The cyber risk landscape is constantly changing. In the last few weeks alone we’ve seen potentially game-changing events with the release of U.S. National Security Agency hacking tools through the shadow brokers auction, and one of the most significant Denial of Service (DDoS) attacks ever seen when millions of Internet of Things devices were hijacked to target a major piece of Internet infrastructure taking hundreds of websites offline. In this blog I’ll discuss some of the constant ebb and flow of attack verses defense through the lens of the five cyber loss methods currently modeled by RMS.
The loss of 500 million records in a single cyberattack represents the largest data breach event in history – so far, at least. The recent Yahoo hack, and the potential impact on the proposed Verizon takeover, has sent another stark reminder to industry executives of the dangers surrounding data breaches.
It may have been the biggest single hack ever in terms of records lost, but it’s hardly an isolated one. The leak of the Panama Papers was significant in terms of size – but also led to huge political fall-out globally as politicians were implicated in secret offshore funds, with the resignation of the Icelandic prime minister.
Governments and public agencies themselves have also been targeted in the U.S., Mexico, and the Philippines, for example. One of the most significant breaches affected Turkey, with the release of nearly 50 million records from the country’s General Directorate of Population and Citizenship Affairs, which included addresses, birth dates, and most troublingly, national ID numbers.
These individual large events fit within the observed pattern for 2016 so far, with less frequent cyber data hacks, though ones of higher severity.
Denial of Service Attack
2016 has been another active period for Denial of Service (DDoS) attacks. Going into the year we’d seen signs of a downwards trend. However this was spectacularly reversed in the first quarter which saw 19 attacks greater than 100 gigabits per second. Gaming and software industries continue to be most heavily impacted. Furthermore, we’re seeing a growing number of companies attacked repeatedly – on average, each targeted company was attacked 29 times, but with one company being attacked 283 times!
Frequency aside, the increasing complexity of attacks is most disturbing. 59% in the first quarter of 2016 were “multi-vector” attacks which require unique mitigation controls for each attack vector, as seen in the recent DDoS attack on Dyn, the DNS provider. If this trend continues we can expect existing defenses to be less effective against DDoS, and therefore disruption to be increased.
Cloud Provider Failure
With the leading cloud providers continuing to achieve double and even triple-digit year-on-year growth, the clear trend of companies moving their services to the cloud is continuing apace. Though overall trends have seen a decrease in the annual downtime, 2016 has seen several small but significant failures including an Amazon Web Services outage in Australia, Salesforce in both the U.S. and Europe and a Verizon issue that impacted among others JetBlue Airways. As these cloud services become more popular, the accumulation of risk to both business interruption and data loss is becoming ever more severe as more companies become increasingly reliant on the cloud.
Financial Transaction Theft
Perhaps the most audacious cyber-attack of the past year was when almost US$100 million was stolen from Bangladesh’s central bank and transferred to accounts in Manila and the Philippines. Even more shocking, this money was stolen from the bank account at the U.S. Federal Reserve and was transferred using standard SWIFT financial transaction messages.
The largest cyber heist ever could have been even larger but for a misspelling, and it was this typo that raised the attention of the U.S. Federal Reserve Bank in New York. The perpetrators had attempted to withdraw $950 million over 35 separate transactions. A similar attack, using a vulnerability in the SWIFT messaging system, led to another multi-million dollar theft from a Ukrainian bank.
Perhaps more than any other sector, the interconnected nature of modern financial services leaves the industry open to large scale systemic cyber losses.
Ransomware attacks are continuing to become more frequent and more complex in 2016. One alarming pattern has seen an increased targeting of healthcare institutions where we’ve seen multiple hospitals in California and Kentucky in the U.S. and in Germany, all being attacked. In one particularly un-ethical incident the Hollywood Presbyterian Hospital had to pay out around $17,000 to regain access to their systems.
The more sophisticated software now being used to perpetrate attacks is starting pay dividends for the hacking groups. The “Jigsaw” malware, for example, threatens to delete an increasing number of files after every hour of nonpayment. Encryption type malware has become the norm – and targeted, business-focused malware is growing as evidenced by the “Samsam” scheme which targets unpatched server software.
Incorporating Into the RMS Cyber Model
RMS is continuing to monitor the broad spectrum of cyber-attacks that are impacting thousands of companies every month. During a recent online seminar, the RMS cyber team shared some of these key trends outlined in this blog, and discussed the impacts on cyber insurers. Through the RMS Cyber Accumulation Management System, RMS is continuing to incorporate these insights into our modeling to provide the most comprehensive and accurate view of cyber risk.