Insurers Eyeing Cyber Coverage

Insurers are eagerly monitoring exponential growth in the tiny cyber coverage market but their lack of experience and skills handling hackers and data breaches may keep their ambitions in check.

High profile cases of hackers seizing sensitive customer data from companies, such as U.S. retailer Target Corp or e-commerce company eBay Inc, have executives checking their insurance policies.

Increasingly, corporate risk managers are seeing insurance against cyber crime as necessary budget spending rather than just nice to have.

The insurance broking arm of Marsh & McLennan Companies estimates the U.S cyber insurance market was worth $1 billion last year in gross written premiums and could reach as much as $2 billion this year. The European market is currently a fraction of that, at around $150 million, but is growing by 50 to 100 percent annually, according to Marsh.

Those numbers represent a sliver of the overall insurance market, which is growing at a far more sluggish rate. Premiums are set to grow only 2.8 percent this year in inflation-adjusted terms, according to Munich Re, the world’s biggest reinsurer.

The European cyber coverage market could get a big boost from draft EU data protection rules in the works that would force companies to disclose breaches of customer data to them.

“Companies have become aware that the risk of being hacked is unavoidable,” said Andreas Schlayer, responsible for cyber risk insurance at Munich Re. “People are now more aware that hackers can attack and do great damage to central infrastructure, for example in the energy sector.”

Insurers, which have more experience handling risks like hurricanes and fires, are now rushing to gain expertise in cyber technology.

“It is a difficult risk to price by traditional insurance methods as there currently is not statistically significant actuarial data available,” said Robert Parisi, head of cyber products at insurance brokers Marsh.

Andrew Braunbergon, research director at U.S. cybersecurity advisory company NSS Labs, said that some energy companies have trouble persuading insurers to provide them with cyber coverage as the industry is vulnerable to hacking attacks that could trigger disasters like an explosion in a worst-case scenario.

Pricing on policies for retailers has climbed in the wake of recent high-profile breaches at Target, Neiman Marcus, and other merchants, he added.

Source

PoS Cyber Attacks Up In 2013

A third of data intrusion investigated by security firm Trustwave last year involved compromises of point-of-sale (POS) systems and over half of all intrusions targeted payment card data.

Even though POS systems remained a significant target for attackers, as suggested by several high-profile data breaches disclosed by large retailers over the past six months, the largest number of data theft incidents last year actually involved e-commerce sites, Trustwave said Wednesday in a report that compiled data from 691 data breach investigations conducted by the company around the world.

E-commerce intrusions accounted for 54 percent of investigated data breaches and POS system intrusions accounted for 33 percent, Trustwave said. A separate report published by Verizon in April also pointed to Web application and PoS attacks as leading causes of security incidents with confirmed data disclosure last year.

According to Trustwave, over half of intrusions targeted payment-card data, with such data being stolen from e-commerce transactions in 36 percent of incidents and from POS transactions in 19 percent of attacks.

In Western Europe in particular, where countries have rolled out EMV — chip-and-PIN payment card transactions — cybercriminals shifted their focus from POS devices to e-commerce platforms, said John Yeo, EMEA Director at Trustwave. “EMV has changed the pattern of compromises when it comes to payment-card-specific data.”

However, a significant increase in the theft of sensitive, non-payment-card data, was also observed last year. This data includes financial credentials, personally identifiable information, merchant ID numbers and internal company communications, and was stolen in 45 percent of incidents, Trustwave said in the report.

Customer records containing personally identifiable information can possibly be used to perpetrate identity fraud and are sought after on the black market, so that’s why there’s been an uptick in attacks focusing on such data, Yeo said.

Only about a third of victim companies were able to self-detect data breaches, Trustwave found. In 58 percent of cases, breaches were identified by regulatory bodies, the credit card companies or merchant banks.

Source

NSA Developing System To Crack Encryption

The U.S. National Security Agency is working to develop a computer that could ultimately break most encryption programs, whether they are used to protect other nations’ spying programs or consumers’ bank accounts, according to a report by the Washington Post.

The report, which the newspaper said was based on documents leaked by former NSA contractor Edward Snowden, comes amid continuing controversy over the spy agency’s program to collect the phone records Internet communications of private citizens.

In its report, The Washington Post said that the NSA is trying to develop a so-called “quantum computer” that could be used to break encryption codes used to cloak sensitive information.

Such a computer, which would be able to perform several calculations at once instead of in a single stream, could take years to develop, the newspaper said. In addition to being able to break through the cloaks meant to protect private data, such a computer would have implications for such fields as medicine, the newspaper reported.

The research is part of a $79.7 million research program called “Penetrating Hard Targets,” the newspaper said. Other, non-governmental researchers are also trying to develop quantum computers, and it is not clear whether the NSA program lags the private efforts or is ahead of them.

Snowden, living in Russia with temporary asylum, last year leaked documents he collected while working for the NSA. The United States has charged him with espionage, and more charges could follow.

His disclosures have sparked a debate over how much leeway to give the U.S. government in gathering information to protect Americans from terrorism, and have prompted numerous lawsuits.

Last week, a federal judge ruled that the NSA’s collection of phone call records is lawful, while another judge earlier in December questioned the program’s constitutionality. The issue is now more likely to move before the U.S. Supreme Court.

On Thursday, the editorial board of the New York Times said that the U.S. government should grant Snowden clemency or a plea bargain, given the public value of revelations over the National Security Agency’s vast spying programs.

Source

Twitter Tightens Security

Twitter Inc said it has put in place a security technology that makes it harder to spy on its users and called on other Internet firms to do the same, as Web providers look to thwart spying by government intelligence agencies.

The online messaging service, which began scrambling communications in 2011 using traditional HTTPS encryption, said on Friday it has added an advanced layer of protection for HTTPS known as “forward secrecy.”

“A year and a half ago, Twitter was first served completely over HTTPS,” the company said in a blog posting. “Since then, it has become clearer and clearer how important that step was to protecting our users’ privacy.”

Twitter’s move is the latest response from U.S. Internet firms following disclosures by former spy agency contractor Edward Snowden about widespread, classified U.S. government surveillance programs.

Facebook Inc, Google Inc, Microsoft Corp and Yahoo Inc have publicly complained that the government does not let them disclose data collection efforts. Some have adopted new privacy technologies to better secure user data.

Forward secrecy prevents attackers from exploiting one potential weakness in HTTPS, which is that large quantities of data can be unscrambled if spies are able to steal a single private “key” that is then used to encrypt all the data, said Dan Kaminsky, a well-known Internet security expert.

The more advanced technique repeatedly creates individual keys as new communications sessions are opened, making it impossible to use a master key to decrypt them, Kaminsky said.

“It is a good thing to do,” he said. “I’m glad this is the direction the industry is taking.”

Source

Is Verizon Interested In Clearwire?

Verizon Wireless reportedly has offered $1 billion to $1.5 billion to acquire some of Clearwire’s spectrum leases, possibly complicating Sprint Nextel’s attempt to buy out the company in conjunction with its acquisition by Softbank.

Clearwire is struggling financially but owns broad swaths of spectrum, the lifeblood of wireless networks. The April 8 bid from “Party J,” which Clearwire disclosed in a Securities and Exchange Commission filing on Friday, is the latest in a series of offers for its spectrum licenses. Unnamed people familiar with the matter identified “Party J” as Verizon Wireless, according to a report in The Wall Street Journal.

Clearwire is a key part of a complicated set of possible transactions that could make a much stronger competitor out of Sprint, the country’s third-largest mobile operator. Sprint already owns roughly half of Clearwire and is bidding about $2.2 billion to buy the rest of its stock. That deal depends on Softbank’s planned $20.1 billion offer for 70% of Sprint, which is still undergoing regulatory review.

Clearwire holds 150MHz of spectrum or more in most major markets of the U.S. Verizon would buy only a portion of that spectrum. “Party J offered to acquire Clearwire spectrum leases generally located in large markets,” Clearwire said in the Friday filing, a proxy statement to shareholders on the Sprint buyout bid. The proposed gross price of $1 billion to $1.5 billion would be reduced by what Clearwire pays for the leases, which could be substantial, according to Clearwire’s filing. The company said it would discuss the offer with “Party J” and Sprint.

Source

Woman Sues LinkedIn

An Illinois woman has filed a $5 million lawsuit against LinkedIn Corp, claiming that the social network violated promises to consumers by not having better security in place when more than 6 million customer passwords were stolen.

The lawsuit, which was introduced in federal court in San Jose, California, on June 15 and seeks class-action status, was filed less than two weeks after the stolen passwords turned up on websites frequented by computer hackers.

The attack on Mountain View, California-based LinkedIn, an employment and professional networking site with more than 160 million members, was the latest massive corporate data breach to have attracted the attention of class-action lawyers.

A federal judicial panel last week consolidated nine proposed class-action lawsuits in Nevada federal court against online shoe retailer Zappos, a unit of Amazon.com, over its January disclosure that hackers had siphoned information affecting 24 million customers.

The LinkedIn lawsuit was filed by Katie Szpyrka, a user of the website from Illinois. In court papers, her Chicago-based law firm, Edelson McGuire, said LinkedIn had “deceived customers” by having a security policy “in clear contradiction of accepted industry standards for database security.”

.

Source…