During Thanksgiving weekend 2016, workers at the San Francisco Municipal Transportation Agency (SFMTA) received a rude awakening about just how powerfully cybercrime can affect the “real” world.
On Nov. 26, the SFMTA discovered it was the victim of a malicious ransomware attack that froze all of its office computers, internal computer systems and computers inside station agent booths, where an ominous message flashed across computer monitors: “You Hacked. ALL data encrypted.”
If that scenario sounds like fiction, it isn't. The perpetrator demanded the transit agency pay 100 bitcoin (about $73,000 in real-world funds) to have its system returned to normal. Ransomware attacks occur when a user unknowingly downloads the malicious software (or “malware”) on their computer, control of which is then seized by the party who sent the ransomware. The ransom is then requested.
SFMTA officials contacted the Department of Homeland Security, mobilized their own technology division to contain the attack, shut off all ticket vending machines and opened the fare gates inside its subway stations so that service wouldn't be affected. After nearly two days of free rides, service was restored with the government's help.
San Francisco transit officials have estimated that $50,000 in fare revenue was lost during the attack — and cybersecurity bloggers who follow these types of threats concur that the damage could have been much worse.
High-profile DDoS attack
In a separate, even more high-profile event on Oct. 21, many internet users experienced the largest cyber attack of its kind to affect them personally. The victim in that case: Dyn, a company that controls much of the internet's domain name system (DNS) infrastructure. A distributed denial of service (DDoS) attack was executed in which a network of malware-infected computers, known as a “botnet,” is coordinated into bombarding a server with enough traffic that it becomes overwhelmed and crashes.
Dyn's servers were relentlessly strained for most of the day, bringing down sites including Twitter, Reddit, Netflix, CNN and many others in Europe and the U.S. The attack illustrated for many that the Internet is not as stable an institution as many would like to think, and experts fear this could only be the beginning of a greater series of attacks to come in the near future.
“The truly scary part of this attack for clients and insurers is the potential widespread impact of an attack on one piece of the broader internet ecosystem,” says Dan Burke, Cyber and Technology product head and vice president at Hiscox USA. “Many web companies with very tight security protocols and significant investments dedicated to network security infrastructure were impacted by an attack over which they had no control.”
Emy R. Donavan offers a different perspective. “The Dyn attack tells us that we’ve been pretty lucky so far. There was fairly minimal damage, outside of inconvenience,” says the regional head of Cyber, North America; U.S. Head of E&O-Technology, Media, Specialty PI and A&E for Allianz Global Corporate & Specialty SE. “I’m hopeful that this incident will serve as a wake-up call to private industry and the government that more must be done to secure our infrastructure. From an insurance perspective, it reminded us of the looming presence of potential aggregation issues due to cyber events that can impact multiple policies across a number of lines of business.”
Events in which cybercrime intrudes upon real life are one of the things that keeps Thomas Dunbar awake at night. Dunbar, head of information risk management and enterprise risk management for XL Catlin, isn't convinced the general public understands exactly what happened in October or the possible consequences of future attacks.
“This attack was new in that it harvested the power of the Internet of Things (IoT),” Dunbar explains. The DDoS incident, he continues, was made possible by the insecurity of home routers, smart TVs, DVRs, CCTV and other devices — all of which are built with functionality in mind, not security. This allowed attackers to install malware on these devices, add them to a botnet (“think of a zombie army,” he says) and send them en masse to attack a particular company that provided address resolution for the internet.
“The size of the attack was massive, and no company can currently protect itself against such magnitude,” adds Dunbar. It raises several key questions: “First, how do you build security into IoT devices that are mainly consumer devices, when the consumer doesn't care? And, two, who was behind this attack, who else can use this type of attack, and what are the consequences of an even larger and more prolonged attack?”
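The botnet mechanism Dunbar describes, many compromised devices each sending a little traffic, is what separates a distributed attack from one misbehaving client, and that distinction is also the basis of the simplest volumetric detection a defender can run. The following is an added example, not code from the article or from any company quoted in it: it builds a constructed access log (the target name and addresses are placeholders), takes each target's median per-second request count as a baseline, and flags any one-second window that both exceeds a multiple of that baseline and is fed by many distinct sources. The thresholds (`factor`, `min_sources`) are assumptions chosen for the sample data.

```python
"""Volumetric DDoS detection over a constructed request log (added example)."""
import statistics
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class Record(NamedTuple):
    ts: int      # epoch second
    src: str     # source address
    dst: str     # target host


class Alert(NamedTuple):
    dst: str
    ts: int
    requests: int
    distinct_sources: int
    kind: str    # "distributed" (botnet-like) or "single-source"


def build_sample_log() -> str:
    """Constructed log: '<epoch_second> <source_ip> <target_host>' per line."""
    lines = []
    # 20 seconds of normal traffic: three requests/second from three clients.
    for ts in range(1000, 1020):
        for i in range(3):
            lines.append(f"{ts} 10.0.0.{i + 1} dns.example.test")
    # Second 1020: one broken client retries 300 times (noisy, not distributed).
    for _ in range(300):
        lines.append("1020 10.0.0.9 dns.example.test")
    # Second 1021: 400 distinct infected devices each send one request.
    for i in range(400):
        lines.append(f"1021 10.1.{i // 256}.{i % 256} dns.example.test")
    return "\n".join(lines)


def parse_log(text: str) -> List[Record]:
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst = line.split()
        records.append(Record(int(ts), src, dst))
    return records


def window_stats(records: List[Record]):
    """Per (target, second): request count and the set of distinct sources."""
    counts: Dict[Tuple[str, int], int] = defaultdict(int)
    sources: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
    for r in records:
        key = (r.dst, r.ts)
        counts[key] += 1
        sources[key].add(r.src)
    return counts, sources


def detect(records: List[Record], factor: float = 10.0,
           min_sources: int = 50) -> List[Alert]:
    """Flag windows whose request count exceeds factor x the target's median.

    A flagged window is "distributed" when it is fed by at least min_sources
    distinct addresses; otherwise it is a "single-source" burst, which calls
    for a different response (rate-limit one client, not absorb a flood).
    """
    counts, sources = window_stats(records)
    per_target: Dict[str, List[int]] = defaultdict(list)
    for (dst, _ts), n in counts.items():
        per_target[dst].append(n)
    # Median is robust: a few attack seconds do not drag the baseline up.
    baseline = {dst: statistics.median(ns) for dst, ns in per_target.items()}

    alerts = []
    for (dst, ts), n in sorted(counts.items()):
        if n <= factor * baseline[dst]:
            continue
        distinct = len(sources[(dst, ts)])
        kind = "distributed" if distinct >= min_sources else "single-source"
        alerts.append(Alert(dst, ts, n, distinct, kind))
    return alerts


if __name__ == "__main__":
    for a in detect(parse_log(build_sample_log())):
        print(f"{a.dst} t={a.ts}: {a.requests} requests from "
              f"{a.distinct_sources} sources -> {a.kind}")
```

Run stand-alone, the script reports second 1020 as a single-source burst and second 1021 as a distributed one. The baseline is a median rather than a mean so that the attack windows themselves do not inflate it, and the distinct-source count is what tells a flood of low-volume devices apart from one client that is merely misbehaving.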
Scale and sophistication of attacks increasing
While DDoS attacks are not new, including against internet infrastructure providers, “the scale and sophistication of attacks that can be achieved using open-source code is increasing,” says Tom Kang, Cyber product manager for The Hartford. “The implications are that low-skilled individuals can generate large-scale attacks using established botnets and open source programs to impact operations of many businesses at the same time.”
If the Dyn attack “wasn't a wake-up call, nothing is,” says Andrew Harris, vice president of PIAPRO, the agent-owned captive insurance company of the National Association of Professional Insurance Agents (PIA) and PIA National's liaison to the Insurance Services Office.
Harris’ nearly four decades of experience in insurance sales and agency management includes more than 20 years spent as president and CEO of Liberty Insurance Associates of Millstone Township, N.J. As a member of a select group working with the Department of Homeland Security's Banking & Insurance online security task force, he knows a thing or two about cyber threats.
Even with the aforementioned headline-making events, Harris says, that one galvanizing moment that affects millions of people and proves to them once and for all the value of cyber insurance still has yet to happen. “There hasn't been the one giant claim yet that serves as the wake-up call,” he relates.
While the majority of citizens don't spend a great deal of time worrying about it, Harris assures PropertyCasualty360 that the U.S. government is “incredibly effective” at maintaining constant diligence and protecting our critical systems and infrastructure. “You don't hear about all the things that never happen,” he says. “You only hear about the ones that were missed. It’ll be the one that gets through, that will finally put cyber on everyone's radar screen.”
Speaking during a panel at NU's parent company ALM's Annual Insurance Executive Conference in December, Greg Vernaci, AIG's head of cyber for the U.S. and Canada, referred to 2016 as “The Year of Ransomware” as insurance carriers have seen “a significant uptick of our clients experiencing ransomware attacks.”
The FBI estimates that $150 million a year in the U.S. is exchanged through ransomware crime as victims acquiesce to hackers’ demands. According to Osterman Research, both phishing and crypto ransomware are increasing at the rate of several hundred percent per quarter, a trend it believes will continue for the next 18 to 24 months, at least.
Osterman also states in a recent white paper that the vast majority of organizations in the U.S. have been victimized by some level of phishing, ransomware or a variety of security-related cyber attack in the past year.
Even if an insured does fall victim to ransomware, Harris advises against ever paying the ransom. “If you pay, there's no guarantee that they won't come back and visit you again,” he says, noting that there's malware out there that could simply lock you out again every 30 days.
Good 'hygiene' among employees
Diligence at the corporate level is critical in maintaining good “hygiene” among employees, teaching them what they can click on when it comes to email attachments and links — and more importantly, what they can't. “The educational curve in this is happening, but not at the rate that we’d like to see,” says Harris — especially among insurance agents, who collect a lot of personal identifiable information. “We’re a very target-rich environment,” he says of U.S. independent producers. “Agents need to understand those exposures and then properly insure our clients.”
“If a company's data, trade secrets or other intellectual property assets are stolen, released or otherwise breached, the resulting financial loss could be tremendous,” says Evan Fenaroli, Philadelphia Insurance Cos.’ Cyber product manager. “The issue here is the difficulty and perhaps inability for both buyers and insurers to place a value on intellectual property and understand the implications of such a breach. Indeed, such a loss could have a permanent effect on a company's competitive advantage and ability to survive.”
‘We are vulnerable’
But what about a nightmare scenario in which multiple policies are triggered at once? From an insurance-carrier perspective, “aggregation concerns keep underwriters up at night,” says Burke. “Nearly every insurer and reinsurer is trying to get their arms around aggregation modeling at the moment, and often looking for outside help in developing those models.” Burke cites Cyence, RMS and Symantec as some of the players offering solutions to help insurers comprehend their cyber aggregation and better mitigate the risks.
Yet no matter the industry they’re in, businesses across the board must first acknowledge that no system is 100 percent secure, says Tracey Vispoli, president, Berkley Cyber Risk Solutions, a W.R. Berkley Company: “Everyone should assume at some point that their data will be viewed by an unauthorized person or group of persons with the intent to disrupt, destroy or hack that information for their own gain or purposes. It's that simple. We are vulnerable. Period.”
Cyber perils impact all insurance products
Insureds, Vispoli says, are concerned with what she calls the “Swiss cheese” conundrum: “They buy all kinds of insurance to help provide financial protection. But cyber perils impact all insurance products. It's like Swiss cheese, to determine where coverage exists and doesn't. Some coverage forms may include data breach exclusions or even stay silent on certain exposures, while others offer some affirmative coverage, but are not designed to cover all losses stemming from one or multiple breaches.”
Vernaci says that many clients are realizing that their concerns go beyond losing data, and include downtime of their computer networks or of their IT providers’ computer networks causing business interruption, being extorted for access to their data, or a cyber incident that results in physical and tangible harm.
“A cyber peril can result in both financial impact as well as physical, tangible losses such as bodily injury and property damage,” he notes. “Consequently, clients need to evaluate their entire P&C insurance portfolio to determine if their policies will respond adequately to each type of cyber incident.”
Evolution of coverage
As the exposures continue to evolve in the cyber market, so have requests for coverage. “Risk managers would certainly like to see policies that provide coverage for all losses resulting from a ‘cyber peril,’” says Kang.
The market, however, is still wrestling with defining cyber perils and which policies should provide coverage for those losses. Barring a large catastrophic cyber event that radically changes the marketplace, he adds, “we anticipate that the insurance industry will eventually find broader risk-transfer solutions for cyber risk.”
While early offerings from the market were focused primarily on data and privacy exposures, buyers are now increasingly interested in coverage for business interruption, data loss and cyber extortion, says Fenaroli.
At XL Catlin, the two newest and most prevalent coverage enhancements have been dependent business interruption and system failure, says John Coletti, chief underwriting officer for the carrier's North America Cyber & Technology unit. System failure coverage, he adds, is being sought should an insured suffer a business interruption loss in the event that their own systems go down.
Manny Cho, executive vice president, executive lines at Risk Placement Services Inc., says that as policies evolve, property coverage may look to include cyber-related damages as the U.S. moves to more automated manufacturing facilities. General liability coverages (that is, contingent and direct property damage and bodily injury) are creeping into cyber policies, adds Cho, who sees blended cyber and medical malpractice coverage as telemedicine becomes more prevalent.
“Coverage is constantly evolving to meet the market demand. Unfortunately, the challenges that impact companies today on the cyber front change from month to month, week to week and day to day,” he says. “Every company seems to be moving to a modular policy to help meet the challenges … maybe the third and first-party coverages will be stripped away so that brokers and carriers can further customize coverage for their clients.”
While some in the industry see the emergence of specialist “all risks” cyber policies covering all types of first- and third-party consequences, from data-breach liability response costs to property damage and bodily injury, Ben Beeson, Cyber Risk practice leader for Lockton, believes that dog won't hunt. “This assumes that property & casualty insurers will seek to exclude cyber perils. But if anything, the property market is now starting to invest resources in underwriting and pricing these risks,” he says. “The broker's role will become more important than ever in helping clients understand where coverage lies under the products they currently buy and whether gaps exist or not.”
“I think the cyber market will evolve in a similar manner to that which the E&O market developed,” says Donavan at Allianz. E&O coverage, she notes, began with a narrow scope; now, there is a lot of depth and complexity to E&O underwriting that she believes translates really well to the exposures posed by cyber. “For example, not every company is worried about property damage arising out of a cyber event, but manufacturers are; not every company is worried about product liability associated with hacking of IoT devices, but hardware companies are.”
Adequate insurance coverage for cyber risks probably doesn't exist in one product. (Photo: iStock)
Future policy innovations
In terms of coverage requests, she's seeing more clients asking for property damage and business income coverages that, “if they hadn't been requested before, they certainly weren't being provided by the commercial cyber insurance market,” says Donavan. “We’ve seen ‘cyber as a peril’ policies placed for companies with manufacturing and consumer products exposures, which is an interesting development.
“My opinion on these policies is that there is not yet sufficient comfort in the market to provide limits that would be really sufficient for large consumer-product firms,” she adds. “But the fact that these policies have been placed with meaningful limits is itself a real step forward in the scope of cyber products available in the market.”
AIG has developed cyber coverage solutions that affirmatively address bodily injury and property damage on a primary basis, an excess and difference-in-conditions basis, or to be included with other lines of business, such as their property policy. “This kind of flexibility allows organizations to tailor their insurance to their individual organizational needs and reflecting that cyber is not a one-size-fits-all insurance,” says Vernaci.
Vispoli believes that adequate insurance coverage for cyber risks does not exist in one product; it needs to coexist among many. “In time, the market will dictate the products best suited to provide adequate protection,” she says. “For instance, future policy innovations might include a catastrophic approach to cyber perils. It might also further embed loss control/risk engineering into the service offerings of carriers to help insureds assess their potential exposures and provide better state-of-the-market security solutions.”
More insureds, at the request of their brokers, have an expectation that the once sub-limited coverages for first-party expenses are now routinely full limits, adds Vispoli. “There will also be more coverage requests for system failures that result in business interruption losses and other first-party exposures such as crime and social engineering,” she says. “Bodily injury and property damage coverage requests are also new, with insureds looking to find ways to get this more traditional coverage from their property policy.”
The next ‘black swan’
Meanwhile, online threats continue to mount. The two hackers who were responsible for the DDoS attack in October remain at large. In an online chat with Vice's “Motherboard,” they revealed that a larger botnet is being assembled, with the capacity to take down targeted systems for a price. In the age of the IoT, no system is completely safe, no security foolproof.
“I’m worried about [the threats] we haven't thought of yet,” Donavan says. She's seen recommendations for public-private partnerships to allow voluntary sharing of cyber events, and automatic reporting to the same voluntary database of any incident reported to law enforcement. “That will enable insurers to hasten their understanding of pricing sufficiency and better hone their scenario modeling,” she adds. “That would allow us all to get our arms around the breadth of cyber exposures much quicker, both for insurers and companies alike.”