Professional Documents
Culture Documents
2017 Cyber Risk Landscape
2017 Cyber Risk Landscape
Landscape
2017 Cyber Risk Landscape
Foreword by Hemant Shah........................................................................... 1
Overview ..................................................................................................... 2
Section 2: Cyber Risk Landscape ............................................................... 4
Data Exfiltration ........................................................................................... 7
Financial Theft ............................................................................................. 12
Cloud Service Provider Failure .................................................................... 15
Denial of Service Attacks ............................................................................ 16
Cyber Extortion .......................................................................................... 19
CAMS Version 1.0 Scenarios ........................................................................22
Section 3: Silent Cyber Insurance Exposure ............................................ 24
Operation Technology (OT) Attacks .......................................................... 24
Smart Devices and the Internet of Things ................................................. 25
How Can Cyber Attacks Cause Physical Damages? .................................. 25
Cyber-Physical Attack Scenarios in RMS CAMS Version 2.0 ..................... 26
Scenarios Added in CAMS Version 2.0 ...................................................... 28
Section 4: What’s New in RMS CAMS Version 2.0 ................................... 30
Updates of Affirmative Cyber Insurance Accumulation Scenarios ........... 30
Expected Loss Baselines ............................................................................ 31
Cyber-Physical Attack Scenarios ................................................................ 31
Improvements in Functionality ................................................................... 31
Section 5: Cyber Insurance Market Update ............................................. 34
Rapid Growth ............................................................................................. 34
Market Participants .................................................................................... 34
Available Insurance Coverage .................................................................... 35
Cyber Risk Management Practices ............................................................ 35
Insurance Regulations ................................................................................ 37
The RMS Commitment to the Future ......................................................... 38
Foreword Overview
We are in a period where the cyber risk landscape is rapidly changing.
The past year has seen unprecedented changes in the cyber risk landscape. Writing cyber insurance means anticipating emerging trends in this
When we at RMS first launched our Cyber Accumulation Management System (CAMS) in February landscape. We are seeing new records set for the scale of cyber incidents,
2016, we provided a new data standard, analytical framework, and a functional platform for our escalation in the costs of events, changes in technologies – both offensive
insurance clients to manage this emergent risk.
and defensive – and shifts in target preferences, activities, and protagonists.
We have been delighted with the take-up of this solution across the market. And, we continue to
innovate to improve your understanding of this dynamic risk so you can approach new opportunities
To respond to these changes, the cyber insurance industry is evolving dynamically both in the coverage
prudently and with confidence in your accumulations. With the release of RMS CAMS Version 2.0,
offered and the risk management practices employed.
we have enhanced our solution to widen its scope and to reflect the most recent data and trends in the
domain. In February 2016, RMS released the Cyber Accumulation Management System (CAMS).1 This has been
well received and has been adopted across the industry in a short space of time. RMS has built-out a
Recent events have demonstrated just how dynamic the world of cyber
research and development team that continues to monitor and update its view of risk, and to release new
risk can be. Records for the most severe incidents have been broken
for many of the loss processes we model – the largest volumes of data
modeling cyber versions of the platform that incorporate these views and improved functionality.
This report provides an update on the cyber insurance market and sets out the landscape of cyber
risk in 2017.
HEMANT SHAH
Co-Founder and CEO
Risk Management Solutions 1 CCRS, 2016a.
PAG E 1 PAG E 2
2 017 Cy b e r R i sk Lan d scap e
SECTION 2
Cyber Threat: Increasingly Professional, International, This situation may change with the reorganization of law
and Political enforcement to provide specialist cyber investigation units,
the improvement of international extradition cooperation
Cyber hacking continues to become increasingly
and a willingness to pursue cybercriminals abroad, the
professional and international, with growing political
empowerment of national security cyber units to pursue
dimensions. Amateur hackers and “hacktivists” are still
offensive cyber operations against criminals in foreign
active, but much of the threat to corporate business
jurisdictions, and changes in legal prosecution procedures
comes from well-resourced criminal gangs that have
including evidence of harm. Progress is being made in each
professionalized their hacking activities. Much of this
of these arenas and, over time, it is expected to increase the
activity is organized and hosted from countries beyond the
conviction rate which will be the main control system for
jurisdiction of Western law enforcement. The cybercriminal
deterring cybercrime.
economy is informal, collaborative, and mercenary.
Organized gangs can buy the resources, skills, and tools Rapid Growth in Security Investment by Companies
to perpetrate cybercrime in a thriving black market. Stolen
Many companies are investing heavily in their own
information can be sold and the proceeds of cybercrime
cybersecurity systems to protect their assets. Global
laundered through a sophisticated gray economy.
expenditure on cybersecurity is estimated to have grown
Law Enforcement Lags Behind 14 percent year-on-year, from US$75 billion in 2015, to
$86 billion in 2016.5 On average, U.S. companies now
Cybercrime is still met with little deterrence, with extremely
spend around three percent of their capital expenditure
low conviction rates for perpetrators. Cybercrime statistics
budget on cybersecurity.6 Projections suggest that global
published in the U.S. by the FBI in 2015 show that less than
cybersecurity expenditure will continue to grow rapidly and
1 in 200 reported cases of cyber identity theft resulted
will reach hundreds of billions of dollars annually by the end
in a criminal case being brought, and only 1 in 50,000
of the decade.
resulted in a conviction.2 In contrast, armed robbery in
the U.S. results in conviction rates of 1 in 5.3 Convicted The type of expenditure is also shifting. Traditional purchases
cybercriminals face low deterrence as judges struggle to of hardware IT security components, such as servers,
determine reasonable punishments.4 networking gear, data centers, and physical infrastructure,
are being augmented by broader security solutions, such as
2 FBI
personnel training, non-computer platforms, and Internet
IC3, 2015 Internet Crime Report.
3 Grimes, 2012. of Things (IoT) security.7 The cybersecurity industry is
4 Williams, 2016.
5 Cyber Security Ventures, Cybersecurity Market Report Q4 2016.
becoming more competitive, with many start-ups and a
6 Pacific Crest Analyst, Rob Ownes, quoted in Investor's Business Daily News, 6/10/16. proliferation of security-tech offerings taking an increased
7 Cyber Security Ventures, Cybersecurity Market Report Q4 2016.
PAG E 4
Cyb e r R i s k L a n d s c a p e 2 017 Cy b e r R i sk Lan d scap e
• A similar breach was perpetrated against the • Destructive attacks on civil aviation computers in quality cyber tools were obtained from public release meant that unscrupulous and traded by cyber criminals, and
Saudi Arabia in November 2016, similar to the 2012 the NSA, and that the ShadowBrokers hackers could use these tools to access exhibited the potential for clusters of
Philippines’ Commission on Elections (COMELEC), had either hacked the NSA and stole the networks of the many companies them to trigger a systemic wave of
Aramco oil company attack, both blamed on Iran’s
leaking 55 million voter details including fingerprint their tools, or an NSA insider had running these firewalls. Firewall cyber losses.
cyber army.
records, posted with anti-government slogans.10 “The leaked the content. In October 2016, a vendors and corporate security teams
decision of the National Privacy Commission (NPC) • Allegations that North Korean cyber teams were
implicated in the theft of millions of dollars from over
8 Investor’s Business Daily News, 6/10/2016, ‘Security Freeze’.
9 Murdock 2016. a dozen banks in the SWIFT cyber heist.
10 Temperton 2016.
11 Ronda, 2017. • Spear-phishing attacks for data breaches on U.S.
12 Gupta, 2016. 15
corporations being blamed by the FBI on Russian Greenberg, 2016.
13 Entous and Nakashima 2016. 16 Fox-Brewster, 2016.
14 Lewis 2012, Centre for Strategic and International Studies. government-backed “Cozy Bear” perpetrators. 17 CERT, 2016.
PAG E 5 PAG E 6
Cyb e r R i s k L a n d s c a p e 2 017 Cy b e r R i sk Lan d scap e
• Factories in Ukraine that suffered power outages around the world. Terrorism insurance is treated as Table 1: Selected Large Data Breach Events Reported in 2016
because of attacks on the Ukrainian power grid, specialist coverage in many countries, and is typically
alleged to have been carried out by Russian included in government pools or has some level of Organization No. of Date of Cause Jurisdiction Business Data
Records Lost Breach Sector Breach
cyber units.18 government backstop. In the U.S., insurers are required to Severity
offer terrorism coverage, and it is automatically included in
Good Guys Go on the Offensive Mossack Fonseca 2.6 terabytes 3/1/2016 Malicious Insider Panama Financial Services P8
workers compensation coverage.
Governments across the world are stepping up their Yahoo! 1,000,000,000 2013, reported Malicious Outsider United States IT Services P8
The U.S. Terrorism Risk Insurance Program Reauthorization Dec. 2016
cyber-offensive capabilities, significantly raising the
Act 2015 (TRIPRA 2015 or TRIA) backstop does not Yahoo! 500,000,000 2014, reported Malicious United States IT Services P8
potential for escalation of interstate cyber conflicts.
explicitly cover cyber, and the introduction of a backstop Aug. 2016 Outsider
The ShadowBrokers leak revealed NSA Equation Group's
has been the subject of debate for several years.22 The Myspace.com 360,000,000 2016 TBD United States IT Services P8
aggressive targeting and intrusive activities.19 The U.K.
ambiguity over the level of protection that TRIA provides is Yahoo!
government established a new National Cyber Security 200,000,000 2016 TBD United States IT Services P8
a key driver towards the development of a bespoke
Center in March 2016. In addition to its role in facilitating U.S. Voter/Amazon/ 154,000,000 06/22/16 Accidental Loss United States Government P8
industry-provided cybersecurity market. Google
security, it has a mandate to move to “active cyber defense”
– i.e., to hack back against attackers.20 In April 2016, the Changes in Extreme Cyber Tail-Risk Mexican Voters 93,400,000 04/14/16 Accidental Loss Mexico Government P7
German government announced a new cyber and Philippines' Commission 55,000,000 03/28/16 Malicious Philippines Government P7
The most obvious changes in cyber risk have occurred on Elections (COMELEC) Outsider
information command in the German military Bundeswehr,
at the extreme tail. In the past year, the scale of attacks
controversially including a cyber-attack capability.21 National Turkey General 50,000,000 03/28/16 Malicious Outsider Turkey Government P7
has consistently exceeded the largest attacks previously Directorate of Population
security organizations in several advanced economies have and Citizenship Affairs
observed – typically by an order of magnitude. For
ramped up their cybersecurity and counter-cyber activities.
example, at the start of 2016, the largest data exfiltration Verticalscope/ 45,000,000 02/09/16 Malicious Outsider Canada Technology P7
events involved hundreds of millions of records. By the Techsupportforum.com
Is Cyber Insurable if Cyber Wars Intensify? and others
end of 2016, events of over a billion (Yahoo!) terabytes of
The debate about the insurability of commercial cyber Fling 40,000,000 05/06/16 Malicious Outsider United Kingdom IT Services P7
financial data (Mossack Fonseca) had been exfiltrated.
losses originating from state-sponsored cyber groups is Twitter, Inc. 32,000,000 2016 TBD United States IT Services P7
Denial of Service attacks had previously been recorded with
intensifying. A potential increase in cyber warfare activity
intensities as high as 600 gigabits per second (Gbps), but 17 Media 30,000,000 04/29/16 Malicious Outsider Asia Technology P7
would have significant implications for cyber insurers who
by the end of 2016, the Dyn event (page 18) was of an order Mate1 27,000,000 02/16/16 Malicious Outsider United States IT Services P7
pay claims to private sector companies caught up in any
of magnitude more intense – several terabits per second
international clandestine cyberwar cross-fire. Attribution Alibaba.com 20,000,000 2016 TBD China Retail P7
– enabled by new techniques that utilized the Internet of
of attacks is extremely difficult, so it is challenging for U.S. Health Insurer 9,300,000 06/27/16 Malicious Outsider United States Healthcare P6
Things (IoT) for volumetric attacks. Previous financial cyber
cyber insurers to differentiate between criminal and Lifeboat 7,089,395 2016 TBD United States IT Software P6
thefts of tens of millions of dollars were eclipsed by an
state-sponsored losses. The risk appetite for insurance
attempt to steal a billion dollars in a cyber heist involving U.S. Department of 5,000,000 02/05/16 Malicious Outsider United States Government P6
companies to cover cyber loss is unlikely to be sustainable Health and Human
a compromise of the SWIFT financial transaction system.
if losses from state-sponsored attacks become a significant Services and others
The pattern of increasingly large extreme events is being
proportion of the risk. The resources of state-sponsored Lightspeed 5,000,000 2016 TBD United States IT Software P6
repeated in many of the loss processes of cyber risk.
cyber teams pose a threat of major systemic loss across Adult Friend Finder 3,900,000 2016 TBD Unknown IT Services P6
thousands of insured accounts. Additionally, we are seeing more cyber-attacks in which
Banner Health 3,700,000 06/17/16 Malicious Outsider United States Healthcare P6
multiple companies are impacted in one single event. The
Terrorism and Cyber Loss Dyn distributed denial of service (DDoS) attack affected
Assessments of the capabilities of proscribed terrorist web-based services at hundreds of companies, including
groups suggest that they do not currently possess Amazon, Netflix, Airbnb, Spotify, and PayPal. The Ukraine This information is gathered from various open source compromised, first in September 2016 when it revealed
destructive cyber capability, although some groups, such cyber-grid attack caused power outage to many companies. data resources and has been heavily enriched by RMS data that data on 500 million users had been hacked in 2014,
as the United Cyber Caliphate arm of Islamic State, are scientists to provide a historical picture of data exfiltration. and then again in December 2016 when it revealed a data
The following sections highlight the changing trends in
known to be actively pursuing the strategic increase of their This data is a key input into the RMS data exfiltration model breach of over one billion user accounts dating from 2013.23
several key IT loss processes.
offensive cyber capabilities. and is used to parameterize incident and cost information. The Yahoo! share price dropped six-and-a-half percent after
the December 2016 breach announcement, prejudicing and
Destructive acts of cyber terrorism could face similar Record-breaking Sizes of Data Exfiltration Events
2.1 Data Exfiltration delaying acquisition negotiations with Verizon.24
ambiguity in attribution, but mechanisms for determination The past year has seen the largest data exfiltration events
have been proposed. Cyber terrorism has become a Data exfiltration continues to be the predominant cause Because of these increasingly large events, the RMS
ever revealed. In April 2016, the world’s largest data leak
growing topic of concern for terrorism insurance pools of insured cyber loss, with many instances of individual magnitude scale for data breach has been adjusted. The P8
by volume saw 2.6 terabytes of confidential tax data stolen
companies suffering from data leaks. Companies are at scale is now extended to include events of more than one
from Mossack Fonseca (see page 9). Yahoo! broke the
risk of larger data losses; the risk of data exfiltration loss is billion personal records or more or a terabyte of data lost.
record – twice – for the largest number of personal records
18
increasing in severity.
ICS-CERT, 2016, and Zetter, 2016.
19 Fox-Brewster, 2016.
20 The Register, 2016. Over the last 18 months, RMS has built out its cyber
21 ORF, 2016.
22 For more information on TRIA visit the U.S. Department of Treasury website.
incident database of historical data exfiltration events. 23
24
Finkle and Tharakan, 2016.
Moritz and Womack,, 2016.
PAG E 7 PAG E 8
Cyb e r In s u ra n ce U p d ate 2 017 Cy b e r R i sk Lan d scap e
2007 2008 2009 2010 2011 2012 2013 2014 2015 2016
Figure 2: Incident count for all magnitude data exfiltration events from 2006 to 201628
PAG E 9 PAG E 1 0
Cyb e r R i s k L a n d s c a p e 2 017 Cy b e r R i sk Lan d scap e
One possible explanation is that professional criminals are Data Breach by Business Sector
concentrating their efforts on obtaining larger datasets
The recent incidents of data loss in different business
where they can get a bigger return.
sectors remains consistent with the previous five years of
Fewer Small Data Breaches relativities, with a few notable differences. There has been
an increase in data breach incidences in the retail, IT services,
At the other end of the spectrum, there is a measurable and manufacturing sectors that has continued into 2016.
reduction in the incidences of smaller data breaches, as
routine security measures prevent the accidental loss of There has been a significant reduction in data breaches
data by employees that caused many of the small loss from financial services companies – their incident rates
incidents in the past. The number of incidents of accidental are down in 2015 and 2016, compared to previous periods
data loss of P5 or smaller (100,000 records) was at its of breach records, reflecting the investment in security
lowest at any point in the past five-year average. and data protection that is being made in this sector.
Healthcare, despite some newsworthy events, has also
Data Loss is Increasingly Caused by External Attackers seen a drop in the number of incidents – but this is
During 2016, the main cause of data breaches and losses counterbalanced by the fact that healthcare has seen a Data Privacy Regulation Layer
was predominantly shown to be malicious interference significant increase in extortion incidents. Strong Regulation
from outside actors, rather than insider or whistleblower A notable feature of recent data breaches has been the
Moderate Regulation
leaks. This continues the recent pattern observed over repeated targeting of adult social sites, such as Fling, Mate1, Limited Regulation
recent years. As proposed in the RMS “Data Exfiltration” and Ashley Madison, where criminals can add blackmail to No Regulation
accumulation stress test scenario, malicious outsiders pose their earning potential from the stolen data.
more of a systemic threat than either accidental loss or
insider leaks. Data exfiltration scenarios now explore more Costs of Data Loss
Figure 4: Data breach of privacy regulation heatmap31
potential vectors for malicious outsiders to impact multiple Since 2010, the average cost per record of a data loss of
companies in different attack patterns, sectors, and over 100,000 records has more than doubled.29 This reflects
targeting preferences. increasing regulatory fines and procedures, growing costs
of compensation, and escalation of legal complexities Implication for RMS Modeling
in dealing with identity loss. Projecting forward for 2017,
This shift in the pattern of data breach sizes – increased
Type of Attack a further inflation of costs by 15 to 25 percent could be
targeting of larger data sets and reductions in the incidence
expected.
100% rate of small data breaches – is represented in the release of
Data Exfiltration Risk is Increasingly International the “Leakomania” data exfiltration accumulation stress test
90% scenarios in CAMS Version 2.0, with adjusted frequency-
Although the U.S. remains a major source of data breach severity distributions of sizes of data leaks and the addition
80% loss, sizeable data loss events were reported in many of a risk potential for companies in some sectors to suffer
other countries in 2016. It is becoming common practice data breaches of over a billion records.
70% for responsible large companies in many countries to
Partner publicly disclose a data breach and to notify the individuals The recent trends of relativities across business sectors of
60% data breach incidences is reflected in the CAMS Version 2.0
Internal affected, although mandatory reporting requirements in
many countries is still some way behind the United States. release of data exfiltration accumulation stress test scenarios.
50% Collusion
Statutes are currently in preparation to require mandatory The relative risk levels of cyber data exfiltration loss remain
External
40% reporting of data breaches in many countries, including the consistent with the country risk parameterizations for
European Union (EU) and several other countries that are frequency and cost modeling in Version 1.0, with minor
30% developing markets for cyber insurance.32 The EU General changes in RMS CAMS Version 2.0.
Data Protection Regulation (GDPR) will require notification
20% within 72 hours from when a breach is discovered with
maximum fines of four percent of annual global turnover or 2.2 Financial Theft
10%
€20 million, whichever is greater.33 Financial theft has continued to be a major source of
0% Costs of data breaches to companies in other countries are cyber attacks and cyber-enabled fraud. The most
2010 2011 2012 2013 2014 2015 broadly similar to those in the United States, although when common manifestation of financial theft is credit card
tort actions are brought, these make U.S. data breaches misappropriation. Some of the recent higher-profile credit
Figure 5: Percent of breaches per threat actor category over time30 more expensive than in other countries. card misappropriations have involved hotel chains, with the
31Based on data from Forrester Research Data Privacy Map 2015 and DLA Piper, 2017.
29 32
RMS Cyber Incident Database. Forrester Research Data Privacy Map 2015 and DLA Piper, 2017.
30 Verizon 2016 Data Breach Investigations Report. 33 European Commission General Data Protection Directive.
PAG E 1 1 PAG E 1 2
Cyb e r R i s k L a n d s c a p e 2 017 Cy b e r R i sk Lan d scap e
Mandarin Oriental34, Hilton35, and Starwood36 hotel chains Financial Transaction Theft
each hit in separate theft campaigns involving data
The source of systemic tail-risk from cyber attack in the
harvesting from their point-of-sale systems. Point-of-sale
financial services sector is the penetration of banks internal
systems remain targets, particularly with legacy systems
systems and the transaction systems that link with them.
that are slow to be updated and widely distributed.
There have been recent individual cyber bank robberies; in
The growing use of chip and pin (EMV) credit cards is November 2016, Tesco Bank in the U.K. lost US$2.5 million
reducing theft levels in many countries. Barclays attributes from 9,000 accounts, showing that online banking systems
EMV technology for reducing credit card-related thefts are still vulnerable.40 Several new types of point-of-sale and
in the U.K. by 70 percent since its introduction in 2003.37 ATM malware were discovered in 2016.41
EMV now has an 81 percent adoption rate in Europe and
A truly systemic cyber bank heist involving many banks
is in use in Australia, Russia, and several other countries.
occurred in 2016, with the Lazarus SWIFT campaign (page
However, EMV uptake in the U.S. is slow, resulting in higher
14). This campaign appears to have successfully stolen
credit card misappropriation levels than in countries where
hundreds of millions of dollars, and to have narrowly failed
this is standard. In 2015, Barclays noted that although
to secure a transfer request for one billion dollars. Dozens
the U.S. accounts for 24 percent of total credit card
of banks were compromised across several different
transactions worldwide, it represents 47 percent of global
countries by a sophisticated and well-resourced cyber
credit card fraud.38
hacking gang. Investigators have found similarities in the
Shift of Liability for Credit Card Thefts to Non-EMV malware computer code with previous malware attributed
Retailers to North Korean cyber teams. The scale of the operation
was considerable, involving local bank infiltration activities
In 2016, Visa, Mastercard, and Europay credit card
in at least seven countries, the creation of a sophisticated
companies introduced new rules requiring retailers in
suite of malware with many tricks to disguise its presence,
Europe to upgrade their point-of-sale systems to EMV and
– importantly – requiring retailers to bear the liability for
and an untraceable central monitoring system to gather Lazarus SWIFT Financial Theft:
The Billion Dollar Cyber Heist That Nearly Succeeded
data transmitted from the malware. The plot was also
fraudulent card transactions if they do not do so. This move
notable for the sophistication of the money laundering
could potentially result in increased or shifted exposure
operations put in place to prevent the funds from being
for insurance companies with retail cyber insurance
recovered once the transaction compromise was discovered. In 2016, the SWIFT interbank financial infiltrating their malicious software At one point, the gang issued 30
policyholders if their coverage includes liabilities that were
transaction system was hit repeatedly, onto the SWIFT transaction servers. transfer requests totaling $951 million
previously indemnified by the credit card companies. This Networks of Trust
using specially-crafted software from Banks were reported compromised in to be withdrawn from the Bangladesh
has the potential to create a new route for systemic loss for
The key feature of this criminal gang was its ability to break a criminal gang called the “Lazarus Ukraine, Bangladesh, the Philippines, National Bank account with the U.S.
cyber insurers, where many retailers suffer theft losses from
into a network of trust used for financial transactions and Group.”42 The software provided a Ecuador, Vietnam, and potentially other Federal Reserve. Security alerts,
non-EMV point-of-sale system cyber compromise that is
then to use legitimate authentication protocols to syphon sophisticated method of enabling the Southeast Asian countries.43 including reported typo errors in the
not indemnified by the credit card companies.
money out of the system. criminals to gather information on requests and triggering flags on money
Over a period of months these banks
Because of this change, RMS strongly recommends that standard practices and send fraudulent laundering blacklists, blocked $850
The accumulation management of cyber insurance coverage requested other banks, including
in the CAMS cyber exposure data schema, insurers should requests through the SWIFT system million of the transfers.45
for financial theft loss requires identification of these networks the U.S. Federal Reserve, to transfer
ensure they capture data in the “Financial Loss Potential: for financial transfers disguised as
of trust as key potential sources of future correlation of loss funds via the SWIFT system with fully The discovery of the attempted billion-
Named Payment System Provider(s)”39 field for retail legitimate transactions, from software
between numbers of financial services companies. credentialed authentication protocols. dollar heist has resulted in a radical
insureds specifically for EMV compliance. The ability to that had been infiltrated into a
The money was then diverted through overhaul of the SWIFT system and new
report on this will become increasingly more important Research is ongoing to map these networks of trust as number of banks with many layers of
laundering operations, including casinos security systems put into place.
over time, especially for those in Europe who could variants of potential financial transaction cyber compromise subterfuge to prevent discovery. The
in the Philippines and cover accounts
otherwise potentially face liabilities from future credit card scenarios, including: fraud was combined with a complex The RMS accumulation management
in Sri Lanka and Hong Kong. The full
thefts, deferred from the credit card companies who have money laundering process that stress test scenario “Financial
previously held this risk.
• Consumer financial transaction systems, point-of- extent of the operation and the total
obscured the proceeds of the theft Transaction Interference Scenario”
sale systems, online payment processing, credit and amount stolen remain undisclosed,
from investigators. includes many of the features that were
debit card purchasing and reconciliation systems, but reports include US$81 million
seen in the Lazarus SWIFT campaign,
electronic funds transfers, and check clearing To break into the trusted SWIFT unrecovered from Bangladesh National
particularly the multimillion dollar
network, the gang found lower- Bank, a $10 million loss from a Ukrainian
• Interbank payment and lending systems, clearing thefts from dozens of banks in trusted
security banks in many different bank, a bank in Ecuador with a $12
houses, debit and credit systems, wire networks, financial transaction networks.
34 ComputerWeekly, 2015. 45 hotels of Mandarin Oriental hotel chain reported countries around the world and million loss, and a dozen more potential
compromised. settlement and reconciliation systems, credit transfer
35 ComputerWeekly, 2016. found a variety of ways of secretly losses to Southeast Asian banks.44
36 Starwood, 2016.
systems, and loan management
PAG E 1 3 PAG E 1 4
Cyb e r R i s k L a n d s c a p e 2 017 Cy b e r R i sk Lan d scap e
Applications Outages
for very long durations enterprises means that cyber theft events should become
less likely, but the extreme case of many severe losses from Microsoft Office 365 users suffered a multiday outage January 2016
and to exceed the eight- within a network of trust remains an important stress test
for insurers to run on their financial services accounts.
Yahoo Mail was disrupted for several days by an outage December 2013
PAG E 1 5 PAG E 1 6
Cyb e r R i s k L a n d s c a p e
55 Akamai 2016.
Figure 6: Frequency of “very high” and “ultra-high” 56 Akamai 2016.
57 The Hacker News, 2016.
DDoS attacks56 58 Akamai, 2016. 62 Ibid.
59 Newman, 2016. 63 Woolf, 2016.
60 Woolf, 2016. 64 Ibid.
61 Rawlinson, 2014 and Constantin, 2016. 65 Source: DownDetector, Wikipedia Commons.
PAG E 1 7 PAG E 1 8
Cyb e r R i s k L a n d s c a p e 2 017 Cy b e r R i sk Lan d scap e
companies have seen reductions in attacks – previously extortion demands on corporations resulting from data reportedly hit with ransomware in March 2016, leading to
they were attacked more than media and entertainment, exfiltration, in which confidential data is threatened to be patients being turned away.76
Very-high intensity and Internet and telecom companies. Other sectors, such as
retail, education, public sector, business services, and hotel
released, and as part of denial of service attacks. These
elements are likely to become more common components
Few companies admit to being targeted by ransomware
or paying ransom demands and so historical data is scant.
and ultra-high intensity and travel, continue to receive a significant, though smaller,
proportion of all attacks.
of these loss processes in the future.
The costs of business disruption are typically much higher
69 Ibid. personal computing and is occasionally seen in attacks 77 The Merkle, 2016.
PAG E 1 9 PAG E 20
Cyb e r R i s k L a n d s c a p e
Cyber Extortion
Denial-of-Service
Attack
Cloud Service
Provider Failure
PAG E 2 1 PAG E 22
2 017 Cy b e r R i sk Lan d scap e
SECTION 3
It is also becoming apparent that there is potential for 3.1. Operational Technology (OT) Attacks
cyber attacks to cause disruption and damage that
Cyber attacks can cause property damage and
could trigger insurance payouts in traditional non cyber-
disruption when they are targeted on interfering with the
specific lines of business. For example, if a cyber attack
computerized systems that control physical processes,
causes physical damage, destruction of property, fires or
known as operational technology (OT) attacks.
explosions, deaths, injuries, loss of services, or other harms
that are covered in policies without excluding cyber as a There have been several examples of cyber attacks on OT,
cause, then insurers could suffer losses under these policies. including:
The policies in these lines of business may be silent on • “Stuxnet” is the most prominent example of a cyber
whether they would pay out if cyber was the proximate attack causing physical damage to centrifuges that
cause. “Silent” exposure to the peril of cyber is a growing separate nuclear materials.80
concern. Many insurers have instigated reviews of the lines
of business that may contain silent exposure to identify
• Researchers demonstrated that a cyber attack on
a 2.25 megawatt (MW) electricity generator could
ambiguities in the terms and conditions of policies, and to
cause physical damage to the unit. The vulnerability
identify the amount of risk that this may represent.
in the generator software was called “Aurora.”81 This
CAMS Version 2.0 contains an additional suite of scenarios vulnerability not only has the potential to cause
that enable an insurer to review the exposure it may face damage to the generator and surrounding buildings
from silent coverages in other lines of insurance business, from fire, but also a lengthy blackout that could
described on page 28. These scenarios enable insurers to cause significant business interruption.82
identify potential losses from lines of business including
property – commercial and residential – marine, energy,
• A cyber attack on Ukrainian power companies
caused a power outage for thousands of customers
industrial, facultative, specialty, casualty/liability, and other
for several hours in December 2015, and another
lines.
suspected event in December 2016 (see page 27).83
80 Zetter, 2014.
81Meserve, 2007.
82 See CCRS report on Lloyd's Business Blackout Scenario, 2015.
83 ICS-CERT, 2016.
84 Strohm, 2016.
PAG E 2 3 PAG E 24
S ile n t Cy b er In su ra n ce Exp o s ure 2 017 Cy b e r R i sk Lan d scap e
3.2 Smart Devices and the Internet of Things cybersecurity, and this may prove influential in improving Actuators – Controlling Physical Components
the security standards of IoT devices in the future.
There is a concern about potential attacks on various Actuators open and close valves, lock and unlock doors,
Improvements in security are unlikely to occur rapidly, so
types of physical control systems that can be controlled control robot arms, change the pitch of ailerons, drive
society and insurers may have to accept vulnerabilities in
electronically, particularly where they are connected car accelerators, apply brakes, and control many other
these systems and their potential for use in cyber-physical
to networks and could be accessed by unauthorized processes. The remote control of actuators has significant
attacks for some time to come.
third parties. These smart devices and “cyber-physical” potential to cause damage, either by preventing them
systems85 consist of a wide range of sensors, actuators, from operating or causing them to operate unsafely. Cyber
valves, switches, mechanical devices, and electronic 3.3 .How Can Cyber Attacks Cause Physical attacks have opened valves and manipulated pumps to
controls sometimes known as supervisory control and data Damage? maliciously release water, sewage, and gas supplies, for
acquisition (SCADA) systems, and perhaps most crucially example. There is obvious potential for deliberate accidents
Examples have been seen of using cyber attacks in several
in industrial control systems (ICS). Many electronic systems to be caused in transportation systems, manufacturing,
ways to trigger physical damage. They broadly follow the
now contain elements of connectivity for diagnostic industrial processes, and other systems where remotely-
following types of interference processes.
read-outs, upgrading and programming uploads, data managed actuators are an integral part of the operation.
transmission, and signal processing. Spoofing – Sending False Data to a Sensor Industrial and manufacturing systems tend to have security
systems and fail-safe mechanisms, but these may not
The proliferation of devices that are connected to the When a sensor is vital to the safe performance of a
have always been designed against malicious intent, and
Internet has given rise to the term the “Internet of Things” system, spoofing the sensor can trick the system into
determined hackers have found ways to penetrate even
(IoT). This is also described as “the infrastructure of the unsafe activities. An example would include thermostat
well-designed security systems.
information society.” It is estimated that there are currently readings that normally prevent a process overheating, so by
around 28 billion devices connected to the Internet, and spoofing the thermostat, the system could be forced into
various projections suggest that the number could reach overheating. Other examples would include spoofing GPS 3.4.Cyber-Physical Attack Scenarios in RMS
50 billion by 2020.86 The number of devices connected to interpretation, electronic map systems, or beacons that CAMS Version 2.0
the Internet is currently increasing by 30 percent year-on- guide aircraft navigation systems. Sending false data can The greatest concerns for insurers are the potential for
year.87 There are many studies that describe the growing potentially be a damaging attack mechanism. cyber-physical attacks to trigger fires, explosions, or to
potential for the transformative power of IoT including cause major industrial accidents or system failures that
Hysteresis – Forcing Cyclical Behavior
smart grids, smart homes, intelligent transportation, and could lead to large losses or systemic claims across
smart cities. Once an unauthorized hacker has control of a physical multiple insureds.
It is evident that the IoT has significant vulnerability
system, damage can sometime be caused by forcing Cyber Insurance Exclusions Cyber-physical attacks have the potential to cause claims
the system to start and stop in rapid cycles. This causes
to malicious manipulation. The increasing ubiquity of on traditional policies that do not explicitly exclude cyber
machinery to wear out, damage bearings and misalign, Many exclusion clauses have been developed for
connected devices causes concerns for the insurance as a proximate cause, but include the consequential perils
overheat, blow electrical fuses, and potentially trigger traditional general liability and property policies to help
exposure that it could potentially represent. Connected and of fire and explosion, water escape, or other destructive
uncontrolled positive feedback. The “Aurora” vulnerability in insurers prevent loss accumulation from cyber events.
smart devices are a growing part of the everyday world processes. Lines of business that could potentially be
power generators and thermal runaway in lithium batteries Two of the exclusions (CL 380 and LMA 3030) prevent
and cybersecurity issues have been raised around products impacted include marine, aviation, energy, casualty liability,
are examples of hysteresis damage in cyber-physical
varying from household appliances, industrial process claims from cyber events committed with malicious
attacks. and property.
control systems, building heating and ventilation systems, intent or deemed acts of war, while NMA 2912, 2914, and
webcams, drones, autonomous cars, medical devices and 2915 exclusions prevent property damage claims from RMS CAMS Version 2.0 includes an additional suite of
Disconnection – Stopping the Function of a Device
heart pacemakers, and entertainment systems. scenarios, listed on page 28, that can be used by insurers
cyber events unless caused by fire or explosion.
Simply preventing a physical system from connecting to to test their exposure to cyber-physical attacks and identify
Many of these systems were originally designed with poor its control system may be enough to cause damage and their silent exposure in policies in several lines of business,
attention to security, and have relatively low levels of anti- loss. A denial of service attack on a system that requires including commercial and residential property, marine
hacking protection. This is likely to change over time as connectivity to operate can shut down a process. Examples cargo, industrial facilities, offshore energy, and a variety
manufacturers are held to higher standards of security, but include disabling a building management system with a of other lines impacted by cyber-induced power outage
low costs and volumes of products constrain the levels of DoS attack; by making it unable to connect to the Internet scenarios.
protection that can be expected. The January 2017 filing it was unable to start a heating system for an apartment
by the United States Federal Trade Commission against building.89
the D-Link Corporation88 because its devices were used
Draining the battery of a device by forcing it into constant
in the Dyn attack (see page 18) is the first example of a
activity is also a method for causing the failure of
lawsuit against a manufacturer of IoT devices for poor
connected battery-powered systems.
85 Loukas (2015).
86 Statistica, 2017.
87 Gartner, 2015, reports 6.4 billion connected devices in 2016, up 30 percent from 2015.
88 FTC, 2017.
89 SC Media, 2016.
PAG E 2 5 PAG E 26
Cyb e r In s u ra n ce U p d ate 2 017 Cy b e r R i sk Lan d scap e
Hackers exploit vulnerabilities in the External saboteurs gain access to A well-resourced cyber team
smart-battery management system the process control network of large introduces malware into the control
of a common brand of laptop, processing plants, and spoof the systems of U.S. power generating
sending their lithium-ion batteries temperature and pressure set points companies that creates de-
into a thermal runaway state. The of the ICS, causing heat-sensitive synchronization in certain types of
attack is coordinated to occur on processes to overheat and ignite generators. A sufficient number of
a specific night. A small proportion flammable materials in storage generators are damaged to cause
of the infected laptops left on facilities. Insurers face sizeable claims a cascading regional power outage
charge overnight then overheat and for fire and explosions at several that is complex to repair. Restoration
catch fire; some unattended fires in major industrial facilities in their large of power to 90 percent of customers
commercial office buildings spread accounts and facultative portfolios. takes two weeks. Insurers face claims
to cause major losses. Insurers face in many lines of business, including
claims for a large number of fires large commercial accounts, energy,
in their commercial property and PCS-Triggered homeowners, and specialty lines.
homeowner portfolios. Explosions on Oil Rigs The scenario is published as a Lloyd’s
Emerging Risk Report “Business
Blackout” by Cambridge Centre for
A disgruntled employee gains access
Cyber-Enabled Marine Risk Studies, and was released in RMS
to a network operations center (NOC)
Cargo Theft from Port CAMS Version 1.1.
controlling a field of oil rigs and
manipulates several of the platform
Cyber criminals gain access to a port control systems (PCS) to cause Regional Power Outage
management system in use at several structural misalignment of wellheads, from Cyber Attack on
major ports. They identify high-value damage to several rigs, release of oil U.K. Power Distribution
cargo shipments and systematically and/or gas, and fires. At least one
switch and steal containers passing platform has a catastrophic explosion. A nation state plants “Trojan Horse”
Cyber Attack on Ukrainian Power Grid through the ports over many months. Insurers face significant claims to rogue hardware in electricity
When the process of theft is finally multiple production facilities in their distribution substations and
On December 23, 2015, three regional Ukrainian government officials blamed Kiev substation grid, which caused discovered, the hackers scramble offshore energy book. activates it remotely to curtail
electricity distribution companies in Russian security services for the a 75-minute outage for the northern the data in the system, disabling the power distribution and cause rolling
Ukraine reported service outages to incident.92 part of Kiev in December 2016, during ports from operating for several days. blackouts intermittently over a multi-
an estimated 225,000 customers.90 one of the colder months in Ukraine.93 Insurers face claims for cargo loss week campaign. Insurers face claims
The event has highlighted the potential
The outages were caused by external and business interruption in their in many lines of business, including
for OT cyber attacks and the RMS CAMS Version 2.0 includes a
agencies that delivered malware via marine lines. large commercial accounts, energy,
vulnerability of national critical suite of accumulation scenarios of
a phishing attack, gaining access homeowners, and specialty lines. The
infrastructure, a threat that is potential OT attacks for insurers
to the companies’ computers and scenario is published as “Integrated
being taken seriously by Western to manage their silent OT cyber
remotely controlling the industrial Infrastructure: Cyber Resiliency in
governments and national exposures.
control systems (ICS) to disconnect Society” by the Cambridge Centre for
cybersecurity agencies worldwide.
the substation power breakers, Risk Studies, and was released in
disabling power supply. At least 30 Investigators are reviewing another RMS CAMS Version 1.1.
110kV and 35kV substations were suspected cyber attack on the
disconnected for three hours.91 SCADA systems of the 330 kW
90 ICS-CERT, 2016.
91Lee, Asante and Conway, 2016.
92 Zetter, 2016.
93 Constantin, 2016.
PAG E 27 PAG E 28
Cyb e r In s u ra n ce U p d ate 2 017 Cy b e r R i sk Lan d scap e
SECTION 4
PAG E 2 9 PAG E 3 0
Wh at ’s N ew i n R M S C AM S Vers io n 2.0 2 017 Cy b e r R i sk Lan d scap e
The shifting targeting To respond to client demand for stress tests for silent
cyber exposure in other lines of business, CAMS Version 2
sectors is reflected RMS CAMS Version 2.0 has been rebuilt on a new software
platform to improve the ability to add future features and
in the new scenario functionality. It incorporates a new user interface designed
to help clients in their workflows and incorporates
footprints. additional report generation to aid risk management
decision making.
Cyber Extortion
Stress test scenarios for the Cyber Extortion Version 2 RMS CAMS Version 2.0 Scenarios
now include incidence of extortion on larger companies
as seen in the past year as part of a systemic campaign
with ransom payment amounts recalibrated to recent
experience. The targeting incorporates the recent trend
of targeting the healthcare sector. Business interruption
consequences have been expanded to reflect evidence of
the impact of extortion events. Cyber-Induced ICS-Triggered
Fires in Commercial Fires in Industrial
Office Buildings Processing Plants
4.2 Expected Loss Baselines
In addition to stress test scenarios, RMS CAMS Version 2
introduces an expected loss baseline for U.S. businesses
for data exfiltration. Data exfiltration accounts for a large
proportion of the insurance costs of typical affirmative
cyber insurance products. The data exfiltration expected Cyber-Enabled PCS-Triggered
Marine Cargo Theft Explosions on
loss baseline provides average annual industry loss from Port Oil Rigs
values, before insurance is applied, for incidence rates of
different magnitudes of data exfiltration events by business
sector and company size. It enables clients to benchmark
their own loss experience to industry averages, to set
expected loss levels and burn rate assumptions, and to
explore potential market expansion strategies for safe
diversification of new business. Regional Power Regional Power
Outage from Cyber Outage from Cyber
The expected loss baseline is calibrated from the Attack on U.S. Attack on U.K.
Power Generation Power Distribution
historical average annual incident rates experienced in
U.S. businesses over the past six years. We augment this
to apply cost levels that are trended to estimate likely
claims values for 2017/18. This provides a portfolio-specific
estimation of burn rate for data exfiltration incidents for
cyber insurance accounts across businesses of different
sectors and sizes, if incident rates continue their historical
average levels.
PAG E 3 1 PAG E 3 2
Cyb e r In s u ra n ce U p d ate 2 017 Cy b e r R i sk Lan d scap e
SECTION 5
Cyber Insurance
Market Update
As a result of the new pressures in the cyber risk landscape, the insurance industry
has continued to evolve and grow.
5.1 Rapid Growth • Strong growth from other sectors: Currently, cyber
insurance take-up is largely within a relatively
The global cyber insurance market continues to experience
concentrated set of business sectors, but cyber
strong growth. The affirmative cyber insurance market
insurance premium growth is expected to become
is estimated to have increased in premium volume from
more mainstream, with take-up from more sectors
around $2 billion in 2015 to up to $3.5 billion in 2016. The
outside of this current core.
large majority of this insurance is purchased in the U.S. and
is focused on cover against breach of privacy. • New regulations to drive international demand:
With most cyber premiums currently generated in
Several analysts forecast the market growing rapidly, with
the U.S., growth is likely to accelerate in non-U.S.
some predictions stating that the global cyber insurance
markets driven by new regulatory requirements.
market will reach $7.5 billion by 2020.94 Others predict
One such area of growth will be the European Union
estimates of over $20 billion by 2025.95
(EU) where EU-wide legislation for cybersecurity
Even the more conservative growth forecasts expect annual is due to be ratified during 2018. The EU directive
cyber premium growth rates of over 20 percent. With the sees providers of critical infrastructure and essential
context of a wider P&C soft market, many insurers are physical and digital services adopting strengthened
making cyber insurance a key area of focus. cyber defense measures, along with heightened
reporting requirements for security incidents.
The current drivers of cyber insurance premium growth are:
94 PWC, 2015.
95 Allianz.
96 The Betterly Report, 2016.
PAG E 3 3 PAG E 3 4
Cyb e r In s u ra n ce M a r ke t U p d ate 2 017 Cy b e r R i sk Lan d scap e
In addition, more insurers are integrating cyber cover in find a product that matches their exposure.
the policies of their traditional business lines. This increase
While the existing types of cyber coverage available
Percentage of policies offering coverage
in the number of market entrants, together with extension
has remained broadly consistent, RMS has seen that
of cyber into traditional policies, both present significant
more insurers are now offering network service liability,
challenges to cyber risk management. Breach of privacy event
regulatory defense costs, and business interruption
Most cyber premiums still originate from the U.S. where coverage. There has also been a decline in the number of Network service failure liabilities
data privacy laws have been in place for over 10 years, insurers offering intellectual property (IP) theft, directors
though an increasing amount of cyber risk is being written and officers insurance, and contingent business interruption Regulatory/defense coverage
internationally, with the London market making a significant coverage.
play to increase its cyber expertise.97 Incident response costs
Several new affirmative cyber insurance products were
For reinsurance, though the market for cyber is launched in the market during 2016, with existing market Cyber extortion
comparatively small, reinsurers are playing an active role in players extending the range of products they offer, as well
increasing the capacity available for the primary carriers. as new market entrants. Business interuption
Most reinsurance being written today is placed as per-risk
An increasing number of insurers now offer breach Data and software loss
quota share, with some agreements having an aggregate
response services alongside their insurance offerings.
stop loss term in place. There is a move towards excess of
Having an established incident response plan and team in Multimedia liabilities (defamation, disparagement)
loss agreements; however this is still a nascent market for
advance of any data breach reduces the average breach
cyber and RMS expects per-risk agreements to remain as Reputational damage
costs by as much as $16 per record.98
the mainstay for 2017.
Increasing Limits Being Purchased Liability (errors and omissions)
The reinsurance market is expected to continue to grow
as the primary market increases and insurers look to cede Insurers are making more limit available, and insureds are Contingent business interuption
out a portion of the risk. Improved cyber exposure data purchasing cover to higher levels. Limits purchased are
capture techniques and improved risk quantification is reported to have increased by more than 10 percent in the Financial theft and fraud
also expected to lead to additional forms of reinsurance past year, with the average cyber insurance limit passing
becoming more commonplace. US$20 million for the first time in the third quarter of 2016.99 Liability (professional lines, contract)
PAG E 35 PAG E 3 6
Cyb e r In s u ra n ce M a r ke t U p d ate 2 017 Cy b e r R i sk Lan d scap e
For the first time, this is enabling a more consistent view 5.6 The RMS Commitment to the Future
of the risk and a more efficient use of capital across the
As the economy increasingly relies on the digital world to
The reinsurance market market.
drive innovation and foster growth, the transfer of cyber
to grow as the primary Regulators have made significant steps to push the
opportunity – one which RMS is committed to helping
insurers capitalize on.
insurance industry towards better cyber risk management.
market increases and In the London market in 2016, Lloyd’s has taken an active
The information in this report will provide you with the
knowledge to better understand cyber risk and how it
insurers look to cede role by adding cyber scenarios to the mandatory reporting
requirements of their managing agents.
impacts the insurance market. It also helps demonstrate the
great steps the industry is taking to provide coverage of
out a portion of the risk. The U.K. financial services regulator, the Prudential this important peril to the economy.
Regulatory Authority (PRA), has begun instigating
The RMS commitment to the future of cyber security will
regulatory approaches for insurers to improve their
continue, as the RMS cyber risk team works to develop
management of cyber risk, with a supervisory statement for
and provide the analytical tools, newest technologies, and
consultation highlighting preferred best practices.
As the market continues to grow, and the risk landscape models the insurance industry needs to address emerging
RMS was pleased to be able to contribute scenarios for and evolving global cyber and terrorism threats. These will
shifts, RMS expects to see continued price volatility.
the Lloyd’s RDS requirement, and to provide inputs to the enable us to provide valuable insights into the evolving
An increasing trend has been toward companies leveraging PRA’s regulatory best-practice consultation. cyber landscape; identify the type of attacks to expect
Cyber Hygiene Scores as a method of quantifying the and how far-reaching they might be; anticipate the shifts
The U.S. National Association of Insurance Commissioners
IT security maturity of a company. While undoubtedly in target preferences; and state the potential for cyber to
(NAIC) has convened a task force for cybersecurity to
a valuable tool, RMS would encourage organizations trigger physical damage.
create model laws that will provide minimum standards for
relying on these types of products to fully understand the
insurance company security. The model laws will also spell We look forward to a continued partnership with our clients
underlying factors that go into these scores.
out how insurance departments will monitor companies’ in the development of a cyber insurance market that serves
Accumulation Management cybersecurity practices. NAIC also commissioned a data the enterprises at risk, and enables insurers to understand
call on types of policies and relative premium sizes being and diversify portfolio risk, while managing your capital
Managing the accumulations of risk in a cyber portfolio
underwritten in the private market. adequacy.
is one of the key challenges of growing a resilient cyber
insurance portfolio. With the growth in cyber insurance U.S. rating agencies, such as AM Best, are not yet requiring
and the corresponding increase in exposure, insurance quantitative analysis of cyber risk in their assessments but
companies are increasingly focused on managing their have added questions about a company’s preparedness
portfolio accumulation risk. Where cyber is added to other and disaster plan for responding to cyber attacks as part of
lines, this is often intended rather than “silent,” but insurers assessing an overall enterprise risk management framework.
are concerned that it may not be adequately priced
and constrained by soft market conditions and limited
historical data.
PAG E 37 PAG E 3 8
Re fe re n ces 2 017 Cy b e r R i sk Lan d scap e
References Digital Trends, 2015, “DoS Attacks hit Record Numbers in Q2 2015,” August 19, 2015.
DiRenzo, J., Goward, D. and Roberts, F., “The Little-known Challenge of Maritime Cyber Security,” Rutgers University, November
2015.
Advisen, “Cyber Risk Trends: 2016 Year in Review.” 24 January 2017, Advisen Webinar. DLA Piper, “Data Protection Laws of the World,” 2017. Quarterly Security Reports, Q3, 2016.
Akamai, 2015. Quarterly Security Reports, Q3 2015. Emm, D., Unuchek, R. and K. Kruglov, “Kaspersky Security Bulletin 2016: Review of the Year.”
Akamai, 2016. Quarterly Security Reports, Q3 2016. Entous, A. and E. Nakashima, E., “FBI in agreement with CIA that Russia aimed to help Trump win White House,” Washington
Post., December 16, 2016.
Ali, M.A., Arief, B., Emms, M., van Moorsel, A., “Does The Online Card Payment Landscape Unwittingly Facilitate Fraud?”
Gartner, 2015, “Value and Impact of IoT on Business,” Symposium/ITxpo, November 8-12, Barcelona, Spain.
Allianz, 2015, Cyber Risk 2015 – the next 10 years, Allianz Insights, Expert Risk Articles.
FBI IC3, 2016, 2015 Internet Crime Report; Internet Crime Complaint Center, Federal Bureau of Investigation; US Bureau of
Arnold, M., “Tesco Bank ‘ignored warnings’ about cyber weakness.” Financial Times. November 13, 2016. Justice Assistance.
Ashok, I., “Tesco Bank under investigation for possibly ignoring warning of potential cyberattack.” International Business Times, Finkle, J. and A. G. Tharakan, “Yahoo says one billion accounts exposed in newly discovered security breach,” Reuters,
November 28, 2016. Technology News, December 15, 2016.
Assante, M. and R. Lee., “The Industrial Control System Cyber Kill Chain,” SANS Institute, October 2015. Forbes Tech, 2016, “Here’s How Much Businesses Worldwide Will Spend on Cybersecurity by 2020,” Market Intelligence, October
13, 2016.
AWS, 2017, AWS Global Infrastructure, Amazon Web Service, January 2017.
Forbes, 2015, “J.P. Morgan, Bank of America, Citibank And Wells Fargo Spending $1.5 Billion To Battle Cyber Crime,” December
Bakir, N. (2007), A Brief Analysis of Threats and Vulnerabilities in the Maritime Domain, Create Research Archive, Los Angeles,
13, 2015.
USA: Create Homeland Security Center, pp.1-30.
Forbes, 2016, “Bank of America's Unlimited Cybersecurity Budget Sums Up Spending Plans In A War Against Hackers,” January
Bateman, T., (2013), Police warning after drug traffickers' cyber-attackcyber attack - BBC News, [online] BBC News.
27, 2016.
Beazley Breach Insights Report, January 2017.
Forrester, 2015, Sherman et al., Forrester Research Data Privacy Heat Map 2015, FTI Consulting, October 13, 2015.
Betterly, Richard S., The Betterly Report: Cyber/Privacy Insurance Market Survey, June 2016.
Fox-Brewster, Thomas, “Shadow Brokers Give NSA Halloween Surprise With Leak Of Hacked Servers,” Forbes, October 31, 2016.
CCRS, 2015, Lloyd's Business Blackout Scenario, Cambridge Centre for Risk Studies and Lloyd’s, June 2015.
FTC, 2017, “FTC Charges D-Link Put Consumers’ Privacy at Risk Due to the Inadequate Security of Its Computer Routers and
CCRS, 2016a, Cyber Insurance Exposure Data Schema Version 1.0, Cambridge Centre for Risk Studies and Risk Management Cameras,” Federal Trade Commission, January 5, 2017.
Solutions, Inc. January 2016.
Gartner, “Gartner Says Worldwide PC Shipments Declined 8.3 Percent in Fourth Quarter of 2015,” Gartner Newsroom, January
CCRS, 2016b, Managing Cyber Insurance Accumulation Risk, Cambridge Centre for Risk Studies and Risk Management 12, 2016.
Solutions, Inc. February 2016.
GDPR Key Changes.
CCRS, 2016c, Integrated Infrastructure: Cyber Resiliency in Society, Cambridge Centre for Risk Studies and Lockheed Martin,
Greenberg, A., “Hackers Claim to Auction Data They Stole From NSA-Linked Spies,” Wired, August 15, 2016.
January 2016.
Grimes, Roger, A., 2012, “Why Internet crime goes unpunished,” InfoWorld, January 10, 2012.
CERT, “The Shadow Brokers auctions cyber weapons from Equation Group,” TLP: White, Version 1.5, August 26, 2016.
Gupta, R., “The Panama Papers Signal A New Kind of Cyber Attack,” Fortune, July 28, 2016.
Chen, K., “Reversing and Exploiting an Apple Firmware Update.”
ICS-CERT, “Alert (IR-ALERT-H-16-056-01): Cyber-AttackCyber attack against Ukrainian Critical Infrastructure,” February 26, 2016.
Collette, M. L. Olsen and J. Malewitz, “Ten years after a Texas City refinery blast killed 15 and rattled a community, workers keep
dying,” Houston Chronicle, March 21, 2015. InfoSEC Institute, “Panama Papers – How Hackers Breached the Mossack Fonseca Firm,” April 20, 2016.
ComputerWeekly, 2015, “Mandarin Oriental hack highlights security risk of legacy point of sale systems,” Warwick Ashford, Investor’s Business Daily News, 2016, “Security Freeze: Giants IBM, Cisco 'Squeeze' Palo Alto, Check Point,” 6/10/2016.
March 6, 2015.
Karvets, D., “Feds: Hacker Disabled Offshore Oil Platforms’ Leak-Detection System,” March 18, 2009.
ComputerWeekly, 2016, “Data breach hits Hilton Worldwide hotel chain,” Warwick Ashford, November 25, 2016.
Kaspersky, “Energetic Bear – Crouching Yeti.”
Constantin, L., “Cyberattack suspected in Ukraine power outage,” PC World, December 20, 2016.
Keane, J., “Apple Gains Notebook Market Share in 2015, Can’t Top HP and Lenovo,” Digital Trends, February 16, 2016
Constantin, L., “Hackers found 47 new vulnerabilities in 23 IoT devices at DEF CON,” CSO, September 13, 2016.
Klahr, R., Amili, S., Shah, J.N., Button, M., Wang, V., “Cyber Security Breachers Survey 2016,” HM Government, Ipsos MORI and
Costin, A., Zaddach, J., Francillon, A., Balzarotti, D., “A Large-Scale Analysis of Security of Embedded Firmwares,” 23rd USENIX University of Portsmouth, May 2016.
Security Symposium.
Kramek, J. (2013), “The critical infrastructure gap: U.S. Port Facilities and Cyber Vulnerabilities,” Washington D.C.: Brookings
Cox, J.W., “MedStar Health turns away patients after likely ransomware cyberattack,” The Washington Post, March 29, 2016. Institution, pp.1-35.
Cui, A., Costello, M., and S. J. Stolfo, “When Firmware Modifications Attack: A Case Study of Embedded Exploitation,” Columbia Lee, R. M. Assante and T. Conway, “German Steel Mill Cyber Attack,” SANS Industrial Control Systems, December 30, 2014.
University.
Lee, R., Assante, M. and T Conway. “Analysis of the Cyber Attack on the Ukrainian Power Grid: Defense Use Case,” TLP: White.
CyberSecurity Ventures, 2016, CyberSecurity Market Report Q4 2016. Electricity Information Sharing and Analysis Center and SANS Industrial Control Systems, Washington D.C., March 18,
2016.
Department for Transport, (2015), “Maritime Growth Study: Keeping the UK competitive in a global market. Moving Britain
Ahead,” [online] London: The Department for Transport, pp.5-12.
PAG E 39 PAG E 4 0
Re fe re n ces 2 017 Cy b e r R i sk Lan d scap e
Lewis, James A., 2012, “Cybersecurity, Threats to Communications Networks, and Private-sector Responses,” Testimony to Security, 2015, “47% of the World’s Credit Card Fraud Happens in the US,” June 1, 2015.
House Committee on Energy and Commerce, Subcommittee on Communications and Technology, February 8, 2012,
submission by Center for Strategic and International Studies. Starwood, 2016, Letter From Our President, January 22, 2016.
Loukas, George, 2015, “Cyber-Physical Attacks: A Growing Invisible Threat,” Butterworth-Heinemann, ISBN 978-0-12-801290-1. Statistica, 2017, IoT Number of Connected Devices Worldwide.
Los Angeles Times, 2016, “Hollywood hospital pays $17,000 in bitcoin to hackers,” FBI investigating, February 18, 2016. Strohm, C., “New York's Little Dam Sends Super-Sized Warning of Cyber-AttackCyber attacks,” Bloomberg Technology, March
20, 2016.
Malwarebytes Lab, 2016, “Look Into Locky Ransomware,” March 1, 2016.
Sullivan. B., “Amazon, Microsoft, IBM And Google Growing 30 Percent Faster Than Next 20 Cloud Providers,” Silicon, August 1, 2016.
Marsh, Global Insurance Market Index, Q3 2016.
Symantec Security Response, “SWIFT attackers’ malware linked to more financial attacks,” Symantec Official Blog, May 26, 2016.
Meserv, J. “Staged cyber attack reveals vulnerability in power grid,” CNN, September 26, 2007.
Temperton, J., “The Philippines election hack is 'freaking huge',” Wired, April 14, 2016.
Miller, C. (a), “Battery Firmware Hacking: Inside the innards of a Smart Battery,” July 27, 2011.
The Guardian, 2016, “Tesco cyber-raid raises serious questions over UK banks’ security,” November 12, 2016.
Miller, C. (b), “Battery Firmware Hacking.”
The Hacker News, 2016, World’s largest 1 Tbps DDoS Attack launched from 152,000 hacked Smart Devices; Sept 27, 2016.
Millman, Rene, “How Vulnerable are Smart Buildings to Cyber Hacks?” IFSEC Global, March 29, 2016.
The Merkle, 2016; “Muni First Targeted By Ransomware, Now Faces Extortion Demand By Same Hackers,” November 29, 2016.
Moritz, S. and Womack, B., “Verizon Explores Lower Price or Even Exit From Yahoo Deal,” Bloomberg Technology, December 15,
2016. The Register, 2016, “National Cyber Security Centre to shift UK to 'active' defence: Cyber chief calls for 'offensive' weapons,”
September 19, 2016.
Murdock, J., “Turkey: Political hacktivist leaks 'citizen database' containing 50 million personal records,” International Business
Times, April 4, 2016. U.S. Energy Information Administration (2016), “Commercial Buildings Energy Consumption Survey (CBECS) – 2012 CBECS
Preliminary Results,” [Online].
NetworkWorld, 2015, “Which cloud providers had the best uptime last year?” Cloud providers are becoming more reliable, but
some still had downtime issues,” Jan 12, 2015. United States District Court For the Central District of California February 2009 Grand Jury.
NetworkWorld, 2016, “And the cloud provider with the best uptime in 2015 is…Amazon’s cloud bests those of Microsoft and US Department of Energy, “Transforming the Nation’s Electricity System: The Second Installment of the Quadrennial Energy
Google by this reliability test,” Jan 7, 2016. Review,” January 2017.
Newman, L.H., “What We Know About Friday’s Massive East Coast Internet Outage,” Wired, October 21, 2016. US Department of Homeland Security, National Cybersecurity and Communications Integration Center, ICS-CERT Year in
Review, Industrial Control Systems Cyber Emergency Response Team, 2015.
Oregon State University, “Lithium Battery Safety and Handling Guide,” Enterprise Risk Services, Environmental Health & Safety,
December 2013. Van der Walt, C., “Four Lessons to Learn From the SWIFT Hacks,” Info Security, August 3, 2016.
ORF, 2016, Bundeswehr: Cyber security, the German way, Observer Research Foundation, Isabel Skierka, October 20, 2016. Williams, Katie, 2016, “Judges struggle with cyber crime punishment,” The Hill, 01/09/16.
Palmer, E., “Panama Papers: Simon Cowell and Jackie Chan among celebs named in Mossack Fonseca leak,” International Woolf, N., “DDoS attack that disrupted internet was largest of its kind in history, experts say,” The Guardian, October 26, 2016.
Business Times., April 7, 2016.
World Shipping Council, (2016a), “Global Trade | World Shipping Council,” [online] Worldshipping.org.
Paul, “Industrial Control Vendors Identified in Dragonfly Attack,” The Security Ledger, July 4, 2014.
World Shipping Council, (2016b), “Ports | World Shipping Council,” [online] Worldshipping.org.
Paul, “Update: Let’s Get Cyberphysical: Internet Attack shuts off the Heat in Finland,” The Security Ledger, November 8, 2016.
York, K., “Dyn Statement on 10/21/2016 DDoS Attack,” Dyn.
Polityuk, P., Vukmanovic, O. and Jewkes, S., “Kiev power outage in December was cyber attack: Ukrenergo,” Reuters,
Zetter, K., (2014), “Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon,” New York, NY, USA:
January 18, 2017.
Crown Publishing Group.
Positive Technologies, “Security Trends & Vulnerabilities Review: Industrial Control Systems,” 2016.
Zetter, K., “Everything We Know About Ukraine’s Power Plant Hack,” Wired, January 20, 2016.
PwC, 2015, “Cyber insurance market set to reach $7.5 billion by 2020,” September 15, 2015.
Zetter, K., “That Insane, $81M Bangladesh Bank Heist? Here’s What We Know,” Wired, May 17, 2016.
Rawlinson, K., “HP Study Reveals 70 Percent of Internet of Things Devices Vulnerable to Attack,” HP, July 29, 2014.
Zetter, K., “Why Hospitals Are the Perfect Targets for Ransomware,” Wired, March 30, 2016.
Response, S. S. (2014, 06 30), “Dragonfly: Western Energy Companies Under Sabotage Threat,” Retrieved February 11, 2015,
from Symantec.
Richman, D., “Cloud computing revenues jumped 25% in 2016, with strong growth ahead, researcher says,” Geek Wire,
January 4, 2017.
Riley, M. and Katz, A., “Swift Hack Probe Expands to Up to a Dozen Banks Beyond Bangladesh,” Bloomberg Technology.
Ronda, R. A., “NPC: Victims of data leak may file suit,” Philstar Global, January 8, 2017.
SC Media, 2016, “Finns have their heating systems knocked offline by a DDoS attack,” November 9, 2016.
Security News Desk, “Securing critical infrastructure from virtual and physical threats,” November 24, 2016.
PAG E 41 PAG E 4 2
2 01 7 Cy b er R i sk L a n d s c ap e
Acknowledgements
Risk Management Solutions, Inc; 2017; Cyber Risk Landscape Update; report prepared by RMS in
collaboration with the Centre for Risk Studies, University of Cambridge.
PAG E 4 3
RMS solutions help insurers, financial markets, corporations, and
public agencies evaluate and manage risks throughout the world,
promoting resilient societies and a sustainable global economy.