Formerly Moody's RMS
The Dyn distributed denial of service (DDoS) attack in October 2016 highlighted security flaws inherent in the Internet of Things (IoT). EXPOSURE asks what this means for businesses and insurers as the world becomes increasingly connected.
A decade ago, Internet connections were largely limited to desktop computers, laptops, tablets, and smartphones. Since then there has been an explosion of devices with IP addresses, including baby monitors, connected home appliances, motor vehicles, security cameras, webcams, "Fitbits" and other wearables. Gartner predicts there will be 20.8 billion things connected to the Internet by 2020.
In a hyper-connected world, governments, corporates, insurers and banks need to better understand the potential for systemic and catastrophic risk arising from a cyber attack seeking to exploit IoT vulnerabilities. With few actual examples of how such attacks could play out, realistic disaster scenarios and cyber modeling are essential tools by which (re)insurers can manage their aggregate exposures and stress test their portfolios.
"IF MALICIOUS ACTORS WANTED TO, THEY WOULD ATTACK CORE SERVICES ON THE INTERNET AND I THINK WE'D BE SEEING A NEAR GLOBAL OUTAGE"
KEN MUNRO
PEN TEST PARTNERS
Many IoT devices currently on the market were not designed with strict IT security in mind. Ethical hackers have demonstrated how everything from cars to children's toys can be compromised. These connected devices are often an organization's weakest link. The cyber criminals responsible for the 2013 Target data breach are understood to have gained access to the retailer's systems and the credit card details of over 40 million customers via the organization's heating, ventilation and air conditioning (HVAC) system.
The assault on DNS hosting firm Dyn in October 2016, which brought down multiple websites including Twitter, Netflix, Amazon, Spotify, Reddit, and CNN in Europe and the U.S., was another wake-up call. The DDoS attack was carried out using the Mirai malware to compromise IoT devices. Like a parasite, the malware gained control of an estimated 100,000 devices, using them to bombard and overwhelm Dyn's infrastructure.
This is just the tip of the iceberg, according to Ken Munro, partner, Pen Test Partners. "My first thought [following the Dyn attack] was 'you ain't seen nothing yet'. That particular incident was probably using the top end of a terabyte of data per second, and that's nothing. We've already seen a botnet that is several orders of magnitude larger than that. If malicious actors wanted to, they would attack core services on the Internet and I think we'd be seeing a near global outage."
In the rush to bring new IoT devices to market, IT security has been something of an afterthought, thinks Munro. The situation is starting to change, though, with consumer watchdogs in Norway, the Netherlands and the U.S. taking action. However, there is a significant legacy problem to overcome, and it will be several years before current security weaknesses are tackled in a meaningful way.
"I've still got our first baby monitor from 10 years ago," he points out. "The Mirai botnet should have been impossible, but it wasn't because a whole bunch of security camera manufacturers did a really cheap job. IT security wasn't on their radar. They were thinking about keeping people's homes secure without even considering that the device itself might actually be the problem."
In attempting to understand the future impact of such attacks, it is important to gain a better understanding of motivation. For cyber criminals, DDoS attacks using IoT botnets could be linked to extortion attempts or to diverting the attention of IT professionals away from other activities. For state-sponsored actors, the purpose could be more sinister, with the intent to cause widespread disruption, and potentially physical damage and bodily harm.
It is the latter scenario that is of growing concern to risk and insurance managers. Lloyd's, for instance, has asked syndicates to create at least three internal "plausible but extreme" cyber attack scenarios as stress-tests for cyber catastrophe losses. It has asked them to calculate their total gross aggregate exposure to each scenario across all classes, including "silent" cyber.
AIG is also considering how a major cyber attack could impact its book of business. "We are looking at it, not only from our own ERM perspective, but also to understand what probable maximum losses there could be as we start to introduce other products and are able to attach cyber to traditional property and casualty policies," explains Mark Camillo, head of cyber at AIG. "We look at different types of scenarios and how they would impact a book."
AIG and a number of Lloyd's insurers have expanded their cyber offerings to include cover for non-damage business interruption and physical damage and bodily harm arising from a cyber incident. Some carriers, including FM Global, are explicitly including cyber in their traditional suite of products. Others have yet to include explicit wording on how traditional products would respond to a cyber incident.
"WE HAVE RELEASED A NUMBER OF CYBER-PHYSICAL ATTACK SCENARIOS THAT CAUSE LOSSES TO TRADITIONAL PROPERTY INSURANCE"
ANDREW COBURN
RMS
"I don't know if the market will move towards exclusions or including affirmative cyber coverage within property and casualty to give insureds a choice as to how they want to purchase it," states Camillo. "What will change is that there is going to have to be some sort of due diligence to ensure cyber exposures are coded properly and carriers are taking that into consideration in capital requirements for these types of attacks."
In addition to markets such as Lloyd's, there is growing scrutiny from insurance industry regulators, including the Prudential Regulation Authority in the U.K., on how a major cyber event could impact the insurance industry and its capital buffers. They are putting pressure on those carriers that are currently silent on how their traditional products would respond, to make it clear whether cyber-triggered events would be covered under conventional policies.
"The reinsurance market is certainly concerned about, and constantly looking at the potential for, catastrophic events that could happen across a portfolio," says William Henriques, senior managing director and co-head of the Cyber Practice Group at Aon Benfield. "That has not stopped them from writing cyber reinsurance and there's enough capacity out there. But as the market grows and gets to US$10 billion, and reinsurers keep supporting that growth, they are going to be watching that accumulation and potential for catastrophic risk and managing that."
In December 2015 and again in December 2016, parts of Ukraine's power grid were taken down. WIRED magazine noted that many parts of the U.S. grid were less secure than Ukraine's and would take longer to reboot. It was eerily similar to a fictitious scenario published by Cambridge University's Centre for Risk Studies in partnership with Lloyd's in 2015. "Business Blackout" considered the impact of a cyber attack on the US power grid, estimating total economic impact from the 1-in-200 scenario would be US$243 billion, rising to US$1 trillion in its most extreme form.
It is not beyond the realms of possibility for a Mirai-style botnet targeting smart thermostats to be used to achieve such a blackout, thinks Pen Test Partners' Ken Munro. "You could simultaneously turn them all on and off at the same time and create huge power spikes on the electricity grid. If you turn it on and off and on again quickly, you'll knock out the grid; then we would see some really serious consequences."
Smart thermostats could be compromised in other ways, for instance by targeting food and pharmaceutical facilities with the aim of spoiling goods. There is a commonly held belief that the industrial control systems and supervisory control and data acquisition systems (ICS/SCADA) used by energy and utility companies are immune to cyber attacks because they are disconnected from the Internet, a protective measure known as "air gapping". Smart thermostats and other connected devices could render that defense obsolete.
In its Cyber Accumulation Management System (CAMS v2.0), RMS considered how silent cyber exposures could impact accumulation risk in the event of major cyber attacks on operations technology, using the Ukrainian power grid attack as an example. "We've released a number of cyber-physical attack scenarios that cause losses to traditional property insurance," explains Andrew Coburn, senior vice president at RMS and a founder and member of the executive team of the Cambridge Centre for Risk Studies.
"We're working with our clients on trying to figure out what level of stress test should be running," he explains. "The CAMS system we've released is about running large numbers of scenarios and we have extended that to look at silent cover, things in conventional insurance policies that could potentially be triggered by a cyber attack, such as fires and explosions."
Multiple lines of business could be impacted by a cyber event, thinks Coburn, including nearly all property classes, among them aviation and aerospace. "We have included some scenarios for marine and cargo insurance, offshore energy lines of business, industrial property, large numbers of general liability and professional lines, and, quite importantly, financial institutions professional indemnity, D&O and specialty lines."
"The IoT is a key element of the systemic potential of cyber attacks," he says. "Most of the systemic risk is about looking at your tail risk. Insurers need to look at how much capital they need to support each line of business, how much reinsurance they need to buy and how they structure their risk capital."
Cyber-Induced Fires in Commercial Office Buildings
Hackers exploit vulnerabilities in the smart battery management system of a common brand of laptop, sending their lithium-ion batteries into a thermal runaway state. The attack is coordinated to occur on one night. A small proportion of infected laptops that are left on charge overnight overheat and catch fire, and some unattended fires in commercial office buildings spread to cause major losses. Insurers face claims for a large number of fires in their commercial property and homeowners' portfolios.
Cyber-Enabled Marine Cargo Theft From Port
Cyber criminals gain access to a port management system in use at several major ports. They identify high value cargo shipments and systematically switch and steal containers passing through the ports over many months. When the process of theft is finally discovered, the hackers scramble the data in the system, disabling the ports from operating for several days. Insurers face claims for cargo loss and business interruption in their marine lines.
ICS-Triggered Fires in Industrial Processing Plants
External saboteurs gain access to the process control network of large processing plants, and spoof the thermostats of the industrial control systems (ICS), causing heat-sensitive processes to overheat and ignite flammable materials in storage facilities. Insurers face sizeable claims for fire and explosions in a number of major industrial facilities in their large accounts and facultative portfolio.
PCS-Triggered Explosions on Oil Rigs
A disgruntled employee gains access to a Network Operations Centre (NOC) controlling a field of oil rigs, and manipulates several of the Platform Control Systems (PCS) to cause structural misalignment of well heads, damage to several rigs, oil and gas release, and fires. At least one platform has a catastrophic explosion. Insurers face significant claims to multiple production facilities in their offshore energy book.
Regional Power Outage From Cyber Attack on U.S. Power Generation
A well-resourced cyber team infiltrates malware into the control systems of U.S. power generating companies, causing desynchronization in certain types of generators. Sufficient generators are damaged to cause a cascading regional power outage that is complex to repair. Restoration of power to 90 percent of customers takes two weeks. Insurers face claims in many lines of business, including large commercial accounts, energy, homeowners and specialty lines. The scenario is published as a Lloyd's Emerging Risk Report, "Business Blackout", by the Cambridge Centre for Risk Studies and was released in RMS CAMS v1.1.
Regional Power Outage From Cyber Attack on UK Power Distribution
A nation-state plants "Trojan Horse" rogue hardware in electricity distribution substations, which is activated remotely to curtail power distribution and cause rolling blackouts intermittently over a multi-week campaign. Insurers face claims in many lines of business, including large commercial accounts, energy, homeowners and specialty lines. The scenario is published as "Integrated Infrastructure" by the Cambridge Centre for Risk Studies, and was released in RMS CAMS v1.1.
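The stress-test exercise described earlier (gross aggregate exposure per scenario across all classes including silent cyber, and the tail-risk view that drives capital per line) can be sketched in code. The following Python is an added illustration, not RMS CAMS code or any figure from the article: the scenarios are constructed placeholders named after the list above, their annual probabilities and losses are assumed, and the loss at a chosen return period (such as the 1-in-200 used in Business Blackout) is read off an exceedance curve built by enumerating every combination of independent scenarios.

```python
"""Scenario-based cyber accumulation stress test: added illustration, not RMS CAMS code.
Annual probabilities and losses by line (US$ million) are constructed placeholders."""
from itertools import product

# Constructed scenario set, named after the scenarios listed on the page.
SCENARIOS = {
    "laptop_battery_fires": (0.020, {"commercial_property": 1500, "homeowners": 400}),
    "port_cargo_theft": (0.015, {"marine_cargo": 800}),
    "ics_plant_fires": (0.010, {"industrial_property": 2500}),
    "oil_rig_explosions": (0.005, {"offshore_energy": 3000}),
    "regional_blackout": (0.004, {"commercial_property": 6000, "energy": 2000, "homeowners": 1500}),
}
# Assumed: these lines have no affirmative cyber wording, so they respond only as silent cover.
SILENT_LINES = {"commercial_property", "homeowners", "industrial_property", "marine_cargo"}

def gross_aggregate(losses):
    """Total gross loss of one scenario across all lines."""
    return sum(losses.values())

def silent_cyber_share(losses):
    """Fraction of a scenario's loss that would fall on silent-cyber wordings."""
    total = gross_aggregate(losses)
    return sum(v for k, v in losses.items() if k in SILENT_LINES) / total if total else 0.0

def worst_case_by_line(scenarios):
    """Largest single-scenario loss per line: a first cut at capital needed per line."""
    worst = {}
    for _, losses in scenarios.values():
        for line, amount in losses.items():
            worst[line] = max(worst.get(line, 0), amount)
    return worst

def annual_loss_distribution(scenarios):
    """Annual loss -> probability, enumerating every combination of independent scenarios."""
    dist = {}
    for occurs in product((False, True), repeat=len(scenarios)):
        prob, loss = 1.0, 0
        for hit, (p, losses) in zip(occurs, scenarios.values()):
            prob *= p if hit else 1.0 - p
            loss += gross_aggregate(losses) if hit else 0
        dist[loss] = dist.get(loss, 0.0) + prob
    return dist

def return_period_loss(scenarios, years):
    """Largest annual loss whose exceedance probability is at least 1/years (e.g. 200)."""
    dist, exceedance = annual_loss_distribution(scenarios), 0.0
    for loss in sorted(dist, reverse=True):
        exceedance += dist[loss]
        if exceedance >= 1.0 / years:
            return loss
    return 0
```

With these placeholder inputs the 1-in-200 loss is set by the rig-explosion scenario alone, while the blackout scenario, being rarer than 1-in-200, only shows up at longer return periods; that is the tail the quoted remarks on capital and reinsurance are about.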