, [email protected]

Jack Lyons, Partner, JLT Specialty, +44 (0) 20 7528 4114, [email protected]

Lauren Cisco, JLT Specialty, +44 (0) 20 7558 3519, [email protected]

Top Tweets

Home Depot Data Breach Derivative Lawsuit Dismissed

Hackers are holding San Francisco’s light-rail system for ransom

European Commission gets DDoSed

JLT comments on the Three Mobile cyber incident

The Cyber President? What To Expect From the Trump Administration On Cybersecurity And Privacy

The simplest way to reduce ‘silent’ cyber risk in response to PRA concern is clear exclusions...

This publication is for the benefit of clients and prospective clients of JLT Specialty Limited. It is not legal advice and is intended only to highlight general issues relating to its subject matter but does not necessarily deal with every aspect of the topic. If you intend to take any action or make any decision on the basis of the content of this newsletter, you should first seek specific professional advice.

JLT Specialty Limited, The St Botolph Building, 138 Houndsditch, London EC3A 7AW. www.jltspecialty.com

Lloyd’s Broker. Authorised and regulated by the Financial Conduct Authority. A member of the Jardine Lloyd Thompson Group. Registered Office: The St Botolph Building, 138 Houndsditch, London EC3A 7AW. Registered in England No. 01536540. VAT No. 244 2321 96. © December 2016 273500