Cyber attacks continue to increase in scope, frequency and severity
February 25, 2016: Infidelity website Ashley Madison hit the news headlines for all the wrong reasons recently when hackers successfully stole and then released the personal, and very sensitive, information of 37 million of its users.
In this case, the consequences of the data breach may cost people their marriages and has already been linked to two suicides in Canada. In addition, Ashley Madison’s parent company, Avid Life Media, is facing one lawsuit and can expect more to follow.
The data loss followed hot on the heels of a hack that forced Fiat Chrysler to recall 1.4 million vehicles that showed that a Jeep Cherokee could be wirelessly controlled through its radio system.
The manufacturer may not just be liable for the costs of recalling affected cars but could face regulatory fines and will suffer reputational damage, which could negatively impact future sales.
The incident was just another example of how cyber attacks continue to increase in scope, frequency and severity as both public and private sectors struggle to get a grip on the issue.
Governments and corporate boardrooms are now addressing cyber risk as a strategic priority. This is no surprise because as the global economy becomes increasingly dependent on e-commerce and cloud computing, the susceptibility to cyber risk increases exponentially.
These risks have increased the need for insurers and reinsurers to respond with increasingly more sophisticated and responsive covers and increased capacity.
Barely a week goes by without another company reporting a loss of some kind and one recent development in cyber attacks was the large-scale transfer of funds out of financial institutions during the Carbanak attack. This advanced persistent threat (APT) attack saw the theft of up to $500 million not only from the banks but from more than a thousand private customers too.
The cyber criminals used a variety of techniques to access banking networks and steal the money. Malware was reportedly introduced to its targets via phishing emails. In some cases, ATMs were then ordered to dispense cash, which was then collected by money mules. The Carbanak group went so far as to alter databases and inflate balances on existing accounts before pocketing the difference unbeknown to the user whose original balance was still intact.
It would appear that even the cyber security experts are not immune to attacks after the Italian firm Hacking Team suffered a major data loss. Its systems were hacked and 400GB of data, including thousands of private corporate emails, has since been dumped onto the Wikileaks website. The source code of a number of its top secret programs has also been published online.
The company has advised clients to halt their use of its programmes until they can upgrade the compromised software, but warned that all computer systems might now be vulnerable.
Meanwhile, in the US, last year’s two massive data breaches at the Office of Personnel Management (OPM) has served to highlight the potential for personal liability faced by executives with responsibility for systems and data security.
In a single incident, the OPM had files containing security clearance information affected 21.5 million people, including current and former employees, contractors and their families and friends hacked. And in a separate attack, the organisation lost files relating to another 4.2 million people.
The attacks, which are believed to be linked to the Chinese government, enabled hackers to gain access not only to personnel files but also personal details about millions of individuals with government security clearances – information a foreign intelligence service could potentially use to recruit spies.
It has led to calls from politicians for OPM Director Katherine Archuleta and Chief Information Officer Donna Seymour to resign. Seymour is also facing a lawsuit for her role in failing to protect the data.
Worse to come
And there could be worse to come as a recent report from Lloyd’s of London predicted that a cyber attack on the US power grid could cost more than $1 trillion because of property damage, higher death rates and crippled infrastructure.
The report stated: “The scenario predicts a rise in mortality rates as health and safety systems fail; a decline in trade as ports shut down; disruption to water supplies as electric pumps fail and chaos to transport networks.”
Lloyd’s said costs for insurers could be $21.4 billion or $71.1 billion in an extreme event.
“The modern, digital, and interconnected world creates the conditions for significant damage. We know there are hostile actors with the skills and desire to cause harm,” said Tom Bolt, Director of Performance Management at Lloyd’s.
Bolt continued: “Understanding the impact of severe events is one of the key requirements for insurers to develop cyber risk cover, and this study aims to contribute to that knowledge base.
“This report reveals a complex set of challenges, but the combination of insurers’ expertise in pricing risks together with the capabilities of the cyber security sector to assess threats and vulnerabilities, and the risk modelling expertise of the research community, has the potential to offer a new generation of cyber insurance solutions for the digital age.
“For insurers, responding to these challenges will demand innovative collaborations harnessing multidisciplinary expertise. Key requirements will be to enhance the quality of data available and to continue the development of probabilistic modelling for cyber risk. Sharing of cyber attack data and pooling of claims information is a complex issue, but the systemic, intangible, dynamic nature of cyber risk means that all parties involved in managing the risk have an interest in sharing anonymised data on the frequency and severity of attacks.”
The insurance market modelled a hypothetical attack in which 15 states, including New York, lose power in a shutdown affecting 93 million people, leaving some regions blacked out for weeks. Economic costs, including business interruption and damaged assets, were projected to be $243 billion and could exceed $1 trillion in a worst case, according to the report.
“The scenario, while improbable, is technologically possible and is assessed to be within the benchmark return period of 1:200 against which insurers must be resilient,” according to the report.
Lloyd’s is already at the forefront of the response to cyber risk after it teamed up with Tom Ridge, the former US Homeland Security Secretary, and reinsurance broker Guy Carpenter to improve cyber protection for companies.
Ridge now heads Ridge Insurance, a Lloyd’s managing agency that offers a cyber security and insurance product through Guy Carpenter and that will be underwritten by five Lloyd’s syndicates.
The product contains a cyber privacy and network protection insurance policy, including coverage for business interruption, privacy and security liability, crisis and event management costs, information assets and cyber extortion. It carries a worldwide coverage with a limit of $50 million.
It also consists of an initial onsite assessment of existing cyber security capabilities that must be purchased up front and carried out by Ridge Insurance. This is a new approach to the issue.
Innovative new products such as the one developed by Ridge will start to close the gap between cyber protection and insurance coverage.
Guy Carpenter estimates that the current size of the global cyber network/privacy insurance market, from a premium perspective, is approximately $2 billion. However, it is expected to grow to approximately $5 billion over the next five years.
In a report, the broker said: “The number of first time purchasers is increasing, while many existing buyers continue to increase limits purchased. In addition to exposure from cyber network security and privacy liability policy portfolios, the potential for loss to physical assets is especially significant for energy and utility infrastructures, financial institutions and power grids that are now grappling with the consequences of ‘cyber’ as a peril.
“While this emerging risk presents significant opportunities for the industry, there are also many challenges. The potential catastrophic loss following an industrial infrastructure event effecting physical damage or bodily injury, as well as the ultimate cost and/or ramifications of a large data breach, represent a significant challenge to insurers.
“The limited history, lack of data and emerging exposure makes it difficult for insurers to measure cyber risk and calculate capital needs. There is an opportunity to innovate with the development of modelling capabilities that can measure and quantify the cyber risk to determine pricing, correlated loss and capital support.
“The network/privacy insurance marketplace is robust and is evolving as society becomes more interconnected. Along with rapid technology changes, the (re)insurance market is grappling with how the peril and exposure can be managed within specialty, casualty and property reinsurance programs.”
There are other initiatives going on with insurance broker Aon partnering on the WISER project as part of the EU’s Horizon 2020 Research and Innovation programme, under the Europe 2020 flagship initiative aimed at securing Europe’s global competitiveness in the coming decade. Horizon 2020 is the biggest EU Research and Innovation programme, with nearly €80 billion of funding available over seven years.
Giorgio Aprile, Director, Financial Industry Advisory Services explains, “Aon’s involvement in this WISER project will drive practical business outcomes such as a real time IT assessment platform and a cyber risk exposure model for non-traditional aspects of cyber risk. A staggering 90% of companies worldwide recognise they are insufficiently prepared to protect themselves against cyber-attacks.”
The WISER risk platform targets critical infrastructures or highly complex cyber systems, which demand real-time and cross-system assessment of vulnerabilities and threats. WISER’s analytical tools will be simple and easy to use, facilitating security managers and risk managers in understanding such complex systems. Both private and public sector organisations will be able to assess the potential loss in a specific business context and help determine tolerance range.
The threat posed by computer hackers and cyber criminals is constantly evolving and growing. Attacks can range from data loss, to denial of service, ransomware to cyber theft.
And there is the added problem that the digital revolution that has taken place over the past couple of decades has allowed organisations to collect data in much larger volumes than previously practical and to archive it longer without physical space becoming an issue.
Commissioner Adrian Leppard, the policing lead for the UK National Fraud (and Cyber) Intelligence Bureau, said: “Cyber insurance has a vital role to play in helping to keep society safe from the growing threat we are facing. Traditional enforcement methods have limited impact in this area and better standards for information security endorsed through comprehensive insurance models are an important means of creating a safer world for our communities.”
Insurance policies offer a number of components to offset the risk that organisations face. These include privacy and security liability, which covers defense costs and damage to third parties and employees for the failure of network security resulting in a violation of a right to privacy or confidentiality or resulting in a denial of service attack or virus transmission.
Technology liability covers potentially expensive litigation involving professional negligence or charges of breach of contract.
Other parts of the coverage mitigate against breach notification costs, regulatory defence, loss of network assets, loss of business income, public relations and media liability.
Matthew Webb, Head of Technology at insurer Hiscox UK, says: “Cyber and data risks affect more businesses than you would think and are often less well understood. Any business that holds sensitive customer details such as names and addresses or banking information, has a website, relies on computer systems to conduct business or is subject to a Payment Card Industry merchant service agreement is at risk.
“That risk could be a data breach, or it could be a loss of vital business services, and can result in lost revenue, a damaged reputation, legal and regulatory costs – not to mention the associated business disruption.
“Our new cyber and data product is more than just a promise to pay. We know that businesses that suffer a cyber attack or data breach often want more than just a payout from their insurer – they want practical advice and expert guidance that gets them back on their feet and helps safeguard their business from the distress and inconvenience that these types of claims bring.
“With this in mind, we’ve assembled a formidable panel of experts – PR consultants, lawyers, auditors and IT forensics – who will provide an important hands-on element to the policy.”