The day after President Barack Obama declared cybercrime a “national emergency”, senior executives from AIG and Verizon admitted that corporate boards and management often don't know enough about the risks that cyber breaches pose.
Companies around the world increasingly rely upon each other to ensure that they don't compromise each other's data—but often fail to grasp the financial risks associated with interconnectivity, Peter Hancock, President and CEO of AIG, said yesterday.
Hancock, who delivered the keynote speech to a meeting of experts and top corporate officials at the New York University Polytechnic School of Engineering, in Brooklyn, N.Y., pointed to the largest retail data breach in history, the 2013 attack on Target, as an example of the inadequate defenses common to many companies.
The Target incident was the result of a failure to recognize and protect the many access points that make troves of data susceptible to criminals, he said.
“When you look at the Target breach, who would have thought that the air conditioning system would have been the way in?” Hancock said, referring to the vulnerable third-party-run system that allowed hackers to access information related to millions of Target customers.
On Wednesday, the White House announced an executive order authorizing the Treasury Department to impose sanctions against individuals or entities, in particular those located in other countries, who launch cyber attacks.
“From now on, we have the power to freeze their assets, make it harder for them to do business with U.S. companies, and limit their ability to profit from their misdeeds,” Obama wrote in a blog post that accompanied the order and declaration of a “national emergency.”
A series of massive and costly attacks on national retailers in the last 18 months — including on Neiman Marcus, Home Depot and the arts and crafts chain Michaels — has caused the federal government and many large companies to reassess their vulnerabilities to cyber-sabotage.
Tom Finan, a senior cybersecurity strategist for the U.S. Department of Homeland Security (DHS), told a panel following Hancock's speech that it was “surprising” to discover how many companies hadn't factored the threat of cyberattacks into their emergency risk management plans.
Corporations have been forced to come to grips with the fact that they've had flawed understandings of their own vulnerabilities, said Randal Milch, an executive vice president of Verizon, during the panel.
He said Fortune 500 companies — whose board members are predominantly older than 65 — often invest in pricey risk-prevention tools without actually identifying what needs to be fixed.
“Self-deception is the most expensive thing you're going to be dealing with,” Milch said. “So if you have a good idea of what your threat vectors are then you can start making a business decision about what you're going to spend.”
As a recently galvanized corporate America begins to assess the collective threats against it, Hancock — who said AIG provides stand-alone cyber risk policies to 20,000 companies — argued that companies should begin examining fundamental assumptions about how they store and access information about their customers and operations.
“There's an important data architecture question that's also a business question: Does data need to be centralized?” asked Hancock.
Companies need to figure out whether to pool seemingly unrelated data “in a big lake” or keep disparate information separated and therefore harder to compromise through individual attacks.
“We insure thousands of cows in India, with micro-insurance, but we also insure satellites,” he said. “I'm not sure the cow and satellite data need to be integrated.”
Graham Kates is deputy managing editor of The Crime Report. He can be found on Twitter, @GrahamKates. He welcomes comments from readers.