January 11, 2018
Computer security experts disclosed last week what may be the largest cybersecurity vulnerability disclosure to date, potentially affecting nearly every computer across the globe. At risk are personal and workplace computers, servers and even cloud service providers such as Amazon, Google and Microsoft.
The disclosed vulnerabilities, known as Meltdown and Spectre, are strictly a hardware design flaw in microprocessors, which makes them much harder to secure than software vulnerabilities. The affected Intel microprocessors are “used in nearly 90 percent of the computer servers that underpin the internet and private business operations,” according to a recent New York Times article. This also means the problem will likely stick around for a while, as it cannot be solved by simple patching. Some are calling for enterprises to replace every processor delivered in the last 15 years, a financial burden too large for small and medium-sized enterprises (SMEs).
In short, Meltdown breaks the isolation between a user application and the operating system, allowing the application to dump memory and steal data. Meltdown could also allow hackers to bypass the hardware barrier between applications run by users and the computer’s memory, potentially letting hackers read a computer’s memory and steal passwords. While Meltdown will likely be the first of the two vulnerabilities to be secured, or at least patched, experts are already saying computing power could be reduced by as much as 30 percent.
The second vulnerability, Spectre, is slightly different. Spectre goes a step further (application to application) and is harder to exploit, but also harder to mitigate. Exploiting it requires malware to be running on the vulnerable machine. However, many servers are already running malware that system administrators fail to discover. Secondly, Spectre could require entirely redesigning the processors, according to researchers, and patches must be made for every application. Not to mention, vendors will likely never write patches for legacy machines, which have been out of support for years.
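Because the article stresses that these flaws are patched unevenly and that legacy machines may never be patched, the first thing a defender needs is an inventory of which hosts actually report a mitigation. The following is an added example, not code from the original article: since Linux 4.15 the kernel exposes one status file per issue under /sys/devices/system/cpu/vulnerabilities/ (meltdown, spectre_v1, spectre_v2), and this script classifies those status strings into mitigated, vulnerable, not affected or unknown, and flags hosts still exposed. The hostnames and file contents in SAMPLE_HOSTS are constructed to mimic real kernel output so the script runs offline; read_local_status() reads the real files when run on a Linux host.

```python
"""Classify Meltdown/Spectre mitigation status from Linux sysfs strings.

Added example, not part of the original article. Linux 4.15+ publishes
/sys/devices/system/cpu/vulnerabilities/{meltdown,spectre_v1,spectre_v2}
with contents such as "Not affected", "Vulnerable", "Mitigation: PTI".
The sample inventory below is constructed; the hostnames are fictitious.
"""
from pathlib import Path
from typing import Dict, List

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
ISSUES = ("meltdown", "spectre_v1", "spectre_v2")

# Constructed sample inventory: hostname -> {issue: sysfs status line}
SAMPLE_HOSTS: Dict[str, Dict[str, str]] = {
    "web-01": {  # fully patched kernel on an affected CPU
        "meltdown": "Mitigation: PTI",
        "spectre_v1": "Mitigation: __user pointer sanitization",
        "spectre_v2": "Mitigation: Full generic retpoline",
    },
    "db-02": {  # unpatched kernel
        "meltdown": "Vulnerable",
        "spectre_v1": "Vulnerable",
        "spectre_v2": "Vulnerable",
    },
    "legacy-03": {  # pre-4.15 kernel: status files do not exist at all
    },
}


def classify(line: str) -> str:
    """Map one sysfs status line to mitigated / vulnerable / not_affected / unknown."""
    text = line.strip()
    if not text:
        return "unknown"           # file missing or empty: cannot prove anything
    if text.startswith("Not affected"):
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    # "Vulnerable" and "Vulnerable: <partial detail>" both count as exposed.
    return "vulnerable"


def assess_host(status: Dict[str, str]) -> Dict[str, str]:
    """Classify every tracked issue for one host; absent files become unknown."""
    return {issue: classify(status.get(issue, "")) for issue in ISSUES}


def exposed_hosts(inventory: Dict[str, Dict[str, str]]) -> List[str]:
    """Hosts with at least one issue reported vulnerable or unknown (treat unknown as exposed)."""
    return sorted(
        host for host, status in inventory.items()
        if any(v in ("vulnerable", "unknown") for v in assess_host(status).values())
    )


def read_local_status() -> Dict[str, str]:
    """Read the real sysfs files on this machine; missing files yield an empty string."""
    return {issue: (SYSFS_DIR / issue).read_text() if (SYSFS_DIR / issue).exists() else ""
            for issue in ISSUES}


if __name__ == "__main__":
    for host, status in SAMPLE_HOSTS.items():
        print(host, assess_host(status))
    print("exposed:", exposed_hosts(SAMPLE_HOSTS))
    print("this machine:", assess_host(read_local_status()))
```

Treating a missing status file as "unknown" rather than "mitigated" is deliberate: an older kernel that predates the sysfs interface is exactly the legacy system the article warns about, and silence from it is not evidence of a fix.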
According to a recent joint report by Lloyd’s of London and cyber risk analytics firm, Cyence, a hypothetical catastrophic cyber-attack targeted against a cloud service provider could result in average losses of $53 billion in just a matter of days. In the most extreme situations, an attack could cost $121 billion, greater than the total losses from catastrophic natural disasters such as Hurricanes Katrina and Sandy.
Is this the vulnerability that nation-state actors and cybercriminals have been waiting for? Perhaps. An attack on cloud service providers could have detrimental and global consequences. Surely, nation-state actors, and commercial actors connected to nation states, are already looking for ways to exploit the vulnerability and monetize it. The motivation is surely there. The questions are whether those with the motivation also have the technical skills to exploit the vulnerabilities, how fast they could download data, and, if they can beat those trying to secure the vulnerability, whether they have the capacity to store such an immense amount of data.
This situation brings to life what the cyber insurance world has long feared, as a breach of this magnitude would have severe implications for the insurance industry. Insurance companies must view this through a risk-based model and understand that an attack with “Sandy-like” losses could cripple the industry. Unlike other lines of business, which rely on hundreds of years of historical data to hedge risk, cyber insurers struggle to estimate potential losses because of the possibility of aggregate loss scenarios. “Because cyber is virtual, it is such a difficult task to understand how it will accumulate in a big event,” explained Lloyd’s of London CEO Inga Beale.
While the true effects from Meltdown and Spectre are far from known, if cybercriminals or nation-state actors can exploit the vulnerabilities before the government or tech world can patch them, millions of potentially insured individuals and organizations will be at risk for cyber extortion and data loss.
The Council’s Cyber Market Watch Survey
The Council recently released its fifth biannual Cyber Insurance Market Watch Survey. Results were consistent with those in May 2017, as take-up rates remained relatively low at around 31 percent. While many clients were curious about cyber insurance, their interest did not necessarily translate to the purchase of a policy. It is interesting to note that widely publicized international events, including the Equifax breach and the WannaCry and Petya ransomware attacks, did not greatly influence adoption.
“Cyber coverage is becoming an increasingly critical line of business for our members’ clients,” explained Ken A. Crerar, President/CEO of The Council. “However, as cybercrime continues to increase around the globe, with the average cost of a data breach approaching $4 million, it’s essential for broker members to continue emphasizing the importance of adding cyber policies to clients’ risk portfolios.”