Guest Blog from Pascal Millaire, Symantec
We are entering a new era for global insurers, where business interruption claims are no longer confined to a limited geography, but can simultaneously impact seemingly disconnected insureds globally. This creates new forms of systemic risks that could threaten the solvency of major insurers if they do not understand the silent and affirmative cyber risks inherent in their portfolios.
On Friday, October 21, a distributed denial of service attack (DDoS) rendered a large number of the world’s most popular websites inaccessible to many users, including Twitter, Amazon, Netflix, and GitHub. The internet outage conscripted vulnerable Internet of Things (IoT) devices such as routers, DVRs, and CCTV cameras to overwhelm DNS provider, Dyn, effectively hampering internet users ability to access websites across Europe and North America. The attack was carried out using an IoT botnet, called Mirai, which works by continuously scanning for IoT devices with factory default user names and passwords.
The Dyn attack highlights three fundamental developments that have changed the nature of aggregated business interruption for the commercial insurance industry:
1. The proliferation of systemically important vendors
The emergence of systemically important vendors can cause simultaneous business interruption to large portions of the global economy.
The insurance industry is aware about the potential aggregation risk in cloud computing services, such as Amazon Web Services (AWS) and Microsoft Azure. Cloud computing providers create potential for aggregation risk; however, given the layers of security, redundancy, and 38 global availability zones built into AWS, it is not necessarily the easiest target for adversaries to cause a catastrophic event for insurers.
There are potentially several hundred systemically important vendors that could be susceptible to concurrent and substantial business interruption. This includes at least eight DNS providers that service over 50,000 websites, and some of these vendors may not have the kind of security that exists within providers like AWS.
2. Insecurity in the Internet of Things (IoT) built into all aspects of the global economy
The emergence of IoT with applications as diverse as consumer devices, manufacturing sensors, health monitoring, and connected vehicles is another key development. Estimates vary that anywhere from 20 to 200 billion everyday objects will be connected to the internet by 2020. Security is often not being built into the design of these products with the rush to get them to market.
Symantec’s research on IoT security has shown the state of IoT security is poor:
- 19 percent of all tested mobile apps used to control IoT devices did not use Secure Socket Layer (SSL) connections to the cloud
- 40 percent of tested devices allowed unauthorized access to back-end systems
- 50 percent did not provide encrypted firmware updates, if updates were provided at all
- IoT devices usually had weak password hygiene, including factory default passwords; for example, adversaries use default credentials for the Raspberry Pi devices to compromise devices
The Dyn attack compromised less than one percent of IoT devices. By some accounts, millions of vulnerable IoT devices were used in a market with approximately 10 billion devices. XiongMai Technologies, the Chinese electronics firm behind many of the webcams compromised in the attack, has issued a recall for many of its devices. Outages like these are just the beginning.
3. Catastrophic losses due to cyber risks are not independent, unlike natural catastrophes
A core tenant of natural catastrophe modeling is that the aggregation events are largely independent. An earthquake in Japan does not increase the likelihood of an earthquake in California.
In the cyber world consisting of active adversaries, this does not hold true for two reasons (which require an understanding of threat actors).
First, an attack on an organization like Dyn will often lead to copycat attacks from disparate non-state groups. Symantec maintains a network of honeypots, which collects IoT malware samples. A distribution of attacks is below:
- 34 percent from China
- 26 percent from the United States
- 9 percent from Russia
- 6 percent from Germany
- 5 percent from the Netherland
- 5 percent from the Ukraine
- Long tail of adversaries from Vietnam, the UK, France, and South Korea
Groups, such as New World Hacking, often replicate attacks. Understanding where they are targeting their time and attention, and whether there are attempts to replicate attacks, is important for an insurer to respond to a one-off event.
Second, a key aspect to consider in cyber modeling is intelligence about state-based threat actors. It is important to understand both the capabilities and the motivations of threat actors when assessing the frequency of catastrophic scenarios. Scenarios where we see a greater propensity for catastrophic cyber attacks are also scenarios where those state actors are likely attempting multiple attacks. Although insurers may wish to seek refuge in the act of war definitions that exist in other insurance lines, cyber attack attribution to state-based actors is difficult—and in some cases not possible.
What Does This Mean for Global Insurers?
The Dyn attack illustrates that insurers need to pursue new approaches to understanding and modeling cyber risk. Recommendations for insurers are below:
- Recognize that cyber as a peril expands far beyond cyber data and liability from a data breach and could be embedded in almost all major commercial insurance lines
- Develop and hire cyber security expertise internally, especially in the group risk function, to understand the implications of cyber perils across all lines
- Proactively understand whether basic IoT security hygiene is being undertaken when underwriting companies using IoT devices
- Partner with institutions that can provide a multi-disciplinary approach to modeling cyber security for insurer including:
- Hard data (for example, attack trends across the kill chain by industry)
- Intelligence (such as active adversary monitoring)
- Expertise (in new IoT technologies and key points of failure)
Symantec is partnering with globally-leading insurers and leading non-profits including the Online Trust Alliance to develop probabilistic, scenario-based modeling to help understand cyber risks inherent in their standalone cyber policies, as well as cyber as a peril across all lines of insurance. The Internet of Things opens up tremendous new opportunities for consumers and businesses, but understanding the financial risks inherent in this development will require deep collaboration between the cyber security and cyber insurance industries.