Target missed chances to prevent massive data breach: Senate report

By Arthur Postal on March 30, 2014

A Senate Commerce Committee staff report charged that retailer Target “possibly failed” to take advantage of several opportunities to prevent the massive data breach in 2013 when cyber criminals stole the financial and personal information of as many as 110 million consumers.

Committee Chairman John D. Rockefeller IV, D-W.Va., released the staff report, adding at the March hearing that the event needs to be a “clarion call to businesses, both large and small, that it’s time to invest in some changes.”

“With the benefit of hindsight and new information, we are now asking hard questions regarding the judgments that were made at that time and assessing whether different judgments may have led to different outcomes,” John Mulligan, Target executive vice president and CFO, told the committee.

It appears a structure is emerging to deal with, and to the extent possible limit or perhaps thwart, cyber attacks. According to the committee report, the structure includes use of an “intrusion kill chain” framework created by Lockheed Martin security researchers in 2011. It is designed to help institutions recognize and respond to new cyber attacks at each stage of an intrusion.

The report said that this tool suggests that Target missed a number of opportunities along the kill chain to stop the attackers and prevent the massive data breach.

Key points at which Target apparently failed to detect and stop the attack include, but are not limited to, Target’s decision to give network access to a third-party vendor, a small Pennsylvania HVAC company, which did not appear to follow broadly accepted information-security practices. The vendor’s weak security allowed the attackers to gain a foothold in Target’s network.

Moreover, the report said, based on the Lockheed Martin tool, Target looks to have failed to respond to multiple automated warnings from the company’s anti-intrusion software that the attackers were installing malware on Target’s system.

The report concluded attackers who infiltrated Target’s network with a vendor credential appear to have successfully moved from less sensitive areas of Target’s network to areas storing consumer data, suggesting that Target failed to properly isolate its most sensitive network.

In his testimony, Mulligan said Target earlier this month became the first retailer to join the Financial Services Information Sharing and Analysis Center (FS-ISAC), an initiative developed by the financial services industry to help facilitate the detection, prevention, and response to cyber attacks and fraud activity.

“Joining the FS-ISAC underscores Target’s position that the retail and financial industries have a shared responsibility to collaborate and strengthen protection for American consumers.”

He also said that Target is accelerating its $100 million investment in the adoption of chip technology because “we believe it is critical to enhancing consumer protections.”

He said Target has already installed approximately 10,000 chip-enabled payment devices in Target stores and expects to complete the installation in all Target stores by this September, six months ahead of schedule.

Mulligan also said Target expects to begin to issue chip-enabled Target REDcards and accept all chip-enabled cards by early 2015.

An insurance industry official testified that even as the number of attacks grows, and as more and more companies devote resources to dealing with them, the cost of cyber insurance is not rising because more players are coming into the market.

Because of the growing interest, Marsh & McLennan, the nation’s largest insurance broker, has developed a proprietary Information Security and Privacy Self-Assessment, which is based on international information security management standards known as ISO 27001, Peter Beshar, Marsh executive vice president and general counsel, testified.

Using the assessment, Marsh brokers perform a high-level review of information security management protocols with respect to access control, physical security, incident response and business continuity planning, Beshar said. He said the assessment focuses on the strength of a company’s governance procedures regarding cyber practices to understand how insurance carriers will view the company’s risk profile.

“Importantly, a number of cyber coverages also provide access to experts who are available to monitor the client’s information security and assist the client to restore operations in the event of a network attack,” Beshar testified. He said these services include technical advice from on-call consultants and vulnerability detection services that examine network devices.

Beshar said interest in cyber insurance is expanding rapidly. He said the number of Marsh clients purchasing stand-alone cyber insurance increased more than 20 percent in just the past year.

Kevin Kalinich, the global practice leader for cyber/network risk at Aon Risk Solutions said, “The reality is that the high profile, large company breaches have received most of the publicity, but there are a lot of small and medium size companies that do not purchase cyber insurance — yet.”

According to Aon Global Risk Insight Platform, Aon’s internal global repository of risk and insurance placement information, annual premiums for cyber-specific coverage in 2013 totaled about $1 billion, compared to $675 million in 2012. These figures are Aon Global Risk Insight Platform data extrapolated to the entire industry.

Consistent with Beshar’s testimony, Aon officials said more than 50 insurers sell the coverage.

Cyber policies cost between $5,000 to $35,000 a year per $1 million of coverage, according to Kalinich.

In the area of cyber security, “offense is a lot easier than defense,” Beshar said. That is, companies should be aggressive in taking steps to head off cyber security breaches.

“There is no silver bullet or panacea that will eliminate this risk,” he added.

Rather, he said, it will take a “collaborative effort between government and business and among professionals in different disciplines — IT, HR, Legal and Compliance — to assess vulnerabilities and link arms to confront this risk head-on.”

Arthur D. Postal is a veteran reporter covering Washington, D.C. and federal insurance regulation, with more than 30 years of experience in financial journalism.