
A CYBERRISK GROWS UP: Once considered an innocuous threat, ransomware has morphed into a new, formidable risk.

The British National Health Service, a major Japanese automotive manufacturer and the Chernobyl nuclear power plant have all been the victims of a new type of ransomware, one that already has caused a publicly traded company to announce that the attack will cause a "material" impact to its year-end financials. These types of attacks are driving new demand worldwide for cyber insurance and creating unprecedented challenges for the product's underwriters.

Once viewed as a pedestrian form of cybercrime by corporate risk managers and insurers alike, ransomware has grown up. Modern ransomware such as WannaCry and Petya has been supercharged by leaks of previously classified hacking techniques and can inflict a wide range of damages, such as loss of data, business interruption, property damage and reputational harm. Coupled with the growth of the internet of things, the attack surface vulnerable to ransomware has expanded radically from just a few years ago. And ransomware criminals have never been more ambitious in scope, strategy and sophistication. Together, these factors have made ransomware an exceptional global cyberthreat.

Insurance brokers have already reported an uptick in interest in the purchase of cyber insurance coverage from a wide range of companies, beyond the banks and retailers that had traditionally bought the coverage. This is especially true in Europe, where next year's implementation of the General Data Protection Regulation can potentially lead to penalties up to 4% of global revenue on companies that suffer a data breach.

But the same factors that spur market demand for coverage of ransomware attacks also make the product difficult to underwrite. Comparability for diverse cybersecurity systems is difficult, and claim experience is still relatively nascent.

The Evolution of Ransomware

Early ransomware efforts were typically limited in scope and complexity. The introduction of global and anonymous forms of moving money changed all that. Not only could extortion payments now move in more untraceable ways, but cybercriminals could subcontract with each other without revealing their identities or locations. Coupled with the use of the darknet, more sophisticated forms of ransomware flourished.

Ransomware took an evolutionary jump in May 2017 with WannaCry, which was allegedly created by the U.S. National Security Agency and released into the wild by hackers. The ransomware detects and takes advantage of flaws in a computer system, giving it a highly developed method of propagation. Once installed on a networked computer, WannaCry could spread and install itself automatically across the network, without user input. This fueled an unprecedented rate of infection. Evidence suggests that 230,000 computers in 150 countries were infected within 24 hours of WannaCry's introduction. The WannaCry attack spread across countries and industries, impacting British hospitals, Japanese automobile manufacturers, a Spanish telephone company and the German state railway. Ransomware 2.0 was born.

The same exploit was repackaged a few weeks later in Petya. Nicknamed for a satellite loaded with a nuclear warhead featured in the 1995 James Bond film GoldenEye, Petya improved on WannaCry's propagation method by employing a variety of hacking techniques to spread once inside a system, such as harvesting passwords and using them to seek entry to new computers (even those with fully patched systems). Within 24 hours of its release, Petya had spread worldwide. The radiation monitoring system for the cleanup of Ukraine's Chernobyl nuclear power plant went offline, forcing employees to use hand-held monitors to track radiation levels. Others affected include a Danish shipping firm, an American pharmaceutical giant, a multinational law firm and a German logistics company.

Underwriting Challenges

The market for stand-alone cyber insurance is estimated to have reached $3.5 billion in premiums written in 2016, according to the Organization for Economic Co-operation and Development. And with the new EU General Data Protection Regulation taking effect in mid-2018, some project the worldwide market for cyber insurance to reach $25 billion in 2025, reports Marsh & McLennan Cos.

But with those opportunities come significant challenges. Cyberrisks change constantly and even the limited historical loss data available do not necessarily reflect the future cyber threat environment. AIR Worldwide, RMS, Guy Carpenter and others are developing cyber models to bridge that gap, but ultimately models are only as robust as the data upon which they rely. Authoritative cyber loss data are not only difficult to come by, but are rarely reported in a systematic and complete way using commonly understood terms.

It is difficult to compare cybersecurity levels across companies. Although the National Institute of Standards and Technology Cybersecurity Framework may result in some ability to compare cybersecurity levels and identify and propagate cost-effective best practices, the industry still lacks much helpful information.

Given the paucity of cyber loss data and its inconsistent nature, insurers are understandably reluctant to plunge into the cyber insurance market. But its growth prospects make the cyber market very appealing, especially to well-capitalized insurers.

At present, however, a consensus has not yet been reached regarding coverages and exclusions, which has resulted in difficulties for the reinsurance markets to function fully.

For insurers willing and able to take on the risk, the following are three suggested best practices for underwriting cyberrisks, including ransomware.

Get the Data

The lifeblood of good underwriting is data. In cyber, like in every other insurance line, the underwriting process starts with it. Insurers that have been underwriting cyberrisks for a longer time have a head start here, as they can draw on a pool of internal data on which to price risks. But newer participants can use third-party services or cyber data brokers. And all underwriters can and should use assessments to gather information about insureds and potential insureds.

Generally, these assessments collect information on computer systems, data security procedures, technological and physical safeguards and organizational structure, chain of command and company training.

A company's benchmarking against tools such as the NIST Cybersecurity Framework and, for financial institutions, the related Federal Financial Institutions Examination Council Cybersecurity Assessment Tool can also help underwriters gauge risk. Technical questions such as the number of network connections, common software and updating/patching practices, data center locations and the number of endpoints are likewise important, although the significance of these areas remains an area of active study. An understanding of the protections in place, such as firewalls, encryption, monitoring, incident response and data loss retention policies, likewise plays an important part in the cyber underwriting process.

Finally, general facts about the organization like industry revenue, number of employees, data security budget, use of ISO or other industry standards, percent of outsourced services, and jurisdiction are all important, as they often correlate with frequency and severity of potential attacks. Questionnaires are often coupled with interviews, where insurers can get a qualitative, not just quantitative, view of a company's data security awareness culture.

Next, insurers should seek a more uniform data pool. Data from self-reported incidents (or gleaned from publicly available breach reports) are often limited and inconsistent. Ransomware incidents often do not involve the unauthorized access to or acquisition of personal data and so often go unreported. Some data breaches that do not involve personal data are reported to the public, but the information collected from one source may not be the same as that collected from another. Accordingly, seeking to develop a marketwide set of uniform data requests is an important step in the right direction. Lloyd's of London has partnered with AIR Worldwide and RMS to create a common core of data requirements for cyberrisk assessments. Cyber insurers should work together to further the collection of a common core of cyber data points.

Get Behind the Data

Data collection and risk assessments are a good first step in cyber underwriting best practices. But underwriters must go beyond these surface measures to understand aggregation and correlation risks present in their policyholders individually and collectively.

For example, ransomware risks a few years ago were focused on consumers and sought relatively small amounts of money that would fall below most cyber insurance deductibles. But as the Petya attack demonstrates, ransomware tools are increasingly being used to cripple operations and spread rapidly, creating the potential for massive business interruption and property damage on a global scale. For ransomware or other cyberattacks, a single point of failure in software or hardware can lead to a global, coordinated attack, almost overnight.

Insurers hoping to diversify risks can instead find themselves at a point of convergence, where the risk of attack for multiple policyholders converges on a single piece of vulnerable software or hardware. Underwriters need to consider not just the vulnerabilities of a policyholder's own systems, but also those of its vendors and others in its IT infrastructure. We are increasingly in an age of global, systemically important cyber vendors that companies may not even realize they are using. For example, Dyn, a DNS provider, maps internet domain names to the corresponding IP addresses.

In October 2016, Dyn was knocked offline by a cyberattack. As a result, legions of websites, including many major media outlets, could not be reached at their web addresses. These companies suffered significant disruption to their operations due to vulnerabilities not in their own systems, but in the basic building blocks of the modern internet. Of note, many of the devices used to power the DDoS attack on Dyn were internet-enabled consumer devices such as smart refrigerators or baby monitors. The internet of things has thus fundamentally changed the cyberthreat environment. And a successful attack can lead to copycat attacks, further increasing the likelihood of risk aggregation. These are just some of the risks that insurers need to understand to appreciate the dangers of an aggregated business interruption claim.

Skate to Where the Puck Is Going

Hockey great Wayne Gretzky is credited with the saying "I skate to where the puck is going, not where it's been." Cyber insurance underwriters may need Gretzky-like powers to not just understand historical cyber loss patterns, but to appreciate what they portend for future cyber threat environments. Few would have thought that ransomware, a garden-variety type of cyberrisk just a few years ago, could cause a material impact on the year-end financials of a publicly traded company. Yet, that is exactly where we find ourselves now.

Cyber underwriters looking for an assist may want to speak with underwriters of other lines of man-made perils, such as terrorism or kidnap and ransom.

Generally speaking, terrorism and K&R underwriters try to understand the political, financial, or criminal motivations of the bad actors, the types of methods employed, the nature of targets and target selection, the networks employed for recruiting fellow bad actors, surveilling a target, and conducting an attack. All these elements translate to understanding cyberrisks. Coupled with good data and cyber modeling, they offer a path to better understanding and pricing cyberrisks.

The WannaCry and Petya attacks illustrate the need for cyber insurers to gather better data and analyze it in new ways to understand and model ransomware and other cyberrisks. Insurers must couple traditional underwriting methods with an appreciation of the capabilities and motivations of threat actors, and the new tools available to them, to better model the severity and frequency of cyberattacks. Ransomware authors have made their moves; it is now up to the cyber insurance industry to respond.

by Edward R. McNicholas and Thomas D. Cunningham

Best's Review contributors: Edward R. McNicholas and Thomas D. Cunningham are partners with the law firm of Sidley Austin LLP, working in the areas of cybersecurity and insurance. They can be reached at and

Key Points

The Background: New forms of ransomware have been supercharged by their ability to detect and take advantage of flaws in a computer, fueling an unprecedented rate of infection.

The Problem: Given the lack of cyber loss data and its inconsistent nature, insurers are reluctant to plunge into the cyber insurance market.

What Has to Happen: Cyber insurers need to couple traditional underwriting methods with an understanding of the capabilities and motivations of threat actors and the new tools available to them to better model the severity and frequency of cyberattacks.
COPYRIGHT 2017 A.M. Best Company, Inc.

Title Annotation:A World of Risk
Author:McNicholas, Edward R.; Cunningham, Thomas D.
Publication:Best's Review
Date:Dec 1, 2017
