Is the insurance industry facing a Cyber-Cat? Thousands of websites at risk to heartbleed bug...
9 April 2014
No no - I'm not referring to an animated cat in an app, but rather to yesterday's announcement of the Heartbleed bug, which affects the security of over 50% of the Internet according to some estimates. The bug affects the OpenSSL package and is believed to have been present in the package since 2011. It affects the way the package handles heartbeat messages, hence the moniker given to the bug. There are already tools in use that exploit the bug and provide access to recent user data on compromised servers.

There have been security alerts before, with many large brands facing fines and media inquiries about their losses, but this bug potentially affects hundreds of thousands of websites and many businesses globally. So why characterise this as a catastrophe, and why would insurers be interested? In the last 2 to 3 years, with the cost of data breaches growing significantly, businesses have been offsetting the risk of a breach or loss through Cyber Liability Insurance covers. Whilst the practice and cover are arguably in their infancy, their popularity suggests that this sort of event could constitute a significant liability to insurers globally offering this cover. Further, the event has some characteristics in common with other events requiring catastrophe response:
- Many insured are at risk.
- The event will likely draw the attention of governments and regulators.
- Swift response will mitigate further loss.
There are some significant differences here though. Most notably, in the event of hail, storm or flooding the insured are likely aware whether their assets are affected or not - they may not know the extent of the loss, but they are likely aware whether they need to claim. Increasingly, risk aggregation and modelling tools are helping carriers and brokers understand the likely impact of catastrophe events. In this case, however, the insured may not be aware whether they are compromised or not, since the bug allowed for intrusions that would not be logged by the affected systems. The advice here is to determine if OpenSSL is used; if so, the server has been vulnerable, may have been compromised and should be patched immediately.

The full statement regarding the bug is available at http://heartbleed.com/ although it is also covered at http://blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/ which contains some useful advice. Further coverage is available from Reuters and The Guardian. As noted on heartbleed.com, Apache and Nginx web servers are known to typically use the OpenSSL library and account for 66% of the Internet according to Netcraft's April 2014 Web Server Survey. Google says that it is not affected; however, Yahoo has already reported that they are working to fix the affected services on their side. As always, communication and collaboration are crucial to managing these events. Insurer clients of Celent may like to read Celent's case study combining internal and external data to respond to a catastrophe.