Aggregated Cyber Risk: The Nightmare Scenarios
May 26, 2015
Editor's Note: In this article, we explore several kinds of cyber risk aggregation scenarios that could lead to catastrophic accumulated losses.
For those who insure against cyber risk, a cyber event that causes simultaneous losses to millions of clients is the stuff of nightmares. Several kinds of cyber risk aggregation scenarios could lead to catastrophic accumulated losses, and we discuss four of the major ones: power blackouts; hacking of a major credit card payment processing center; exploiting vulnerabilities in common operating systems and firmware; and hacking of a major commercial cloud service provider. A common thread that runs through all these scenarios is that the target of the hacker is very large, highly centralized, and has many, many users.
Power Blackout Scenario
Although many cyber hackers are focused on specific industries, some are focused on causing major disruption to business via a cyber attack on the power grid. An attack on the power grid, which is run by a common utility that drives electricity through a common network of power lines, could lead to business interruption losses across a large geographic area. Although this type of cyber attack has not yet happened (at least no blackout has been publicly attributed to it), it is plausible that such a power outage could cause an extreme aggregation loss and could be caused by the types of malware and viruses that hackers have already produced.
The Northeast Blackout of 2003, which impacted the U.S. and Canada, illustrates how a failure at a single location, in this case a control room in Ohio, can lead to a blackout impacting tens of millions of people. The blackout occurred when a software bug in FirstEnergy's energy management system was triggered and prevented controllers from hearing any alarms. The North American power grid is structured in such a way that this single failure cascaded to larger and larger geographic areas, leading to the loss of power to more than 55 million people. Even though power was restored to most locations within hours, losses to the insurance industry were estimated at USD 180 million by ISO's Property Claim Services®.
A piece of malware called Energetic Bear [1] is evidence that hackers have developed tools meant to infiltrate energy systems, including power grids in North America and Europe. Energetic Bear is delivered by emails that appear legitimate but, when clicked, infect the victim's computer. If an Energetic Bear attack is successful, the hackers have nearly unfettered access to the servers at power plants and complete control over their operation.
Why would hackers target the power grid? One can imagine state-sponsored hacks that could force other countries to purchase energy from preferred sources. Imagine, for example, that Country X usually purchases energy from Country Y. Country Z also produces energy, and decides to disrupt Country Y's infrastructure. Country Z's hope could be that Country X is now forced to purchase energy from Country Z.
Whether cyber insurance would pay out business interruption losses for a cyber-caused blackout is not clear. Some carriers suggest that their policies include specific provisions excluding utility failures from their cyber coverage. Other carriers are extremely concerned about such an aggregation scenario, not only for their cyber-specific exposures, but for their main property books of business. In addition to business interruption losses, a power failure in winter could lead to frozen pipes bursting. People who use generators may also face a risk of fire due to improper use.
Breach of Major Credit Card Acquirer or Payment Processor Scenario
In the United States alone, consumers hold hundreds of millions of credit and debit cards and use them for tens of billions of transactions every year. These transactions total trillions of dollars per year and are processed by just a few major processing centers [2]. Every one of these transactions is at risk for cyber wrongdoing, but it is also possible for millions of credit and debit card accounts to be simultaneously threatened. A brief synopsis of how card transactions are processed will help explain how such a scenario might occur.
Figure 1 is a simplified schematic of the life cycle of a single card transaction [3]. The process is as follows:
- Consumer presents card to merchant, who enters the card information into his payment system.
- The card data is sent to an acquirer and payment processor for routing. In principle, the acquirer and payment processor can be separate entities; in practice, these processors—at least the major ones—are one entity.
- The acquirer and payment processor route the transaction data to the governing brand (e.g., VISA, MasterCard, etc.).
- The governing brand forwards the data to the issuing bank, which verifies that the card account is legitimate and contains sufficient funds.
- If the issuing bank approves the transaction, it issues an authorization number for the transaction, and returns that number to the governing brand.
- The brand forwards the card data, along with the authorization number, back to the acquirer and payment processor…
- ...which, in turn, sends that information back to the merchant…
- ...who completes the transaction with the customer.
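The eight steps above can be followed in a small simulation that routes a batch of sales through one acquirer/processor and then counts how many distinct card numbers each party ended up handling in clear text. This is an added example, not code from the article: the merchants, brands, issuers, card numbers, balances and routing directory are all constructed.

```python
"""Toy model of the card authorization chain. Constructed example; entities,
card numbers and balances are fictitious. Each party records the PANs it
handled so that, after a batch, the exposure of each hop can be compared."""


class Party:
    def __init__(self, name):
        self.name = name
        self.seen_pans = set()  # PANs this party handled in clear text


class Issuer(Party):
    """Issuing bank: checks the account and funds, returns an auth number."""

    def __init__(self, name, balances):
        super().__init__(name)
        self.balances = dict(balances)
        self.next_auth = 1

    def authorize(self, pan, amount):
        self.seen_pans.add(pan)
        if pan not in self.balances or self.balances[pan] < amount:
            return None  # unknown account or insufficient funds: declined
        self.balances[pan] -= amount
        auth = f"{self.name}-{self.next_auth:06d}"
        self.next_auth += 1
        return auth


class Brand(Party):
    """Card brand: forwards to the issuing bank and relays its answer."""

    def __init__(self, name, issuers):
        super().__init__(name)
        self.issuers = issuers  # issuer name -> Issuer

    def forward(self, pan, amount, issuer_name):
        self.seen_pans.add(pan)
        return self.issuers[issuer_name].authorize(pan, amount)


class Acquirer(Party):
    """Acquirer/processor: the single hop every merchant's traffic passes."""

    def __init__(self, name, brands, directory):
        super().__init__(name)
        self.brands = brands        # brand name -> Brand
        self.directory = directory  # PAN -> (brand name, issuer name), constructed

    def route(self, pan, amount):
        self.seen_pans.add(pan)
        brand_name, issuer_name = self.directory[pan]
        return self.brands[brand_name].forward(pan, amount, issuer_name)


class Merchant(Party):
    def __init__(self, name, acquirer):
        super().__init__(name)
        self.acquirer = acquirer

    def sale(self, pan, amount):
        """Card in at step 1, authorization number (or None) back at step 8."""
        self.seen_pans.add(pan)
        return self.acquirer.route(pan, amount)


# Constructed directory and balances (not real card numbers).
DIRECTORY = {
    "4000000000000001": ("BrandV", "IssuerA"),
    "4000000000000002": ("BrandV", "IssuerB"),
    "5000000000000003": ("BrandM", "IssuerB"),
    "5000000000000004": ("BrandM", "IssuerC"),
}
BALANCES = {
    "IssuerA": {"4000000000000001": 100.0},
    "IssuerB": {"4000000000000002": 20.0, "5000000000000003": 300.0},
    "IssuerC": {"5000000000000004": 50.0},
}


def run_batch():
    """Route constructed sales through one acquirer; return the outcomes and
    the number of distinct PANs each party holds afterwards."""
    issuers = {n: Issuer(n, b) for n, b in BALANCES.items()}
    brands = {n: Brand(n, issuers) for n in ("BrandV", "BrandM")}
    acquirer = Acquirer("AcqOne", brands, DIRECTORY)
    merchants = [Merchant(f"Shop{i}", acquirer) for i in range(1, 4)]
    sales = [  # (merchant index, PAN, amount); second one exceeds its balance
        (0, "4000000000000001", 40.0),
        (1, "4000000000000002", 25.0),
        (2, "5000000000000003", 120.0),
        (0, "5000000000000004", 10.0),
    ]
    outcomes = [merchants[m].sale(pan, amt) for m, pan, amt in sales]
    parties = merchants + [acquirer] + list(brands.values()) + list(issuers.values())
    return outcomes, {p.name: len(p.seen_pans) for p in parties}


if __name__ == "__main__":
    results, exposure = run_batch()
    print("authorizations:", results)
    for name, count in sorted(exposure.items(), key=lambda kv: -kv[1]):
        print(f"{name:8s} holds {count} distinct card number(s)")
```

Even in this tiny batch the acquirer is the only party that has handled every card number; each issuer sees only its own accounts and each merchant only its own customers, which is the concentration the next paragraphs describe.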
Acquirer/processors represent the greatest sources of risk in the payment processing chain. From an insurance perspective, they are valuable and vulnerable. A small number of providers dominate the market; it is estimated that in 2010, the top 10 acquirers handled nearly 50% of the global transaction volume [4]. For domestic U.S. transactions, the market concentration is even more dramatic: The top five acquirers (Bank of America, Chase Paymentech Solutions, First Data, Citi Merchant Services, and Vantiv) together handled almost 58% of the transaction volume in 2011 [5]. The sheer volume of credit card data and transaction details transmitted through these acquirers and processors is daunting. They are trophy targets for cyber criminals; a successful attack could yield millions of credit card numbers. For the insurer, the financial consequences would be catastrophic.
In addition to containing valuable data, the large size of acquirer/processors makes them vulnerable. The things that allow them to leverage economies of scale and provide cost effective solutions to customers are the same things that necessarily soften them as cyber targets. Many of these companies are the result of mergers and acquisitions, during which multiple legacy technology systems were forced to interact. The combination of multiple systems often presents hackers with security vulnerabilities that the individual systems had protected against.
Compromised System Software Scenario
Firmware is software that resides inside a piece of hardware. For example, a laptop will include firmware that regulates its battery and controls the transfer of data to and from the hard drive. This software is not typically noticed by the user. Most firmware is vulnerable to hackers because it is not digitally signed, meaning that there is no way for the user of the machine to distinguish the original firmware from a corrupted, hacked version. Kaspersky Lab reports that the Equation Group—a highly secretive group of hackers suspected by some to be affiliated with the NSA and the distribution of Stuxnet [6]—used malware that could alter the firmware in hard drives produced by more than a dozen vendors. The corrupted firmware grants the hackers storage on the hard drive of the infected machine that is invisible to the user. Neither the altered firmware nor the hidden storage it creates can be removed by reformatting the disk; the infection can only be removed by replacing the drive. Others have demonstrated attacks that corrupt firmware in order to destroy a laptop battery [7] or deliver malware through a USB drive [8]. The easiest solution is to not use the affected hardware.
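The paragraph's point is that without a vendor signature the user has nothing to compare an image against. The following added example (not the article's code) shows the defensive check that such a signature would make possible: an image's SHA-256 digest is compared with a vendor-published manifest of released images, and a one-byte modification is detected and located. The image bytes, model name and manifest are constructed here; in a real deployment the manifest would be downloaded from the vendor and its signature verified before it is trusted.

```python
"""Verify a firmware image against a manifest of trusted digests. Added
example with constructed data; the digest comparison stands in for the
vendor signature check that unsigned firmware cannot offer."""
import hashlib


def firmware_digest(image: bytes) -> str:
    """SHA-256 of the whole image, hex-encoded, as a manifest would list it."""
    return hashlib.sha256(image).hexdigest()


def first_difference(a: bytes, b: bytes):
    """Offset of the first differing byte between two images (None if identical)."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))


def verify_firmware(model: str, image: bytes, manifest: dict) -> tuple:
    """Return (ok, reason). ok is True only when the digest is one the manifest
    lists for this exact model; an unknown model is treated as untrusted."""
    digests = manifest.get(model)
    if not digests:
        return False, f"no trusted digests published for model {model!r}"
    digest = firmware_digest(image)
    if digest in digests:
        return True, "digest matches a released image"
    return False, f"digest {digest[:16]}... not in released set for {model!r}"


# Constructed stand-in for a drive's firmware image: a short header followed
# by filler. Real images are opaque binary blobs, usually much larger.
ORIGINAL_IMAGE = b"FWHDR\x01\x00" + bytes(range(256)) * 8

# Constructed manifest. The digest is computed from the image so the example
# runs offline; in practice it comes from the vendor, signed.
MANIFEST = {"DriveModel-X": {firmware_digest(ORIGINAL_IMAGE)}}


def tampered_copy(image: bytes, offset: int) -> bytes:
    """Flip one byte at `offset`, simulating an altered image on disk."""
    patched = bytearray(image)
    patched[offset] ^= 0xFF
    return bytes(patched)


if __name__ == "__main__":
    print(verify_firmware("DriveModel-X", ORIGINAL_IMAGE, MANIFEST))
    bad = tampered_copy(ORIGINAL_IMAGE, 300)
    ok, why = verify_firmware("DriveModel-X", bad, MANIFEST)
    print(ok, why, "| first differing byte at", first_difference(ORIGINAL_IMAGE, bad))
    print(verify_firmware("DriveModel-Y", ORIGINAL_IMAGE, MANIFEST))
```

The check deliberately fails closed: a model the manifest does not list is reported as untrusted rather than skipped, since "no published digest" is exactly the situation the paragraph describes for most firmware today.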
System software, which includes operating systems and device drivers, is the class of software that coordinates the different components of a single machine. A typical weakness would grant remote access and unauthorized privileges [9]. Compromised system software can lead to risk aggregation because a small number of vendors have large market shares. Three operating systems (Windows 7, XP, and 8) are estimated to account for approximately 90% of the desktop market [10], and two operating systems (iOS and Android) account for 90% of mobile operating systems [11]. Particularly vulnerable are the approximately 17% of desktops and laptops that still use Windows XP, a 12-year-old operating system that is no longer supported. Any new security flaws found in it or in its now unsupported web browser IE8 will not be patched [12].
Applications are software that performs tasks for the users of a machine. These are usually the programs that the users intentionally installed. While many are aware of vulnerabilities in critical programs such as web browsers [13] and encryption tools [14], a major security weakness can reside in any software. Kaspersky Lab reports that a multinational group of hackers was able to steal approximately USD 1 billion from financial institutions. Around 100 banks were infected and about half suffered financial loss. The malicious code that granted access to the banks' networks exploited three known vulnerabilities in Microsoft Office, all of which have associated security patches that were not installed [15]. One of these flaws was a security hole in a module that processes RTF files, a document format dating back to the late 1980s.
An insurer should keep in mind that the companies it insures, regardless of industry, country, and revenue, are most likely using the same software. An insurer must determine which tools are common to many of its insureds, rather than relying only on estimated record counts, when estimating the distribution of loss attributable to a portfolio of companies.
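One way to act on that recommendation is to rank a portfolio by the policy limit that each shared dependency puts in play, and to contrast that with the record-count view. The following is an added example, not the article's or AIR's model: the insureds, limits (USD millions), record counts and component names are constructed. The computation is generic, so the same function also covers the cloud-provider and payment-processor concentrations discussed elsewhere in the article; any shared dependency can be listed as a component.

```python
"""Rank an insured portfolio's aggregation exposure by shared dependency.
Added example with a constructed portfolio; limits and record counts are in
millions and are not real figures."""
from collections import defaultdict

PORTFOLIO = [
    # (insured, policy limit USD m, records held m, components depended on)
    ("Retailer A",  10.0, 40.0, {"Windows XP", "IE8", "Office", "CloudOne"}),
    ("Bank B",      50.0,  5.0, {"Windows 7", "Office", "CloudTwo"}),
    ("Clinic C",     5.0,  2.0, {"Windows XP", "Office"}),
    ("Logistics D", 20.0,  1.0, {"Windows 8", "CloudOne"}),
    ("Utility E",   30.0,  3.0, {"Windows 7", "Office", "CloudOne"}),
]


def exposure_by_component(portfolio):
    """For each dependency, the total limit and number of insureds that a
    single compromise of it would put in play, largest limit first."""
    limit = defaultdict(float)
    count = defaultdict(int)
    for _, policy_limit, _, deps in portfolio:
        for dep in deps:
            limit[dep] += policy_limit
            count[dep] += 1
    return sorted(((dep, limit[dep], count[dep]) for dep in limit),
                  key=lambda row: (-row[1], -row[2], row[0]))


def largest_single_point_of_failure(portfolio):
    """The one component whose compromise touches the most insured limit."""
    return exposure_by_component(portfolio)[0][0]


def scenario_loss(portfolio, compromised, loss_ratio):
    """Deterministic scenario: every insured that depends on any compromised
    component loses `loss_ratio` of its limit. Returns (loss, insureds hit)."""
    hit = [row for row in portfolio if row[3] & set(compromised)]
    return sum(row[1] for row in hit) * loss_ratio, [row[0] for row in hit]


def largest_by_records(portfolio):
    """What a record-count-only view would flag first, for contrast."""
    return max(portfolio, key=lambda row: row[2])[0]


if __name__ == "__main__":
    for dep, total, n in exposure_by_component(PORTFOLIO):
        print(f"{dep:11s} limit in play {total:6.1f}m across {n} insured(s)")
    print("largest common-mode exposure:", largest_single_point_of_failure(PORTFOLIO))
    print("largest by records alone:    ", largest_by_records(PORTFOLIO))
    print("XP/IE8 scenario at 50% loss: ", scenario_loss(PORTFOLIO, {"Windows XP", "IE8"}, 0.5))
```

In the constructed portfolio the record-count view points at a single retailer, while the dependency view shows that one office suite is present at four of five insureds and touches almost the entire book, which is the kind of concentration the paragraph says an insurer must find.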
Hacking of a Major Commercial Cloud Service Scenario
In recent years, many companies have started hosting much of their computing enterprise on cloud services. The term cloud actually includes several different kinds of services. In addition to remote storage that one can think of as extra disk space, there are various "as-a-Service" uses of the cloud [16]. (Please see box.)
What is perhaps most important about all cloud services, from a security point of view, is that they involve multiple clients sharing computing resources hosted by a third party—the cloud provider. This creates a privacy and security concern because the third-party host can at any time access, accidentally or deliberately alter, or even delete client data on the cloud [17].
Even if the provider is honest, some of the many users of the cloud may not be. Many types of possible attacks on the cloud have been identified. Protecting against them can be particularly vexing because precautions taken against one type of risk may exacerbate another. An example of the kinds of tradeoffs involved is illustrated by the following situation [18]:
Fearing a data breach, a cloud client encrypts his data before moving it to the cloud. However, he risks losing all his data if the encryption key is lost. Yet if he creates backup copies of the data, the likelihood increases that his data will be breached.
So far, this sounds more like a danger to one client and less like an aggregate threat to many. However, if a hacker is able to breach a cloud server, he can easily access all the unencrypted data on that server. Perhaps even more alarming, it has been demonstrated [19] that a malicious hacker could use one virtual machine hosted on a cloud server to extract the keys used on other virtual machines on the same server. In principle, the data of all other clients on the cloud server could be breached regardless of whether it is encrypted.
Although cloud providers' security is likely better than that of most individual enterprises, clouds, like the major credit card processors, are "trophy targets" for many hackers.
The "Big One" Is Yet to Come
We have reviewed several ways in which cyber events can lead to massive accumulations of loss that could threaten the solvency of an insurer. An extreme manifestation of any one of the scenarios described in this article could result in losses that would justify calling it the "Hurricane Andrew of Cyber." In 1992, Hurricane Andrew served as a wake-up call to the insurance and reinsurance communities when it left not only unprecedented physical destruction in its wake, but also about a dozen insurance company insolvencies. Although there have been a few newsworthy cyber events during the past few years, such as breaches at Target and Sony, the "Hurricane Andrew of Cyber" has not yet happened.
AIR is in the process of developing a probabilistic model for estimating losses from cyber events, in addition to a set of deterministic scenarios that will allow companies to begin to truly understand their aggregated risk from large-scale cyber attacks.
[2] DeGennaro, R. P., "Merchant Acquirers and Payment Card Processors: A Look inside the Black Box", Economic Review, First Quarter 2006
[3] First Data Thought Leadership and R. McMillon, "Where Security Fits in the Payments Processing Chain", a First Data White Paper, May 2010
[16] Curtis, J., "10 top cloud computing providers for 2014", Computer Business Review, Oct. 10, 2014
[17] Ryan, M. D., "Cloud Computing Privacy Concerns on Our Doorstep", Communications of the ACM, Vol. 54, No. 1, 2011
[18] Samson, T., "9 top threats to cloud computing security", InfoWorld Tech Watch, Feb. 25, 2013
[19] Goodin, D., "Virtual machine used to steal crypto keys from other VM on same server", Ars Technica, Nov. 6, 2012
[20] Curtis, J., "10 top cloud computing providers for 2014", Computer Business Review, Oct. 10, 2014