On October 21, 2016, a distributed denial-of-service (DDoS) attack rendered a large number of the world’s most popular websites, including Twitter, Amazon, Netflix, and GitHub, inaccessible to many users.
The attack conscripted vulnerable Internet of Things (IoT) devices such as routers, DVRs and CCTV cameras to overwhelm DNS provider Dyn, effectively hampering internet users’ ability to access websites across Europe and North America. It was carried out using an IoT botnet called Mirai, which works by continuously scanning for IoT devices with factory default user names and passwords.
The MMC Cyber Handbook 2018, a collection of recent articles from business leaders including those across the Marsh & McLennan Companies, includes an article on the Dyn attack that highlights three fundamental developments that have changed the nature of aggregated business interruption for the commercial (re)insurance industry:
- The proliferation of systemically important vendors: The emergence of systemically important vendors can cause simultaneous business interruption to large portions of the global economy.
- Insecurity in the Internet of Things (IoT) built into all aspects of the global economy: The emergence of IoT with applications as diverse as consumer devices, manufacturing sensors, health monitoring, and connected vehicles is another key development. Estimates vary, with anywhere from 20 billion to 200 billion everyday objects expected to be connected to the internet by 2020. In the rush to get these products to market, security is often not built into their design.
- Catastrophic losses due to cyber risks are not independent, unlike natural catastrophes: A core tenet of natural catastrophe modeling is that the aggregation events are largely independent. An earthquake in Japan does not increase the likelihood of an earthquake in California.
The Dyn attack illustrates that insurers need to pursue new approaches to understanding and modeling cyber risk.
The contents of this article are from an article in the MMC Cyber Handbook by Pascal Millaire of CyberCube, formerly Symantec. It first appeared in the Symantec Thought Leadership Blog titled “The Mirai DDOS Attack Impacts the Insurance Industry.”