We are entering a new era for global insurers, in which business interruption claims are no longer confined to a limited geography but can hit seemingly unrelated insureds around the world at the same time. This creates new forms of systemic risk that could threaten the solvency of major insurers if they do not understand the silent (non-affirmative) and affirmative cyber risks inherent in their portfolios.
On Friday, October 21, 2016, a distributed denial of service (DDoS) attack rendered a large number of the world's most popular websites inaccessible to many users, including Twitter, Amazon, Netflix, and GitHub. The attackers conscripted vulnerable Internet of Things (IoT) devices such as routers, DVRs, and CCTV cameras to overwhelm the DNS provider Dyn, effectively hampering internet users' ability to reach websites across Europe and North America. The attack was carried out using an IoT botnet called Mirai, which works by continuously scanning for IoT devices that still accept factory-default usernames and passwords, logging in, and enrolling them in the botnet.
The Dyn attack highlights three fundamental developments that have changed the nature of aggregated business interruption for the commercial insurance industry:
The emergence of systemically important vendors, whose failure can cause simultaneous business interruption across large portions of the global economy.
The insurance industry is aware of the potential aggregation risk in cloud computing services such as Amazon Web Services (AWS) and Microsoft Azure. Cloud providers do create potential for aggregation risk; however, given the layers of security, the redundancy, and the 38 global availability zones built into AWS, it is not necessarily the easiest target for an adversary seeking to cause a catastrophic event for insurers.
There are potentially several hundred systemically important vendors that could be susceptible to concurrent and substantial business interruption. These include at least eight DNS providers that service over 50,000 websites, and some of these vendors may not have the kind of security that exists within providers like AWS.
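The aggregation point above is easy to state but easy to underestimate, so here is an added worked example (written for this edit, not code from the original article or from Symantec) that makes it concrete. It compares the probability of a large number of simultaneous outages in a book of n insureds under two models: one where every insured fails independently, and one where a fraction of the book depends on a single systemically important vendor, such as a DNS provider, whose failure takes all of them down at once. All parameter values (1,000 insureds, 2% idiosyncratic outage probability, 300 insureds on the shared vendor, 2% vendor failure probability) are illustrative assumptions, not figures from the page.

```python
"""Common-cause aggregation versus the independence assumption.

Added example, not from the original article.  Compares the tail of the
aggregate-outage distribution for a book of insureds under two models:

  * independent: each of n insureds has an outage in a given year with
    probability p, independently of all the others;
  * shared vendor: same book, except `shared` insureds depend on one vendor
    that fails with probability q; when it does, all of them are down at once.

All parameter values used below are illustrative assumptions.
"""
from math import comb


def binomial_tail(n: int, p: float, k: int) -> float:
    """P(X >= k) for X ~ Binomial(n, p), computed exactly with math.comb.

    Terms far in the tail underflow to 0.0, which is harmless for the sum.
    """
    if k <= 0:
        return 1.0
    if k > n:
        return 0.0
    return sum(comb(n, i) * p ** i * (1.0 - p) ** (n - i) for i in range(k, n + 1))


def independent_tail(n: int, p: float, threshold: int) -> float:
    """Probability that at least `threshold` insureds are down in the same
    year when outages are independent (the natural-catastrophe style view)."""
    return binomial_tail(n, p, threshold)


def shared_vendor_tail(n: int, p: float, shared: int, q: float, threshold: int) -> float:
    """Same probability when `shared` of the n insureds depend on one vendor
    that fails with probability q.  Condition on the vendor's state and mix."""
    # Vendor up: every insured is exposed only to its own independent outage.
    vendor_up = binomial_tail(n, p, threshold)
    # Vendor down: the `shared` insureds are certainly down; the remaining
    # n - shared still fail independently, so only threshold - shared more
    # failures are needed to cross the threshold.
    vendor_down = binomial_tail(n - shared, p, threshold - shared)
    return (1.0 - q) * vendor_up + q * vendor_down


def expected_outages_independent(n: int, p: float) -> float:
    """Mean number of insureds down per year, independent model."""
    return n * p


def expected_outages_shared(n: int, p: float, shared: int, q: float) -> float:
    """Mean number of insureds down per year, shared-vendor model."""
    return (1.0 - q) * n * p + q * (shared + (n - shared) * p)


def compare(n: int = 1000, p: float = 0.02, shared: int = 300,
            q: float = 0.02, threshold: int = 100) -> dict:
    """Summarise both models for one parameter set (assumed values)."""
    return {
        "independent_mean": expected_outages_independent(n, p),
        "shared_mean": expected_outages_shared(n, p, shared, q),
        "independent_tail": independent_tail(n, p, threshold),
        "shared_tail": shared_vendor_tail(n, p, shared, q, threshold),
    }


if __name__ == "__main__":
    result = compare()
    for key, value in result.items():
        print(f"{key:>18}: {value:.3e}")
```

The expected number of outages moves only modestly between the two models (20 versus roughly 26 per year with the assumed numbers), so a pricing model that looks at expected loss alone barely notices the vendor. The probability of 100 or more insureds being down in the same year, however, goes from effectively zero under independence to essentially the vendor's own failure probability, about 2%, because one event now drives the whole tail. That is the difference between a diversified book and a concentrated one, and it is invisible without knowing which insureds share which vendor.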
The emergence of IoT, with applications as diverse as consumer devices, manufacturing sensors, health monitoring, and connected vehicles, is another key development. Estimates of how many everyday objects will be connected to the internet by 2020 range anywhere from 20 to 200 billion. In the rush to get these products to market, security is often not built into their design.
Symantec’s research on IoT security has shown the state of IoT security is poor:
The Dyn attack used less than one percent of the world's IoT devices: by some accounts, millions of vulnerable devices, out of a market of approximately 10 billion. XiongMai Technologies, the Chinese electronics firm behind many of the webcams compromised in the attack, has issued a recall for many of its devices.
Outages like these are just the beginning. Shankar Somasundaram, Senior Director, Internet of Things at Symantec, expects more of these attacks in the near future.
A core tenet of natural catastrophe modeling is that aggregation events are largely independent of one another. An earthquake in Japan does not increase the likelihood of an earthquake in California.
In the cyber world, which contains active adversaries, this assumption does not hold, for two reasons, both of which require an understanding of threat actors.
First, an attack on an organization like Dyn will often lead to copycat attacks from disparate non-state groups. Symantec maintains a network of honeypots, which collects IoT malware samples. A distribution of attacks is below:
Groups such as New World Hacking often replicate attacks. Understanding where such groups are directing their time and attention, and whether attempts to replicate an attack are under way, is important for an insurer responding to what looks like a one-off event.
Second, a key input to cyber modeling is intelligence about state-based threat actors. It is important to understand both the capabilities and the motivations of these actors when assessing the frequency of catastrophic scenarios. The scenarios in which we see a greater propensity for catastrophic cyber attacks are also the scenarios in which state actors are likely to be attempting multiple attacks at once. Although insurers may wish to seek refuge in the act-of-war exclusions that exist in other insurance lines, attributing a cyber attack to a state-based actor is difficult, and in some cases not possible.
The Dyn attack illustrates that insurers need to pursue new approaches to understanding and modeling cyber risk. Recommendations for insurers are below:
Symantec is partnering with leading global insurers to develop probabilistic, scenario-based modeling to help them understand the cyber risks inherent in their standalone cyber policies, as well as cyber as a peril across all lines of insurance. The Internet of Things opens up tremendous new opportunities for consumers and businesses, but understanding the financial risks inherent in this development will require deep collaboration between the cyber security and cyber insurance industries.