The recent Equifax incident was by all measures a significant cyberattack. As the press statement released by Equifax on September 8 highlighted, the data theft potentially impacted approximately 143 million U.S. consumers. To put this into perspective this represents nearly 70 percent of the U.S. working population.
However, we should not be surprised. RMS tracks data theft among other types of cyber events on an ongoing basis, and we have seen numerous events of this magnitude or larger over the last few years. This Equifax breach would have ranked just #7 on the list of the largest data breaches in the 2017 RMS Cyber Risk Landscape report.
Equifax confirmed that hackers gained access to their network through a popular open-source software package called Apache Struts, that powers some of its Web-facing applications. The hackers utilized a vulnerability that was spotted in March this year, which was then patched by Apache within a few days.
Once inside the Equifax network, during a two-month period the hackers accessed birth dates, addresses, driver’s license numbers and social security numbers of U.S. consumers, as well as 209,000 credit card numbers. The breach was not solely limited to American consumers, the hackers had also illegally accessed data from consumers in the U.K. and Canada.
The attack was discovered by Equifax’s security team on July 29, as they observed suspicious network traffic associated with its U.S. online dispute portal web application. The team blocked the suspicious traffic, and a day later the affected web application was taken offline. Upon discovering a vulnerability in the Apache Struts web application framework as the initial attack vector, Equifax patched the affected web application before bringing it back online.
Since the attack, Equifax have engaged specialist cyber security experts to assist with the investigation, in addition to working with the FBI and the U.S. Federal Trade Commission. It has also seen the departure of both Equifax’s Chief Information Officer and Chief Security Officer.
What Is the Impact for Insurers?
According to the RMS® Cyber Accumulation Management System model, a company such as Equifax could reasonably expect to lose around US$109 million from an event of this magnitude, although this could increase to in excess of US$250million. The typical types of cover triggered by these attacks include incident response costs, notification and ongoing monitoring of consumers, regulatory and defense costs, and business interruption. Given the sensitivity of this case it is likely Equifax will suffer substantial litigation, with many class action lawsuits already taking place.
Insurers would typically protect themselves against large single company losses with the use of controlled limits and sub limits. We would expect these limits to be saturated in this event.
In addition to the losses suffered by Equifax and their insurers, the growing market for personal lines cyber insurance is also likely to suffer losses. Where data of this nature has been stolen in the past, we have seen a noticeable increase in identify theft attempts, costs of which are typically covered under personal lines cyber policies. Once this data is stolen, criminals use it for identify fraud, filing of fraudulent tax returns, loan applications, counterfeit cards, and even extortion and blackmail attempts.
Does This Change the Likelihood of Systemic Cyber Catastrophe?
While this breach is extremely significant, in the view of RMS it does not reflect a significant change in the potential for a systemic cyber catastrophe. Attacks utilizing unpatched software are unfortunately all too common. As we saw with the recent WannaCry malware attack that utilized a Microsoft flaw, it highlights the need for insureds to keep updated on the latest security announcements from product vendors, and to ensure patches are deployed quickly and effectively.
High profile attacks such as Equifax will always attract great attention from the media and the insurance industry, but this underlines the importance of effective modeling for cyber risk to be able to both keep up with the latest threat trends and to ensure that cyber incidents are always put into context.