The biggest data leak to date should be seen as a warning sign for the industry of the challenges and opportunities of cybersecurity
In April 2016, millions of documents relating to high-profile political and public figures all over the world were leaked online. The documents, belonging to Panama-based law firm Mossack Fonseca, allege that some of its clients had hidden money, dodged sanctions and evaded tax in their own countries, using offshore tax and banking structures in the central American country. Mossack Fonseca, which denies any wrongdoing and claims it was hacked, has filed a complaint with the Panamanian attorney general’s office adding that the information leaked has been misrepresented.
With 2.6 terabytes of information revealed – more than 11 million documents, including 4.8 million emails – the leak dwarfed the 2010 WikiLeaks release by about 1,500 times and inaugurated a new chapter in the history of data breaches.
Furthermore, it opened the eyes of the (re)insurance industry to the importance and role of cyber coverage. “The data breach at Mossack Fonseca is the latest in a string of high profile breaches, and must act as a final warning for the insurance industry to up the ante and implement a robust cyber security strategy,” says Quostar chief executive Robert Rutherford, whose company specialises in cyber consultancy and information technology.
The size and volume of the breach are also indicators of how technology has evolved in recent years. Moving that amount of data without anyone noticing would not have been possible without sophisticated encryption tools and protected channels. Beazley UK technology, media and business services focus group leader and underwriter Paul Bantick says: “As businesses rely more and more on technology and, in particular, the cloud and data, the risk of data breach and cyber liability rises, and the increasing scale of the threat means that no company is immune to cyber risk.”
Law firm FWD specialist Jacquetta Castle adds: “Breaches have always existed, in the sense that documents have always been susceptible to ending up in the wrong hands, whether because someone forgot them somewhere or because there is an intentional or unintentional leak from inside. However, this kind of massive breach opens up a whole new chapter in the history of cybersecurity.”
At the time of writing, the question of how the information was actually moved remained open, as it was proving difficult to establish whether to blame malware, an inside job or a phishing attack. While Mossack Fonseca claimed the documents were taken by an “unauthorized data subtraction” and not, as most media around the world reported, a leak perpetrated by one of the firm’s employees, Bantick says: “There is no difference, since it is the breach that is the trigger for the cover, and not the reason why it happened.”
In any case, media and publications such as technology-specialist Wired magazine highlighted the fact that Mossack Fonseca’s cyber security protocols were anything but up to date. According to experts, the firm ran unique and vulnerable servers and outdated software, and these poor security protocols left it extremely exposed to an episode like this. “Client confidentiality is a core professional responsibility of any solicitor,” Castle pointed out. “Every law firm is, or should be, completely on top of their security system.”
Something similar can be said about all companies that handle and manage personal and private client information but, as Rutherford points out: “There is no set strategy that will suit all organisations and, as much as it is important to have the basic cybersecurity barriers in place, it is also important to use technology as part of an all-encompassing shield, as the types of risks will vary between firms.”
“Many small- and mid-sized insurers are at a greater risk than the larger firms, as they often view IT security as a box-ticking exercise, as adhering to regulation, rather than a serious matter. This cannot continue,” he adds.
All experts agree that the Mossack Fonseca breach must act as a wake-up call, especially for the small- and medium-sized players who, regardless of this incident, should also start preparing for the cybersecurity regulations that follow the recently passed EU General Data Protection Regulation.
“Firms based in Europe need to take notice of this, which places a number of requirements on firms to protect customer data and notify regulators (and customers) of any breach of privacy,” says Bantick. “Businesses have two years in which to comply with the regulation and penalties for non-compliance are onerous – in addition to the reputational issues of suffering and publicising a data breach, punitive fines can be imposed for non-compliance of up to 4% of global business turnover.”