As Glitches Mount, Cyber Safety Net for Businesses Shrinks
It is shaping up to be the year of the glitch. Days after the massive software failure which nearly put Knight Capital Group out of business, exchanges in Tokyo and Spain were forced to suspend some trading due to glitches, while a software bug caused Southwest Airlines to charge online customers several times over for the same flight.
The problems are raising a red flag about system risks resulting from software upgrades, but there are few security products or insurance coverage to protect businesses from glitch-related losses.
“These incidents are certainly a wakeup call for software quality at these organizations,” says Eric Baize, senior director of the product security office at RSA, a division of EMC.
“Updates now happen frequently on a weekly basis. It needs to be done increasingly in a time-pressured manner,” and developers often don’t get enough time to fully vet software upgrades, Baize says.
The software malfunction at Knight happened as a result of an upgrade of the firm’s trading programs to meet new specifications at the New York Stock Exchange for the debut of a new system of executing buy and sell orders of individual investors. Similarly, the trading meltdown during Facebook’s debut on the Nasdaq OMX occurred after an upgrade of the firm’s system ahead of the highly anticipated initial public offering. Nasdaq’s trading platform was unable to keep up with the massive volume of cancelled trades in the lead-up to the stock’s opening.
“The interconnection of different applications creates these new complexities and obviously increases the risk of the glitch to happen,” argues Baize, and he says those same glitches can create system security risks which will potentially allow hackers to exploit software vulnerabilities.
Cyber Insurance Tougher to Get
Knight’s software malfunction resulted in a $440 million loss to cover errant trades, while the Nasdaq OMX’s problems during the Facebook IPO have exposed the exchange to multiple lawsuits. Their losses are not likely to be covered by insurance.
“If they’d had a fire in a server room, then that would have been covered,” says Robert Hartwig, president of the Insurance Information Institute, but such catastrophic losses from a software malfunction go beyond most comprehensive cyber insurance plans, which generally cover first party business interruption losses and costs associated with hacking attacks.
“It’s impossible to figure out what the cost is associated with a software glitch,” Hartwig explains, especially when the potential financial damage is so widespread.
“Even if there were insurance policies like this,” says Kevin Kalinich, global network and cyber risk practice leader for Aon Risk Solutions, “it's getting much more difficult for these catastrophic risks. The market's shrinking for the tougher risks.”
Part of the reason: the rising number of costly data breaches is prompting insurance underwriters to re-examine cyber insurance plan coverage and policy rates. An industry study conducted by NetDiligence found insurance payments for data breaches climbed to an average of $3.7 million between 2006 and 2011, up more than 50 percent from $2.4 million for claims filed between 2000 and 2005.
A Chubb survey of publicly traded firms found that in 2011 a typical data breach resulted in $5.5 million in organizational costs, yet nearly two thirds of firms surveyed said they had no cyber insurance protection.
This year has seen massive data breaches with even bigger losses. A breach at Wyndham Worldwide resulted in more than $10.5 million in fraud losses after 500,000 customer credit card numbers were compromised through the hotel firm’s computer systems. Payment processing firm Global Payments is taking an $85 million charge to cover costs for a breach that compromised up to 1.5 million credit card customers’ numbers.
As a result, Aon’s Kalinich says, underwriters are requiring greater documentation from clients. “They're conducting extreme underwriting due diligence to go in and see how companies are implementing quality assurance, how companies are beta testing their software,” he says.
At the end of the day, says RSA’s Eric Baize, that’s the real key to protecting against massive losses from glitches and data breaches.
“Modern software development techniques need to look at both quality and security at the same time, as one and the same discipline,” he says.