It’s possible that tens of thousands of websites across the world could be labeled as unsafe this October, potentially leading to business interruption losses for companies whose income relies on maintaining consistent traffic through their websites. This is because Google’s Chrome web browser (used by 60% of all devices according to Net Marketshare) will no longer recognize certificates issued by Symantec, which was the SSL (Secure Sockets Layer) certificate authority market leader at the beginning of last year.
Why Are Trusted SSL Certificates Needed?
SSL certificates are necessary for websites that require users to submit sensitive information such as passwords and credit card numbers because they provide secure, encrypted communication between those websites and web browsers. Certificate authorities issue these digital certificates and act as trusted third parties between a company’s website and the web browsers (and users) that connect to it. When the SSL certificate of a company’s website isn’t trusted by a web browser, the company can suffer significant financial damage.
According to a study, having unsecured certificates can result in large losses for a business. Nearly two-thirds (59%) of IT security professionals have admitted that their organization lost customers because they failed to secure the online trust established by keys and certificates. There are several reasons why this occurs:
- Browsers create visible cues, such as the error message in Figure 1, that discourage people from accessing untrusted websites
- System failures can occur when downstream services are blocked from accessing the websites they need to operate
In addition, there may be regulatory consequences. Payment Card Industry (PCI) rules require businesses to have an SSL certificate when credit card information is collected on a website. Noncompliance may result in fines from USD 5,000 to USD 500,000 imposed by banks and credit card institutions.
How Can Insurers Mitigate This Risk?
- Check policy wording. Some insurers don’t consider this event to be insurable because it is not a “fortuitous” event, meaning it isn’t happening by chance or unpredictably; other insurers feel differently. Because there is no widely accepted “standard” cyber policy, each insurer should verify whether this type of event is covered or excluded. Ultimately, the courts may decide the issue when the wording isn’t clear.
- Measure your portfolio accumulations. There is a possibility that this event could impact a large portion of an insurance portfolio. Insurers should find out which insureds rely on Symantec SSL certificates and aggregate their total exposed limit to understand the maximum loss potential.
- Identify drivers of accumulations. There may be a small group of organizations that produce most of the expected losses. Insurers should identify these organizations and engage with those they insure to take the necessary mitigation steps.
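Finding out which insureds rely on Symantec SSL certificates, as the second step above describes, comes down to inspecting the issuer and issue date of each site’s certificate. The script below is an added example, not code from the original post: it works on the certificate dictionary that Python’s standard `ssl` module returns from `getpeercert()`, so the constructed sample can be checked offline, while `fetch_peer_cert()` performs the same lookup against a live hostname. Matching on Symantec brand names in the issuer is an approximation (the authoritative test is whether the chain ends in a distrusted Symantec root); the December 1, 2017 cutoff is the date after which Symantec-branded certificates were issued from DigiCert-run infrastructure and are therefore not affected by Chrome 70.

```python
import socket
import ssl
from datetime import datetime, timezone

# Brands that were run from Symantec's legacy CA infrastructure. Matching on
# issuer name is an approximation (assumption); the authoritative check is
# whether the chain ends in a distrusted Symantec root.
SYMANTEC_BRANDS = ("symantec", "verisign", "geotrust", "thawte", "rapidssl")

# Chrome 70 distrusts legacy Symantec certificates issued before this date;
# certificates issued afterwards came from DigiCert-run infrastructure.
LEGACY_CUTOFF = datetime(2017, 12, 1, tzinfo=timezone.utc)


def _rdn_values(name, attr):
    """Collect values of one attribute (e.g. 'organizationName') from a
    getpeercert()-style name: a tuple of RDNs, each a tuple of (key, value)."""
    return [v for rdn in name for k, v in rdn if k == attr]


def assess(cert):
    """Return (affected: bool, reason: str) for one getpeercert() dict."""
    issuer = cert.get("issuer", ())
    issuer_text = " ".join(_rdn_values(issuer, "organizationName")
                           + _rdn_values(issuer, "commonName")).lower()
    if not any(brand in issuer_text for brand in SYMANTEC_BRANDS):
        return False, "issuer is not a Symantec brand"
    not_before = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc)
    if not_before < LEGACY_CUTOFF:
        return True, f"legacy Symantec certificate issued {not_before:%Y-%m-%d}"
    return False, "Symantec brand but issued from the new infrastructure"


def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Live lookup: return the server's leaf certificate as a getpeercert() dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample in getpeercert() format (not a real certificate).
SAMPLE_LEGACY = {
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Symantec Corporation"),),
               (("commonName", "Symantec Class 3 Secure Server CA - G4"),)),
    "notBefore": "Mar  3 00:00:00 2017 GMT",
}
```

Running `assess(fetch_peer_cert(host))` over the hostnames in a portfolio yields the list of insureds whose certificates Chrome 70 will stop trusting.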
Luckily, there is enough time to prepare for and mitigate this event, as it won’t be until the release of Chrome 70, expected on or about October 16, 2018, that any Symantec SSL certificates issued from the previous infrastructure will become invalid. By then it’s possible that many diligent website owners will have transitioned to another SSL certificate provider.
Even if this event doesn’t become the next internet apocalypse, its potential demonstrates the challenge insurers face when dealing with systemic cyber risk. Businesses today are more interconnected than ever before and the numerous sources of interconnectivity are often unknown until an incident occurs. Market forces prevent insurers from directly collecting the data needed from their insureds—but that’s a topic for a whole different blog. In the meantime, check out how analytics are helping insurers understand systemic cyber risk today.
Editor’s Note: This post was originally published on June 7, 2018.