We are entering a new era for global insurers, one where business interruption claims are no longer confined to a limited geography but can simultaneously have an impact on seemingly disconnected insureds globally. This creates new forms of systemic risks that could threaten the solvency of major insurers if they do not understand the silent and affirmative cyber risks inherent in their portfolios.
On Friday, Oct. 21, a distributed denial of service (DDoS) attack rendered a large number of the world’s most popular websites — including Twitter, Amazon, Netflix and GitHub — inaccessible to many users. The attackers conscripted vulnerable Internet of Things (IoT) devices such as routers, DVRs and CCTV cameras to overwhelm DNS provider Dyn, effectively hampering internet users' ability to access websites across Europe and North America. The attack was carried out using an IoT botnet called Mirai, which works by continuously scanning for IoT devices with factory default user names and passwords.
The Dyn attack highlights three fundamental developments that have changed the nature of aggregated business interruption for the commercial insurance industry:
1. The proliferation of systemically important vendors
The emergence of systemically important vendors can cause simultaneous business interruption to large portions of the global economy.
The insurance industry is aware of the potential aggregation risk in cloud computing services, such as Amazon Web Services (AWS) and Microsoft Azure. Cloud computing providers create potential for aggregation risk; however, given the layers of security, redundancy and the 38 global availability zones built into AWS, it is not necessarily the easiest target for adversaries to cause a catastrophic event for insurers.
There are potentially several hundred systemically important vendors that could be susceptible to concurrent and substantial business interruption. This includes at least eight DNS providers that service over 50,000 websites — and some of these vendors may not have the kind of security that exists within providers like AWS.
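The aggregation described above can be measured directly from a portfolio's DNS delegations. The following is an added example, not part of the original article: it groups insureds by DNS provider and sums the business-interruption limits that depend on each one. The domains, provider names and dollar limits are constructed, and identifying a provider by the last two labels of the nameserver hostname is a simplifying assumption.

```python
from collections import defaultdict

# Constructed portfolio: (insured domain, business-interruption limit in USD,
# delegated NS hostnames). Every name and figure here is hypothetical.
PORTFOLIO = [
    ("shop-a.example", 5_000_000, ["ns1.dnsvendor-one.example", "ns2.dnsvendor-one.example"]),
    ("media-b.example", 12_000_000, ["ns1.dnsvendor-one.example", "ns3.dnsvendor-one.example"]),
    ("bank-c.example", 20_000_000, ["ns1.dnsvendor-one.example", "a.dnsvendor-two.example"]),
    ("saas-d.example", 8_000_000, ["a.dnsvendor-two.example", "b.dnsvendor-two.example"]),
    ("maker-e.example", 3_000_000, ["ns1.maker-e.example", "ns2.maker-e.example"]),
]


def provider_of(ns_host):
    """Approximate a nameserver's operator by its last two DNS labels.
    Assumption: no multi-label public suffixes (e.g. co.uk) in the input."""
    return ".".join(ns_host.rstrip(".").lower().split(".")[-2:])


def aggregate(portfolio):
    """Map each DNS provider to its dependent insureds and summed limits."""
    out = defaultdict(lambda: {"insureds": [], "sole": 0, "shared": 0})
    for domain, limit, ns_hosts in portfolio:
        providers = {provider_of(h) for h in ns_hosts}
        # Sole dependency: the insured stops resolving if that provider is down.
        # Shared: a second provider can still answer, so the outage is partial.
        bucket = "sole" if len(providers) == 1 else "shared"
        for p in providers:
            out[p]["insureds"].append(domain)
            out[p][bucket] += limit
    return dict(out)


def worst_case(portfolio):
    """Provider whose outage exposes the largest sum of sole-dependency limits."""
    agg = aggregate(portfolio)
    name = max(agg, key=lambda p: agg[p]["sole"])
    return name, agg[name]["sole"]


if __name__ == "__main__":
    for provider, row in sorted(aggregate(PORTFOLIO).items()):
        print(f"{provider:24} insureds={len(row['insureds'])} "
              f"sole=${row['sole']:,} shared=${row['shared']:,}")
    print("worst single-vendor outage:", worst_case(PORTFOLIO))
```

In practice the NS hostnames would come from live DNS lookups for each insured's domains, and the same grouping applies to any other shared vendor dependency.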
2. Insecurity in the Internet of Things (IoT) built into all aspects of the global economy
The emergence of IoT with applications as diverse as consumer devices, manufacturing sensors, health monitoring and connected vehicles is another key development. Estimates state that anywhere from 20 to 200 billion everyday objects will be connected to the internet by 2020. In the rush to get these products to market, security is often not built into their design.
Symantec’s research on IoT security has shown the state of IoT security is poor:
- 19% of all tested mobile apps used to control IoT devices did not use Secure Sockets Layer (SSL) connections to the cloud.
- 40% of tested devices allowed unauthorized access to back-end systems.
- 50% of tested devices did not provide encrypted firmware updates — if updates were provided at all.
- IoT devices usually had weak password hygiene, including factory default passwords; for example, adversaries use the default credentials for Raspberry Pi devices to compromise them.
The Dyn attack compromised less than 1% of IoT devices. By some accounts, millions of vulnerable IoT devices were used in a market with approximately 10 billion devices. XiongMai Technologies, the Chinese electronics firm behind many of the webcams compromised in the attack, has issued a recall for many of its devices.
Outages like these are just the beginning.
Shankar Somasundaram, senior director, Internet of Things at Symantec, expects more of these attacks in the near future.
3. Catastrophic losses because of cyber risks are not independent, unlike natural catastrophes
A core tenet of natural catastrophe modeling is that the aggregation events are largely independent. An earthquake in Japan does not increase the likelihood of an earthquake in California.
In the cyber world consisting of active adversaries, this does not hold true for two reasons (which require an understanding of threat actors).
First, an attack on an organization like Dyn will often lead to copycat attacks from disparate non-state groups. Symantec maintains a network of honeypots, which collects IoT malware samples. A distribution of attacks is below:
- 34% from China
- 26% from the U.S.
- 9% from Russia
- 6% from Germany
- 5% from the Netherlands
- 5% from the Ukraine
- Long tail of adversaries from Vietnam, the UK, France and South Korea
Groups such as New World Hacking often replicate attacks. Understanding where they are targeting their time and attention and whether there are attempts to replicate attacks is important for an insurer to respond to a one-off event.
Second, a key aspect to consider in cyber modeling is intelligence about state-based threat actors. It is important to understand both the capabilities and the motivations of threat actors when assessing the frequency of catastrophic scenarios. Scenarios where we see a greater propensity for catastrophic cyber attacks are also scenarios where those state actors are likely attempting multiple attacks. Although insurers may wish to seek refuge in the act of war definitions that exist in other insurance lines, cyber attack attribution to state-based actors is difficult — and, in some cases, not possible.
What does this mean for global insurers?
The Dyn attack illustrates that insurers need to pursue new approaches to understanding and modeling cyber risk. Recommendations for insurers are below:
- Recognize that cyber as a peril expands far beyond cyber data and liability from a data breach and could be embedded in almost all major commercial insurance lines.
- Develop and hire cyber security expertise internally — especially in the group risk function — to understand the implications of cyber perils across all lines.
- Understand whether basic IoT security hygiene is being undertaken when underwriting companies using IoT devices.
- Partner with institutions that can provide a multi-disciplinary approach to modeling cyber security for insurers, including:
  - Hard data (for example, attack trends across the kill chain by industry);
  - Intelligence (such as active adversary monitoring); and
  - Expertise (in new IoT technologies and key points of failure).
Symantec is partnering globally with leading insurers to develop probabilistic, scenario-based modeling to help understand cyber risks inherent in standalone cyber policies, as well as cyber as a peril across all lines of insurance. The Internet of Things opens up tremendous new opportunities for consumers and businesses, but understanding the financial risks inherent in this development will require deep collaboration between the cyber security and cyber insurance industries.