Cyber-hacking bust shows need for liability coverage

Protecting personal information and insuring it against computer hackers is becoming big business, making cyber liability a definite growth product in the insurance industry.

A B.C.-born computer security expert is being recognized by the Federal Bureau of Investigation for exposing the world’s largest-ever so-called botnet, which was designed to hijack more than 15 million PCs, including machines at major corporations and most Canadian banks.

“Cyber liability insurance is now where Directors & Officers insurance was 15 years ago,” says Matthew Davies, manager of cyber liability with Chubb Insurance Company of Canada. “At one time only large publicly traded corporations were buying D&O insurance, but now small private companies purchase D&O. It is no longer a discretionary buy. I see cyber liability insurance going that way as companies see the value in it.”

Davies, who specializes in cyber liability insurance at Chubb Canada, says cyber liability policies can help fill a gap in coverage that traditional liability policies may not cover.

“The industry is seeing more case law developing and more claims from network security or privacy breach losses are being reported to traditional policies, and those policies don’t necessarily have a fulsome response, because they weren’t crafted for these types of exposures,” Davies told InsuranceBusiness.ca. “The cyber liability policy is constructed to respond to a wide range of possible losses including first party coverage for expenses such as hiring a crisis management firm, a forensic computer consultant or legal counsel and the costs incurred to notify customers or employees whose personal information has been breached.

“First party coverage is the most interesting aspect of cyber liability, as that part is the ‘gap filler’ in insurance coverage. Cyber is designed to mitigate these exposures, and reduce the potential for downstream losses,” Davies pointed out.

The B.C. man, Chris Davis, who played a lead role in the investigation and eventual prosecution of two Spaniards and a Slovenian who masterminded the scheme, will likely be the only Canadian and one of the few non-FBI employees to receive an FBI Director’s Award.

“The Director’s Awards are the highest honour employees may receive, and they recognize outstanding contributions and exceptional service to the FBI and its mission,” the agency said in an emailed statement. “The Butterfly Botnet investigative team involved foreign law enforcement and private sector partners; their efforts were critical to the success of the investigation.”

Davis, a director of partnerships at CrowdStrike based in Irvine, Calif., will receive the award in the fall.

Botnets are designed to steal passwords, credit card numbers and other personal data and funnel that information back to the criminals without the victim ever realizing it is happening.

Although the botnet scheme was an example of a malicious criminal operation designed to hack and steal information, cyber liability coverage can provide protection against less sinister acts as well, said Davies.

“Cyber liability coverage will cover damages resulting from criminal hacking or malicious activity, but it will also cover negligence,” he said. “Negligence can include losing a laptop or smartphone with confidential information on it – or if the user is using an unsecured WiFi and corporate information is put at risk. And it doesn’t have to be strictly electronic – it can be extended to include a loss of paper files too.”

The botnet Davis discovered in 2009 was malware created by an IT specialist at a telecom company (his day job) in Slovenia, who sold copies for what amounted to a paltry $1,000.

The cybercriminals who hatched the scheme began using the product to infect and hijack other computers on the Internet.

“The stuff was very sophisticated,” Davis told the Financial Post in a telephone interview. “When they arrested the guys in Spain, the police recovered, like, millions of stolen credit card numbers. They were supposed to be unemployed, but they had nice apartments, new cars, flat-screen TVs. I mean, they were high school dropouts. One of them, when he went on vacation, he chartered a yacht.”

Davis’ contribution to the arrests is being recognized for the fact that he was able to uncover evidence to nail the malware author. Typically police charge the middlemen when botnet schemes are brought down (the criminals who bought the malware), but they fail to get the malware author for lack of evidence. Davis, in concert with security officials at other organizations who worked with law enforcement officials, was able to uncover details of the scheme.

Slovene police charged Dejan Janžekovic, a former computer technology student in his early 20s, with computer crime two years ago. Although granted bail, he immediately went back to selling his malware kits – which resulted in a second visit from the police and further charges.

 
