Tag Archives: cyber risk

The Future of Cyber Risk

What will cyber risk look like in 2030? Given the rate of change of technology, this may seem like an impossible question to answer. But for those making investments that depend on these new technologies and the risks that surround them – either managing or insuring the risk – it’s critical that these investments are made not only with a 12-month horizon in mind, but with a projection that extends over the next five or even ten years.

To facilitate this important discussion, RMS is delighted to be co-hosting an event at the University of Cambridge Judge Business School on “The Future of Cyber Risk”. To be held on July 24, the event will challenge cyber risk specialists and risk managers to think beyond the next 12 months and to consider how cyber could evolve over a five- to ten-year horizon.

In particular, the event will focus on the potential paradigm shifts that could provide strategic shock, and how business strategies should be developed to cope with this uncertain future.


On Writing a Book on Cyber Risk

Accessing information on the Internet was once likened to searching for information in a library, where the pages of all the books had been ripped out and strewn on the floor. Everyone knows that there is a colossal amount of online information about cyber security issues. How can this seemingly boundless ocean of information be processed for the practical benefit of cyber risk professionals?

This is a daunting multi-disciplinary challenge because cyber risk management spans the broad domains of information technology, risk regulation, law and criminology, security economics, insurance, as well as risk analysis.

This challenge can’t be met by one person – but it can with three. Early in 2017, Andrew Coburn conceived of the idea of a book on cyber risk, with Éireann Leverett and myself as the two other co-authors. Éireann is an ethical hacker, with specialist capabilities and technical insight into the shadowy world of cyber attack and defense. I knew he had special expertise when he showed he could hack my (Samsung) phone in five minutes.

After a brainstorming session in the RMS London office, Andrew came up with the title, Solving Cyber Risk, and after a year and a half of gestation, this book has just been published by Wiley.


Does Cyber Now Pose the Greatest Threat to Businesses?

Of the many risks that businesses must face, it is now probable that cyber poses the greatest risk for any business – across the globe and across all sectors. Hardly a day passes without another high-profile global business hitting the headlines with the latest report of a cyberattack, and these incidents are costly. RMS recently estimated that the losses for the Marriott International incident could reach in excess of US$250 million, in an attack that impacted half a billion customers.

Managing the impact of a cyberattack is a complex, lengthy process, and losses arise from a long list of sources. These range from the immediate costs of securing or replacing IT systems, through the direct losses incurred by customers or suppliers, all the way to the “long-tail” losses of litigation such as customer class actions. Perhaps most damaging of all is the loss of reputation as customers feel cheated and violated when their personal details are stolen and sold. Businesses have to try to win back the trust of customers who may never return.

I invite you to read an excerpt from Solving Cyber Risk, a new book jointly written by Andrew Coburn, Éireann Leverett, and Gordon Woo, which illustrates the origins and the mechanics of an attack, as well as its impact, by examining the Target cyberattack in 2013. The story of the Rescator cyber-hacker team, the perpetrators of a data-theft involving 110 million payment card details from Target customers, is as worthy as any Ocean’s 11 casino-heist. Reading the story, it is hard not to acknowledge the proficiency of this small team of hackers. They identified the vulnerabilities, drew up their target list, circumvented defenses, then through a combination of luck and skill – struck gold, and got clean away from the scene without a trace.


Exceedance: Time to Make Risk More Transparent

As the sun shone over Biscayne Bay at the start of the second full day at Exceedance, our keynote guest speaker, Jeff Goodell, energy and environmental expert, investigative journalist and author of numerous books including The Water Will Come, asked a provocative question in his opening slide. It simply said, “Goodbye Miami?”

Jeff said that he was at home being in the company of fellow “catastrophists” and the risk management community at Exceedance, but this is not always the case. When talking about climate change and sea-level rise, he sometimes felt as if he was Richard Dreyfuss in the movie Jaws. Dreyfuss played oceanographer Matt Hooper, a character who continually warned the Mayor of Amity Island to close the beach because of the risk of shark attacks. The Mayor ignored the advice, due to the economic impact of closing the beach … but [spoiler alert] the shark kept coming. Jeff remarked that sea-level rise is the shark, and it’s bigger and more dangerous than we first anticipated.

Jeff Goodell presenting at Exceedance


Crossing the Divide – How Cyberattacks Affect the Physical World

We tend to think that the critical systems responsible for managing oil rigs, power stations and steel production plants are somewhat immune to what happens in the “wild west” of cyberspace. News of cyberattacks tends to focus on data theft, financial heists, or bringing down websites; these are contained within IT systems. If cyberattacks are contained in the cyber world, then the logic goes that only cyber insurers should be concerned by the risk.

There is also a sense of security in the belief that critical control systems for “real world” assets and processes would be too mechanical, too old, not connected to the same network as the wider Internet, or would run on their own networks. The reality is that the industrial control systems (ICS) that manage energy, water, transport, communications, and manufacturing plants are increasingly managed and controlled remotely or need to be networked. Wherever a system needs to use a network, that system is exposed to the vulnerabilities on that network. For non-cyber insurers, this risk needs to be assessed and managed.


Implications of the WannaCry Cyber-Attack for Insurance

The event is arguably the most significant cyber-catastrophe to date and clearly demonstrates the systemic nature of cyber risk. A single vulnerability was utilized to spread malware to over 300,000 machines in over 150 countries causing havoc to industries as diverse as hospitals and car manufacturers.


EXPOSURE Magazine Snapshots: A New Way of Learning

This is a taster of an article published by RMS in the second edition of EXPOSURE magazine.

In EXPOSURE magazine, we delved into the algorithmic depths of machine learning to better understand the data potential that it offers the insurance industry. In the article, Peter Hahn, head of predictive analytics at Zurich North America, illustrated how pattern recognition sits at the core of current machine learning. How do machines learn? Peter compares it to how a child is taught to differentiate between similar animals: a machine would “learn” by viewing numerous different pictures of the animals, each clearly tagged, again and again.

Hahn comments “Over time, the machine intuitively forms a pattern recognition that allows them to tell a tiger from, say, a leopard. You can’t predefine a set of rules to categorize every animal, but through pattern recognition you learn what the differences are.”

Hahn adds that pattern recognition is already a part of how underwriters assess a risk. “A decision-making process will obviously involve traditional, codified analytical processes, but it will also include sophisticated pattern recognition based on their experiences of similar companies operating in similar fields with similar constraints. They essentially know what this type of risk ‘looks like’ intuitively.”

The Potential of Machine Learning

EXPOSURE magazine asked Christos Mitas, vice president of model development at RMS, how he sees machine learning being used. Mitas opened the discussion saying “We are now operating in a world where that data is expanding exponentially, and machine learning is one tool that will help us to harness that.”

Here are three areas where Mitas believes machine learning will make an impact:

Cyber Risk Modeling: Mitas adds “Where machine learning can play an important role here is in helping us tackle the complexity of this risk. Being able to collect and digest more effectively the immense volumes of data which have been harvested from numerous online sources and datasets will yield a significant advantage.”

Image Processing: “With developments in machine learning, for example, we might be able to introduce new data sources into our processing capabilities and make it a faster and more automated data management process to access images in the aftermath of a disaster. Further, we might be able to apply machine learning algorithms to analyze building damage post event to support speedier loss assessment processes.”

Natural Language Processing: “Advances here could also help tremendously in claims processing and exposure management,” Mitas adds, “where you have to consume reams of reports, images and facts rather than structured data. That is where algorithms can really deliver a different scale of potential solutions.”

RMS(one)® is a big data and analytics platform built from the ground up for the insurance industry, and is the platform behind solutions such as Risk Modeler and Exposure Manager.

Prudential Regulation Authority on the Challenges Facing Cyber Insurers

Most firms lack clear strategies and appetites for managing cyber risk, with a shortage of cyber domain knowledge noted as a key area of concern. So said the Prudential Regulation Authority, the arm of the Bank of England which oversees the insurance industry, in a letter to CEOs last week.

This letter followed a lengthy consultation with a range of stakeholders, including RMS, and identified several key areas where insurance firms could and should improve their cyber risk management practices. It focussed on the two distinct types of cyber risk: affirmative and silent.

Affirmative cover is explicit cyber coverage, offered either as a stand-alone policy or as an endorsement to more traditional lines of business. Silent risk is where cover is provided “inadvertently” through a policy that was typically never designed for it. But this isn’t the only source of silent risk: it can also leak into policies where existing exclusions are not completely exhaustive. A good example is policies with NMA 2914 applied, which excludes cyber losses except for cases where a cyber-attack causes physical damage (e.g. by fire or explosion).

The proliferation of this silent risk across the market is highlighted as one of the key areas of concern by the PRA. It believes this risk is not only material, but it is likely to increase over time and has the potential to cause losses across a wide range of classes, a sentiment we at RMS would certainly echo.

The PRA intervention shines a welcome spotlight and adds to the growing pressure on firms to do more to improve their cyber risk management practices. These challenges facing the market have been an issue for some time, but how do we help the industry address them?

The PRA suggests firms with cyber exposure should have a clearly defined strategy and risk appetite owned by the board and risk management practices that include quantitative and qualitative elements.

At RMS our cyber modeling has focussed on providing precisely this insight, helping many of the largest cyber writers to quantify both their silent and affirmative cyber risk, thus allowing them to focus on growing cyber premiums.

If you would like to know more about the RMS Cyber Accumulation Management System (released February 2016), please contact cyberrisk@rms.com.

The Changing Landscape of Cyber Threats

The cyber risk landscape is constantly changing. In the last few weeks alone we’ve seen potentially game-changing events: the release of U.S. National Security Agency hacking tools through the Shadow Brokers auction, and one of the most significant Distributed Denial of Service (DDoS) attacks ever seen, in which millions of Internet of Things devices were hijacked to target a major piece of Internet infrastructure, taking hundreds of websites offline. In this blog I’ll discuss some of the constant ebb and flow of attack versus defense through the lens of the five cyber loss methods currently modeled by RMS.

Data Breaches

The loss of 500 million records in a single cyberattack represents the largest data breach event in history – so far, at least. The recent Yahoo hack, and the potential impact on the proposed Verizon takeover, has sent another stark reminder to industry executives of the dangers surrounding data breaches.

It may have been the biggest single hack ever in terms of records lost, but it’s hardly an isolated one. The leak of the Panama Papers was significant in terms of size – but also led to huge political fall-out globally as politicians were implicated in secret offshore funds, with the resignation of the Icelandic prime minister.

Governments and public agencies themselves have also been targeted in the U.S., Mexico, and the Philippines, for example. One of the most significant breaches affected Turkey, with the release of nearly 50 million records from the country’s General Directorate of Population and Citizenship Affairs, which included addresses, birth dates, and most troublingly, national ID numbers.

These individual large events fit within the observed pattern for 2016 so far: data breaches are becoming less frequent, but those that do occur are of higher severity.

Denial of Service Attack

2016 has been another active period for Distributed Denial of Service (DDoS) attacks. Going into the year we’d seen signs of a downward trend. However, this was spectacularly reversed in the first quarter, which saw 19 attacks greater than 100 gigabits per second. The gaming and software industries continue to be most heavily impacted. Furthermore, we’re seeing a growing number of companies attacked repeatedly – on average, each targeted company was attacked 29 times, with one company being attacked 283 times!

Frequency aside, the increasing complexity of attacks is most disturbing. 59% of attacks in the first quarter of 2016 were “multi-vector” attacks, which require unique mitigation controls for each attack vector, as seen in the recent DDoS attack on Dyn, the DNS provider. If this trend continues we can expect existing defenses to be less effective against DDoS, and therefore disruption to increase.

Cloud Provider Failure

With the leading cloud providers continuing to achieve double- and even triple-digit year-on-year growth, the clear trend of companies moving their services to the cloud is continuing apace. Though the overall trend has been a decrease in annual downtime, 2016 has seen several small but significant failures, including an Amazon Web Services outage in Australia, Salesforce outages in both the U.S. and Europe, and a Verizon issue that impacted, among others, JetBlue Airways. As these cloud services become more popular and more companies become reliant on the cloud, the accumulation of risk to both business interruption and data loss is becoming ever more severe.

Financial Transaction Theft

Perhaps the most audacious cyber-attack of the past year was when almost US$100 million was stolen from Bangladesh’s central bank and transferred to accounts in Manila and the Philippines. Even more shocking, this money was stolen from the bank’s account at the U.S. Federal Reserve and was transferred using standard SWIFT financial transaction messages.

The largest cyber heist ever could have been even larger but for a misspelling, and it was this typo that caught the attention of the U.S. Federal Reserve Bank in New York. The perpetrators had attempted to withdraw $950 million over 35 separate transactions. A similar attack, using a vulnerability in the SWIFT messaging system, led to another multi-million dollar theft from a Ukrainian bank.

Perhaps more than any other sector, the interconnected nature of modern financial services leaves the industry open to large scale systemic cyber losses.

Cyber Extortion

Ransomware attacks are continuing to become more frequent and more complex in 2016. One alarming pattern has been the increased targeting of healthcare institutions: multiple hospitals in California and Kentucky in the U.S., and in Germany, have all been attacked. In one particularly unethical incident, the Hollywood Presbyterian Hospital had to pay out around $17,000 to regain access to its systems.

The more sophisticated software now being used to perpetrate attacks is starting to pay dividends for the hacking groups. The “Jigsaw” malware, for example, threatens to delete an increasing number of files after every hour of nonpayment. Encryption-type malware has become the norm – and targeted, business-focused malware is growing, as evidenced by the “Samsam” scheme, which targets unpatched server software.

Incorporating Into the RMS Cyber Model

RMS is continuing to monitor the broad spectrum of cyber-attacks that are impacting thousands of companies every month. During a recent online seminar, the RMS cyber team shared some of these key trends outlined in this blog, and discussed the impacts on cyber insurers. Through the RMS Cyber Accumulation Management System, RMS is continuing to incorporate these insights into our modeling to provide the most comprehensive and accurate view of cyber risk.

Mandatory reporting of cyber-attacks would improve understanding of cyber risk

The recent call by the Association of British Insurers (ABI) for the U.K. government to mandate the reporting of cyber-attacks is another welcome attempt to improve the collective learning opportunities presented by the continuous stream of cyber events. Every attack provides new data which can be fed into the probabilistic models that help build resilience against this growing corporate peril – so long as we are able to find out about those attacks. Thus, initiatives like this, which will lead to the sharing of valuable information and insights, are paramount.

Reporting cyber attacks is already mandatory in most U.S. states, where laws require companies to notify their customers and regulators as soon as they suffer a security breach. In 2018 a similar EU law, the European Network Information Security Directive, will make it mandatory for certain firms to provide alerts of cyber incidents.

However, having more information on data breaches still provides only part of the picture required to fully understand cyber as a peril.

Current security breach notification laws, where they exist, do not require companies to report the many other types of cyber-attack that are increasingly being used to target organizations. Cyber extortion, for example, is a growing trend. Firms typically choose not to report this type of attack to limit damage to their corporate reputation.

Historical attacks not a good indicator of the future

While having access to data on historical cyber breaches is valuable, the threat is constantly evolving, such that previous attacks have rarely been a good indicator of future events. Even a small shift in the balance between the capabilities of hackers and cyber defenses could lead to a significant shift in the frequency and severity of cyber attacks.

Staying on top of the myriad threat actors and their motivations and resources, as well as having a broad view of the range of viable attack methods that exist today, is crucial to understanding and managing cyber risk. But it is challenging to manage.

As a first step to help insurers better understand their existing cyber risk loss potential, RMS recently launched its Cyber Accumulation Management System. This tool provides insurers with a framework to organize and structure their data, identify their accumulations and correlated risk, and stress test their portfolios against a range of cyber loss methods. Having this capability enables insurers to understand the potential size of cyber catastrophes and set their risk appetite to safely grow capacity for this line of business.

Cyber attacks are an increasingly significant threat to the global economy. New cyber risk management solutions, combined with initiatives such as mandatory reporting, will help the insurance industry to continue to play its crucial role in ensuring the resiliency of our economy.

Contact the RMS cyber team for more information cyberrisk@rms.com.