Things to identify for cyber related risks | Lucideus

Insurance has long existed as a mechanism for the transfer of risk to a third party, particularly for the risks that an organisation cannot control itself. Recently, the most noteworthy dangers that have come to light and threatened to destroy a company overnight have emerged within the cyber security sphere. This has been a reason for the growing interest in cyber liability insurance.

Because cyber liability insurance is a relatively new type of coverage, it is often misunderstood. Companies need to consider the basics and specifics of their cyber-related liabilities and exposures. They must be clear about the likely threats in order to identify the areas in which insurance is required the most. This way, companies can better protect the return on their insurance investment. The following are 3 major categories of threats one should be aware of before investing in cyber liability insurance:

1. THREAT ACTORS
A threat actor, also called a malicious actor, is an entity that is partially or wholly responsible for an incident that impacts – or has the potential to impact – an organisation's security.
A threat actor can be identified by knowing the motive behind an attack, the type of loss (monetary/life/reputation), the size of the loss, etc. The following are some examples of threat actors:
    • Extortionists - They attack an enterprise and demand money to avert or stop the attack, e.g. ransomware
      Motivation - Extortion
    • Information Brokers - They trade (stolen) information in the world of cybercrime.
      Motivation - Information theft
    • Crime Facilitators - They provide technical support to the attacks of other criminal actors
      Motivation - Crime facilitation
    • Digital Robbers - They target financial services used by citizens and enterprises.
      Motivation - Robbery
    • Scammers and Fraudsters - They employ social engineering in their attacks against their targets
      Motivation - Scams and Frauds
    • Crackers - They are motivated by the fun of attacking and want to display their capabilities as a hacker
      Motivation - Pranking and infamy
    • Insiders - They target the organisation they’re working in, which could be private or public
      Motivation - Revenge
    • Terrorists - They use the internet to conduct violent acts that result in, or threaten, loss of life or significant bodily harm
      Motivation - Ideological (Negative)
    • Hacktivists - They are ideologically motivated to punish the wrongdoings of an organisation harming nature or human rights.
      Motivation - Ideological (Positive)
    • Nation State actors - They have a ‘Licence to Hack’. They work for a government to disrupt or compromise target organisations or individuals to gain access to valuable data
      Motivation - Nationalism
       
2. THREAT TARGETS
Anything that is of value to the above-mentioned threat actors may be a target, such as the following:
    • Bank accounts - An obvious one. One of the greatest motives for an attacker is financial gain, hence, bank accounts are being increasingly attacked. 
    • Personally Identifiable Information (PII) - Information that can be used to identify, contact, or locate a single person. PII may be obtained through social engineering and may pose a threat to life.
    • Confidential Business Information (CBI) - Any valuable secret business information, such as trade secrets, that is identified as confidential at the time of disclosure. Attackers may sell CBI or expose it to cause major reputational and financial loss to an organisation.
    • Intellectual Property (IP) - IP is protected in law by patents, copyright and trademarks, which enable people to earn recognition or financial benefit from what they invent or create, and lose the same things if their IP is stolen or breached.
    • Computers/Mobiles/Computing devices/Hardware - A major and most common target for attackers, all these devices are full of information, be it personal or work-related. Malware may be easily introduced into such devices, thereby compromising the data on them.
    • Wearables - The best example of IoT devices, wearables are smart electronic devices that can be incorporated into clothing or worn on the body as implants or accessories. As is the case with IoT devices in general, wearables may be miscontrolled and misused for malicious purposes.
    • Cloud Services - Although cloud storage providers implement rigorous security measures, the same threats that impact traditional storage networks also threaten the cloud world.
    • Autonomous vehicles - Such vehicles will be vulnerable to the same threats that regularly disrupt computer networks, such as theft of personal and financial information, and denial-of-service attacks that may move from shutting down computers to shutting down cars.
    • Mass Transportation - Cyber threats to this sector are of concern because of the growing reliance on cyber-based control, navigation, tracking, positioning, and communications systems, as well as the ease with which malicious actors can exploit cyber systems serving transportation. Cyber-terrorist attacks can significantly disrupt vital transportation services and cause long-term sociological and economic consequences.
    • Telecommunications - Due to the breadth and depth of services offered by telecom companies, there is an increased risk of security threats. Phone service interruption may affect countless subscribers, internet outage may impact millions of customers, and there is potential to permanently harm businesses.
    • Energy grids - A well-constructed cyberattack against the grid might not do as much physical damage as bombs, but it has the ability to cut the supply of electricity to hospitals, banks, factories and other critical assets.
     
3. THREAT VECTORS
These are the paths, tools or ways in which a threat actor may attack the targets. While there are thousands of attack vectors, most of them are known only to skilled attackers. A few common threat vectors are as follows:

    • Malware - Software that can severely affect anything from mobiles to computers and other computing devices. A popular kind these days is ransomware, which is aimed at blocking access to a computer system unless money is paid.
    • Phishing emails - We’ve all received such emails with senders posing as legitimate members of an organisation, trying to lure the receivers into sharing personal information. A targeted form of phishing is known as spear phishing, and if the target is big, like a high-ranking banker and others in powerful positions, it is known as whaling.
    • Unsecured wireless hotspots - If there is one thing we all love about public places, it is the open wireless networks. However, it is easy for attackers to get into such a network that is not properly secured. It also provides the attacker with a large target base.
    • Mobile devices/USBs - These devices are increasingly being used for sharing files. Malicious apps and files may be transferred from one device to another, making such devices a common threat vector.
    • Social networking sites - Since the number of social network users is increasing day by day, these sites have become a hub for attackers to steal personal information, which can be used for purposes such as sending unauthorised messages (spam) and stealing money from victims' accounts.
    • Social engineering - It is the use of deception to manipulate users into revealing confidential information that may be used for fraudulent purposes. With attackers devising ever-more clever methods for fooling employees and individuals into handing over valuable company data, social engineering attacks are becoming more sophisticated.
    • Big Data warehouses - Typically, a data warehouse is a relational database housed on an enterprise mainframe server or, increasingly, in the cloud. It stores current and historical data in one single place, and that data is used for creating analytical reports for workers throughout the enterprise. With big data comes big chances of attack!
    • IoTs - As IoT is still in its nascent stage, it strongly attracts the attacker community. Since mobile malware is already an acknowledged threat, there seems to be a high likelihood of things like wearable devices becoming attack vectors too.

      NOTE
      Apart from keeping the aforementioned threats in mind, one should also consider gaining knowledge of the various types of first and third party losses and expenses that one may incur in the event of an attack. It is also advisable to know about the different types of insurance coverage available in the marketplace, how to obtain and negotiate cyber insurance policies, the steps to be taken after a cyber incident, and how to communicate properly with the cyber insurer.

      REFERENCES
      Bloomberg Law Practice Suite - Cyber Insurance
      - Walter J. Andrews, Sergio F. Oehninger, Patrick M. McDermott