Advisen FPN

Advisen Cyber FPN - Friday, May 8, 2020

This week in cyber risk: How to build a better cyber model; too-smart cars; and the latest in cyber hacktivism



By Erin Ayers, Advisen

Having a full understanding of the many ways that cyber threats can present themselves helps the insurance industry guard itself and its clients against financial loss, reputational damage, or worse. Our Cyber Front Page News feature “This Week in Cyber Risk” offers analysis and insight into the unexpected ways technology, security, and risk intersect.

Modeling by the minute

How to model cyber risk continues to be of particular interest to the cyber insurance sector. Coming up with a solid cyber scenario to stress test cyber insurers’ resilience against both present and future cyberattacks requires the right blend of expertise and imagination, according to the researchers at CyberCube, who recently shared the thought process behind their modeling.

“The creation of risk scenarios is one of the most important and complex aspects of risk management in the insurance sector. It’s not a perfect means of testing an insurance portfolio but it’s a highly effective tool for insurers to deploy,” said Darren Thomson, CyberCube’s head of cyber security strategy.

The report covers the factors CyberCube takes into account when modeling cyber risk, including threat actors, targets, and vulnerabilities. Capturing a wide variety of dimensions makes the model more realistic, while still being forward-looking.

“This is challenging in cyber,” said CyberCube researchers. “‘Realistic’ does not necessarily mean that we have seen this event before. Cyber is a nascent risk in comparison to the traditional insurance domains, so there is not a lot of loss and claims precedence. Moreover, the precedence that exists must be viewed as likely to evolve. We need to exercise our imagination but, in parallel, use existing knowledge, experience, precedences and professional judgment to strike the right balance and bridge the gap.”

Not-so-smart cars

A recent story on Ars Technica detailed the case of a “tinkerer” who snagged a load of used Tesla car parts on eBay. Rather than old transmissions and wiper blades, this haul included Tesla media control units – a treasure trove of personal data from the devices’ erstwhile owners. As it turns out, Tesla “infotainment” systems remember more log-ins than you do and that sensitive data lives on after repairs are done. The units all appeared to come from a Tesla service center and were likely faulty equipment that needed to be replaced.

While it doesn’t appear to be Tesla policy to encourage side hustles selling old equipment online to the highest bidder, the event offers a reminder to fully delete all information on devices of any kind. This applies not only to individuals with “smart” vehicle systems, but also to device users who forget that factory reset before reselling a phone, game console, or laptop, as well as to rental car companies and to hotels that invite guests to sign into their Netflix during their stay. You never know where the next breach will arise – or how.

If it seems too good to be true…

…it might lead to a data breach. Researchers at the University of Notre Dame found that organizations that pat themselves on the back too vociferously via social media for “doing good” are more likely to become data breach victims – if it seems to hackers as though the “corporate social performance” is disingenuous.

Data breaches by any name are still breaches, but those perpetrated in the name of hacktivism appear not to be financially motivated, according to Corey Angst, professor of IT, analytics, and operations at Notre Dame's Mendoza College of Business. Instead, some hackers target organizations that they just dislike.

"Recent hacking activity, including 25,000 email addresses and passwords allegedly from the National Institutes of Health, WHO, Gates Foundation and others being posted online, is supported by our findings," Angst said. "What is most surprising is that firms that are 'bad actors' regarding corporate social responsibility are generally no more likely to be breached than firms that are good. In fact, the opposite is true."

Hackers’ hackles appear to be raised most significantly by organizations that widely tout social responsibility efforts that are deemed superficial, for instance making a big deal out of recycling cafeteria spoons while engaging in fracking.

"Corporate leaders need to understand that hackers are seeing through weak attempts at CSR," Angst said. "They are taking matters into their own hands and acting as corporate disciplinarians by breaching the technology infrastructure of firms that they deem to be promoting themselves as good corporate citizens when in fact there are blemishes under the surface. When firms portray themselves as 'holier-than-thou,' any small misstep could trigger an attack."

Editor Erin Ayers can be reached at
