We just finished National Cyber Security Awareness Month. I was fortunate enough to attend CLM’s Cyber Security Summit in New York. The summit provided information on current and future trends, best practices in utilizing insurance, and some scary reminders that the threats are all around us.
Cyber Trends for 2017
Ransomware and phishing continue to dominate the conversation in corporate security. Professional services firms such as law firms, accounting firms and consulting firms sit high on attackers' target lists because they hold concentrated, highly sensitive client information that can be used, sold, or ransomed. The demands behind some ransomware attacks are changing as well: there have been cases where the data was held ransom not for money but for an admission of wrongdoing, or in exchange for confidential or proprietary information.
Also trending is the malware- and ransomware-as-a-service business model. The malware authors license their kit to affiliates, who either pay an up-front fee or hand over a percentage of each ransom an infected victim pays; the authors maintain the code and infrastructure, and the affiliates handle distribution. The effect is that someone with almost no technical skill can run an infection campaign.
International businesses will continue to struggle in the coming year with the complex, and sometimes conflicting, data privacy and cyber security requirements around the world. Intensified U.S. regulatory activity is also cause for concern. Domestically, businesses will keep struggling with the differences among the states' breach-notification laws and with the demands of regulatory investigations.
The value of individual health records continues to increase on the black market, so any company handling that type of data will continue to be at risk.
Also related to the health care industry is the risk to medical devices and their hackability. The FDA has recognized the risk, and manufacturers are now being asked to “Develop a risk management program that includes a plan for when a vulnerability is discovered; write disclosure policies, so hospitals and patients can understand what aspects of a device may be less secure; and release regular software and hardware updates for medical devices after they are on the market.”
As companies around the world compete for a global edge, demand for sensitive and confidential information is growing with it. Attackers are responding by going after intellectual property and proprietary medical research directly and selling it on the black market to the highest bidder.
There is also still the fear of the “big event”: a catastrophe-level loss from a widespread cyberattack that hits many companies, and their insurers, at the same time. If you want to read something that will keep you up at night, check out the “Business Blackout” report. It is a joint report by Lloyd’s and the University of Cambridge discussing the implications of a cyberattack on the US power grid. The scenario it presents predicts a rise in mortality rates as health and safety systems fail; a decline in trade as ports shut down; disruption to water supplies as electric pumps fail; and chaos on transport networks as infrastructure collapses. Very scary stuff, and all of it resulting from one piece of malware.
Responding to a Cyber Attack
An incident response team remains the key to responding to a breach quickly, and speed is critical. These teams typically consist of a team leader plus members of management, information security, IT/MIS, legal, PR, HR and finance: in short, a group of people who have the authority to make decisions and take action.
That team should be tasked with doing a risk assessment and creating an incident response plan that serves as a roadmap in the event of a breach. One team member should be designated to call your insurance broker (ASAP!). We will engage your carrier and get a breach coach assigned as soon as possible. A breach coach is an attorney with the skills and experience to guide a company through a breach, or to advise on a potential one. The breach coach, not the company directly, should be the one to retain computer forensics specialists to determine the nature and scope of the breach, so that the investigation runs under counsel's direction. Breach coaches can also help hire remediation vendors and will advise on compliance with privacy regulations. They will have experience dealing with the FBI, the FTC, the state attorneys general, OCR, the SEC and so on, which becomes extremely important if the company is facing fines and penalties. Almost every law firm now says it has a “cyber specialist,” but a carrier-vetted breach coach can save a company a huge amount of money, and frustration.
Also critical is ongoing education. “Insider threats” are on the rise. The term covers malicious insiders too, but the growth is in employees who unintentionally let an attacker in, typically through social engineering (in other words, being tricked into breaking normal security procedures). Employees should receive frequent “avoidance training” on the latest scams so they do not introduce malware or fall for a phishing scheme. Company procedures should also contain guidelines on preserving data for forensic purposes: once you realize there may be malware on a computer, do not power it off, because that destroys the running processes, memory contents and active network connections an investigator needs; instead disconnect it from the network so it can no longer talk to the attacker or spread. A business continuity plan can also help a company get through a cyberattack. Finally, companies should create a good data retention (and disposal) policy. There is no reason to keep data if it isn’t needed!
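The preservation guidance above (leave the machine on, record what is running, then cut its network) in runnable form. This is an added example, not from the original post or any vendor; it assumes a Linux host, root for the isolation step, and the ps, ip and sha256sum/shasum tools. The evidence directory path and the DRY_RUN switch are this example's own conventions.

```shell
#!/bin/sh
# Constructed example (not from the original post): first-responder triage for
# a Linux host you suspect is running malware. Order matters: capture the
# volatile state that a power-off would destroy, THEN cut the network.
# Assumed tooling: ps, ip (iproute2) and sha256sum or shasum; isolation needs root.

# Collect volatile evidence into the directory $1. Returns 0 if a process
# listing was captured, 1 otherwise. Commands missing on a given box are
# tolerated so that one gap does not abort the whole collection.
collect_volatile() {
    outdir="$1"
    mkdir -p "$outdir" || return 1
    date -u '+%Y-%m-%dT%H:%M:%SZ' > "$outdir/collected_at.txt"
    # Running processes with full command lines: a dropper or a ransomware
    # binary mid-encryption is usually visible here and gone after a reboot.
    ps -eo pid,ppid,user,etime,args > "$outdir/processes.txt" 2>/dev/null \
        || ps aux > "$outdir/processes.txt" 2>/dev/null || :
    # Live sockets: C2 beacons and exfiltration sessions vanish once the
    # network is cut, so record them before isolating.
    { ss -tunap 2>/dev/null || netstat -tunap 2>/dev/null || :; } > "$outdir/sockets.txt"
    # Logged-in users and the ARP cache give lateral-movement context.
    who > "$outdir/logins.txt" 2>/dev/null || :
    { ip neigh 2>/dev/null || arp -an 2>/dev/null || :; } > "$outdir/arp.txt"
    # Hash the collection so it can later be shown to be unaltered.
    ( cd "$outdir" && { sha256sum *.txt 2>/dev/null || shasum -a 256 *.txt; } ) \
        > "$outdir/MANIFEST.sha256" 2>/dev/null || :
    [ -s "$outdir/processes.txt" ]
}

# Interface carrying the default route, i.e. the one to take down.
default_iface() {
    ip route show default 2>/dev/null \
        | awk '{ for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# Isolate the host without powering it off. With DRY_RUN=1 the command is
# printed instead of executed (useful for rehearsal and for testing).
isolate_host() {
    iface="$1"
    [ -n "$iface" ] || { echo "no interface given" >&2; return 1; }
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "would run: ip link set dev $iface down"
        return 0
    fi
    ip link set dev "$iface" down
}

# Usage: sh triage.sh /path/to/evidence-dir   (as root; set DRY_RUN=1 to rehearse)
main() {
    out="${1:-/tmp/triage-$(date +%s)}"
    collect_volatile "$out" || { echo "collection failed" >&2; return 1; }
    isolate_host "$(default_iface)" || return 1
    echo "evidence in $out; host isolated from the network, leave it powered on"
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Run it with an evidence directory on a separate drive or USB stick, not on the suspect system's own disk, and copy the directory off the host before anyone touches it further; the manifest lets the forensics firm the breach coach retains confirm the files were not altered in between. Rehearse with DRY_RUN=1 so the team has done it before the day it matters.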
The last piece of advice is best explained with a sport analogy. The best defenses are nimble and can change as the offense changes. In order for a company to best defend itself against cyber threats, it too needs to be nimble and change its defensive strategies. Hackers are constantly finding new innovative offensive attacks, and a company working off of last year’s playbook is an easy score for a hacker.