10 May 2017 | Insurance

Preparing for a ‘cybergeddon’

There is still a lot of work to be done when it comes to insurers understanding cyber risk. Matt Webb, global group head of cyber at Hiscox, suggests that the understanding of cyber aggregation risk is now more crucial than ever, and that insurers have a responsibility to know what cyber exposure they are running across all lines of business, and to ensure that it flows into their aggregation modelling.

This has led to a new crowd of sleep-deprived insurance executives anticipating the next big cyber loss, pondering what form it is going to take.

“From a nat cat perspective, the modelling is sufficiently mature that insurers should be able to manage their aggregate exposures through individual natural catastrophes,” Webb says.

“The sleep deprivation should not be there as much, but with cyber insurance, we’re closer to the start of the journey in understanding the aggregated risk and exposures that exist with cyber insurance. And it changes as technology advances.”

Similar to an earthquake hitting a fault line, some of the newer breaches—such as Amazon’s S3 outage at the end of February and the breach of domain service provider Dyn in October—involve a single point of failure which impacts a number of other companies.

Seeing the whole picture
Even if insurers do not write specific cyber insurance, Webb says, they will have a big exposure to cyber-related losses within their existing line of business.

However, many of the companies potentially faced with some of these exposures do not see the full picture.

More than 53 percent of businesses in the UK, US and Germany are ill-prepared to deal with cyber attacks, according to a survey of 3,000 companies in The Hiscox Cyber Readiness Report 2017.

US firms were among the most prepared, with nearly half of the top-ranked companies or ‘cyber experts’ being based there. Large US firms were often the most targeted, with 72 percent falling victim to an attack in the past 12 months and nearly half (47 percent) of all firms experiencing two or more.

Of these US firms, 55 percent said they have cyber insurance.

By contrast, firms in the UK were the least likely to have experienced a cyber attack in the past year, with only 45 percent affected. However, more than 35 percent of these companies said they had not changed anything following the incident.

“We live in a connected world,” says Webb. “The internet of things (IoT) is going to proliferate everywhere. Estimates vary but it’s commonly suggested there are now around 10 billion devices, expected to rise to 50 billion by 2020.

“We’re at the dawn of industry 4.0 and automated factories. We have the digitisation of everything. There is an increased use of cloud. And all those things connect us in a way that is unprecedented.”

Changing exposures
It is the interconnectivity of devices and IoT that is creating new challenges for insurers regarding risk aggregation, according to Webb.

He refers to it as ‘the ripple effect’, where a single point of failure can initiate a chain of events that can adversely impact balance sheets and portfolios.

One such example is the recent outage of Amazon’s cloud service S3, which is used by more than 100,000 different companies.

As one of the largest cloud providers, Amazon is a big area of focus for Hiscox and others in the insurance industry when they model their aggregated exposures to it.

“From our perspective—Hiscox and the insurance industry—it’s a big exposure as it poses a ‘cybergeddon’ scenario where there has been one incident and many of our policyholders are affected by it. That’s where you get the balance sheet stretched,” says Webb.

Denial of service
Another regularly cited example is the breach of domain name system provider Dyn in October 2016, significant in Webb’s eyes due to the nature of the large systemic loss, affecting multiple companies which use Dyn’s domain services.

In this case, a botnet—a network of private computers infected with malicious software—was used to bring a denial of service (DoS) attack against Dyn.

“This had existed before, an IoT botnet harnessing the power of everyday devices that are now connected to the internet, such as CCTV cameras, baby monitors, things like that,” suggests Webb.

He says cases like the attack on Dyn exploit the vulnerabilities of IoT and IoT devices, looking for areas where security is weaker.

Devices with weak security—such as default usernames and passwords—are hacked into, which allows the hacker to harness all of those devices at once to bring an unprecedented volume of attack.

This was seen with Dyn, which experienced a DoS attack at the rate of 1.2 terabytes per second, due to the high processing power of the botnet involved.

“We consider that kind of scenario a massive DoS attack. Previously, we thought that the only bad actors with access to that much bandwidth were nation states, but now cyber criminals also have access to it.”

And with this single point of failure, the impact is felt by a number of other companies, some of them quite high profile, Webb adds.

From a customer perspective, Webb says he is seeing more demand come into the market after the likes of Target, Home Depot and Anthem were hacked.

“You’ve got one-off breaches in a particular industry sector that cause peers to think ‘right, we’re susceptible to that type of risk, and I think we need insurance to help us manage it’,” he concludes.
