March 1, 2011

To view the original article please click here.


Chris Costanzo,, 03/01/2011

If directors think about cybercrime at all, they are apt to consider cases like Heartland Payment Systems or TJX Cos., in which hackers exposed millions of customer records. Actually, they should be contemplating Google, which accused an electronic spy ring based in China of unleashing sophisticated cyber attacks against its computer systems early last year.

The Google case is emblematic of a new type of cybercrime that is stealthier and potentially more harmful than the massive data breaches that were front-page news a few years ago. When hackers steal customer data, they do it quickly and move on, leaving companies with the administrative hassle of notifying customers.

But when intruders want to steal a company’s secrets, they settle in for the long haul, establishing a foothold within a company’s network and growing it, undetected, over time. These incidents, known as advanced persistent threats, or APTs, slowly rob companies of their most valuable information. They are not the work of hackers, but of tenacious, well-funded professionals focused on espionage.

While the cost of recovering from a loss of customer data is not trivial, the cost of recovering from an APT is likely to be far more. “The theft of intellectual property from a corporate board perspective is a far more serious bottom-line problem,” according to Larry Clinton, president of the Internet Security Alliance, a trade association based in Arlington, Virginia.

Clinton, who called APTs “rampant,” says their sophistication and real impact on organizations has not yet been recognized at the board level. In fact, many boards have largely failed to recognize the basic existence of cyber risks, much less understand the different types that are out there. “I don’t think it’s a topic that occupies a significant place in board considerations,” agrees Charles M. Elson, the director of the University of Delaware’s corporate governance center and a board member at HealthSouth Corp., a Birmingham, Alabama-based health care provider.

A report released in June by Carnegie Mellon’s CyLab affirms that cyber risks are far from top of mind for board members. CyLab’s survey of executives and board members at companies with between $1 billion and $10 billion in revenues found that 56% considered improving risk management a top priority. At the same time, 0% considered improving computer and data security to be a priority. “They don’t understand that IT risk is part of enterprise risk,” said Jody R. Westby, adjunct distinguished fellow for CyLab and CEO of Global Cyber Risk LLC, a Washington, D.C.-based advisory firm.

Further, only about one-third of the respondents said their boards engage in key oversight activities— such as annually reviewing controls and policies and receiving incident reports—that would help protect their organizations against privacy and security risks. And despite their contention that risk management is a priority, only 14% have a risk committee separate from the audit committee. Finally, in a finding Westby called “stunning,” the survey showed that the majority of companies did not employ executives exclusively focused on security, privacy, or risk.

Constellation Energy may be an exception to the general finding that boards are largely uninformed about cyber risks. The energy and gas company, which operates nuclear and coal-fired power plants, spends heavily on security, as evidenced by its listing in Security Magazine’s 2010 Security 500, which benchmarks security spending. While risk management has always been an emphasis, the Baltimore, Maryland-based company became more attuned than usual to risk following the twin calamities of the BP oil rig disaster and the global financial crisis.

Although the company does not operate oil rigs, BP’s catastrophe, coming on the heels of a liquidity squeeze that Constellation itself experienced during the financial crisis, prompted Mayo A. Shattuck III, the firm’s CEO, to request a “super dive” into the company’s preparedness for disaster, explains Brenda L. Boultwood, a senior vice president and the firm’s chief risk officer. The disaster risk assessment resulted in an October presentation to the board in which cyber risk was covered.

There was a discussion of cyber risk in the broader context of disaster risk,” Boultwood says. A specific discussion about cyber risk also occurred during a July presentation to the board’s audit committee.

These conversations were the first at the board level to cover cyber risk. “This is an era of escalating threats, and the publicity around cyber is very high,” Boultwood notes. She expects the discussions will continue. A cyber risk presentation to the audit committee will soon be scheduled for 2011, and cyber risk may well emerge as one of the key risk topics Boultwood will cover during her ongoing updates of current and emerging risks presented at each board meeting. “One of our goals is to educate board members so there’s a consistent level of knowledge,” Boultwood says.

Of particular interest to board members is the impact that a cyber attack can have on the bottom line. This number varies greatly, depending on the nature of the attack and how many customers are affected. Ironically, when customer data is compromised, it often does not result in any direct harm to customers. But because of notification laws that exist in nearly every state, companies are required to alert customers that an incident occurred. The notification process, especially if millions of customers are involved, can be expensive.

Mark Greisiger, president of NetDiligence, a Philadelphia-based company that performs risk assessments and offers post-incident support, describes a wide range of outlays related to data breach recoveries. Attacked companies often hire computer forensics experts at a cost of $300 to $700 per hour to detect, investigate, and resolve the breach. While an average case runs about $50,000 to $100,000, a company could have variables, such as audio or image files that need to be manually researched, which could push costs “through the roof,” Greisiger says.

Notifying customers by mail and setting up support via phone lines and specialized websites could run as much as $9 per person. In addition to the economic impact of diminished customer trust, companies also often offer customers free credit monitoring services, at a cost of $10 to $60 per year per person, or discounts on other products. Then there are attorney’s fees of about $400 per hour for legal expertise on state-specific privacy and security standards. Separately, there may be the cost of defending any lawsuits.

While breaches of customer data usually generate administrative costs, the newer breed of APT attacks could thwart strategic plans, costing untold amounts. In a 2010 report, Mandiant, a computer security firm, relayed the case study of a Fortune 500 manufacturing company that was forced to give up its plan to acquire a Chinese firm after discovering that details of its pricing and negotiating strategies had been pilfered from its computers. “This intrusion had a significant impact on the victim organization,” the report said. “It was not able to complete the acquisition and accomplish its business objectives.”

Two highly regarded surveys offer proof of the difficulty of nailing down a definite answer on the question of data breach costs. The Ponemon Institute, a privacy and information management research firm based in Traverse City, Michigan, found in a report released in January 2010 that the average organizational cost of a data breach in the U.S. increased slightly in 2009 to $6.75 million. The most expensive breach its survey covered cost $31 million.

Meanwhile, the Computer Security Institute, an organization of security professionals based in New York, found in a report released in December 2009 that average losses from cyber attacks in 2009 were only $234,000 per respondent. The costliest breach it surveyed was only $6 million.

The stark contrast in these survey results can be explained by differences in each organization’s survey pool, according to CSI. Ponemon analyzed the actual data breaches of 45 organizations, while CSI surveyed a much wider pool (443 respondents), only a portion of which had experienced a breach. In addition, as a professional organization, CSI says its pool skews toward executives with an active interest in security.

The two studies are more consistent in the finding that a greater amount of data loss is caused by negligence or systems glitches than by malicious, criminal acts. Even so, malicious attacks are more expensive to remedy. According to Ponemon, malicious attacks accounted for 24% of data breaches in 2009, but their costs averaged $215 per comprised record, compared to $154 for a negligent act and $166 for a systems glitch.

On the bright side, the difficulty and cost of preventing breaches has dropped, according to Verizon’s annual survey of its data breach caseload, which in 2010 also included data from the U.S. Secret Service. Verizon Business determined that 64% of recommended preventive measures were simple and cheap, while only 4% were difficult and expensive. By reconfiguring systems and altering existing practices, companies can fix problems much more often than by redeploying or purchasing new systems, the report said.

Although easy fixes may be available, companies routinely fall short of providing adequate security. “We see weaknesses across all sectors,” Greisiger of NetDiligence says. The three main shortcomings are in detecting intrusions, patching holes in a timely manner, and encrypting data at rest. “If private data resides on a laptop, it should be encrypted,” Greisiger says. “Less than 50% of companies do that.” Of the hundreds of companies that NetDiligence assesses each year, 80% to 90% say they experience breaches. “The frequency is definitely higher [than in the past],” Greisiger says. “The question is whether organizations can control the severity.”

The legal environment is not making it any easier for companies to protect themselves. As cyber incidents increase, lawsuits are expected to multiply in number and type. “Plaintiffs’ lawyers are always looking for new areas of litigation,” says Richard Bortnick, an attorney and chair of the professional liability insurance practice at Cozen O’Connor. “I think the two biggest ones will be cyber and climate change.”

Troubling legal trends are brewing for nearly all types of companies charged with protecting customer data. In the health care field, new provisions under the HITECH Act (aimed at improving health information technology) grant powers to state attorneys general to file enforcement actions against health care providers that fail to respond to breaches in a timely manner. In the credit card industry, the upgrading of PCI (payment card industry) standard requirements to include a thorough assessment of where cardholder data resides is raising the bar on compliance. As the standard of care becomes stricter, class-action lawsuits citing negligence are likely to increase. And for companies that operate internationally, a growing concern is European legislation being proposed that mimics the many strict U.S. state laws on breach notifications.

The growing complexity of the law and the wide range of possible litigants make protecting against cyber risks all the more difficult. “For a big breach, you can have litigants coming at you from multiple angles,” says David Navetta, founding partner of Information Law Group. Consumers, banks, state regulators, shareholders, and federal regulators are all among the parties filing suits, he says.

At the same time, the large number of privacy and security laws being passed at both the state and federal levels creates challenges and uncertainty. “You might think you’ve reduced risk to a certain level, but the reality is things change quickly,” Navetta explains.

Increasingly, companies are turning to cyber risk and privacy insurance to protect themselves. Such policies generally cover damage to a company’s data or lost income resulting from a cyber break-in, as well as liability from any lawsuits.

The most useful aspect of the policies may be coverage for post-breach response costs, as well as services designed to help companies respond.

These prepackaged services could include hiring computer forensics experts, arranging credit monitoring services, or executing a notification plan. Such services are “pretty unusual in insurance, but common with cyber policies now,” says Richard S. Betterley, president of Betterley Risk Consultants, a Sterling, Massachusetts-based research and consulting firm. Offering these services represents a smart move by insurers, he adds. When victims of a breach feel cared for, they are less likely to take action and file a lawsuit.

Few specialty insurance products have gained ground as quickly as cyber, according to Betterley’s September 2010 report on the product. One-third of respondents to Betterley’s survey (including 80% of companies with $250 million to $500 million in revenues) said they currently have cyber insurance. Another 25% said they plan to buy it in the next 18 months.

Lawyers and other experts agree that purchasing a cyber insurance policy is an essential part of defending against attacks. “The threat is real and the threat is growing,” says Cozen O’Connor’s Bortnick of cyber risk. “Premiums are very modest in this economy, and it makes good business sense to have the coverage you need.”

That’s not to say companies shouldn’t explore other options. “If you haven’t bought a cyber policy, you should absolutely look to other policies to see what other coverage could be available there,” says Scott Godes, counsel at Washington, D.C.-based Dickstein Shapiro. Existing case law backs up the use of general liability or errors and omissions policies to cover cyber breaches, Godes says. “But I would be loathe to say, ‘Don’t buy a cyber policy,’ particularly as insurance companies get more savvy,” he adds.

Making sure insurance coverage has been appropriately addressed is not the only action directors should take to prepare their companies against cyber threats. They also need to get fully briefed on the actual material risks of a breach to the organization, including the threat of losing intellectual property, says Clinton of Internet Security Alliance.

Furthermore, they should ensure that the information security function is raised to the highest managerial levels, Clinton continues. “It needs to go to a chief risk officer or someone with a cross-organizational view,” he says. A finding from Ponemon’s survey supports this contention.

It found that companies with a chief information security officer (or equivalent title) experienced far fewer costs when a breach occurred: $157 per record, versus $236 per record for companies without strategic security leadership.

Perhaps the most important action boards can take is to change their frame of reference when it comes to oversight of cyber risk. It is no longer solely the purview of the IT group. “Corporations need to remove information security from the sole control of the CIO,” Clinton says. “It’s not the technology, it’s the integrated nature of the problem.”