shutterstock / portraitimagesasiabynonwarit
Traditional warfare has shaped the political and economic fortunes of continents, nation-states and cities, but are we entering a new age where battles for power will take place in cyberspace. What are the implications for insurers, asks George Thomas of PwC Bermuda.
“Silent” cyber and non-affirmative cover of cybersecurity incident-related claims are under extreme scrutiny. Long-accepted industry norms are being tested on several fronts including in a prominent $100 million lawsuit addressing payment for a claim related to 2017’s NotPetya cybersecurity attack filed against a major insurance carrier by a global consumer products company.
The case hinges on the interpretation and application of a “wartime” exclusion given the widely accepted understanding of NotPetya’s origin and purpose, an offensive weapon designed and deployed by Russia to inflict damage on Ukraine. The court’s ruling, in favour of either party, may substantially shape the insurance landscape.
Insurance carriers and companies that need cybersecurity cover can be informed by putting cyberspace and cybersecurity in a broader context: military history.
The new paradigm
Warfare across the globe has directly shaped the political and economic fortunes of continents, nation states and cities. Throughout most of human history, warfare has been confined to three theatres: land, sea, and air, with a fourth theatre—space—evolving out of the Cold War after World War 2 and the development of Intercontinental Ballistic Missiles (ICBMs).
Cyberspace represents the fifth theatre of warfare and military forces around the world have developed offensive and defensive capabilities. Nation states have engaged in offensive cyber attacks for a variety of sharply targeted reasons ranging from North Korea hacking Sony Pictures in response to movie content and Russia crippling utility grids and influencing elections in Ukraine. While there is substantial circumstantial evidence and reports of attribution from credible authorities, neither North Korea nor Russia has claimed responsibility for these actions.
The first widely reported offensive cyber weapon, Stuxnet, dates back to 2010. It targeted a specific class of supervisory control and data acquisition (SCADA) industrial systems of software and hardware elements in centrifuges used by the Iranian nuclear programme for separating nuclear material. While this highly specialised cyber weapon was effective in inflicting damage on its intended targets in Iran, Symantec reported that more than 40% of Stuxnet hits were outside of Iran. Almost a decade after its discovery, no country or entity has claimed responsibility for Stuxnet.
Clear examples of the recognition of the importance of effective cybersecurity capabilities by western nations abound, including communications from the UK’s Government Communications Headquarters (GCHQ) and US Cyber Command.
In a March 29, 2019 Wall Street Journal article titled FBI, Retooling Once Again, Sets Sights on Expanding Cyber Threats, it was reported that the FBI plans to “retrain and refocus special agents to combat cyber criminals, whose threats to lives, property and critical infrastructure have outstripped US efforts to thwart them”.
Amy Hess, head of the FBI’s criminal, cyber, response and services branch is quoted in the same article, stating: “The future of cyber, that’s the future of the organisation. That’s the future of the world. We’ve got to be thinking about how our adversaries think about cyber—whether it’s a nation state or just an individual criminal for-profit type of attack.”
Dealing with the risk
PwC’s most recent Global State of Information Security Survey: https://www.pwc.com/us/en/services/consulting/cybersecurity/library/information-security-survey.html) highlights that as cybersecurity spending worldwide continues to grow, decision-makers struggle to treat cyber risk as an enterprise business risk that carries the same weight as traditional issues such as finance.
Traditional strategic cybersecurity planning is an imperfect art that often involves coalescing disparate data sources from technical reviews, compliance or controls-based risk assessments, security audits and applying a practitioner’s judgement to prioritise areas of focus and investments. This is no longer sufficient: cyber risks evolve by the hour and budgets, spending and hiring receive greater visibility and scrutiny.
Organisations are turning to techniques commonly used in the financial services sector to build advanced risk models using statistical and probabilistic techniques to measure cyber risk exposure and risk investments. These advanced cyber risk models, called cyber value-at-risk (CyberVaR), consider the interlocking dependencies among three main factors: vulnerabilities, strategic assets and the profile of attackers.
Understanding the potential consequences of cyber risks will require that businesses perform a thorough assessment of their unique threats, cybersecurity readiness and the value at stake.
In March, Bermuda hosted a NetDiligence Cyber Risk Summit, which was well attended and covered a broad range of topics. One panel of particular interest on cyber reinsurance and retrocession markets included Bermuda-based Ari Chatterjee of Envelop Risk and Oxford-based Raveem Ismail of Fractal Industries, co-authors of a thought-provoking 2018 paper: PTBA: Risk Selection In Cyber Insurance Underwriting.
Their paper describes a methodology to quantify and measure the probability that a firm will be attacked as the expected income for an attacker as a function of the type and amount of sensitive data that can be gained. This type of dynamic thinking and modelling will become increasingly essential in accurately pricing cybersecurity risks.
The world of insurance is watching a landmark case filed on October 10, 2018 in the Circuit Court of Cook County, Illinois. The plaintiff, Mondelez International, filed a complaint against Zurich American Insurance stating in the complaint: “In this insurance coverage action, Mondelez seeks relief for Zurich’s breaches of its contractual obligations to Mondelez under an all-risk property insurance policy...”
This case hinges on the interpretation and application of a “wartime” exclusion and will undoubtedly set a powerful precedent.
As the internet of things (IoT) moves toward the core of digital business, the integration of security domains—IT, OT and consumer technologies—will likely introduce game-changing hazards. These potential risks include disruption in the information flow among connected devices, physical interference with equipment, impacts on business operations, theft of sensitive information, compromise of personal data, damage to critical infrastructure, and even loss of human life.
Beyond security, many privacy issues surround IoT implementation, particularly related to the collection, storage and use of data flows of information acquired through the use of these devices. When the collection and use of IoT data includes personal information—or if the information collected can be used to paint a detailed picture of an individual’s activities—businesses must then consider the privacy risks associated with processing this data.
Indeed, as internet-connected devices proliferate—ranging from smartphones to fitness trackers to cars and manufacturing floors—IoT security and privacy have become a new business priority.
Prudent boards of companies and insurance carriers will have to use evolving assessment and quantification techniques to effectively manage cybersecurity risks. Leveraging new thinking and new tools including PwC’s CyberVAR can help companies address cybersecurity and its increasingly disruptive impacts.
George Thomas is a senior adviser at PwC Bermuda. He can be contacted at: firstname.lastname@example.org
The NotPetya attack
The unprecedented global business interruption impact of the NotPetya cyber attack and magnitude of claims paid by insurers has sharpened focus on cybersecurity and cybersecurity insurance.
Multinational organisations across a broad range of industries and sectors were directly affected, including pharmaceutical giant Merck, global law firm DLA Piper, the world’s largest advertising firm WPP, and TNT Express, a division of the global logistics leader FedEx.
A.P. Møller-Maersk, a global leader in shipping and logistics, estimated that NotPetya cost in excess of $500 million in lost business and cleanup.
The attack caused major disruptions in normal, essential business activity. Seafaring vessels are responsible for the carriage of about 80 percent of world trade, making safe, secure and on-schedule deliveries a critical part of economic activity.