The following is an opinion article written by Pascal Millaire, the vice president and general manager, cyber insurance, at Symantec Corporation.
Turn the clock back a few weeks and headlines were dominated by news of one of the most pervasive forms of malware ever seen. Hundreds of thousands of computers were impacted globally by the so called WannaCry malware in over 100 countries, causing disruption to businesses in sectors as diverse as manufacturing, transportation, telecoms, financial services, utilities and healthcare. But what are the implications for those in the insurance industry who transfer cyber risk?
In the short-term, the losses on insurers could be relatively modest given the scope of the event and there may even be an uptick in demand for cyber insurance policies, particularly in Europe. In the long-term, however, WannaCry is an illustration of one of the most important shifts impacting global insurance, which will require the industry to take a whole new approach to understanding risk and aggregation.
This article attempts to provide some of the basic facts based on what we know, as well as exploring some of the short- and long-term implications for various constituents in the cyber insurance industry.
What is WannaCry?
WannaCry is a virulent new strain of ransomware. It has hit hundreds of thousands of computers worldwide since its emergence and is far more dangerous than other common ransomware types because of its ability to spread itself across an organization’s network.
WannaCry searches for and encrypts 176 different file types and appends .WCRY to the end of the file name. It asks users to pay a US$300 ransom in Bitcoin. The ransom note indicates that the payment amount will be doubled after three days. If payment is not made after seven days, the encrypted files will be deleted. Users of Microsoft operating systems are vulnerable to the attack.
When was this vulnerability discovered?
On January 16, 2017, the DHS US Computer Emergency Readiness team issued a warning about an SMB remote code execution vulnerability in Microsoft Windows computers.
On March 14, 2017, Microsoft responded by issuing a patch (MS17-010), which remedied the vulnerability for supported licensed users who applied the patch.
Is it common for vulnerabilities to emerge in such a critical piece of software?
Yes, vulnerabilities in software are very common.
In 2016, Symantec tracked 3,986 new vulnerabilities, which forms part of a database of 88,900 vulnerabilities, covering 24,560 vendors over two decades. Vendors such as Microsoft have a detailed process for tracking and remedying vulnerabilities and in May alone, Microsoft released 56 vulnerabilities, 17 of which are rated critical.
How did this vulnerability get exploited?
Having a vulnerability emerge does not mean that companies will experience a loss as there needs to be a tool to exploit that vulnerability.
An exploit for this vulnerability, known as “Eternal Blue”, was released online in April, in the latest of a series of leaks by a group known as the Shadow Brokers. This group claimed it had stolen the data from the Equation cyber espionage group, whose most likely country of origin is the United States.
Who was impacted?
The ransomware hit hundreds of thousands of computers worldwide in over 100 countries and spread rapidly.
Symantec observed 22 million attempts to infect machines and at its height was blocking 200k attacks per hour. Attacks spiked on Friday, May 12.
Detections of WannaCry were highest in Brazil, Russia, China and the United Kingdom but all major economies were impacted.
What will the short-term impact on cyber insurers be?
As this attack is unfolding, it is too early to say, however there are mitigating factors that will substantially reduce the financial impact of this event.
Around 85% of all standalone cyber insurance policies are written within the United States, which has not been badly impacted. Ransomware amounts are typically below the deductible and even when a business interruption or network interruption policy will respond to attack, coverage includes a 12hr or 24hr waiting period.
More importantly, one of the key mitigating factors is that the cyber insurance losses are fundamentally lower for the exploit of an unknown vulnerability when compared to a known vulnerability like Eternal Blue.
Why are the losses for insurers so much lower for known vulnerabilities like Eternal Blue?
With a known vulnerability, clients will often have had time to patch software. Nonetheless, with nearly 330 material vulnerabilities emerging every month (and patches only available for a subset of those vulnerabilities) losses cannot be modeled on the basis of patch cadence alone and nor is it the only line of defense.
Companies are also protected by security software. Software can provide protection against unknown exploits but is particularly effective against exploits leveraging known vulnerabilities.
To use WannaCry as a specific example, Symantec released IPS sig to explicitly block exploit attempts on May 02, 2017, which provided an added layer of protection on top of an existing suite of technologies that provided protection against unknown vulnerabilities. As of May 15, 2017, Symantec had blocked 22 million attempted WannaCry ransomware attempts and Symantec Endpoint Protection and Norton customers are fully protected from WannaCry, regardless of their current patch status. Other security companies have also been successful at blocking attacks against unpatched systems. Regardless, patching remains an important additional layer of defense as new variants continue to emerge.
What does this mean for underwriters?
Much has been made of how far the underwriting industry has to go in terms of understanding cyber risk and asking the right questions of their insureds.
Saying that, we should also pause and reflect on how far the cyber underwriting discipline has come. The insurance industry has a growing cadre of specialist cyber underwriters, with an understanding of cyber risk. One of the reasons why losses from WannaCry will be relatively low is that the (primarily) US carriers who have expanded internationally into markets more impacted by WannaCry have brought with them underwriting guidelines and expertise. Carriers that have expanded into Brazil (a market particularly hard hit by WannaCry) will be highly unlikely to have accepted a submission from a firm using a pirated version of Windows software with no formalized patching cadence and no endpoint protection.
As demand for cyber insurance increases, demand for skilled cyber underwriters will also increase and there will continue to be a fundamental labor supply/demand mismatch. Going forward, there will be a need for more technology-enabled tools to streamline the underwriting process and supplement decisions with readily consumable underwriting data, even for those underwriters without deep expertise.
What does this mean for brokers?
Two of the biggest drivers of cyber insurance awareness and purchasing are regulatory changes around breach notification and major high profile cyber security events.
Early indications suggest an increase in cyber insurance interest from brokers. In particular, given the low cyber insurance penetration rates in Europe, the footprint of the current attack and the impending roll-out of GDPR, European brokers in particular could be beneficiaries.
What does this mean for aggregation management?
The last 12 months have illustrated that insurers cannot ignore the aggregation impact of cyber as a peril.
This is particularly true of insurers with large standalone cyber portfolios; however, there are even larger exposures that exist within other lines of insurance, including business interruption, which is transitioning from a silent cover to an affirmatively covered peril within a property policy for some carriers.
A year ago, it was possible (but incorrect) to make the case that insurers are not yet subject to cyber aggregation risk. After the near misses of the Amazon S3 outage, the Mirari DDOS attack and now the WannaCry ransomware attack, cyber aggregation is a topic all insurers must now take seriously.
Is it even possible to model cyber aggregation?
Cyber aggregation presents fundamentally new challenges to the insurance industry but the risk can and must be modeled.
Unlike natural catastrophes, where events have a geographically contained footprint, companies impacted by cyberattacks cross geographic boundaries. The risk is non-stationary and is impacted by changes in technologies, attack patterns and defense postures. Furthermore, Internet of Things device penetration expected by some to grow from 15 billion to 200 billion devices, means few aspects of the global economy will remain non-impacted by cyber risk.
A multi-pronged approach is needed to understand cyber aggregation as there is no silver bullet but here are four initial guidelines that are important to consider when modeling aggregation scenarios:
- Modelers need an understanding of historical events as not all of these risks are completely novel and parallels can be drawn from the past. For example, in 2004, Symantec detected the first occurrence of the Sasser worm, a self-replicating piece of malware that took advantage of a vulnerability in the Windows Operating System impacting several hundreds of thousands of machines and has many similarities to May’s attack.
- We need an understanding of security data across the entire kill chain, and not just at the level of publicly observable data points scrapped from the internet. This is particularly true when getting to the nuance of quantifying different types of both known vulnerabilities like Eternal Blue but also unknown vulnerabilities and the likely impact on a portfolio.
- Modelers need to engage deeply with security experts in emerging technologies as hard data has substantial limits in modeling emerging IoT technologies that have yet to be rolled out.
- Finally, we need an understanding of adversaries, including their capabilities (tools, tactics and procedures), their motivations (target categories and regions) and their recent activities.
Modeling cyber aggregation is one of the most difficult analytic challenges facing the cyber security and insurance industry but a multi-pronged approach can help understanding where risk already lies in insurer portfolios today and in the future.
Should those in the insurance industry want to cry? In the long-term those tears could be tears of joy or tears of sadness depending on how well the industry understands the risks its clients are facing.
WannaCry is one of the most significant malware events seen to-date but it will not be the last to pose a potential systemic risk to the global economy. Understanding emerging cyber risk may seem challenging but as interconnected technologies permeate all aspects of the global economy, the problem is too important for insurers not to understand. Addressing cyber risk will require collaborations between the cyber security industry, insurers and our mutual clients.
Together, the cyber security and insurance industries can make our economy more resilient to the most important risk of the 21st century.
The preceding was an opinion article written by Pascal Millaire, the vice president and general manager, cyber insurance, at Symantec Corporation. In that role he is responsible for creating underwriting and catastrophe modeling software for insurers, as well as developing new offerings at the intersection of cyber security and insurance. The views expressed within the article are not necessarily reflective of those of Insurance Business.