CYBER DECODER

FINANCIAL LINES GROUP NEWSLETTER ISSUE 40

RED FLAGS RULE CYBER SECURITY PORTS TARGETED ALSO IN THIS ISSUE
Voya agrees USD 1 million Regulators have been Ports of Barcelona and Cyber insurance guide 7
settlement with the SEC issuing large fines for San Diego fell victim to
Digital transformation 9
over charges of deficient data breaches and cyber attacks in September
cyber security lapses in cyber security this year Cyber war games 11
Top tweets 12

Page 3 Page 4 Page 5

Canada’s breach notification regime goes live

Canada is the latest country to roll out a mandatory data breach notification regime, following in
the footsteps of the European Union’s General Data Protection Regulation (GDPR) and Australia’s
Notifiable Data Breaches (NDB) scheme, which were both implemented earlier this year.

Starting on 1 November 2018, private
sector organisations in Canada will
be required to notify the Office of the
Privacy Commissioner of Canada (OPC)
and any affected individuals of any
breach involving personal information
that it believes may create a “real risk of
significant harm”.Organisations must also
maintain records of every detected data
breach and provide it to the OPC upon
request. Failure to report a breach or
maintain records is punishable by a fine
of up to CAD 100,000.
The data breach notification regime was
created via amendments to Canada’s
data protection legislation, the Personal
Information Protection and Electronic
Documents Act (PIPEDA), in 2015.
The requirements of the new regime
were set out in the April 2018 Breach of
Security Safeguards Regulations (BSSR).
According to the OPC’s recently
published annual report, data breaches
have increased in frequency-the number
reported to the regulator has doubled
since 2014. In 2017-18, 116 private
sector breaches were reported to the
OPC, an increase of 22% from the year
before. The majority of incidents related
to theft and unauthorised access (67%),
followed by accidental disclosure (29%).
GUIDANCE
The OPC recently published draft
guidelines on mandatory breach reporting
that are intended to help organisations
comply with breach reporting and
record-keeping obligations under PIPEDA.
Consultation ended in October and the
OPC says it will publish final guidance by
November 1st.

Continued on page 2 
2 FINANCIAL LINES GROUP NEWSLETTER | Cyber Decoder | October 2018
According to law firm Blake, Cassels &
Graydon, much of the information in the
draft guidelines is simply a reiteration of
the legal requirements set out in PIPEDA
and the BSSR. However, the draft
guidelines provide some useful guidance
in certain areas, such as how to assess
the reporting threshold of “real risk of
significant harm”.
According to the OPC, significant harm
would be defined as: bodily harm,
humiliation, damage to reputation or
relationships, loss of employment,
business or professional opportunities,
financial loss, identity theft, negative
effects on the credit record, and
damage to or loss of property.
The guidelines also set out the minimum
information required when recording a
data breach or reporting a breach to
the OPC, the regulator responsible for
enforcing the rules. The regulator has
already published a draft report form that
organisations can use to report a breach.
The OPC says it will pay particular
attention to how organisations address
security vulnerabilities and assess the real
risk of significant harm. It will also monitor
how breach records are maintained by
organisations, a new obligation
under PIPEDA.
While mandatory notification is a move
in the right direction towards enhancing
privacy protection, the OPC said that
it would have liked the regulations go
further. Canada’s mandatory notification
regime is more limited in scope than
the GDPR, and the OPC says that
reporting requirements will not generate
the information it requires to assess the
adequacy of an organisation’s safeguards.
It also says it will receive no additional
funding or resources to enforce the rules.
The OPC added that its powers to levy
sanctions are limited under the notification
rules. An “effective” breach reporting
regime should include financial sanctions
for not having adequate safeguards in the
first place, not only for knowingly failing to
report breaches after they have occurred,
the OPC says in its annual report.
PRIVACY POWERS
In addition to the notification
requirements, Canadian data protection
and privacy laws could soon get even
tougher. At the end of September, the
OPC Commissioner Daniel Therrien
called on the federal government to
give the regulator greater powers to
hold organisations to account.
The Commissioner said that data
breaches at Equifax, Uber and Nissan
Canada Finance, as well as the alleged
misuse of Facebook user data by
Cambridge Analytica, should act as a
‘wake-up call’ to government.
Canada’s privacy legislation gives
companies “wide latitude” to use
personal information for their own benefit,
according to Mr Therrien, who says that
the “time of self-regulation is over”. He
called for the drafting of “stronger privacy
laws,” as well as greater powers and
resources for the OPC to enforce them.
In particular, the OPC needs new powers
to make orders, issue fines and conduct
inspections to ensure businesses respect
the law. The Commissioner also called
for the government to increase the
resources of the OPC, in part to meet
its obligations under the new breach
reporting regulations that come into
force in November.
In February 2018, the Canadian House
of Commons Standing Committee on
Access to Information, Privacy and Ethics
(ETHI), which has been tasked with
reviewing Canada’s privacy laws, called
for changes to PIPEDA as proposed by
the OPC, and even called for additional
measures inspired by Europe’s GDPR.
In June 2018, the Canadian government
responded to ETHI’s recommendations
to amend PIPEDA and conceded that
changes are required to Canada’s privacy
regime pending consultation.
CYBER STATISTICS
The notification regime kicks-in at a
time of heightened cyber risk for
Canadian companies and a potential
lack of preparedness. According to the
Canadian Survey of Cyber Security and
Cybercrime, just over one-fifth (21%)
of Canadian businesses said they were
impacted by a cyber security incident in
2017. More than half (54%) of impacted
businesses reported that cyber security
incidents prevented employees from
carrying out day-to-day work, while over
half (58%) of businesses experienced
some downtime as a result of
an incident.
Worryingly, just 13% of businesses had
a written policy in place to manage or
report cyber security incidents. Only 10%
of businesses impacted by a cyber
security incident reported it to authorities.
While almost all Canadian businesses
surveyed employed some form of cyber
security to protect themselves, many
smaller firms failed to adopt basic cyber
hygiene. Almost a quarter did not use
anti-malware software or email security,
while a third did not have network
security, such as firewalls. 

SEC takes action for breach of ‘red flags rule’
US broker-dealer Voya Financial Advisors (Voya) has agreed a USD 1 million settlement with the
Securities and Exchange Commission (SEC) over charges of deficient cyber security. The settlement
is the first SEC action for a violation of the Identity Theft Red Flags Rule.
The settlement relates to a 2016 data
breach, in which fraudsters accessed
personal identifiable information of at
least 5,600 Voya customers. According
to the SEC, a person impersonating
a contractor representative called a
Voya technical support line in 2016
to successfully request a password
reset, which gave criminals access to a
proprietary web portal holding customer
data. However, the impersonator used
phone numbers that Voya had already
identified as associated with previous
fraudulent activity.
The SEC alleges that Voya breached
its Safeguards Rule, which requires a
regulated entity to protect customer
records and prevent unauthorised
access. It also says Voya breached the
Identity Theft Red Flags Rule, which
requires investment firms to maintain
an up-to-date identity theft prevention
program (ITPP) that uses “red flags” to
warn that hackers might be trying to
steal customer information or identities.
The SEC said the case is its first
enforcement action charging violations
of the Identity Theft Red Flags Rule to
protect customers from identity theft.
Although Voya had established a written
Identity Theft Prevention Program in
2009, it had not reviewed and updated
it in response to changes in risks to its
customers. Voya also failed to include
reasonable policies and procedures to
respond to identity theft red flags, such
as those that were detected during the
April 2016 intrusion.
IMPLICATIONS
According to law firm Katten, the
settlement emphasises just how seriously
the SEC treats firms’ obligations relating
to cyber security procedures. In particular,
the SEC expects an appropriate and
prompt response to red flags. Failure
to identify and respond promptly to red
flags may potentially create significant
regulatory risks, in addition to the
reputational and liability risks from the
firm’s customers, Katten says.
www.jlt.com | Cyber Decoder 3
Red flag procedures are part
of basic cyber hygiene and are
in the interest of banks and
financial advisors to implement
The settlement sends a clear warning to
financial firms and boards of directors
that they need to get their cyber security
programmes in shape or face the
consequences, says law firm Patterson
Belknap Webb & Tyler. The law firm notes
that Voya’s ITPP “languished” in recent
years and fell far below the requirements
of the rule. It also was not approved by
the firm’s board or senior leaders, as is
required by the rule.
The regulatory action against Voya
highlights the need for financial services
firms to have appropriate systems and
procedures in place to prevent fraud,
and the need to regularly review such
processes. Red flag procedures are part
of basic cyber hygiene and are in the
interest of banks and financial advisors
to implement. 
4 FINANCIAL LINES GROUP NEWSLETTER | Cyber Decoder | October 2018
Regulators get serious about cyber security
Regulators have been flexing their muscles in recent months, dishing out some very large fines for
data breaches and lapses in cyber security. The high values are further evidence that regulators are
getting serious about cyber security.
ZERO TOLERANCE
One of the largest penalties came from
the UK’s financial services regulator, the
Financial Conduct Authority (FCA). It fined
Tesco Personal Finance (Tesco Bank)
GBP 16.4 million for failing to exercise
“due skill, care and diligence” in protecting
its personal current account holders.
In November 2016, cyber attackers
exploited deficiencies in Tesco Bank’s
financial crime controls and its financial
crime operations team to steal some GBP
2.4 million over 48 hours.
Mitigating factors led to a discounted fine
for Tesco, including the early settlement
and high level of cooperation, as well
as the bank’s redress programme for
affected customers. Absent the discounts
for mitigating factors, the FCA would have
imposed a penalty of GBP 33.6 million,
it says. Issuing the fine, the regulator
warned that it has “no tolerance” for
banks that fail to protect customers from
foreseeable risks.
The FCA says Tesco had not responded
to the November 2016 cyber-attack with
sufficient rigour, skill and urgency. It also
concluded that Tesco Bank had failed to
take appropriate action to prevent the
foreseeable risk of fraud.
Commenting on the Tesco Bank cyber-
attack, the FCA called on banks to
focus on resilience, reducing the risk of a
successful cyber-attack occurring in the
first place. In July the FCA published a
discussion paper about strengthening the
operational resilience of financial services
firms with regard to cyber-attacks and
other disruptive operational incidents.
The regulator warned that it has
“no tolerance” for banks that
fail to protect customers from
foreseeable risks
UK banks have been plagued by IT
outages, the largest being the weeks of
service disruption suffered by TSB Bank
customers, following a problematic IT
platform migration in April. In September,
a number of UK banks were hit by
unrelated glitches and outages, including
TSB, HSBC, RBS and Barclays. The
FCA discussion paper suggests that the
regulator intends to take a more active
role in driving cyber resilience in the
financial services sector.
MAXIMUM FINES
The UK’s Information Commissioner’s
Office (ICO) has dished-out a number
of large fines in the past few months,
including a (pre-GDPR) maximum fine
for credit monitoring firm Equifax.
On 20 September, the ICO issued
Equifax with a GBP 500,000 fine for
failing to protect personal information
– ranging from names and addresses
to financial information - of up to 15
million UK citizens during a cyber-attack
in 2017. The incident, which happened
between 13 May and 30 July 2017
in the US, affected 146 million
customers globally.
The ICO’s investigation was carried out
under the Data Protection Act 1998 (DPA),
rather than the EU’s GDPR, as the
cyber-attack occurred before the stricter
laws came into force in May 2018. The
fine is the maximum allowed under the
DPA. However, under the GDPR, the ICO
can issue fines of up to Euro 20 million or
4% of annual global turnover, whichever
is highest.
Although the data breach took place in
the US, the ICO concluded that the
UK arm of the company failed to take
appropriate steps to ensure its US parent
Equifax Inc was protecting the information.
The investigation revealed multiple failures
at the credit reference agency that led
to personal information being retained
for longer than necessary and made
vulnerable to unauthorised access.
The Equifax fine is just the latest issued
by the ICO, which earlier indicated that
it would fine Facebook GBP 500,000 for
the alleged misuse of user information by
data analytics firms, including Cambridge
Analytica. It also recently fined health

insurer Bupa GBP 175,000 for “systemic”
failings related to a pre-GDPR data
breach (an employee stole the personal
information of 547,000 Bupa customers
and offered it for sale on the dark web);
while Heathrow Airport was fined
GBP 120,000 for failing to ensure that
personal data was properly secured after
an employee lost a USB stick.
UBER SETTLEMENT
In the US, Uber agreed to pay USD
148 million to settle a legal action
related to its massive 2016 data breach,
Ports targeted in ransomware attacks
The ports of Barcelona and San Diego both fell victim to cyber-attacks in September, as cyber
criminals appear to be targeting the maritime industry.
The Port of Barcelona reported a cyber-
attack on 20 September, although few
details of the attack were made public.
The port had initially warned that cargo
may experience delays, however, the
attack was contained and shipping was
largely unaffected.
Just days later, the Port of San Diego in
California revealed that it had suffered a
ransomware attack. On 25 September,
a cyber-attack disrupted the port’s
information technology systems,
although operations were unaffected.
Public access to some port services was
which exposed the details of 57 million
customers and drivers. Uber was found
to have breached state notification laws
by not reporting or disclosing the data
breach - instead Uber paid hackers
USD 100,000 to destroy the data.
The payment settles legal action brought
by the US government and 50 states
over Uber’s failure to disclose details of
the data loss. The company has yet to
settle legal action brought by drivers,
customers and the cities of Los Angeles
and Chicago over the 2016 data breach.
As part of the settlement, Uber has
affected, including park permits, public
record requests and business services.
The port, which operates cargo and
cruise terminals and is home to hotels,
restaurants, marinas and museums,
confirmed that it had received a ransom
note, although the value of the ransom
demand was not disclosed.
Public access to some port
services was affected, including
park permits, public record
requests and business services
www.jlt.com | Cyber Decoder 5
agreed to put in place more secure
systems and accept greater oversight
of cyber security by the Federal
Trade Commission.
Yahoo also agreed a multi-million dollar
settlement in September for its failure
to disclose a large data breach in 2014.
Altaba Inc, formerly known as Yahoo, said
that it expects to incur a total of USD 47
million in litigation expenses to settle three
class action cases for failing to disclose
the 2014 cyber security breach. The
settlement is said to draw a line under
litigation related to the data breach. 
Both attacks followed a ransomware
attack against shipping company
COSCO in July. The Chinese group
said its vessels were not affected by the
attack, although COSCO’s terminal at
the Port of Long Beach was impacted
and customer communications were
disrupted. Damage from the attack was
reportedly contained because COSCO
isolated its internal networks across
its global operations, and because of
‘work-arounds’ that enabled cargo
handling to continue without allowing
the virus to spread.
6 FINANCIAL LINES GROUP NEWSLETTER | Cyber Decoder | October 2018
Ports were also affected by the global
malware attacks of 2017, which shut
down terminals and disrupted shipping
and cargo operations. Shipping company
Maersk – which operates some 76 ports
and nearly 800 vessels - was forced to
switch off its global IT network. It took 10
days for the company to rebuild its entire
network of 4,000 servers and 45,000
personal computers.
SMART PORTS
Unlike the 2017 attacks, which affected
businesses indiscriminately, those
against the ports of Barcelona and San
Diego appear to have been targeted,
according to Darktrace Industrial, which
provides cyber security to a number of
ports. The company speculates that the
success of last year’s WannaCry and
NotPetya malware attacks may have
inspired attackers to pursue the maritime
sector specifically.
Ports are likely to become more
vulnerable to cyber-attacks with growing
automation. Many ports and shipping
companies are in the midst of a digital
transformation – last year the port of
Barcelona launched its Digital Port
project with 54 initiatives to create digital
applications, products and services.
Shipping companies like Maersk and
Mediterranean Shipping Company are
investing in smart container technology
that enables them to track and monitor
shipments in real-time.
In the past, operating technology (OT),
including industrial control systems,
has been kept separate from wider IT
systems, but it is increasingly becoming
integrated. According to Darktrace,
the creation of ‘smart’ ports and the
convergence of IT and OT systems will
challenge cyber security.
Maritime cyber security consultant Naval
Dome warned that cyber-attacks against
shore-based infrastructure, like that
suffered by COSCO, could easily spread
to ships. Shore-based and ship-based
IT systems are linked, and can act as a
gateway to vessels and leave them highly
susceptible to an attack, it says. Naval
Dome says it is aware of a number of
serious cyber-attacks this year against
companies in the maritime sector that
have not been made public.
AIRPORT ATTACKS
Airports have also been affected by
cyber-attacks in recent months. Bristol
Airport was hit by a ransomware attack
in September that took down departure
and arrival boards for two days. The
airport said it had taken systems offline
as a precautionary measure. Flights were
unaffected, but the airport had to
resort to whiteboards to keep
passengers informed.
A ransomware attack against the city
of Atlanta earlier this year caused the
city’s Hartsfield-Jackson International
airport to take some of its systems
offline. Passengers at London’s Gatwick
airport were also forced to resort to
using whiteboards, after a damaged
communications cable took-out flight
information boards in August. In 2016,
hackers attacked the website of Vietnam
Airlines and the flight information screens
in Hanoi and Ho Chi Minh City airports.
According to a report from PA Consulting
Group, the number of airport-related
cyber threats has grown significantly
in recent years - there are 1,000
cyber-attacks on aviation systems each
month, says the European Aviation Safety
Agency (EASA). Like the maritime sector,
airports and airlines have been affected
by ransomware and other cyber-attacks.
LATAM Airlines had data encrypted
by WannaCry, while Ukraine’s Boryspil
International Airport lost access to its
systems during NotPetya. LOT Polish
Airlines was also affected by a
cyber-attack on its flight planning
computers in 2015. 

Cyber insurance guide to aid discussions
A group of insurance trade bodies has joined forces to produce a guide to buying cyber insurance.
The publication aims to help companies of all sizes work with their broker to prepare their insurance
submissions and evaluate insurers’ cyber insurance offerings.
The guide has been developed by
the Federation of Risk Management
Associations (FERMA), working with
the European Federation of Insurance
Intermediaries (BIPAR) and Insurance
Europe, the European insurance trade
body. It follows FERMA’s 2017 report on
cyber risk governance, which sets out a
framework to identify and quantify cyber
risk in order to weigh-up risk mitigation
strategies and insurance.
OVERCOMING HURDLES
‘Preparing for cyber insurance’ is written
from the insurance buyers’ perspective
and is intended as a practical guide
to help organisations understand their
cyber risks and potential need for cyber
insurance. Recent cyber events have
made organisations much more aware
of the cyber risks they face and more
conscious of the need to manage their
cyber security exposures, yet many
companies still struggle to translate their
cyber security concerns into concrete
action, FERMA said.
An organisation needs to
conduct internal research and
build a picture of its cyber risks
and how it manages them
The market for cyber insurance in the
EU has yet to reach its full potential,
according to the report. One reason
for this is the difficult task insurers face
when quantifying risks that are constantly
evolving and that can rapidly spread
worldwide. Similarly, organisations can
find it hard to accurately assess their
cyber security exposures and how best
to use insurance to mitigate them.
www.jlt.com | Cyber Decoder 7
Any organisation wishing to implement
some form of risk mitigation for its cyber
risks—including insurance—must first
assess as accurately as possible its
exposures and potential vulnerabilities.
As a first step, an organisation needs
to conduct internal research and build
a picture of its cyber risks and how it
manages them. However, conducting
this research can be challenging, the
report says.
TARGETED INFORMATION
The guide gives advice on how companies
can best prepare for discussions with
insurance intermediaries and insurers.
For example, it helps buyers to prepare
the most valuable underwriting information
for insurers; outlining what information is
required, how it is used in underwriting
and where that information is likely to be
found within the organisation.
8 FINANCIAL LINES GROUP NEWSLETTER | Cyber Decoder | October 2018
According to the report, insurers will
need information on general business
risk, corporate culture, information
system security (mobile working policies,
networks, secure administration and
industrial control systems), IT suppliers,
IT update information and personal data.
While compiling this information may be
demanding, it creates a virtuous circle
because it also allows the organisation
to identify where it can strengthen its
policies and procedures, the guide says.
EVALUATING COVER
The report also provides tools to help
organisations evaluate cyber insurance
offers and how they translate in practice.
Insurance solutions proposed by
insurers are not uniform and will depend
on the organisation’s characteristics,
including its size, type, sector and level
of digitalisation. Cyber insurance
solutions typically include prevention
advice and mitigation support in the
event of a cyber-related incident.
The guide sets out the four pillars of cyber
insurance: prevention, assistance,
operations and liability. It then gives a
brief explanation of examples of cyber-
related coverages, a coverage checklist
and scenarios detailing how and when
cyber insurance can be relevant
following a cyber incident.
The scenarios show that many cyber
risks can be insured, while some
elements of coverage could be available
under other lines of insurance. As a
result, buyers need to work with their
intermediaries and insurers to understand
potential cyber coverages and gaps
within their current insurance policies and
evaluate the value of a stand-alone cyber
insurance policy for their organisation.
Cyber insurance solutions
typically include prevention
advice and mitigation
support in the event of a
cyber-related incident
The benefits of good preparation go
beyond informing a discussion with
insurers and intermediaries, according
to the guide. It serves to gauge the
extent to which an organisation is ready
to face cyber risks generally, both in
terms of prevention and response, should
an event occur. Similarly, on the basis of
this information, the insurer will be able
to offer the coverage that is best suited
to the organisation’s needs and, equally
importantly, access to pre- and post-
incident services. 

Avoiding the pitfalls of digital transformation
Special Special feature from Mark Lunt, Managing Director at JOS and Anwar McEntee, Senior
Business Manager at Adura Hong Kong, JLT’s Cyber Consortium Partners.
Once upon a time, there was a
digital transformation (DX) leader.
This transformation leader delivered a
technology project that met objectives,
delivered on schedule and on budget.
Everyone was delighted, until the
company’s corporate data appeared
for sale on a dark web forum.
Sadly, that transformation manager is
no longer with the company. This little
fable is unfortunately a reality for more
companies than the statistics indicate.
We’re going to review a couple of
oversights that largely contribute to
these statistics and how to avoid
going from hero to zero.
Far too often, transformation initiatives,
or just platform upgrades, don’t include
sufficient security risk input throughout
the various project lifecycles. The
business case needs to, not only extol
all the business benefits and competitive
advantages of a new technology, but also
include a comprehensive risk review.
The conversation needs to start with risk
and follow through by identifying assets
and the likelihood and impact of attacks,
including dollar values. The objective is
to simply ensure the company’s (security)
risks are identified and accounted for, by
balancing security controls against the
transformation functions. If this is done
from the beginning of the project plan, the
business can rest assured that they’ve
helped to minimise the impact of attacks
(or system failures) to the business.
Digital transformation is about digitising
processes, services and business
models that yield agility, efficiency and
competitive advantage. Gartner says
by 2020, 60% of digital businesses will
suffer major service failures due to the
inability of IT security teams to manage
digital risk effectively.
This staggering statistic forces the
discussion about balancing digital risk with
sought-after transformational functions.
www.jlt.com | Cyber Decoder 9
If we look at Digital Transformation, we
can start the conversation around three
areas: infrastructure, people and risk/
threat landscape.
We know infrastructure is constantly
changing and evolving. With users,
both internal and external, being the
benefactors of the new technology,
but also a conduit to attacks. Evolving
threat vectors and the actors behind the
threats are currently stepping up their
attacks against both.
We’re getting better at installing
security protection kits, like firewalls
and intrusion prevention systems, but
today’s attacks are focusing more
on people and the transformational
applications they use. Most enterprises
are not going to improve their risk levels
by stacking up more security systems,
when their general staff are inadvertently
installing malicious software anyway.
10 FINANCIAL LINES GROUP NEWSLETTER | Cyber Decoder | October 2018
Moreover, protection devices aren’t
going to stop loss of data if the
transformational applications are not
properly tested. As it stands, the
leading method for extracting data
from organisations is through the very
applications deployed to transform
the business.
Phishing and business email
compromise attacks figure
in over 90% of breaches and
losses today
Security awareness training can
significantly improve an organisation’s
resilience. More than just informative
emails, a training program that integrates
email phishing tests goes a long way
to make the training stick, given the
interaction and educational quizzes.
Phishing and business email compromise
attacks figure in over 90% of breaches resolve the issue before the hackers
and losses today, so it’s a good place took advantage.
to start looking to reduce your risk. In
The lessons here are: Focus on the
terms of attack evolution, this year’s
evolving risks surrounding the people on
trends show that many phishing emails
both sides of your digital systems, internal
don’t include malicious links or feature
and external, including partners and supply
malware infested attachments. Hackers
chain vendors. Second, review and test
are more patient now, they know that
the applications underpinning your digital
with a little more social engineering effort,
transformation programs.
they can obtain the information they need
to advance an attack on the business. As Verizon’s Data Breach Report 2018
has shown, web applications continue
There are well publicised breaches, such
to be the number one method that bad
as Deloitte’s O365 migration project,
that involve hackers accessing emails
actors employ to steal enterprise data.
Frequent web application scanning
using stolen admin credentials. This led
should be adopted, along with an
to the exposure of over 244,000
independent web application penetration
employee email accounts and customer
test that includes the underlying web
communications. Worse yet, a massive
server infrastructure. The objective is not
breach at Equifax exposed private data
to be 100% impenetrable, but just secure
of almost half the US population.
enough to be too difficult and thus costly
An investigation has shown how difficult
for bad actors to make you another
it is to keep all of a company’s systems
updated. The company knew about the breach statistic. 
vulnerability within a particular application,
but didn’t have the resources to

BUZZWORD OF THE MONTH
CYBER WAR GAMES
What does it mean?
Cyber war games simulate the experience of a real
cyber-attack, enabling organisations to test their cyber
response procedures, capabilities and governance in
a safe and controlled environment.
Cyber war games differ from traditional penetration
testing, which typically looks for vulnerabilities in IT
systems, networks and websites. Cyber war games
are a much more involved exercise, aimed at testing
an organisation’s overall response to a cyber incident,
including the decision making of senior managers and
the effectiveness of communications.
War games use specially developed scenarios – like a
malware or spear phishing attack – to simulate an attack.
Simulations can be a simple ‘table top’ exercise or a
full-blown simulation. The former would see participants
briefed on the attack scenario, whereas participants in
a simulation are given very little information and have to
work through problems as they arise.
The exercise should, however, be cross functional,
involving IT, risk management, business continuity, legal,
corporate communications, marketing and customer
care. This helps build relationships in advance of a cyber
incident and tests the flow of information, including an
organisation’s ability to share information effectively and
quickly, both internally and externally.
Companies can employ a third party to design and run
the war game on their behalf. War games can involve
an organisation’s key business partners, suppliers and
contractors; while incorporating third party services,
including breach response, crisis management and
even insurance.
www.jlt.com | Cyber Decoder 11
Why does it matter?
Cyber war games have been of growing interest to
governments and companies.
In Australia, banks and energy companies were among
12 large businesses that joined a government-led cyber
war gaming exercise in September - the companies and
government agencies had to defend a ‘Lego smart city’
model against attack in a three-day simulation. Last year
the US extended its cyber war games for the utility sector
GridEx to include banks and telecoms companies, while
the EU staged its first ever cyber-attack simulation to test
the cyber defences of member states.
Boeing recently joined with other defence contractors
to run its first cyber war game. The day-long exercise
comprised of two scenarios, based on real-world events,
encompassing large-scale ransomware and destructive
attacks. The scenarios included; spear phishing, the
compromise of a supplier, a rogue employee, an
infected update patch, and the theft of sensitive printed
documents. Adding to the realism, the exercise was
modelled on the current geo-political environment and
included social media, news reporting and mounting
customer queries.
The company said that the exercise highlighted the
future focus on executive-level response planning, as
well as the integration of data to reduce response times.
According to Boeing, the war game exercise illustrated the
importance of understanding when to report an incident
and how this can reduce liability.
Cyber war games give organisations the opportunity
to test out and hone their response to a cyber incident,
as well as identify potential gaps in response plans.
In particular, war games allow management to practice
decision making in a high pressured environment and
help build confidence. They can, for example, highlight
unexpected decisions, as well as the consequences and
realities of making certain decisions – such as shutting
down a system. 
JLT provides insurance broking, risk 12 FINANCIAL LINES GROUP NEWSLETTER | Cyber Decoder | October 2018

management and claims consulting

services to large and international
companies. Our success comes from
focusing on sectors where we know we Top Tweets
can make the greatest difference – using
insight, intelligence and imagination to
provide expert advice and robust – often EU considers
unique – solutions. We build partner teams cyber sanction law
to work side-by-side with you, our network
and the market to deliver responses that
which
are carefully considered from all angles.

Our cyber, content and new technology NCSC thwarts

risks team delivers bespoke risk 1,200 attacks over
management and insurance solutions to the last two years
meet the needs of clients from a variety of
industries. The team combines experience
and talent with a track record of delivering
successful results and tangible value for
our clients. California passes
cyber security
law for IoT

Cyber theft and

CONTACTS ransomware account
for over 50% of
Sarah Stephens
CFC’s claims
Head of Cyber, Content and New
Technology Risks, JLT Specialty
cyber@jltgroup.com

Conference app
compromises
personal data

This document is compiled for the benefit of clients

and prospective clients of companies of the JLT
group of companies (“JLT”). It is not legal advice and
is intended only to highlight general issues relating
to its subject matter; it does not necessarily deal
with every aspect of the topic. Views and opinions
expressed in this document are those of JLT unless
specifically stated otherwise. Whilst every effort has
been made to ensure the accuracy of the content of
this document, no JLT entity accepts any responsibility
for any error, or omission or deficiency. If you intend
to take any action or make any decision on the basis
of the content of this document, you should first seek
specific professional advice. The information contained
within this document may not be reproduced and
nothing herein shall be construed as conferring to you
by implication or otherwise any licence or right to use
any JLT intellectual property. If insurance and/or risk
management advice is provided, it will be provided by
one or more of JLT’s regulated companies depending
on the territories requiring insurance and/or risk
management advice. www.jlt.com
© October 2018 278252