August 15, 2017 by Angela Stelmakowich, Editor
Can a single catastrophic event turn the reinsurance market? With the influx of capital, excess capacity and competition for business high – perhaps as high as it has ever been – is the notion that an event can right the ship a possibility anymore?
Likely not; a shift has occurred, bringing with it the new normal. In concert with that is another shift, namely what peril is most likely to move the reinsurance pricing needle away from year-upon-year of lows to something more reflective of the risk.
Clearly, this space has been dominated by natural Cats – deservedly so. Still, there seems to be a new entrant.
Surely, it is not a stretch to think a well-conceived, expertly delivered cyber attack on connected systems could unleash true devastation, albeit solely on the financial front.
Cyber could invade this fertile ground, particularly since coverage is still finding its feet and many customers are still weighing its worth.
Enter the new Petya — or GoldenEye, NotPetya, Petrwrap and ExPetr — said to encrypt a computer’s hard drive and make it inoperable until ransom is paid (though paying may provide no remedy), encrypt the computer’s master boot record and launch malware to look for usernames and passwords.
Whatever its name, the malicious software delivered a hard disruptive hit to businesses and governments in June, initially with an apparent focus on Ukraine and then spreading to Europe and beyond. Downed networks, compromised systems and intrusions involving banks, governments, power grids, natural resources firms and shipping operations resulted.
That Petya unleashed holy hell about a month after the WannaCry ransomware attack is a concern — and should be. RMS cyber expert Tom Harvey called the WannaCry assault “arguably the first-ever cyber catastrophe,” noting it spurred the infection of hundreds of thousands of machines in 150-plus countries.
One cannot help but feel recent attacks represent test runs to see how much damage can be done when the bugs are worked out and a bit more venom injected.
Or perhaps, hopefully, it is merely a trial balloon — harshly demonstrating what could be done — in a bid to encourage concerted action and commitment to advance a collaborative, world view of security. Clearly, connectedness will continue to increase.
Graeme Newman, chief innovation officer at CFC Underwriting Ltd., pointed out in late June that though WannaCry spread like wildfire, it inflicted relatively little damage. Petya “looks much more dangerous” and early indications suggest it “could cost organizations 10 times more than WannaCry.”
Claims of this sort “can quickly spiral out of control when the costs of system damage and business interruption are tallied,” Newman said.
Consider what policies might come into play. But also consider the exclusions.
Reports out of the United Kingdom are that a survey of 250 insurance broking firms found 73% of respondents have seen no increase in cyber cover demand in the wake of the WannaCry attack.
As it stands, it seems the status quo has won out — a strategy that could hardly be considered forward-looking.
“There is a commonality that exists across software and hardware as many businesses use similar systems, which make global attacks possible,” reports Matthew Webb, group head of cyber at Hiscox. “Every business is a technology business these days and so we are unlikely to see the frequency of these attacks reduce,” Webb says.
It may be that the best defence is a good offence. A new Bugcrowd report found organizations paid out more than US$4 million to a global crowd of 60,000-plus security researchers in the past year, a 200% hike over the prior year. Financial services is among the top five sectors embracing bug bounty programs.
Traditional security assessment is no longer enough, notes Casey Ellis, founder and chief executive officer of Bugcrowd. “The combination of broken status quos, a ballooning attack surface, a dearth of defenders and the increasing proof of active, efficient adversaries are accelerating this trend.”