By Jonah Papesh, Senior Underwriter, Cyber & Technology, AXA XL
In a world in which cyber attacks are increasing in frequency and severity, companies rely heavily on technology to secure their data and systems. But what if your company is a tech company? What are the risks if your business model is to create business applications, cloud services, or even cyber security products?
Cyber attacks are increasingly targeting the technology sector. In February of 2019, Deputy Attorney General Rod Rosenstein announced the criminal indictment of two hackers associated with the Chinese government. The hackers were charged with conspiracy to commit computer intrusions against dozens of global and US-based companies, targeting managed service providers (MSP). Because MSPs store and manage data and other intellectual property for companies, the threat extended to potential loss of proprietary data from all sectors of business, and possibly governments, across the globe.
Cloud storage providers, Cloud computing services, Developers of cyber security software, or a file-sharing solution provider, are often the targets of cyber attacks. The damage such attacks can inflict go far beyond the cost of recovering compromised data.
In large part, technology companies are at the forefront in the development of cybersecurity risks from the development of products and services to combat these risks to focusing daily on the trends and emerging risks.
In spite of this, tech companies lay vulnerable to cyberattack. In 2014, 3 billion Yahoo! users experienced account breaches. Over 500 million users had their names, emails, dates of birth, and phone numbers compromised in the attack. Unfortunately, it was the second large breach in a year for the company – in 2013, another 3 billion accounts had been compromised by another group of hackers. In March, the Asus’ software update system was hacked and used to distribute malware to about 1 million Windows computers. According to cybersecurity firm Kaspersky Lab, the malware was disguised as a “critical” software update, , distributed from Asus’ servers, and signed using a real Asus certificate that made it appear to be valid. Recently, after security researchers uncovered vulnerabilities that could allow hackers to take over the devices, Verizon sent out an update for millions of its routers. Since routers serve as the central point of any individual’s online activities, a hacked router could lead to significant abuse. For example, in 2018, Russian hackers infected more than 500,000 routers in 54 countries with malware that could cut off internet access and steal login credentials.
The complexity of a tech company’s risks depends on the type of products and services the company provides. Some companies may be required to store large amounts of sensitive data, while other companies need only maintain smaller amounts of information on their customers. Still, any stored data is a vulnerability, and any security incident can result in negative press, a potential stock devaluation and an overall lack of trust in the company holding or servicing your data.
Such was the case for a large online textbook rental and tutorial company when its systems were breached by hackers in September 2018. Hackers walked away with the names, emails, addresses, and passwords of the company’s 40 million registered users. Stock prices plunged, and the company had to shift its focus to securing their customers’ data and recovering from the impact to its reputation, not to mention business interruption losses.
Because the technology industry is comprised of so many different business operations and product types, exposures can vary wildly. The good news is that as attacks occur, tech companies are tightening controls. For example, there is a conscious effort to design products with security built-in not bolted on. Also, companies are moving to next generation firewalls with built in security and threat detection software that utilizes artificial intelligence.
Still, that just means hackers find new ways into a company’s network, develop new attack methods, and the success of those methods is evident in how such attacks trend. Five years ago, we saw a trend of hackers targeting retail because Point of Sale systems provided easy access. But as retailers boosted their security, hackers looked elsewhere. Currently, ransomware attacks are the ever-increasing method of hacking. With each new layer of security thwarting bad actors comes another successful way that hackers are able to gain access.
The weak link
As the hackers’ methods change, technology companies are adjusting their approach to cyber security. Established companies in particular are handling much of the innovation in cyber protection and prevention. Even tech startup companies with limited cybersecurity budgets, have been diligent about building their business operations around solid cyber security processes.
While some threats may emanate from inside the company, from employees’ actions, a major vulnerability lies with the vendor. This threat is very real for the tech startups that may not have the internal staff or the funding to handle its entire operations in-house. They turn to outsourcing portions of their operations. Yet many tech startup companies are missing a critical step – vetting the vendor’s cyber security posture.
For example, an alternative asset management firm that allows investors to buy repackaged home loans. The company gathers and stores investors’ personal and financial data, as well as financial data provided by banks and financial institutions. However, the company lacked the ability to easily access and search loan information. They contracted with a tech startup that had the technology to filter the data.
The vendor, however, was a two person start up with limited resources and security controls in place. When the breach occurred, the vendor revealed to the tech company that it had no cyber coverage. Although they were responsible for the data, the company hiring them owned the data, which meant they too were liable.
It is not just smaller technology vendors who can put your company at risk. On April 15th, 2019 Brian Krebs reported that the $8B IT outsourcing and consulting firm Wipro had its own systems hacked and were being used to launch attacks against some of the company’s customers. Wipro’s customers include firms across numerous industries including multiple Fortune 500 companies. It is important to remember that just because you are hiring a large IT vendor doesn’t mean they will have the best security, and just because you are outsourcing IT professionals it does not mean they are professionals in information security.
From an underwriting perspective, it is imperative for your tech company to know how your vendors are addressing cyber risks. That allows underwriters to put proper coverage in place. Likewise, your company should be examining more closely the controls each of your vendors are using.
Your company should be reviewing its own vetting processes:
Your company should be reviewing its own vetting processes:
• Who is the vendor?
• What is our process for selecting a vendor? What does our due diligence look like?
• How often have we reevaluated our vendor selection process? How often are we reviewing our vendors?
• Are we reviewing contracts to determine liability prior to hiring vendors?
In addition, tech companies should be addressing data exposure liabilities by working with their customers and their internal staff to put proper controls in place. In a number of cases, system breaches are coming from the customer side, and savvy tech companies are putting controls in place to minimize breach damage. Some of those controls include:
• Segmenting data – each customer account is stored separate from other customer accounts;
• Requiring at least two-factor authentication;
• Requiring password changes regularly;
• Educating customers on how to keep their systems and information secure; and
• Regularly reviewing the company’s exposure picture and amending or addressing any changes to the risk portfolio.
Staying ahead of bad actors
Cyber risks are a continuously evolving exposure that all companies face. For tech companies, their role in keeping both their operations and the operations of their customers secure is paramount to their business success.
Security Incidents and data breaches provide a lesson on what hackers are targeting, but also on how to protect systems and data from attacks. Technology companies lead the way in helping all businesses address the very real threat of cyberattack.
As cyberattacks increase in frequency and severity, tech companies must continue to innovate and lead the way in cyber security. As the first line of defense for all businesses, tech companies have a duty to get ahead of cyber risk and make sure their own security is the most comprehensive available.