Waves of online attacks on Domain Name Server (DNS) provider Dyn Inc. blocked access to Twitter, Spotify, Netflix, Amazon, Tumblr, Reddit, The New York Times and various other sites throughout Friday — an attack that Andrew C. Harris, CEO of brokerage Liberty Insurance Associates in Millstone Township, N.J., calls "overdue."
The cause was a distributed denial of service (DDoS) attack against Dyn, which as a DNS facilitates the loading of webpages. According to USA Today, the hackers used the malware program Mirai, which can send thousands and even hundreds of thousands of server requests at once, creating a flood of fake traffic and overwhelming a DNS.
According to a report from Reuters, the FBI and the Department of Homeland Security are investigating.
"This is not news to anybody who has been watching this for a while. It was a matter of when, not if," Harris says. "The bad guys — the foreign states — have been attempting to do what they accomplished today for a long time." (Editor's note: No suspects have been named as of press time, but the event calls to mind U.S. intelligence officials' claims of recent Russian cyber attacks on U.S. businesses.)
"It's no longer the student hackers or people who do this as a hobby or for fun,: Harris notes. "In the nation states, they have been trying to get into critical infrastructure for some time. That includes banking and insurance."
Harris has been involved in cybersecurity and cyber liability for years, working with the Department of Homeland Security since it began a public/private partnership around seven years ago.
"As we become more and more independent on the internet, and the more information we put out there, the more vulnerable we are," he continues. "This is a wake-up call for the insurance industry to recognize that we need to advise our clients that cyber protection and cyber awareness is critical."
Need for standardization
The sooner the insurance industry can get to issuing a standard Cyber Liability form, the better the industry will be able to handle these types of attacks. "The first step is building a standard Cyber policy that is an industry standard, with basic coverages on all types of Cyber policies," says Harris. "As with most of the things that ISO builds, it will be done in conjunction with agents, companies and reinsurers." Harris says ISO is working on this now, and speculates that this event could help to expedite the process.
"As the business and the public demands that, we as an industry respond," he continues. "Insurance agents will have more comfort selling a policy where they know these basic coverages are including, and then start building a la carte [policies] for clients that need bigger, stronger and more sophisticated coverage."
Risk management in focus
As individuals — and businesses — become more comfortable with Internet-based and cloud-based storage, we make ourselves more
vulnerable to cyber attacks. The insurance industry can provide loss prevention and risk management services.
Firewalls and "good computer hygiene" can lessen the risk of cyber loss due to attacks like the one that caused so much disruption on Friday. "Don't open attachments from strangers; if you bring your own device to work, don't connect to the employer's network and go shopping. It's an educational process, and mindful risk management is part of this whole process," he says.
Because of this event, Harris adds, "People will take [cyber liability] a lot more seriously."