logo image

The event is arguably the most significant cyber-catastrophe to date and clearly demonstrates the systemic nature of cyber risk. A single vulnerability was utilized to spread malware to over 300,000 machines in over 150 countries causing havoc to industries as diverse as hospitals and car manufacturers.

The cyber extortion campaign we saw on Friday May 12, whilst unprecedented in its spread, was not unexpected. As part of its Cyber Accumulation Management System, RMS models this type of campaign as just one of numerous extreme but plausible cyber-catastrophes that could occur. Over the coming days, RMS will continue to monitor the situation and provide updates to clients to assist in calculating the potential impact of this event.

Fair use Wikipedia

What We Know So Far

In terms of significant malware, WannaCry has reached the same notoriety as the “MyDoom” and “ILOVEYOU” worms and viruses of history.

A ransomware strain named WannaCry started infecting machines globally on Friday May 12. WannaCry uses standard malware infection techniques of a malicious email attachment to infect Windows machines and encrypt all files on the system. A message notifies the user and offers an encryption key in return for a ransom to be paid in Bitcoin. A seven-day timer is started after which time data will be deleted. This is typical of the types of malware attacks that have been increasingly seen over the last 18 months.

What made this ransomware particularly virulent was its utilization of a vulnerability in Windows which enabled its spread to other Windows machines on the network. This vulnerability was originally identified by the U.S. National Security Agency (NSA) and released by a group known as the Shadow Brokers earlier this year. Microsoft released a patch for this vulnerability on March 14, however the infection rates of WannaCry show that this patch was certainly not applied by all.

A security blogger based in the U.K. called MalwareTech identified an effective “kill switch” for this particular virus. By registering the domain name the malware was pinging, it effectively deactivated the virus and stopped its spread.

Impacted Insurance Coverages

Cyber extortion is offered within 74 percent of cyber policies on the market today and clearly represents a potential cause of loss for insurers. Fortunately, ransom payments have totaled only a modest $80,000 so far. However, with a day or so left on the WannaCry timer clocks, it is expected this amount will increase.

Ransom payments are only a small proportion of the total losses that insurers stand to lose. Responding to this event will likely trigger policies that provide coverage for incident response, business interruption (BI) and data and software loss. With several large manufacturers, hospitals and telecoms providers disclosing downtime, the majority of losses for insurers will most likely be represented by BI.

This is not just an issue for cyber insurers. With such a soft property market, several insurers have offered non-damage BI coverage that may trigger. Insurers with Kidnap and Ransom books may also want to look closely at their policies wordings to see whether they are exposed.

Reaction from the Market

For the insurance industry, it is too early to count the cost of this cyber-attack, but it was interesting to get the reaction from close to 200 attendees who joined us at our RMS Cyber Risk Seminar in New York on Monday 16 May, just three days after the event.  Unsurprisingly, there was a great deal of discussion and questions about WannaCry. How did it happen? What will the impact be? How can we better protect ourselves? But despite the big questions, the mood was one of cautious optimism, as Reactions reported from the seminar.  One important reason given for this is that the vast majority of cyber premiums (around 90 percent) are written in the U.S., whilst the largest impact of this event appeared to be targeted in Europe and Asia.

What is clear from this event though is that the scale of the infections will act as a jolt in the arm to potential cyber insurance purchasers leading to an increased take up of cyber insurance products.

Could It Have Been Worse?

It is still early days but it does appear this could have been a lot worse. Rather than being a true “zero-day” vulnerability, the WannaCry virus utilized a vulnerability that had been patched by Microsoft a full 60 days prior. This gave many companies the opportunity to secure their networks before the attack started. In addition, the presence of a kill switch within the software (in the form of a remote polling web site) allowed security experts to control the spread before too long.

Should this event have used a true zero-day and without the presence of a kill switch, it’s fair to say the scale of this event would have been many orders of magnitude higher.

Share:
You May Also Like
October 10, 2019
Cyber Risk Seminars Introduce New Solutions to Address Evolving Threat Landscape

During September, RMS ran a series of cyber risk seminars in London and New York. These half-day events coincided with the release of RMS Cyber Solutions version 4.0 and featured both RMS and industry experts discussing cyber risk and the opportunities for the cyber insurance industry. At both events, the day kicked off with Dr. Andrew Coburn, senior vice president for RMS, examining recent developments within the cyber risk landscape by outlining the approach RMS takes to tracking and categorizing the wide range of evolving threat actor groups. He also proposed some key future trends, such as the potential impact of a “gloves-off” nation-state cyberattack and its implications for the cyber insurance industry. Former ethical hacker Eireann Leverett dug deep into the topic of contagion mapping and how hacking groups – both good and bad, are utilizing innovative techniques to map out the digital world. He also touched on the growing use of deepfakes in spear phishing attacks, whereby executive identities are faked to trick employees into fraudulently transferring funds out of the business. To provide the industry’s perspective, we were delighted to be joined by two expert panels in London and New York discussing the cyber market and the role of models to support growth. Thanks to Jamie Pocock (Guy Carpenter), Laila Khudairi (Tokio Marine Kiln), Rory Egan (Munich Re), and Kirsten Mitchell-Wallace (Lloyd’s) for participating in London, and to Anthony Shapella (AIG), Jon Laux (Aon), and Kara Owens (Markel) in New York. RMS Cyber Risk Seminars held in London (left) and New York (right)For the second half of the agenda, members of the RMS cyber team focused on the release of RMS Cyber Solutions version 4.0. This release features substantial enhancements to the RMS model and capabilities across several key areas including exposure data enrichment, expanded model data sources, and new stochastic modeling approaches to quantify cyber risk. Dave Gatey, senior director – modeling for RMS, revealed how new modeling methods, such as agent-based modeling and multi-compartment models were being used in RMS Cyber Solutions v4. Chris Vos, lead modeler for RMS, took to the stage in New York, and myself in London, to give context as to how these improvements to the model and software will assist clients in understanding their cyber risk and therefore making better decisions for their business. In New York, the RMS cyber seminar was followed by a half-day terrorism seminar. Introducing RMS Cyber Solutions Version 4.0 For many insurers, obtaining complete and accurate exposure data from cyber submissions remains a challenge. Often, these submissions are missing key information such as business revenue, profit, or business sector – all attributes that are critical to understanding the potential effect of cyber events. To address this, RMS has released a company database consisting of 13 million companies across 30 countries, alongside a data enrichment engine that uses a custom similarity matching algorithm to allow users to enrich their exposure data. This will help ensure the inputs into the model are as accurate as possible, reducing model uncertainty, and minimizing an insurer’s data collection efforts. Although historical data does not show you the whole picture when it comes to cyber risk, it is still critical to inform the lower return period scenarios. To enable this, RMS has invested substantially in automating our historical event data collection techniques by employing bespoke machine learning algorithms that extract event data from hundreds of thousands of unstructured data sources. These new data sets cover multiple event types including breach, malware, ransomware, and cloud outages and allows our v4 model to be run at a significantly increased level of granularity, supporting greater risk differentiation. RMS has continued to research the causal processes that drive cyber risk, working closely with our partners across cybersecurity and academia, to map out and build simulations of these underlying processes. By stochastically modeling these individual components and applying game theory models to explore threat actor behavior, we can extract probabilities associated with both short- and long-tail cyber events. Investing in Cyber-Physical Loss Models Finally, RMS has maintained its substantial investment in cyber-physical loss models. These models take data from the EDM (the RMS property exposure data store) and other casualty classes to quantify the impact of clash-type cyber catastrophe events such as power blackouts. This allows insurers to explore the potential for silent cyber losses across their business, supporting regulatory reporting. Many insurers are exposed to this type of cyber risk, even if they don’t write affirmative cyber insurance policies. These new insights and models continue to be delivered within an open modeling framework, allowing complete transparency into each of the modeling components. This transparency allows users to validate each component and create custom models to support their own view of risk. This new solution from RMS represents a significant step forward for the insurance industry to model its cyber risk. For more information, please contact cyberrisk@rms.com.…

cyber event
July 03, 2019
The Future of Cyber Risk
Tom Harvey
Tom Harvey
Head of Cyber Product Management, RMS

Tom is the Head of Cyber Product Management for RMS, and since early 2015 has worked together with the Cambridge Centre for Risk Studies and RMS’ development partners to bring the RMS Cyber Accumulation Management System and subsequent RMS Cyber Solutions to the market. Tom joined RMS in 2013 as a technical sales expert assisting a number of leading (re)insurers further their catastrophe management practices.

Prior to joining RMS, Tom spent 4 years at Hewlett Packard Software within the European presales team working closely with a number of HPS’ IT security products.

cta image

Need Help Managing Your Portfolio?

close button
Overlay Image
Video Title

Thank You

You’ll be contacted by an RMS specialist shortly.