America under Attack by International Cyber Criminals

From The 2015 Cyber Security Summit, Minneapolis …

It’s conceivable that someday soon, American organizations might post a new kind of safety sign: “X-number of days since our computer network has been hacked.”

Eran Kahana, attorney with Maslon, LLP, opened the Day 2 CEO breakfast, moderatinging a panel of cyber experts who discussed recent cyber incidents and reviewed emerging challenges.

A chief security and information officer (CISO) for a national defense contractor, opened the session with a slice of life. One Saturday when he was on a golf course, his CEO called to say he couldn’t access email. What initially seemed to be a routine problem quickly escalated when the company discovered that hackers had breached sensitive intellectual property. Engineering designs for an innovative system related to national defense had been stolen.

The speaker is no neophyte in cyber security. He currently holds an important government security post. Once the breach was discovered, he had the unenviable task to call clients and inform them of the breach. Those clients included the U.S. Navy and major defense contractors. One message from this story: If an experienced cyber professional at this level could get hacked, is there any organization that could not? The litany of reported hacking incidents related at the summit provided the sobering answer. It underscores America’s broad vulnerability, from small businesses processing payments to suppliers, to major U.S. conglomerates and even critical security agencies of the federal government.

Panel member Keith Burkhardt, Vice-President for Kraus-Anderson Insurance, picked up the narrative, saying that the insurance industry generally is facing new issues in cyber security liability. “Insuring against cyber loss is a case-by-case basis to underwrite – what is the coin of the realm for a given insured’s company?” A typical scenario today is that the insured entity files a claim after an incident, after intellectual property and trade secrets already are gone. Determining loss after the fact is a major disconnect, especially if the insured entity hasn’t clearly defined what was intended to be covered.

Burkhardt added a cautionary note for insurance consumers. “Don’t buy cyber liability insurance,” he warned. “It invites lawsuits.”

“Insurance is slow to adapt to real loss,” said Terrence Newby, panel member and attorney for Maslon, LLP. “If the (hacked) computer still worked, early on, insurance companies didn’t recognize the loss of intellectual property.” Newby cautioned that companies need to actively investigate their cyber insurance coverage in case intellectual property is stolen. He advised companies to “leverage their relationships with their insurance agent before a breach. Know what’s covered, and what you want to protect.”

Such issues are not clear now, and other variables remain to be defined. A now-famous incident, the cyber hacking of Sony Pictures shortly before the company was to release a comedic movie that cast North Korea’s leader in unflattering light, added a foreign country-perpetrator into the mix. The Sony CEO said the breach is covered, but much remains to be defined, said Newby.