ACE Group and The Institutes Launch Dedicated Cyber Risk Programs

This week, two major industry players announced the launch of dedicated cyber risk programs. ACE Group, one of the world’s largest multiline property and casualty insurers, announced the launch of its new dedicated cyber risk business unit in response to internal research showing that cyber risk is a “top three” emerging issue among European risk managers.  ACE first established its global cyber practice in 2014, and is seeking to strengthen its leadership in this new risk area with the addition of full-time dedicated cyber underwriting…
Continue reading...

Department of Homeland Security Must Assess Cyber Risks to Building Access and Control Systems

The U.S. Government Accounting Office (GAO) issued a report this month calling on the Department of Homeland Security (DHS) and General Services Administration (GSA) to develop and implement a strategy to address cyber risks to building and access control systems, including the computers that monitor and control building operations such as elevators, electrical power, and heating, ventilation, and air conditioning.  As these systems are increasingly connected to other information systems and the Internet, there is greater vulnerability to cyber attacks, which, the report explains, “could…
Continue reading...

Digital Cloning: Hacking Your Fingerprints

While your biometrics may be as unique as a snowflake, they can still be digitally captured, copied and used to gain access to your “secure” computer network and data storage facilities.  Using standard photos taken during a press event in October and commercially available software, a 31-year-old member of Europe’s largest association of hackers successfully re-created a digital fingerprint of German defense minister Ursula von der Leyen.  The digital print could then be used not only to fool security software, but with the increasing sophistication…
Continue reading...

Hacker Gains Control of German Steel Mill Operations

The  German Federal Office for Information Security (BSI) has issued a report revealing that a sophisticated hacker was able to take control of a steel mill’s computerized production system, forcing an unscheduled shut-down that caused “massive damage” to the physical plant. By using targeted emails, known as “spear phishing,” employees were tricked into opening messages that extracted login names and passwords and transmitted that information to the hacker without detection. The hacker, in turn, used the data to gain limited control of the…
Continue reading...

Mandatory Reporting and “Cyber Mission Forces” Created in 2015 National Defense Authorization Act (NDAA)

Beyond appropriating $560,000,000,000 for military spending for 2015, the Defense Authorization Act passed this month expands the role of the military in wide range of areas, including strategic programs in outer space, budgeting and accounting for a new “cyber mission” major force program category, and new mandatory reporting of “cyber incidents” by government contractors and agencies. Title XVI, Subtitle C of the Senate Amendment to H.R. 3979, “Cyber-Related Matters,” first directs the Secretary of Defense to submit with the 2017 budget a new program for…
Continue reading...

Cybsersecurity Starts at the Top

This summer, the Federal Financial Institutions Examination Council (FFIEC), made up of the FED Board of Governors and FDIC, among others, conducted a Cybersecurity Assessment at over 500 community financial institutions to evaluate their ability to handle cyber risks.  While the data is still being analyzed in order to assist with future guidance and regulations, last month the FFIEC Cybersecurity Assessment’s “General Observations” were released. What is striking about the General Observations, which are not to be construed as guidance, is that they call out…
Continue reading...

Are Third-Party Vendors the Weakest Link in your Cyber Security Chain?

So, you’ve invested in a top-rate data security system, and hired the best CISO (Chief Information Security Officer) imaginable, but have you ever audited the security of the computers used by your attorneys and accountants…to whom you disclose your company’s most confidential and sensitive information? Well, you should. As recently reported in the Wall Street Journal, today’s largest financial institutions are now putting law firms to the test when it comes to the security of the information provided to their attorneys. And, rightly so, as…
Continue reading...

Can Companies Pre-Emptively Avoid Class Action Suits from Massive Data Breaches? (A Blog Series)

There’s a constant flow of news about massive data breaches nowadays.  So much so that the question for companies with large amounts of personal data storage is no longer “if” it can happen but “when” it will happen.  In this series, we’re going to discuss one method that larger companies are using to significantly reduce the risk exposure to massive data breaches: click-wrap terms of use that require users to waive participation in class actions and instead only pursue claims by way of arbitration or…
Continue reading...

Breach of U.S. Public Utility

The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) advised in its quarterly report that an unnamed public utility was compromised after attackers took advantage of a weak password security system by using brute force techniques by trying on various passwords until they hit the right one. This may come as no surprise to some as the vulnerability of the U.S. power grid to electronic attack has been known since the 1990’s. Factors contributing to this increasing danger include the shift…
Continue reading...

Lawsuits Follow College’s Untimely Notifications – Can’t Blame the Dog…

Last year, the Maricopa County Community College District suffered a data breach in April, but waited until November before advising former students and employees that their academic and/or personal data may have been compromised.  Approximately 2.4 million people were impacted by this breach, or roughly the population of Pittsburgh, Pennsylvania.  Among the data that may have been breached were social security numbers, dates of birth, and bank account numbers. Recently, a current student of Phoenix College sued the College District in Maricopa County Court, making…
Continue reading...