A new article, The Science of Cyber Risk: A Research Agenda, has just been published in Science. A free, non-paywalled version of this paper is available here. Written by a diverse team of 19 authors, including myself, it presents a concise argument for interdisciplinary research to establish a scientific basis for risk analysis and management in the cyber security domain.
As a leading provider of cyber risk models for the (re)insurance industry, RMS is committed to advancing the state of the art in the science of cyber risk. The proposed six-category research agenda is of keen interest to RMS, and we recommend this Science journal article to anyone who shares our interest in solving the hard problems.
In this, the first of three blog posts, I’ll explore why we need a “science” and what difference it will make. The next two posts will feature case studies in interdisciplinary collaboration, including lessons from past successes and failures.
Technological advances in communications, computing and computer networks are exposing new vulnerabilities that terrorist groups can exploit, making cyberterrorism a potential security concern. The media has extensively discussed this issue, invoking images of massive economic losses and even larger-scale loss of life from a cyberattack executed by a terrorist group. But just how real is the threat that cyberterrorism poses? Fortunately, the fear surrounding this issue outpaces the magnitude of the risk, as I will attempt to show in this blog.
The Twitterverse got its chance to pose cyber risk questions to a panel of distinguished experts at the NetDiligence® Cyber Risk Summit in Santa Monica on October 16. RMS and NetDiligence teamed up to host a live #ChatCyberRisk Q&A session at the conference. The experts on hand included Vinny Sakore, Chief Technology Officer, NetDiligence; Russell Thomas, Principal Engineer – Cyber, RMS; and Christos Mitas, Vice President – Model Development, RMS.
Which cyberattacks will grow in prominence?
Vinny Sakore sees more and more attacks against individuals – especially high net worth individuals, with personal cyber insurance coverage becoming an important issue in the future.
And the biggest driver of cyber risk for organizations? Russell Thomas stated that the main ones remain: contagious malware (including ransomware) and data theft/exfiltration will continue to be the most prominent types of attacks with potential for severe or catastrophic loss to victims. The number of attacks will also grow as more firms, government organizations, schools, etc. become more dependent on automated processes and e-commerce. Financial risk due to business interruption stands out as the immediate risk driver; in a 2018 survey of 1,300 global companies, 34 percent of companies reported business interruption due to cyberattack.
If you are a business insurer, then your clients are typically exposed to cyber risk. As RMS discussed previously in our 2019 Cyber Risk Outlook, the digital economy has become more pervasive and now accounts for almost a third of the GDP of developed countries, and e-commerce now represents 14 cents in every U.S. dollar spent in retail. The “attack surface” vulnerable to cyber risk expands as more and more business devices are connected to the Internet, and as technologies become more standardized, homogenized, and cloud dependent.
So, it’s never been more important to understand the cyber risk landscape, whether you are a dedicated affirmative cyber insurer or exposed to “silent-cyber” – where potential cyber-related losses stem from traditional property and liability policies not specifically designed to cover cyber risk.
In September, RMS ran a series of cyber risk seminars in London and New York. These half-day events coincided with the release of RMS Cyber Solutions version 4.0 and featured both RMS and industry experts discussing cyber risk and the opportunities for the cyber insurance industry.
At both events, the day kicked off with Dr. Andrew Coburn, senior vice president for RMS, examining recent developments within the cyber risk landscape by outlining the approach RMS takes to tracking and categorizing the wide range of evolving threat actor groups. He also proposed some key future trends, such as the potential impact of a “gloves-off” nation-state cyberattack and its implications for the cyber insurance industry.
What will cyber risk look like in 2030? Given the rate of change of technology, this may seem like an impossible question to answer. But for those making investments that depend on these new technologies and the risks that surround them – either managing or insuring the risk – it’s critical that these investments are made not only with a 12-month horizon in mind, but with a projection that extends over the next five or even ten years.
To facilitate this important discussion, RMS is delighted to be co-hosting an event at the University of Cambridge Judge Business School on “The Future of Cyber Risk”. To be held on July 24, the event will challenge cyber risk specialists and risk managers to think beyond the next 12 months and to consider how cyber could evolve over a five- to ten-year horizon.
In particular, the event will focus on the potential paradigm shifts that could provide strategic shock, and how business strategies should be developed to cope with this uncertain future.
In 1915, Cuthbert Heath – pioneer of catastrophe insurance at Lloyd’s of London – decided to offer insurance policies to cover the impacts of war far from the front line. Zeppelin airships were arriving over London during World War One, dropping bombs and incendiary devices. Later in the war, bombs were dropped from Gotha biplanes.
Heath did some simple calculations: the number of Zeppelins, the frequency of attacks, the number of bombs each airship could carry, the damage area of an explosion, and how much of London was built up compared to open spaces. Having generated a risk cost estimate, he then multiplied it by six to arrive at his proposed rate for the insurance coverage. As the intensity of air attacks went up and down, his insurance prices followed.
RMS recently participated in a cyber model comparison exercise at the Cat Risk Management and Modelling conference in London. These types of comparison for natural catastrophe models have been performed at several conferences during the last decade, but this was the first time that losses from multiple cyber models had been compared in this way. The assessment included established cyber model firms such as RMS and Guidewire, as well as start-ups including Corax, Kovrr and CyberCube.
This comparison exercise clearly demonstrated that the cyber modeling industry has not reached a consensus on the likelihood and impact of extreme cyber catastrophes. The comparison was run against a small number of accounts – looking at a total of 46 U.S. companies across a range of industry sectors.
On Monday, March 18, 2019, Norsk Hydro, one of the world’s largest aluminum producers, announced the replacement of its CEO, who had left the company through early retirement. This followed admissions that the company was responsible for a massive environmental spillage of bauxite residues at its plants in north-eastern Brazil in February 2018. As a result, a government-imposed shutdown of some of Norsk Hydro’s operations had seen aluminum production at its Alunorte refinery cut to just 50 percent of its capacity.
Late that same evening, the company’s IT team was alerted to a major cyberattack. At a press conference the following morning, it was the CFO rather than the CEO who disclosed that IT systems in most Norsk Hydro business areas were impacted, including the digital systems at its smelting plants. Apart from switching to manual operations at its smelting plants, several metal extrusion plants had to be shut down. To stop the infection spreading from one plant to another, Norsk Hydro quickly isolated its plants from each other.
This article was originally published in The Insurer; click here to access the original article.
Examples of data theft continue to stream through; no one brand seems immune from having to announce major losses of customer data records. Uber paid US$148 million to settle a legal action over a cyberattack in 2016 that exposed data from 57 million customers and drivers. Forbes reported that Yahoo agreed to pay a US$50 million settlement to roughly 200 million people affected by the email service’s 2013 data breach.
It is still the case that data theft is the leading source of loss for both insurers and reinsurers that cover cyber. The cyber insurance market is still at an early growth stage: the overall economic impact on the global economy from cyberattacks in 2017 was estimated at US$600 billion, while insured loss for standalone cyber policies was a fraction of this, at around US$1 billion to US$1.5 billion. But with cyber risk continually evolving, insurers may have to contend with a new, growing source of loss, as cyber attackers are turning to ransomware because it offers a potentially easier and more lucrative attack method.
Ransomware is malware that infiltrates a company’s network and disables servers or locks up data until a ransom is paid. Contagious malware of this kind, of which WannaCry and NotPetya are probably the most renowned examples, can plague even companies with high standards of security, and has the ability to scale and to cause systemic loss to thousands of companies. Attackers have also stolen data from a company and then attempted to extort a ransom from the victim company in return for the data.
Overall, the number of ransomware attacks is increasing each year, and for cyber attackers there is the easy availability of ransomware to buy on the dark web. As outlined in our recent RMS Cyber Risk Outlook Report, estimates of ransomware extorted in 2017 exceed five billion dollars, a 15-fold increase over the previous two years.