Mergers & Acquisitions (M&A) involve businesses of all sizes and span all industry sectors. The market is currently booming, with Pitchbook reporting 4,754 deals closing worth $849.7 billion in 1H of 2019. We expect to read about deals like Abbvie/Allergan, as drug companies look for the next blockbuster drug, or UTX/Raytheon and Oxy Petroleum/Anadarko, where economies of scale will improve financial performance or provide access to much-needed technologies or resources. But M&A more often involves mid-market companies that rely heavily on suppliers and partners, possibly with large consumer client bases, and that have developed valuable IP that will propel them into competitive environments.
And for these transactions, what cybersecurity due diligence is conducted before, during and after the close of the M&A transaction? You only have to consider the Verizon/Yahoo and Marriott/SPG mergers to wonder what surprises await the buyer of a seemingly well-run enterprise. M&A is a complex, lengthy courtship process that should bring two entities closer together, and cybersecurity has emerged as a core element in the process. Consider the regulatory environment around data breaches. With both the delayed reporting and the heightened fine structures under the FTC or the GDPR, it’s very easy to imagine acquiring a company that will trigger a violation post close and thereby damage the reputation or security posture of the acquiring entity, at significant expense.
The malware and ransomware epidemics continue to have wide impact, both on under-resourced government entities and on large entities with significant cyber capability. Business interruption is the major concern for all companies. If you look at Maersk’s statement from 2016, they understood the risk but still suffered from NotPetya: “The risk is managed through close monitoring and enhancements of cyber resilience and focus on business continuity management in the event that IT systems, despite their efforts, are affected.” How can you filter out the risky acquisitions from seemingly positive disclosures?
As many companies have recently completed a merger or may be contemplating an M&A transaction, I interviewed three leading practitioners to better understand the most important components of cyber M&A due diligence. I spoke with Luke Dembosky, partner and co-chair of the Cybersecurity & Data Privacy practice at Debevoise & Plimpton; Chris Keegan, senior managing director of the Cyber Liability practice at Beecher Carlson; and James Arnold, principal at KPMG Cyber Security. What follows is not an exhaustive list of steps, but it definitely offers some valuable insights and pointers to potential issues. Our discussion flowed from the early stages of a transaction through to completion and then to ‘post deal,’ and includes general guidance as well as pointed replies to questions.
Early Stages of Transaction
BARNABY: How do you go about initiating M&A cyber due diligence?
LUKE: “We are most commonly asked to be involved where the target holds a large store of valuable data or the crown jewel is a particular item of IP that if it were exposed by hackers or others would significantly devalue the target. There is a growing realization that you can’t just cover yourself with representations and warranties, and the data for many targets is the primary asset, such that the whole purpose of the acquisition is in jeopardy if that has been breached or exposed in any significant way.
“The liability that the purchaser made / incurs / inherits that flows from that is added insult to injury. Not only do you lose the value of what you are buying, but you find yourself defending privacy lawsuits and regulatory enforcement proceedings in the United States and abroad, and you bought yourself a very big mess that was not your creation, but that you failed to detect with your diligence efforts.”
JIM: “Both Sellers and Buyers are beginning to realize the importance of cyber security and how it affects the valuation of a transaction. Sellers are completing Cyber Maturity Assessments and related activities prior to starting the sales process to help ensure no cyber security issues arise during the sales process. Buyers are realizing that when they make an acquisition they are not only acquiring the financial benefits of the business; they are taking on the financial and reputational liability of the target’s cyber security, data management and data privacy programs.”
BARNABY: What is your initial guidance on insurance actions?
CHRIS: “M&A participants are increasingly seeking to protect their interests by transferring cyber risk to the insurance markets. There are three types of insurance policies that participants in M&A transactions should focus upon to protect their interests to offset losses if a cyber event diminishes the value of a transaction. They are cyber insurance, which protects a company against cyber events; Representations and Warranties coverage, which backs the obligations in the purchase agreement; and D&O insurance which protects individual officers and directors. All provide critical elements of protection. The value of these insurance policies all depends upon the risks that the particular transaction represents, the parties to the transaction and the terms of the contract.
“Whether the Purchase and Sale agreement has provisions that contemplate liabilities or loss from a cyber event will impact what can be insured and how an insurance program can be structured. The focus on cyber risk has been on companies that hold large amounts of private personal information or have a large credit card exposure. That view should be changing as we see large income losses and direct costs as a result of ransomware, wiper viruses and new types of malicious code. These types of losses can occur at any company that relies on computer technology. As more examples emerge of malicious access to systems occurring before the purchase but coming to light after the transaction, we should see more contracts specifically dealing with the issue.”
BARNABY: Can you point to divergent outcomes from recent M&A transactions?
JIM: “While buyers are starting to realize the importance of Cyber Due Diligence they don’t always know what to do with the information. At KPMG we recently assisted a PE Firm client with its acquisition of a manufacturing target and a healthcare client with its strategic acquisition of several regional hospitals.
“KPMG’s Cyber Due Diligence of the manufacturing target uncovered a number of cyber security issues. We provided our client with a recommendations report identifying high priority items to be fixed immediately and a roadmap of items for the buyer to undertake to improve the overall cyber security of the newly acquired company. Unfortunately, our client did not implement even the simplest and most critical recommendations, like initiating Multi-Factor Authentication and patching of known vulnerabilities. Subsequently, the company was hit with ransomware; their manufacturing was interrupted for nearly a week and other functions were adversely affected for months.
“While this client realized the importance of performing Cyber Due Diligence to value the transaction, their failure to follow through and address the identified cyber security weaknesses likely cost them well over $10 million.
“The story of our healthcare client has a much happier ending. While in the midst of the transaction to purchase the regional hospitals, the CISO insisted that KPMG be retained to perform Cyber Due Diligence. While performing the Cyber Due Diligence, KPMG uncovered significant weaknesses in the target’s cyber security program. With KPMG’s findings in hand, our client negotiated a reduction in the purchase price and escrow funds to be set aside in case any other cyber security weaknesses were uncovered after closing. The CISO also secured budget from the board to allow his organization to address the identified cyber security weaknesses.
“These two examples show the importance of not only going through the motions of performing Cyber Due Diligence, but acting upon the findings to properly value the transaction and protect the value of the newly acquired company going forward.”
LUKE: “Increasingly, our clients are investing more in cyber and privacy diligence to try to surface these issues. There are several things they are worried about.
“For example, is there an historical or ongoing breach? Has valuable data been already exposed, even unbeknownst to the seller? We will increasingly be asked to start to evaluate a potential acquisition before there is even a term sheet or any signing. This can include dark web searches to identify hacker chatter about the target or stolen credentials purporting to belong to the target or one of its key vendors.”
BARNABY: Do you take steps like conducting a dark web search without telling the target company, or before you enter into a due diligence phase?
LUKE: “Yes, we can look at public source information on the dark web. We can take other publicly available steps like reviewing the target’s website and glean something about the level of sophistication of the seller, including through the way that they set up or configured the site. We take advantage of threat intelligence, including the type of threat intelligence provided by Cylance, to be able to come in on an informed basis, looking for any yellow flags or red flags that we may see on the outside.”
JIM: “A recent KPMG client buyer engaged us to perform a dark net investigation of a target company. During our investigation KPMG uncovered significant information about the company which indicated they had been compromised for some time and their confidential information and intellectual property was available for sale on the dark net. KPMG’s findings led our client to cancel the proposed transaction. Most dark net investigations do not uncover this level of negative information, but they often do help inform both the Seller and the Buyer as to what steps need to be taken to improve cyber security at the target company.”
BARNABY: The privilege issue that you have during an IR, is there a similar phase here? Do you run the risk of collecting or exposing or learning something that will then become part of your client’s company which then wasn’t shielded from privilege?
LUKE: “We are careful to keep our legal advice regarding the risks under privilege, but the underlying facts are never privileged. You may learn facts that do create some potential future exposure, but the idea is it is better to know sooner rather than later and ideally to know before you sign on the dotted line.”
BARNABY: Can you think of any disclosure or lack of disclosure that might have resulted in a problem for a transaction?
LUKE: “We have had people present a rosy picture to us of their cybersecurity program. We have seen targets with the right industry certifications and we have looked under the hood and found a different picture… so you can’t take these things at face value unless you are confident the worst case cybersecurity outcome is still not enough to derail the deal. That’s rare these days. If you are buying a brick and mortar company and you know, whether or not there is a cyber or data privacy issue -- maybe limited to their HR data and you know there are only X number of employees, then you might conclude you could manage that. But if you are buying someone whose crown jewel is IP, and that’s the value of the transaction and that has been exposed by outsiders, it’s generally not going to be worth it. Similarly, if someone’s holding large stores of personal data of individuals and diligence reveals a likely breach, then liability risks now are through the roof and it very well may not be worth it to proceed with the transaction.”
BARNABY: Are there any other things you want to highlight in the early stages of a transaction?
LUKE: “Sometimes our clients acquire startups and, with some exceptions, they tend to present more risk in terms of legal and compliance issues because they are usually thin in that area and, compliance-wise, may not realize they are subject to the full range of applicable legal regimes. They may be learning for the first time through the diligence process about legal regimes that they should have been complying with all along. So some of the early questions have to do with, not only what are you doing to protect systems and data, but what legal regimes do you believe you are subject to and what have you done to comply with them, as well as others that you have not mentioned?”
JIM: “Both targets and acquirers need to continue to focus more on cybersecurity.
“Targets/sellers need to ensure they have their cyber house in order before they begin the sales process. Recent surveys have shown buyers are willing to pay more for a target that can prove it has a strong Cyber Security Program.
“Buyers need to demand more information from sellers during the pre-deal process – data rooms should include information about the target’s Cyber Security Program – budgets, Incident Response Plans, Playbooks, employee awareness / training materials, cyber security tools, results of any recent pen-testing and org chart for the cyber security team.
“In addition, data rooms should include information about any prior cyber incidents, including cyber insurance claims, investigation reports and remediation steps taken to strengthen cyber security. Buyers can also initiate dark-net and other threat intelligence searches at this stage, which do not require access to the target’s environment. Valuable information can be obtained from these dark-net and threat intelligence investigations.”
CHRIS: “Cyber risk is broader than most companies think. Buyer companies should not only focus on credit card information but on the broader sphere of confidential and other information that is highlighted in newly minted statutes such as CCPA and GDPR. Recent fines have been well over $100 million, enough to change the dynamics of any transaction. There is a broader set of information that can be subject to these types of laws, and the exposures are not necessarily triggered by breach but can be triggered by the way in which such information is handled or shared. Theft of money and diversions of payments by hackers are becoming increasingly common and large enough to impact a company’s bottom line. Companies should be focusing their attention as much on these types of events and direct damage from ransomware and other types of destructive code and vandalism. Many experts think the worst of cyber events are in the future, with effects that we are not currently anticipating.
“The insurance market has increasingly been asking buyers to do cyber due diligence, especially if they are planning on transferring the cyber risk to the insurance market. Confidentiality provisions and time considerations in the run up to a closing can limit the due diligence, but companies expecting to be able to transfer risk should be aware that an audit of the purchased company may be required if they expect to have affordable insurance options.”
During the Transaction
BARNABY: Companies may not be forthcoming on the initial data request – have you found that to be the case?
LUKE: “It’s a mix. We see some companies that are very well papered from a compliance standpoint but they can be more of a paper tiger where the cybersecurity controls are weak. We see others that are the opposite. They are quite savvy on cybersecurity issues but not so great on the legal and compliance aspects. I would rather have a paper compliance issue than an underlying cybersecurity breach issue. I’d rather have tires on my car, so to speak, and I can worry about the color of the paint and other details as I go. Not that that is insignificant, but relatively speaking that is a more manageable situation than one where you made the right presentations to regulators and industry certifiers, but you don’t actually have the goods to uphold that.”
BARNABY: Do you bring in third parties for technical or systems audit?
LUKE: “Of course. We would retain KPMG or Cylance or other leading forensic experts or threat intelligence source vendors to be able to help us with that, and this usually occurs pre-signing and often before there has been any approach to the target.”
BARNABY: Is it possible to determine if IP has been altered in any way?
LUKE: “You can certainly look for what purport to be copies of the IP or people offering to sell it, and then you make a determination about whether you can legally buy that to review. You might instead bring it to the attention of the seller and let them consider buying what purports to be their own IP. IP, customer data, business strategic plans -- those are all the kinds of things that we look for from public sources. There are vast underground markets now, and they have been there for quite some time, with valuable company data, even beyond the personal data of individuals, and so there’s a whole market for that type of info and people buying and selling it.
“You will also see people advertise access to a system, plug-ins to a particular company network where they allow you to install your malware or other scheme. We look for any of those signs pre-signing. Once a contract is signed with the seller and there’s substantial commitment on both sides, then you start down the path towards more formal diligence efforts. A lot of that is a function of your leverage and the time that you have. If the seller has told you that they have other bidders and you have good reason to believe that it’s true, you may not have much leverage. If they will permit access to systems even in a limited way -- a third party vendor runs a penetration test, or a vulnerability scan or CA -- that obviously is ideal to identify any historical issues.”
BARNABY: Last year, we had SEC cyber guidance on BEC, that cited 10-11 companies lost $100 million in aggregate. Do acquisition candidates seem to be following regulatory controls?
LUKE: “Well, it’s all over the spectrum as you would expect, and more sophisticated parties certainly are, but startups generally seem much less aware on those issues. There are certainly exceptions. They are getting their business launched and are not majoring in some of the legal developments in the space. So we often have to get them up to speed. And another risk is integration. When you go to ingest the systems into your own, that’s the greatest risk. Sometimes the acquisition remains as a standalone business and the systems may have some kind of connectivity to the buyer’s systems, such that there’s some level of trust in between networks but they are separate. But there are situations when a client has gone to integrate the network systems and data of the target that they’d acquired and closed on, only to find out that they’d effectively be swallowing a pill that is not worth doing.
“The other variable is that you try to get a sense of how they are vetting their own employees, contractors, and vendors. They are dependent on the trust of their own people, including their vendors. It may be they have the best of intentions but they are not doing a good job of vetting some of their employees, and that may be in certain countries, for example. All of this is part of the risk picture that we present to the client.”
BARNABY: If you are acquiring a business with 20 million records that were collected with consent as part of the business, can I as the acquiring company, have use of that database or are they required to refresh the consent?
CHRIS: “In our experience, these issues are reviewed on a case-by-case basis. Whether action is required will depend upon several factors such as where the companies are doing business, how the systems are being integrated, where data is being held and the laws that both companies may be subject to. The insurance markets would defer to legal teams and outside legal counsel to provide a review of the status of the networks and data pre transaction and then the changes that need to take place post transaction. Given the many legal changes that are taking place around the world and with enforcement becoming more aggressive, these are issues which should be being reviewed on a constant basis.”
LUKE: “Yeah, you have to understand whether or not the consent will carry through to the buyer. We work on a lot of acquisitions around the world and the client may want to buy a target in a part of the world that has very strict data localization law like China, in which case we will need to advise our client on the ability to move that data out of the host country or not and they have to make valuations or decisions accordingly. Even doing penetration testing in some parts of the world requires a careful legal analysis -- you cannot just cart data in and out of every country in the world. You have to be keenly aware of the local requirements and get the necessary government approvals to do so.”
BARNABY: On allocating risks between the seller and the buyer, to what extent is info available to the buyer to judge the IT security posture of a selling company? How do you protect the value of the acquired data in a contract?
LUKE: “The data issues are moving front and center in more and more transactions because we have more technology and data-focused companies being bought and sold. What I think that means is that there’s an increased likelihood that the buyer will be able to negotiate a very large scale data breach, for example, as a material adverse event that could allow them to back out of closing if it’s discovered between signing and closing, or be leverage to renegotiate the price.”
BARNABY: What is the interplay between the components of the purchase and sale agreement, and the reps and warranties coverage?
CHRIS: “The insurance under R&W insurance policies will depend upon the representations and warranties in the purchase agreement. Surprisingly, many agreements still do not make specific reference to cyber, but they are becoming less common. Representations & Warranties (R&W) insurance can provide several options depending upon the perceived risk, the target company and the size and type of the transaction.
“Companies can negotiate full cover for cyber under their R&W policy with the insurance market if the risks seem relatively insignificant, the representations and warranties in the contract seem to be manageable or if the premium is attractive to insurers. Where the risks are significant or representations in the contract open the possibility of responsibility for large losses, the R&W carriers are likely to seek to limit their responsibility for cyber exposures. Buyers for R&W cover should beware of carriers adding specific exclusions for statutes such as GDPR, the EU privacy legislation.
“R&W insurers may require the buyer to purchase and maintain cyber cover for a set number of years post-closing of the transaction, a requirement that we are seeing in more and more transactions. The R&W carriers will then sit above the cyber coverage but may further limit their exposure to the coverage that is provided in the cyber policy.
“Whether cyber gets flagged as a risk in the Reps & Warranties process depends on the type of target and their specific business. Even if a deal has a very short turnaround and the insurance markets are asked to push it through to the close date as quickly as possible, we see the Representations & Warranty carriers and due diligence by firms being extremely thorough. If there is a risk to be aware of, it will be fleshed out in the underwriting process.”
BARNABY: If the target company is being transparent, would your next action be to do a thorough evaluation?
LUKE: “At a minimum, you want the seller to be sharing their own test results with you. And ideally they have their own third party penetration test and other technical tests, but of course, the devil is in the details in how you designed the test. And so, increasingly buyers will be asking sellers for the ability to have their own third party trusted expert like KPMG do that technical testing and evaluate the results. And it needs to be a careful protocol worked out in terms of access to what’s necessary but not access to customer content, for example. There are careful protocols worked out for this type of hands-on testing that is for the benefit of the buyer. And the seller’s rightfully nervous that they may learn something about their network that they did not know, that now paints them with knowledge as to other prospective buyers.”
BARNABY: How “hands on” can the acquiring entity be during the deal?
LUKE: “In general, you can work with the buyer to preserve the assets, but you cannot take over their operations before closing. What’s good is if you’ve done good diligence, you then come out of the closing with a sprint to take care of the priority issues.”
BARNABY: What is the greater concern for the acquiring entity, the first party exposures from poor cyber controls or related third party, industry fines (PCI) or government fines?
CHRIS: “Buyers and sellers should want to audit their respective insurance programs of both companies and be ready to align insurance with cyber exposures to make sure there are no gaps in coverage. The best companies go through a checklist of exposures in order to make sure that they have considered what can be insured and then make a conscious decision on transferring the risk or not. Where insured exposures are being handed from one insurance program to another, companies need to make sure programs are aligned.”
BARNABY: How do D&O and R&W insurance work together?
CHRIS: “Lawsuits against directors and officers have come about in mergers and acquisitions as a result of cyber issues. Those involved in transactions should make sure firstly that their Directors and Officers liability program is sufficient to protect individuals in the event there is a suit after a cyber issue. Directors and officers can make themselves aware of cyber issues from advice from law firms such as Debevoise and advisors such as Blackberry and KPMG that can provide protection against cyber risk. The best solution is not to have a cyber event and avoid calling upon insurance programs.
“Purchasing R&W and cyber coverage adds an additional layer of protection for directors, officers and corporations. If there is an issue, companies and their employees can point to another layer of protection that they put into place prior to the transaction if there is a cyber issue that arises. The advantage of being able to say that they anticipated the risk and financed it through insurance can have a considerable positive impact from a public relations standpoint in the crisis stage after a breach.”
Post Transaction Issues
BARNABY: What are your main watch areas post-close?
CHRIS: “Many cyber events occur in the first few months after an event, when changes in staff and other integration are taking place. Keeping breach response vendors coordinated. Confirming controls the seller said were in place are in place. Making sure that insurance carriers are aware of discovery of any issues with a view to the following renewal.”
JIM: “During the transaction or post deal period is where we are seeing the most growth in Cyber Due Diligence. Buyers are performing more in-depth dark net and threat intelligence due diligence. Tools and services are employed to search the dark net for information about the company’s executives, customers, vendors, Intellectual Property and other valuable information. Also, scanning is performed to see if the target has any open ports or other vulnerabilities. It is important for the Buyer to know if the target is compromised and its assets are already available for sale on the dark net.
“Bad actors are also known to pick up their attacks on target companies during this post deal period because they know both the Seller and the Buyer are focusing on the transaction and oftentimes neglect their overall cyber security. This is also a stressful time for the target company’s employees, who are uncertain about their future employment and are prone to making mistakes and even attempting to copy or otherwise misappropriate the company’s intellectual property. For these reasons the Buyer should step up its threat intelligence investigation of the company to monitor and investigate any new activity it sees about the target.”
LUKE: “Our role is usually to carry through on updating any risk assessments that the client wants to do or is required to do, so we now take into account the new pieces that have been added, both personnel and systems, data and so forth. And we work to move the compliance pieces up to date and current with the acquisition. If issues arise, then we are well-positioned to advise the client because we have the whole context of having studied the target, knowing our own client, and being able to spot potential seams or gaps in the integration. And we will typically work with the technical teams to help with that process. It’s got both controls aspects and compliance aspects, legal aspects, and our team is quite technical for being lawyers, but our primary job is on the legal issues.”
BARNABY: One article cited that 40% of cyber-related problems are discovered post M&A. Does that sound right?
LUKE: “Maybe a bit high but not outrageously so. Very troubling if it’s true.”
BARNABY: How should the acquirer work with Insurance policies of both companies to maximize protection post close?
CHRIS: “The liability where a breach occurs prior to the closing of a transaction but the claim comes to light after the transaction can be dealt with in two ways under a cyber policy. The policy purchased by the selling company can be extended. Alternatively, the purchasing company can amend or purchase a cyber policy to cover the purchased company. If they choose the latter, the insurance should be amended to cover the selling company’s “prior acts.” Depending upon the risk, underwriters may ask for information on the transaction and the company being purchased by endorsement, which may cost an additional amount if the company is large or high risk. For the most complex transactions with the highest risks, we have placed a separate cyber insurance program for the purchased company. This type of structure allows the purchasing company to not have its program be impacted by the purchased entity while the purchaser has an opportunity to assess systems and the cyber exposures at the new entity with full access to their technology.
“For smaller transactions, the buyer’s cyber policy should have an acquisition threshold that allows for target companies to be added to existing coverage at no extra charge. These provisions allow purchasing companies to add cyber cover based upon a percentage of the revenue of the purchaser company, which can go as high as 25%. For large companies these clauses should allow immediate coverage for purchased companies for at least 90 days and allow negotiation of revised insurance terms. A cyber broker should negotiate these clauses into a program prior to the transaction. If there are systems breaches which might have taken place prior to the company being purchased which have not been discovered, they could represent an exposure to the purchasing company which can be insured in a cyber policy but only with specific amendments.”
BARNABY: Is there a window of time for things to be taken care of, that you set in the purchase and sale agreement?
JIM: “Unfortunately, there are still instances where the Buyer is not allowed to perform adequate Cyber Due Diligence in the pre-deal and post-deal phases of the transaction. In these cases it is critical for the Buyer to begin assessing the overall cyber security of the newly acquired organization as soon as possible after closing. Then the Buyer needs to begin remediating the high risk cyber security issues identified during the Cyber Due Diligence and post closing investigation of the target company.
“We are seeing positive trends in the market where our clients are beginning to insist on more robust Cyber Due Diligence and following up after the closing of the transaction to address identified cyber security issues. We are also seeing more PE Firm clients start to complete cyber security valuations of their existing portfolio companies to ensure they are protecting the value of their investment.”
CHRIS: “If we are placing either the Cyber or Reps & Warranties policies, or both, we remain involved as the broker for purposes of continuing to service the policy, manage and advocate regarding any claims that may arise and continue our ongoing relationship with the insured.
“In large transactions, keeping underwriters informed about the integration of systems and the status of IT protections at the purchased company is critical to keeping cyber insurance cover in place and preventing any restrictions on terms for activities of the purchased company. Setting up underwriting meetings for communicating this type of information is critical to keeping strong relationships with insurance carriers and preventing issues in the claims process should any occur.”
More and more, corporate boards are mandating cyber insurance to transfer risk, but watch out, because you might not get what you paid for. A recent International Monetary Fund (IMF) report estimates that annual banking losses could be as high as "9% of net income or $100 billion annually."
Bank breaches impact the viability of both the bank and the customer’s ability to transfer funds or access their accounts. JP Morgan reports that "78% of companies were targets of payment fraud last year... 54% of business email compromise (BEC) scams targeted wires and 28% were subject to ACH debit fraud."
In the 2016 Bangladesh Bank cyber heist, $81 million disappeared in no time, and - but for a typo made by the hackers - it could have been $1 billion. The SWIFT messaging system serves over 11,000 banks and relies on each bank to keep access to its service secure.
More recently, the Bank of Chile lost $10 million to hackers after SWIFT was used to send the money to Hong Kong. The bank is now working with insurers to recoup its losses. Bloomberg reports that in May of this year, $15 million was stolen from Banxico, as hackers attacked the domestic payments system SPEI. And Bancomext was targeted by North Korean hackers attempting to steal $110 million, which resulted in the international payments system being frozen across the country.
The Silence Before the (Banking) Storm
Criminal syndicates have been using malware for years in multi-stage attacks that take advantage of unpatched systems, untrained users and weak processes. These kinds of hackers are incredibly patient and creative.
Industry veteran Scott Scheferman described the attackers as “a criminal ring with many operative layers that work in coordination.... it’s not unusual at all for the threat to stay in ‘monitor’ mode for extended periods of time before performing the ‘power moves’ at the end of the heist."
For example, the notorious FIN7 or Carbanak Gang, known for its multi-purpose malware, stole over $1 billion from more than 100 banks over several years. What made Carbanak so successful in hacking banks? Their malware combined keylogging, form grabbing, point-of-sale (POS)/HTTP monitoring, and desktop video capture for stealing banking data.
In August of 2018, the Department of Justice indicted the Carbanak gang leaders on 26 counts, including conspiracy to commit wire and bank fraud and computer hacking. FIN7 had started their own pen testing company Combi Security to cover their activities and used instant messengers Jabber and HipChat to share files and instructions.
It’s hard to disentangle the many aspects of these breaches. Some are targeted or use insiders, others utilize social engineering, and many are the result of malvertising from innocent browsing. Users click on shady links or enable dangerous macros in Word documents which come to them in the form of fake invoices or bogus IRS communications - as in this example. And with so much data scraping from LinkedIn, Facebook and online dumps from recent data breaches, the phishing threat vector is likely to establish the foothold hackers need.
Many 2017 bank hacks utilized Emotet banking malware, which evades sandbox detection and uses PowerShell and other ‘living off the land’ techniques to download additional malware payloads.
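The ‘living off the land’ pattern above (a document opened in an Office application that then launches PowerShell with an encoded or download-cradle command line) is one of the few stages of these intrusions that endpoint telemetry exposes cleanly. The following is an added detection example written for this article, not code from the page or from any vendor; the process-creation records are constructed, and the field names (`parent_image`, `image`, `command_line`) are an assumption loosely modelled on Sysmon process-creation events.

```python
"""Flag Office applications spawning script hosts and script hosts invoked with
download or obfuscation arguments. Added example; the events below are
constructed and the field names are assumptions, not a real telemetry schema."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Parent processes that should almost never launch a script interpreter.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
# Interpreters and LOLBins commonly used as second-stage loaders.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Command-line markers for encoded commands, hidden windows and download cradles.
SUSPICIOUS_ARGS = [
    re.compile(r"-(?:enc|encodedcommand|e)\b", re.I),
    re.compile(r"(?:downloadstring|downloadfile|invoke-webrequest|iwr\b|start-bitstransfer)", re.I),
    re.compile(r"-(?:nop|noprofile)\b.*-w(?:indowstyle)?\s+hidden", re.I),
    re.compile(r"frombase64string", re.I),
]


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(ev: ProcessEvent) -> List[str]:
    """Return the reasons an event is suspicious; an empty list means benign."""
    reasons = []
    parent, child = basename(ev.parent_image), basename(ev.image)
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        reasons.append(f"office parent {parent} spawned script host {child}")
    if child in SCRIPT_HOSTS:
        for pat in SUSPICIOUS_ARGS:
            if pat.search(ev.command_line):
                reasons.append(f"command line matches {pat.pattern}")
    return reasons


def find_suspicious(events: List[ProcessEvent]) -> List[Tuple[ProcessEvent, List[str]]]:
    """Pair every suspicious event with its reasons, preserving input order."""
    return [(ev, r) for ev in events if (r := score_event(ev))]


# Constructed sample events (the base64 payload is a placeholder, not a real cradle).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -enc QQBBAEEAQQBBAEEA"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -File C:\scripts\backup.ps1"),   # routine admin script
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
                 r"C:\Windows\System32\mshta.exe",
                 "mshta.exe http://example.invalid/invoice.hta"),
]

if __name__ == "__main__":
    for ev, reasons in find_suspicious(SAMPLE_EVENTS):
        print(basename(ev.parent_image), "->", basename(ev.image))
        for r in reasons:
            print("   ", r)
```

The first sample event trips three rules (Office parent, `-enc`, and the `-nop ... -w hidden` combination); the routine backup script launched from Explorer trips none; the Outlook-to-mshta event is flagged on the parent/child relationship alone. In a real deployment the parent/child rule carries most of the weight, because the argument patterns are trivially varied.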
The current one-two punch is from Smokeloader and Trickbot (a data stealer). Clients can be pwnd in seconds and unless they have protections against scripts and sophisticated malware variants, their systems may become part of a multi-stage attack. Hackers will collect usernames and passwords, move to other workstations, repeat, and use video and keystroke capturing malware to watch how the user transfers money in third-party systems like SWIFT, SPEI, STAR Network or Navigator.
The ability to access these third-party services means that the hackers can destroy the integrity of account data by temporarily inflating customer balances, which they can then harvest.
The Impact of GDPR on Banking Fraud
It's no wonder we are seeing stringent rules emerge for the monitoring of networks and multi-factor authentication (2FA) in the newly published GDPR and US regulations. Hackers are monitoring users, collecting passwords and then accessing payment systems to wire out funds or send payment card data for use in ATM cash-out schemes. Authentication systems that are used to access payment systems should leverage more attributes about the user and apply a real-time score that verifies the identity and correlates any anomalous activity to that of malicious activity.
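The real-time scoring the paragraph calls for is usually built as a weighted sum of session attributes (device familiarity, geography, time of day, IP reputation, travel speed since the last login) compared against two thresholds: one that triggers step-up authentication and one that blocks the attempt outright. The block below is an added illustration written for this article, not code from the page or any product; the weights, thresholds, reputation feed and sample logins are all constructed assumptions.

```python
"""Risk-based login scoring with step-up and deny thresholds. Added example;
weights, thresholds, the IP reputation table and the sample logins are
constructed assumptions, not values from any real system."""
import math
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Optional, Set, Tuple


@dataclass
class LoginAttempt:
    user: str
    ts: datetime
    ip: str
    device_id: str
    country: str
    lat: float
    lon: float


@dataclass
class UserProfile:
    known_devices: Set[str]
    usual_countries: Set[str]
    usual_hours: range                      # local hours the user normally logs in
    last_login: Optional[LoginAttempt] = None


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, used for travel-speed checks."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


# Constructed weights: each signal adds to the score; the sum is capped at 100.
WEIGHTS = {"new_device": 30, "new_country": 25, "off_hours": 10,
           "impossible_travel": 40, "bad_ip_reputation": 35}
STEP_UP = 30          # at or above: require a second factor
DENY = 70             # at or above: refuse and raise an alert
MAX_SPEED_KMH = 900   # faster than a commercial flight

# Constructed reputation feed (documentation range address, not a real listing).
IP_REPUTATION = {"203.0.113.9": True}


def score_login(attempt: LoginAttempt, profile: UserProfile) -> Tuple[int, str, Dict[str, int]]:
    """Return (score, decision, contributing signals) for one login attempt."""
    reasons: Dict[str, int] = {}
    if attempt.device_id not in profile.known_devices:
        reasons["new_device"] = WEIGHTS["new_device"]
    if attempt.country not in profile.usual_countries:
        reasons["new_country"] = WEIGHTS["new_country"]
    if attempt.ts.hour not in profile.usual_hours:
        reasons["off_hours"] = WEIGHTS["off_hours"]
    if IP_REPUTATION.get(attempt.ip):
        reasons["bad_ip_reputation"] = WEIGHTS["bad_ip_reputation"]
    prev = profile.last_login
    if prev is not None:
        hours = (attempt.ts - prev.ts).total_seconds() / 3600
        km = haversine_km(prev.lat, prev.lon, attempt.lat, attempt.lon)
        if hours > 0 and km / hours > MAX_SPEED_KMH:
            reasons["impossible_travel"] = WEIGHTS["impossible_travel"]
    score = min(100, sum(reasons.values()))
    decision = "deny" if score >= DENY else "step_up" if score >= STEP_UP else "allow"
    return score, decision, reasons


# Constructed profile: a US-based operator who last logged in from New York.
ALICE = UserProfile(
    known_devices={"dev-a1"}, usual_countries={"US"}, usual_hours=range(7, 20),
    last_login=LoginAttempt("alice", datetime(2019, 7, 1, 9, 0), "198.51.100.4",
                            "dev-a1", "US", 40.71, -74.01))

SAMPLE_ATTEMPTS = [
    LoginAttempt("alice", datetime(2019, 7, 2, 10, 0), "198.51.100.4", "dev-a1", "US", 40.71, -74.01),
    LoginAttempt("alice", datetime(2019, 7, 2, 2, 0), "198.51.100.4", "dev-a1", "US", 40.71, -74.01),
    LoginAttempt("alice", datetime(2019, 7, 2, 15, 0), "198.51.100.7", "dev-z9", "US", 41.88, -87.63),
    LoginAttempt("alice", datetime(2019, 7, 1, 13, 0), "203.0.113.9", "dev-z9", "RO", 44.43, 26.10),
]

if __name__ == "__main__":
    for a in SAMPLE_ATTEMPTS:
        print(a.ts, score_login(a, ALICE))
```

The four constructed attempts walk up the scale: a routine login scores 0, an off-hours login from the usual device scores 10 and is still allowed, a new device from an unfamiliar US city crosses the step-up threshold, and a login from a new device, new country and listed-bad address four hours after a New York session (an impossible 1,900 km/h) is denied. The point for a payment-system owner is that each factor on its own is weak evidence; the combination is what the regulation-driven "real-time score" is meant to capture.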
But even with regulations in place, breach reports cite a lack of controls or technology capable of preventing one or more phases of the attack. A good red team will surface these weaknesses before the bad guys do.
Most people agree that risk transfer via insurance is necessary to account for gaps in security. For example, Brian Krebs recently reported on a bank hack on the National Bank of Blacksburg (NBB). Account balances were increased, credentials stolen with access to the First Data STAR network for ATMs, and a mule cash-out operation successfully yielded $2.4 million over two separate incidents. In the first incident, in May 2016, it is thought that NBB was phished by Russians and $569k was taken from ATMs. Later, in January 2017, an additional $1.8 million was stolen in the same manner.
"Repeat attacks are common and often successful because they know the environment," adds Cylance’s Scheferman. Now two years later, we are learning the details because the insurer is denying coverage. This hack is very similar to the RBS Worldpay incident, when hackers broke encryption on debit cards and used over 2,000 ATMs to cash out $9 million over a single weekend.
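Both the balance-inflation technique described earlier (temporarily raising customer balances and harvesting them through third-party ATM networks) and the NBB and RBS Worldpay cash-outs share a shape a bank's own transaction monitoring can look for: a back-office balance adjustment followed within hours by withdrawals at many distinct terminals that together consume a large share of the adjustment. The block below is an added example written for this article, not code from the page, from NBB or from any monitoring product; the transaction log and its column layout are constructed, and the window, terminal count and fraction thresholds are assumptions to be tuned against real volumes.

```python
"""Detect balance-adjustment-then-ATM-cash-out sequences in a transaction log.
Added example; the log lines, their column layout (ts,account,kind,amount,
terminal,operator) and the thresholds are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

WINDOW = timedelta(hours=48)   # how long after an adjustment withdrawals count
MIN_TERMINALS = 5              # distinct ATMs needed before alerting
MIN_FRACTION = 0.5             # share of the adjustment withdrawn before alerting


@dataclass
class Txn:
    ts: datetime
    account: str
    kind: str        # ADJUST = back-office balance change, ATM = withdrawal
    amount: float    # signed; positive credits the account
    terminal: str    # ATM terminal id, empty for non-ATM records
    operator: str    # back-office user or service account for adjustments


def parse_log(text: str) -> List[Txn]:
    """Parse the constructed comma-separated format; '#' lines are comments."""
    txns = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        ts, account, kind, amount, terminal, operator = line.split(",")
        txns.append(Txn(datetime.fromisoformat(ts), account, kind, float(amount), terminal, operator))
    return txns


def detect_cashout(txns: List[Txn]) -> List[Dict]:
    """One alert per positive adjustment that is followed, within WINDOW, by ATM
    withdrawals across MIN_TERMINALS or more terminals totalling at least
    MIN_FRACTION of the adjustment."""
    by_acct: Dict[str, List[Txn]] = defaultdict(list)
    for t in txns:
        by_acct[t.account].append(t)
    alerts = []
    for account, rows in by_acct.items():
        rows.sort(key=lambda t: t.ts)
        for i, adj in enumerate(rows):
            if adj.kind != "ADJUST" or adj.amount <= 0:
                continue
            later = [t for t in rows[i + 1:]
                     if t.kind == "ATM" and t.amount < 0 and t.ts - adj.ts <= WINDOW]
            withdrawn = -sum(t.amount for t in later)
            terminals = {t.terminal for t in later}
            if len(terminals) >= MIN_TERMINALS and withdrawn >= MIN_FRACTION * adj.amount:
                alerts.append({"account": account, "adjusted_at": adj.ts,
                               "operator": adj.operator, "adjustment": adj.amount,
                               "withdrawn": withdrawn, "terminals": len(terminals)})
    return alerts


# Constructed sample log: one inflated account drained across eight ATMs, one
# ordinary refund followed by a single withdrawal, and one account with normal
# ATM use and no adjustment at all.
SAMPLE_LOG = """
# ts,account,kind,amount,terminal,operator
2017-01-07T20:15:00,acct-1001,ADJUST,25000.00,,svc-batch
2017-01-07T22:01:13,acct-1001,ATM,-2000.00,ATM-0101,
2017-01-07T22:14:40,acct-1001,ATM,-2000.00,ATM-0102,
2017-01-07T22:31:05,acct-1001,ATM,-2000.00,ATM-0103,
2017-01-07T23:02:51,acct-1001,ATM,-2000.00,ATM-0104,
2017-01-08T00:10:22,acct-1001,ATM,-2000.00,ATM-0105,
2017-01-08T01:45:09,acct-1001,ATM,-2000.00,ATM-0106,
2017-01-08T02:20:33,acct-1001,ATM,-2000.00,ATM-0107,
2017-01-08T03:05:17,acct-1001,ATM,-2000.00,ATM-0108,
2017-01-08T09:30:00,acct-2002,ADJUST,500.00,,teller-17
2017-01-08T12:05:00,acct-2002,ATM,-200.00,ATM-0101,
2017-01-03T08:00:00,acct-3003,ATM,-100.00,ATM-0201,
2017-01-05T18:30:00,acct-3003,ATM,-60.00,ATM-0202,
"""

if __name__ == "__main__":
    for alert in detect_cashout(parse_log(SAMPLE_LOG)):
        print(alert)
```

Only `acct-1001` produces an alert: eight distinct terminals and $16,000 withdrawn against a $25,000 adjustment made by a service account outside business hours. The operator field is kept in the alert deliberately; in the incidents the article describes, the adjustments came through legitimately-credentialed access, so the investigation starts with who (or what) made the change, not with the ATMs.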
Sign of the Changing Times
The National Bank of Blacksburg incident doesn’t read like a garden variety phishing scam. The malware, monitoring, lateral movement and control over financial workstations enabling debit card production (used by money mules) amount to a persistent, sophisticated hack. International cybersecurity expert Bryan Cunningham points to a problem with insurance cover: "There remains vigorous disagreement – and little clear legal precedent – on basic definitions of terms in cyber insurance policies."
And as the cyber insurance market has added new policy forms to cover emerging risks like social engineering, carriers have then excluded those types of attacks from existing policies. "Traditional crime and FI bond policies are designed to cover losses that arise from embezzlement by employees [where] social engineering attacks are made by external actors, not employees," offered David Lewison, co-leader of the AmWINS Financial Services National Practice. And with the new products, "carriers have sublimited social engineering fraud to low levels due to high volume of claims," adds Ryan Gibney at Lockton, the world’s largest privately held independent insurance broker.
NBB had purchased an $8 million Computer & Electronic Crime rider to its financial bond. The CE Rider points to a "loss resulting directly from an unauthorized party acting alone or in collusion with others, entering or changing Electronic Data or Computer Programs [which] causes property to be transferred, paid or delivered..." NBB also purchased a $50,000 Debit Card Rider to cover lost or stolen debit cards that might be used at ATMs.
NBB argues that the primary attack was against the NBB network which enabled the hackers to access the STAR and Navigator systems, change balances, steal account data and ultimately cash out via the ATMs. And, there was an exclusion of coverage for “loss resulting directly or indirectly from the use or purported use, of credit, debit [cards] used in [ATMs]."
So, the Debit Card Rider which specifically names the ATM becomes the operative policy? "We would expect many crime carriers to try and pigeon hole the coverage through a small sublimit that they apply for social engineering fraud due to the phishing email initial access and behind the scenes criminal activities," said Gibney.
I recently spoke with coverage counsel Scott Godes about NBB and his reaction was, "The loss should be seen as within the heart of the coverage of the policy, particularly the crime rider. One would hope that the insurance carrier should carry the burden of proving that a sublimit applies, as a restriction on coverage."
Recurrent Attacks: a Reasonable Expectation?
Based on the bank hacks going back to the RBS Worldpay incident, what happened in Blacksburg seems likely to occur, or 'reasonable' to expect. "Exclusions and limitations on coverage in insurance policies should be read narrowly, and insurance carriers should not be rewarded for reading them broadly", noted Scott N. Godes, a cyber insurance and commercial litigator.
Here, the exclusion seems to swallow the coverage. The insurer is calling this a single incident. "The crime policy is most likely an occurrence-based policy and the bank should not have coverage limited because the event happened multiple times," stated Lockton’s Gibney.
Buying these policies is complex, however. Godes adds that "insurance carriers should sell products with robust coverage, so that policyholders do not fall through hidden trapdoors at the time of a claim." NBB’s position that the ATM cash-out could not have occurred but for the internal hack on their systems has support from a recent federal court decision in the Second Circuit, Medidata Solutions, Inc. v. Federal Insurance Co. In Medidata, Godes noted, the court ruled that the crime insurance policy provides coverage for a fraudulent scheme and wire transfer, even though the insurer claimed it was not a direct loss.
The court rejected the arguments that the loss was not “direct” because there were steps in between the original fraudulent message and the wiring of funds. This result is favorable for victims of complex phishing and malware attacks.
For those currently looking for cyber insurance, David Lewison suggested some practical steps to get the right coverage.
· "Work with a broker that specializes in Cyber-liability and Crime/Bond, from the same brokerage;
· Hold an underwriting/broker meeting or conference call so you can ask questions about who has the ball when something bad happens;
· Prior to binding coverage, put both policy forms and all endorsements side by side and verify that the coverage has been assembled as intended;
· It may also be worthwhile for larger insurance buyers to include a claims leader from the insurance company on a call, so you know who you are dealing with at the time of claim."
And, to avoid ending up in court, involve counsel and review your existing and proposed new policies before you buy.