Cyber scenarios keep experts awake at night
Cybersecurity case studies that keep a group of experts awake at night were discussed at the International Cyber Risk Management Conference at the Hamilton Princess & Beach Club.
George Do, chief information security officer at Gojek, spoke about the impact of a major cloud service provider going down, such as could happen with a denial of service attack.
“Any cloud provider can go down because of a cyberattack or some disaster incident,” he said.
If there was a wide enough outage on a big service provider, such as Amazon Web Services, it has the potential to hit day-to-day devices people use, from refrigerators, to cameras and phones, which are connected as elements on the so-called Internet of Things.
In such a scenario, Mr Do said: “Multiple services that we are all used to, that we are happy with and use every day, would become unusable.”
He mentioned Uber, banking apps and banking services from the likes of Chase and Bank of America, and disruption to social media platforms such as Facebook and Twitter.
“Imagine on your phone you would not be able to use 75 per cent of the apps out there,” Mr Do said.
If a major cloud service like AWS went down, the effect would be “something of that magnitude” of disruption for people, he warned.
Also on the panel was Jeremy Gittler, practice leader and head of cyber claims, Americas, Axa XL. He spoke about cyberterrorism and the difficulty to classify an incident as an act of war, act of a foreign enemy, or as an act of terrorism.
In addition, he said because it is hard to attribute such attacks as being the work of a foreign government, he was unaware of any incident falling under insurance exclusion clauses that reference damage being caused by a confirmed act of war or terrorism.
He also said if, on a single day, 50 of the largest banks in the world “went down” due to a cyberattack there would be worldwide chaos.
“That's not something that's really insurable,” he said.
“Can the industry sustain an actual cyberwar by another country? The answer is no, it probably can't.”
The third panellist was Brian Middlebrook, partner, Gordon Rees Scully Mansukhani. He spoke about major attacks that are on the scale of perceived nation state action.
He said: “NotPetya is a great example. It is the single largest event resulting in damage, calculated at this point at over $10 billion worldwide.”
He said 2017's NotPetya was two exploits released simultaneously that had the ability to cross borders and “destroy anything it touched”.
“It was solely created to do damage,” Mr Middlebrook said.
Examples of businesses affected was a chocolate factory in Australia that had to close, the world's largest container shipping company Maersk being put out of business for days, and some of its divisions being affected for weeks, while FedEx was another business impacted.
“The scale of damage done to institutions large and small; we are talking about hardware replacement, software replacement, man-hours to rebuild networks,” he said.
“But then you are also talking about the business interruption claims, the shareholder claims — there are limitless types and numbers of claims that arise from a catastrophic attack like that, and there is no discrimination between entities big and small.
“If you didn't have insurance it's a problem, but if you did have insurance, chances are it's not enough.”
He added: “It is very difficult to plan for, but to date it is the best example of how catastrophic an attack like that is — which again, you're talking about Russia targeting Ukraine and impacting the entire world as collateral damage.”
Meanwhile Mr Do warned the hardest cybersecurity incidents to guard against are those originating from within an organisation, caused by a rogue employee.
“If the attack is from inside the walls of the company you have a much greater problem — because the user or users behind the attack all ready have access to your system, so anything they do on the network is legitimate,” he said.
“They can do massive harm. It is extremely difficult for security teams to detect and protect against something like that.”
The panel was asked to summarise their biggest cybersecurity fears.
Mr Do said: “The Internet of Things. We are all very well trained on cybersecurity attacks on traditional networks and application systems, we are very bad around the world on how to secure the Internet of Things.
“I'm talking about security cameras, microwaves, the refrigerator that talks to you. All those things are now embedded in our daily lives, but they are very insecure.”
While Mr Gittler said: “It's our insurance that don't have enough coverage, so they might only have a tower of $10 million or $20 million, and then they get a fine of $50 million. And here they went out and bought cyber insurance — they took time to do it, and here they are still probably going to go out of business because they didn't buy enough coverage.”
Mr Middlebrook said his biggest fear in the cybersecurity arena is clients who walk away against the advice of counsel in the face of a breach.
He said it is the clients who say “My IT told me everything is fine, thanks for your services”.
Mr Middlebrook said: “It creates a situation where, I believe, with the benefit of hindsight they are eventually sued because someone has had their information exposed. When it comes to light that they were the source, they didn't investigate it, they didn't report it, they didn't notify about it.
“The question is going to be ‘Well, did you have counsel?' and their answer is going to be ‘Yes, and I talked to counsel and I decided not to do it'.
“That's a problem for me and the firm from a malpractice perspective, when I spent hours trying to convince you to do something about it.”