A major attack last week is ‘the most disruptive cyber incident’ since the birth of the internet and could have a profound impact on insurance.
The attack saw Dyn, a significant Domain Name Server (DNS) that facilitates the loading of web pages, taken offline. This action subsequently impacted websites across the globe including Netflix, Twitter and PayPal as well as Australian sites for AAMI, ANZ and Woolworths, The Sydney Morning Herald
The attack used devices linked to the Internet of Things (IoT) in a Distributed Denial of Service (DDoS) style attack and Fergus Brooks, national practice leader, cyber risk at Aon Australia, said that the impact will be widely felt.
“In my mind, I think it is the most disruptive incident that has happened on the internet in terms of the wideness of scale and the impacts of it,” Brooks told Insurance Business.
“Every business should be having a look at how they could be impacted by it.
“This is an attack on the infrastructure of the internet itself as opposed to attacking specific companies.
“If you look at insurance as definitely covering malicious intent, really only Dyn the company have had a malicious intent slant on it, but it could be argued otherwise. This is what insurers need to think about and everyone will be thinking about it now.”
Business interruption will also be top of mind for many in the industry and Brooker noted that the system outage caused by the attack also needs to be considered.
Meena Wahi, a cyber insurance specialist and director of Cyber Data-Risk Managers, said that this latest attack highlights the challenges facing the cyber insurance market. The interconnectivity of digital and physical assets, alongside changes around the IoT will need to be given more thought in coming years.
“We could see more evolution in policy wordings,” Wahi told Insurance Business.
“We have taken cyber attacks and defined them in our minds to mean a hacker getting into a system. But if you use a third party to get into a system and customers are affected, where do you stop and who do you blame?”
The Dyn attack used tens of millions of unique IPs linked to IoT devices such as web cameras. Both Wahi and Brooks agreed that the security around such devices leaves a lot to be desired.
“If the cyber security industry does not respond and evolve to these threats and businesses result to buying cyber insurance, premiums will be a lot higher,” Wahi said.
“Somebody has to step up…. because if Internet of Things comes up and the security industry hasn’t been proactive then businesses are suffering and where does the buck stop?”
Brooks stressed that brokers, insurers and businesses need to look at the specific policy wordings to determine what they are covered for in the event of an attack on a third party linked to the business.
“When the outage has been caused by a third party provider… That is something that needs to be looked at and every policy needs to be looked at accordingly to see whether or not that is something that it covered.”
If policies do not include this cover, insurers should look to make changes, Brooks continued.
“In my mind, this is not a problem that is easy to fix and I think a lot of security and infrastructure people would agree with me so it is going to take some time to fix based on the fact that now we have this level of attack.”
Data and analytics key to industry relevance
The global state of cyber insurance
Insurance industry needs more cyber expertise