Across the globe, our teams have observed these new cyber trends emerging over the past year, with many emerging over the past six months. These trends represent new developments in the cyber risk and security landscape and may have significant implications for both companies and consumers. Today, many cyber risks have become systemic. Such large-scale, rapid-fire attacks spread from one country to another. The globally disruptive cyber-threats of 2017 unite businesses and individuals around the world in a common endeavor to stay secure.
From helping companies adopt some of the world’s leading best practices for cybersecurity to consulting individuals on how to help protect their identities in the aftermath of large-scale data breaches, AIG can deliver unique perspectives that stem from our longstanding experience as a global leader in cyber insurance. As cyber risks around the world become increasingly interconnected, AIG can help its clients develop global cyber risk solutions and can deliver, through collaborative partnerships, the meaningful risk insights that enable stronger and safer outcomes.
1. Supply Chains Disrupted by Systemic Ransomware Attacks
“Hackers’ motivations have changed,” says Tracie Grella, AIG’s Global Head of Cyber. While hackers once focused primarily on “disclosing and monetizing data,” hackers now seek to “disrupt business” to “reduce revenue.” Using ransomware, hackers can lock up and destroy data, “leaving companies unable to operate” and “resulting in loss of business income.” Ransomware attacks have far-reaching implications for industries, especially for industry leaders with global reach.
In 2017, ransomware attacks proved systemic, spreading across networks to affect companies in multiple countries in parallel. In a December 2016 AIG survey of cyber risk and cybersecurity specialists, 90% of respondents agreed that cyber risks were systemic, capable of impacting many companies at once.i Since complex supply chains may offer hackers a greater number of points of entry into the business, multinationals may be particularly vulnerable to the new wave of cyber disruption. Furthermore, as political interests or state-sponsored activity may motivate hackers to carry out these disruptive attacks, global companies may be more exposed to cyber sabotage.
Recent ransomware attacks such as NotPetya affected global companies through their local subsidiaries to cause business downtime and financial harm. By attaching itself to Ukranian tax-filing software, the NotPetya attack spread to multiple multinationals including a giant in the shipping sector and a leading pharmaceutical manufacturer, both of which operate in the Ukraine. This new form of ‘ransomware’ attack destroyed companies’ data, even when companies paid the ransom, causing irreversible losses for some businesses. A month after the attack, a European subsidiary of a global shipping company affected by NotPetya was still unable to restore its operations and stated that the damage from the attack might be permanent. As the subsidiary did not have cyber insurance, the subsidiary and the global organization may be strongly affected by the costs of business disruption.ii Indeed, the global company stated that the cyberattack would harm its full-year financial results.iii
When breaches at their vendors and suppliers lead to breaches in global organizations, these organizations may seek to more thoroughly review their own supply chains for end-to-end cybersecurity. “It’s not just what you’re doing to protect your company’s own cybersecurity maturity,” says Grella. “You have to think about the maturity of your vendors. How are those vendors being monitored? What standards are they being held to? How are they protecting themselves? What’s their overall risk management plan? Do they include insurance as part of that? Insurance can help them respond in the right manner if they have a cyber breach.”
2. Cybercrime Strikes Financial Services
In an AIG survey of cybersecurity and risk professionals, respondents identified the financial services industry as the sector most likely to experience a systemic attack in 2017.iv “The frequency, severity, and sophistication of cyberattacks against global financial institutions continue to increase, even though the vast majority of such breaches remain unreported,” says Mark Camillo, AIG’s Head of Cyber, EMEA.v
Around the world, countries face a growing threat to financial security in the form of increasingly prevalent cyberattacks against banks and their customers. In attacks in 2016 and 2017, hackers breached the multinational UniCredit, Italy’s largest bank, to access the data of 400,000 Italian clients—the “most serious data breach ever reported by a major Italian lender,” according to Reuters News.vi In Q4 2016, hackers carried out Britain’s largest reported cyber robbery, stealing more than £2.5 million ($3.25 million) from Tesco Bank.vii Earlier in 2016, hackers had stolen SWIFT codes and transferred $81 million from Bangladesh’s central bank’s accounts at the U.S. Federal Reserve.viii According to data from the Reserve Bank of India, every hour Indian banks lost an average of 88,553 Rs ($1389) to cybercrime between April 2014 and June 2017 in an average of nearly 40 attacks per day.ix The amount banks lost to cybercrime in this period “could have written off 50,400 farm loans of Rs 50,000 rupees each,” according to the Times of India.x
The risks are significant: such attacks not only lead to losses for consumers and businesses, but may also damage public trust in financial institutions. In a study by security analysts Comparitech, companies in the financial services sector experienced the sharpest drop in share prices immediately following a cyberattack.xi
“Financial institutions need to embark on a holistic risk management strategy if they are to combat effectively the renewed threat,” says Camillo. “Insurance can play a key role in not just offsetting costs when an event happens at a financial institution, but in preventing an attack in the first place and responding correctly to mitigate when cybersecurity does fail. Put simply, the underwriting process helps different parts of a company unify and focus on what their vulnerabilities are and where they can work together to mitigate them.”xii
3. Adoption of IoT Leads to Risks for Consumers and Companies
Global cyber risks are expanding as the use of connected devices soars. The number of connected devices worldwide is expected to reach 46 billion by 2021, a 200% increase from 2016.xiii “The unceasing proliferation of technology, the increase in network speed, and an explosion in data…are multiplying the potential attack surface for malicious actors,” says Mark Camillo, AIG’s Head of Cyber, EMEA. “The growth of the internet of things (IoT) has introduced vulnerabilities, as not all connected devices are currently designed with security in mind.”xiv
The October 2016 Distributed Denial of Service (DDoS) attack on domain name service provider Dyn raised cybersecurity specialists’ awareness of the severity of IoT cyber risks. The coordinated attack harnessed tens of millions of connected consumer devices, including home surveillance cameras, baby monitors, smart thermostats, and webcams, to shut down the websites of leading companies, including Twitter, Netflix, Reddit, CNN and others in the United States and the EU. Only one month later, hackers used the same approach—coordinating IoT devices to bombard websites with junk data, enough data to block legitimate visitors from accessing these websites—to carry out a series of attacks in Liberia, bringing down the country’s entire internet infrastructure within one week. Liberia’s use of a central cable to deliver internet service within the country rendered the system vulnerable to attack.xv
As the DDoS attacks illustrate, the connected devices that assist consumers may become, in hackers’ hands, malicious tools that serve purposes other than the ones for which they were designed. Smart, connected devices increasingly help consumers manage and secure their property, relationships, and health, and spending on smart home devices and software is expected to reach $195 billion by 2021, more than double the expected spend of $83 billion for 2017.xvi Yet even as consumer IoT devices offer safety and convenience to individuals and families, these devices bring a range of new cyber risks into the home: a hacked security camera or smart television can deliver visual data on an individual or a family to a malicious actor.
Researchers continue to identify vulnerabilities in consumer smart home devices—vulnerabilities which commonly arise from poor product design and improper user implementation. At a hackathon organized by MIT, participants analyzing more than 20 different smart home systems were able to exploit 25% of the devices in fewer than 3 hours.xvii Researchers studying smart locks from different manufacturers found that 12 out of the 16 tested Bluetooth-enabled smart locks lacked proper security and were vulnerable to cyberattacks.xviii Research on commercially available smart home devices by global security leader Symantec found that one ‘smart’ door lock could be operated remotely online without using a password.xix
The vulnerabilities within IoT devices are not only risks for individuals, but for industries and services as well. Increasingly, businesses seem to be relying on IoT to enable manufacturing and large-scale industrial control systems. Connectivity can lead to better monitoring and security, but connected devices are also more vulnerable to hacking, emphasizes Tracie Grella, AIG’s Global Head of Cyber. “These types of devices could be attacked and could cause disruption at energy plants, manufacturers, and power companies.”
At an RSA conference in February 2017, researchers revealed that they had discovered more than 178 million IoT devices vulnerable to hacking in the ten largest U.S. cities alone—including machinery that controls business operations, manages traffic, generates power, and manufactures products.xx Hacks have already damaged industrial control systems, causing significant physical damage in heavy industries. While to date these risks have been isolated events, the increasing connectivity of systems across sectors leads to “the potential” for systemic cyber events to affect multiple industries at once.xxi
In a 2016 AIG survey on systemic cyber risks, cybersecurity, technology, and insurance professionals in the U.S., UK, and continental Europe stated that they expected “a mass distributed denial of service (DDoS) attack on a major cloud provider” to be “the most likely cross-sector mega event.” Rapid growth in cloud computing and “the proliferation of IoT devices which have been used to launch large DDoS attacks” may make this risk significant, according to the AIG report. The 2016 Dyn DDoS attack, which affected “high-traffic websites across multiple industries,” revealed “the very real threat of larger systemic events,” the report notes.xxii
As the world applies IoT devices to help manage challenges, from the safety of industry to the intricacies of healthcare, cyber risks are becoming physical risks, and industries and individuals will need to take action in order to protect one another’s security. Grella recommends that companies who produce IoT devices work with clients to help improve mutual cybersecurity by improving communication around passwords. DDoS attacks that leverage IoT devices often stem from the fact that “Most IoT devices come with default passwords…and consumers don’t reset those default passwords, so IoT devices are very easy to break into and take over,” Grella explains. “Hackers can use those devices as a means of launching attacks against other networks.”
According to Grella, “vendors of IoT devices need to be more vocal about which protections there are on those devices” and need to explain “to the consumer or the business that’s using that IoT device how it needs to be configured.” IoT device vendors should speak up about default passwords, tell clients that these passwords need to changed, and create “an easy process to do that,” explains Grella. In addition to increasing communication and transparency, Grella recommends that IoT device vendors take steps to increase the cybersecurity of IoT devices “from the point of production.”
Companies which acquire IoT devices from vendors can also take steps to enhance their cybersecurity. Businesses using IoT devices for large industrial control systems, for example should make sure that the devices’ “passwords are updated regularly, that the technology is set up in the right way, and that there are extra security controls going over those devices—so that [the company] is not relying on the security that’s built into those devices, but layering security on top of it,” Grella says. While vendors of IoT devices do have “a responsibility” to increase “transparency and communication of what the product actually does, and what it doesn’t do, as far as security,” there are a range of other security responsibilities that rest on “the company that’s acquiring that technology.”
IoT devices offer tremendous opportunities for efficiency, business growth, and even individual health and wellbeing. But nevertheless the trend in IoT attacks continues to present risks for the connected economy. In 2016, global cybersecurity leader Symantec observed a rising number of attacks on IoT devices, including an increase in ‘proof-of-concept’ attacks, which pave the way for real attacks. Symantec expects the trend in IoT-related hacking to continue to rise in 2017.xxiii
Since IoT devices represent complex networks of interactions—among vendors, software and application developers, cloud service providers, consumers, and companies—increasing IoT security is a challenge that requires protecting each point of interaction and communication among all of these stakeholders. As IoT attacks continue to rise, the cybersecurity approach for IoT must shift from simply protecting devices to protecting networks of interactions and the data that flows through them.xxiv As governments, industries, and insurers continue to learn more about the risks of IoT, improving product design, increasing communication around proper implementation, and applying new protective technology—such as self-learning, smart endpoints which can detect risks in systems—may be only some of the steps needed to secure the devices that individuals and industries now use to connect.
i “Is Cyber Risk Systemic?” AIG, May 2017. http://www.aig.com/content/dam/aig/america-canada/us/documents/business/cyber/aig-cyber-risk-systemic-final.pdf. Accessed 19 Sept. 2017.
ii Burton, Graeme. “TNT Express Warns of Permanent Data Loss from WannaCry and NotPetya Malware Outbreaks.” Computing, 20 Jul. 2017. https://www.computing.co.uk/ctg/news/3014179/tnt-express-warns-of-permanent-data-loss-from-wannacry-and-notpetya-malware-outbreaks. Accessed 19 Sept. 2017.
iii “FedEx says cyber attack to hurt full-year results.” Reuters, 17 Jul. 2017. https://www.reuters.com/article/us-cyber-attack-fedex/fedex-says-cyber-attack-to-hurt-full-year-results-idUSKBN1A21D7. Accessed 24 Oct. 2017.
iv “Is Cyber Risk Systemic?” AIG, May 2017. http://www.aig.com/content/dam/aig/america-canada/us/documents/business/cyber/aig-cyber-risk-systemic-final.pdf. Accessed 19 Sept. 2017.
v “Cybersecurity: Risks and management of risks for global banks and financial institutions.” Journal of Risk Management in Financial Institutions, Mar. 2017. https://www.aig.co.uk/content/dam/aig/emea/united-kingdom/documents/Insights/jrmfi-mark-camillo-article-mar-2017.pdf. Accessed 19 Sept. 2017.
vi Arosio, Paolo and Gianluca Semeraro. “Update 2 – Italy’s UniCredit Reveals Data Attack Involving 400,000 Clients.” Reuters News, 26 Jul. 2017. http://www.nasdaq.com/article/italys-unicredit-reveals-data-attack-involving-400000-clients-20170726-00202
viii “Cybersecurity: Risks and management of risks for global banks and financial institutions.” Journal of Risk Management in Financial Institutions, Mar. 2017. https://www.aig.co.uk/content/dam/aig/emea/united-kingdom/documents/Insights/jrmfi-mark-camillo-article-mar-2017.pdf. Accessed 19 Sept. 2017.
ix Kumar, Chethan. “Banks Lost Rs 88,553 an Hour to Cybercrime in Last 3 Yrs: RBI Data.” The Times of India – Kolkata Edition, 25 Jul. 2017. http://timesofindia.indiatimes.com/india/banks-lost-rs-88553-an-hour-to-cybercrime-in-last-3-years/articleshow/59747797.cms. Accessed 19 Sept. 2017.
xi Eckett, Tom. “Cyber-hacked companies underperform NASDAQ by 42% over three years; finance companies severely affected.” Investment Week, 11 Jul. 2017. https://www.investmentweek.co.uk/investment-week/news/3013595/report-hacked-companies-underperform-nasdaq-by-42-over-three-years. Accessed 19 Sept. 2017.
xii “Cybersecurity: Risks and management of risks for global banks and financial institutions.” Journal of Risk Management in Financial Institutions, Mar. 2017. https://www.aig.co.uk/content/dam/aig/emea/united-kingdom/documents/Insights/jrmfi-mark-camillo-article-mar-2017.pdf. Accessed 19 Sept. 2017.
xiii VMware. “The Internet of Thieves? Why IoT Urgently Needs to be Secured.” Forbes, 13 Apr. 2017. https://www.forbes.com/sites/vmware/2017/04/13/__trashed-3/#2d15f93353ca. Accessed 19 Sept. 2017.
xiv Camillo, Mark. “Cyber risk and the changing role of insurance.” Journal of Cyber Policy, 27 Mar. 2017, http://www.tandfonline.com/doi/full/10.1080/23738871.2017.1296878. Accessed 19 Sept. 2017.
xvi “Cybersecurity Considerations for Connected Smart Home Systems and Devices.” UL, Mar. 2017. http://library.ul.com/wp-content/uploads/sites/40/2017/03/CS10027_White_Paper-Web_02.pdf. Accessed 19 Sept. 2017.
xix “2016 Symantec Internet Security Threat Report.” Symantec, Apr. 2016. https://www.symantec.com/content/dam/symantec/docs/reports/istr-21-2016-en.pdf. Accessed 19 Sept. 2017.
xx VMware. “The Internet of Thieves? Why IoT Urgently Needs to be Secured.” Forbes, 13 Apr. 2017. https://www.forbes.com/sites/vmware/2017/04/13/__trashed-3/#2d15f93353ca. Accessed 19 Sept. 2017.
xxi Millaire, Pascal. “7 Predictions for How IoT Will Impact the Global Insurance Industry.” Symantec Official Blog, 28 Sept. 2016. https://www.symantec.com/connect/blogs/7-predictions-how-iot-will-impact-global-insurance-industry. Accessed 19 Sept. 2017.
xxii “2016 Symantec Internet Security Threat Report.” Symantec, Apr. 2016. https://www.symantec.com/content/dam/symantec/docs/reports/istr-21-2016-en.pdf. Accessed 19 Sept. 2017.
xxiii “Cybersecurity and the Internet of Things: Insights on Governance, Risk, and Compliance.” EY, Mar. 2015. http://www.ey.com/Publication/vwLUAssets/EY-cybersecurity-and-the-internet-of-things/$FILE/EY-cybersecurity-and-the-internet-of-things.pdf. Accessed 19 Sept. 2017.