Accessing information on the Internet was once likened to searching for information in a library, where the pages of all the books had been ripped out and strewn on the floor. Everyone knows that there is a colossal amount of online information about cyber security issues. How can this seemingly boundless ocean of information be processed for the practical benefit of cyber risk professionals?
This is a daunting multi-disciplinary challenge because cyber risk management spans the broad domains of information technology, risk regulation, law and criminology, security economics, insurance, as well as risk analysis.
This challenge can’t be met by one person – but it can with three. Early in 2017, Andrew Coburn conceived of the idea of a book on cyber risk, with Éireann Leverett and myself as the two other co-authors. Éireann is an ethical hacker, with specialist capabilities and technical insight into the shadowy world of cyber attack and defense. I knew he had special expertise when he showed he could hack my (Samsung) phone in five minutes.
After a brainstorming session in the RMS London office, Andrew came up with the title, Solving Cyber Risk, and after a year and a half of gestation, this book has just been published by Wiley.
Of the many risks that businesses must face, it is now probable that cyber poses the greatest risk for any business – across the globe and across all sectors. Hardly a day passes without another high-profile global business hitting the headlines with the latest report of a cyberattack, and these incidents are costly. RMS recently estimated that the losses for the Marriott International incident could reach in excess of US$250 million, in an attack that impacted half a billion customers.
Managing the impact of a cyberattack is a complex, lengthy process, and losses occur from a long list of sources. These range from the immediate costs of securing or replacing IT systems, through the direct losses incurred by customers or suppliers, all the way to the “long-tail” losses of litigation such as customer class actions. Perhaps most damaging of all is the loss of reputation, as customers feel cheated and violated when their personal details are stolen and sold. Businesses then have to try to win back the trust of customers who may never return.
I invite you to read an excerpt from Solving Cyber Risk, a new book jointly written by Andrew Coburn, Éireann Leverett, and Gordon Woo, which illustrates the origins and the mechanics of an attack, as well as its impact, by examining the Target cyberattack in 2013. The story of the Rescator cyber-hacker team, the perpetrators of a data theft involving 110 million payment card details from Target customers, is as worthy as any Ocean’s 11 casino heist. Reading the story, it is hard not to acknowledge the proficiency of this small team of hackers. They identified the vulnerabilities, drew up their target list, circumvented defenses, then – through a combination of luck and skill – struck gold, and got clean away from the scene without a trace.
On September 8, 2018, Marriott International received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database. A subsequent investigation, carried out by the security specialist firm Kroll, determined that unauthorized access had taken place. As the investigation progressed, Marriott discovered that the Starwood network had been accessed since 2014. An unauthorized party had also copied information and had taken steps towards removing it.
In its statement on November 30, Marriott stated that it had not finished identifying the copied information in the database, but believed the breach impacted around 500 million customers. For approximately 327 million of these guests, the information includes some combination of name, address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, and arrival and departure information. For some, the information also includes payment card numbers and expiration dates, but the payment card numbers were encrypted using the Advanced Encryption Standard (AES-128).
With regard to the potential perpetrators, rumors have spread that Chinese state hackers might have been behind the cyberattack, although, as with most cyberattacks, attribution to a specific threat actor is a lengthy and uncertain task.
The latest edition of EXPOSURE is essential reading for risk professionals, as we look back at what can be learned from last year’s events and look forward to the future, including new challenges faced by the global risk management community and new opportunities to capitalize on.
EXPOSURE offers a unique perspective with a clear mission “… to provide insight and analysis to help insurance and risk professionals innovate, adapt and deliver.” And with a new North Atlantic hurricane season nearly upon us, and memories of HIM (Hurricane Harvey, Irma and Maria) fresh in the industry’s collective consciousness, EXPOSURE talks to the industry and paints a picture of a mature, responsible insurance sector that managed HIM with certainty and confidence. Cyber has also demonstrated its potential as a global systemic risk, and EXPOSURE looks at how events such as an outage of a major cloud services provider could generate economic losses as high as Superstorm Sandy.
As the sun shone over Biscayne Bay at the start of the second full day at Exceedance, our keynote guest speaker, Jeff Goodell, energy and environmental expert, investigative journalist and author of numerous books including The Water Will Come, asked a provocative question in his opening slide. It simply said, “Goodbye Miami?”
Jeff said that he felt at home in the company of fellow “catastrophists” and the risk management community at Exceedance, but this is not always the case. When talking about climate change and sea-level rise, he sometimes felt as if he was Richard Dreyfuss in the movie Jaws. Dreyfuss played oceanographer Matt Hooper, a character who continually warned the Mayor of Amity Island to close the beach because of the risk of shark attacks. The Mayor ignored the advice, due to the economic impact of closing the beach … but [spoiler alert] the shark kept coming. Jeff remarked that sea-level rise is the shark, and it’s bigger and more dangerous than we first anticipated.
On Thursday April 6, 2017, President Trump ordered a Tomahawk missile attack on a Syrian military airfield. This was a direct response to President Assad’s use of sarin gas to attack Syrian dissidents. Just two days later, the password to an encrypted archive of cyber weapons (stolen from the U.S. National Security Agency) was posted by the so-called Shadow Brokers cyber group. This hacking group is thought to have connections with Russia, which is the leading supporter of the Assad regime. They were angered by President Trump’s action.
An immediate beneficiary of this password release was the Lazarus Group, linked with North Korea, which had been launching ransomware attacks at targets over the previous several months. What they lacked was an effective tool to propagate their ransomware from computer to computer. This missing tool, built on a Microsoft Windows bug called “EternalBlue”, was now gifted to them thanks to Shadow Brokers.
The mass production of the internal combustion engine facilitated many new kinds of insurable damage and loss. It also provided opportunities to extend and expand older forms of crime. Before cars, robbers were reduced to committing burglary within their own town or village, potentially aided by a speedy horse. Cars took these crimes to a new level. Cars facilitated “smash-and-grab” raids on banks, and kidnap and ransom, grabbing the unfortunate victim on the street and hustling them into the back of the car. Cars facilitated rapid getaway after any kind of attack, whatever the motivation — sabotage, vandalism, revenge. And that is before all the causes of loss associated with cars themselves, such as hit-and-run, manslaughter, dangerous driving, or speeding.
The term “car crime” relates specifically to the robbery of the car or its contents, or otherwise damaging the car — we would not consider lumping together all these different ways in which the car has facilitated losses and crimes under a single heading.
So why does it make sense to lump together all those varieties of crime and loss facilitated by another quantum leap in communications, through computing and the Internet? Because that is what we currently do when it comes to the use of the catch-all term “cyber”.
I invite you to explore the latest digital edition of EXPOSURE Magazine, which also hit the streets of Monte Carlo as a print edition for those attending Les Rendez-Vous de Septembre, and will be available at RMS events over the coming months.
There is a clear mission for EXPOSURE, which is “… to provide insight and analysis to help insurance and risk professionals innovate, adapt and deliver.” And change is in the air for all businesses in the industry, whether it is developing new opportunities, getting products to market faster, being more agile and efficient, or using data-driven insight to transform decision making.
The recent Equifax incident was by all measures a significant cyberattack. As the press statement released by Equifax on September 8 highlighted, the data theft potentially impacted approximately 143 million U.S. consumers. To put this into perspective, this represents nearly 70 percent of the U.S. working population.
However, we should not be surprised. RMS tracks data theft among other types of cyber events on an ongoing basis, and we have seen numerous events of this magnitude or larger over the last few years. This Equifax breach would have ranked just #7 on the list of the largest data breaches in the 2017 RMS Cyber Risk Landscape report.
We tend to think that the critical systems responsible for managing oil rigs, power stations and steel production plants are somewhat immune to what happens in the “wild west” of cyberspace. News of cyberattacks tends to focus on data theft, financial heists, or bringing down websites; these incidents are contained within IT systems. If cyberattacks are contained in the cyber world, then the logic goes that only cyber insurers should be concerned by the risk.
There is also a sense of security in the belief that critical control systems for “real world” assets and processes are either too mechanical, too old, not connected to the same network as the wider Internet, or running on their own isolated networks. The reality is that the industrial control systems (ICS) that manage energy, water, transport, communications, and manufacturing plants are increasingly managed and controlled remotely or need to be networked. Wherever a system needs to use a network, that system is exposed to the vulnerabilities on that network. For non-cyber insurers, this risk needs to be assessed and managed.