logo image

The cyber risk landscape is constantly changing. In the last few weeks alone we’ve seen potentially game-changing events with the release of U.S. National Security Agency hacking tools through the shadow brokers auction, and one of the most significant Denial of Service (DDoS) attacks ever seen when millions of Internet of Things devices were hijacked to target a major piece of Internet infrastructure taking hundreds of websites offline. In this blog I’ll discuss some of the constant ebb and flow of attack verses defense through the lens of the five cyber loss methods currently modeled by RMS.

Data Breaches

The loss of 500 million records in a single cyberattack represents the largest data breach event in history – so far, at least. The recent Yahoo hack, and the potential impact on the proposed Verizon takeover, has sent another stark reminder to industry executives of the dangers surrounding data breaches.

It may have been the biggest single hack ever in terms of records lost, but it’s hardly an isolated one. The leak of the Panama Papers was significant in terms of size – but also led to huge political fall-out globally as politicians were implicated in secret offshore funds, with the resignation of the Icelandic prime minister.

Governments and public agencies themselves have also been targeted in the U.S., Mexico, and the Philippines, for example. One of the most significant breaches affected Turkey, with the release of nearly 50 million records from the country’s General Directorate of Population and Citizenship Affairs, which included addresses, birth dates, and most troublingly, national ID numbers.

These individual large events fit within the observed pattern for 2016 so far, with less frequent cyber data hacks, though ones of higher severity.

Denial of Service Attack

2016 has been another active period for Denial of Service (DDoS) attacks. Going into the year we’d seen signs of a downwards trend. However this was spectacularly reversed in the first quarter which saw 19 attacks greater than 100 gigabits per second. Gaming and software industries continue to be most heavily impacted. Furthermore, we’re seeing a growing number of companies attacked repeatedly – on average, each targeted company was attacked 29 times, but with one company being attacked 283 times!

Frequency aside, the increasing complexity of attacks is most disturbing. 59% in the first quarter of 2016 were “multi-vector” attacks which require unique mitigation controls for each attack vector, as seen in the recent DDoS attack on Dyn, the DNS provider. If this trend continues we can expect existing defenses to be less effective against DDoS, and therefore disruption to be increased.

Cloud Provider Failure

With the leading cloud providers continuing to achieve double and even triple-digit year-on-year growth, the clear trend of companies moving their services to the cloud is continuing apace. Though overall trends have seen a decrease in the annual downtime, 2016 has seen several small but significant failures including an Amazon Web Services outage in Australia, Salesforce in both the U.S. and Europe and a Verizon issue that impacted among others JetBlue Airways. As these cloud services become more popular, the accumulation of risk to both business interruption and data loss is becoming ever more severe as more companies become increasingly reliant on the cloud.

Financial Transaction Theft

Perhaps the most audacious cyber-attack of the past year was when almost US$100 million was stolen from Bangladesh’s central bank and transferred to accounts in Manila and the Philippines. Even more shocking, this money was stolen from the bank account at the U.S. Federal Reserve and was transferred using standard SWIFT financial transaction messages.

The largest cyber heist ever could have been even larger but for a misspelling, and it was this typo that raised the attention of the U.S. Federal Reserve Bank in New York. The perpetrators had attempted to withdraw $950 million over 35 separate transactions. A similar attack, using a vulnerability in the SWIFT messaging system, led to another multi-million dollar theft from a Ukrainian bank.

Perhaps more than any other sector, the interconnected nature of modern financial services leaves the industry open to large scale systemic cyber losses.

Cyber Extortion

Ransomware attacks are continuing to become more frequent and more complex in 2016. One alarming pattern has seen an increased targeting of healthcare institutions where we’ve seen multiple hospitals in California and Kentucky in the U.S. and in Germany, all being attacked. In one particularly un-ethical incident the Hollywood Presbyterian Hospital had to pay out around $17,000 to regain access to their systems.

The more sophisticated software now being used to perpetrate attacks is starting pay dividends for the hacking groups. The “Jigsaw” malware, for example, threatens to delete an increasing number of files after every hour of nonpayment. Encryption type malware has become the norm – and targeted, business-focused malware is growing as evidenced by the “Samsam” scheme which targets unpatched server software.

Incorporating Into the RMS Cyber Model

RMS is continuing to monitor the broad spectrum of cyber-attacks that are impacting thousands of companies every month. During a recent online seminar, the RMS cyber team shared some of these key trends outlined in this blog, and discussed the impacts on cyber insurers. Through the RMS Cyber Accumulation Management System, RMS is continuing to incorporate these insights into our modeling to provide the most comprehensive and accurate view of cyber risk.

Share:
You May Also Like
October 10, 2019
Cyber Risk Seminars Introduce New Solutions to Address Evolving Threat Landscape

During September, RMS ran a series of cyber risk seminars in London and New York. These half-day events coincided with the release of RMS Cyber Solutions version 4.0 and featured both RMS and industry experts discussing cyber risk and the opportunities for the cyber insurance industry. At both events, the day kicked off with Dr. Andrew Coburn, senior vice president for RMS, examining recent developments within the cyber risk landscape by outlining the approach RMS takes to tracking and categorizing the wide range of evolving threat actor groups. He also proposed some key future trends, such as the potential impact of a “gloves-off” nation-state cyberattack and its implications for the cyber insurance industry. Former ethical hacker Eireann Leverett dug deep into the topic of contagion mapping and how hacking groups – both good and bad, are utilizing innovative techniques to map out the digital world. He also touched on the growing use of deepfakes in spear phishing attacks, whereby executive identities are faked to trick employees into fraudulently transferring funds out of the business. To provide the industry’s perspective, we were delighted to be joined by two expert panels in London and New York discussing the cyber market and the role of models to support growth. Thanks to Jamie Pocock (Guy Carpenter), Laila Khudairi (Tokio Marine Kiln), Rory Egan (Munich Re), and Kirsten Mitchell-Wallace (Lloyd’s) for participating in London, and to Anthony Shapella (AIG), Jon Laux (Aon), and Kara Owens (Markel) in New York. RMS Cyber Risk Seminars held in London (left) and New York (right)For the second half of the agenda, members of the RMS cyber team focused on the release of RMS Cyber Solutions version 4.0. This release features substantial enhancements to the RMS model and capabilities across several key areas including exposure data enrichment, expanded model data sources, and new stochastic modeling approaches to quantify cyber risk. Dave Gatey, senior director – modeling for RMS, revealed how new modeling methods, such as agent-based modeling and multi-compartment models were being used in RMS Cyber Solutions v4. Chris Vos, lead modeler for RMS, took to the stage in New York, and myself in London, to give context as to how these improvements to the model and software will assist clients in understanding their cyber risk and therefore making better decisions for their business. In New York, the RMS cyber seminar was followed by a half-day terrorism seminar. Introducing RMS Cyber Solutions Version 4.0 For many insurers, obtaining complete and accurate exposure data from cyber submissions remains a challenge. Often, these submissions are missing key information such as business revenue, profit, or business sector – all attributes that are critical to understanding the potential effect of cyber events. To address this, RMS has released a company database consisting of 13 million companies across 30 countries, alongside a data enrichment engine that uses a custom similarity matching algorithm to allow users to enrich their exposure data. This will help ensure the inputs into the model are as accurate as possible, reducing model uncertainty, and minimizing an insurer’s data collection efforts. Although historical data does not show you the whole picture when it comes to cyber risk, it is still critical to inform the lower return period scenarios. To enable this, RMS has invested substantially in automating our historical event data collection techniques by employing bespoke machine learning algorithms that extract event data from hundreds of thousands of unstructured data sources. These new data sets cover multiple event types including breach, malware, ransomware, and cloud outages and allows our v4 model to be run at a significantly increased level of granularity, supporting greater risk differentiation. RMS has continued to research the causal processes that drive cyber risk, working closely with our partners across cybersecurity and academia, to map out and build simulations of these underlying processes. By stochastically modeling these individual components and applying game theory models to explore threat actor behavior, we can extract probabilities associated with both short- and long-tail cyber events. Investing in Cyber-Physical Loss Models Finally, RMS has maintained its substantial investment in cyber-physical loss models. These models take data from the EDM (the RMS property exposure data store) and other casualty classes to quantify the impact of clash-type cyber catastrophe events such as power blackouts. This allows insurers to explore the potential for silent cyber losses across their business, supporting regulatory reporting. Many insurers are exposed to this type of cyber risk, even if they don’t write affirmative cyber insurance policies. These new insights and models continue to be delivered within an open modeling framework, allowing complete transparency into each of the modeling components. This transparency allows users to validate each component and create custom models to support their own view of risk. This new solution from RMS represents a significant step forward for the insurance industry to model its cyber risk. For more information, please contact cyberrisk@rms.com.…

cyber event
July 03, 2019
The Future of Cyber Risk
Tom Harvey
Tom Harvey
Head of Cyber Product Management, RMS

Tom is the Head of Cyber Product Management for RMS, and since early 2015 has worked together with the Cambridge Centre for Risk Studies and RMS’ development partners to bring the RMS Cyber Accumulation Management System and subsequent RMS Cyber Solutions to the market. Tom joined RMS in 2013 as a technical sales expert assisting a number of leading (re)insurers further their catastrophe management practices.

Prior to joining RMS, Tom spent 4 years at Hewlett Packard Software within the European presales team working closely with a number of HPS’ IT security products.

cta image

Need Help Managing Your Portfolio?

close button
Overlay Image
Video Title

Thank You

You’ll be contacted by an Moody's RMS specialist shortly.