Wider lessons from Bangladesh’s central bank hacking

15 June 2016

Main features in this issue:

Bangladesh central bank cyber attack

It’s not just about the routers; the theft of USD 81 million from Bangladesh’s central bank was widely blamed on poor security. The lack of a firewall and use of second-hand equipment turns out to be only half the story though, and there are implications for others who are much better prepared. For a start, it’s worth noting that it may have been Bangladesh’s money, but it was transferred from the bank’s account with the US Federal Reserve (Fed). Bangladesh officials have insisted the Fed shares the blame. The Fed denies this, and there have been reports of potential inside help in Bangladesh Bank. If nothing else, it’s a reminder that security is only as good as the weakest link.

Good news and bad news for cyber claims in general insurance

The recent decision in the Portal Healthcare case in the US has potentially brought more coverage, but less certainty, for businesses there. In the longer term it might also have consequences for the insurance of data breaches in Europe. The decision challenges insurers’ routinely applied argument that the cover provided by commercial general liability (CGL) policies for “publication” of material violating privacy is not intended to apply to data breaches.

The countdown begins: The EU Data Protection regulation

After four years of consideration the European Parliament has finally passed the General Data Protection Regulation (GDPR). The regulation, the final text of which is now available, will apply automatically across the EU – without requiring new national laws to implement it – from 25 May 2018. The headline provisions – such as fines of up to four per cent of global turnover or EUR 20 million for breaches – have been known for some time. Businesses also still have two years to prepare. However, many have their work cut out.

What’s floating your boat

The Internet of Things (IoT) is vastly expanding the range of possible exposures into new areas, such as shipping. Allianz’s annual Safety and Shipping Review shows generally positive trends for losses in the shipping industry: Large shipping losses have declined by 45 per cent over the last decade. One area of increasing concern, however, is the cyber risk the industry faces.

Buzzword of the month 

The payment card industry data security standard (PCI DSS) is a security standard for all those handling credit cards from the major card companies such as Visa, MasterCard and American Express. An updated version – v3.2 – was published in April. Administered by the PCI Security Standards Council, the standard is intended to increase data security and reduce internet-enabled payment card fraud. There are 12 headline requirements, such as installing a firewall to protect cardholder data and encrypting cardholder data transmitted across public networks. Underneath each, however, are a large number of more detailed obligations that elaborate how the requirement can be met.

Download Cyber Decoder

For more information please email cyber@jltgroup.com