What trait does a global cyerattack and a hurricane share? Both could cost insurers – and victims – dearly, according to a report published Monday by insurance giant Lloyd’s of London.
A global, major attack on cloud computing services could cost an average of $53 billion, according to the report, which was co-written with Cyence, a firm that helps the insurance industry evaluate cyber-related risks.
Only 17 percent of those losses, however, would be covered by insurance, according to the report.
Meanwhile, a global attack that leveraged a widespread software vulnerability could cost as much as $28 billion, with only 7 percent of losses covered by insurance, the report says.
Lloyd’s report is significant in that it lays out the risks that companies are facing by relying on networked systems. “Cyberattacks have the potential to trigger billions of dollars in insured losses,” it says.
The insurance industry sees great potential in cyber insurance policies. Lloyd’s estimates the market is worth $3 billion to $3.5 billion. But it’s an emerging area, and actual risks are tough to estimate, warns the firm, which offers both cyber insurance as well as reinsurance.
“Traditional insurance risk modeling relies on authoritative information sources such as national or industry data, but there are no equivalent sources for cyber risk, and the data for modeling accumulations must be collected at scale from the internet,” the report says.
Trevor Maynard, head of innovation at Lloyd’s.
“We want insurers to think about the cyber aggregations and to have confidence to underwrite this new, innovative class,” says report co-author Trevor Maynard, head of innovation at Lloyd’s. “But we also want risk managers and the companies we insure to understand the cyber risks they face, and think differently about them.”
Lack of Data
Although Lloyd’s offered estimates of the average financial damages that would be seen following a cloud services-related attack, as well as a scenario involving a software vulnerability, the figures could swing much lower or much higher.
That’s because it’s difficult to estimate which companies or organizations would be affected and how long attack-related disruptions might linger. It’s a similar problem for insurers when trying to predict losses related to natural catastrophes.
“Insurers could benefit from thinking about cyber coverage in these terms and make explicit allowances for aggregating cyber-related catastrophes,” the report says. “To achieve this, data collection and quality is important, especially as cyber risks are constantly changing.”
One of the attack scenarios outlined in the report sounds familiar. It involves a fictitious government intelligence contractor dubbed XYZ Corp. – specializing in tailored access and offensive cyber operations – as well as a fictitious operating system.
“On the way home from work, an analyst accidentally leaves a bag on the train that contains a physical copy of a full report on a recently completed operation,” the report says. “The report includes details on an identified vulnerability affecting all versions of the DEFG 111 operating system, which is deployed by 45 percent of the global market.”
Lloyd’s theorizes that in that scenario, it would take three weeks, post-exposure, for a full patch to be released. But applying the patch across all affected organizations would take much longer. “It is important to note that remediation never hits 100 percent because of poor awareness and patching practices,” it says.
Switching to a real-world scenario, the world’s largest mass ransomware attack in May was enabled, in part, by a leak of two suspected NSA exploits for Microsoft’s Windows operating system. The subsequent WannaCry ransomware attack, which used those exploits, infected more than 300,000 systems.
Likewise, a different type of malware called NotPetya last month embraced the same exploits. Although it initially targeted Ukraine, NotPetya spread to other organizations and companies.
As an example of how costly that attack was, FedX reported Monday that it expects to suffer a “material” loss due to NotPetya. The malware affected its TNT Express unit, which lost revenue and is still trying to restore services. FedEx does not carry cyber insurance.
Both WannaCry and NotPetya could have been stopped if organizations had applied a patch released by Microsoft, prior to the exploits coming to light publicly.
The report also looks into the effects of a large-scale disruption of cloud service providers. Many services rely on common infrastructure and open source code. If there’s a vulnerability in one component, the knock-on effect can hit many providers.
“Open source software has varying levels of review process,” the report says. “When the coding community is small, mistakes can make it past the peer-review process and have real-world implications, as was demonstrated with Heartbleed, a vulnerability in the open source OpenSSL protocol that powers many secure website communications.”
Other weaknesses that can affect many providers can be software problems in hypervisors, which are software components critical to running multiple operating systems on a single piece of hardware.
Attackers may also stumble across backdoors in products, which are sometimes inserted as ways to conduct remote maintenance but are generally regarded as dangerous. Software developers also simply make mistakes that are only caught years later.
“With minor and unintended flaws in code having such serious implications, the problem becomes a cryptographic puzzle with endless combinations,” the report says.