Manufacturers Vulnerable to Cyberrisk

Manufacturing companies face a serious threat from cyber criminals. According to IBM’s latest intelligence index, theirs is now the second-most targeted sector, after attack numbers increased significantly year-on-year. This heightened risk is compounded by increased vulnerability: the connectivity that manufacturers have embraced to bring about greater operational efficiencies is accompanied by significant and largely uninsured exposures, such as physical damage arising from cyber incidents or loss of income due to stolen intellectual property.

Part of the vulnerability lies in process control and supervisory control and data acquisition (SCADA) systems. These industrial control systems were previously deemed impenetrable because of their proprietary and highly customised networks, but their convergence with enterprise infrastructure, particularly web services and Ethernet, has created a potentially catastrophic risk. Such connections and the growing Industrial Internet of Things (IIoT) can deliver great advantages, but they simultaneously produce weak links that manufacturers cannot afford to overlook.

For example, expensive capital assets such as production machines will be retrofitted with technology that allows them to be connected to corporate networks. But they were typically built without sophisticated cyber-protection measures, or run operating systems that are incompatible with current cyber-security products. All these factors make manufacturers’ industrial control systems particularly vulnerable to cyber-attack.

Physical damage
Physical damage arising from cyberattacks has to date been relatively rare. Early high-profile events, such as claims that Russians hacked into U.S. water treatment facilities to damage pumps, or the Israeli-U.S. ‘Stuxnet’ attack on Iran’s nuclear centrifuges were believed to be state-sponsored.

One of the most underestimated threats to manufacturers is the rogue employee, disillusioned with their employer or falling victim to blackmail. One such attack involved a German steel mill. Hackers, thought to include a rogue employee, took over its industrial control systems via its enterprise system, preventing employees from shutting down a blast furnace. This caused irreparable damage to expensive equipment, and yet physical damage, as well as bodily injury, caused by a cyber event is typically excluded under most policies. The rise of the hackers-for-hire phenomenon further multiplies potential sources of attack, with competing companies looking to use third parties for corporate espionage, for example.

Stolen Innovation
Other rising areas of threat revolve around the significant non-physical assets residing in manufacturers’ information systems. Cyber theft of intellectual property (IP) has been difficult to insure properly, despite the extraordinary value of items such as the technical specifications of a new product, or the composition of a new pharmaceutical. PwC reports that the number of such thefts, notably of product designs, has doubled.

While competition is a big driver of IP cyber theft, risks such as the loss of income due to stolen IP or the legal pursuit of it are not currently insurable. When you consider the degree to which a manufacturer’s value will be directly linked to their IP, this represents a considerable risk but also one where evidencing and quantifying a loss is very difficult.

Cyber attacks are now identified as the leading cause of supply chain stoppages, but supply chain risk is also largely uninsured. Some losses, like business interruption arising from a cyber incident on an IT provider’s network, can sometimes be covered, but an interruption caused by a product supplier’s cyber event typically cannot. Upstream supply risk, associated with liabilities arising from failure to supply goods following an attack, is also difficult to insure.

Market developments
According to research by consultancy BDO USA, 92% of manufacturers cited cyber-security among their top 10 risk concerns in 2016, up 44% from 2013. Another study, however, found only 8% of manufacturers “very confident” in their ability to prevent an IT breach.

This rising risk demands action from all parties. Manufacturers must invest further in heightened security and control for their operating technologies, while cyber insurance specialists must continue to develop more sophisticated solutions to transfer manufacturers’ unique exposures more effectively. Insurance carriers are starting to work together more effectively across lines to adequately underwrite the complex cyber risks facing the sector. Failure to respond to this new era of cyber threats and vulnerabilities will leave manufacturers exposed to reputational and physical damage, bodily injury, severe business interruption, loss of intellectual property, and significant financial loss.

How Phishing Emails Can Threaten Your Company

Impostor emails, dubbed “business email compromise” by the FBI, are increasing and targeting companies of every size, in every part of the world. Unfortunately, victims often do not realize they have been had until it is too late. There are no security tool alarms and there is no ransom note, and because systems appear to be running as normal, everything seems like business as usual. That is the point, according to Proofpoint’s study, “The Imposter in the Machine.”

From New Zealand to Belgium, companies in every industry have suffered losses, the study found. Here is a small sampling of impostor attacks from the last year:

  • A Hong Kong subsidiary of Ubiquiti Networks Inc. discovered that it had made more than $45 million in payments over an extended period to attackers using impostor emails to pose as a supplier.
  • Crelan, a Belgian bank, recently lost more than $70 million due to impostor emails, discovering the fraud only after the company conducted an internal audit.
  • In New Zealand, a higher education provider, TWoA, lost more than $100,000 when their CFO fell victim to an impostor email, believing the payment request came from the organization’s president.
  • Luminant Corp., an electric utility company in Dallas, Texas, sent a little over $98,000 in response to an email request that it thought was coming from a company executive. It later learned that attackers had sent an impostor email from a domain name with just two letters transposed.
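The Luminant case above turns on a sender domain that differs from the real one by a single transposition of two adjacent letters. A finance team can catch that class of lookalike mechanically by comparing the sender domain of every payment request against an allow-list of domains it actually pays or reports to. The check below is an added example written for this article, not code from Proofpoint, the FBI or any company named here; the allow-list and the email headers it scans are constructed for illustration. It uses optimal string alignment distance, which counts an adjacent-character swap as one edit, so a transposed, dropped or substituted character lands within the flagging threshold.

```python
"""Flag payment-request senders whose domain is a near-miss of a trusted domain.

Added example for this article; the trusted domains and the sample headers
are constructed (assumptions), not data from the cases described above.
"""
import re

# Constructed allow-list: domains the finance team legitimately pays or takes
# instructions from. A real deployment would load this from a maintained list.
TRUSTED_DOMAINS = ["example-utility.com", "acme-supplies.example"]


def osa_distance(a, b):
    """Optimal string alignment distance between a and b.

    Insert, delete and substitute each cost 1; so does swapping two adjacent
    characters, which is exactly the 'two letters transposed' trick.
    """
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # delete
                          d[i][j - 1] + 1,          # insert
                          d[i - 1][j - 1] + cost)   # substitute / match
            # Adjacent transposition: a[i-2]a[i-1] == b[j-1]b[j-2]
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def sender_domain(from_header):
    """Extract the lowercase domain from a From: header, or None if absent."""
    match = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    if not match:
        return None
    return match.group(1).lower().rstrip(".")


def classify_sender(from_header, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return (status, domain, closest_trusted_domain, distance).

    status is 'trusted' for an exact allow-list match, 'lookalike' when the
    domain is within max_distance edits of a trusted domain, 'unknown'
    otherwise, and 'unparseable' when no address can be extracted.
    """
    domain = sender_domain(from_header)
    if domain is None:
        return ("unparseable", None, None, None)
    if domain in trusted:
        return ("trusted", domain, domain, 0)
    closest = min(trusted, key=lambda t: osa_distance(domain, t))
    dist = osa_distance(domain, closest)
    if dist <= max_distance:
        return ("lookalike", domain, closest, dist)
    return ("unknown", domain, closest, dist)


def flag_lookalikes(from_headers):
    """Return the headers whose sender domain is a near-miss of a trusted one."""
    return [h for h in from_headers if classify_sender(h)[0] == "lookalike"]


# Constructed sample headers; the transposed domain mirrors the Luminant pattern.
SAMPLE_HEADERS = [
    "From: Accounts Payable <ap@acme-supplies.example>",   # exact match: trusted
    "From: CFO <cfo@exmaple-utility.com>",                # 'am' swapped to 'ma'
    "From: CFO <cfo@example-utility.co>",                 # one letter dropped
    "From: Newsletter <news@unrelated.example>",           # not close to anything
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        status, domain, closest, dist = classify_sender(header)
        print(f"{status:11} {domain!s:28} closest={closest} distance={dist}")
```

A flagged header is a reason to verify the payment instruction out of band, not proof of fraud on its own: legitimate senders do occasionally use a second corporate domain. The distance check also does not cover every impostor technique, such as the trusted name placed as a subdomain of an attacker-controlled domain or a visually similar character from another alphabet, so it belongs beside, not instead of, controls like call-back verification of bank-detail changes.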


Most often, company executives are targeted, with two common angles. In the first, the always-traveling executive is studied by attackers, who use every resource available to understand the target’s schedule, familiar language, peers and direct reports. Because the executive is frequently on the road, direct reports who routinely process payments can easily be victimized.

Another ploy involves suppliers and how they invoice. For example, the supplier’s language, forms and procedures are imitated to change the bank account information for an upcoming payment. If the attackers are successful, a company may find that it has been making payments to them for months without knowing it.


For more about the risks of phishing, check out “The Devil in the Details” and “6 Tips to Reduce the Risk of Social Engineering Fraud” from Risk Management.

Prosecutors Reveal ‘Securities Fraud on Cyber Steroids’

The investigation into a huge cyberattack on JP Morgan Chase last year has exposed one of the largest computer hacking and fraud schemes to date. According to U.S. prosecutors, Gery Shalon, Joshua Samuel Aaron and Ziv Orenstein, all from Israel, hacked a total of 12 companies, exposing the personal information of more than 100 million people and netting hundreds of millions of dollars in profit. The men face 23 criminal counts, including wire fraud, computer hacking, illegal internet gambling and money laundering, with alleged crimes targeting 12 companies: nine financial services companies and media outlets including the Wall Street Journal. Investigators say their massive criminal empire used 75 shell companies that employed hundreds of people, hacked seven major banks, ran an online casino, laundered money around the world and set up an illegal Bitcoin trading operation.

“It is hacking in support of a diversified criminal conglomerate,” said Preet Bharara, U.S. attorney for the Southern District of New York. “In short, it is hacking as a business model.”

In addition to the hack of JP Morgan, which U.S. Attorney General Loretta Lynch called “the largest theft of customer data from a U.S. financial institution” and exposed the personal information of 83 million customers, the criminals also attacked E*Trade Financial Corp., TD Ameritrade, Scottrade Inc., Fidelity Investments and News Corp’s Dow Jones, which publishes the Wall Street Journal. The breaches date as far back as 2007.

“By any measure, the data breaches at these firms were breathtaking in scope and in size,” Bharara said. “This showcases a brave new world of hacking for profit.”

Breaking into these financial institutions gave the attackers information to target specific people, and gave them extra insight into the stock market. According to the indictment, they used the customer data to contact individuals and push them to buy stocks in order to manipulate their prices. In addition to the pump-and-dump scheme, sometimes the defendants reportedly engineered mergers with shell companies to create publicly traded stocks that could be manipulated. Bharara called the scheme “securities fraud on cyber steroids.”

Beginning in 2012, in addition to disguising payments and constantly obtaining new bank accounts, the men further tried to evade detection by hacking into a company that assessed merchant risk for credit-card issuers. The breach allowed the defendants to read employees’ emails and figure out how to sidestep the company’s efforts to monitor illegal payments, according to the indictment.

The defendants are also accused of operating at least 12 illegal internet casinos, even launching cyberattacks against rival gambling businesses to review executives’ email and gain a competitive edge. Shalon hacked competitors’ customer databases and directed denial of service attacks to shut down their businesses.

Several compliance officers may soon feel the heat as well: the investigation found that, in operating the online casinos and illegal pharmaceutical payment processing enterprises, the co-conspirators deceived financial institutions into processing and authorizing payments between the casino companies and others. “They colluded with corrupt international bank officials who willfully ignored its criminal nature in order to profit from, as a co-conspirator described it to Shalon, their payment processing ‘casino/software/pharmaceutical cocktail’,” the indictment charges.

According to prosecutors, the case illustrates the growing power of criminals and their tools, which makes such crimes particularly difficult to solve. But it may also highlight one key resource for doing so: self-reporting to law enforcement. Officials credited JP Morgan’s early cooperation with helping to uncover the network of criminal activity. The firm came forward early on to share information with the government, a move many forensic investigators encourage. This case provides one of the clearest examples of why: hackers frequently use the same schemes to target a swath of companies in a given industry. While many companies worry about the reputational and regulatory risks of disclosing a breach to law enforcement, as hackers grow more sophisticated in their techniques and more complex in their operations, it may prove an ever more critical step in the breach response and investigation process.

“Shalon, Aaron, and their co-conspirators allegedly robbed victim companies, often for months at a time, stealing the contact information of tens of millions of customers,” said FBI Assistant Director-in-Charge Diego Rodriguez. “They cloaked themselves in secrecy, but their methods rivaled those of the traditional masked robber. Today’s indictment sheds light on an increasingly complex threat. But just as criminals continue to develop relationships with one another in order to advance their objectives, the law enforcement community has developed a collaborative approach to fighting these types of crimes.”

Cost of Cyber Crime Up 19% For U.S. Businesses

In its annual Cost of Cyber Crime study, the Ponemon Institute found that the average annual cost of cyber crime per large company is now $15.4 million in the United States. That figure has increased 19% from last year’s $12.7 million, and presents an 82% jump from the institute’s first such study six years ago. This year, losses ranged from $307,800 to $65,047,302.

Globally, the average annual cost of cyber crime is $7.7 million, an increase of 1.9% from last year. The U.S. sample had the highest total average cost, while the Russian sample reported the lowest, with an average cost of $2.5 million. Germany, Japan, Australia, and Russia experienced a slight decrease in the cost of cyber crime over the past year.

To try to benchmark the complete cost of cyber crime, the Ponemon Institute examines the total cost of responding to incidents, including detection, recovery, investigation and incident-response management. While it is virtually impossible to quantify all of the losses due to reputation damage or business interruption, the researchers did look at after-the-fact expenses intended to minimize the potential loss of business or customers.

Check out more of the study’s findings in the infographic below:

[Infographic: Global cost of cyber crime, Ponemon Institute]