Tuesday, October 27, 2015

Cyber Risk Insurance: What's the Buzz?

Cyber Risk, as anyone with a television is aware, is growing at a mind-boggling pace.  In a recent presentation, former Homeland Security Secretary Tom Ridge said, "The cyber world presents the greatest threat to U.S. security and economic well-being. Our infrastructure generally is exposed, raising the possibility of a catastrophe affecting millions of people."

High-profile breaches are an almost everyday occurrence. From the highest level of government, through small businesses, to the largest companies - it seems nothing is safe. The United States Office of Personnel Management, Sony PlayStation, NASA, TJ Maxx and Google – to name just a few – have all been stung. Recently my wife's small business was hit with a "ransomware" attack.

It's just plain scary.

Just this week, a member of the Federal Bureau of Investigation (FBI) recommended that ransomware victims “just pay the ransom” if no other option exists and if they need access to their encrypted data.

Last Wednesday, during Cyber Security Summit 2015 at Boston’s Back Bay Events Center, Joseph Bonavolonta, the Assistant Special Agent in Charge of the FBI’s CYBER and Counterintelligence Program in the Boston office, observed that because the encryption standards protecting most ransomware samples, including Cryptolocker and Cryptowall, are so strong, the FBI generally advises victims to pay the ransom.

That can cost serious money: usually between $500 and $2000 per machine.

Cyber risk can either continue to be seen as a negative – as another potential set of costs, complicated procedures and incoming legislative demands – or firms can use good cyber risk management as a differentiator from their competitors, as a selling point to clients, and as a measure of reassurance to stakeholders. 

One new option, still being worked toward maturity, is Cyber Risk Insurance.  Many companies are offering it, but the details of which is best are still being resolved.  As always - Caveat Emptor!

The choice is yours - learn, plan and protect - or wait for that pit-in-your-stomach feeling, when you turn on your system and see that you've been hit.

It's not a good feeling.






Tuesday, October 6, 2015

Tabletop Exercises: What's up with that?

A tabletop exercise is a great way to get business continuity plans off the written page without the interruption of a full-scale drill. Rather than actually simulating a disaster, the crisis management group gathers for three hours to talk through a simulated disaster.

The exercise planning process determines the participants, exercise scenario, injects and the execution order for the course of the exercise. A group of exercise planners focused on the objectives selects the best means to reach those objectives and develops a complete exercise plan known as the master scenario event list (MSEL). The MSEL serves as the script for the execution of the exercise; it includes the ordering of injects, time of execution, and the expected reactions from the training audience.

It can be a full-scale production that involves local first responders and professional moderators, or it can be a simple affair conducted by in-house disaster planners. The idea is to have an escalating scenario that unfolds in several segments. After each segment, small working groups discuss how they would respond, then report back to each other before hearing from moderators about what happens next.

Tips for an Effective Tabletop

Decide how much gloom and doom you want. When planning a tabletop, ask: "Do you want this to be a physical event with assets damaged and destroyed, or do you just want those things inaccessible? Do you want death and injuries, or just to test the ability to get work up and going someplace else?" It’s sensible to ask your delegates to suspend their disbelief if you’re running a scenario-based exercise. It’s useful to ask them to remember you’re testing the plan, not the scenario. You can also suggest that they make reasonable assumptions regarding any issues or holes they spot. But none of this takes away from the fact that you should aim to make any scenario as realistic as possible.

Test how quickly you can pull together key players. To be realistic, the crisis management team doesn't always know when a tabletop will occur. Instead, the company tests how quickly it could reach all those individuals. Specialized software pings team members' phone numbers and communications devices, alerting them that the crisis management team is assembling.

Involve everyone. Make sure each person has a role. If one person answers all the questions, have others enact how they would respond if that person were unavailable.

Acknowledge that first-timers may be nervous. Some business managers don't want to show that they may not know how to respond to a certain issue. To make them more comfortable, consider holding an hour-long orientation, well prior to an actual exercise. Later, work your way up to a three-hour exercise. Consider inviting local law enforcement and first responders to participate.

Encourage misinformation – and add “surprises” (AKA: Injects). During a crisis, you're always asked to make timely decisions based on incomplete and inaccurate information. Also, you can be sure that there will be crises within the crisis. You can simulate the confusion this causes by giving the groups handouts containing different information.

Take the lessons with you. A designated note-taker should keep track of what happens; always leave time for lessons learned.

Monday, October 5, 2015

HPAI (Bird Flu) in the USA - 2015

Highly Pathogenic Avian Influenza - 2015

Since it was first identified in the United States in December 2014 in the Pacific Northwest, highly pathogenic avian influenza (HPAI) has been detected in commercial and backyard poultry flocks, wild birds, or captive wild birds in 21 States. With the last case of the spring outbreak identified in June, 2015, a total of 211 commercial and 21 backyard poultry premises had been affected. This resulted in the depopulation of 7.5 million turkeys and 42.1 million egg-layer and pullet chickens, with devastating effects on these businesses, and a cost to Federal taxpayers of over $950 million.

Genetic analysis has shown that a commingling of migratory birds between northeast Asia and Alaska allowed for re-assortment of Asian HPAI strains with North American low pathogenic avian influenza (LPAI) viruses. The resulting Eurasian-American (EA/AM) HPAI viruses that infected wild birds and domestic poultry earlier in 2015 serve as a potential threat to poultry this fall and winter. Wild birds, particularly resident and migratory dabbling ducks, appear to be the reservoir for these viruses.

To prepare for additional outbreaks that could occur this fall or later, USDA planning activities assumed a worst-case scenario beginning in September 2015, with HPAI occurring simultaneously in multiple sectors of the poultry industry throughout the nation. Under this scenario, 500 or more commercial establishments of various sizes across a large geographical area could be affected.

The USDA plan for preventing and responding to future HPAI cases, in collaboration with industry and State partners, includes:

Promoting improved on-farm biosecurity practices in order to prevent future HPAI cases to the greatest extent possible;
Improving HPAI surveillance in wild birds as a means to provide “early warning” risk information to States and industry;
Expanding Federal, State and industry response capabilities, including availability of personnel, equipment, and depopulation, disposal and recovery options;
Improving our capabilities to rapidly detect HPAI in domestic poultry and to depopulate affected flocks within 24 hours to reduce the environmental load of HPAI viruses and their subsequent spread;
Streamlining the processes for payment of indemnity and the cost of eliminating viruses so that producers receive a fair amount quickly, to assist them in returning to production;
Enhancing our ability to communicate in a timely and effective way with producers, consumers, legislators, media, and others regarding outbreaks and other information; and
Making preparations to identify and deploy effective AI vaccines should they be a cost beneficial addition to the eradication efforts in a future HPAI outbreak.

A document was published in August 2015 entitled: USDA APHIS HPAI Response Plan: The Red Book (Draft August 2015) which reflects the knowledge and lessons learned during the spring 2015 outbreak event.

Importantly, while HPAI is zoonotic, and while it appears to have a relatively high species-specific transmission barrier, it also can be fatal for humans. Animal health officials should and do coordinate with public health officials in the event that HPAI is identified in the United States; appropriate health and safety measures should always be observed when conducting HPAI response activities.

The bottom line is that there is a high probability that HPAI is coming back this fall. The time to consider preventative and mitigation activities is NOW.