
Tuesday, October 27, 2015

Cyber Risk Insurance: What's the Buzz?

Cyber Risk, as anyone with a television is aware, is growing at a mind-boggling pace.  In a recent presentation, former Homeland Security Secretary Tom Ridge said, "The cyber world presents the greatest threat to U.S. security and economic well-being. Our infrastructure generally is exposed, raising the possibility of a catastrophe affecting millions of people."

High-profile breaches are an almost every-day occurrence. From the highest level of government, through small businesses, to the largest companies - it seems nothing is safe. The United States Office of Personnel Management, Sony PlayStation, NASA, TJ Maxx and Google – to name just a few – have all been stung. Recently my wife's small business was hit with a "ransomware" attack.

It's just plain scary.

Just this week, a member of the Federal Bureau of Investigation (FBI) recommended that ransomware victims "just pay the ransom" if no other option exists and if they need access to their encrypted data.

Last Wednesday, during Cyber Security Summit 2015 at Boston's Back Bay Events Center, Joseph Bonavolonta, the Assistant Special Agent in Charge of the FBI's Cyber and Counterintelligence Program in the Boston office, observed that because the encryption used by most ransomware families, including CryptoLocker and CryptoWall, is so strong, the FBI generally advises victims to pay the ransom.

That can cost serious money. Usually between $500 and $2,000 - per machine - and paying is only a fallback: there is no guarantee the decryption key will actually arrive. Tested, offline backups are the one reliable way to avoid ever facing that choice.

Cyber risk can either continue to be seen as a negative – as another potential set of costs, complicated procedures and incoming legislative demands – or firms can use good cyber risk management as a differentiator from their competitors, as a selling point to clients, and as a measure of reassurance to stakeholders. 

One new option, still being worked toward maturity, is Cyber Risk Insurance. Many companies are offering it, but which policies are best, and exactly what they cover, is still being sorted out. As always - Caveat Emptor!

The choice is yours - learn, plan and protect - or wait for that pit-in-your-stomach feeling, when you turn on your system and see that you've been hit.

It's not a good feeling.

Tuesday, October 6, 2015

Tabletop Exercises: What's up with that?

A tabletop exercise is a great way to get business continuity plans off the written page without the interruption of a full-scale drill. Rather than actually simulating a disaster, the crisis management group gathers for about three hours to talk through a simulated one. The exercise planning process determines the participants, the scenario, the injects and the execution order for the course of the exercise. A group of exercise planners focused on the objectives selects the best means to reach those objectives and develops a complete exercise plan known as the master scenario event list (MSEL). The MSEL serves as the script for the execution of the exercise; it includes the ordering of injects, the time of execution, and the expected reactions from the training audience. It can be a full-scale production that involves local first responders and professional moderators, or it can be a simple affair conducted by in-house disaster planners. The idea is to have an escalating scenario that unfolds in several segments. After each segment, small working groups discuss how they would respond, then report back to each other before hearing from moderators about what happens next.

Tips for an Effective Tabletop

Decide how much gloom and doom you want. When planning a tabletop, ask: "Do you want this to be a physical event with assets damaged and destroyed, or do you just want those things inaccessible? Do you want death and injuries, or just to test the ability to get work up and going someplace else?" It's sensible to ask your delegates to suspend their disbelief if you're running a scenario-based exercise. It's useful to remind them that you're testing the plan, not the scenario. You can also suggest that they make reasonable assumptions regarding any issues or holes they spot. But none of this takes away from the fact that you should aim to make any scenario as realistic as possible.

Test how quickly you can pull together key players. To be realistic, the crisis management team doesn't always know when a tabletop will occur. Instead, the company tests how quickly it could reach all those individuals. Specialized software pings team members' phone numbers and communications devices, alerting them that the crisis management team is assembling.

Involve everyone. Make sure each person has a role. If one person answers all the questions, have others enact how they would respond if that person were unavailable.

Acknowledge that first-timers may be nervous. Some business managers don't want to show that they may not know how to respond to a certain issue. To make them more comfortable, consider holding an hour-long orientation well prior to an actual exercise. Later, work your way up to a three-hour exercise. Consider inviting local law enforcement and first responders to participate.

Encourage misinformation - and add "surprises" (AKA: injects). During a crisis, you're always asked to make timely decisions based on incomplete and inaccurate information. Also, you can be sure that there will be crises within the crisis. You can simulate the confusion this causes by giving the groups handouts containing different information.

Take the lessons with you. A designated note-taker should keep track of what happens; always leave time for lessons learned.

Monday, October 5, 2015

HPAI (Bird Flu) in the USA - 2015

Highly Pathogenic Avian Influenza - 2015

Since it was first identified in the United States in December 2014 in the Pacific Northwest, highly pathogenic avian influenza (HPAI) has been detected in commercial and backyard poultry flocks, wild birds, or captive wild birds in 21 States. With the last case of the spring outbreak identified in June 2015, a total of 211 commercial and 21 backyard poultry premises had been affected. This resulted in the depopulation of 7.5 million turkeys and 42.1 million egg-layer and pullet chickens, with devastating effects on these businesses, and a cost to Federal taxpayers of over $950 million.

Genetic analysis has shown that a commingling of migratory birds between northeast Asia and Alaska allowed for re-assortment of Asian HPAI strains with North American low pathogenic avian influenza (LPAI) viruses. The resulting Eurasian-American (EA/AM) HPAI viruses that infected wild birds and domestic poultry earlier in 2015 serve as a potential threat to poultry this fall and winter. Wild birds, particularly resident and migratory dabbling ducks, appear to be the reservoir for these viruses.

To prepare for additional outbreaks that could occur this fall or later, USDA planning activities assumed a worst-case scenario beginning in September 2015, with HPAI occurring simultaneously in multiple sectors of the poultry industry throughout the nation. Under this scenario, 500 or more commercial establishments of various sizes across a large geographical area could be affected.

The USDA plan for preventing and responding to future HPAI cases, in collaboration with industry and State partners, includes:

1. - Promoting improved on-farm biosecurity practices in order to prevent future HPAI cases to the greatest extent possible;
2. - Improving HPAI surveillance in wild birds as a means to provide "early warning" risk information to States and industry;
3. - Expanding Federal, State and industry response capabilities, including availability of personnel, equipment, and depopulation, disposal and recovery options;
4. - Improving our capabilities to rapidly detect HPAI in domestic poultry and to depopulate affected flocks within 24 hours to reduce the environmental load of HPAI viruses and their subsequent spread;
5. - Streamlining the processes for payment of indemnity and the cost of eliminating viruses so that producers receive a fair amount quickly, to assist them in returning to production;
6. - Enhancing our ability to communicate in a timely and effective way with producers, consumers, legislators, media, and others regarding outbreaks and other information; and
7. - Making preparations to identify and deploy effective AI vaccines should they be a cost-beneficial addition to the eradication efforts in a future HPAI outbreak.

A document was published in August 2015 entitled "USDA APHIS HPAI Response Plan: The Red Book (Draft August 2015)" which reflects the knowledge and lessons learned during the spring 2015 outbreak event.

Importantly, while HPAI is zoonotic, and while it appears to have a relatively high species-specific transmission barrier, it also can be fatal for humans. Animal health officials should and do coordinate with public health officials in the event that HPAI is identified in the United States; appropriate health and safety measures should always be observed when conducting HPAI response activities.

Bottom line is, there is a high probability that HPAI is coming back this fall. The time to consider preventative and mitigation activities is NOW.

Wednesday, August 12, 2015

Command & Control - Who's in Charge Here?

Over the course of the years, it's been shown that most crisis situations involve a chronology of events, each requiring somewhat distinct knowledge, skills, training, and decision-making to minimize harm and damage. Planners in California have articulated the following typical stages of a crisis:

1. - Observance of threatening conditions or events, becoming aware that a crisis may be commencing, and escalating awareness up the chain of command to an appropriate level of authority;
2. - Emergency responses, to minimize loss of lives, injuries to humans and animals, and damage to customers, property, reputation, or public trust;
3. - Assessment of damages and, if sufficiently severe, strategic decisions for significant actions to thwart long-term damage;
4. - Activation of alternate or temporary facility operations to minimize disruptions to valuable operations;
5. - Repair or replacement of damaged capabilities; and
6. - Migration or return from temporary operations to the long-term "permanent" or "normal" environment.

Fact is, most crises are small - they happen every day. Usually, management can undertake these steps as needed within normal capabilities. The larger ones, however (think major earthquakes, terrorist attacks, major hurricanes), require activation of a pre-defined team of senior leaders and operators - a Senior Activation Team (SAT) - trained in a crisis management methodology. As should be pre-defined in a Business Continuity Plan or continuity of operations plan, high-value / time-sensitive operations will have pre-determined strategies for stage 4 above. The senior activation team will also find itself addressing all disrupted operations requiring stage 4, not just those covered by a continuity plan. Most executives on the SAT will also retain their normal responsibilities for oversight of operations that are not affected by the crisis.

Depending on the nature of the crisis, a senior executive activation team may convene and also be involved in stages 1, 2, 3, or 4. This raises the important question of how a senior activation team is activated and empowered, if it is in fact different from the senior executive team that is normally in charge. Waiting until the stuff is in the fan is the wrong way to go. Criteria must be pre-established and procedures pre-developed and well-practiced so that all involved understand how executive authority is transferred or transformed as a crisis unfolds. The "Alexander Haig scenario" of "I'm in charge!" is not the way to go. Figure it out early. That is all...

Wednesday, July 29, 2015

Plan, Do, Check, Act (repeat) - Getting it Done with Business Continuity Planning

The Plan, Do, Check, Act (PDCA) Cycle describes the four stages of problem resolution. The concept is also referred to as 'the Shewhart Cycle'. It was originally developed by Walter Shewhart, the pioneering statistician who developed statistical process control at Bell Laboratories in the US during the 1920s and 1930s. The concept was taken up by W. Edwards Deming, the famous Quality Management authority, and is consequently known by many as 'the Deming Wheel'.

Properly applied, the PDCA Cycle is used to coordinate continuous improvement efforts. The concept demonstrates that improvement programs must start with careful planning, leading to effective action, followed by checking the results, then move again to careful planning in a continuous cycle. There is a wealth of resources available to guide the use of the PDCA Cycle, and it is an integral part of the Business Continuity Planning (BCP) process. Nearly every emerging standard is following this approach, including the newest, ISO 22301.

One of the best things about using PDCA in the realm of BCP is pretty straightforward: it's language senior management already understands! Possibly the greatest challenges in BCP are gaining executive sponsorship, then creating a culture shift in the organization. The last part is tricky - you can't dictate culture change, it must be LED by leaders. The best way to get leaders involved is to speak a language they already understand. Most good leaders in business today have studied Deming. Ergo: PDCA. If you need help with all this, shoot me a note!

Saturday, June 13, 2015

Cyber Preparedness

Cyber Security in the Smart Grid. "Is that a real problem," you might ask? Well, yes...yes it is. A very real problem. Here's a bit of a blurb from today's news:

The man in charge of America's cyber operations said that on a scale of one to 10, the nation's preparedness to deal with a major cyber attack on critical infrastructure sits at a dismal three. "Somebody who finds vulnerability in our infrastructure could cause tremendous problems," Army Gen. Keith Alexander, Director of the National Security Agency and chief of U.S. Cyber Command, told audience members at the Aspen Institute's annual security forum. Alexander said that since 2009, attempted cyber attacks on the nation's infrastructure systems have risen seventeen-fold. "I'm worried most about power. I'm worried about water. I think those are the ones that need the most help," he said.

As emergency managers, we need to question those who run our power grids. Sure, they own the infrastructure, but lives depend on how well they are controlling it! I prefer to think of the power companies as "custodians" of the critical infrastructure, rather than "owners." My advice to the EM Community - take those custodians to task. Ask them to produce their cyber security plans and their business continuity plans. Your constituents will be grateful.

Friday, May 15, 2015

Don't Get Complacent!

I continually write and speak about the dangers of complacency. More people have died because they refused to recognize the dangers around them than can be counted. All year, the weather prognosticators have been calling for a "less than normal" hurricane season, mostly because of an expected El Niño event. Well, I read the following editorial today:

Forecasters were right about an El Niño this year. The weather phenomenon warms the eastern Pacific Ocean and generates strong wind shear that cuts the top off thunderstorms and stops them from developing. The odds of a major hurricane making U.S. landfall are 27 percent in an El Niño year, compared to 45 percent in a neutral year, according to Colorado State University climatologist Phil Klotzbach. It seems to be doing its job, so far this year. In the meantime, Gulf Coast residents shouldn't count on El Niño or the initial forecast for a less-than-average season to protect them.

Sound familiar? Wake up. Smell the Starbucks. Get a plan. Be Prepared!