Showing posts with label cyber attack.

Tuesday, June 27, 2017

New Tool to Detect Ransomware May Prevent a Cyber Catastrophe

We here in the CAT – Law pressroom occasionally come to have a dispirited world view due to our constant and laser-like focus on the topic of catastrophes.  However, our Magic 8 Ball has been saying “it is most probable” every time we ask if the recent “WannaCry” ransomware virus might actually be the dark just before the dawn.  So rather than our normal article on a possible catastrophe, here is our take on a type of cyber catastrophe that is now more easily prevented.

Last month (May 2017), attackers hit businesses and government entities in roughly 150 countries with a ransomware worm known as “WannaCry.” The worm got onto Windows machines mainly by exploiting a flaw in the SMBv1 file-sharing service of systems that had not applied the update Microsoft had released two months earlier (MS17-010); early reports also blamed phishing emails. Once on one machine, WannaCry spread rapidly and autonomously across the network, encrypting the files on each system it reached and thus denying the victims access to their own data. The attackers then demanded a ransom of $300 in bitcoin per machine, rising to $600 if it was not paid within three days.

Although WannaCry is the latest cyber-attack to make the news, it is by no means the only threat. IBM President and CEO Ginni Rometty, has described cybercrime as “the greatest threat to every profession, every industry, every company in the world.” And analysts predict that cybercrime will cost consumers more than $2 trillion globally by 2019, nearly four times the estimated cost of breaches in 2015.

But massive ransomware attacks like WannaCry are now more easily prevented.

The cyber-security community has developed a new class of tool for battling malware generally, and ransomware specifically, known as Endpoint Detection and Response (“EDR”). EDR software focuses on each user device, known as an endpoint; endpoints include not only servers but individual computers and portable devices as well. An EDR agent on the endpoint continuously records what programs do (which processes start, which files they open or write, which network connections they make) and analyzes that activity against behavioral rules and, in many products, machine-learning models of what normal activity looks like. So when a program attempts something out of the ordinary, such as rewriting thousands of a user’s files in a few seconds, it raises a red flag and the EDR software can alert on it, isolate the machine, or terminate the process.

Because EDR software focuses on the behavior of a program, it can detect malware that traditional virus protection cannot. Traditional signature-based antivirus works by matching a file against a catalogue of patterns (hashes or byte sequences) extracted from malware that has already been seen. It can therefore stop only known malware, and a trivially modified copy of a known sample gets a new signature and slips through. Because EDR looks at what a program does rather than what it looks like, it can catch previously unseen malware that misbehaves on the endpoint. EDR is the more proactive tool, but it is not a substitute for basic hygiene: a behavioral rule fires only after the program has started acting (the first files may already be encrypted before a ransomware process is killed), it can produce false positives on legitimate software such as backup or compression tools, and WannaCry specifically could not touch any machine that had applied the March 2017 patch.
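The difference between the two approaches, as an added illustration that is not code from this post or from any EDR product: a toy signature check (a hash of the executable) beside a toy behavioral rule (a process that writes encrypted-looking content to, or changes the extension of, ten or more files within five seconds). The event stream is constructed by hand to resemble WannaCry-style activity (documents rewritten and renamed with a .WNCRY extension); the process ids, paths, hash values and thresholds are all made up for the demonstration.

```python
"""Toy comparison of signature-based and behaviour-based ransomware detection.

Added illustration only: not code from the blog post or from any EDR product.
The process ids, paths, hash values and thresholds are constructed for the demo.
"""
import hashlib
import math
from collections import defaultdict, deque

# ---- signature-based check -------------------------------------------------
# The "signature" here is the SHA-256 of the whole executable. Real antivirus
# signatures are byte patterns rather than file hashes, but the weakness is the
# same: a sample never seen before, or a known one altered by a single byte,
# is not in the catalogue.
SAMPLE_V1 = b"constructed ransomware sample v1"   # hypothetical binary
SAMPLE_V2 = SAMPLE_V1 + b"\x00"                   # same malware, one byte appended
KNOWN_BAD_HASHES = {hashlib.sha256(SAMPLE_V1).hexdigest()}


def signature_match(image: bytes) -> bool:
    """True only if this exact byte string has been catalogued before."""
    return hashlib.sha256(image).hexdigest() in KNOWN_BAD_HASHES


# ---- behaviour-based check -------------------------------------------------
def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the empirical distribution; ciphertext sits near 8.0."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


class RansomwareBehaviourDetector:
    """Flag a process that, inside a sliding time window, performs `threshold`
    or more suspicious file operations: writing content that looks encrypted
    (entropy >= cutoff) or renaming a file to a different extension.
    This mimics one rule an EDR agent could apply to its file-event telemetry."""

    def __init__(self, threshold: int = 10, window_s: float = 5.0, entropy_cutoff: float = 7.0):
        self.threshold = threshold
        self.window_s = window_s
        self.entropy_cutoff = entropy_cutoff
        self._recent = defaultdict(deque)   # pid -> timestamps of suspicious ops
        self.flagged = set()

    def observe(self, ev: dict):
        """ev keys: ts (seconds), pid, op ('write' | 'rename'), path, new_path, content.
        Returns the pid the first time the rule fires for it, otherwise None."""
        if ev["op"] == "rename":
            suspicious = ev["path"].rsplit(".", 1)[-1] != ev["new_path"].rsplit(".", 1)[-1]
        elif ev["op"] == "write":
            suspicious = shannon_entropy(ev["content"]) >= self.entropy_cutoff
        else:
            suspicious = False
        if not suspicious:
            return None
        q = self._recent[ev["pid"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > self.window_s:   # drop events that fell out of the window
            q.popleft()
        if len(q) >= self.threshold and ev["pid"] not in self.flagged:
            self.flagged.add(ev["pid"])
            return ev["pid"]
        return None


# ---- constructed telemetry -------------------------------------------------
ENCRYPTED_BLOB = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # 4 KiB, ~8 bits/byte
PLAIN_TEXT = b"Quarterly report, see attached spreadsheet.\n" * 64


def constructed_events():
    """Hand-built file events: one benign save by pid 1001, then pid 4242
    overwriting 12 documents with ciphertext and renaming each to .WNCRY."""
    events = [{"ts": 0.0, "pid": 1001, "op": "write", "path": r"C:\Users\a\notes.txt",
               "new_path": None, "content": PLAIN_TEXT}]
    for i in range(12):
        doc = rf"C:\Users\a\Documents\doc{i}.docx"
        events.append({"ts": 0.25 * i, "pid": 4242, "op": "write", "path": doc,
                       "new_path": None, "content": ENCRYPTED_BLOB})
        events.append({"ts": 0.25 * i + 0.01, "pid": 4242, "op": "rename", "path": doc,
                       "new_path": doc + ".WNCRY", "content": b""})
    return events


def run_demo():
    """Returns (signature hit on v1, signature hit on v2, flagged pids, time of first alert)."""
    det = RansomwareBehaviourDetector()
    first_alert = None
    for ev in constructed_events():
        if det.observe(ev) is not None and first_alert is None:
            first_alert = ev["ts"]
    return signature_match(SAMPLE_V1), signature_match(SAMPLE_V2), det.flagged, first_alert


if __name__ == "__main__":
    print(run_demo())
```

Running run_demo() shows the pattern: the one-byte-modified sample defeats the hash lookup, while the behavioral rule flags process 4242 at about 1.01 seconds, by which time the fifth document has already been rewritten. That delay is the practical caveat: a behavioral rule limits the damage, it does not save the first files, and the same rule will fire on legitimate bulk writers such as backup or compression jobs unless they are allowlisted.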

Entities looking to improve their odds against cyber-criminals should consider adding EDR software to their arsenal, to complement their other defenses such as prompt patching, ongoing training of personnel, restricting user privileges, and offline backups. And insurers covering the risk of loss from cyber-attacks should consider recommending, or even requiring, that policyholders use EDR software to better prevent or minimize loss from cyber attacks, thereby lowering their own exposure to such losses. The use of EDR software as part of a diligent cyber-security plan may dramatically reduce the risk of loss from a number of cyber attacks.

Tuesday, April 11, 2017

Stressed about CATs? The London Market Is Ready

Earlier this year, a London insurance market industry group published London Market looks ahead: Preparing for the next big insurance event, a White Paper describing a stress test of the market when faced with a never-before-seen catastrophic loss event.  London passed the test.

This “dry run” simulation analyzed the impact of two fictional CAT events taking place in quick succession:  a major cyber attack on power infrastructure in the U.S. (“Halloween Blackout”), and a Category 5 hurricane hitting Miami (“Hurricane Guy Fawkes”).  To make matters worse, these two CATs were followed by a stock market crash, with a 16% drop in global stocks, and the default of a major reinsurer, causing delays in claims payments.

This nightmare scenario resulted in global insurance losses of USD 200 billion, dwarfing other recent major catastrophes like Hurricane Katrina (insured losses of approximately USD 80 billion) and September 11 (USD 44 billion).

The market test was conducted over several months by a group of 28 organizations, including London Market insurers, brokers, industry groups, Lloyd’s, and rating agencies, with the support of regulators.  Two working groups were established, led by Hiscox and Aon.  The actual simulation took place over a two-week period in November 2016. 

The genesis of this project was the realization that it had been over 15 years since 9/11, the last “market-turning event” for London insurers, and that it was necessary for the London Market to prepare itself for the next major CAT loss event, particularly in light of the significant changes in market dynamics since 2001.  In addition to testing the industry’s preparedness, the dry run also sought to identify how the London Market could improve its resilience to these events, and maintain its leading position in the global insurance market.

As Robert Childs, Chairman of Hiscox Group and leader of the project, stated, many of the people making key decisions in the London Market “haven’t yet experienced anything like [9/11].  I hope they never do, but we need to be prepared for the worst.”

The stress test showed that the London Market has access to sufficient resources, both practical and financial, to cope with these extraordinary losses, and that the industry would be able to pay the resulting claims fairly and, at the same time, ensure that cover can continue to be priced after a worst-case scenario catastrophe.

This conclusion relied on the strength of the London Market’s reinsurance and recapitalization arrangements, and insurers’ ability to implement these arrangements during a turbulent period.  The White Paper also found that, in order to achieve a successful outcome, it was critical for the London Market to maintain its deep underwriting and industry expertise, and for regulators to respond quickly as the crisis unfolds.

In order to improve the London Market’s ability to withstand a major CAT, the White Paper made three broad recommendations: (i) put in place internal processes to respond effectively to market-turning events, such as crisis management training programs and clear plans for raising additional capital; (ii) maintain the London Market’s leading position and expertise in the global marketplace, by strengthening Lloyd’s position and involving a broad set of key stakeholders; and (iii) collaborate with the insurance regulator, the Prudential Regulation Authority, to clarify mutual expectations and ensure an effective post-catastrophe response.

In sum, the industry-led dry run showed that the London Market is sufficiently robust to survive huge CAT losses.  Other insurance markets may consider conducting similar studies to assess how they would respond if the worst happens. 

Published by José Umbert

Tuesday, December 20, 2016

Hacktastrophe: How cyber-attacks on critical U.S. infrastructure could lead to catastrophic property loss

Although cyber-attacks have traditionally implicated more liability-leaning coverages, several attacks in recent years should give property insurers cause for concern going into the future. Hackers have proven they can seize control over governmental and industrial computer systems and manipulate them to cause tangible—and substantial—real-world property damage. Armed with the ability to cause real-world property damage, sophisticated computer criminals will undoubtedly target the systems of critical, and vulnerable, U.S. infrastructure operations, looking to cause catastrophe-level property destruction. They could be successful.

Property damage from cyber-attacks is not only possible, it has already happened.

In 2000, a former contractor who had helped install the control system for the Maroochy Shire sewage system in Queensland, Australia, used stolen radio equipment and his knowledge of the system to break in 46 times over the course of two months, instructing pumping stations to spill hundreds of thousands of gallons of raw sewage into rivers, parks, and public areas.

Beginning around 2009 (the worm itself was only discovered in 2010), a program known as Stuxnet was used to disrupt the operations of the Iranian uranium enrichment facility at Natanz. Enriching uranium requires the operators to control the speed of the gas centrifuges precisely. Stuxnet reached the facility on infected removable media, exploited several then-unknown Windows vulnerabilities to spread, and rewrote the code on the Siemens programmable logic controllers that drove the centrifuges. Periodically it pushed the rotors well above and then well below their normal operating speed while feeding the operators’ monitoring systems readings that looked normal, so the machines wore out and broke far faster than they should have. By manipulating the speed of the centrifuges, the attackers badly degraded the facility’s ability to enrich uranium.

In 2014, Germany’s federal IT security office (BSI) confirmed that attackers with advanced knowledge of both IT security and industrial processes had seized control of systems at a German steel mill. They got in through spear-phishing emails to the office network, moved from there into the production network, and compromised components and systems so that the mill was unable to shut down a blast furnace in a regulated manner, which resulted in “massive” (though unspecified) damage to the mill.

And in December 2015, attackers infiltrated the control systems of three regional electric power distribution companies in Ukraine, opening breakers at about 30 substations and cutting power to more than 225,000 customers. A well-prepared, well-funded group first got into the companies’ office networks with malware delivered by phishing emails, harvested the credentials of control-center workers, and used those credentials over the companies’ own remote-access connections to reach the systems that controlled the breakers. In a coordinated attack they took over the operators’ workstations and locked them out; opened the breakers, plunging customers into the dark; wiped the workstations and servers they had used; and flooded the companies’ customer call centers with bogus telephone calls so that customers could not report the outage. The power was out for only one to six hours, but because the attackers had also disabled remote control, the utilities had to operate substations by hand, and the control centers were not fully operational for months after the attack.

U.S. infrastructure is vulnerable to attack.

The Department of Homeland Security lists 16 critical infrastructure sectors “whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.” Indeed, cyber-attacks on these sectors—which include dams, energy companies, chemical facilities, nuclear facilities, and water and wastewater facilities—could be catastrophic.

It is impossible to eliminate the threat hackers pose to a system that is reachable from the internet, and even an “air gapped” system (one with no direct connection to the internet) is not safe: Stuxnet reached its target on removable media. Protecting these facilities is critically important, since many of them are particularly susceptible to cyber-attacks. Over the past 25 years, hundreds of thousands of old analog control systems in these facilities have been replaced with digital systems, many of them connected, directly or through the corporate network, to the internet. Any computer-controlled device that can be reached from the internet can be attacked from the internet.

Not only are these systems exposed because of their connectivity; many of them were built without cyber security in mind. The industrial protocols they speak were designed for isolated networks and typically carry no authentication at all, so a controller will accept a command from anyone who can reach it. Even where security measures such as firewalls are in place, they can be misconfigured or circumvented by human error, giving attackers a path in.
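What “built without security in mind” looks like on the wire, as an added example that is not code from this post: Modbus/TCP, one of the most common industrial control protocols (the post does not name it; the choice is mine), carries no credential of any kind, so a twelve-byte frame from anyone who can reach TCP port 502 changes a setpoint. The code below builds and parses the frames against a toy in-memory “PLC”; the register map, addresses and values are constructed for the demonstration, and nothing here touches a network.

```python
"""Modbus/TCP frames built by hand against a simulated controller.

Added example, not code from the blog post. The register map, addresses and
values are constructed for the demo; the "PLC" is a dictionary, not a device,
and no network connection is made.
"""
import struct

MODBUS_TCP_PORT = 502            # where a real controller would listen; unused here
READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_REGISTER = 0x06
EXC_ILLEGAL_FUNCTION = 0x01
EXC_ILLEGAL_DATA_ADDRESS = 0x02


def mbap(transaction_id: int, unit_id: int, pdu: bytes) -> bytes:
    """MBAP header + PDU. Fields: transaction id, protocol id (always 0),
    length of what follows (unit id + PDU), unit id. Note what is absent:
    no session, no password, no signature."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def build_write_single_register(tid: int, unit: int, address: int, value: int) -> bytes:
    return mbap(tid, unit, struct.pack(">BHH", WRITE_SINGLE_REGISTER, address, value))


def build_read_holding_registers(tid: int, unit: int, address: int, count: int) -> bytes:
    return mbap(tid, unit, struct.pack(">BHH", READ_HOLDING_REGISTERS, address, count))


def parse_frame(frame: bytes):
    """Split a frame into (transaction id, unit id, PDU), checking the header."""
    if len(frame) < 8:
        raise ValueError("frame too short")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("malformed MBAP header")
    return tid, unit, frame[7:]


class ToyPlc:
    """Holding registers in a dict. Like a real Modbus slave, it honours any
    well-formed request from any client."""

    def __init__(self, registers: dict):
        self.registers = dict(registers)

    def handle(self, frame: bytes) -> bytes:
        tid, unit, pdu = parse_frame(frame)
        fc = pdu[0]
        if fc == WRITE_SINGLE_REGISTER:
            addr, value = struct.unpack(">HH", pdu[1:5])
            if addr not in self.registers:
                return mbap(tid, unit, bytes([fc | 0x80, EXC_ILLEGAL_DATA_ADDRESS]))
            self.registers[addr] = value
            return mbap(tid, unit, pdu)            # success response echoes the request
        if fc == READ_HOLDING_REGISTERS:
            addr, count = struct.unpack(">HH", pdu[1:5])
            if any(a not in self.registers for a in range(addr, addr + count)):
                return mbap(tid, unit, bytes([fc | 0x80, EXC_ILLEGAL_DATA_ADDRESS]))
            data = struct.pack(">%dH" % count, *(self.registers[a] for a in range(addr, addr + count)))
            return mbap(tid, unit, bytes([fc, len(data)]) + data)
        return mbap(tid, unit, bytes([fc | 0x80, EXC_ILLEGAL_FUNCTION]))


def parse_read_response(frame: bytes) -> list:
    """Return the register values from a Read Holding Registers reply."""
    _, _, pdu = parse_frame(frame)
    if pdu[0] & 0x80:
        raise RuntimeError("Modbus exception code %d" % pdu[1])
    n = pdu[1] // 2
    return list(struct.unpack(">%dH" % n, pdu[2:2 + 2 * n]))


def demo():
    """Constructed map: register 0 = pump speed setpoint (rpm), register 1 = trip threshold."""
    plc = ToyPlc({0: 1500, 1: 1800})
    frame = build_write_single_register(tid=1, unit=1, address=0, value=3000)
    plc.handle(frame)                              # the "attacker" doubles the setpoint
    reply = plc.handle(build_read_holding_registers(tid=2, unit=1, address=0, count=2))
    return frame, parse_read_response(reply)


if __name__ == "__main__":
    frame, values = demo()
    print(frame.hex(), values)
```

The fix is not inside the protocol: controllers belong on a segmented network whose firewall allows only the engineering and operator hosts to reach port 502, never on the internet, and where the vendor supports it the authenticated Modbus/TCP Security variant (TLS on port 802) or an equivalent should be used.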

These concerns aren’t overblown. Hackers have already targeted and accessed such systems in the U.S., and such intrusions often require little more than search engines and default passwords. In 2013, Iranian hackers gained access to the control system of the Bowman Avenue Dam in Rye Brook, N.Y., having found it with a simple, legal search engine that indexes control systems exposed on the internet. Although hackers have not yet caused catastrophic property damage in the U.S., efforts by various actors to accomplish precisely that are clearly ongoing.

Cyber-attacks may lead to catastrophic property loss. 

It’s not hard to imagine the type of catastrophic property loss that could occur if hackers took control of critical infrastructure. In the real-world case of the Bowman Avenue Dam, the intruders reached the system that controls the dam’s sluice gate; they could read water level and temperature data and, had the gate not happened to be disconnected for maintenance at the time, could have operated it. A larger dam whose controls were exposed in the same way could be manipulated to cause a flood, damaging or destroying homes in the area.

Attacks on industrial, nuclear, or chemical facilities—similar to those on the Iranian nuclear facility and German steel mill noted above—could cause unsafe conditions that lead to a chemical spill or explosion that, in turn, leads to large scale property loss. Similarly, an attack on a railway company could cause a train carrying explosives or hazardous or combustible materials to derail, causing substantial damage to property. Indeed, there are any number of scenarios where hackers could cause catastrophic property loss by seizing control over vulnerable infrastructure.

The takeaway is this: insurers covering the risk of property loss from cyber-attacks should be aware that the risk is very real, given the vulnerabilities in critical U.S. infrastructure and the increasing sophistication of cyber criminals, and that the scope of property loss from a well-coordinated attack could be akin to that of traditional catastrophes.