Editor's Note: These insights were first published as a Lockton Companies white paper.
In the movie Arrival, government scientists come face-to-face with extraterrestrial visitors, not knowing whether they are friendly or why they have landed on Earth. A linguist is brought in to decipher the aliens' language, yet despite her best efforts, she can translate only a few syllables. Armed with this incomplete information, some of the world's most powerful governments react irrationally and mobilize for a military attack.
We've met the enemy
There are parallels in cyber risk. We're learning more all the time as defenses and protections improve, but much is still unknown. The playing field favors the attackers, while emerging vulnerabilities bring new revelations at a seemingly inexorable pace.
Absent thoughtful mitigation strategies, the odds of making ill-informed decisions will only increase.
What we know about cyber risk is only a fraction of the vast unknown. While general awareness continues to grow with each incident, progress made on the mitigation front is usually eclipsed by the latest attack or breach.
The threat is evolving because the spectrum of motivation is widening, and weapons once considered esoteric are more widely accessible than ever.
The actors are no longer driven solely by criminal intent (e.g., stealing data for personal enrichment). These 'agents of chaos' are increasingly sabotaging companies and governments for political and terroristic gain, leaving significant first-party damage in their wake.
Layers of vulnerability
A cyber attack on Saudi Aramco threatened to cut off a large percentage of the world's oil supply when an employee clicked on a link that released a virus into the company's computer systems. As a result, 35,000 computers were frozen, Internet service went down, and phones went dead. Typewriters and fax machines were pressed into service, and the company had to turn away transport trucks because it lost the ability to make electronic payments.
Hackers seized control of a blast furnace in a German steel mill, causing "massive" property damage, according to reports. At the time the incident came to light, Wired magazine warned that attacks on industrial control systems "in the electric grid, in water treatment plants and chemical facilities, and even in hospitals and financial networks ... could cause even more harm than at a steel plant."
In October 2016, Amazon, Comcast, The New York Times, Starbucks, and scores of other large companies were impacted by an attack on DNS provider Dyn. Hackers used a network of infected devices called a botnet to flood and overwhelm Dyn’s servers, which rendered many popular websites inaccessible.
Clearly, the cyber threat is growing as weapons and motivations evolve.
There's strong evidence that for the first time in history a nation-state is employing ransomware.
Britain's security services recently joined a host of other agencies in concluding that the WannaCry outbreak was the work of the North Korean government. In May 2017, WannaCry seized control of computers running older versions of Microsoft Windows — in particular, systems that lacked a patch previously issued by Microsoft, including unlicensed systems that weren't eligible for the patch. The attack infected hundreds of thousands of computers in more than 150 countries, demanding payment to release them. Organizations affected included Britain's National Health Service (NHS), Spain's Telefónica, FedEx, and Germany's railway system.
Distributed denial of service (DDoS) attacks are also growing in size and sophistication, and Internet of Things (IoT) devices conscripted into botnets now contribute enormous amounts of bandwidth to overload servers with traffic. Unlike attacks on retailers to steal credit card information, DDoS attacks can cripple an entire enterprise. Instead of draining bank accounts or fraudulently purchasing goods, the intent is to render an entire ecosystem ineffective — or even worse, powerless.
The Internet of Things
Another emerging threat that's outpacing available defenses is attacks on physical devices and assets. The Internet of Things has improved efficiency in our daily lives; we can control the environment in our homes from our smartphones, and wearable devices give us actionable health data. In the commercial world, the IoT is delivering remote control and diagnostic capabilities to big machines—everything from jet engines to industrial controls. Companies that want to improve margins and efficiencies are connecting operational technology (think turbines in a utility) to corporate IT networks and running it remotely instead of with on-site staff. Yet the IoT is a double-edged sword, because the number of significant physical assets at risk of disruption is growing rapidly. With a projected economic impact of $11 trillion by 2025, the attraction of the IoT is irresistible for hackers.
There's greater transparency on personal data theft because retailers and other industries that handle such data are required to disclose a breach to the data's owners. With respect to attacks motivated by sabotage, for example, it's difficult to know the scale of the threat because companies haven't been required by law to disclose them. Yet more will come to light with the increase in regulatory oversight. For example, the state of New York now requires financial services firms to notify the state Department of Financial Services of cybersecurity events, scrutinize the security of third-party vendors, perform risk assessments, and design a cyber mitigation program.
Cyber risk is now one of the most important issues in the boardroom.
Insurance market response
Despite the growing attention that cyber risk now commands, first-party consequences are one aspect that has been marginalized or even overlooked.
Cyber risk is no longer confined to liability from handling personal data, but has implications related to property and physical assets that warrant serious consideration.
The evolving nature of the threat is posing a challenge to legacy property policies that were never intended to cover cyber risks and are often silent on whether those risks are covered or not.
Historically, stand-alone cyber insurance products have resided with the financial lines carriers, but when it comes to first-party cyber risk, the insurance market is fragmented. The lines have become blurred as to where coverage starts and stops between insurers. It's difficult for buyers to navigate this relatively new world and know where to find the right product. Although a number of market participants are strongly advocating for cyber insurance to be accessed only through all-risks policies, this development is unlikely to occur anytime soon, if ever.
From small businesses to Fortune 500s, every enterprise that uses a computer network has assets that can be compromised by a cyber incident. Some of the first-party consequences of the incidents described above are:
Property damage: Equipment sustains physical damage in an attack. Researchers predict there will be upward of 20 billion connected devices by 2020, and experts agree that critical infrastructure, water, energy, nuclear reactors, and the communication sectors will all be at risk. Property insurance should cover the cost of replacement and installation of equipment as most cyber insurance products exclude property damage.
Network interruption: The insured is unable to operate after suffering a denial of service or phishing attack. This should be treated as a business interruption loss and the insured compensated for loss of income and the increased cost of working around the clock until the network is restored. The majority of cyber insurance products will address this risk, but many property carriers will exclude it based on their consideration of data as an excluded intangible asset and a cyber attack as an excluded peril.
Data corruption: Digital content is damaged, destroyed, or stolen in an attack. A cyber criminal can infiltrate a system through a phishing attack and delete manufacturing code, for example. Besides the business interruption consequences, property insurance should cover data restoration costs, as a cyber insurance product would.
Theft of intellectual property: The calculation of economic loss is elusive when it comes to theft of intellectual property. This remains an uninsurable risk, as seen when Chinese hackers allegedly stole radar designs and engine schematics for the Lockheed Martin F-35 fighter jet. What remains unclear is how an insurer can model just how much economic damage the theft of proprietary, confidential blueprints can inflict on a defense contractor.
Cyber extortion: In this scenario, users are unable to access encrypted data until a ransom payment is made. While the majority of cyber insurers will cover this, it could be argued that this peril would fall under protection and preservation of property where physical property is involved because paying a ransom would restore the IT system and prevent the insured’s physical property from being damaged.
Ensuing damage: Coverage for ensuing damage is also an important consideration. An example of this is seen in food processing, where most policies exclude a change of temperature in freezers. However, if hackers gain access to the controls and raise the temperature in a dairy’s freezers, an entire inventory of ice cream products can be ruined. Some property carriers would consider this physical damage and are increasingly willing to cover it. Conversely, it’s important to note the majority of cyber insurers would not cover this, as ensuing damage is damage to property other than data.
In all of these examples, the adversary has an advantage over the defender.
An attacker only has to be right once, but the defender has potentially multiple physical and intangible assets to protect as well as an ever-increasing attack surface and interdependencies with third parties.
The Internet of Things has introduced more connected devices that can be exposed to a cyber attack; as physical assets, they should therefore be considered by property underwriters.
Many companies have a difficult time defining and assessing their cyber risks.
Selling cyber policies: It's all in the wording.
The purchase of insurance to cover first-party cyber risks, particularly to address physical assets, is only now being considered, and it is leading to considerable ambiguity:
Actuarial data is limited and has minimal relevance in the context of continually evolving threats and attack vectors.
Large, undefined coverage gaps exist in many property carrier forms.
Companies have a difficult time defining and assessing the risks they face.
As cybersecurity is now a business risk and no longer simply a technology consideration, brokers must position themselves as trusted advisors. They can play a vital role by helping clients identify and quantify risk to critical corporate assets and ultimately decide whether or not to transfer that risk through insurance. Products that address the gaps in legacy property and casualty policies, known as difference-in-conditions and difference-in-limits policies, are coming online.
Often, business interruption and denial of service are covered, but as far as ensuing perils are concerned, there’s no uniformity among carriers. Understandably, many property underwriters have only limited experience with cyber and, therefore, find it difficult to classify data as "property." This represents an opportunity for risk managers and brokers to work toward a deeper understanding of the data that exists in enterprises and how that data impacts the risk.
The technology solution
Much has been written about the challenges insurers face in underwriting cyber risk, in particular catastrophe modeling for cascading losses from single events and insufficient actuarial data. A common theme is the lack of understanding of how an investment in specific controls moves the risk needle in a constantly changing threat environment. However, for the first time in the relatively brief period since cyber risk emerged, we can feel more confident about our ability to get ahead of the problem. Technology is playing an increasingly important role in our advancement, and the insurance industry has a powerful ally in Silicon Valley.
Just as linguist Louise Banks ventured into the belly of the beast to better understand the extraterrestrial visitors in Arrival, a rapidly growing league of intrepid investigators is exploring new frontiers. Deeper data analytics that promise to accelerate our understanding of cyber risk are emerging, as Silicon Valley firms join insurers and brokers to develop tools to evaluate an enterprise’s security position from the inside and the outside. Traditional underwriting processes offer only a snapshot in time in a dynamic and fast-moving risk environment.
Technologies that help insurers evaluate risk in real time are supporting many more underwriting decisions today and, over time, will evolve to influence how these risks are priced.
In a nation where 80 percent of the critical infrastructure is owned by the private sector and beyond the purview of effective government regulation, technology innovation driving rigorous enterprise risk management will become the best way to improve mitigation and protect valuable assets such as data, intellectual property, and machinery.
'The new asbestos'
Cyber risk is certainly insurable, but in many respects it's the new asbestos. Its reach appears to be infinite. It's also an existential threat to business, where one event can cause multiple losses in unanticipated ways. This is due, in part, to the fact that the cyber threat has been shown to have a growing impact on physical property. Here it would be advisable to adopt a historical perspective and acknowledge the parallels to the evolution of property insurance. Just as the introduction of fire protection systems transformed the underwriting of physical property, so should risk managers, brokers, and insurers reevaluate physical assets in the context of cyber.
Addressing cyber risks as a property issue is a relatively new concept, which is why there is ambiguity in the insurance marketplace. Aggressive action needs to be taken because the risks are propagating at an alarming rate. The insurance industry must innovate so it remains an indispensable business partner to clients who have a lot riding on protecting their financial performance, reputation, and sustainability.
Jared Wosleger is an assistant vice president and a property/cyber broker at Lockton Companies, Inc. He can be reached by sending email to email@example.com.