What will cyber risk look like in 2030? Given the rate of change of technology this may seem like an impossible question to answer. But for those making investments that depend on these new technologies and the risks that surround them – either managing or insuring the risk – it’s critical that these investments are made not only with a 12-month horizon in mind, but with a projection that extends over the next five or even ten years.
To facilitate this important discussion, RMS is delighted to be co-hosting an event at the University of Cambridge Judge Business School on “The Future of Cyber Risk”. To be held on July 24, the event will challenge cyber risk specialists and risk managers to think beyond the next 12 months and to consider how cyber could evolve over a five- to ten-year horizon.
In particular, the event will focus on the potential paradigm shifts that could provide strategic shock, and how business strategies should be developed to cope with this uncertain future.
In 1915, Cuthbert Heath, pioneer of catastrophe insurance at Lloyd’s of London, decided to offer insurance policies to cover the impacts of war far from the front line. Zeppelin airships were arriving over London during World War One, dropping bombs and incendiary devices. Later in the war, the bombs were being thrown out of Gotha biplanes.
Heath did some simple calculations: the number of Zeppelins, the frequency of attacks, the number of bombs each airship could carry, the damage area of an explosion, and how much of London was built up compared to open spaces. Having generated a risk cost estimate, he then multiplied it by six to arrive at his proposed rate for the insurance coverage. As the intensity of air attacks went up and down so his insurance prices followed.
RMS recently participated in a cyber model comparison exercise at the Cat Risk Management and Modelling conference in London. These types of comparison for natural catastrophe models have been performed at several conferences during the last decade, but this was the first time that losses from multiple cyber models had been compared in this way. The assessment included established cyber model firms such as RMS and Guidewire, as well as start-ups including Corax, Kovrr and CyberCube.
This comparison exercise clearly demonstrated that the cyber modeling industry has not reached a consensus on the likelihood and impact of extreme cyber catastrophes. The comparison was run against a small number of accounts – looking at a total of 46 U.S. companies across a range of industry sectors.
On Monday, March 18, 2019, Norsk Hydro, one of the world’s largest aluminum producers, announced the replacement of its CEO, who had left the company through early retirement. This followed admissions that the company was responsible for a massive environmental spillage of bauxite residues at its plants in north-eastern Brazil in February 2018. As a result, a government-imposed shutdown of some of Norsk Hydro’s operations had seen aluminum production at its Alunorte refinery cut to just 50 percent of its capacity.
Late that same evening, the company’s IT team was alerted to a major cyberattack. At a press conference the following morning, it was the CFO rather than the CEO who disclosed that IT systems in most Norsk Hydro business areas were impacted, including the digital systems at its smelting plants. Apart from switching to manual operations at its smelting plants, several metal extrusion plants had to be shut down. Acting resiliently to avoid infection spreading from one plant to another, Norsk Hydro quickly isolated its plants.
This article was originally published in The Insurer.
Examples of data theft continue to stream through; no one brand seems immune from having to announce major losses of customer data records. Uber paid US$148 million to settle a legal action over a cyberattack in 2016 that exposed data from 57 million customers and drivers. Forbes reported that Yahoo agreed to pay a US$50 million settlement to roughly 200 million people affected by the email service’s 2013 data breach.
It is still the case that data theft is the leading source of loss for both insurers and reinsurers that cover cyber. The cyber insurance market is still in an early growth stage: the overall economic impact on the global economy from cyberattacks in 2017 was estimated at US$600 billion, while insured loss for standalone cyber policies was a fraction of this, at around US$1 billion to US$1.5 billion. But with cyber risk continually evolving, insurers may have to contend with a new, growing source of loss, as cyber attackers are turning to ransomware because it offers a potentially easier and more lucrative attack method.
Ransomware is malware that infiltrates a company’s network and disables servers or locks up data until a ransom is paid. This contagious malware, of which WannaCry and NotPetya are probably the most renowned examples, can plague even companies with high standards of security, and has the ability to scale and to cause systemic loss to thousands of companies. Attackers have also stolen data from a company and then attempted to extort a ransom from the victim company in return for the data.
Overall, the number of ransomware attacks is increasing each year, and for cyber attackers ransomware is readily available to buy on the dark web. As outlined in our recent RMS Cyber Risk Outlook Report, estimates of ransomware extorted in 2017 exceed five billion dollars, a 15-fold increase over the previous two years.
Accessing information on the Internet was once likened to searching for information in a library, where the pages of all the books had been ripped out and strewn on the floor. Everyone knows that there is a colossal amount of online information about cyber security issues. How can this seemingly boundless ocean of information be processed for the practical benefit of cyber risk professionals?
This is a daunting multi-disciplinary challenge because cyber risk management spans the broad domains of information technology, risk regulation, law and criminology, security economics, insurance, as well as risk analysis.
This challenge can’t be met by one person – but it can with three. Early in 2017, Andrew Coburn conceived of the idea of a book on cyber risk, with Éireann Leverett and myself as the two other co-authors. Éireann is an ethical hacker, with specialist capabilities and technical insight into the shadowy world of cyber attack and defense. I knew he had special expertise when he showed he could hack my (Samsung) phone in five minutes.
After a brainstorming session in the RMS London office, Andrew came up with the title, Solving Cyber Risk, and after a year and a half of gestation, this book has just been published by Wiley.
Of the many risks that businesses must face, it is now probable that cyber poses the greatest risk for any business – across the globe and across all sectors. Hardly a day passes without another high-profile global business hitting the headlines with the latest report of a cyberattack, and these incidents are costly. RMS recently estimated that the losses for the Marriott International incident could reach in excess of US$250 million, in an attack that impacted half a billion customers.
Managing the impact of a cyberattack is a complex, lengthy process, and losses occur from a long list of sources. These range from the immediate costs of securing or replacing IT systems, through the direct losses incurred by customers or suppliers, all the way to the “long-tail” losses of litigation such as customer class actions. Perhaps most damaging of all is the loss of reputation as customers feel cheated and violated when their personal details are stolen and sold. Businesses have to try to win back the trust of customers who may never return.
I invite you to read an excerpt from Solving Cyber Risk, a new book jointly written by Andrew Coburn, Éireann Leverett, and Gordon Woo, which illustrates the origins and the mechanics of an attack, as well as its impact, by examining the Target cyberattack in 2013. The story of the Rescator cyber-hacker team, the perpetrators of a data-theft involving 110 million payment card details from Target customers, is as worthy as any Ocean’s 11 casino-heist. Reading the story, it is hard not to acknowledge the proficiency of this small team of hackers. They identified the vulnerabilities, drew up their target list, circumvented defenses, then through a combination of luck and skill – struck gold, and got clean away from the scene without a trace.
On September 8, 2018, Marriott International received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database. A subsequent investigation carried out by the security specialist firm Kroll determined that unauthorized access had taken place. As the investigation progressed, Marriott discovered that the Starwood network had been accessed since 2014. An unauthorized party had also copied information and had taken steps towards removing it.
In its statement on November 30, Marriott stated that it had not finished identifying this duplicated information in the database, but believed it impacted around 500 million customers. For approximately 327 million of these guests, the information includes some combination of name, address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, and arrival and departure information. For some, the information also includes payment card numbers and expiration dates, but the payment card numbers were encrypted using the Advanced Encryption Standard (AES-128).
With regards to the potential perpetrators, rumors have spread that Chinese state hackers might have been behind the cyberattack, although as with most cyberattacks the attribution to a specific threat actor is a lengthy and uncertain task.
The latest edition of EXPOSURE is essential reading for risk professionals, as we look back at what can be learned from last year’s events and look forward to the future including new challenges faced by the global risk management community and new opportunities to capitalize on.
EXPOSURE offers a unique perspective with a clear mission “… to provide insight and analysis to help insurance and risk professionals innovate, adapt and deliver.” And with a new North Atlantic hurricane season nearly upon us, and memories of HIM (Hurricanes Harvey, Irma and Maria) fresh in the industry’s collective consciousness, EXPOSURE talks to the industry and paints a picture of a mature, responsible insurance sector that managed HIM with certainty and confidence. Cyber has also demonstrated its potential as a global systemic risk, and EXPOSURE looks at how events such as an outage of a major cloud services provider could generate economic losses as high as those of Superstorm Sandy.
As the sun shone over Biscayne Bay at the start of the second full day at Exceedance, our keynote guest speaker, Jeff Goodell, energy and environmental expert, investigative journalist and author of numerous books including The Water Will Come, asked a provocative question in his opening slide. It simply said, “Goodbye Miami?”
Jeff said that he felt at home in the company of fellow “catastrophists” and the risk management community at Exceedance, but this is not always the case. When talking about climate change and sea-level rise, he sometimes felt as if he was Richard Dreyfuss in the movie Jaws. Dreyfuss played oceanographer Matt Hooper, a character who continually warned the Mayor of Amity Island to close the beach because of the risk of shark attacks. The Mayor ignored the advice, due to the economic impact of closing the beach … but [spoiler alert] the shark kept coming. Jeff remarked that sea-level rise is the shark, and it’s bigger and more dangerous than we first anticipated.