Corporate

That Time the Entire Cyber Security Exposure Narrative Changed

 The hack attack on Sony Pictures Entertainment was massive, and it had a devastating effect on the company. As detailed in the December 30, 2014 Wall Street Journal article entitled “Behind the Scenes at Sony as Hacking Crisis Unfolded,” (here), the hackers who attacked Sony’s systems didn’t just pilfer the company’s data — they erased the data, rendering the company’s entire computer system and landline phones unusable. The malicious hackers also “created maximum chaos” by leaking five Sony movies onto the Internet, along with thousands of internal documents (including a host of embarrassing emails) and the Social Security numbers and other personal information of over 47,000 people, including current and former employees.

While at one level the Sony attack rightly may be described as unprecedented, it was not even the worst corporate attack in 2014. Bloomberg’s Report on the worst 2014 data breaches (here) reported that Sony had 47,000 records stolen, but 83 million records were stolen from J.P. Morgan, affecting 76 million households and seven million small businesses. The Home Depot hack resulted in the theft of 100 million records, including 56 million credit cards and 53 million email addresses. The data breach at eBay, in which hackers stole email addresses, physical addresses and login credentials, may have affected up to 145 million active users.

However, as unprecedented as the Sony hack attack was, and as massive as the other breaches during 2014 were, none of these represent the “change” to which I was referring in the title of this blog post.

Instead, I as referring to the news about a couple of other cyber incidents that might have been overlooked in all of the hoopla over what a Sony executive may have said about Angela Jolie in an internal email. These two cyber incidents that came to light in December are “downright scary,” in the words of a December 22, 2014 Computerworld article about the incidents and entitled “Cyberwarfare: Digital Weapons Causing Physical Damage” (here), as both incidents resulted in “physical damages in the real world.”  

The first of these two incidents, as reported on in a December 10, 2014 Bloomberg article (here), involved a 2008 cyber attack on a Turkish pipeline. The hackers, believed to be Russian, exploited a vulnerability in the pipeline’s surveillance camera software to infiltrate the pipeline’s internal network. The hackers shut down alarms, cut off communications and super=pressurized the crude oil in the line, resulting in a fiery explosion. The blast managed to put the pipeline out of commission without triggering a single alarm and, resulted in massive losses for the private companies and governments with interests in the pipeline. Among other things, this incident is significant from an historical perspective, as it preceded the 2010 Stuxnet cyber incident in which Iraq’s nuclear centrifuges were damaged.

The second of the two incidents was disclosed in a December 2014 report by Germany’s Federal Office for Information Security. According to the report (here, in German), a German steel factory suffered massive damage when hackers managed to access the factory’s production networks, allowing the hackers to tamper with the controls of a blast furnace. After the system was compromised, individual system components began to fail. As a result of the failures, one of the plant’s blast furnaces could not be shut down, resulting in “massive damage” to the plant. A December 19, 2014 PC World article about the incident can be found here.

As disturbing as the malicious hack attack at Sony was, these physical damage incidents represent an entirely different category of cyber security threat. There are a host of implications from these threats, among which are the problems this type of cyber breach physical damage presents from an insurance perspective. Property insurers are moving quickly to make it clear that they do not intend to provide insurance for property damage arising from this type of peril. For their part, the cyber insurance carriers are not interested in expanding their coverage to pick up this type of exposure either; right now, they are so spooked from the losses associated with the Target and Home Depot breaches that they have little appetite for picking up coverage for an exposure of unknown but potentially devastating scope.

If nothing else, these cyber breach property damage incidents underscore the fact that it is a dangerous world out there. The scope of the threat posed by the possibility of these types of incidents recurring is uncertain, but it certainly doesn’t help that the possible damage that another incident like this might involve may not be insurable in the current insurance marketplace.

One more note about the Sony cyber incident. Sony’s experience following the cyber attack highlights the importance of one aspect of the coverage that privacy and network security policies do offer — that is, the coverage for business interruption following a cyber breach. TheJournal article to which I linked above details the way that Sony’s business processes and operations were completely disrupted by the breach. Among other things, the article (published a month after the attack commenced) states that Sony’s network is “expected to be fully operating again with eight weeks.” Business interruption may be one of the most significant effects of a disruptive cyber attack – in Sony’s case, that may even have been among the objectives of the hackers’ malicious attack on the company.

Mind Blowing Fact of the Day: I thought it was pretty interesting to read in a January 3, 2015 article in The Economist entitled “Robber Barons and Silicon Sultans: Self-Made Wealth in America” (here) that “Each iPhone contains the same amount of computing power as was housed in MIT in 1960.”

But what really blew me away was the following statement in another article in the same issue of the magazine entitled ‘There’s an App for That: The Future of Work” (here): “According to Benedict Evans of Andreessen Horowitz, the new iPhones sold over the weekend of their release in September 2014 contained 25 times more computing power that the whole earth had at its disposal in 1995.”  

All that computing power so phone owners can take selfies, play Candy Crush Saga, and post pictures of their cats on Facebook.

In thinking about the cyber security stories discussed above and about this information about growing availability of computing power, there is much to contemplate concerning the lack of data security over digital domains as our world become increasingly digital.  

 Read other items of interest from the world of directors & officers liability, with occasional commentary, at the D&O Diary, a blog by Kevin LaCroix.

For more information about LexisNexis products and solutions, please connect with us through our corporate site.