Chinese hackers attack US govt and what it means for insurance
Hackers with links to China accessed information submitted to US intelligence and military personnel on the mental illnesses, drug and alcohol use, past arrests, bankruptcies and other sensitive material of nearly anyone who has applied for or received security clearance from the government.
Officials confirmed the June 8 breach of the Office of Personnel Management late last week, saying there was “a high degree of confidence that…systems containing information related to the background investigations of current, former and prospective federal government employees, and those for whom a federal background investigation was conducted, may have been exfiltrated.”
The White House confirmed that the hackers were tied to China, which could compromise the victims’ ability to continue in their positions.
“[The Chinese hack] makes it very hard for any of those people to function as an intelligence officer,” Joel Brenner, a former US counterintelligence official, told the Associated Press. “The database also tells the Chinese an enormous amount of information about almost everyone with a security clearance. That’s a gold mine. It helps you approach and recruit spies.”
More than 4 million people had been investigated for a security clearance as of October 2014, according to government records, and officials believe nearly everyone had their data exposed in the breach. The White House is currently putting the number of compromised records at between 9 million and 14 million, going back to the 1980s.
For insurance industry professionals, the breach of the US federal government was not entirely unexpected. However, it helps underline a point that many proponents of cyber liability insurance and other security policies have tried to make repeatedly: no one is safe, and public entities and small private businesses are particularly at risk.
“What this shows is that no one organisation can be fully immune to cyber risk – whether they are a public or private sector body,” said Jack Elliott-Frey, a broker with SafeOnline LLP.
“Public sector bodies often have smaller budgets than private businesses of the same size, and due to that are forced to spread it across more sectors of the business.
“Ultimately this means that security spending can take a backseat, and with public sector bodies such as local governments or healthcare providers, this can prove to be problematic as they hold plenty of valuable personally identifiable information.”
Personally identifiable information is the most frequently exposed data in a breach, according to a recent study performed by security firm NetDiligence, and healthcare and small businesses make up the bulk of firms breached.
These are also firms most likely to cite price as a reason not to purchase a cyber policy. However, while cyber insurance premiums can be expensive, they are typically much less costly than many clients believe. In general, product premiums are commensurate with client risk, said Michael Palotay, senior vice president of underwriting at NAS Insurance Services.
“I think [potential clients] would be surprised at how cheap it is,” Palotay told Insurance Business. “When the coverage is properly discussed and their exposure is explained in a real-world scenario, it’s usually a no-brainer for the insured.”
Specifically speaking, if each compromised record costs US$10 to remediate and 100,000 records are breached, the firm is looking at US$100,000 just to meet regulatory standards of reporting and addressing the damage.
In comparison to a $4,000 annual policy, that’s a good deal indeed.
NIBA issues insurance reminder
With the end of financial year just around the corner, NIBA have issued a warning to businesses that now is the time to update their insurance arrangements.
In a warning which can be used by brokers to spur interest in updated insurance, NIBA CEO Dallas Booth said that the end of the financial year offers a perfect time to review insurance documents and update coverage.
“There are three key things business owners need to ask when end of financial year and insurance renewal time approaches,” Booth said.
“Firstly, every business owner should ask whether they have the right insurance cover for the business they are operating.
“Secondly, do they have enough insurance cover to protect their business if something goes wrong?
“And thirdly, has anything changed since the last insurance renewal? Have they added a new line of business that was not there last year? Do they have valuable new equipment, tools, or other assets that need to be fully insured?
“The last question is particularly relevant this year after the Federal Government announced in the Budget that businesses with an annual turnover of less than $2m can claim immediate tax deductions for every purchase of an asset worth less than $20,000.”
Industry body updates certification structure
The Risk Management Institution of Australasia (RMIA) has upgraded its professional risk manager certification, it has been announced.
RMIA said that they have now implemented a three-level structure to their certification to replace the former two-level system.
The new levels are Certified Practising Risk Associate (CPRA), Certified Practising Risk Manager (CPRM), and Certified Chief Risk Officer (CCRO).
RMIA general manager, Suzanne Cureton, said that the changes were undertaken thanks to feedback from existing members and she hopes the new system will offer clearer pathways to progression.
“We listened to feedback from the membership, particularly from a September 2014 survey and during a CPRM Masterclass at the November 2014 National Conference,” Cureton said.
“The majority of members saw value in certification, but there was a perception the existing structure of CRMT and CPRM did not offer clear pathways for risk management practitioners to escalate their careers.”
Existing certified risk management technicians will automatically become CPRAs while existing CPRMs can further their certification and apply for CCRO status.
There is a six-month transition period as current RMIA members are moved onto the new system: the CPRA certification will be launched on July 1, with CPRM and CCRO launching later in 2015.