Other parts of this series:
The interconnectedness of everything—driven by the Internet of Things (IoT), cloud, social, analytics, mobile, telematics and the automation that Industry 4.0 brings—is creating a vastly porous global network. This is causing the frequency and severity of cyber attacks to increase. For insurers, cyber security is both a threat and an opportunity.
The threat—and it’s a significant one—is the risk that cyber threats pose for insurers themselves. The opportunity is the growing threat it poses to everyone else—and the opportunity insurers have to provide solutions that will help businesses and individuals mitigate that risk.
In this, the first of a six-part blog series, I’d like to discuss the shape of the cyber opportunity and how insurers can ride this—the third and biggest wave of cyber insurance to hit the market yet.
Sizing up the opportunity
According to Allianz, premium income from cyber security will rise to $20 billion by 2022. That’s a big jump from researchers’ current estimate of $3 billion gross written premiums. But cyber security is not something insurers want to attempt on their own—they will need to acquire, grow or partner for the advanced cyber security skills and capabilities they will need to:
- Comprehend and quantify cyber risk
- Provide customers with appropriate cover
- Know how to limit liability
How big is the cyber threat and how fast is it growing?
Cyber threats are evolving fast. Three main features underscore the dynamic nature of cyber risk, says SwissRe in its research paper Cyber: Getting to grips with a complex risk. These are: the growing speed and scope of digital transformation, the widening sources of vulnerability from hyper-connectivity, and the evolution of threat actors.
The same interconnectedness of everything—from smart cars, homes, mobile devices, TVs, medical devices, and everyday embedded devices like routers and webcams—that brings us the improved and enhanced experiences we crave is growing cyber risk for consumers, end users and, by extension, businesses. And, as more business infrastructure is connected, the ‘attack surface’ is growing, further increasing risk.
The price we will pay? Cybersecurity Ventures says the global cyber security market will grow to more than $120 billion in 2017, up from just $3.5 billion in 2004. Gartner puts that figure at $93 billion in 2018 while Juniper Research says the worldwide cost of data breaches will exceed $2 trillion by 2019, four times the cost in 2015. Cybersecurity Ventures put that figure at $6 trillion annually by 2021.
Those breaches will occur through vulnerabilities in IT and network infrastructure, but also through exploitation of security weaknesses in smart devices and assets. However, it’s the form in which cyber threats are now arriving that tells us that a defensive stance alone will not be enough.
Ransomware, IoT botnets and the work of hacker groups are currently raising alarms to unbearable decibel levels.
Ransomware—makes you wanna cry
For 2017, Cybersecurity Ventures predicts global ransomware damage costs will exceed $5 billion. The WannaCry ransomware made headlines in May 2017 when it hit over 200,000 systems in 150 countries, including the UK’s National Health Services. To do so, it used an exploit to take advantage of a known flaw in the Microsoft operating system. While security specialists found the kill switch on this one, new ransomware variants and tactics continue to emerge.
Taking advantage of known flaws has become big business for cyber criminals.
Kaspersky Lab reports that worldwide an individual is hit with a ransomware attack every 10 seconds, and a business every 40 seconds. Most recently, it reported that mobile ransomware has grown by over 250 percent during the first few months of 2017. The kicker? Don’t think the hacker targeting you or your company is a coding whizz. Kaspersky says ransomware-as-a-service is on the rise, with enterprising individuals and groups enabling anyone to carry out attacks by providing them with specialized malware and resources in as-a-service schemes.
How does ransomware infect a system? Via malicious software, also known as malware. The expanding and converging network of personal and business devices is exposing a soft underbelly that is an attractive target for cyber criminals. In Q1 2017, six in 10 malware payloads were ransomware, according to Malwarebytes.
But ransomware is just one facet of the threat malware poses.
The Mirai malware has provided a rude awakening to an unaware public and a less than vigilant vendor community selling connected and connectable ‘things’.
Mirai—the future of malware
Mirai, Japanese for ‘the future’, spreads to vulnerable devices by scanning the Internet for IoT systems protected by factory default usernames and passwords (e.g., routers and IP cameras). It then uses these devices as part of a botnet in large-scale distributed denial of service (DDoS) and spam attacks. The source code for Mirai has been published in hacker forums as open-source and has since been adapted for use in other malware projects.
We know systems are interdependent and threats can enter via partner and supplier networks, but this puts a new perspective on the kinds of risk that cyber insurers may want to build into their risk models for consumers, vendors, businesses and service providers.
Hacker enterprise – maximize exploit
And I have one more example to offer: the threat that groups like the Shadow Brokers present.
In 2013, they hacked the National Security Agency (NSA). In 2017, they published a series of hacking tools and computer exploits, presumably information obtained from their 2013 heist. The information included exploits for major vulnerabilities in Cisco routers, Microsoft Windows, and Linux mail servers. It sent vendors, security providers and businesses into a frenzy. This info dump also gave the authors of the WannaCry ransomware the exploit they needed—the EternalBlue exploit for the Windows operating system was one the NSA was aware of and was using for its own purposes. Shadow Brokers also published the working directory of an NSA analyst breaking into the SWIFT banking network. That’s a lot of hacking tools hand-delivered to cyber criminals.
Kaspersky believes the extent of the fallout from these published hacking tools and exploits has yet to be accounted for. “What were attackers able to gain with these exploits on hand? What sort of implants may lie dormant in vulnerable devices,” it asks.
A lot of hacking tools have been hand-delivered to cyber criminals.
The fallout has yet to be accounted for.
A third wave of cyber insurance hits
My colleague Uwe Kissman, a seasoned security professional and Managing Director, Cyber Security Services at Accenture, notes that in 18 years, this current wave of cyber insurance—the third—is the biggest yet.
The first wave got a tepid response because businesses were oblivious to the threat. The second fell flat as businesses chose to invest in security infrastructure rather than cyber insurance. Today, however, high profile breaches have made both insurance and business leaders keenly aware of the potential business and financial impacts. The magnitude of the threat is being emphasized by the emergence of new industry and government regulations around cyber security.
However, cyber insurance is not an easy offering to design.
In my next post—Cyber insurance: three ways to reduce carrier risk—I take a closer look at the three key elements that will assist insurers to provide risk cover in a hyper-connected world while also managing the potentially massive risk to their own businesses.
For more on the cyber security conundrum for insurers, and to get detailed insight into Accenture’s research, read this report.