Economic losses from cyber events have the potential to be as large as those caused by major hurricanes, says the insurance market Lloyd’s of London in a report. It suggests that insurers could benefit from thinking about cyber cover in these terms and making explicit allowance for aggregating cyber-related catastrophes. To achieve this, data collection and data quality are important, especially as cyber risks are constantly changing.
For insurance companies, the global cyber market is worth between $3 billion and $3.5 billion, Lloyd’s Class of Business team estimates. Despite this growth, insurers’ understanding of cyber liability and risk aggregation is an evolving process as experience and knowledge of cyber-attacks grows.
Introducing the report, one of its authors, Trevor Maynard, Head of Innovation at Lloyd’s, said that insurers should have the confidence to underwrite, understand more about the cyber risks they face, ‘and think differently about them’: “Insurers should think about cyber risks in the same way they think about natural disasters. Large aggregating events can arise and that would cause effects on business and the economy as a whole … It tells us that a major cyber attack can cause up to $53 billion of economic loss, which is roughly the size of Superstorm Sandy.”
For the report, Counting the Cost: Cyber exposure decoded, visit https://www.lloyds.com/news-and-insight/risk-insight/library/technology/countingthecost.
Cyber market insurers would benefit from a deeper understanding of the potential tail risk implicit in cyber coverage, according to the report, which offers two scenarios:
A sophisticated group of “hacktivists” sets out to disrupt cloud-service providers and their customers to draw attention to the environmental impacts of business and the modern economy. The group makes a malicious modification to a “hypervisor” that controls the cloud infrastructure. This causes many cloud-based customer servers to fail, leading to widespread service and business interruption. Cyber-attacks have the potential to trigger billions of dollars of insured losses. For example, in the cloud services scenario, insured losses range from US$620m for a large loss to US$8.1 billion for an extreme loss.
And in a ‘mass vulnerability attack’, a cyber analyst accidentally leaves his bag on a train. The bag contains a hard copy of a report on a vulnerability that affects all versions of an operating system run by 45 per cent of the global market. This report is traded on the dark web and is purchased by an undetermined number of unidentified criminal parties, who develop system exploits and begin attacking vulnerable businesses for financial gain.
Traditional insurance risk modelling relies on authoritative information sources such as national or industry data, but there are no equivalent sources for cyber-risk, the report points out.
David Emm, principal security researcher at IT security product firm Kaspersky Lab, said: “These are big numbers, but they don’t mean much unless terms such as ‘serious cyber-attack’ are quantified. How can we assess the global cost of an attack? It could mean anything from a temporary interruption of service to the takeover of customer systems – with very different costs.
“It’s important for companies to conduct their own risk assessment and develop a strategy that’s designed to secure corporate systems and mitigate the risk of an attack on those systems.”
Rob Norris, VP Head of Enterprise and Cyber Security EMEIA at Fujitsu, said: “The ripple effects of an attack no longer stay within the four walls of an organisation. In fact, recent events have shown us how the consequences can be played out on the world stage affecting governments, health services and even the physical safety of people on the street. With such significant financial and reputational consequences, we need to start seeing more proactivity when it comes to tackling cybercrime before an attack happens.
“Research by Fujitsu revealed that less than 10 per cent of consumers believe that businesses are doing enough to ensure that their data is protected. With data fast becoming the new currency, it’s ever clearer that the maturation of the digital industry has brought its own set of unique challenges, and businesses are not quite there when it comes to addressing the cybercrime challenge. As attackers always have the initiative, even the best-run company could suffer from a hack or data theft. Because of this, it’s vital organisations take a proactive approach, focusing on the integration of threat intelligence and other information sources to provide the visibility to identify a breach or suspicious behaviour quickly, coupled with the threat context necessary to deal with today’s sophisticated attacks.”
Dean Ferrando, Systems Engineering Manager (EMEA) at Tripwire, said: “$53 billion is an astronomical figure and it could get even worse unless organisations understand that securing IT infrastructures, endpoint devices and data is not a simple case of having the latest technology. There is a plethora of choice in defence mechanisms, for example: firewalls, IDS/IPS, encryption, dual-factor authentication, system integrity monitoring, change management, off-line backup, vulnerability management and configuration management, to name but a few. If enterprises are to avoid being stung by a cyber attack they need a security hygiene program that incorporates educating the workforce about security and installing protective platforms, which involves investing in the right technology. An important point to mention would be that having the right technology also means maintaining the basic levels of patching. If everyone implemented this and followed the business recommended processes, then we would start to see a reduced number of attacks and the costs that surround them.”
And Pete Banham, at Mimecast, said: “The doomsday scenarios painted in the report highlight the growing issue of cyber risk aggregation. By adopting a cloud strategy that seeks to reduce the number of vendors, organisations may be tipping towards short-term cost savings at the expense of security.
“Cyber insurance has a role to play, but it’s also crucial that organisations understand exactly what their policies protect them from and what their terms require them to assume responsibility for. Evolving, sophisticated attacks and a lack of employee training are leaving organisations at great risk of breaking policy terms.”