As we reach the end of January (and for those of us who have done Dry January look forward to a celebratory glass of wine), we start to properly look forward to the festivities that 2018 brings. One of the first events is Chinese New Year, which, this year, is the Year of the Dog, or more specifically, the Earth Dog.
In the recent past, the cyber insurance market has named years after their defining events: 2014 was the year of the retail data breach, 2015 the year of the healthcare breach, and the WannaCry and NotPetya outbreaks made 2017 the year of the cyber NatCat (natural catastrophe: a single event that produces a large number of claims at the same time).
This cyber NatCat threat is not going to disappear this year; in fact, quite the reverse. Perhaps the Chinese are onto something, as for them the Earth Dog is not very connected with the world and society!
John Drzik, Marsh’s president of Global Risk and Specialties, was clearly warming to this NatCat theme when he recently predicted that a single cyber attack could cost the insurance industry more than Hurricane Katrina. To put this in perspective, Katrina cost insurers approximately $40bn in 2005 while last year’s Hurricanes Harvey, Irma and Maria are estimated to have cost insurers in excess of $50bn.
It is debatable whether the cyber market has the capacity to deal with a single event of this nature, let alone multiple events within a short period of each other, as was the case with WannaCry and NotPetya. It is widely acknowledged that the market dodged a bullet: the widely reported impact of these events on large multinationals did not result in a plethora of large insurance claims. However, it seems reasonable to assume that the market is not going to get lucky again. It is worth noting that neither event relied on a true zero day. The Windows flaw they both exploited had been fixed by Microsoft in March 2017 (MS17-010), two months before WannaCry appeared, so the damage was done on systems that had not yet been patched. Future events may exploit genuine zero day flaws, for which no fix exists at the time of the attack, or, as in 2017, known flaws that have simply not been fixed.
Two questions therefore arise: how does a zero day flaw come about, and how can such flaws be mitigated?
I have previously worked with software developers and was astounded to find out that, if a section of code is no longer used, it invariably isn’t deleted. Consequently, the code is still compiled into the product and, if any input path still leads to it, it can be triggered, whether by accident or by an attacker. Sometimes this just causes the software to crash. Sometimes the outcome is worse, because stale code was written to an older standard, is no longer tested or reviewed, and may contain a memory-safety bug that an attacker can turn into code execution. The same applies to obsolete features that are still shipped and switched on: the flaw behind WannaCry and NotPetya sat in SMBv1, a decades-old version of the Windows file-sharing protocol that Microsoft had been advising customers to disable, but that remained enabled by default on many systems.
This creates the image of software code as being comparable to a student’s bedroom. In amongst the (hopefully) clean clothes in the wardrobe, there is the potential for dirty clothes to be strewn around the floor and empty beer bottles or pizza boxes to be littered all over the place. Given how much code will exist in a piece of software as complex as Windows, there is the potential for there to be a lot of dirty laundry and empty pizza boxes!
If flaws of this kind occur as the result of poor housekeeping, then the solution seems blindingly obvious: delete code that is no longer used, switch off features that are no longer needed and, on the customers’ side, apply the fixes that are issued. However, if the above practices are endemic in the development of software, then this cultural change isn’t going to happen overnight.
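As an added illustration, not part of the original post: a short C example of how code that is “no longer used” can still be reached. The wire format (one opcode byte, one length byte, then payload), the opcodes and the handler names are all made up for the example. The retired handler keeps the loose length handling of its era and is never called on purpose, but it still sits in the dispatch table, so any client that sends the old opcode reaches it. The hardened dispatcher simply drops it from the table, which is the tidying the post is asking for.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire format for this example (not any real protocol):
 *   byte 0: opcode, byte 1: payload length, bytes 2..: payload. */
enum { OP_LEGACY_ECHO = 0x01, OP_ECHO = 0x02, OP_MAX = 0x03 };

/* Dispatch results. */
enum { RESULT_REJECTED = -1, RESULT_LEGACY = 1, RESULT_CURRENT = 2 };

typedef int (*handler_fn)(const uint8_t *payload, size_t len);

/* The "retired" handler: superseded by current_echo and no longer used by
 * any client the vendor ships, but never deleted. It predates the length
 * discipline of the newer code and trusts the length byte. */
static int legacy_echo(const uint8_t *payload, size_t len)
{
    char buf[16];
    memcpy(buf, payload, len);      /* no bounds check: len > 16 overflows buf */
    return RESULT_LEGACY;
}

/* The live handler: same job, but it checks the length first. */
static int current_echo(const uint8_t *payload, size_t len)
{
    char buf[16];
    if (len > sizeof buf)
        return RESULT_REJECTED;
    memcpy(buf, payload, len);
    return RESULT_CURRENT;
}

/* Parse the two-byte header and check that the claimed payload length fits
 * the bytes actually received; both dispatchers share this framing check. */
static int parse_frame(const uint8_t *msg, size_t n,
                       uint8_t *opcode, const uint8_t **payload, size_t *len)
{
    if (n < 2 || (size_t)msg[1] > n - 2)
        return -1;
    *opcode = msg[0];
    *len = msg[1];
    *payload = msg + 2;
    return 0;
}

/* Before: the table still holds the retired handler. The compiler cannot
 * discard legacy_echo because its address is taken here, and any client
 * that sends opcode 0x01 reaches it. */
int dispatch_vulnerable(const uint8_t *msg, size_t n)
{
    static const handler_fn table[OP_MAX] = {
        [OP_LEGACY_ECHO] = legacy_echo,
        [OP_ECHO]        = current_echo,
    };
    uint8_t op; const uint8_t *p; size_t len;
    if (parse_frame(msg, n, &op, &p, &len) != 0 || op >= OP_MAX || !table[op])
        return RESULT_REJECTED;
    return table[op](p, len);
}

/* After: the retired opcode is gone from the table, so the stale code is
 * unreachable from the network. Deleting legacy_echo itself is the real
 * fix; dropping it from the table is the minimum. */
int dispatch_hardened(const uint8_t *msg, size_t n)
{
    static const handler_fn table[OP_MAX] = {
        [OP_ECHO] = current_echo,
    };
    uint8_t op; const uint8_t *p; size_t len;
    if (parse_frame(msg, n, &op, &p, &len) != 0 || op >= OP_MAX || !table[op])
        return RESULT_REJECTED;
    return table[op](p, len);
}

/* Constructed sample messages (not captured traffic). */
const uint8_t LEGACY_MSG[]     = { OP_LEGACY_ECHO, 4, 'a', 'b', 'c', 'd' };
const uint8_t CURRENT_MSG[]    = { OP_ECHO, 4, 'a', 'b', 'c', 'd' };
const uint8_t OVERSIZED_MSG[22] = { OP_ECHO, 20 };   /* 20-byte payload, buffer holds 16 */
const uint8_t SHORT_MSG[]      = { OP_ECHO, 9, 'a' }; /* claims 9 bytes, carries 1 */

int main(void)
{
    printf("legacy opcode, old dispatcher:  %d\n", dispatch_vulnerable(LEGACY_MSG, sizeof LEGACY_MSG));
    printf("legacy opcode, new dispatcher:  %d\n", dispatch_hardened(LEGACY_MSG, sizeof LEGACY_MSG));
    printf("current opcode, new dispatcher: %d\n", dispatch_hardened(CURRENT_MSG, sizeof CURRENT_MSG));
    printf("oversized payload, new dispatcher: %d\n", dispatch_hardened(OVERSIZED_MSG, sizeof OVERSIZED_MSG));
    return 0;
}
```

The sample messages keep the legacy payload within sixteen bytes, so the program runs cleanly; a client sending opcode 0x01 with a larger length byte would overflow `buf` in `legacy_echo` under the old dispatcher, while the new dispatcher rejects the opcode before any handler runs.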
Property insurers with hurricane exposures in the Caribbean and the US have addressed their risk by insisting that buildings be built in such a way that they can withstand windstorms. Perhaps cyber insurers can address their NatCat risk by targeting the software industry with the line often issued by my parents when I was a teenager: “TIDY YOUR BLOODY BEDROOM”!