RISK MANAGEMENT: Cyber Crime: An Evolving Threat
NOW IS THE TIME TO REVISIT THE TOPIC OF CYBERCRIME AS CRIMINALS HAVE ELEVATED THEIR GAME AND CONTINUE TO CARRY OUT MALICIOUS ATTACKS ON AMERICAN BUSINESSES AND INDIVIDUALS
By Kristen Long, Senior Vice President, Arthur J. Gallagher
In September 2014 I wrote an article titled “The Threat Posed by Cyber Criminals.” In the article, I discussed the emerging risk of Cybercrime and the link between main street American businesses and the Fortune 500 company attacks.
Now is the time to revisit this topic because, since that time, cyber criminals have elevated their game and continued to carry out malicious attacks on American businesses and individuals through phishing emails and malware viruses. Several large data breach events have taken place in the mere five months since I last addressed the issue. JP Morgan Chase, Staples, Sony, Michael’s, Home Depot, Albertson’s, Kmart and Dairy Queen have all fallen victim to cyber criminals. Even last month we witnessed possibly the most devastating breach to date – the attack on a health insurance giant, Anthem Inc.
As the level of sophistication and number of attacks continue to increase, it can be overwhelming to attempt to protect your household or your business. In the following article, I am going to share some basic information and tips to help equip you in the fight against cyber perils.
CYBER-ATTACKS ON YOUR HOUSEHOLD
The breach of Anthem Inc., the second largest health insurer in the U.S., compromised the information of over 80 million people, or 1 in 4 people in the United States. The attack included spouses, dependents (such as children) and even deceased family members. The information stolen includes the following: social security numbers, dates of birth, addresses, names, phone numbers, email addresses, and even salary information. Having all of this confidential personal information is like giving a criminal or outsider a passkey into your life.
What is concerning is the lack of outcry from the public. Hundreds of millions of people have been affected by the data breaches over the past year and yet there remains no urgency to fend off the hackers. Why is that? Up until now, data breaches have mostly affected credit cards. Credit card companies have provided fraud protection, paying out of their corporate pockets any expenses/damages and replacing credit cards when customers’ information has been compromised.
While these attacks reached a huge number of people, the outcome for most individuals is a minor annoyance rather than a crippling event. Now, imagine instead of merely needing to update your Netflix payment method, you discover that your credit rating has been damaged, your social security number was used by another person to obtain employment, or you are now unable to receive healthcare when needed. Take it one step further: what if somebody stole your child’s identity? That is a very real possibility, and it touches on the magnitude of Medical and Social Security Identity Theft.
Monitoring and correcting Medical/Social Security Identity Theft can be a difficult and time-consuming task. Since this is a new breed of attack, we are just learning the power of these crimes, and it could take years or even decades to understand the true enormity of the events. Below are the definitions and details of Medical/Social Security Identity Theft:
- Medical Identity Theft occurs when someone steals your personal information (like your name, Social Security number, or Medicare number) to obtain medical care, buy drugs, or submit fake billings to Medicare in your name. The Coalition against Insurance Fraud offered the following warning regarding Medical Identity Theft: “But be warned: Correcting records can be hard. In general, federal law lets patients correct medical records created only by the medical provider or insurer that now maintains your information. A hospital or insurer that later receives your information doesn’t have to correct its records—even when they’re wrong. But… you do have the right to have your records state that you disagree with the information, and why. Be sure your complaint is entered into your records”.
- Social Security Identity Theft involves fraudulently using someone’s social security number to get a job, file for governmental benefits, file fraudulent tax returns, or obtain credit and medical care. The Social Security Administration says, “If you have done all you can to fix the problems resulting from misuse of your Social Security number and someone still is using your number, we may assign you a new number”.
According to the Identity Theft Assistance Center (ITAC), “Adults can monitor their own credit reports every few months to see if someone has misused their information, and order a fraud alert or freeze on their credit files to stymie further misuse. But most parents and guardians don’t expect their youngster to have a credit file, and, as a result, rarely request a child’s credit report, let alone review it for accuracy. A thief who steals a child’s information may use it for many years before the crime is discovered. The victim may learn about the theft years later, when applying for a loan, apartment, or job”. Further, the ITAC states, “Until recently, very little was known about the scope of the crime and how the stolen information is used. ITAC sponsored the 2012 Child Identity Fraud Report to get verifiable data that can be used to develop solutions to identity theft”. Prior to the current string of data breaches, ITAC conducted a study into child identity theft; below are the key findings:
2012 CHILD IDENTITY THEFT KEY FINDINGS
Social Security numbers are the most commonly used piece of information by identity thieves targeting children. In fact, 56 percent of respondents reported theft or misuse of a child’s SSN.
The most common way criminals use a child’s personal information is to combine a child’s Social Security number with a different date of birth to create a new identity that can be used to commit fraud. Fraud involving “synthetic identity” is especially difficult for victims and industry to detect.
The study found that 2.5 percent of U.S. households with children under age 18 experienced child identity fraud at some point during their child’s lifetime. This equates to 1 in 40 households with minor children being affected by this crime.
Fraud committed by family and friends is to blame in many child identity theft cases. The data shows that 27 percent of respondents reported knowing the individual responsible for the crime.
Low-income households are disproportionately affected by child identity theft. As family income decreases, the risk of child identity fraud increases. While 50 percent of households of child identity theft victims had incomes under $35,000, only ten percent of households of child identity theft victims had incomes of more than $100,000.
Child identity theft is more difficult to detect and resolve than adult identity theft. The survey showed that these crimes took 334 days to detect and 44 hours to resolve, and 17 percent of children were victimized for a year or longer.
If these data breaches have taught us anything, it is that every American household, child, and business should be taking, at a minimum, the following steps to monitor their identity:
- Credit Monitoring/Freezing – Sign up for monitoring with all credit bureaus directly or via a credit monitoring company; remember to include children.
- Child Identity Protection – http://www.consumer.ftc.gov/articles/0040-child-identity-theft
- Medical Identity Monitoring – Review your health insurer’s monthly and annual reports of charges.
- Review Social Security Activity – http://www.socialsecurity.gov/myaccount/
The opportunity for children to socialize online has risks and rewards. As adults, we must reduce the risks by talking to kids about making safe and responsible decisions. SafeKids.com offers many suggestions on areas of discussion with your children.
CYBER-ATTACKS ON YOUR BUSINESSES
The massive Target attack in late 2013 was a perfect example of how cyber criminals home in on small businesses to gain access points to larger prey. In that instance, hackers penetrated an HVAC contractor in Pittsburgh that performed contracting work for a local Target. Once the hackers had taken control of the HVAC contractor’s systems, the thieves discovered an online portal that Target used for its vendors for payment and contract delivery. That was all the hackers needed to hit the mother lode. So, how many larger companies do you do business with? Large general contractors, banks, owners, suppliers, etc. could all be targets, and you could unknowingly serve them up on a platter. Does your company execute vendor contracts that allocate liability and indemnification for data breaches? When protecting against cyber risks, companies often ignore the risks created by their vendor agreements. Your business partners create exposures outside of your internal IT business network. Cyber breaches involving a third party muddy the waters and spill into complex litigation.
As a first line of defense, every company should establish training and a risk management program for its cyber exposure, including remote access, cell phones, laptops and even tablets. This should include a response plan in the event your company is hacked… who will you call first? Your company IT professional should be included as a strategic partner to help guide your plan and company training.
Equally important is the purchasing of Cyber Liability Insurance. Cyber insurance is a continuously developing product that can cover both liability and property damage losses that may result when a business engages in various electronic activities, such as selling on the Internet or collecting data within its internal electronic network (such as payments from clients via credit cards). Cyber insurance policies can cover a business’ liability for a data breach in which customer information, such as social security or credit card numbers, is stolen by a hacker who has gained access to the firm’s electronic network. The policy would cover a variety of expenses associated with data breaches including: notification costs, credit monitoring, costs to defend claims by state regulators, fines and penalties, and losses resulting from identity theft.
Currently, there is a market for cyber liability insurance, but as the number of attacks has increased, insurance carriers have tightened up their underwriting guidelines before accepting new policyholders. The insurer will need verification that the company is up to date on firewalls, antivirus, and anti-malware, and that it monitors how access is granted to company systems. So, please be aware that bringing you “up to code” in terms of insurability and finding the proper market for your company may require time and effort.
When considering the probability of whether you or your company will suffer a cyber-attack, it is no longer a question of “if” but “when”. In October of 2014, FBI Director James Comey stated in an interview with CBS, “There are those who’ve been hacked by the Chinese and those who don’t know they’ve been hacked by the Chinese”. As cybercrime continues to evolve and the stakes become more severe, it is our responsibility as heads of households and professionals to educate ourselves as to how to defend our own information, as well as others’. Kaspersky, an internet security company, has an excellent training tool called “Stop Cyber Crime Guide”.
As an insurance professional who specializes in the construction industry, and a victim of identity theft, it troubles me to say that less than five percent of my clients have implemented the security procedures discussed above. I implore each of you to take this issue seriously and to be proactive in protecting your personal, business and client information. While the thought and expense of putting a security plan into action may seem daunting, it is a fraction of what you will be forced to deal with if you are attacked without one.