In 2017, WannaCry infected computers in over 150 countries across the globe, taking out critical functions such as the National Health Service (NHS) in the U.K. One year later, the NotPetya cyberattack brought many household names to a standstill. The pharmaceutical giant, Merck, was reportedly the source of US$1.3 billion of total impact to (re)insurers from the NotPetya attack, 87 percent of which was considered silent exposure. These two major cyberattacks highlighted to insurance carriers the risk of being exposed to silent cyber events and the need to start quantifying and managing that risk.
Regulators have started to take notice. Since summer 2017, the U.K. Prudential Regulatory Authority (PRA) has been asking insurance firms to provide action plans on how they intend to address their silent cyber risk. In November 2018, Moody’s announced it would soon start evaluating organizations on their risk of a major impact from a cyberattack. Following this, in July 2019, Lloyd’s announced a deadline of January 1, 2020 for all syndicates to start addressing their silent cyber risk, where “… all policies provide clarity regarding cyber coverage by either excluding or providing affirmative coverage.”
NotPetya and WannaCry were just two examples of costly silent cyber events. As pressure from regulators mounts and cyberattacks become more common, it is imperative to understand where silent cyber exposure can be found, and how much it could cost you.
A new article, The Science of Cyber Risk: A Research Agenda has just been published in Science. A free, non-paywall version of this paper is available here. Written by a diverse team of 19 authors, including myself, it presents a concise argument for interdisciplinary research, to establish a scientific basis for risk analysis and management in the cyber security domain.
As a leading provider of cyber risk models for the (re)insurance industry, RMS is committed to advancing the state-of-the-art in the science of cyber risk. The proposed six category research agenda is of keen interest to RMS and we recommend this Science journal article to anyone who shares our interest in solving the hard problems.
In this, the first of three blog posts, I’ll explore why we need a “science” and what difference it will make. The next two posts will feature case studies in interdisciplinary collaboration, including lessons from past successes and failures.
Technological advances in communications, computing and computer networks are exposing new vulnerabilities that terrorist groups can exploit, making cyberterrorism a potential security concern. The media has extensively discussed this issue, invoking images of massive economic losses and even larger-scale loss of life from a cyberattack executed by a terrorist group. But just how real is the threat that cyberterrorism poses? Fortunately, the fear surrounding this issue outpaces the magnitude of the risk, and in this blog I will attempt to investigate why.
The Twitterverse got its chance to pose cyber risk questions to a panel of distinguished experts at the NetDiligence® Cyber Risk Summit in Santa Monica on October 16. RMS and NetDiligence teamed up to host a live #ChatCyberRisk Q&A session at the conference. The experts on hand included Vinny Sakore, Chief Technology Officer, NetDiligence; Russell Thomas, Principal Engineer – Cyber, RMS and Christos Mitas, Vice President – Model Development, RMS.
Which cyberattacks will grow in prominence?
Vinny Sakore sees more and more attacks against individuals – especially high net worth individuals – with personal cyber insurance coverage becoming an important issue in the future.
And the biggest driver of cyber risk for organizations? Russell Thomas stated that the main ones remain the same: contagious malware (including ransomware) and data theft/exfiltration will continue to be the most prominent types of attack with potential for severe or catastrophic loss to victims. The number of attacks will also grow as more firms, government organizations, schools, etc. become more dependent on automated processes and e-commerce. Financial risk due to business interruption stands out as the immediate risk driver; in a 2018 survey of 1,300 global companies, 34 percent of companies reported business interruption due to a cyberattack.
If you are a business insurer, then your clients are typically exposed to cyber risk. As RMS has discussed previously in our 2019 Cyber Risk Outlook, the digital economy has become more pervasive and now accounts for almost a third of the GDP of developed countries, and e-commerce now represents 14 cents in every U.S. dollar spent in retail. The “attack surface” vulnerable to cyber risk expands as more and more business devices are connected to the Internet, and as technologies become more standardized, homogenized, and cloud dependent.
So, it’s never been more important to understand the cyber risk landscape, whether you are a dedicated affirmative cyber insurer or exposed to “silent-cyber” – where potential cyber-related losses stem from traditional property and liability policies not specifically designed to cover cyber risk.
In September, RMS ran a series of cyber risk seminars in London and New York. These half-day events coincided with the release of RMS Cyber Solutions version 4.0 and featured both RMS and industry experts discussing cyber risk and the opportunities for the cyber insurance industry.
At both events, the day kicked off with Dr. Andrew Coburn, senior vice president for RMS, examining recent developments within the cyber risk landscape by outlining the approach RMS takes to tracking and categorizing the wide range of evolving threat actor groups. He also proposed some key future trends, such as the potential impact of a “gloves-off” nation-state cyberattack and its implications for the cyber insurance industry.
What will cyber risk look like in 2030? Given the rate of change of technology, this may seem like an impossible question to answer. But for those making investments that depend on these new technologies and the risks that surround them – either managing or insuring the risk – it’s critical that these investments are made not only with a 12-month horizon in mind, but with a projection that extends over the next five or even ten years.
To facilitate this important discussion, RMS is delighted to be co-hosting an event at the University of Cambridge Judge Business School on “The Future of Cyber Risk”. To be held on July 24, the event will challenge cyber risk specialists and risk managers to think beyond the next 12 months and to consider how cyber could evolve over a five- to ten-year horizon.
In particular, the event will focus on the potential paradigm shifts that could provide strategic shock, and how business strategies should be developed to cope with this uncertain future.
In 1915, Cuthbert Heath, pioneer of catastrophe insurance at Lloyd’s of London, decided to offer insurance policies to cover the impacts of war far from the front line. Zeppelin airships were arriving over London during World War One, dropping bombs and incendiary devices. Later in the War, the bombs were being thrown out of Gotha biplanes.
Heath did some simple calculations: the number of Zeppelins, the frequency of attacks, the number of bombs each airship could carry, the damage area of an explosion, and how much of London was built up compared to open spaces. Having generated a risk cost estimate, he then multiplied it by six to arrive at his proposed rate for the insurance coverage. As the intensity of air attacks went up and down, so his insurance prices followed.
RMS recently participated in a cyber model comparison exercise at the Cat Risk Management and Modelling conference in London. These types of comparison for natural catastrophe models have been performed at several conferences during the last decade, but this was the first time that losses from multiple cyber models had been compared in this way. The assessment included established cyber model firms such as RMS and Guidewire, as well as start-ups including Corax, Kovrr and CyberCube.
This comparison exercise clearly demonstrated that the cyber modeling industry has not reached a consensus on the likelihood and impact of extreme cyber catastrophes. The comparison was run against a small number of accounts – looking at a total of 46 U.S. companies across a range of industry sectors.
On Monday, March 18, 2019, Norsk Hydro, one of the world’s largest aluminum producers, announced the replacement of its CEO, who had left the company through early retirement. This followed admissions that the company was responsible for a massive environmental spillage of bauxite residues at its plants in north-eastern Brazil in February 2018. As a result, a government-imposed shutdown of some of Norsk Hydro’s operations had seen aluminum production at its Alunorte refinery cut to just 50 percent of its capacity.
Late that same evening, the company’s IT team was alerted to a major cyberattack. At a press conference the following morning, it was the CFO rather than the CEO who disclosed that IT systems in most Norsk Hydro business areas were impacted, including the digital systems at its smelting plants. Apart from switching to manual operations at its smelting plants, several metal extrusion plants had to be shut down. Acting resiliently to avoid infection spreading from one plant to another, Norsk Hydro quickly isolated its plants.