Recently, I had the opportunity to co-present with John Sileo, from www.sileo.com at the 42nd annual seminar of the RIMS Society Minnesota chapter. John kicked off the event with a keynote titled “Data Spies, Hackers, and Online Attackers” which was a great foundation to our session on Cyber Security Fraud. While the audience was a sea of risk management professionals, with insurance acumen, from brokers, to insurance carriers, the dialog was all a reflection of the collective data breach experiences of the past 12 months.
Our interactive breakout session focused on a dialog regarding cybersecurity threats, spikes and scares in identity theft, and the overall theme of the event focused on how organizations and people are changing their approach to cybersecurity simulation planning, and overall maturity of breach readiness.
We started the sessions with three questions for the audience:
1. Has your organization adjusted its approach to breach simulations due to 2014 breaches?
2. Have you been able to leverage their mistakes?
3. Is data breach readiness led by IT or business lines?
There was vast recognition that data breaches are keeping the CEO up at night, but for the risk insurance professionals, they wanted more information on how to quantify and measure the risk – both magnitude and likelihood. When asked 2/3rds of the attendees acknowledged that they had one of their debit or credit cards replaced in the last 12 months; and roughly 1/3rd indicated that multiple cards had been affected. Here were some of the startling facts from the 2014 Javelin ID Fraud Report:
- 33% of data breach victims become victims of ID Fraud
- The # of ID Fraud victims has increased to 13.1 million
- Fraud costs have decreased to $18 Billion
No the math wizards and actuarial wondered if that was new math, but the trends suggest that either having an effect at the consumer level, but not the small business level, or we have not yet seen the full effects of the breach. In fact the potential for latency is high as the fraudsters and hacktivists may get more creative with how they leverage the compromised data. While breach reports are reaching record levels, we can expect a surge in the adoption of cyber insurance. Data breach costs jumped 23% in 2014, but many of the costs have not been seen if future usage creates more fraud or identity theft.
The sources of a potential data breach can come from very disparate types of exposures from malicious insiders, negligent insiders, criminal hackers, hacktivists, and a cloud or third party compromise. The type of data being stolen and the reason behind it was a wake-up call after the Sony breach. Sony’s example brought to light that cyber security readiness is not just about stealing credit cards. The theft of misuse, blackmail, stealing corporate intellectual property and even creating fake identities has reached new levels.
Synthetics ID Fraud
Identify fraud – especially identifies that contain portions or real personally identifiable information, can more easily be used to set up synthetic identities. When using a synthetic identity, the fraudster may take more time to establish accounts, increase credit levels then “take the money and run” for a much higher eventual fraud financial loss. Post the data breaches of 2014, a new type of synthetic ID fraud is emerging. Fraudsters take pieces of stolen identity from multiple sources and sell these new identities on the black market. It takes time to perpetuate these frauds, so consumers need to be vigilant in protecting and monitoring their accounts. Key best practices include putting credit freezes on your accounts and establishing account alerts for changes to your financial accounts. In doing some further research, I learned some new scary factoids on synthetics ID Fraud:
- Synthetics identity fraud makes up 88.3% of all identity fraud and 73.8% of total dollars lost by U.S. businesses based on research completed by ID Analytics.
- According to the FTC, synthetic identity theft account for nearly 85% of the more than 16 million ID Theft in the U.S. each year
Synthetic identities can look very real, and make it more difficult for bank’s internal fraud model to identity suspicious patterns of activities. Fraud models will need to evolve and be enhanced to stay one step ahead of the more creative fraudsters.
Bottom line, the lessons learned is that breach readiness and identity theft prevention is not just about IT Security. Organizations need to communicate all levels from the C-Suite to the front line employee. Breach readiness is like war games for risk and compliance professionals, and to practice for the “big one” before it’s a Real One.
Linnea Solem Chief Privacy Officer, Vice President Risk and Compliance for Deluxe Corporation and a former Chair of the Shared Assessments Program. Linnea is a management professional with 20+ years financial services experience in areas eCommerce, technology, business development, marketing, information practices and risk management. She is a Certified Information Privacy Professional and led Deluxe’s compliance initiatives for Y2K, GLB, Check 21, and Red Flags Legislation. You can connect with Linnea on LinkedIn.
Reposted with permission from Deluxe Blogs