Counting the Cost – Cyber Exposure Decoded
Emerging Risks Report 2017
Technology

Counting the cost
Cyber exposure decoded

Lloyd’s of London Disclaimer

This report has been co-produced by Lloyd's and Cyence for general information purposes only. While care has been taken in gathering the data and preparing the report, Lloyd's does not make any representations or warranties as to its accuracy or completeness and expressly excludes to the maximum extent permitted by law all those that might otherwise be implied.

Lloyd's accepts no responsibility or liability for any loss or damage of any nature occasioned to any person as a result of acting or refraining from acting as a result of, or in reliance on, any statement, fact, figure or expression of opinion or belief contained in this report. This report does not constitute advice of any kind.

© Lloyd’s 2017
All rights reserved

About Lloyd’s

Lloyd's is the world's specialist insurance and reinsurance market. Under our globally trusted name, we act as the market's custodian. Backed by diverse global capital and excellent financial ratings, Lloyd's works with a global network to grow the insured world – building the resilience of local communities and strengthening global economic growth.

With expertise earned over centuries, Lloyd's is the foundation of the insurance industry and the future of it. Led by expert underwriters and brokers who cover more than 200 territories, the Lloyd’s market develops the essential, complex and critical insurance needed to underwrite human progress.

About Cyence

Cyence empowers the insurance industry to understand the impact of cyber risk in the context of dollars and probabilities. Its unique approach combines economic/risk modeling, cybersecurity and big data analytics to create an economic cyber risk modeling platform. Cyence Platform and analytics are leveraged by leaders across the insurance industry to help understand and manage cyber risk as well as to roll out new transformative insurance products.

Key Contacts

Trevor Maynard
Head of Innovation
[email protected]

For general enquiries about this report and Lloyd’s work on innovation, please contact [email protected]

About the authors

Trevor Maynard PhD, MSc, FIA has degrees in pure maths and statistics and is a Fellow of the Institute of Actuaries. He is Head of Innovation at Lloyd’s including responsibility for horizon scanning and emerging risks. Subjects covered in recent years include: the economic and social implications of a food system shock; the effects of cyber-attacks on the US energy grid and an exploration of aggregation modelling methods for liability risks. He is co-chairman of OASIS, an open modelling platform for catastrophe models and sits on the Board of the Lighthill Risk Network.

George Ng, a founder and Chief Technology Officer, leads major research projects and initiatives at Cyence. Previously, he was the Chief Data Scientist at YarcData. George has also worked as a Research Scientist at DARPA and US-CERT and as faculty at American University. He received his PhD from UC Irvine and B.A. from UC Berkeley, both in Economics.
Acknowledgements

The following people were interviewed, took part in workshops or roundtables, or commented on earlier drafts of the report; we would like to thank them all for their contributions:

Insurance industry workshops and consultation
− Tom Allen, Channel 2015
− Scott Bailey, Markel
− David Baxter, Barbican
− Marcus Breese, Hiscox
− Stephanie Bristow, Hiscox
− Robert Brown, Neon
− Wesley Butcher, Atrium
− Danny Clack, Pembroke
− Jason Clark, Faraday
− Nils Diekmann, MunichRe
− Daniel Fletcher, QBE
− Matt Harrison, Hiscox
− Matthew Hogg, Liberty
− Adam Holdgate, AM Trust
− Jerry Hyne, Aegis
− Laila Khudairi, Tokio Marine Kiln
− Nick Leighton, Aegis
− Alessandro Lezzi, Beazley
− Ben Maidment, Brit
− Kelly Malynn, Beazley
− Phil Mayes, Talbot
− Alastair Nappin, MunichRe
− Raheila Nazir, Aspen
− Matt Northedge, AM Trust
− Andrew Pearson, Barbican
− Scott Sayce, CNA Hardy
− David Singh, MS Amlin
− Dan Trueman, Novae
− Stephen Wares, MS Amlin

Cyence project team and area of expertise
− Dr George Ng, CTO and co-founder
− Dr Yoshifumi Yamamoto, Principal Modeler
− Matthew Honea, Cyber Manager
− Misti Lusher, Director of Marketing
− Scott Hammesfahr, Product Marketing Manager
− Phil Rosace, Senior Solutions Manager

Cyence external partners
− Sean Kanuck, advisory board member for Cyence and former first United States National Intelligence Officer for Cyber Issues from 2011-2016
− Marc Goodman, New York Times best-selling author of Future Crimes and global strategist and advisory board member for Cyence

Lloyd’s project team
− Dr Trevor Maynard, Head of Innovation
− Dr Keith Smith, Innovation team
− Lucy Stanbrough, Innovation team
− Flemmich Webb, Speech and Studies

Further thanks go to the following for their expertise, feedback and assistance with the study:

LMA
− Mel Goddard, Market Liaison Director, Lloyds Market Association
− Tony Ellwood, Senior Technical Executive – Underwriting, Lloyds Market Association

Lloyd’s
− Caroline Dunn, Class of Business
− Linda Miller, Marketing and Communication
− Tope Omisore, International Regulatory Affairs
− Paul Sanders, International Regulatory Affairs
− Christian Stanley, Class of Business

Contents

Executive summary
1. Introduction
2. Research approach
3. The current state of cyber coverage
4. The scenarios
4.1. Cloud service providers
4.2. Modelled scenario: Cloud service provider hack
4.3 Mass vulnerabilities
4.4 Modelled scenario: mass vulnerability attack
5. Conclusion
References

Executive summary

The aim of this report is to provide insurers who write cyber coverage with realistic and plausible scenarios to help quantify cyber-risk aggregation. The understanding of cyber liability and risk exposures is relatively underdeveloped compared with other insurance classes. By understanding cyber risk exposure, insurers can improve their portfolio exposure management, set appropriate limits and gain the confidence to expand into this fast-growing insurance class.

The report is designed for risk managers whose businesses are exposed to the types of cyber-attacks described in the report’s two scenarios: a hack that takes down their cloud-service provider or an attack that causes the failure of a particular operating system across their own company, customers, suppliers and/or business partners.

Each of these scenarios encompasses a range of variables including possible risk mitigation and cyber-attack response. This means organisations can consider the impact on their own operations.

Methodology

This report was developed collaboratively by Lloyd’s and Cyence, who brought

Lloyd’s worked with the Lloyd’s Market Association on a series of collaborative workshops involving cyber underwriters from the Lloyd’s market to discuss and include feedback in the report, and identify the implications and considerations for the insurance industry.

Cyber-attack – an increasing threat

Cyber risk is a growing global threat. While digitisation is revolutionising business models and transforming daily lives, it is also making the global economy more vulnerable to cyber-attacks.

As a result, the economic and insurance consequences of cyber-crime are increasing. In 2016, cyber-attacks were estimated to cost businesses as much as $450 billion a year globally (Graham, 2017). Increasingly, insurers are helping policyholders manage these events; everything from individual breaches caused by malicious insiders and hackers, to wider losses such as breaches of retail point-of-sale devices, ransomware attacks such as BitLocker, WannaCry and distributed denial-of-service attacks such as Mirai.

The cyber threat is increasing and is expected to continue to do so as the world economy continues to