“The first thing the CFO should do is not speak to Tom Ridge,” Suni Munshani advises.
Referring to the former director of the Department of Homeland Security, who launched a cyber-insurance firm in October, Munshani is making the point that finance chiefs should immerse themselves in the details of their companies’ information systems and develop a loss-control plan long before even thinking about buying insurance.
Faced with the rapidly advancing techniques of hackers and fraudsters, senior corporate executives have tended to “upstream” cyber-risk management to insurance companies rather than do the hard work of developing a strong defense against data breaches, according to Munshani, who is CEO of Protegrity, a firm that encrypts corporate data in an attempt to foil hackers.
To be sure, advocating for such a strategy is very much in Munshani’s self-interest. Yet even those who feel that cyber insurance can play a significant part in loss control agree that its role should be limited. “The transference element of risk management can only be effective when there is an appropriate risk mitigation approach in place,” says Dan Schroeder, a partner in charge of information assurance services at Habif, Arogeti & Wynne, an accounting firm.
Shifting cyber risk to an insurer only makes sense for “less likely, but big-impact items,” such as an attack that takes down a company’s information systems and interrupts its business for days or weeks, according to Schroeder. Indeed, in the recent data breaches at Target and Home Depot, insurance will likely help soften the blow of the retailers’ huge financial losses. The $27 million that Home Depot expects to get from its insurers would partly offset the $62 million it expects to pay out in attack-related costs, while the $90 million Target anticipates receiving would take a chunk out of its estimated $236 million loss.
But insurance payouts come after the fact, representing loss mitigation, not loss prevention. They’re not likely to cover the cost of Home Depot’s recently completed security improvement project. Nor will they go toward funding the $100 million that Target plans to invest in placing antifraud, “chip-enabled smart-card technology” in its stores by the first quarter of 2015.
Perhaps more importantly, insurance offers little consolation when a massive cyber attack threatens a company’s ability to continue as a going concern. Says Kray Kibler, CFO and chief operating officer of Scrip Cos.: “I don’t even know how to begin to think about insuring the economic loss that would happen to the company for breach of customer data. It could literally change the long-term financial profile of the business.”
The almost daily news reports of household-name cyber invasions are driving the CFOs of smaller firms to get more directly involved in loss control. “This is a middle-market, privately held company,” Kibler says of Scrip, a distributor of chiropractic, physical therapy, massage and other home health supplies and equipment. “And we are very aware that very well run, well known companies with huge IT budgets have been the victims of these attacks, and so by no stretch do we think we are immune.”
Although Scrip hasn’t yet experienced a customer-data breach, “we won’t assume that we won’t,” Kibler says. He notes that he and his finance team expend a great deal of effort in discussing how to protect the personal and financial information of the chiropractors, massage therapists, and regular consumers who buy Scrip’s products.
Particularly worrisome is the risk that hackers will penetrate company databases via unexpected pathways. In one such episode, Scrip’s office-copier vendor asked to install software on one of the company’s computer servers to keep track of such things as when a service call or toner might be needed for a copier in its Bolingbrook, Ill., headquarters facility.
Scrip agreed to the installation, but a few months after the software was installed, “out of the blue we [received] a proposal for toner and supplies for all of the networked printers in our facility,” recalls John Matusiewicz, Scrip’s vice president of IT. “I was a bit surprised by this, as we were never told about the software’s capability to scan our entire network and e-mail that information back to the copier company, nor had we asked them to provide any type of pricing for other services,” says Matusiewicz, who informed Kibler about the situation and immediately removed the software.
Had the vendor turned out to be a hacker, for those few months Scrip would have faced the risk that customer information could be breached, since the software could be used for that purpose. Even though the vendor was honest, Kibler says that during that period he couldn’t have vouched for its security protocols—which, for all he knew, could be vulnerable to a breach by others with access to the vendor’s system. The CFO says that he had “a very direct discussion” with the vendor after turning the software off, although “they still don’t understand why I was angry.”
Other unexpected routes to customer data increasingly available to hackers are smartphone applications, says Alan Peck, CFO of BrandProtect, a firm that detects online threats to corporations. One avenue is for a fraudster to copy a company’s application and use the counterfeit app to gobble up log-in information or personal data sent and received by the user’s phone, according to Peck. Noting that people tend to trust requests for information that appear on their cell phones, he observes that they routinely tap out “agree, agree, agree” to conditions that in the wrong hands can lead to thefts of their identity.
Fraudsters can use app-related malware to gain access to user address books and notes, which in turn may contain the passwords and log-in information of other individuals and companies. Peck recommends that finance chiefs adopt a “granular” approach to loss control when their companies adopt new cellular applications—for example, vetting the credentials of the people designing the security specification of the app.
The soaring growth of mobile payments is also driving company loss potentials skyward, suggests a recent study by LexisNexis Risk Solutions, a firm that provides identity verification services. Mobile-channel frauds end up costing merchants $3.34 per dollar of the actual fraud losses, while “other” channels (including mail and telephone) paid out $3.29, according to the online survey of 1,142 retail risk and fraud officials.
One way mobile payments increase the risk of fraud is by spawning “an added layer of complexity,” says Aaron Press, director of e-commerce and risk solutions at LexisNexis Risk Solutions. Customers can buy goods and services via a growing variety of mobile browsers, devices, and apps, he notes. The “wallet” payment system Apple introduced as part of iPhone 6 in September, for example, entered a crowded mobile-payments field already populated by services provided by Google, PayPal and a number of large banks.
Whether such payment systems will aid or hinder overall data security remains to be seen. Currently, however, “device identification may be difficult because it’s difficult to get certain signals coming from a mobile device,” Press says. “There are a lot of new layers of information that tend to obfuscate what’s coming in.”
At Scrip, Kibler and his finance team are racing to keep ahead of fraudsters, who seem able to devise novel forms of online theft whenever the company has blocked their efforts. “We see new schemes every week designed to place orders with us using various attempted forms of payment, by which the perpetrator hopes to get the product before we figure out there isn’t anyone to pay the bill,” he says.
On a whiteboard in Kibler’s office, members of the finance team trace the methods of newly attempted frauds step by step via a flow chart in order to identify appropriate controls. Working in this way, they found that fraudsters almost always select the more costly overnight shipping option. “They don’t give a damn about the expense because they’re not going to pay for it anyway, and the expedited shipping is an attempt to get [the product] shipped from us before we realize that this is a fraudulent order,” the CFO says.
Besides products that can be shipped quickly, high-value items like diabetes test strips, which can be sold in the “huge black market” aimed at the world’s 200 million diabetics, are particularly alluring to cyber thieves, says Kibler. Scrip, which takes in $100 million to $200 million in annual revenue, loses “six figures” per year to fraudulent purchases. The losses would be even higher if the company’s loss-control efforts didn’t prevent a further $20,000 to $50,000 in theft.
In one type of fraud that Scrip has successfully curbed, the fraudster repeatedly and rapidly enters fake credit card numbers in the hope of hitting on a valid one. After Kibler and his team plotted out on a flow chart the way the fraud works, he had Matusiewicz, the IT vice president, add logic to Scrip’s billing system that shuts down an account after a given number of attempts to enter a credit card number and puts the account on hold, flagging it for human review. Since online criminals are wary of risking encounters with company employees, the method can prove effective.
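The control described in the two passages above (counting card-number attempts per account, holding the account for human review once a threshold is crossed, and treating expedited shipping as an additional risk signal) is simple enough to show in code. The example below is added here and is not Scrip’s billing system or any code from the article; the event format, the threshold of three distinct cards, the five-minute window and the sample events are all constructed assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Constructed sample of billing-system events (not real data):
# (account_id, timestamp in seconds, card token, shipping option).
# A real system would see a tokenized card reference here, never a raw card number.
SAMPLE_EVENTS = [
    ("acct-1001", 0,   "tok-4242", "ground"),
    ("acct-1001", 5,   "tok-1111", "overnight"),
    ("acct-1001", 9,   "tok-2222", "overnight"),
    ("acct-1001", 12,  "tok-3333", "overnight"),   # fourth distinct card -> hold
    ("acct-1001", 15,  "tok-4444", "overnight"),   # account already held
    ("acct-2002", 0,   "tok-5555", "ground"),
    ("acct-2002", 600, "tok-5555", "ground"),      # legitimate retry of the same card
]

MAX_DISTINCT_CARDS = 3   # assumption: distinct cards tolerated per window before a hold
WINDOW_SECONDS = 300     # assumption: sliding window over which attempts are counted


@dataclass
class AccountState:
    attempts: deque = field(default_factory=deque)  # (timestamp, card_token) pairs
    on_hold: bool = False
    hold_reason: str = ""


class CardAttemptMonitor:
    """Per-account counter of distinct card numbers tried within a sliding window."""

    def __init__(self, max_distinct=MAX_DISTINCT_CARDS, window=WINDOW_SECONDS):
        self.max_distinct = max_distinct
        self.window = window
        self.accounts = defaultdict(AccountState)

    def record(self, account_id, ts, card_token, shipping):
        """Return 'allow', 'hold_for_review' (newly held) or 'held' (already held)."""
        state = self.accounts[account_id]
        if state.on_hold:
            return "held"
        state.attempts.append((ts, card_token))
        # Drop attempts that fall outside the sliding window.
        while state.attempts and ts - state.attempts[0][0] > self.window:
            state.attempts.popleft()
        distinct = {tok for _, tok in state.attempts}
        if len(distinct) > self.max_distinct:
            state.on_hold = True
            state.hold_reason = f"{len(distinct)} distinct cards in {self.window}s"
            # Expedited shipping is recorded as a supporting signal for the reviewer,
            # as the article's whiteboard analysis found it common in fraudulent orders.
            if shipping == "overnight":
                state.hold_reason += "; expedited shipping requested"
            return "hold_for_review"
        return "allow"

    def review_queue(self):
        """Accounts awaiting human review, with the reason each was held."""
        return {acct: st.hold_reason for acct, st in self.accounts.items() if st.on_hold}


def run(events, monitor=None):
    """Feed events through the monitor and return the decision for each one."""
    monitor = monitor or CardAttemptMonitor()
    return [monitor.record(*event) for event in events]


if __name__ == "__main__":
    mon = CardAttemptMonitor()
    for event, decision in zip(SAMPLE_EVENTS, run(SAMPLE_EVENTS, mon)):
        print(event[0], event[1], decision)
    print(mon.review_queue())
```

The window is what separates a customer retrying one declined card from an account cycling through many numbers: the second account in the sample re-enters the same token after ten minutes and stays on the allow path, while the first crosses the distinct-card threshold within fifteen seconds and is parked for a person to look at, which is the outcome the article describes.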
“That’s the kind of thing we have to do in the trenches, order by order, to mitigate this risk,” says Kibler.