The events of September 11, 2001, brutally forced upon companies an awareness of a hitherto almost unthinkable possibility: the deliberate, malicious destruction of their facilities, with intent to harm people as well as property. That terrorists could attack from the air suggested the possibility that terrorists could seek to wreak economic havoc through the information highway. But whether companies have an adequate appreciation of such threats is open to question.
There is reason to consider insurance companies as a potential target of cyber-terrorism because of their financial assets and "the fact that they run somewhat weaker legacy systems that have not been brought up to full scope with respect to security issues," opines Jim Tucker, home office computer security specialist at Chubb Corp. in Warren, NJ.
Tucker, whose responsibilities include evaluating the risks of financial services companies that are potential clients, says his experience leads him to conclude that companies could benefit from a heightened appreciation of the risk of cyber-terrorism. "I think there's a mentality that it's always going to be the other guy that's hit, or that we won't be one of a number" of companies that might be hit simultaneously, he says.
There are more attractive targets than insurance companies both within financial services and outside, according to Tucker. For example, bringing down power generation facilities would be a more efficient way of pursuing a "denial-of-service" objective, because it would simultaneously affect a multitude of companies. But since strategy counsels doing the unexpected, insurance companies are wise to prepare for possible attacks. These could include DDoS (distributed denial-of-service) attacks, which prevent the transaction of business by blocking ways information is sent and received; and viruses that serve as delivery mechanisms for malicious, or "mal," code that could wreak havoc on the financial processes of an organization without actually taking them down, Tucker explains.
To be prepared for attacks, companies have "got to determine what exposures you have and develop 'triage' procedures," he says. Firms need to entertain scenarios such as, "What would we do if we were totally taken down in five minutes? What do we do next?" he says. But prevention measures are the most urgent concern, he hastens to add. The first step in addressing cyber-risk is to establish a security policy creating a model that addresses confidentiality, integrity and availability, according to Tucker. "Any threat would fit within those three areas," he says.
Much security vulnerability can be traced to lack of rigor in updating software patches and failure to properly educate staff about tactics used in attacks and secure uses of company technology, according to Tucker. But even when problems are detected, there is often no enterprise policy to guide an appropriate solution. "Without that, staff is stumbling in the dark," Tucker asserts.
While in the wake of September 11, 2001, it is not hard to imagine malicious attacks with catastrophic outcomes, making the business case for adequate cyber-protection can still be a challenge, Tucker claims. Since ROI for cyber-countermeasures is difficult to quantify, obtaining support from senior leadership for such initiatives can be difficult. But it is from the technology ranks that the threat can be most immediately perceived, and where the case is more likely to be urged. "The issue is from the bottom to the top, getting the senior leadership convinced that some funding is needed to put things in place to prevent the firm from losing a lot more money" than defensive measures would cost, Tucker says. While in the field, Tucker relates, "IT managers have said to me things like, 'Would you make sure that a security vulnerability gets into the report? I'm trying to get something done here.'"
Chubb's Loss Control Division advocates the following 10 ways insurers and other organizations can mitigate cyber threats:
1. Appoint a senior executive who will be responsible and accountable for the assessment and development of a security plan.
2. Acknowledge that the cyber-terrorist threat exists and prepare for cyber warfare.
3. Assess corporate cyber-risk management. Review information and network security procedures and include representatives from around the company, not just information technology employees.
4. Emphasize prevention in enterprise-wide cyber-security plans.
5. Protect critical servers. The Internet may provide easy and unwelcome access from outsiders.
6. Once you have formalized your response and reinforced your security against cyber risk, then hire an independent cyber-security expert to test and validate the company's security systems.
7. When you review your protection during a cyber-risk assessment, be sure to include your supply chain and the company's ISP and its business partners and vendors. Require that the security in place adequately protects the company's systems.
8. Senior executives should evaluate both functionality and security. Some decisions and purchases will require selecting protection that is less than ideal due to cost constraints during the cyber-risk assessment. Evaluate the trade-offs between functionality and security.
9. Set up an internal information security education, training and awareness process.
10. Initiate security auditing, validation and measurement processes and metrics. Report all security violations, not just the major ones.
Anthony O'Donnell has covered technology in the insurance industry since 2000, when he joined the editorial staff of Insurance & Technology. As an editor and reporter for I&T and the InformationWeek Financial Services of TechWeb he has written on all areas of information ...