I have often written about the insurance industry and its effect on the cyber technology market.
Additionally, I have been involved in securing the Internet of Things (IoT), particularly medical devices, for the past few years. Those two worlds have now intersected in an odd, disturbing way.
One of the largest cyber insurance conferences, the Advisen Cyber Risk Insights Conference, was held recently in New York. At the same time, the Security of Things forum was being held in Washington D.C. What is the connection between these two areas? Aggregation.
The cloud hanging over cyber insurance
There are a lot of myths about the cyber insurance industry floating around, such as "there is not enough data for insurance," "nobody is buying insurance," "claims are not being paid" and "insurance companies are losing money." The reality is that cyber insurance is a flourishing business. Nearly 1,000 people attended the Advisen conference, and there are currently around 65 carriers offering some form of cyber insurance.
Other insurance coverage, such as E&O, also covers some of clients' cyber risk. Claims are being submitted and are being paid. The policies are capped, so the risks to the insurance companies are controlled. And insurance companies are making money.
There is, however, a cloud that hangs over the insurance industry that worries industry executives across the board — again, aggregation. The concern is not one company getting hacked, like a Target or Anthem; the concern is what happens when numerous major insureds, all with multimillion-dollar policies, all suffer major breaches at once. This could trigger a loss event equivalent to a Katrina-level hurricane.
Enter DYN and IoT
As most know, on Oct. 21, the domain name service DYN was the target of a coordinated Distributed Denial of Service (DDoS) attack. The effect was to bring down several major Internet services including Twitter and Spotify. (There are several well-written analyses of the attack on sites such as securityledger.com and krebsonsecurity.com.)
The reason the insurance industry has cause for concern is that this could very well be a foreshadowing of an aggregation event. Most discussions about an aggregated attack have focused on major infrastructure providers such as Microsoft or Amazon Web Services; this event, however, occurred with the DDoS of a company most people have never heard of.
With this attack, several major companies had a significant disruption in business and, by most accounts, the approach merely replicated similar attacks from the previous weeks on a major blog and a French cloud provider. A more sophisticated and planned attack could have done significantly worse damage —and it still could.
Does this mean aggregation is closer?
So now the question arises, is an aggregation event more likely than previously considered? And where are the connecting elements, such as DYN, that can cause this aggregated loss? Also, the IoT attack approach is very new, only occurring over the last few weeks. How much more sophisticated could future attacks become?
The questions for the insurance industry after the DYN event are many, but several seem to rise to the top. The P&C industry is addressing a number of other issues, such as quantification of risk through standards such as Factor Analysis of Information Risk (FAIR) and other modeling techniques.
Is there a now a need for greater evaluation of aggregate attack points such as DYN? How would the presence of these attack points affect the quantified risk of a company? Will the application process begin to explore aggregation points? And what would be the effect on the policies and associated premiums based on these findings?
Answering these questions may be the beginning of a new discipline within the overall insurance marketplace.
Chip Block is vice president of cybersecurity and infrastructure services company Evolver Inc. Contact him at chip.block@evolverinc.com. Opinions expressed in this article are the author's own.
© Arc, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to TMSalesOperations@arc-network.com. For more information visit Asset & Logo Licensing.