Cyber Business Interruption
Attacks on internet
unknown risks for
insureds and insurers
By Anne Freedman
The attack on internet infrastructure company Dyn was a wake-up call for cyber risk accumulation.
There are more than a billion websites on the internet but they rely on just a handful of companies to keep them operating. Confidence in the system’s resilience declined significantly in October 2016, when a massive distributed denial of service (DDoS) attack assaulted Dyn, a company that controls much of the internet
That DDoS attack, in turn, brought down major sites including Netflix, CNN,
Spotify, Airbnb, Twitter and many others in Europe and the U.S.
“At this point we know this was a sophisticated, highly distributed attack
involving tens of millions of IP addresses … across multiple attack vectors and
internet locations,” said Kyle York, Dyn’s chief strategy officer on Oct. 21.
The attacks originated from Mirai-based botnets via internet-connected
DVRs, video cameras and devices. Those attacks substantially disrupted service
at the managed DNS (domain name system) infrastructure for about two hours
from about 11 a.m. to 1 p.m. GMT, and again from about 4 to 5 p.m. GMT, with
residual impact until about 8: 30 p.m. on Oct. 21.
Then, to add more uncertainty, came the outages on Feb. 28 connected to
Amazon Web Services. Although this was due to human error — apparently a
coding error — rather than maliciousness, the result was the same: Companies,
large and small, including Netflix, Airbnb, the Securities and Exchange
Commission and Expedia, became inaccessible or their sites ran like molasses.
The problem, affecting mostly the East Coast, lasted from about 12: 30 p.m. to
about 4 p.m. ET.
“I definitely think [internet outages] will continue to happen,” said Nick
Economidis, underwriter at Beazley. “I think there are some unknown risks out there.
“We are dealing with new exposures and new risks that we don’t have the
background for, and I think there are going to be some surprises. … I think Dyn
caught a lot of people’s attention.”
Dan Burke, vice president and cyber product head at Hiscox USA, agreed.
“I think this is an attack vector we will continue to see for the foreseeable
future, based on the ease in which one can initiate such attacks. … Just the sheer
volume of devices that can be compromised and used to launch these attacks —
there are such economies of scale in this space that we will continue to see this
happen,” he said.
Such broad internet outages affect insureds and insurers alike, and the potential
downside could be devastating.
For insureds, it’s the concern that their losses, which could last for months after
an outage, will not trigger coverage in their policies. For insurers, it’s the fear of a
catastrophic accumulation of cyber exposures.
LOW LIMITS OR LACK OF COVERAGE
Steve Bridges, senior vice president of cyber risk and E&O, JLT Specialty
USA, said that for many companies, a business interruption loss due to an outage
at a cloud partner or ISP would only be covered if caused by a security failure and
then only with a sublimit under most cyber policies.
The reason? Fear of risk aggregation, he said. “[Insurers] could have a
catastrophic loss across industries and a bunch of different policies,” Bridges said.
“The cyber insurance marketplace is starting to extend contingent/dependent
business interruption to include system failure triggers and to offer higher limits,
but is wary about the impact of these aggregate loss situations,” he said.
For companies that offer significant CBI coverage, an extended cyber event
affecting an ISP or cloud provider could result in them paying huge claims to
their insureds resulting from an event affecting a company they didn’t underwrite
or insure, Bridges said.
And with the lack of standardization of cyber policies, many insureds are
uncertain if they even have coverage.
Plus, insurers have limited experience adjusting cyber BI or CBI claims. There
haven’t been that many, and adjusting them is quite different than data breach or
privacy claims that have become more common.
“I’m not getting a feeling
that insurance companies
themselves have a good idea
of how to aggregate these
—Fred Eslami, senior financial analyst, property
and casualty, A.M. Best