Many breaches in data security may be going unreported by American businesses.
That’s according to Kirk Arthur, supervisory special agent for the U.S. Secret Service’s San Francisco field office.
“Businesses simply don’t report it,” said Arthur, who was speaking in front of a crowd of insurance professionals on Thursday at the behest of the Golden Gate Chapter of the Chartered Property Casualty Underwriters Society during the group’s “All Industry Day.”
Arthur was among a group of people addressing the topic of cyber security, covering topics like Target Corp.’s recent multi-million customer data breach and the newly issued Executive Order 13636, which Grace Crickett, senior vice president and chief risk and compliance officer of AAA Northern California, Nevada and Utah, said has garnered increasing attention from the nation’s ranks of chief information security officers.
“The CISO community is taking it very seriously and is really reacting as if it’s mandatory,” Crickett said.
The order is voluntary, but it does have some good suggestions, including compliance and risk practices, she added.
The order, titled “Improving Critical Infrastructure Cybersecurity,” was issued in February by the office of the president. It also deals with cybersecurity information sharing and privacy, and it offers a framework to reduce cyber risk.
With that in mind, Crickett posed the first question that companies, and underwriters, should be asking IT executives:
“Is there an increase in attacks on your system?”
The answer’s likely to be “Yes” in light of what Jim Patterson, western zone network security and privacy specialist for AIG, had to share.
According to Patterson, the number of cyber breaches that AIG’s clients experienced in 2013 was up 73 percent from the year prior.
“Either we’re doing a terrible job of underwriting risk or breaches are going up,” he said.
Patterson said AIG has been writing cyber risk for more than 15 years, and that the amount of coverage they write has been growing every year.
And when you add up paying to inform customers of breaches, investigating and fixing the breaches, and other measures that are required of a paying insurer, the claims from breaches are considerable, he said.
The average breach for AIG’s mid-market clients, those companies with between $10 million and $500 million in annual revenue, costs AIG roughly $500,000, he said.
“We’re not talking about a small amount when we have a breach,” he said.
But the most vulnerable of the nation’s businesses may be those that are the smallest and least capable, or willing, to take steps to protect their data, according to Arthur.
Arthur noted that more than 80 percent of U.S. businesses have 20 or fewer employees, and that such businesses typically are technologically unsophisticated: they often set up their point-of-sale system and forget about it, and many of them neglect to update or even buy anti-virus software.
“A lot of it is negligence,” Arthur said.
Compounding this issue is that many of those companies then fail to report their breaches, either fearing negative publicity or because of the belief nothing can be done about it, he said.
“Target happens every day to businesses across the country,” he said.
While Arthur shared several success stories in which data thieves were caught in rings that stretched from the U.S. to the Ukraine and back, he said that government cuts in personnel have made it tougher to detect and catch the growing number of cyber criminals.
“We can’t catch every breach that happens,” he said.
The Secret Service had an ongoing hiring freeze for the last several years and has only recently begun to hire agents again, while during the recession deep cuts were made to key links along the justice chain from the Department of Justice through the rest of the U.S. penal system, he added.
“At the end of the day you need people investigating this and you need people going to jail,” Arthur said.
That point was driven home by David Lewison, national co-practice leader for financial service practice for AmWins Group Inc., who later highlighted the fact that many of these breaches are being carried out by lone hackers on $400 laptops.
“You don’t have to be a big, bad shoot ’em up guy to steal data,” he said.