In Part 2 of ‘One byte at a time: a series on cyber insurance’, Kitty Ho outlines the three types of cyber incidents you need to know about: malware attacks, DDoS attacks and data breaches.
Computers running Microsoft Windows versions before Windows 10 were vulnerable to WannaCry if the relevant security patches had not been applied. It propagated through EternalBlue, an exploit developed by the United States National Security Agency (NSA) for older Windows systems. EternalBlue was stolen and leaked by a group called “The Shadow Brokers” a few months prior to the attack.
According to Kaspersky Lab, the four most affected countries were Russia, Ukraine, India and Taiwan. In England and Scotland, the attack affected up to 70,000 devices in National Health Service hospitals, including computers, MRI scanners, blood-storage fridges and theatre equipment, forcing services to turn away non-critical emergencies and divert ambulances.
Car manufacturers such as Nissan in the UK and Renault halted production to stop the spread of the ransomware. Other infrastructure providers, including Spain’s Telefonica, FedEx and Deutsche Bahn, were also affected.
A month later, the ‘NotPetya’ malware attack struck, affecting 12,500 machines through a hacked update of a major accounting software package widely used in Ukraine. It spread to other countries through internal networks, locking disk contents and demanding a ransom payment. It was later discovered that even if users paid the ransom, their data could never be recovered, because the malware could not revert its own changes and there was no way for the attackers to track individual Bitcoin payment IDs.
Total reported economic costs are in excess of US$1 billion, with at least 2,000 companies affected, including Maersk (the Danish logistics company and world’s largest container ship operator, which lost US$200 to US$300 million in revenue), Merck & Co (US pharmaceutical), DLA Piper (multinational law firm), Reckitt Benckiser (British consumer goods), DHL (German logistics company), Mondelez (US food company) and Cadbury’s chocolate factory in Hobart, Australia.
US and UK intelligence agencies attributed the attack to the Russian government, implying a motive of damaging the Ukrainian economy rather than financial gain. Interestingly, Mondelez’s insurer, Zurich, denied the insurance claim on the grounds that NotPetya was an “act of war” not covered by the policy. Mondelez is currently taking legal action against Zurich.
A denial-of-service attack (DoS attack) is one in which the attacker seeks to make a computer or network resource unavailable to its intended users by temporarily or indefinitely disrupting the services of a host connected to the Internet. A distributed denial-of-service attack (DDoS attack) is one in which the traffic flooding the victim comes from many sources, so there is no single point of attack to block.
One such DDoS attack occurred in 2007, when hackers coordinated hundreds of thousands of computers to attack government agencies and banks in Estonia. In 2017, a number of South Korean banks were threatened with a DDoS attack unless they paid a US$315,000 ransom in Bitcoin. In 2016, one of the largest domain name system infrastructure providers, Dyn, experienced a DDoS attack which in turn caused widespread online disruption to popular sites such as Netflix, Twitter, Spotify, Reddit, PayPal and Pinterest.
DDoS attacks can carry very significant financial costs. There are direct incident response costs, such as the cost of getting systems back online and of repairing or replacing damaged systems. There are also business interruption costs from lost revenue, and the cost of attempting to repair a company’s reputation after the event. Just imagine the impact if a DDoS attack were to occur during a Black Friday or Cyber Monday sale; in 2018, single-day sales on those two days were recorded at US$6.2 billion and US$7.9 billion respectively.
In a world where the Internet of Things is becoming prevalent and even your Dyson fan is always online, the opportunity for DDoS attacks can only grow.
Perhaps the type of cyber incident that attracts the most media attention is the data breach at a high-profile enterprise:
- May 2013 – Target (US) – data on 100 million users was affected; the financial costs totalled US$291 million and exhausted Target’s US$90 million insurance cover.
- August 2013 – Yahoo! – data on 3 billion users was compromised; it happened again in 2016, impacting 500 million users.
- September 2017 – Equifax – the US credit bureau suffered a cyber security incident affecting 143 million users’ personal information (names, Social Security numbers, addresses, driver licence numbers). The breach recently settled for US$700 million, exceeding its US$150 million of cyber insurance coverage.
- September 2018 – British Airways – The airline’s IT system was hacked and details of around 500,000 customers were stolen. Under the GDPR, the Information Commissioner’s Office issued a record £183 million fine (or 1.5% of turnover). The insurability of the fine is still being debated by the cyber market.
- September 2018 – Marriott – the hotel chain discovered unauthorised access to its Starwood guest reservation database in the US. The attackers had copied and encrypted information on about 500 million guests and taken steps towards removing it; that information was lost. And the cost? A rough estimate can be derived by assuming $1 per user account lost. The market predicted the total cyber loss in the range of US$200 to US$600 million.
- July 2019 – Capital One – one of the ten largest US banks had nearly 100 million individuals’ credit card application data stolen. The cyber market expects this loss to reach up to US$400 million, which could potentially exhaust its cyber insurance limit.
Data breach notification laws were first introduced in California in 2002, and similar laws were progressively rolled out until all 50 US states had one, with Alabama enacting theirs in 2018. The EU introduced the General Data Protection Regulation (GDPR) in May 2018, which differs from the US laws in several respects, including its broader application to “personal data” rather than just credit card and Social Security number information, and its timelines for breach notification. At the beginning of 2020, Canada, California and Brazil were looking to introduce similar laws. Singapore and India are also considering adopting data breach reporting regimes.