Recently, the Internet experienced the sort of unprecedented event that insurers fear most—one that exposes a systemic vulnerability and could result in a massive number of claims. A distributed denial of service (DDoS) attack took down many of the world’s most popular websites (including Twitter, Spotify, GitHub, Netflix, and more) for a span of several hours, leaving many insurers asking themselves what impact the event might have on their portfolios of business.
To answer that question, let’s start by breaking down the risk and the nature of the attack.
Most websites use a domain name—air-worldwide.com for example—rather than the long string of digits that make up the Internet Protocol (IP) address it represents. Because the Internet is based on IP addresses, not domain names, websites rely on the Domain Name System (DNS) to translate domain names into IP addresses. Managed DNS providers, like Dyn, have become a popular option for many businesses for some of the same reasons cloud services have enjoyed success. However, the convenience of this service comes with a price for the system as a whole because it creates significant aggregation of risk around DNS providers.
Cyber criminals were keenly aware of this situation and took advantage of the proliferation of Internet-enabled devices to amass an army of bots capable of executing a large-scale DDoS attack against Dyn—an attractive target due to its position as a leader in managed DNS services. Dyn reported that the attack came in waves, and indications are that a system-wide outage was avoided so users could access the impacted websites in some regions. The first attack wave affected the East Coast of the U.S. for two hours. The second wave expanded to other regions across the globe and only lasted one hour; a third attack was attempted, but Dyn was able to mitigate the effects on its clients.
Gathering the right data
The impact for the cyber insurance industry appears to be minimal. Some observers have estimated that the attack caused USD 110 million in total business interruption loss, most of which is unlikely to hit insurers’ balance sheets since deductibles may be higher than the amount of downtime experienced. However, this event does serve as a reminder to insurers of the importance of managing the aggregation of cyber risk with respect to third-party service providers, and ensuring the data necessary to model the risk is readily available.
By collecting data on who the insured’s DNS providers are and the amount of revenue that is dependent on the company’s Internet activities, insurers have the means to use enhanced methods for managing accumulation risk. The amount of revenue dependent on the DNS provider’s service is a key driver for modeling the business interruption loss per day; while industry averages can be used to generate estimates, knowing the actual numbers for a company provides a more accurate view of the risk. AIR has developed a Cyber Industry Exposure Database that includes detailed information (such as DNS provider) for millions of companies worldwide and can be used to augment data within a portfolio of business for modeling and risk assessment.
Could this type of attack happen again?
The answer is undoubtedly yes. Cyber security experts believe this attack was meant to probe Internet infrastructure to examine interconnectivity. There are also reports that Mirai, the malware that turned devices into the bots used for this attack, recently became open source, allowing anyone to build their own botnet army made of Internet-enabled devices.
It behooves insurers, therefore, to continuously monitor their DNS service provider accumulations and test their books against this type of attack. With that in mind, AIR recently released an Open Source Cyber Scenario to deterministically model business interruption losses due to a DNS service provider outage. This scenario leverages the same framework used in the cloud service and payment processor scenarios so losses related to DNS downtime can be estimated with small modifications to the framework. SQL-savvy users can benefit from the open source nature of AIR’s scenario and follow this same approach to model other sources of third-party provider risk, such as content delivery networks and SSL certificate providers, among others. Will your organization be prepared to respond when the next cyber attack strikes?
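The accumulation check and deterministic outage scenario described above can be sketched as follows. This is an added example, not AIR's scenario or code: the table layout, the insureds and providers, and the loss rule (dependent revenue per hour, times outage hours beyond a waiting-period deductible, capped at the policy limit) are all assumptions made for illustration.

```python
import sqlite3

# Constructed portfolio; every insured, provider name and figure is illustrative.
# (insured, dns_provider, annual_revenue_usd, online_share, waiting_hours, limit_usd)
POLICIES = [
    ("RetailCo", "ProviderA", 365_000_000, 0.80, 8, 2_000_000),
    ("StreamCo", "ProviderA", 730_000_000, 1.00, 12, 5_000_000),
    ("TravelCo", "ProviderA", 73_000_000, 0.50, 4, 50_000),
    ("BankCo", "ProviderB", 182_500_000, 0.40, 6, 1_000_000),
]

# Assumed loss rule (not AIR's): revenue that depends on the provider, per hour,
# times the outage hours beyond the policy waiting period, capped at the limit.
SCENARIO_SQL = """
SELECT dns_provider,
       COUNT(*) AS insureds,
       SUM(annual_revenue_usd * online_share / 365.0) AS bi_exposure_per_day,
       SUM(MIN(limit_usd,
               annual_revenue_usd * online_share / 365.0 / 24.0
               * MAX(0, :outage_hours - waiting_hours))) AS insured_loss
FROM policies
WHERE dns_provider = :provider
GROUP BY dns_provider
"""


def dns_outage_scenario(provider, outage_hours):
    """Return (provider, insureds, exposure/day, insured loss) or None."""
    con = sqlite3.connect(":memory:")
    try:
        con.execute(
            "CREATE TABLE policies (insured TEXT, dns_provider TEXT, "
            "annual_revenue_usd REAL, online_share REAL, "
            "waiting_hours REAL, limit_usd REAL)"
        )
        con.executemany("INSERT INTO policies VALUES (?,?,?,?,?,?)", POLICIES)
        params = {"provider": provider, "outage_hours": outage_hours}
        return con.execute(SCENARIO_SQL, params).fetchone()
    finally:
        con.close()


if __name__ == "__main__":
    for hours in (2, 24):  # a two-hour wave versus a full-day outage
        print(hours, dns_outage_scenario("ProviderA", hours))
```

With these constructed figures, a two-hour outage stays inside every waiting period and produces no insured loss, while a full-day outage of the same provider hits all three insureds at once and reaches one policy limit.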