You Thought COVID-19 Was Bad
COVID-19 forced many businesses to admit they had failed to adequately prepare for such a catastrophic event.
But that was forgiven because, after all, it was only the third U.S. pandemic in the last century. In conducting cyber risk assessments, the lowest-scoring areas are often business continuity/disaster recovery and incident response planning. Low scores in these areas are usually attributable to senior management’s reluctance to allocate resources to something that “hasn’t happened yet” or “probably won’t happen.” The problem with cyber is that a catastrophic cyber event is likely to happen, and business leaders need to plan for it.
Consider the 2017 cyber attacks involving the WannaCry ransomware cryptoworm that sped around the globe and infected more than 230,000 computers in 150 countries before it could be contained. That attack was followed by the NotPetya malware that brought major corporations, such as Merck, Maersk, and a division of FedEx, to their knees for three weeks, with each company incurring substantial business interruption losses. The White House estimated the impact of NotPetya at more than $10 billion. Merck has filed a $1.3 billion insurance claim stemming from the attack.
The Merck case is a great example of the impact of a cyber attack. It was one company; imagine that scaled over a country or 100 countries. The WannaCry and NotPetya attacks were close together and raised fears globally that they were a precursor to a catastrophic cyber event, an event that could crater both businesses and the insurance industry. That a similar or larger event has not occurred since is no reason for comfort: a major cyber attack could cripple nations, destroy critical infrastructure, kill thousands, and crash economies. It is possible, it is likely, and companies and governments are not prepared.
The risk was heightened by the COVID-19 pandemic and the necessity for employees to work from home. Cyber attacks have skyrocketed. The FBI is receiving more than 4,000 reports of cyber attacks per day—400% more than before coronavirus—and Interpol is seeing an “alarming” number of attacks on companies, critical infrastructure, and governments. For example, during the pandemic, corporations such as Honda and Garmin suffered cyber attacks that disrupted their operations, and Canon had 10 terabytes of data stolen.
A recent Guy Carpenter/CyberCube report examined some possible cyber catastrophic scenarios, including data losses from a major email service provider ($19.1 billion loss), an outage at a cloud service provider ($14.3 billion loss), a ransomware attack at a large cloud provider ($11.5 billion loss), and data loss at a cloud provider ($22.2 billion loss).
Catastrophe modeling is widely used in the insurance industry for risk planning, determining appropriate limits, and allocating capital. It can also be useful in cyber risk management. Laurel Di Silvestro, principal client services manager at CyberCube, recently noted key similarities and differences between modeling the systemic risks of natural disasters and cyber attacks. Similarities in modeling include utilizing risk-specific data, aggregate data in the absence of detailed data, augmenting risk data at the time of underwriting with other available data, and incorporating the impact of past events to inform predictions of the impact of potential future events.
Key differences between natural disasters and cyber events revolve around the intentional actions of adversaries, the potential impact of geopolitical threats, global interconnectivity, the interdependencies of economies, and the reliance upon major providers that could be a single point of failure, such as cloud providers, payment systems, and communication networks. These factors can significantly impact modeling. Other impacts that need to be considered include innovation and the unauthorized release of cyber offensive weapons by cyber criminals. The 2016-2017 unauthorized release of stolen NSA cyber weapons by the Shadow Brokers contributed to an increase in nation-state cyber attacks. Some of those tools were used in the WannaCry and NotPetya attacks.
The Centre for Risk Studies at Cambridge University developed a cyber risk scenario with global consequences that was based on actual, smaller incidents that slowly caused significant harm, such as manipulating an algorithm to cause small corruptions to a database or causing insignificant accounting errors that pile up over time. The scenario is intended to test an organization’s ability to counter and mitigate the impact of a similar cyber attack.
The university’s work examines the impact of such an attack on a “systemically important technology enterprise” (SITE) that could interrupt the global economy or disrupt organizations critical to corporate productivity. In the example, the algorithm manipulation causes a fund management firm to lose £440 million ($581 million) in less than an hour of trading, a bank has to write off $1.75 billion due to an accounting error, and a utility company incurs massive liability due to uncontrolled sewage spillage from changes to the industrial control system that kept sewage valves open. The total estimated losses to global GDP output over five years range from $4.5 trillion to $15 trillion.
The bottom line is that modeling for catastrophic cyber events is hard stuff. The internet is not one giant “single point of failure,” but it comes close. Each organization must consider attacks on critical infrastructure that disrupt communications and electrical grids, financial systems, utilities, hospitals, and other organizations. When each company does the risk work to manage its cyber exposures, the impact of major cyber events will be blunted.
“There are limitations in any modeling and lots of uncertainties, but it can provide important data and valuable insights that lead to better decision making with respect to both cyber coverage limits and risk transfer strategies and managing operational impacts,” says Di Silvestro. In addition to modeling, the Cambridge University exercise notes the effectiveness of controls to counter the impact of attacks—for example, required reporting of the small stuff, using different database technologies, and controls to detect and defend against the insider threat.
Agents and brokers should work with their clients and help them evaluate systemic risks and the impact of a catastrophic cyber attack. They can help refer appropriate expertise for modeling such risks and understanding operational impacts. All companies are vulnerable to a catastrophic cyber event, and they need to prepare for it. Not planning for a pandemic may be excusable, but there will be no such forgiveness over a cyber catastrophe. Everybody saw it coming.