Tag Archives: ransomware

Cyber: The Spectre of Uninsurable Risk?

It’s been an awfully eventful start to the New Year. In case you’ve missed the news, two major security flaws have been discovered in the processors that power nearly all of the world’s computers. The two techniques discovered to exploit these flaws, nicknamed Meltdown and Spectre, could allow hackers to steal data and secrets from any vulnerable computer, including mobile devices. Because the flaws are with the computer processor itself, any software platform running on top of an affected processor is potentially vulnerable.

If by this point you’ve tired of hearing about technology vulnerabilities, this one is different (but also mostly the same, as I’ll get to a bit later). For one, this isn’t a software bug like you might find in your operating system or browser. Nor is it a physical defect in the processor itself. Meltdown and Spectre aren’t really “bugs” at all. Instead, they represent methods to take advantage of the normal ways that many processors work for the purpose of extracting secrets and data. More important, though, is the magnitude of the impact. By comparison, the WannaCry and NotPetya ransomware attacks wreaked global havoc exploiting vulnerabilities that are believed to have affected ~400,000 computers, versus the estimated 2 billion computers susceptible to Meltdown and Spectre.

These events could hardly have come at a more interesting time for the cyber insurance industry. Only a few days prior, in an interview with the Financial Times, Christian Mumenthaler, CEO of Swiss Re, one of the world’s largest reinsurers, wisely questioned the very insurability of cyber risk due to the possibility of accumulation risk—the possibility that a cyber event could hit many insurance policyholders at the same time, by the same attack, resulting in huge potential claims payouts.

Sound familiar?

Cut the FUD

As we’ve discussed before, we now live at a time where a cyber attack, technology failure or human error can cause everything from data theft to supply chain disruptions, hospital shutdowns, hotel room lockouts, blackouts and even nuclear centrifuge explosions—literally the entire spectrum of known risk. That these events could even theoretically occur on a massive scale, and all at once, is certainly cause for alarm—it would indeed pose a serious accumulation risk and eliminate one of the core pillars of insurability.

However, it would be mistaken to assume that such a scenario, as in the case of Meltdown and Spectre, is anything more than FUD (fear, uncertainty and doubt). This is hardly to say that the discovery of these security flaws is much ado about nothing. On the contrary, they pose a very real threat and may well open the door to serious cyber attacks. However, as with the headline-grabbing ransomware attacks of 2017, there are many reasons to believe that subsequent losses will be relatively contained.

Hierarchy of Cyber Security

To understand why, it’s helpful to understand the hierarchy of cyber security. At the base are vulnerabilities in all their forms (software, humans, even processor architectures). That the base is bounded is misleading because, in reality, there are an infinite number of vulnerabilities that can and will exist. However, vulnerabilities only matter if they pose a threat to an organization. This combination of threat and vulnerability is generally the risk an organization faces. Even then, threats don’t matter unless someone proceeds to attack you. And that someone at the top of the pyramid is, 10 out of 10 times, a human actor. Why does this matter?

It matters because cyber attacks are really just forms of cybercrime, which itself is merely a form of crime—it is the people, not the form, that matter. There are costs for criminals to launch attacks, and not just the risk of being caught (which for the moment is abysmally low). Criminals require time, infrastructure and money to fund their enterprises, enumerate targets and move through the kill chain toward the realization of their desired outcomes. All the while they must also factor in the uncertainty of achieving the outcome.

Exploits for security flaws can accomplish many things, but few produce cash.

Every step in this chain takes effort. Although cyber criminals are becoming more numerous and sophisticated, they are still limited in how much damage they can cause and profit they can reap. As a result, even though an entire population may be vulnerable, the economically optimal strategy for an attacker is nonetheless to focus on a relatively small set of victims.

Cyber insurance is dead. Long live cyber insurance!

Although there is little doubt that certain accumulation scenarios exist, limiting the insurability of certain cyber risk exposures, this is not one of them. Absent expertise in hacking and cybercrime—and the economics thereof—it is no surprise that many insurers offering cyber insurance struggle to understand, much less manage, accumulation risk. It’s high time they woke up.

Insurers must come to realize the role that insurance plays in protecting companies from all forms of risk that accompany the digitization of everything. It also means thinking about cyber insurance as more than just coverage for data breach and response. The most recent devastating attacks have resulted in business and supply chain interruption, and even physical property damage. It is hardly a stretch to imagine exposure to nearly every other form of known risk, including bodily injury or even pollution. Of course, with new exposures come new challenges in underwriting and management of accumulation.

Overcoming these challenges won’t be easy. It will mean using data in an entirely novel way to not only assess the risk of an individual policyholder, but an entire population of policyholders, and doing so on a continuous basis. It will also mean measuring diversity, and particularly technological diversity, to manage accumulation in novel ways. How many insurers today know which cloud service provider their clients use, much less which versions of software they are running? Or whether their clients’ passwords have been compromised in a third-party data breach? If you don’t know these answers, you’re in trouble. Gone are the days when accumulation will be managed by geography, industry and revenue size. Are we up to the challenge?

Long live cyber insurance.

How to Immunize Against Cyber Attacks

Cyber-attacks show no signs of abating. In fact, deadly threats such as ransomware and malware have now become mainstream. Enterprises have no option but to expect cyber-attacks as a fact of life. They need to make their systems immune to such attacks.

The State of Cyber Attacks

Cyber-attacks increase in magnitude and scale with every passing day. A case in point is the WannaCry ransomware, which wreaked havoc in more than 200,000 systems across 150 countries in the world, during May 2017. This attack, the largest ransomware delivery campaign to date, held up everything from surgical operations to public information display systems, and from government initiatives to corporate work. And WannaCry is just one example. More than 4,000 ransomware attacks have taken place since the start of 2016.

Ransomware damages will touch $5 billion by the end of 2017, a 15X increase from the damage levels just two years ago!

Data-encrypting ransomware such as WannaCry is socially engineered malware. The hackers trick unsuspecting victims in many ways into installing Trojan horse programs. They may:

  • Compromise an otherwise trusted site on a temporary basis, to offer a malicious download link.
  • Arrive as a rogue friend or application install request through mainstream social media.

The innovation of their attacks is matched only by the ingenuity of the ways they breach the network.

Close on the heels of socially engineered malware are password phishing attacks. A good proportion of the unsolicited emails try to pry out login credentials from gullible account holders. Despite the best anti-spam software, good phishing replicas of legitimate emails slip in. All it takes is a single careless employee for the hackers to breach the corporate network.

Countermeasures

Cybersecurity has been fighting a losing battle against cyber attackers for many years now.

Traditional security approaches, such as firewalls and antivirus suites, are now inadequate to protect against the entire gamut of attacks. Many enterprises realize this fact and now invest heavily in security. Gartner estimates information security spending to exceed $86.4 billion in 2017. However, many enterprises go after the latest tools and technologies, while neglecting the basics.

Time-tested security hygiene is the foundation of any countermeasure against cyber threats. Some of the basics include:

  • Installing advanced anti-malware suites
  • Regularly patching and updating key software
  • Regular data backups
  • Controlled access to resources within the network
  • An enterprise-wide whitelist of authorized apps and software
  • Strong two-factor authentication (2FA), with smartcards, biometrics or OTP through SMS

Another key component of basic security hygiene is training users on safe browsing. The ideal end-user education is ongoing. It covers the latest threats and makes employees aware of what to do in the face of various eventualities.

However, all these basics serve only as a foundation on which to construct sound security architecture for the enterprise. These basics alone are no longer effective in keeping cyber criminals at bay.

Patch Management: Vital for online security

Socially engineered malware such as WannaCry spreads across the organizational network without user interaction. The malware exploits latent vulnerabilities in the operating system or application software. Browser add-on programs such as Adobe Reader are especially rife with vulnerabilities, and hackers exploit them at will. In WannaCry’s case, the malware exploited “EternalBlue,” a known Microsoft Windows vulnerability.

Software vendors and cyber criminals are locked in a never-ending battle. Cyber criminals are always looking to unearth some vulnerability. The “good guys” try to beat cyber criminals to the game, identifying vulnerabilities before cyber criminals discover them first. Either way, the software developer releases a patch as soon as the vulnerability becomes known.

But it is rare to find any enterprise with perfectly patched software. Enterprises often do not install patches even when they become available, for reasons such as:

  • Operational constraints and exigencies
  • Concerns that a newly patched version may contain other bugs, rendering the system unstable

Continuous Monitoring: Around the clock website check-ins

Today’s cyber criminals are sophisticated, and the attacks they launch are unpredictable.

Enterprises would do well to ensure continuous monitoring of the network environment. They would also do well to manage the implemented security controls on a proactive basis.

An effective network monitoring system offers end-to-end visibility of the network traffic. It:

  • Understands legitimate traffic patterns in the network, and issues prompt alerts when discovering unexpected traffic flows.
  • Triggers automated responses, such as shutting down the network, or blocking the user, on detecting anomalies.
  • Integrates threat intelligence capabilities, aggregating threat information from multiple sources.

Large enterprises could consider setting up an in-house security operations center, with robust incident response capabilities. Smaller firms could consider enlisting the services of a managed security services provider to monitor their network and respond to incidents in real time. Either way, proactive network monitoring is essential to keep the network safe.

Security Assessment: Third party independent security reviews

Network security does not work in isolation. An effective security set-up offers tight integration, without leaving any loose ends. Enterprises would do well to conduct a thorough security audit to ensure such a state.

A sound and comprehensive review compares the existing state of cybersecurity with best practices, in terms of:

  • The integration of basic and advanced controls into the security architecture
  • Integration of the existing security environment architecture with the business and IT vision
  • How the security framework leverages the latest technologies, such as machine learning, behavior analysis and threat modeling, to detect and mitigate identified threats
  • The scalability of the security architecture to defend against future threats
  • The preparedness of the architecture to deliver intelligent and flexible responses

The state of cybersecurity is fluid. Enterprises need to adopt an adaptive and evolving approach to security. They need to re-evaluate security processes, practices, policies, platforms and tools on a regular basis.

With cybercrime damage estimated to touch $6 trillion annually by 2021, the stakes have never been higher.

4 Keys on Cyber-Risk Accumulation

As the sale of cyber policies grows and other types of policies are extended to include cyber coverage, the industry is taking on a massive amount of new risk. Although it is true that auto, workers compensation, environmental policies and so many others were all new offerings at one time, there are some things about cyber that make it more unusual, more uncertain and more potentially dangerous for the insurance industry than new offerings of the past.

Simultaneity

It is entirely possible for hackers to plan and launch simultaneous attacks on a large number of targets. Those targets may be corporations, infrastructure such as power plants, government bodies, hospitals, or any other type of entity.

If a successful, very harmful simultaneous attack, whether ransomware, malware or any other type of IT weaponry, were to be made on a sizeable number of entities, the losses occurring at one point in time could create serious liquidity pressures and even jeopardize solvency for an insurer.

Individual insurers are modeling their aggregate exposures, but are they doing it comprehensively enough? Analysis must take into account not only the limits and reinsurance on their cyber policies (including such add-ons as contingent business interruption or other enhancements) but also what level of coverage is afforded in existing casualty and property policies, as well as any other policies that may be triggered (such as D&O, E&O, reputation, etc.). In addition, correlated risks that have nothing to do with claims liabilities per se should also be considered. For example, what will they do if their contracted vendor networks, which are supposed to help insureds after a breach, are not resourced sufficiently to handle simultaneous attacks?

Ubiquity

Given the global nature of the internet, attacks may be not only simultaneous but ubiquitous. The entities affected may be all over the world. An insurer that relies on geographic diversity to protect its capital can lose the benefit of diversification when it comes to cyber.

A global event or series of events could have significant capital implications for insurers that have considered their cyber portfolio in part rather than in whole.
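As an added illustration of the accumulation argument made under Simultaneity and Ubiquity above (constructed example code, not from the article or any insurer’s model), the following compares the loss tail of a book of identical cyber policies when insureds are hit independently versus when a single attack hits a fraction of them in the same year. The policy count, annual hit rate, limit and shock parameters are all assumed values.

```python
"""Accumulation risk in a cyber portfolio: independent losses vs. a common shock.

Constructed example (not from the article). A book of n identical policies
each pays `limit` when the insured is hit. Under independence the portfolio
loss is Binomial(n, p) * limit, and diversification works. Under a
common-shock model, with probability q one attack hits a fixed fraction of
all insureds at once, so the tail of the loss distribution is driven by the
shock rather than by how many policies were written.
"""


def binomial_pmf(n: int, p: float):
    """Yield P(X = k) for k = 0..n, X ~ Binomial(n, p), via the recurrence
    pmf(k+1) = pmf(k) * (n-k)/(k+1) * p/(1-p), avoiding huge integers."""
    prob = (1.0 - p) ** n
    ratio = p / (1.0 - p)
    for k in range(n + 1):
        yield prob
        prob = prob * (n - k) / (k + 1) * ratio


def binomial_cdf(n: int, p: float):
    """List of P(X <= k) for k = 0..n."""
    out, total = [], 0.0
    for pk in binomial_pmf(n, p):
        total += pk
        out.append(min(total, 1.0))
    return out


def quantile_from_cdf(cdf, level: float) -> int:
    """Smallest k with cdf[k] >= level (the loss count at the given confidence)."""
    for k, c in enumerate(cdf):
        if c >= level:
            return k
    return len(cdf) - 1


def independent_var(n, p, limit, level=0.995):
    """Portfolio loss at `level` when each insured is hit independently."""
    return quantile_from_cdf(binomial_cdf(n, p), level) * limit


def common_shock_var(n, p, limit, q, hit_fraction, level=0.995):
    """Portfolio loss at `level` for the mixture: with probability q one attack
    hits round(hit_fraction * n) insureds at once; otherwise losses are
    independent. Background independent losses in the shock year are ignored
    for simplicity (including them would only make the tail worse)."""
    m = round(hit_fraction * n)
    base = binomial_cdf(n, p)
    # Mixture CDF: P(L <= k) = (1 - q) * P(Bin <= k) + q * [k >= m]
    mixed = [(1.0 - q) * c + (q if k >= m else 0.0) for k, c in enumerate(base)]
    return quantile_from_cdf(mixed, level) * limit


def expected_loss_independent(n, p, limit):
    return n * p * limit


def expected_loss_common_shock(n, p, limit, q, hit_fraction):
    m = round(hit_fraction * n)
    return (1.0 - q) * n * p * limit + q * m * limit


if __name__ == "__main__":
    # Constructed book: 1,000 policies, 2% annual hit rate, $1M limit each;
    # constructed shock: a 1-in-100-year attack hitting 30% of insureds at once.
    N, P, LIMIT = 1000, 0.02, 1_000_000
    Q, HIT = 0.01, 0.30
    for label, mean, tail in (
        ("independent", expected_loss_independent(N, P, LIMIT), independent_var(N, P, LIMIT)),
        ("common shock", expected_loss_common_shock(N, P, LIMIT, Q, HIT), common_shock_var(N, P, LIMIT, Q, HIT)),
    ):
        # Premiums priced on expected loss look similar; capital needed for the tail does not.
        print(f"{label:13s} expected loss ${mean:>14,.0f}   99.5% loss ${tail:>14,.0f}")
```

Pricing on expected loss makes the two books look alike; the capital an insurer must hold against the 99.5% loss differs by roughly an order of magnitude, which is the diversification failure the two sections describe.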

Unpredictability

There is scant history upon which to base underwriting and pricing decisions when it comes to cyber. The earliest policies were geared toward system failures, not cyber attacks. More recent policies were focused on data breaches and stolen data and the actual cover involved handling some of the expertise needs and certain expenses post breach. Now, cyber policies are dealing with ransomware attacks and cover business interruption and other loss. This is heady stuff when there are no historical patterns to use in predicting frequency and severity as there is with property or workers compensation. Ransomware attacks continue to escalate at a rapid pace. Who knows how much faster or greater this trend line will grow.

Some cyber attacks have been targeted while others are random. In either case, they test the ability of insurers to make predictions. This, in turn, makes it difficult for actuaries to price the product appropriately. How much business should an insurer write of a particular kind until it can be sure the business is priced correctly for the exposure?

A random attack might seem to better fit the principle of insuring against fortuitous events. However, it does mean that an insurer that relies on customer segment diversity to protect its capital can lose the benefit of such diversification. This is similar to the situation mentioned above in connection with geography.

A targeted attack will likely strike an entity (or entities) with the most money, records or other treasure worth capturing or destroying. Hence, the losses generated will be greater.

Initial attacks were focused mostly on retailers with hospitality and with banking and healthcare following. The great fear is that power and infrastructure will be next. The impact from attacks on power and infrastructure could be catastrophic in the extreme.

The flexibility to strike randomly or with fixed intent leaves underwriters in a quandary about which classes of business are riskier than others. How, then, can they manage their customer mix as they do with other lines of business?

Sponsorship

Hackers can work alone or in groups. They can also be actors for foreign governments. When Marissa Mayer spoke about the Yahoo attack, she commented on the unevenness between a company’s attempts at IT security versus an attack potentially perpetrated by a nation state. This phenomenon is something insurers must consider when parsing the words in their contracts. To what extent should there be exclusions, as there are in terrorism policies or other policies that exclude acts of war? To what extent is a future federal backstop needed?

Conclusion

This is not to say that cyber insurance should not be offered. Society has a protection need, and insurers have been answering that need since the first handshake at Lloyd’s. In addition, this line of business has been streaming new revenues into an industry that, in recent years, has had excess capacity. Rather, it is to say that insurers must put robust and innovative solutions in place to manage aggregation risk.

What if You Had a Cyber Risk Score?

There have been three major global cyberattacks in the last six months. These attacks have caused extensive system damage and monetary loss. Some companies affected remain crippled weeks or months after the attack. Will this rate of “one every other month” continue? Nobody knows, of course. But, as a recent Wall Street Journal op-ed suggests, ransomware will remain the dominant attack method of choice, and the problem “isn’t going anywhere.” The article claims that “cybercriminals launch hundreds of millions of attacks daily across the globe, and recent studies have found that as many as 60% involve ransomware.” Why? Because they are easy, and they work.

Without a robustly secured network, it is impossible for most entities to withstand a targeted or random cyberattack. So most companies, big or small, generally enlist the help of third-party vendors, which supply a multitude of software products, modules or platforms to keep cybercriminals from exploiting vulnerabilities. But, because nothing is fail-safe, companies must still consider buying insurance to protect against the staggering potential for loss that a global cyberattack can cause.

Cyber is no different from other risks that an organization could be exposed to (e.g., fire, burglary, flooding, power failure, strikes and liability issues). Businesses have to consider insurance against cyber-attacks and the related financial consequences. This kind of insurance policy is known as Cyber Liability Insurance Coverage, or CLIC. With the annual cost to the global economy from cybercrime estimated at between $375 billion and $575 billion in 2014 alone, and the average cost of a corporate data breach at more than $3 million per incident, it is understandable why cyber insurance is catching on.

Still, there seems to be a lot of room for error, rounding or otherwise, in a market where U.S. insurers wrote approximately $1.3 billion in cyber coverage last year. This is expected to reach $14 billion by 2022. Industry data shows that insurance premiums could range from $800 to $1,200 for SMEs/SMBs with revenues of $100,000 to $500,000 (on the low end) to more than $100,000 for SMEs/SMBs with revenues in the millions. Allianz SE, the largest insurer in the world, expects these premiums to skyrocket by 2025. Furthermore, the Insurance Information Institute estimates that the third-largest risk for companies worldwide is cybercrime, not least due to cyber attacks such as WannaCry and Petya/NotPetya.

As it stands right now, insurance companies have limited resources to address the growing number of CLIC applicants. There are the obvious factors that come into play when calculating an insurance premium: the nature of the business, the vulnerability (attractiveness for cyber crooks) of the data, the size of the company and the amount of revenues, etc. But pinpointing the exact risk is still evolving. Currently, insurers mostly rely on questionnaires or third-party onsite assessments to estimate the cybersecurity posture of applicants, which is time-consuming and expensive. Because this branch of insurance is not mature enough, there is a lack of specialized and qualified personnel that have the experience and expertise to perform cyber risk assessments. In many cases, the onsite assessments are conducted by junior staff members of the insurer and junior security consultants using non-standardized methods.

My guess is that insurance companies still don’t know exactly what they are insuring and what to charge, because there are still inefficiencies in the market. There are conflicting definitions of what exactly makes a system “secure” and what constitutes a threatening vulnerability that must be decided upon. Knowledge still has to be gained to determine how to manage risk. Most insurance companies are large enough to have a staff of security officers and to use third-party vendors to protect themselves from cyber vulnerabilities. But what to do about assessing insurance candidates?

The good news is that progress is being made where advanced simulation can help assess the various attack vectors in use today. The value of such a CLIC assessment would derive from being able to put an aggregate “risk score” on an insurance candidate. The score would be based on known and accepted risk-calculation methods such as NIST, CVSS3 and DREAD. It would be provided to each applicant based on the results of a simulated assessment performed on its network, testing all of its security controls.

The value of such technology comes from insurers being able to know within a few hours whether they should provide coverage to an applicant based on demonstrated risk, how much coverage to provide without putting themselves at risk and how much to charge in premiums based on an accepted risk score provided after the assessment. Providing a uniform score for cyber insurance applicants reduces the exposure level for insurers, possibly saving millions of dollars, and could even lead to revenue growth by raising premium prices to match the risk level.

How to Determine Your Cyber Coverage

Public agencies and organizations around the world are making cyber risk their top priority. North American policyholders dominate the market, but Europe and Asia are expected to grow rapidly over the next five years due to new laws and significant increases in targeted attacks, such as ransomware. Various experts predict the $3 billion global cyber insurance market will grow two-, three- or even four-fold by 2020.

Deciding how much cyber insurance to buy is no inconsequential matter, and the responsibility rests squarely with the board of directors (BoD). Directors and executives should have the highest-level view of cyber risk across the organization and are best-positioned to align insurance coverage with business objectives, asset vulnerability, third-party risk exposure and external factors.

So, how much does your organization stand to lose from a supply chain shutdown, a website outage or service downtime?

Recent data points from breach investigations help frame the discussion around risks and associated costs. Following a variety of high-profile breaches helps ensure that your projected coverage requirements match up with reality. Be sure to follow older cases for deeper insight into the full expense compared with insurance payout; related costs and losses are often incurred for years afterward due to customer and market response as well as legal and regulatory enforcement actions.

In 2013, Target suffered a very public breach that resulted in the resignation of the CEO, a 35-year employee. Target had purchased $100 million in cyber insurance, with a $10 million deductible. At last count, Target reported that the breach costs totaled $252 million, with some lawsuits still open.

Home Depot announced in 2014 that between April and September of that year cyber criminals stole an estimated 56 million debit and credit card numbers – the largest such breach to date. The company had procured $105 million in cyber insurance and reported breach-related expenses of $161 million, including a consumer-driven class action settlement of $20 million.

These cases illustrate the need for thoughtful discussion when deciding how much breach insurance to buy. Breach fallout costs depend on multiple factors, are not entirely predictable and can rise quickly due to cascading effects. Cases in point: the bizarre events surrounding Sony’s breach and the post-breach evisceration of Yahoo’s pending deal with Verizon.

Organizations need to review their security posture and threat environment on a regular basis and implement mechanisms for continuous improvement. The technology behind cyber security threats and countermeasures is on a sharp growth curve; targets, motives and schemes shift unpredictably. Directors may find it useful to assess risk levels and projected costs for multiple potential scenarios before cyber insurance amounts are decided upon.

Most policy premiums are currently based on self-assessments. The more accurate the information provided in your application, the better protected the organization will be. Most policies stipulate obligations the insured must meet to qualify for full coverage; be sure to read the fine print and seek expert advice.

A professional security assessment can pinpoint areas in need of improvement. If you claim to be following specific protocols, but a post-breach investigation finds they were poorly implemented, circumvented or insufficiently monitored, the insurer may deny or reduce coverage. Notify your insurance provider immediately about significant changes to your security program.

Review policy details regularly to ensure they match prevailing threats and reflect the evolution of crimeware and dark web exploits. Cyber insurance carriers continually adjust their offerings based on risk exposure and litigation outcomes.

As the industry matures, cyber insurance policies will become more standardized. For now, it’s an evolving product in a dynamic market; boards and executives need to keep an eye on developments. Simultaneously, they must maintain a high degree of visibility across their security program. Checking off compliance requirements, writing policies and purchasing security software isn’t sufficient.

My advice is to lead from the top. Organizations need to ensure risk assessments are thorough and up-to-date, policies are communicated and enforced and security technology is properly configured, patched and monitored.

Turning a blind eye to cyber threats and organizational vulnerabilities can have disastrous consequences. Cyber insurance may soften the financial blows, but it only works in conjunction with an enterprise-wide commitment to security fundamentals and risk management.