Insurance companies looking for easy solutions to their cyber security concerns will only be frustrated and end up spending more in the long run.
This was the message of an Israeli cyber security expert to the members of the Philippine Insurers and Reinsurers Association (PIRA) in a recent webinar entitled "Closing The Gap -- Cyber Security and the Insurance Industry."
Mr. Alex Peleg, an award-winning "ethical hacker" and CEO of Cynergy, a cyber security firm based in Tel Aviv, said every company has unique "crown jewels" and vulnerabilities which must be assessed properly to be able to come up with the right cyber security solution.
"There is no plug-and-play security solution that will solve all your problems," he said. "We do an audit of your company like going into your house. We go from room to room. We look at the identities that you need to manage. Identities are like the keys to your house. You don't want to leave them lying around."
Mr. Peleg said identity theft is the most common form of cyber security breach among the companies they have worked with. However, being the most common does not mean that companies already know what to do when such breaches happen. On the contrary, companies time and again fail to prevent identity theft and usually discover the problem only when major damage has already been done.
"In order to protect the crown jewels in your company, you must plan ahead and prepare to spend. Most often, companies realize this only when they have already suffered an attack. They realize that it happened because they lacked awareness and failed to have the necessary controls. They under-focused on cyber security risks," he said, adding, "If you would spend money, spend it wisely."
Mr. Peleg noted, though, that companies that experience attacks emerge as much stronger and wiser. He cited major insurance companies in the United States and in Europe that suffered cyber attacks in various forms last year.
Chubb Corporation, the 12th largest property and casualty insurer in the US, suffered a cyberattack in March 2020 that resulted in unauthorized access to data held by a third-party service provider. Though no official details were disclosed, security researchers believe Chubb was hit by a ransomware attack, in which files are encrypted and data is exfiltrated to the attackers' servers and held for ransom. The attackers claimed to have data stolen from Chubb, including the names and email addresses of senior executives.
About the same time as the Chubb attack came another on Pacific Specialty Insurance Company, an automotive and home insurance provider. It was a phishing attack that resulted in hackers gaining access to employees' and clients' email accounts, social security numbers, government-issued IDs, financial data, and health insurance information.
In the Netherlands, an insurer suffered a breach after falling victim to the “CEO hack,” a phishing attack in which the sender impersonates a CEO. Employees of the insurance company received emails from an attacker pretending to be the CEO of a well-known commercial customer, requesting that they transfer money into an account under the attacker's control.
Mr. Peleg said these attacks are fast becoming commonplace in the industry. And he used the analogy of snowboarding in explaining how executives tend to deal with cyber security breaches.
"It's like surfing on the Black Slope even though you are not completely aware of it. When an avalanche happens, first you experience a time of uncertainty and denial. You ask yourself, 'Is it really happening to us?' Only when the snow begins to pile up and your systems start collapsing and stop functioning do you realize that you are being attacked," he said.
He gave the following advice for companies who might suddenly find themselves confronting a cyber attack:
First is to contact your lawyer. This can be an internal or a third-party lawyer. You have to protect all the information that flows to and from your cyber security team. Find out your legal exposure. There is a possibility that you will be sued and that the regulator will go after you. Better be ready.
Second is to deploy your Incident Response Team. Companies must have a cyber security Incident Response Team ready because a cyber attack may happen any day.
Third is to review your cyber architecture and repair what needs to be repaired.
And fourth is not to take one's eyes off the problem until the storm is over. "Even if it's over, don't think it's over. Recovery is a long journey up the hill," he said.
Mr. Peleg stressed that every company must have an Incident Response Plan for cyber security breaches. This is totally different from a disaster recovery plan. It must be drawn up and put in place in advance and must involve the company's CEO, lawyers, marketing officers, and human resources (HR) heads.
"Why do you need HR? You need them because most ransom notes we get come from disgruntled employees," he said.
Ultimately, Mr. Peleg said the direct responsibility falls on the CEO and not on the company's cyber security team. "The CEO must know what to do and what to say if and when the breach happens," he said.